This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.
Your title is corporate controller. Are you personally in charge of governance and compliance at Arrow?
Well, I’m controller. Along with that comes the corporate governance aspect, which is Sarbanes. In addition to that, we have a chief compliance officer whose role it is to ensure that our corporate goals align with our values around the globe, and that our policies are being followed around the globe.
So you oversee the grunt work of Section 404 and similar efforts?
That would be me, yes. Last year I owned Sarbanes along with our senior management team. We had various committees in place, including an executive committee of our CEO and CFO; and a steering committee that included our internal audit team, our outside professional support, and my project management office. In addition to that we had a forum where we had established key individuals in each of our locations around the globe, whom we termed our “Sarbanes champions.”
Are you serious?
[Laughter] ... Oh yes—and that was a title everyone was just dying to have! We had routine forums where we came together with our Sarbanes champions, and that was the way we drove the overall project.
And how did one become a Sarbanes champion?
It is a specific role for an individual, yes. We looked for a few balancing attributes. One was knowledge of the business, one was knowledge of the accounting and controls environment, another was broad project management skills. In 2004, for the most part this was a full-time role. It really depended on the peaks and valleys of where we were on the project.
So a Sarbanes champ would be, say, a vice president of finance?
Actually it would be one level below that. The VPs were really our sponsors, to ensure we could garner the right resources and have the right focus. The level beneath that were the individuals who would really be key for this role and had good influencing skills, and could also work well with the operations folks and IT staff.
In 2004, how difficult was it to start with Section 404? What infrastructure already existed?
Well, we already had good processes in place, so that wasn’t the challenge. Part of the challenge was determining which of the processes were within the scope of Sarbanes. In addition, our controls environment had been strong—so again, it wasn’t so much ensuring that we had controls in place, but more around the documentation of those controls and the subsequent testing.
You mentioned outside consultants. What did they provide?
The consultants were KPMG, and we used them in several ways. One was an overall administrative process simply to help provide guidance and be a sounding board for us. In certain areas of the globe where we were constrained in our resources, they helped us there as well for documentation.
So that first year went relatively smoothly?
The short answer is that it went well. We were successful in achieving an internal clean opinion as well as an external clean opinion. And it also provided us perspective on our operations, as far as an opportunity to determine whether we had the right number of controls in a particular area. We felt comfortable going into this that we had good processes and controls in place, and this helped validate that—as well as, in some cases, helping us realize that in some places we had too many controls that weren’t key controls.
How much extra “encouragement” did international sites need?
As a global company, we’ve always had that communication link. Absolutely this required a heightened level of communication, just to have them appreciate what Sarbanes is all about and what it means not only for them but also for all of us here. It required a level of continuous communication, so they heard the message several times from several individuals, whether it was from our chief executive or from me or from our CFO.
Let’s shift gears to 2005 and beyond. How will you push compliance to Arrow’s process-owners?
The essential word here is “sustainable.” Building a sustainable process and environment around Sarbanes is essential, and there are several factors. One is training to ensure there is a thorough and broad bench of people who understand Sarbanes.
Our approach at Arrow is that corporate governance is everyone’s role. Ensuring that our process-owners know what their roles are—not just from a documentation perspective, but also for testing and keeping everything current—is critical. In addition to that, streamlining the overall process by focusing on what’s key and what’s critical.
We also link Sarbanes to process-improvements efforts. I mentioned earlier that it gave us an opportunity to dig deep into our organization structure; by doing that, it gave us an opportunity to tie Sarbanes directly into several continuous process initiatives.
Could you give an example of that, or discuss how you’ll automate Sarbanes compliance into your processes?
From a tools perspective, last year was somewhat of a brute force effort. This year, the question is how much we can automate. We will be implementing a software tool this year for the continued maintenance of Sarbanes …
What tool will you use?
We’re actually still finalizing that decision now.
Back to using Sarbanes as a lever for ongoing process-improvements. How will that work?
First we have to ensure that idea is a focal point not only of our Sarbanes champions, but also of our process-owners. Second is to focus on what we need for IT processes that cut across our company, that really drive the balance sheet and the overall performance.
What is Arrow’s thinking on enterprise risk management?
As part of our ongoing assessments—and when I say “our” I mean senior management of the company rolling out our internal audit plan—we do go through various levels of risk assessment, whether they’re operational or compliance or strictly financial. So we had a process in place, and a piece of what we’re doing as part of our streamlining is determining how best to weave all of those existing compliance assessments into our overall Sarbanes rollout.
Some companies want to marshal those assessments into one chief risk officer’s role. Is that something Arrow has considered?
There’s no discussion of bringing all that under one umbrella. We do have a chief compliance officer, so he and I coordinate very closely. In addition we have a vice president of internal audit. The three of us are really in lockstep as we continue to assess Sarbanes and overall risk.
What is your typical day like? You’re doing this interview from Sweden—do you have lots of travel?
I can say it’s exciting. It’s busy. It has become busier because of Sarbanes and it will continue to be busier after Sarbanes. It’s a combination of partnering with our businesses, and working with our finance teams around the globe.
As to why I’m in Sweden, part of our approach to managing a global corporation is face time with our regions, not only to understand them but to help them through any challenges they may be enduring.
And what are your top compliance priorities for the next 12 months?
From a compliance perspective, it’s streamlining what we went through in 2004. We were successful in 2004, and we had tremendous learning that year—so it’s applying that learning as well as some of the best practices that are now out in print, as to how we become more effective at ensuring we will continue to be compliant.
Thanks, Carmelo.
Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk. Click here for recent Q&As. If you would like to be considered for a future Q&A, or if you would like to nominate a public company executive for a Q&A, please email Matt Kelly.
Click here for upcoming Webcasts with compliance officers.
No comments yet