24.01.2018 Feature Article

Keys to Effective Board Oversight of Compliance, Ethics & Culture – Management Approach


It has long been said that an effective compliance program can’t exist without a strong ethics and compliance culture. Critical to this is tone from the top, without which there is no clear directive for the organization and its employees on the importance of compliance. The board of directors plays a critical role in setting the right tone.

While regulatory non-compliance presents reputational risks, they generally pale next to those stemming from culture risk. The media and public often have difficulty understanding regulatory violations, but a violation of the trust built up over years between an organization and its stakeholders makes for a dramatic, readily understood — and often very damaging — story.

Addressing culture risk does not mean creating a “culture of compliance.” Such attempts tend to preserve a narrow, rules-driven view of compliance and culture, whereas addressing culture risk calls for a new view of compliance. This view calls for operating not only within legal and regulatory bounds, but also in ways that reflect the core values of the organization.

With so many strategic issues to address, how can a board most effectively execute its responsibility to oversee compliance, ethics and culture?

#1. Ethics and compliance must move into the mainstream

Major corporations and their boards must adhere to compliance mandates, placing compliance-related issues at the top of the board’s agenda. “Compliance can’t be last on the agenda … it needs to be moved to the top with strategic discussions,” said Irena Gecas-McCarthy, at Deloitte & Touche LLP.

#2. Share a sense of responsibility between the board and senior management

To create and maintain an effective ethics and compliance program, both the board and senior management must work in tandem to protect shareholders. “This compliance culture must be owned by all throughout the entire organization, without exception,” according to a June 2014 Deloitte Report. “The entire organization is accountable. Words without actions are an empty chalice,” the report added.

Joanne Pace, a board member at Oppenheimer Funds and Horizon Blue Cross Blue Shield, stressed the importance of staying current: “Understanding the compliance rules and regulatory framework that governs the company for the board you serve on requires a major commitment and focus. A board needs to stay current to effectively fulfil its oversight role.”

#3. Understand the Organization’s and Board’s Culture Risk Posture

Culture has different dimensions but, essentially, it is the sum of the values that drive people’s behavior within the organization. Those values are reflected in hiring, compensation, promotion, investment and other decisions at all levels, and culture determines which behaviors are accepted and encouraged in the organization.

Vague notions of culture create culture risks and undermine oversight of the culture. Organizations therefore need to embark on a journey to understand insider threats and to build out a broader culture risk program that enables management to identify areas where culture risk might emerge and how to address it.

Like culture risk, conduct risk, which includes the risk of fraud and embezzlement, also needs attention. It is often monitored in very specific areas (e.g., procurement in manufacturing or trading in financial services), and for that reason a focus on conduct risk can lead to a siloed approach to culture risk and overlook larger cultural issues.

And it is not just a management issue; a board should also understand and periodically reflect on its own culture and risks associated with its behavior.

#4. Understand potential risks through assessments

With major corporations being hacked on what seems like a daily basis and everyone worried about being the next victim of a potential cyber-attack, ethics and compliance risk assessments have never been more important. Not only do they provide the foundation for deciding what next steps need to be taken to avoid, mitigate or remediate these risks, but they also act as a tool for allocating scarce resources across these risks. “You must monitor implementation via the testing format to truly see the impact of an action rather than the activity,” said Cynthia Krus, Partner, Sutherland Asbill & Brennan LLP.

#5. Promote the Use of Technology

Currently available technologies can help organizations to address compliance and culture risk. Technology-supported compliance programs manage ongoing compliance and reporting based on defined regulatory requirements. These programs enable management, audit committees and boards to know, on a quarter-to-quarter or month-to-month basis, that the organization follows applicable rules and where issues of noncompliance could emerge.

Similarly, a technology-supported insider-threat program can monitor employee behavior in various ways. For example, surveillance of emails and texts can identify individuals or pockets of individuals who may be engaged in, or close to engaging in, behavior outside legal, ethical or cultural bounds. Such cases should be referred to the relevant channel for consideration and potential action, which may include remediation, training or other steps.

Cultural attributes can be identified and measured and then monitored by tech-supported programs. While less prevalent than compliance and insider-threat programs, culture monitoring programs are gaining traction. Some culture-monitoring programs are geared more toward human resources concerns – for example, tracking employee morale – while others also monitor broader behaviors.

Any tech-supported compliance, insider threat or culture monitoring program should be implemented by, or with direct input from, the business if it is to serve the needs of management and the board. IT can support the implementation, but it shouldn’t drive it.

#6. Ask Culture-Related Questions

In its risk oversight role, the board can broaden management’s approach to compliance to include conduct and culture risk. This entails broadening the conversation around compliance to include culture.

Some useful questions to ask include:

  • To what extent and in what ways are we using technology to monitor compliance? To what extent are we using it to monitor conduct? Do we have an insider-threat program?
  • What have we done to define the values and the culture that we need to support people in their pursuit of organizational goals?
  • How are we communicating our organizational values inside and outside the enterprise?
  • What are our greatest conduct risks and culture risks?
  • How are we measuring conduct risk and culture risk?
  • How are we monitoring and managing those risks?
  • How have we prepared for the reputational impact of a compliance, conduct or culture risk event?

While broadening the discussion, the board must of course continue to receive adequate assurance that the organization is operating in regulatory compliance.

Conclusion

Keeping in mind the context of a board’s risk oversight responsibilities, compliance should be viewed more broadly. Employees can operate within legal and regulatory rules while behaving in ways that do not reflect the values of the organization. Such behaviors generate culture risk. Left unchecked, those behaviors can multiply, negatively impacting customers, suppliers, investors, community members and other key stakeholders. Those negative impacts can give rise to other risks – particularly reputational risk.

Focusing on the strategic issues and implications that compliance, and culture, present can engage board members at an appropriate level and enable the board to expand its oversight role. That, in turn, can support the executive team in its efforts to create a culture that supports people in their efforts to reach the organization’s goals.

Reference: Chuck Saia (conselium.com); fwa.org; corporatecomplianceinsights.com

About the Author

A Financial Reporting/Analysis, Audit and Tax professional, a Consultant at Danisa Consult (Accounting, Audit & Tax) and a Facilitator for Accounting, Tax and Audit at Global Institute of Resource Development (GiRD), a Capacity Development and Training Institution. A member of the Institute of Chartered Accountants, Ghana; Chartered Institute of Taxation, Ghana; Association of International Accountants, UK; International Association of Accounting Professionals, UK; Association of Certified Fraud Examiners, US; Southern African Institute for Business Accountants, SA.

Comments and suggestions to [email protected] /0242844114
