How to Avoid Costly Missteps
Russell Reynolds Associates’ Cynthia Dow and Anthony Goodman, compliance and board experts, interviewed leading chief legal officers, chief compliance officers, former investigators and board directors to understand the biggest compliance missteps boards make.
with co-author Anthony Goodman
We can all easily recount a recent compliance problem that became front-page news. But what’s not so easy to recall is an instance in which a board director from such a company is then appointed to your board. The reputational damage from a compliance misstep taints even the best and most blameless of directors.
To understand the biggest compliance oversight mistakes boards make — and how to avoid them — we talked to preeminent chief legal officers, chief compliance officers, former investigators and board directors at leading public and private companies both in regulated and unregulated industries. The following five themes emerged from our discussions.
#1: Treating Compliance as a Check-the-Box Exercise
Boards are busy. And, unfortunately, compliance can be seen as a distraction from the board’s “real business” or as an administrative burden.
It is all too easy for a board to nod through its approval of a compliance program without applying any real thought to it. One expert who advises audit committees closely told us, “The biggest mistake is separating compliance from strategy. That is what leads to a check-the-box mentality.”
A great compliance program can be a competitive advantage for companies – especially those in highly regulated industries. A well-designed program tied closely to strategic goals can differentiate a company and establish authentic credibility with clients and customers.
Best-in-class boards of all types should insist on a strategic compliance plan that ties programs to key risk areas and is continually revisited and refreshed as needed. Compliance activities should be seen as business issues. One chief compliance officer of a global and highly regulated company noted, “The board should look for tangible evidence – documents, communications – that compliance is truly embedded with and integral to the business.”
To accomplish this, you have to develop an efficient and timely approach to compliance, one chief legal officer of a highly regulated company told us. “Let your competitors be paralyzed by it.”
#2: Underappreciating the Role of the Board in Demonstrating Leadership on Compliance
When boards think about tone at the top, they first think about the CEO and the senior team. There is no doubt that the leadership team has the single biggest influence on the organization. As one major bank’s chief compliance officer told us, “Boards need to focus on having the right leadership at the top of the house – the CEO and the succession plan for the CEO – and then empower them to drive culture and conduct.”
However, boards often underestimate their own power and influence. Think about the signals that are sent to the organization when the board spends barely 60 minutes a year reviewing a compliance report. Or how influential the chief compliance officer can be if he or she never has access to the board directly. These decisions – and they are decisions – also set the tone.
Likewise, if the relationship between the board and management – or more particularly, the relevant committee chair and the CCO – is not functioning well with respect to the flow of information or robustness of the compliance strategy, program and reporting, then the directors must take action to engage differently, clarify flows of information or ensure the requisite leadership strength is there.
The best boards are actively engaged in compliance. They see reports, yes. But they also give the head of compliance the opportunity to address the board or audit committee directly, sometimes in executive session. One former chief compliance officer, now a board director, said, “The board can help the chief compliance officer get visibility.” The board can also ensure the chief compliance officer has the resources they need. A chief legal officer told us, “This is an area where the board can go deeper and give counsel to staff.”
Boards can also ask to see benchmarking of compliance: what are your competitors doing? “Getting outside the four corners of our world is really important,” said one compliance chief. As a CCO to a highly regulated company put it, “boards don’t know what they don’t know and they don’t always ask the right questions.” Boards should exercise a healthy degree of challenge and skepticism, asking questions such as “Why are we not getting hotline reports from 32 of 35 countries, and how do we change that?” Or “Why is our business so much better this quarter, in this sector or geography than our competitors? What could be amiss?”
There also needs to be an “escape valve” allowing escalation of critical issues directly to the board or a board committee. Defining a reportable event to the board can be a useful exercise to ensure mutual understanding between the board and the compliance function.
The board itself can participate in the compliance training program and a director can address staff that are involved in education programs to underscore the importance of the work they are doing. “That’s one way to make sure it’s good training,” a board director noted. These actions all indicate that the board takes compliance seriously and wants management to take it seriously, too.
#3: Lack of Clarity About Board and Committee Roles and Responsibilities
There is often a vexing question of where compliance sits in the organization and to whom the chief compliance officer reports. A similar question needs to be answered by the board. Board committees typically review their charters annually. Where compliance reports in is important. Is it a full board matter or one for the audit committee or a risk committee (if it exists)?
It is often the audit committee that takes on compliance oversight. Indeed, NYSE listing requirements put it there. However, the audit committee is often overwhelmed by issues from the enterprise risk process to cyber risk. In the absence of a standalone compliance committee, boards have to work out the best way to handle compliance while giving it the time it needs.
There is also a role for the compensation committee in reviewing incentives that could create a compliance risk or linking executive compensation to compliance outcomes.
Boards need to avoid the twin confusions of gaps and overlaps between committees. Having the audit and compensation committees meet jointly once a year to discuss compliance risk is an emerging best practice, as is having an overlap of membership or a meeting of committee chairs to ensure coordination. Letting the head of HR occasionally report to the audit committee and the compliance head to the compensation committee can also help keep issues top of mind for the board.
#4: Assuming That Culture is Not a Board Oversight Responsibility
Boards often regard corporate culture as outside their purview and too nebulous to devote board attention to. Sometimes, in the U.S., it takes a deferred prosecution agreement from the Department of Justice before the board takes an interest. As one board director wryly admitted, “Every board is great when reacting after the event.”
Contrast that with the U.K., where the Financial Reporting Council has added board oversight of culture to the corporate governance code for all public companies.
Corporate culture and conduct are key dimensions of compliance. There is much boards can do to oversee culture. As one director told us, “The board has an obligation on behalf of the shareholders to push in.” Boards can review employee engagement surveys that reveal “tone at the bottom.” These surveys are a great way to assess the organization. One chief compliance officer shares the key points of employee surveys and action plans with the board but cautioned, “Don’t drown them in data.”
Boards can ensure that hotline reports come to them in an unfiltered form so they can look for patterns of management weakness. If the audit committee only reviews complaints referencing accounting issues, then other red flags may be missed. As one expert said, “Boards look at the big picture and connect the dots, and they can often do that better than management.” They can see patterns of activity or complaint that may point to a larger risk or compliance area that needs addressing.
Directors can make an effort to talk to employees from all levels of the organization by holding board meetings in key markets and operations. One audit committee chair said, “We rarely have a board meeting at corporate HQ. We meet in the business. That way the board can assess what is important to that business, how they react to management pressure and the levels of transparency.”
#5: Ignoring Third-Party Risk Management
The board may not understand the breadth and depth of compliance risk the organization faces outside its own walls, where outcomes depend on the conduct of the company’s partners and vendors. If the board’s oversight of compliance stops at the company’s borders, then directors are going to be unpleasantly surprised when a third-party issue blows up. One director said, “It’s not just SOX and FCPA, it’s also issues like data privacy and cybersecurity.”
Compliance risk increases significantly when vendors are not thoroughly vetted, trained on your culture and policies and monitored. The most recent example is cyber risk where a number of breaches have occurred because of vendor or partner weakness. This is a reputational risk for directors, too.
Boards can make better use of external advisors to help them identify and monitor third-party risks. A director told us, “At my company we have an outside firm come in every other year to do an update.”
We have outlined five big mistakes boards could make when overseeing compliance and plenty of suggestions for how to avoid them. What could possibly go wrong? Reputation is hard won and easily lost. So, more to the point, what could go right given the appropriate degree of engagement by the board and its advisors?
Anthony Goodman is a consultant in the Board & CEO Advisory Group, a division of Russell Reynolds Associates. Based in Boston, Anthony works with board directors and the investor community and specializes in the alignment of leaders and organizations for effective corporate governance and improved relationships with stakeholders.