CCOs Take Note: It’s the Culture, Stupid

This article was republished with permission from Michael Volkov’s blog, Corruption, Crime & Compliance.

If CCOs are really ready to take the reins and assume a real role in the C-Suite, they need to develop more mature measurements and reports for senior management and the Board of Directors. We have all seen the color-coded reports with bar charts on numbers and types of complaints and number of managers and employees who have been trained, certified or taken a blood oath to the code of conduct.

All of this is well and good, but it is time for CCOs to wake up and ask themselves some important questions about their role and what they are doing. Let me see if I can help.

What is the most important “asset” the CCO is responsible for?

If you do not get it yet, try this multiple-choice question:

What is the most effective strategy to reduce ethics and compliance risks?

1. Fear
2. Begging
3. Creating a culture of ethics and compliance
4. None of the above

I am sorry to use sarcasm, but the point should be clear. The most important responsibility of an ethics and compliance officer is to create and/or manage the company’s culture of ethics. I know this seems obvious, but for some reason CCOs are happier measuring things that are tangible, and they love multicolored presentations.

The time for change is now. CCOs need to change the focus of their presentations and message. CCOs should always start with two categories of information.

First, the CCO should report on the company’s culture and message. They need to report on an annual culture survey. If an annual enterprise-wide survey has not been conducted, they need to conduct targeted surveys that measure culture in specific offices, regions, units or even third parties.  A CCO should have at least one measure of culture to report to senior management and the Board for each quarter.

CCOs have to get creative here and monitor and report on the state of the company’s culture. If the message is getting through, senior management and the Board have to know. If the message is not getting through, then senior management and the Board needs to know that immediately.

Depending on the survey results, together the CCO, senior management and the Board have to decide how to improve the company’s culture and how to make sure the message is being communicated.

Second, the CCO has to report on significant risks and how those risks are being addressed. Depending on the business, the CCO may be responsible for several functions, including: (1) internal investigations, (2) third-party management and (3) ethics and compliance program auditing.

Given these responsibilities, CCOs need to inform senior management and the Board about the ongoing internal investigations and a specific report on those significant investigations that may warrant senior management and/or Board attention.

In addition, CCOs need to keep senior management and the Board informed of third-party risk management and how the CCO is mitigating such risks. This discussion should be kept very general and only require specific explanations for serious problems or risks.

Finally, the CCO has to bring to the Board’s attention any significant auditing results or patterns and practices that may warrant senior management and/or Board attention.

After a CCO finishes reporting on those three categories of information, then (and only then) would I recommend that a CCO report on the company’s complaint profile, with a special focus on specific trends by region, business units or products or services. Too often a macro review of complaints is worthless to assessing the compliance function.

Only after all of this is reported can the CCO talk about the number of managers and employees who have been trained or who need to be trained. I do not mean to diminish the importance of training, but there are more important issues that need to be discussed.

Whew! I feel much better getting this off my chest. I thought we were all on the same page and I was shocked to learn that CCOs have been sticking to the old reporting pattern of colored charts and bar graphs reflecting a strategy that can only be described as “measuring what is easy to measure.”