ENGAGING WITH THE CHIEF COMPLIANCE OFFICER
Knowing how to provide oversight on compliance and deal with the CCO is a newly needed board skill
Gabe Shawn Varges, Senior Partner, HCM International and Chairman of the GECN Group
Particularly since the 2008 financial crisis, it has become increasingly accepted that – as part of its supervisory duties – the board of directors provides oversight of the company’s compliance approach and practices.
Despite this, many board members remain largely unclear about what, specifically, they are to do. This includes being uncertain if or how they are supposed to interact with the head of the enterprise’s compliance function, the chief compliance officer.
This is unfortunate, not only due to potential board liability if a material ethical or compliance lapse arises, but also because in today’s ESG-conscious world, having a modern, effective compliance function contributes to the very credibility of the company’s ESG efforts. It is part of what one might call an ‘integrity agenda’.
After all, it is one thing for a company to claim it follows ethical conduct as regards customers and employees, or that it observes good environmental practices wherever it operates, but it is quite another to be able to demonstrate to stakeholders that the company has the right mechanisms, including an independent compliance function, to responsibly drive the agenda and ensure the accuracy of these claims. Even more persuasive is when one can show that the board is actively involved in providing oversight of these efforts.
Why board compliance skills lag behind
Boards’ insufficient practical know-how on compliance oversight has several causes. For one, boards do not always receive the right information from the company. In board trainings that I hold around the world, many board members indicate not receiving even very basic data, such as the spending on compliance, the headcount of the compliance function, or the metrics the company uses to measure compliance performance. Even more unsettling is that many board members are unable to articulate the company’s compliance strategy, often because no such strategy has been provided to them.
But the problem is also due to another factor. While generally well-acquainted with the task of the legal function, many board members are far less familiar with the mission and work of today’s compliance function. For example, why do some companies name the function ‘ethics and compliance’, not just ‘compliance’? What methodologies and tools (including digital and behavioural) does a modern compliance function use? What are the most common obstacles it encounters in carrying out its mission? What skills are increasingly needed in a compliance function that differ from those in a legal function?
Moreover, in many companies, the board gets only limited exposure to those directly running the compliance function. In light of this, board members are not always well-positioned to pose the right questions and ask for the kind of information that would allow them to better assess the company’s compliance profile and performance.
What relationship should boards have with the CCO?
One area of particular challenge is determining how the board should engage with the company’s chief compliance officer (CCO). As one of the latest entrants to the C-Suite, the CCO does not always appear on the board’s list of key company leaders that the board needs to get to know.
This can occur when management has failed to properly position this role, such as by not making it sufficiently senior or by conceiving it more as a technical rather than a leadership role. It can also occur when the person occupying the role lacks the skills to be impactful with management or when management determines the person does not have ‘the right stuff’ to face off directly with the board. In light of all the foregoing, what can a board do? Here are six tips.
SIX TIPS FOR GOOD COMPLIANCE OVERSIGHT
Think of it as a duty of attention and inquiry
A board’s duty can be understood in many ways, but in the increasingly complex world of ethics and compliance, it is best understood as a duty of attention and inquiry. This means being continually attentive to the variety of compliance risks that can arise at the company, even within the executive team and the board itself. It also means not waiting for matters to be reported to it. The board should agree on what data it needs from the company to exercise its duty of compliance oversight. This should include not only information on risks, violations and near misses but also, and equally importantly, on the quality of the specific preventive means the company is using to reduce the chances of such risks materialising.
Demand a strategy
Like any other area of corporate activity, the work on compliance cannot simply be a series of activities. A written strategy is needed to flesh out what the work is meant to accomplish. For example, is the strategy limited to aiming to meet legal and regulatory obligations? Or does it also include enhancing culture and employee ability to make decisions in grey areas where values, more than law or regulation, provide the better answer? Is it connected to the ESG strategy? Is it tied to the incentive system? The compliance strategy should be subject to robust board discussion. Once approved by the board, the strategy also serves as a performance management instrument against which the board can assess the company’s compliance progress.
Don’t let management shape the CCO relationship
Since the board owns its duty of oversight, it is essential for it, not management, to determine the relationship with the CCO. The most regressive practice is for someone from the executive team (the CEO, the general counsel, etc) to present to the board the compliance reports on behalf of the CCO. Equally unhelpful is when the CCO appears before the board only once a year. These practices shortchange the board; they increase the risk of filtering and reduce the board’s ability to hear directly and often enough from the person doing the daily compliance heavy lifting. Hence, it is the board that should determine how often it wishes to see the CCO, whether in the designated board committee and/or before the full board.
Have one-on-ones with the CCO
A leading practice with regard to internal audit is for the board’s audit committee chair to have periodic tête-à-têtes with the internal audit head. Similarly, it is an emerging good practice for the chair of the board, or of the board committee to which the CCO reports, to have such bilateral meetings with the CCO. First, it helps establish a more relaxed rapport with the CCO. Second, since management is not present, it engenders a more open exchange. How is the CCO doing? Is he/she getting any pushback from management? Which are the thorniest issues he/she is dealing with? How could the board better help? Had these kinds of exchanges taken place early enough at companies suffering major compliance mishaps in recent years, perhaps there might have been a better chance for the board to have taken appropriate action.
Understand the GC/CCO difference
The work of the general counsel (GC) is also essential for the company to operate within the law. But it differs from that of today’s CCO. The CCO’s job is to drive preventive mechanisms and help ensure compliance, not just to advise about it. Unlike the GC, whose role is primarily to ‘counsel’, the CCO’s role is increasingly being understood by regulators and the marketplace alike as having an assurance character. Since this means the role goes beyond providing guidance or reporting on non-compliance, a different CCO-management dynamic is created. While not an auditor or regulator, the CCO is not just another employee under the normal control and command of the CEO. The CCO has independent duties to the board, and in some cases to the regulator. Even where the CCO reports to the CEO, the board should keep these higher CCO duties in mind.
Don’t wait for a crisis to inquire
The board’s duty of inquiry translates into very specific ‘to dos’. These are best pursued before any compliance failure arises. In addition to the points raised above, these include finding out:
a) What authority does the compliance function have? Is it sufficient? Is it clearly reflected in a governance document? Do any changes to such a document require board approval?
b) Is the board reviewing and approving the budget and resources of the compliance function to support yearly and multi-year objectives?
c) How well is management leading by example on ethics? How does the company hold accountable those who don’t perform well on compliance? Is the board getting data on this?
d) Is the board participating in the yearly performance evaluation of the CCO, in the decisions on his/her promotions or bonus, and in his/her hiring and dismissal?
e) How deep is the quality of compliance talent below the CCO? What succession planning is in place?
In a business environment where integrity is becoming a critical KPI, these are the specific points a board member should keep in mind.
ABOUT THE AUTHOR
Gabe Shawn Varges has extensive international experience as an executive, advisor, and regulator, with expertise in cutting-edge areas relating to governance, compensation, compliance, risk and regulation. He specialises in advising, assessing, and supporting boards of directors (including compensation and audit committees), senior management, the heads of control functions, as well as public and international institutions and industry associations. He supports companies and other institutions in developed and emerging markets, including in the Gulf. He also serves on monitor teams overseeing the implementation by companies of specific legal, governance, or regulatory commitments. His experience includes serving as chief compliance officer of a major financial services international group, counselling large corporate clients at a leading international law firm, and heading the governance and remuneration areas of a key financial services regulator, where he also led or contributed to taskforces of international standard setters. Gabe also teaches at the University of St. Gallen in Switzerland. A Senior Partner at HCM International, he is Chairman of the Global Governance and Executive Compensation Group, the GECN Group.