Chief Compliance Officer role explained. Jennifer Geary and Natalie McManus explore compliance leadership, strategy, and decision-making.
RiskMasters · 2026-06-16 · 57 min
Substance score: 50 / 100 (five dimensions, 20 points each)
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
There are genuine practitioner insights scattered through the episode - the fraud-team false-positive snowball story, the nine-minute Asto customer journey, the impact wheel concept, and the harm-first question - but they are diluted by lengthy philosophical passages, book-promotion framing, and considerable repetition of the same core point (compliance = leadership mindset) without deepening it.
a nine minute end to end customer acceptance journey. So literally if you had your documents with you, you could go from starting to acceptance within nine minutes
if you don't have the money to bring in an old singing or dancing AI led data engine to drive compliance risk assessment, don't even think about it. Think about the tools that you're using
Originality
The compliance-as-harm-first rather than rules-first reframe is well-articulated and the 'misconduct ladder' and 'impact wheel' are authored frameworks not recycled from elsewhere, but the broader thesis - compliance is a culture and leadership issue, not just a checkbox - is now mainstream in progressive compliance circles rather than genuinely contrarian.
I never use the word compliance. I talk about culture, I talk about controls, I talk about conduct. Um, because those three things to my mind are a compliance trinity
What is the potential harm? And if you start with what is the harm? Chances are you'll figure out that there's an implicit rule that sits behind it
Guest Caliber
Both guests are real practitioners - Natalie is an ex-regulator with live client engagements, and her detailed anonymised stories and FCA references signal genuine in-role experience; Jenny's work at Asto (Santander fintech) gives her grounded operational credibility - though neither is a widely known CCO name, and the episode is primarily a book-launch vehicle rather than a deep operational debrief.
When I was at Asto, which was a fintech created by Santander, we were a small team and so I was literally sitting beside legal and compliance and customer services was behind me
I am an ex regulator. Um, and so it feels anathema to sit on the problem and dimension it before you share it with someone else
Specificity & Evidence
The Asto nine-minute onboarding figure is the episode's only hard metric; the fraud-team regulatory complaint story is vivid but fully anonymised; most other references (FCA Consumer Duty, Principle 11, US sentencing guidelines, MiFID 2) are name-dropped without concrete data on outcomes, fines, or timelines, leaving the episode stronger on principle than on evidence.
a nine minute end to end customer acceptance journey. So literally if you had your documents with you, you could go from starting to acceptance within nine minutes
Not having adequate reporting structures has gotten big firms big fines before
Conversational Craft
The host constructs a logical question arc and occasionally builds on prior answers, but every question is a gentle open invite and there is zero pushback, challenge, or productive disagreement - claims about compliance being a competitive advantage, the three-lines model critique, and the US regulatory characterisation all pass entirely unchallenged, leaving the episode feeling like a promotional interview rather than a rigorous conversation.
Well, it seems you've answered my last question, but I'm going to ask it anyway
And uh, Jenny, I think last time you were on the show, actually we were talking about that famous upcoming book. So now we are going to talk about the content
Conversation analysis
Computed from the transcript - who did the talking, and the verbal tics along the way.
Share of words spoken
- Speaker C: 64%
- Speaker B: 24%
- Speaker A: 11%
Episode notes
In this RiskMasters episode, Julien Haye speaks with Jennifer Geary and Natalie McManus, co-authors of How to Be a Chief Compliance Officer. The conversation explains the Chief Compliance Officer role as a leadership discipline rather than a control function. It explores how compliance leadership shapes decision-making, supports strategy, and embeds culture across the organisation. Drawing on practical experience, the discussion reframes compliance as a capability that enables sustainable performance, trust, and long-term value.

What Does a Chief Compliance Officer Do?

A Chief Compliance Officer ensures that an organisation operates within regulatory expectations while enabling effective decision-making. The role combines governance, culture, and advisory influence to shape how organisations manage risk, interpret rules, and minimise harm. In practice, this means embedding compliance into strategy, operations, and everyday decisions rather than applying it after the fact.
Full transcript
57 min. Transcribed and scored by The B2B Podcast Index.
Speaker A: Compliance is not a constraint on the business. It is a signal of how the business chooses to operate. In today's regulatory environment, compliance is often treated as a function. In practice, it is a leadership discipline. Every strategic decision carries compliance implications. Regardless of the sector you operate in or the size of your organization, every operating model reflects a choice about ethics, risk and accountability. In today's episode, uh, I'm joined by Jennifer Geary and Natalie McManus, co-authors of How to Be a Chief Compliance Officer. Their, ah, book challenges a fundamental assumption. Compliance is not something organizations have. It is something they embed, design and live through decisions. We explore how compliance becomes a competitive advantage, what the impact wheel reveals about effective programs, and what it truly takes to operate as a chief compliance officer today. I'm Julien Haye, and this is RiskMasters. Welcome back everyone. It's my pleasure today to welcome Natalie McManus and to welcome back Jenny Geary. Uh, where we're going to talk about their upcoming book, How to Be a Chief Compliance Officer. Welcome to the show.
Speaker B: Thank you, Julien. Good to be here.
Speaker C: Likewise. Great to be here.
Speaker A: And uh, Jenny, I think last time you were on the show, actually we were talking about that famous upcoming book. So now we are going to talk about the content. Um, and with that we go straight into the first question. Uh, and Natalie, you have, I think, a background in compliance. Avanti. So we are going to grill you a little bit about that function we haven't really explored so far on the show. Um, and in the book you argue that every senior leader in practice is a compliance officer, which I completely agree with, by the way. Uh, so what changes when compliance is treated as a leadership responsibility rather than a function?
Speaker C: I think when you think about what compliance is, which is a question that we could spend our whole podcast on, it really comes down to social purpose and harm and how your organization adds value to the world that you're in and how it makes things better or at least how it sometimes it makes things safer and more sustainable. If you want to be a sustainable leader, you need to know what harm your actions as a company can cause. And you need to know what rules you might break. And if you're not aware of those rules and you're not aware of the harm that can follow as a consequence of breaching those rules, then you're basically in the dark as to whether you're actually meeting the purpose of the organization for your customers, for your suppliers and for your people. You're putting your people at risk. You are, uh, at risk of losing, uh, really great talent. You're at risk of losing your customers, losing your customer goodwill. You're at risk of losing favorable credit terms with your, your suppliers. The list goes on and on and on. And I think the reason why we're seeing this shift in perspective is because you're in a world now where the rules that we operate under have become so complex and so integrated with socioeconomic drivers. And we have rules for non financial misconduct and sanctions and employee behavior and employee welfare. And they matter what side your organization is. Uh, the complexity of what you do, whether you're doing it cross border, whether you're doing it with a thousand people or 10 or 200,000, you're in a world where there are hundreds, literally hundreds of rules that you need to comply with. And being a compliance leader doesn't necessarily mean you know those rules, you will still take advice from your experts. But it means that you look at things through a compliance mindset. So you look at things through a sense of how could my decision impact other people? 
Um, and so when I talk about compliance mindset, I never use the word compliance. I talk about culture, I talk about controls, I talk about conduct. Um, because those three things to my mind are a compliance trinity. Um, and so we've really sort of evolved to this place where compliance is embedded, it's implicit in everything that we do. Uh, and so it's just disingenuous to suggest that a modern leader isn't a compliance leader. It's just whether they know it or not. Um, and so for me, putting that into a practical, um, positioning, the biggest change I think you see when someone is following, ah, a compliance or applying a compliance mindset is cultural. Uh, they lift the people up around them, they encourage open mindedness, they encourage escalation. Um, you take something like the andon cord for example where um, uh, people in Toyota manufacturing line can pull the cord to uh, stop if they see a problem, which means things get surfaced early rather than late. If you've got that mindset, if you're a leader that is encouraging that mindset, compliance issues get surfaced before they become problems, um, before they cause harm, before they cause harm to your clients, before they cause harm to your suppliers and ultimately before they cause harm to your financial bottom line.
Speaker A: Jenny, do you have any additional perspective to add on this?
Speaker B: So, um, I mean, just a little, I mean hopefully even from that intro from Natalie, uh, you can see why I knew I had found the perfect co author for this book, right? Just because, you know, people think of compliance and oh, if you're a non compliant, you know it's very rules based and very black and white. And in natal Natalie you have just this really passionate and um, principled leader. And I just love the way that she talks about compliance and reframes compliance. And the only thing I would add on top of everything that Natalie said was um, when you think of compliance in this way and you think of everyone being a compliance leader and so on, all of a sudden the organizational purpose and um, the strategy and compliance are all bound together and compliance both informs and is informed by the strategy and purpose of the organization. They're, you consider them together. And if you're a compliance professional that's where you want to be right, you want to be right in the middle, situated in what the organization is trying to achieve and finding the best way to do that. So hopefully you can already tell that this is a really fresh and engaging way to think about compliance.
Speaker A: And we'll come back to some of the points you raised uh, Natalie, because I found that quite interesting in terms of uh, the purpose of the function. Um, and what is the most common misunderstanding about the chief compliance officer role at executive level.
Speaker C: I think that depends on the maturity of the organization. So if you're a small firm, um, if you're a startup, compliance is something that's done with someone that's also doing finance and people and all your other control functions. So it gets lumped in with we just need to make sure we're following the rules and you're probably taking legal advice from an outsourced provider because you can't quite afford to bring it in house yet. Um, and even when you get to mid sized companies that's still kind of a mindset that you see. You don't see compliance as this bespoke leadership role. You see it as sort of an add on to control functions. So if you're in a smaller organization, I think the greatest misconception is that the chief compliance officer or whoever is performing that role is doing something that is leading a control function. It's perfunctory, it's retroactive, it's um, looking at ah, data, it's performing monitoring and assurances. It's akin to audit but with a regulatory lens. Um, and I think the more mature and sophisticated your companies get, the more complex they get um, the more compliance and gets isolated in this bespoke function, uh, and then it becomes very um, ah, disassociated from company purpose and strategy. Uh, and so then you still got the same misconception that compliance is about checking and challenge, um, but from an independent seat. Um, and I just fundamentally don't think in practice that that's what good chief compliance officers do. They're strategic advisors that build strategic functions. One um, of the biggest things that Jenny and I have, um, really driven to emphasize in the book is the importance of having the compliance officer in the room at the beginning of ventures to help explore the idea, surface issues early and solves the problem. Um, compliance is not a naysayer. 
And the biggest misconception outside of this idea that um, compliance is just a check and challenge function is that if the computer says no moment, the rule says no. We are in a world where rules are not as prescriptive as we think they are. And the role of your general counsel is often to help you navigate the ambiguity and the thoughts that you're subject to. But the compliance officer is there to help you kind of transform that advice into something really meaningful for what the company wants to do. Um, and you'll hear that throughout, throughout this, you'll hear we interchange company with firm and organization. Um, these are universal principles. It doesn't matter if you're a uh, ah, public body or if you're publicly listed. Obviously there will be greater, more complex rule sets that you're subject to if you're a FTSE 100 company. But, um, the principles are still there. Um, and I think, Jenny, remind me, I think we've listed in the UK alone there are at least 15 cross enterprise regulators, irrespective of industry, that any company needs to be aware of. Um, and so again, if you think of compliance as check and challenge, did you follow the rule? Are you doing the checklist? You lose sight of this bigger picture which is what rules are there to do. And maybe this is me being an optimist with my, you know, my political history, um, academic hat on. But, um, I am a true believer in regulation serving a social purpose. And so if regulation is done well, and it is a big if, but if it's done well, then the role of the compliance officer is to help their companies understand that those rules are there for social purpose and to help companies be better versions of themselves for their clients. Um, so, um, Jenny, sorry I crowded you out a little bit. Come on in.
Speaker B: Yeah, um, I think my biggest learning in going on this journey with Natalie and in co authoring this book, um, I probably came into it with a very black and white view of what compliance was, that it was rules based, that it was, you know, you either complied or you didn't and she's really helped me understand the degree of interpretation um, that needs to be there. You know, the possibility that, you know, there is an element of art as well as science to this and when you fuse it with what the organization is really trying to do and actually taking a risk based approach as well, which is not something I ever really thought about in terms of compliance. I thought it was, you know, you comply or you don't. Um, and Natalie has helped me see like as with risk, you know, when you're in risk management, you're always interpreting, you're always contextualizing and actually it takes an awful lot more creativity than maybe a lot of people think.
Speaker A: Unfortunately, the rules are usually non binary. So uh, it opens a door to interpretation and perhaps this one for you Jenny, if you position that function and role in the wider context of the C suite framework, how do you see nuances and subtle differences uh, compared to Chief Risk Officer or Chief Operating Officer, et cetera?
Speaker B: Yeah, well, I think as Natalie said earlier on, one of the interesting things was um, how much what she was saying really resonated with what's in the Chief Risk Officer book. Um, and Natalie positioning compliance as a risk factor function. And it was really, um, yeah, it was really interesting to kind of go back and review some of the Chief Risk Officer book and then juxtapose it with the Chief Compliance Officer role. I mean obviously the two are allies. Very, you know, generally speaking, uh, the Chief Risk Officer and Chief Compliance Officer will be allies and will support and reinforce one another. Um, but that kind of risk based approach definitely, um, came across in the Chief Compliance Officer role. And you know, one of the things um, that we always say, you know, when you're coming into that first role is you have to find your, you have to create allyships, um, across a C suite table with people who sometimes have really different agendas to yours. You know, the head of sales or marketing is going to have a different agenda. The head of products, the head of operations all have different things. And um, as Chief Compliance Officer it's no different. You have to create allyship and define shared success in that role. Um, but again, situating it in the organizational objectives is a really good place to start.
Speaker A: And I'd like to build a little bit on what uh, especially you said Natalie, effectively compliance is not a cost center or a. I'm going to translate the rules. Right. It is far more than that and done well what I get is that it's a competitive advantage. So why does that mean in Practical terms, to be a function that drive that competitive edge to an organization.
Speaker C: Oh, that's a very good question. Um, so let's talk about what it's not or perhaps what it historically was. Especially if we look at say financial services, which is arguably the most regulated industry out there, and there is a greater level of prescription. Um, your compliance officer might have historically been overseeing the due diligence on a deal or overseeing providing, um, the sign off for um, uh, a marketing communication. Does this adhere to the rules? Yes or no? Um, and that has um, shifted somewhat to being much more critical about establishing a framework through which people are taught to fish for themselves, as it were. So, um, the controls become more embedded in what we know as the first line of defense. Although I will just put a pin in that and say I have some significant issues with the three lines model.
Speaker A: I think there's an ever growing club of people having a problem.
Speaker C: Yes, yes. Uh, I think it's become a great divide. The simplicity and beauty of the three lines versus the reality that is messy and contagious and just doesn't fit a modern organization.
Speaker B: Um, when I was at Asto, which was a fintech created by Santander, we were a small team and so I was literally sitting beside legal and compliance and customer services was behind me and product was in front of me. Um, and one of the things that we were able to do was to craft an end to end customer journey where compliance was so inbuilt to what was going on that it felt absolutely seamless. We were able, we only asked the questions that we needed to ask, precisely the question we needed to ask them. Um, and only when we needed to go and do a check or find something out about the customer. And the result was um, a nine minute end to end customer acceptance journey. So literally if you had your documents with you, you could go from starting to acceptance within nine minutes. And it was one of the real examples of when you think of compliance and legal in that way and you bind it in to what you're trying to do, you can create something that you know is a fantastic customer journey. Smooth, seamless and kind of invisible and built in. But with that. Let me hand the baton back, Natalie.
Speaker C: I mean, I think that comes back to the idea compliance and rules can be virtuous. Right? So this idea that there's a compliance purpose separate from customer outcomes or strategic value, it's completely nonsensical. Um, if you are, ah, effectively controlling your business, you're making good faith decisions, you're acting in the better interest of your customers, your suppliers, you're going to then see a virtuous cycle and a sustainable cycle of business coming your way. And it's very easy to call me naive for that view. Um, especially if you've ever watched a film like say, Glengarry Glen Ross, which is all about how people will swindle you out of everything. Because asymmetric information means that buyers always are the, you know, the runs rush, um, over by the, by the seller. But, um, I like to believe that there is an inherent good in people that the, the systems that they work within corrupt. Um, and uh, this is where I probably lost half your cynical audience. But, um, but if we, if we consider that people are just people and it's the system that they operate within that effectively enables them to act outside of good faith or without knowledge of what the rules actually are, or without just switching on the brain to think about this is how, if we do it this way, could that actually hurt our customers? So I worked with a client and they were having some issues with a disconnect between their fraud team who were very vigilant, uh, and were effectively switching off, um, the customer product for customers that were hitting the red flags. But the communication with the customer was breaking down. They weren't telling them, um, because they said, well, it's fraud and we don't deal with fraudsters. However, when there were false flags, there were a legitimate. You've just had your product taken away for no rhyme or reason in your eyes, which was really damaging customer goodwill. 
And obviously one of these things snowballed into a regulatory complaint which then became, uh, a public, I, uh, wouldn't say inquiry, but became a matter of public knowledge which then created dozens of people who then said, this has happened to me as well. And it was all because there was a disconnect between, um, what the communications team were trying to do and what the fraud team were trying to do. And if someone in that fraud team had said, hang on a minute, what if the decision we take today is either the wrong one or even if it's the right one, what impact could that have on the person who just finds that they've had their side laterally cut off? Um, if someone had asked that question, then that would have stopped the snowball and it wouldn't have stopped the historic issues. Um, but it would have meant that the way the issue got detected was a lot more, um, self serving. Sorry, probably shouldn't do it that way, but it was in the better interest of the company. But it was also in the better interest of the clients. So, um, I have a rule book full of stories that create rules like this. And I think actually this comes back to where you can't just follow the rules. You've got to think about principles. The more things like this happen, the more people legislate to try and solve the problems, when actually the principle is absolutely solid. Um, and there's been a little bit of argument about whether something like the consumer duty under the FCA was necessary, because actually the principles of treating customers fairly were good. But, um, they needed a greater push, they needed greater scrutiny, they needed a reminder in the industry that this duty to your customer should really be at the forefront of your mind. Why are you still getting it wrong? So you come back to this world of really, you've got to pick customer first. Um, and really, you've got to stop and ask the first question, not what is the rule? But what is the potential harm? 
And if you start with what is the harm? Chances are you'll figure out that there's an implicit rule that sits behind it. Now, that is not the case for certain jurisdictions. We know that the US is a lot prickier and a lot more, um. Uh, there's a lot less discretion in compliance regimes in the U.S. um, and if you breach a particular U.S. filing rule on pensions, for example, there is a very specific fine you will get. Uh, and there's not a level of interpretation there. You've just got to do it. Um, but where the risk attitude comes in is, well, how much time do you spend automating the systems and controls around that framework? Um, are you going to just rely on a calendar, um, entry that says today's the day you need to get it in, or are you going to have someone like me sitting on the shoulder of that person watching to make sure they've done it within 24 hours? Um, because there's a cost to doing that. And so that's where the risk decision comes in, is how much do you trust your business to actually make these decisions and how much do they need supervising? Um, because if you put a me on someone's shoulder, you will absolutely destroy the commercial value of the organization. Whereas if you teach someone to be their own critical voice in their ear, then they will get much better outcomes and it won't have cost you as much.
Speaker A: And, uh, you probably have answered part of the question. But why do many organizations still struggle to extract value from compliance in that respect? Because when I listen to the two of you, it seems quite obvious that Getting it right for the customers or clients is good value proposition. Right. So why are companies still not doing it?
Speaker B: I mean, let me have a go at that. From a kind of an operation standpoint, I think what often happens is companies and people just get so exhausted and overwhelmed trying to comply with the breadth, uh, of regulation that there is out there. Um, and, you know, we're now in a world where it's so complex and layered. If you're any kind of an international organization or any kind of a regulated organization, it's without some kind of regtech solution, I think it's becoming pretty close to impossible to comply. Um, and, you know, I always talk about sort of strategic clarity and operational excellence. You don't get to have the clarity, um, without the operational excellence. And so I think, um, you know, there is. And, you know, Natalie is so comfortable with all of this, you know, that it maybe doesn't come out. But, I mean, like, there isn't an awful lot of operational work that comes with, you know, with the compliance of the regulation. Um, but the great news is that there's a wealth of solutions that are out there now that allow you to stay bang up to date to map your controls to regulation when regulation changes, to have those particular controls flagged up and so on. Um, and I don't want to gloss over that and just say, well, that's table stakes and that's easy and that kind of thing. You know, like, there is huge work to be done in mapping the regulatory landscape and getting the organization set up to comply with that. Um, but I think what we're kind of saying is you have to go beyond that. Like, if you want to be a great compliance leader and if you want to be strategic and involved and engaged, it's not just about, well, Rule 123 says this, and you've got to do it. It's got to be. You've got to do that, and then you've got to kind of rise above that, uh, and take it to the next level. Natalie, I don't know if you agree.
Speaker C: Oh, no, for sure. Um, and actually, it's fundamental, uh, to our program that we've designed as a bit, which we call the impact wheel. The first one is, as with all risk management, identify your risk. So identify your rules and identify the risk. But as we know, risks are dynamic. So rules change very frequently and the nuance changes very frequently. So sometimes it's not. Here is your big new, um, gold standard law that no one's ever thought about before. Um, sometimes it's not, here's a new AI act in Europe or um, you know, here's MiFID 2 for ah, financial services ratings. Sometimes it is literally, uh, a uh, regulator said something in a publication or a speech which indicates that they are suddenly much more switched on to a particular nuance of a particular rule hidden in a rulebook that is 2,000 rules long. Um, I really can't overstate just how many corporate rules and obligations exist on even the tiniest UK firm. Um, um, it is impossible, I think I can actually say it's impossible to navigate this without at least some sort of, um, large language model or some sort of pattern recognition that can actually dissect all of that information and synthesize it down to relevance. So we already have tools, we've had them for years that um, you know, your big consultancies will try and sell you to. Say here are your universal compliance rules and they will be literally hundreds of thousands of laws if you're internationally operating. What they won't say is, and these are the ones that matter, uh, or, and these are the ones that will cause you problems, you need to get ahead of them. These are the ones where actually if you don't comply, no one says it because of course no one ever writes down that they're not in compliance with laws. They never write down a risk acceptance. They pretend that they are complying with the law or they simply don't put it in writing. 
So there is this big sort of gross around um, our profession, uh, which really comes under the heading of risk appetite where we say we will never accept, uh, a breach from the rule because if we see a breach we need to correct it. And there are some minor, um, circumstances where we wouldn't, because there's a conflict of law between jurisdictions, for example, or because we have regulatory forbearance. But in the main you breach a rule, you have to fix it. And there's this unspoken prioritisation that just drag our feet on that one because no one really cares. Or maybe we know that that practice is problematic, but we won't take too close to look at it because we know in reality no one's going to fine us for it and it's not causing us any harm. And this type of unspoken practice actually really damages the compliance credibility of the firm if we bring it out into the light, if we are open about the decisions we're actually taking and explain them and engage with regulated the principles, um, rather than taking a litigious stance that effectively tries to argue that Black is white, that a rule doesn't actually say what it does, but it's a bad rule. We'd have a much more open discussion with regulators. We'd have a much more honest conversation about what compliance risk firms are actually taking and why. Um, but again, I'm talking fairyland here because you'll never get a compliance officer who, when they are faced with a prospective non compliance, does anything other than call up the regulator to say, well, we've got this big compliance issue, um, unless they are taking a leadership position of, okay, before we set the hair running, let's actually investigate and explore what's actually gone wrong and what rules actually are applying in this situation. Um, and so I think too often compliance officers will pick up the phone to a regulator of the first quarter call because they see themselves as an internal policeman. 
And some people will be former policemen or ex-regulators. Now I'm an ex-regulator. Um, and so it feels anathema to sit on the problem and dimension it before you share it with someone else. And it feels like it's at odds with things like Principle 11 under the FCA rules about openness and transparency. But you have to know the issue you're dealing with before you share it. Um, and so if we take the meandering route back to the question, um, ultimately I think people don't know what compliance is, and so they shoehorn the CCO into a box and say, um, you will behave in this way. And that's fundamentally misunderstood what compliance is from the outset. So these conversations, these honest conversations, don't happen. And what then happens as a consequence is a reversion to type, it's a reversion to checklist compliance, annual risk assessments that are divorced from the reality of how compliance is managed, instead of these very honest, very human conversations with the leaders of the firm and the mid-tier management of what are we actually doing and how do we fix the problem? And yes, there may be a breach, and yes, we need to be honest about it, and no, I'm not backing down from this, but let's figure out the solution before we start lighting the fire. Um, and maybe that's going to get me kicked out of my two circles for saying, um, because there is an increasing body of thought that goes in the other direction that says, actually you've got to be stronger, you've got to have more rigidity. But I don't believe, in the world that we're facing and this world of complexity, that rigidity is going to get you where you need to be as a firm or as a compliance officer.
Speaker A: And we come back to that around what it practically means to be a chief compliance officer. Because as I was listening to you, I had quite a few questions, some anecdotes as well that came to mind based on experience. But, uh, you mentioned the impact wheel and I'd like to explore that a little bit more without communicating what is in the book in detail. Right, but I'd love to explore that a little bit more. Um, so what problem does the impact wheel solve that traditional compliance frameworks do not?
Speaker C: Another excellent question. Um, uh, integration and, uh, flexibility. So if you take the ISO standards on compliance programs, they're very good. They give you all of the fundamental components of what you need, but they don't put it into practice for you. Uh, same with the U.S. sentencing guidelines. There's a real sense of, um, intuition about what good compliance looks like. It'll have some monitoring, it'll have a risk assessment, it'll have reporting, it'll have governance, it'll have policy. But the connectivity of these elements is what really makes them powerful. And by putting it through the risk management life cycle, uh, which, to be fair, a lot of firms have already started to adopt, um, but not quite so simply in the way that we've done it, there's always a piece that gets left out of the model because it doesn't fit. Um, the impact wheel is meant to simplify and give everything its home, but also show how everything works together. So, um, you take risk assessment as an example. Um, normally in traditional compliance models, uh, you do a risk assessment, it sets your book of work for the year, uh, it sets your monitoring for the year, then you come back to it in a year's time and you refresh it. And if you're really lucky, you've got the tech. You might be doing that on a quarterly basis, but risk assessment is actually a real-time, dynamic, brain-activated decision, uh, point. It's something that happens at a water cooler, it's something that happens when a new product is launched. It's something that happens every time you're given new information about a breach or a change in regulation or, ah, an emerging risk. So what our impact wheel looks to do is say, rather than disassociating your risk assessment as this siloed program, um, you weave how you would calculate risk at year end, you weave that into those points along the way. So whenever you have identified a new or changing compliance risk, that's the point at which you measure it.
That's the point at which you use a consistent mechanism that then surfaces whether something's within your compliance risk aperture or not, and that informs how you then take action to protect. Um, and that action might be we have to review our policy. That action might be we, uh, have to increase hiring or we have to put in a technical gateway for some, um, decision-making point. Um, or it might simply be we have to not take a decision to launch a product, and then from there, uh, you go through to, um, impass, uh, uh, to protect, uh, we've done identify, measure, protect, um, uh, to assess and assure. So that's when you then use all of this process to then do your monitoring. And it's iterative, it's done on the basis of the information you have at any given point in time. So it's agile monitoring and it's done, um, as an activity with a sense of, um, what is live, what is current, not what was relevant 12 months ago. And then from there the idea is that you surface issues, which then brings you to correct. Um, but we of course know that issues get surfaced through other channels, not just activity by compliance. A lot of it's self-escalated. Sometimes it's whistleblowing, and then from there you then have your tail segment of the wheel which wraps up together all of this intelligence and it then feeds straight back into identification, uh, which is exactly what you'd see in a risk wheel of that continuous dynamic cycle. Um, and I think what makes our wheel different is we do not specify that these are big-C Compliance department activities. We specify that this is an ecosystem of activity, um, that is done by control functions and oversight. And so if you're a small firm and you can't afford a compliance monitoring function, then audit does your monitoring activity. And if you are a firm that is lightly regulated from a product perspective, then perhaps your CFO might take on some more of the responsibilities around control and oversight.
Um, and so by being team agnostic we empower organizations to take principles and essentially apply our model to their organization in a way that works. Too often you'll find, um, models get wedded to a particular industry and they work up to a point, and then the organization changes or becomes more complex and they cease working. And as I say, then you have these little bits of activity that get carved out of the model you've built until it becomes unmanageable. So one thing I think Jenny and I can definitely agree on is that simplicity leads to mastery. And, um, the simpler your model, the easier it is for people to understand. And then they will understand their place within it. Um, so there are more complex versions of our impact wheel that do split out your inner functions, that are your compliance hub, and your outer functions, which are done by spokes within your business. But we were really keen to write a book that built on the principles that were industry agnostic and were organization agnostic, so that your new CCO can basically be creative within the purpose of their own organization.
Speaker B: And Julien, just a brief build on that. I mean, you know, the genesis of the C Suite framework books and what we always seek to do in the books is, um, yes, reference the frameworks and the things that are out there that you need to know about, but actually provide real lived experience from people who've sat in the role and to piece apart and to disintegrate the role and explain it, um, but in terms that are simple, that are accessible, um, to help people coming into a role understand the bits, fill out their weak spots, fill out their gaps and feel really equipped to go in and thrive in the role day one. And what Natalie's managed to do is create something, I think, that's deceptively simple. There is sophistication in it, um, but also in this quite accessible, easy to remember framework. So we have three pillars of culture, strategy and execution. And those unite all the C Suite framework books. We always start with that, the six spokes of the impact wheel, and then we'll come onto them in a second. But five pillars of compliance, um, and again, as Natalie said, depending on your size, you can go as deep or as sophisticated or as complex as you want to, but you've got a framework that you can always come back to. Which I love.
Speaker C: Mhm.
Speaker A: And perfect segue to the next question then. Right. How should leaders think about the five pillars as a system rather than a checklist? Right. You want to move people away, based on what you're saying, from compliance is a checklist, you comply or not. So how do you make that work?
Speaker B: Shall I have a go with that? Do you want to take a breath for a second?
Speaker C: It actually stumped me, uh, trying to answer this one. Stumps me because, um, the five pillars are so, they're so, um, nebulous in and of themselves. So I'm not sure you could build a system or a checklist of them. But Jenny, if anyone could do it, you can.
Speaker B: Yeah, I mean, I think the five pillars sort of enable everything else working really well. And so for listeners, the five pillars are governance, operations, technology, data and advisory. And these are the, you know, so you know, if you think about, you know, without good governance, you know, you haven't created the right backdrop, the right setting for how decisions are made. So it's kind of this overall enabling and oversight function that you need to have, um, operate. There's a huge, there's a huge element of operational excellence to compliance, right? Whether you're dealing with surveillance, you know, trade oversight, exception monitoring, analysis, all that kind of thing. There is an execution element. And by the way, maybe we'll come to this, but I think that is an area that is going to be absolutely transformed, is being transformed by AI. Um, and, uh, that's going to give us more insight and more vision than ever before. Obviously, for that to happen you need to have great technology and you need to have data in such a way that it's manageable, it's accessible, it's capable of being interrogated and so on. And then all of that. It's kind of like if a tree falls in the forest. None of that matters if you don't have a really strong and enabling advisory function. Um, so people who are able to reach out to the contacts in the business, in the front line, understand the business, translate, advise, assist along the way. So they are all absolutely interconnected. And again, we're glossing over some areas that really, where there's a, a ton of work in some very, very complex functions at times, but they do work. They work as a system and again as a new-to-role or aspiring CCO, you take each of those in turn, you look at them and you look, uh, at where you need to address and strengthen different areas.
Speaker C: And I think I'd say what makes it not a checklist is the word relationships. So every single one of these is about relationships. With your governance piece, it's the relationships you have with your company secretary function. And there's a decision there. Right. So is compliance an umbrella under which your company secretariat seat will be? Um, I think a lot of your co secs will disagree, but I've seen different operating models. There's a question about fiduciary duty. So the board has a fiduciary duty to deliver on the purpose of the organization. Increasingly, sustainability is a big part of that, and that means having escalation channels for compliance and resolution protocols. Not having adequate reporting structures has gotten big firms big fines before. Uh, and so really it's about looking at things piecemeal, but also with the perspective of the bigger picture. So, um, it's very easy to say, oh, have good governance. And here's a bit of the rulebook in the industry that you're regulated by. Um, that will tell you how to do it. Um, but again, it's zooming back out to the principles of how do you empower your leaders of the firm to make better decisions and have better oversight of your compliance function? And what is the relationship of the CCO to the rest of the C suite? And as Denis said before, who are your enablers, who are your. Who are your culture champions, and how are you leveraging them throughout the organization? So you do have to do a bit of a mapping exercise through your culture and through your governance mechanisms. But, um, but it's not a tick box, it's not a checklist, it's exploration, it's curiosity. So it's how does it work? Um, and the operations piece is obviously a bit more formulaic, but again, there's a huge amount of creativity within here. Is your program going to be centralized or decentralized?
Are you going to empower your local control functions to be de facto compliance leads, or are you going to have your compliance function be fully centralized, um, and essentially be hounding people on a regular basis? Um, are you going. Are you big enough to require a chief of staff function, or are you managing your own independent budget? Um, so a lot of this is mechanical, and that does lend itself to a bit more of a checklist to make sure you've got all the right pieces in place. Um, but once you move through tech and data, which is so big and so meaty and such an exciting thing to explore, and you move into the advisory arm, um, which frankly, is where I think the gold is with your compliance function. That's where you really get into the weeds of what good compliance truly looks like. So these are the people that hold you to account. They're the people who ask the difficult questions. And there is no script for difficult questions. As I say, the one question you need to ask is, what's the harm? So what could go wrong? What's the harm, are you thinking? Um, and we actually, we talked briefly, uh, through one of the models that I've published, one of my official favorites on misconduct, called our Misconduct Ladder, which talks about the cultural scenarios that worsen as you go up the ladder. Um, all from I didn't know it was wrong, to I knew it was wrong, but I did it anyway, to I knew it was wrong, but I didn't care, to I really cared, I wanted to do it for me. So, um, we talk about how advisors can get into the middle of that chain and break it. Um, we talk about how advisors can nudge rather than hit people with hammers. Um, I have never known an audience respond well to a no. I have known an audience respond well to a, I don't think that'll work, but what about this? Um, and I think again, going back to your early question at the top of the podcast, what do CCOs essentially do wrong? Where do they get it wrong?
Um, they fall into the trap of, you can't do that within the rules, therefore we shut it down. Rather than a, there is purpose and social value in what you want to do. And I can understand. I've empathized with you. I know where you're going. I'm on the journey with you. Um, and of course that creates an independence risk. Uh, what we call going native, which obviously all risk practitioners have that risk. But this idea that your compliance officer is sat too close to you, that they can't pull themselves out, I've seen it in practice. A lot of compliance advisors call themselves line 1.5. They're really proud of the relationships they have with the business. I was when I was a, uh, uh, product advisor for compliance. I got taken out for lots of drinks. Uh, uh, my colleagues in the US would turn down coffees because they said it would compromise their independence. I did not. I would have a glass of wine in my hand. Um, because those are where decisions get taken. Um, and, um, we don't like it. We like to think we're more robotic. We like to think we're more effective at sitting down in a boardroom, and all the decisions get taken at the board table. But we know that minds are made up before they go into the boardroom. And it's exactly the same further down the organization: you influence outside of the room so that, within the ring, the right decision, the safest, most sustainable decision, can get taken. Um, but then this comes out to one really fundamental point, which is advisory is not about taking a decision. It is about helping to show the way. Um, and the caveat here is, obviously, if you believe your firm is acting incorrectly or acting immorally or fraudulently, you've got to pick up the phone to whistleblow. That is a moral obligation of your role. But the reality is most organizations don't get that far. If you're doing your job, you've come in here before it's got that bad.
Um, and if your organization doesn't empower you to do that, it's the wrong organization for the compliance officer.
Speaker A: And I'd like to move, um, into what does that practically mean to be a CCO? Right. So what's your playbook? And just perhaps two or three nuggets, not more, on, um, the first 90 days. What would you focus on as a CCO?
Speaker B: So maybe I'll kick off. So I think, um, as I say with all the C suite framework books, we start with three fundamental things. If you are new to your organization, if you're coming in new, I would say spend time getting to understand the organization, to observe the culture in action, not just what's written down, uh, to understand really fundamentally the strategy and what the organization does, what it is excellent at, its competitive moat, what makes it special, what makes it different, and also the pillar of execution, how things get done around here. Take the time, and even if you're not new to the organization, take the time to re-examine that, uh, when sitting in the CCO seat. And I think only when you have done that and only when you've really listened and understood and, and clarified what you want to do, then start applying the compliance lens over that as to how to best achieve it. But don't rush that initial discovery, that initial time, because if you just adopt a cookie cutter approach and start blanket laying out rules and everything else, you've already kind of lost the audience and lost the context, and you only really get to be new once.
Speaker C: Yeah, absolutely. And, um, you need to pay attention. Um, and sometimes it's in the really small moments, it's who sat back in the meeting when you raised a concern, who leaned in, um, who looked engaged, um, who is clearly going to be a problem. Um, there are some practical questions I think you really do need to work through. So you need to ask yourself, what have you inherited as a department? Um, I've worked in organisations and advised organisations where they had nothing and they were like, oh, I think we need to essentially create a compliance function they were perhaps thinking of missing and they thought that they needed that. Um, or maybe they just got the memo. Um, I've worked in organisations where the compliance department ballooned and it needed to be completely redesigned. I've worked for organizations where compliance basically was, um, put on the chopping block because of long-held cultural issues that really weren't at the feet of the department, they were at the feet of leadership. But the department wasn't considered effective enough to hold leadership to account. And so there was a regulatory mandate to do it differently. So you need to understand why you're there. Why did you get hired? What did you get hired to do by the leaders of the organization? And actually, is it quite right? Is there something else you need to do? Again, you've got to pay attention. Like your mandate doesn't just come from the CEO who brought you in, it comes from the people around you and the culture that you're working in. Um, so everything starts with what the organization does, what does it sell, where does it do business. If compliance is all about the rules and the harm that falls from not following them, then the rules are all about what you sell and what you do. So rules related to digital currency obviously don't apply if you don't sell digital products.
Uh, and so if you, if you don't fundamentally understand what the organization sells, the markets it sells to, how it does business, um, you're never going to understand the compliance environment. So I would spend time mapping that out, but in order to do that, I'd need to understand the operational mechanics of compliance at the organization. So does it have a regulations inventory? If it does, do I trust it? The answer to that is always no. I never trust a regulations inventory. It will never be complete. Um, it will always have been created out of beautiful, beautiful, throw money at the problem, bring in the consultants, create, you know, thousands of inventory lists that get mapped to businesses, and then the businesses will change through a restructure and the team that were updating the document will have disappeared. And as Jenny said, without RegTech, you've got no chance of being up to date. Um, so I'd look at the compliance tools that the organization is using and I would keep in mind the fundamental tenet: you need to use what you have, not what you wish you had. So if you don't have the money to bring in an all-singing, all-dancing AI-led data engine to drive compliance risk assessment, don't even think about it. Think about the tools that you're using. Um, there's always a way through. It's just sometimes it's not as glossy, it's not as pretty. Um, and there's no point wasting time in those precious early days pontificating about what you wish you had.
Speaker A: Well, change AI policy to enable you to use ChatGPT. It can do part of the job you just mentioned.
Speaker C: Um,
Speaker A: And before we get to a close, I'd like to ask one last question around the CCO. Uh, what capabilities will define high performing compliance leaders over the next three to five years? Two, three max. Just for the sake of time.
Speaker B: Um, so I'm going to say two things. The one that you would expect me to say is data and AI, right? So having the capability to understand, map, think about data, and apply the best of the nascent capability that we have, I think, let's face it, is going to be the thing, uh, that changes and improves how we run compliance. The answer you may not expect from me and the word that I had in my mind as I, uh, heard Natalie explain the CCO role in the way that she does, was flair. And it's not a word that you would ever think of applying to compliance. Sorry, Natalie, no, no offense intended. But flair, you know, you can apply flair to how you interpret rules, to how you embed things in an organization, to how you bring things to life. And I think that for me was the huge learning about this book.
Speaker A: Natalie, want two more?
Speaker C: Uh, curiosity, empathy, and technical brilliance. Um, too often I think technical brilliance is considered necessary, uh, but it is not sufficient. Without curiosity, you don't ask the right questions. And without empathy, you don't build the right relationships and nudge things in the right way.
Speaker A: And with that, I'd like to take the discussion to a close and ask a few again, running around the edges of the CCO, um, what is the one capability leaders consistently underestimate in compliance? What is the thing they don't get right? So, almost a reverse question to what I just asked you.
Speaker B: Oh, I'm going to slightly repeat myself, I think, and kind of say, you know, I came into this project thinking that this was quite a black and white role to take and actually how much nuance and humanity that there is in this role. I think for me, that was the surprise. And in terms of these books, you know, all of the C suite books are about helping people to be more able and more capable and so on. And, you know, this book does, uh, inform you as to what the role entails, but what it brought to life for me was how multidimensional and complex and interconnected the role really is.
Speaker C: And I think for me, it's a blend of humility and rigidity. So sometimes compliance officers think being right is enough, and it's not. You, you have to read the room and you have to work really, really hard to influence it. And that is, that is wearing. It is wearing. When you are the least important meeting of someone's week, um, and it's your most important meeting, and you've prepped for two weeks to influence someone, and they've literally taken your, your meeting agenda slot from like 10 minutes down to 30 seconds. You're like, I'm not going to swear, but I want to swear, and it happens to me time and time again, and you cannot wear it on your face. And I am a very emotive thinker and speaker, so when I am angry or annoyed, I wear it. And having to mask that in a room, because it's all about everybody else, it's about them, not about you. That is very, very hard to do. And I think people who go into the CCO role sometimes underestimate just how wearing that is. Um, especially because CCOs are by their very nature very law-abiding, very frank, honest people. And so to be faced with a rumor, you have to be in their mind, sometimes a little bit duplicitous to get them a better outcome, can just feel like the wrong thing to do. Um, and sometimes it's polish, but sometimes it goes too far. And so when you try and overcompensate, then sometimes you do, as I say, go native. And that creates really bad compliance outcomes. So being in the middle lane of those pressures is really, really hard. Um, and it can take a lifetime to get right. But. And this is the shameless plug. Hopefully if you read the book, it will give you some guidance as to how you navigate that really tricky path.
Speaker A: Well, it seems you've answered my last question, but I'm going to ask it anyway. Uh, what do you hope readers fundamentally change in how they think about compliance after reading the book? And by the way, I would put immediately the, the headline that I think more than compliance officers should read that book. Probably all execs should read the book. Like they should read the entire C Suite framework anyway, because it's very useful. Uh, so perhaps one or two nuggets each.
Speaker B: Yeah,
Speaker C: go ahead.
Speaker B: I think, yeah, I agree. By the way, I think if you're a CEO, if you're a board member, you will learn so much in terms of this book and understanding the mandate and the remit of the CCO. I think I would just finish by emphasizing the need for humanity, the need for judgment, people skills. There is art as well as science to this role. Um, and, uh, you know, hopefully that has come out in, in this podcast as well. And I just want to also, you know, give a shout out to my co-author, because Natalie is just such an engaging and skilled writer, and I think if she can't get you enthusiastic about the role of Chief Compliance Officer, I don't think anyone will.
Speaker C: Well, since I am in the land of, uh, karaoke. So, um, I, I moved out here to Japan, uh, last week. Uh, I think my old adage about karaoke is what I lack in talent, I make up for in enthusiasm. So if you cannot bring enthusiasm and passion to the role, how on earth, uh, are people going to believe in you and what you want to sell? And. And I think the CCO role has sometimes been seen as prosaic. It's very legalistic. It does not have to be. It's about influence, change, humanity. Bring in a quote from Maya Angelou. Bring in a quote from RuPaul. It doesn't matter. Just bring something to life. Because if you can't tell an engaging compliance story, you can't win compliance decisions. And maybe I'm a minority in that, but I will fight this hill until I die, because it is so fundamentally important for the new generation of people in the workforce and for the new generation of technology that we're dealing with. This is humanity at its finest, is bringing passion, bringing flair. And if you can't do that, just let AI take your job.
Speaker A: Already such a job. Well, Natalie, Jenny, it was a pleasure to have you. Emerson. I really look forward to reading the book. It's in my mailbox, so I will definitely do that straight away. Um, and I wish you best of luck for the launch. I think it's in end of April, so fingers crossed. And, uh, again, a pleasure to have you here. And, Jenny, perhaps for the next book. Sorry, I'm already mentioning that as we talked last time.
Speaker B: That's fine.
Speaker C: I think it was on your podcast.
Speaker B: I said, oh, there's, you know, I want to announce on the way. Um, so, yeah, no, and here it is. And it's brilliant, you know, to be at this point. Nat and I are so excited to get this book out there and to tell the world about it. I didn't know about the karaoke. Karaoke is optional. That might have to be another podcast. Julia.
Speaker A: Look forward to this one. You're not going to get me to sing. All right, best of luck, and looking forward to seeing you again on the show.
Speaker B: Thank you, Julia.
Speaker C: Thank you so much for having us, Julianne.
Speaker A: Um, this was my conversation with Jennifer Geary and Natalie McManus. Perhaps the real shift is compliance is no longer defined by what it prevents. It is defined by the quality of decisions it enables. The role of the CCO is not to sit outside the business. It is to shape how the business operates under uncertainty. To explore their book and insights further, I invite you to visit their website as well as connect with them on LinkedIn. If you enjoyed this episode, follow, rate and share RiskMasters. I'm Julie A. And this has been RiskMasters.