Here’s How They’re Failing
The relationship between compliance officers and the company’s top leadership is a hot one these days, and there are specific ways CEOs can more effectively support compliance practitioners. It’s a complex relationship, but one that bears improving in many cases. Avani Desai offers insights into just what executives can do better.
When speaking with CEOs and boards of directors, most of the time they say their relationship is with the CEO, COO and CFO and that they have no relationship with the CISO, CCO and CPO. Ten years ago, this would have been fine, as stock prices, bonuses and shareholder performance measures were all based on the financials. However, the environment has changed, and there are so many additional factors to a company’s performance. Take a look at a retail store like Target, which saw a significant decrease in stock price, profits and reputation due to a data breach.
When we saw Sarbanes-Oxley come into effect, they said it was mandatory to have a financial expert on the board, which made sense in that day (and still does), but now I think it is mandatory to have a compliance person on the board, too – someone who understands governance, risk and compliance.
I think CEOs and the board see compliance as something you “do” or a box you check, and that isn’t the case – maybe it was in the area of bank regulations, where you need to check the box, pay the fee and move on. But we’re in a new era now, in which compliance is integral in all we do. You can’t just “do” compliance like a task or activity, and that mindset needs to be changed by the CEO and board; you have to make it part of your culture to begin being compliant.
This is a dynamic and ongoing process, and it can’t be done once. I think that is where the disconnect is. Compliance teams need the resources, money and buy-in from the CEO and the board, but the CEO and board think of this as a cost center – until there is a breach and they realize they needed an incident response and disaster recovery plan. They may have had to check the box, but it was never tested or wasn’t open to all the teams, so gaps remained.
CEOs and the board need to change the compliance culture to be a partnership, not a cost center or a check-the-box activity. They must weave compliance into all aspects of the business and make sure that when systems are built, the developers and product managers rely on “compliance by design” rather than treating compliance as an afterthought and trying to retrofit compliance into the system. When hiring leadership, see what experience they have with compliance, how they see it as a positive point in an organization and why they embrace it, rather than setting it on the back burner.
Also, CEOs and the board need to make sure that the compliance officer has a straight line to them, not to the CIO (they have different initiatives and goals, which can be contradictory). Compliance officers need to have a seat at the table during strategic sessions, large process changes and technology decisions.