STEPHEN MARTINPARTNER, ARNOLD & PORTER

ON BUILDING TRUST, EMPOWERING COMPLIANCE TO HELP THE BUSINESS BE SUCCESSFUL AND LEARNING

HOW TO BE A PROACTIVE ETHICAL LEADER.

2Convercent © 2016. All Rights Reserved.

““

EXPERTEXPERIENCECURRENT Partner, Arnold & Porter, an international law firm. Specializes in compliance and white-collar work. Focuses on proactive compliance, enhancements of programs, risk assessments, working with clients on having an effective compliance program as well as handling government investigations type of work.

BACKGROUNDSpent about five years in the law firm setting. Previously was in-house compliance officer at three major companies (WorldCom, Quest and Adelphia), which faced massive government investigations – focused on rebuilding the compliance program and handling the government investigations. Former federal prosecutor at the Department of Justice and started career at the Missouri Attorney General’s office as Assistant Attorney General.

I LIKE TO SPEND MY TIME

WORKING ON THE PROACTIVE

SIDE, KEEPING COMPANIES OUT

OF TROUBLE AND REALLY

HELPING THE COMPLIANCE

PROGRAM AND THE

COMPLIANCE OFFICERS AND

PROFESSIONALS AND GENERAL

COUNSEL UNDERSTAND

THE RISKS THAT THEIR COMPANY

FACES.

3Convercent © 2016. All Rights Reserved.

Q:What does an effective compliance program look like to you?

STEPHEN:The way I like to talk about it at Arnold & Porter is around the six elements of a compliance program. If you look at it, it comes from the DOJ Guidance, from the FCPA [Foreign Corrupt Policy Act], the U.S. Sentencing Guidelines, international standards such as OECD [Organization for Economic Cooperation Development] and the U.K. Bribery Act. It applies both in the bribery FCPA context as well as any number of other kind of compliance issues that regulatory or government agencies would enforce. The World Bank is a perfect example with the Consumer Financial Protection Bureau.

What I like to try and do is make it simple for companies to understand. If you meet these six elements, then you would have an effective compliance program and that helps protect the business, the employees, and all the stakeholders. That’s made up of:

1. Leadership2. Risk assessment 3. Standards and controls4. Training the communication5. Auditing and monitoring

6. Response and enhancement of your program

We can talk about those factors and how companies can tackle them, but really if you meet those six elements, you would have an effective compliance program.

4Convercent © 2016. All Rights Reserved.

“ “

IF YOU THINK ABOUT IT PROACTIVELY, THAT'S THE BEST PLACE TO START TO TRULY UNDERSTAND WHAT YOU'RE DOING AS A COMPLIANCE OFFICER. IT'S ALSO THE KEY REQUIREMENT FROM THE GOVERNMENT STANDPOINT.

Q:What does an effective risk assessment look like? Why is it important for a compliance officer to take the time to conduct one? Where do they even begin?

STEPHEN:When you think about it from a risk standpoint,it’s really about understanding:

1. What is your business engaged in around the world?

2. What activities is you business involved in?

3. How are you conducting your business?

Financial risk, everybody understands. Operational risk, companies are really good at. The area that they often struggle is compliance risk. They may understand the key ones but they may not see all of the laws or other regulations that would apply or how they’re going to be impacted. Then there is reputational risk. When you’re talking about compliance, especially, the impact on the company from a compliance standpoint or reputational standpoint, both of which have a dramatic impact then on financial performance or operational performance, potentially.

When you think about risk assessments, the Department of Justice and the SEC [Securities Exchange Commission], as an example, say your program should be risk-based. If you think about it proactively, that’s the best place to start to truly understand what you’re doing as a compliance officer. It’s also the key requirement from the government standpoint.

You want to understand either the risk profile or conduct more in-depth risk assessments, understand the compliance program and how effective it really is. You can do them in very narrow areas like bribery and corruption or data protection or privacy or antitrust. You can do them in specific countries. I travel all over the world and do these in tough places where you have challenging concerns, whether it’s Southeast Asia or Brazil or Russia or China. You could do them in regions of the country. You could do them at the headquarters or enterprise-level. There are multiple ways that you can conduct these risk assessments, but the idea is that you have an ongoing process to be thinking about risk and how it’s impacting your business and then building your compliance program based on those findings.

5Convercent © 2016. All Rights Reserved.

Q:When you’re marketing your compliance program internally to your company and trying to get your employees on board with compliance so that they can change their frame of mind to be more compliance-first, how do you recommend communicating the risk that’s involved with not being compliant to employees and removing the fear factor? How do you try to get them more involved in compliance but not thinking that it’s this authoritarian -- rather becoming more of a business enabler rather than a blocker?

STEPHEN:There’s a couple challenges. One is getting the buy-in from senior management or the board of directors, which can sometimes be challenging for compliance officers or general counsels. The second one is really getting the money to effectively run your compliance program, because often, compliance is looked at as a cost center. Changing the conversation from “Here’s what the government expects” ... Because a lot of companies will say, “Hey, we do everything the right way. We’re totally compliant. We’re a good company.” But I’ve seen a lot of people who say that, have serious problems in their business. It’s not just your employees. It could be third parties or agents that you’re dealing with. It could be a rogue employee that gets the company into trouble.

What you’re really doing is building a compliance program that protects everybody -- the board of directors, senior management, all the employees, the stakeholders. If you talk about it from that way, that “This is going to be a good thing for all of us. We can reduce risk, maximize profitability” you get the buy-in from the corporate side.

On the employee side, we live in a YouTube society and a quick-hitting technology, everybody’s paying attention in 15-second increments, so that becomes a big challenge. The days of hour-long training doesn’t really work so you’ve got to figure out how can you communicate with a generation now -- and all of us, frankly -- that have smartphones, that are always looking at things instantaneously. You’ve got to make it interesting. Get witty. Make key points in very short amounts of time, but also relate to them “Why is this going to help you perform better?” If it’s the manager, “How’s it going to help your team perform better? How’s it going to help you and your team get your bonuses at year-end?” That’s a good way to talk about it.

6Convercent © 2016. All Rights Reserved.

You can talk about some of the downsides, because you can be charged with crimes, you can be imprisoned based on certain types of activities that can happen. I like to think about it much more on the proactive side. Most people really want to do the right thing. They care about the business they’re working with and they want to be part of that company. If they see people doing things that are inappropriate or wrong, they’re certainly going to report those if they have the right avenues and encouragement.

If it’s a positive environment, you’re talking about compliance being a good thing. I’ve seen companies do ethics weeks or ethics months or they do videos that employees create about why they like working here or why it’s important to be ethical. I’ve seen all kinds of different types of communication methods that really work well. Thinking outside the box. It’s not just giving them a piece of training, but really how do you communicate on an ongoing basis about the importance of compliance?

7Convercent © 2016. All Rights Reserved.

Q:How can a compliance program go from being reactionary to proactive?

STEPHEN:We’ve seen the compliance industry really start to become much more professional, much more organized, from what were the early stages -- where a company really had a hotline and training and that was kind of the key things that they would be doing to now having what we’ve described as an effective compliance program all the way through the auditing, monitoring, to the response, and how do you engage from a communication standpoint. Now what I see is that the best companies in the world and the ones that are really interested in trying to use compliance as a positive business tool, are thinking about “How do I make my compliance program predictive? How can I give really great data to boards of directors and senior management? How I can show what our employees are doing and how this is making a difference?” We’re on the cusp of seeing that really develop throughout the compliance world with a number of companies.

It’s a challenge. You have to invest in technology. Now we’re seeing great technology and Convercent has been leading this. How do you bring all of these various inputs, whether it’s training records, whether it’s policy certifications, whether it’s third-parties? It can be risk information and data. Any incidents and reports. How do you collate all of that data together so that you can see it in one organized fashion, which compliance officers have not been able to do before? How do you use that information to help the company make strategic decisions about compliance and how does the board of directors really see if this has been effective? It’s a great way, frankly, to protect the business at the end of the day. If you could show that data to a regulator that asks questions, it’s vastly different than a lot of companies can do out there.

That’s where you’re seeing the trends go for the best in practice in terms of compliance. Certainly it’s a return-on-investment that’s great. It’s less resource-constrained in terms of individual people. It certainly gives you transparency into regions around the world where you wouldn’t otherwise get it by using technology. That’s the next big push in terms of how compliance and where it’s headed as an industry.

8Convercent © 2016. All Rights Reserved.

Q:What makes a compliance program legally defensible?

STEPHEN:You’ve got to have high-level commitment. You’ve got to have somebody who is in the position of Chief Compliance Officer and that role can be in different locations. You have to have adequate resources. Then you’ve got to meet those six elements of the compliance program that we talked about. That’s really the standard for being defensible. If you don’t have adequate resources, if you don’t have the right person at top, with access to the board of directors and senior management, you don’t have senior management buy-in, or you’re deficient in one or more of those 6 elements that we talked about, then you simply can’t defend the company.

9Convercent © 2016. All Rights Reserved.

Q:What makes a great compliance officer?

STEPHEN:I think the number one thing when I talk to compliance officers that I tell them is, “You’ve got to really learn and understand the business. If you’re just going to sit at headquarters and roll out compliance programs or certifications or training or whatever it might be, you’re not going to be very effective. If you can’t understand the business -- and it’s not understanding the business from reading about it -- it’s understanding the business from being out on location. That does two things. One, you understand and appreciate what’s happening on a day-to-day basis. You see the challenges of what’s happening in the marketplace, in the industry, how the business is running. Then second, you also get to know the business executives, so you build trust. If you’re out there, whether it’s on manufacturing line, or if you’re out in China or another country as part of the business. If you’re really trying to figure out what the technology is, then your part of the business and a trusted business leader. That’s where I think a lot of compliance officers face a challenge is they’re sitting in their office. They’re not out doing things proactively.

The second thing I think is really important for a compliance officer is to always be focused on risk. Trying to understand: What is the business doing? As part of that, you’ve got to be paying attention to the new strategic business initiative. This is one of the things that is challenging for compliance officers, because they always talk about wanting a seat at the table. The way you get a seat at the table is that you’re a business leader that helps solve problems. You need to understand the strategic business initiatives, where the senior management wants to take the company, and help them get there. If you’re always the “no” person, then people will just ignore you. They won’t come to you as compliance. They won’t get you to help solve their problems.

There are times, clearly, that you have to say “no,” but when I was a compliance officer in-house, my approach was: “Okay, I appreciate you bringing that question to me. I’m going to help you solve this challenge. We can’t do it the way you’re suggesting, but I’m going to help you figure out another way to go about this, so that the business can do this if possible.” You’ve got to try and be a creative business leader. Too often, it’s just a lawyer or just a compliance officer and they’re not really engaged in the business and they’re not helping to solve the problems. Then people don’t trust them. Building that trust, getting out into the company, and then really thinking strategically about how can you help the business be successful, is what are the keys for a compliance officer.

ABOUT CONVERSEConverse is an interview series designed to shine a spotlight on corporate compliance practitioners and the important work they do. The goal of the series is simple: to facilitate sharing, provoke thoughts, inspire action and build community among executives in the growing and constantly evolving space of ethics and compliance. Each episode features insights, candid anecdotes and practical takeaways from a leading compliance executive based on their experience, challenges and successes on the front lines.

ABOUT CONVERCENTConvercent’s risk-based global compliance solution enables the design, implementation and measurement of an effective compliance program. Delivering an intuitive user experience with actionable executive reporting, Convercent integrates the management of corporate compliance risks, cases, disclosures, training and policies. With hundreds of customers in more than 130 countries— including Philip Morris International, CH2M Hill and Under Armour—Convercent’s award-winning GRC solution safeguards the financial and reputational health of your company. Backed by Azure Capital, Sapphire Ventures (formerly SAP Ventures), Mantucket Capital and Rho Capital Partners, and based in Denver, Colorado, Convercent will revolutionize your company’s compliance program.

10Convercent © 2016. All Rights Reserved.