The compliance officer’s role in the “front end” of investigations is generally understood: oversee employee hotlines, work with whistleblowers, and review allegations of misconduct. What about all the things that come next? How involved should a compliance officer be in fact gathering, determining culpability, and helping to decide upon (and impose) needed discipline? We spoke to Jim Zappa, associate general counsel and chief compliance officer at 3M Corp. about his approach. Zappa will be a panelist on a session devoted to these issues at the upcoming Compliance Week 2015 conference in Washington D.C., May 18-20.

Before we can get to the result of an investigation, the facts need to be uncovered. To what degree is it safe to assume that compliance is involved with internal investigations?

There are different models and approaches to this. There are some organizations where the chief compliance office is not involved with an investigation; the legal organization may take charge, or perhaps corporate security or audit. That’s not 3M’s model; compliance is the investigation organization for a number of business conduct concerns.

My job is to make certain that the investigation proceeds in a fair and full manner. It’s important that we do that well, and along the way communicate with the various stakeholders as we can, and as we should. When do you tell management, and who in management should be informed? What about other stakeholders, such as finance, security, or human resources? That’s a dynamic situation that we are trying to manage to protect the integrity of the investigation and make sure operational issues are not compromised.

When it comes to post-investigation discipline, what role should compliance have?

One of the things the compliance organization needs to do is make sure that the sanctions for violations are consistent over time, both from an employee equitability standpoint, but also from an organizational standpoint. In our process, compliance plays a very specific role in making sure that information about past disciplinary outcomes is provided to the decision makers for the specific matter being decided. We don’t want management to under-penalize someone, or over-penalize them. Bringing that calibration to the process is important.


Jim Zappa
Chief Compliance Officer
3M Corp.
Jim Zappa is 3M Corp.’s vice president, associate general counsel, and chief compliance officer.  In this role, he leads 3M’s corporate compliance & business conduct department.
Zappa has been with 3M for more than 13 years. Prior to his current role, he spent three years as 3M’s vice president, and associate general counsel, international operations. In that role, he led the team of 75 lawyers in more than 30 countries supporting 3M’s operations outside the United States. Zappa’s other 3M roles include: general counsel for the human resources organization; general counsel for the consumer business group; and business and employment counsel to multiple 3M business units.
Outside of 3M, Zappa was an associate at Dorsey & Whitney, an employee relations director at UnitedHealth Group, and law clerk to the Honorable Richard H. Kyle, United States District Court for the District of Minnesota.

The other role a chief compliance officer plays is in the communication of the “why.” Why is a sanction appropriate here? It is important that stakeholders understand what happened, why something was wrong, and why the sanction was what it was.

Once a matter is resolved, your work is not done, I would assume.

The third piece where we play a role is building upon the lessons learned from the remediation. How do we figure out what the fixes are? If there a process, policy, or operational gap, what recommendations can we make? What is the lesson that can be shared with other units that may be in a similar situation, so they can get in and fix things before there is a bigger problem?

All too often, compliance officers have the reputation of being a “cop on the beat.” How can you balance the role of an enforcer with the need to encourage open lines of communication with all units, and encourage hotline use?

If companies want to have an effective compliance program, you obviously have to respond to the people who raise issues. If you don’t respond, then people think the company isn’t going to do anything about it. On the other hand, if a company takes a very aggressive approach to an investigation, or makes people feel like they just want to make heads roll and set people up as an example, that can have a counter-effect as well.

In a lot of countries you may even be creating new legal risks for the company if you do investigations that way, from a privacy, defamation, or labor contract standpoint. Compliance has to be aware of, and attuned to, all of those nuances. At the end of the investigation process people may not like the outcome, but you want them to think the process was fair.

You stressed working with other business units on an investigation. Can that be a challenge?

It’s important to try to figure out an approach that allows you to maintain collaboration. At the end of the day most, if not all, compliance investigations are business operational problems. Everyone has to have a stake in trying to figure out how to navigate these waters. Business leaders may have some disruption in their team, someone that they can’t promote, or a customer they can’t sell to. The longer something goes on, the more employee issues come up and people are distracted.

It’s a challenge to maintain good coordination, but the chance for a successful outcome increases if everyone is working together and there is a core team that represents various functions. You want to keep them apprised of what is happening, and you may need to ask them for help with resources or clearing roadblocks. What is that core team and who is on it? That should be part of your investigation plan, so you can do a better job of trying to coordinate things.

As you bring other people and units within the company, is there a risk of compliance not having the independence it requires, especially as investigations can involve anyone from a dock worker, to an important sales manager, or even an executive?

There may be different models, but whoever does the investigation, there has to be a formal recognition that it is independent. You can achieve that independence in a number of ways, from the charter establishing an ethics or compliance committee, or having senior management stress that independence. It’s important that the investigators, and the people being investigated, know that this is being done with all the independence needed.