Best Practices for Good Compliance Programmes

  1. The starting point: honest evaluation of the CCO – CEO relationship
  • The first indicator of the compliance programme is the relationship between the CEO and the Chief Compliance Officer (CCO).
  • If the CEO does not devote sufficient time to compliance, the compliance programme will not be effective.
  • In practice, almost 60% of CCOs now report directly to the CEO.
  • Therefore, the central question boils down to ‘What kind of relationship does the CCO have with the CEO?’
  • Hint: if the CCO and the CEO meet monthly for briefing, this is not a ‘quality’ relationship.
  • Hence, an effective CCO – CEO relationship entails the CCO reporting to the CEO and ensuring, when necessary, that the CEO steps out, speaks to senior staff (leaders), and promotes and represents the organisation’s compliance programme.
  • It is the continuous duty of the CCO to ensure that the compliance programme represents the CEO’s commitment and direction to the design and implementation of the organisation’s compliance programme.
  • The CEO must send the message to senior managers by speaking in detail about the compliance programme, the short-term and long-term objectives, and expectations so that senior leaders are held accountable.
  • Thereupon, the CCO follows the CEO as spokesperson who builds on the CEO’s support and gains greater credibility when promoting the compliance programme. The CCO’s actions must be driven by commitment, understanding and ongoing effort – this is not a one-off job.
  • The CCO is expected to speak about the aforementioned issues to the Audit Committee when the opportunity arises, and put forward an honest opinion or appraisal of the CEO’s commitment.
  • The CCO must therefore engage the CEO professionally and communicate honestly about the expectations and requirements for an effective enterprise-wide ethics and compliance programme.
  2. Gaining a practical understanding
  • A CCO either has the support of the CEO or simply does not – there is no middle point.
  • A CEO who is really committed to ethics and compliance will back up her/his words with real actions – not just decisions and orders – i.e. through personal engagement.
  • The CEO is actually the most important communicator within the organisation in spreading the message that an ethical culture is necessary.
  • The CEO must thus respond timely to important ideas and suggestions, and communicate to senior management the reasons behind certain decisions taken as well as the vision for the organisation’s growth and stability.
  • The CEO must build a team with the same degree of commitment to ethics and compliance, welcome the CCO to regular senior management meetings, and recognise the CCO’s contribution to the business leadership team.
  • Positive indicators of compliance 2.0 are: lower rates of misconduct and higher rates of reporting of breaches.
  • The CEO must hold herself/himself accountable under the organisation’s code of conduct at all times.
  3. Expectations for Board oversight of compliance programme functions
  • It is useful to ask oneself: ‘What standards form the foundation for the organisation’s compliance programme?’
  • Is there an enterprise-wide confidential reporting system in place to receive reports of alleged misconduct and material breaches, and is this adequate and appropriately resourced?
  • What assurance does the Board of Directors have for the timely escalation of compliance matters?
  • What level of compliance education is expected at the Board?
  • How does the CCO know that the compliance programme is effective?
  • Are the requisite human, financial and IT resources available and properly utilised?
  • Does the CCO have access to the CEO and the Board whenever needed?
  • Do the organisation’s senior leaders set the right tone and conduct?
  • How are the organisation’s senior leaders perceived by employees?
  • How likely is it that an employee will take an issue of concern outside before reporting through internal controls?
  • How are concerns addressed about retaliation within the organisation?
  4. Roles and Relationships
  • What is the role of the Audit, Compliance, Legal, Human Resources and other relevant functions in the compliance programme – are there any clearly established synergies?
  • Is the compliance function reporting relationship sufficiently independent?
  • Do the Audit, Compliance, Legal, Human Resources and other related functions have uninhibited access to appropriate and relevant compliance information and resources?
  • Do managers understand clearly their compliance-related responsibilities?
  5. Reporting to the Board
  • Are the reports received providing metrics, context and analysis of the Ethics & Compliance Programme? And, if so, do they contribute to the organisation’s oversight and decision-making?
  • How do we know that senior management fulfil their ethics and compliance responsibilities?
  • Do we regularly provide confidential access to compliance personnel?
  6. Identification of Audit Risk Areas
  • Is there a formal, regular process to identify ethics, compliance and reputational risks?
  • How are higher industry risks managed?
  • What industry trends are evolving in comparison to the organisation’s risk-assessment?
  • What trends in business units/locations are identified and assessed?
  • Is monitoring and auditing detecting criminal conduct?
  • Does senior management continuously review audit risk areas, and does it implement/monitor corrective action plans?
  • Are there risks that are not addressed as they should be?
  • How is self-disclosure handled and promoted within the organisation?
  • How does senior management respond to breaches and violations of regulation?
  • Is everybody held accountable in the same way?
  7. Demonstrating positive results: within the next 12 and 36 months ahead
  • Technology: Improvements to systems and adoption of new tools and technology
  • Data: Investment in data management, analytics and controls
  • Compliance operating model: How well is compliance organised internally, including streamlining and re-scoping?
  • Collaboration within the business: How well is the relationship between the 1st and 2nd lines of defence reviewed and clarified continuously?
  • Recruiting new skills: How are relevant skills identified for the compliance function, and is recruitment aligned with the current marketplace?
  • Development of existing skills: What ‘auditable’ infrastructure is in place for the continuous development of compliance professionals, including training and development?
  • Collaboration with other functions: How does compliance work with other functions, including HR, Audit, Technology and Finance?
  • Location strategy: Tracking and monitoring changes on how compliance headcount is distributed: co-located with other business; near-shored; or far-shored?
  • Statistics: the proportion of CCOs reporting directly to the CEO; directly to the Board; to the Head of Legal who in turn reports to the CEO; or to the Head of another programme who in turn reports to the CEO
  8. How can we best summarise the aims that reporting is meant to achieve?
  • Data integrity
  • Optimisation of internal controls
  • Re-scoping
  • Automation
  • Utilities for more effective compliance processing