How do you best protect your compliance officer?

I had a discussion recently with two highly ambitious Copenhagen Business School students, writing their bachelor project. We discussed which measures you need to take in order to best protect your compliance officer.

This is a discussion that is dear to my heart, having worked for 20+ years in banking, where 7 of those years were within operational risk and compliance. First of all, it’s important to understand why and what you are trying to protect - why is this even an issue?

➡️ Your compliance officer is the most important protection for any executive officer, as she can make you aware of unwanted risks and undesired culture, and even recommend concrete mitigating actions.

➡️ Your compliance officer is your internal truth-teller, so you need to make sure that nothing stands in the way of her giving her honest opinion about anything.

➡️ There is very little upside in not listening to your compliance officer.

➡️ Regardless of how strong the culture is, an internal truth-teller will always hit internal resistance. Even people with good intentions will try to water down the messages, as the messages very often point towards a lack of performance in one way or another.

Therefore the question is, how do you make sure that your compliance officer has the freedom to say what she needs to say? It's not enough to claim your culture is amazing and everyone has high integrity, so there is no resistance towards the compliance officer.

It’s also not enough to say that you hire compliance officers with extremely high integrity (and to some degree a lack of social skills), so that regardless of push-back from the 1st Line of Defense (1st LoD), she will still say what she thinks.

Both of the above will absolutely help, but you also need to put in place some mechanics.

✅ Governance

All compliance officers should report (indirectly/directly) to the head of compliance, and this person should report at least to the CEO. Hiring, firing and salary are therefore set by the CEO, with no interference from the 1st Line of Defense (LoD).

✅ Reporting

The reporting (sending compliance reports) should go to the recipient without too many opportunities for others to influence the wording. This is something to pay attention to: how much is the wording watered down from the 1st version to the final version of the report?

✅ Mandate

Define the mandate of the compliance officer in a board policy and give her significant authority and autonomy.

✅ Culture

Secure her effectiveness by constant support through a clear tone from the top. Always support her in public - and if she is wrong, close the door and give clear feedback. Even the small things matter - at larger meetings, insist on sitting next to her and show the organization you listen to her.

The last part is not to be underestimated. I had a CEO who was amazing at this, and it ended up being just as important as any of the governance structures.
