This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs.

Rockwell only created your position in February. Why then?

Rockwell, being a former defense contractor, has had numerous compliance concerns going back to the 1980s … We had, and have, very strong compliance programs centered around what I would call ethical behavior and standards of business conduct. We also created a very strong internal audit program, where trained auditors accountable straight to the board of directors periodically go out to a variety of our locations and examine the books, assess internal controls and fraud prevention, that sort of thing …

Then there’s a third category lumped to the side, that I would call “regulatory compliance”: rules and regulations that government issues to tell the company the rules of the road. That could be anti-trust, environmental, safety, SEC, fair labor—all those sorts of things. In those areas, we have a variety of subject-matter experts in each field. They largely worked independently of each other and answered to different parts of the business. To be honest, it was a little bit scatter-shot, largely dependent on need and risk and where we thought we needed attention.

The function we’ve created is one that will draw a concentric circle around those areas, and interface with internal audit and the ombudsman to ensure that we have a good intersection of all three areas of compliance.

Was this precipitated by Sarbanes-Oxley or some other exact cause?

It wasn’t precipitated by Sarbanes, no. I like to think it was driven more by a constant desire to do things better, and by an awareness that corporate best practices were much more consolidated around these functions than the independent silos that we’d had.

So give us more details about what you specifically oversee.

It specifically covers import and export, the Foreign Corrupt Practices Act, anti-trust, environmental, safety, document retention, employment practices, SEC compliance, employee privacy … that’s probably about it for direct oversight. But I also interact with our internal auditor and ombudsman to deal with Sarbanes-Oxley controls and general ethics and business conduct.

That's a lot. How does Rockwell structure the personnel to get all this done?

I have a direct staff of three people, who help me oversee what is a more informal, dotted-line reporting from each of the subject-matter experts. For each one of the areas I just mentioned, we have a minimum of one person with overall responsibility for that, although in many cases there’s a staff underneath them. For example, in import-export we have a total of 22 people. We have nearly that many in a combined environmental-health safety staff.

You’re director of global compliance—how do you track regulations happening overseas that might affect Rockwell?

That’s an area where we need to concentrate more. Currently in the legal department we have Asian counsel, European counsel, and a U.S.-based lawyer responsible for Latin America. Those people are my direct liaisons into operations in each one of the regions. We’ve also emphasized that while my department facilitates and is a tool to help achieve compliance in every region where we operate, ultimate responsibility for compliance in those areas lies with the business leaders there.

So I look at it in the traditional sense that I am their lawyer and they are my clients. And my clients, who are senior vice presidents for each region, have direct accountability for compliance.

How did you decide where to start with this job?

The first thing I did was to conduct a risk assessment. I was able to use some resources we already had within the company, because another part of Rockwell was looking at overall enterprise risk management where compliance was only one of many components. They had developed some protocols for how to assess risks and scale the risks you determine, so I used those tools and with our subject-matter experts went through each regulatory area. We assessed what operations we had in place, what our budget and staff were, what training resources we used, what metrics were used for reporting, whether we audited, and what procedures we had in place.

We looked at all those things and then made a determination of what I thought the impact of potential consequences was, as well as the likelihood of noncompliance. From that, I gave each component a score, combined them into a total risk assessment score, and then ranked them based on our relative risks. That helped me prioritize where I thought we should put our resources.

What floated up to the top?

What floated most to the top was document retention. It was something where we felt we needed some improvement.

Use document retention as an example, then. How did you remedy that weakness?

Well, one reason it scored so highly on our risk assessment was that it did not already have dedicated resources to manage that process. It had developed over the years as an ad hoc, decentralized function with a lot of inconsistency. So we hired a full-time records manager and an outside consulting firm to help us develop best practices, and we are building a new retention policy and schedule that we’ll implement shortly. It will be a much more centralized function after November when we go live with it.

Who would implement improvements in a standard company function, then?

It’s a combination of me, the subject matter experts and the business unit leaders who are directly accountable for compliance.

Was it difficult to get business unit leaders to understand what your purpose was?

I don’t think so. I found that I was enthusiastically embraced by our business leaders. I think they understand the importance of it, and our culture here has always been one of strong compliance.

And that’s true even of Rockwell’s overseas units?

I didn’t encounter that, but perhaps that’s because as part of the risk assessment we did I took a “traveling tour” of our compliance areas. I spent time in our Asian, Latin American and European operations and met the business leaders there, and gave presentations on what we were going to do and how we’d go about doing it … And in each region I then had very specific break-out sessions with each country where we did work and developed individual plans for each one of those countries on how we’d stay on top of local regulations, what resources we had, what reporting structures we wanted to create to communicate with each other. I felt that from very early on I got a lot of cooperation.

What’s your typical day like? What are you tackling these days?

Typically right now I have other programs I’m trying to get up and running. We are creating a metrics dashboard for collecting compliance metrics and getting them reported to our board and senior management; I spend a lot of time rolling out the metrics dashboard. I spend a lot of time working with the document-retention specialists we’ve hired to give direction to that process. We’re also working on consolidation of our training platform into something we can use for all compliance training, so I have a staff of people both technical and compliance-oriented who are working on that. I guess I have a number of larger but discrete projects … so my typical day is managing these projects that we think raise the bar on our compliance activities.

Thanks, Gary.

Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk. If you would like to be considered for a future Q&A, or if you would like to nominate a public company executive for a Q&A, please email Matt Kelly.
