In a 2002 speech to the American Society of Corporate Secretaries, SEC Commissioner Cynthia Glassman called on companies to designate "what I refer to as a 'corporate responsibility officer'" to oversee compliance systems and procedures.

Since then, dozens of companies — from Boeing and Eastman Kodak to Sunoco and Walt Disney — have hired compliance executives, created governance departments, or made other organizational changes to demonstrate a commitment to compliance.

But the establishment of new offices creates new challenges, requiring some companies to carve out responsibilities, reallocate resources, establish measurement criteria, provide board access, address cultural issues, and codify new policies and procedures — often without the benefit of peer-group comparables.

And while the position of chief compliance officer is a familiar one to the financial services industry — investment companies are now required to designate a CCO to oversee compliance with federal securities laws — the position is a new one for most public companies.

As a result, there are few industry standards or "best practices" regarding the structure of an effective CCO position. In fact, many companies aren't even sure what to call it. Most companies utilize the CCO moniker, but chief governance officer and "vice president of business controls" are also common. For the record, few have taken up Glassman's wording of "corporate responsibility officer."

Whatever the title, the responsibilities are new and numerous. CCOs can oversee everything from the legal minutiae of Sarbanes-Oxley compliance to the banality of ethics code distribution. A CCO could conceivably be investigating potential wrongdoing one day, and preparing a compliance report for the board of directors the next.

The recent emergence of the position puts most CCOs in the position of trailblazers, forcing them to write new chapters in their companies' compliance efforts. And these first CCOs are gaining an important insight into what it takes to be successful.

In conversations with Compliance Week, several CCOs outlined a variety of issues — from departmental independence to program measurement criteria — that have helped ensure the efficacy of their roles and activities. What follows are some of their insights:

Reporting Relationships

Cheryl Wagonhurst was named chief compliance officer of Tenet Healthcare in August 2003. She assumed the mantle just as the Santa Barbara, Calif.-based company was facing federal probes into its Medicare billing practices and other operations.

While the company remains under fire and is still grappling with investigations, Wagonhurst brings a reformer's zeal to her role in helping Tenet clean up its act. She emphasizes independence and best-in-class processes as she builds a new compliance function for the company.

What helps, she says, is her clear delineation of responsibilities and mandate for compliance, which includes the resources necessary to build a 100-person compliance function with the goal of providing independent checks and balances in the organization.

CCO SAMPLING

Cheryl Wagonhurst, Chief Compliance Officer at Tenet Healthcare

Appointed: August 2003

Reports to: Board of directors ethics, quality and compliance committee. Administrative reporting relationship with the CEO.

Responsibilities: The department handles compliance reporting and monitoring, calls to the ethics line, and compliance issues that come up in daily hospital operations; issues monthly compliance reports; ensures ethics issues are tracked and action taken; monitors and tracks all audits; and manages specialty compliance.

Staff: When hiring is complete, the company will have a compliance staff of 100, including regional compliance officers, compliance officers in each hospital, and specialty personnel.

Rick Wittenbraker, SVP, General Counsel and Chief Compliance Officer at Waste Management, Inc.

Appointed: November 2003

Reports to: Executive vice president of operations, but expects to report to the new CEO after the current CEO retires later this year.

Responsibilities: Environmental, financial, employment, and legal compliance/reporting.

Staff: 40-45 employees.

Brent Saunders, SVP, Global Compliance and Business Practices at Schering-Plough

Appointed: November 2003

Reports to: CEO/chairman and board of directors' business practice oversight committee, which is responsible for oversight of the company's compliance program.

Responsibilities: Ensures compliance with all rules, regulations, and internal operating procedures for the entire organization.

Staff: 230 people in compliance department, including a compliance officer in every division.

Jay Haberland, Vice President Business Controls at United Technologies Corp.

Appointed: June 2003

Reports to: Vice chairman/chief financial officer, also reports to board of directors' audit committee at each meeting.

Responsibilities: Compliance with SOX, managing compliance program staff. Expects role to end in 2005, when compliance staff is absorbed into the corporate controller's office.

Patrick Gnazzo, Vice President of Business Practices at United Technologies Corp.

Appointed: 1993

Reports to: CEO and board audit committee

Responsibilities: Ethics and compliance; maintains and distributes ethics code to 200,000 employees in 182 countries; interprets and answers questions about ethics code; manages company's Ombudsman/Dialogue program that allows employees to report problems and potential illegal activity anonymously; investigates allegations of wrongdoing, and handles compliance training.

Staff: About 200

For Wagonhurst, independence is critical. In the past, the company's CCO was also its general counsel. By splitting the two roles, the company hopes to ensure that the compliance function only focuses on compliance. "We don't have to worry about whether we are properly defending the company," as the legal department would, says Wagonhurst.

Independence can also ensure the CCO has the freedom to report problems and wrongdoing without pressure from intermediaries.

According to most CCOs, independence must be complemented by the explicit backing of the board of directors and the CEO. If the company treats compliance as "window dressing" without operationally enforcing compliance at all levels, the CCO could wind up a glorified ethics trainer.

To prevent this, Tenet Healthcare's board of directors approved — as part of the compliance function's charter — the formation of a compliance and ethics committee made up of senior managers, including the CEO, CFO, chief medical officer, department heads, and senior managers in government affairs and auditing. The committee meets quarterly to ensure that the compliance program is operating effectively, is conducting the proper training, and is focused on the appropriate areas of risk for the company.

To be truly effective, most CCOs demand a direct reporting relationship to the CEO, as well as complete access to the board of directors. In these cases, "access" is often defined as having the authority to approach the board or appropriate committees without the approval of the CEO. In many cases, the CCOs have a reporting relationship with the board or one of its committees.

Brent Saunders, CCO of $8.3 billion Schering-Plough, considers executive access to the board as essential. "You also need a clear line to the CEO," says Saunders. "Otherwise, you spend much of your time trying to get the CEO to pay attention to you."

In addition to ensuring direct access to the board, companies should also take steps to make sure the CCO and the entire compliance staff are insulated as much as possible from outside pressure. Wagonhurst reports directly to the board's ethics, quality and compliance committee, and — for administrative purposes — also has a dotted-line reporting relationship with the CEO. "I feel like I have complete independence," she says.

To ensure that independence carries the day throughout the compliance function, Tenet Healthcare has mandated that all hospital compliance officers have a dual reporting relationship to both the hospital CEO and a regional compliance officer, who reports to Wagonhurst. All "hire and fire" decisions affecting hospital compliance officers can only be made by those regional compliance directors, which ensures that the hospital compliance officers are insulated from pressure within the hospital they serve.

These subtle reporting relationships and clarifications of independence not only create operational efficiencies for the CCO, but they demonstrate to employees that an ethical "tone at the top" is infused into the very structure of the company.

Compliance Culture

According to most CCOs, a true culture of compliance is created through such integration of systems and processes.

Schering-Plough has taken steps to ensure that compliance is part of the business process by incorporating compliance into company training programs, and by making compliance and ethics part of employees' performance evaluations. "The company communicates about what people should do, how to make good decisions, and expected behaviors," says Saunders. "This makes compliance part of the way people do their work."

Integrating compliance into the company culture can also improve operations. United Technologies is taking steps to integrate its Sarbanes-Oxley compliance efforts with its "Achieving Competitive Excellence" program for process improvement.

For example, the $31 billion corporation is using software automation to track all internal control-related issues on one system. This not only makes compliance easier to manage and support, but it helps identify issues quickly and enables the corporation's numerous businesses to share best practices.

In the past, the company's business units — which include subsidiaries like Otis Elevator and aircraft engine manufacturer Pratt & Whitney — were free to structure their own documentation and testing of internal controls, supplemented by internal audit reviews.

Now, the company has changed the process to ensure that a third party can see the documentation for the controls process. "Most large companies structure internal controls to satisfy themselves to some degree, but Sarbanes-Oxley compliance requires a much higher standard," says Jay Haberland, the Hartford, Conn.-based company's recently appointed vice president of business controls.

Reporting Process

Central oversight of controls and systems may be critical, but even the most competent CCO cannot be everywhere all the time. Therefore, companies need to develop channels through which employees can report problems and potential wrongdoing.

Houston-based Waste Management, Inc., has an active process for monitoring environmental compliance that tracks violations on a weekly basis. It also has an ethics hotline, managed by a third party vendor, which allows individuals to make complaints and suggestions anonymously. All the calls to the line are tracked and the company compiles statistics on how each call was handled, how long it took, and other key metrics, says Rick Wittenbraker, the company's senior vice president, general counsel and CCO.

United Technologies allows employees to report problems in person or in writing through its Ombudsman and Dialogue programs. Both programs receive about 58,000 complaints and reports annually, but only those involving ethical violations or potential illegal activity are handled by Patrick Gnazzo, the vice president of business practices, and his staff. Last January, United Technologies replaced its paper-based reporting system for these programs with a Web site, and now receives 56 percent of written reports through the Web site.

The company has also added a system enabling outsiders to contact the company board of directors directly via email through the governance section of the company's Web site or through the mail. [This is different than the SEC's new rule that requires companies to disclose the process through which shareholders can communicate with directors.] The United Technologies system enables a supplier, customer or other individual to report directly to the board information about potential accounting irregularities or illegal activity.

"If you create a culture in which there is pressure to do the right thing and report things like conflicts of interest and potential criminal activity, the compliance program will be much more active," says Gnazzo.

By doing so, UTC widens the scope, and potentially the efficacy, of its compliance program. "If you have a compliance program that is only designed to keep individuals from committing Enron-type acts, then the activity level of the program will be relatively low," adds Gnazzo. "There are only a few people out there with that kind of evil intent."

Measurement

A key challenge for CCOs is measuring the performance of compliance programs, and understanding when they are succeeding or failing.

Asks Schering-Plough's Saunders, "How do you know you did a good job? Because nothing bad happens?" To that end, it is important to establish a baseline for compliance performance.

Saunders has presented a performance measurement approach for compliance to Schering-Plough's board of directors that focuses on measuring 10 areas of compliance performance — like training, cost of action, discipline and oversight — using three business metrics: quality, cost and time to respond.

UTC takes a slightly different approach to measuring the performance of its business practices function by surveying employees biannually about the company's ethics and compliance programs. The survey asks whether employees understand and use the ethics code, and whether they are comfortable bringing problems to management's attention.

Waste Management's Wittenbraker has a more proactive view of measurement, especially since the company resolved accounting and compliance issues in recent years. "The toughest time to plan is when there is no crisis because you don't know what you are looking for," he says. "We are focusing on identifying what systems and people will give us the best chance to identify problems and deal with them proactively."

Hiring Decisions

As with all critical hires, companies need to determine whether the CCO should be an insider or a new executive from outside the company.

For many companies, a well-respected insider who knows the culture and personnel can make an immediate impact. Wagonhurst was senior counsel for Tenet Healthcare for 12 years before becoming CCO. In her view, it would have been virtually impossible for her to have made as much progress as she did during her first six months if she had come from outside the company. "I have built up excellent working relationships and everyone realizes that this is something we need to do," she says.

Another company that promoted internally was Boeing, which recently named Bonnie Soodik senior vice president of the Office of Internal Governance. Soodik had previously run the company's shared services group, and now has responsibility for internal audit, ethics, Sarbanes-Oxley, import-export compliance, and other governance requirements.

But under the right circumstances, an outsider can bring a fresh perspective to the organization and its compliance efforts.

For Waste Management, it made sense to hire an outsider as CCO, largely because the company had rebuilt its culture and senior management team after an accounting scandal and other problems in 2000. As a result, CCO Wittenbraker was able to fit in quickly, and to do so without the "baggage" of the previous regime.

And because there are so many executives who are relatively new to the company, Wittenbraker has not encountered the functional silos or turf wars that might be prevalent in a company with a more entrenched culture. Instead, his biggest challenge has been familiarizing himself with a very large, complex, and geographically dispersed company. "I have been learning the operations and getting my arms around the organization," he says. "As an outsider, I don't have any preconceived notions of how things should be done. If something is a good idea, it can get done. I don't listen to 'can't.'"

Whether an insider or outsider, many argue that the CCO should at least have in-depth industry experience. "You have to know enough about the industry to understand the business," says Saunders of Schering-Plough, a pharmaceutical company.

He and others argue that knowledge of regulations specific to an industry should be a prerequisite for the CCO. "It would be tough to go from working in compliance for a defense contractor to handling compliance for a pharmaceutical company," Saunders adds. That's one of the reasons Boeing promoted Soodik, who has more than 25 years of industry experience, having started her career with McDonnell Douglas in 1977.

The Right Background

Boeing SVP Soodik is not a lawyer, but — in many cases — a legal background can be helpful to a new CCO.

According to Pitney-Bowes Chief Governance Officer Amy Corn, this is because the key compliance and governance positions are a natural expansion of the corporate secretary's roles. In an August 2003 Q&A with Compliance Week, Corn stated, "Since a good corporate secretary will typically be engaged in assisting the board in staying current with best practices in governance, and because corporate secretaries who are also attorneys will typically be very active in assisting the board and senior management with regulatory compliance matters — including those flowing from Sarbanes-Oxley and the revised listing standards — it makes sense to expand the corporate secretary's role to include accountability for specific areas of legal and policy compliance."

Not coincidentally, many of the executives recently hired to oversee compliance are indeed lawyers. This includes Hershey Foods Chief Governance Officer Susan Angele, who was previously head legal counsel at a Kraft Foods business; CMS Energy CCO Michael VanHemert, previously assistant general counsel; Sunoco CGO Ann Mule, previously assistant general counsel; and Gulf Insurance Group CCO Patricia Lubey, formerly associate general counsel at an AIG unit.

However, it is important to remember that compliance is about much more than the letter of the law.

"You have to focus on what is right because what is legal is not always right," says UTC's Gnazzo. "You must be able to convince people what is the right thing to do."

Moreover, the CCO needs the fortitude to stand up in the face of adversity. Wagonhurst agrees that a legal background helps but is not necessary. She leads a multi-disciplinary team and — in addition to her compliance role — is involved in risk assessment for the company.

Sometimes the nature of the challenge requires a unique or specific skill set.

Such was the case at United Technologies. Though the company created a department of business practices in 1986, it created a new position — vice president of business controls — to deal specifically with Sarbanes-Oxley compliance. With 30 years of experience in finance, public accounting, and consulting — as well as a stint as CFO of one of the company's business units — Jay Haberland was uniquely positioned to fill the role. "It has given me the ability to see controls from a variety of perspectives," he says.

Technical skill is important, but Haberland says he also relies on his public speaking ability, communications skills, and project management skills to keep the Sarbanes-Oxley compliance project on schedule.

And those communication skills are considered critical, no matter what the CCO's background. The CCO must be open and approachable, able to represent a legitimate, stable and safe compliance system that is in the best interest of the company. "Without that, people won't report problems and the company will have big and unpleasant surprises," says Waste Management's Wittenbraker.

That goes for the chief compliance officer's work with external stakeholders, too. Although compliance should focus on how to improve the business, it is also about making sure the company is a good citizen and is not fostering adversarial relationships with those who regulate it.