Harry Cassin Publisher and Editor

Andy Spalding Senior Editor

Jessica Tillipman Senior Editor

Richard L. Cassin Editor at Large

Elizabeth K. Spahn Editor Emeritus 

Cody Worthington Contributing Editor

Julie DiMauro Contributing Editor

Thomas Fox Contributing Editor

Marc Alain Bohn Contributing Editor

Bill Waite Contributing Editor

Shruti J. Shah Contributing Editor

Russell A. Stamets Contributing Editor

Richard Bistrong Contributing Editor 

Eric Carlson Contributing Editor

Bill Steinman Contributing Editor

Aarti Maharaj Contributing Editor

FCPA Blog Daily News

« Akamai, Nortek settle China bribe cases with SEC non-prosecution agreements | Main | Richard Bistrong: My Ten Commandments of Goal Setting »

Julie DiMauro: Best practices for today's CCO

Let's start this discussion with: Know the business.

In addition to knowing their regulatory-reporting obligations, compliance officers should understand what their managers do, what products and services their company offers and the systems that sustain these products and services.

If a compliance officer lacks this background, it can be acquired through research, on-the-job training, observing business associates, and asking for outside educational opportunities.

Another method for ensuring compliance officers understand their business is for them to get involved, where possible, in the development and creation of new business services and business units. This can also help ensure compliance is embedded in new activities from the outset.

Reporting lines. Institutions with elevated regulatory compliance risk profiles may want to have the CCO report directly to the chief executive, and CCOs should advocate this model. The relationship with the CEO can help lift the prominence of the CCO function, promote the compliance program's importance throughout the organization and hasten reporting and response time for any incidents.

Compliance officers should seek to set out how the business has managed risk through regular reports to the board or senior management.

This is likely to include how the compliance program has handled any extraordinary employee incidents, what the team has changed within the compliance program since the last meeting, how it is handling any regulatory investigations or meeting the terms of any deferred or non-prosecution agreement, how it has mitigated any bribery or other corruption issues or insider trading concerns, and the state of its cybersecurity preparedness, at a minimum.

Avoid companies lacking a compliance culture. There is little reason to commit time and talent to a business environment where reputational threats lurk around the corner because a strong culture of ethics and compliance is lacking.

Regulators have been referencing "culture" in enforcement decisions because they have come to the realization that businesses that view their ethics and compliance programs as a set of check-the-box activities are more likely to ignore the ever-evolving risks facing them.

An organization could have an impressive-looking ethics and compliance program, but without a commitment by all levels of employees to reference it and abide by it, and by top executives to promote it and encourage adherence, the program is insufficient.

There is no need to linger in this type of atmosphere if there is little to no support from the top in altering it.

Get the help you need. There are so many aspects to the compliance officer's role that require the support and active engagement of other teams and individuals. Besides getting demonstrable support of senior management, compliance officers must make sure their efforts align with other groups, such as human resources (disciplining, plus hiring and firing employees), IT (data privacy policies and cyber security protections), audit (testing and monitoring controls) and marketing (reviewing advertising and social media communications).

Rules do not exist in a vacuum at any business. Having other departments reinforce your messaging and reminding their teams of how to alert you to potential problems will go a long way in making your program more effective.

Keep learning. There are so many certification, continuing education programs, conferences and seminars available to compliance and risk professionals that offer opportunities to learn from peers and network. In particularly ever-changing areas like the use of financial technology, these learning opportunities can help compliance professionals implement state of the art techniques at work and hopefully provide leverage with employers in terms of compensation.


Julie DiMauro, a Contributing Editor of the FCPA Blog, is a regulatory intelligence and e-learning expert in the GRC division of Thomson Reuters Regulatory Intelligence. She'll be a speaker at the FCPA Blog NYC Conference 2016.