{"id":1603,"date":"2018-03-12T13:28:09","date_gmt":"2018-03-12T18:28:09","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=1603"},"modified":"2018-03-12T13:28:09","modified_gmt":"2018-03-12T18:28:09","slug":"guest-post-compliance-as-a-five-way-conversation","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=1603","title":{"rendered":"GUEST POST: Compliance as a Five-Way Conversation"},"content":{"rendered":"

David R. Jackson<\/em>
\n Guest Contributor<\/em>
\n J.D., University of Kansas 2007, LL.M. University of Arkansas 2012<\/em><\/p>\n

It\u2019s a typical Monday morning. I have a hundred unread emails, and my phone is ringing as I walk in the door, a Fed-ex envelope on my desk. The call is from my boss who wants to know why I\u2019m contacting the information security team about being included in the next table top exercise. It\u2019s a question the information security team raised directly, in one of the emails I will reply to later\u2014but for now, I\u2019m explaining to my boss that the privacy compliance team needs to be a part of any data breach practice that the company undergoes. I turn to the Fed-ex envelope, which is from the local Customs port. Enclosed is a \u201cRequest for Information\u201d due next week. Evidently, the envelope got lost in the mailroom for two or three weeks before getting routed to me, since Customs normally gives a company 30 days to respond. I will have to draft a formal response, but I will also ask for an extension. At the same time, one of my employees walks up to my desk and asks if we can talk about a conflict she\u2019s having with a member of the sales team about a customer that we had to terminate over violations of our Acceptable Use Policy.<\/p>\n

I am a compliance manager, and have been for over twenty years. While this is not an actual day, it\u2019s a pretty good approximation of what my days are like.<\/p>\n

Compliance leadership within a business requires maintaining five different conversations concurrently: (1) with the business, (2) with senior management, (3) with other teams that support the business, (4) with the government agencies and industry groups that provide external oversight, and (5) with the compliance staff. The challenge is not carrying out any one conversation, but juggling all conversations at the same time, and constantly shifting gears between conversations with different audiences.<\/p>\n

The Business Conversation<\/strong><\/p>\n

The central role of a compliance leader is to provide oversight for business transactions that carry any degree of risk. Usually this involves working with the sales and customer engagement teams to identify concerns with potential customers or vendors. The type of compliance needed generally depends on the type of business. In fact, the first task of any compliance leader is to assess the company\u2019s business model and the types of risk that model raises. In order to assess risk, the compliance leader must know what the business transactions are (or will be), and frequently that information can be a closely guarded secret. Developing a rapport with the teams that generate sales is critical to understanding the true nature of the business and its risk. The key question to ask is \u201cwhat are we selling now, and where are we headed?\u201d<\/p>\n

When I led Internet Abuse teams, the main goal of the internet service provider was selling Internet accounts\u2014sometimes email, sometimes websites, sometimes cable modem access. Each has their share of customers who are prone to violate the rules. Some customers would send out emails with viruses (to \u201cphish\u201d for account login information); others would set up servers on consumer accounts, and use more than their allotted share of bandwidth. Over time, my team and myself could profile typical bad actors and provide that data to the sales and customer engagement teams.<\/p>\n

I admit that we had variable degrees of success in establishing what types of customers were undesirable. But I still believe that the compliance team is the best early warning system of what customers a business should avoid. I see my role as the canary in the coal mine.<\/p>\n

The Conversation with Senior Management<\/strong><\/p>\n

In addition to a compliance professional\u2019s relationship with the business, he or she must remain in conversation with the individuals who lead the organization overall. Senior management generally hires the compliance leader, and the compliance leader will typically answer to a specific executive\u2014either General Counsel, a Chief Executive Officer, or the Board of Directors. Regardless, the conversation remains the same: \u201cWhat is the current level and type of risk that the company is facing and what does that cost?\u201d<\/p>\n

The answer depends on the company\u2019s culture, the type of business or industry, and the type of risk already assumed. From the standpoint of the compliance leader, the biggest challenge can be determining what the senior management really wants from the compliance role. The compliance that is needed may be ignored in favor of the compliance that the senior management wants.<\/p>\n

Some companies want a high degree of compliance. They are risk averse, and crave stability. They require standard processes for every type of transaction. Other companies want compliance to operate in the background with little visibility or support. In the latter, often the teams play a janitorial role and spend most of their time and resources cleaning up after a compliance failure. Most companies operate somewhere in the middle- enough compliance to avoid a total shutdown, but have some ambiguity in the more sophisticated and less frequent types of business transactions.<\/p>\n

I\u2019ve seen compliance done with excel spreadsheets and emails, and I\u2019ve seen compliance done with databases and regular reporting. I\u2019ve seen compliance staffs of 1, and compliance teams of 100. (Though I\u2019ve never met a compliance team that had \u201cenough\u201d employees.) The senior management directly or indirectly asks for the compliance they want\u2014and if management doesn\u2019t want to spend a lot of money, compliance will get minimal coverage. If senior management is concerned about the risk of government penalties, then the compliance team will likely have more people and technology to get their jobs done.
\nIt\u2019s a bit like insurance, where the compliance leader\u2019s job is to determine whether the company is a hypochondriac or a daredevil, and adjust priorities and resources accordingly.<\/p>\n

Conversing with Other Teams\u00a0<\/strong><\/p>\n

Most companies have teams that specialize in a particular area of support, such as human resources, accounting, network operations, customer care or logistics. These \u201coverhead\u201d organizations provide cost savings through specialization and efficiency. However, these groups often raise the greatest compliance risk for an organization because their role is focused on the continually optimizing processes to reduce costs rather than ensure regulatory or industry requirements are met. From support\u2019s perspective, compliance is only an additional cost, and frequently delays their work. As a result, there can be great reluctance to partner with compliance.<\/p>\n

Some of my work is international trade compliance, and that involves working with the logistics organization to review shipment data and determine what government reporting is required. For imports, the shipment has to be cleared with Customs before it can be released from the port. Because the statute of limitations on Customs entry documents is five years, the compliance team must review each line of an invoice to determine the amount of taxes to pay. The logistics team will often complain that the process takes too long. However, if the compliance team rushes, the penalties for violations can be very high, and those Customs filings, like tax returns, remain auditable for five years or more. The rules for imports are very complicated, and there can be tension between the logistics folks looking to move the merchandise as quickly as possible, and the compliance folks who need to make sure everything is correct, velocity versus accuracy.<\/p>\n

Talking to Government and Industry<\/strong><\/p>\n

The least-understood role of the compliance leader is to be the \u201cenforcement whisperer\u201d between the company and external regulatory agencies. External enforcement may come from a government agency or from an industry group that oversees a particular type of risk. \u201cWhispering\u201d in a compliance context is the ability to speak the nuanced language of the auditor or investigator and convey that \u201cwe are one of you, and we understand and comply with your rules.\u201d The company may not understand the risk completely, may not believe that the risk is real, or may overestimate the success of their own compliance efforts in addressing that risk. However, that does not eliminate the company\u2019s need to comply.<\/p>\n

For the compliance leader, being an effective advocate for the company starts by translating the risk and associated rules and regulations into the company\u2019s business processes. The compliance leader\u2014generally through the compliance team\u2014checks and documents the processes, anticipating the possibility of an audit. The compliance leader also acts as the corporate tea leaf reader, discerning the agency\u2019s or group\u2019s current priorities for oversight and regularly assessing the company\u2019s real risk of enforcement action.<\/p>\n

When I practiced law as a regulatory attorney, we would sometimes call the government investigator directly and ask for a deadline extension for a particular request. There was a certain attitude of respect that you conveyed\u2014not just in choice of words, but in approaching people warmly and deferentially\u2014which is not necessarily how law firms communicate as a matter of course. However, the government investigator has a great deal of discretion in granting the extension, and setting that tone can be key later in the discussions.<\/p>\n

Often, the company itself as the client might not have been aware of the discussion at all. Working internally in a compliance team, the senior leadership may not appreciate the effect a government investigator can have on their bottom line\u2014and that a little kindness and understanding can go a long way.<\/p>\n

Leading Compliance Staff<\/strong><\/p>\n

This is the least appreciated role of the compliance leader, and yet it can be the most important to the company\u2019s compliance efforts. The compliance team members that actually oversee the business transactions are faced with an uphill battle each day. The other company teams have no incentive to welcome compliance into their worlds, and an instant adversarial relationship is created. This tension between the compliance team and their business counterparts can be helpful where it encourages continued engagement\u2014i.e., \u201cwe have to stay alert.\u201d But if there is too much tension, the compliance team either becomes overly aggressive (often yelling at colleagues), or worse, gives up and just passively goes along to get along. Neither is ideal and the health of a company\u2019s compliance can be gauged by the compliance team\u2019s level of frustration.<\/p>\n

When I interview for a compliance team manager position, I am looking to see how engaged the compliance team members are. It\u2019s a weird process because you are actually looking for the \u201ctruth\u201d\u2014how frustrating is the job, assuming that there is frustration. I ask a leading question like, \u201ctell me about the sales team, what policies would you want to change?\u201d and then watch where they lead me. Some are more cautious, some are quite vocal. Then over time, I show support by caring about what they care about, both at work, and even to a certain degree about their personal lives.<\/p>\n

Compliance is a tough job because every day is a fight; managing compliance involves a great deal more caring and consideration, given how intense the fight can be.<\/p>\n

Acting as the Networking Hub<\/strong><\/p>\n

The daily challenge of a compliance leader is managing these five conversations at the same time. A call from a government agency official, a quick conversation with a compliance team member, an email from the General Counsel, a meeting about a conflict between a logistics team member and a compliance team member; all are part of an average day for the compliance leader. It\u2019s exciting and fun, but the dynamic nature of compliance means that it can be very difficult to do long-range planning, because you are always reacting to the immediate fire in front of you. In some ways the thrill of the job is the firefighting aspect of it\u2014compliance is a matter of black and white, or right and wrong.<\/p>\n

In a computer networking context, the work of compliance leadership is like a networking hub that takes communications from a variety of computers at the same time and sends and receives the responses. The success of a networking hub is dependent on its ability to handle the right messages from the right computers at the same time and maintain the connections. The success of compliance leaders is their ability to likewise maintain the five conversations with the business, senior management, across the company with other teams, with the government, and with their compliance staffs.<\/p>\n

 <\/p>\n

 <\/p>\n

David R. Jackson is a compliance team manager for a government contractor in the Washington D.C. area. He has led compliance teams for over 20 years, and provided expertise in fields as diverse as Internet Abuse, International Trade, Privacy, and Food Labeling. <\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

David R. Jackson is a compliance manager, and has been for over twenty years. As a consequence, he knows better than anyone the delicate balancing act being a compliance professional requires.<\/p>\n

Compliance leadership within a business requires maintaining five different conversations concurrently: (1) with the business, (2) with senior management, (3) with other teams that support the business, (4) with the government agencies and industry groups that provide external oversight, and (5) with the compliance staff. The challenge is not carrying out any one conversation, but juggling all conversations at the same time, and constantly shifting gears between conversations with different audiences.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51],"tags":[101,470,519,578,983,1129,1733],"class_list":["post-1603","post","type-post","status-publish","format-standard","hentry","category-compliance-the-law","tag-a-day-in-the-life","tag-compliance-officer","tag-corporate-culture","tag-david-r-jackson","tag-guest-post","tag-industry","tag-risk-analysis"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/1603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1603"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/1603\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}