In the latest of our occasional Q&As with governance and compliance executives, we talk to Garry Watzke, general counsel at $2 billion Iron Mountain.

How big is your compliance staff? What are its main responsibilities?

I have a director of compliance responsible for the front-line work on compliance; the director has been with Iron Mountain for several years. She reports to me. She makes recommendations regarding the program and implements them. She has a staff that follows compliance issues and tries to implement the compliance program. The group presently consists of four people.

I also have a staff of lawyers doing legal work. There’s a meaningful interplay between compliance issues and what the legal staff does. There’s cross-pollination.

And who do you report to?

I report to the chief financial officer, though our team works across the company with operations people on compliance-related issues. Also, Sarbanes-Oxley compliance really falls under the responsibility of our financial leadership, where I’m focused on all other laws and regulations that impact our business.

Why did Iron Mountain develop a separate compliance team?

The company began focusing on compliance in 2003. The team was put in place in the last two to three years. I think the motivation was less Sarbanes-Oxley than an awareness that it was important for companies of some size and reach to make sure they are in compliance with applicable statutes.

And in our business of providing storage and protection of customer information, we felt it was important to make sure that we were fully compliant. Senior management felt there was a need to establish a more formal and business-like incentive approach to become compliant.

Iron Mountain did an enterprise risk assessment to help set its compliance priorities. Tell us how that went.

In 2005, the company undertook an enterprise risk assessment that asked about 300 managers about what risks they saw that might be of a level that would be material to the company. Those risks were distilled and prioritized based on the likelihood of their occurring, coupled with the severity of the problem created by the risk.

From that risk assessment, we have a roadmap of two dozen or so principal risks. Some are operational, some are compliance. For all of them we identify the owners of the risk. That person was required to identify a risk mitigation action plan, to reduce the possibility that that risk would come to pass. The plans are being implemented now.

It was a comprehensive program to identify and prioritize risk. Some are not compliance, but might arise from a failure to comply with other policies and procedures that we might have. For my group, compliance relates to laws and regulations that affect us. The other risks might be operational procedures such as safety and security.

How much has the assessment been a trial-and-error process?

I would say it’s more about an evolutionary process. It continually evolves because of new issues. I think particularly in 2003 and 2004 we addressed what we thought were the right issues, but when we undertook the enterprise risk assessment and identified the risks in a more comprehensive way, we modified our compliance programs to address the risks identified there in a more scientific way.

Can you give us an example?

An example would be the decision, as a result of the enterprise risk assessment project, to add legislative and regulatory developments as risks that Iron Mountain should monitor and be prepared to comply with. We recognized that it’s important to keep abreast of legislative and regulatory changes as they are developing because Iron Mountain, as custodian of our customers’ information, must be prepared to comply with information-related requirements that affect them, and appropriate reactions to legislative and regulatory changes often require substantial planning and training.

What recommendations would you make for designing an enterprise risk assessment program?

The first one is to have strong support from the very top levels of management, which we do. Secondly, give considerable thought to the structure of the company: how to get the best participants and identify risks by the appropriate people in the company. When you’ve identified the risks and created a mitigation action plan, educate the entire workforce as to what the risk is, what the company is doing about it, and what each person should be doing in their sector.

You need to be open-minded about what might constitute risk. It’s really helpful to solicit a broad opinion to get the information out in the field. They may offer useful insights as to what you should be looking for.

What levels of management did you include in your assessment?

We went as far as the general manager level, those actually managing operations, and gave them some tools to use to identify risks. Then we were able to quantify from a large number of people the particular areas to pay attention to. We got information from both ends of the spectrum.

We used a survey tool created in-house to obtain the initial assessment. The information was tabulated and used to create a risk profile: those relatively likely to occur, and second, if they did occur, the possibility that the consequences of being serious were high. That helped us identify the risks we should be spending most of our attention focusing on.

And you mentioned educating the workforce. What tools do you use?

One of the principal tools we use is interactive learning and training. We use commercial systems and customize their programs for our needs. We use Integrity Interactive, we have webinars and seminars, and we also use a number of internal publications that publish articles regularly. We are considering other devices to help remind people, for example calendars and contests. Our director of compliance is good about thinking about ways to train and educate the workforce.

What’s your biggest priority for this year?

Education is our main priority. Our first program will be an interactive learning event for our code of conduct and business ethics, which will be rolled out in first-quarter 2007.

In general, compliance is a learning issue, so we’re trying to educate as many of our employees as possible. Because we have custody of so much information of our customers, we focus a lot on issues of privacy and confidentiality of that information. We store information for many financial institutions and medical institutions. We have extensive procedures to make sure we are compliant for customers with HIPAA and other statutes. A major part of our compliance effort is, in effect, making sure we comply on behalf of our customers.

What other priorities top your list?

First would be the security of our buildings, and the practices that promote the security of information in our custody or in transit. Second would be the training of employees with respect to the importance of being careful with our clients’ information. We’re constantly making changes to security and IT. We are focused on the security of information while in our custody. We don’t transfer information other than to our customers …

One of the risk areas I’m responsible for has to do with making sure Iron Mountain is aware of proposed legislation that might have an effect on our customers or us with respect to information security, storage, et cetera. The charge to me was to identify methods of becoming aware of legislation when it’s proposed, on the state or federal level, and of having a way to become aware of proposed legislation or regulations outside of the U.S. that could impact our operations. I monitor their progress and try to predict what effect they might have, giving us a chance to be aware of these developments before becoming actual legislation, so that it doesn’t catch our customers by surprise.

What’s the approach to tackle that?

We have been able to do that. We established a network of sources to obtain information about what might be happening in the states or various countries. We are communicating those issues to senior management before they become statutes.

We hired law firms that we think would be knowledgeable about issues in their country, maybe because they work on those issues for other clients, adding us to a mailing list or keeping us in mind. We have such a firm in the U.S. for federal and state legislative purposes.

Thanks, Garry.