Ross Marrazzo and John P. Carey
September 5, 2018
Today’s chief compliance officers (CCOs) face the daunting challenge of protecting both the institutions for which they work and their personal reputations. Reputation has become a growing focus as more and more CCOs have left their roles. Some have departed of their own volition; some have been severed; and some have been fined and sanctioned by regulators and law enforcement. Untimely turnover in the C-suite is a cause for concern at any time, and especially so when the CCO or the bank leadership may have fallen short. At the same time, we have recently begun to see institutions elevating CCOs to their board of directors, bringing them greater prominence but also exposing them to more reputational risk.
This article examines what makes a CCO effective, viewing the role through two lenses: First, we examine what makes the CCO successful in the eyes of compliance professionals; and second, we look at how senior business leaders interact with and think about the CCO. Certain core attributes are needed by all effective CCOs, including integrity, leadership, work ethic, substantive knowledge and meaningful experience. In an environment of ever-changing regulatory expectations, however, more is needed to ensure success. CCOs who do not exhibit all of these attributes need to recognize the gaps and fill them with senior team members who do have them.
From the lens of a chief compliance officer
Today’s CCO requires a working knowledge of legal requirements and regulatory expectations, along with the ability to operationalize those requirements and expectations. But compliance expertise is only the start of what it takes to be effective. CCOs also need political savvy and backbone to be able to navigate the first, second and third lines of defense in order to implement and maintain processes required for robust, enterprise-wide compliance programs.
Know your limits. No one knows everything, and this goes for CCOs, too. Strong CCOs leave their egos at home and recognize their weaknesses. They hire and promote staff who complement their own experience, filling gaps by welcoming the expertise others have to offer. They build organizations and surround themselves with team members who have the skills and backgrounds they don’t necessarily have. Good CCOs lead through management and oversight, and solicit advice and assistance from their peers, staff and, at times, external stakeholders.
Know your department. Establishing appropriate key risk indicators and key performance indicators is critical to ensuring that departmental operations are robust and yielding useful insights into departmental operations for management, the board and regulators. These metrics also provide insight into staffing performance and needs, and provide support for the department’s effectiveness and efficiency. There is nothing more powerful than robust metrics to support why your department is both effective and efficient.
Efficiency is not a bad word. CCOs tend to cringe at the word efficiency, and rightly so. Too often efficiency has been just a euphemism for cutting staff. However, every department within an institution, including the compliance department, should operate in an efficient and effective manner. Knowing the department, having clear metrics such as those discussed above and routinely reporting on those metrics are all ways to demonstrate that the compliance department is operating efficiently. This is where credibility with both management and regulators is important. Effective communication can counteract challenges to staffing needs and processes to ensure program effectiveness.
Know your colleagues. Every person in the company and every third-party service provider has an impact on the compliance program. An effective CCO is a thought leader, a diplomat and a salesperson who knows how to facilitate the implementation of the compliance program in a way that the first, second and third lines of defense management can understand, agree to and rally around. These stakeholders may not like every aspect of the compliance program, but they will support it because they know that without it, there will be no business.
Partner with your colleagues. Too often, CCOs may alienate critical areas within their companies, by slipping into the role of the enforcer. This can be the root of a great deal of conflict, especially with internal audits. CCOs can gain the trust of their counterparts in internal audits as well as business lines by cultivating reputations as problem solvers, not cops and judges. It’s important to bring compliance testing and internal audit into sync, and that depends on building a partnership. The CCO should work closely with the chief audit executive and approach the audit department as valued advisors. As the third line of defense, the internal audit is the team that protects the company before regulators and law enforcement parachute in. First- and second-line colleagues—the front line and risk management—are important to program implementation and sustainability. The first line has to be fully supportive of the program in order for the program to be effective and sustainable.
Know your regulators. While some regulators may desire a less friendly relationship, good CCOs have an established, regular rhythm of interaction with their examiners. Ongoing and frequent interaction with the regulator, both formally and informally, helps ensure a transparent and trusted relationship. Most regulators are more interested in helping to ensure their regulated entities are in compliance than in the opportunity to levy an enforcement action or fine.
Know your management and board. Management and boards should have compliance top of mind, but they must also contend with costs. An effective CCO is plugged in to the concerns of senior management, the board and the chief financial officer (CFO). He or she leverages his or her department metrics to keep these key audiences informed of the compliance team’s performance in terms of both effectiveness and efficiency. Compliance departments are often viewed as revenue drains. However, with good metrics and communication, CCOs can ensure that management and boards comprehend how the compliance team actually protects revenue.
Know your team, and treat them well. Ensuring the compliance team understands the CCO’s vision for the compliance department is a priority. It’s essential to communicate with team members, and to treat them well. This doesn’t require showering them with money, but it does mean promoting an environment in which the team enjoys coming to work, even when things at the institution may be difficult. The CCO cannot manage the team from 30,000 feet away. Forget hierarchies, and treat everyone as if he or she is as important to the team as the next person. It doesn’t matter how large the team is or how geographically dispersed it is. Regular communication rhythms—such as emails, town halls and even site visits—help keep the team motivated and on track.
Have a strong second-in-command and a succession plan. Even a CCO who thrives on challenges needs time to rest and refresh. To be able to step away periodically, the CCO needs a strong second-in-command and even a third back-up on the team. Likewise, developing a robust succession plan is an investment in the future of the compliance program that the CCO has painstakingly put in place. CCOs owe it to their institutions and to themselves to plan ahead for their eventual departure. Doing so reduces disruption, provides continuity of vision, preserves the CCO’s legacy, and reflects favorably on the CCO long after his or her departure.
Know when to pick your battles. The ability to say “no” is the CCO’s superpower. Any CCO who is being asked to accept products, services or strategies with which he or she cannot live should state his or her objections clearly and stand his or her ground. But not every situation is worth going to war over. Credibility can suffer when the CCO fights everything. Getting a reputation for being “Dr. No” sometimes suggests rigidity rather than rectitude. Effective CCOs take time to seek understanding and develop solutions rather than proceeding straight to the role of kneejerk deal-killer.
Know when to leave. When career credibility is in jeopardy, a CCO may have no choice but to resign. If the CCO has lost confidence in the board and management’s willingness to be forthcoming, that is a serious problem. If leadership is unwilling to listen to the CCO or suggests actions that would put the CCO at personal risk, it is time to look for a new role. A CCO’s personal credibility is worth far more than loyalty to an executive team that is not committed to doing the right thing.
From the lens of a senior business leader
The interactions between compliance and a bank’s business leaders require balance. CCOs must be independent, objective and tough-minded to fulfill their obligations to boards, management and regulators. At the same time, CCOs are most effective internally when they lay a foundation of trust and cooperation and demonstrate an understanding of the business imperatives driving the organization. There is no avoiding the fact that at times the goals of compliance and business leaders are in conflict. But healthy interactions between compliance and business units are not only possible, but vital. A CCO who really understands the business can be both a source of support and a much-needed reality check for business leaders. Business leaders can and do understand the value of having a CCO who can put the brakes on excessive risk-taking.
Of course, the heads of the bank’s various lines of business have their own perspectives and expectations about what makes a CCO effective. What they want above all is a CCO who truly takes time to understand the businesses the regulatory compliance of which they oversee.
Know the drivers of the business.
To achieve credibility with business partners, successful CCOs must understand how the business makes money, how it delivers its products and services to customers, the value it provides, and its strengths and weaknesses. This includes knowing its strategy, financial metrics, customers, operational challenges and risks. Speaking the language, knowing the acronyms, and understanding all of the nuances that create a successful business line are positive qualities. Being facile in this area establishes credibility with the CCO’s business counterparts. Business leaders want to see that the CCO knows what makes the business go.
Stay current on emerging trends, technologies and more efficient ways to deliver.
From a business leader’s perspective, the compliance function is overhead that cuts into operating efficiency and profitability. Any opportunity to reduce this expense allows the business leader to invest further in the business or improve the bottom line. Regtech, machine learning, effective outsourcing and collaboration with other control and risk functions can all lead to a more effective and efficient delivery of compliance. CCOs can deliver wins for both their businesses and their own teams by seeking ways to maintain or enhance the compliance framework while gaining operational efficiency. Staying current on better, cheaper and faster ways to manage compliance risk demonstrates the kind of partnership business for which leaders are looking.
Define responsibilities clearly.
Since the global financial crisis of 2007-08, many financial institutions have reacted to the expectation of enhanced risk-and-compliance oversight by adding activities and responsibilities across the organization, gradually creating confusion. Effective CCOs work closely with colleagues in the various risk functions across the three lines of defense to find and eliminate duplication of efforts, while championing sound oversight. Insisting on role clarity means determining who is both accountable and responsible for the management of particular functions or issues. Defining roles and responsibilities clearly across the compliance, risk and control functions leads to greater efficiency, better accountability and a stronger risk-and-compliance framework. And business leaders appreciate the CCO’s efforts to streamline the layers of risk-and-compliance oversight.
Escalate early and with facts.
Business leaders depend on CCOs to escalate issues early, objectively and with facts to back them up. General statements about compliance risks without clear facts, an analysis of the problem and proposed solutions frankly isn’t helpful. Business leaders by definition are focused on operations. They expect that when CCOs identify problems, they will describe them clearly and concisely, provide concrete examples, and propose ways to set things right. When CCOs are prepared with facts and solutions, business leaders are more likely to aggressively address concerns.
Keep your communication lines open.
CCOs must stay connected and communicate fully and clearly with business leaders; risk, control and audit partners; regulators; and the board. Communications can take the form of personal interaction; one-on-one meetings, both formal and informal; ongoing reporting; and full transparency to all stakeholders. CCOs should consider operating under the rule of “no surprises”. Avoid jargon, meandering emails and “compliance-speak” when communicating with business leaders and other stakeholders around the organization. Addressing and presenting issues early with clarity and focus will generally drive the interaction and engagement CCOs need to succeed.
Assume positive intent.
Too often people make assumptions and decisions based on incomplete facts. Further, without having the benefit of a full understanding of the nature of the problem or issue, we often draw adverse conclusions and impute improper motives on the part of the actor. Assigning blame too quickly can be a trap for CCOs. Business leaders trust the CCO to assume positive intentions and motives while they are still digging through the facts. Jumping to conclusions without having the benefit of understanding the full story can severely undermine a CCO’s credibility and standing within the company.
Effective CCOs by their nature tend to be leaders who do their homework, thrive on facts, and sweat the details. They succeed by working to fully understand the facts, undertaking appropriate diligence and analysis, seeking counsel from trusted partners, and making judgments based on the best interests of the company.
Above all, CCOs must have the courage of their convictions and be willing to stand their ground even when their decisions are unpopular. This is what the management team and the board expect. Anything less puts the company, the CCO’s reputation and possibly his or her career at risk.
In short, lean forward; be seen by all stakeholders as inquisitive—a problem solver, a clear communicator and a critical thinker.
As appeared in International Banker.