Q&A With CCO, Ethics And Privacy Officer At $4.8b Ryder

This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.

Your title is chief compliance, ethics and privacy officer. How much time does each of those topics consume?

It really depends on the day. I think of compliance as what’s legally required; ethics is the gray area in which you may or may not know what to do when something isn’t covered by a rule. From a privacy perspective, we look at the privacy directives and laws that are in place in the various countries where we do business. For example, Canada has its privacy regulations, the European Union has its privacy directive, the states where we do business have privacy regulations. So if we know the regulations are going to change in a particular country or state ... I may focus more of my time ensuring that we’re in compliance when those laws may change.

However, I’d say that most of my days are spent in the compliance and ethics arenas—and with many of the compliance issues, there’s an ethical issue as well. Something might be legal, but might not be the right thing to do in a particular circumstance.

Can you expand on some of your specific duties?

Sure. Ryder has always had a decentralized compliance program, and there have been various subject-matter experts and functional leaders who have had primary accountability and oversight over those areas ... My role evolved last year to formalize some of those programs. While I work closely with some of the heads of those departments, I also do have individual responsibilities.

For example, it’s my responsibility to ensure that the company is compliant with the mandate of the federal sentencing guidelines, especially the amendments that will go into effect Nov. 1 ... I prepare periodic reports to the executive team, the board and various levels of management on compliance issues; I might prepare a report for a division saying that some of the calls we get on the hotline lead us to believe we may have management issues in this area.

And how about on the ethics side? What do you do there to illuminate those gray areas—Ryder’s code of conduct, for example?

I drafted our code of conduct with input from other people in the company. We also just re-issued our code at the end of March ... and we distributed it to employees worldwide in several languages. It’s also going to be in our new handbook coming out in a few months.

We had our first code of conduct in 1978 and we’ve revised it periodically, and we chose to revise it again to ensure that we were going to be in compliance with Sarbanes-Oxley and the New York Stock Exchange. But we actually didn’t have very far to go, because many of the policies that those rules required we already had in place.

Which managers at Ryder help you with governance?

We have a corporate compliance steering committee. That consists of members from our audit, finance, law, international, IT, HR, operations, safety, environmental, strategy and risk management groups—it’s pretty large. Most of the people from those groups are either vice presidents or functional heads of their areas.

That committee meets quarterly, prior to certifications and board meetings. A core group meets more frequently, either in formal or informal meetings as needs arise.

And who sits on that core team?

The core team would be a staff group, basically everyone other than operations. And it may be different sub-groups of a core group. For example, if we want an investigation protocol that protects the privacy interests of people accused of wrongdoing ... when we started that protocol, I worked with audit, safety, legal and HR; at that point, there wasn’t a need for an IT person to be on that team. If I were working on compliance with privacy regulations, I’d begin with our IT and HR people.

How many staff or direct reports do you have?

It’s a little difficult to talk about it that way. I have a fairly small staff which helps out with compliance issues, but I work closely with our IT, finance, HR, safety, environmental and other groups—because it depends on the kinds of compliance issues that I’m dealing with. If we’re dealing with something that might have safety as well as HR issues, I’ll work primarily with people in that area. If it’s an allegation of fraud or embezzlement, I work with the audit group.

Because we have such a collaborative process, although I have only five people who work with me directly, I work with a team with many other people within the company.

And who’s above you on the org chart?

I report to the general counsel, with a dotted line and access to all the members of our leadership team. I’m on the same floor as our CEO, CFO and everyone else. I see them daily and at no time is there an issue if I had to walk into anyone’s office to raise a concern.

Do you ever present directly to the board of directors?

I do. The board wants to hear about how we are compliant, what risk-assessments have we done, where do we see ourselves—it’s the kind of thing our corporate steering committee handles. I present to the board occasionally, but our general counsel does a compliance report at every meeting that I don’t attend. In fact, we had a board meeting earlier this month, and I prepared a report to be delivered to the board.

It must be difficult to reach so many employees. How does Ryder teach them about compliance?

We are a widely scattered company; we’ve ... had to develop a variety of mechanisms. Sometimes we do some training on audiotape for our drivers, for example. Sometimes we do videotape training, or live standup training.

When first I came to the company as labor-employment counsel, I worked with my team to develop an eight-hour litigation avoidance training. Basically we did a road show around the country talking about employment law and litigation issues. Now we’ve added business conduct to that training, and we’ve had tremendous demand from our operators to have this training. And as you can imagine, when you have a bunch of operators wanting to hear lawyers talk for eight hours—well, that was pleasantly surprising.

We’ve also trained our HR managers to deliver some of that training, and we’re going to start training some of our operators so that they can train our hourly employees in the principles of business conduct ... Plus, we’re a transportation company, and we’ve been governed by various regulations for more than 70 years. All of our employees are used to working in a rules-based environment.

Ryder’s Section 404 project isn’t under your direct jurisdiction, but can you tell us generally how the company is managing its Section 404 project?

Our director of audit is in charge of our 404 requirements. He works with a steering committee of members from legal, accounting, finance and others who meet on a regular basis ... Obviously 404 is taking up more time than anybody ever anticipated, but it’s something Ryder is well on its way to completing.

What’s your typical day like?

I wish I had a typical day! Sometimes I just have to deal with whatever comes in the door. I do some traveling, because I like to remain hands-on. I train our managers in the field and our HR people in the field; I’ll be training our VPs of operations in August. And it’s important for me to be able to go out and do the training, because we adjust the training based on what our business needs are. It’s important for me to see how the employees are reacting, and sometimes they’ll raise issues that we may not have considered. So we’re constantly redrafting our training to make sure it’s relevant to people in the field.

And your compliance priorities for the next 12 months?

Well, compliance programs can never be static. We need to constantly evaluate our communications and policies to make sure we’re doing the right thing. When we’re looking at our incentive programs, for example ... all of our officers and some of our directors have bonus modifiers based in part on ethical decision-making and integrity. That can increase a person’s bonus by as much as 25 percent or decrease it by as much as 50 percent. We’d like to introduce additional incentive and deterrence programs to ensure that everybody at all levels of the company recognizes that it’s important to get the right results in the right way. That’s something that our CEO has said time and again.

As we’re expanding into different markets, we need to understand the legal and cultural frameworks of those countries so that our compliance programs and messages make sense. And of course we need to stay abreast of changing regulations in countries where we already do business.

One thing we’re doing is developing a global, cross-functional compliance calendar, so that we can ensure our decision-makers have sufficient time to plan for legislative changes that will affect the business strategy. If we’re going into a particular country and we know that country has legislation that is going to change 18 months from now, we’re ready to deal with those issues.

Thanks, Marcia.