Today we have another Radical Compliance podcast interview, this time talking with Ling-Ling Nie about how she is trying to build the first formal ethics and compliance function at Georgia Tech.
Nie joined Georgia Tech last March after a distinguished career in the corporate sector. Her objective since then has been to build a formal, university-wide ethics and compliance program after misconduct scandals that erupted last year.
Long story short: Georgia Tech sacked numerous senior administrators in 2018 for improper relationships with the school’s vendors or for improper spending. For example, one administrator required a bookstore vendor to pay for a suite at the school’s football stadium, which Georgia Tech employees then used to cheer on the Yellow Jackets. Another resigned after news reports that he spent $1 million on “morale” events such as trips to the local aquarium and go-kart races.
Well, Georgia Tech isn’t the first large organization to suffer a series of scandals and then decide to give ethics and compliance more attention. So how has Nie been approaching that project and deciding what to do?
You can hear our full conversation at the top of this post. Meanwhile, here are a few of my own observations.
First, Take Inventory
Even when your mission is to build the organization’s first formal ethics and compliance program, all organizations have at least some ethics and compliance capability already — even if those capabilities aren’t terribly effective; even if they’re scattered in various parts of the enterprise and don’t have any way to act as a cohesive whole. You need to know what those capabilities are.
“Coming in, the first order of business was to identify: What are all the existing ethics and compliance functions?” Nie told me. “Where do they live and what are they doing? And are they doing it well?”
Coincidentally, the chief audit executive of a state out west (I’m not allowed to say which one) recently told me much the same about his early days on the job. His first act as state auditor was to audit all the audit functions across state agencies, so he could understand where they excelled and where they didn’t.
To put it another way, this CAE wanted to understand the risks in his function’s ability to assess risk. Nie did the same thing from an ethics and compliance perspective.
Georgia Tech is a sprawling organization (33,000 students across 28 schools; 16 affiliate organizations; $1 billion in sponsored research annually), so Nie did indeed find pockets of ethics and compliance capability — some in internal audit, some in HR, some in operating units. Once she took that inventory, she could begin matching those capabilities to Georgia Tech’s most pressing risks (athletics misconduct, gender equity, and research compliance, to name a few).
Second, Think About Personnel
One of Nie’s recent actions was to promote Georgia Tech’s director of affiliated organizations, Aisha Oliver-Staley, to be the university’s first chief ethics and compliance officer. I asked Nie why she did that, and her answer said a lot about how you move from taking inventory of compliance capabilities and needs to bringing a new compliance function to the organization.
Oliver-Staley has been at Georgia Tech for nearly 10 years, including several months running ethics and compliance on an interim basis before Nie arrived. That means Oliver-Staley knew all the people in the university “who somehow touch ethics and compliance,” as Nie put it, so Nie and Oliver-Staley could reallocate that expertise in a more unified way. Top compliance officers should always be so lucky to have a No. 1 like that.
That said, Nie also expects to hire at least some talent from outside Georgia Tech. And what skills does she need to bring in, exactly?
“The communications, engagement, and branding and marketing part of running an ethics and compliance program,” Nie said. Right now, what Georgia Tech has for an ethics and compliance function doesn’t include much on those capabilities.
Those words made me think of another conversation I had with a different chief audit executive, who was the first person to hold that role at her organization. As that company, other parts of the enterprise weren’t specifically hostile to the arrival of an internal audit function; rather, they didn’t understand why the woman was there, or what the purpose of an internal audit function was.
That probably sounds familiar to many CCOs who had to build the first compliance function for their organizations. The challenge is about showing the rest of the enterprise why compliance (or audit) is there to help those other parts of the business do their jobs better.
That hasn’t always been true. Twenty years ago, compliance was much more about double-checking contracts and submitting regulatory filings on time. Today it’s much more about embedding awareness of risk and good business conduct into daily operations. So it’s no surprise that communications and branding are such important skills now.
In our podcast, Nie and I also talk about data analytics (Nie says Georgia Tech is good at that, given its scientific and research expertise), the differences between working in the corporate and academic worlds (things are much slower and consensus-driven now), and lots more.
Have a listen, and let me know what you think.