Defining and Building Your In-House Compliance Committee
People say that effective corporate compliance is a team effort—and every overworked, overwhelmed CISO knows that statement is true.
Then comes the next logical question: How do you assemble that team?
For just about every organization, you’ll need to create an in-house compliance committee. This is the group of executives from across the whole enterprise who somehow play a role in risk management, and who therefore should also play a role in shaping the compliance program to govern the risks your business faces.
OK, the concept is clear enough. Next come the practical questions: Exactly who should serve on the compliance committee? What issues should it address, or not address? And what role does the compliance officer play as leader of this committee?
Let’s take each question in turn.
Who Serves on the Compliance Committee
One guiding principle should be that everyone whose business function either creates risk or manages risk should serve on your compliance committee.
For example, in a high-growth tech business, you would want to include the heads of sales and business strategy, since their plans for growing the business can create compliance risks. You also want to include the heads of human resources, IT, and legal, since their functions help to manage compliance risk.
As you can see, the compliance committee is a mix of leaders from the first and second lines of defense. Selecting participants from the second line is easier to do, because those functions are mostly the same across every business: HR, legal, IT, and the CFO. If the CISO and the chief compliance officer are separate roles in your business, include them both. If you have an internal auditor (the third line of defense), that person should be on the committee too.
The exact membership of the compliance committee will vary for each firm, depending on its size and business operations. For example, a larger consumer-facing firm might have a chief privacy officer and a head of customer service; they would be candidates for the committee. A biotech company might have a vice president of regulatory affairs, and that person should certainly be a member.
Another important consideration: who should not be on the compliance committee — namely, the CEO and those on the Board Directors. They have day jobs setting broad strategy for the business and developing an appropriate corporate culture; compliance risks are a level of detail beneath their pay grade. They should be briefed about compliance risks regularly, but that’s not the same as them participating in compliance committee discussions. Let the CEO and the board focus on other matters, while those closer to the duties of compliance and risk mitigation focus on this.
What is the Compliance Committee’s Scope
So what does the compliance committee address, exactly? Several important points.
First, the committee defines potential compliance risks based on business operations and regulatory requirements. This is where representatives from the first line of defense can talk about business activities that might trigger new compliance risks: “We want to launch a new version of our flagship service for children!” The second line can then reply with what that means for risks and internal controls: “Our privacy and security risks will skyrocket! How do we fix that?”
The above example shows why a compliance committee should include voices from across the whole enterprise: because risks arise when one part of the enterprise doesn’t know about, or respond to, what the other part is doing. When people toss around the buzzword of “siloed risk management,” that’s what they mean.
So a second duty of the compliance committee is to avoid siloed risk management by developing policies, procedures, and internal controls that keep pace with business activities and whatever compliance obligations the organization faces.
Continue with our example on a service for children above: the legal team would note that the business needs a mechanism to obtain and preserve parental consent. The CISO would propose to store that consent and the children’s personal data either internally or with a secure data storage vendor. The CFO would consider the costs of those options, and marketing and strategy would weigh whether all of these steps would still make their proposal worthwhile.
You can see the competing interests here. The compliance committee’s job is to sort those interests into viable strategy — to decide how much security is “enough,” or how many steps are necessary for “effective” compliance.
All of that is true whether the compliance committee is considering a new risk such as our example above, new internal operations that might affect compliance (say, outsourcing important IT systems),or new rules that apply to the business (e.g.,a new privacy law such as the California Consumer Privacy Act).
The compliance committee is meant to be a clearinghouse of compliance concerns, where all parties can hear what’s happening and offer their perspective on a response.
What Does the Chief Compliance Officer Do
The chief compliance officer should act as the chair of this committee. He or she sets the meeting schedule (quarterly will usually suffice; more often if you’re in a specific compliance crisis), sets the agenda, and drives the discussion.
For example, the compliance officer might present the results of recent testing or monitoring. (Testing or audits should be done either by the compliance team or by external partners versed in the specific issue, such as a cybersecurity or audit firm.) He or she could also review high-priority investigations, the results of a risk assessment, the board’s priorities for risk management, and so forth.
The compliance officer can also drive the conversation about compliance operations. For example:
- Are any new business expansion plans afoot, such as new products or new markets, that might trigger new compliance risks?
- Are any internal changes pending, such as a restructuring plan, furloughs, IT upgrades, or new compensation plans, that might affect compliance program operations?
- Who is complaining about the practicality of compliance policies, procedures, or controls? What are they saying?
- How are risk mitigation or remediation plans moving along? What steps are encountering trouble, and why?
How the Compliance Committee Stays on Track
Given the many issues and details the compliance committee might oversee, mechanisms to hold the committee accountable for their objectives are critical.
If you already use a GRC tool that allows you to assign remediation tasks to specific people, see if you can use that capability to assign necessary tasks here. If such a tool isn’t available, look for some other tool or application that maintains version control and allows everyone on the committee to view progress. Even a secure, shared spreadsheet will do in a pinch.
The point is that compliance committees shouldn’t exist just for the sake of talking about compliance. They need to get things done to maintain a strong compliance program. They need to set objectives for better compliance, assure that actions to meet those objectives are taken, and that the objectives themselves ultimately accomplish what the committee wants those objectives to do.
For more guidance on how to build an effective compliance program, check out our ebook 10 Key Elements to An Effective Compliance Program.
Get the Latest on Compliance Operations.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named as ‘Rising Star of Corporate Governance’ by Millstein Center for Corporate Governance in inaugural class of 2008; and named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.