When news of Wells Fargo’s infamous fake accounts scandal broke in 2016, the bottom-up crisis caught the attention of Todd Hartman.

Hartman, then serving as deputy general counsel and chief compliance officer (CCO) for consumer electronics retailer Best Buy, wondered along with his team, “Could that happen here?”

The Wells Fargo scandal saw employees open more than two million fraudulent deposit and credit card accounts on behalf of consumers. In the aftermath, the bank has paid billions in fines and restitution; parted with thousands of employees, including multiple chief executive officers; and is still seeking to restore its reputation.

Reacting to the news, Hartman in 2016-17 spearheaded an organizational change at Best Buy uncommon for its industry: making its compliance capability independent from its legal department and instituting an enterprise risk and compliance function. He sought to understand, “Do we have the structures that would always enable those communications to happen in the most complete and appropriate way?”

He studied “why something that was so easily detectable—and was detected at a variety of places throughout the company (Wells Fargo) and a number of times—was somehow never appropriately escalated to the right levels of the company and then never fully addressed as the comprehensive risk that it ultimately became,” Hartman, now Best Buy’s chief risk officer and general counsel, told Compliance Week.

The answer was an ineffective governance structure. It was critical, in Hartman’s mind, to have a standalone, full-time chief compliance and risk officer who sat separately from the general counsel, and to dedicate the functions under that authority to the company’s second line of defense.

Small and tucked within legal, Best Buy’s compliance function at the time lacked broader visibility to other risks the company was facing. In studying the Wells Fargo crisis, Hartman recognized the hazards of this blind spot—as well as an organizational structure that hampered compliance officers from being heard at the senior levels of the business.

As then-CCO, Hartman managed the company’s ethics line and compliance capability, but his identity as a compliance officer was subsumed in his role as a legal officer. It was a subordinate function, at times, to other legal needs of the company, he said.

In 2016, building compliance as a separate pillar of governance from legal was a relatively novel concept outside of regulated industries like finance and pharmaceuticals, though it has grown more common since. Establishing buy-in with senior leaders was tough, especially with the general counsel, Hartman admitted, because it involved stepping back from certain business legal functions and taking on new risk functions.

“I think it can be challenging for a legal department or a general counsel to think that compliance risk should be managed and overseen by a group other than the legal department,” he said. “I had to be able to demonstrate that we believed in the thesis of an independent function by being willing to move out of my comfort zone and do this.”

Hartman became chief risk and compliance officer for Best Buy in 2017. Two years later, he moved on to become chief risk officer and general counsel. The enterprise risk and compliance function now reports to him.

A major benefit of Best Buy’s revamp has been the creation of a compliance approach to training policies and communications that looks over the entire portfolio of compliance risks, from environmental to product safety to employee safety to advertising.

“If somebody asks, ‘How many resources do you have dedicated to training and communications within your team?’ I’ve got far more than probably the average compliance capability because I’ve pulled together all the ones from those separate independent compliance programs,” said Hartman.

Further, the balance of different compliance risks is something that needs to be calibrated, he explained. A consolidated enterprise risk and compliance function offers a view to the full breadth of risks, enabling the company to optimize the allocation of resources across them.

“You need to be able to quantify compliance risks within the overall context of the business risks of the organization in order for the board to know how to react, because if you have your board overreacting to a compliance risk, that can be almost as problematic,” Hartman said.

Despite initial frictions stemming from the separation of duties between legal and risk and compliance, the long view on the restructure has been positive.

“If I were to sit down with a room of other general counsel, which I recently did, most of them would now agree that the independence of the chief compliance officer [and that] function, separate and apart from the legal department and from the general counsel, is pretty critical,” he said. “So, we [at Best Buy] feel our initial thesis has been validated.”