This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.
Compliance at Computer Associates is certainly a high-profile post. How did you get the job?
I was chief compliance officer at United Technologies Corp. for a little more than 10 years. A recruiter called and asked me for some names of people qualified to take a position like this at CA. The more I thought about it, the more I thought it might be an interesting venture on my part, going from a mature program to a company looking at all aspects of compliance and starting with a new position they never had before—in effect, establishing a strong compliance program through a compliance officer, a role the company never had before.
Last year much of CA’s former management resigned amid fraud charges. How did that weigh on your mind?
I did stop to think that moving from Connecticut to New York might be a big mistake [Laughs]. Seriously: If you like compliance and you really see what the benefits are both for the shareholders and the corporation, the challenge of working for a company looking forward to doing the right thing—to me, that’s invigorating … It keeps you on your toes. Or for a 58-year-old, it keeps you young.
What is the job right now, anyway?
I’d tell you that my job description is going to change. Right now the job is to look at everything. I want to look at every aspect of the organization, assess where CA is, and make recommendations to management about what changes, if any, need to be made.
If you ask me what my job will be one or two years from now, it will be to ensure that the changes management puts in place actually occur. That would be, in effect, doing a risk assessment from time to time, to ensure all those areas are being implemented.
You’ve been on the job two weeks. Where do you start?
What have I been doing for the last two weeks? Learning about what words mean to one company versus what they meaning to another; learning about what staff organizations exist in this company; understanding how the corporation operates. I’ve really spent the last two weeks just talking to people and getting a better sense for how CA works and what CA’s products are. To assess any compliance program, you need to understand a company and what its culture is. That’s going to be a learning process.
With whom are you meeting?
If you’re going to be a compliance officer for all parts of an organization, you meet not only with internal audit; you meet with the finance department, the legal department, human resources. You meet with every staff organization to understand how they function.
The older I get, the more convinced I become that a strong program depends on a leader or a functional head in just about every aspect of the company’s business ... If you make [the compliance officer] responsible for compliance at CA or any company, you’re bound to fail. If you make management—the heads of communications, HR, legal, sales—responsible for compliance in their particular areas, then you’re going to succeed.
Have you started with any preliminary ideas of what steps to take?
In all candor, management and the board of directors have a very strong idea of where they want to head. And if I hear the word one more time, I swear I’m going to pack up and leave ... What CA wants is to have a program that’s "world-class," not only in compliance but in ethics. They want to be viewed as a company that can be respected and trusted.
That’s lofty, but what specific items are on your mind?
Well, obviously you can look at what happened and why CA is under a deferred-prosecution agreement, but part of the problem at CA was that the controls in place weren’t adequate to ensure they’d be world-class. The major effort will be to ensure that the controls are there, and that they operate the business.
So the one thing we know we want to look at is controls. And … they’re not just financial controls and meeting the requirements of Sarbanes. It’s everything: how you do contributions; how you manage your sales force with respect to commercial bribery. It’s everything a company wants to look at.
How long do you expect your “getting up to speed” phase to last?
My goal is not to take much longer than the rest of the fiscal year, which ends March 31.
What else needs to be done, beyond financial controls?
The most important thing I can do is to understand the company. Once I’m able to do that, we can talk about what needs to be done in every aspect. But most compliance officers know that … the three areas that concern an organization the most are conflicts of interest, controls and direction. If you have management resolve and direction, if you’re looking at strengthening your controls, and if employees understand what their obligations are, you have a winner.
Will instructing employees about ethics be part of your responsibility?
I have a theory that everybody understands what the right things to do are; what they don’t understand is whether any laws are in place that are unique or different that compel them to do things differently. I think, for the most part, people are always hungry to understand that someone is going to support them in doing the right thing; the education that I’ll be doing for CA employees is to tell them, “I’m here for you. You want to do the right thing because you’ve been trained to do the right thing … you have a company that wants you to do the right thing, and you have someone here now who supports you in doing that.”
EDITOR'S NOTE
Editor's Note:
Two weeks after this interview was conducted—and five days before it was published—Computer Associates confirmed that Robert Lamm, senior vice president and director of corporate governance, had left the company. Spokeswoman Shannon Lapierre said Lamm's last day was Tuesday, March 15, and that he left to pursue another job opportunity.
After the conversation with Gnazzo was completed, we went back to him for some related follow-up:
Could you comment on Lamm's departure specifically, and how much house-cleaning needs to happen at CA considering its rocky recent past?
Bob Lamm was a valuable and appreciated member of CA's team and left the company to pursue another opportunity, independent of the company's past issues. As we said when we announced our resolution with the government in September 2004, we believe all executives responsible for the misconduct are no longer with the company. In the past year, CA has added a number of top executives with industry leading experience, including Lewis Ranieri, chairman; John Swainson, president and CEO, an IBM veteran; Jeff Clarke, COO, formerly with HP; and Bob Davis, CFO, formerly in a senior finance position at Dell Corporation.
Will you seek to have another second-in-command compliance director like Lamm, or will that position change?
To clarify, Bob Lamm reported to the general counsel, Ken Handal ... Handal will also assume the role of corporate secretary and will oversee corporate governance. CA has made several recent key additions to its legal team, including Jeffrey Livingston, deputy general counsel and the former Assistant United States Attorney for the Southern District of New York, Criminal Division; and Gary Brown, senior counsel and the former head of the Long Island Criminal Division of the U.S. Attorney's Office for the Eastern District of New York.
Do you expect any cynicism from the rank-and-file, since CA’s fraud happened at the executive level?
I think that will be one aspect of it, yes. Another aspect will be to say, “Look, we know you want to do the right thing, and we’ll give you the tools do to the right thing. We want to train you in the areas where you need to be trained, we want to put controls in; we want to make it easier to do your job and to do it right.”
Now, I can be minister for the right thing, but management does that already and that will make my job easier. Whenever they go talk to employees, they say the things I’d want management to say ... If I do my job right, I won’t need to do the talking because management will set the direction and the tone. This management team will do that. That’s why I came here.
Part of CA’s prosecution agreement was to have an outsider monitor its finances. How will that work?
I really don’t have an answer for you—we don’t even have a name yet of who it might be. When that does happen, I’ll welcome that person’s guidance. We’re going to be transparent in everything we do, whether we have a monitor or not … We’re just going to be getting more guidance down the road.
What can you tell us about CA’s Section 404 project?
Well, we’re moving ahead with all deliberate speed. We close our books on March 31, and there is as valid and strong an effort here at CA as what we were doing at United Technologies. I think CA has stepped up with a huge effort to meet those requirements.
It’s been driven by the financial department, but internal audit is involved, along with the IT department. So am I, so is the legal department. The controller’s organization ultimately has responsibility for all those controls in place, understanding that we’re talking about financial controls. There are other controls we still need to think about and worry about. And that’s part of my job that I’ll do going forward.
If we visit again in 2006, what three achievements do you want to have accomplished?
I want to have assessed our program and strengthened the areas that need strength. I want to be able to say the employee attitude about the company is as strong as the new management’s attitude is—and that I have to measure; it will take some time. Thirdly, I want us to be at a point where people won’t call us and ask, “What are you going to do with a company that’s in trouble?” I want you to call us and ask how we made our really good program work.
Thanks, Pat.
Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk. Click here for recent Q&As. If you would like to be considered for a future Q&A, or if you would like to nominate a public company executive for a Q&A, please email Matt Kelly.
Click here for upcoming Webcasts with compliance officers.
No comments yet