This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs.

Start by outlining your areas of responsibility.

It’s pretty broad. Some companies see compliance in a narrow sense and some see it in a broad sense; we embrace the latter. Really, in a certain sense, everything under the sun would fall under compliance—that would include not just internal audit, but world-trade compliance, HR issues, Foreign Corrupt Practices Act, environmental health and safety, antitrust.

Just to give you a feel, we start here with a compliance charter that outlines what I’m supposed to do, how I’m supposed to do it, reporting responsibilities and so forth. We generate an annual plan, and at the end of the year we take stock of where we are in the plan with the audit committee.

You’re the first chief compliance officer at SA, correct?

That’s right; I’ve been here about 18 months. It came about that the board and senior management were desirous of this. We have a good board that tries to see ahead of the curve, and they just saw the climate in Corporate America today. They looked around, they benchmarked, they considered best practices, and said, “Maybe we need more than just internal audit, to be sure we’re doing it right.”

So after 18 months on the job, what sort of tasks take up most of your time?

A big element of the job is educational in nature. Now, I’m involved in a lot of things; when I got here we set up the corporate hotline, and took a good look at our policies and procedures. But the two biggest parts are the educational program … and the compliance monitoring and auditing.

What personnel structure does SA employ to help you get those tasks done?

I have a solid line to the audit committee, and as a matter of routine I report to the audit committee at every meeting and enjoy a private session with them without management. On a day-to-day basis, I have a line to the chief legal officer as well.

SA is not a super-large company and we run fairly lean. I have only two people who report to me, plus an administrative assistant to help me. But as I say in a lot of the presentations that I give to employees, anyone who has some compliance responsibility in the company has a dotted line to me. For example, we have a world-trade compliance group for import and export issues, and I speak frequently with the woman who runs that. The same goes for certain aspects of HR, or the legal department. It would be hard to give you an exact number—certainly more than one, but less than 50.

SA also has a corporate compliance committee. Tell us about that.

It’s a seven-member council, and we try to meet several times a quarter. It’s composed of the chief legal officer, myself as the chief compliance officer, the chief financial officer, the chief HR officer, our senior vice president of finance and operations, and then we also introduced two at-large sector presidents from the business side. The idea is that it’s good for them to be involved, because you really want to embed compliance in the operations. Those people serve a two-year term and we rotate them in and out, so everyone gets a seat from time to time.

What items might be on the committee’s agenda?

It’s really all over the place. A typical meeting might consider a revision to a policy on due diligence for the Foreign Corrupt Practices Act, or a concern about IT security, or a discussion of what comes through the hotline.

How many of these issues bubble up from below, and how many are broad, strategic thoughts about compliance policy?

It’s both. Someone on the committee might say, “We don’t have a camera policy, and maybe we should have a no-camera rule.” Or it could be an issue raised from one of our engineering groups, that perhaps a vulnerability has cropped up and we should address it.

What about Section 404? How has SA handled that?

We did pretty well, and got into it early on. Having said that, it’s not my primary area. We also have a vice president of internal audit, who reports to the CFO and also goes to the audit committee meetings. He’s primarily responsible for Sarbanes implementation and the resolution of any issues there. I get involved a little, but he’s really the guy.

Still, we looked at that whole process pretty positively. Some companies moan about it, but we picked up some process improvements and eliminated some redundancies. It’s been helpful.

Many companies do moan about it, frankly, but also learn much about their operations once it’s over. That was your experience?

I think so. You’d have to ask internal audit for specifics, but look at it this way: we’re going from manual processes to automated ones, from detective processes to preventative ones. Beyond that, I’m light on details because it’s not my responsibility, but I hear good things.

How do you train SA’s employees, both on the details of compliance and the importance of the subject?

Oh, that’s my baby here … We have five online courses that everyone at SA is required to take; they somewhat change each year, based on what the compliance committee feels is appropriate and what I recommend.

This year we’ve reworked our code of conduct. Now, I believe that if you hand out a seven-page document, nobody will read it, so we designed an interactive, online code of conduct that teaches the material. It begins with an interview of myself and our chairman of the board, where I ask him about a half-dozen questions: should a person speak up, should they be fearful of retaliation, and so forth. We take them through the code, and at the end we have an acknowledgement that not only will the employee comply, but he or she will speak up if they see a violation.

The other component is instructor-based training, and this is the part I like. I facilitate here, but I don’t get involved too much because the idea is to push it into our operations. We challenge our business units to identify their own compliance risks in their area, and we direct the business-unit leader, his counsel and his HR person to devise appropriate training for a few hours for the employee population.

How do you benchmark all this training and effort?

There are two aspects. One is how a company does relative to other companies; if you go to the General Counsels’ Roundtable or the Ethics Officers Association, they provide some pretty good statistics about where you fit. The other benchmark is how to know you’re succeeding. For our online courses, we have a test at the end—and if the employee doesn’t pass, he starts over. You have to get 100 percent on the test, and that’s the best way I know to measure the acquisition of knowledge. I don’t like the idea of setting the bar at 70 or 80 percent. You need 100 percent; that’s what it’s all about.

You mentioned SA’s annual plan for compliance. How do you set the priorities in that plan?

Last year, I was pretty new and our head of internal audit was pretty new. We did a company-wide risk assessment that contemplated, beyond the traditional balance and income statement, all the risks I’d mentioned early on—as well as strategic risks like business continuity plans. We did dozens of interviews with middle management, operating folks, and senior executive management. We looked at past internal audit reports and prior legal issues.

Finally we came up with “heat maps,” where you’ll list the potential magnitude of a loss if some event were to happen, and you rank your risks. That’s where you prioritize and put your resources and attention immediately. So we came up with a risk-assessment first, and then we built a plan to mitigate those perceived risks. I have a plan, and internal audit has a plan.

So what are the top two items in this year’s plan?

Mine are pretty much educational; I want to continue to focus on that. Also, I want to get out into the field more … I find it very helpful to make more visits, to press the flesh. The more I do that, the more I get called into many problems or questions at the early stages, and that’s a good thing.

Thanks, Dan.

Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk.