Categories
Blog

Directors and AI: Do’s, Don’ts, and Compliance Lessons

Artificial intelligence (AI) has rapidly become embedded in the daily workflows of executives, employees, and, increasingly, board directors. From drafting strategy summaries to analyzing industry data, directors are turning to AI chatbots and transcription tools in the same way they once adopted email, spreadsheets, or virtual board portals. However, unlike those earlier technologies, AI presents new risks, and for directors, these risks intersect directly with fiduciary duties and corporate governance obligations.

A recent memorandum by Skadden, Arps, Slate, Meagher & Flom LLP, published through the Harvard Law School Forum on Corporate Governance, outlines practical dos and don’ts for directors using AI in their board roles. The message is clear: while AI offers great promise, directors must use it with caution. For compliance professionals, this guidance provides important lessons not only for boardrooms but also for the governance structures that surround them.

The Temptation of AI in the Boardroom

Boards are expected to absorb massive amounts of information, such as financial results, strategy papers, compliance reports, and cybersecurity dashboards, often under tight timelines. It is easy to see why a director might feed these materials into an AI tool to produce summaries or ask for red flags. Similarly, transcription services appear attractive for documenting complex board meetings and discussions. But here lies the trap: not all AI tools are created equal. Publicly available chatbots often train on user inputs, meaning that confidential board information could be incorporated into the system and potentially regurgitated to other users, including competitors.

Just as you would never allow directors to send board books through unsecured email, AI tools need guardrails.

Key Risks Identified in the Director’s Guide

The Skadden memorandum outlines several risks directors must consider when using AI in their corporate capacities:

  1. Confidentiality and Data Leakage – Uploading sensitive materials into public AI systems risks exposing trade secrets or personal data. Even if the information is deleted from a user’s history, the AI vendor may still retain and train on it.
  2. Discovery and Litigation Risks – AI chats are records. Like emails, they may be discoverable in litigation or regulatory reviews. Regulators could demand access to AI interactions if they involve matters under scrutiny, such as antitrust reviews of mergers and acquisitions (M&A) activity.
  3. Loss of Privilege – Using AI to transcribe board meetings or communications with counsel risks waiving attorney-client privilege. Once third parties have access, privilege may be lost forever.
  4. Accuracy and Hallucinations – AI outputs can be wrong, biased, or outdated. Treating AI results as authoritative without verification exposes directors to poor decision-making and potential breaches of fiduciary duties.
  5. Erosion of Human Judgment – Over-reliance on AI to make HR, strategy, or other critical decisions risks abdicating the duty of care and loyalty. Directors must remain firmly “in the loop”.

Compliance Lessons for Professionals

From these risks, we can distill key lessons for compliance officers advising boards and executives on AI governance.

1. Confidential Information Must Stay Inside the Perimeter

Compliance professionals should establish clear rules: no uploading of board materials, personal data, or trade secrets into public AI tools. Instead, direct the board to company-approved platforms that are vetted for security and configured to prevent training on sensitive inputs. This is not just a best practice; it may also be required to comply with contractual obligations, privacy laws, and internal data-protection policies.

2. Treat AI Chats as Discoverable Records

Boards should assume that anything shared with AI may one day be discoverable by others. Compliance professionals must include AI chats and transcripts in records-retention policies and advise directors to avoid discussing sensitive legal or competitive issues in public AI systems. This lesson mirrors earlier corporate missteps with text messages and messaging apps. AI is the new frontier for discoverability.

3. Preserve Privilege by Avoiding AI for Legal Matters

Directors must not use AI to record privileged discussions with counsel or board meetings, as this risks waiving attorney-client privilege. Compliance officers should make this an explicit policy. Approved transcription tools may be used for training sessions or customer service calls, but never for board-level deliberations. Losing privilege could cripple a company’s defense in litigation. Compliance officers should hammer this home during board training.

4. Verify Before You Trust

AI has a well-documented tendency to “hallucinate.” Directors must be reminded: AI is not a single source of truth. Compliance programs should emphasize verification. Encourage directors to cross-check AI outputs against trusted sources and ensure management reviews AI-generated analyses before relying on them for decision-making.

5. AI Is a Tool, Not a Decision-Maker

The most important compliance lesson: AI augments but does not replace human judgment. Directors remain bound by duties of care and loyalty. Compliance professionals must make clear that delegating decision-making to AI tools could not only harm the company but also expose directors to personal liability.

Building a Compliance Framework for Board Use of AI

The Skadden guide closes by urging boards to develop clear policies for AI use, including approved tools, acceptable uses, and required disclosures. For compliance officers, this is an opportunity to lead.

Here are key framework elements to consider:

  • Approved Tools List – Maintain a list of AI platforms validated by IT and legal for security and compliance.
  • Acceptable Use Policy – Define when and how directors may use AI (e.g., industry research, summarizing public filings) versus prohibited uses (e.g., uploading board decks, transcribing meetings).
  • Training and Awareness – Provide directors with training on AI risks, including confidentiality, discoverability, and hallucinations.
  • Monitoring and Audit – Periodically review the use of AI by directors to ensure compliance with relevant policies and regulations.
  • Disclosure Requirements – Require directors to disclose if AI tools were used to generate or summarize board-related materials.

Final Thoughts

The “Do’s and Don’ts of Using AI” is a timely reminder: AI governance is not only about company-wide adoption. It also starts at the top, with the board itself. Directors tempted to use AI in their own roles face unique risks. These risks could compromise confidentiality, destroy privilege, or erode fiduciary oversight.

For compliance professionals, this presents an opportunity to serve as both educator and enforcer. Just as compliance led the charge on insider trading policies, conflicts of interest, and anti-bribery training, so too must we lead on AI governance.

The bottom line is that AI can be an extraordinary tool for directors. But without compliance guardrails, it can also be a governance trap. Our role is to ensure the boardroom and the company stay on the right side of that line.

Building a Compliance Playbook for AI: Board-Level Lessons in Cybersecurity Oversight

Artificial intelligence (AI) has been heralded as one of the most transformative technologies of our time. It promises efficiency, productivity, and entirely new business models. Yet, as with any tool of such power, AI is both a friend and a foe. For corporate directors, compliance officers, and risk professionals, AI presents a dual challenge: leveraging its defensive strengths while preparing for its potential weaponization by malicious actors.

The National Association of Corporate Directors (NACD), in partnership with the Internet Security Alliance (ISA), has released a special supplement to its Directors’ Handbook on Cyber-Risk Oversight devoted entirely to AI in cybersecurity. It is a timely publication. Adoption rates are soaring (72% of companies were already using AI in 2024), and the risks are accelerating just as fast. For the compliance community, the report provides a roadmap for oversight, governance, and practical questions boards must ask management.

AI as Both Force Multiplier and Risk Multiplier

On one side of the ledger, AI enhances cybersecurity by automating threat detection, reducing false positives, identifying malware, and analyzing oceans of log data. Used wisely, AI allows companies to “get ahead of theft”. This includes identifying vulnerabilities before criminals exploit them. Generative AI and large language models (LLMs), in particular, can speed detection, enrich threat indicators, and even suggest remediation steps.

However, these same capabilities are available to cybercriminals. AI lowers the barrier of entry for less sophisticated hackers, turbocharges phishing and social engineering campaigns, and allows nation-states to refine cyberattacks at scale. This duality makes AI unique: it amplifies both opportunity and risk simultaneously.

Oversight Imperatives for Boards

The handbook identifies four key imperatives for boards responsible for overseeing AI and cybersecurity.

1. Director Education – Boards must commit to continuous learning about AI’s risks, benefits, and regulatory developments. Few leaders yet possess the technical grounding needed to appreciate AI’s implications.

2. Threat and Opportunity Awareness – Directors must understand not just the dangers but also the strategic benefits AI can bring.

3. Regulation and Disclosure – Boards must anticipate evolving rules and disclosure obligations. AI oversight will require the same level of rigor as financial and ESG reporting.

4. Board Readiness – Boards must ensure management builds governance structures, ethical use frameworks, and clear communication channels about AI’s role.

Compliance Lessons from the NACD AI in Cybersecurity Handbook

1. Third-Party and Supply Chain Risk Will Intensify

Boards are advised to scrutinize vendors’ AI tools and data sources. As the handbook emphasizes, AI models can be trained on data with questionable provenance, intellectual property, personally identifiable information, or even classified information. Using such models can expose organizations to liability. For compliance professionals, this means conducting enhanced due diligence on third-party AI systems. Ask vendors how they source training data, what models they use, and whether they have human oversight mechanisms in place to ensure quality. AI risk is now a key component of supply chain risk.

2. Transparency Is a Non-Negotiable

AI systems often function as “black boxes.” Their lack of explainability poses reputational and legal risks when decisions cannot be justified. Boards are urged to push for transparency in AI deployment, both internally and in customer-facing applications. For compliance professionals, this means incorporating explainability into your AI governance framework. Require documentation of training data, decision-making logic, and model limitations. If regulators ask, you must be able to demonstrate your homework.

3. Continuous Monitoring Is the New Standard

As highlighted in the AI Seven-Step Governance Program, AI oversight requires more than pre-deployment testing. Continuous monitoring, auditing, and retraining must occur throughout the lifecycle of AI tools to ensure their effective use. For the compliance professional, this means your program must move beyond “check-the-box” vendor certifications. Build ongoing monitoring and assurance processes. Think of AI oversight as dynamic, not static.

4. Regulation Will Come Fast and Furious

The NACD warns that while regulators often lag innovation by three to five years, the window for AI is already shortening. Boards relying on a “wait and see” approach will find themselves overwhelmed when rules arrive. Clearly, the compliance function must do more than wait for the regulators. Even if the US government were inclined to regulate, the political will needed to reach agreement on rules would not exist. This means you should align your approach today with emerging frameworks, such as the EU AI Act, the NIST AI Risk Management Framework, and OECD principles. Position your company to demonstrate proactive governance.

5. Disclosure Expectations Will Rise

AI adoption carries disclosure obligations across transparency, risk assessment, and incident reporting. Boards must assume that regulators and investors alike will demand clear, timely disclosure of AI-related incidents and governance practices. Compliance must lead the way in your corporation to build AI into your disclosure controls and procedures now. Ensure incidents involving AI failures are reported with the same rigor as material cybersecurity breaches.

6. The Board Must Get Educated—and Fast

The handbook emphasizes director education. Boards that lack AI fluency will struggle to provide proper oversight. Worse, they may overestimate management’s ability to mitigate AI risks. You should encourage board training through NACD, Carnegie Mellon’s CERT program, or trusted third-party advisors. Education is no longer optional; it may well become a fiduciary duty.

7. Governance Structures Must Evolve

Some companies are considering dedicated AI committees, while others integrate AI oversight into existing audit or risk committees. Either way, boards need clear lines of accountability. The questions boards should be asking management are listed extensively in the handbook, including:

  • How are competitors using AI?
  • Do we need a Chief AI Officer?
  • What is our exposure if adversaries use AI against us?
  • Have we segregated training data to know its provenance?
  • Are our policies aligned with the EU AI Act’s risk classifications?

Start these conversations today. Board agendas must include AI oversight as a recurring topic.

Building a Compliance Playbook for AI

The compliance professional can translate the NACD’s recommendations into a practical playbook for your program, incorporating the following key concepts.

  • Embed AI governance early – Don’t bolt compliance onto AI projects after the fact. Integrate governance into design and procurement stages.
  • Adopt a human-centered AI approach – Ensure AI is aligned with corporate values and ethical principles, not just efficiency goals.
  • Use risk quantification – Treat AI risk like any other enterprise risk: quantify, compare, and integrate into ERM frameworks.
  • Demand accountability – Require clear responsibility for AI oversight, whether it sits with the Chief Compliance Officer, CIO, or a new Chief AI Officer role.
  • Engage regulators early – Use disclosure and transparency as tools to build trust with regulators and stakeholders.

The Handbook makes clear that AI in cybersecurity is not just a technology issue. It is an enterprise risk, a boardroom issue, and a compliance mandate. For compliance professionals, this means you must step into the AI oversight conversation.

As with the FCPA decades ago, regulators and stakeholders will expect companies to transition from a reactive to a proactive approach. The time to build frameworks, train directors, and embed oversight is now. AI, like every disruptive technology before it, will reward the prepared and punish the complacent. Compliance professionals are uniquely positioned to bridge the technical and governance divide. By applying lessons from the NACD handbook, we can ensure that AI is not merely a tool for criminals but a force multiplier for integrity, trust, and resilience in the digital age.

Compliance Tip of the Day – Your First Board Seat, A Guide to Success

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we conclude our 5-part series and consider several questions about compliance officers working with or on the Board. We also consider what you need to do to be successful after joining your first Board as a member.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Board Week, Part 5: Your First Board Seat: A Compliance Professional’s Guide to Success

Ed. Note: this blog post concludes our 5-part series this week on Board issues for the compliance professional.

For many compliance professionals, being selected to serve on a board of directors is a career milestone. It signals that your judgment, risk insights, and crisis-tested leadership are valued at the highest level of governance. But stepping into that boardroom for the first time can feel daunting. The expectations are high, the norms are unspoken, and the stakes — governance, strategy, and shareholder value — could not be greater.

The good news? Compliance leaders already have many of the tools needed to thrive. You understand oversight, you know the difference between management and governance, and you have a keen sense of risk. What you need now is a roadmap for the first 90 days and beyond. Drawing from hard-won lessons and my own experiences, here is a playbook for how compliance professionals can not only survive but excel when they take their first board seat.

Mastering the First 90 Days

How you arrive determines how long and how well you serve.

1. Listen Hard

Your first task is to absorb as much as possible. That means reading everything (board books, minutes, charters, risk registers, and committee reports) to map who influences what and how decisions are made. Pay attention not just to the formal processes but also to the informal alliances and power dynamics. And always keep in mind the golden rule of governance: noses in, fingers out. Boards are not there to manage operations. You are there to oversee, question, and guide, not to run the business.

2. Pick Your Moments

New directors often feel pressure to speak up quickly to demonstrate their belonging. Resist that urge. Early on, focus on asking clarifying questions rather than staking strong positions. For example:

  • “Can you walk me through the assumptions behind this forecast?”
  • “How does this proposal fit into our risk appetite?”

If you sense a question may take the discussion into the weeds, make a note and raise it later with the chair, CFO, or committee lead. This shows respect for the board’s time and demonstrates that you know when and how to engage.

3. Add Value in Your Lane

Compliance professionals bring unique expertise that most boards need. Use it wisely. Offer short, focused contributions that advance the discussion without grandstanding. Boards value directors who are helpful, not those who are performative. Demonstrate your ability to contribute in ways that strengthen governance. Examples include:

  • A memo on third-party risk in an emerging market.
  • A list of key oversight questions for AI adoption.
  • A template for crisis after-action reviews.

4. Build Relationships

Your effectiveness as a director depends on trust. Schedule one-on-ones with committee chairs, the CFO, the general counsel, and the CHRO. These conversations will help you understand priorities, build rapport, and identify how your skills can best complement the board. Ask open-ended questions such as:

  • “What keeps you up at night?”
  • “How can I be useful to you in this role?”

5. Model Integrity

Boards need truth-tellers, and compliance professionals are uniquely qualified for this role. If messaging strays from your values in a crisis or if you sense spin overtaking substance, speak up. Deliver the truth with respect, but do not shy away from speaking it. Integrity, modeled consistently, builds credibility faster than any technical expertise.

Learning the Subtle Arts: EQ, Voice, and Timing

Technical skills will get you to the boardroom. Emotional intelligence will determine your influence once you’re there.

1. Ask the Deceptively Simple Question

The best directors are not the ones who speak most often; they’re the ones who move the conversation the farthest. One way to do that is by asking questions that reframe the discussion. For example:

  • “What would have to be true for this initiative to fail?”
  • “Which stakeholders haven’t we heard from?”
  • “What’s our escalation trigger if this risk materializes?”

These questions cut through complexity and shift the board from passive review to active oversight.

2. Use Tone Intentionally

Tone is a powerful instrument. There are moments when it is necessary to be assertive, such as when the stakes are high or values are at stake. At other times, your role is to synthesize, invite, and build consensus.

By modulating your tone, you signal confidence without arrogance and influence without domination. Consider phrases like:

  • “I’m curious…” to open space for dialogue.
  • “I recommend…” when it’s time to guide toward a decision.

3. Find a Mentor

Every first-time director should find a seasoned board member to serve as an informal mentor. A five-minute call before or after a meeting can provide invaluable insight into board culture, expectations, and unwritten rules.

Ask them candidly: “How did I land in that discussion? Was my intervention useful? What would you have done differently?” That kind of feedback can accelerate your growth exponentially.

Beyond the First 90 Days: Building Long-Term Effectiveness

Once you’ve navigated your first board cycle, the question becomes: how do you sustain credibility and build influence over time?

1. Deepen Your Governance Acumen

Compliance professionals often arrive with strong risk instincts but limited exposure to broader governance topics, such as executive compensation, shareholder engagement, and capital allocation. Make it a goal to broaden your perspective. Read widely, attend director education programs, and seek assignments on committees outside your comfort zone.

2. Balance Oversight with Strategic Contribution

Boards do not want directors who only highlight risks; they want directors who help balance risk with opportunity. As a compliance professional, learn to frame your insights in terms of strategic choices. This positions you as a partner in growth, not just a gatekeeper. For example:

  • Instead of: “This market carries high corruption risk.”
  • Say: “Here are the three risk mitigation strategies we can pursue if we want to expand into this market. Each has different costs and oversight implications.”

3. Stay Curious and Current

The regulatory environment evolves constantly. Bring fresh insights on new enforcement trends, ESG requirements, AI governance, or data privacy. Share these in concise, board-relevant formats, such as one-page updates, dashboards, or curated case studies. Being the director who consistently adds current, relevant context makes you indispensable.

4. Protect Your Independence

Finally, never forget that your duty is to the organization and its stakeholders, not to management. Independence is your north star. If you sense pressure to conform or remain silent, remember that your value lies in your judgment, courage, and integrity.

Serving on a board for the first time is both an honor and a responsibility. For compliance professionals, it is also a natural progression. You already live in the space between risk and resilience, rules and judgment, compliance and culture.

To succeed, you must combine that technical expertise with the subtler arts of listening, timing, and relationship-building. Arrive prepared, model integrity, and contribute strategically. Do that, and you will not only occupy a seat at the table but also shape decisions that steer the organization toward long-term success.

Compliance Tip of the Day – So You Want to Be on a Board

Today’s episode continues our five-part series, considering several questions about compliance officers working with or on the Board, and moves on to how a CCO can make themselves more marketable to sit on a Board.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Board Week, Part 4: So You Want to Be on a Board

If you work in compliance, you already speak the language boards care about: risk, resilience, integrity, and long-term value. The opportunity now is to package your experience so that directors and the search firms who advise them will view you as a business voice who specializes in compliance, rather than the other way around. Drawing on insights from women leaders who have navigated their way to board service, along with hard-won boardroom lessons, we present today a step-by-step playbook for compliance professionals who want a seat at the table.

Reframe Your Value: From “Compliance Leader” to “Board-Ready Risk Strategist”

Boards add people to fill needs, not aspirations. Translate your day job into board outcomes.

As a CCO, you use judgment under uncertainty. Some of the key tasks of every compliance officer include triaging investigations, balancing disclosure risk, and managing interactions with regulators. Boards prize seasoned judgment more than technical depth. You also have a broad, enterprise risk lens. Recast hotline trends, third-party risk, sanctions exposure, data privacy, and culture measurement as strategy inputs and value protection, not just controls.

You should already have fluency in crisis preparation and management. You know incident response cycles (facts are murky, pressure is high, stakeholders differ). That calm, evidence-first approach is board gold. Finally, show that you understand the boundary: boards govern, while management operates. You can probe, synthesize, and guide without taking control of the show.

Deliverable: Write a one-page Board Bio (not a resume). Lead with judgment, strategy impact, crisis experience, and committee relevance (Audit/Risk/Gov). Keep it crisp; your first paragraph must sing.

Choose Your On-Ramps: Nonprofit, Private, Public—In That Order (Usually)

Recruiters fill a minority of board seats; most come through networks and word of mouth. For many compliance professionals, the fastest on-ramp is to mission-driven or local nonprofit boards, followed by private company boards, and then public boards.

Nonprofit boards hone the muscle memory of governance, committee work, and board dynamics. You learn agendas, pre-reads, fiduciary duties, and the cadence of challenge/support. You also practice EQ moves, such as knowing when to ask in the room versus follow up offline. Private company boards value operators who have built programs and navigated growth risk, a perfect fit for compliance leaders who have matured third-party, privacy, or cyber programs at scaling companies. Finally, public company boards hire for specific committee needs, prior board experience, and public company expertise (audit, compensation, nominating/governance, cyber risk).

Action to take: Pick three nonprofits whose mission you genuinely care about. Offer to help first (advisory project, committee seat), then raise your hand for the board. Passion + preparation beats paper credentials.

Build a Targeted Narrative, Not a Generic Pitch

Your pitch should not be “I want a board seat,” but rather “Here’s the problem I’m built to solve.”

If you are a controls/assurance pro (SOX, internal audit, investigations): position for the Audit or Risk committee. Emphasize financial integrity, whistleblower credibility, remediation discipline, and root cause rigor. If you are a tech-savvy, privacy-conscious, or cyber-savvy CCO, aim for Risk or Technology oversight. Stress incident playbooks, data governance, AI/ML risk, and cross-functional response. If your strength lies in cultural and ethical issues, look to Nominating and Governance committee needs: board composition, CEO succession risk, incentive design that deters misconduct, and culture as a control.

Homework: Then do industry homework. If you are targeting healthcare, life sciences, fintech, or manufacturing boards, read 10-Ks, enforcement actions, and peer risk factors; convert your experience into sector-specific oversight value.

Network Like It’s Your Job (Because It Is)

Board seats are an art, not a posting. Your path will resemble a mosaic more than a pipeline.

Warm introductions often outshine cold resumes. Tell three people each week (GCs, CFOs, fellow CCOs, auditors, and PE operating partners) exactly which needs you can fill and in which sector. Peer groups are multipliers. Join compliance councils, audit institute chapters, NACD/director forums, and alumni boards. Offer to moderate a panel on “Board Oversight of Third-Party Risk” or “AI and Culture Risk.” Finally, be visible in solving problems. Publish a short LinkedIn series on board-relevant topics (e.g., “A director’s five questions for sanctions exposure”). Speak briefly; show judgment.

Remember: Patience wins. Boards decide on quarterly cycles, not recruiting sprints.

Get Committee-Ready—Fast

Most first-time directors enter through committees. Make yourself instantly useful to each one:

  • Audit Committee – Develop an approach that ties investigations, SOX controls, fraud risk assessments, and hotline patterns to financial statement risk. Show how your work protected revenue or EBITDA.
  • Risk Committee – Bring a heat map that integrates cyber, third-party, geopolitical, product safety, and culture risk. Demonstrate scenario planning and escalation criteria.
  • Nominating/Governance Committee – Connect incentive structures, succession planning, ethics benchmarks, and board composition to long-term value.
  • Compensation Committee – Translate root causes of misconduct into incentive design advice (pay for how results are achieved, not just that they are achieved).

Deliverable: Create a two-page Board Briefing Pack you can share confidentially when asked: a sample dashboard, escalation triggers, and a case study where your counsel changed a decision.

Do the Diligence: Culture, Time, and Risk

Do not treat an offer like a trophy; do your homework on the company and the position. Ensure you are a cultural fit. Talk to multiple directors and at least two executives. Ask how the board challenges management, how dissent is handled, and how pre-reads and follow-ups actually work. If they are reluctant to connect you, that is a red flag. Make sure you understand the time reality. Beyond quarterly meetings, count committee meetings, prep, and off-cycle crises. Nonprofit boards can be especially “needy”; set eyes-open expectations. And last but certainly not least, tie down the D&O and indemnification. Always ask to see the policy and indemnity language, including limits, carve-outs, and advancement of expenses. For public or PE-backed companies, confirm coverage by entity and by capacity.

Make Your Board Bio and Outreach Ready This Month

Create a one-page Board Bio. It should contain an opening (3–4 lines) that demonstrates your judgment, sector context, and committee fit (e.g., “Audit/Risk-ready executive who led global compliance and crisis response across 30 countries; proven board advisor on cyber, sanctions, and culture risk”). It should contain 3–5 selected impact bullets tying actions you have taken to outcomes (“Reduced investigation cycle time 40% and increased substantiation quality; informed board decision to exit a high-risk distributor, avoiding potential enforcement exposure”). Add your board interests: selected industries, committee preferences, and geography. Of course, add your contact information.

Action: Take this and create an outreach list with 15 names, including those from legal, finance, audit, PE ops partners, CEOs you’ve advised, and nonprofit leaders. Ask for needs-first conversations, not a seat at the table.

Final Word: You’re More Board-Ready Than You Think

Boards do not need passengers; they need steady judgment, crisis fluency, and a practical grasp of how controls become strategy. That’s your wheelhouse. Do the homework, shape a needs-first narrative, and start where you can make an impact now. The seat will often come from a conversation you did not know would matter.

And when it does, remember the rule that separates great directors from the rest: noses in, fingers out, with a steady hand on the compass of integrity.

30-60-90 Action Plan

Next 30 days

  • Draft board bio + two-page briefing pack.
  • Reconnect with five execs who’ve seen your judgment under pressure; ask for introductions to their board contacts.
  • Identify and approach one nonprofit and one private company where your risk expertise is directly relevant.

Days 31–60

  • Speak on one panel/webinar: “Board Oversight of Third-Party & Sanctions Risk” or “What Directors Need to Know About AI and Culture.”
  • Conduct three informational interviews with current directors and refine your narrative based on their feedback.

Days 61–90

  • Commit to a nonprofit board or board committee role.
  • Join a director education program (NACD or equivalent) and complete a module on Audit/Risk oversight.
  • Publish a three-post LinkedIn series: “A Director’s Playbook for Crisis Escalation,” “Five Board Questions for AI Risk,” “Culture as a Control.”

Categories
Compliance Tip of the Day

Compliance Tip of the Day – The CCO Role in Preparing the Board for the Next Crisis

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

We continue our five-part series, considering several questions about compliance officers working with or on the Board. Today, we consider the role of a CCO in preparing a Board for the next crisis.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Categories
Blog

Board Week, Part 3: The CCO’s Role in Preparing a Board for the Next Crisis

Crisis is no longer a rare event. From ransomware attacks and regulatory shocks to activist investors and CEO departures, boards today operate in an environment defined by volatility and disruption. PwC’s recent memorandum, “Being Prepared for the Next Crisis,” highlights the importance of boards adopting a proactive approach to resilience and oversight. However, while directors bear the primary responsibility for governance, a Chief Compliance Officer (CCO) plays a distinct role: ensuring that the board is informed, equipped, and prepared to respond effectively.

The CCO is often the organization’s “early warning system,” translating risks from the operating level into insights for the board. In a crisis, this role becomes magnified. The CCO must help the board anticipate threats, stress-test plans, and avoid the common pitfalls that derail effective responses. Today, we will explore how CCOs can adapt the PwC framework into a playbook to guide the board through the crisis preparedness lifecycle.

1. Before the Crisis: Embedding Compliance into Resilience Planning

The best crisis plans are living documents that are constantly updated, tested, and integrated across all functions. For CCOs, the challenge is to ensure compliance and ethics considerations are built into those plans from the start.

The CCO’s Role:

  • Cross-functional integration. Ensure that the compliance function sits at the crisis planning table alongside risk, legal, and operations. Issues such as bribery, data privacy breaches, or third-party misconduct can escalate into crises if left unaddressed.
  • Scenario planning. Push for tabletop exercises that include compliance scenarios—not just cyber breaches. A dawn raid by regulators, whistleblower allegations, or sanctions violations should all be tested with the board. Most boards are fixated on cyber exercises (81%) while under-testing activist campaigns, fraud investigations, and geopolitical risks. The CCO can broaden that scope.
  • Defining escalation triggers. Collaborate with management and the board to define when compliance issues rise to the level of a board crisis. For example, a government subpoena, a major third-party red flag, or media exposure of misconduct should be predefined as triggers for immediate notification to the board.

By embedding compliance into resilience planning, the CCO ensures that ethical and regulatory risks are not afterthoughts but central to the crisis playbook.

2. During the Crisis: Supporting the Board’s Oversight and Communications

Once a crisis hits, speed and clarity are critical. Work to avoid pitfalls such as “leaping before looking,” minimizing the problem, or losing credibility with stakeholders. Here, the CCO becomes the board’s translator and truth-teller.

The CCO’s Role:

  • Facts over speculation. Ensure that communications to the board are grounded in verified information. If facts are incomplete, emphasize transparency about what is known and what remains to be investigated.
  • Maintaining authenticity. Compliance leaders are custodians of corporate values. During crisis communications, the CCO should challenge management if the messaging strays from the organization’s ethical commitments. As PwC notes, stakeholder trust depends on alignment with company values.
  • Stakeholder inclusivity. Understand the importance of addressing all stakeholders, not just the loudest. The CCO should ensure employees are included in the communication strategy. In many crises, employees are both victims and messengers. If left uninformed, they can become sources of rumor or disengagement.

The CCO also helps the board resist the temptation to downplay severity. Regulators and investors are unforgiving of minimization. Credibility, once lost, is difficult to recover.

3. After the Crisis: Driving Root Cause Analysis and Continuous Improvement

The PwC framework underscores the importance of post-event reviews, root cause analysis, and continuous improvement. For CCOs, this is where compliance expertise shines.

The CCO’s Role:

  • Independent assessment. If misconduct or governance failures triggered the crisis, the CCO should advocate for independent investigations to determine the cause. This not only ensures credibility but also demonstrates the board’s seriousness in remediating gaps.
  • Root cause focus. Compliance officers are trained to ask “how and why.” A surface-level review, examining what happened and the actions taken, overlooks the deeper cultural or control weaknesses that enabled the crisis to occur. Without addressing these, organizations remain vulnerable.
  • Policy and training updates. Post-crisis reviews should feed directly into compliance programs. If a whistleblower report was ignored, revise reporting protocols. If a sanctions violation occurred, strengthen third-party screening.
  • Board education. Provide directors with debriefs on regulatory trends that emerged during the crisis. For example, if a DOJ enforcement action shaped the company’s response, explain the broader implications for future oversight.

By institutionalizing lessons learned, the CCO helps the board convert a painful episode into a competitive advantage.

4. The CCO as the Board’s Crisis Sherpa

PwC notes that boards must guide management without becoming overwhelmed themselves. In practice, this requires a trusted advisor who can translate complexity, cut through the noise, and flag issues that rise to governance levels. That advisor is often the CCO.

The CCO’s Role:

  • Regular briefings. Establish quarterly “crisis readiness” updates for the board, led by compliance. These sessions review recent regulatory developments, whistleblower trends, and geopolitical risks.
  • Committee alignment. Work closely with the audit or risk committee to ensure that crisis oversight responsibilities are clearly defined and understood. In some cases, a compliance liaison may be designated to report directly to the board during a crisis.
  • Tone from the top. Model ethical courage in board communications. If executives resist disclosure or push spin, the CCO must be willing to articulate the risks of opacity. The board relies on the unvarnished truth, even when it is uncomfortable to hear.

The CCO, in essence, becomes the board’s crisis sherpa: guiding directors through treacherous terrain with foresight, facts, and fidelity to values.

5. A CCO’s Checklist for Board Crisis Preparedness

To translate this into action, here’s a compliance-focused checklist adapted from PwC’s recommendations:

  1. Ensure crisis plans are compliance-inclusive. Integrate regulatory, ethical, and third-party risks into enterprise crisis planning.
  2. Broaden board exercises. Advocate for tabletop simulations that extend beyond cyber—encompassing fraud, sanctions, whistleblower events, and activist campaigns.
  3. Define escalation triggers. Codify the process for escalating compliance issues to the board.
  4. Champion transparent communication. Push for fact-based, values-aligned messaging during crises.
  5. Include employees. Make internal communications as robust as external messaging.
  6. Drive post-crisis reviews. Lead root cause analysis and ensure findings inform compliance program updates.
  7. Educate directors. Keep the board informed about current regulatory expectations and cultural red flags.

Preparing the Board for the Crisis That Hasn’t Happened Yet

As PwC observes, a crisis is no longer hypothetical; it is cyclical. Boards that prepare systematically will emerge stronger. But preparation is not solely the task of directors or management. The Chief Compliance Officer must bridge the gap by embedding compliance into resilience plans, guiding directors during responses, and ensuring that lessons are institutionalized after the fact.

The next crisis will come. We don’t know whether it will be a cyber, regulatory, or reputational issue. But we do know this: the boards that succeed will have a compliance leader at their side, someone who combines regulatory expertise with cultural insight, and who can guide directors through the storm with clarity and integrity.

That is the CCO’s role. And it may be the most important contribution compliance makes to long-term corporate resilience.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – A CCO Playbook to Master Board Communications

We continue our five-part series, considering several questions about compliance officers working with or on the Board. Today, we consider how CCOs use a playbook to master Board communications.

Categories
Blog

Board Week, Part 2: Mastering Boardroom Communication: A Chief Compliance Officer’s Playbook

Boardroom communication is not just a matter of style; it is a skill every Chief Compliance Officer (CCO) needs. In today’s environment of heightened regulatory scrutiny, geopolitical disruption, and rapid technological change, a CCO sits squarely at the intersection of risk, ethics, and strategy. How a CCO communicates with the board can shape director confidence, influence resource allocation, and ultimately determine whether compliance is viewed as a strategic partner or a cost center.

A recent Harvard Law School Forum on Corporate Governance article outlined five essentials for executives engaging with their boards. For CCOs, these essentials carry even more weight. Compliance is often the messenger of uncomfortable truths: misconduct uncovered, regulatory inquiries, or cultural red flags that leadership may prefer to avoid. Delivering these messages effectively requires preparation, precision, and presence. In this blog post, we will explore how CCOs can adapt these five essentials to elevate their boardroom communication.

1. Invest in Relationships: Building Trust Before the Crisis

For CCOs, credibility with the board is currency. Relationships cannot be built during a crisis; they must be established well in advance of one arriving. Intentional relationship-building with directors pays dividends. CCOs should regularly meet with audit and compliance committee chairs outside of formal sessions. These pre-meeting touchpoints allow you to test messaging, gauge concerns, and set expectations. They also build the trust needed when delivering difficult news, such as a whistleblower report implicating senior leadership or an FCPA investigation.

Equally important, CCOs must present a united front with fellow executives. Fragmented messaging from the CCO versus the CFO or General Counsel undermines board confidence. Directors want assurance that compliance is embedded across all functions, not confined to silos. Demonstrating cross-functional collaboration signals maturity and readiness. You can provide directors with candid “heads-up” updates on emerging risks. If the Department of Justice signals a shift in compliance program evaluation (as it did with the 2024 ECCP Update), brief your directors in advance. Early transparency fosters credibility.

2. Know Your Audience: Translating Compliance into Board Priorities

Directors are a distinct audience; they are seasoned leaders with broad but varied expertise. The article emphasizes the importance of tailoring messages to individuals’ backgrounds and perspectives. For CCOs, this means translating compliance risks into business-relevant language. For example, when discussing data privacy, it is best to avoid using technical jargon. Instead, connect privacy risks to reputational harm, customer trust, and market access. When discussing sanctions enforcement, frame it in terms of geopolitical instability and supply chain resilience.

CCOs must also bridge perspective gaps between management and the board. Senior executives often want boards to add expertise in emerging areas, such as AI, but directors are slower to prioritize it. The CCO’s role is to highlight how these gaps translate into real risk exposure. If the board does not see the value of AI oversight on its agenda, provide evidence, such as regulator speeches, enforcement trends, and peer actions. Do your homework: know which directors come from legal, financial, or technology backgrounds. A director with former regulatory experience will expect different details than one with private equity experience. Anticipating these perspectives ensures that your compliance story resonates.

3. Prepare What You Will Share: Making Compliance Digestible

The board’s time is scarce. As the article notes, directors want strategy, not operations. That makes the pre-read and presentation materials critical tools for the CCO. Your pre-read should strike a balance: concise enough to be digestible, but substantive enough to demonstrate rigor. A best practice is a one-to-two-page executive summary highlighting:

  • Key compliance risks and emerging issues.
  • Required board actions (e.g., policy approval, risk appetite setting).
  • High-level metrics (e.g., hotline trends, third-party due diligence outcomes).

Supporting dashboards or appendices can provide depth for directors who want to dive in. Use visuals such as heat maps, trend charts, and red/yellow/green risk indicators to cut through dense text. During the meeting, avoid repeating the pre-read. Instead, highlight the “so what”: why a risk matters now, how it aligns with strategy, and what action is needed. For example: “We are seeing a 40% increase in third-party red flags in Latin America. This aligns with the DOJ’s recent statements on third-party risk. We recommend enhanced monitoring of intermediaries before the next audit committee meeting.”

End with a clear ask: whether you need endorsement, resources, or merely board awareness. Ambiguity is the enemy of effective compliance communication.

4. Manage the Meeting: Maximizing Scarce Minutes

Most CCOs are allocated just 15–20 minutes on a crowded board agenda. This means every minute counts. Enter with a game plan: two or three key messages, delivered crisply. Speak for no more than half the time; reserve the rest for questions and answers. Board members’ questions are where trust is built and oversight is demonstrated.

If the meeting drifts into operational details, such as the specifics of a particular investigation, steer the conversation back to the strategic view: patterns, controls, and lessons learned. Capture follow-up items and commit to deliver them post-meeting. This demonstrates respect for the board’s time while ensuring no issue is left unresolved. Align with the corporate secretary to understand time allocations and broader agenda flow. If your presentation follows the CFO’s, anticipate financial framing; if it precedes the General Counsel’s, coordinate on legal versus compliance perspectives. Seamless alignment avoids director confusion and reinforces management cohesion.

Above all, project confidence. If you appear tentative when discussing risks, directors may question the maturity of your program. Credibility is as much about presence as it is about content.

5. Continue the Conversation: Compliance as a Constant Dialogue

Boardroom communication does not end when the gavel falls. You should reach out to board members to cultivate ongoing engagement. For CCOs, this is mission-critical. Complex topics, such as sanctions, cybersecurity, or ESG reporting, cannot be fully explored in a single board session. Utilize committee meetings or off-cycle workshops for in-depth discussions and analysis. For example, a compliance officer might host a session with the audit committee on DOJ expectations for root cause analysis, tying it to the company’s investigation protocols.

Follow up after meetings with concise updates. If a regulator issues new guidance relevant to a recent board discussion, send a one-page summary highlighting its implications. Demonstrating responsiveness keeps compliance at the forefront and positions you as a trusted advisor. Finally, monitor evolving board concerns. Directors’ focus shifts with the environment—activist campaigns, regulatory changes, or high-profile enforcement actions. Staying attuned allows you to tailor communications to what keeps your directors up at night.

The CCO and the 3 ‘T’s

Boardroom communication is not about dazzling directors with slides or overwhelming them with data. For the Chief Compliance Officer, it is about trust, translation, and truth. (1) Trust, because relationships established before crises determine how your messages are received in a storm. (2) Translation, because directors need compliance framed in terms of strategy, value, and risk, not technical minutiae. (3) Truth, because your role is to surface uncomfortable realities. This means discussing topics such as cultural weaknesses, compliance failures, and regulatory gaps that others may prefer to avoid.

Board time is limited and precious. For CCOs, mastering the art of concise, transparent, and strategic communication is not optional. It is the difference between compliance being perceived as a watchdog or as a partner in building resilient, ethical, and sustainable business practices.

The boardroom is your stage. Prepare, practice, and perform with clarity. The future of your compliance program and your credibility as its leader may depend on it.