WSJ Chief Compliance Officer Council Summit: Key Takeaways (Part I)
This week, I attended the inaugural The Wall Street Journal Chief Compliance Officer Council summit in London. We discussed the latest trends in ABC, geopolitical risks and sanctions enforcement, cybersecurity and AI regulations, industry best practices in training and third-party management, and the evolving role of the CCO.
These are the key messages from enforcement agencies on both sides of the Atlantic (US DOJ and UK OFSI) and thought leaders across various compliance fields.
Enforcement
Cooperation among enforcement agencies is on the rise, not only in terms of policy alignment but also “on the ground” work from start to finish. And they want companies to know this.
National security considerations are at the top of the enforcement agenda and similarly need to be high on companies’ priority lists. But there is more to this. It is now US DOJ policy, and we have already started seeing this in some of the recent enforcement actions, to look at issues holistically. If it starts with the US FCPA, the review will trigger AML/CTF, export controls, fraud, FEPA and other considerations. DOJ message: companies need to look at it holistically and break the silos between different branches of compliance.
All recent DOJ policy announcements (Whistleblowing program, emphasis on self-disclosures and others) have one underlying theme: it's time to focus on “prevention and detection”. The Department wants to help companies build the right prevention mechanisms and capabilities and make it easier for businesses to comply and come forward where they identify non-compliance.
Recent policy announcements aim to give companies predictability and clarity: DOJ expectations, what happens if companies identify issues and self-report, credit (or even declination) they can get when they self-disclose and have an effective program in place, and what the “stick” looks like if they do not follow the path.
DOJ is committed to making an extra effort to ensure that its disclosures are clear on the “why” and the “what” of resolutions. By providing greater transparency and predictability and removing uncertainty, it wants to incentivize companies to improve prevention and detection and make the decision-making process about whether to self-disclose easy.
When it comes to compliance programs, the design is not the only factor that matters. The program should be agile enough to identify emerging risks and trigger compliance response. Static programs will not get credit. Companies should also look at what is happening on the market and what their peers do in terms of compliance programs. Benchmarking is an important element of keeping your program dynamic.
A special message for non-US businesses: As long as they touch the US financial system (through the use of US Dollars or otherwise), the DOJ has jurisdiction over all types of issues (AML, sanctions, ABC). Period.
The Future Role of CCO
In recent years, the CCO's remit has grown dramatically, as have the CEO and CFO roles. It is a fair question to ask: How much is too much?
CCO’s responsibilities continue to grow in the context of a changing regulatory landscape, markets and stakeholder expectations. This is what the CCO role is about – my key takeaways from the discussion:
- It’s less about the “check the box” regulatory compliance and more about risks and synergies.
- Strategic and cross-functional focus. Look across and put pieces together.
- Elevating conversations from what must be done to what should be done: risks, conduct, and values are at the heart of it.
- At the end of the day, it’s all about partnerships with businesses and other corporate functions and focusing on the value compliance brings to the table.
- Building relationships with the Board and committees is critical, so if you ever need a direct line, you can take it.
- Talking to peers from the industry and keeping a finger on the pulse of the market is part of the CCO job.
Personal relationships matter, too: It’s much easier to have a difficult conversation when you build rapport, and having someone who speaks well of you when you are not in the room helps. No Zoom or Teams call can replace a face-to-face meeting and discussion.
Board perspective: with oversight expectations continuously growing, directors need all the help they can get. CCO can play a critical role in helping them to get the right level of comfort in understanding how the company deals with compliance risks.
- Know your business, assess the risks, and tell them how you will deal with those. Be honest—if there are gaps, tell them there are gaps, but also what you are going to do to fix them.
- Data is only half of the story. It’s insights and foresight that matter.
- Anticipate the risks – help them to look around the corner and understand what to worry about.
The Future of Training is Storytelling
If you haven’t heard about the Microsoft Trust Code Series, you had better check it out (their Trust Code for Partners content is on microsoft.com: Trust Code for Partners: Onboarding (19020)).
Microsoft uses a storytelling format to help employees and partners navigate the world of ethical dilemmas and learn how to make the right choices. I first read about it in May 2023 back in WSJ (here is the article: Microsoft Employees Are Hooked on the Company’s Training Videos - WSJ), and I have been fascinated to learn more about it since then. Talking with Mike Jackson, Microsoft’s Head of C&E Governance, Training and Culture, I finally had a chance to see it with my own eyes and ask questions. This is what I learned:
- It’s about engagement as much as rules and ethics.
- Life is not “black or white”, nor should your training be. It’s a growth mindset that matters. Pause, think, ask - talk about it, discuss and debate.
- It also needs to be dynamic, relevant, and reflective of the social context—the real world around us and the challenges each of us faces.
- It’s the content but also the way information is consumed nowadays: shorter attention span, fast-changing news cycle, and our addiction to personal tech and social media.
- The solution to learning fatigue is finding the right balance between quality and quantity.
In assessing the effectiveness of your training and whether it actually achieves the intended outcomes, employee feedback is essential. In addition to the post-training surveys and face-to-face engagements, Microsoft has implemented a Global Employee Listening System. It allows employees to share their feedback and views on how the company is doing in terms of ethics and compliance, and for leadership to hear what their employees think. These questions are asked multiple times a year in different contexts.
This is very similar to the Self-reflection exercise that my team and I implemented in QatarEnergy in 2019, where after the annual Code of Conduct Acknowledgement, we invited employees to share their perception about the organisation, its commitment to ethical standards, conduct, and Speak Up practices among others.
Geopolitical Landscape and Sanctions Enforcement
It’s not only that geopolitical risks continue to dominate public and corporate agendas, but fundamentally, the world-order architecture built post-WWII does not fit the current state of affairs.
Businesses need to take a “bigger picture” view and build the right “architecture of inputs” – breaking organisational siloes and bringing all inputs into one place. Once again, complex issues require taking a holistic approach. And this is where CCO experience can bring a lot of value.
These are the priorities that dominate CCO’s agendas in terms of geopolitical risks:
- New sanctions and a fast-changing enforcement environment
- Siloed national regulatory policies and “cross-talking” jurisdictional regimes
- And then there is a “Lawful but awful” category of issues (term courtesy of brilliant Ziad Haider, Partner and Global Director @ McKinsey): actions that are technically legally permitted but stand on the edge of ethics. This is where CCO’s moral compass can and must lead companies in the right direction.
And then this: It’s not only the insights and oversight that we, as CCOs, need to pay attention to — it’s foresight that matters, too — the ability to look around the corner and foresee the scenarios that can play out in the mid- and long-term.
Listening to OFSI, the UK’s financial sanctions enforcer, I could see three top priorities for the companies in terms of sanctions compliance:
- Detecting and preventing sanctions evasion
- Building effective sanctions compliance programs that can detect and escalate red flags in a timely manner, and
- Going “above and beyond” technical compliance.
These are just some of the key messages I took from the discussions, and I will incorporate more insights into the future issues of my newsletter. Until then, if there is anything that caught your attention and you would like to discuss, reach out!
Otherwise, we will reconnect next Saturday!
Comhla Intelligent Compliance
At Comhla, we are driven by a mission to revolutionise the way organisations approach compliance and misconduct prevention. By leveraging our in-depth governance, compliance and internal control expertise, actionable data insights and cutting-edge applied research in organisational science, we help our customers build effective regulatory and compliance management to safeguard their license to operate, protect the bottom line and enhance reputation as responsible businesses.
We aim to publish once a fortnight. The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.