AT: You’ve worked in compliance for a long time now, more than two decades. What led you into the field when it was still relatively new?
RW: You are correct, Adam, that I got my start in compliance during the 1990s, when both the compliance profession and I were still quite young. At the time, I was a white-collar criminal defense lawyer in New York. I was exposed to compliance in my work representing companies that were being investigated by federal prosecutors, and from the beginning, I fell in love with the positive, proactive nature of compliance. It was a wonderful contrast to the devastation that you are faced with when dealing with a criminal investigation.
I began practicing compliance law at Skadden Arps, which was perhaps the only large law firm that had a compliance program practice group during the 1990s. I feel very fortunate to have been able to transition from criminal defense into a wonderfully rich career in our noble profession early on. About 15 years ago, I formed a partnership with my friend and compliance lawyer extraordinaire Jeff Kaplan, and we have been happily practicing compliance law together since.
I love the work that I do, in particular when I am able to dig deep and witness the positive impact that compliance can have in an organization. I also cherish the connections and friendships that I have made over the years. (That includes you, Adam, and so many others at the fabulous SCCE!) Compliance tends to attract good people who are happy to share with and support each other. I love that about our profession.
AT: In that early era, compliance tended to have a significant legal focus, which isn’t surprising since so many of the early programs came out of serious criminal investigations. What do you think helped evolve the view to a more all-encompassing one that goes beyond legal?
RW: I think that the primary reason we were able to expand the focus of programs beyond a criminal—and even beyond a legal—focus is that compliance programs work. It took a little while (although not too long, really) for the compliance profession to gain the traction that it needed to be able to prove itself. But we got there, and the success of compliance programs at preventing and detecting misconduct has, in my view, been the primary reason for its expansion.
Other factors also contributed, of course. The development of the field of behavioral ethics helps us understand why compliance programs work and how they can be more effective. The Department of Justice and other regulators have also increased their focus on compliance. And the increased use of data analytics in programs allows us to prove the value of our programs with numbers, which enhances their credibility.
There’s an indisputable internal logic to compliance. If we create systems with an authentic intention to prevent and detect misconduct, then we will in fact prevent and detect misconduct. Of course! But in those early days, there were plenty of skeptics who questioned the value of compliance, and while we have come a long way, there are still some skeptics out there.
AT: Can you tell us a bit about the skeptics?
RW: I think that the origins of our profession led to some of the skepticism. Because the compliance profession got its start with the promulgation of the Federal Sentencing Guidelines, which offer an incentive for organizations to develop programs, there were plenty of folks in the early days who suggested that compliance programs aren’t sincere efforts to prevent misconduct but are instead designed to get a reduced penalty at sentencing in the event of a criminal action. I recall a particularly scathing article in which compliance programs were compared to Potemkin villages—nice facades built up to impress prosecutors in the event of an enforcement action, but with no real intent or ability to decrease misconduct. That, of course, was never an accurate depiction of our profession. But the value and importance of our work has become clearer over the years.
AT: One of the issues that was a struggle then, and is still today, is the whole question of ethics vs. compliance and which one is more important. I’ve long thought that debate was a distraction, that the two go hand in hand. Your work is focused on program assessments, so do you typically find that the problem is too much ethics or too much compliance? Or are there other more significant challenges typically? And does it all tend to boil down to culture, as with so many other things?
RW: I agree, Adam, that the debate of ethics versus compliance has become a bit of a distraction. Obviously, there is a difference between the two. One can follow all the rules but not act in an ethical way, and violating an unjust law is likely not unethical. I think that the debate became misguided, however, when the focus on ethics began to diminish the value of compliance. I am a big believer in values-based programs, but an effective values-based program will emphasize the importance of compliance. A big part of our job, as compliance professionals, is to assist employees in complying with the thousands of complicated—and not necessarily intuitive—rules and regulations that govern the work that they do. That requires a focus on compliance.
I have a similar view of the debate related to compliance versus culture. I’ve often heard Peter Drucker’s “culture eats strategy” quote paraphrased as, “Culture eats compliance for breakfast.” However, what I have found in my practice—time and again—is that compliance helps create culture. In an organization that doesn’t value process and compliance, the culture has failed. The two go hand in hand. A focus on compliance impacts culture, and a true ethical culture supports compliance, so the “versus” debate seems misdirected. In those organizations that have rules (on paper) but a culture that permits or encourages wrongdoing, culture has not “eaten” compliance; there is neither a good culture nor good compliance.
AT: Let’s talk a bit about assessments. Typically, how often should a compliance team stop and do a formal program assessment?
RW: Let me first point out that self-assessments are important program tools. So, for example, companies with robust compliance risk assessment processes typically conduct a type of program assessment each time they conduct a risk assessment, in that a compliance risk assessment usually involves review of controls as well as assessment of risks. And traditional compliance auditing and monitoring may also involve assessment.
However, for a formal program assessment in which the organization retains a third party to conduct the assessment, I would recommend that only every three years or so. The process itself can take months, and the company will want to allot sufficient time for implementation of the recommendations. Of course, if the company’s compliance risk universe changes dramatically or there is a serious compliance failure, that timeline might need to be moved up.
AT: What should the assessment include?
RW: The core components of a traditional program assessment are document review, interviews, and some combination of surveys and focus groups. Assessments can also involve review and analysis of program data, and more in-depth assessments may include testing of compliance controls. The assessor should obtain a good understanding of how the program is designed, how it is being implemented, and how it is perceived by employees.
In my practice, we typically conduct interviews on a nonattribution basis, meaning that we tell the company ahead of time and tell each employee at the beginning of the interview that—absent extraordinary circumstances—we will not attribute the comments they make during the interview to them. The company obviously knows with whom we are speaking, but we do not tell the company who told us what. We do this both because we want employees to feel comfortable opening up and because we do not want to create any risk of retaliatory conduct related to the information provided.
AT: Are there any warning flags you’ve seen through the years that compliance professionals should look for when conducting an assessment?
RW: What a great question! The most difficult assessments that I conduct are assessments where I am asked to come in because the compliance officer has lost confidence in senior leadership’s dedication to the program. It’s never phrased exactly in that manner, of course, but that is sometimes the motivating reason for the assessment. As anyone who’s been in the field for any length of time knows, implementing an effective compliance program is almost impossible without leadership commitment. And compliance can be an incredibly difficult job when that happens.
One other issue that has come up a few times in my work: You’ll recall that I conduct interviews on a nonattribution basis. Well, I have had a few phone calls from CEOs and general counsel demanding to know, “Who told you that?” That’s a very bright red flag that senior leadership commitment is lacking.
AT: And when the assessment process is done, what should you have in hand for it to be a truly useful exercise?
RW: The process should ideally yield useful, practical recommendations for advancing a compliance program and for continuous improvement. The form those recommendations take (e.g., a lengthy report, a PowerPoint) may vary, but the recommendations themselves are the true product of the assessment. Some of the recommendations that we have made lately—just to give you a couple of examples—are that the charter of the audit committee be modified to require meetings in executive session with the chief compliance officer or that the company develop an escalation protocol to specify how compliance concerns and reports should be escalated.
AT: Let’s move more macro now. There’s a lot more attention on the board over the last few years. Some of it has been driven by the realization that tone at the top doesn’t stop at the CEO. Some of it is due to the government pushing for more board oversight. How important have you found the board to be?
RW: I really cannot overstate the importance of active board oversight to an effective compliance program. At many organizations, the level of independence of the function is directly related to the level of board oversight. And, when a very serious issue arises, the board becomes more important because it may need to step in and shepherd the investigation.
Board oversight is important to any organization’s program. However, I can see and viscerally feel the value of an active board when I am assessing a young program in an organization where leadership doesn’t possess the background and experience necessary to understand and value the importance of the compliance program. Having a knowledgeable audit committee chair who asks the right questions and pushes the company to provide resources is sometimes the only way that a compliance program is able to survive.
The recent cases coming out of Delaware—Boeing, Clovis Oncology, and Marchand v. Barnhill—are also important, of course. Since 1996, when the Caremark case was decided, there has been theoretical board liability for failing to provide appropriate oversight of the compliance program. However, the potential liability seemed more theoretical than real. This recent line of cases should cause boards to reevaluate their oversight and—for some boards, at least—step up their activities.
AT: What are the keys for making the board/compliance relationship work more constructively?
RW: The most important aspect of the board/compliance relationship is the relationship between the chief compliance officer and the chair of the audit committee—or whatever committee at an organization has been designated with responsibility for overseeing the program. When compliance programs are faced with their greatest challenges—let’s say a credible allegation against a senior leader—the chief compliance officer needs to be able to directly reach the audit committee chair on an immediate basis. If there are issues or concerns related to senior leadership’s support of the program, the chief compliance officer needs to be able to raise those openly and honestly.
AT: That’s not the only evolution in compliance thinking over the years. Heck, I can remember when mandatory compliance training was still being debated. One of the more recent changes is the explosion of the environmental, social, and governance (ESG) movement. Investment decisions are being made; organizations are making commitments. Most of me thinks this is here to stay, but I also think of governance, risk, and compliance (GRC) and corporate social responsibility (CSR), neither of which ever really gained tremendous traction, at least in the US. What’s your sense?
RW: It’s interesting, isn’t it? I was speaking with a client recently—whose views I greatly respect—who called ESG the flavor of the month, which is something I’ve heard from a few folks. However, I think that the concepts and principles behind ESG are here to stay, although they may very well take on a new acronym in a few years’ time.
What ESG—and GRC and CSR—represent is a willingness by organizations to contemplate the environmental, societal, and sustainability impacts of the work that they do. With ESG, that often includes making public commitments and disclosures, and that reporting piece is important to ensuring accountability for the commitments. But the governing principles—that organizations understand the costs to our world of their work and seek to decrease the damage and increase the amount of diversity and inclusion—those principles are so important to our planet’s and our society’s future. The optimist in me certainly hopes that those principles and goals will continue to be important to organizations.
AT: ESG isn’t the only thing that’s likely to change the picture for compliance. How do you see compliance programs evolving over the next five years?
RW: At the 2021 Compliance & Ethics Institute, which was such a great conference, the discussion that stayed with me more than any other was when my friend David Greenberg, who was speaking on the topic of increasing the representation of compliance officers on boards, said, “Compliance officers need to learn to play bigger.” I think that’s such good advice. As a profession, we have tended to work hard at implementing each aspect of a program, but not always had the voice we should in terms of company strategy and big-picture issues. We will have better programs when we can get to that next level, and that is what I hope for compliance.
AT: Thank you, Rebecca.