Best Lawyers

/ Best Lawyers

An interview with Bob Bostrom, general counsel of Abercrombie & Fitch and Best Lawyers Advisory Board member.

At Abercrombie & Fitch, you have a lot of roles. You are the senior vice president, corporate secretary, and you also act as general counsel. How did you get involved with the company?

I was originally contacted by an executive recruiting firm about the position. I had been executive vice president, general counsel and corporate secretary at Freddie Mac for about six years before, during and after the 2008 financial crisis.  I went back to private practice for a couple of years at Dentons as co-head of the global financial institutions and funds sector and then at Greenburg Traurig as co-chair of the financial regulatory and compliance practice, but I had always harbored a desire to go back in–house, and was approached about various opportunities. I had historically been more of a financial institutions regulatory and corporate boardroom lawyer, but also kind of a crisis management, “company- in-trouble” lawyer. I was intrigued by Abercrombie. They were interested in me because they were at the early stages of a proxy fight. The company felt it needed a corporate boardroom lawyer who had experience with companies going through transitions and with corporate governance and crisis management expertise and less of a lawyer well-versed in the retail business. I came out to visit and found the campus and environment very appealing. Everybody on campus was very enthusiastic and excited about the brands and what they were doing. It was infectious. The campus is an interesting combination of—as I describe it to folks back East—the nicest college campus you’ve ever seen, a Google-type campus, and the most spectacular Adirondack hunting lodge you’ve ever seen. It’s just a beautiful, beautiful place. It’s a very appealing and attractive place to be with a great bunch of associates and an invigorating and exciting environment. And so I got hooked.

I read that when you first started at Abercrombie, you and your legal team worked on institutionalizing best practices around enterprise risk management, crisis management, data security, and diversity. Can you tell me about some of the changes you made and best practices you and your team implemented?

Sure, I would also add to that list compliance and ethics, which I will start with. We embarked on a very bottom-up approach to creating a best-in-class compliance and ethics function. We did an assessment and survey of everyone engaged in compliance activities throughout the company, and then developed a program and structure consistent with the DOJ Sentencing Guidelines. Previously the elements existed, but there had not been any reporting line from the associates engaged in compliance activities into a central compliance function. So we institutionalized all of that. We rewrote and updated the code of conduct and business ethics, anti-bribery policy, and numerous other policies. We created regular meetings of all the associates embedded in the company who are engaged in compliance activities and developed brand new, state-of-the-art online code of conduct training programs as well as anti-corruption training programs. We made these policies very brand specific and culturally attractive to our associates. When you look at any of our materials in this space, they reflect our brand, our modeling, our clothing, pictures of our campus, and really instill a spirit and attitude of “if you love our brand”—and all of our associates really love our brand—“then compliance and ethics and ethical behavior are really very important.” They are important to protect the integrity of the brand. Ethical and compliance breakdowns create financial, legal, and reputational risks for the brand that could harm the brand. We really tried to enhance and nurture the pre-existing cultural imperative to do the right thing, to be respectful and responsible—an ethical, compliant culture in all respects of how we do business. We created the position of chief ethics and compliance officer. We began regular reporting to the Audit Committee. We re-did all of our ethics hotline programs to really make them as user-friendly as we could, and again as associate and brand relevant as we could, so the associates would want to use them and could feel comfortable using them. We engaged in a full-fledged effort to have all those embedded compliance associates report to the chief ethics and compliance officer initially on a dotted line, transitioning to a straight line, so that we could ensure that compliance and ethics were taken seriously throughout the company so that we have consistent policies, consistent approaches, and consistent tolerance levels for ethical behavior and compliance focus.

So that’s the ethics and compliance space. As for enterprise risk management, the company always had an enterprise-wide risk management process. We really took that very solid foundation and added on best practices. I co-chair the Enterprise Risk Management Committee with our COO. It’s comprised of about 20 people who represent the senior people in the company from the brands, the business units, and all the corporate shared services. We meet quarterly and report to the Audit Committee quarterly. We do high-level assessments of all risks the company faces and identify, assess, and prioritize risks and seek risk mitigation opportunities. We have a risk ranking system that we look at every quarter and between quarters to decide whether the risks as ranked should be changed or moved, whether they’re trending up or down, and whether mitigation activities are being engaged in appropriately by the owner of that risk. The ERM Committee deep dives on each of our top 10 risks at least once a year at our quarterly meetings, and we report on those to our Audit Committee. It is a very structured and very bottom-up approach with each risk owner having a responsibility to do a bottom-up identification and assessment of risks and mitigation activities.

The important part of this is that it is attended by all the senior businesses and senior shared business leaders. I don’t send the deputy general counsel—I go myself.

All the leaders of the company are at the table, which creates, again, a culture of the importance of enterprise-wide risk management. It is important to consider risk-adjusted analysis into expansions of products and businesses so the cost of associated from increased risk and true return on capital can be assessed.

Our diversity and inclusion efforts include the legal department as well as company-wide efforts. Within the legal department, we have followed a number of best practices and maybe even gone beyond best practices. We require that diversity be a part of our performance evaluation system within the legal department. We require that a minimum of 5 to 10 percent of each associate’s balanced score card performance evaluation be based upon their contributions to diversity and inclusion. This starts from the assistants, right up through me. Everyone has a role to play; everyone can play a role. Obviously, dependent upon your particular role and responsibility in the company, that will vary, but everyone is expected to contribute or it will affect your review and your compensation.

We’ve also adopted a policy with recruiting, whereby we insist that our recruiters bring us a full slate of diverse candidates for every position we interview for. So that means that they have to engage with a serious effort to provide us with a diverse slate of candidates. We monitor that and pay great attention to it. We make sure that hiring decisions and candidate selections internally within legal are done by a diverse group of lawyers so that we can avoid unconscious bias to the extent we can.

We are also very involved with a number of organizations, including the Minority Corporate Counsel Association and the Leadership Council on Legal Diversity (LCLD). We have actively participated in the LCLD intern and fellowship programs. We actively promote our lawyers speaking at diversity and inclusion events. We’ve spoken at probably 20 or so this year. Another group we participate in is The Institute for Inclusion of Legal Profession. We also support scholarships and internship programs for law students of diverse backgrounds in the Columbus area.

We engage with our primary outside counsel to encourage them to have diverse lawyers working on our matters. We encourage them to focus on diversity and inclusion in their own hiring and promoting and provide opportunities for lawyers of diverse backgrounds in their firm. We have extensive outreach programs with them and partner with them in some programs and participate in their programs.

On a company-wide basis, we formed an executive council for diversity and inclusion in the company that I chair. It consists of a cross-section of diverse associates from various parts of the company. We meet quarterly and develop relationships with diversity and inclusion groups outside of the company. We work with the diversity and inclusion department to provide a point of view on diversity and inclusion. We advocate as a group on company-wide diversity and inclusion initiatives. The council is a great sounding board for ideas from the associates. It’s a great chance to discuss programs, ideas, concepts, trainings, and speakers we want to have on campus to create a culture of diversity inclusion. Diversity and inclusion is reflected in the company’s marketing efforts and branding efforts. It is a commitment that is part of our culture, part of our brand.

Again, one of the ways that we actively engage our associates in the process is to get them to believe and buy into the fact that diversity is really good for the brand. If you love the brand then you want to focus on diversity and inclusion. 

The company had a crisis management program in place when I joined. I now chair the Crisis Management Committee. We’ve spent a lot of time updating it and we have done some table top exercises. We’ve communicated to the executive team how important it is to have a plan and to do some table top exercises so, when that day comes, everybody has a template to start from. Of course, every crisis is different so the template never works perfectly, but it’s an important process to become familiar with, especially in this era of data security, cybersecurity, and breaches, one of the most significant crises a company can face. Doing the table tops, going through the process, understanding the different philosophical positions and reactions to hot breaking series of events that are happening very quickly at a very high velocity, when you don’t have time to think are important. Having gone through a number of real crises and some simulated table top crises, understanding how people think about it and how they react to it gives you a big advantage when it does happen. It enables you to be able to respond in a much more proactive, informed, and educated way. This also brings to the thought process the experiences of others who run the table tops and been through crises to help provide a template to guide you through the process. An effective crisis management program also involves updating and educating the board in these areas, in terms of what our crisis management plan looks like. It involves how you react with the media, how you are with your customers, employees, vendors, shareholders, and regulators. All those things, if thought through carefully ahead of time on a clear day, become somewhat easier to deal with on a stormy day.

Data security, obviously, is very important, and the boards have significant responsibilities in the data and cyber breach space. So we’ve created a data breach committee that reports into the crisis management committee. There are escalation principles, a reporting mechanism, and a very robust, rigorous data breach committee and plan. We’ve analyzed and keep up-to-date with requirements applying to data breaches in all the jurisdictions we do business in, should anything happen. We make sure that it is up-to-date. We have pre-selected vendors that would be retained to help us in the event of a data breach. It is a very, very rigorous process, one we report to the board on to make sure that they’re able to fulfill their responsibilities as directors in overseeing and providing oversight on our cybersecurity and data breach programs.

You’ve had a lot of leadership positions. What lessons have you learned along the way?

I think probably the most fundamental lesson is to always do the right thing. I think a lot of times there is too much pressure to do the legal thing, which sometimes isn’t a high enough standard. I’m a big advocate of this, and there’ve been a few books written about this. Norman Veasey wrote a tremendous book, The General Counsel as the Persuasive Counselor, where he talks about the general counsel as being the conscience of the corporation and being the voice in the room that always talks about not just doing what is legal but doing what’s right. Not that a lawyer necessarily has a monopoly on morality and doing the right thing any more than anyone else. But it is someone who ought to be the voice in the room to remind people and be the conscience of the corporation. You only get to do that by developing the trust of the executive leadership and the C-suite. So doing the right thing and being the conscience of the corporation would be first and foremost.

The second part of leadership is to be a role model, to be a north star, to work and closely align these values into the culture of the company. I find every negative headline is a great teaching moment. One the of the best ways to remind people is to do headline training, to make sure they stay sensitive and sensitized to these situations where you think you’re doing the right thing, and making your best business judgment. But in fact, your best business judgment may be clouded by the intensity of the moment, any number of things that you believe are more important at the time or you may be rationalizing a course of action. But with the benefit of hindsight and benefit of seeing how those types of decisions can have a negative outcome, you can remain sensitized to the moment, to help you make the right decision when you are faced with some of these challenges. It can involve anything from sending a note to your executive C-suite team after the Wells Fargo situation occurred to say, “We have to make sure that we stay sensitive to sales compensation for associates. This is an area where a lot of trouble can occur.” Or a note after the Uber disclosures about abusive cultures. Without the reminders of the real life situation, where something bad happened, it’s very easy for people to say, “Hey, that’s a great idea. Let’s pay people based on production goals that are bold and audacious. It’s good for the shareholder.” So those headline moments are just great teaching and reminder moments. I think—as I’ve gone back and reviewed the reports investigating the causes of most of the major corporate crises, from Enron through to the current genre of Volkswagen, GM, Wells Fargo, Yahoo, and now Uber—you find good people doing dumb things. It’s infrequently bad-intentioned people who deliberately do something bad. For whatever reason, they convince themselves or are convinced that they are doing what they believe to be the right thing. It’s reminding people and making them sensitive to all the bad things that happen to good people that help both you, personally, as well as you, as a general counsel, to help keep that sensitivity in the culture of your company. Every negative headline that you see, that could happen here, and if you keep that in the back of your mind every day, you’re much less apt to make those bad decisions.

You have experience in both private practice and in-house. What do you think are the biggest differences between those two? What are the benefits and challenges of each?

I think there are a number of areas where they are different and raise different challenges. Being in-house, you tend to be 100 yards wide and a mile deep. You are deeply engaged in your client—your one client. The positive of that is you get to know your one client better than anybody. The negative is that, unless you make a sincere effort to get out and speak, to attend programs, to network, you don’t have as good a sense of the market as you might have. You don’t have a sense unless you are extraordinarily proactive of that headline training, of seeing where others have gone wrong, seeing what other issues people have faced, and seeing how they reacted to other issues and how they solved them. Whereas when you’re a partner in a law firm and have multiple clients and multiple partners to talk to, you tend to be a mile wide but only six inches deep because you see much more of the market, much more of what’s going on in a broad sense, but you may not have the opportunity to get a mile deep into a single client. So they are very different unless you’re fortunate in private practice to have one or two very large, very substantial clients.

You also get segmented in private practice: you are a securities lawyer; you are a litigator, or maybe an employment lawyer. And so there you are a mile deep in your functional expertise, but very narrow on top. In-house, you may have your areas of expertise but you have to—as a general counsel at least— be smart enough to learn quickly or to get a good overview of all areas of the company and all areas of the law you ultimately have responsibility for. One great thing about being in-house is that generally you are involved in a situation, with a program, with a product, with a problem, with a decision as a member of the executive team from day one. You have a chance to understand, to learn, to react, to comment, and to be part of that business process. Most of the time when you’re on the outside, you get called as the expert after a decision has been made to help implement the decision. So I personally like being at the table; I like understanding and being around how business people think. They think much differently than lawyers.

A great anecdotal story for me is when I went to my first general counsel position at a large bank. I was a fairly young lawyer and it was a great opportunity. A former general counsel who was at the firm said to me, “Bob, I have one important thing to tell you. For six months, listen before you speak.” He never quite explained why, but I quickly understood why. General counsels have become much more than just a lawyer in the company. They’re looked at and looked to by executive management and the board to be true business leaders, to bring more than just their legal skills to the table in a lot of intangible ways. That opportunity makes you realize that business decisions don’t always make legal risk the first and foremost. The NACD just launched a whole new program, “the strategic asset general counsel,” which recognizes this new role.  There may be times when legal risk is number one and other times where it is not. Being respectful, mindful, and observant of those situations and when they vary is important to having a voice at the table, being trusted and being involved in the process. Increasingly, companies and boards are now encouraging general counsels to be the strategic asset general counsel, to be more than just a lawyer. In order to function at that level, you have to learn the business. Whether it’s those intangible ways of doing the right thing, of being the voice of culture, to encourage compliance and ethical behaviors as part of the culture of the company, the fabric of the brand. Those are all things you get to do as a general counsel, but much less so from the outside.

I think the biggest advantage—or the disadvantage—is that you have one client. If you have a conflict with one client, you’re unemployed. I tell lots of young, aspiring general counsels that because of your ethical responsibilities and the responsibilities imposed upon you by the SEC and the Justice Department, you always need to be prepared to quit because, ultimately, if you have a board or a CEO that engages in either deliberately illegal behavior or rationalized illegal behavior you may need to resign. The Guttfreund Order by the SEC following the Salomon Brothers Bond Bid-Rigging scandal back in the early 90s is a good reminder. The Order stated: “If such a person [the general counsel] takes appropriate steps but management fails to act and that person knows or has reason to know of that failure, he or she should consider what additional steps are appropriate to address the matter. These steps may include disclosure of the matter to the entity’s board of directors, resignation from the firm, or disclosure to regulatory authorities.” This has become significantly more important in the past 20 years as the regulators have increasingly looked to lawyers to be gatekeepers and, in some cases, initiated enforcement actions. So the tension of being the general counsel, which has really become a challenge I think, is the oft-quoted cliché of being a business partner, being a can-do lawyer— “don’t tell me what I can’t do; tell me how I can do it, how I can get around the law to do it” —is now significantly tempered by the regulators’ view and increasingly challenging ethical issues arising from a different role for the lawyer as the gatekeeper. The challenge is to balance being a cop because you’ll lose the trust of your business partners, but also being able to say, “That’s not the right thing; we shouldn’t be doing it.” A general counsel has to balance that fine line being truly a business partner to the business, but also maintaining your role and responsibility as a lawyer gatekeeper. It’s a very tough balancing act for general counsels, which has become one of the biggest challenges.

What do you think has been some of the keys to your success and/or what strategies have you implemented to be so successful?

I think a lot of it goes back to those lessons learned that we talked about earlier. Always doing the right thing, making sure that everyone knows that’s your philosophy, that’s your culture; doing your best to hire people who think like that, who believe in that. As I’ve said many times, you can have all the policies, procedures, practices, and cultural characteristics, but if you hire people who aren’t ethical people, then you can corrupt all of your work to create an ethical culture in your company. So part of that is making sure people you hire understand your perspective, your cultural imperatives on these issues, the importance you attribute to them, really being a role model. Walking the walk and talking the talk. You don’t just talk about it, you lead your life in a way at work and outside of work that reflects those values. You teach by example. It has to be a conscious, proactive effort. It doesn’t just happen; you have to make it happen. I think that personally part of my success has been an unyielding and relentless pursuit of doing the right thing, of making sure I convey that’s how I feel, making sure I pick organizations to work for or work with that feel the same way. Whether it be diversity, ethical conduct, risk management, compliance, doing the right thing—those are all very important to me.

Is there anything else we didn’t touch on that you’d like to add?

The other part of being successful is to remember that your success is really a collective success of a lot of people doing the right thing. I think it’s critically important that you challenge “everybody’s doing it” justifications. I think it’s critically important, as I said, that you really become an advocate to foster and nurture ethical conduct and an ethical culture.

Always remember that someone has to be the conscience for the corporation, someone’s got to be that voice in the room, but it doesn’t mean it always has to be you. It doesn’t mean you’re always going to be right; it doesn’t mean you’ll always be listened to. But it’s really important.

The other thing is, which is a little of what we were talking about earlier, why and how people are successful. I think it’s because you never lose sight of the fact that it’s always a collective effort. You’ve got to maintain your personal credibility, your reputation, and the trust of others. “Others” includes management, the board, prosecutors, employees, vendors, the public, everyone you interface with. You have to be a leader; you have to be a role model. Again, this doesn’t happen passively; you have to be proactive to inspire and lead, especially in moments of stress and crisis. At Freddie Mac, after the conservatorship in the midst of the 2008 Financial Crisis, employees were worried about losing their jobs, losing their retirement, losing their equity, wondering if they would have a job the next day. Following the conservatorship and government takeover, senior executives were terminated, the board of directors was suspended, and there was crisis everywhere in the country. The media, Congress, and the administration were blaming Freddie Mac and Fannie Mae for the financial crisis. The way in which those of us in leadership positions rolled up our sleeves, worked 24/7, ate stale pizza out of cardboard boxes at 1 o’clock in the morning, remained positive, optimistic and enthusiastic role models even as we felt scared and uncertain—I’m convinced that was a very key part of holding those companies together at a time when less resilient, dedicated, mission-focused people could have rapidly spun out of control. This was even more so after the acting CFO committed suicide. So, maintaining a relentless enthusiasm, dedication, and commitment. And then lastly—I think you can’t say this enough—I think it gets back to that notion that success is a collective process; it’s a result of a team effort. One of the most important things I’ve always believed in is to say thank you—constantly and proactively show your appreciation, respect, and recognition for everybody’s contribution to a successful outcome.