Supervising Compliance functions: uncomfortable questions Boards should be asking (and CCOs should know the answer to)

In recent scandals, Boards have complained that they were not fully informed on a critical matter which has led to significant regulatory or reputational damage for the institution. Of course, such damage calls into question whether the Board are carrying out their supervisory responsibilities adequately.

In my experience Board members take different approaches to assessing what they are being told – sometimes more collaborative and thoughtful, others more combative.

But being properly informed usually involves asking the right questions, especially when the Board or Audit Committee are required to review and sign off annually on the institution’s compliance program and its related compliance risk assessment.

Here are some tips on what a Board should look for when conducting this assessment:

1. Trust but verify: how can the Board know whether the CCO is painting a particularly rosy picture of the Compliance environment? After all, unless the CCO is new and has been appointed to correct prior failings, it may be in their interest to confirm that Compliance risk is stable. Ask the CCO to identify the indicator or metric that puts the Compliance program in the worst light, and work from there. This will give you insights into whether the CCO has a sufficiently detailed knowledge of what’s going on and how capable they might be of sugar-coating the message. Of course, you’re right to be concerned if a CCO always directs the hard questions to their subordinates.

2. Fundamentals: Ask the CCO why they believe the Compliance program is effective in managing Compliance risk. Which foundational elements does the CCO single out? e.g. regulatory inventories, risk and control frameworks, testing and surveillance, training, metrics? How clear is the CCO’s strategy? Are documented milestones in place for progress? What concretely is getting fixed this year?

3. Forward-looking risk: does the Compliance risk assessment focus mainly on known gaps already identified by regulatory incidents or poor audit outcomes? Ask the CCO whether they kicked the tyres on risks that are out of focus today but may come back to bite, especially in the absence of the right fundamentals. And are the same old “emerging” risks being served up without much thought – ESG, crypto, geopolitical?

4. Effective remediation: if the institution has spent significant costs remediating a compliance risk (e.g. financial crime, conflicts of interest, fraud), ask the CCO whether the risk assessment shows a reduction in risk to reflect that investment? If not, why not? And given the remediation spend, shouldn’t the fundamentals now reflect best practices in compliance and risk mitigation? Have processes been automated to reduce the compliance burden on client-facing employees and reduce operational risk? Are the metrics insightful?

5. Conduct and behaviour: Of course it’s important to compare conduct and disciplinary outcomes against the picture you are given of the health of the Compliance program. But also ask the CCO how behavioural science has informed their view. Is the Compliance program designed to drive more compliant outcomes by deploying “nudges” to overcome “sludge” (bureaucratic time-intensive processes requiring use of different IT systems)? Or is the quality of policies, processes and training unsatisfactory: form over substance, prosaic, and dull?

6. Culture: ask the CCO to assess the culture across each business unit. Do they present a uniform picture that isn’t credible? Can they talk cogently about how to drive cultural change? How do they personally support a speak-up culture and encourage dissent? Is there evidence that their subordinates are prepared to challenge their business partners when needed?

Overall, do you have the impression of a progressive, forward-thinking, risk-focused Compliance function; or do you see a Compliance program that has lost sight of its true purpose, bloated and going through the motions without real accountability?

Getting it right for the Board can avoid the creation of what might become tomorrow’s “legacy” compliance matter with all of the legal and reputational costs that brings.


Independent Consultant, General Counsel | Regulatory Compliance | Corporate Governance | Conduct and culture

About Julian Gooding

Julian is an experienced regulatory lawyer and compliance professional working in the financial services industry.
