Q&A with James Cesarano, VP, Ethics and Compliance at Kroll
Maurice Gilbert: How did you get started on a career in compliance?
James Cesarano: After college, I began working in compliance as a Trade Analyst with the New York Mercantile Exchange. Those were early days for the compliance profession, and I immediately found the work interesting and exciting. I was drawn to law school and spent ten years as a prosecutor with the District Attorney’s Office in Manhattan. From there, I worked as a Vice President in Corporate Investigations at Morgan Stanley, where my team was responsible for conducting reputational due diligence for the Firm. I consider my work at both the Manhattan DA’s Office and Morgan Stanley to have provided great experience and laid a solid foundation for my full-circle return to the compliance world when I joined Kroll a few years ago. I now serve as the global head of Kroll’s Ethics & Compliance Department.
MG: How do you stay current on ethics & compliance issues?
JC: As with many companies, the compliance function at Kroll works very closely with and is part of the in-house legal team. Our legal and compliance teams monitor and review laws, rules, and regulations relevant to Kroll’s business, and as they relate to client matters. We also provide regular training and guidance to our global teams.
Members of the legal and compliance team are provided with subscriptions to various newsletters and periodicals which help us keep abreast of the latest rules, regulations, and developments pertaining to our industry. With specific regard to ethics and compliance issues, I am also a member of various compliance organizations, including the Society of Corporate Compliance and Ethics (SCCE) and Compliance Week.
Additionally, we gain a unique perspective on emerging risk from Kroll’s work assisting clients with their compliance-related challenges. As an integral member of the business leadership team, I see what cases are coming in and what issues are being raised. Hearing these risks articulated in real-time adds another dimension to our understanding of today’s global ethics and compliance issues.
MG: Can you please provide an overview of your role as Vice President of Ethics and Compliance at Kroll? What are your responsibilities?
JC: As the head of Kroll’s Ethics & Compliance Department, I am responsible for the implementation and management of Kroll’s compliance program consistent with the Company’s commitment to maintaining an ethical culture and conducting business ethically and in accordance with all applicable laws and regulations. Along with policy implementation and management, the compliance team:
- ensures that all employees are properly trained under the Company’s Code of Conduct and Business Ethics;
- oversees the vetting and approval process for all independent contractors hired by the Company;
- evaluates risk vis-à-vis overseeing the Risk Committee process and ensuring potential engagements with a high level of risk are brought before the Committee for evaluation and evaluating potential business conflicts of interest on new opportunities; and
- ensures staff are properly licensed and that Kroll is abiding by the various rules and regulations of the jurisdictions in which it does business.
MG: What are some of the significant issues you face, and how are they similar to those faced at other companies? How are they different?
JC: As the compliance profession continues to evolve, I think we have to be careful about painting compliance practitioners with too broad a brush. My experience has shown me that every compliance job is different and the issues that compliance professionals face depend on a wide variety of factors, including the industry of their business and whether it is regulated, the size of the business, whether the business is in the public or private sector, and more.
Working at a mid-size professional services firm, I’m sure there are several aspects about my job which I share with other CCOs in similarly sized businesses. Policy management and implementation, training, and ensuring your organization is following the laws, rules, and regulations in which it operates are the crux of a compliance professional’s role, and a critical role in any company.
However, there are many other issues we face as a company, and which I face as the Vice President of Ethics and Compliance, which are unique to my role and Kroll:
- Enterprise-wide responsibilities. Unlike compliance officers at other firms, whose work may solely focus on one or two narrow compliance issues (e.g. AML, FCPA), I am charged with addressing compliance risk enterprise-wide. This means that on a daily basis, I must be prepared to deal with any compliance risks that might arise at the operational level, business level, administrative level, etc.
- Conflicts of interest. The potential for conflicts of interest is particularly sensitive at a company like Kroll due to the nature of our work and the spectrum of our clients, which includes law firms and financial services companies. We’ve developed a robust system for identifying these potential conflicts and strict policies and procedures for addressing them. We do this both for our business and to ensure we are always working in the best interest of our clients.
- Third parties, like independent contractors. These are individuals that we trust to work on behalf of our clients and represent Kroll, and that is not a position we would allow anyone to take without conducting thorough due diligence and ongoing monitoring. Again, this is something we take seriously for the protection of our business and to ensure the work we do is always in the best interest of our clients.
- Client engagements. We’ve implemented a Risk Committee, which I oversee and participate in, to identify and manage the risks of specific engagements. Members of the Risk Committee include senior business practitioners, legal and compliance representatives, and other senior members of management.
CCOs who work in an industry that is directly regulated may have to shape their team and educate their business based on the requirements of those regulations. At Kroll, our industry is not regulated directly, but certain regulations (e.g., privacy, sanctions) apply to our activities either directly or when agreed to contractually with our clients. Much of Kroll’s client base is regulated, such as financial services companies or the health care industry, and many of the regulations that impact clients directly may “flow down” to us. It is important for me to stay up to speed with significant issues which other organizations and specific industries may face, even if those issues don’t directly impact Kroll.
MG: How does your company approach ethics and compliance internally? How does this approach align with your advisement to clients on ethics and compliance issues?
JC: I’ve always felt that I hold a unique position in that I am the head of compliance at a company which offers compliance solutions and services to its clients. As mentioned above, every company is different and the needs of each company, from a compliance perspective, are often quite varied. That being said, we ensure we “practice what we preach” with respect to compliance. Many of the protocols we have in place internally are shared with our clients as a best practices approach to handling compliance issues.
Essentially, compliance efforts can never be a check-the-box exercise for management, staff, vendors, or clients. Employee training, the availability for employees to report compliance-related concerns, tone from the top, and the use of risk-based criteria to drive better-informed decisions on engagements, transactions, and managing third parties are best practices that we employ ourselves and recommend to clients.
MG: How does your company help its clients mitigate risk?
JC: At Kroll, our goal is to provide clients with the knowledge and intelligence edge they need to make confident choices on how to best anticipate, mitigate, detect, and respond to risk. And we know from our 45 years in business that surface-level information alone doesn’t lead to informed and sound decisions. So, we leverage our expertise, global reach, and technology to go deeper to give clients more refined and more contextual information. Our services are also aligned to the greatest challenges that clients are facing today and organized under four broad areas: Cyber Security, Due Diligence and Compliance, Business Intelligence and Investigations, and Security Risk Management. Each service line offers proactive planning and preemptive strategies to incident response and mitigation solutions.
MG: How do you see the role of compliance department leaders evolving within the next 3 years?
JC: Compliance is about managing risk. Regardless of the regulatory environment, new risks continue to emerge for each and every business, and compliance professionals are trained to be at the forefront of the issues and well equipped to handle them. I believe we will continue to see compliance leaders being placed at the executive levels of their companies, tasked with managing the ever-changing, increasingly varied, and complex world of risks associated with their business.
MG: What do you see as the greatest business risks facing companies today?
JC: Cyber is a major area of risk due to the evolving nature of the issue. We also see third parties as an area to be aware of, and, according to our 2017 Anti-Bribery and Corruption Benchmarking Report (“2017 ABC Report”), this is a view shared by 40% of other compliance officers, executives, and boards. We recently concluded our survey of companies for our 2018 ABC Report, and are looking forward to seeing how executives are thinking about the risks they flagged last year.
MG: How might Chief Compliance Officers, Chief Audit Officers and Chief Risk Officers prepare to face cyber and third party risks?
JC: As far as managing cyber risks, a company has to be willing to make an investment in a strong IT and information security infrastructure. Professionals like those on Kroll’s Cyber Security team will evaluate companies’ current environments and provide guidance as to what they may need. If, in the unfortunate circumstance, a company becomes the victim of a breach or data loss of some kind, you then have a relationship with a company that is familiar with your business and your situation, and can assist in responding immediately.
With respect to third party risk, it’s more important than ever to know who you’re doing business with. Every day, information is becoming more easily accessible and more widely available. Transparency is key and the days of “We didn’t know about…” are getting further and further away. Due diligence is now a must-have, and a company like Kroll can help your business manage this risk by arming you with information about any third party your business works with.
It comes down to proactive risk management. Investing time and resources upfront will mitigate risks down the line and can reduce your response and resolution time in the event of an incident.
MG: What are some of Kroll’s unique service offerings?
JC: Compliance is an issue that is constantly evolving, and Kroll has the experience and global resources to provide clients with end-to-end services, from high-volume screening programs to complex investigative due diligence. To be sure we are supporting clients in the ways they need most, it is likewise important to Kroll to offer innovative technologies and platforms that make managing compliance as comprehensive and efficient as possible.
- We offer clients – and use ourselves – the Kroll Compliance Portal, which is a web-based due diligence, governance, and compliance platform to manage third party risk. Acting as an extension of a firm’s compliance team, the Kroll Compliance Portal allows users to take a holistic approach to third party compliance management, bringing together the four major components needed to help our clients comply with global anti-corruption laws — advice, technology, data, and diligence. The portal is configurable and scalable, supporting a company’s specific, internal business structures. It can also be customized to facilitate unique decision-making processes.
- Most recently, we rolled out a new monitoring functionality that allows clients to monitor counterparties on an ongoing and automated basis. Its features include the ability for clients to:
  - Customize their desired monitoring interval: daily, weekly, or monthly
  - Receive alerts when a new risk event is identified
  - Assess a customer’s risk profile on an automated basis against global sanctions and enforcements, political exposure, state-owned enterprises, and adverse media
  - Systematically maintain third party records for regulatory reporting
MG: Compliance departments are often asked to accomplish their work with limited resources… do you see this situation changing anytime soon?
JC: Again, I think the answer to this question depends on the industry one is in and the size of the company. If you work for a large financial services company, for example, there may be plenty of resources devoted to compliance. Compliance jobs at those companies tend to be very “silo’d.” At a smaller company, however, while you might not have as many resources, you will typically get to experience all sides of compliance. Compliance professionals at these companies will typically work closely with other functions within the company – HR, Legal, Finance, etc. It is incumbent upon compliance practitioners in smaller companies to maintain a good dialogue and good working relationships with these other departments as they will often be “dotted-line” resources, integral to helping the compliance function.
I have no doubt that the compliance profession will continue to grow and evolve. As it does, more and more resources will become available as companies realize the critical role compliance and compliance professionals play in their company. As long as there is risk, there will be a need for compliance.
James Cesarano serves as Vice President, Ethics & Compliance for Kroll. James is responsible for the implementation and management of Kroll’s compliance program consistent with the company’s commitment to maintaining an ethical culture and a high standard of compliance.