At some point in their careers, most compliance officers will spend time working at or running a small compliance program. So when I had the chance earlier this month to moderate a webinar on that subject, I took detailed notes.
I suspect many of the frustrations and issues voiced by those small-company compliance officers will sound familiar to everyone, regardless of size.
We can begin with perhaps the biggest challenge of all: how to keep making progress toward strategic goals for your compliance program (say, automating transaction monitoring), when so many immediate crises keep cropping up and demanding your attention. You can’t ignore those immediate crises — but if you let your strategic goals falter, then when the time comes for a performance review with the CEO or the board, they’ll look at you and ask, “Why haven’t you accomplished all those big ideas you promised 12 months ago?”
Any compliance officer can appreciate that challenge, but it’s especially pronounced for CCOs at small companies because, frankly, you’re on your own. You can’t delegate the immediate crises to a senior director of whatever, because there is no such person. It’s just you.
One webinar panelist had a great, pithy response to that dilemma. You need to take a risk-based approach to saying no.
That is, look at each immediate crisis or request for help, and ask, “Can this wait? Is it really the best use of my time to put aside other projects right now in favor of this new issue today?”
On one level, that’s common sense. I was more intrigued about the assumptions behind the principle. If you’re going to take a risk-based approach to saying no, you need to know what your company’s most pressing risks are. So yet again, we’re back to the importance of a good risk assessment; funny how that point keeps turning up.
Moreover, that good risk assessment is itself predicated on you having good relations with the rest of the enterprise. Especially for small compliance functions at small enterprises, you’re not going to be able to run some sort of automated analysis against existing risk management frameworks; you’re going to walk around to legal, HR, IT security, finance, and operations and ask them how things work, or how things might go wrong.
Good relationships lead to good risk assessments, and good risk assessments lead to good judgments. That’s how you develop a risk-based approach to saying no.
Your Most Important Partnerships
We also discussed who compliance officers rely on the most when running a small function. Two roles were the clear winners: whoever passes for a chief operating officer at your company, and the leader of employee engagement or outreach.
First, the COO (or the chief administrative officer, or chief of staff to the CEO, or even the CEO directly) is the person who can provide glimpses into what is coming next at the company; that lets you anticipate the compliance issues likely to arise from whatever strategic priorities or new projects are on the horizon.
Then, the leader of employee outreach (HR, an internal comms team, or even a head of diversity and inclusion) can help you communicate your compliance messages out to the workforce. They can help you explain what your compliance function needs to accomplish and why compliance is relevant to the employees’ daily jobs.
Who can give you a glimpse into the company’s business priorities, and who can help you get your compliance message out? Those are the two people you need to find at your small company, whatever their titles may be.
Again, that’s not really so different from what compliance officers strive to achieve at large companies. We hear all the time about those CCOs fighting for a seat on the management committee, or creating a dedicated role for a manager of compliance communications. Those are the same needs we just discussed, structured for a larger enterprise.
A Word on Reporting
The webinar speakers struggled with this question, which is also something I’ve heard from many large-company compliance officers. Obviously you need to supply senior management and the board with reports on pressing issues, such as open investigations or new allegations of criminal violations. But beyond that, how do you distinguish between metrics that show your compliance program is busy, versus metrics that show your compliance program is effective?
One panelist suggested looking for ways to report on how compliance is embedded into the business. For example, you could review how often other parts of the enterprise pull compliance into a project, rather than you forcing your way into it. Another said something similar, stressing the importance of how employees engage with the compliance program. That metric could even be something as simple as the ratio of anonymous to named calls to the hotline, since reporters unafraid to identify themselves are an indicator of a robust speak-up culture.
Yet another speaker talked about the value of reporting “second- and third-order effects” of the compliance program, such as lower employee turnover or more efficient due diligence that your third parties perform upon you. All of that demonstrates how a strong compliance function can be a strategic advantage for the enterprise; the road to larger budgets runs through that land.