With regulators expecting more from compliance programs – such as sophisticated data analytics and heightened ESG standards – the role of the compliance officer continues to increase in complexity. As the chief compliance officer and assistant general counsel at General Motors, Michael Ortwein is on the front lines. He shared his insights on top-of-mind issues with the Anti-Corruption Report in advance of his participation in this fall’s ACI FCPA Conference.
See “How Lawyers Can Leverage the Shifting Environment to Enhance Compliance Programs” (Aug. 17, 2022).
ACR: Can you tell us how your role is structured at GM and where you fit within the company?
Ortwein: It is probably structured in a way that many in the compliance industry are familiar with for a chief compliance officer in charge of compliance activities globally. I report directly to the general counsel.
My team is in legal, and then I have an indirect reporting relationship into the audit committee to ensure independence and oversight of the program.
We have a global team of lawyers and non-lawyer compliance professionals on the team. Many are based in Detroit, but we have others who are sprinkled throughout our key markets across the globe.
In terms of compliance program pillars or elements, as you would expect of any large multinational corporation, we have oversight of our corporate hotline and investigations, training and compliance communications, anti-corruption and anti-bribery program, as well as other substantive key risk areas, including third-party due diligence protocols and processes.
Most recently, and we’ll talk a little bit about this, we added a compliance assurance function, which is our center of excellence around managing our proactive compliance activities. And then our North Star from a compliance perspective is our code of conduct, which we aptly call “winning with integrity.” And we develop and manage our code while working with other subject-matter experts from various areas.[See “Corporate Compliance and Enforcement Hot Topics With IBM VP Una Dean” (Jul. 20, 2022).]
The Data Analytics Journey
ACR: We know that data analytics is a crucial part of the program and it’s a crucial part of the program in the eyes of the regulators. We have written in the ACR about diverse approaches different companies have taken to incorporating data analytics in their compliance program. Can you share the approach that GM has taken with data analytics in its program?
Ortwein: Those articles are always very helpful because it’s important to learn from other peers and other industry counterparts.
One thing that I am really struck by as I think about data analytics is that the entire industry is on a journey. Every company is at a different level of maturity. There is no one-size-fits-all approach – there is no off-the-shelf solution you can take out of a box and easily integrate into your company. It is always helpful to learn what’s working and what is not working from others.
As a baseline principle, we obviously try to keep abreast of everything that we are seeing and hearing that is coming out of the enforcement agencies about data use and then obviously take from that what we need to be doing as a compliance function. Everything is framed around the vantage point of taking a risk-based approach and then looking for ways to continuously improve. Obviously, those are buzzwords that are commonly understood and applied in the industry.
We look to leverage our own internal compliance team capabilities, but we also look to leverage others outside of our core team in the organization, whether on legal staff or in the business, and learn from their data analytics capabilities as well.
I mentioned that we recently started a compliance assurance program – a function within our compliance team that is focused on trying to proactively detect policy and legal violations. We are trying to get our hands around business data in a number of different ways. Enterprise-wide financial data is another area of important focus as we go about what we are trying to do.[See “How Combining Approaches to Data Analytics Can Yield Powerful Insights” (Mar. 16, 2022).]
ACR: Sometimes lawyers don’t love math and data, so we must learn to dig into the numbers. What are the challenges that you faced when trying to get this program started and just, in general, challenges that come with trying to use data analytics for compliance?
Ortwein: Obviously, there are a number of challenges that are common across any organization or industry that’s trying to become more conversant and apply data analytics in its compliance function. I think I’ll start with the point that you just made, and I think you need to identify the right talent and expertise. It is important to find somebody on the team who can understand data and not be afraid of using it, as well as identify cross-functional experts or stakeholders in the company and get their expertise as well.
In addition, it’s important, at the outset, to try to obtain some high-level commitment across the organization, not just within compliance or legal, but across the enterprise because, in some instances, using business data is a foreign idea.
There is also always a danger of chasing the shiny objects – looking for needles in haystacks and quickly getting overwhelmed. At the beginning, having a starting point and knowing what you are trying to accomplish can help keep focus and avert feeling rudderless.[See “Compliance Checklist for AI and Machine Learning” (Feb. 2, 2022).]
ACR: The DOJ has appointed a new person, Matt Galvin formerly of AB InBev, who we’ve interviewed in our publication before, as an in-house data analytics expert. We know he’s been a long-time champion of data analytics for compliance. What do you think this means for companies now trying to defend their programs with this new in-house expert at the DOJ?
Ortwein: I view it as a positive when we see regulators continuing to add talent with real considerable corporate compliance expertise. These are obviously folks who have had success in-house, which I think may bring heightened expectations, but they also have lived firsthand some of the challenges and obstacles that compliance professionals face in the day-to-day. I think, in that way, it is a positive.
It is also a positive in the sense that it is another way that compliance professionals can underscore the why – why it is that we need data analytics and why we need to do what we’re trying to do as compliance personnel using data and operationalizing it in our programs.
Making the business case when you see these sorts of additions to any regulatory agency is positive.[See “AB InBev’s C2CRIGHT Initiative: Can Companies Work Together to Prevent Corruption?” (Oct. 13, 2021).]
Culture Beyond the Office
ACR: You mentioned earlier the collaboration you need with other departments to get this going. And now, much of that collaboration is going to have to be virtual. I know that at GM, you have people who need to be on site and always were on site, but there is still lots of hybrid working, which is the new normal since the pandemic. How have you tried to maintain a strong compliance culture? Has hybrid working made that more difficult?
Ortwein: I think as an industry, as a compliance profession, we all had to grapple early in the pandemic with what the new work-from-home model would mean for speaking out, for reporting generally, for investigations, so on and so forth.
As we all settled into the new norm, which certainly includes much more hybrid work arrangements working from home among the corporate staff, we look just as others do, at what we need to be doing better or different from a compliance perspective. I don’t think that there are any unique challenges that we face, but we use it as an opportunity to deliberately increase our overall speak-up and non-retaliation campaign just to ensure everybody knows and understands their obligation to speak up and how to do so.
We used to have our hotline materials posted everywhere in our offices. Obviously, we still have that literature posted at the plants, but in the office space where many folks are still working remotely, they are just collecting dust. It is important that you double down on these “Speak Up” campaigns and messaging just to make sure that folks are really focused on it when they are in this remote status.[See “Opportunities for Anti-Corruption Compliance Enhancements While Working Remotely” (Apr. 15, 2020).]
ACR: Have you changed the way your training is structured now that people are together less?
Ortwein: I think we have always had some virtual or online training, so obviously that all remains the same.
It is always good to look at new and different ways to do things, whether that be leveraging IT solutions to be able to get the word out in different ways for folks who may just have their computer at home or their phone. A message on a lock screen, on a computer or a pop-up of some kind are all effective ways to spread the message when folks are not necessarily physically in the office and at their desk.
In general, it is good to step back and understand where employees are and how to most effectively reach them wherever they are.
Promoting Internal Reporting
ACR: On a related topic of internal reporting, you mentioned the hotline. We’ve lately seen more and more whistleblowers and enforcement of anti-retaliation laws. Do you have any practical tips or initiatives to promote internal reporting regardless of whether that environment is hybrid?
Ortwein: It’s a great question. It is critical to focus on people and while it is obviously always important to have tone from the top, research shows that empowering people leaders and middle managers to recognize when somebody is actually coming to them to voice a concern is also important. It’s not always explicit. It can sometimes be subtle. Middle managers and people leaders should be empowered and knowledgeable to recognize that and then making sure that they know what to do when they are told something that needs to be reported. And so arming people leaders is important.
We’ve recently developed a toolkit just for that very purpose, and I think it’s an effective way to give practical advice so that our people and managers know how to get information to the trained professionals so that it can be reviewed and properly remediated.
ACR: Is there anything you’ve learned about how best to deal with people who are reporting issues?
Ortwein: You know, I think broadly speaking, I think it’s critical that there be trust and an appropriate level of transparency in the investigations and reporting process itself. I think that if folks trust the reporting process and the investigations process, they’re more likely to report. I think it’s important to ensure that people who bring a concern through your hotline or otherwise are contacted at the outset to be advised that the concern is taken seriously and is being looked at and then at the end properly informed that things have been handled, because there’s a lot that often happens behind the scenes that people are just not aware of.
It is obviously critical to always emphasize your company has a non-retaliation policy and ensure that if there are instances where that policy is violated, that it’s being enforced and taken seriously.[See the ACR’s two-part series taking a fresh look at hotlines: “Responding to a Global Focus on Whistleblowers” (Sep. 1, 2020); and “Fostering a Speak-Up Culture and Leveraging Data” (Sep. 16, 2020).]
Compliance and ESG
ACR: Another hot topic in this area is ESG, which is certainly a focus of the SEC right now. It is a relatively new area, and there is some debate as to how much of this compliance officers should take on. What is your view of the CCO’s role in ensuring the company is satisfying the multiple stakeholders – regulators, investors, consumers and even employees – who care about this?
Ortwein: It is definitely a hot topic. It’s something that you read about almost daily in the headlines in the various industry forums. I think obviously there’s no one-size-fits-all approach in terms of what compliance’s role should be. It has to make sense for the particular company and particular industry.
One thing though that is pretty evident is that there are major synergies between corporate compliance programs and then just ESG sustainability initiatives, regardless of who owns it within a particular organization. ESG sustainability highlights a company’s values, identity and culture. And that’s what corporate compliance functions have been seeking to promote and protect even before ESG was really a thing or a hot topic.
Compliance can work very closely with the proper stakeholders within the organization to have a seat at the table. Compliance activities are already serving the ESG-related goals and objectives, whether that’s through the governance, whether it’s through due diligence in sourcing, supply chain handling of investigations and hotline tips, any type of anticorruption anti-bribery program. These are all helping to underscore the ESG initiatives.
The bottom line is whether compliance formally owns it or is just a seat at the table, business ethics has always been, I think, a top priority in the sustainability hierarchy, and that supports ESG initiatives.
Handling Scope Creep
ACR: Ethics significantly overlaps with compliance, so in some ways compliance is equipped to handle some of it. In the same vein, a lot gets piled on the compliance officers and in-house counsel. And I wanted to know your view about what some call “scope creep”: when there’s just more and more that compliance officers are being asked to do. Do you have any advice for those who want more opportunities but are wary of being overloaded and stretched too thin?
Ortwein: It is always something to be mindful of because you need to make sure that you can handle the day-to-day compliance tasks that the company obviously relies on you to do as a compliance professional to both protect or guard reputation, but also help enable the company to compliantly reach its objectives. It is a balancing test.
Most compliance functions now have a charter that lays out the key areas that they are charged with handling. And I think if things get to the point where it’s too much, a charter or something that clearly lays things out can be a good way to make sure that you have some protection from the scope creep.
But on the other hand, it’s important for compliance professionals to understand the business, understand operationally what’s happening and get involved in areas, whether it’s through cross-functional projects or other ways that allow them to see the business in a different way. While it is a balancing test, there are a lot of upsides with these additional opportunities that in some ways can outweigh the risk of overload if the overload is temporary and not some permanent long duration.
I do think that getting involved in other things can help you do your compliance job sometimes more ably or effectively.[See “Managing Compliance Scope Creep” (Jan. 19, 2022).]