Corporate Compliance Insights

The Top 5 Mistakes Boards Make in Overseeing Compliance

by Cynthia Dow
September 15, 2017
in Featured, Governance

How to Avoid Costly Missteps

Russell Reynolds Associates’ Cynthia Dow and Anthony Goodman, compliance and board experts, interviewed leading chief legal officers, chief compliance officers, former investigators and board directors to understand the biggest compliance missteps boards make.

with co-author Anthony Goodman

We can all easily recount a recent compliance problem that became front-page news. But what’s not so easy to recall is an instance in which a board director from such a company is then appointed to your board. The reputational damage from a compliance misstep taints even the best and most blameless of directors.

To understand the biggest compliance oversight mistakes boards make — and how to avoid them — we talked to preeminent chief legal officers, chief compliance officers, former investigators and board directors at leading public and private companies both in regulated and unregulated industries. The following five themes emerged from our discussions.

#1: Treating Compliance as a Check-the-Box Exercise

Boards are busy. And, unfortunately, compliance can be seen as a distraction from the board’s “real business” or as an administrative burden.

It is all too easy for boards to nod through their approval of a compliance program without applying any real thought to it. One expert who advises audit committees closely told us, “The biggest mistake is separating compliance from strategy. That is what leads to a check-the-box mentality.”

A great compliance program can be a competitive advantage for companies – especially those in highly regulated industries. A well-designed program tied closely to strategic goals can differentiate a company and establish authentic credibility with clients and customers.

Best-in-class boards of all types should insist on a strategic compliance plan that ties programs to key risk areas and is continually revisited and refreshed as needed. Compliance activities should be seen as business issues. One chief compliance officer of a global and highly regulated company noted, “The board should look for tangible evidence – documents, communications – that compliance is truly embedded with and integral to the business.”

To accomplish this, you have to develop an efficient and timely approach to compliance, one chief legal officer of a highly regulated company told us. “Let your competitors be paralyzed by it.”

#2: Underappreciating the Role of the Board in Demonstrating Leadership on Compliance

When boards think about tone at the top, they first think about the CEO and the senior team. There is no doubt that the leadership team has the single biggest influence on the organization. As one major bank’s chief compliance officer told us, “Boards need to focus on having the right leadership at the top of the house – the CEO and the succession plan for the CEO – and then empower them to drive culture and conduct.”

However, boards often underestimate their own power and influence. Think about the signals that are sent to the organization when the board spends barely 60 minutes a year reviewing a compliance report. Or how influential the chief compliance officer can be if he or she never has access to the board directly. These decisions – and they are decisions – also set the tone.

Likewise, if the relationship between the board and management – or more particularly, the relevant committee chair and the CCO – is not functioning well with respect to the flow of information or robustness of the compliance strategy, program and reporting, then the directors must take action to engage differently, clarify flows of information or ensure the requisite leadership strength is there.

The best boards are actively engaged in compliance. They see reports, yes. But they also give the head of compliance the opportunity to address the board or audit committee directly, sometimes in executive session. One former chief compliance officer, now a board director, said, “The board can help the chief compliance officer get visibility.” The board can also ensure the chief compliance officer has the resources they need. A chief legal officer told us, “This is an area where the board can go deeper and give counsel to staff.”

Boards can also ask to see benchmarking of compliance: what are your competitors doing? “Getting outside the four corners of our world is really important,” said one compliance chief. As a CCO to a highly regulated company put it, “boards don’t know what they don’t know and they don’t always ask the right questions.” Boards should exercise a healthy degree of challenge and skepticism, asking questions such as “Why are we not getting hotline reports from 32 of 35 countries, and how do we change that?” Or “Why is our business so much better this quarter, in this sector or geography than our competitors? What could be amiss?”

There also needs to be an “escape valve” allowing escalation of critical issues directly to the board or a board committee. Defining a reportable event to the board can be a useful exercise to ensure mutual understanding between the board and the compliance function.

The board itself can participate in the compliance training program and a director can address staff that are involved in education programs to underscore the importance of the work they are doing. “That’s one way to make sure it’s good training,” a board director noted. These actions all indicate that the board takes compliance seriously and wants management to take it seriously, too.

#3: Lack of Clarity About Board and Committee Roles and Responsibilities

There is often a vexing question of where compliance sits in the organization and to whom the chief compliance officer reports. A similar question needs to be answered by the board. Board committees typically review their charters annually. Where compliance reports at the board level matters. Is it a full board matter or one for the audit committee or a risk committee (if it exists)?

It is often the audit committee that takes on compliance oversight. Indeed, NYSE listing requirements put it there. However, the audit committee is often overwhelmed by issues from the enterprise risk process to cyber risk. In the absence of a standalone compliance committee, boards have to work out the best way to handle compliance while giving it the time it needs.

There is also a role for the compensation committee in reviewing incentives that could create a compliance risk or linking executive compensation to compliance outcomes.

Boards need to avoid the twin confusions of gaps and overlaps between committees. Having the audit and compensation committees meet jointly once a year to discuss compliance risk is an emerging best practice, as is having an overlap of membership or a meeting of committee chairs to ensure coordination. Letting the head of HR occasionally report to the audit committee and the compliance head to the compensation committee can also help keep issues top of mind for the board.

#4: Assuming That Culture is Not a Board Oversight Responsibility

Boards often regard corporate culture as outside their purview and too nebulous to devote board attention to. Sometimes, in the U.S., it takes a deferred prosecution agreement from the Department of Justice before the board takes an interest. As one board director wryly admitted, “Every board is great when reacting after the event.”

Contrast that with the U.K., where the Financial Reporting Council has added board oversight of culture to the corporate governance code for all public companies.

Corporate culture and conduct are key dimensions of compliance. There is much boards can do to oversee culture. As one director told us, “The board has an obligation on behalf of the shareholders to push in.” Boards can review employee engagement surveys that reveal “tone at the bottom.” These surveys are a great way to assess the organization. One chief compliance officer shares the key points of employee surveys and action plans with the board but cautions, “Don’t drown them in data.”

Boards can ensure that hotline reports come to them in an unfiltered form so they can look for patterns of management weakness. If the audit committee only reviews complaints referencing accounting issues, then other red flags may be missed. As one expert said, “Boards look at the big picture and connect the dots, and they can often do that better than management.” They can see patterns of activity or complaint that may point to a larger risk or compliance area that needs addressing.

Directors can make an effort to talk to employees from all levels of the organization by holding board meetings in key markets and operations. One audit committee chair said, “We rarely have a board meeting at corporate HQ. We meet in the business. That way the board can assess what is important to that business, how they react to management pressure and the levels of transparency.”

#5: Ignoring Third-Party Risk Management

The board may not understand the breadth and depth of compliance risk faced by the organization outside their walls and subject to the execution of the company’s partners and vendors. If the board’s oversight of compliance stops at the company’s borders, then directors are going to be unpleasantly surprised when a third-party issue blows up. One director said, “It’s not just SOX and FCPA, it’s also issues like data privacy and cybersecurity.”

Compliance risk increases significantly when vendors are not thoroughly vetted, trained on your culture and policies and monitored. The most recent example is cyber risk, where a number of breaches have occurred because of vendor or partner weakness. This is a reputational risk for directors, too.

Boards can make better use of external advisors to help them identify and monitor third-party risks. A director told us, “At my company we have an outside firm come in every other year to do an update.”

We have outlined five big mistakes boards could make when overseeing compliance and plenty of suggestions for how to avoid them. What could possibly go wrong? Reputation is hard won and easily lost. So, more to the point, what could go right given the appropriate degree of engagement by the board and its advisors?

______________________________

Anthony Goodman is a consultant in the Board & CEO Advisory Group, a division of Russell Reynolds Associates. Based in Boston, Anthony works with board directors and the investor community and specializes in the alignment of leaders and organizations for effective corporate governance and improved relationships with stakeholders.


Tags: Board of Directors, Corporate Culture, Tone at the Top
Cynthia Dow

Cynthia Dow leads the Legal, Regulatory and Compliance Officers Practice at Russell Reynolds Associates. She is also a member of the Consumer and Board & CEO Practices. Cynthia focuses on general counsel, chief legal officer, chief compliance officer and other board and corporate governance assignments across a broad range of industries, including legal, consumer, industrial, technology, energy, sports and entertainment, health care and financial services.
