Bang & Olufsen’s Chief Compliance Officer Nicolai Ellehuus was headhunted by the Danish luxury brand in the summer of last year to help set up its global compliance program. With over 10 years of experience in the financial and pharmaceutical sectors, he came with a wealth of knowledge about working with compliance in highly regulated industries. But the change from heavily regulated institutions to a consumer-facing luxury brand meant an adjustment in how to think about risk, especially when it comes to ethics, compliance, and brand reputation.
We spoke to Nicolai to get some insights on the importance of compliance, ethics and good behaviour for consumer brands.
I have previously worked in very heavily regulated industries, so it has been an adjustment to think about risk assessment and prioritisation for a luxury consumer brand. It is much different from the financial sector where you are constantly audited on your compliance-level by the Financial Supervisory Authority.
With a consumer facing brand, you have to think about risk not only in terms of the authorities, but also about what your consumers think of you. There is a bigger focus on your brand's reputation, and public perception. You have to think about risk analysis in a different way, because if the public, which could be a single person, are offended by something you have done, then you may have to change an entire campaign. It is harder to foster brand loyalty, and the consumer can easily and quickly move to another brand, if they don’t like the way the company behaves.
We’re in the early phase of a three-year project establishing the global compliance program at Bang & Olufsen, so my work is very project-oriented. The projects usually run for three to six months each.
At the moment, I am evaluating whether we have the proper guidance, training, and controls in place, in the most essential risk areas. The prioritisation is based on the different phases in the three-year overall project. I initially conducted a gap analysis in the existing compliance program, and made a list of all the possible risks there could be for the company. From this I have created a risk register, which will be a key tool for me in everything I do.
I am part of the Corporate Social Responsibility committee at Bang & Olufsen. We have outlined a number of sustainable development goals, which include making sure that third parties we work with are not using child or forced labour, and that workers have good working conditions. Privacy and compliance are both areas with increasing focus from the authorities and consumers. And because we are consumer-facing, one we take very seriously.
The millennial generation don’t want to work for, or buy products from a company who are unethical or don’t take their responsibilities seriously. So I think it is important for a brand to commit to a higher purpose, and contribute to society more than just selling their products. The other side of the coin, is also that even without specific CSR goals, nobody wants a shitstorm. It can be difficult to win brand loyalty from consumers, and really easy to lose it again if you get a bad reputation for behaving unethically.
With the different markets we are in, we focus on making sure that we adhere to the different privacy and marketing legislation that applies across each market. The online market is a huge area for us, and we sell directly through our own website, and also through shops owned by third parties. So, an online presence is hugely important for us both for selling and from the data perspective. We are like many companies increasing our focus to the digital area, and if we are to succeed we need to know our customers. The right data helps us to make more informed business decisions, and tailor our messaging, to make sure that we are equipped to sell them the right product at the right time.
My biggest headache with GDPR is making sure that we have a Data Processing Agreement with each vendor when we enter into a new agreement with them. And then that an audit takes place to make sure that they live up to the agreement. A lot of our other internal processes, e.g., for data-breaches, run like clockwork. But, the challenge is that it is difficult to gauge what a 'normal' amount of incidents looks like. We may see a vendor process a large amount of personal data, but without communicating any incident. So it is hard to know whether there are none, or if they are underreporting the issue. Because, mistakes happen, we are only human. Vendors should be reporting all the small incidents to us. And right now, there isn't the same level of communication of breaches across the vendors, which makes audit prioritisation harder.
At B&O we also use influencers, and have to make sure we comply with the various relevant legal requirements. The way we solve it is raising the influencers’ awareness level of the relevant laws, and to make sure that there is full transparency of the commercial ties to influencers.
It is a challenge to keep up with all the changes, when you have a central function in a global company, so it is important to prioritise. But I subscribe to newsletters from law firms, compliance organisations, and focus my energy on the key markets we are in. Europe is our biggest market which I am quite in tune with, and then in the future China and the US. So I definitely prioritise my focus to fit with relevant markets for us. I also make sure to talk to key stakeholders at work, who keep up with risk mitigation within a specific area, such as IT-security or the GDPR.
This advice is perhaps on a more personal note, but it is something I learned the hard way. As a compliance officer in a company of this size, you are really a project manager. So in this way it differs a lot from other legal areas. I failed miserably at this at a previous job when I was younger, because at the time I didn’t recognise project management as a skill you needed to have in the role as a compliance officer in a global company. But, it was something I have worked on, and works well now.