How Boards Should Oversee Compliance

Compliance officers wonder constantly about how they should talk to the board of directors, and what issues they should bring to the board’s attention. Today let’s flip the script and ask — what should board directors be asking compliance officers? Which compliance issues should keep them awake at night? 

This is on my mind thanks to a great presentation passed along to me from Steven Gyeszly, head of compliance at an oil company in Houston and an excellent human being; and Rebecca Walker, a lawyer who has practiced in compliance law for 20 years (and also an excellent human being). Gyeszly and Walker recently spoke at a conference of corporate board directors, telling those folks how they should work with the compliance leaders at their organizations; and the two graciously agreed to share their material with us.

First, Gyeszly and Walker framed their advice as a series of 16 questions that board directors should consider asking the chief compliance officer. For example… 

  • How does the C&E Program identify, track, and respond to emerging risks, such as regulatory changes or new market conditions? 
  • What is the Organization’s approach to third-party risk management, and how are C&E risks from third-party relationships addressed?
  • What metrics or KPIs are used to assess the effectiveness of the C&E Program?

These questions all drive at how the compliance program works. You can see that they all assume the board director has a fundamental understanding of what a compliance program is; the director just needs more insight into how the program itself operates on a routine basis.

That would be a great starting point for compliance officers at new organizations (say, a joint venture or a spin-off) or at organizations just resolving some issue with regulators where the settlement included a revamp of the compliance program. 

Other Questions About the Program

Gyeszly and Walker kept going. Let’s look at a few more of their questions:

  • How is the C&E Program aligned with the Organization’s overall strategy?
  • What type of support does the C&E Program receive from executive leadership? Does that support carry through to other levels of management?
  • How does the Organization measure the cultural impact of the C&E Program?

These three questions drive more at whether the compliance program’s operations are woven into the larger fabric of the enterprise. In other words, does management tolerate the existence of the compliance program as a cost of doing business, or does it truly understand and support the role that an ethics and compliance function is supposed to play? 

And now three more questions, more about the compliance program’s performance and areas that need improvement.

  • Which elements of the C&E Program are most in need of improvement (for each region or business unit)? What is being done to address these areas of improvement?
  • What challenges or barriers does the C&E Program face in implementing the Program, if any?
  • How does the Organization ensure systematic review of C&E failures and responses, including remedial action and improvements to the C&E program?

We could keep going, but what I love about these questions is that they don’t focus on exactly what the compliance program is doing — that is, nothing about “How many calls did we receive on the hotline this quarter?” or “What is our average case closure time?” 

Board directors shouldn’t be asking about those mundane details. They need to know how the program works overall, and how it fits into and supports the larger enterprise. If anyone wants to dork out over data, the compliance officer can (and should, really) include those numbers in an appendix and leave it there.

Compliance officers need to think in these terms too. Earlier this year I moderated a webinar on CCOs reporting to the board, and I was struck by how the speakers stressed the importance of understanding your audience and telling bigger stories, rather than presenting the CCO equivalent of an after-action report. For example:

[Image: slide from the webinar on CCOs reporting to the board]

That’s how CCOs need to approach board presentations.

Other Stuff the Board Needs

Board directors don’t just need to quiz the compliance officer on how the program is or isn’t working. They also need to document their oversight of the program, and take a few other steps to demonstrate that they’re taking their oversight duties seriously.

For documentation, Gyeszly and Walker recommend that the board maintain… 

Board directors could also request a CCO’s own program assessment, any internal audits of the compliance program, employee surveys, or even industry benchmarking reports that let directors compare your company’s compliance program against others. 

Of course, the ultimate question is how to get the board to care about the ethics and compliance program in the first place. That can be challenging, but the truth is that a strong ethics and compliance program is crucial for a vibrant, high-performance organization. I think most board directors grasp that concept; kudos to Gyeszly and Walker for providing help to put that concept into concrete practice.
