Tim Murphy, General Counsel, Mastercard

An 18-year journey at Mastercard has seen Tim Murphy assume a number of business positions before succeeding to the role of the GC. He discusses an unconventional path to the top legal job for the payments giant.

I joined Mastercard in 2000 and initially spent seven years in our law department. Then, I spent seven years or so in a series of business roles – I was chief of staff to our chief operating officer doing strategic work, financial planning and sales planning. It was a senior staff role, which is often how lawyers can move effectively from the legal function to the business side. From there, I went to run our North America markets, and for the first time I had a P&L and actual account responsibility, which is a bracing challenge for anybody, but particularly somebody coming from a legal background. Because I was deep in that market and understood some of our challenges, I was asked to take on the role of chief product officer, which tested me in a whole new way.

One of the strengths of Mastercard’s culture is that it seeks to move people around and give them diverse responsibilities, and I really was the beneficiary of that. I joke that I was qualified for exactly none of the jobs I had except for the first one! And in a strange way, all that moving around made me better qualified to be the general counsel.

So, coming back into a legal role did not feel like a significant leap, because I had both wide-ranging previous experience in legal and risk management, as well as having spent seven years with a lot of access to the board of directors and helping to drive the company’s business strategy. In the product organization I had been given the opportunity to manage a relatively large team, and so the opportunity to come back into the law organization and drive a focused transformation agenda was very exciting.

It goes without saying that in the GC role you need to really make sure you put on your risk management hat. That isn’t to say that I didn’t feel accountable for risk management in my business roles, but there’s a special accountability here, and trying to be intentional about flexing that muscle, consulting widely with people and using my business experience to advise on legal risk was a key part of my initial agenda as GC. These were all an important part of coming back in to the law department.

One of the things that I’ve found is that as in-house lawyers, we need to always be selling, meaning that we can’t take for granted that our colleagues understand or appreciate the critical work we do. Business people tend to communicate simply and crisply, whereas lawyers can, at times, go on forever. Just being able to talk to my own legal teams about things like simplicity of communication, managing to metrics and leaning into the company’s strategy has been a pleasure to bring to the department. You need to tell your colleagues it’s a priority: you need to get their buy-in and acknowledgement, so when you are successful it doesn’t look like a random walk, it looks like very important strategic work, which it in fact is. That is so foundational, but it so often doesn’t happen. In-house lawyers need to be selling their services and their value.

We’ve really worked hard on a metrics-based scorecard of things we wanted to achieve – some strategic and some tactical. It is such a natural instinct for business leaders – every business leader manages to a P&L or some sort of balanced scorecard of hard numeric metrics. For lawyers, on the other hand, it is really hard, and a lot resist it. But at the end of the day, if you push hard enough, I think every legal function can find a metrics-based scorecard to measure themselves. That’s really powerful because it speaks the language of business, and it’s a great way of demonstrating value to your board, your CEO and others.

We are shifting a significant portion of our work from lawyers to a shared service function with our finance team. Now, at Mastercard, if you do a non-disclosure agreement with us, it’s done by staff in the shared service function, and that shared service function has all sorts of automation and it tracks – in a very rich way – timelines and response rates and so on. It has allowed us to use knowledge in entirely different ways. We are revamping all of our customer-onboarding systems to make them much more digital- and user-friendly, we’re bringing mobile-based solutions to all compliance requirements, and we’re really trying to show up as a mobile first, digital savvy organization. If Mastercard is going to grow 10, 15%, I want to be able to support that growth, but at the same time grow our expenses only by a very small fraction of that 10, 15%.

In a legal department, it’s very easy to revert to: I’m a service organization and I will do what the business brings me. That’s reactive. We have a critical role in driving company strategy: understanding that strategy, figuring out the components of it, influencing it, and finding ways for legal and policy and other things to not only enable the strategy, but to advance it.

I’ll give you an example. We’re increasingly seeing that good privacy policies are a competitive differentiator. In light of GDPR, my legal team has created a groundbreaking venture called Trūata – which is a method of anonymising data so that it can be used appropriately while protecting consumer privacy, consistent with the new regulations. It came about because lawyers went to the business and said, ‘Look, we have to do this but, by the way, we can get a competitive advantage if we do it well. Let’s drive this thing.’ This is an example of how, if you’re just an order-taker, marking up contracts, then you’re not doing all that you can do.

I think that there is growing demand for the GC to be a trusted adviser to boards. The GC must be the keeper and the guardian of the company’s ethics and its culture, including in areas well beyond its traditional remit. Being part of those conversations, always doing the right thing and absolutely insisting on good ethics and compliance are so important. We’ve seen how incredibly destructive some of these divisive cultural issues can be if they’re not managed the right way.

It’s really hard to overestimate how much time and effort goes into board and governance issues. That continues to surprise me, even four years into the role. Getting the narratives right to the board, not just on my own things, but helping the company do that well overall so that we have effective meetings and get to good conversations – boy, it’s time consuming. You’ve got to make sure you’re resourcing for it, because it can take over your role.

In my job, I could do nothing but government outreach and it still would be really hard to cover everything I need to. This aspect of the job is that important and demanding. Given the choppy geopolitical waters, it has never been more important to make sure you’re not just stuck in the office, but you’re out there talking to governments and stakeholders, you’re advocating and being an ambassador for the firm. The reality is that there are only a few people in an organization who can really get top engagement, and demands on GCs are increasingly high as a result.

In terms of the role of the GC going forward, I do think new skills may be needed on the external ambassadorship side. If you can give a good speech in a TED Talks style in front of 200 economists in a leading country and come off as pretty compelling, you’re adding value to your firm. The best skill you can ever get anywhere in life is public speaking. It’s not rocket science; being comfortable in a public role can be learned.

The world is going through enormous change, not just in technology, but also geopolitics. For multinational firms, from a regulatory and public policy standpoint, the future is going to be harder. Norms that have been around since the Second World War are really changing: alliances are fracturing; we’re seeing trade issues; we’re seeing nationalism on the rise; prevalent data privacy issues. Societies are looking for private companies to take positions on social issues that are enormously complicated. So the job is harder than it’s been because of those things and I think we need new models and approaches to addressing them. Trying to do it alone isn’t likely to be successful. Being a GC, not in a steady state, or even in a growth state with known paradigms, but in a state where all the paradigms are being thrown up is difficult, and we need to do more work on our tools.