Six Keys to Compliance

From The Practice July/August 2016
Perspectives from the field

What’s it actually like to be a leader in the compliance field? Whether one holds the chief compliance officer (CCO) title specifically or is double-hatted as the general counsel (GC) and CCO, those charged with ensuring compliance face a variety of challenges from both within and outside of their organizations. As part of this issue on compliance, The Practice interviewed four experienced compliance professionals—Henry Moniz of Viacom; Judy Perry Martinez, formerly of Northrop Grumman; Charles Senatore of Fidelity Investments; and Colin Owyang of Vermont Electric Power Company—to learn more about what they have learned and what it takes to succeed in this important field.

Judgment and integrity

While there is no silver bullet for succeeding in compliance, there are two absolutely paramount character traits: good judgment and integrity. This stands to reason given the twin responsibilities of compliance work: determining what should be done and enforcing it. Charles Senatore, who has more than two decades of experience managing compliance and ethics departments at two major financial service firms (Fidelity Investments and Merrill Lynch) and is currently the executive vice president at Fidelity overseeing regulatory coordination and strategy, explains that while some compliance work is straightforward—what he calls “binary”—a lot of it is open to interpretation and assessment of risk. For some issues, such as a financial firm’s obligation to price shares of mutual funds at the close of business each day, there is no question as to whether a firm is or isn’t in compliance. However, it’s more complicated with other issues, and that is where a compliance officer’s judgment becomes critical.

Compliance is about helping foster a culture where the firm’s employees are placing the welfare of clients and customers first.

Charles Senatore, head of risk oversight for Devonshire Investors within Fidelity Investments

With some issues, there is no wiggle room. Either you are in compliance or you’re not. But other rules and principles are less binary and involve more judgment—for example, whether a registered representative in a securities firm appropriately determines that investments are suitable for someone. In these instances, there is an element of judgment, and you would consider a few things. The threshold minimum would be what you believe the firm could defend. But one shouldn’t just settle for the minimum. Ideally, the behavior one would require should be a function of the values of the company and what it stands for. While compliance is certainly about understanding what the law and regulation require, more importantly, it is about helping foster a culture where the firm’s employees are placing the welfare of clients and customers first. With that lens, the firm can promote behaviors that will not only prevent problems, but also bring value and result in a competitive advantage.

If an officer’s judgment helps him or her determine adherence to the rules, an officer’s integrity ensures that he or she then has the mettle to enforce them. Judy Perry Martinez, the former vice president and CCO of Northrop Grumman Corporation, elaborates on this point:

CCOs need equal strength in backbone, to stand tall when necessary, no matter the perceived pressure to quietly look the other way, and in judgment, to assess and determine the best solution. Compliance is about relationships of trust, individual employee ownership of responsibilities, and empowerment to speak up and report conduct that is suspect or questionable, no matter how high up in management the individual perceived to have engaged in noncompliant conduct is.

Martinez continues:

So the CCO needs to be a person of integrity. Someone who is approachable yet respected by line employees and executives alike because of his or her reputation of doing the right thing, no matter how unpopular, as demonstrated by past performance in addressing company challenges and ethical dilemmas.

This isn’t to say that CCOs must be rigid and unbending. Rather, they must know the standards and find ways to rally allies and work across divisions. Martinez continues:

The CCO needs to be a thought leader who is skilled in change management and a broad spectrum of legal issues. Someone who is focused on working collaboratively across the organization to establish strong values to facilitate the right tone by management, and to counsel the organization regarding the consequences of not living up to its values.

A holistic approach

Today compliance has become a standard part of many organizations and businesses, but it remains anything but a formulaic practice. As described in “The Emergence of Compliance: A New Profession?” government regulations have encouraged the standardization of some organizational structures and protocols, but a single, agreed-upon philosophy of compliance remains elusive. Is it about upholding a company’s ethical commitments? Minimizing an organization’s risks through self-policing and training? Is it about merely staying within the boundaries of the law? Or is it about taking a more proactive and strategic approach to good corporate practices?

Henry Moniz, the CCO, Chief Audit Executive and global head of Strategic Business Practices at Viacom, takes a holistic approach to compliance that extends beyond the work of his teams. For Moniz, the actual compliance department is simply one of the many lines of defense that protect a company from undue risk. Moniz is the enterprise-wide ambassador for a five-layer framework for compliance, and the first line begins with the business operators themselves. “Compliance in our company is not this thing where you can hold your nose and take your annual dosage of compliance medicine in the form of training and certification, and then you are done with it,” says Moniz. “It’s not like swallowing cod liver oil. The business operators are the first line of defense—they have to own compliance and manage the associated risks.”

Compliance is not this thing where you can hold your nose and take your annual dosage of compliance medicine in the form of training and certification, and then you are done with it.

Henry Moniz, global head of legal/regulatory compliance, internal audit, and strategic business practices at Viacom

The second line of defense is what Moniz calls the “standard setters,” which include compliance officers, but also the finance and legal teams and others who work together to define internal ethical guidelines and compliance boundaries based on risk-tolerance levels. The third line of defense is also compliance, but in the form of audit. “There, my teams ensure that the first line of defense is not exceeding the boundaries set forth by the second line of defense; and if so, understanding why.” The fourth line of defense includes executive management and, in particular, the board of directors, which is critical to ensuring that the auditors have the support to do things that may be unpopular at times. The fifth and final line of defense, Moniz notes, is the government, regulators, agencies, and other stakeholders.

For Moniz, an effective compliance department is not one that walls itself off from the rest of the organization. Rather, it is one that takes an active role in getting employees to not merely check the box, but to adopt a culture of compliance that is ethics-based, risk-considerate, and good for business.

I think some people historically viewed the compliance group as a wet blanket. But we have been able to re-engineer the function by taking an approach that adds value to businesses. We have evolved into being a trusted advisor that is aligned with the business insofar as we are helping to identify and avoid destructive risk and to improve operations. Risk is opportunity, and one can drive really fast if he or she has good brakes.

Powerful—but not omnipotent

To carry out these duties, compliance officers have to have the resources and status within the organization to have their voices heard. Whether they are acting as a GC or a CCO, those managing compliance are often forced to make unpopular decisions and broker compromises between many different parties. Colin Owyang, the GC and corporate secretary of the Vermont Electric Power Company, a position that also includes overseeing the compliance team, reflects on the mediation role compliance officers are often asked to play as they assess different risks:

The most enjoyable thing about working in compliance is the opportunity to solve a problem that works for a variety of stakeholders—the public, the shareholders, and company leadership. But that also makes the work very challenging. You end up never being anybody’s friend, but you also want to avoid being anybody’s enemy. Doing the job right means that the tough decisions are understood—and supported—by everyone affected.

While compliance officers have risen to leadership positions, their power is still limited compared to those who actually manage the firm. Senatore explains that many in the marketplace believe that the compliance department is the accountable driver of employee behavior. This is a myth that has emerged in some circles, including some regulators, about the omnipotence of compliance officers—a belief that portrays them as having become, in his words, “surrogate supervisors.”

People forget that the obligation to conduct business in compliance with the law existed with boards, CEOs, and management years and years before formal compliance departments ever existed. Compliance officers do not supervise the business. Managers and leaders do. What the compliance officer does is support the business leadership by helping set standards, providing guidance, training employees, and providing feedback from testing and monitoring. The standards, however, are executed by the business.

Senatore continues:

Sometimes you hear from regulators, “Where were the compliance officers?” They need to understand that compliance officers, who, by definition, don’t run the business, only see a fraction of what happens in a business. They can’t be everywhere. In contrast, management supervisors see everything that happens. As such, there is a misconception that somehow compliance officers have this oversized ability to drive the organization when their job is really a staff support role.

Also, CCOs remain a comparatively new function within many companies. Their internal standing vis-à-vis other corporate actors and C-suite members is a work in progress. As such, one of the major challenges going forward will be forging close relationships with other executives in the organization and helping them understand how compliance can, in fact, support business goals by mitigating business risks.

Legal and compliance: partners or competitors?

Of all the different internal relationships that compliance officers manage, the one with the legal department has drawn the most attention. In some cases, compliance continues to be merely a division of legal, in which case the GC manages compliance work. But even in organizations in which the two areas are formally divided, the border remains porous. Senatore describes the relationship between legal and compliance work as being highly synergistic, where the two fields blend together and overlap.

Compliance focuses on regulatory obligations and possible liability, so it is closely connected to what a lawyer does in trying to mitigate firm risk from a legal perspective. Therefore in the past, it was not unusual for a compliance department to routinely report to the general counsel. As time went on, there have been emerging views that the objectives of a lawyer and those of a compliance officer may be a bit different.

He continues:

Some stakeholders, including in the regulatory community, observe that lawyers have ethical obligations to defend their client, and sometimes those concerns can result in a decision to limit the sharing of information pertaining to a given issue among people in the firm. The compliance officer’s focus is routinely different. It tends to be on remediating a problem and, as such, a compliance officer may have less hesitation about sharing information with others in order to accomplish that end. While I have never personally experienced a situation where two competing views frustrated doing the right thing, one can understand how conceptually this could drive different approaches and an organizational structure where compliance is independent from legal.

Owyang compares the debate over compliance departmentalization to the arguments for organizations to have separate individuals fulfilling the roles of chief executive and chairman.

The chief executive is seen as the senior executive manager and is responsible and accountable for running the business. But he or she might be more short-term focused. The chairman is almost always considered to be independent and is supposed to look out for the broader interests and the public good in addition to the company’s fiduciary duties.

He continues:

In the compliance debate, the argument is that the GC can’t be independent and that the CCO should be separate and apart from the management team. But if the GC can’t be independent, then it’s hard to see why another officer at the table would be any more independent considering that that person will have less structural protections around his or her role. And in all of this, there is almost always a self-serving dimension to either side of the debate. Ultimately, it comes down to the character of the person in the role and the culture of the organization – that’s the key symbiosis.

In reflecting on the ideal relationship between legal and compliance, all the interviewees agreed that there was not one magic formula. Industry plays a role, as does the size of the company and the personal dynamics of the individuals involved. What is most important is not the precise form of the relationship between compliance and legal, but its function and authority within the organization (see “The Chief Compliance Officer: Should there be a new ‘C’ in the C-Suite?”). As long as those charged with compliance oversight are able to maintain a voice that is both strong and independent, then there very well might be many ways to skin the compliance cat.

Compliance cannot be about just doing the minimum or not getting caught. It has to be how each and every employee acts, no exceptions. There can be no shortcuts, no looking the other way.

Judy Perry Martinez, former vice president and CCO of Northrop Grumman Corporation

Corporate culture

A consistent theme among leaders in compliance is the importance of corporate culture in preventing problems before they begin. A strong culture—one that encourages ethical behavior, empowers employees to take responsibility for their actions, and provides pathways for communicating concerns and wrongdoings—will be much more effective in minimizing risk than any single audit or checklist. And it starts with the CCO. “Compliance is corporate culture,” Martinez explains.

Compliance cannot be about just doing the minimum or not getting caught. It has to be how each and every employee acts, no exceptions. There can be no shortcuts, no looking the other way. That is what compliance is about, day in and out. That is the culture of compliance—knowing that when no one is looking, there is no doubt that the answer is still “no.”

In pursuit of this culture, companies have increasingly turned to internal training programs and adopted firm codes of conduct to help strengthen their first line of defense: employees. For instance, PepsiCo has adopted a Global Code of Conduct that “applies to every employee [and] governs every business decision we make.” (In 2014 the company was awarded the New York Stock Exchange’s Best Governance, Risk and Compliance Award.) Among other things, the code details the company’s core values, both “formal,” such as adhering to antibribery statutes (the company offers supplementary guides as well), and “informal,” such as rewarding integrity and ethical behavior. By providing the code in an easy-to-read, publicly accessible manner, the company stresses the need for everyone involved in the business—from employees to third-party suppliers—to know, follow, and maintain its principles. Reflective of this frontline compliance attitude, the code offers practical tips including when and from whom to seek guidance. As one example, the company established a 24-hour toll-free hotline (Speak Up), which is available to all PepsiCo employees, suppliers, consumers, contractors, subcontractors, and agents to ask questions or to raise concerns about compliance or business ethics. The company has also developed a corresponding “webline,” available in 24 languages, ranging from English to Hindi to Magyar.

When to seek guidance

If something does not feel right, it might not be the right thing to do. Ask yourself:

  • Am I sure this course of action is legal? Is it consistent with our values, code, and policies?

  • Could it be considered unethical or dishonest?

  • Could it hurt the company’s reputation? Put our company at risk? Cause our company to lose credibility?

  • Will this hurt other people? Employees? Customers? Consumers? Investors?

  • Will it reflect poorly on me or our company? How would it look on the front page of the newspaper?

Source: PepsiCo Global Code of Conduct

One striking aspect of this initiative, and of compliance work in general, is the challenge of having both a strong department and empowered individuals. For while the PepsiCo Global Compliance and Ethics Department, led by a senior vice president, is primarily accountable for promoting, monitoring, and enforcing the Code, the Code also makes it clear that “the ultimate responsibility for following our Code and for maintaining PepsiCo’s culture of ethical excellence rests with each one of us individually.” Put differently, while effective compliance requires robust institutions and tough leaders, it ultimately depends on the many individuals who make the organization what it is.

Navigating a shrinking world

Globalization presents an incredible opportunity for companies, but it also brings with it its own set of risks. This is particularly true for issues related to compliance, which are deeply tied to local business customs and cultural norms. How do compliance officers maintain the integrity of their operations while also expanding to new markets? If the firm has done a good job creating a strong corporate culture, Senatore argues, this expansion will be all the easier.

Certain standards are tied to a firm’s culture, which is immutable and timeless and should apply virtually anywhere. If you have an overarching sense of standards that you want to apply across the firm, then you can build local ways of doing business that are still consistent with those standards. You might have a local operation in India, China, or Europe, and your task is to try to harmonize doing local business—with local standards—within the overall firm culture and set of standards that apply across the board. You have to figure out how to bridge cultures and communicate your standards in a way that people can understand and embrace.

Globalization has also forced many companies to deal with the subjective and interpretative nature of much of compliance, illuminating how critical it is to work closely with employees as they interpret company policies. Culture and language can affect employee perceptions of their duties, and compliance officers need to be aware of this. While this can be challenging, it can also be a good thing for companies, in both their global and national operations. Martinez states, “Globalization has brought about a greater awareness of the importance of diversity and inclusion, which is the foundation to any successful global compliance program.”

Six keys to compliance

Put together, those working in compliance or seeking to enter the field should keep the following pointers in mind:

  1. Judgment and integrity are your two most important strengths—never do anything to compromise either.
  2. Good compliance means taking a holistic approach—don’t ever wall yourself off.
  3. Compliance officers are powerful, but not omnipotent. Don’t let others under- or overestimate your power.
  4. Legal and compliance departments don’t have to agree on everything, but they need to get along.
  5. Corporate culture is the foundation of a successful compliance program: what individuals do when no one is looking is what matters.
  6. Globalization will bring a diversity of viewpoints and backgrounds into compliance work: respect this diversity and maintain your core values.