ComplianceOnline Interview with David W Huber: Practical Lessons for CFOs - Doing What is Right and More.

Our guest today is a Senior Finance Leader with over 23 years of experience in providing CFO services to small, medium and large organizations.

His philosophy is around building a healthy culture that is committed to doing what is right, irrespective of whether or not it is also easy.

Currently, he is Vice President at Marsh and McLennan Companies where he is responsible for better service to shareholders and ensuring compliance in an ever-changing regulatory environment.

Now let's get a scoop on CFO Best Practices...

David Huber.

  1. As part of your role as a CFO, we understand that you are required to ensure compliance in an ever-changing regulatory landscape. What are some of the challenges you face in managing regulatory compliance?
  2. The biggest challenges I see in managing regulatory compliance are: detecting risks, anticipating future threats and the risk of ethical misconduct. The regulatory environment is rapidly evolving which increases the vulnerability of most organizations to compliance risk. The risk of ethical misconduct by an employee is what keeps me up at night.

  3. How has the role of a CFO shifted when it comes to managing regulatory change, driving growth, and investment decisions?
  4. At one time the traditional stereotypical view of the CFO was that of a "bean counter" who quotes rules from a handbook and was hidden in the back room to avoid contact with others. The world has changed dramatically since then and the role of the CFO has evolved with it. Business is more competitive, technology is advancing at lightning speed and any ethical or compliance breakdowns can destroy a company. The CFO role has grown to include: driving sustainable growth, strategy formulation, and managing ethics and compliance in order to remain a going concern.

  5. How can a CFO master the complexity of financial reporting and compliance in today's continuously changing regulatory environment?
  6. It is a challenge to master the complexity of financial reporting and compliance. In my opinion a CFO must rely on: people to report any breach of compliance, processes to identify risks in order for you to deal with them and technology (where possible) to help you monitor the risks identified. The individuals with the day-to-day responsibilities for risk mitigation need to be properly empowered and resourced.

  7. How do you keep up with so many sweeping changes to compliance issues? What do you see as the roadmap for Governance, Risk, and Compliance in your organization and where do you see investments coming for companies like yours in the future?
  8. It is important to build a framework and methodology because the compliance risks facing an organization are typically very complex; an organization should adopt a framework and methodology to assess compliance risks. A framework will discuss an organization's compliance environment while the methodology will adopt both objective and subjective ways to assess risks. Once you have a framework and methodology in place it is important to periodically perform a risk assessment and to follow up with the results.
    I would expect the framework and methodology to evolve over time as the compliance environment and threats are constantly changing.

  9. What are your recommendations to finance professionals who want to build a career like yours, what are the best practices to adopt, where should they start, what should they practice?
  10. Adopt a framework of ethical practices in your life. Always show integrity in all your actions and dealings. Work hard and listen to your managers.

  11. Can you shed some light on how you manage your compliance program or a company like yours can manage their compliance program? What are the core aspects or best practices of your compliance program?
  12. The core aspect of any successful ethics and compliance program is the board & senior management and their commitment to protect their shareholders' investment from financial loss. An ethics and compliance culture must permeate the entire company and start at the top. Deviations in integrity at the top are the fastest way to poison the culture of any organization and set back any compliance program.
    Having the board and senior management on board is the first step and from there you need to create a framework and methodology to assess risks, perform periodic risk assessments on an enterprise level and continually test and monitor the results. Desired behaviors must be reinforced and undesired behaviors corrected.

  13. What are some risks of non-compliance with upcoming changes regarding lease accounting, revenue recognition, and SEC requirements?
  14. Risk of non-compliance includes not meeting financial reporting deadlines with the threat of delisting from the stock exchange. This can also involve personal risks for the directors and officers of a company as the US Federal Sentencing Guidelines (Nov 2013) call for significant penalties for not developing effective compliance risk mitigation programs and safeguards to protect against corruption and fraud.

  15. What compliance gaps have you helped resolve recently?
  16. Sorry, I cannot discuss specific items. But I can say that compliance risk mitigation programs must be continuously monitored and evaluated.

  17. How have you enabled the first line of defense and instilled a culture of compliance in the organization?
  18. The first line of defense for any successful program is always your employees. They will be the first to encounter ethical or non-compliant situations. How they react to these situations will be dependent on the organization's "Tone at the Top", employee training and the employees themselves.

  19. What, according to you, are the top five opportunities for organizations to enhance their GRC program and improve their efficiency and effectiveness?
  20. The top items that I would consider to enhance their GRC program include:

    • Gather input from a cross-functional team. It is the managers on the floor that truly understand the business risks. Any methodology that is created in a vacuum by senior management will struggle.
    • Establish clear risk ownership of specific risks and establish the corresponding authority to mitigate and manage these risks.
    • Don't be scared to use external experts to help. When I was trying to assess risk for a South American subsidiary, I didn't hesitate to use an expert and found their advice very useful.
    • Repeat the risk assessment periodically and keep in mind the framework and methodology are living documents that are expected to evolve.

Thanks for joining me. It's been very enlightening. Your responses are extremely valuable.