The CFPB and other regulators expect an organization’s board of directors to have oversight over the organization’s compliance management system. Here’s why the buck stops with the board—and what it really means for a “buck” to stop.
“The buck stops here.” The saying, famously emblazoned on a sign President Truman kept on his desk, has been adopted by many leaders to indicate who’s in charge—and ultimately, who’s really accountable.
But what does “the buck stops here” mean, exactly? Does the “buck” refer to a dollar, as in “I’m the one who collects the money?” Or is it another kind of buck, as in “I have the power to halt an adult male deer in its tracks?”
Neither, it turns out.
Once upon a time, there was indeed a thing called a “buck:” it was a marker, frequently a knife with a buckhorn handle, that would point to the person dealing the cards in a game of poker. If someone didn’t want to deal, they could pass the buck and thereby hand over responsibility to another player.
I share this piece of trivia not only because it’s an interesting bit of linguistic history, but because of the notion it gives us about what it means to lead. Running an organization, like playing a game of poker, involves at least some element of uncertainty and chance. People may make costly miscalculations, miss rewarding opportunities, or hide the truth in an effort to protect themselves. But someone needs to be willing to get things started, to manage resources and resolve disputes, to take responsibility for any situation—good or bad—even if they don’t have complete control over the forces at work.
In the high-stakes world of workforce compliance, the buck stops with an organization’s board of directors, executive management team, or owner.
“As a board member, we all say, ‘Well, gee, we represent the owners of the company,’ and that’s a very, very high responsibility you take on,” Kirby Dyess, one of Compli’s own board members, told the audience during our recent webinar about board of director oversight. “That is not just responsibility for the company, but it’s a personal responsibility. Many board members can get sued for not using good business judgment in taking on these responsibilities.”
Kirby was joined by Michael Semanie, a partner with the law firm Killgore Pearlman, as well as Compli Sales Director Brian Larson. The three started their presentation with a discussion about the obligations every board, management team, or owner has over their organization’s compliance program.
Michael told us that in the eyes of federal regulators, the board of directors is ultimately responsible for an organization’s compliance management system. He emphasized that regulators expect a CMS and pointed out that this guidance, which you can find in the Consumer Financial Protection Bureau’s Supervision and Examination Manual, isn’t just an invention of the CFPB:
“It’s notable that even if that CFPB hadn’t said that, that’s the way the law works anyway. And this is an important note, as well: It’s not just that they’re responsible for compliance, but they’re responsible for developing that compliance management system.
You can be compliant based on just getting along and trying to do your best to do things the right way. But to have a system in place, that is a different ballgame. And that’s actually what’s required under the CFPB, and it really does make good business sense as well.”
Why does responsibility rest with the board rather than, say, a CEO?
According to Michael, the people who are responsible to an organization’s owners—the people at that highest level of management—are the ones that need to steer a company’s direction and set strategies, which C-level executives are employed to carry out and implement:
“Depending on your organization, it’s something that you can go back to, look at, and figure out: ‘Okay, well, who is it that really should be setting the tone here? Who’s really responsible for the compliance management system?’ It does make sense to look to the board—or whoever that is in your organization—because they are the ones that have fiduciary duties to the owners and the shareholders of the company.”
It boils down to duty of care.
Michael defined this responsibility as duty of care: a board’s legal obligation to reasonably avoid organizational practices that could cause harm to others. While the CFPB is focused on harm to consumers, duty of care encompasses all potential areas of risk—another reason the Bureau isn’t the only regulatory agency to abide by.
When considering the question of who’s in charge of the CMS, Michael said it’s a good idea to develop an organizational chart that outlines specific responsibilities, rather than leaving everything up to everyone:
“When I ask the question ‘Who in your organization is responsible for compliance?’ the answer is frequently ‘Well, we all are. We all do compliance and we all make sure everything is going right.’ I think that’s where you have to look at yourself in the mirror and question whether that’s really true, because compliance is like a team sport. The whole team is responsible for winning or losing, but if you throw a football team out on the field and don’t tell them who’s going to be hiking the ball, who’s throwing, who’s passing, who’s catching, who’s blocking and tackling, you’re going to lose. Even though the team itself is responsible, you still need roles so that it’s organized, and so you can actually be effective in what you’re doing.”
- keeps an organization out of trouble,
- acts as defense if a compliance issue does fall through the cracks,
- improves business operations overall.
Expanding on that last point, he explained that more work does not equate to better compliance: “No one’s asking any companies to just do more work and that will show whether they’re being compliant or not. It’s really about being effective, which often means having systems in place that address the issues that need to be addressed.”
Kirby supplemented Michael’s legal point of view with her perspective as a board member:
“Tone at the top is probably one of the more important things that any company should have, and it needs to be genuine. Having a mission, vision, and values that nobody in the company understands nor uses doesn’t work particularly well. You have to be deliberate about how those are developed within a corporation, and also how well they are reinforced. And often, those values, and the mission and vision, are reinforced by business conduct that is a written document and which everybody usually signs onto.”
In other words, compliance in one way in which an organization lives its values. A mission statement doesn’t really mean anything unless it’s supported by policies, processes, and procedures documented within a CMS.
Kirby also told us that another focus of board oversight is reputational risk:
“In today’s world, the eyes are everywhere. You really have to pay attention to what happens to your reputation if certain things get out of line. It can be everything from data security to workplace harassment, to compensation programs that deliver bad results. The reputational risk is huge, and it certainly falls on the shoulders of whoever is representing the owners of the company.”
If an organization’s board cannot meet its compliance reporting obligations, said Kirby, the board loses its capacity to make decisions. Instead of setting and accomplishing strategic goals, the organization is stuck trying to “catch up with what’s happening in the greater world.” A CMS allows the organization to not only avoid today’s legal risks, but to stay ahead of the cultural curve.
For more guidance on board of director oversight from Kirby, Michael, and Brian, make sure to check out the on-demand webinar, Executive Oversight: What Regulators Say, and What Your Execs Want to Know.