Forum Magazine: Moving Your Compliance Program to the Next Level

Topics: Compliance, Forum Magazine, Government, Law Firms, Regulation & Compliance, Risk Management


Steve Grimes is a partner in the Chicago office of Winston & Strawn. He is a former federal prosecutor, an experienced trial lawyer and a former chief compliance officer at Tenneco, a global publicly traded Fortune 500 manufacturing company. Grimes is a co-leader of Winston’s Privacy and Data Security Task Force. His practice focuses on compliance and data security counseling, sensitive internal investigations and complex litigation. Forum magazine recently sat down with Grimes to discuss how his in-house experience gives him a unique perspective and aids his ability to provide tailored advice to companies and boards seeking to build, improve and defend compliance programs. 

FORUM: Can you give me an overview of the practice group you’re co-leading at Winston and what you’re doing to help clients develop compliance programs?

STEVE GRIMES: Coming from an in-house position as a chief compliance officer, I’m building a practice around and capitalizing on the insights that I gained while in-house and structuring the practice group to meet the specific needs of companies concerning compliance and data security programs. We are trying to take up the advice that many law firms are giving to clients and break it down into the specific business action steps that the companies should take to comply with regulatory requirements. We’re making clients aware of risks and giving them general guidance on how to mitigate the risks; and making sure that there are specific steps, internally, that clients can take with HR and IT teams to move to the next level.

“A compliance program is an investment in the culture of the company.”

FORUM: Can you describe the “next level” for clients?

GRIMES: A good example is the most under-represented risk out there right now, around trade secret theft and the theft of IP. I think we’re all aware of the risk as it stems from third-party hackers. What is not receiving attention, and is the bulk of the problem, is the departing employee or current employee who is stealing information for future personal use or competitive business use. And there’s a lot that companies can be doing that they’re not doing right now. In the first instance, better guard against that type of action. There are a lot of practical things companies can do to guard against it and prevent it, or lessen the chance that it can happen. Secondly, there are many steps that companies can take to put themselves in a position that, if they are on the bad end of a trade secret theft, they have best positioned themselves to get legal recovery. There are criminal and civil injunctions and other avenues for recovering information and getting non-competes in place.

FORUM: No client is equal with respect to where they are regarding compliance. Do you have a standard model to identify where clients are and where they need to be?

GRIMES: Absolutely. I call it the maturity model. It’s an efficient way, a blueprint, for a company to say here’s our risk, what are the things that we as a company can do to mitigate or lessen the chance it’s going to happen and position ourselves to be able to get the full remedies if it does happen. You take each risk and put it into a basic framework of risk assessment maturity from no formal risk assessment (immature) to informally assessed risk based on limited, subjective views of legal compliance to a formal, annual risk assessment done in-house or by external firms (mature).


Steve Grimes is a partner at Winston & Strawn LLP. He was formerly the chief compliance officer and senior litigation counsel to a Fortune 500 company.

FORUM: When you’re identifying risks within a maturity framework, where are the details to implement the compliance program?

GRIMES: The framework is the management tool. It spots the issues and lays the groundwork to address them, and the client must execute on it. For much of this work, clients have the internal resources to address the compliance issue, but they need help organizing and prioritizing. There’s no better sales pitch than to be able to get in and show a client that you understand their issues, help organize and prioritize them, and if they need help, we’re happy to engage.

FORUM: What are some of the things you took away as a compliance officer at Tenneco and brought to your practice at Winston?

GRIMES: The recognition of the internal corporate audience of every recommendation you make as an outside lawyer and the various levels of different functional groups and functional approvals that need to happen within a company to make organizational changes that you’re recommending as part of a compliance program. I took away a much more significant appreciation for how that works. The way that I now advise clients is very different than before I went in-house for a couple of years.

FORUM: How hard is it to convince a company that compliance has a return on investment outside of going into the negative aspect of avoiding fees, prison time, etc.?

GRIMES: Avoid the negative sell but make it clear that there are substantial costs that clients are avoiding with regulatory compliance. I genuinely believe, and there’s research to support it, that engaged employees who feel that their company values ethics are going to be more productive and profitable because they are going to have fewer issues that come up that require time and labor. A compliance program is an investment in the culture of the company.