Useful Practices for Compliance Committees
Chief compliance officers tend to serve on lots of committees: a compliance risk committee, investigation committees, emerging risk task forces, and so forth. As one compliance officer told me, “I live for the conference table.”
So today let’s look at some wise practices for managing committees. Lately I’ve been reading Passion for Leadership by former Defense Secretary Robert Gates, who had much to say about committees and how to make their work more useful. His observations have plenty of relevance to the corporate compliance world.
First, remember how the ideal committee is structured. It exists only for a fixed period of time, to address a specific issue, with members from every part of the organization that will be affected by the issue at hand. The committee will also have a written charter to keep the scope of its purpose clear, and the public support of senior business leadership (usually the CEO).
That’s the dream, at least. In the real world compliance officers face, not all the above criteria apply. Foremost, if your organization has a compliance risk committee (a group that meets to review regulatory risks the business has), that committee probably won’t have a fixed expiration date—since a company never “finishes” compliance the way you finish a software upgrade.
In fact, at this point we might want to consider a distinction Gates makes between a committee and a task force. Committees should have a deadline to fulfill their mission, but that’s not always going to be the case. A committee’s purpose might primarily be to bring together people whose teams encounter some issue in the broader business world, so those people can brief each other about what those issues are. Compliance risk committees fit that bill perfectly.
A task force, on the other hand, should exist to address one specific question—perhaps to develop a new policy, or to investigate a new flaw in your corporate culture, or to implement a software product. Once that mission is done, so is the task force. Sometimes a committee might also act as a task force, to solve a problem related to whatever issue the committee exists to address.
The exact nomenclature isn’t as important as the broader point here: understand what you want your group to accomplish. Is it solving a specific problem, or coping with a long-term condition the business faces? The answer to that question will influence who serves on the committee (or task force), the scope of its mission, how often you meet, and most importantly, when you can stop meeting.
The Role of the Leader
In his book, Gates stresses that committees should not decide what to do. They should decide how to do it. The purpose of a committee should be to develop implementation ideas for goals that the CEO has already articulated. That’s a powerful idea that compliance officers should pursue shamelessly.
First, the chief compliance officer can pursue it upward, forcing the CEO to define the mission of the compliance committee—essentially to tell the CEO, “The compliance committee will be happy to find ways of implementing whatever goals of ethical conduct and corporate culture you want. What are those goals, exactly?”
From there, you can convene your compliance committee and lead the members through a discussion of possible solutions. For example, if the CEO wants to reduce the risk of improper payments through third parties, you could consider everything from enhanced due diligence, to stronger accounting software, to sales structures that rely less on third parties, to enhanced surveillance so you can catch fraud quickly.
For a truly effective compliance committee, however, the CCO should also pursue Gates’ point downward to everyone serving on it. That is, now you get to play the role of leader and tell them, “These are our compliance goals. How can we implement them?”
That approach fits nicely with the mantra that “the business owns the risk” while you, the compliance officer, act as counselor to help the business devise practical ways to achieve compliance. You set the goals; they find the implementation strategies. Otherwise, if the compliance officer finds the implementation strategies, the business units will assume you own the risk.
Ultimately, as head of the compliance committee, you want to return to the CEO (or audit committee) with a set of recommendations to achieve his goals. Then the leader makes a decision, and the subordinate executives carry it out—which brings us to a few other points of wisdom from Gates, on how to make sure those decisions are implemented.
Get Input, Not Consensus
If the goal is to make a decision, implement it, and then make that change stick, your committee needs input—as much as you can get. Input lets employees feel like they’ve been heard, and that their opinions were taken into account. That feeling alone will work wonders when you need to implement your final decision, even if that decision isn’t to some employees’ liking. (Spoiler alert: changes to compliance processes or procedures often fall into that category.)
You can collect input by circulating the charter of the committee or task force widely. Circulating the charter is a great way to discover what’s missing from it, or to find people in the organization who can help to address your problem. This technique could be invaluable to win support for a formidable compliance task, like reducing the risk of improper payments through third parties. After all, nobody knows more about how to scam the company or sneak something by the boss than the little guy.
Likewise, circulate the final report and ask: can we do these things? That lets you avoid mistakes later, when critics emerge to say your plan hadn’t accommodated circumstances X, Y, and Z.
When your committee presents a list of options to the CEO or other senior leader, do be sure that it’s actually a list of options rather than a binary choice of “yes we do this; no we don’t.” If you frame an issue in yes-or-no terms, you’re more likely to get a dissenting group on the committee publishing a minority report or otherwise arguing against you. A smarter way to handle the challenge is to include all options—including the dissenters’ recommendations—and then let the CEO choose what to do. That is the CEO’s job.
Lastly, remember one point about leaks, cynicism, and a generally snarky attitude: those things are a problem of internal culture. If your senior leaders have built a strong, respectful corporate culture, and you’ve included the right people on the committee or task force from the start, you’re less likely to encounter resistance like this. Most people are professional, and will respect a committee’s work even if they dislike the final result—assuming that your committee respected them first.