This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.
UPS is a sprawling, worldwide company. How does it divide up and manage the compliance function?
We created our compliance department in the 1990s. We rolled out our first code in 1996, took it international in 1999, revised the code in 2001, and then rolled out a global code this year—so we’ve had a number of years working with the compliance department, trying to define what’s critical here and what belongs in other areas.
From a structural view, I report to our chief operating officer, who is also our corporate compliance officer. I also report to the audit committee twice a year. We made a change about two years ago that was critical for us: The person who was the compliance manager for the organization also had some legal responsibilities, and the compliance department was actually part of the legal group. We made a strategic move to make compliance stand as its own department reporting directly to the chief operating officer.
Was that decision related to the Sarbanes-Oxley Act?
Actually, no. It was because the function had grown. We’ve always managed compliance as a values-based scenario rather than a legal or regulatory obligation, so this was a better fit for us, and at an opportune time because the previous compliance manager was retiring. It made a lot of sense for us to move it and stand on its own.
Talk about your responsibilities.
We generally review the regulations, and work with various groups to ensure they have the programs, functions or procedures in place so UPS can meet its regulatory obligations. We don’t day-to-day manage a lot of the compliance obligation, but we have the oversight … to make sure we have the right things in place.
We also have the general compliance program for training. We’ve developed updated training for overall compliance, to keep our program current and evergreen.
You must do a lot of travel.
I do. I pick those areas where I’ll get the most value. This being a global company, it’s important to go around and meet the people and really make sure the messages are truly heard.
How do you communicate to the masses when you have employees all over the world?
Most critically, we have a communications strategy that we develop on an annual basis. It uses almost every medium we have in the organization … to get messages to the front lines. It’s not always just me or someone in the compliance group talking about compliance issues. It’s the business managers also who spread the word about our obligations and what we stand for ethically.
I also attend a lot of meetings, and give a lot of presentations. We have a management conference annually, where all the senior leaders gather for a few days. There’s always a compliance presentation in front of that group.
Last week we spoke with Abbott Labs, which uses a quiz game to train employees on compliance. What tools do you use?
This past year we used CBT [computer-based training] modules that we could just send out to people. We have a number of people in different geographic areas where it’s hard to gather a group for facilitated training, and we’ve found it’s worked very well for us.
A lot of compliance officers grapple right now with how to implement a global standard. You’ve tackled that twice with your code of conduct. How challenging was that?
It was very interesting. When we rolled it out in 1999, when went to the various regions and held focus-group meetings with people working in those areas. We took the domestic code and had them give us feedback about what would work in their cultures and what wouldn’t work. From that we developed an international code.
Last year, as we became a global operation and began to synchronize commerce, we felt it was important for us to have one set of standards—so we took our two codes, and again we worked with partners overseas to see how we could blend things and move it to more of a values-based level. We weeded out some of the details in there before, such as references to specific agencies in the U.S. or other countries.
We do print the code, and all of our management people have a copy. We use it as a tool to open meetings, to read sections of it and talk about how it applies to our daily business practices. In addition, we have a training program: our business conduct and compliance training program. That uses the code as a reference material. It will go through scenarios, and force you back to refer to the code that you would use.
Can you give an example of those differences and how you blended them into one?
Sure. In the domestic code there were a lot of references to OSHA and DOT—agencies here in the U.S., and what our obligations to them were. As we looked at the two codes, we thought that since the purpose of this is to adhere to safety criteria, let’s talk about safety and not necessarily the safety agencies we must report to.
How much of your job is specifically compliance and enforcement, such as investigations or audits?
I work very closely with internal audit. We spend a lot of time together, and we do review risk assessments. I use the internal auditing group to do the auditing and monitoring piece of compliance … We’ll sit down at the beginning of the year and look at the schedule, based on risk assessment, of where we’re going to go and where we’re going to conduct the audit. Occasionally I’ll go on the audit with the internal audit group just to stay hands-on with the process.
We are a very cross-functional organization. We do a lot by committee work. You’ll find many of our projects have a committee assigned to them, with several people assigned to them who have reporting responsibilities and obligations to make sure those projects move forward. Sarbanes-Oxley is one of those; we have a committee, but most of the work is done by the internal audit group.
How many people are in your compliance group?
I have a group of 16. Most have project-management skills and expertise within certain areas: environmental, customs, hazardous materials, records management.
And what about the 404 project?
That’s managed with the internal audit group. We’ve had to put on a number of additional people who are working to document the procedures. Fortunately standardization is fairly common for us, but documenting every one of those procedures is quite a chore … We have a fairly large project team, and it’s a global team, working to document each one of those procedures.
Who sits on the oversight committee?
Our steering committee has people from risk management, accounting, compliance, our external auditors. Our director of internal audit directs it. We also have our tax people, the legal department, procurement.
You said you meet with the audit committee twice a year. What do you review with them?
Typically I’d review the training initiatives we have—any changes in our program, the results of any monitoring our auditing processes that we have that really show us the effectiveness of our program. We also do some questionnaires to our senior leadership, and we review what the results of those might be. Also the status of the help-line, things like the types of calls and the number of calls we get. Any programs initiated to address new business issues as we move into new business areas for us.
You came up through the HR department rather than legal or finance. That’s unusual for a compliance officer. How did you piece together the skills for this job?
It’s a good question—sometimes I wonder that myself! This is my 27th year with UPS. My background is a few years in operations, and most of my career in HR.
Throughout that, a few areas I managed were the learning and development group and internal communications. That experience in those areas is extremely helpful when you come into this role. I agree that most of my peers do have a legal background, but we have a whole department of lawyers that I can call on for assistance. In an organization as large as ours, if you really are going to have an environment where people do the right thing naturally because that’s what is expected … I think the training and communication sides are very important. Those skill sets are critical for managing in this environment.
And what are your goals for the next year?
First is to review new business. Any time we have a merger or acquisition, we stay as close to that as possible so we’re early in identifying any compliance gaps. We’re also working on producing a “guide to managing compliance” for our people out in the field. Since it’s such a huge responsibility and so diverse in our organization, we’re tying to come up with a reference tool for people manage the businesses. They can then go through … and have some idea of the questions they should be asking.
I also have a key interest in increasing visibility of compliance in our organization by attending meetings, coming up with communication strategies—getting more people to talk about compliance who are not in the compliance field.
And then there’s the typical day-to-day stuff, reviewing the regulations as they change and making sure there is a project team working on any regulation change that may affect our business.
Thanks, Joyce.
An index of previous Q&A Interviews is available here.
This column should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
No comments yet