The CFA Institute is a not-for-profit professional organization that serves investment management professionals—mostly portfolio managers, financial advisors and research analysts on both the buy and sell side—by advancing ethics, market integrity, and professional standards of practice. The Institute serves firms that are primarily engaged in asset management (e.g., mutual funds, hedge funds, private equity, real estate investment, investment research and ratings, and investment advisory services), wealth management, fiduciary asset ownership (e.g., pension funds, endowments, and sovereign wealth funds), and the various regulators and standard-setters that oversee this sector.
For the last two years or so, Darin Goodwiler has been the Institute’s chief compliance, risk, and ethics officer.
Goodwiler comes to the job with an interesting background. Where many compliance professionals enter their current line of work from an allied field, such as legal, accounting, or auditing, Goodwiler comes by way of taking apart bombs and physically protecting the President of the United States.
Goodwiler’s career began as an EOD (explosive ordnance disposal) technician for the U.S. Marine Corps. From there, he was recruited into the Secret Service to work counterterrorism through the first Bush, Clinton, and second Bush administrations, during which he worked on over 300 protective details around the world for the President, Vice President, and other VIPs. After 9/11, he became the Homeland Security deputy director for the Great Lakes region, with more than 3,200 police officers and more than 10,000 armed security officers reporting to him, all jointly responsible for some 10,000 facilities and the people within them.
After that, Goodwiler joined engine manufacturer Briggs & Stratton as its director of safety and risk management, spending two of his 10 years there as CEO and country manager of the company’s Mexico division. He was then recruited to work for Giant Eagle, a Pittsburgh-based regional grocery store chain, as its chief risk, ethics, and compliance officer, handling the various regulatory demands of the FDA, USDA, food manufacturing, EPA 9 (for the company’s gas stations), and other compliance challenges that were relatively new to him. Almost two years ago, he and his family moved to Charlottesville, Virginia, where he joined the CFA Institute as its chief compliance, risk, and ethics officer, and he has not looked back since.
What does your day-to-day look like at the CFA Institute?
One of my primary roles is to ensure that we at the Institute are doing what our CEO calls “eating our own soup”—that the virtues and actions that we extol externally to our members need to be mirrored internally. The Institute is all about ethics and integrity around the world, and I make sure we live by that higher standard at an organizational level.
We’re kind of a UN in the financial industry, breaking down barriers and getting everyone to sign on to our codes and standards so they put investors first in an ethical way. It’s an incredible opportunity to be part of it.
I have a big remit—compliance, risk, and ethics. The compliance and ethics program has the federal sentencing guidelines and all the components associated with that, and I have been standing up our program. While the CFA Institute is seven years old, our compliance and ethics program has somewhat only existed since I got here.
The other hat that I’m wearing is as the chief risk officer. When I joined the CFA Institute, we had seven different risk management programs that did not necessarily align. The idea was to pull all that together and come up with a reasonable, tactical, and strategic enterprise risk dashboard that meets the organization’s needs from the strategic standpoint but also is something tangible, that people can take ownership of. I am maintaining that component, as well.
I own the emergency preparedness and risk group which is all about our own crisis management and business continuity. I own the facilities and security program within the organization, and I also own our corporate social responsibility program, which is a risk mitigating component, but it’s really about being good corporate global citizens. That’s a unique responsibility, because we operate in so many different locations around the world.
What is your strategy for using communication to ensure you can do your job effectively across a broad array of responsibilities, but also for getting people to sign on to your vision for the Institute’s compliance, risk, and ethics program?
I think the key is convincing people that they have skin in the game. The idea is asking people, as part of an enterprise risk assessment, what keeps them up at night. You pull those risks together so these people know they have been listened to. And then you need to turn that around and say, “Here is the risk to the organization that you articulated, here is how we fix it and, by the way, you own it. I am going to be checking with you on a monthly basis and giving a status update, and that’s going to go all the way up to the audit and risk committee of the board of directors on a monthly basis.”
Getting their input and letting them know they have been heard and putting that skin in the game is getting that commitment to the point where they understand that they have a role to play.
It’s very clichéd to say that everybody owns safety. But in the manufacturing world, it is what it is, everybody has to make sure that the guy next to them is safe. With that in mind, everyone owns compliance. Everyone owns risk management. Now, to say that is one thing. But to have a name on a document that goes in front of the board and the leadership team on a monthly basis, and for those names to be checked on and compared to KPIs is the key. That’s the magic to having them get it—having those conversations and articulating why it should be important to them and how they tie into the larger picture.
You come to compliance from a most unusual background—explosives disposal, the Secret Service, and counterterrorism. How did that background help prepare you for your role now with the CFA Institute?
Military personnel make great risk management and compliance persons, as well as great business people overall—because they are trained to shut everything else out and stay calm under pressure, focus on what you’re doing while all heck is breaking loose, and make order out of chaos. That skillset really works well in the risk and compliance world, especially when you’re looking at the emergency management side of it. That consistency of character is an attribute difficult to find outside of military people.
When I was in the Secret Service, I filled up six diplomatic passports. I traveled to every country on the planet. When you go in there to do an advance for the President or the Vice President, you work with local municipalities and you really have to be a diplomat. I did a trip with President Clinton to the Gaza Strip, so we relied on our fellow law enforcement and security personnel in the Gaza Strip to help us out and create that secure perimeter. You have to have the ability to quickly build trust, evaluate the sincerity and the capabilities of people, and then quickly put a plan together to solve a problem where the life of the most powerful person of the planet is in our hands.
You take those same skillsets and you apply them to a business. It is a unique transition, but it is a matter of identifying threats and risks and vulnerabilities—whether it’s from a compliance standpoint, risk management, or emergency preparedness—and coming up with the appropriate countermeasures and assigning the resources to get it accomplished and then watching it play out. Sometimes military people have a hard time articulating these things because they are so used to acronyms and their military verbiage. But if you use the right words with your civilian counterparts, then the action makes perfect sense and creates order out of chaos, and that’s really what military people like to own.
What would you say some of your big successes at the CFA Institute have been, and what do you credit those successes to?
There are three big nuggets that we accomplished in the last 18 months or so—and I say we because I was allowed to stand up a team with a lot of talent internally. I love building good teams and training people. I can teach anybody anything, but I cannot teach character. So when I recruit for my team, I look for people with certain professional attributes within the organization and I pull them in to train them.
The first big success was the Compliance and Ethics program, which I stood up with a person who had no compliance or ethics background. She is a superstar now, 18 months later, knocking it out of the park with an SEC certification academy as well as a bunch of different professional developments within the compliance program. She took to it like a duck to water. Again, it’s just finding the right people with the right professional attributes to thrive in a particular area.
ABOUT DARIN GOODWILER
Darin Goodwiler is responsible for providing a comprehensive, global compliance, ethics, and risk management framework and strategy for CFA Institute, its member societies, and affiliations. He will also be responsible for moving the organization’s compliance culture and programs forward, as well as risk management planning.
He joined CFA Institute in September 2015 following a diverse career in high-level government security, international business, executive leadership, and global compliance and risk management operations. He has served in executive roles for Giant Eagle, Briggs & Stratton, and the U.S. Department of Homeland Security. Earlier in his career, Mr. Goodwiler served in the U.S. Secret Service and the U.S. Marine Corps. He reports dually to the President and CEO and to the Committee Chair of the Audit and Risk Committee of the Board.
The second success was putting together an enterprise risk program. When I got here, there were seven disparate risk programs, and when I was asked by the chairman of the audit and risk committee what was the number one risk to the organization, I said, there are seven number one risks, and I don’t know if there are seven more, or if that’s all. So we needed to put together one truly global enterprise risk dashboard with a system and a process that maintains and manages that.
The third thing was pulling together these disparate programs in terms of business continuity and continuity of operations and putting together one solid crisis management program that has now been trained, tested and evaluated with subordinate teams. All of the plans that we had before roll up in this larger plan, so everybody is speaking the same language and communicating effectively to each other.
The key to my success here is that I have an incredibly supportive board. I’m on the leadership team so I report directly to the CEO and the board, so I’m at the most senior level of the organization. I have a seat at the table along with 12 additional people that make up the leadership team and report to the CEO for the organization. It’s an incredible group of people that I work with. So, I have incredible support from my peers on the leadership team, incredible support from the CEO, and a great audit and risk committee that I support. That’s the wind behind my back. It really helps me stand up a program fast.
As somebody who works across multiple lines within your organization, what are your thoughts on trying to make the risk and compliance function a more integrated function, as opposed to one person holding multiple titles, roles, and responsibilities?
I don’t mind having multiple hats within the organization. The difficulty is that by being the chief compliance, risk, and ethics officer, compliance and ethics go together, and there is a specific liability associated with it. If I have a person within the organization that is a bad actor and who does something wrong, and I don’t have a good ethics program, then there are repercussions that come not only to the organization but to me. I could potentially go to jail, and so there’s a lot at stake for the chief compliance officer.
As the chief risk officer, from a legal standpoint, your vulnerability as far as going to jail because you have some kind of FCPA violation because you didn’t have a suitable or substantial compliance program in place … that is really more of a fiduciary responsibility to your board and your various stakeholders. So there are different roles, liabilities, and risks associated with that.
And then there are the duties as assigned, based on the nature of the organization. For me, that’s another 50 percent of my remit with the different hats I wear. Each one has to be taken separately and importantly. Today, I’m the chief risk officer and tomorrow I’m the chief compliance officer and the next day, I’m a managing director on that part of the leadership team that strategically determines what the organization is supposed to look like in the future. So I’m not really in favor of coming up with a single defined role.
You have a diversity of experience coming into the compliance role. When I go to a compliance function, I talk to different compliance people across the role—legal, accountants, auditors, all kinds of people with different backgrounds. And the organization is going to use their skillsets based on the needs of the organization. I wouldn’t want to broad-brush that. I think there is richness in that.
If somebody calls me a chief compliance, risk, and ethics officer, then I am going to protect the organization from a risk standpoint, and I’m going to make sure that you have a solid compliance and ethics program.
As you entered a career in compliance and ethics, what are your most unexpected challenges in that realm, and how did you turn those challenges into an opportunity or a success for yourself?
The biggest challenge was explaining the need or the necessity for a compliance officer to an organization. Both at Giant Eagle as well as at the Institute, the CEO and the board thought it was important to have the compliance, risk, and ethics role, but they didn’t really know what it was or why it was important. The challenge was getting asked to define compliance and demonstrate the value-add. At least, that has been my experience.
The way I overcame that is through a process I developed where I came up with a compliance owner framework. The idea is understanding all of the areas of compliance for the organization. In my last organization, I had 62 different areas of compliance. Here, so far I have identified 53 and we’re still working on it. That can be anything from HIPAA compliance to OSHA compliance to certain policy compliance, in different areas.
The next step is to take those compliance owners, put them down on paper, have them commit to being that owner and having a backup. Then we go through a survey with them: Are we compliant in their area? Are we benchmarked against anyone else so we can tell if we’re good, better, or best? Are there outstanding regulatory issues coming their way? Do we have policies and procedures around their working area? I send that out to all of the compliance owners, and then I take it back, and I interview each one of them and say, so, we have policies and procedures, are they outdated?
After I do a quick triage of where I’m at from a compliance perspective based on those areas, I go back in and I look at the policies and procedures of the organization and rewrite them policy by policy. Then I take all of the policies and ask, do all of my policies have an owner, and do all of my owners have a policy? I match up everything across the board and I make sure that the right subject matter experts are now compliance owners for the organization. I work that into a whole policies and procedures regimen where they have a very strict protocol to maintain that.
You go through that exercise and you talk the organization through it; you pretty much have gone through the entire culture so that everybody can tell you what compliance is. Everybody knows somebody who owns part of the compliance role. As you tell that story—here are the areas of compliance, here’s the list of names of who owns that compliance, here are the policies and procedures, here is what you will have to adhere to—then you have one center of knowledge with all of these policies and their owners. Five percent of their performance evaluations is tied to compliance responsibilities, so they have skin in the game. That is pushing it into the culture and letting them understand what compliance is all about and that everybody owns compliance.