This article was republished with permission from Michael Volkov’s blog, Corruption, Crime & Compliance.
We always hear (and talk about) the rise in the compliance profession. Yes, there is increased demand for CCOs and compliance officers. More lawyers are transitioning into the compliance profession.
Out in the real world, however, there are CCOs who are under the gun – they are being asked to do the impossible. CCOs are being hired and asked to take over a non-existent or minimal compliance program and transform it into a state-of-the-art program.
The situation is more common than you think. A new CCO takes over a company after interviewing with the Board and senior management. The CEO and the Board promise the CCO their full support and sufficient resources to get the job done.
Unfortunately, when the CCO arrives, the CCO quickly realizes that the ethics and compliance program is a shambles. The CCO begins to question his or her judgment and the representations made by the Board and senior managers.
What should the CCO do?
Here are seven key steps a CCO can take to jumpstart the company’s compliance program.
- Create an Ethics and Compliance Committee – In the absence of compliance resources, a CCO has to leverage resources and seek cooperation from other compliance constituents, including human resources, legal, internal audit, information technology and the financial office.
- Conduct a Risk Assessment – A CCO (with the help of the ethics and compliance committee) should review and assess the company’s risks. There is no need to conduct a formal or expensive risk assessment; interviews of key managers will identify the significant compliance gaps. An informal risk assessment will provide valuable insights on and guidance for the overall compliance program.
- Establish a Policy Clearinghouse – In order to provide a basic structure, a CCO should review and establish a basic set of compliance policies, including a code of conduct, global anti-corruption compliance, export control/sanctions, antitrust, money laundering, data privacy and other applicable policies to the company’s business.
- Implement and Improve Employee Reporting and Investigations Management – A CCO has to create a system for reporting employee concerns. Such a system can be basic initially and replaced with more sophisticated systems later. A basic system for investigating employee concerns should also be established.
- Promote Communications and Training – A CCO can enlist the support of the CEO and senior managers (and hopefully the Board) to communicate the message of compliance. Such communications can be easily put together and disseminated at little cost. To reinforce the compliance message, a CCO has to roll out a comprehensive training program, starting with code of conduct training and then moving to other topics based on risk.
- Initiate Program Assessment Tools – While not as high a priority in the beginning, a CCO has to put in place systems to measure and monitor compliance program elements.
- Confirm a Board Reporting Protocol – Board supervision of the company’s compliance program is essential. A CCO has to establish a protocol for meaningful Board reporting. Such a protocol should include allocation of sufficient time for meaningful reports (at least 30 minutes) to the Board.