A chief risk and compliance officer recently told me about a dilemma he faced with his board of directors. Compliance monitoring had uncovered a control failing that meant his firm seemed to be in breach of a regulatory policy.


The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation.

The requirement was for a manufacturing firm to collect information regarding fees charged to customers along the whole of the supply chain. The intent of the rule was obvious: for the manufacturing firm to assess whether the ultimate price charged for the product was fair and good value. The board’s decision was to ignore the requirement, reasoning that collecting and maintaining the information across all its distribution channels, partners, and products would be onerous and disproportionate.

Further, the impact on intermediaries in the supply chain would be even more burdensome. Each would be expected to report on its product fees to each of the manufacturers it dealt with, even when they had no direct relationship with the manufacturer. That would be a difficult sell to the firm’s partners. In a market where no other manufacturer seemed to be demanding such data, my colleague’s request for compliance with the rule was declined.

True risk appetite

Although we, as risk and compliance professionals, would like to think otherwise, such risk decisions are common in our industry.

A scan of final notices published by the U.K. Financial Conduct Authority reveals multiple examples of willful noncompliance in pursuit of profit. Examples include nondisclosure of key financial facts to avoid share price drops, weak anti-money laundering (AML) processes that enable lucrative business, and deliberately misadvising on pension transfers.

That such scenarios appear common is testament to the enormous challenge supervising a market represents. Many regulators are under-resourced, have difficulty recruiting skilled staff, face limited and expensive legal interventions, and are required to regulate large numbers of market participants. The truth is that in every regulated market only a small number of the most significant breaches will face any sort of censure.

When making anti-regulatory decisions, a board is expressing its real risk appetite. Despite what it probably outwardly expresses as a “minimal” appetite for regulatory breaches, the cost of the mitigating controls is considered too great when compared with the risk of regulatory intervention.

This can be frustrating, even bewildering, for compliance professionals, especially when rules are clear and explicit in their expectations. It is, however, the role of the board to make such decisions. Uncomfortable as that may be for compliance staff, those choices set the strategy and culture of the firm.

Practical steps

What should we do when we find ourselves in this situation? Our role, especially if we are a regulatory approved person, is to challenge. This takes independence, bravery, and a broad range of influencing skills.

The following approaches might help, once you’ve decided what you feel is the correct course of action.

Look for factors that might not have been considered during the decision-making process. It is likely the board considered only those arguments that supported the financial aims of the firm. After all, that is what most boards are there to achieve—profitable growth for stakeholders and investors.

Listen to their position carefully. Our role is to bring in opposing perspectives and arguments, but we can only do that if we understand what they have already considered and not considered. Here are some examples of the right arguments to make:

  • “The rule is there to deliver fairness for our customers.”
  • “AML checks prevent our firm being used for terrorism and organized crime.”
  • “Dishonesty in the market makes us like Enron.”

Such alternative positions can prevent “groupthink,” where cohesive teams reinforce each other’s ideas, disregard pertinent information, and seek only confirmation.

Challenge some of the underlying, but untested, assumptions in the board’s reasoning. Boards can often develop unchallenged beliefs about a market or business which turn out to be inaccurate.

It might be, for example, that several of the firms in the supply chain have information readily available but have never been asked for it. Some might even be supplying it to others without issue, a fact of which the board is unaware. Assumptions about the ways in which a business operates tend to be cemented in a firm’s beliefs without ever having been investigated or tested.

Consider whether you can take actions that will go some way toward mitigating the impact of the decision. There might be some occasions when you must live with the board decision, but even here you can take some steps to reduce the impact of a breach.

Clearer statements regarding fees in customer literature, managing fee data from larger distribution partners, and speaking with peer compliance officers in the supply chain will all go some way toward minimizing the impact of the risk without full mitigation. The extent to which you undertake such mitigations will depend upon how serious you consider the breach to be. Such “halfway house” solutions, however, might make you feel too uncomfortable when managing serious risks.

Appeal to individuals on the board whose role includes expectations of regulatory adherence. Several roles on boards are designed to provide checks and balances for regulatory purposes. Audit committee chairs, senior nonexecutive directors, and chief risk and compliance officers should all have components of their role profile designed to maintain regulatory balance in board decision-making. A reminder of that obligation would be timely.

Consider appealing to a higher authority than the local board. Should all else fail and you consider the potential breach suitably serious, look to authorities higher than your board. This could be an owning group or higher board in the governance structure. It might even be a regulator.

Needless to say, such a step should not be taken lightly. Even though you see this as an imperative escalation given the seriousness of the breach, your local board—who are, let’s face it, your employer—is likely to close ranks and see it as troublemaking.

A career in governance, risk, and compliance is challenging. You are the person walking toward issues when others are walking away from them—it is you asking the difficult questions and challenging the cozy status quo of the group.

To succeed in the role requires strength of character, influencing skills, and a strong moral compass. Only then will we be capable of balancing regulatory risk with opportunity within our organizations.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.