10 crucial first steps for the chief compliance officer

For newly appointed CCOs, unique challenges loom on their very first day in office

Like any high-level corporate officer, newly appointed chief compliance officers (CCOs) have a limited opportunity to make the initial critical moves to set the tone and agenda for the rest of their tenure. But that’s where the similarities to other C-Suite executives end. Becoming the CCO is unlike taking the helm of other critical corporate functions. For newly appointed CCOs, unique challenges loom on their very first day in office.

The CCO position has been exponentially magnified in importance because of roiling scandals in the marketplace and the recent concomitant erosion of public confidence in business. If boilerplate compliance programs never really sufficed in the past, they certainly don’t today. Modern programs must have real teeth and be tailored to each corporate risk profile.

Conversely, compliance remains uncharted territory. The role of a CCO, the functions undertaken, and the reporting lines vary among corporations, along with the business decisions they get involved in. CCOs and their C-suite colleagues don’t necessarily face the same issues on day one, nor will similar templates guide them through the first critical tasks at hand. Yet upon assuming the role, CCOs may consider applying the existing systemic and tactical best practices identified below in a variety of corporate cultures.

1. Identify the “owners” of corporate processes

In any new position, a critical function is to learn the business. The CCO must go one step further, learning who “owns” each of the various functions touching a compliance issue: Who owns the corporate policies; who has risk management responsibility; and who conducts investigations. The CCO must quickly gather this information, contacting these individuals to discuss confronted issues, and build partnerships with the process owners.  Inevitably, the CCO needs to leverage these relationships later when undertaking the follow-on activities.

2. Assess risk impact

Every business has a unique risk profile—to the company and its industry; every CCO inherits some risk because risk is endemic to business. Risks must be identified, measured, and assigned a specific rating, as soon as possible. The assessment should include the likelihood the risk will lead to problems, the severity of the problems that would arise, the current existing controls to mitigate such risks, and the residual impact of the risks after taking into account internal controls. 

A successful risk assessment will educate the senior management on what risks the company faces, open a dialogue with business leaders on corporate “risk appetite”, and help create possible solutions to mitigate the most serious risks. A CCO can make an immediate impact if his/her work leads to successful initiatives that manage the company’s risk.    

3. Measure existing controls

A CCO should review existing core compliance functions in order to determine currently established internal controls. Although part of this analysis takes place in the risk assessment, there are areas, which may require a deeper dive.  Are there screening programs are for the company’s OFAC compliance program; is third party due diligence conducted as part of the company’s anticorruption program; does the company have a sufficient Code of Ethics and/or Code of Conduct—these types of questions must be studied.  Controls should be benchmarked against leading practices and identified gaps should be addressed.  Required remedial actions to strengthen the company’s internal controls should be identified, and an implementation plan executed with acknowledged responsible individuals and timetables.

4. Identify red flags

New CCOs will doubtlessly be exposed to capacious information from many different people in the company, varying from corporate business strategies to financial performance. A CCO must be an active listener, identifying any “red flags” that may arise during the course of these discussions. That means raising his/her hand, asking questions from the get-go, and watching for triggers that may indicate a larger issue—such as large or persistent discretionary payments; evidence, documented or anecdotal, that field offices are ignoring clear-cut direction from the corporate office; or lawsuits that might indicate patterns of non-compliant behavior (i.e. involving contract violations, employee relations, etc.).

5. Ensure existence of whistleblower reporting avenues

Does the company have a formally codified whistleblower program replete with all the features that qualify it as credible, including, for instance, practical enhancements such as hotlines? What about a clearly stated non-retaliation policy? The CCO’s immediate obligation is to create a credible process by which people can anonymously report complaints, or review the existing provisions to ensure that it can withstand regulatory scrutiny regarding efficacy.     

6. Communicate—immediately and regularly

Effective communication is vital. Employees must understand that the company’s compliance program is more than a disclaimer on a label; it is integral to the way the company does business. A CCO’s immediate task is to define the mechanisms and content – from periodic email communiques to mandatory attendance at compliance-related events – with which the compliance department and the C-Suite will deliver the message.

7. Formalize training programs

Compliance-related training should be institutionalized. The CCO must immediately create the agenda, and schedule periodic sessions segmented both functionally and regionally. Importantly, training must be tailored to the audience; with attendees free to discuss situations to which they have been exposed.

8. Set the tone

Compliance must be top-down, middle-down and every employee’s responsibility. CCOs must find ways to imbue all business operatives with a sense that the corporate leadership is utterly devoted to the ethical principles they espouse. Assuring rhetoric won‘t suffice. To achieve credibility, the CCO could encourage individualized plans to help executives and managers demonstrate their commitment. 

The CCO must be the biggest supporter of the company’s compliance program outside the organization as well.

One legitimate purpose of a sound compliance program is to show the world—customers, regulators, media—that the company has done everything possible to establish a leading corporate governance system. Even as he/she creates the program, the CCO must plan to publicize its existence, and pursue every opportunity to confirm its credibility, and thus its benefit to the company.

9. Define what you still must learn

Despite supportive C-suites and boards, there are minefields ahead because of the unknown. Early on, the CCO must determine ways to reveal potential liabilities, be they existing operational dysfunctions or burgeoning corporate plans for expanding into new industries or geographies that deliver new exposures. Those exposures must then be incorporated into the overall risk profile.    

10. Profit-centering compliance

Another critical communication opportunity for the CCO is to incentivize employees and management by demonstrating the “value-add” of compliance. It might include uncovering hidden traps in a merger or acquisition; quickly meeting standup licensing needs for new projects; or helping achieve greater consumer confidence (and sales). It’s never too soon for CCOs to dangle the carrot along with wielding the proverbial stick. 

No CCO can possibly take all of these steps during the initial moments on the job.  However, these steps are important enough that CCOs must begin planning the instant they’re offered the job.

Similar to the efforts needed to clean the Augean stables—the tasks required to keep corporations compliant is a Herculean effort.

author image

Suzanne Folsom

Suzanne Folsom is general counsel and senior vice president of governmental affairs of United States Steel Corporation.

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.