David R. Jackson
J.D., University of Kansas 2007, LL.M. University of Arkansas 2012
It’s a typical Monday morning. I have a hundred unread emails, and my phone is ringing as I walk in the door, a Fed-ex envelope on my desk. The call is from my boss who wants to know why I’m contacting the information security team about being included in the next table top exercise. It’s a question the information security team raised directly, in one of the emails I will reply to later—but for now, I’m explaining to my boss that the privacy compliance team needs to be a part of any data breach practice that the company undergoes. I turn to the Fed-ex envelope, which is from the local Customs port. Enclosed is a “Request for Information” due next week. Evidently, the envelope got lost in the mailroom for two or three weeks before getting routed to me, since Customs normally gives a company 30 days to respond. I will have to draft a formal response, but I will also ask for an extension. At the same time, one of my employees walks up to my desk and asks if we can talk about a conflict she’s having with a member of the sales team about a customer that we had to terminate over violations of our Acceptable Use Policy.
I am a compliance manager, and have been for over twenty years. While this is not an actual day, it’s a pretty good approximation of what my days are like.
Compliance leadership within a business requires maintaining five different conversations concurrently: (1) with the business, (2) with senior management, (3) with other teams that support the business, (4) with the government agencies and industry groups that provide external oversight, and (5) with the compliance staff. The challenge is not carrying out any one conversation, but juggling all conversations at the same time, and constantly shifting gears between conversations with different audiences.
The Business Conversation
The central role of a compliance leader is to provide oversight for business transactions that carry any degree of risk. Usually this involves working with the sales and customer engagement teams to identify concerns with potential customers or vendors. The type of compliance needed generally depends on the type of business. In fact, the first task of any compliance leader is to assess the company’s business model and the types of risk that model raises. In order to assess risk, the compliance leader must know what the business transactions are (or will be), and frequently that information can be a closely guarded secret. Developing a rapport with the teams that generate sales is critical to understanding the true nature of the business and its risk. The key question to ask is “what are we selling now, and where are we headed?”
When I led Internet Abuse teams, the main goal of the internet service provider was selling Internet accounts—sometimes email, sometimes websites, sometimes cable modem access. Each has their share of customers who are prone to violate the rules. Some customers would send out emails with viruses (to “phish” for account login information); others would set up servers on consumer accounts, and use more than their allotted share of bandwidth. Over time, my team and myself could profile typical bad actors and provide that data to the sales and customer engagement teams.
I admit that we had variable degrees of success in establishing what types of customers were undesirable. But I still believe that the compliance team is the best early warning system of what customers a business should avoid. I see my role as the canary in the coal mine.
The Conversation with Senior Management
In addition to a compliance professional’s relationship with the business, he or she must remain in conversation with the individuals who lead the organization overall. Senior management generally hires the compliance leader, and the compliance leader will typically answer to a specific executive—either General Counsel, a Chief Executive Officer, or the Board of Directors. Regardless, the conversation remains the same: “What is the current level and type of risk that the company is facing and what does that cost?”
The answer depends on the company’s culture, the type of business or industry, and the type of risk already assumed. From the standpoint of the compliance leader, the biggest challenge can be determining what the senior management really wants from the compliance role. The compliance that is needed may be ignored in favor of the compliance that the senior management wants.
Some companies want a high degree of compliance. They are risk averse, and crave stability. They require standard processes for every type of transaction. Other companies want compliance to operate in the background with little visibility or support. In the latter, often the teams play a janitorial role and spend most of their time and resources cleaning up after a compliance failure. Most companies operate somewhere in the middle- enough compliance to avoid a total shutdown, but have some ambiguity in the more sophisticated and less frequent types of business transactions.
I’ve seen compliance done with excel spreadsheets and emails, and I’ve seen compliance done with databases and regular reporting. I’ve seen compliance staffs of 1, and compliance teams of 100. (Though I’ve never met a compliance team that had “enough” employees.) The senior management directly or indirectly asks for the compliance they want—and if management doesn’t want to spend a lot of money, compliance will get minimal coverage. If senior management is concerned about the risk of government penalties, then the compliance team will likely have more people and technology to get their jobs done.
It’s a bit like insurance, where the compliance leader’s job is to determine whether the company is a hypochondriac or a daredevil, and adjust priorities and resources accordingly.
Conversing with Other Teams
Most companies have teams that specialize in a particular area of support, such as human resources, accounting, network operations, customer care or logistics. These “overhead” organizations provide cost savings through specialization and efficiency. However, these groups often raise the greatest compliance risk for an organization because their role is focused on the continually optimizing processes to reduce costs rather than ensure regulatory or industry requirements are met. From support’s perspective, compliance is only an additional cost, and frequently delays their work. As a result, there can be great reluctance to partner with compliance.
Some of my work is international trade compliance, and that involves working with the logistics organization to review shipment data and determine what government reporting is required. For imports, the shipment has to be cleared with Customs before it can be released from the port. Because the statute of limitations on Customs entry documents is five years, the compliance team must review each line of an invoice to determine the amount of taxes to pay. The logistics team will often complain that the process takes too long. However, if the compliance team rushes, the penalties for violations can be very high, and those Customs filings, like tax returns, remain auditable for five years or more. The rules for imports are very complicated, and there can be tension between the logistics folks looking to move the merchandise as quickly as possible, and the compliance folks who need to make sure everything is correct, velocity versus accuracy.
Talking to Government and Industry
The least-understood role of the compliance leader is to be the “enforcement whisperer” between the company and external regulatory agencies. External enforcement may come from a government agency or from an industry group that oversees a particular type of risk. “Whispering” in a compliance context is the ability to speak the nuanced language of the auditor or investigator and convey that “we are one of you, and we understand and comply with your rules.” The company may not understand the risk completely, may not believe that the risk is real, or may overestimate the success of their own compliance efforts in addressing that risk. However, that does not eliminate the company’s need to comply.
For the compliance leader, being an effective advocate for the company starts by translating the risk and associated rules and regulations into the company’s business processes. The compliance leader—generally through the compliance team—checks and documents the processes, anticipating the possibility of an audit. The compliance leader also acts as the corporate tea leaf reader, discerning the agency’s or group’s current priorities for oversight and regularly assessing the company’s real risk of enforcement action.
When I practiced law as a regulatory attorney, we would sometimes call the government investigator directly and ask for a deadline extension for a particular request. There was a certain attitude of respect that you conveyed—not just in choice of words, but in approaching people warmly and deferentially—which is not necessarily how law firms communicate as a matter of course. However, the government investigator has a great deal of discretion in granting the extension, and setting that tone can be key later in the discussions.
Often, the company itself as the client might not have been aware of the discussion at all. Working internally in a compliance team, the senior leadership may not appreciate the effect a government investigator can have on their bottom line—and that a little kindness and understanding can go a long way.
Leading Compliance Staff
This is the least appreciated role of the compliance leader, and yet it can be the most important to the company’s compliance efforts. The compliance team members that actually oversee the business transactions are faced with an uphill battle each day. The other company teams have no incentive to welcome compliance into their worlds, and an instant adversarial relationship is created. This tension between the compliance team and their business counterparts can be helpful where it encourages continued engagement—i.e., “we have to stay alert.” But if there is too much tension, the compliance team either becomes overly aggressive (often yelling at colleagues), or worse, gives up and just passively goes along to get along. Neither is ideal and the health of a company’s compliance can be gauged by the compliance team’s level of frustration.
When I interview for a compliance team manager position, I am looking to see how engaged the compliance team members are. It’s a weird process because you are actually looking for the “truth”—how frustrating is the job, assuming that there is frustration. I ask a leading question like, “tell me about the sales team, what policies would you want to change?” and then watch where they lead me. Some are more cautious, some are quite vocal. Then over time, I show support by caring about what they care about, both at work, and even to a certain degree about their personal lives.
Compliance is a tough job because every day is a fight; managing compliance involves a great deal more caring and consideration, given how intense the fight can be.
Acting as the Networking Hub
The daily challenge of a compliance leader is managing these five conversations at the same time. A call from a government agency official, a quick conversation with a compliance team member, an email from the General Counsel, a meeting about a conflict between a logistics team member and a compliance team member; all are part of an average day for the compliance leader. It’s exciting and fun, but the dynamic nature of compliance means that it can be very difficult to do long-range planning, because you are always reacting to the immediate fire in front of you. In some ways the thrill of the job is the firefighting aspect of it—compliance is a matter of black and white, or right and wrong.
In a computer networking context, the work of compliance leadership is like a networking hub that takes communications from a variety of computers at the same time and sends and receives the responses. The success of a networking hub is dependent on its ability to handle the right messages from the right computers at the same time and maintain the connections. The success of compliance leaders is their ability to likewise maintain the five conversations with the business, senior management, across the company with other teams, with the government, and with their compliance staffs.
David R. Jackson is a compliance team manager for a government contractor in the Washington D.C. area. He has led compliance teams for over 20 years, and provided expertise in fields as diverse as Internet Abuse, International Trade, Privacy, and Food Labeling.