A chief compliance officer’s job can be challenging, to say the least. When things are going smoothly the CCO may be seen as an inconvenience, a cost center to be consulted only occasionally and perfunctorily to minimize drain on the company’s budget and management’s time. But when a compliance failure occurs, the CCO must immediately be on top of the situation, brimming with business-minded insights and advice delivered with conviction and credibility born of unquestioned independence and expertise. What could be easier, right?
One key to a CCO’s success is his or her ability to establish that essential credibility from the outset and then maintain it through thick and thin. An indicator of that success is the extent of the CCO’s access to the company’s board of directors. Unfortunately, sustained substantive access to the board can be tricky to pull off. After all, the CCO generally has little influence over the board’s agenda and may feel that it is inappropriate to interact directly with board members outside of a formal board meeting.
Yet, it is the board that has ultimate responsibility for the effective operation of the company’s compliance program, as well as for establishing an enterprise-wide compliance culture. Therefore, the CCO’s success and the board’s success are directly aligned. This means that CCO face time with the board is fundamental to effective compliance.
#1: It’s all about relationships. It is your job to be accessible to your fellow officers and teammates, but when the focus is on board access, your rapport with fellow officers becomes mission-critical. Lunch, golf, walking meetings—use whatever means of relationship building suits your culture. The goal is to be open to others’ concerns, be certain they understand fully what the compliance program can do for their own business goals, and let them know you are more than just a resource—you are their ally. Once you’ve established that rapport, ask them for their help in establishing relationships with your board.
#2: Educate senior management on the importance of CCO board access. The key to board access is the chairman, and access to the chairman usually depends on the CEO. Engage the CEO regarding the SEC, Justice Department, U.S. Attorney, and Federal Sentencing Guidelines, emphasizing connectivity between the CCO and the board. But be specific about your plans for the next one, three, and five years, and illustrate a plan for board training and communication. And while you are at it, involve other members of senior management in similar conversations.
#3: Proactively and visibly build your expertise. You cannot do any of the above if you are not solid in your own knowledge of the field. There are several excellent organizations out there that provide training, content, and opportunities for you to become a leader in the field. Take advantage of these low-cost options. And to the extent that you are able, research your peers to understand how they are structured and what has worked for them with regard to training. Don’t be shy about demonstrating the complexity of effective compliance and your command of the topic. Others often don’t realize the expertise that is required.
#4: Understand your company’s business lines and strategic goals. As you meet with your peers, listen to their motivators. What is driving their business goals? What metrics do they use? How can you help them achieve those goals? Ask to sit in on their staff meetings; offer to provide training for the team on a specific topical area. For example, the sales and marketing teams will appreciate a deeper dive into antitrust than you can possibly provide in a computer-based training course.
#5: Make your board presentations efficient and effective. Once you have the buy-in from the leadership team, you must perform. It is important to have a regular presentation at every meeting of a board committee with oversight responsibility in its charter. Because your time will be limited (unless there is a crisis), a standard format is wise. Once a year, present your program overview: how you are structured, the training and communication plan, and your opportunities for improvement. Quarterly, report on your work. How many allegations are you receiving, from what sources, and how many are found to be with merit? What about your training? How many courses, for whom, with what percentage of completion? Use charts and graphs—pictures do tell a story. Compare your data quarter to quarter, year to year. Trends are important. Strive to show constant improvement and awareness.
#6: Provide regular board training. Involving the board in compliance training is a must, though there is no need to go over the top. You can, and we believe should, use the training you provide your employees. It is a powerful message to your rank-and-file employees to state with honesty that “the board sat through this exact training just last month.” You may need to add a few enhancements but there is no need to reinvent the wheel.
Using outside professionals to reinforce the CCO’s message can also be a cost-effective way to provide board training. There are no shortages of relevant topics or professionals willing to provide low-cost (free?) training. But note to the wise: Be certain you yourself have personally seen the presentation and with near certainty know that it will be well-received by your board. You are the expert; it is your reputation that rides on your choice of speakers.
#7: Be honest and open with your board. If they ask an uncomfortable question, then answer it with honesty. Board members are incredibly successful and smart people. You cannot outwit them. They deserve your honesty; you will earn their respect. And when you need them, they will respond as they should if you have laid a proper foundation.
#8: Demonstrate how compliance actually adds value and facilitates revenue and profit growth, rather than merely avoiding costs by reducing breaches. In every interaction, shift the conversation away from loss prevention and toward value-adds. If you are a highly regulated entity, a clean compliance record and robust program will aid when it comes time to talk to the regulators about pricing or other revenue-enhancers. In fact, employees—especially millennials—report that they want to work for and are motivated by companies that truly live their values. And if you are in the market for money, or growing to eventually sell your business, consider that a compliance breach will lead to less value. The correlation is true also: A healthy compliance culture with minimum compliance mistakes will protect top dollar.
#9: Lead by example. Like Caesar’s wife, the CCO must, at all times, be above suspicion. Beyond the talk, you have to walk it. You wrote the training, but yes, you also have to take it. How do you respond when an employee walks into your office with a compliance concern? Does your own behavior model a strong culture of compliance? You are the CCO and everyone—including the board—will be watching.
#10: Listen. Listen to what is going on around you. When you attend meetings, actively listen. Do not jump in immediately with questions or solutions. Do not cross-examine everyone. Just listen. If you must, write yourself a note as soon as you sit down at a table meeting. An effective “shut up, [insert your name]” written on the top of your note page can be a self-deprecating way to remind yourself.
But listen also to the little voice inside your head—a little constructive paranoia can go a long way toward success. When that little voice does speak to you, it may be time to stop listening and start talking.
Doug Harmon leads Parker Poe’s Securities & Corporate Governance group and its Public Company Growth & Compliance group and co-leads the Governance, Risk & Compliance group. With more than 30 years of experience, he represents domestic and international public and private entities in a full array of capital markets and finance, merger and acquisition, securities compliance, and corporate governance, risk, and compliance matters. He may be reached at (704) 335-9020 or email@example.com.
Jane Lewis-Raymond co-leads Parker Poe’s Governance, Risk & Compliance group and is a member of its Energy group. With more than 25 years' legal experience, including a decade as general counsel and chief compliance officer of a publicly traded company, she has significant depth of knowledge relating to all aspects of corporate law, including enterprise compliance, securities, public company legal and governance issues, as well as board oversight of cybersecurity, crisis and risk management. She may be reached at (704) 335-9882 or firstname.lastname@example.org.