In the “Ask Amii” monthly mailbag, executive coach and former Chief Compliance Officer Amii Barnard-Bahn responds to your anonymous questions on some of the grayer areas compliance officers face, such as culture, hiring, training, and ethics. Click here to submit your own for inclusion in our next edition.
Q. In your opinion, is the compliance function recession-proof? I admit I am a little worried with the current state of the economy. – Anonymous
Amii: Unfortunately, the compliance function is not recession-proof. In any circumstance when finances get tight, there is pressure for short-term savings, so non-revenue-generating company functions (e.g., compliance, HR, and audit) often find their budgets at risk. Cutting back on compliance may put the company reputation at even greater risk, because employees might be more likely to cut corners to “make the numbers”—this can lead to compliance and ethics failures.
These ups and downs are inevitable business cycles, so be prepared (see our third Q&A below about making a strong business case for compliance). If budget cuts are proposed, be ready to explain the concrete impact—such as reduced controls, lack of responsiveness in investigations, or elimination of training. Approach compliance as a business imperative, have a solid plan, be engaged, and find ways to be as efficient as possible.
Q. I love my job (I’m in compliance) but do not like the company I am working for. Ideally, I’d like to move on, but I’m wondering what the job market is like for compliance professionals. I see stories about compliance’s role expanding but with fewer resources … are you seeing that in practice or is the job market still hot for people with a compliance background? – Brad
Amii: All indicators point to the job market for compliance professionals as being overall healthy but with pockets of both growth and stagnation. With a median annual salary increase of 4.2 percent (see BarkerGilmore’s2018 Compliance Compensation Report), the compliance function is globally valued.
Beyond this generalization, the job market for compliance depends on industry, geography, and some future unknowns (e.g. Brexit, potential Trump policies such as deregulation). Specialized compliance skills in technology, cyber-security, data privacy, and AI are highly sought after, and I expect we will see growth in these compliance areas and a reduced growth for the generalist jobs that were in demand a decade ago. Where there is new regulation, there will be a temporary hiring spike until the program is implemented (such as experienced by Wall Street after the financial crisis). Companies in high-cost locales also continue to relocate jobs to lower-cost areas (e.g. in the United States, from New York and California to North Carolina, Texas, Florida, Utah, and Arizona). If you are flexible geographically, explore countries that are cracking down on corruption, such as Brazil and Japan.
Lastly, consider opportunities in the broader compliance field—such as with vendors and consultants in programs and risk assessment, expert witness work, training, recruitment, and communications. Your corporate experience is valued by B2B compliance partners. Good luck!
Q. What are some realistic best practices for getting owners/executives to buy into the compliance program and spend hard dollars on compliance staff, resources, and technology? – Lisa
Amii: Owners and executives buy into a compliance program when they view it as an inseparable part of their total success strategy. A persuasive business plan is essential. Key elements include: (1) align your business need with strategic goals; (2) analyze risks and opportunities; (3) to the extent possible, calculate ROI; and (4) tell stakeholders a compelling story in terms that they understand, based on their roles. Examine the investment from the executive team’s perspective. Would you put your money down?
Q. Brexit is going to impact my company in a big way, no matter how it falls. We have contingency plans in place, but I am afraid to move too far in any single direction due to the fact that we still really have no idea how this is going to play out. In your view, am I taking too much of a risk in not starting to implement a worst-case-scenario plan? – Nick
Amii: If you haven’t already, facilitate a dialogue regarding the projected compliance impact of Brexit. I’m picturing a compliance “war room,” where you have engaged in detailed scenario planning and mapped out risk management contingency plans. But are your CEO, board, and executive team in the room with you? Present an inventory of potential actions, costs, and consequences of action—and inaction. With the approval of the appropriate governing authority, decide which actions to implement now vs. those for which your organization will adopt a “wait-and-see” approach. Compliance is a team effort that requires input from key stakeholders.
Q. In your view, what’s the biggest risk in “outsourcing” the compliance function to a third party? I am with a small company, and we are currently considering it. – Britt
Amii: The biggest risk in outsourcing compliance is the potential to create a functional gap between corporate behavior and accountability. You can’t delegate program oversight, disciplinary enforcement, or accountability for the effectiveness of the program. Successful compliance programs keep risky corporate behaviors on a tight leash. Ethical culture and compliance controls yank back risk and prevent, detect, or deter non-compliant behavior so that remedial action can be ta
With outsourcing, make sure you don’t over-delegate. While you may outsource certain activities, your compliance team must possess the management skills necessary to effectively manage and oversee the third party. You want to be holding the leash so you can feel tension and react promptly and responsibly.
Other compliance functions, however, lend themselves quite well and often benefit from third-party management, such as anonymous helpline reporting, misconduct investigations, and training.
As a small company, it’s understandable to consider outsourcing key portions of your compliance program. It can be more cost-effective to partner with a third party that focuses solely on your industry’s regulatory landscape, has sophisticated compliance technology capability, and possesses specialized talent that would be cost prohibitive for you to maintain in-house.
Q. I was recently promoted and for the first time have people who will be reporting up to me. What can I do at the outset to send the message to them that I have their backs? – Mark
Amii: Congratulations, and welcome to your leadership journey! You want to immediately start building trust with each of your team members. We trust people when we believe they care about us and are open to our influence.
As a new manager, I recommend an initial check-in meeting with each employee to ask how they want to receive feedback. This will help create a solid foundation for your new relationship and reduce potential anxiety around future performance discussions. Here are some questions for you to ask your team members in the meeting (you may want to send these in advance):
- What’s important to know about how you like to receive feedback? (Do you prefer a softer, less-direct approach, more direct, or something in between?)
- What doesn’t work well for you in receiving feedback?
Prepare for each of these meetings in advance by considering the following:
- What information do I want my employee to know? How do I want them to feel?
- What do I believe is most important to them? How can I support their professional growth?
- What might surprise them, and how will I prepare them for this?
Remember to listen more than you talk. There is a handy saying—we have two ears and one mouth for a reason. Use them in that proportion. I highly recommend monthly team meetings and bi-weekly one-on-ones with direct reports. Good luck, and let us know how it goes!
Q. Another day, another screwup from one of the giants of the technology industry (this time I’m talking about Facebook). What advice would you give to Facebook on how to get ahead of some of the issues [it] seems to be continually facing, especially in the area of data privacy? – Paula
Amii: I can’t imagine Facebook getting ahead of ALL its privacy risks and keeping its user base. The company failed to adequately assess its risks up front and is trying to gain control in a VUCA world of its own making while sustaining user and confidence losses. Sheryl Sandberg posted a long missive on FB on Dec. 29 regarding the five areas the company is committed to improving: (1) growing the safety and security team (now up to 30,000 employees from 10,000 in 2016); (2) protecting elections; (3) blocking terrorist content and hate speech and reducing the spread of misinformation; (4) increasing transparency; and (5) safeguarding information. I would have added a sixth area of improvement—focusing on users’ happiness. People joined Facebook to engage with friends and family and to build authentic community.
The lesson learned for so many founders and boards—such as Tesla, Papa John’s, and Theranos—is to ensure a thorough risk assessment up front while you are building and before launching new services and products. We all know this up-front investment is more effective, efficient, and cheaper.
As a postscript, I think it’s time for a new, non-founder CEO (it worked great for Uber).
Q. I’ve been tasked with monitoring the social posts of certain members of senior leadership and other public-facing employees. Do you know of a simple best-practices social media “dos and don’ts” training program? I feel like most of it is common sense, but I want to make sure I cover all my bases. – Bobbi
Amii: That’s great that your company is being proactive with social media risk, which I’m guessing might be a direct result of Elon Musk’s famously flawed $40M tweet this past year.
When you are monitoring senior executives, I always recommend conducting customized training in person (or live virtual, if you are geographically dispersed). There is no substitute for in-person discussion on important compliance issues and the chance to have a two-way dialogue vs. a one-way training. I designed a social media training for my executive team a few years ago with the following elements:
- Make it simple, catchy, and memorable. We created a “10 Commandments“ of social media. Use impactful examples from the news (so many to choose from in 2018!) to imprint on people’s memories. Keep it under 20 minutes and allow 10 minutes for Q&A/discussion.
- Agree on core rules of dos and don’ts. Be as specific as possible. For example, never comment on competitors, stock price, or pending business deals; and avoid language that could reflect negatively on the company, such as the use of aggressive language, profanity, or sarcasm. Better to forewarn people and have rules in place before you need them.
No comments yet