This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs.

Three years ago you were named Altria’s first chief compliance officer. What was the first order of business?

The mission was to develop a comprehensive set of systems and processes to allow us to make good on commitments to be an ethical company. It involved working with the board to develop a set of compliance and integrity standards that are mandatory for each of our operating companies.

Those standards require each company to develop a specific management structure for compliance; to define both business and individual compliance objectives; to work from an annual plan that is approved by the CEO of the operating company and by me; to have that plan be based on a comprehensive risk assessment. The standards go on to require objectives and deliverables in areas like communications, employee reporting, sanctions and investigations, monitoring and evaluation. That sets the framework.

How does that translate into the specific duties you oversee?

Well, first I chair a company-wide task force called the Compliance Leadership Team, which is the chief compliance officers in each of our operating companies, the lawyers who advise them, and representatives of allied functions like audit, HR, finance and so forth. It’s through that group that we drive most of the core programs.

For example ... That’s the group we worked with for our code of conduct. It had been a 50-page document appropriate for management, but we wanted to see what was appropriate for the grassroots employees. Through the compliance team, we produced a series of shorter codes; some were appropriate for office workers, some for manufacturing employees, and our companies have worked to translate that into 25 languages.

How many people are on the committee, and how often do they meet?

We meet three to four times a year, and there are about 30 people.

From a personnel standpoint, who works for you directly and who works for the compliance officers at Altria’s operating units?

We have three huge operating companies ... They each have a chief compliance officer, and those compliance officers have their own teams. But they also operate through a compliance council of, say, 15 to 20 people who aggregate the key functions and business units within their companies—and it’s that group that they use to develop their annual plan. What we have on an enterprise level with the Compliance Leadership Team, they mirror at the operating-company level.

Each company has a central compliance staff that’s usually no more than five to 10 people ... So there’s a core team focused on making sure the process runs, but also in keeping the accountability where it belongs, which is in the core of the business.

So whom would a Kraft or Philip Morris employee consider the go-to compliance officer—you, or their company contact?

You’d probably see it as both. I try to attend as many compliance council meetings as I can, either in person or by video hookup. When I travel around the country and the world, I do meet with employees; they recognize Altria as the parent. But I think the most important relationship for employees is with their management and their compliance officer; that is whom they look to.

And who is your boss?

When I first came into the job, we had a structure where the chief executives of the operating companies reported to a central chief operating officer. He really ran all the businesses, and when my job was created I reported to him. We no longer have that format, so my principal relationship is with the audit committee.

I’m also a member of Altria’s corporate management committee, which is a 12-person group ... Altria chose—and this had nothing to do with me—to put the chief compliance officer job at the most senior level of the company. I think that sent a strong signal that the corporation is serious.

How often do you meet with the audit committee?

Every meeting, and I think this year they will meet quarterly. It’s four to six times a year.

Altria is a diverse company. Aside from Sarbanes-Oxley, what other compliance efforts do you face?

It’s a funny situation, and I hope a lot of other compliance officers find this also: The specific regulatory or legislative compliance responsibilities in areas like finance or HR or worker safety—all of that stuff is well-buttoned up in a company like Altria. The bigger challenge is what you don’t know about, the risks that normal employees encounter on a daily basis that might not be top of mind.

What I’ve found is that the risks applied to large, undifferentiated parts of an employee population are the things that can, if you’re not careful, be a problem. The guts of a compliance and integrity system—creating a culture where people are willing to come forward and report possible misconduct—those are the kinds of things that I think a good compliance team can bring to a company ...

For example, Philip Morris has huge obligations under the master settlement with the states, to do any number of things to comply with the settlement. I review their summary every year to ensure compliance, and it’s absolutely gold-standard. That sort of stuff is in terrific shape. What worries me more is whether people in the far reaches of the enterprise understand how certain actions at the end of a quarter could cross a line.

In 2002, you met with employee groups to get their thoughts on updating the Code of Conduct. What feedback did you get from them?

That was a terrifically insightful process ... First, they wanted to know where this effort was coming from: Had they done something wrong? Was it about Enron or some lawsuit? We found we hadn’t really nailed the core reason for why we were undertaking this. And without having their minds around that ... all this activity creates a cognitive dissonance. People don’t take it in as well.

How did you answer that question? After all, much of this is because of Enron.

It was pretty straightforward. We pointed to the fact that I was appointed to this job before Enron, so I was focused on the task before all the scandals. But we obviously are a company heavily focused on issues related to our products ... And it goes without saying, we’re a company that attracts plenty of attention and plenty of scrutiny. One insight you can derive from that is that we’ve got to be much better than the average company on the street at meeting our obligations. People are going to look at us. I think our employees heard that and said, “Fair enough.”

What other feedback did they give you?

Our international employees took a look at the draft and said it was “too U.S. We’re an international company, so make it look more like a worldwide code.” We had what we thought was a great idea, of printing the number of the employee help-line at the bottom of every page of the code. They said that was too much, that it sent the message that the whole code and compliance integrity effort was about a phone line. They even said the code was too good-looking, too well-designed.

Really?

Yeah—and that one I ignored. I wanted something that looked good and that people would use.

What can you tell us about your experience with Sarbanes-Oxley? How is your Section 404 project coming along?

Well, I think you need to break it down into its parts. The board needed to do a bunch of things vis-à-vis auditors and audit independence, and all of that was relatively easy to take care of.

You’re right that 404 is the big work piece. It’s ... been a mammoth undertaking. It’s been driven by a worldwide finance team, and I get regular reports on it. I think we’ll be done well in time.

Who takes the lead on the 404 project?

Our controller. To me, on all of these issues, you have to ask who is in the best position to handle it. Perhaps if I’d grown up in finance, you could make an argument for me to lead that. Given my background, it really would have been a misuse of my time to oversee that.

Does your job require a lot of travel?

Yes. I don’t go a single day without talking to one of our chief compliance officers ... I’d say there’s a project needing a meeting or a conference call more than once a week. We have a Wednesday morning permanent conference call, to talk about the training front; when we review calls to the help-line, that’s a group effort. Just doing our day-to-day business pulls us together.

What are your top compliance priorities for the next year or so?

Well, as our program is maturing, the questions are not so much about creating new things as they are about making sure it’s all real. That brings to the front projects like how to audit this stuff. Our internal audit team has created a separate compliance-audit group, and we’ll work with them to ensure that what the companies say in their plans really happens. That’s one.

Another follow-up is our first worldwide employee survey on integrity. We expect to get a feel from that of what all this means on the ground. The responses and insights we get from that will create a work plan going forward.

Thanks, David.