Not long ago we had a post about how chief compliance officers can support local compliance officers in business divisions. Today we’re going to explore a related topic: how CCOs can strengthen relationships with business unit leaders generally.
After all, most business unit leaders aren’t opposed to ethical conduct per se. On the contrary, they want to run their functions well, and that includes acing expectations for good conduct.
So how can compliance officers avoid (as much as possible, at least) the friction that we encounter in the practical world?
Embed compliance procedures into operations
We all know the quip that the compliance function is “the Department of No.” Implicit in that wisecrack, however, is the idea that the business team has already decided that it wants to do something, and is asking the compliance function whether that action is allowed.
Which also means, by definition, that the business unit doesn’t know what compliance will say. That’s the disconnect a compliance officer wants to avoid. It implies a world where “the compliance check” comes at the end of the business unit’s idea.
In a better world, there is no compliance check at the end. Instead, compliance controls and procedures are baked into business processes from the start: automated and preventive controls, rather than manual and detective ones. Then the Department of No never emerges at a late stage, because business units have been guided toward permissible conduct from the earliest stage.
Consider delegating procedural questions to the business unit
Sometimes business units will have legitimate concerns that they can’t follow a specific procedure. That’s especially true if the unit is based overseas and worried about the local law. Some countries might restrict access to confidential information you want for investigations or regulatory reporting; others might impose limits on how whistleblower hotlines operate.
Can the compliance function permit every deviation from procedure that a business unit might want? No. But the success of the compliance program depends more on clear policies, good conduct objectives, and ethical priorities. So if a local unit can achieve those ends, but wants to use a procedure that lets the unit conform to the local law or other restraints, consider how to make that work.
Develop risk monitoring tools business units can use themselves
This is a tactic compliance officers can steal from internal audit functions. Audit teams are under more pressure these days to develop better risk analytics and monitoring tools. After the teams do that for their own auditing purposes, they can leave those tools with the business function, so operating executives can monitor risks more effectively themselves.
Compliance functions can do something similar for regulatory and conduct risks. Indeed, you already should be doing this for your own purposes, developing key risk indicators that might feed into a compliance dashboard you use.
Well, wherever possible, share those risk monitoring tools with the business unit leaders. That won’t be feasible in every instance (for example, you might not want to share metrics about investigations into business units), but remember what we said at the start: most operations executives want to lead ethical teams, so long as those compliance functions aren’t overly disruptive. Giving those executives tools to see how their unit is faring is one way to do that.