Want to imagine a challenging compliance job? Consider the role of Kami Niebank, CalPERS’ interim chief compliance officer. In that position, she oversees the compliance function at the largest public pension fund in the United States, one with roughly $300 billion in assets under management and nearly 3,000 employees.

Not daunting enough? Factor in an ambitious five-year compliance plan that will alternately refine and overhaul CalPERS’ entire compliance regime. That project is now winding down its inaugural year.

We’ll back up a bit, however, before getting to that complex project. In Niebank’s own words, she “took a really circuitous route to compliance.”

“I never really thought of myself as a compliance person or a compliance expert by any means,” Niebank says, describing a career path that elevated her to deputy chief compliance officer and interim head. Prior to CalPERS, she worked in the financial services industry and thinks of herself as “more an operations person” with an eye for strategy and a reputation as “a good solid manager.” At her current firm, over the years, she has held a number of leadership roles, including running its Strategic Planning Group and having a key role in change management efforts.

About Kami Niebank

Title: Deputy Chief Compliance Officer, Interim Chief Compliance Officer, CalPERS

Years of experience: 7

Areas of expertise: Program management, government, strategic planning

Quote: “I don’t know if I am always the most popular or most liked, but I do think I am respected for knowing the organization and for helping it achieve its goals and objectives. It is a bit like parenting. You try to pick your battles and figure out how you can help them achieve what they need to and always try to look for that win-win so that you are not that nagging compliance officer but a collaborative facilitator.”

What brought everything together was, in 2008, amid the throes of the financial crisis, joining CalPERS’ Investment Office. “We put together a really comprehensive plan to build out and change our internal control processes,” Niebank explains. “We looked at our relationships with internal managers to make sure there were strict ethical standards in how we approached everything. It was a really good balance of building out operations and ethics and driving a lot of change.”

Those lauded efforts led the CEO and CFO to approach Niebank with a new mission: to assess CalPERS’ overall compliance effectiveness and determine if there were opportunities to strengthen its overall compliance program. “It was the right timing, because we had our compliance program in place for about 10 years,” she says. “There are a lot of changes going on in the industry and with financial services and the role of compliance. The industry is beefing up compliance’s role and addressing what that means for organizations. It is no longer this separate entity that sits over in the corner, but something that is really everyone’s responsibility. We also had some leadership changes, so it really made sense to come back to the enterprise level and really assess our compliance program.”

Niebank’s approach, rather than parachute willy-nilly into various operations, was to develop a coordinated five-year plan with clear-cut, strategically developed timelines and objectives. “Looking at what we had done in the Investment Office, and my experience with driving change, we knew we needed to put together a multiyear plan,” she says. “There are some improvements we could maybe do that would be short-term, quick wins, but also much more systemic and long-term things we needed to lay the foundation for, and over time continue to mature them. We didn’t want it to be flavor-of-the-day, move on, and not have it stick. We wanted to build long-term, sustainable momentum for the organization to really think differently about how we approach compliance.”

Initial steps included garnering all-important buy-in at the senior leadership level and from the board of directors. An advisory body was convened to ensure that assessments weren’t conducted in an informational vacuum. Counsel was sought from both middle managers and senior executives at major business operations. “Once we then had a solid enough plan, using their feedback and what made sense, the plan was presented internally to our CEO and entire executive team,” Niebank says. “We also took it to the board and its risk and audit committee.”

The approach in what Niebank calls “Year Zero” was that rather than telling people what they needed to do, she tried to make it about what the organization’s operations really saw that they needed, with a focus on how to make them feel a part of the plan, sharing ownership and accountability. “Sometimes there will be a group audit and what happens is that management gets in a very defensive position,” she says. “With compliance and what we are doing it’s more like: ‘You guys know where all the landmines are; you know where the issues are. Let us help you and give you tools you need to fix those things and solve your problems. We are here to be like an internal consultant or advisor to you, so that by the time audits come around you have a clean slate.’ It was a bit of a paradigm shift, but management has really started embracing the concept.”

The first year entailed laying the foundation for long-term success, focusing on roles and responsibilities, hiring fresh compliance talent, and working with other control partners to figure out how they can best work together. A key objective: being a better business partner with audit and risk management.

“We are very pragmatic with the plan,” Niebank says. “Because it is very complex and comprehensive, we are trying to make it very simple for the organization by focusing on smaller, tangible wins. For example, we didn’t have good standardized policy templates and processes, so that was something very tangible that we could put out there.” There was also a focus on mandated filings and training, making management a part of ensuring they were completed and communicating the importance. A lot of effort was put into improving communications and education, with CalPERS’ internal social media site being updated with a compliance page offering weekly communications, occasional questionnaires, and articles of interest.

“If somebody isn’t necessarily compliant in a process, we step back and ask what we can do differently,” Niebank says. “Are we not communicating effectively? Do our processes not work? How can we improve things? All these small, incremental things add up to building a culture of compliance.”

Initially focusing on tangible wins and easing organizational pain points helped keep the plan from becoming an exercise in—to use a compliance cliché—boiling the ocean. Relationship building, and developing trust and credibility with Niebank’s peers was important “so that when we needed to do some of the longer, more strategic items they would have confidence and trust in our abilities.”

“I don’t know if I am always the most popular or most liked, but I do think I am respected for knowing the organization and for helping it achieve its goals and objectives,” she says. “It is a bit like parenting. You try to pick your battles and figure out how you can help them achieve what they need to, and always try to look for that win-win, so that you are not that nagging compliance officer, but a collaborative facilitator. For us, a focus on roles and responsibilities was one of the key things even if that is very intangible in a lot of ways. We put together a group we are calling our Integrated Assurance Partners and a compliance and risk team with main business partners that we are rolling out compliance programs and working through with them. ‘Here is what we have on our plate in terms of priorities, here is what we need from you, and is that going to work with your time frame?’ We weren’t just showing up and saying, ‘Here is the plan, good luck with it.’ It was really a partnership.”

The process does, at times, require establishing what is, and isn’t, negotiable. That is where executive buy-in helps separate mandated elements from matters where there is a more creative, flexible process in play.

One challenge, thus far, was the need to move away from standard compliance jargon, such as references to the U.S. Sentencing Guidelines, which many compliance objectives are mapped to, and various COSO frameworks. “Whenever we tried to communicate the Sentencing Guidelines’ seven elements of a successful compliance program there were blank stares,” Niebank says. “It didn’t resonate with our business partners. We had to take a step back. We restructured the plan to align with our business functions. We have an enterprise ethics group; a policy and delegation group; a compliance oversight and monitoring group; and communications and education reporting. We turned the whole plan on its head and aligned it in a way that made sense for our team and made more sense in how we communicated it out to our business partners.”

The plan also focuses on an “integrated assurance model” and making sure management understands and is accountable for their operations and internal controls in the context of the Three Lines of Defense. “They are responsible for complying with the rules and laws that apply to their organizations,” Niebank says. “We want to help them define what that means and get people on their team who can be day-to-day point people [acting as] a liaison with us, audit, and risk management.”

An ultimate goal over the course of the next five years is “continuous improvement.”

“Compliance is really about the culture and DNA of the organization, and CalPERS takes our responsibility to be fiduciaries and stewards very seriously,” Niebank says.

Her advice for others embarking on a compliance program redesign: “It is really important to have a plan and to engage your stakeholders. People will respond better if they know something is coming and can plan it into their day-to-day activities. Everyone’s time fills up with all the things they had planned to do and all the things that they hadn’t planned to do, so the more you can get on someone’s radar early to let them know what you are doing and why it is important, the better. Make the process very practical and pragmatic and make sure you are speaking operations’ and management’s language.”