This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.
A general counsel wearing the compliance hat isn’t uncommon. How much of your time goes to the compliance role?
The compliance piece is fairly substantial; we’re lucky enough to have a structure within the legal department that allows me to spend a fair mount of time on that work. In particular, I have a general counsel in each of my groups who manage day-to-day affairs of group businesses, and I have four functional vice presidents at corporate who handle securities, labor relations, environmental. That allows me to let them run those areas reasonably independently and gives me time to spend on governance and compliance. I haven’t charted percentages, but I’d guess I spend 40 to 50 percent of my time doing things that relate to governance, board of directors matters and more general corporate-policy things.
What specific compliance tasks does Waste Management face?
Obviously financial reporting is a big part of it. [Vice president of internal audit] Brian Thelen and I play an important role in dealing with our audit committee and accounting groups. We have, internally, all kinds of other processes not directly related to financial accounting. We have a very active help-line … We have our compliance review team that meets on a regular basis. Brian runs the agenda for that, and it picks up people from our corporate security, environmental, internal audit, legal and HR. We meet at least on a monthly basis as that team.
Brian’s internal audit group is active doing normal audit functions. We have an internal-audit group that functions out of the environmental legal practice; we have separate environmental auditors. As you can imagine, compliance in its broadest form involves a lot of regulatory compliance and particularly at our company environmental compliance. We have not only lawyers and technical people involved, but a staff of environmental auditors, who go into the field and audit for environmental compliance, which is where we probably have the greatest vulnerability.
The compliance review team, what do they do?
We have a regular agenda, and get a report each time from corporate security. We get a report from them and a report from environmental. The HR people will attend and give a report on the people side of the business. Brian’s internal audit group always gives a report because they’re usually involved in some investigative matter.
How often does this team think strategically about new compliance issues?
We constantly do that—not only thinking about new processes we need, but because the company is very broad-ranging and we’re implementing new business plans in other parts of the company, we’re constantly tinkering with what the best structure is: whether we need new training, say.
What’s the personnel structure to carry out compliance efforts?
We don’t have a compliance officer designated in each business unit; rather, we try to ingrain it into everyone’s job description. Communication and getting the message out is a real challenge; we have 52,000 employees dispersed in 48 states and 1,500 operating units, and in each one of those locations are significant compliance requirements and local rules and so on. I don’t need 1,500 compliance officers reporting back up the chain of command to me. What I need is everyone in the field having a very high consciousness of what we’re trying to do and take it as part of their job.
I don’t know if this is the right term, but it’s more of a “matrix organization” where everybody treats it as part of their job, and everyone is trained on the compliance aspects of the business.
How do you convey all that training?
This last year, we administered a training program on the code of conduct … a lot of it is done by video and on the computer. We have training programs where people have to sign in to complete the training, pass the test, and have that authenticated … We try not to do training in lecture format or rely exclusively on written materials. There are written materials that get distributed, but we don’t rely on them exclusively.
One good example is that we have an in-house organ called “WM Monday.” We have a regular columnist who used to be our chief ethics officer, who is now a consultant with us. He writes a regular column there.
And for example, in addition to the code of conduct training, we’ve done extensive anti-trust compliance training—not always for the same people, but it’s the same process of asking workers to go through a Web-based training program and be certified. We’ve done the same with our IT security.
Section 404—what was that experience like for you?
Obviously our outside auditors were heavily involved in it; one of our senior people in our accounting people was appointed the lead on our end and worked like a Trojan for months and months. Brian’s internal audit group … did a fair amount of testing, in addition to the outside auditors. It’s a real manpower problem right now, trying to get through it the first time. The real problem in getting it finished is often just having the properly trained and qualified people with enough time basically to force your way through a massive number of testing and correction procedures. We really just threw our people, time and money at it to make goal. And we filed our 10-K ahead of the filing time from last year.
Well, what were the greatest challenges?
The key was that we looked at it as a scheduling and management process, that if we didn’t have good process around it, we couldn’t manage that many moving parts. From the beginning they had very extensive charts around what they were testing, where they were in the status of testing, whether tests had failed and where they were in retesting. It’s the kind of thing that had you not had the management process around it, you wouldn’t be able to keep up with it. They did a good job in putting a system around it … and worked it every week, with a session to see where they were on a percentage basis to achieve goal.
We were able to do this successfully in 404 because the company went through a restructuring in the early 2000s because of financial problems we had then. We had, in effect, new systems and new discipline put in place before SOX was even passed. So a lot of things imposed on us, were things we were already doing.
What will you do with all this control data, anyway—risk assessments or anything like that?
Well, Brian is tasked by the board of directors to do an extensive enterprise-risk management program now. About ERM, our board is intensely interested in that.
Waste Management is a sprawling organization. How do you benchmark compliance goals?
Well, our vice president of business diversity keeps what he calls his “ED indicators”—his ethics and diversity index. He tracks that; in effect it’s a scorecard that he keeps, and he has quarterly meetings around that with senior and operational management. In environmental, we have extensive tracking of NOVs (notice of violations), correspondence and communication we have from regulatory agencies, and our responses to those. The help-line gives us lots of statistics of problems within the company and resolution of cases.
I don’t know that we’ve done a peer-group study as of yet, although we do look at what other companies are doing through the associations we belong too.
And your top compliance priorities for the next 12 months?
One priority is that enterprise risk management; that’s the top priority as established by the board of directors. That’s something we’re reasonably new at doing, and Brian has just initiated that.
I think a lot of our programs are working pretty well. One thing that is a huge effort within the company is the effort to put everyone on the same page in terms of strategy for the company. It’s not directly focused on ethics, but we’ve established what we call a Team 200 and a Team 1500, and we’re going to roll out training on our business strategy. We’ve already rolled it out to 1,500 people, and they will try to roll it out to all 52,000. I think we’ll have established a process; part of the idea here is not to deliver one batch of training, but to develop a structure that we can use over and over to deliver messages and change the culture.
Thanks, Rick.
Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk. Click here for recent Q&As. If you would like to be considered for a future Q&A, or if you would like to nominate a public company executive for a Q&A, please email Matt Kelly.
Click here for upcoming Webcasts with compliance officers.
No comments yet