Playbook: Compliance Build Out

When Steven Lowson joined Sequa Corporation 20 years ago, the company was public, and the general counsel and CEO were business partners. When both passed away in their 90s, Sequa was sold and taken private by the Carlyle Group, a new CEO was hired, and Lowson was appointed general counsel—and tasked with building a global compliance function from the ground up.

Modern Counsel: What did Sequa’s compliance function look like when you became general counsel in 2008?

Steven Lowson: It was essentially nonexistent. In fact, I recently gave a presentation that had a slide for the compliance programs in 2008, and the slide was blank. There were a number of people doing things around compliance, but there was no centralized compliance function and no policies or programs being adhered to and audited. For example, one of our major companies, Chromalloy, had someone who was “in charge” of compliance, but he wasn’t a compliance professional in the sense that he had the necessary background, and he wore about six different hats. So they were doing things on an ad-hoc basis. They had training programs—an ethics program, a code of business conduct—and if there was a fire, they were putting it out. But they didn’t have uniform processes in place around how they approached compliance, and it wasn’t clear to each and every employee how to go about the whole compliance function.

MC: What risks was the company facing by not having formal compliance policy?

SL: Compliance is critical to our business. Chromalloy, for example, is international, which means it faces many issues in regard to export control, transfer of technology, and foreign nationals. Before we formalized compliance, we were facing significant risk of a government agency coming in, auditing us, and finding violations that could lead to a number of problems—significant monetary fines among them. More importantly, we do a lot of work with the US government, and if we were found to be in violation of compliance statutes, we were looking at being prohibited from doing such business, which would have been devastating. Moreover, a lot of our larger joint-venture partners and customers have really buttressed their compliance programs and are requiring in their contracts that the companies they do business with have significant compliance initiatives in place.

MC: Is compliance different in a private company versus a public company?

SL: We were public before the Carlyle Group bought us, though we had a majority shareholder who owned 53 percent of the stock, so we weren’t run in the manner of a typical public company. That said, being public versus private, there are differences in terms of Sarbanes-Oxley financial reporting and all of that. At the same time, when you’re owned by a private equity company like the Carlyle Group, which itself is public, you end up going down that path anyway. We do a lot of things here that are very similar to what public companies do, such as SEC Form 10-Q and 10-K equivalents. We don’t file them with the Securities and Exchange Commission, but we still create the documents and audit our finances.

MC: What was your process for building a compliance program from the ground up?

SL: There were three immediate steps: I hired someone who had spent her life in another corporation living, eating, and breathing compliance; I went to a number of seminars to get up to speed on the key compliance statutes and processes I needed to implement; and I tapped the right outside counsel to help me pull this all together.

MC: What challenges did you face?

SL: I already had so much on my plate in terms of leading the company in a new direction from a legal standpoint and putting out the fires of the everyday business. We had some monumental issues come up in 2008, 2009, and 2010 around contracts that the previous administration had entered that were not favorable to the company and had to be arbitrated. While I was doing that, it was hard to get management to approve programs that weren’t really visible. Additionally, a lot of the compliance world is about taking preventative measures, and I had to convince the company to spend its limited resources to prevent something that wasn’t occurring instead of implementing programs that generate revenue.

But I will say, I had the support of senior management and our owners, the Carlyle Group, in embarking on this. I went to board meetings and explained the issues, and they recognized that we needed to come at this with a robust compliance process.

MC: How long did the process take?

SL: It took a good two to three years to really get all of the processes in place, but it’s not enough to have written policies and procedures; you have to implement them and audit them, and more importantly, you have to get people to think about them on a daily basis and integrate them into the business practices. Every day it’s evolving. Now we’re refining it and developing the right organization to ensure that it’s ingrained. We’re building out the compliance organization to create regional leaders who live and breathe compliance every day and ensure the people on the ground in each unit are doing what they need to do. Some of our units are there; some aren’t. But I’m proud to say that when the Carlyle Group, which has hundreds of companies in its portfolio, needs a model for a compliance program, we’re one of the companies it taps.

MC: You said you had the support of senior management. Does that mean there wasn’t tension between compliance and the business side?

SL: There are challenges every day. People want to sell products and raise revenues. But the point companies really need to strive to reach, which we have, is fostering a culture of compliance, a culture in which people are thinking about it. It’s okay to expand in other parts of the world in places that don’t do business exactly like the Western world does. You’re going to lose some individual battles because people are always going to make mistakes, but as long as you have people thinking about compliance from a cultural perspective, you’ve won the war.

Essentially, we’re ingraining this culture of compliance in our business management operating system. If you don’t do that, people are not going to be constantly reminded of it, and you’re going to have a lot more opportunity for people to not follow the rules.