United States: Podcast: Common Risks And Challenges In Running A Global Ethics & Compliance Program

As global regulations proliferate and become more complex, so too do the challenges of maintaining a high-performing global ethics & compliance program. While no two days are alike for compliance officers, they do face some common risks and challenges. In this podcast, Ropes & Gray litigation & enforcement partner Ryan Rohlfsen is joined by Glenn Leon, Senior Vice President, Deputy General Counsel and Chief Ethics & Compliance Officer with Hewlett Packard Enterprise, to discuss best practices for mitigating risks and meeting global expectations. The podcast covers:

  • Striking the right balance between in-house and outside counsel
  • Using data analytics to help manage your compliance program
  • Practical ways of fostering a positive ethical tone at all levels of the organization
  • Managing and mitigating third-party risk
  • Staying current with regulatory and enforcement trends around the globe


Ryan Rohlfsen: Good afternoon. This is Ryan Rohlfsen, a partner with Ropes & Gray in the litigation & enforcement practice group. I'm here with Glenn Leon, senior vice president, deputy general counsel and chief ethics & compliance officer with Hewlett Packard Enterprise. We're talking today about common risks, challenges and opportunities in running a global ethics and compliance program. Thanks again, Glenn, for taking a few minutes to chat with us today. What does a typical day look like for you in running Hewlett Packard's global ethics and compliance program?

Glenn Leon: Well, it's fair to say that there is no typical day – probably all of us could say that about our respective jobs. My team handles the core workstreams we have are investigations, our most serious ethics investigations. We have a separate anti-corruption program. We have a global trade team. We have a privacy team. We also spend a lot of time with policies, training, running our mailbox and our open door policy. And then we also have a separate, what we call, a SER program, a social and environmental responsibility program. At a high level, that's what my team does. I would say I spend certainly the majority of my time focusing on anti-corruption issues and investigations, and less so perhaps on a day-to-day level on some of the other issues.

Ryan Rohlfsen: So Glenn, where would you say you're spending a majority of your time and resources right now in terms of mitigating risks for the company? And how are you tackling it?

Glenn Leon: A few areas. We are spending a lot of time on training. We're actually in the process right now of reviewing our SBC, our standards of business conduct – it's a very good product. It hasn't been revised in five years and we're making it better. We're making it more targeted to our particular areas of risk. We're making it more readable. We're making it more interactive. So training, communications is a big priority of ours. Anti-corruption, FCPA is a big area of risk, so we do spend a lot of time auditing our anti-corruption programs, auditing our partners as appropriate, making sure that the various systems that we have in place in-house can improve. We're always looking for areas to improve in our anti-corruption space – that's another big area.

Ryan Rohlfsen: Do you see any regulatory or enforcement trends, whether in the U.S. or abroad, that will be particularly in the forefront in the next year or two that not only HPE is focusing in on, but you think it's your understanding or impression, that other multinationals are looking to very closely?

Glenn Leon: Yes. Well, picking with the GDPR, that's important to all multinationals. I think there's going to be an interesting tension, if there isn't already, between the push that the GDPR is imposing on a lot of multinationals to be more sensitive to privacy issues and putting that against the threat coming in the cyberspace. So I think we have a potentially interesting tension where we're going to have more and more efforts needed, from a law enforcement perspective, to really fight cybercrime and issues that many multinationals face as an existential threat to their companies if they really have a real serious cyber threat, and weighing that against the GDPR and the push, particularly from the European community to respect individual privacy laws of individuals. That's a trend, I think, that we're kind of experiencing now and it's going to increase, so that's certainly one. And again, staying with anti-corruption, certainly the DOJ and SEC have been leaders in this space, but certainly we are seeing more and more and more countries taking anti-corruption prosecutions and investigations very seriously. And that's really now a true multinational and global enforcement trend throughout the world – it's only increasing.

Ryan Rohlfsen: One thing we could talk a little bit about, given what HPE does in terms of big data and managing, you know, enterprise-wide data, are there any tools or trends that you're seeing, whether it's now or coming online in the future, of trying to use data and data analytics to help you in your job in managing, you know, a really large global ethics and compliance program?

Glenn Leon: So that's a good question. We've identified three really big areas of risk that we do cover from an investigation standpoint, the kind of issues that I report up to the audit committee, for example – anti-corruption being one. The other two: one is off-book funds and the other is revenue recognition misconduct. And anything in the off-book fund or rev rec space is of particular interest to us – we pay particular attention and we take those allegations very seriously. Off-book funds and rev rec in particular, we believe that there are opportunities to do some better detection through data analytics. So for example, revenue recognition misconduct is basically improperly stuffing the channel, getting in your numbers at the end of a quarter through site agreements or other improper means to make your numbers for the quarter. At its high level, that's what it is. So we're partnering right now with our internal audit team to look at trends and to see well, maybe there are certain things, certain red flags that pop the last few weeks of any quarter that might be things that we can observe and measure and then use from a data analytics standpoint to catch things going forward. So that's one thing we're working on right now.

Ryan Rohlfsen: A key thing that everyone focuses on with a global ethics and compliance program is the concept of tone at the top. How is it that you address fostering a positive ethical tone at the top as well as tone at the middle, at the company?

Glenn Leon: So yes, tone at the top – a lot of lip service is given to it, it is very important. I'm proud in saying that we do have a strong tone at the top. I think we have that in several ways. One is we had a big FCPA settlement and that gets a lot of people's attention. And frankly, you know, I think we took advantage and made the most of a bad situation, so I can truly say we have the buy-in of the people who really run the company, so that's kind of point one. Point two is we have various measures that are in place where we get engagement with the business, not just legal but business, HR, finance, and legal. So we have in addition to regular contact with the audit committee, we have a separate ethics and compliance committee – that's a separate committee that I chair. It has many members of the executive committee, many members who report, business leaders who report to the CEO. And I meet with them once a quarter and I talk to them about trends, issues, key investigations, remedial efforts, things like that. That's another way to keep engagement tone at the top. We have other systems in place where we have very regular contact with key business leaders to let them know about issues, trends that we're seeing. So that's not just tone at the top, but then to your other part of your question, tone at the middle. I've got two calls, for example, scheduled next week with a group of people who we call liaisons. Those are people who are more senior level middle managers who are particular leaders in the regions in particular countries. And we're going to sit with them, two different calls for an hour each, and talk to them about investigations we're engaged with, remedial efforts, trends, positive and negative, and getting direct engagement with them. Another thing I'm going to be doing, I'm going to be flying around the back end of this year with several leaders of mine, my other directs, to go and do face-to-face training. Go to countries, go engage with business leaders really at that more middle manager level to let them know what we're seeing, want to hear what they're seeing, and have very frank conversations. And those are just some examples I have when we've engaged at the tone at the top as well as tone at the middle.

Ryan Rohlfsen: Are there any practical things that you've found, whether it's, you mentioned, for example, talking to, you know, senior middle management in terms of trying to foster a positive tone at the middle. Are there other things that you've found particularly successful in fostering that tone at the middle?

Glenn Leon: Yes. It's a good question. I would say we are doing a few things in that space. One of the things we've heard other companies doing and we're doing it, and we're getting some good engagement on this, is sharing kind of ripped from the headlines. So we are taking actual investigations where we've seen misconduct and sanitizing the fact patterns, so we're not outing a particular team or a particular person – but making it clear this happened at our company, this is wrong, this is why it's wrong, these people got fired or these people got sanctioned, this is what we've done to fix it. We're getting buy-in and a lot of positive reactions from the business who actually likes that. And the last thing I'd say on that is we will send out those communications not from me as the head of ethics compliance – we'll ask business leaders to actually send out those communications. We have found that it is more effective, more impactful and frankly those communications are read more carefully if a message like that is being sent by the guy or woman who signs their paycheck, who is responsible for their bonus and their review, rather than some guy like me in Washington who's the ethics guy. It sends a good tone at the middle where it's the manager, the business leader who's sending that ethics message rather than me.

Ryan Rohlfsen: We talked a little bit about training and how important that is to your program. Obviously, when you're thinking about a global ethics and compliance program, you're talking about a lot of different laws, a lot of complex issues, whether it's privacy, anti-corruption, accounting treatment, revenue recognition, a whole host of cybersecurity, a whole host of issues that could have not only a variety of different laws in the United States, but also multiply that by the number of countries you're operating in. How is it you're able to effectively communicate those complex, sometimes contradictory, laws and concepts to a broad group of employees around the world?

Glenn Leon: So, and not every company does it this way – the way we do it is as follows. We have very little mandatory training. To my knowledge, we only have two trainings for the whole company that are mandatory, required, every employee from the most senior to the most junior, and including board members, have to take. One is SBC, the standards of business conduct, our code of ethics – every employee has to take that once a year. And the other is cybersecurity, cyber training. There is a lot of other training at the company and that is targeted for particular teams. So the public sector team has to take separate public sector training. People who do particular work in the global trade space may have to take particular global trade training and on and on and on. But the only required training we have is our SBC annually and our cyber training. And when you look at our SBC training, our code, once a year, we have boiled that down to about an hour. One thing we've done in the last couple of years which, I think, has been a nice move is instead of having one training that everyone has to take that frankly used to be, like, an hour and a half, now we've boiled it down to three different modules. Depending on the kind of employee profile you have, if you are more back office, finance, you may have a training that focuses more on books and records and financial issues. If you have more of a job that's more sales and external facing, you may have more of a training that has a higher emphasis on the FCPA. Everyone takes the main areas, but we will modulate a bit to your particular profile. But we take the approach that if it's an employee's time, it's valuable. We're not bombarding them with a ton of required mandatory training. And in terms of the mandatory training, we try to make it very risk-based. We try to focus it on what is the kind of risk that this particular employee is most likely going to face? Trying to target it to that employee's profile and making the mandatory training pretty specific and targeted. Having said that, we have a lot of other training that, again, is situational, is regional – it's run more by country counsel, local counsel with support from ECO, my team, but it really is much more situational.

Ryan Rohlfsen: Do you ever train your third-party business partners?

Glenn Leon: We do. It's a good question. We do. We require all of our partners, and we have a lot of partners, to certify that they're familiar, have read, and certify that they're familiar with our partner code of conduct. We require that certification to be renewed on a fairly regular basis. And then when we see issues through an audit or in other areas, we will require training.

Ryan Rohlfsen: So, I mean, to state it somewhat obviously, I mean, one of the biggest risks for every company in the world is third-party engagement. That's obviously the risk that you see in virtually every enforcement action under the FCPA as well as several other laws. What is the most powerful tool that you have available, or that you believe is most successful, in terms of managing and mitigating third-party risk for the company?

Glenn Leon: Well, couple things. One is we can always fire them and get rid of them, and they know that and we do that. We try not to – that's a last resort, but we certainly do that. And frankly, the more we do that, even if it's the exception, not the rule, the more other partners see that and that drives behavior. We also have audit rights, and we do that and we're doing more of that, and that certainly drives behavior as well. Partners don't want to be audited. Frankly, a lot of our internal members of the business don't want the partners to be audited, but we do it and we hold them to it. But the other thing is obviously on the front end, we do have a very, very rigorous due diligence process on the front end. My anti-corruption team actually gets quite engaged pretty early on if there are any real red flags and then we will look under the hood even further. To your point, that's where a lot of the mischief is, whether it's with FCPA, off-book funds, you know, and you've got to make sure that you hold partners to a high standard.

Ryan Rohlfsen: About how many business partners does HPE have?

Glenn Leon: HPE has conservatively well over 10,000 partners. When you include partners tier-one, tier-two, systems integrators, consultants, and if you loop everyone in, well over 10,000.

Ryan Rohlfsen: And are all those parties run through some level of diligence?

Glenn Leon: Absolutely. Yes, everyone.

Ryan Rohlfsen: And how do you draw the line, practically speaking, between those that get, let's call it, like, a basic diligence versus enhanced diligence versus extra-enhanced diligence?

Glenn Leon: Yes. So we do that in a couple of ways. One is obviously, tier-one, the people that we are directly engaged with are going to get more scrutiny than a second- or third-level partner. Doesn't mean that tier-two and three don't get scrutiny, but the ones we directly engaged with certainly get more. The other is we do have on top of our due diligence of our partners, we have other anti-corruption programs that overlay on top of that. So for example, any public sector deal in particular countries, particular high-risk countries over a certain amount of money, gets scrutinized by my team, or they don't happen. So that's one example of a few examples where we have additional checks on particular high-risk deals. So that's another example of where a deal would be scrutinized and the partners would be scrutinized as well.

Ryan Rohlfsen: So what's next for HPE's program?

Glenn Leon: Good question, Ryan. So what's next for our program? Just picking up on what I was saying earlier, the way a good program or a very good program, I think we have, stays very good and gets better is you've always got to be evaluating, you've always got to be changing. And again, using the example I gave earlier with our FCPA program, we had a world-class FCPA program four years ago because we had to because we were entering into this big settlement with the DOJ and SEC. And I have every confidence that our program today four years later is better than it was then – and the only reason for that is we've hired more good people, we've stayed on top of trends, we've engaged with good outside counsel, and we're auditing and we're trying to continually improve. We've not just done that with the FCPA, but we've done that with the GDPR with some of the things we've just talked about this afternoon – training, compliance. We haven't even really talked about our SER, our social environmental responsibility program, but we're doing a lot of things in the human rights space, supply chain ethics, what have you. So I'm confident – in this role, I've been here three years, I can say with confidence I inherited a strong team, which I was lucky to do, but it has gotten better. So the future is just continuing to improve and figure out other places we can continue to improve.

Ryan Rohlfsen: Thank you again, Glenn, for taking the time to chat with us today. And thanks everyone for listening. Please tune in to our other podcasts on topics related to international risk mitigation and management. You can find them on our website at www.ropesgray.com. And of course, if we can help you navigate any of these challenges, please don't hesitate to get in touch. Thank you.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
