Tag: CCO

Categories
Blog

Auditors and Compliance: Part 2 – Ten Key Takeaways for Compliance Professionals

The PCAOB’s recent information release, SPOTLIGHT Auditor Responsibilities for Detecting, Evaluating, and Making  Communications About Illegal Acts, is a critical guide for compliance professionals. The SPOTLIGHT sets out the role of auditors in assessing a company’s compliance with laws and regulations, particularly how auditors must identify, evaluate, and communicate potential illegal acts. However, for compliance officers, the SPOTLIGHT highlights areas where compliance and audit functions intersect and emphasizes collaboration’s importance to maintaining regulatory adherence and upholding financial integrity. Yesterday, we reviewed the roles and duties assigned to auditors. Today, we will dive into the 10 key takeaways for compliance professionals, outlining what they need to know to align their efforts with audit processes and effectively support their organization’s commitment to compliance.

  • Understand the Auditor’s Role in Identifying Illegal Acts

Auditors have a duty to detect and evaluate illegal acts that could materially impact a company’s financial statements. This includes assessing the potential effect of any illegal activity on the company’s financials and reporting these issues to management, the audit committee, and sometimes to the SEC. Compliance professionals need to understand this role to support auditors in fulfilling these obligations, especially by maintaining a strong compliance program that actively monitors regulatory adherence. Compliance should ensure that internal policies align with PCAOB standards and legal requirements, helping auditors conduct a thorough risk assessment as part of their evaluation.

  • Maintain Transparent and Open Communication Channels

Transparency and open communication are vital for a successful compliance-audit relationship. Auditors depend on information from management, the audit committee, and legal counsel to identify and evaluate potential violations. Compliance professionals should facilitate open communication with auditors and provide timely access to relevant information. This includes documentation from internal investigations, responses to auditor inquiries, and any corrective actions taken to address potential illegal acts. Proactively sharing information about compliance efforts demonstrates a commitment to ethical practices and supports auditors’ work to provide an accurate assessment of the company’s financial statements.

  • Foster a Strong Internal Reporting Culture

Auditors must inquire about complaints and tips, including those from whistleblower programs. For compliance professionals, this highlights the importance of fostering an internal reporting culture where employees feel safe raising concerns. A robust whistleblower program and other internal reporting mechanisms help identify potential illegal acts early, allowing the company to take action before issues escalate. Compliance teams should ensure employees know how to report concerns confidentially and clearly communicate that the company prohibits retaliation against whistleblowers. This can help create a steady pipeline of information that aids both compliance and audit functions in proactively addressing potential issues.

  • Document Document Document

Thorough documentation is crucial in every compliance arena, whether regulatory reporting, high-value transactions, or industry-specific regulations. (The Tom Fox Mantra Document Document Document.) Compliance professionals should maintain clear records of all compliance activities, internal investigations, and responses to auditor inquiries. By providing auditors with well-documented information, companies can help auditors assess whether any potential illegal acts are isolated incidents or indicative of broader compliance concerns. Such documentation facilitates the audit process and demonstrates to regulators a serious commitment to compliance.

  • Prioritize High-Risk Areas with Targeted Monitoring

Auditors focus on high-risk areas in their evaluations, such as transactions or activities with greater potential for legal violations. Compliance professionals should proactively monitor these high-risk areas to detect and mitigate issues before they escalate. For instance, compliance in industries with high regulatory scrutiny should ensure that the organization adheres to all industry-specific legal requirements. Regularly evaluating high-risk areas through targeted monitoring helps create a solid foundation for internal and external financial statement audits, reducing the chance of undetected illegal acts.

  • Be Prepared to Act on Auditor Findings Promptly

When auditors identify potential illegal acts, it is essential for compliance to respond swiftly and decisively. This involves conducting a thorough internal investigation and determining any required disclosures or corrective actions. From there, you should perform a Root Cause Analysis and then proactively address any concerns from auditors to help the organization maintain transparency and avoid further regulatory scrutiny. A prompt response strengthens the relationship between the compliance and audit functions and demonstrates to auditors and regulators a proactive approach to managing and mitigating compliance risks.

  • Strengthen Leadership’s Commitment to Compliance

The PCAOB emphasizes the importance of a “tone at the top” in its guidance, noting that auditors consider a company’s commitment to compliance when assessing potential illegal acts. Compliance teams should work with executive leadership to promote a strong culture of ethics and compliance, as this can significantly impact employee behavior and organizational practices. A commitment to compliance at the leadership level signals to employees that ethical conduct is a priority, supporting the organization’s overall compliance efforts. When leadership promotes compliance, employees are more likely to report concerns, and auditors can rely on the company’s internal controls and integrity.

  • Prepare for Potential Notification

If auditors discover a material illegal act and management fails to take appropriate action, the auditor may be required to notify the SEC or DOJ. For compliance professionals, this highlights the importance of swift and transparent responses to any findings of illegal activity. Working closely with auditors to address material findings and avoid potential SEC/DOJ notification is crucial. When the compliance function demonstrates a proactive approach to addressing auditor findings, it helps maintain the organization’s reputation, strengthens auditor relationships, and reduces the likelihood of regulatory intervention.

  • Regularly Review and Update Compliance Training

Auditors also assess a company’s internal compliance functions, including how well employees understand and adhere to compliance obligations. Regular compliance training ensures that employees are informed about identifying and reporting illegal acts, understand whistleblower protections, and know the resources available to them. Compliance professionals should review and update training programs frequently to address any changes in laws or regulations and any emerging risks specific to the company’s industry. Effective training reinforces employees’ commitment to ethical behavior and supports the company’s internal controls, bolstering the compliance-audit relationship.

  • Emphasize Materiality Assessments in Compliance Evaluations

When auditors evaluate the impact of illegal acts, they consider both quantitative and qualitative materiality. Compliance teams should adopt a similar approach when assessing potential violations. For instance, even a small illegal payment could be material if it raises ethical concerns or results in contingent liabilities. By considering potential violations’ financial and reputational implications, compliance teams can better assess the materiality of issues and take appropriate corrective action. This approach aligns with auditor standards and helps create a thorough and effective compliance environment.

Strengthening Compliance and Audit Collaboration

The PCAOB’s guidance reminds compliance professionals that a proactive approach to detecting, evaluating, and addressing potential illegal acts is essential. By understanding the auditor’s role and aligning compliance practices with PCAOB and SEC standards, compliance teams can effectively support auditors and contribute to a thorough evaluation of the organization’s adherence to laws and regulations.

A corporate compliance function plays a crucial role in creating a transparent, accountable organization where employees feel empowered to raise concerns and management responds promptly to address potential issues. Strong compliance-audit collaboration enables companies to build trust with regulators and stakeholders, demonstrating a commitment to ethical business practices. By implementing these takeaways and fostering a culture of compliance, companies can better navigate regulatory requirements and mitigate the risk of material misstatements or regulatory penalties, upholding the integrity of their financial statements and safeguarding their reputation in an increasingly scrutinized environment.

Categories
Great Women in Compliance

Great Women in Compliance – Joy Hayes and Gitanjali Sakhuja on Expats and Repats: Working Abroad & Reentry to the US

Welcome to the Great Women in Compliance podcast with Hemma Lomax and Lisa Fine, sponsored by Corporate Compliance Insights. Have you considered being an Expat and what it’s like to return after being abroad? This #GWIC episode explores what you need to know on both legs of the journey and the rich personal and professional growth that comes from immersing yourself in another culture and country.

Our expat guests, Joy Hayes, who has just moved to Geneva, Switzerland, and Gitanjali Sakhuja, who has worked in seven different countries and is now back in the U.S., share their journey, tips, and practical advice. Their insights range from when you decide to work in another country to when you return home – and some great experiences (and challenges). Ellen Hunt leads this roundtable discussion with our guests, who share their personal experiences and professional insights on becoming an expat and repat, including balancing expectations, the importance of language proficiency, and the challenges of tax and visa regulations. They also delve into the emotional aspects of adjusting to life abroad and the reentry process, offering practical tips and anecdotes. 

Thanks, as always, to our sponsor, Corporate Compliance Insights, and our wonderful #GWIC community.  You can join the Great Women in Compliance community on LinkedIn here.

Categories
10 For 10

10 For 10: Top Compliance Stories For the Week Ending November 16, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings you the compliance professional and the compliance stories you need to know to end your busy week. Sit back, and in 10 minutes, hear the stories every compliance professional should know from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • Meta fined $840MM in EU for anti-trust violations. (NYT)
  • SBF LT. Builds fraud detection tool for DOJ. (Reuters)
  • Shell wins appeal in landmark climate case. (NYT)
  • ADM CCO steps down amid probe.  (Bloomberg)
  • End of ESG and crypt initiatives at SEC. (WSJ)
  • What science reveals about corruption. (El Pais)
  • Telefónica Venezuela settles FCPA action. (WSJ)
  • Handling a difficult employee with health issues. (NYT)
  • Hidden cost of textile and apparel non-compliance. (Homeland Security Today)
  • NetEase execs arrested for bribery and money laundering.  (biz)

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Empowering Middle Managers: A Compliance Training Guide

A culture where employees feel safe to voice concerns through a speak-up culture is foundational to an ethical and compliant organization. However, fostering this environment is a two-way street; employees must feel encouraged to raise issues and confident that their voices will be heard and respected. Middle managers play a vital role in this process, serving as a bridge between employees and leadership. Training these managers to be effective listeners and supportive leaders is critical to embedding a true speak-up and listen-up culture. Today, I want to provide a comprehensive guide to structuring compliance training for middle managers to empower them in this essential role.

Establishing a Foundation for Openness and Trust

Middle managers are often employees’ first contact when they have questions, suggestions, or concerns. For this reason, the training should prioritize methods to create a welcoming and open environment. Employees are more likely to speak up in a space where psychological safety is present.

Training should focus on helping managers:

  • Set a Positive Tone. Managers can model openness by actively seeking input, acknowledging diverse viewpoints, and demonstrating that they value honest feedback.
  • Practice Respectful Communication. Respect and empathy should be at the core of all interactions. Managers should receive guidance on fostering a culture where positive or critical feedback is welcomed and used constructively.
  • Address Barriers to Speaking Up. Training should include understanding common barriers, such as fear of retaliation or judgment, that might deter employees from sharing their concerns. Managers need to learn techniques to overcome these barriers, assuring employees that feedback is welcomed and issues are handled impartially

Mastering the Art of Active Listening

Active listening is the cornerstone of a listen-up culture. To create a sense of safety and encourage more openness, managers should learn to develop strong listening skills:

  • Concentrate on the Speaker. Active listening involves more than just hearing words; it means being fully engaged and present. Managers should learn techniques to eliminate distractions, maintain eye contact, and show genuine interest in the employee’s concerns.
  • Show Empathy and Support. Employees feel more valued when managers respond with empathy. Compliance training should include exercises to help managers practice empathy in real-time, learn to listen without judgment, and offer support without prematurely reaching conclusions.
  • Utilize Non-Verbal Communication. Body language and facial expressions are powerful communicators. Managers should be trained to become aware of their non-verbal cues, such as maintaining an open posture, nodding, and mirroring, to convey that they are fully engaged and receptive to what the employee shares.

Reinforcing Confidentiality and Non-Retaliation

One of the most significant obstacles to a speak-up culture is the fear of retaliation or breach of confidentiality. Employees need assurance that speaking up will not negatively impact their role or relationships within the company. Training should address these concerns by teaching managers how to:

  • Communicate Non-Retaliation Policies. Emphasize that the organization has a strict non-retaliation policy and that any reports made in good faith will not be used against the employee. Managers should be trained on what this means in practice and how to reiterate this assurance to their team.
  • Model Confidential Handling of Concerns. Managers must understand the importance of discretion and keeping sensitive information within appropriate boundaries. Training should cover practical examples and role-playing exercises to help managers practice discretion when handling real-life scenarios.
  • Know When and How to Escalate. Managers should learn the correct escalation protocols for concerns beyond their control, including when to involve HR, compliance, or other internal functions. This keeps matters within formal channels, allowing for a structured and consistent response to concerns.

Responding to Concerns with Consistency, Integrity, and Fairness

Consistency in handling concerns signals to employees that their voices are valued and treated equally. To encourage this, compliance training should incorporate strategies for managing responses to sensitive issues fairly and respectfully:

  • Role-Playing Scenarios. Managers should engage in simulated situations where they practice responding to different concerns, such as interpersonal conflicts, compliance issues, or ethical dilemmas. By exploring these scenarios, managers can prepare for potential challenges in a controlled environment, making them better equipped to handle real situations confidently.
  • Guided Self-Reflection and Assessments. Managers should regularly evaluate their response styles to ensure they meet company fairness, integrity, and transparency standards. Compliance training can include guided assessments that help managers identify areas for improvement, such as biases or tendencies that may unintentionally affect their responses.
  • Implement Escalation Protocols. Managers must understand that not all concerns can or should be handled independently. Training should include guidance on the importance of escalating certain issues, such as legal or safety concerns, to the compliance department or other designated channels. This structured process ensures consistency, limits liability, and enhances employee trust in it.

Using Feedback Loops to Promote Continuous Improvement

For a speak-up culture to thrive, there should be an ongoing feedback and improvement process. Regular communication and consistent messaging from middle managers are essential to reinforcing this culture:

  • Creating a Culture of Continuous Dialogue. Managers should be encouraged to check in with their teams regularly rather than wait for annual reviews or structured feedback sessions. This open, continuous dialogue builds familiarity and trust, making it easier for employees to speak up when they have concerns.
  • Leveraging Digital Communication Tools. Managers can integrate compliance reminders, policy updates, and reinforcement of ethical standards into digital platforms where employees frequently engage. For example, using intranet channels or corporate social media platforms allows periodic messages, reminders, and success stories to be shared, helping employees internalize compliance messages over time.
  • Self-Assessments for Managers. Incorporate periodic self-assessment exercises, where managers reflect on their actions and impact on the speak-up culture. This can include anonymous feedback from employees, allowing managers to gain insight into their perceptions and identify improvement areas. Regular self-assessments reinforce accountability and ensure that managers remain aligned with the company’s compliance goals.

Instilling the “Listen-Up” Culture in Managerial Training

A listen-up culture goes hand-in-hand with a speak-up culture. For managers to effectively handle the concerns brought forward, they must receive dedicated training on what it means to listen up:

  • Developing Emotional Intelligence. Managers should be trained to be aware of their emotions and biases. Emotional intelligence is crucial in handling sensitive topics, as it allows managers to approach discussions with patience, empathy, and a genuine willingness to understand employees’ perspectives.
  • Creating Safe Spaces in Daily Operations. Rather than waiting for formal review sessions, managers can be trained to set aside dedicated time during team meetings to allow employees to voice questions or concerns. Encouraging open discussions in a safe environment reinforces that the company values and listens to employee feedback on compliance issues.

A Continuous, Proactive Approach to Compliance Culture

By empowering middle managers to build trust, actively listen, and foster an open dialogue, a company can lay the groundwork for a resilient compliance culture. The speak-up and listen-up approach is about avoiding ethical or legal breaches and creating a workplace where employees feel valued and respected, leading to better overall engagement and performance. Compliance training that encourages middle managers to foster this culture of openness is an investment in the company’s ethical foundation and its long-term success. Ultimately, a strong compliance culture is only as robust as those who support and enact it, and middle managers are a critical part of that foundation.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – 5 Keys to Compliance Communication

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider 5 keys to building a culture of trust and engagement in your organization.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Blog

5 Keys to Compliance Communication: Building a Culture of Trust and Engagement in Your Organization

When it comes to corporate compliance, transparent and effective communication is non-negotiable. Your employees are not only the first line of defense but are also the customers of your compliance program. A well-communicated compliance function can shift the perception of compliance from a bureaucratic formality to a valued corporate asset. To establish this, compliance professionals must adopt a 360-degree communication approach emphasizing openness, interactivity, and alignment with company values.

Here are five keys to building a robust compliance communication framework within your organization:

Start with Clear Objectives: Define the “Why”

The first step to any successful compliance communication strategy is clarity of purpose. Before launching any campaign or distributing messaging, ensure you know why you are communicating in the first place. Some key questions include: Are you aiming to educate employees about new policies?

  • Does it reinforce the importance of ethical behavior? Prompt employees to report potential issues.
  • Will each goal shape your message and each audience within your company? Tailored messaging is required to understand the importance and relevance of your compliance program from the board of directors to the newest hires (from the boardroom to the shop floor).

If you aim to increase awareness of anti-corruption policies, your communication might center around the organization’s stance on integrity and honesty. However, if you encourage a speak-up culture, the message might emphasize confidentiality, support, and the importance of reporting misconduct. Ensuring your message has a clear and measurable objective can affect how it is received and whether employees take action.

Know Your Audience: Tailor Your Message for Maximum Impact

A single compliance message may only resonate with some in your organization. In any corporation, there are multiple audiences, including employees, senior leadership, middle management, external partners, and board members, all of whom have varying levels of familiarity with compliance topics. Recognizing and addressing these differences can significantly boost your messaging’s effectiveness.

For example, your frontline employees may need a straightforward explanation of policies and accessible reporting channels. Meanwhile, senior management may focus on the high-level implications of compliance initiatives on business strategy. A one-size-fits-all approach is less effective; instead, communicate with your audience in mind, considering their needs, knowledge level, and preferred communication channels.

Embrace Two-Way Communication: Build a Culture of Trust and Feedback

One of the most crucial aspects of compliance communication is creating an open line of dialogue, both up and down the chain. Employees should feel comfortable receiving compliance information, asking questions, seeking clarification, and providing feedback. Compliance should not be a one-way street; organizations must encourage interaction and feedback to build an authentic culture of ethics and accountability.

Integrating feedback mechanisms, such as surveys, focus groups, or town hall meetings, allows you to gauge employees’ understanding of compliance topics and uncover areas for improvement. But always remember that in compliance, we are only limited by our imaginations. Dun & Bradstreet CCO Louis Sapirman implemented a “Chatter Jam” for all company employees several years ago. It was a real-time discussion on an internal platform where employees shared their views on compliance topics like the company’s Code of Conduct. This open dialogue allowed the compliance team to hear employee concerns directly and make real-time adjustments.

In addition to these formal feedback channels, informal communication should be encouraged. Ensure employees know they can speak up without fear of retaliation. In doing so, you’re promoting compliance and creating an environment where ethical concerns can be discussed openly, ultimately preventing small issues from becoming major risks. 

Consistency and Frequency: Keep Compliance Top-of-Mind

Effective compliance communication is not a one-off event but a continuous conversation. Reminders and reinforcements must be consistent and frequent for employees to internalize compliance principles. Use multiple communication channels to keep compliance messages front and center. This can include periodic emails, newsletters, short videos, or even social media-style updates on internal platforms.

Consistency doesn’t mean redundancy; it’s about finding fresh ways to reinforce fundamental compliance principles. For example, the DOJ’s 2020 FCPA Resource Guide, 2nd edition, emphasizes that regular communication about compliance expectations helps companies demonstrate their commitment to ethics and compliance. Even brief reminders can have a lasting impact. Remember Morgan Stanley’s case, where they sent 35 compliance reminders over seven years to reinforce anti-bribery policies. The company’s diligence in maintaining consistent messaging resulted in receiving a declination from the DOJ when one of its managing directors was involved in misconduct.

Regularly communicating compliance expectations also helps create a sense of normalcy around compliance issues, positioning compliance as a natural part of everyday operations rather than an occasional reminder or, worse, a reactive measure only brought up after an incident occurs.

Foster Engagement Through Storytelling and Real-World Examples

Human beings are naturally drawn to stories, so it is no surprise that storytelling is one of the most effective ways to communicate compliance issues. Sharing real-world examples of positive and negative outcomes can help employees better understand the importance of compliance and the risks associated with unethical behavior. When employees see real-life scenarios, they can more easily relate to how compliance impacts their roles and the company’s success.

Using case studies from your industry to illustrate the potential consequences of non-compliance. Highlighting scenarios where similar companies faced penalties due to lapses in compliance can make the risks feel more tangible. Conversely, sharing success stories within your organization, such as how a well-trained team prevented a potential compliance breach, can reinforce the value of compliance.

Storytelling also applies to compliance champions within the organization. Showcase individuals or teams who have exemplified ethical behavior and contributed positively to the compliance culture. Celebrate these “compliance heroes” publicly, whether in internal newsletters, company meetings, or digital screens throughout the office. Recognizing and celebrating compliance efforts in this way can have a ripple effect, inspiring others to follow suit.

Bringing it All Together: The 360-Degree Compliance Communication Model

Incorporating these five keys into your communication strategy will help establish a 360-degree approach to compliance that keeps the program visible, relevant, and actionable across the organization. It’s about more than simply sending information; it’s about creating a dynamic, two-way exchange that reinforces compliance as an integral part of your company culture. When compliance communication is objective-driven, audience-centered, interactive, consistent, and engaging, you build trust and accountability within the organization.

A robust compliance communication strategy positions your program not as a barrier to business but as an ally, helping employees navigate ethical challenges confidently. By adopting these five keys, compliance leaders can shift the perception of compliance from a mandatory obligation to a trusted, positive influence on the company’s success. It’s a win-win for employees and the organization, promoting ethical conduct while protecting its reputation and bottom line.

In the end, remember this: compliance communication is not simply about conveying rules and policies. It is also about building a culture where employees feel supported, informed, and engaged in upholding the company’s values. The real measure of success in compliance communication is when employees understand, embrace, and live out these values in their daily work.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Board Questions and Metrics for 3rd Party Risk Management

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider what questions a Board of Directors should ask a CCO and the types of metrics they should ask for in their role of overseeing the compliance program.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Great Women in Compliance

Great Women in Compliance – Reflections and Resilience Through a Compliance Career with Karen Bertha

Welcome to the Great Women in Compliance podcast with Hemma Lomax and Lisa Fine, sponsored by Corporate Compliance Insights.   In today’s episode, Lisa speaks with Karen Bertha, who has built world-class programs throughout her career, most recently at V2X.   She has significant acquisition and post-acquisition due diligence expertise, including at V2X.  After that acquisition, she was at a crossroads and needed time to take stock and pause.

Karen reflects on her work with due diligence, including how and when compliance should be involved in due diligence.  They also discuss strategies for post-integration, even if compliance is brought at some point later.  Karen has worked in highly regulated industries, such as government contracting, and those not in highly regulated industries. She shares her experiences and lessons learned.

Karen left V2X after the acquisition when she needed time for herself and other parts of her life.  She talks about how the “power of the pause” has been helpful to her.  She talks about reflecting on her work in the Ethics & Compliance profession, increasing her learning, specifically in compliance-adjacent fields like Human Resources and audit, with time to focus.  She also shares what she has enjoyed during this time, which we at #GWIC hope can inspire those thinking about your next steps or between roles.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Blog

Board Oversight of Third-Party Risk Management: Key Questions and Metrics for Effective Governance

The Telephonica Venezuela FCPA enforcement action reminds us that third-party risk management is one of the most critical components of a corporate compliance program. From suppliers and distributors to agents and joint venture partners, third parties can expose a company to significant compliance risks, including bribery, data security breaches, and regulatory violations. For a Board of Directors, effective oversight of third-party risk management is essential to fulfill its fiduciary duties and ensure that the organization mitigates these potential threats.

For boards, the responsibility involves more than just reviewing policies or compliance assessments. It requires a proactive approach, regularly engaging with the Chief Compliance Officer (CCO) and demanding specific information to confirm that third-party risks are effectively managed. Today, we will consider some key questions a board should ask and key metrics that boards should track to ensure their oversight of third-party risk management.

Key Questions a Board Should Ask About Third-Party Risk Management

To provide effective oversight, board members should ask the CCO a series of targeted questions that illuminate the strengths and weaknesses of the organization’s third-party compliance efforts. These questions can guide discussions around key areas such as due diligence, monitoring, training, and incident response.

  • What is our Third-Party Risk Profile?

This foundational question helps the Board understand the scope of the organization’s third-party network and the inherent risks involved. The CCO should be able to explain how third-party risk is assessed, classified, and prioritized. This includes geographic, industry, and transactional risks that may be more prevalent in high-risk regions or industries such as defense, oil and gas, and healthcare.

  • What Due Diligence Processes are in Place?

The Board should ask about the specific due diligence processes for third parties. This includes initial onboarding assessments, background checks, and ongoing monitoring. Understanding the due diligence process, including who is responsible, the standards used, and whether enhanced due diligence is conducted for high-risk third parties, is critical for oversight.

  • How Do We Ensure Continuous Monitoring of Third Parties?

It is not enough to perform due diligence only once. Continuous monitoring is essential to detect a third party’s risk profile changes. The Board should ask about the tools and technologies used for monitoring, the frequency of updates, and how compliance continuously evaluates third parties for new risks, such as changes in ownership, regulatory status, or financial stability.

  • How Do We Address Identified Risks?

A key component of third-party risk management is having procedures to address identified risks. The Board should inquire about the company’s approach to risk mitigation, including risk-adjusted measures for different risk levels. Are high-risk third parties subject to contract clauses or specific compliance obligations? Does the organization maintain a system to monitor the ongoing effectiveness of risk mitigation efforts?

  • What Training and Awareness Programs Do We Have in Place?

The Board should ask how compliance trains third parties on relevant laws, policies, and expectations, especially concerning anti-corruption, data protection, and ethics. Additionally, internal stakeholders involved in third-party management, such as procurement and finance, should receive specialized training to help them recognize red flags.

  • What is Our Process for Reporting and Escalating Third-Party Compliance Issues?

Knowing that issues will inevitably arise, the Board should ask how the organization reports and escalates third-party compliance concerns. Does the CCO have direct access to the Board in case of serious compliance violations? Is there a protocol for handling third-party incidents that could affect the company’s regulatory standing or reputation?

  • How Do We Measure the Effectiveness of Our Third-Party Risk Management?

The effectiveness of the third-party compliance program is a priority for the Board. Asking for metrics and other objective measures helps ensure that the program is well-designed and functioning as intended. The Board should proactively seek quantitative and qualitative evidence of effectiveness.

Key Metrics for Third-Party Risk Management Oversight

Metrics are invaluable for Board members seeking to monitor the compliance program’s health. The CCO should be able to provide regular updates on the following metrics, each offering insight into specific aspects of third-party risk management.

  • Number of Third Parties by Risk Category

This metric breaks down the organization’s third parties by risk level (e.g., low, medium, high). This provides the Board with a snapshot of the company’s risk exposure and helps them assess whether the program is appropriately resourced to manage the volume of high-risk third parties.

  • Percentage of Third Parties with Completed Due Diligence

Tracking this metric shows whether the company is adhering to its compliance policies. Ideally, 100% of third parties should undergo due diligence before onboarding, and any gaps here could signal significant compliance weaknesses.

  • Average Time to Complete Due Diligence

This metric reveals the efficiency of the due diligence process. Long turnaround times can delay critical partnerships and increase risk exposure, while excessively fast times may suggest that due diligence needs to be sufficiently thorough. Boards should look for a balanced metric that reflects both efficiency and comprehensiveness.

  • Incidents of Non-Compliance Among Third Parties

The Board should be regularly informed of compliance incidents involving third parties. This metric could be broken down by type of violation (e.g., anti-bribery, data privacy, labor practices) and severity. Tracking these incidents over time helps the Board evaluate the program’s effectiveness and whether additional resources are needed.

  • Percentage of High-Risk Third Parties Monitored Regularly

Continuous monitoring is vital to effective risk management, particularly for high-risk third parties. This metric provides insight into how often high-risk third parties are reassessed, which can inform the Board about the level of vigilance being applied to higher-risk partners.

  • Training Completion Rates for Third Parties and Internal Teams

Effective third-party risk management requires third parties and the internal teams who work with them to understand the compliance risks and policies. This metric tracks how many third-party representatives and relevant employees have completed compliance training, an essential factor in reducing risk.

  • Average Time to Resolve Third-Party Compliance Issues

This metric measures the organization’s responsiveness to third-party compliance concerns. Quick resolution times may indicate an efficient and effective response system, while delays might suggest resource constraints or procedural bottlenecks. Boards should look for a metric that balances speed and thoroughness.

  • Costs of Third-Party Compliance Program

The Board should also monitor the financial investment in third-party compliance to assess if the program is adequately funded. This includes costs for due diligence, continuous monitoring, training, and compliance technology. Comparing these costs against third-party risk levels can help determine if the program is appropriately resourced.

Leveraging Metrics for Continuous Improvement

By tracking these metrics, Boards ensure that third-party risks are being effectively managed and can drive continuous improvement in the compliance function. Over time, trends will emerge, highlighting areas where the program may need reinforcement. For instance:

  • Increasing compliance incidents among third parties could indicate a need for enhanced due diligence or more stringent onboarding criteria.
  • Declining training completion rates suggest a lack of engagement from third parties, potentially due to ineffective communication or training methods that must be revisited.
  • Prolonged resolution times for compliance issues might signal the need for process optimization or additional staff in the compliance team.

The Board should encourage the CCO to use these insights to fine-tune the program and prioritize high-impact initiatives. Additionally, boards should expect the CCO to present metrics and narrative insights, offering a holistic view of the third-party compliance landscape and how specific metrics relate to broader compliance goals.

Fostering a Culture of Accountability and Compliance

Board oversight of third-party risk management is no longer a mere checkbox—it’s a crucial part of protecting the organization’s reputation, ensuring regulatory compliance, and building a resilient corporate structure. By asking the right questions and tracking key metrics, Boards can proactively ensure that third-party risks are managed effectively.

An engaged Board that emphasizes the importance of third-party compliance sends a powerful message across the organization and beyond. When Boards hold the compliance function accountable and demand robust third-party oversight, they not only mitigate potential risks but also foster a culture of integrity and accountability that resonates with employees, partners, and stakeholders alike. This, in turn, strengthens the entire organization, building a foundation of trust and resilience that will serve it well in any compliance landscape.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – CCOs Reporting to the Board

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider what a CCO needs to tell a Board of Directors.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.