No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe
Jump to a Section
  • At the Office
    • Ethics
    • HR Compliance
    • Leadership & Career
    • Well-Being at Work
  • Compliance & Risk
    • Compliance
    • FCPA
    • Fraud
    • Risk
  • Finserv & Audit
    • Financial Services
    • Internal Audit
  • Governance
    • ESG
    • Getting Governance Right
  • Infosec
    • Cybersecurity
    • Data Privacy
  • Opinion
    • Adam Balfour
    • Jim DeLoach
    • Mary Shirley
    • Yan Tougas
No Result
View All Result
Corporate Compliance Insights
Home Featured

5 Ways to Elevate the Board’s Oversight of Compliance

by Chuck Saia
September 29, 2017
in Featured, Governance
woman looking through binoculars

Expanding the View to Include Culture

Does your organization view compliance as a “check the box” exercise? Many companies do. Chuck Saia, CEO of Deloitte Risk and Financial Advisory, feels differently and shares five ways a board can start broadening its view – and management’s view – of compliance to include issues of culture.

With so many strategic issues to address, how can a board most effectively execute its responsibility to oversee compliance?

The answer: by taking a broader view of compliance.

Many boards see compliance as a check-the-box exercise — a relatively mundane matter to be quickly dispatched so they can focus on more strategic issues. If you view compliance in those terms, then a check-the-box approach actually makes sense.

But, after countless conversations with board members and executives on the topic of overseeing compliance, I’m convinced that this issue needs to be looked at from a different angle — one that helps a board understand the culture of the organization it is overseeing.

Keeping in mind the context of a board’s risk oversight responsibilities, compliance should be viewed more broadly. Employees can operate within legal and regulatory rules while behaving in ways that do not reflect the values of the organization. Such behaviors generate culture risk. Left unchecked, those behaviors can multiply, negatively impacting customers, suppliers, investors, community members and other key stakeholders. Those negative impacts can give rise to other risks – particularly reputational risk.

While regulatory noncompliance presents reputational risks, they generally pale next to those stemming from culture risk. The media and public often have difficulty understanding regulatory violations, but a violation of the trust built up over years between an organization and its stakeholders makes for a dramatic, readily understood — and often very damaging — story.

Addressing culture risk does not mean creating a “culture of compliance.” Such attempts tend to preserve a narrow, rules-driven view of compliance and culture. Addressing culture risk calls for a new view of compliance. This view calls for operating not only within legal and regulatory bounds, but also in ways that reflect the core values of the organization.

Here are five ways a board can start broadening its view, and management’s view, of compliance to include issues of culture.

#1: Grasp the Nature of Culture Risk

Culture risk is a strategic risk – that is, a risk that can undermine the ability of the organization to implement its strategies and achieve its goals. Culture risk also poses financial risks and risks to data, intellectual property and other assets. Yet reputation risk may be the most serious threat, because loss of reputation directly undermines the organization’s ability to implement strategies and achieve goals, often for months or years to come.

As the ultimate overseers of risk and guardians of reputation, the board is responsible for setting the tone at the top and promulgating the right values. The board is also responsible for overseeing culture, reputation and other strategic risks — bearing in mind that regulatory noncompliance also presents reputational risk.

#2: Understand Your Organization’s and Board’s Culture Risk Posture

Culture can be defined in various ways, but essentially, it is the sum total of the values that drive people’s behavior within the organization. Those values — and the culture — are reflected in hiring, compensation, promotion, investment and other decisions at all levels. Culture determines which behaviors are accepted and encouraged in the organization.

Vague notions of culture create culture risks and undermine oversight of the culture. Early in my tenure as Deloitte’s Chief Risk, Reputation and Regulatory Affairs Officer, I was asked about our level of culture risk. Truthfully, I had only a vague, finger-in-the-wind idea. So, we embarked on a journey within our organization to understand insider threats and to build out a broader culture risk program that enables management to identify areas where culture risk might emerge and how to address it.

One caution: Culture risk and conduct risk are not the same. Conduct risk, which includes the risk of fraud and embezzlement, is often monitored in very specific areas (for example, in procurement in manufacturing or trading in financial services). For that reason, a focus on conduct risk can lead to a siloed approach to culture risk and overlook larger cultural issues.

And it is not just a management issue; a board should also understand and periodically reflect on its own culture and risks associated with its behavior.

#3: Promote the Use of Technology

Currently available technologies can help organizations to address compliance and culture risk. Technology-supported compliance programs manage ongoing compliance and reporting based on defined regulatory requirements. These programs enable management, audit committees and boards to know, on a quarter-to-quarter or month-to-month basis, that the organization is in compliance with applicable rules and where issues of noncompliance could emerge.

Similarly, a technology-supported insider-threat program can monitor employee behavior in various ways. For example, surveillance of emails and texts can identify individuals or pockets of individuals who may be engaged in or close to engaging in behavior outside legal, ethical or cultural bounds. Such cases should be referred to the chief ethics, legal or risk officer for consideration and potential action, which may include remediation, training or other steps.

Cultural attributes can be identified and measured and then monitored by tech-supported programs. While less prevalent than compliance and insider-threat programs, culture monitoring programs are gaining traction. Some culture-monitoring programs are geared more toward human resources concerns – for example, tracking employee morale – while others also monitor broader behaviors.

Any tech-supported compliance, insider threat or culture monitoring program should be implemented by, or with direct input from, the business if it is to serve the needs of management and the board. IT can support the implementation, but it shouldn’t drive it.

#4: Ask Culture-Related Questions

In its risk oversight role, the board can broaden management’s approach to compliance to include conduct and culture risk. This entails broadening the conversation around compliance to include culture.

Some useful questions to ask include:

  • To what extent and in what ways are we using technology to monitor compliance? To what extent are we using it to monitor conduct? Do we have an insider-threat program?
  • What have we done to define the values and the culture that we need in order to support people in their pursuit of organizational goals?
  • How are we communicating our organizational values inside and outside the enterprise?
  • What are our greatest conduct risks and culture risks?
  • How are we measuring conduct risk and culture risk?
  • How are we monitoring and managing those risks?
  • How have we prepared for the reputational impact of a compliance, conduct or culture risk event?

While broadening the discussion, the board must of course continue to receive adequate assurance that the organization is operating in regulatory compliance.

#5: Start Small, But Get Started

A check-the-box mindset can be hard to overcome, yet given the speed of social media and the durability of internet-based reports, noncompliance can create reputational risks. As we have all seen in various media stories, even more damage can stem from breaches of ethical behavior or betrayals of organizational values.

Technologies that enable continuous monitoring, data visualization and real-time reporting can ratchet up the efficiency of compliance programs. That positions the organization to direct resources toward addressing culture risk. Many organizations begin by instituting a robust, tech-supported insider-threat program. If such a program already exists, it can often be built out into a broader culture-risk monitoring program.

Boards must also bear in mind that culture monitoring programs call for robust governance mechanisms, which typically involve the board as well as the chief legal, ethical or risk officer.

Beyond Table-Stakes Compliance

Today, regulatory compliance programs represent table stakes. Costs of noncompliance can range from minor to major, but when it comes to risks, compliance issues such as regulations often lag behind emerging challenges. Additionally, as they have done to date in financial services, they may also stress the importance of a sound culture while leaving organizations to define what that means and how to go about achieving it.

Focusing on the strategic issues and implications that compliance — and culture — present can engage board members at an appropriate level and enable the board to expand its oversight role to include conduct and culture. This, in turn, can support the executive team in its efforts to create a culture that supports people in their efforts to reach the organization’s goals.


Tags: Board of DirectorsBoard Risk OversightConduct RiskCorporate CultureTone at the Top
Previous Post

Thomson Reuters Introduces LEI Profiling Service to Ease MiFID II Preparedness

Next Post

What Money Laundering Looks Like in Community Banks

Chuck Saia

Chuck Saia

Chuck Saia headshotChuck Saia is CEO, Deloitte Risk and Financial Advisory. Chuck leads a risk consulting and financial advisory business comprised of 12,500+ professionals. Deloitte Risk and Financial Advisory helps organizations turn critical and complex business issues into opportunities for growth, resilience, and long-term advantage. Chuck has more than 24 years of experience advising clients on corporate governance, regulatory issues, risk management, and internal controls. Chuck serves on the Executive Committee of Deloitte and reports directly to Cathy Engelbert, CEO of Deloitte. He has an unwavering commitment to the success of our firm, our professionals, and our clients. Prior to his current role, Chuck served as the chief risk, reputation and regulatory affairs officer for Deloitte. In this role, he led the transformation of Deloitte’s approach to risk management, changing the conversation around reputation in the marketplace, and serving as a valued advisor to clients, nonprofits, and global organizations. Chuck oversaw strategic and reputational risk management; regulatory affairs; ethics and compliance; confidentiality and privacy matters; independence and business conflict; reputational sensing; and crisis management. He has been instrumental in advancing Deloitte’s brand through frequent client C-suite interactions and marketplace eminence. Chuck developed and drove the enterprise-wide effort to protect, preserve, and enhance Deloitte’s reputation to clearly distinguish the organization as the leader in professional services in the marketplace. He developed and executed on a comprehensive strategy that aligned Strategic Risk, Reputation and Regulatory Affairs (SRRRA) with other organizational interdependencies. By engaging with leaders and professionals at all levels of the enterprise, he drove cultural change across the organization and set the tone on reputation, ensuring that Deloitte’s people understand the critical role they play in safeguarding Deloitte’s reputation. Under his leadership, SRRRA transformed Deloitte’s focus on risk from a traditional enterprise risk management (ERM) approach to one that’s more strategic and nimble, repositioning risk as a key enabler to the different businesses so they can adjust and mitigate top and emerging risks, accordingly. Chuck led SRRRA in creating world-class strategic risk management capabilities, including reputational sensing (reputational, regulatory, vendor, etc.), competitor disruption, portfolio fit, culture risk, insider threat monitoring, third-party risk management, and a comprehensive regulatory strategy and stakeholder wiring map. Previously, Chuck led the governance of Deloitte’s most strategic risks and related opportunities as Deloitte’s chief risk, reputation and crisis officer. He was responsible for overseeing the US organization-wide reputation and risk governance practices. He oversaw the strategic risk management program and led the efficient and effective governance of Deloitte’s most strategic risks and related opportunities. Chuck also oversaw all functional risk leaders while reporting directly to the CEO. In previous roles, Chuck oversaw the Advisory Business Risk Service Area practice (formerly known as AERS Advisory), leading various market offerings, service lines, and regions. In addition, he served as the lead client service partner and lead risk partner for several high-profile clients. Chuck has developed relationships at the C-suite level with Deloitte’s key clients and meets with them regularly to discuss current trends in strategic risk, reputation, and regulatory issues while advising client teams dealing with various complex client engagements. He has represented Deloitte as the keynote speaker at high profile events such as the Extended Enterprise Risk Management Executive Summit and the Million Women Mentors Summit and Awards Gala on the Hill. Chuck contributes frequently to thought leadership, reporters’ requests and publishing bylines on strategic and reputational risk, crisis response, compliance issues, and other subjects related to reputation and corporate governance. His recently published titles in industry-leading outlets include: “Managing Risk with Digital Technology” and “Turning Reputational Risk into Opportunity,” in the WSJ Risk & Compliance Journal; “To be the disrupted or the disruptor? That is the question,” in CEO Magazine; a three-part series on reputational risk in Directors & Boards; “Triple threat: How to handle three top risks to reputation” and “Practical Ideas on Managing Reputation Risk” in Compliance Week; and “Here’s the best advice I can give you about protecting your reputation” in Business Insider. Chuck utilizes social media (Twitter, LinkedIn) to build Deloitte eminence and spark conversations around leadership, diversity, and strategic and reputational risk. His insights are regularly featured on various industry groups handles. Chuck has held various leadership positions at Deloitte, including National Leader of Business Risk Service Area; Northeast Leader of Enterprise Risk Services; National Leader Risk Advisory—Financial Services. Chuck has also served as Lead Client Service Partner and Lead Advisory Partner for multiple multinational banking and financial services clients. He is a Certified Public Accountant and has an MBA from Quinnipiac University with a focus on internal controls. He serves on various boards, including the Lupus Foundation of New Jersey, the Quinnipiac University’s Business School NYC Advisory Committee, and the Mustang Travel Sports Club of NJ. A father of two boys and resident of New Jersey, Chuck is committed to giving back to his community through volunteering and pro bono efforts. Chuck is an avid runner, a passionate fisherman, and a devoted fan of the New York Yankees, New York Giants, and New York Knicks.

Related Posts

hidden value abstract

CCO Insights: How to Articulate the True Value of Your Compliance Program

by Kenneth Koch and Phillip Ostwalt
May 14, 2025

Benefits of robust programs aren’t always obvious, but buy-in remains critical

seeing outside the box

Disrupters See the World Differently — and Act Accordingly

by Jim DeLoach
May 13, 2025

Critical differences in culture, technology adoption and talent strategies determine which organizations shape markets and which scramble to respond

stress at work concept

Caught Between Conscience and Career: An E&C Leader’s Confession

by Anonymous
April 23, 2025

The mental health crisis among ethics and compliance professionals has remained largely unspoken despite its prevalence. Drawing on personal experience...

hedge maze

The Beauty of Bureaucracy: Good Governance Clarified

by Anna Romberg and Julia Haglind
April 15, 2025

Systems thinking, human-centered design and cultural alignment transform bureaucracy into business advantage

Next Post
dirty handprint on bank note

What Money Laundering Looks Like in Community Banks

No Result
View All Result

Privacy Policy | AI Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Research
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2025 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
No Result
View All Result
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe

© 2025 Corporate Compliance Insights