Making a Compliance Charter Work
Compliance officers are always looking for ways to help the board of directors oversee the ethics and compliance function, so today let’s explore one way to do that by adapting an idea from the internal audit function: a charter that spells out board oversight duties.
Specifically, the audit committee of the board is charged with overseeing the annual financial audit. That can be a complicated task. So over the years best practices have emerged where the audit committee has a charter to define what those oversight duties include; and internal audit teams reporting to the audit committee can use a “charter matrix” to guide the committee through its work.
Well, why can’t compliance officers do the same for the ethics and compliance program?
This idea came to me as I was talking with a chief compliance officer the other day, who was preparing to deliver a talk at an upcoming conference of corporate directors. He and I were brainstorming ways that compliance officers can help board directors understand (1) the importance of the ethics and compliance function; and (2) how the board can provide useful oversight and input to your ethics and compliance program.
The beauty of a charter and a charter matrix is that together they put structure to that oversight. After all, no sensible board director is opposed to a strong ethics and compliance function; on the contrary, most directors would jump for joy upon hearing that their organization has a strong culture of ethics and compliance.
The problem is that corporate boards as a whole, and individual board directors, don’t know how to be helpful to the ethics and compliance program. Contrast that to the annual financial audit, where our understanding of what the audit committee must do and the process for doing that work is much more mature.
The compliance community needs to bring a similar level of understanding to ethics and compliance. Charters are an excellent vehicle to do it.
Template Charter and Matrix
So what should a compliance committee’s charter include? I asked ChatGPT to draft a template charter that any organization could use, and it wrote a perfectly fine example. Some of the highlights include:
- Purpose: the committee assures that the company’s compliance programs are effective in preventing, detecting, and responding to legal and regulatory violations, while promoting a culture of ethical conduct across the organization.
- Composition: the committee should have at least three members, the majority of them being independent.
- Access to management: the committee should have direct access to the company’s senior management, including the CEO, CCO, general counsel, and other key executives as necessary.
OK, so far so good. What about the specific ethics and compliance issues that the compliance committee should oversee? The template had plenty to say about that, too.
- Monitor the company’s process for identifying and assessing compliance risks, such as by reviewing the company’s risk assessments.
- Review and assess the design, implementation, and effectiveness of the company’s ethics and compliance programs.
- Ensure that the chief compliance officer has direct access to the Committee and that the CCO provides regular updates on the company’s compliance activities.
- Periodically review the CCO’s performance and the adequacy of resources allocated to the compliance function.
- Oversee the company’s efforts to promote a strong culture of ethics and integrity, including the periodic review of the company’s Code of Conduct and related training programs.
Another important duty of the compliance committee should be to review and approve a charter for the ethics and compliance function itself. So I also had ChatGPT draft a template charter for the compliance function, and again it did a perfectly fine job.
A compliance committee charter, however, will only tell committee members what they are supposed to do. A charter matrix organizes each of those responsibilities, matches them to specific steps the committee should take, assigns specific dates to when those steps happen, and confirms that the tasks get done on time.
This brings us back to the internal audit team. A chief audit executive I know provided me with a template charter matrix that he uses with his audit committee to guide them through their oversight of the internal audit function. You can download it as a Word document if you like. Figure 1, below, gives you a sense of what the matrix looks like.
Your goal, then, is to take the template compliance committee charter from above and put it into a matrix like the one used for the internal audit function. A rough example of that, based upon Figure 1 above, might look like Figure 2, below.
I am not a master at converting a charter into an action matrix. Your internal audit team might be able to help, or any number of compliance consulting firms out there would be happy to assist you (for a reasonable fee, of course).
Why Bother With a Charter and Matrix at All?
Drafting a charter for the board and a matrix of how that charter will be fulfilled can help the compliance officer on several fronts.
First, it helps everyone gain confidence that the board is exercising proper oversight of the compliance function — and that includes the board directors themselves, who might like the idea of a strong compliance function but not be confident that they have the knowledge to exercise that oversight. A charter will spell out exactly what oversight they’ll need to do, and a matrix will help them do it.
Second, a charter and matrix could be especially handy if you have a regulatory settlement that requires more board oversight. That’s exactly what happened last week with Wells Fargo, where banking regulators told the board that it had to be much more involved in oversight of the compliance function, starting with the establishment of a dedicated compliance committee. A charter could align board duties with regulator obligations, and a matrix could then be valuable evidence if you need to make progress reports to the regulator about how improvements are proceeding.
Third, a charter and matrix could help the chief compliance officer to be more independent of legal or senior management. For example, you might want to brief the board directly on the state of the compliance program, but perhaps the GC or CEO say nope, they’re going to brief the board themselves. Or maybe you can brief the board, but the GC will be in the room staring at you to be sure you stay on the pre-approved message.
A charter and matrix could help the CCO keep those intrusions at bay; sorry, GC, but the charter says I have to brief the board separately, so please go pound sand.
We should always remember this idea is more complicated than it looks at first glance. Many smaller organizations won’t have a board of sufficient size for a dedicated compliance committee, so you’ll still be stuck presenting to the audit committee. That committee already has a charter full of duties to juggle, and squeezing your priorities into it won’t be easy. Plus there’s still the reality that we have too few compliance professionals in the boardroom who understand the purpose of a program; you’ll still need to do lots of education no matter what.
That said, charters and matrices can be a nifty tool. If you have the chance, use them.