The Five Most Important Issues for a CCO to Report to the Board
Chief compliance officers have to throw out their template for charts, diagrams and data that they use to report to the Audit/Compliance Committee and start over. Slick and colorful charts and diagrams are great but CCOs are ignoring the importance of an opportunity to educate and train the board on how to monitor and oversee a compliance program.
So, let’s start over – what should a CCO tell the board in order to advance the company’s program?
Let’s answer a question with another question – what is the most important aspect of a company’s ethics and compliance program?
That is a hard question to answer because it depends on the circumstances, i.e. whether the company is under investigation, is involved in a new, high-risk business venture, or is facing serious financial issues.
Assuming that everything is relatively calm in the company, I recommend starting with the company’s culture. What efforts have been made to communicate and measure the company’s culture? What specific areas (geographic or product/service) have been measured or identified because of culture issues?
A CCO has to reinforce the idea that a company’s culture is its most important intangible asset. Hopefully, the CCO has educated the board on the research linking a company’s ethical culture to its financial and sustainable performance. If so, the CCO has to dedicate his/her work to measuring and reporting on some aspect of company culture each quarter. This report should include data and observation reports on culture assessment and measurement areas — e.g. culture in the company’s Russia operations based on a survey, sample of interviews, or other sources of data and information. A report on the number and type of employee complaints from the hotline does not satisfy this requirement.
Second, a CCO needs to report to the board on its continuous risk and compliance program efforts. In this area, the CCO needs to explain any new significant risks and gaps in the company’s compliance program. To the extent these issues are discussed, the CCO needs to report to the board on resources and time needed to address the change in risks and compliance program gaps.
Third, the CCO needs to inform the board on the operation of the internal investigation, employee complaints, and resolutions of internal investigations. This subject can be divided into three subparts – Part A is a discussion of significant internal investigations that require a specific examination of the issues that the board needs to know about; Part B is a data-driven review of number and types of complaints, number of open investigations, and average length of time that investigations are taking to resolve; and Part C should be a discussion of the discipline being meted out as part of the investigation process.
Fourth, the CCO needs to report on high-priority, high-risk operations, such as the company’s due diligence and monitoring program for managing third-party risks. If there are any specific issues that need to be addressed, the CCO should tell the board about these high-risk operations and discuss risk mitigation strategies.
For example, if the company has entered into a high-risk joint venture in China or Russia, the CCO should outline the due diligence that was conducted, how any red flags were resolved, and then outline the risk mitigation strategies. The board needs to know about high-risk business opportunities and how the company is handling such risks.
Fifth, the CCO needs to know about any significant compliance projects or areas where the company is experiencing difficulties. The CCO should not congratulate himself or herself by reporting on the number of training sessions, the number of attendees or the number of code of conduct certifications that have been executed. This is a waste of time. A CCO should only report on these routine issues when there are problems with compliance by senior executives, managers or employees (or by the board itself, if it has failed to complete training).
Finally, the CCO should always take advantage of an executive session. And the CCO should discuss something at the executive session. The CCO should not be bashful and should always take the opportunity to raise concerns in this context. The board wants to hear candidly from the CCO (unless it is the last part of a board meeting and the board members are anxious to attend the cocktails and dinner at the conclusion). A CCO should not clear the boardroom and then have an empty agenda, waiting on a board member to raise a specific inquiry.