Successful Compliance with a Yes Before No Approach with Joe Habib (Ep. 12)

In this 12th episode of Compliance Chronicles, Liisa talks with Joe Habib, who shares insights on navigating privacy, compliance, and AI. He emphasizes the importance of understanding technology, building trust, and taking a 'yes before no' approach. His journey and advice inspire a commitment to continuous learning.
Takeaways
- Understanding technology
- Building trust
- 'Yes before no' approach
- Continuous learning
If you enjoy this conversation, make sure to subscribe to Compliance Chronicles in your favorite podcast app and follow the show so you don’t miss future episodes on privacy, AI, internal audit, and real‑world compliance leadership.
Liisa Thomas: Welcome to Compliance Chronicles, we learn from professionals shaping the world of compliance. Your host, Liisa Thomas, Privacy and Compliance counsel and professor at Northwestern Law School, and a lifelong learner of organizational change. From journeys to hard-written lessons, these the Chronicles that inspire and guide. Let's in. Welcome back and today I am thrilled to be joined by Joe Habib. So Joe, I will turn the floor over to you to give us a quick introduction.
Joe Habib: Great, thanks Liisa. So I am Joe Habib. I am Veeam's legal director, senior counsel, leading privacy, AI, and regulatory matters. It's quite an adventure lately with privacy and AI as it's evolving and that's me.
Liisa Thomas: Well, let's talk about your journey. How did you get to this role that you've
Joe Habib: I started right out of law school as a compliance specialist with Quicken Loans and that was right as the TCPA was coming live and class action litigation was all the rage around telephone calls. After we built a really great compliance program at Quicken Loans, they asked me what I wanted to do and I said I really enjoy privacy and technology. So I spent almost three years after that building out their privacy and technology in compliance legal program with another senior turning over there. Then I decided I was ready to take on global privacy, legal compliance, and I went over to AlixPartners. Then I decided I wanted to get into tech. So since then I've been with Splunk, Wiz, and now with Veeam building out privacy and well now AI legal compliance programs and legal governance for that, what happens.
Liisa Thomas: When I think about like when we interact with the business teams, they're often not really thrilled to talk to legal or compliance. So how do you get them on your side?
Joe Habib: I have two kind of maxims in how I perform my work. The first one is understand the technology before you approach your technical teams. I spend a lot of time working with the architecture teams to understand the technology. So that way when I go and approach these guys is I understand what their pain points are already. I understand whether some flexibility, maybe some things we could improve on. And then I always approach them with a solution instead of problems.
Liisa Thomas: So let's turn now to talking about challenges. What in your experience has been the most challenging aspect of navigating these laws, privacy, compliance, AI? What has been the most difficult and how have you managed it?
Joe Habib: I think the hardest part is really getting the resources needed to meet the compliance of the law in the right way and keeping people happy while they do it. How I go about that is a lot of deal making. It's a lot of prioritizing and saying we can, we can knock out the tier one and tier two risks this quarter. Next quarter we'll knock out the tier three risks. You need to show them how they're going to benefit from either doing these actions that they don't want to do, kind of like going to the gym, right? Like you don't want to go to the gym sometimes, but like you're really happy that you did and you're healthy and you got everything. That's really what it comes down to is like showing them that it's in their best interest to follow your guidance and building yourself out as a trusted guy.
Liisa Thomas: Go back to one of the things you said about the trusted advisor. How did you create that?
Joe Habib: I make it a point to schedule one-on-ones with them and I make them pretty regular. And the first 15 minutes is talking about March Madness, dogs, what the weather is like, where they're at. It's really building those relationships on a personal level. And I think that's where all trust starts, right? That trust is my currency. That is my everything. Cause if I lose trust, I lose my ability to perform my job. I lose my ability to protect the company. Being right isn't necessarily having the right answer, but it's having the right answer for your organization. And starting with small wins, you identify what you can get a small wins for your team and then let them enjoy the spoils of those victories. They realize that they're getting praise from leadership or having less demand letters. But when you're wrong, you go to them again with a solution. Say, hey guys, I was wrong last time. Here's my new solution. And I think you apologize. And I think you recognize that it may have taken either resources away from a project that they wanted to put those resources towards someone else. It caused unnecessary stress. Whatever.
Liisa Thomas: things that change management always teaches us is that we as lawyers love to solve a problem, but it's better not to rush to a solution. You're slowing it down a little bit, which is just not our natural habit.
Joe Habib: That's something I think is really important. Most business people, I mean, I know lawyers may disagree, especially in the heat of the moment. Most business people are very rational people. And I think if you explain it to them in a rational, calm way, and not with ultimatums, not, oh, if you do this, it's gonna be 4% of your global income. I think if you just explain to them practically what's gonna happen and you speak to them in their terms, most will come around, most will account.
Liisa Thomas: Okay, so switching gears, what are some key lessons that you could share that you've learned through your experiences in your roles? How have they shaped you?
Joe Habib: I'll say I was very fortunate to start off at Quicken Loans. And the reason why I say that is they had these things called ISMs and they were company culture guideposts. And one of them was, and it still stuck with me 10, 12 years later, is yes before no. You know, as a lawyer, you come in and it's so easy to say no to everything, right? Like you can avoid risk just by not doing it. But the company culture there was taking a yes before no approach. And I carry that with me every place I've been, I still think about it today. One of the biggest learning points was taking a yes before no approach to everything. And what I mean by that is it's kind of what we were already discussed, right? Someone comes to you with an idea, don't shoot it down right away. Even if you know the answer is going to be no, pressure test it. See what you can extract out of it. Maybe you might not take any of their proposed solution or their proposed answer, but you can understand their true pain point. Come the end of the day, we're emotional people. We want to feel like we got the win. If you can make people feel like that, and give them their business win and you take your legal win, that's a victory. And so really taking that yes before no approach gives you a lot of opportunity. know, one of the things I've learned too is like, if you know something's gonna fail, but there's not a lot of harm or no harm gonna come from it, maybe just hold that person's hand as they go down in flames and then be there to help build them back up. You know, I mean that semi-honestly, right? Because... you could start a whole argument if you know that the result is not going to cause no harm to your company or to people. Maybe it might cost a little bit of money or something like that, but nothing catastrophic. Say, all right, I don't think this is the right path, but I'll go with you down it.
Then all of a sudden, when it doesn't work out, you're there to help pull them up and help build them up. Going back to parenting, much like my three-year-old, I'll let you fall off the bike. I'll be there to pull you back up. No harm done, no broken bones, no head concussions. Scrape knee maybe. But then you build that trust because you're like, all right, Joe rode with me on this one. I'll ride with him on that.
Liisa Thomas: Do you have an example you could share that might give people some comfort, how they could apply it in their own situation?
Joe Habib: And we kept having to deny. had guidance from the leadership. Then all of a sudden, we started to realize that that model wasn't meeting our needs. And all of a sudden, we had to scramble. We had to onboard models immediately, do quick risk assessments. We had to onboard the contracts quickly. And so there was no harm. It was just work that had to be done. But it was one of those where was like, I could have sat there and could have argued with the executive. From a compliance perspective, what happens if one of them was magically labeled as a chain, a supply chain risk or whatever the models was breached or compromised and we can no longer use it. You want to have that backup, you want to have that resiliency. But you know, my calculation was there wasn't going to be a lot of risk to being a one model company. So I said, you know what, let's ride and let's see what happens. All of a sudden it didn't work out great, right? We had, we had some issues that come up that I can't necessarily share. We had to onboard more models. All of a sudden you had that executive coming to me and said, Joe. You were right. I'm like, yeah, was. And all of a sudden now it's like when I did speak after that event, I was like, hey, let's hear what Joe has to say instead of you know, glossing off. Another great example I could think of is around cookies, right? So, you have this global patchwork, right? Of like, you need active consent, you need passive consent. You don't even need consent depending on the jurisdiction that you're in. And what you will find is you have a lot of these products out there in the environment. We'll say, we can manage all your different cookies. You want to this banner pop up in this geo, great. You want to have this banner pop up here. You don't want a banner at all here. In one of the previous companies, I really loved the idea of just having all the options for all the different geos.
What ended up happening is when you have to manage your cookies, you have to ensure that they're consistent across the board. You have to update five or six different banners every time. The cost in terms of people, labor, and stress skyrockets, to be honest with you. I went to the business and I said, let's have one. Let's just fall back. Everyone consents. Or let's have two, one that is like very heavy consent and the other is like an acknowledgement. Oh no, no, no, Joe, we're going to take advantage of every law in every corner we can. If we don't have to show a banner, we're not going to do it. Okay, fine. All of a sudden you had the technology team asking for more headcount to manage the cookie program. They're like, this is going to cost us literally tens of maybe 100 grand, 150 grand per year. Well, let's knock it back down to two. We knocked it down to two. Didn't need the headcount anymore. You didn't have any issues. Bought trust with the technology leadership, right? Because, you know, I said, hey guys, this is not the right path.
Liisa Thomas: So as we think back of all of this amazing advice that you've given us and the information that you've shared about your journey so far in your career, any parting advice that you could share with others, either those that are starting out or that have been doing this for a long time and are looking for a little spark of inspiration.
Joe Habib: I think for everyone, regardless of if you're started off first year, fresh out of law school, or you've been doing it for 30 years, always be a student, always keep learning. Technology is evolving incredibly fast. The laws are evolving, not as fast, but fast-ish, depending on your jurisdiction. And the environment in which we operate is consistently changing because of those two factors. I think if you become stuck in your ways, if you don't bother to understand not only where things are now, but where they're going. If you kind of rely on the fact that you've been doing this for 20 or 30 years and that's how I've always done a type of deal, not only will you lose trust with your business, I think you'll also be doing your business a disservice. If you show your learning and you ask inquisitive questions of people in your business, everyone wants to teach. Everyone wants to feel like they imparted knowledge on someone else. I think if you're always learning, if you're always just genuinely curious, you build great relationships, you put yourself in a better position, you put your company in a better position, and there's nothing bad that can come from learning. Literally nothing bad. Even if you choose not to use the information. You've learned now that that is bad information and don't use it. So always be learning.
Liisa Thomas: This is wonderful. Joe's so inspirational. Thank you so much. I really appreciate you making the time to have this conversation. I hope you enjoyed this episode of Compliance Chronicles, where we look for guidance and inspiration from the personal journeys of compliance professionals.