An interview with Bob Bostrom, general counsel of Abercrombie & Fitch and Best Lawyers Advisory Board member.
At Abercrombie & Fitch, you have a lot of roles. You are the senior vice president, corporate secretary, and you also act as general counsel. How did you get involved with the company?
I was originally contacted by an executive recruiting firm about the position. I had been executive vice president, general counsel and corporate secretary at Freddie Mac for about six years before, during and after the 2008 financial crisis. I went back to private practice for a couple of years at
I read that when you first started at Abercrombie, you and your legal team worked on institutionalizing best practices around enterprise risk management, crisis management, data security, and diversity. Can you tell me about some of the changes you made and best practices you and your team implemented?
Sure, I would also add to that list compliance and ethics, which I will start with. We embarked on a very bottom-up approach to creating a best-in-class compliance and ethics function. We did an assessment and survey of everyone engaged in compliance activities throughout the company, and then developed a program and structure consistent with the DOJ Sentencing Guidelines. Previously the elements existed, but there had not been any reporting line from the associates engaged in compliance activities into a central compliance function. So we institutionalized all of that. We rewrote and updated the code of conduct and business ethics, anti-bribery policy, and numerous other policies. We created regular meetings of all the
So that’s the ethics and compliance space. As for enterprise risk management, the company always had an enterprise-wide risk management process. We really took that very solid foundation and added on best practices. I co-chair the Enterprise Risk Management Committee with our COO. It’s comprised of about 20 people who represent the senior people in the company from the brands, the business units, and all the corporate shared services. We meet quarterly and report to the Audit Committee quarterly. We do high-level assessments of all risks the company faces and identify, assess, and prioritize risks and seek risk mitigation opportunities. We have a risk ranking system that we look at every quarter and between quarters to decide whether the risks as ranked should be changed or moved, whether they’re trending up or down, and whether mitigation activities are being engaged in appropriately by the owner of that risk. The ERM Committee deep dives on each of our top 10 risks at least once a year at our quarterly meetings, and we report on those to our Audit Committee. It is a very structured and very bottom-up approach with each risk owner having a responsibility to do a bottom-up identification and assessment of risks and mitigation activities.
All the leaders of the company are at the table, which creates, again, a culture of the importance of enterprise-wide risk management. It is important to consider risk-adjusted analysis into expansions of products and businesses so the cost of associated from increased risk and true return on capital can be assessed.
Our diversity and inclusion efforts include the legal department as well as company-wide efforts. Within the legal department, we have followed a number of best practices and maybe even gone beyond best practices. We require that diversity be a part of our performance evaluation system within the legal department. We require that a minimum of 5 to 10 percent of each associate’s balanced score card performance evaluation be based upon their contributions to diversity and inclusion. This starts from the assistants, right up through me. Everyone has a role to play; everyone can play a role. Obviously, dependent upon your particular role and responsibility in the company, that will vary, but everyone is expected to contribute or it will affect your review and your compensation.
We’ve also adopted a policy
We are also very involved with a number of organizations, including the Minority Corporate Counsel Association and the Leadership Council on Legal Diversity (LCLD). We have actively participated in the LCLD intern and fellowship programs. We actively promote our lawyers speaking at diversity and inclusion events. We’ve spoken at probably 20 or so this year. Another group we participate in is The Institute for Inclusion of Legal Profession. We also support scholarships and internship programs for law students of diverse backgrounds in the Columbus area.
We engage with our primary outside counsel to encourage them to have diverse lawyers working on our matters. We encourage them to focus on diversity and inclusion in their own hiring and promoting and provide opportunities for lawyers of diverse backgrounds in their firm. We have extensive outreach programs with them and partner with them in some programs and participate in their programs.
On a company-wide basis, we formed an executive council for diversity and inclusion in the company that I chair. It consists of a cross-section of diverse associates from various parts of the company. We meet quarterly and develop relationships with diversity and inclusion groups outside of the company. We work with the diversity and inclusion department to provide a point of view on diversity and inclusion. We advocate as a group on company-wide diversity and inclusion initiatives. The council is a great sounding board for ideas from the associates. It’s a great chance to discuss programs, ideas, concepts,
Again, one of the ways that we actively engage our associates in the process is to get them to believe and buy into the fact that diversity is really good for the brand. If you love the brand then you want to focus on diversity and inclusion.
The company had a crisis management program in place when I joined. I now chair the Crisis Management Committee. We’ve spent a lot of time updating it and we have done some table top exercises. We’ve communicated to the executive team how important it is to have a plan and to do some table top exercises
Data security, obviously, is very important, and the boards have significant responsibilities in the data and cyber breach space. So we’ve created a data breach committee that reports
You’ve had a lot of leadership positions. What lessons have you learned along the way?
I think probably the most fundamental lesson is to always do the right thing. I think a lot of times there is too much pressure to do the legal thing, which sometimes isn’t a high enough standard. I’m a big advocate of this, and there’ve been a few books written about this. Norman Veasey wrote a tremendous book, The General Counsel as the Persuasive Counselor, where he talks about the general counsel as being the conscience of the corporation and being the voice in the room that always talks about not just doing what is legal but doing what’s right. Not that a lawyer necessarily has a monopoly on morality and doing the right thing any more than anyone else. But it is someone who ought to be the voice in the room to remind people and be the conscience of the corporation. You only get to do that by developing the trust of the executive leadership and the C-suite. So doing the right thing and being the conscience of the corporation would be first and foremost.
The second part of leadership is to be a role model, to be a north star, to work and closely align these values
You have experience in both private practice and in-house. What do you think are the biggest differences between those two? What are the benefits and challenges of each?
I think there are a number of areas where they are different and raise different challenges. Being in-house, you tend to be 100 yards wide and a mile deep. You are deeply engaged in your client—your one client. The positive of that is you get to know your one client better than anybody. The negative is that, unless you make a sincere effort to get out and speak, to attend programs, to network, you don’t have as good a sense of the market as you might have. You don’t have a sense unless you are extraordinarily proactive of that headline training, of seeing where others have gone wrong, seeing what other issues people have faced, and seeing how they reacted to other issues and how they solved them. Whereas when you’re a partner in a law firm and have multiple clients and multiple partners to talk to, you tend to be a mile wide but only six inches deep because you see much more of the market, much more of what’s going on in a broad sense, but you may not have the opportunity to get a mile deep into a single client. So they are very different unless you’re fortunate in private practice to have one or two very large, very substantial clients.
You also get segmented in private practice: you are a securities lawyer; you are a litigator, or maybe an employment lawyer. And so there you are a mile deep in your functional
A great anecdotal story for me is when I went to my first general counsel position at a large bank. I was a fairly young lawyer and it was a great opportunity. A former general counsel who was at the firm said to me, “Bob, I have one important thing to tell you. For six months, listen before you speak.” He never quite explained why, but I quickly understood why. General counsels have become much more than just a lawyer in the company. They’re looked at and looked to by executive management and the board to be true business leaders, to bring more than just their legal skills to the table in a lot of intangible ways. That opportunity makes you realize that business decisions don’t always make legal risk the first and foremost. The NACD just launched a whole new program, “the strategic asset general counsel,” which recognizes this new role. There may be times when legal risk is number one and other times where it is not. Being respectful, mindful, and observant of those situations and when they vary is important to
I think the biggest advantage—or the disadvantage—is that you have one client. If you have a conflict with one client, you’re unemployed. I tell lots of young, aspiring general counsels that because of your ethical responsibilities and the responsibilities imposed upon you by the SEC and the Justice Department, you always need to be prepared to quit because, ultimately, if you have a board or a CEO that engages in either deliberately illegal behavior or rationalized illegal behavior you may need to resign. The Guttfreund Order by the SEC following the Salomon Brothers Bond Bid-Rigging scandal back in the early 90s is a good reminder. The Order stated: “If such a person [the general counsel] takes appropriate steps but management fails to act and that person knows or has reason to know of that failure, he or she should consider what additional steps are appropriate to address the matter. These steps may include disclosure of the matter to the entity’s board of directors, resignation from the firm, or disclosure to regulatory authorities.” This has become significantly more important in the past 20 years as the regulators have increasingly looked to lawyers to be gatekeepers and, in some cases, initiated enforcement actions. So the tension of being the general counsel, which has really become a challenge I think, is the oft-quoted cliché of being a business partner, being a can-do lawyer— “don’t tell me what I can’t do; tell me how I can do it, how I can get around the law to do it” —is now significantly tempered by the regulators’ view and increasingly challenging ethical issues arising from a different role for the lawyer as the gatekeeper. The challenge is to balance being a cop because you’ll lose the trust of your business partners, but also being able to say, “That’s not the right thing; we shouldn’t be doing it.” A general counsel has to balance that fine line being truly a business partner to the business, but also maintaining your role and responsibility as a lawyer gatekeeper. It’s a very tough balancing act for general counsels, which has become one of the biggest challenges.
What do you think has been some of the keys to your success and/or what strategies have you implemented to be so successful?
I think a lot of it goes back to those lessons learned that we talked about earlier. Always doing the right thing, making sure that everyone knows that’s your philosophy, that’s your culture; doing your best to hire people who think like that, who believe in that. As I’ve said many times, you can have all the policies, procedures, practices, and cultural characteristics, but if you hire people who aren’t ethical people, then you can corrupt all of your work to create an ethical culture in your company. So part of that is making sure people you hire understand your perspective, your cultural imperatives on these issues, the importance you attribute to them, really being a role model. Walking the walk and talking the talk. You don’t just talk about it, you lead your life in a way at work and outside of work that reflects those values. You teach by example. It has to be a conscious, proactive effort. It doesn’t just happen; you have to make it happen. I think that
Is there anything else we didn’t touch on that you’d like to add?
The other part of being successful is to remember that your success is really a collective success of a lot of people doing the right thing. I think it’s critically important that you challenge “everybody’s doing it” justifications. I think it’s critically important, as I said, that you really become an advocate to foster and nurture ethical conduct and an ethical culture.
Always remember that someone has to be the conscience for the corporation, someone’s got to be that voice in the room, but it doesn’t mean it always has to be you. It doesn’t mean you’re always going to be right; it doesn’t mean you’ll always be listened to. But it’s really important.
The other thing is, which is a little of what we were talking about earlier, why and how people are successful. I think it’s because you never lose sight of the fact that it’s always a collective effort. You’ve got to maintain your personal credibility, your reputation, and the trust of others. “Others” includes management, the board, prosecutors, employees, vendors, the public, everyone you interface with. You have to be a leader; you have to be a role model. Again, this doesn’t happen passively; you have to be proactive to inspire and lead, especially in moments of stress and crisis. At Freddie Mac, after the conservatorship in the midst of the 2008 Financial Crisis, employees were worried about losing their jobs, losing their retirement, losing their equity, wondering if they would have a job the next day. Following the conservatorship and government takeover, senior executives were terminated, the board of directors was suspended, and there was crisis everywhere in the country. The media, Congress, and the administration were blaming Freddie Mac and Fannie Mae for the financial crisis. The way in which those of us in leadership positions rolled up our sleeves, worked 24/7, ate stale pizza out of cardboard boxes at 1 o’clock in the morning, remained positive, optimistic and enthusiastic role models even as we felt scared and uncertain—I’m convinced that was a very key part of holding those companies together at a time when less resilient, dedicated, mission-focused people could have rapidly spun out of control. This was even more so after the acting CFO committed suicide. So, maintaining a relentless enthusiasm, dedication, and commitment. And then lastly—I think you can’t say this enough—I think it gets back to that notion that success is a collective process; it’s a result of a team effort. One of the most important things I’ve always believed in is to say thank you—constantly and proactively show your appreciation, respect, and recognition for everybody’s contribution to a successful outcome.