How the CEO Can Support Compliance
Many executives view compliance as a “check the box” proposition. In this column, LeClairRyan attorneys Brian Lansing and Patrick Hurd argue that a focus on compliance should permeate the entire organization, in much the same way that Amazon obsesses about customer service. It all starts at the top, with the CEO setting the tone.
with co-author Patrick Hurd
Plenty of CEOs “check the box” on compliance. The drill goes something like this: Once a year, the CCO presents the written compliance plan at a board meeting or C-suite retreat. After scanning the checklist of do’s and don’ts, the CEO basically feels satisfied the bar has been met. Time to move on to the next agenda item.
But does checking the box truly protect the company from risk? Does it enhance its business or propel its growth strategy? The likes of Amazon, Apple and Dollar Shave Club have earned kudos for building cultures permeated by a sharp focus on customer service, right down to the smallest interaction. In the same way, regulated companies need to make sure that compliance permeates the organization. The benefits go beyond risk management: A true culture of compliance feels open and honest to everyone it touches; it leads to higher morale, easier recruiting and retention, happier customers and, ultimately, higher productivity. (If this sounds like an overstatement, imagine how it would feel to be at an outfit scandalized by endless sexual harassment claims or embroiled in accusations of “Enron accounting.”) Developing a culture of compliance requires effort, but the concepts are straightforward:
Set the Tone
Setting the right tone starts with the CEO. This does not mean simply honing your message. Fundamentally, it is about integrating compliance into all that you do. The CEO should see all processes in the organization as opportunities to further the company’s culture of compliance, whether they involve the supply chain, operations, facilities, sales, marketing, HR, the board, you name it. How can you prevent costly mistakes? Where could you find opportunities to implement best practices? Have you listened directly to rank-and-file feedback about what’s actually happening on the ground? When it comes to setting the tone, remember that actions matter much more than words (which certainly matter, too). When the CEO makes a visible, daily commitment to compliance, it is easy for everyone else in the organization to follow suit. Consistency is essential. The CEO should set clear expectations and never move goalposts without thinking carefully about the fallout.
Train Your People
As with all other job responsibilities, employees must be trained in compliance. It starts with having a code of conduct, issuing copies to all employees and posting it on the company’s intranet. Consider also posting the code on your outward-facing website to demonstrate your culture of compliance to external stakeholders – customers, suppliers, business partners and the public. But don’t stop there. Train new employees on their first day. Train all employees at least annually. Develop policies and procedures, distribute and post them and train employees on the distinction. Policies have the force of “law” in a company, violations of which subject an employee to discipline, up to and including termination. Procedures are business rules for the company’s operations. Training should include a combination of facilitated in-person training and online training. Take the training yourself, ensure your executive leadership team does, too, and take it seriously. Doing so sets the example for all employees to follow (remember, tone starts at the top).
The CEO and Chief Compliance Officer must have a bond of trust. At a macro level, this starts with the CEO initiating “the talk” — a freewheeling discussion about questions like how to handle incident responses or what the CEO wants with respect to the frequency of compliance-related communications and the level of detail. Some CEOs want to know about any breaches that occur, and ASAP. Others are a bit more hands-off. The CEO should remove the guesswork by communicating openly about expectations with the compliance team.
Access also matters. The CEO should make sure the CCO and board have an open line for routine reporting and the regular exchange of information about goals, policies, processes and internal investigations. The objective here is engagement, not micromanagement. Regarding communication farther down the line, some companies suffer from disconnects between top execs and mid-level managers who implement compliance programs. In the worst cases, middle managers believe their concerns aren’t being listened to and become millionaires by turning into whistleblowers. The CEO needs to make sure employees at all levels of the organization understand that the brass wants to hear from them. Consider having an anonymous, monitored compliance hotline. This makes employees feel they are a valued part of the company’s compliance efforts. Well-run hotlines can also turn up other matters that may be important to the company. They can help boost morale by contributing to a culture of openness.
If a compliance issue emerges, the CEO should never wait and hope it goes away. To be sure, the CEO must balance a host of factors, including financial stability, impact on growth and return on investment/profitability. But decision paralysis can be devastating. It is better to act decisively on the recommendations of the CCO, one way or another. In order for CEOs to get the information they need to act swiftly, they need to make sure all parties understand they can “handle the truth.”
In today’s highly competitive environment, it is easy to feel that “now is not a good time” to focus on regulatory compliance. But CEOs cannot afford to be consumed by things like mergers and acquisitions, sales slumps or factory closures. They have to multitask and keep compliance on their radar screens. When companies build integrated, sustainable, mutually trusting cultures of compliance, CEOs would never even think about asking the question, “Why are you bringing this up now?” Nor would the CCO tremble at the thought of raising a compliance issue with a harried CEO. From the top down in such cultures, everyone understands that compliance is a daily responsibility — part of who and what you are.