Corporate Compliance Insights’ CEO, Maurice Gilbert, interviews Steven Grimes and Robb Adkins, partners at Winston & Strawn LLP.
Maurice Gilbert: How do you stay current on ethics & compliance issues?
Steven Grimes: I am a member of a number of professional organizations, read the relevant blogs, monitor the newsfeeds and case trends, and most importantly, I am in constant contact with in-house colleagues and clients. I regularly catch up over informal benchmarking sessions, or at various conferences to learn what others are experiencing and to share things I am hearing. I also routinely reach out to vendors in the compliance space to hear about their areas of focus. Finally, there are formal benchmarking tools that I regularly consult.
Robb Adkins: Several national professional organizations, such as the ABA White Collar Crime Committee, follow and report out on the latest ethics and compliance issues. While such national organizations are helpful, I find the most relevant source for the latest ethics and compliance challenges is an informal local group we formed several years ago, which is composed of former prosecutors and other white collar professionals in the Bay Area. That group meets every month or so to discuss what we are seeing in terms of compliance and enforcement issues in real time.
MG: What are some of the significant legal issues facing CCO’s, Risk Managers, etc.?
SG: Corruption, anti-trust and trade risks continue to be pressing issues. With rapidly evolving regimes governing privacy, and disparate IT systems being utilized, I see privacy and information security as a hot topic that will continue to be top of mind. While not many CCOs and Risk Managers are focused on it, I also see theft of trade secrets by internal actors as probably the most unmitigated high-risk area.
RA: Specific to the West Coast and in particular Silicon Valley, privacy and information security continues to be a significant and growing concern, as well as theft of trade secrets, often involving foreign actors.
MG: What do you believe is the optimal reporting structure for the CCO and why?
SG: While it varies greatly depending on the structure of the organization, I like to see the CCO directly reporting to the GC, with a separate and independent line of reporting into the governing body of the organization, either through the audit committee or some other format. Plugging into the law department can give the CCO better access to resources and can facilitate greater coordination. The direct line to the board ensures that compliance maintains its independence and is also viewed as standing on its own two feet outside of the law department.
RA: I agree that it depends on the structure of the organization. In some smaller entities, the CCO and others may wear multiple “hats” and that can have an impact on potential reporting and privilege issues. For some of those smaller entities, many of which have very limited legal departments, I have served as stand-by outside counsel to routinely review matters that are reported up by the CCO, in order to advise regarding next steps and to preserve privilege.
MG: How do you effect change within your client’s environment?
SG: It has to be cultural, and it has to be engrained in the business itself. You need the compliance team designing programs, processes, policies, and specific action items that make it clear that the message is coming from the top, but that the middle management is carrying the load. You also need to develop a specific, measurable, and sustainable framework for changing the culture. Quick fixes do not work, so systemic change (in small steps, over time) are needed. And that change must be measured and reported on to assess how it’s going.
RA: This is a frequent question at almost every compliance conference, and there is no easy answer. In my experience, the necessary first step is to create a realistic compliance program that aligns with the business realities and risks (see answer to question 10 below). This allows greater buy-in by employees, alignment with current structures and resources, and better auditing to ensure effective implementation.
MG: What do you see as the greatest business risks facing companies today?
SG: Loss of trade secrets. Too many companies do not do enough to protect their most valuable assets, and too many employees think it is OK to walk out with confidential information. Whether the employees feel entitled to the information, or whether they have specific plans to put it to financial gain, the data shows that theft is rampant. Companies need to take a cross-functional look at this problem and implement cross-functional measures to mitigate the risks up front, best positioning themselves to combat specific instances as it occurs.
RA: I agree that loss of trade secrets is an underestimated business risk facing companies today. In addition, privacy and data/information security are also significant and increasing concerns, especially for my Bay Area clients.
MG: What do you see as the greatest regulatory risks facing companies today?
SG: Corruption, financial disclosure requirements, trade sanctions, privacy, and antitrust.
RA: I would add that environmental enforcement has been a significant issue as well for companies out west.
MG: How might Chief Compliance Officers, Chief Audit Officers and Chief Risk Officers prepare to face these risks?
SG: These professionals first need to create a heat map specific to their company to understand the risks and the specific actions the company takes to mitigate each risk. Once this assessment is in hand, companies need to build out a specific plan for prioritizing and maturing their program as it relates to the priority of each risk.
RA: Most compliance officers are aware of the need to tailor a compliance program on a risk-based model. However, one weakness I sometimes see is the failure to periodically reassess risk and thus alter the compliance protocol to take into account changes in the business footprint, regulatory changes, or enforcement priorities. This is especially true in fast-changing business sectors, such as tech and life sciences.
MG: How does your company help its clients mitigate risk?
SG: We have developed a maturity model framework that we teach to companies to help them first assess, then address their risks in a way that is specifically tailored to the company, the risks, and the available resources. Putting this framework in the hands of our clients empowers them to get the internal support they need to drive change and be able to continuously improve.
RA: In addition to the maturity model framework described by Steve, our international white collar practice has created a short handbook on what steps to take in the event a regulatory or enforcement issue suddenly arises. Although “dawn raids” are the most extreme and unlikely example of risks to be prepared for, many other enforcement issues can quickly arise and companies can often feel unprepared in the crisis that often follows. Clients have stated that they are appreciative to receive a short checklist that can be drawn upon in the unlikely event of such a crisis.
MG: What legislative and policy changes do you see on the horizon that would impact compliance professionals?
SG: We will continue to see CCOs be held personally accountable for compliance failures. This trend is specifically seen in the banking industry and will spread.
RA: Recent changes in enforcement priorities and leadership, often brought about by the recent change in administration, will continue to be an area of potential impact on regulation and enforcement (e.g., the leadership and priorities of the Consumer Financial Protection Bureau).
MG: What is the best advice you give your clients?
SG: Compliance is a continuum. Too many clients get frustrated or overwhelmed with the myriad difficulties that come with building a top-flight compliance program. It’s important to remember that these types of changes cannot come overnight, and that taking specific, tailored, and measurable steps to continuously improve the program, over time, is the best way to achieve lasting results.
RA: Do not set an unrealistic standard that you will fail. Many clients care deeply about compliance and earnestly endeavor to create a compliance program that is ambitious and robust. Sometimes those good intentions can lead to the creation of a compliance program that appears ironclad on paper but is unrealistic or even impossible to implement in day-to-day operations. One of the first things an enforcement authority will look at is whether a company has a mere “paper policy” versus a compliance program that is effectively implemented and embraced within the corporate culture. No compliance program can avoid all risks; and the best compliance programs are those that are realistic and actually implemented.
Steven Grimes, Partner, Winston & Strawn LLP, Chicago, contact: [email protected]
Robb Adkins, Partner, Winston & Strawn LLP, San Francisco, contact: [email protected]