Is Cyber Driving the CCO-Board Relationship?

We begin this week with yet another compliance benchmarking report, this time from Navex: a deep look at how compliance officers engage with senior management, and whether cybersecurity concerns, rather than anti-corruption, might be driving the board’s attention to compliance these days. 

Navex published the report late last week. It polled more than 1,300 compliance professionals mostly from North America and Europe, asking them about the maturity of their compliance programs, the top risks occupying their time lately, and the tools compliance officers are using to manage their programs. (Disclosure: I occasionally do paid work for Navex. The company did not pay me to write this post, nor get to see the post in advance.)

Let’s start with the question of compliance program maturity. The good news is that a majority of survey respondents (53 percent) rated their program as mature, meaning those programs contained most of the elements defined by the Ethics & Compliance Initiative as part of its High-Quality Program Maturity Model. That’s up from only 38 percent who rated their program as mature in 2022.

Of course it’s good news that more companies have mature compliance programs, but I was more interested in what “mature” means in practice — and specifically, how the compliance officer for those mature programs interacts with the board. Navex had some findings along those lines, too. Among those respondents who said they had a mature program:

  • 67 percent deliver periodic reports to the board of directors;
  • 55 percent have compliance experience or expertise on their board;
  • 52 percent participate in private sessions with a board-level committee;
  • 25 percent say compliance is an independent function reporting directly to the CEO or board.

In other words, mature compliance programs feature a good working relationship between the chief compliance officer and the board. The CCO has regular access to the board, including sessions without management present; and the board has at least one director who understands compliance and can speak the CCO’s language. 

Two questions do strike me, however, as I ponder those findings. 

First, when the CCO does meet with the board or a board committee — which one, specifically? I suspect for most companies it would be the audit committee, although I don’t like that answer; the audit committee has enough to do worrying about audit issues. The ideal would be a dedicated compliance or risk committee on the board, but that idea hasn’t gained much traction beyond the Fortune 500. 

Second, who is driving that closer relationship: the CCO, or the board? For example, are compliance officers providing great insight about employee behavior and risk, which catches the board’s eye? Or is it the board feeling pressure to do better at regulatory compliance, and therefore pulling compliance into the boardroom?

Navex itself asks that same question more eloquently than I do:

While it is beyond the scope of this research to determine whether program maturity is a cause or result of executive-level interest, it seems logical that more mature programs would produce data and results with strategic implications worthy of executive attention. It is also quite possible that a sophisticated board might require a more mature compliance program be in place and expect regular reporting on its performance. This is reflected in ECI’s model, which specifically identifies board engagement as a factor in moving a program to greater levels of maturity. 

If you want to share observations about how it works at your company, drop me a line at [email protected]. I’d love to hear your thoughts, even confidentially.

Cybersecurity Driving Compliance

The Navex report also dropped some fascinating hints about the extent to which cybersecurity concerns might be driving compliance these days. 

First we have Figure 1, below, showing where the compliance function resides. The top answer was that compliance existed as its own function (22 percent), but notice that the IT function was a close second, at 18 percent. 

[Figure 1: where the compliance function resides. Source: Navex]

A bit further down, Navex also asked respondents about the compliance issues their companies had suffered in the last three years. Far and away, the top answer was a cybersecurity or privacy breach, cited by 30 percent. More traditional ethics and compliance failures trailed far behind at roughly 18 percent. See Figure 2, below.

[Figure 2: compliance issues suffered in the last three years. Source: Navex]

Then Navex asked about upcoming training priorities — and cybersecurity topped the list, cited by 60 percent of respondents. Privacy came close behind, cited by 58 percent. On the other hand, whistleblowing and anti-retaliation training was cited by only 39 percent of respondents. Anti-bribery and corruption training was cited by only 33 percent. 

One can see how this emphasis on cybersecurity and board-level engagement with the compliance program fit together — and if cybersecurity is the thing driving the board’s attention to compliance, that has important implications for the chief compliance officer and the program you run.

What I mean is this. Yes, anti-corruption compliance is a major concern for the board, but that’s only because regulatory enforcement of corporate corruption is high. Cybersecurity compliance is a major concern for the board because cybersecurity failures lead to costly regulatory enforcement and are an operational nightmare. Weak due diligence processes that allow an FCPA violation don’t cause your major IT systems to shut down. Weak due diligence processes that allow a ransomware attack through your supply chain do. 

Moreover, plenty of firms have low corruption risk, either because they don’t do business with foreign governments or they work in low-risk regions or for some other circumstance. All businesses face cybersecurity and privacy risk, including startups and companies far removed from FCPA risk. Plus, for publicly traded companies, a cybersecurity failure can easily mean your internal control over financial reporting is weak, so you might have a SOX violation on your hands too. 

So it’s understandable that boards might be engaged with compliance and want to see a mature program — but that word “compliance” might mean something very different than anti-corruption and whistleblower issues. Those boards might be far more concerned about cybersecurity due diligence, vendor risk management, IT general controls, and breach disclosure. That’s what “compliance” means to them. 

Now consider what that means for the compliance officer on the other end of that CCO-board relationship. For example, you’d need a much closer relationship with the CISO, and you might well be reporting to the CISO. (I’m not at all surprised by the 18 percent of respondents in Figure 1 who said compliance resides in the IT function.) You’d have a different compliance risk assessment process. You’d need a different set of tools to perform due diligence on vendors. You’d need different expertise on your team, even if the basic structure still follows the training-monitoring-investigations triad we see at large companies. 

I often say compliance officers are entering a brave new world where cyber issues dominate the conversation, but maybe that’s not the case. Maybe we’ve already entered it.
