This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs.

Delineate your compliance and your risk duties for us.

We take an enterprise risk management approach. I have the chief compliance officer role, which involves corporate compliance and the code of conduct, as well as regulatory compliance. As you can imagine, we’re a highly regulated industry and so that part of the portfolio resides with me.

The rest of the organization is more in line with traditional risk management. That includes environmental affairs and safety, insurance and claims, disaster preparedness, as well as traditional security and cyber-security.

That’s a motley crew of responsibilities. How do you master the subject matter in those areas?

It makes for a challenging dynamic, frankly one that keeps me going day in and day out. But the truth is that you can’t do it on your own, and that’s one of the challenges of enterprise risk management. Is it an accounting function, is it a legal function, is it an engineering function? Well, it’s all of those, and you really need to have good people on your team and build up the right skill sets. And obviously you have to build up enough knowledge as a leader to make overall decisions. Good people, that’s how you do it.

Tell us about the people involved, then.

Qwest has a philosophy of centralized management of functions, including this one, so we’re responsible corporate-wide for all the functions described. Having said that, we have contacts in the major business and market units that help us to varying degrees depending on what their needs and risks are—and they do vary from unit to unit.

In terms of direct reports, I have section heads for all the groups I described with the exception of corporate compliance, where I serve as the chief compliance officer. We have a head of environmental and safety; a head of disaster preparedness; a vice president of regulatory compliance, which is such a large area that it warrants not a stand-alone compliance program, but [a separate vice president]; a head of cyber-security; a head of physical security; and one person who does claims and insurance for us.

And who is above you on the organizational chart?

It’s a bit of a matrix. I report to the audit committee of the board for compliance-related issues, to the CEO for the overall compliance program, and to the CFO for the risk management piece. And even though I don’t report to the general counsel directly, I spend a lot of time with him as well.

How has Sarbanes-Oxley, and Section 404 particularly, changed your compliance program at Qwest?

From a macro-perspective—and this may not be true in every industry, but I believe it’s true in ours—pre-Sarbanes, we didn’t see corporate compliance and securities law and financial-related compliance matters as closely related as they are today. From the standpoint of running a compliance program and roles and responsibilities, there has been a remarkable change.

On a micro-level, in terms of what we do, several things have changed. There are many elements of Sarbanes that we have responsibility for, some wholly and some with a committee approach. Section 404 is certainly the biggest ... we handle it here through a committee, chaired by our general auditor, and my compliance group has a seat at that table. They meet monthly.

What other sections of Sarbanes have been a chore for you?

Like many other companies, we built a Section 307 attorney-whistleblower process; that works in conjunction with our employee hotline. Records retention is a significant area for which we have direct responsibility in the compliance department, in close partnership with our law department. Part of the challenge there is that we don’t have much interpretive help at this point, in what the record-retention requirements mean and what the ramifications of not adhering to the requirements might mean.

On the record-keeping provisions, for example, was it difficult for legal, IT and compliance employees to understand each other’s needs?

Absolutely, in terms of understanding the requirements and the scope and the like. The only thing I’d take exception to is that this isn’t over yet. This going back and forth and developing a solution ... that continues today, and I’d guess that question is true at most companies: What is your infrastructure solution going to be, to implement these new records requirements? We’re moving down the path to resolving that, but it is a daunting task.

What do you think of the new COSO standard for risk management?

We’ve watched the COSO document development, and to some degree it’s a road map for us and has helped us validate what we’ve done here for our enterprise-risk program. I believe in it. I think enterprise risk management is the way to go, but by definition that differs for every company depending on their risk appetites, corporate culture and a host of other factors ...

But I can’t predict what will happen with the COSO standard. There are a few different scenarios: one is that people will feel like they’re regulated enough with SOX 404; on the other hand, the COSO standards on audit documentation really have become the standard for the country. So if this enterprise-risk guideline follows in the footsteps of past COSO directives, it may well become mainstream.

Qwest has been investigated by the SEC and the Justice Department. How does that strain a compliance department, even just on morale?

The approach we try to take with employees is that we have a new management team, a new code of conduct, a new philosophy—and it all centers around serving our customers ethically and responsibly. That’s really the way you try to focus an organization. If you don’t, that’s how you get hung up on things and not able to execute the fundamentals of running the business.

Having said that, from a compliance officer’s standpoint, the investigations are both a blessing and a curse. Nobody would wish an investigation on their company, and you have to cooperate and use your best efforts to get things resolved as quickly as possible. The blessing is that there is going to be a lot of help and suggestion about what the elements of a compliance program ought to be ... because the program is under such great scrutiny. Everyone throughout the organization understands what it’s about and what the fundamentals are.

The governance officer at Tyco described his job as letting employees vent about executive corruption and essentially throw rotten tomatoes at him. Is that part of your role, too?

It’s part of every chief compliance officer’s role ... I absolutely have had to do that, but it goes back to the senior management team I described before. They really took the point that this is a new paradigm and a new team, and that we’re going to do things differently. [Qwest Chief Executive Officer] Dick Notebaert is very open with employees; he’s proud of saying that he not only encourages but answers email from employees. As a result, morale and some of the negatives associated with Qwest in prior times have moved past us ... And Dick was wise enough to let us build a new compliance program and get to our employees on a continuing basis.

Do you do a lot of compliance training?

We do ... We’re out there at staff meetings and group meetings and the like, you bet. That’s part of how you make a compliance program successful, making sure the compliance group interacts with the employee body. We require annual code-of-conduct training, and we use a pretty state-of-the-art Web-based approach supplemented by face-to-face meetings, depending on risks and need and other factors.

And your top compliance priorities for the next 12 months?

Well, our program is relatively new. I was appointed in September 2002, and 2003 was a construction year for us; we’re still building certain elements of the program. One objective is to complete construction of the program and then work on the effectiveness of it ... Things shift a bit after all the elements are in place to your satisfaction, and then you spend more energy tweaking it for maximum effectiveness.

What’s an example of that?

One good example is that our timeline said our compliance-audit program would be toward the tail end of building our compliance program. (The theory being, you have to build your program and put the right controls in place, and then you test them.) We’re pretty far down the road now, but our compliance-audit program is the newest element and still under construction.

Thanks, David.