In this wide-ranging discussion, Best Buy’s current Chief Risk and Compliance Officer Todd Hartman, along with the company’s former Chief Information Security Officer Deb Dixson, chat with Ethisphere Magazine about Best Buy’s evolution on cyber security, compliance, and risk over the last decade, which culminated in the integration of all three into a single, centralized risk function.

Tyler: Can both of you quickly introduce yourselves and your roles, and briefly overview Best Buy’s transition to an integrated risk management function?

Todd: I was Best Buy’s first Chief Compliance Officer in 2006. They gave me a pretty open canvas to create what I thought we needed, which started out focusing on corporate governance and some baseline legal compliance, especially in the securities area, and then evolved from there into what we might call a more classic corporate compliance department. In August of last year, we reorganized, and now I serve as the Chief Risk and Compliance Officer for the company.

Deb: I began my career at Best Buy in the IT department, with responsibility for the retail and dot-com payment systems. With a focus on putting the customer in the middle of everything that we did, I proposed the creation of a team focused on protecting the data of our customers. After a major retail data breach became public, I got the job as the first CISO and the responsibility to build a team and grow the function.

I retired in February, but part of a vision that I’d always had was pulling the often-disparate functions that deal with various components of risk inside of an organization under one umbrella to help make it more efficient from an operational and a financial perspective. The combined capabilities would provide the Executive Team, the Audit Committee, and the Board a more cohesive picture of where risk sits. So, Todd and I partnered on the creation of this Enterprise Risk & Compliance organization.

Todd: After some companies were in the spotlight for putting too much pressure on short-term incentives, leading to illegal behavior and eroding customer trust, I approached my bosses to say, “We need a function that is truly focused on compliance, not compliance as just an extension of the legal job.” I’d become convinced that legal support is fundamentally different from compliance work. Studying other institutions helped me better understand the way chief risk officers normally operate, and I said, “This is almost exactly how a fully empowered compliance officer should operate.” What also made sense to me was that we couldn’t deliver what the company now needed unless we had the resources to take compliance risk management seriously, and that combining compliance with Deb’s Information Security Organization would put us in the best position to manage risk.

Deb: The heart of so much of what the security team looks at is the data. It made sense to pull teams together to have a shared view of comprehensive data sets to be able to follow, as opposed to the previous model, with separate reports, independent of each other, being presented to the Audit Committee and expecting that they could figure out the interplay of one risk to another. I believe that a holistic risk management approach enables the company to take on greater risks because it has a clearer picture of what the greatest risks are and where they sit.

Todd: An illustrative example of exactly what Deb was talking about in terms of the confusion that can be created when Boards are presented multiple competing risk voices is the tension between security and privacy. It can be difficult to brief a board on information security without them automatically assuming the privacy realm is covered somehow; however, privacy is a separate function, with separate concerns. With our current structure, we’re in a much better position to be able to show all of those risks in balance with each other.

Tyler: It sounds like in some way, bundling compliance into a broader assessment of risk, and then bundling information security into that as well, makes each of those three functions seem less like a control function, which people tend to think of as a barrier to business opportunities, and it makes you more of an asset to the business.

Deb: Yes, absolutely. We’ve seen a shift in various business teams bringing us in much earlier in the process, which is what you want as a valued business partner. And because we’ve got this bundle, as you call it, being able to consolidate that, it’s far more efficient for the business partners, and therefore they want to bring us in early.

Todd: Being able to provide them that full picture has enabled this group to be a strategic value to the enterprise as opposed to a gatekeeper. And frankly, it is much easier to have a risk organization that leaders go to for all the traditional risks. Information security risks, privacy risks and compliance risks are considered within the context of business processes, enabling leaders to make well-informed, holistic risk-based decisions.

Deb: Another advantage is that when you have a larger, more diverse group of folks working closely together, you provide the people on the team opportunities to be cross-trained or to recognize ways to approach solving problems differently. They’ve got growth opportunities on a bigger scale than they would have had siloed in their individual disciplines, and they are more engaged because they are contributing to a greater mission and vision.

Tyler: What trends led you toward this reorganization?

Todd: In terms of the trends we felt we were capitalizing on, combining compliance and enterprise risk management has been a trend that we’ve seen at several different companies. The other trend we’ve seen is compliance becoming a separate function from legal, and that’s always been important in, say, a financial services industry, but we’re seeing it across others. That means being able to focus on transparency and accountability without having to worry about litigation defense and strategy, which may be at odds with compliance goals.

The final trend is information security needing to be independent from the information technology organization. For us, it seemed obvious and very much something that we would think all companies would trend towards, given the metrics by which you would measure an IT organization versus the metrics by which you’d measure a security environment.

Tyler: And particularly the way that info-sec risk has exploded for companies in recent years.

Todd: And I think you’re seeing a separate trend at work that could be productive, which is CIOs see security as being so critical that it’s harder for them to separate security concerns from the rest of their job, which is a good thing. But it also enables companies to say, “Well I’ve got a CIO who is incredibly concerned about security, so I am comfortable having them combined.” While it might help enable security by design a little bit better, IT and Information Security are a dangerous combination as a governance matter. Speed, cost and innovation are always going to have tension with security and compliance.

Deb: Any time in an organization where you have a role that’s dependent on that human being’s personality to reach beyond probably what they’re incentivized to be responsible for, that represents a risk in and of itself.

Tyler: Looking forward, what do you all think that the next steps will be, in terms of the evolution of this integrated risk role? Where would you like to see the function two years from now, in terms of growth and evolution within the organization?

Todd: I’m focused on how I position the organization in a way that adds strategic value at the senior leadership level. I know all our business leaders think about security issues; I know they think about compliance issues. But how do I create a risk portfolio view that leverages the right data within the organization and adds a different lens to those conversations that’s helpful?

Looking even further forward, how do I integrate that view and thinking into the regular business review processes of the company? We have regular business reviews that look at a wide variety of metrics. But what I don’t have is a risk, compliance, and security lens to all of those pieces where I can provide relevant data on things that either they aren’t looking at or things that we would think they should be monitoring to ensure the health of the organization.

Deb: I think Todd’s exactly right. All of these functions grew up separately, so they had their own set of processes, their own systems and tools that they used to gather and manage data, and consequently, it’s grunt work right now—“Well I’ve got this, you’ve got that, how do we mash it together?” Part of that is landing on some consolidation of systems and processes in order to be able to make it easy and more natural.

Tyler: What advice would you give to a company that would like to adopt a similar structure for their own risk management?

Deb: They just need to start. Put some thought into what it could look like and find the champions that would understand the benefits and start working towards that. There will likely be initial resistance, but small wins will help pave the way for bigger changes.

Todd: The first goal we set for our team members when we formed this group was that we add value to the enterprise. I would start with thinking about and demonstrating how you add value to what you’re trying to accomplish in the business. We’re going to be able to be more efficient. We’re going to be able to give a comprehensive view, not a piecemeal view. We’re going to be able to leverage combined resources rather than having to build separate resources.

But I think the most important value a function like ours can bring to an organization is the ability to identify and escalate a problem before it gets too large. When companies make headlines for the wrong reasons, there are always a number of places where, if somebody really had seen the full picture at the right time, they could have avoided disaster. There’s often a failure to identify a material and persistent risk to the organization, and even when it’s identified, the right individuals may not be empowered to really do anything about it. We feel we are now in a much better position to identify and address risks before they become material.

Deb: At all levels, people could start talking. They don’t even have to have a specific organizational structure in place, but security can start talking to privacy and can start talking to compliance, and as those conversations are taking place and that muscle is exercised, the more they do it, the more parallels they will find. Stuff surfaces in those conversations that you didn’t know was going on, and that’s a good thing from a risk perspective, to be able to build that trust that people will come to you and tell you, “I don’t think this is the right thing,” or “Should I be worried about this?”

Tyler: To get people to come and tell you those things and not feel like they’re tattling on someone, right?

Deb: You know, it goes to changing the attitude. You’re their partner; you’re not there as the cop to catch them doing something wrong. Rather, how do you help them be even more successful in their business goals with the least amount of risk that you possibly can.

Todd: One really key revelation of this combination that has been already immensely successful was bringing ethics into the risk management conversation. One of the things that I’ve been able to emphasize with everybody is that the best risk mitigation in any organization is an ethical culture. Best Buy, like many other companies, is a company that is driven by its culture. We have strategy, we have process—but we are driven by our people and our culture. From that perspective, combining compliance, ethics, and risk seems almost obvious.

About the Experts:

Todd Hartman is the Chief Risk & Compliance Officer for Best Buy Co., Inc., a leading provider of products, services and solutions. In this role, he is responsible for leading the company’s enterprise risk and compliance capability across all channels and geographies. These functions include enterprise information security, data privacy, global security, enterprise risk management, enterprise fraud prevention, investigations, crisis response and operations, business continuity and disaster recovery, product safety, regulatory compliance and global business ethics.

Deb Dixson spent fourteen years at Best Buy over the course of several tours of duty. She returned to Best Buy in 2015 as Senior Vice President, Global Chief Information Security Officer (CISO). In preparation for her retirement in February, Deb partnered on the creation of a new Enterprise Risk & Compliance function which combines previously separate teams charged with managing risk under a unified umbrella to provide a more comprehensive view of risk for leadership and the Board. For the last six months of her tenure Deb served as an advisor to that team. During her previous time at Best Buy, Deb became the organization’s first Chief Information Security Officer (CISO) and set up the original Information Security team. She established a board-mandated Global Information Security office and governance that set the foundation for a holistic, sustainable approach to security.