You have just been hired as the new Chief Compliance Officer of a global company operating in over 80 countries, including numerous high-risk corruption countries. You have no staff and have been given a budget to hire 5 full-time professionals, support staff, and technology, if reasonably priced.
When you look into the existing compliance program, you realize that everything is a mess. There are no real controls in place, third parties are being hired with perfunctory diligence, and training has only focused on the company’s code of ethics and compliance. Your code is strong but nothing has been done, in reality, to implement or enforce it.
Internal audit has not focused on any aspect of the company’s code of ethics or compliance program but instead has conducted a variety of inquiries relating to corporate finances and reporting.
What should you do?
Well, resignation is not an option. Instead, you need to roll up your sleeves and get started on cleaning up this mess.
How do you do that?
The first thing you need to do (besides drinking a glass of wine or a beer) is to take a deep breath and develop a realistic timeline for action. At a minimum, turning this program around will take two to three years, unless the government has launched an investigation of the company.
So, once you have a timeline in mind, and a realistic set of expectations, where do you start?
One key time-intensive function is to identify staff and begin the hiring process. Most CCOs underestimate the time it takes to put together a new staff. It can take two years to find the right people with the appropriate skill set.
Assuming resources come in to the CCO as needed, the CCO has to conduct a realistic appraisal of risks and ongoing (or expected) activity. A formal risk assessment is not needed; instead, a CCO has to rely on a gut-check risk assessment and put together an action plan. In this circumstance, the CCO has to stop the bleeding – identify and patch together controls to mitigate the most significant risks.
One area that should be avoided is putting a significant effort into creating or promoting an ethical culture. I do not mean to suggest that an ethical culture is not important but in terms of priorities, the CCO has to develop some of the compliance infrastructure before enlisting the CEO and senior management to step up and promote an ethical culture.
As an initial matter, it is important for the CCO to develop internal relationships by demonstrating compliance solutions, fixing the program that everyone knows is not working (but probably will not say), and establishing working relationships with important internal allies, especially in legal, audit, human resources, and finance functions.
Once the significant projects are identified, the CCO has to take steps to address the deficiencies. One area where the CCO is likely to start is on training. An ineffective training program has to be fixed right away to ensure that everyone understands the law, company policies, and what is required to ensure compliance.
A code of conduct training initiative is a strong start but much more is needed, particularly in complex areas like anti-corruption, export control/sanctions, and antitrust. There is nothing more dangerous to a company than to have lawyers, business managers, and employees operating in a risky world with no clear understanding of what the law and compliance requires.
Aside from training, a CCO has to focus on another key risk. In many cases, a company with a compliance mess may not have a real due diligence program for third parties or vendors/suppliers, or an established export control/sanctions screening compliance process.
Depending on the nature of the risk, the CCO should target a compliance fix in the high-risk area. If the CCO explains what he or she is doing and why to the business side, the managers will easily understand why the CCO is putting in controls and how the compliance effort will protect the company’s business operations. It is a quick and easy way to demonstrate the CCO’s competency and practical approach to solving compliance problems.
For the CCO who walks into a compliance mess, my key advice is to be realistic, demonstrate your competency, and build internal relationships that will lead to (relatively) easy successes.