
The Case-Book of Sherlock Holmes – Compliance Leadership Lessons in ‘The Adventure of the Sussex Vampire’

In this new season of Adventures in Compliance, host Tom Fox delves into The Case-Book of Sherlock Holmes by Arthur Conan Doyle, the final set of twelve Sherlock Holmes short stories, first published in the Strand Magazine between October 1921 and April 1927. This episode considers the short story The Adventure of the Sussex Vampire, in which Sherlock Holmes investigates a case involving a master jewel thief, and examines Holmes’s investigative techniques. This story provides several valuable leadership lessons for the 21st-century compliance professional.

Tom examines Conan Doyle’s short story through the lens of business ethics and corporate compliance. The tale, which initially suggests a supernatural element, is revealed to be a case of jealousy and attempted murder using poison darts. Fox draws several compliance lessons from Holmes’ approach: avoiding hasty conclusions, valuing investigation integrity, adopting holistic views, and maintaining clarity in communication. This episode is packed with insights for compliance professionals navigating complex ethical landscapes.

Highlights include:

  • The Sussex Vampire Story Unfolds
  • Business Leadership Lessons from the Sussex Vampire
  • Enhancing Compliance Leadership

Resources:

The New Annotated Sherlock Holmes

Sherlock Holmes FAQ by Dave Thompson

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

For an audio/video version of the Compliance Kids book, Speaking Up is AWESOME, contact Tom Fox.



FT Business Book of the Year, Alison Taylor and Higher Ground

The Financial Times (FT) and Schroders Business Book of the Year Award is the most prestigious accolade in business publishing, recognizing exceptional insight, research, and storytelling in books addressing current business, economic, and financial issues. The FT Business Book of the Year Award highlights books that significantly impact the understanding of global business issues, often bringing complex topics like economic theory, corporate culture, innovation, and ethics to a wider audience. It serves as a quality benchmark in business publishing, with many past winners going on to influence policy, business practices, and public discourse.

The Financial Times’ reputation ensures that nominated books are taken seriously by readers, reviewers, and business leaders worldwide. The FT Business Book of the Year Award draws attention to emerging trends and thought leadership in business, with topics often reflecting current global challenges. For example, recent winners have focused on climate change, economic inequality, corporate responsibility, and technology’s impact on society. Ultimately, the FT Business Book of the Year Award plays a significant role in shaping the business conversation by identifying the most relevant and impactful works that capture the challenges and dynamics of modern commerce. To make the Long List of nominees, a book had to be among the 16 selected out of over 600 entries.

If you are in the compliance field, you are probably lucky enough to know one of this year’s Long List nominees, Alison Taylor, whose book, Higher Ground: How Business Can Do the Right Thing in a Turbulent World, has provided a fresh dialogue on the evolving role of business ethics in corporate governance. Alison once gave me the moniker The Rock and Roll Compliance Blogger. But even more importantly, Alison has long contributed to and, in many ways, led the ongoing dialogue in the corporate compliance community on compliance and ethics on the one hand and sustainability and ESG on the other. Her central thesis questions why these two fields, both concerned with promoting responsible corporate behavior, remain siloed and isolated. Higher Ground bridges this gap, providing corporate leaders a roadmap for fostering a more integrated approach to ethical business practices.

Taylor opens Higher Ground with a case study on Starbucks—a company widely regarded as a leader in corporate responsibility. Known for benefits like health insurance for part-time employees, Starbucks has long been a model of progressive labor practices. But recently, the coffee giant has faced substantial backlash over labor rights issues as employees pushed for unionization, highlighting a disconnect between corporate policies and ground-level employee sentiment.

This disconnect between corporate identity and stakeholder perception illustrates a significant point for Starbucks: being a “good” business isn’t a shield against reputational risks. Despite its robust ESG credentials, Starbucks has been mired in controversy, underscoring that even the most well-intentioned corporations may face criticism if stakeholders perceive a misalignment between professed values and on-the-ground realities. Taylor’s analysis reminds compliance professionals that reputation and stakeholder trust can be fragile and influenced by factors beyond traditional ESG metrics.

Overcoming the Trap of Overpromising in Corporate Purpose

Taylor’s argument extends to the challenge of corporate overpromising, a pitfall many organizations find themselves in when attempting to cater to the demands of diverse stakeholders. As she points out, recent trends have created a polarized landscape where companies are criticized from both sides—either for being too focused on social responsibility (often labeled as “woke” by critics) or for not doing enough. Navigating this space requires corporate leaders to communicate clearly and make decisions based on what is realistically achievable.

In Higher Ground, Taylor encourages leaders to avoid becoming trapped by unsustainable promises. Instead, she advocates for identifying one to three critical issues that align with the company’s long-term strategic goals. Prioritizing these issues allows organizations to make meaningful progress rather than spreading their efforts thinly across many fronts. For compliance professionals, this approach emphasizes the need to set realistic, measurable goals in alignment with an organization’s core values.

Moving from Rules-Based to Principles-Based Compliance

One of the most resonant themes in Higher Ground for compliance officers is Taylor’s call to shift from a rules-based to a principles-based approach to compliance. While rules and regulations are fundamental to compliance programs, they can fall short when organizations face nuanced ethical dilemmas. Principles-based compliance, which emphasizes ethical judgment and a strong moral compass, allows organizations to respond more effectively to complex situations that cannot be anticipated by rules alone.

Taylor argues that fostering an ethical culture requires more than drafting policies and procedures. It involves setting up systems where employees feel empowered to speak up and exercise sound judgment. Compliance leaders should aim to cultivate an environment where employees are encouraged to use their ethical instincts and are rewarded for doing so.

Addressing the Generational Shift in Corporate Expectations

As Taylor observes, today’s workforce spans five generations, each with its own values, priorities, and expectations of corporate leadership. Millennials and Gen Zers highly value authenticity, transparency, and social impact. They are also more inclined to speak up on climate change and diversity, often pushing their employers to take public stances.

This shift presents both challenges and opportunities for compliance leaders. Younger generations’ desire for accountability and transparency aligns well with the goals of modern compliance programs, which are increasingly centered around creating ethical, transparent workplaces. However, the push for corporate responsibility requires careful management to ensure that public commitments align with internal practices. Taylor emphasizes the need for open communication, a willingness to address employee concerns, and a commitment to genuine stakeholder engagement.

Balancing Impact and Purpose

Taylor posits that a meaningful corporate purpose is inseparable from measurable impact. While “purpose” has become a popular corporate buzzword, she cautions that it remains little more than marketing rhetoric without concrete actions and results. For companies to build true stakeholder trust, they must put impact at the core of their purpose, recognizing both their operations’ positive and negative effects on society.

This perspective offers valuable guidance for compliance leaders. Compliance programs must go beyond box-ticking exercises and contribute meaningfully to the organization’s ethical culture. By making decisions based on their actual impact on employees, customers, and the broader community, compliance teams can help build a more resilient and trustworthy corporate reputation.

Practical Steps for Building an Ethical, Responsible Organization

Higher Ground provides practical insights for organizations seeking to improve their ethical culture and align with evolving stakeholder expectations. Some actionable steps for compliance professionals include:

  1. Set Priorities. Instead of meeting every stakeholder’s demand, focus on one to three key issues where the organization can make a meaningful impact.
  2. Encourage Open Dialogue. Foster a culture of transparency where employees feel comfortable voicing ethical concerns, even when these concerns challenge leadership decisions.
  3. Embrace a Principles-Based Approach. Shift the focus from strict rule adherence to fostering ethical judgment and principled decision-making across the organization.
  4. Align Corporate Promises with Impact. Ensure public commitments are backed by actionable, measurable goals reflecting the organization’s values and capabilities.
  5. Engage Multiple Generations. Recognize each generation’s unique values in the workforce and create an inclusive environment that respects diverse perspectives on social and environmental issues.

In Higher Ground, Alison Taylor offers a comprehensive exploration of how businesses can bridge the gap between ethics and sustainability, building trust and integrity. By examining the role of corporations through the lens of stakeholder expectations, she challenges leaders to redefine success beyond shareholder value. Her call for a more nuanced approach to business ethics resonates strongly in today’s rapidly evolving regulatory and social landscape.

For compliance professionals, Taylor’s work is a timely reminder of the importance of staying connected to the broader organizational mission and ensuring that ethics programs are integrated into every facet of the business. Whether setting clear priorities, encouraging open dialogue, or embracing principles-based compliance, Higher Ground provides a roadmap for leaders committed to building ethical organizations in the 21st century.

If you want to explore these themes in more depth, please check out Higher Ground and join the thoughtful conversation that Taylor has started. Given the advent of the second Trump Administration, these discussions have taken on a new urgency.


Creativity and Compliance – Business Efficiencies from Compliance Communications

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings and Entertainment, utilizes the entertainment devices people use to consume information in their everyday, non-work lives and applies it to important topics around compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible. In this episode of Creativity and Compliance, host Tom Fox and Ronnie Feldman discuss the often-overlooked basics of creating an effective compliance program.

We emphasize the importance of being proactive and preventative, as reinforced by recent DOJ guidance. The focus shifts from complex compliance issues to more practical and efficient solutions that can be integrated into daily operations. One key point is reevaluating the traditional annual training approach, which often fails to efficiently engage employees and mitigate risks. Instead, the conversation centers around constant and regular communication, such as nudge learning and embedding compliance messages within the organization’s culture, to keep compliance in mind and foster a more compliant workplace environment.

Key highlights:

  • Introduction to Compliance Program Effectiveness
  • The Ineffectiveness of Traditional Training
  • Strategies for Efficient Compliance Programs
  • Embedding Compliance into Organizational Culture
  • Hill Street Blues and Compliance

Resources:

Ronnie

  • Learnings & Entertainments (Website)
  • Compliance Confessions – inspired by “Mean Tweets,” these 90-second commercials address misconceptions and excuses to promote a speak-up culture and the E&C team as positive and helpful.
  • E&C Training Jams – a soulful singer banters with ethics & compliance, explaining policies, sharing examples, and debunking excuses.
  • Tales from the Hotline – Real speak-up-themed stories about workplace behavior gone wrong.
  • Workplace Tonight Show! – E&C meets SNL Weekend Update, explaining corporate risk topics and why employees should care.
  • 60-Second Communication & Awareness Shorts – A variety of short, customizable music and multimedia “commercials” promoting integrity, compliance, speaking up, and the E&C team as helpful advisors and coaches.
  • Custom Live & Digital Programming – Custom creative programming that balances the seriousness of the subject matter with a more engaging delivery. After all, you can’t bore people into learning.


For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.


Compliance Tip of the Day – Empowering Middle Managers

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today we present some tips to empower middle managers to become leading advocates of your compliance program.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.


Empowering Middle Managers: A Compliance Training Guide

A culture where employees feel safe to voice concerns through a speak-up culture is foundational to an ethical and compliant organization. However, fostering this environment is a two-way street; employees must feel encouraged to raise issues and confident that their voices will be heard and respected. Middle managers play a vital role in this process, serving as a bridge between employees and leadership. Training these managers to be effective listeners and supportive leaders is critical to embedding a true speak-up and listen-up culture. Today, I want to provide a comprehensive guide to structuring compliance training for middle managers to empower them in this essential role.

Establishing a Foundation for Openness and Trust

Middle managers are often employees’ first contact when they have questions, suggestions, or concerns. For this reason, the training should prioritize methods to create a welcoming and open environment. Employees are more likely to speak up in a space where psychological safety is present.

Training should focus on helping managers:

  • Set a Positive Tone. Managers can model openness by actively seeking input, acknowledging diverse viewpoints, and demonstrating that they value honest feedback.
  • Practice Respectful Communication. Respect and empathy should be at the core of all interactions. Managers should receive guidance on fostering a culture where positive or critical feedback is welcomed and used constructively.
  • Address Barriers to Speaking Up. Training should include understanding common barriers, such as fear of retaliation or judgment, that might deter employees from sharing their concerns. Managers need to learn techniques to overcome these barriers, assuring employees that feedback is welcomed and issues are handled impartially.

Mastering the Art of Active Listening

Active listening is the cornerstone of a listen-up culture. To create a sense of safety and encourage more openness, managers should learn to develop strong listening skills:

  • Concentrate on the Speaker. Active listening involves more than just hearing words; it means being fully engaged and present. Managers should learn techniques to eliminate distractions, maintain eye contact, and show genuine interest in the employee’s concerns.
  • Show Empathy and Support. Employees feel more valued when managers respond with empathy. Compliance training should include exercises to help managers practice empathy in real-time, learn to listen without judgment, and offer support without prematurely reaching conclusions.
  • Utilize Non-Verbal Communication. Body language and facial expressions are powerful communicators. Managers should be trained to become aware of their non-verbal cues, such as maintaining an open posture, nodding, and mirroring, to convey that they are fully engaged and receptive to what the employee shares.

Reinforcing Confidentiality and Non-Retaliation

One of the most significant obstacles to a speak-up culture is the fear of retaliation or breach of confidentiality. Employees need assurance that speaking up will not negatively impact their role or relationships within the company. Training should address these concerns by teaching managers how to:

  • Communicate Non-Retaliation Policies. Emphasize that the organization has a strict non-retaliation policy and that any reports made in good faith will not be used against the employee. Managers should be trained on what this means in practice and how to reiterate this assurance to their team.
  • Model Confidential Handling of Concerns. Managers must understand the importance of discretion and keeping sensitive information within appropriate boundaries. Training should cover practical examples and role-playing exercises to help managers practice discretion when handling real-life scenarios.
  • Know When and How to Escalate. Managers should learn the correct escalation protocols for concerns beyond their control, including when to involve HR, compliance, or other internal functions. This keeps matters within formal channels, allowing for a structured and consistent response to concerns.

Responding to Concerns with Consistency, Integrity, and Fairness

Consistency in handling concerns signals to employees that their voices are valued and treated equally. To encourage this, compliance training should incorporate strategies for managing responses to sensitive issues fairly and respectfully:

  • Role-Playing Scenarios. Managers should engage in simulated situations where they practice responding to different concerns, such as interpersonal conflicts, compliance issues, or ethical dilemmas. By exploring these scenarios, managers can prepare for potential challenges in a controlled environment, making them better equipped to handle real situations confidently.
  • Guided Self-Reflection and Assessments. Managers should regularly evaluate their response styles to ensure they meet company fairness, integrity, and transparency standards. Compliance training can include guided assessments that help managers identify areas for improvement, such as biases or tendencies that may unintentionally affect their responses.
  • Implement Escalation Protocols. Managers must understand that not all concerns can or should be handled independently. Training should include guidance on the importance of escalating certain issues, such as legal or safety concerns, to the compliance department or other designated channels. This structured process ensures consistency, limits liability, and enhances employee trust in the process.

Using Feedback Loops to Promote Continuous Improvement

For a speak-up culture to thrive, there should be an ongoing feedback and improvement process. Regular communication and consistent messaging from middle managers are essential to reinforcing this culture:

  • Creating a Culture of Continuous Dialogue. Managers should be encouraged to check in with their teams regularly rather than wait for annual reviews or structured feedback sessions. This open, continuous dialogue builds familiarity and trust, making it easier for employees to speak up when they have concerns.
  • Leveraging Digital Communication Tools. Managers can integrate compliance reminders, policy updates, and reinforcement of ethical standards into digital platforms where employees frequently engage. For example, using intranet channels or corporate social media platforms allows periodic messages, reminders, and success stories to be shared, helping employees internalize compliance messages over time.
  • Self-Assessments for Managers. Incorporate periodic self-assessment exercises, where managers reflect on their actions and impact on the speak-up culture. This can include anonymous feedback from employees, allowing managers to gain insight into their perceptions and identify improvement areas. Regular self-assessments reinforce accountability and ensure that managers remain aligned with the company’s compliance goals.

Instilling the “Listen-Up” Culture in Managerial Training

A listen-up culture goes hand-in-hand with a speak-up culture. For managers to effectively handle the concerns brought forward, they must receive dedicated training on what it means to listen up:

  • Developing Emotional Intelligence. Managers should be trained to be aware of their emotions and biases. Emotional intelligence is crucial in handling sensitive topics, as it allows managers to approach discussions with patience, empathy, and a genuine willingness to understand employees’ perspectives.
  • Creating Safe Spaces in Daily Operations. Rather than waiting for formal review sessions, managers can be trained to set aside dedicated time during team meetings to allow employees to voice questions or concerns. Encouraging open discussions in a safe environment reinforces that the company values and listens to employee feedback on compliance issues.

A Continuous, Proactive Approach to Compliance Culture

By empowering middle managers to build trust, actively listen, and foster an open dialogue, a company can lay the groundwork for a resilient compliance culture. The speak-up and listen-up approach is about avoiding ethical or legal breaches and creating a workplace where employees feel valued and respected, leading to better overall engagement and performance. Compliance training that encourages middle managers to foster this culture of openness is an investment in the company’s ethical foundation and its long-term success. Ultimately, a strong compliance culture is only as robust as those who support and enact it, and middle managers are a critical part of that foundation.


Compliance Tip of the Day – 5 Keys to Compliance Communication

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider 5 keys to building a culture of trust and engagement in your organization.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.


5 Keys to Compliance Communication: Building a Culture of Trust and Engagement in Your Organization

When it comes to corporate compliance, transparent and effective communication is non-negotiable. Your employees are not only the first line of defense but are also the customers of your compliance program. A well-communicated compliance function can shift the perception of compliance from a bureaucratic formality to a valued corporate asset. To establish this, compliance professionals must adopt a 360-degree communication approach emphasizing openness, interactivity, and alignment with company values.

Here are five keys to building a robust compliance communication framework within your organization:

Start with Clear Objectives: Define the “Why”

The first step to any successful compliance communication strategy is clarity of purpose. Before launching any campaign or distributing messaging, ensure you know why you are communicating in the first place. Some key questions include:

  • Are you aiming to educate employees about new policies?
  • Do you want to reinforce the importance of ethical behavior?
  • Do you want to prompt employees to report potential issues?

Each goal will shape your message, as will each audience within your company. Tailored messaging is required so that everyone, from the board of directors to the newest hires (from the boardroom to the shop floor), understands the importance and relevance of your compliance program.

If you aim to increase awareness of anti-corruption policies, your communication might center around the organization’s stance on integrity and honesty. However, if your aim is to encourage a speak-up culture, the message might emphasize confidentiality, support, and the importance of reporting misconduct. Ensuring your message has a clear and measurable objective can affect how it is received and whether employees take action.

Know Your Audience: Tailor Your Message for Maximum Impact

A single compliance message may only resonate with some in your organization. In any corporation, there are multiple audiences, including employees, senior leadership, middle management, external partners, and board members, all of whom have varying levels of familiarity with compliance topics. Recognizing and addressing these differences can significantly boost your messaging’s effectiveness.

For example, your frontline employees may need a straightforward explanation of policies and accessible reporting channels. Meanwhile, senior management may focus on the high-level implications of compliance initiatives on business strategy. A one-size-fits-all approach is less effective; instead, communicate with your audience in mind, considering their needs, knowledge level, and preferred communication channels.

Embrace Two-Way Communication: Build a Culture of Trust and Feedback

One of the most crucial aspects of compliance communication is creating an open line of dialogue, both up and down the chain. Employees should feel comfortable receiving compliance information, asking questions, seeking clarification, and providing feedback. Compliance should not be a one-way street; organizations must encourage interaction and feedback to build an authentic culture of ethics and accountability.

Integrating feedback mechanisms, such as surveys, focus groups, or town hall meetings, allows you to gauge employees’ understanding of compliance topics and uncover areas for improvement. But always remember that in compliance, we are only limited by our imaginations. Dun & Bradstreet CCO Louis Sapirman implemented a “Chatter Jam” for all company employees several years ago. It was a real-time discussion on an internal platform where employees shared their views on compliance topics like the company’s Code of Conduct. This open dialogue allowed the compliance team to hear employee concerns directly and make real-time adjustments.

In addition to these formal feedback channels, informal communication should be encouraged. Ensure employees know they can speak up without fear of retaliation. In doing so, you’re promoting compliance and creating an environment where ethical concerns can be discussed openly, ultimately preventing small issues from becoming major risks.

Consistency and Frequency: Keep Compliance Top-of-Mind

Effective compliance communication is not a one-off event but a continuous conversation. Reminders and reinforcements must be consistent and frequent for employees to internalize compliance principles. Use multiple communication channels to keep compliance messages front and center. This can include periodic emails, newsletters, short videos, or even social media-style updates on internal platforms.

Consistency doesn’t mean redundancy; it’s about finding fresh ways to reinforce fundamental compliance principles. For example, the DOJ’s 2020 FCPA Resource Guide, 2nd edition, emphasizes that regular communication about compliance expectations helps companies demonstrate their commitment to ethics and compliance. Even brief reminders can have a lasting impact. Remember Morgan Stanley’s case, where they sent 35 compliance reminders over seven years to reinforce anti-bribery policies. The company’s diligence in maintaining consistent messaging resulted in receiving a declination from the DOJ when one of its managing directors was involved in misconduct.

Regularly communicating compliance expectations also helps create a sense of normalcy around compliance issues, positioning compliance as a natural part of everyday operations rather than an occasional reminder or, worse, a reactive measure only brought up after an incident occurs.

Foster Engagement Through Storytelling and Real-World Examples

Human beings are naturally drawn to stories, so it is no surprise that storytelling is one of the most effective ways to communicate compliance issues. Sharing real-world examples of positive and negative outcomes can help employees better understand the importance of compliance and the risks associated with unethical behavior. When employees see real-life scenarios, they can more easily relate to how compliance impacts their roles and the company’s success.

Use case studies from your industry to illustrate the potential consequences of non-compliance. Highlighting scenarios where similar companies faced penalties due to lapses in compliance can make the risks feel more tangible. Conversely, sharing success stories within your organization, such as how a well-trained team prevented a potential compliance breach, can reinforce the value of compliance.

Storytelling also applies to compliance champions within the organization. Showcase individuals or teams who have exemplified ethical behavior and contributed positively to the compliance culture. Celebrate these “compliance heroes” publicly, whether in internal newsletters, company meetings, or digital screens throughout the office. Recognizing and celebrating compliance efforts in this way can have a ripple effect, inspiring others to follow suit.

Bringing it All Together: The 360-Degree Compliance Communication Model

Incorporating these five keys into your communication strategy will help establish a 360-degree approach to compliance that keeps the program visible, relevant, and actionable across the organization. It’s about more than simply sending information; it’s about creating a dynamic, two-way exchange that reinforces compliance as an integral part of your company culture. When compliance communication is objective-driven, audience-centered, interactive, consistent, and engaging, you build trust and accountability within the organization.

A robust compliance communication strategy positions your program not as a barrier to business but as an ally, helping employees navigate ethical challenges confidently. By adopting these five keys, compliance leaders can shift the perception of compliance from a mandatory obligation to a trusted, positive influence on the company’s success. It’s a win-win for employees and the organization, promoting ethical conduct while protecting its reputation and bottom line.

In the end, remember this: compliance communication is not simply about conveying rules and policies. It is also about building a culture where employees feel supported, informed, and engaged in upholding the company’s values. The real measure of success in compliance communication is when employees understand, embrace, and live out these values in their daily work.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Board Questions and Metrics for 3rd Party Risk Management

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider what questions a Board of Directors should ask a CCO and the types of metrics they should ask for in their role of overseeing the compliance program.


Categories
Blog

Board Oversight of Third-Party Risk Management: Key Questions and Metrics for Effective Governance

The Telefónica Venezolana FCPA enforcement action reminds us that third-party risk management is one of the most critical components of a corporate compliance program. From suppliers and distributors to agents and joint venture partners, third parties can expose a company to significant compliance risks, including bribery, data security breaches, and regulatory violations. For a Board of Directors, effective oversight of third-party risk management is essential to fulfilling its fiduciary duties and ensuring that the organization mitigates these potential threats.

For boards, the responsibility involves more than just reviewing policies or compliance assessments. It requires a proactive approach: regularly engaging with the Chief Compliance Officer (CCO) and demanding specific information to confirm that third-party risks are effectively managed. Today, we will consider the key questions a board should ask and the key metrics a board should track to support its oversight of third-party risk management.

Key Questions a Board Should Ask About Third-Party Risk Management

To provide effective oversight, board members should ask the CCO a series of targeted questions that illuminate the strengths and weaknesses of the organization’s third-party compliance efforts. These questions can guide discussions around key areas such as due diligence, monitoring, training, and incident response.

  • What is our Third-Party Risk Profile?

This foundational question helps the Board understand the scope of the organization’s third-party network and the inherent risks involved. The CCO should be able to explain how third-party risk is assessed, classified, and prioritized. This includes geographic, industry, and transactional risks that may be more prevalent in high-risk regions or industries such as defense, oil and gas, and healthcare.

  • What Due Diligence Processes are in Place?

The Board should ask about the specific due diligence processes for third parties. This includes initial onboarding assessments, background checks, and ongoing monitoring. Understanding the due diligence process, including who is responsible, the standards used, and whether enhanced due diligence is conducted for high-risk third parties, is critical for oversight.

  • How Do We Ensure Continuous Monitoring of Third Parties?

It is not enough to perform due diligence only once. Continuous monitoring is essential to detect changes in a third party’s risk profile. The Board should ask about the tools and technologies used for monitoring, the frequency of updates, and how compliance continuously evaluates third parties for new risks, such as changes in ownership, regulatory status, or financial stability.

  • How Do We Address Identified Risks?

A key component of third-party risk management is having procedures to address identified risks. The Board should inquire about the company’s approach to risk mitigation, including risk-adjusted measures for different risk levels. Are high-risk third parties subject to contract clauses or specific compliance obligations? Does the organization maintain a system to monitor the ongoing effectiveness of risk mitigation efforts?

  • What Training and Awareness Programs Do We Have in Place?

The Board should ask how compliance trains third parties on relevant laws, policies, and expectations, especially concerning anti-corruption, data protection, and ethics. Additionally, internal stakeholders involved in third-party management, such as procurement and finance, should receive specialized training to help them recognize red flags.

  • What is Our Process for Reporting and Escalating Third-Party Compliance Issues?

Knowing that issues will inevitably arise, the Board should ask how the organization reports and escalates third-party compliance concerns. Does the CCO have direct access to the Board in case of serious compliance violations? Is there a protocol for handling third-party incidents that could affect the company’s regulatory standing or reputation?

  • How Do We Measure the Effectiveness of Our Third-Party Risk Management?

The effectiveness of the third-party compliance program is a priority for the Board. Asking for metrics and other objective measures helps ensure that the program is well-designed and functioning as intended. The Board should proactively seek quantitative and qualitative evidence of effectiveness.

Key Metrics for Third-Party Risk Management Oversight

Metrics are invaluable for Board members seeking to monitor the compliance program’s health. The CCO should be able to provide regular updates on the following metrics, each offering insight into specific aspects of third-party risk management.

  • Number of Third Parties by Risk Category

This metric breaks down the organization’s third parties by risk level (e.g., low, medium, high). This provides the Board with a snapshot of the company’s risk exposure and helps them assess whether the program is appropriately resourced to manage the volume of high-risk third parties.

  • Percentage of Third Parties with Completed Due Diligence

Tracking this metric shows whether the company is adhering to its compliance policies. Ideally, 100% of third parties should undergo due diligence before onboarding, and any gaps here could signal significant compliance weaknesses.

  • Average Time to Complete Due Diligence

This metric reveals the efficiency of the due diligence process. Long turnaround times can delay critical partnerships and increase risk exposure, while excessively fast times may suggest that due diligence is not sufficiently thorough. Boards should look for a balanced metric that reflects both efficiency and comprehensiveness.

  • Incidents of Non-Compliance Among Third Parties

The Board should be regularly informed of compliance incidents involving third parties. This metric could be broken down by type of violation (e.g., anti-bribery, data privacy, labor practices) and severity. Tracking these incidents over time helps the Board evaluate the program’s effectiveness and whether additional resources are needed.

  • Percentage of High-Risk Third Parties Monitored Regularly

Continuous monitoring is vital to effective risk management, particularly for high-risk third parties. This metric provides insight into how often high-risk third parties are reassessed, which can inform the Board about the level of vigilance being applied to higher-risk partners.

  • Training Completion Rates for Third Parties and Internal Teams

Effective third-party risk management requires third parties and the internal teams who work with them to understand the compliance risks and policies. This metric tracks how many third-party representatives and relevant employees have completed compliance training, an essential factor in reducing risk.

  • Average Time to Resolve Third-Party Compliance Issues

This metric measures the organization’s responsiveness to third-party compliance concerns. Quick resolution times may indicate an efficient and effective response system, while delays might suggest resource constraints or procedural bottlenecks. Boards should look for a metric that balances speed and thoroughness.

  • Costs of Third-Party Compliance Program

The Board should also monitor the financial investment in third-party compliance to assess if the program is adequately funded. This includes costs for due diligence, continuous monitoring, training, and compliance technology. Comparing these costs against third-party risk levels can help determine if the program is appropriately resourced.

Leveraging Metrics for Continuous Improvement

By tracking these metrics, Boards can confirm that third-party risks are being effectively managed and can drive continuous improvement in the compliance function. Over time, trends will emerge, highlighting areas where the program may need reinforcement. For instance:

  • Increasing compliance incidents among third parties could indicate a need for enhanced due diligence or more stringent onboarding criteria.
  • Declining training completion rates suggest a lack of engagement from third parties, potentially due to ineffective communication or training methods that must be revisited.
  • Prolonged resolution times for compliance issues might signal the need for process optimization or additional staff in the compliance team.

The Board should encourage the CCO to use these insights to fine-tune the program and prioritize high-impact initiatives. Additionally, boards should expect the CCO to present both metrics and narrative insights, offering a holistic view of the third-party compliance landscape and explaining how specific metrics relate to broader compliance goals.

Fostering a Culture of Accountability and Compliance

Board oversight of third-party risk management is no longer a mere checkbox—it’s a crucial part of protecting the organization’s reputation, ensuring regulatory compliance, and building a resilient corporate structure. By asking the right questions and tracking key metrics, Boards can proactively ensure that third-party risks are managed effectively.

An engaged Board that emphasizes the importance of third-party compliance sends a powerful message across the organization and beyond. When Boards hold the compliance function accountable and demand robust third-party oversight, they not only mitigate potential risks but also foster a culture of integrity and accountability that resonates with employees, partners, and stakeholders alike. This, in turn, strengthens the entire organization, building a foundation of trust and resilience that will serve it well in any compliance landscape.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – CCOs Reporting to the Board


Today, we consider what a CCO needs to tell a Board of Directors.
