Compliance Oversight: How and What to Communicate to Your Board
How can you be sure you’re giving your compliance oversight team exactly what they need to know—no more, no less? Here’s what an attorney and a board member have to say.
At its core, workforce compliance oversight is about finding the right balance between too much information and not enough information. Clearly, an organization’s leaders wouldn’t be able to make decisions without reports about what’s happening on the ground. But it’s also true that an exhaustive, minute-by-minute account of every employee’s activities wouldn’t exactly clarify the decision-making process, either.
How can a compliance manager avoid TMI (or NEI) and give executives and board members exactly what they need to know—no more, no less?
[We’ve got a cheat sheet to help you out too – check out the Communicating to Your Board Cheat Sheet]
Attorney Michael Semanie and Compli board member Kirby Dyess offered some insight into that question in the concluding portion of our recent webinar, Executive Oversight: What regulators say, and what your execs want to know. If you watched the webinar, or if you read our previous two articles recapping it, you already understand why boards of directors and other executive oversight teams are ultimately accountable for their organizations’ compliance programs, and the 4 essential requirements of compliance oversight. In this article, we’ll put it all together and explain how and what to communicate up to your oversight team.
What to Report to the Board: 3 Fundamentals
“From my perspective, it’s real simple,” Michael said of reporting compliance data. “It’s ‘What happened?’, ‘Why did it happen?’, and ‘What can we do to fix it?’”
In other words, compliance managers creating reports for the board should…
- identify what has happened during the prior period,
- identify the reasons why any new issues have arisen and the context, and
- identify a proposed plan (or plans) to resolve the issues.
“We’re talking about identifying what happened over that past period—from the last board meeting—and reporting that to the board of directors, so that they understand what’s going on in the field,” said Michael. “To the extent you can use any kind of benchmark or KPI through which they can get a bit of a feel for the magnitude of these things, that’s helpful as well.”
Michael pointed out that context matters, and that compliance doesn’t happen in a vacuum—there’s frequently more going on than an organization meeting or not meeting its internal goals. He discussed a few of the potential external issues that may arise and impact an organization’s compliance program:
“Was it because of a change in the law? A new interpretation of the law? Was it a technology change? Was it the development of a new technique with respect to something like the way an organization should handle customer data?”
Lastly, he expressed the legal importance of having a plan to address any current compliance issue, and explained how a compliance manager should take the lead in developing the plan:
“The people who are reporting to the board are the ones who are going to be able to say, ‘look, I think if we address this part of the issue, we can fix it.’ And if nothing else, it threads the needle a little bit for them to get started. From a legal perspective, I would want to have all that documented of being reported: what happened, why it happened—and the context for it—and then what we’re doing to fix it.”
How to Report Compliance Data: A Board Member’s View
Kirby built on Michael’s points by giving us firsthand perspective about what board members expect, as well as a few tips about how to make life easier for the compliance oversight team. She told us that decision makers want to know…
- “Is my company on top of changing regulation and relevant court cases?”
- “Are we updating your compliance approach with the changing times?”
- “What’s going well? What needs work?”
- “What’s the status of open issues and when will they be closed?”
The key is to communicate digestible compliance data that is appropriately specific. Information presented in clear, contextual terms helps the board to correctly assess risk and should be reported and reviewed at every meeting.
Kirby provided a few real-world examples of how broader legal and social developments could influence an organization’s compliance approach, and thus be of interest to the board:
“Obviously, harassment in the workplace is a big deal at this point. It went from almost nothing to a 10 on the Richter scale relatively quickly. And because of that, companies need to pay a lot of attention to this, not just from a regulation standpoint but risk from a reputational risk standpoint.
“Sales tax is another issue in the news, following Amazon’s decision to collect all state sales taxes. Whether it’s right or wrong doesn’t make any difference relative to Amazon. What makes a difference is people not charging sales tax in the right way—that’s a big deal. And so making sure that that is part of your reporting—in other words, thinking in terms of what’s in the press—matters. What happens to your reputation happens to your business. It’s incredibly important not just from a legal perspective but also from a shareholder and reputational perspective.”
She then brought the conversation back to accountability: “When everybody owns something, virtually nobody owns it. It’s really important to have some assignment as to who owns the pieces of your compliance program.”
Finally, Kirby gave us some wisdom about framing data in terms of a board member’s needs and point of view:
“Waving our hands and saying, ‘gee, we don’t have any issues adhering to laws,’ is not really helpful to a board member. What we need is ‘this is where we adhere, this is where we’re at a gray area, this is where we’re feeling that we’re not quite there and we need to do some work on it.’ It’s very, very important to be transparent about that information for your board. And they are there to get to help and bring up other issues, not because they’re trying to deter your business—they have every reason to make sure your business is wildly successful—but they’re there to make sure that you don’t get caught in something that’s going to spiral the business down, and give you unintended consequences.”
We’ll leave you with one more piece of advice: consider investing in an automated compliance system. Boards and executive oversight teams have a lot on their shoulders, to put it lightly. If you can make compliance reporting painless and easy, it frees them up to spend time on the myriad of other responsibilities they have. Compliance automation makes it possible—not just for your board, but for your entire organization. With an automated compliance management system, board members can rely on thorough, ongoing, real-time insight into their compliance activity and outcomes across the organization.
An automated CMS…
- provides you with compliance data and deep insight at your fingertips;
- creates consistent processes and ensures that the right things are taking place at the right time;
- allows the organization to stay flexible in the midst of new laws and legal interpretations;
- provides visibility into potential areas of noncompliance;
- improves your board’s ability to be proactive in discovering and addressing emerging issues; and
- gives the organization a defensible framework for compliance when responding to regulators, lawyers, external auditors, or internal stakeholders.
Ready to see how an automated CMS can give you—and your board—peace of mind? Schedule some time to take a tour of Compligo and discuss your unique compliance challenges with our team.