What’s Next: The Bulletproof Interview - CA’s Ken Handal on Governance, Risk, Compliance, and Boards in the “New Economy”

Each Monday, Bulletproof Blog now features exclusive interviews with thought leaders on issues of critical importance to companies and countries. This week, we interviewed Ken Handal, the Executive Vice President for Global Risk & Compliance and the Corporate Secretary at CA - one of the world's largest IT management software providers. Prior to joining CA, Ken was Associate General Counsel and served as Compliance Counsel for Altria, then the parent company of Kraft Foods and Philip Morris.
A leading authority on corporate governance and how it will change in the "new economy," Mr. Handal shared his insights with Bulletproof:
Ken Handal: The last several years since the last financial meltdown have seen a greater emphasis on compliance, corporate governance, and enterprise risk management. As the saying goes, "Out of great crises come great reforms." It is in tough economic times like these that we need to be particularly attentive to compliance and governance matters.
For organizations to be strong, they need to have a strong culture of compliance and ethics. That culture takes time to develop, and we cannot afford to spare any time or resources in that regard. It is that culture of compliance that is the starting point for a healthy, competitive company.
What aspects of corporate governance need to change for companies, given the current economic situation?
Ken Handal: Companies that didn't do so before need to integrate their governance, compliance, and risk functions (GRC) into their daily operations. Support for these functions should not be pushed off to the side as a necessary routine, but rather must come from the top of the company. "Tone at the top" should not be an empty phrase. Our CEOs, top executives, and board members need to embrace compliance, good governance, and enterprise risk management.
I add risk in there because a good risk program is important to an effective governance strategy. There is no substitute for being able to effectively anticipate issues coming up in the future and plan to mitigate their impact. We have all heard the stories about how the risks people ignored were a primary driver of the current financial crisis. If we are to recover, then risk management needs to take on added significance in real-time decision-making.
What should a company's oversight and management look like in the "new economy?"
Ken Handal: At my company, CA, as we have gotten our GRC program up and running, the CA Board of Directors implemented two structures that I think have benefited us greatly.
First, we set up an independent organization called Global Risk & Compliance, which contains all of the groups that contribute to good governance and compliance: Business Practices and Compliance, Enterprise Risk Management, Corporate Secretary (board governance), Internal Audit, Internal Controls (SOX), and Global Security (including crisis management).
Second, about a year ago, the CA Board instituted the Compliance and Risk Committee of the Board to oversee the GRC functions. This was done because the Board considered those functions to be absolutely vital to the company and its future. The lesson is that the Board needs to be involved with management in these efforts. Another important aspect at CA is that under this structure, as head of Global Risk & Compliance, I report to the Board of Directors, as well as the CEO. In addition, the Chief Risk Officer and the Chief Compliance Officer have also had dual reporting responsibilities to the Board and to me, while the head of Internal Audit has reported both to the Audit Committee and to me.
This independence has, I think, been very important for the company.
What's next with respect to corporate governance? What proactive actions should a company take in order to protect and enhance the corporate reputation?
Ken Handal: I have always believed the mantra: Good compliance is good business. I would point to three actions that can help to protect and enhance a company's reputation. Of course, these are only three of many.
First, the governance, risk, and compliance functions need to be present at the creation of corporate policy and strategy. The GRC team needs to work closely with the operating units of the company to understand their objectives and their key dependencies and risks as they embark on executing their strategies. What's more, the effort needs to cut across the entire enterprise and be done on a cross-functional basis, rather than in silos. Human resources, information technology, legal, and finance need to be involved, and transactions need to be evaluated before execution if risk is to be effectively mitigated.
Second, for a compliance program to be effective, the company needs to be sure that employees have available to them open communications processes to register their compliance and ethics concerns - and employees need to feel confident that those concerns will be properly investigated and dealt with. These processes should include a hotline, a webline, and open access to their managers (as well as the legal team and human resources). With these channels, senior management and the board can gain valuable insights about what is going on in the company. And by watching for trends, they can prevent major problems in the future.
Third, companies should proactively develop crisis management programs for physical, reputational, and financial risks. Cross-functional crisis management teams should be set up in every important location to deal with the substantial risks that are identified - and then those teams should be coordinated and trained to deal with the eventualities. Again, both senior management and the board need to be fully engaged in this significant area.



