Melissa Frugé, Chief Legal Officer at Spredfast, first developed the concept of the Risk Office Committee (“The ROC”) during her time as General Counsel at Home Away, while it was preparing to become a public company. In this interview, Melissa discusses the immense potential this committee has for companies of all kinds and how to form your own.
Tell us about Spredfast.
Spredfast is a platform that helps enterprise customers to manage all of their social media network needs. We offer a comprehensive dashboard to help them engage in a number of activities, including communications, promotions and customer care as well as to compile and review various analytics.
Spredfast is about 10 years old and is based in Austin, Texas. We also have offices in Sydney, London, and Hamburg (our newest office). We are a private company.
What is your role at Spredfast, and where were you before joining the company?
I joined in March 2016 as Spredfast’s first Chief Legal Officer. Spredfast hired me as part of an ongoing effort to bring the company to the next level of maturity. I have a very small – but mighty – team, comprised of one other lawyer, one contract manager, one paralegal, and me. Prior to joining Spreadfast, I was the General Counsel of HomeAway. I joined in 2009 when HomeAway was private, led all legal aspects of its IPO in 2011 and continued to lead its legal and government relations teams until its acquisition by Expedia.
From a day-to-day responsibilities perspective, what does it mean to be CLO at Spredfast?
I’m responsible for all legal and compliance matters – but also anything risk-oriented beyond legal. I often work on a cross-functional basis on things like data privacy and security, IT issues, and strategic agreements. I also work on employee relations and human resources issues, finance projects, intellectual property matters and my team partners with the sales team on an ongoing basis (typically on operations and agreements). In terms of risk-oriented work, I run the Risk Office Committee, which is a risk-management strategy I initially created while I was General Counsel of HomeAway.
We’d love to hear a bit more about your work on the Risk Office Committee.
I created the Risk Office Committee in order to bring a regular cadence to what might otherwise be an occasional cross-functional meeting. In order to create this cross-functional risk team, I identified each significant area in the business that could involve any material risk arising on a semi-frequent basis. I then gathered the appropriate representatives, employees, and higher-level management from each of those functions to form the ROC. The ROC has regular quarterly meetings in addition to ad hoc meetings, as needed when urgent matters arise. In terms of organization, I always come prepared for meetings with an agenda, but the free-form portion of each meeting has also been extremely useful because it promotes open discussion and group brainstorming about whatever issues are most important at the time for committee participants. It enables committee members to think of their activities in different ways and identify new risks. I also take minutes of these meetings, which are used by our auditors to assess and understand what we view to be the risk factors facing the company, as well as what we’re doing to mitigate each of those risks. The minutes can also serve as a resource for third parties (whether strategic partners or companies we’re looking to do some kind of deal with) in due diligence.
This process adds even further value for public companies. For example, when I was at HomeAway, we used our Risk Office Committee to make the process of issuing our public reports much more efficient. It provided a forum for discussing our risk factor disclosures, including updating disclosures, removing those that were no longer relevant, and collaboratively articulating new key risk factors.
How did you establish the format for the ROC?
In terms of format, we generally have a formal, agenda-driven session followed by an informal open discussion. This latter freeform portion of the meeting is the part that’s evolved most over time. We didn’t always include it initially, but quickly realized that open discussion was the most helpful part of the session. Now it’s always included and emphasized. We typically go around the room and talk about day-to-day concerns or issues facing any of our teams.
In terms of attendees, though we have a core group of members, we’ve evolved to invite additional participants relevant to any of the anticipated topics on the agendas. For example, the head of customer service is not a regular attendee at the meeting because there is not usually a high level of risk in her group, but if there were to be something going on that impacts her group, I’ll ask her to participate.
Have you ever encountered situations where people disagree about risks – perhaps in the case where a business-side participant thinks a legal-side participant is being too conservative? How do you shape the conversation when this type of conflict arises?
There have definitely been differing opinions regarding magnitude of a particular risk to the business or the appropriate way to mitigate any particular risk and that usually happens when the group in the ROC doesn’t have all the data needed to make a complete assessment. Generally, in that situation, we will note the information discussed and opinions expressed at the ROC and agree to gather more data in advance of the next meeting. When we next convene, we’ll return to the issue, using the new data and information to reassess our options for indexing or mitigating the risk. In some cases, when the risk seems significant but we haven’t yet agreed on a full mitigation plan, we’ll instead decide to take initial steps to address the issue. We’ll then circle back and see what the impact of those initial steps is and determine follow up actions at a later meeting.
How did you decide who would be part of the core team? Was it at all difficult to convince those people that they should make attending the meetings a priority?
Initially, I looked at the groups who typically deal with the risks in the business. This will vary company by company, but at Spredfast we work with social media; we’re a technology company. So I invited the technology group and the security group. In addition, some members of the finance team always need to be there to know about risks and reserves for risk. I also invite human resources, which deals with employment risks across all areas and they also need to know about the business risks that employees are dealing with. Those are the key groups, and then we invite other people as needed.
And did people immediately buy into it, or did you have to convince people to participate?
I’ve been successful in establishing the group – in part by starting with commitments from senior participants. It’s become almost a coveted group at times because being part of the ROC means part of your responsibility is to review and approve key decisions for the company. More generally, the ROC process has become top-of-mind for the company. When a risk comes up in day-to-day operations, people know that they have to get ROC approval. Overall, the ROC has become a core part of our company-wide effort to get to the next level of maturity.
What is an example of the type of risks the group discusses? How does the committee think about risk assessment and mitigation?
We don’t take a particularly scientific approach to risk assessment. We don’t use a specific formula. Instead, we discuss the instincts and observations of committee members – what they’ve seen arise, what worries them and what has or could interrupt the operations of their functions. For example, when I first joined Spredfast, I found that customer contract negotiations were getting bogged down because customers often didn’t appreciate, from a data privacy perspective, where Spredfast was in the cycle of the collection, the processing, and the storage of data with respect to the social media networks. It was taking our sales and legal teams significant time to explain that our platform enables companies to connect over social media networks and to use multiple social media networks at the same time – and what that role means from a data control and collection perspective. We had to clarify that we process, but don’t control, data. We brought this issue up at an early ROC meeting – the risk being that the lack of understanding was meaningfully slowing down customer acquisition by delaying contracts and failing to timely provide assurances to customers of our data privacy practices, which are actually very strong and should not be a barrier to getting a deal done. We explained to the group that because we didn’t have any tools ready to deal with this issue, customers were giving us contract provisions from their own form contracts, which really didn’t apply to our model or the way that we conducted business. As a group, the ROC decided to go on the offensive by proactively creating FAQs and a security center on our website that explain our business cycle and where we sit in the process of data collection processing and storage. The idea was to enable our sales team to resolve the issue while also showing our customers that we’ve proactively thought about these important questions. The approach has worked really well.
What would you say has been the biggest success of the initiative thus far at Spredfast?
Having a way of approaching data privacy issues has been huge for us because it’s so important for the legal departments of our customers right now. The other thing is giving our auditors a way to get our audit done more quickly. Our auditors have gained confidence in the fact that we assess risks on a regular basis and proactively mitigate them. The same goes for our board of directors. They know about the ROC, and it gives them assurance that we are regularly looking at all of the significant risks and that we will turn to them and report to them anything that they need to know. They know that we are already asking ourselves important questions and that we will come back to them and inform them as needed.
How do you communicate the information from the proceedings in a way that gives comfort to auditors and the board of directors?
I take minutes for each meeting, recording our discussion of agenda items, the freeform conversation and any resulting action items. I always kick off the next meeting with a follow up on the action items from the previous meeting and report on what has been accomplished in the interim. It’s a way to keep the committee accountable and to make sure we’re not just talking without taking action.
What advice do you have for CLOs and GCs who are looking to create similar committees or are starting from square one in thinking about how to institutionalize a way to think about risk on a regular basis?
I would advise any general counsel to create a process like this. One great way to encourage people to partner with you on the initiative is to emphasize the importance of cross-functional risk assessment. If you don’t have a regular cross-functional meeting, start from the idea that without this analysis, your team may be less efficient with respect to risk assessment because everyone is looking at risk in a contained, cabined way instead of exploring how risks cross functional areas and impact different teams within the company. Without a process like the ROC, companies may be looking at risks in a silo or, even worse, missing risks altogether.
For CLOs and GCs trying to understand whether they have the bandwidth to run a process like this, it would be helpful to understand how much time you devote to running the ROC. How much of a time commitment is this for you?
Each meeting typically takes approximately an hour. Preparation time for each meeting really depends on what issues are at hand – and that, obviously, will vary significantly from company to company, depending on the risks and the projects going on within the organization. But actually taking the minutes and preparing the agenda doesn’t take much time at all. Typically, I email all members and ask them what’s on their minds and then combine their thoughts with mine to create an agenda. I believe it is truly more efficient than struggling to deal with risks as they arise and finding the right people to deal with them on an ad hoc basis. With the ROC you have a cross-functional infrastructure and shared mindset to address both potential and actual risks.
It sounds like the time commitment is manageable for ROC participants as well?
Definitely. I probably carry the heaviest workload for the committee. Various people do have responsibilities depending on what our action items are, but the action items are always geared toward mitigating or solving a concrete, agreed-upon problem, so people feel that time is well spent and has a clearly articulated ROI. I would contend that it may actually save time in that key risks may never materialize or may be addressed early which would save the time you might otherwise spend in cleaning up a mess after the fact.
Melissa Frugé has served as the Chief Legal Officer at Spredfast since March 2016. She is responsible for all legal matters worldwide affecting the company. From August 2009 to March 2016 she served as the General Counsel of HomeAway, the leading marketplace for online vacation rentals, which was purchased by Expedia. Prior to HomeAway she served as the General Counsel of Borland and practiced corporate law with DLA Piper. In all of her roles, Melissa has worked closely with senior management and the Board of Directors to advise on key strategic matters covering corporate, intellectual property, privacy, e-commerce, employment, regulatory and other key issues. She earned her J.D. from the Santa Clara University School of Law and her B.A. at the University of Southern California.