What a difference a decade makes.
When the first batch of chief compliance officers had their baptism by fire with the Sarbanes-Oxley Act, the reality was that many simply made up their plans as they went along—and the only goal was grinding through those first years of SOX compliance.
Flash forward to 2015. Times have changed. Regulators readily establish their expectations on corporate conduct for disclosure, anti-corruption, supply chain risks, and even SOX compliance like old times. Corporations trying to juggle all manner of risks now rely on the CCO as a member of the inner circle far more often, hoping that a solid ethics & compliance program now can help ease regulatory and risk headaches later.
If you’re a compliance officer who can carry that mantle of leadership, that is. CCOs have wanted to lead a strong and important function for 10 years. Now the question—one that took center stage at Compliance Week 2015—is how you can do it.
“More and more compliance officers are being asked for a leadership vision,” Janice Innis-Thompson, chief compliance and ethics officer for TIAA-CREF, said during a panel discussion on CCO leadership. “They are expected to move the company ahead and make it more competitive.”
“More and more compliance officers are being asked for a leadership vision. They are expected to move the company ahead and make it more competitive.”
Janice Innis-Thompson, Chief Compliance and Ethics Officer, TIAA-CREF
Maureen Mohlenkamp, a principal in enterprise compliance services at Deloitte, put some numbers to the evolution. The 2015 Compliance Trends report that Deloitte conducted with Compliance Week found that 57 percent of compliance officers now report directly to the CEO. Fifty-one percent are part of their companies’ executive management team.
“That is a huge change for this profession,” Mohlenkamp said. “We have been talking for years about wanting to have a seat at the table, getting out from under general counsel, and having that direct reporting line.”
That empowerment comes with great expectations: influencing strategic decisions and integrating ethics and compliance “so it’s not an afterthought and is part of the business model and decision making,” she said.
So what does leadership look like for a CCO? What skills and competencies does a good chief compliance officer need to have?
“It is not about the activities; it is about the outcomes,” said Ronnie Kann, managing director at CEB, an advisory firm.
In his firm’s research, top CCOs usually have three specific strengths. They are role models who uphold the values of the organization. They create a culture where employees feel safe coming forward with questions and concerns. They also bring specialized expertise to the conversation, translating their efforts to a business context.
And the bad news? CCOs still struggle to anticipate compliance issues before they affect the business; and to understand the needs of the business.
A CCO trying to establish his or her leadership (either because you just got promoted, or are taking over as CCO from the outside, or you just need to elevate your organization) should define his or her priorities and don a four-cornered hat of strategist, communicator, risk manager, and steward. “Aspirationally, all the compliance officers we work with have the hope of becoming greater strategists and communicators, because that’s where they get to have the greatest degree of influence in their organizations,” Mohlenkamp said.
Mohlenkamp stressed the importance of “getting out into the lines of businesses, asking tough questions, and finding out where your organization is vulnerable and how you can enhance that,” she said. “By building bridges across all those silos and ivory towers that companies seem to foster, compliance can evolve from the folks who say no to leaders with business advisory relationships.”
“You are still going to be the ones that have to hold the line,” she said. “But if you have that collegial and collaborative relationship, and you have open communication with the lines of business, you can help them get to yes without putting the organization at risk.”
Standing your ground when needed comes with the territory, others said, especially when forced to warn a CEO or sales executive that he or she may miss sales targets because of your objections.
In those situations, Innis-Thompson said, she subtly reminds executives of personal liability with a, “I am not going to jail for you.”
Tactical Tips Too
Assuming a leadership role can be difficult when rising through the ranks at one company, and more so for someone new to an organization or filling a new compliance role.
“Like any new position, when you start a new role, a critical first step is to really understand the business,” said Karen Griffin, chief compliance officer for MasterCard, who also held the top compliance job at Visa, Alcatel-Lucent, and elsewhere. “For the CCO, building the needed coalitions and support from the top and key stakeholders really needs to start on Day 1.”
MOVING ON UP
The following, from the 2015 Compliance Trends Survey conducted by Deloitte and Compliance Week, illustrates the increasing prominence and independence of the compliance function.
Sources: Compliance Week; Deloitte.
Working closely with directors, internal audit, finance, and human resources can help you “understand, from their perspective, what is working well and where there are opportunities for improvement,” she said.
An early, baseline assessment should identify laws and regulations specific to the business. “It may take a couple of years” to centralize these laws and regulations in a database if they are not organized that way, Griffin said. Then try to pair those risks with controls and executives in charge of those controls.
Consume data voraciously, Griffin added. Scour helpline data, disciplinary actions, litigation issues and survey results, in addition to your own risk assessments. “Every company has its own unique risk profile,” she said, stressing the need to have all stakeholders buy into, and evangelize, the CCO’s mission and work with compliance to identify where the control gaps are and prioritize improvement opportunities.
“You’ll start to open up a dialogue with the business leaders and really start to get a sense of what is the corporate risk appetite, and start to think about how we can resolve some of these issues,” she said. “If you can come in early on and identify specific initiatives you are going to lead that are going to drive success and manage the company’s risks, that can make an immediate impact.”
Raphael Richmond, global director of compliance at Ford, advised a reality check on the state of the compliance program before your arrival and assessing whether resources are adequate to make the program work. Does the old program still fit your business model? Are you empowered? “You do not want to be the figurehead when regulators come in and ask what you are doing,” she said. “That is not the time to say you weren’t sufficiently empowered.”
Richmond also warned that a strong compliance leader also knows when to push something off his or her plate. “Compliance can become the dumping ground for everything that no one else wants to do,” she said. “To a certain extent, everything is compliance. Look around and see what have you ended up with that really belongs somewhere else or isn’t adding value.”
As for the pushback a new CCO might encounter, Jeffrey Wu, director of global internal control and audit for China-based Haier group, suggested exercising that newfound clout. “Play nice, but with a big stick,” he quipped. “Then the relationship will follow.”