People often say successful corporate compliance is a team effort. They say that because it’s true. So today let’s answer one fundamental question about how to make that team effort work: What is a compliance committee, and who sits on it?
What is a Compliance Committee?
At the highest level, a compliance committee is a group of in-house executives at a company who can help the business navigate its regulatory compliance obligations. The committee tries to assure that the company is doing everything it’s supposed to do to fulfill those obligations, and nothing it shouldn’t do that might violate them.
That’s it, really. That’s the concept compliance professionals should understand at an abstract level.
At the practical level, every company will structure its compliance committee in whatever way makes the most sense for that business. Your committee might include different executives than another firm's, and it might meet at a different frequency. It certainly will talk about different issues.
But without a compliance committee, the compliance officer potentially faces deep trouble. You won’t necessarily know what’s happening within the company to achieve compliance, nor will you know about business activities that might be changing the company’s risk profile. Above all, you won’t have help to steer the company toward an effective compliance posture. You’ll be doing it all yourself.
So having a compliance committee is important. It’s something just about every business should do.
Who Serves on a Compliance Committee?
As we mentioned above, the people who serve on a compliance committee can vary greatly from one company to the next. The best way to choose those members is to ask the following question:
Who has some responsibility for addressing compliance issues within our organization?
Framed that way, several executives emerge as obvious participants. They include:
- Chief Financial Officer
- Chief Accounting Officer or Controller (if your organization has one)
- General Counsel
- HR Director
- IT Director
- Chief Information Security Officer or Chief Privacy Officer
- Head of Procurement (again, if your organization has one)
- Internal Audit
All these roles are in the “second line of defense” for risk assurance (with the exception of internal audit, which is by itself in the third line). They help to manage the business and to steer operations toward certain objectives—including ethics and compliance objectives. So in almost every circumstance, these executives should be on your compliance committee.
A few other usual suspects come from operating units in the first line of defense. They might include leaders from:
- Sales & Marketing
- Customer Service
- Product Design
This is where compliance officers want to consider the organization’s significant compliance risks based on the operations you have. For example, if you’re in construction or utilities, you would want to include the Head of Sales because your risk of bribery might be high. If you’re in pharmaceuticals or technology, you have a higher risk of research espionage or “deemed export” violations from foreign nationals taking valuable knowledge back home—so your head of R&D should be on the committee.
If you’re in retail, don’t overlook the customer service center. As one compliance officer once told me: “All day long they listen to customers telling us how we’ve screwed up. Why would I not want them on my committee?”
Whatever your company’s principal operations are, they touch compliance risk somehow. Find the leaders in those functions and ask them to serve.
The Compliance Officer’s Role
Ideally, the compliance officer chairs the compliance committee. That might not always be the case, especially if the General Counsel and compliance officer roles are held by the same person. But usually, since this committee is meant to assess and guide the company’s compliance posture—you should be the one leading that effort.
An analogy helps here. The compliance officer’s role is like that of a primary care physician (PCP). He or she is responsible for the overall health of the patient and works with various specialists to devise a care plan depending on exactly what’s wrong. The PCP assures that proper care is delivered, but he or she doesn’t deliver much of that care directly—the specialists do. The PCP listens to the patient, reaches a diagnosis, and monitors progress for follow-up care as necessary.
The compliance officer’s role should be a lot like that. You might review internal data to identify something that’s amiss, such as a spike in complaints about office bullying or a drop in completion rates for third-party due diligence. Then you’d work with HR to develop new policies, or with procurement or sales to discover what’s causing that due diligence drop. You’d help those business functions to manage the risk, but you wouldn’t solve those problems yourself.
Sure, “work with” might feel a lot like “do the work” at some organizations; let’s have no illusions that we’re only describing an ideal here—but that model of a primary care physician leading a team of experts is the ideal.
What Does the Compliance Committee Do?
The compliance committee meets at regular intervals to discuss emerging compliance risks and to chart progress on keeping older compliance issues at acceptable levels.
For example, the compliance officer could open the meeting with a discussion about the Justice Department’s new crackdown on procurement fraud, and ask other members to consider whether the company has any risks in how it bids for government contracts. The CCO might ask the Head of Sales to compile a list of all trade events where employees hobnob with competitors, and ask HR or Legal to review company policies to see whether they’re clear about what anti-competitive behavior is and why employees should not engage in it.
The meeting might then pivot to cybersecurity, where the Chief Information Security Officer presents a report that many third parties touching the company’s confidential data haven’t been vetted. Compliance could then lead a discussion about whether the company needs to shut off some high-risk third parties completely (which might alienate employees in R&D or product design, so good thing the heads of those functions are present too), or just increase disciplinary policies for employees who flout procedure.
Then perhaps internal audit closes out the meeting with a preview of its audit plan for the coming year, where compliance and other committee members offer input. The meeting then adjourns, with the CCO sending out action items to be reviewed at next quarter’s meeting.
You get the idea. A compliance committee gathers the company’s important operational leaders to consider emerging compliance risks, and to measure their progress on existing compliance risks. It’s an invaluable mechanism to keep the whole enterprise focused on the same objectives and priorities and moving together, even if forward motion on some of those tasks can be painstakingly slow.
Which is still a lot better than the compliance officer trying to do it all alone.