Transcript: Marianne Fogarty podcast

Marianne Fogarty talks to GRIP about building and implementing programs designed to support business growth and innovation.

This is a transcript of a podcast featuring Marianne Fogarty, former CCO at Twitter, on building a compliance program in a conversation with GRIP’s US Content Manager Julie DiMauro on February 16, 2024.

[INTRO]

Julie DiMauro: Hello everyone, and welcome to a podcast offered by Global Relay Intelligence and Practice, or GRIP as we call it. I am Julie DiMauro, US Content Manager.

I want to extend a warm welcome to our guest, Marianne Fogarty, someone who has served as the Chief Compliance Officer at some sizable and well-known businesses.

Marianne, first of all, thank you so much for joining us. And can you please give us a few details about your background before we get started on a program that will actually include a more fulsome dive into your career?

Marianne Fogarty: Sure, Julie. Thank you very much for having me. And I’m excited to share what I can. I started out, most recently I was the Chief Compliance Officer at Twitter. I spent seven and a half years there building the compliance program from the ground up and building a program to suit Twitter’s very unique risk profile and needs. Prior to that, I was a Senior Managing Counsel at MasterCard and led the development and implementation of MasterCard’s global business ethics and anti-bribery and corruption programs. Before that, I had years of practice as a litigator and working on internal investigations at large law firms.

Julie DiMauro: Perfect. Thank you, Marianne. Now you’ve spent some time in your career building compliance programs from scratch. Can you walk us through a couple of those experiences in general terms before we wade into some specific details?

Marianne Fogarty: Sure. At Twitter, I was the very first compliance hire. And Twitter was already a public company. They had elements of a compliance program that the legal team largely had put in place to address specific risks. But I was the first person brought in to really create a program and to take some policies and give them life and ensure that they were implementable, effective, and really designed to and effectively mitigating the risks at which they were targeted.

So in any role I’ve gone into, when starting out, the first thing is to really try to understand the risk. I mean, it’s a form of risk assessment. You may not have a lot to work with, but it’s a starting point to try to understand what are the biggest risks, what are the most pressing ones, and what exists already that you can take advantage of to try to implement controls around them, or what do you need to build. And then working from there, creating usually a multi-year plan because everything can’t be done at once.

But really prioritizing to ensure that you are sure address some of the low-hanging fruit, which can help demonstrate that you’re doing something and that others across the organization can start seeing the impact of compliance quickly, but then also working on those longer-term projects that can take longer to build out.

Often, creating a new policy is not just writing a policy, but it requires a lot of cross-functional engagement and collaboration to work on change management, to bring others on board, make sure that the policy really fits the business and is really targeted at the needs of the company, and then getting feedback, tweaking it to ensure that it reflects the company and the company’s voice, that it’s relevant to employees, and then as you roll it out, communications and training, and then working on enforcement and bringing employees with you on that journey.

Julie DiMauro: Marianne, at Twitter, you were working within an organization that has a little bit of a foundation built in the legal department, like you said [Twitter had], but not a compliance program as we would know it at a lot of public companies with a compliance officer and a more formal compliance program. What was that like starting at such a ground level there?

Marianne Fogarty: There, honestly, it was amazing, which might sound unusual, but I had an incredibly supportive manager. Twitter was a company that when I joined, acted and operated in a lot of ways like a startup. A lot of people didn’t have larger or more corporate experience, and so for many, a compliance organization wasn’t necessarily a familiar concept.

There were a lot of functions that did compliance to ensure that parts of different kinds of work were being done, but a corporate compliance program focused on the broader corporate risks of things like ethics and anti-corruption and trade compliance just wasn’t well known. What was wonderful about that was I had the opportunity to introduce compliance in a way from the very beginning as a partner, as a support structure, as a guide that really made it both non-threatening and also people appreciated it as a value add. It was a wonderful experience to do it that way. At times it takes longer because there was a large educational component, but people are smart.

As you talk to them about, for example, when you’re introducing an anti-corruption program and gifts and hospitality policy, people might initially say, “Oh, you’re kidding me. I have to get pre-approval on this.” Then when you explain why, that one, it’s only at a certain level. This doesn’t apply to the vast majority of gifts and entertainment, but it applies only at a certain level. Then the real focus of it is to protect them.

It shows that it’s been considered, that everyone considers it to be a legitimate business expense so that if there are any questions about it, we have their back and we’re there at the forefront to defend it. It changes the tenor of it a little bit. Then people are like, “Oh, well, okay. That makes sense,” especially then if you were able to point to things where other companies might have had issues around that topic.

Julie DiMauro: Absolutely. With tech companies, there’s a lot of emphasis on cybersecurity. Explaining to people why there are so many rules, workarounds, and obligations and restrictions on their use, it sometimes can seem like a daily drag and a nuisance, but then you have to explain the why, the reputational damage that comes, the type of negative attention that you just don’t want paid to your product and your service. That everybody plays a role in this, that it’s not just the CISO’s obligation, but everybody has a role in the security of the firm. And getting to that, I want to talk to you about the collaboration that you talked about. Who was engaged? Who did you reach out to and how did they lend a hand?

Marianne Fogarty: At times I feel it’s easier to say who didn’t I reach out to, because my goal was really to embed compliance across the company, ensure that the values and that the goal of doing what’s best for the company to achieve the company’s goals was what it was all about. As people keep that in mind, a lot of compliance really comes naturally.

What a lot of that then comes down to is culture. I was lucky to work in companies with very, very strong culture where when there were issues it tended to be someone taking a shortcut or misstepping with the goal of doing something that they perceived would be best for the company that perhaps didn’t work out the way they intended. There was, it wasn’t an every man for himself or herself, a person for himself kind of issue. It really was people trying to do what was best for the company and either not being aware of a policy or the implications and potential ramifications of what they were doing. I have to admit, it’s a much easier environment in which to work.

It really shows how a strong culture makes compliance a natural partner, a natural component of daily work. You can show people, you’re already doing this. This isn’t, I’m not here to tell you what to do. You’re actually already doing this and I’m trying to help strengthen that. That’s what the compliance team across the board is trying to do.

We worked, information security was always a very close partner. Depending on the organization, the level of import of information security varies. That’s going to be the case with every business. The company’s risks and the core things that their users or customers value will be different for every company. That’s one thing that’s incredibly important about compliance is really tailoring what you’re doing, the risks that you’re focusing on to the risk profile of the company.

Information security was an extremely important partner from the very beginning. We worked closely in a number of ways, both to publish across the employee base and educate employees about the importance of information security and how to ensure that we were all protecting it to helping publish the policies and maintaining communications and then helping on the enforcement side as well, so that we could help enforce the policies and learn from investigations around enforcement to see whether there were gaps, if there were issues around knowledge, if there were process issues that we could address and use to help remediate the program to continue to strengthen the program and ensure its effectiveness over time.

Julie DiMauro: Terrific. Marianne, I’m sure people are wondering, and I myself just want to put a date range around your time at Twitter and when you left, if you can let us know.

Marianne Fogarty: Thank you. Yes. So first, I only worked at Twitter. I joined in August of 2015 and I left in November of 2022. I resigned, I think, November 9th or 10th of 2022.

Julie DiMauro: Got it. Okay. So you weren’t with X?

Marianne Fogarty: No, the company didn’t become X until sometime in 2023, but I left probably about two weeks after the company was taken private.

Julie DiMauro: Got it. Okay. Thank you for that. I want to ask you too about expectations of management. When you get hired to start up and build a compliance program from scratch, how do you show top executives that you’ve achieved the goals with the program that it’s capable of withstanding regulatory scrutiny?

Marianne Fogarty: That’s a great question. There are a number of ways. First, one of the things I tried to do early on was to at least introduce myself and what our goals were, but also some of the goals weren’t fixed until I had talked to them and I understood what their issues and what the risks associated with their roles were and how compliance could support them. And if there was a logical fit, that was something on which I could deliver that they would see firsthand, which was helpful in proving the value of compliance across the board.

But we also, I would provide an annual risk assessment to management and they would see as part of it what we included not only what the risks were, but then we would also talk about the compliance program, what it had done over the past year from the prior risk assessment to this one, what we had done, what we had achieved, we provided updates over the course of the year, and then we would provide the following year’s plan and we would have those very targeted and tied to the risks that were identified in the risk assessment.

Now, not everything identified in the risk assessment was a compliance risk. There are broader and a lot of things, there were risks to the company that compliance itself could not address. We would also work with those teams and follow up with those teams so that we were a little bit more of a regular presence to see and to work with them on ensuring that they were taking the steps to remediate risks for which they had primary responsibility and tracking that ensuring that was presented to management as well.

So it was a collaborative goal, building out essentially a broader risk management program, but really working collaboratively to identify those top risks, make sure that we had action plans stacked against them and that we were tracking them and trying to measure the effectiveness of them over time.

Julie DiMauro: Now, what were some of the roadblocks that you encountered in your work in crafting these compliance programs and how did you surmount them?

Marianne Fogarty: There are always challenges that programs are going to face. Some of them are going to come from competing objectives where compliance might want one thing, another team might be needed to help achieve those goals, but they have different goals.

So one of the things, there are a lot of it comes down to strategic planning and thinking well ahead of time of what you’re going to need and how this program is going to grow to really support the full breadth of the company’s business.

And as you’re doing that, you’re thinking about all the different players that are involved in achieving that goal and then working with them to bring them on board and get their buy-in and support so that when it comes time to developing the next year’s strategic plans, they’re building it in as well. So one of the things is really a lot of advanced work to get that buy-in and support for a goal and helping people understand that it is a mutually beneficial goal so that it hits other people’s roadmaps. So that’s a combination of resources and time that could be challenges.

One of the things that was also really important to learn and understand is the different languages that people use to go about their jobs and how the same words in one context for, say, security engineers might mean something different for compliance because of just the technical usage of language and how it might vary.

So it’s really important to ensure that you’re actually aligned on what you’re talking about, that you truly are talking about the same thing and achieving it in the same goal. So there’s a lot of listening and probing and follow-up questions that might be part of that to ensure that you really are aligned as you’re planning those goals. But another thing is language and culture and how different that can be from region to region. And those different cultural norms can play out very differently.

Thinking about how to address that, because you might have a policy against conflicts of interest and nepotism, but those relationships that in the United States you might say, “Oh, that looks dodgy.” In other cultures are absolutely the foundations of how businesses have been built for years. And taking that into account and understanding and finding ways to meld the two is really important as well. And whether it was in Latin America or Asia in particular, those were two of the areas where we came across that most often.

And a lot of it really comes down to just awareness rather than any real impropriety as soon as people are aware or know that they need to make someone aware of relationships or that transparency alone reduces the risks associated with any actions dramatically. So I think the different languages and then trying to find a common level across different cultural norms can be a real challenge. But it’s incredibly rewarding as it pays off and you find a way where things really synthesize and work smoothly.

Julie DimMauro: Absolutely. Great points. And you were at MasterCard for a little while as well and you were telling me that was a compliance program that was already built to an extent and you needed to broaden its reach and strengthen it in a number of ways. Correct me if I’m wrong with that.

Marianne Fogarty: I think MasterCard had a compliance program, it may not have been called that at the time. And again, it was growing, but I was at MasterCard for seven and a half years and had the opportunity to start working on investigations that I got involved in helping build out an anti-corruption program and then got more involved in ethics training and awareness and expanding those programs and pushing to get resources to really globalize the programs. I mean, they were global by definition, but all of the resources were in the United States and having the opportunity to get additional personnel and actually have people based in each of the different regions to really help embed the programs in a time-sensitive and culturally sensitive way was invaluable.

Julie DiMauro: It sounds great. And I also want to talk about your experience at a law firm. You had the external experts viewpoint on creating and remediating compliance programs as well. How is that expert consultant’s perspective different and valuable in its own way?

Marianne Fogarty: It’s different because it’s probably more objective. I will say that one of the biggest challenges when you’re external is knowing the company’s business as well as people inside the company do. And it’s a big commitment to do that. And even when you know a segment of the business, you might know that inside and out, but you don’t necessarily know the entire company business and understand the synthesis and how different things work together and what other implications it might be. So there’s a challenge there for outside counsel and outside resources. I’d say they’re a little bit more objective and they’re not… You don’t necessarily get to see what happens afterwards.

You get called on to perform a specific task or to advise on something in particular, and then you’re done. Your client may say, “Thank you very much. Really appreciate your help. Bye-bye.” And at times, this was a big litigation matter. We really appreciate your helping us get out of this issue. I hope I never see you again because if I see you again, that means I have another problem. So you don’t know what happens. And for me, that was really frustrating because I found that I wanted to not only help fix things, but I wanted to help keep bad things from happening. And that’s a very proactive role, which at the time that I was working in law firms was less the function of the legal teams.

There are more compliance-oriented practices at firms now, but at that time, that wasn’t a big focus of the work. The work was largely reactive. And so for me, having the opportunity to move in-house and to not only address issues, because I started doing internal investigations, but to not only address issues, but then find ways to help remediate, to strengthen policies and controls, raise awareness, to help keep those things from happening again, and to help strengthen culture and more broadly help keep bad things from happening was for me much more rewarding.

Julie DiMauro: So you specifically sought out the chief compliance officer job after being at a law firm because you wanted to be a part of the process and building experience?

Marianne Fogarty: Well, I didn’t start as a chief compliance officer. I mean, I went in doing internal investigations.

Julie DiMauro: Got it. Okay.

Marianne Fogarty: And then built up through my first company. And then when I joined Twitter, I wasn’t the chief compliance officer. I was the only person in compliance, but they didn’t have a chief compliance officer per se that was built up over time as I built up the program, sort of worked to embed it across the company and show the impact that we were having and the strategic engagement to, I guess, then earn the title.

Julie DiMauro: Now, I want to ask you about skill sets for compliance. And you’re talking about a background in investigation. How did that lend itself to being a more effective compliance officer? And can you talk about skill sets more generally?

Marianne Fogarty: Yeah, sure. I think that investigations was actually a great foundation because it comes from a place of curiosity and objectivity. And so really being able to listen through and collect all of the pieces to put together the puzzle objectively. Yes, you’ve got all these different voices, but you’re able to have that step back from the direct personal involvement, sometimes a lot of emotional involvement. And that can be really, really helpful.

And I found that the listening skills that came along with that were really helpful. Granted, I wasn’t great at the beginning. I think over time, I have just become more aware and more patient and better at prioritizing and also being in the moment. And that has helped tremendously.

I will say that a few months ago, I assisted Jeannine Lemker of Major, Lindsey & Africa on a piece that she wrote, The Pathway to Becoming Chief Compliance Officer. And it was, it really goes through the different skill sets and the different components of working to develop and build your career as a compliance officer and the skills that can help over time in terms of leading through risk, building relationships, moving from management to leadership, and the different components involved, and growing and managing a business because you have to be more business savvy to really understand the implications. And then just the strategic awareness and engagement. We tried to address a lot of those things in that article, but also it’s just a, again, it’s that step back.

It’s a broad look at all of the different things that go into making a really strong chief compliance officer. I don’t think anyone does all of it. But you can see it there. Try to build on your strengths and see what, and identify where you can really excel and then try to build out the rest of it as well. But there is the Chief Compliance Officer role and growing in compliance. Working just in one area will be self-limiting, right? I mean, a natural curiosity, a willing to stretch across lines, and I mean even staying within compliance.

You don’t have to step out of compliance into another function, but doing just trade compliance or just anti-corruption or just these are really, really important roles. But in order to advance to a Chief Compliance Officer role, you’re going to have to have a good sense of how those different functions operate, how they work together. And if you’re able to over time move around a bit and take on some responsibilities associated with them, work on cross-functional projects with other parts of your compliance team, that can really help build the skills and the awareness that are invaluable in really putting together the whole story and being able to look strategically at the issues confronting the company and the strategic goals of the company and really see how compliance can help protect and support the company in achieving those goals.

Julie DiMauro: It’s like you read my mind because I was going to ask you about, you know, compliance officers that are trying to scale up and climb the corporate ladder! So as they progress in their careers, I wanted to get from you some, you know, practical pointers, what you’d say to those people trying to move up that ladder. And you just outlined some. Are there some technical skills or educational pursuits or other things that you would add?

Marianne Fogarty: One, know how to balance a budget. That is, like it or not, that is a very important component to running a team and running a portion of the business. So understanding and being able to effectively manage the different components. And it’s not just people, it’s also technology, it’s also in a variety of different resources that you’ll have come into play.

It’s understanding that when you’re growing, that doesn’t necessarily mean additional headcount, right? There might be other ways to grow, including through technology that can expand your team’s capabilities and give the experts, the people on your team, the ability to do more because the technology is able to take on a lot of the manual tasks that they were doing.

So as you’re looking at growing, assessing what the options are and how to grow and what you need most and what can have the most value add is really important. Always thinking about, one thing, we over time, you know, whether you’re building a program or you’re working with a more mature program, you’re always, I’ll use the term remediating , right? Because a compliance program is not static. And so you really need to always think about what can you stop doing that you’re doing because it may not be adding the value that it was when you put it in place. Or is there a way to streamline it, to change it, thinking about both how your team works with it, but also what the user experience is? And is there a way to make it to better embed it with employees? Is there a way to streamline the process so that it’s less painful at times to engage with some of the more administrative aspects of compliance? So always rethinking what’s out there.

Another is team development is a critical, critical component of being a good manager and a good leader and helping your team achieve their goals, whether it is sort of personal growth, professional growth, understanding the skills that they want to develop and trying to find ways to give them those opportunities so that they can grow. This is, it’s critical to both program development, employee happiness, and success, but it also then helps build your succession plan, right? As you are ensuring that you have people on your team who are capable of stepping up and taking on the role should something happen to another member of the team or to you.

Julie DiMauro: Terrific advice. Can I ask you about your future pursuits or what’s on the horizon for you career-wise?

Marianne Fogarty: I mean, I think for me, my goals, I thought about a lot of different things. I’ve been looking for a little while. I’ve thought about a lot of different options and opportunities, and I’ve really come down to that. I love being a compliance officer, and that’s what I like best.

And so that’s my goal, is to be a chief compliance officer at a company and help achieve the company’s goals. I also, I mean, down the line, I think that compliance and its role in risk management is going to be an increasingly valuable skill set for boards. And that’s another avenue that I’d like to explore because it’s something that I can continue to do over time, and it would give me the opportunity to get involved or learn a tremendous amount about different industries in which I’m not currently involved.

Julie DiMauro: Terrific. Thank you so much for sharing your terrific insights and experiences with us, Marianne. I really appreciate it. And thanks to all of our listeners today for tuning in. Please check out GRIP’s array of articles, reports, and podcasts at grip.globalrelay.com. Thank you again.

Marianne Fogarty: Thank you so much, Julie. I appreciate it. Have a great day, everyone.

Listen to the audio.