This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.

WellPoint has a few executives splitting up its compliance function. What do you oversee?

I’m vice president and deputy general counsel, one of four or five people with that title reporting directly to the general counsel, who is the chief compliance officer. My primary responsibilities are securities laws, mergers and acquisitions, and over the last two years a significant amount of my responsibility has been corporate governance flowing from Sarbanes-Oxley. I’d consider myself a corporate generalist, with an emphasis on these governance types of things.

WellPoint has more than a dozen operating companies. Do you have compliance agents at each unit, or enforce compliance through some other strategy?

I personally don’t have people in the companies answering to me. But all of the lawyers in the company report up to my boss, the general counsel. At WellPoint, everyone who operates as a lawyer (and a lot of them are doing compliance functions of one form or another) reports to the general counsel. He ultimately is accountable to the board as the chief compliance officer. That’s how we achieve visibility across the organization.

Our model is one of a centralized focus where it’s important to be centralized. We have operating companies that distinguish themselves when they’re looking outward toward the customer, but for many other functions it’s a centralized focus. That proceeds from one of the most significant aspects of our culture: Our chairman and CEO, Leonard Schafer, in a former career was a regulator. He ran what was then called HCFA ... in charge of the Medicare and Medicaid programs. He comes from a background that’s very compliance-oriented.

You’ve been with WellPoint since 1996. Certainly more duties have come onto your plate after Sarbanes-Oxley, but has your function changed conceptually?

For the most part, my functions have been constant. My general responsibilities and duties have remained relatively unchanged, although Sarbanes-Oxley has taken up a significant amount of my time since it was passed.

We’ve also grown considerably as a company since I joined the company. When I came here we had probably 3,000 employees, almost all of them in California; now we’re at 20,000 employees and a majority of them outside California. In some ways that makes it even more important to have that centralized focus.

How has that growth affected your compliance obligations? How many agencies exert some regulatory oversight?

Nobody is not looking at us, really. It’s a dual regulatory structure: Our primary business is to act as a healthcare insurance company, and generally that’s regulated on a state-by-state basis. But there are also federal health care laws like ERISA that have been passed, plus as a public company we live in a federal regulatory scheme coming out of the SEC. And I haven’t even touched on HIPPA ... that significantly affects how healthcare companies do business.

You’re right that as we’ve grown it has been a challenge, but we feel like we have a handle on it ... We do have those centralized core functions, and regulatory compliance is one. You want to make sure you get consistent activity from people across the company.

Talk about how WellPoint has managed Sarbanes-Oxley and the Section 404 project: steering committees, outside consultants, new IT systems?

All of the above ... Our approach, since we started more than a year ago, it to put together a team from all of our various operating units and our shared, central services. We put together a project management office with one person in charge and a staff associated with her. We’ve also engaged the services of our internal audit function, which is outsourced, to assist us in this project. Our general philosophy is that this must be managed mindful of the fact that it is an ongoing requirement for the company ...

We really approach it in a method that it has to be repeatable year in and year out.

How has that documentation process gone? Who specifically does that work for WellPoint?

That’s not something that I as legal counsel would do on a day-to-day basis, although I participate in steering committee meetings and things like that. That primary function has been left to the folks in our finance and accounting departments working with internal audit ... They have spent significant amounts of time in the last year or so doing that.

But for a company of our size—and I don’t think this is unique—we already had a well-functioning internal control system. It’s really more about documentation than anything else.

Has it been difficult to work with employees and make them understand what Sarbanes-Oxley means?

I’d have to say Sarbanes-Oxley in general and Section 404 in particular have not been difficult for us to get people to understand or internalize the urgency of them. Everyone sees stories in the paper every day about Sarbanes-Oxley, or Enron, or WorldCom—everyone understands the importance of this right now, and that Corporate America is under a spotlight. Our people have accepted that this is like gravity. For our folks, we’re used to new regulations being adopted every year ... There may be some grumbling, but they realize this isn’t optional.

We are curious about what compliance burden is heavier, HIPPA or Sarbanes-Oxley. Any thoughts on that?

They’re obviously much different exercises. Sarbanes-Oxley does affect everything we do, but HIPPA goes to the very core of our business. On balance, I think HIPPA was a more significant undertaking because it had so many different aspects. It wasn’t just understanding how you had to be more careful about patient privacy, but we also had to make changes to how our systems work and all sorts of things like that.

Has the new compliance mentality made WellPoint more sensitive to due diligence procedures when considering mergers or acquisitions?

That’s a fair comment. I would say that Sarbanes-Oxley does put more of a premium on certain types of due diligence when you’re looking at a potential acquisition. Certainly the accounting due diligence has become more important; you want to have some comfort that when you fold this new entity into your organization you’ll be able to comply with 404 for that entity. But we have always been very, very thorough in our due diligence investigations, so I’d say that apart from the accounting part of it, Sarbanes-Oxley hasn’t greatly affected our merger activity.

For companies doing acquisitions of other public companies, we’re all living under Sarbanes-Oxley and you probably have a little less concern. It’s the acquisition of small, private companies where Sarbanes-Oxley issues come to the front. And we do have a history of large, medium and small acquisitions. Sometimes there is more focus on that than other times.

What about the other components of Sarbanes-Oxley such as record-keeping, or accelerated filings? Have they been difficult to implement?

Well ... I don’t want to minimize the amount of work that has been done, because it has been a fair amount. We had to go back to all our board committees and amend their charters to reflect certain things, and we did have the accelerated Form 4 and now the 8-K deadlines. It’s something where you just accept it and get used to it. Initially it was a little inconvenient, but you move forward.

But how do you catch an event that might trigger an 8-K or Form 4 filing? Does WellPoint have an automated system or must employees alert you themselves?

We’ve always had, well before Sarbanes was in place, a policy that anyone subject to a Form 4 filing when they intend to do anything with WellPoint stock must clear it in advance with the general counsel. That serves as the mechanism for ensuring we know in advance. Don’t get me wrong—the two-day notice requires us to do some scrambling. But we know when somebody wants to do something.

Considering all the changes we’ve seen in the last two years, is this job what you expected?

If you asked me at the outset whether I thought I’d spend a significant percentage of time worrying about our compensation committee charter—well, I can’t say I would have predicted that. But a lot of the stuff I do, like mergers and acquisitions, I’ve always done and I like doing it. Likewise, Sarbanes-Oxley presents its own opportunities to learn new things. I never had the expectation that my job wouldn’t evolve over time. It’s evolved in a way I wouldn’t have predicted, but that’s the way things go.

How much of your time is devoted to Sarbanes-Oxley now?

We’re at the point now where it’s tapering off. In the last few years it’s been at the 25 to 40 percent range, and now we’re at the lower end of that. For most companies like us, now you’re in an ongoing monitoring and maintenance mode.

Thanks, Robert.

Topics