December 14, 2022 | Amanda Khatri
Estimated reading time: 6 minutes
Chief Compliance Officers – Keeping your board informed
As part of a robust compliance program, there is a regulatory expectation that the board of directors of your organization is well informed and up-to-date on the organization’s compliance program, including information that supports and demonstrates acceptable risk management.
As the chief compliance officer, you need to be in a position to provide that information on a routine basis, presented in an appropriate form.
My assumption is that your organization already has the foundational elements of a good program in place and/or is well on the way to advancing that effort. Wherever you are in growing or advancing your program, you should ensure that you have good governance and reporting routines in place to match the pace.
During my time at one organization, it took a great deal of work not only to get the compliance program foundation in place but also to make sure that the board was well-informed as the program grew and evolved. What I found when I started was the same thing that many smaller organizations may have in place – plenty of reporting on compliance assurance (aka testing) but little else.
At a minimum, compliance should be on the risk committee of the board’s agenda four times a year. The assumption here is that there are no “house burning down issues” that require more time and attention from the board.
What should yearly compliance planning look like?
Once compliance has the time on the agenda, the updates should look like this:
- Q1 – Annual Compliance Plan/Quarterly Updates
- Q2 – Quarterly Updates
- Q3 – Quarterly Updates
- Q4 – Annual Compliance Report/Quarterly Updates
Now we all know that not every area of the compliance program can be covered in every meeting, so let’s take a minute to discuss the areas of the program that should be covered.
The annual compliance plan
The annual compliance plan should cover, at a minimum, the following areas, along with the goal and target dates for each:
- Overall Compliance Dashboard
- Fair Lending/UDAAP
- Compliance Training
- Monitoring and Testing
- Risk Assessment
- Consumer Complaints
- Regulatory Change Management
- Compliance Metrics
Special projects should be covered under the relevant program pillar, or on a separate line if the item is significant (e.g., significant new tools/technology, major changes to the program). In addition, some compliance units are responsible for the following area and therefore should cover it within their plans and subsequent updates:
- Conduct and Ethics
Regardless of your compliance team’s responsibilities, ensure that they are covered in your annual plan and subsequently in the board updates, including key target dates for deliverables.
Quarterly compliance updates
Now let’s talk about quarterly updates. No board meeting has time to review a 50+ page presentation, no matter how early the members receive the material.
To make the information useful and digestible, my team and I developed a rotation schedule. There is a set of information that is always in the presentation. For us, it was the compliance dashboard, regulatory change, and compliance metrics. The rest of the coverage areas are rotated based on when information is likely to be available, with minimum coverage of at least twice a year.
At the end of the year, the annual compliance report should summarize all the accomplishments of the year and the results against the plan. My warning here: don’t get into the habit of closing out items that are not complete and renaming them as another effort for the next year. Compliance is not about project plans and timelines.
It is a fact that some things may not come together as initially planned, and if updates identifying delays were not provided during the year, this is the point to do so. The most important thing here is credibility and transparency around the compliance program.
Our compliance dashboard consisted of an overall program rating and an arrow showing the risk direction. We divided this one-pager into key highlights, change management, regulatory environment, and emerging risk.
The entire compliance presentation should give a good synopsis of the program and be limited to 10 pages (ideally including an appendix). Limit each area update to highlights and some graphs and/or tables. If there are additional pages for the appendix, avoid including a long list of data.
The Board does not need long lists to review. Even when creating your metrics (KRI/KPI), limit them to key metrics that add to the understanding of risk or performance. My team tracked many KRI/KPIs that were categorized based on the appropriate audience – not all of them warranted board-level reporting.
Once you have the presentation well organized, you still need to pick what is covered in the actual meeting. We always considered the presentation “read” and focused on the highlights and metrics that informed the board most about the risk. Every page does not have to be covered.
Most meetings run behind schedule, so take whatever time you are allotted on the agenda and figure out what you would cover if you had only half of it, but make sure you have touched on the key areas that should be covered for that agenda (yes, what a balancing act!). There are always one or two board members who will have a question, so leave sufficient time for interaction.
How to manage the compliance planning process?
One of the ways we managed the process was to ensure that the presentation suited both the executive risk committee (ERM) and the risk committee of the board (RCB) – with maybe some minor tweaking. This allowed for consistency in the information provided up the chain as well as minimizing the work effort in preparing for these meetings.
If you are lucky and can negotiate well, the compliance risk assessment and BSA/AML risk assessment results should have special time carved out on the agenda, separate from the rest of the compliance updates. The risk assessments contain a volume of information that provides the Board with an overall understanding of the risk within the organization, and they need sufficient time to share and digest.
The review process
The last word on this topic is the review process. Some organizations require a significant review of presentations being delivered to ERM or RCB. I can appreciate that the process helps make sure the information is clear – spelling, visuals, etc.
However, be careful not to fall into the trap of other teams stripping out information that you need to share. It is the responsibility of the CCO to ensure the board is kept updated, so ultimately the content of your presentation and the time needed to deliver it should be at your discretion, or at least a negotiation.
I have not always seen this to be the case, especially when an organization’s compliance program is in its early stages of growth and individuals are not used to it getting the time or attention needed on these agendas.
CUBE can help you keep abreast of every regulatory change and make sense of it for your business.