5 Ways Boards Must Improve Compliance Oversight
Control or be Controlled: 5 Problem Areas for Boards
Compliance is evolving, and board members may now be unsure of their related responsibilities. Board members are more and more reliant on the data obtained from information systems to make their decisions. How can they use this information, and what are the traps they need to avoid?
The role of the board of directors is increasing in importance and complexity. One major aspect is the oversight of compliance. Compliance has continually evolved, making board members unsure of the nature and span of their responsibilities. It is more necessary than ever for boards to be actively engaged in their compliance functions and more sensitive to the corporate tolerance for risk and how it is monitored. With this, board members are increasingly dependent on technology, the information it provides and the impact on their businesses. With the rapid movement in compliance oversight, there are several areas where boards prove their worth or hold the organization back.
#1: Failing to Pay Attention to Culture
The board drives corporate culture. If it does not, get a new board. When it comes to corporate compliance, establishing the desired corporate culture is the critical first step. However, board members may not realize they have an essential role to play in establishing that culture. Decisions made by the board about finances, compensation or other matters directly impact the corporate culture and thereby impact financial results. Failing to establish a strong culture where compliance plays a prominent role can be a major flaw. Promoting a culture where quality corporate governance and compliance are ingrained will lead to a self-policing organization with greater awareness, few compliance issues and more substantial return for shareholders.
#2: Persecution of the CEO
The CEO is often the sacrificial lamb for the board. However, to move the organization forward, the board should create a secure atmosphere for the CEO to provide feedback to the directors. CEOs must be able to bring forth difficult issues and propose innovative solutions without the fear of reprisal. The CEO needs to propose policies the board can either approve, modify or reject. To succeed, CEOs must be adept at supplying the board with the appropriate level of detail. Information must be presented with the appropriate business context and in language that is readily understandable by board members. If the CEO cannot comfortably provide compliance-related metrics and propose compliance solutions, the organization will suffer.
#3: Held Back by Dead Weight
Often, directors have limited experience in compliance oversight. This can lead to a lack of confidence in making decisions and providing oversight on risk and compliance matters. At times, directors can become “dead weight,” not adding any insight, avoiding decisions and kicking the can down the road. There is a natural inclination for people to gravitate to matters they understand, but a consistent lack of direction can cause frustration, missed opportunities and significantly more risk for the company. Organizations need to pare board members that are consistently refusing to add value and provide direction.
#4: Lack of IT Knowledge
According to Accenture1, most directors lack a technology background or IT expertise. This is at a time when some of the most significant challenges facing organizations are centered around technology. Directors have the task of identifying existing risks and trying to forecast future risks while planning for corporate growth. As the pace of business increases, the associated technology risks are that much more complicated and are central to ensuring corporate compliance. However, reporting about IT risks is often done using technical jargon. This can be beyond even the most tech-savvy board members and can lead to misunderstandings and improper guidance. It is a challenge for both the CEO and CIO to provide sensible reporting to directors in a manner that is in line with business activities. For their part, board members must be either recruited with the appropriate level of technology knowledge or must be trained on technology-related compliance risks. Now more than ever, directors need an understanding of technology to make informed decisions.
#5: The Missing Risk Assessment
Often, board members are provided details and metrics on risk assessments. However, these assessments are often focused solely on either operational or financial risks. Compliance monitoring requires assessments that examine the specific regulatory risk areas based on the scope of corporate compliance policies. A control framework must be established to address these risks. Controls must be measured and tested periodically to ensure adequate maturity levels of protection for specified risks. Board members must receive periodic risk assessment reporting from management to identify new risks and report on the effectiveness of controls over existing risks. The reports must provide suitable levels of detail in a well-understood business context to enable directors to gauge the health of the business, as well as the effectiveness of the organization’s efforts in compliance management.
Boards have the interests of the organization as their focal point, but directors do not always have the experience, training or business context metrics to produce the proper guidance, guard against excessive risk or make decisions to move the organization forward. Boards must be actively engaged in compliance oversight, not passive bystanders. For its part, the organization must provide board members with the tools and contextually pertinent data to make decisions. Done properly, directors will have the insight and understanding to steer the ship. Done poorly, it is like putting on a shackle and walking the plank.
Chris is VP Marketing and a co-founder of Teleran. He has over 30 years’ experience in helping companies manage, leverage and protect their business-critical information.