Main Responsibilities of a Risk and Compliance Manager at Google
Aditya's career in risk management at Google involved both proactive measures, such as "routinely train[ing] employees" on the code of conduct and conducting risk assessments of vendors, and reactive measures, including investigating allegations of code of conduct violations and managing incidents involving vendors with access to sensitive employee data. This experience highlights the multifaceted nature of risk management in a large multinational corporation, particularly the need for careful vendor management and the significant financial and reputational consequences of compliance failures, as "foreign corrupt practices act violations are not cheap."
Risk Management, Compliance, Investigations, Vendor Management, Employee Training
Advizer Information
Name: Aditya Ravikumar
Job Title: Risk & Compliance Manager
Company: Google
Undergrad: UC Irvine, 2014
Grad Programs: UCLA Anderson, MBA (in progress)
Majors: Economics
Industries: Technology
Job Functions: Legal
Traits: None Applicable
Video Highlights
1. Aditya's role involves proactive employee training on Google's code of conduct, covering various policies and their implications for all employees and contractors.
2. His responsibilities include risk assessment and due diligence for vendors handling sensitive employee data, ensuring compliance and data access control.
3. Aditya also manages incident response and investigations related to code of conduct violations and vendor-related issues, advising on best practices and rectifying situations.
Transcript
What are your main responsibilities within your current role?
As a risk manager, I held a couple of risk management roles, so it depends on the function. I can talk about both.
Initially, I was within the ethics and compliance team. There was a more proactive and a reactive side to it. The proactive side had two parts. The first was employee training. We were responsible for being the gatekeepers of the company's code of conduct.
We would routinely train employees to ensure they understood the different aspects and policies that come into play under the code of conduct. This applied not just to full-time employees but also to contract workers. That was a significant portion of the role.
On the other hand, for the proactive piece, we would routinely meet with teams heavily interacting with the government or in higher-risk roles. This included sales, policy, government relations, and marketing teams. These were people interacting directly with government or working with vendors who would interact with the government on the company's behalf.
The goal was to ensure they employed best practices in conducting business. We also wanted them to be aware of potential red flags or nefarious activity so they could report it promptly. Violations of the Foreign Corrupt Practices Act are not cheap; companies caught violating it can face hundreds of millions, if not billions, in fines.
We had to be very careful, not just because of the financial penalties but also due to reputational damage. Many people don't realize that corruption has a trickle-down effect and can indirectly affect many more people than one might initially think. That covered the proactive side.
On the reactive side, as gatekeepers of the code of conduct, we investigated any allegations of code of conduct violations or bribery by employees or contractors. The investigative aspect was the reactive side.
This required coming into it with a neutral mindset, understanding that everyone is innocent until proven guilty. It was about fact-finding, asking the right questions, identifying the right witnesses, and conducting a thorough and fair investigation. We would present our findings to the leadership of the employee involved.
Ultimately, we provided guidance on what we thought would be an appropriate decision. More often than not, they followed our guidance. That was pretty much the role on the ethics and compliance side.
I was also a risk manager within our HR organization, specifically in a sub-team called the Vendor Management Organization. Our team was responsible for managing relationships with vendors providing critical HR services.
This included tasks like sending offer letters, supporting employees with relocation, and answering benefits-related questions. We had a large vendor workforce performing various services. These vendors were sensitive because they often had access to personal employee information to do their jobs adequately.
On the risk and compliance side, we again had proactive and reactive duties. Proactively, we conducted risk assessments of all engagements, understanding exactly what vendors were doing and what data they accessed. We ensured they completed all required compliance and due diligence procedures before onboarding.
This included having a legal contract in place and completing due diligence processes, such as the anti-bribery checks I mentioned earlier. We also ensured they only had access to data they absolutely needed. This can be a messy process in a large, fragmented multinational corporation, so we spent a lot of time constantly reviewing it.
On the reactive side, we managed incident management processes for the company. Anytime there was an issue related to a vendor in the HR ecosystem, especially our vendor, we would jump in immediately.
We handled communications to employees and managed investigations or inquiries with the vendor company. Because we worked with the biggest suppliers and had significant experience, other vendors outside our portfolio with issues would often seek our advice on how to deal with those situations and rectify them.
