Oversight is a floor, not a ceiling.

Board-level responsibility for compliance is, in the formal governance frameworks of most jurisdictions, framed in terms of oversight. The board oversees management. It satisfies itself that adequate systems are in place. It receives reports. It asks questions. It approves the policies that management develops. Within this framework, the board's compliance role is essentially supervisory — a check on management rather than a participant in the work itself.

This framing is not wrong. The distinction between the board's oversight function and management's executive function is foundational to good governance, and confusing the two creates its own category of risk. A board that attempts to manage compliance directly, rather than overseeing management's management of it, is a board that has lost sight of its own role.

But there is a version of the oversight framing that has become, in many organisations, a way of describing a level of engagement that is genuinely insufficient. A board that receives a compliance report quarterly, approves a code of conduct annually, and considers its responsibilities discharged has not misunderstood its role. It has defined that role at the level of its minimum requirements — and in doing so, has missed the most important contribution it could make.

"The board that is genuinely accountable for compliance culture does not ask whether the compliance programme exists. It asks whether the programme is working — and it has developed enough understanding of the answer to know whether it is being told the truth."

The questions a genuinely engaged board asks.

The difference between a board that oversees compliance and a board that is accountable for it is visible in the questions it asks. An oversight board asks: do we have a compliance programme? Does it meet the relevant standards? Has there been any significant enforcement action? An accountable board asks something harder: how do we know the programme is working? What does the culture actually look like below the management layer? What are we not being told, and why might that be?

These are not comfortable questions. They are not questions that a management team that has invested significant effort in building a compliance programme always welcomes. But they are the questions that a board with genuine accountability for compliance culture has a responsibility to ask — because the compliance failures that cause the deepest damage to organisations are almost never the ones that appeared in the reports that management presented to the board.

In practice, genuine board accountability for compliance requires access to information that does not pass through management. Periodic direct interaction with the compliance function, without management intermediation. The ability to receive, and act on, concerns that are escalated directly to board level. A board member — or audit/risk committee — with sufficient knowledge of compliance to evaluate what they are hearing, rather than simply receiving it.

A useful test of genuine board engagement is this: if the compliance officer wanted to tell the board something that management did not want the board to hear, is there a credible mechanism for doing so? The existence — and the known existence — of such a mechanism is itself a compliance control. Its absence is a governance gap.

What the board models matters as much as what it monitors.

The board's contribution to compliance culture extends beyond its formal oversight function. Board members are, for many organisations, the most senior visible representatives of what the organisation stands for. Their behaviour — in how they conduct themselves, in the questions they ask and the ones they do not, in how they respond when difficult things are raised — communicates something about the organisation's values that no policy document can replicate.

A board that asks tough questions about how commercial results are being achieved — not only what results are being achieved — sends a signal downward through the organisation that the question is legitimate at every level. A board that tolerates opacity or deflection in its compliance reporting sends a different signal: that the formal structures of compliance accountability are less important than the appearance of their functioning.

This is not an argument for boards to become compliance managers. It is an argument for boards to understand that their oversight function has a cultural dimension that is at least as important as its formal governance dimension — and that the culture a board creates around its own engagement with compliance is visible to, and internalised by, the organisation it leads.

"Compliance culture does not begin with the compliance officer. It begins with the question the board is willing to ask — and the answer it is willing to hear."
