This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.
Describe your duties at Aquila.
I don’t report to the office of general counsel, even though I’m a lawyer by training. I report to our chief executive, and also to the audit committee of our board.
I have responsibility for the internal audit group; our procurement services group, which sets the corporate-level policies and procedures for the purchase of goods and service; our environmental group; and our corporate records group, which sets the policies and procedures for the retention of our records. The financial reporting function falls under the chief financial officer.
Aquila named you its first chief compliance officer in August 2003. Why make that move at that time?
We had some of functional responsibilities distributed through the organization prior to that. Parts of those responsibilities I had in prior roles at the company, primarily in human resources …
As our company evolved over the past few years, it went through some significant restructuring, including divestment of our international operations and our energy merchant operation. We’ve taken a focused view to compliance and business ethics, and that was really done late 2002 into early 2003. We announced that we would move in this direction in May 2003. Not coincidentally, about that same time we were putting significant resources into meeting our obligations as a public company under Sarbanes-Oxley.
How has your HR background helped you in compliance? Was your lack of finance experience a weakness?
Doing labor and employment law, one thing you find is that you get to touch the entire organization, since you’re dealing with people issues and people cut across all functions. From that perspective, and because a lot of things like codes of conduct and compliance now are extensions of policies people within labor and employment have done for years, compliance is really just an extension of that work.
I’d agree that for me, the finance part is what I don’t have. I didn’t get that knowledge in private practice, and that’s the area where I need the most support. But you find good people who have those skills to assist you, and we’re fortunate that our head of internal audit group has 20-plus years of experience on the financial side.
How does Aquila staff its compliance function? Who answers to you?
From a pure “compliance” label, I’m it. We’ve really tried to move this beyond all the policies and procedures. It’s really everybody’s responsibility and about putting a framework in place; it’s building a culture where people understand how to make good decisions in the end. So the idea was not to build a huge compliance department, but to build around somebody who helps with the communications and the framework.
We have developed it so those four functional areas I mentioned earlier all report to me. But I also work with our “business-conduct compliance committee”: a management committee comprised of me, our general counsel and our chief administrative officer. We collectively oversee issues that arise, where I take primary responsibility but we take a collaborative approach so we can draw on all parts of the organization.
What might be an issue the compliance committee handles?
If we were going to recommend changes to the code of business conduct, for example, we would collectively make those decisions. That allows us to get people input, systems input, legal counsel for things like SEC or NYSE requirements, as well as my input into it, to make recommendations to the board. Another would be a particularly serious or far-reaching allegation that had been raised. We would collectively decide on or recommend approaches.
We certainly have a Sarbanes-compliant system for auditing and accounting allegations, but allegations can reach across any number of areas. This is a good way for us to evaluate whether we’re putting the right resources into something, not only to address the specific problem but also to look into the future about whether we should modify our practices.
An energy company has all sorts of regulatory oversight. How do you help the workforce toe the line?
One important item is ongoing communication … That runs the whole range of things, like an online training platform that all our employees go through to really keep things fresh in their minds. And when I say all employees, we require all union and nonunion employees. They’ve been very receptive to doing this; we have 99-plus percent completion on a regular basis.
We then layer in a bundle of communications, starting with our security badges with our helpline number and value system printed on it, to internal articles that various members of management write to circulate internally and externally. That enables us to set expectations on a recurring basis, so they understand that it’s just part of how we do business.
For monitoring beyond that, we use an external resource to help us monitor our helpline. They have tracking systems where they can monitor the nature of the call, and we get classifications in regular reports. And because we have the cross-functional business-conduct compliance committee and we’re relatively small … we coordinate on a consistent basis with each other. I can then consolidate and track and report back out, primarily to the audit committee and regularly to the full board, what kinds of things come in. That runs from inquiries and suggestions to complaints.
How did Aquila manage Section 404?
One of the early things we did when we recognized the need to establish a 404 process was to pull a cross-functional team together that acted as an advisory team, to plan where we would go: to identify processes, to document and test those processes, and ultimately to be able to report back to our audit committee and our 10-K. That steering committee put together a plan and timeline … It was primarily led through the head of our internal-audit group because they had a good understanding of internal controls.
We were going to have to do this on an ongoing basis, so we were going to have to plan the transition out to sustain it. As part of that we designed an internal-controls group which falls under our corporate controller. That group will have the administration and oversight responsibility for sustaining our 404 documentation and testing at the process-owner level. That will allow our internal-auditor group to maintain its independence as it does subsequent validation of that documentation.
Did you use external help for the first year?
We consulted with Protiviti. They were one of the organizations we used to develop our initial testing and documentation; they were the warehouse for the information. I know some companies built their own, but we felt that with our size organization, we would consult not only on the platform itself but also on some of the other issues.
We also retained other consultants. The primary was PwC [PricewaterhouseCoopers], to assist us on various aspects and support where we felt that we didn’t have adequate resources or expertise to do things like validation around our general and application controls for IT, as well as assisting us in designing some of the fraud testing we did.
What’s your typical day like?
I often start with one version of a calendar and it moves to others … I’ll have regular interaction with different people throughout the company—often much more from inquiries, such as how to interpret various policies or what kinds of procedures we should be looking at. And outward communication is important to get people attuned to this as business as usual, so getting out of my office on the second floor of our main building to other locations is important. I try to do that on a very regular basis.
What are your top one or two compliance priorities for the next 12 months?
One of the first things we want to do is further evolve the organization’s understanding of enterprise risk management. We’ve taken a number of good steps in that direction … but to get a consistent way of thinking about business risks will be an important thing for us over the course of the next year.
A second one is just making priority decisions on which requirements we are going to communicate about. Because we’re in such a heavily regulated industry, there are any number of requirements we’re hit by … continually refining that prioritization so that you get an appropriate balance of communication and getting your work done—that challenge we continue to have.
Thanks, Brock.
Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk. Click here for recent Q&As. If you would like to be considered for a future Q&A, or if you would like to nominate a public company executive for a Q&A, please send email Matt Kelly.
Click here for upcoming Webcasts with compliance officers.
No comments yet