CCOs Cannot Ignore C-Suite Risks
As the headlines continue to point to major misconduct and scandals involving senior corporate executives, compliance officers need to refocus their efforts and address a critical need.
All too often, CCOs have difficulty in requiring board members and senior executives to undergo annual training programs. Board members and senior executives often laugh off such requirements by arguing that they know the code, the policies and procedures and will never engage in misconduct. If you believe that, we are all living in a fantasy land.
In fact, the contrary is true. Senior executive misconduct is often a company’s most significant risk. Consider that a single senior executive can engage in serious misconduct that can place the entire company at risk. The litany of corporate scandals we have witnessed – financial accounting, stock option back-dating, healthcare fraud schemes, and many, many more – underscores the significant risks that a company faces with C-Suite misconduct.
CCOs have a choice – they can bury their heads in the sand, or they can address the issue directly.
First, at a minimum, a risk and compliance program assessment has to include the C-Suite risks, meaning: (1) what is the potential for misconduct in the C-Suite? (2) what controls are in place to prevent and detect C-Suite misconduct? and (3) what steps can be taken to mitigate these risks?
Second, the board and the C-Suite must complete a comprehensive annual training program. I know, I can see all the rolling eyes right now, but if you want to implement a commitment to corporate culture, the participation of the board and the C-Suite in a compliance training program is essential.
Third, a CCO must work closely with internal audit to monitor the C-Suite and compliance with all applicable policies and procedures. A senior executive who fails to obtain prior approval for entertaining a foreign government official consistent with the company’s gifts and hospitality policy should be subjected to the same discipline that a sales staff member would incur if he or she committed the same violation.
A CEO and his or her senior executive team are either part of the solution or pose a big risk of becoming the major problem. In crafting a risk assessment of the C-Suite, a CCO has to consider a variety of risks, some of which are limited to the senior level.
For example, in the GM or the VW scandals, it is clear that misconduct occurred at the senior levels of the company, including possibly VW’s CEO. The perception that these senior executives may have escaped scrutiny erodes a company’s ability to instill an ethical culture and a speak-up culture. In these circumstances, the risk of corporate misconduct by one or more senior executives has to be analyzed and addressed.
A holistic view of corporate risk must include the C-Suite for obvious reasons. Just as important, however, is an effective monitoring and audit program. In several recent cases, for example, internal auditors or other corporate compliance staff detected FCPA violations or serious risks involving senior officials. When these concerns were raised, the senior executives were either able to order the internal audit staff to back down or to circumvent the objections through other means. Such a scenario is not so far-fetched and can lead to the death knell of any corporate culture of ethics.