What CCOs (and Boards) Need to Know
Taken as a whole, this year’s survey reveals some interesting trends regarding the use of technology by compliance professionals. Although technology is a given in most corporate functions these days, compliance has not yet fully embraced it. While this presents an opportunity to implement technological solutions within the compliance function, how much to spend on technology and how effective technology can be are open questions. And yet some of the same issues continue to challenge compliance professionals around the world – board interaction and support, training, reporting and communications. To assist compliance officers in dealing with these issues, we have assembled the following set of basic principles and best practices.
- Have a plan. When it comes to investing in technology, understand what you are doing and why. Think through what you intend to do with the information developed and how you will safeguard it from misuse.
- Data without context is meaningless. Technology, particularly data analytics applications, should help you better understand the business and its risks. But without partners from the business and service centers to help place the output into perspective, the information developed could more easily have you running in circles than speed you on the way to more sound and compliant operations.
- Leverage existing tools. Examine how other business units are using technology to compile and analyze data. The best solution for you, or some form of it, may already exist within your company.
- Be patient and pick your spots. Technology should make compliance professionals’ jobs easier, create efficiencies and relieve resource strain. Don’t just dive in because the business, other functional units or peers are implementing technological solutions. Do some research and benchmark. Wait until the technology meets your needs. There may be risk in being an early adopter.
- Be selective. In searching for new board members, consider their expertise and experience in compliance and, as appropriate, sub-specialties like cybersecurity.
- Many boards are targeting key members to train on compliance-related matters. This may include subjects like compliance generally, privacy, cybersecurity, anticorruption and risk assessments.
- Share the knowledge. Once you’ve identified board members with the requisite compliance expertise, it is imperative that they share their knowledge and facilitate discussions at board meetings on those compliance issues. A company-wide “speak up” culture starts at the top.
- Share more data. Many companies regularly report only hotline statistics and investigation resolution information. While this is critical, more can and should be shared. Consider adding a data analytics perspective to identify trends and forecast risks before they reveal themselves in the hotline statistics and to provide context for the information.
- Emphasize proactive risk management. Apprising your board or audit committee of how you conduct risk assessments and presenting those results allows the members to better understand and challenge how the company is mitigating its legal and regulatory risks. Consider suggesting areas they may probe with other senior executives to better understand how compliance is perceived and what the business units are doing to operate compliantly.
- Talk to your board/audit committee about resources and staffing. In exercising their fiduciary duties, your board/audit committee needs to have a clear picture of how the compliance program is resourced and functioning. Ultimately, they will be held accountable for weaknesses in the compliance function, so make sure they know what resources you have and what you need. Benchmarking is hard to do without access to a network of industry compliance contacts.
- Assume nothing. Training is supposed to be educational and designed to ensure that all directors have a working knowledge of important compliance risks. Don’t be afraid to spend a few minutes setting the table for a training discussion by first addressing the basic nature of the risks, the associated legal or regulatory context, and how directors can help.
- Make it relevant. Focus discussion around current and future risks, how board members’ responsibilities and tactical strategies can help the company avoid major missteps, and what actions they should consider should a significant challenge arise. Directors are very busy people. Deliver the training in a manner designed to get the biggest bang for the buck. Strive for interactive discussions that draw comments from all directors. It may help to talk with them first to understand their backgrounds and what engages them.
- Calibrate your compliance program. Directors should ask questions to ensure that the compliance program accounts for the geographic spread of the organization’s operations and the value and risk profile of the business conducted in each jurisdiction. If the company’s geographic reach is broad, discipline for compliance violations can be inconsistent if remediation is not tracked globally and reported to the board.
- Be flexible. Multinational organizations must remain nimble and avoid falling into the trap of applying one-size-fits-all strategies. What works in one jurisdiction may not work as well in another. Take into account changes in the business, such as new products, markets, sales strategies and compensation plans.
- Acquisitions can quickly change the risk profile of a company. Proper alignment between the compliance program and business development team can prevent unanticipated and unwanted liabilities.
- Respect local laws, customs and language preferences. Make sure your code of conduct and policies and procedures are available in the language(s) most commonly spoken among employees. Promote awareness of the hotline and the importance of compliance in a way that will resonate with the local employee population and confirm that reports are handled in a consistent and timely manner across all jurisdictions.