As discussed in our last post, an organization’s board plays a critical role in compliance. It can help set the tone at the top and provides important oversight over the overall compliance program (see USSG §8B2.1(b)(2)(A)). The chief compliance officer (CCO) is typically the board’s primary compliance resource. Consider the following ways that a CCO can help board members meet their oversight obligations through communicating with them about certain critical aspects of how their organization’s program operates.
Be clear about the definition of “compliance” for the organization
“Compliance” means different things to different organizations, and is linked to the entity’s facts and circumstances. A compliance function typically exists to proactively manage the organization’s higher risk legal/regulatory obligations; it is not normally responsible for other legal work (although in some situations this is effectively the case because the CCO and the general counsel are the same person).
The distinction should be clear for all internal parties, and the CCO should delineate during initial contacts with the board what falls within and what falls outside the CCO’s scope of responsibility, based on the organization’s particular approach to legal/regulatory risk management. At a minimum, this demarcation will help eliminate inefficient and confusing operational overlaps between compliance and legal. More significantly, this clarity helps to reduce the possibility that a key task might “fall between the cracks” and only be discovered when a problem arises.
Provide guidance on applicable laws, regulations, and standards
Since a full-time CCO is immersed in compliance issues on a daily basis, he or she is well positioned to help board members appreciate the basics and nuances of mandatory (e.g., law and regulation) and voluntary (e.g., industry and certain other standards) boundaries. Through new cases and settlements, shifting enforcement priorities, and emerging standards (e.g., draft ISO 37001 – Anti-bribery management systems), the compliance landscape constantly changes. The CCO should therefore provide periodic updates about current compliance trends and developments. These briefings could include, for instance, reports on enforcement actions involving similarly situated companies, current investigation and prosecution trends, and leading compliance practices used by industry peers and others to prevent or detect misconduct.
Emphasize the relationship between the risk assessment and compliance program operations
Compliance programs do not exist in a vacuum; they are directionally driven and shaped by a prior risk assessment. Risk assessments, in turn, are a function of the business. And as the business changes by introducing new products or services, expanding into unfamiliar regions, engaging in mergers and acquisitions, or otherwise, the entity’s risk profile similarly evolves. Such changes may require new risk assessments. The CCO who successfully instills the importance of this cycle into board members makes his or her own job easier, since board members will come to understand that compliance program evolution is a natural part of a growing and dynamic business.
After a compliance program has been designed (guided by the risk assessment) and rolled out, the CCO should keep the board reasonably informed about the program’s implementation and operations. A board’s particular areas of compliance interest and the organization’s past compliance history will likely drive the appropriate level of detail.
Metrics concerning training, communications, and hotline contacts are helpful for tracking core compliance activities. Increasingly important in the anti-corruption arena—given the US Department of Justice’s and ISO’s respective emphases on the operational aspects of compliance—is qualitative information regarding how the compliance function works with other company functions, such as sales and marketing, to drive compliance closer to risk sources. In this latter area, a prudent CCO will develop creative ways to meaningfully gather and report data related to operationalizing compliance.