Editor: Stasia, did you find that as a result of serving as general counsel of Fannie Mae, Sears and now MCI that you developed a set of principles that guide your actions? Most of us have never faced the challenge of coming into a troubled company as you did and building a new compliance culture. What is your perspective on the role of general counsel in compliance?
Kelly: The GC leads the effort in designing, developing and driving the compliance culture within the enterprise's broader governance program. Compliance is a way of behaving and not just a set of rules. It is a mistake to believe that the GC holds the primary responsibility to embed compliance within the organization, as that is the role of the company's leadership team. The GC is responsible for the elements of the compliance function and facilitates the creation of a compliance culture by championing the program with the business leadership. Additionally, it is most common for the compliance function to report up through the GC because of privilege issues and the sensitivity surrounding non-compliance.
Editor: Under Sarbanes-Oxley and the ethical rules, the GC has responsibilities to the board that could trump his/her responsibilities to the CEO. How can the GC best handle the tensions created by this situation?
Kelly: The GC's primary responsibility is to the shareholders. It is critical that the interests of the board, management and shareholders be aligned. If there are actions contemplated that could disrupt this alignment, the GC's duty to the shareholders trumps the interests of the others. Where the interests of the shareholders are in jeopardy, or the desire of the business conflicts with ethics or the law, the GC has to be willing to bring this to the attention of the appropriate members of the Board or the Audit Committee, even if the CEO objects. This is why it is important today for the GC to have good, solid, trusting relationships with members of the Board and Senior Management. Of course, the GC should exhaust discussions with the CEO and Senior Management before escalating an issue to the Board.
Editor: Does the GC have an obligation to insist on having the tools that make it possible for him or her to discharge his or her compliance obligations?
Kelly: The obligation falls on the company to provide the GC with the resources necessary to discharge his or her compliance obligations. But, the GC's most important task is to ensure that the executive team understands the long-term benefits of creating a compliance culture to allocate the necessary resources within their own organizations to create effective compliance programs. Management has to recognize that compliance is a business issue and that failures in this area can result in great losses and in some cases even jeopardize the future of the company. Our management team had the benefit of Restoring Trust, written by Richard Breeden and adopted in full by MCI, which clearly outlines, among other things, MCI's compliance responsibilities.
Editor: Does the GC have an ethical responsibility to resign if such tools are not made available?
Kelly: The existence of the tools is not the primary issue; the real issue is the willingness of the Senior Management team to create the right culture. I would not want to be part of a company where there was a lack of support for a compliance culture with strong management involvement. It is important to ask yourself, "What is the company's perspective on governance?" and "Do they really care if they behave appropriately?"
Editor: To expand on the concept of embedding compliance within the culture, how do you see compliance expertise and responsibilities distributed across a company?
Kelly: I see three levels of compliance responsibilities within an enterprise. First, there is the compliance function with overall responsibility for coordinating the program and ensuring its effectiveness. Second, within the law department, I expect all of the attorneys to be fully cognizant of applicable legal requirements within their areas of responsibility so that they can spot issues and help to educate their business clients. Third, throughout the business there should be individuals embedded in the operations who understand the risks and the impact on business practices. Employees must feel that there are the channels available to ask questions or voice concerns, and that there is strong management support of the program.
Editor: Is it desirable to retain an outside consultant to advise the company as to the organization of compliance functions and to assist the general counsel in structuring the legal department so that it can carry out its compliance responsibilities?
Kelly: An effective compliance function must have an enterprise-wide perspective and touch everyone within the company; this is a much wider scope than anything we considered in the past. The success factors are quite different from the typical legal function. Legal and regulatory technical expertise is just one component. Outside consultants can help a company focus on organizational, process and change management best practices that must become embedded in all company activities. Consultants are very helpful because they are knowledgeable about what constitutes company-wide best practices and have experience with other companies which provide a measurement for performance. There is no need to reinvent the wheel by going it alone. When properly managed, consultants can save a company significant time and cost.
Editor: Carol, you came over with Stasia from Sears. When you arrived at MCI, how was compliance handled?
Petren: MCI's prior compliance model followed a more decentralized structure. Referring to the three levels mentioned by Stasia, we had lawyers who were well-versed in the laws and regulations governing the business. We also had individuals in the business who understood the potential risks in industry practices. What we added was a level of coordination through a VP of Compliance. Overall, the function required a centralized perspective to assure that risks were identified and addressed with the support of Senior Management. So, we enhanced the existing function with a level of overall coordination and increased executive involvement.
Editor: What was MCI's vision for compliance and how did it begin to take shape?
Petren: In addition to the basic components outlined in Restoring Trust, the vision for a compliance culture came from Michael Capellas, MCI's CEO, when he created his ten guiding principles for the company. These are values that each employee is expected to uphold. Additionally, the executive leadership team was actively involved in laying the foundation for compliance and provides support for its actual implementation. This support is embodied in the Ethics and Compliance Steering Committee, comprised of the CEO and top tier management who have the ultimate responsibility for setting the proper course for a compliant and ethical environment at MCI.
Editor: What initial steps were taken to accomplish that mission?
Petren: We first developed the compliance framework, which would drive how the company managed its compliance program across the enterprise. This included an organizational structure that defined the responsibilities of the compliance function as well as the obligations of those responsible for implementation throughout the company. The framework was presented to and approved by Senior Management and the Board. At the same time, we continued to work on our risk initiatives. In order to continue the work that was in progress on the risk side while developing a more effective compliance framework, we followed a program management approach in outlining the tasks, responsible individuals and deadlines for both work-plans. This allowed us to make progress and meet goals on both fronts.
Editor: How important was it to create an organizational structure for the compliance function?
Petren: Creating an organization that could leverage the skills and institutional knowledge within the company was key. The function is led by our Vice President-Compliance, Bill Single, who is responsible for focusing on risk identification, education, monitoring, and reporting. Critical to accomplishing these goals, Bill has fostered relationships with executive and business leadership and represents the function internally and externally. Bill is supported by attorneys who are responsible for individual projects and by a program manager who tracks project progress, among other responsibilities.
Editor: Bill, tell us about the risk initiatives.
Single: Risk identification is fundamental to an effective program. We started by meeting with business unit leadership, in-house counsel and outside counsel to gain a comprehensive understanding of the risks facing the company. We prioritized the risks by assessing the perceived size of each and the current state of controls.
An important part of addressing the areas of concern was to develop programs to effectively reach the company's employees. We therefore focused on educating the employees on the existing company policies as well as raising risk awareness. MCI reaches its employee base through multiple channels including online courses, handbooks, and emails conveying company policies. We are supported by MCI's internal training department and an outside vendor.
We also provide assurance that the enterprise is appropriately mitigating its risks. To that end, we created monitoring plans to ensure that we were doing what we said we would and to measure the effectiveness of our compliance efforts. We provide formal progress reports to the Audit Committee, the Board, Senior Executives and the Ethics & Compliance Steering Committee.
Editor: What role does technology play in the compliance function?
Single: Because MCI is a global company with employees all over the world, we need to leverage technology as part of the compliance function. We use technology to regularly track and communicate compliance issues and obligations with individuals throughout the organization. Technology is also part of our compliance messaging and education. We utilize a number of different solutions including databases that send automatic notifications to individuals with compliance responsibilities as well as the company intranet.
Editor: Carol, what challenges do you need to address to be successful?
Petren: MCI has a set of challenges that are similar to any large company: diversity of the businesses, geographic distribution of operations, and coordination of a large employee base. In addition, MCI had its own unique challenges in convincing its employees, customers and regulators that a new company had emerged from a troubled past with a meaningful compliance program. In the end, MCI had to effectively utilize its resources to assure that compliance was embedded in its business practices.
Editor: As vice president-compliance, what is your mission?
Single: My primary responsibility is to partner with the business and support organizations to promote a unified compliance program. I work with the businesses to identify and understand the risks and controls in order to begin to assess effectiveness. I also interact with other functions, such as Ethics, HR, IT, to name a few, in facilitating appropriate responses to identified compliance needs.
Editor: Carol, I assume communication is an important part of MCI's compliance function?
Petren: Effective communication is truly a cornerstone for our compliance program. In an organization our size, technology is critical to conveying the compliance message. Our Compliance Education Center website is the primary forum for compliance education and messages. When launching a new initiative, such as a training course, we work with our PR group to craft messages that resonate with our employee base and to coordinate the timing of our communications with other events on the company calendar. On a more tactical level, we have formal, regularly scheduled meetings with our business leaders and legal groups to keep abreast of changes in the practices of our businesses and to prioritize the risks confronting the company.
Editor: Many companies have a critical mass of corporate counsel with friendly relationships with middle management which operates as an early warning system of compliance failures. What other channels exist for employees to communicate their concerns?
Single: Because the company has historically been driven by regulation, our business people are used to having lawyers involved in meetings and acting as advisors. Despite this involvement, it is impossible for lawyers to be aware of all situations that may present risks. Therefore, it is essential for the compliance function to build relationships with the businesses, support functions and in-house attorneys. This creates a visible presence (in addition to the ethics line) which encourages individuals to share their concerns.
Editor: In monitoring the effectiveness of the program, what methods do you rely on to identify successes and earmark areas for further improvement?
Single: Most importantly, I want to know if we are following through on the programs that we committed to implement. If so, what are the results? For instance, if we roll out an on-line education program, we track completion rates and necessary feedback. We have an automated system that triggers emails to individuals requesting follow-up. Additionally, we engage in regular communication to ensure that the guidance provided in the educational program is in use, and if not, we know that additional work is needed in that area. MCI's SOX 404 controls team also monitors the compliance program to assure its effectiveness.
Editor: Earlier you discussed Senior Management buy-in. How is this maintained at MCI?
Single: Active, not passive, involvement is critical. You need to have the permanent forums built for ongoing engagement with top management such as we have with the Ethics and Compliance Steering Committee. Also, we have regular interchanges with Senior Management, so that compliance can remain a priority. Finally, active involvement from the board is essential.
Editor: What advice do you have for others who are implementing a compliance program?
Petren: Approach the task methodically and be realistic about your short-term and long-term goals. Compliance is a very broad concept involving a multitude of laws and regulations presenting various levels of risk. Don't try to address all risks at once. Start by identifying the risks confronting your company, then prioritize the risks and begin working on them one at a time. If you do not have a meaningful program in place, it is important to retain a consultant who has had significant experience in this area and can share best practices with you.
Also keep in mind that in implementing compliance, you must remain aware of business objectives. In order to assure that a compliant environment is embedded in the company, there must be an appropriate alignment with business objectives. This requires a good understanding of the businesses and constant involvement of management in compliance initiatives.