Compliance Stories: Lessons Learned in the Field

Podcast
November 8, 2023
38:19 minutes

On this episode of There Has to Be a Better Way?, co-hosts Hui Chen and Zach Coseglia go it alone in a one-to-one talk designed specifically for ethics and compliance professionals. In past episodes, guests have hailed the power of storytelling, and this week, Hui and Zach share personal stories—and learnings—from their decades of experience in the world of corporate ethics and compliance. Topics include: earning a seat at the table through relationship-building and diplomacy; why complication and complexity isn’t always bad, but a lack of clarity is; and why compliance is, and needs to be recognized as, an area of unique expertise.  


Transcript:

Zach Coseglia: Welcome back to the Better Way? podcast, brought to you by R&G Insights Lab. This is a curiosity podcast, where we ask, “There has to be a better way, right?” There just has to be. I’m Zach Coseglia, the co-founder of R&G Insights Lab, and I’m joined, as always, by Hui Chen. Hi, Hui.

Hui Chen: Hi, Zach. Hi, everyone.

Zach Coseglia: Hui, it’s just us today.

Hui Chen: It sure is, but we’re going to do something fun. This is what compliance professionals—or at least the ones I know—like to do, which is tell some war stories. Now, this is typically done at an outing, probably sitting over some food and beverages. But I don’t have beverages right now, since it is morning for me, I only have my morning fruit shake. Those who are listening, you might want to have a beverage, if you are not in a car listening to this.

Zach Coseglia: Definitely. I hope that you all take Hui up on that suggestion: Have a drink, have some food, and let’s share some stories.

Hui Chen: Some of the most valuable things I’ve learned have come from challenges that were tough to go through at the time. So, I thought we would start by talking about some stories about just access-to-a-seat-at-the-table type of challenges. I was new in a global role for an anti-bribery and corruption position. The first thing I did when I went into that position was to do a program analysis to see what the gaps were, what things we had, what things we needed to build, and all of those. I charted those findings in a very lovely, color-coded chart. I broke the program into various elements—some were green, indicating that we already had those; some were yellow, which were the ones that were “in flight,” and red were the ones that we didn’t have. This is a familiar color scheme for companies that have audit reports that are done that way. Not surprisingly—at least not to me—for this particular organization, it was a pretty red document. When it was done, my boss—who was essentially the head of the compliance function—decided that he would present to one of the many committees in the company. I was not allowed to go—he went. Apparently, from the report that he brought back, the color charts got a lot of attention. People were nervous. They were asking: “What needed to be done? Are there actions that we need to take right away?” And the only action they did take was to send it to another risk committee consisting of mostly the same people. To this day, I can’t tell you what the difference really is between the two committees.

This time, I was allowed to go to the second committee, but I was instructed to “print that chart in grayscale, no colors”—so it got no reaction at all. So, think about the human brain’s visceral reaction to colors—colors like red, yellow and green. That, to me, was quite an interesting lesson in itself. One of the committee members during the meeting said that his counterpart at a competitor business thought anti-bribery and corruption was their biggest risk, which I took to be something of an encouraging sign because he was relaying a peer organization’s recognition of this risk. Before I could say anything to it, the chair of this committee responded to this comment by saying, “Your peer at” this competitor organization “must have nothing to do.” Then, there was a whole series of committee and stakeholder meetings that followed, as I tried to present what should be our priorities. After those experiences, I decided, “I really want to just narrow it down to two things that are very concrete, that are very doable.” And I decided those two things were anti-bribery and corruption training for senior management, which had not been done in years—in fact, had never been done as a specific training for the senior leadership.

Zach Coseglia: Based on the feedback from your committee meeting, maybe something that would be a good idea to do.

Hui Chen: You don’t say! So, that’s one thing. The second thing was really a review of the manual payment system, which was something I identified fairly early on. They had a manual payment system where, essentially, almost all controls could be bypassed, and I wanted to make sure that was reviewed, and controls put in place.

After that meeting, since my function was rarely allowed to go to most of the senior management meetings, none of these things got any traction. The only optimistic moment I had was in a private meeting that I had with the head of legal. I relayed to him my concerns, and he did say that he really wanted to put this on the audit committee’s agenda to discuss. It never materialized, but I don’t think it was for lack of effort on his part—he was ultimately, shortly thereafter, forced out of the organization. So, there was a lot of political stuff going on in the organization, And I think that’s something you also have to recognize—whatever you’re experiencing is part of the bigger picture. There was clearly a lot of frustration that I experienced, in terms of not being able to get traction or even access to the table. But I think what I learned from that was the importance of building one-on-one relationships with stakeholders, whether it was that conversation with the head of legal, or later, when I built a relationship with one of the business heads whose voice was strong, and when I could get her to be concerned about things, she would be the one raising it. So, “a seat at the table” does have to be earned, but sometimes, structurally, you just don’t have it. What I learned from the experience, the Better Way there is to earn it through your private relationships. Work on people one-on-one. The structure doesn’t allow you, but you can make friends, you can make contacts and you can build those relationships.

Zach Coseglia: I very much have experienced that myself. When I first went to China in my prior in-house life, I had this almost naivete that here we were, at an organization that valued ethics and compliance as much as it did and does, and so, I thought that that necessarily gave me a voice of authority on some of these topics. And so, when I saw an opportunity to improve, or where I saw an opportunity for us to try something, I just assumed, “I’m going to come in here, I’m going to share my ideas, and we’re going to do it.” I’ve described it before as sort of like coming in like a wrecking ball—when in reality, what I needed to do, and what I learned over time, was that it takes a much softer touch. It takes diplomacy, it takes understanding the political environment, and it takes building, as you said, personal relationships in order to actually get things done. You’ve got to play a much more nuanced game to accomplish some of the stuff that we’re trying to accomplish as compliance folks.

Hui Chen: I think I learned that through years of perhaps being a wrecking ball. Particularly, I had come in-house from the background of having been a federal prosecutor—and when you’re a prosecutor, you have a lot of power and you are used to those hard-line tactics. When I think about cross-examination lessons that I had taken as a prosecutor, a skillful cross-examination is really built by tiny little steps, where you lull the witness into some sense of safety and start slowly divulging the information that you want them to do. It’s a skill that I have used in investigations, but sometimes it’s a skill that we forget to use in daily interactions. Now, let me just make sure I clarify myself. The purpose here is not to lull people into a false sense of safety so that you can spring something on them, but the purpose is to build relationships. You want people to feel comfortable with you, to truly share their concerns with you, and truly help you understand, “If they can’t do something, why is it that they can’t do it?” Also, having that big picture that whatever you’re facing is not the only thing that’s going on in the organization.

Zach Coseglia: On this topic of access, relationship-building and the trust that you have to build, whether it’s day-to-day with your co-workers, in the context of an interview, in the context of an investigation, or in the context of cross-examining somebody, I then take the conversation to this point about compliance officers sometimes feeling like they’re perceived as “the police.” I think part of the reason why folks are sometimes perceived as being “the police” is because sometimes we act like the police. And so, it’s this concept that pops up in so many different contexts in the work that we do—we want people to listen to us, but in order for people to listen to us and to take our ideas, they have to trust us. We want people to not view us as “the police”—we want them to view us as a partner. In turn, we have to act like a partner, and the people on the other side of that equation have to be willing and open to our partnership. So, it’s really about the duality of your role and your perceptions, and their role and their perceptions that come together to hopefully get us to a place where there is trust, where we are partners, and where we do have a seat and access. But it takes both sides being intentional about their approach in order for that to actually happen.

Hui Chen: You remind me of a colleague. Many compliance people do have law enforcement backgrounds—sometimes they’ve come straight from a law enforcement position. This particular colleague, every time I was in the same meeting with him, he would begin his self-introduction by saying, “I’m a former federal prosecutor.” Oftentimes, we were doing international work—he’s saying it to people who don’t know what that means. To the extent that it did register, it was exactly that “police” message—that, literally, “I am the police. I just want you to know that that’s part of my identity and this is what I’m bringing to the table.” Whenever I talk to colleagues who have come through that transition, I always say, “Just be very careful—the context is very different, and you want to be mindful of how you present yourself.”

Zach Coseglia: I think that’s something that a lot of compliance professionals encounter, and particularly investigators who are sitting in an in-between world between both wanting to partner with the business and having a really difficult task at hand in finding truth and fact-finding.

Hui Chen: One of the ways that I tried to combat that when I was in a dedicated investigations role was, whenever I went to a market, I would make sure to stop in and see the business leaders, particularly if I had nothing to report or had no reason to do so, because I wanted to change that reaction of, “Seeing Hui Chen is bad news.” So, I wanted them to get used to me dropping by their office, chatting about, “How’s business?” and “How’s your family?” In the earlier few visits when I would do that, you could see their expression—they were waiting for the other shoe to drop, like, “You must have stopped in my office for some other reason that’s not welcomed by me. Why does she spend time with me, and there was nothing?” Ultimately, if you do that long enough, you begin to build that rapport, you begin to build some trust, and those will go a long way when you really need them to take some hard actions.

Zach Coseglia: Absolutely. It reminds me of something else that I often hear you say, which is, in the context of presenting to the DOJ, law enforcement or to regulators, that “Let’s not forget, they are human, they’re people. Let’s not forget that compliance professionals, investigators, are people. And let’s not forget that the business and the people who we support are people, too.” Doing exactly what you did is such a wonderful, normal, very human way of reminding people that we’re more than just deliverers of bad news.

Hui Chen: One of the things that I have found, whether it’s working with the companies or working with DOJ, people tend to not think of organizations as consisting of all individuals. In DOJ, I would hear people say, “The company is like this.” And in the industry and working with companies, we always hear people say, “DOJ wants this,” or “DOJ thinks that.” DOJ is not one person—DOJ is made up of a lot of people. Everybody in any organization has their own perspectives, their own opinions, and I think when we generalize like that, on both sides, we really suffer the loss of the insights and perspectives you can get.

I experienced this when I was in a company that was, at the time, actually under multiple monitorships, and the monitor would always try to get the view from “the compliance function.” But, again, “compliance function” has a head of compliance, that head of compliance has his leadership team, and his leadership team has the people on their teams—they all have different perspectives and opinions. So, we had this situation where the monitor circulated a draft report that described my function. The monitor sent it to head of compliance, the head of compliance sent it to his leadership team, and we were all to comment on the monitor’s draft report. I said, “I concur with the observations noted in there.” The head of the compliance function said, “No. I do not agree with the monitor’s observations, and I want you to write the following.” And I refused. He was like, “I want you to say that you agree,” basically, in an email. I remember calling a friend of mine who had worked in-house but was then working for a firm, and saying, “What should I say?” Basically, he said, “Just reply to the email and say, ‘We’ll have to agree to disagree.’ Because you need to document that you didn’t agree with his proposed answer.” I cannot let a record be there where I had “agreed” to it, but I also didn’t want to get into a continuous argument over this that had already been ongoing for a few rounds. So, when I was at DOJ and working with monitors, this is something I cautioned a lot with the monitors. “Just be mindful of the organization. You’re talking to heads of functions, but are you really getting the full picture by talking just to the heads of functions? When you’re circulating your results or getting reactions from people, you’re getting them from one set of people who have power over other people, who may have different opinions.”

Zach Coseglia: I want to actually piggyback off of that to talk about a related issue—building off the idea that not all people in an organization have the same view, not all cultures within an organization are the same—and that is that I think there’s this human nature to try to reduce things to something. We see it in the behavioral science space, too, not just compliance—we see it in all kinds of areas that we focus on. And it’s that I’ve heard in my experience, a lot, the words, “It’s too complicated. We need to simplify it, it’s too complicated.” Whether we’re talking about a policy, whether we’re talking about a training, whether we’re talking about a system, whether we’re talking about a presentation, whether we’re simply talking about a strategy or a set of priorities: “It’s too complicated.” Sometimes, we do overcomplicate things, there’s no question. Sometimes, though, when we say, “It’s too complicated,” what we actually mean, I think, is “It’s not clear.” So, it’s not that we need to “make it less complicated,” it’s that we actually need to just be clearer about what we’re trying to convey in the world of a complicated set of things. And then, as we’ve also talked about on this podcast before, sometimes we use the word “complicated” when what we actually are talking about is something that is “complex.” But whatever the case, I feel like sometimes in the world of compliance, in the world of DEI, the world or organizational culture and in the world of just broader risk management, all of these various areas that we work, we say, “It’s too complicated” when, in reality, what we really need to be doing is acknowledging that sometimes things are complicated, or sometimes things are complex, and to not try to reduce it to one thing, but to, instead, actually give whoever our audience is or whoever our partners are, the courtesy to believe that they actually can understand the complicated and the complex.

Hui Chen: I feel like what I’m getting out of what you’re saying here is we want to embrace the complexity and the complications in our thinking but be clear and simple in our communications.

Zach Coseglia: Yes. And you know what you just did? You were just clearer and simpler in your communication of the complicated and complex concept that I was articulating, so thank you for that.

Hui Chen: That, strangely, reminds me of some of the lessons I’ve gotten from working with people in risk assessment. So, I reviewed a risk assessment done by a company. It was done by a survey method—it was an-almost-hundred-question survey that was sent throughout the organization for people to complete.

Zach Coseglia: Sounds “complicated.”

Hui Chen: Yes and no. You’re the general manager of a market. You have a lot of responsibilities—you’ve got to meet your sales target, you’ve got to manage your people, and here, from the headquarters, comes a hundred questions asking you about whatever. So, are you really going to do it yourself? No. Are you going to give it to your most able lieutenants to do? No. You’re going to give it to the young intern who just came. Then, the other problem is these ask a lot of questions that are basically people’s opinions, rather than facts. So, “Do you believe you have enough budget?” Well, that’s a belief. “What is ‘enough’”? “Do you have enough headcount for this”? Same kind of problem. “Do you trust people”? A lot of these survey questions for this particular exercise, which was called a “risk assessment exercise,” I expected to be much more quantitative than subjective in this way. Then, there were also lots of questions that were open to interpretation—questions like “Do you have third parties”? “Well, what’s a ‘third party’? I don’t know what a third party is so I’m just going to answer, ‘No.’” Or, “I think third parties are distributors,” “I think third parties are suppliers.” All of these are undefined, and it leaves it for people, for the poor intern in the dark room, to interpret what that means. So, when they got back the risk assessment results, they got very strange outcomes.

For some of the high-risk markets, they came back looking pretty good because people were feeling pretty good about it. But for some of the lower-risk markets—and I will name one, which was the U.K. (U.K. you would not traditionally think, from the anti-bribery and corruption perspective, is a high-risk country)—they came back with a middle ranking because the people in the market who answered those questions were much more critical of what was needed and what did or did not exist. So, the result came back very puzzling to people who were expecting certain types of results. But the question was diving into why this was happening, then working with the risk assessment team to revise their thinking, and, even more importantly, to set people up for the expectation that “Since now that I’m in the role; and I am doing my job to educate people about what A, B, C risks look like; and that we are revising the risk assessment methodology to make it more accurate, as a result of us doing these things, many markets’ scores will be worse next year.” My very first compliance position was, again, an inaugural role in the field where there had been no compliance officer on the ground in this particular location. And I told people right away that “If I do my job right, the number of investigations will increase. It will increase, but at some point, hopefully, it will plateau and will begin to come down. But that’s going to take a few years, and that’s not a bad sign.” So, the lessons in here are everything from how people understand whatever you put out there, to setting people up for the right expectations and understanding data in context.

Zach Coseglia: The last thing that you said is just so critical, because I think that there’s a lot of discussion about “data and analytics” in the context of compliance. It’s often focused, as we’ve talked about before, on big, shiny, exciting tools and technology—words like “artificial intelligence,” “machine learning,” “advanced analytics,” and “predictive analytics” are thrown around. But when we actually begin to take a more thoughtful, intelligent, intentional approach to data analytics and compliance, it actually should be as much, if not more, about what you just said, which is we’re going to use data to talk about how many matters we’ve received, how many became investigations, where they’re coming from and the nature of them. We could just put that data out there and dump it on someone, but that’s not actually a really great approach—that’s not a real path to success. We’ve got to analyze it, we’ve got to interpret it and we’ve got to tell a story behind it. As you said, it’s very easy to fall into the trap of thinking, “The trend is going up, and so, that’s bad,” when, in reality, the trend going up may be good. Now, if the trend continues to go up forever, well, that’s something, and may very well warrant attention and intervention, but it requires just some very simple analysis of the data.

Same with the risk assessment example. It’s not just about how to analyze the data, but it’s about how to incorporate quantitative data into that risk assessment process. I personally am a fan of collecting qualitative inputs, of getting people’s perceptions and beliefs—especially, people who are knowledgeable and an authority on the things that we’re asking them about when it comes to risk assessment, whether that’s compliance and risk professionals or the business who may be experiencing it firsthand. But we’ve got to couple it with quantitative data, and we’ve got to just be thoughtful about the ways in which we ask those questions or the ways in which we incorporate that data. This, to me, is as much about how to structure a questionnaire, how to collect data in a thoughtful way, and how to use data, interpret it and analyze it, as it is about anything else.

Hui Chen: I completely agree. I think a good assessment, whether it’s a risk assessment or a culture assessment, really needs to have both a quantitative and qualitative narrative component. But I think the trick is thinking about what the right questions are to be asking. And what are the types of things that you ask quantitative data for, and what are the things that you ask qualitative data for. So, a question about how many third parties you have, that’s where you want a quantitative answer—you want how many. You don’t want to ask, “Do you believe you have third parties?” However, “Do you believe the company’s disciplinary process is fair?” There is a quantitative component to that—you can look at the company’s investigative and disciplinary data to get a perspective on it. But, even more important, in this case, is people’s perception, and that’s where your narrative qualitative data comes in as far more critical.

Zach Coseglia: Hui, I want to switch topics here a little bit, and talk about compliance as an expertise, and maybe dovetailed with that, compliance in larger organizations where things may be more decentralized. One of the things that I’ve seen from time to time—and this is not the rule, there are plenty of places where this isn’t the case—you see “compliance” treated as “something that anyone can do.” I’m not suggesting it’s rocket science, but it’s treated as though it’s not the expertise, the discipline, in and of itself, that it is. And I say that because I think it’s distinguished from some other, similar disciplines within an organization that don’t get treated that way. I don’t think that anyone thinks that they can be the lawyer for the organization unless they actually have those skills. I don’t think people feel like they could be the human resources person for an organization without a certain set of skills, or that they could be an auditor without a certain set of skills. But I think, from time to time, and more frequently than I’d like, folks think that anyone could do compliance. And so, sometimes, that has a real impact on the way in which the program is perceived within the organization, the way in which the talent is treated, and also, the impact that the program ultimately has.

Hui Chen: I’m very grateful, and I think the compliance profession owes a debt, to Andrew Weissmann, who was the head of the Fraud Section that created the compliance counsel expert position that I held—and the reason is his thinking behind that was precisely to recognize compliance as an area of expertise. It’s not that any prosecutor can just say, “I know—I can look at this compliance program and I can tell whether it’s good or bad.” Not that they’re not smart people, good lawyers or excellent prosecutors, but the same prosecutors, you wouldn’t expect them to say, “I can just do forensic accounting,” or “I can do medical examinations.” Those are specialized fields that contribute to building the cases and understanding the cases that they prosecute. Andrew’s thinking behind creating this position was precisely to recognize that compliance is an area of expertise—that it requires somebody who’s been in companies, understands how they operate in reality, and understands what it requires as skillsets (more than just legal skillsets) to come into the role to have that recognition. Unfortunately, I think the profession is still very much struggling with this, and it’s something that we need to continually build on by doing the kind of things that we’re doing, by highlighting the skillsets that are really involved. It really is an interdisciplinary, cross-functional expertise that, in a way, very few people in organizations have. So, when you’re able to help people understand that, then that really can add a lot more power to what we do. Recognizing that this is not just a legal regulatory exercise, this is not just some messaging and putting together some training sessions with no measurement—it is about the company’s values, it’s about how people behave and it’s about the culture that you’re trying to build in a company.

Zach Coseglia: Yes—couldn’t agree more. What else is on your mind today?

Hui Chen: When we’re also thinking about the challenges to the profession, the other thing that I always had struggled with when I was in-house was I oftentimes would be held responsible for all kinds of things over which I had no control. There would be an audit or some kind of assessment, and it would say, “There are improvements needed in payments,” or, “recruiting practices,” or “in marketing tactics.” I don’t own any of those. In one of the large organizations I worked with, I didn’t even own training. So, I would be given the goal to “roll training out within one year.” But I’d be told, “You don’t own training. Training has to be delivered by the training department, on their schedule.” And so, it’s about having to work with, particularly in large organizations, all these different stakeholders who may or may not understand why you want to do this, and who are oftentimes not even held accountable. I remember a member of my team had gone to the head of finance operations to talk about this manual payment issue to try to understand it and get better control over it. And the head of the financial operations said to him, “We’ve been doing this for 150 years. Who the heck does Hui Chen think she is to want to change that?” So, a couple of things that I learned from this was, again, set expectations. Even as the audit reports are being done, I’m working with auditors to make clear that they have to be clear about who is accountable for some of the remediations that are recommended. It cannot all fall on my function, which has no ability to implement without other stakeholders’ full input. Unless they’re also held accountable, it can’t be done, and that has to be reflected. So, making sure you work with them to get the ownerships really clearly reflected. If you can’t—and this is another common theme that many compliance officers would know about—document it. Document it in your own way, through your emails, through your memo-to-self—all those things. You document why certain things cannot be done on the schedule that you were told to do it. A lot of this is about protecting yourself.

Zach Coseglia: Hui, should we end with maybe some top-line suggestions, recommendations, or Better Ways for those that are listening?

Hui Chen: I think we’ve hit on a few themes. One is building relationships. Two is documenting, documenting, documenting. Three is listening to people and treating them as individuals, and not a collective.

Zach Coseglia: I’ve got embracing complexity and complication, but ensuring that your message is clear, and that you’re communicating in ways that folks understand, which may be complex or complicated. We didn’t really talk too much about this, but it’s something that always is on my mind, given my experience and given some of what I’ve done in the past, being brave enough to be innovative in the world of compliance. There are a lot of folks out there who are, and who are doing some really wonderful stuff. I think sometimes it feels like the job doesn’t allow for it, but I think it’s got to. We’ve built this business and we’ve framed this podcast around the idea that there are “Better Ways,” and so, encouraging people to look for them is definitely something that’s very much on my mind. And I think being a little introspective—by that I mean, if I’m being treated like “the police,” asking, “Am I acting like it?” If I find that folks aren’t trusting me, what am I doing to engender that trust, or what am I doing to show that I trust you? Maybe I don’t, and that’s part of the issue. But I think looking within was a big part of my journey and experience, as well.

Hui Chen: Absolutely—I completely agree. One area we haven’t touched on, probably because it deserves its own episode, is investigations. It’s too big a topic. You and I both met doing investigations, and there are so many war stories to tell on that.

Zach Coseglia: We should do that—let’s do an episode on that.

Hui Chen: Yes, let’s do another episode just on investigations and all the war stories. Listeners, we also invite you to share your stories with us. Send us an email, tell us some anonymized war stories that you’d like to share. We want this to be a community where we can share.

Zach Coseglia: Absolutely. Let me just say also, we shared from our experience some of our war stories, some of our perceptions and experiences. I just want to be totally clear to those who are listening who are compliance officers or who are on a compliance team, that you’re doing really hard work, sometimes under less-than-ideal circumstances. I admire those of you who have chosen this path. I know firsthand, and I know Hui does, too, just how hard it is, but also how rewarding and wonderful it can be, because it really is a great discipline, and very much is its own area of expertise.

Hui Chen: It sure is. I have seen also a lot of compliance colleagues who feel very beaten down, and believe me, I’ve been there. There are rewarding aspects to this work, and a lot of it is finding small victories along the way.

Zach Coseglia: Thank you all for tuning in to the Better Way? podcast and exploring all of these Better Ways with us. For more information about this or anything else that’s happening with R&G Insights Lab, please visit our website at www.ropesgray.com/rginsightslab. You can also subscribe to this series wherever you regularly listen to podcasts, including on Apple and Spotify. And, if you have thoughts about anything that we’ve talked about today, the work that the Lab does, or if you just have ideas for Better Ways we should explore, please don’t hesitate to reach out—we’d love to hear from you. Thanks again for listening.

Speakers

Zachary N. Coseglia
Managing Principal and Head of Innovation of R&G Insights Lab
See Bio
Subscribe to There Has to Be a Better Way? Podcast