In an era marked by heightened global regulatory scrutiny and enforcement, the landscape of risk and compliance is evolving, and the strategic imperative for effective, risk-based compliance initiatives is clear. From health and safety concerns, third-party risk management, cybersecurity, environmental, social and governance (ESG), and bribery and corruption to many other variable business risks, the risk and compliance function is increasingly involved in critical operations.
Beneath the surface of this risk landscape, a deeper narrative is taking shape – one that transcends the conventional perception of compliance as a box-ticking exercise. Now, more than ever, compliance as a strategic partner to the C-suite and board, and the intricate dance between data-driven precision and the compelling art of risk and compliance storytelling, is a strategic imperative. And specifically, it is a strategic imperative for the board of directors to effectively fulfill their oversight responsibilities.
The legal case for board involvement with Risk & Compliance
In early 2023, the Delaware Chancery Court issued a significant decision that affects corporations and their C-suites. Corporate officers, like boards of directors, are now held to a fiduciary duty of oversight to their organization. This decision opens the door to legal action against corporate officers, who can be held personally liable for misconduct and can face third-party and shareholder lawsuits.
So, what does this mean for compliance officers? In practice, for many it depends on whether they are actually an officer of the company, something far from settled in the compliance field because many senior leaders in compliance are not technically part of the C-suite. In fact, data from the 2023 State of Risk and Compliance Report, which surveyed more than 1,200 compliance leaders and professionals, shows that only a quarter of organizations have a compliance function that is independent and part of executive leadership.
Personal liability aside, boards are indeed heading in the direction of more involvement with the risk and compliance function and need to be equipped to ask the right questions – some of which may yield uncomfortable answers. For example, when compliance professionals were asked in the same survey about management’s commitment to compliance in the face of competing business priorities, less than half (47%) stated that senior leaders persisted in their commitment. This should beg the question, “Is our organization operating under a ‘results at all costs’ paradigm?” If the answer is yes, the realities of regulatory enforcement and accountability mean your organization could eventually be at risk.
This increased risk exposure faced by businesses today, expanding with new regulations, sanctions, third-party risk concerns and the like, contributes to a sort of forced maturity for the function – similar to the path the cybersecurity function has been on for the last several years. The good news is that there is compelling data, and a legal imperative, showing the compliance function is maturing. As part of that maturity, more direct contact with and briefings for the board of directors are necessary to continue this strategic partnership.
What does program maturity mean?
At NAVEX, we spend a lot of time on compliance program maturity – from developing tools that help organizations grow their program, to compiling data from risk and compliance leaders for benchmarking, to sharing information from customers and experts alike to further the maturity of the compliance function as a whole.
The U.S. Department of Justice (DOJ) offers specific guidance on what a well-functioning compliance program should look like, and also what role the board should play. Per the March 2023 DOJ guidance, “The company’s top leaders – the board of directors and executives – set the tone for the rest of the company. Prosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example.”
Regarding board oversight, the DOJ asks the following questions when investigating compliance failures:
- What compliance expertise has been available on the board of directors?
- Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?
- What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
Let’s tie that to what we recently learned from practitioners from across the globe. This year, in the earlier referenced survey, we learned:
- 67% of compliance leaders deliver periodic reports to the board of directors
- 55% have compliance experience or expertise represented on their board
- 52% participate in private sessions with a board level committee
- 25% indicate Compliance is an independent function reporting directly to the CEO or board
These findings are somewhat concerning, as boards are expected to oversee the organization’s risk and compliance initiatives, and these expectations have been in place since the original Federal Sentencing Guidelines for Organizations were issued. While (unfortunately) many organizations view their legal and compliance functions as cost centers, in reality proper oversight, resources and action by those functions can save millions, or hundreds of millions, as recent enforcement actions have demonstrated. Further, programs like the Securities and Exchange Commission’s (SEC) whistleblower program, which regularly makes headlines with multi-million-dollar payouts to whistleblowers, mean an internal issue can very quickly become a very public external problem – one that will quickly rise to the board level.
To overcome the cost center mentality, compliance officers must be seen as a strategic partner to the business leaders and the board of directors. One place to start is by helping your board and CEO know the right questions to ask. Some of those questions could include:
- What information do you get to give you comfort that compliance risks are covered?
- Are there any risks that aren’t being addressed as they should be?
- Do leaders set the right tone? How are they perceived by employees?
- Is candor rewarded or punished in our organization? What about fear of retaliation?
- How are we at discipline? Are top performers and high-level people held accountable to the code of conduct in the same way as other employees?
- Do you have the resources you need to do your job appropriately? Do you feel you have access to the CEO and board whenever you need it?
- What trends in issue types or company locations are you seeing?
- Is there anything we should know?
- What keeps you [the risk and compliance officer] up at night?
While this list is not exhaustive, it sets the general tone for the type of information board members should know about compliance. Then it’s up to compliance leaders to tell a story that sets the context for the current risk and compliance strengths, opportunities and threats.
This combination of data (given in context), effective storytelling, and clear communication about the board and C-suite’s responsibility to be informed about compliance needs will set leaders on the right path to being seen as a strategic partner.
2024 prediction
Boards are getting smarter and savvier about risk and compliance and will continue that trend. The increased attention to cybersecurity, data privacy, human rights, third-party risk, sanctions enforcement, etc., means boards will continue to become more fluent in compliance programs and will be more comfortable asking the right questions.
As case law continues to expand, requiring more board involvement, directors will either willingly run – or begrudgingly be dragged – toward accepting responsibility, asking the right questions and vetting the answers. One way or another, board involvement with risk and compliance will increase as we head towards greater corporate accountability.
Top 10 Trends in Risk & Compliance
For many more insights and guidance, download the full eBook and access the accompanying webinar featuring analysis and expert insights from Carrie Penman and Kristy Grant-Hart.