Podcast: Common Risks and Challenges in Running a Global Ethics & Compliance Program
As global regulations proliferate and become more complex, so too do the challenges of maintaining a high-performing global ethics & compliance program. While no two days are alike for compliance officers, they do face some common risks and challenges. In this podcast, Ropes & Gray litigation & enforcement partner Ryan Rohlfsen is joined by Glenn Leon, Senior Vice President, Deputy General Counsel and Chief Ethics & Compliance Officer with Hewlett Packard Enterprise, to discuss best practices for mitigating risks and meeting global expectations. The podcast covers:
- Striking the right balance between in-house and outside counsel
- Using data analytics to help manage your compliance program
- Practical ways of fostering a positive ethical tone at all levels of the organization
- Managing and mitigating third-party risk
- Staying current with regulatory and enforcement trends around the globe
Ryan Rohlfsen: Good afternoon. This is Ryan Rohlfsen, a partner with Ropes & Gray in the litigation & enforcement practice group. I'm here with Glenn Leon, senior vice president, deputy general counsel and chief ethics & compliance officer with Hewlett Packard Enterprise. We're talking today about common risks, challenges and opportunities in running a global ethics and compliance program. Thanks again, Glenn, for taking a few minutes to chat with us today. What does a typical day look like for you in running Hewlett Packard's global ethics and compliance program?
Glenn Leon: Well, it's fair to say that there is no typical day – probably all of us could say that about our respective jobs. My team handles the core workstreams; the ones we have are investigations, our most serious ethics investigations. We have a separate anti-corruption program. We have a global trade team. We have a privacy team. We also spend a lot of time with policies, training, running our mailbox and our open door policy. And then we also have a separate, what we call, a SER program, a social and environmental responsibility program. At a high level, that's what my team does. I would say I spend certainly the majority of my time focusing on anti-corruption issues and investigations, and less so perhaps on a day-to-day level on some of the other issues.
Ryan Rohlfsen: So Glenn, where would you say you're spending a majority of your time and resources right now in terms of mitigating risks for the company? And how are you tackling it?
Glenn Leon: A few areas. We are spending a lot of time on training. We're actually in the process right now of reviewing our SBC, our standards of business conduct – it's a very good product. It hasn't been revised in five years and we're making it better. We're making it more targeted to our particular areas of risk. We're making it more readable. We're making it more interactive. So training, communications is a big priority of ours. Anti-corruption, FCPA is a big area of risk, so we do spend a lot of time auditing our anti-corruption programs, auditing our partners as appropriate, making sure that the various systems that we have in place in-house can improve. We're always looking for areas to improve in our anti-corruption space – that's another big area.
Ryan Rohlfsen: Do you see any regulatory or enforcement trends, whether in the U.S. or abroad, that will be particularly in the forefront in the next year or two that not only HPE is focusing in on, but you think it's your understanding or impression, that other multinationals are looking to very closely?
Glenn Leon: Yes. Well, picking with the GDPR, that's important to all multinationals. I think there's going to be an interesting tension, if there isn't already, between the push that the GDPR is imposing on a lot of multinationals to be more sensitive to privacy issues and putting that against the threat coming in cyberspace. So I think we have a potentially interesting tension where we're going to have more and more efforts needed, from a law enforcement perspective, to really fight cybercrime and issues that many multinationals face as an existential threat to their companies if they really have a real serious cyber threat, and weighing that against the GDPR and the push, particularly from the European community, to respect individual privacy laws of individuals. That's a trend, I think, that we're kind of experiencing now and it's going to increase, so that's certainly one. And again, staying with anti-corruption, certainly the DOJ and SEC have been leaders in this space, but certainly we are seeing more and more and more countries taking anti-corruption prosecutions and investigations very seriously. And that's really now a true multinational and global enforcement trend throughout the world – it's only increasing.
Ryan Rohlfsen: One thing we could talk a little bit about, given what HPE does in terms of big data and managing, you know, enterprise-wide data, are there any tools or trends that you're seeing, whether it's now or coming online in the future, of trying to use data and data analytics to help you in your job in managing, you know, a really large global ethics and compliance program?
Glenn Leon: So that's a good question. We've identified three really big areas of risk that we do cover from an investigation standpoint, the kind of issues that I report up to the audit committee, for example – anti-corruption being one. The other two: one is off-book funds and the other is revenue recognition misconduct. And anything in the off-book fund or rev rec space is of particular interest to us – we pay particular attention and we take those allegations very seriously. Off-book funds and rev rec in particular, we believe that there are opportunities to do some better detection through data analytics. So for example, revenue recognition misconduct is basically improperly stuffing the channel, getting in your numbers at the end of a quarter through site agreements or other improper means to make your numbers for the quarter. At its high level, that's what it is. So we're partnering right now with our internal audit team to look at trends and to see well, maybe there are certain things, certain red flags that pop the last few weeks of any quarter that might be things that we can observe and measure and then use from a data analytics standpoint to catch things going forward. So that's one thing we're working on right now.
Ryan Rohlfsen: A key thing that everyone focuses on with a global ethics and compliance program is the concept of tone at the top. How is it that you address fostering a positive ethical tone at the top as well as tone at the middle, at the company?
Glenn Leon: So yes, tone at the top – a lot of lip service is given to it, it is very important. I'm proud in saying that we do have a strong tone at the top. I think we have that in several ways. One is we had a big FCPA settlement and that gets a lot of people's attention. And frankly, you know, I think we took advantage and made the most of a bad situation, so I can truly say we have the buy-in of the people who really run the company, so that's kind of point one. Point two is we have various measures that are in place where we get engagement with the business, not just legal but business, HR, finance, and legal. So we have in addition to regular contact with the audit committee, we have a separate ethics and compliance committee – that's a separate committee that I chair. It has many members of the executive committee, many members who report, business leaders who report to the CEO. And I meet with them once a quarter and I talk to them about trends, issues, key investigations, remedial efforts, things like that. That's another way to keep engagement tone at the top. We have other systems in place where we have very regular contact with key business leaders to let them know about issues, trends that we're seeing. So that's not just tone at the top, but then to your other part of your question, tone at the middle. I've got two calls, for example, scheduled next week with a group of people who we call liaisons. Those are people who are more senior level middle managers who are particular leaders in the regions in particular countries. And we're going to sit with them, two different calls for an hour each, and talk to them about investigations we're engaged with, remedial efforts, trends, positive and negative, and getting direct engagement with them. Another thing I'm going to be doing, I'm going to be flying around the back end of this year with several leaders of mine, my other directs, to go and do face-to-face training. Go to countries, go engage with business leaders really at that more middle manager level to let them know what we're seeing, want to hear what they're seeing, and have very frank conversations. And those are just some examples I have when we've engaged at the tone at the top as well as tone at the middle.
Ryan Rohlfsen: Are there any practical things that you've found, whether it's, you mentioned, for example, talking to, you know, senior middle management in terms of trying to foster a positive tone at the middle. Are there other things that you've found particularly successful in fostering that tone at the middle?
Glenn Leon: Yes. It's a good question. I would say we are doing a few things in that space. One of the things we've heard other companies doing and we're doing it, and we're getting some good engagement on this, is sharing kind of ripped from the headlines. So we are taking actual investigations where we've seen misconduct and sanitizing the fact patterns, so we're not outing a particular team or a particular person – but making it clear this happened at our company, this is wrong, this is why it's wrong, these people got fired or these people got sanctioned, this is what we've done to fix it. We're getting buy-in and a lot of positive reactions from the business who actually likes that. And the last thing I'd say on that is we will send out those communications not from me as the head of ethics compliance – we'll ask business leaders to actually send out those communications. We have found that it is more effective, more impactful and frankly those communications are read more carefully if a message like that is being sent by the guy or woman who signs their paycheck, who is responsible for their bonus and their review, rather than some guy like me in Washington who's the ethics guy. It sends a good tone at the middle where it's the manager, the business leader who's sending that ethics message rather than me.
Ryan Rohlfsen: We talked a little bit about training and how important that is to your program. Obviously, when you're thinking about a global ethics and compliance program, you're talking about a lot of different laws, a lot of complex issues, whether it's privacy, anti-corruption, accounting treatment, revenue recognition, a whole host of cybersecurity, a whole host of issues that could have not only a variety of different laws in the United States, but also multiply that by the number of countries you're operating in. How is it you're able to effectively communicate those complex, sometimes contradictory, laws and concepts to a broad group of employees around the world?
Glenn Leon: So, and not every company does it this way – the way we do it is as follows. We have very little mandatory training. To my knowledge, we only have two trainings for the whole company that are mandatory, required, every employee from the most senior to the most junior, and including board members, have to take. One is SBC, the standards of business conduct, our code of ethics – every employee has to take that once a year. And the other is cybersecurity, cyber training. There is a lot of other training at the company and that is targeted for particular teams. So the public sector team has to take separate public sector training. People who do particular work in the global trade space may have to take particular global trade training and on and on and on. But the only required training we have is our SBC annually and our cyber training. And when you look at our SBC training, our code, once a year, we have boiled that down to about an hour. One thing we've done in the last couple of years which, I think, has been a nice move is instead of having one training that everyone has to take that frankly used to be, like, an hour and a half, now we've boiled it down to three different modules. Depending on the kind of employee profile you have, if you are more back office, finance, you may have a training that focuses more on books and records and financial issues. If you have more of a job that's more sales and external facing, you may have more of a training that has a higher emphasis on the FCPA. Everyone takes the main areas, but we will modulate a bit to your particular profile. But we take the approach that if it's an employee's time, it's valuable. We're not bombarding them with a ton of required mandatory training. And in terms of the mandatory training, we try to make it very risk-based. We try to focus it on what is the kind of risk that this particular employee is most likely going to face? Trying to target it to that employee's profile and making the mandatory training pretty specific and targeted. Having said that, we have a lot of other training that, again, is situational, is regional – it's run more by country counsel, local counsel with support from ECO, my team, but it really is much more situational.
Ryan Rohlfsen: Do you ever train your third-party business partners?
Glenn Leon: We do. It's a good question. We do. We require all of our partners, and we have a lot of partners, to certify that they're familiar, have read, and certify that they're familiar with our partner code of conduct. We require that certification to be renewed on a fairly regular basis. And then when we see issues through an audit or in other areas, we will require training.
Ryan Rohlfsen: So, I mean, to state it somewhat obviously, I mean, one of the biggest risks for every company in the world is third-party engagement. That's obviously the risk that you see in virtually every enforcement action under the FCPA as well as several other laws. What is the most powerful tool that you have available, or that you believe is most successful, in terms of managing and mitigating third-party risk for the company?
Glenn Leon: Well, couple things. One is we can always fire them and get rid of them, and they know that and we do that. We try not to – that's a last resort, but we certainly do that. And frankly, the more we do that, even if it's the exception, not the rule, the more other partners see that and that drives behavior. We also have audit rights, and we do that and we're doing more of that, and that certainly drives behavior as well. Partners don't want to be audited. Frankly, a lot of our internal members of the business don't want the partners to be audited, but we do it and we hold them to it. But the other thing is obviously on the front end, we do have a very, very rigorous due diligence process on the front end. My anti-corruption team actually gets quite engaged pretty early on if there are any real red flags and then we will look under the hood even further. To your point, that's where a lot of the mischief is, whether it's with FCPA, off-book funds, you know, and you've got to make sure that you hold partners to a high standard.
Ryan Rohlfsen: About how many business partners does HPE have?
Glenn Leon: HPE has conservatively well over 10,000 partners. When you include partners tier-one, tier-two, systems integrators, consultants, and if you loop everyone in, well over 10,000.
Ryan Rohlfsen: And are all those parties run through some level of diligence?
Glenn Leon: Absolutely. Yes, everyone.
Ryan Rohlfsen: And how do you draw the line, practically speaking, between those that get, let's call it, like, a basic diligence versus enhanced diligence versus extra-enhanced diligence?
Glenn Leon: Yes. So we do that in a couple of ways. One is obviously, tier-one, the people that we are directly engaged with are going to get more scrutiny than a second- or third-level partner. Doesn't mean that tier-two and three don't get scrutiny, but the ones we directly engage with certainly get more. The other is we do have on top of our due diligence of our partners, we have other anti-corruption programs that overlay on top of that. So for example, any public sector deal in particular countries, particular high-risk countries over a certain amount of money, gets scrutinized by my team, or they don't happen. So that's one example of a few examples where we have additional checks on particular high-risk deals. So that's another example of where a deal would be scrutinized and the partners would be scrutinized as well.
Ryan Rohlfsen: So what's next for HPE's program?
Glenn Leon: Good question, Ryan. So what's next for our program? Just picking up on what I was saying earlier, the way a good program or a very good program, I think we have, stays very good and gets better is you've always got to be evaluating, you've always got to be changing. And again, using the example I gave earlier with our FCPA program, we had a world-class FCPA program four years ago because we had to because we were entering into this big settlement with the DOJ and SEC. And I have every confidence that our program today four years later is better than it was then – and the only reason for that is we've hired more good people, we've stayed on top of trends, we've engaged with good outside counsel, and we're auditing and we're trying to continually improve. We've not just done that with the FCPA, but we've done that with the GDPR with some of the things we've just talked about this afternoon – training, compliance. We haven't even really talked about our SER, our social and environmental responsibility program, but we're doing a lot of things in the human rights space, supply chain ethics, what have you. So I'm confident – in this role, I've been here three years, I can say with confidence I inherited a strong team, which I was lucky to do, but it has gotten better. So the future is just continuing to improve and figure out other places we can continue to improve.
Ryan Rohlfsen: Thank you again, Glenn, for taking the time to chat with us today. And thanks everyone for listening. Please tune in to our other podcasts on topics related to international risk mitigation and management. You can find them on our website at www.ropesgray.com. And of course, if we can help you navigate any of these challenges, please don't hesitate to get in touch. Thank you.