Transcript: Gail Wessels podcast

In this podcast, GRC expert Gail Wessels helps CCOs navigate their path to the board of directors.

This is a transcript of the podcast episode Gail Wessels on governance and CCO engagement with the board featuring a discussion between US content manager Julie DiMauro and GRC specialist and lawyer Gail Wessels.


Julie DiMauro: I’m so pleased today to be joined by governance risk and compliance expert and lawyer, Gail Wessels. And I’d be so pleased, Gail, if you’d introduce yourself to our listeners before we get started.

Gail Wessels: Hi, Julie. And firstly, thank you for making the time for us to speak. And also thank you to your colleagues at GRIP. So thanks to everybody who’s involved.

So you’ve asked me for an introduction. Let’s see, where do I start? I’m South African, so hence the accent. I have been in Spain for the last 16 years, so I’ve become bilingual in the process. And that probably muddies my accent even further. So that’s basically where I come from, from a cultural perspective. And for those of you who are not familiar with South Africa, it’s extremely diverse.

With that diversity comes complexity and challenge, but also offers some amazing opportunities to reflect and inspire and innovate. And I think that, in a sense, explains why I have become a GRC specialist in that sense, because it’s very similar in the sense that it’s diverse, it’s complex, but it certainly offers many opportunities to innovate and to reflect on how we can do things better.

Professionally, I started my career as a lawyer, and I think once a lawyer, always a lawyer, so that’s just the way it is. And then proceeded to move into financial services. And I spent about the last 20 years working in different organizations, from Barclays Bank to setting up an online bank from scratch in Spain and Portugal, and also doing a few projects with organizations like Credit Suisse, Santander, and a few others. So I’ve seen quite interesting environments, and I really enjoy that. I love moving from different sectors as well, so I’ve also spent time in tourism, believe it or not, more than just the traveler, and that was insightful. But I then also spent some time in mobility, so I like moving across sectors. I think there’s a lot of lessons one can learn from one sector and pass to the other. So I suppose if I had to describe myself in one word, it would be diverse.

Julie DiMauro: Gail, thank you so much. Now, just to make sure we’re all on the same page about this topic today, can you tell us what you mean by GRC, and why should we be talking about it?

Gail Wessels: OK, GRC, as with many acronyms, needs a bit of unpacking, so I’m going to try and do that. But before I get into trying to explain the terminology, again, if I could choose one word to describe GRC, I would say protector. So GRC is the protector of the organization.

It’s about the governance around leading the company into the right direction, steering the organization, making those tough decisions around strategy and objectives, and that governance that of course the acronym starts with the G, so governance is where it all really starts. And that governance relates to the way decisions are made, setting up the right committees, making sure there’s an adequate and transparent and relevant flow of information to those key people who make decisions in terms of what the company will and will not do.

So that’s the G. The R is of course risk. Risk is about dealing with uncertainty, and that’s a common, and every business is about risk. Mature businesses know how to bravely manage risk, and you can only manage risk if you know what your risk is. So again, it’s about information flow. It’s about having a skill set that can understand how things come together, how risks are interrelated.

Compliance, the last letter in the acronym, compliance is about acting not only within the expectations or in line with expectations from regulation, but also in line with those principles of integrity and sound business. So that’s GRC. That’s how I would like to unpack it. But again, as a simple one-worder, I would say it’s the protector of the organization.

Julie DiMauro: I love that characterization of it. Thinking about changing expectations in light of governance, risk, and compliance, and about how those three components work together, can you describe what the landscape has been in terms of what changes you’ve seen and the different stakeholders and what their expectations are?

Gail Wessels: Well, it’s interesting that you mentioned expectations because everything really flows from expectations. And we can see a definite change in that. That also requires organizations to manage the expectations as well. So let me unpack that a bit more. We see that we’re working in this or living in what’s often termed the VUCA environment, the VUCA being another acronym. So we’re filled with acronyms today.

So VUCA basically means volatility, uncertainty, complexity, and ambiguity. So that’s the VUCA world we live in. It’s about understanding why that is the case. Now, an organization functions within a broader ecosystem. We have expectations that come from society, that come from other stakeholders like our employees, our regulators as well. And it’s important that we are aware of what those expectations are. And a very clear example of the change in expectations and how that’s affecting organizations is the focus on increased shareholder activism for one.

So typically when we talk about governance, one of the primary objectives of good governance is to treat all shareholders fairly and properly, ensure that there’s access to information, et cetera. What we are seeing is that there is definitely increased shareholder activism. So shareholders are really using their power to direct how organizations are being run. Barclays issued a report on shareholder advisory, looking at the way shareholders have been responding during the year of 2023. And it was found that there’s been at least a 15% increase in shareholder activism.

And surprisingly enough, they identified 171% increase in shareholder activism campaigns in Canada, in the UK, 71% increase. And that gives an indication of how shareholders are holding corporations and boards responsible. So they are using their votes to not only ensure that the right board members are in place, so we can see that shareholder activism has accounted for an increase in the way and the amount of board members that are selected. It’s also been interesting to see that shareholders are driving M&A activities as well. So we can really see that shareholders are no longer sitting back and waiting for board members and senior executives to drive the organization. They are actively getting involved. And that’s on the shareholder front. When we start looking at stakeholder expectations, and when we talk about stakeholders, that group is a lot broader. And especially when it comes from the expectations that society at large has of organizations.

There’s a very clear expectation that organizations, companies truly see themselves as being part of something broader than just the organization, appreciating the context within which they function, understanding that they are in it together. And that’s a very clear marker of a big change. And one example of where we can see that actually affecting the way we operate is, of course, the ESG agenda, another acronym. And I’d like to mention that it’s the same G that we have in GRC. So we can see that falling into sharp focus, and we can see how regulation is actually giving life and giving structure to those changing expectations from especially stakeholders as a broader group, further than only the shareholder perspective.

Julie DiMauro: Thank you so much for that. And Gail, what I noticed too, and just regular public discourse, there’s an increased awareness of what shareholders are doing, what their activism is about, their lawsuits, their proxy voting, their agitation in terms of moving the corporate direction or corporate goal setting. And I think that that, to me, is a change in the past decade. Does that appear to be the case with you? Is that your perception as well?

Gail Wessels: Absolutely. There’s increased scrutiny, both from an informal and formal perspective. So from a more formal perspective, we have the CSRD that has been launched in Europe. So that’s the Corporate Sustainability Reporting Directive, which again, is shedding light and conveying that expectation of companies that they need to report on their activities around ESG. What are they actually doing? You can’t report if you haven’t been doing anything. So yes, it’s kind of starting at the end of the line and focusing on reporting obligations.

But once that starts maturing, we would then have a lot more access to information around what really makes a good company, what makes a company sustainable, resilient, what makes a company a true partner with the rest of the value chain that they operate within. So that’s definitely top of mind for all organizations, not only because the regulation then applies to them, but also because you now have access to information, you have free access to publication as well. If you want to analyze a company and then do a blog, run a podcast, write an article, you can do so. So there’s a lot more scrutiny, both formally from a regulatory perspective, but also from an informal perspective, where individuals have the power to scrutinize organizations, form an opinion, and then publish that. And we do see a lot more of that. And it ties in with those changing expectations that we see.

Julie DiMauro: Thank you so much. And I want to get back to how compliance professionals can interact and should interact with their boards and the nexus between the G and the C components. But before we do that, since we’re on the topic of the very important role that boards play, I want to drill into the skill sets required of boards, maybe how that has changed through the years. And what are the expectations of them in fulfilling their role? Because they have to responsibly exercise their discretion. What does that mean? And how do they do it? What skills take them there?

Gail Wessels: When we look at the typical composition of boards, and we can do that for multiple companies, we can interestingly see the mix of skills. Various banks would publicly disclose their board members, of course, and their skills base. So it’s typical to see a bit of a mapping in terms of skills at a board level. If you look at any organization’s public information, you’ll probably find that there. What’s interesting to see is that, yes, there’s reference to risk management skills. There’s of course reference to financial skills. So those are your typical skills base. But very seldom do you see governance and compliance skills.

So the question is, why is that so? My sense, and based on what I’ve been exposed to, I do see that the skills around governance, risk, and compliance are often very well-built at a senior management level or at a head of department level. But often, it doesn’t feed up into the board. So we need to reflect on why that is the case. Maybe it’s the way we have been dialoguing about compliance. Maybe we haven’t connected compliance to the corporate strategy and the importance of compliance being part of informing strategic objectives.

That’s also highlighted in how certain companies could suffer from a very siloed approach. In some cases, you have governance, risk, and compliance very separate. Often, there is a gap in the way communication is shared. In some cases, you see the risk function also very divided and siloed, where you would have operational risk on one side, compliance risk somewhere else, and et cetera. So the challenge here is really to combine that, to connect it all together. And the board’s role is exactly to see the company the way it is connected together.

So what I see we could definitely want, where there’s a definite opportunity, is to engage more with the board on governance, risk, and compliance issues. But for that, the skills that we’ve spent many years building in organizations at a senior and executive level, those skills need to be equally matched at a board level so that the right questions can be asked, so that the right challenges can be made. So it’s about ensuring that at a board level, there’s that adequate representation of skills. And in addition to that, reflecting on the comments we’ve just made about changing expectations, it’s also having individuals at a board level that can holistically understand those expectations.

Typically if you look at the composition of a board, you would see board members that are, you know, they come from the same industry. So financial services, if you look at the board structure of a big bank, you’ll probably find multiple ex-bankers. Where is the representation of the other stakeholders in the value chain? So it’s at that level where maybe we need to do a bit of shuffling up, you know, a mixing of different experiences. And I’m not saying that the board of a financial institution should not have board members who come from the financial sector.

That’s definitely not what I’m saying. What I’m suggesting is that there is a broader and a more diverse blend of skills. Because at that level, it’s so important to be able to join the dots together and make informed decisions. And if you’re not asking the right questions, because you either have not lived it yourself or you have not, you know, in somehow been exposed to it, then the conversation is all the weaker, isn’t it? And given that we’re very much functioning in this world of interconnectedness, interdependencies, that needs to be reflected at that senior level, at that board level, and not only building it up to your typical level of head of compliance, it needs to go higher.

Julie DiMauro: I’m so glad you brought all of this up, because I’m thinking about how the SEC is requiring some registered firms to have board members that are well versed in cybersecurity issues and can have an intelligent conversation with their chief information security officer, be able to vet that person’s qualifications and the reports submitted by the CSO. So there is that expectation that there is some tech competency, cybersecurity competency, in particular. But I’m also wondering, with all of the activism around ESG, do we have the skill sets that are necessary to be able to understand climate change, right? And the metrics around it, benchmarks that are achievable, etc. So it’s interesting what you bring up in terms of, you know, the evolving nature of these skill sets and maybe they need to be revisited.

Gail Wessels: I think it was the Department of Justice who specifically made reference to when assessing the effectiveness of compliance programs, one of the questions is there the availability of compliance expertise to the board?

Julie DiMauro: Exactly.

Gail Wessels: That kind of implies what to the board is that, you know, do you get in some consultants? Maybe you should be at the board as well. I’ll show that was a deliberate mention of, you know, choice of preposition. But I think the message is clear. There needs to be that compliance expertise at the board or present at the board and how that works structurally. Yeah, I think, of course, and as regulators often do, then they leave firms to work that out for themselves.

Julie DiMauro: Absolutely. And that’s a good segue to I mean, DOJ has really provided a great blueprint for what they consider an effective compliance program, and their corporate enforcement policy as well, lays out, you know, exactly what they’re looking for in terms of that. And I want to ask you about compliance working with their boards. I mean, ideally, a compliance officer has some access to the board or a board committee. And what is that? What should that look like ideally, Gail, and if they don’t have it, maybe how could they agitate to get it?

Gail Wessels: If they don’t have access to the board, then the board would not know the board might, well, the board is unlikely to have that perspective. So ensuring that the compliance voice is present at the board allows for that, that broader perspective and compliance risk, that is something that feeds through an organization like two threads in an enormous tapestry, which you will always see it there and together with governance, you know, governance being the lead thread, if I actually if I have to use the imagery of tapestry. So you have governance, which is the lead thread, that’s how the organization is run, that directly talks to the function of the board. But in conjunction with that thread, that thread needs to be supported by compliance and risk.

If not, we just don’t see the whole picture. So how we work out the structure of, you know, our different committees and who reports to who, I think we need to be driven by principles, the principles of ensuring that the board has all relevant information for them to be able to make informed decisions. So that risk and compliance perspective and information needs to get there. So the next question is, well, how do we make sure that it gets there? If we have a compliance area reporting into multiple in between structures, the risk is, of course, that the message gets diluted. That’s inevitable.

Now how do we ensure a direct line between compliance and risk to the board? It’s about setting up your organizational structure for one that facilitates that flow and that partnership. It’s about relationships, and relationships can only be built if there’s interaction. So we need to facilitate that. So it’s about the structure.

But more importantly, it’s about having the right skills at a compliance and risk level. So it’s having individuals and teams who can manage the complexity that we referred to earlier, individuals who can talk about the changing regulatory landscape, what’s driving those changes. And a big part of what’s driving the changes would be the change in expectations from stakeholders and being able to guide the board through that decision making process. So the end game is that the board has the complete picture and of course, in a digestible way, in a way that they can understand it so that the board can effectively and also in an extremely proactive manner join the dots.

It’s also about no surprises. You can only have no surprises if you have all the information. So it’s about getting all the information there because compliance and risk, those aren’t comfortable conversations, are they? I was reading a fantastic report by the OCEG, which is the Open Compliance and Ethics Group. They have a fantastic resource called the Red Book.

And that was issued. I think the last version is January of this year. So it’s quite a recent revised document. It’s 257 pages. So good luck on the read. But some messages that really resonated with me was the reference to wicked problems. And when I think about risk and compliance, immediately I think, gee whizz, those are wicked problems. And the definition of a wicked problem, and apparently this is an accepted term, which is often used in design, policymaking, and social science. The definition of a wicked problem is a problem that’s complex, dynamic, multifaceted, and very difficult or completely impossible to solve 100%. And that has been my experience in governance, risk and compliance. We deal with wicked problems. And the board needs to be well versed and very comfortable to know that the wicked problems are being dealt with.

Because if we don’t do that, well, then we’re not a true partner. We’re not a protector. We’re doing the three wise monkeys act. The three monkeys of kind of see no evil, hear no evil, speak no evil. You know, have your ears closed, your eyes closed, your mouth closed. That is not GRC. GRC and wicked problems is about unveiling those three wise monkeys, you know, opening the eyes, opening the ears and opening the mouth. And that needs to resonate with the board. If the board is and those individual members, because we also use these terms and we get a sense that there aren’t any people behind it. There are real people behind it. There are real board members and companies made of people to hopefully in somehow ensure that those individuals sleep better at night, knowing that those wicked problems are being dealt with and that they know what the wicked problems are, and also building the confidence that they can manage those wicked problems. And I think that allows everybody to sleep a bit easier. Hopefully.

Julie DiMauro: Yeah, I love it. I mean, who can say that GRC podcasts are boring when we’re talking about wicked problems and these colorful, dynamic monkeys?

Gail Wessels: Well, you know, Julie, when I say to people, you know, when I say, well, what do you do, Gail? I say, well, I do governance, risk and compliance and that doesn’t get any easy reactions. You know, you can’t find ways to make it sound more interesting because, you know, being a GRC expert and a lawyer, that leaves me cold. But when I do what I do, I love it, you know, because of the diversity, because of all the imagery that we can use and because, you know, at the end of the day, we’re dealing with people. How do you get people excited about these aspects that truly matter? Because companies, those decisions made at a board level, they have an impact on other people. So understanding that we’re part of a broader ecosystem, part of a bigger value chain than we ever imagined and taking responsibility for that.

So that speaks, you know, to stuff that I absolutely love. And as you can tell, you know, I do a lot of training as well. So I’m really trying to get people excited about this because even though it sounds really boring, it has so much potential and a definite potential of bringing different functions across organizations together. You know, seeing the picture in its entirety and understanding the role that every individual has in protecting the organization, of course, protecting the sector within which that organization functions, but taking it to a very personal level, protecting the world we live in. So as a result, you know, the ESG agenda and focus is giving a much needed boost to GRC because it’s the same G, it’s about how companies are driven, but it’s also focusing attention on reporting new activities around ESG.

There’s not as much expectation around reporting when it comes to GRC, but, you know, I’m very enthusiastic and hopefully, you know, the ESG regulation and disclosure requirements and also the expectations around due diligence and supply chain risk will further help to boost the work that teams in the GRC space are engaged with or towards the same end, which is protecting organizations.

Julie DiMauro: Absolutely. And I want to ask you about personalities because you brought up relationships, very important. Organizations are built on relationships. And, you know, boards and the exercise of their discretion and carrying out their fiduciary duty, they also have to deal with senior directors that can have outsized personalities and big egos. How do they do that? They have to protect the company, but they do have to at some level appease directors and certainly work with them. How do they manage them?

Gail Wessels: I think it’s a process of continuous improvement. You know, you touch on ego, human behavior. A lot about compliance is directly related to behavioral science. You know, I suppose what isn’t about behavioral science? So, yes, it’s, you know, being able to manage that team. How do we put that team together? How do you look at certain skills, competencies, personalities? And ensuring that, you know, every individual is focused on the right stuff. Maybe that touches on how the board displays the company values in terms of selecting people who actually display those values and being able to communicate very transparently around their selection process. But I think you’re right. It’s complicated. There’s no one size fits all. But again, it’s getting the right mix of skills and competencies and of course personalities.

Julie DiMauro: I think it’s an ongoing challenge for boards. It really is. They have some very colorful personalities and CEOs that they have to deal with. And actual board mates, other fellow directors that have their own agendas maybe and personality traits. So, I think that there might not be a playbook for how to deal with it. But like you said, strategizing around what skill sets you need to bring in, maybe having an outlined framework about what values they’re bringing to the table and organizing themselves around certain principles could help.

Gail Wessels: Absolutely. And being open to those uncomfortable conversations. So what kind of team composition do you require to facilitate the uncomfortable conversations? Because for mature organizations, those uncomfortable conversations need to be normal. It needs to be the usual. It’s not supposed to be comfortable, but it doesn’t mean that in the discomfort, it needs to be destructive. So how do you encourage the team structure and composition in the best way to facilitate and to hold those uncomfortable conversations? And for that to happen, you need people with different perspectives. If not, there’s a high risk of groupthink. You know, everybody nods together. The image of the three wise monkeys comes up again. And that’s just not good enough anymore.

Julie DiMauro: Absolutely. Now, I wanted to end on, again, another colorful note. You said that there are some really nice real-life examples that drive home some of the themes that we’ve been discussing today, especially about expertise and oversight. Could you share a couple of those examples?

Gail Wessels: So, Julie, one of the key case studies that I can mention is that of Westpac. Westpac relates to a financial organization that received one of the biggest fines in Australia in 2020 and about one point three billion. And that’s related to AML failings. So basically, when they did their post-mortem internally, you know, setting up an independent committee to understand what went through, what went wrong, what led to these failures. They identified a lack of sufficient or the lack of the right anti-money laundering skills at a board level. So that was one of the root causes of failure.

And then secondly, the lack of AML or financial crime information being shared with the board as well. So, earlier, we spoke about what information the board needs to receive, because that, of course, is the basis of decisions, etc., etc., making decisions around investment, making decisions on risk appetite, risk tolerance as well. If the board is not receiving information relating to financial crime, AML, as in the case of Westpac, of course, the decisions are all the poorer for that. And as a result, immense weaknesses in the entire compliance program around managing AML. And that led to a very, very uncomfortable situation for them, clearly. So that’s one example. Now, I could mention quite a few others.

Boeing is certainly top of mind and that’s hit the newspapers yet again. Another example of where there’s an absolute need for board members to understand what’s truly happening in an organization, making sure that the information reaches the board, they can make informed decisions. There are quite a few others. But what I do see in terms of common causes of these failures, it’s often linked to risk blindness. So pretending it’s not there, maybe thinking of an ostrich sticking its head in the sand.

So there’s risk blindness. And risk blindness is also related to not asking the right questions. So, again, you can’t ask the right questions if you don’t have those perspectives, if you don’t have those competencies. And the board’s primary function is, of course, leading the organization, making sure that there’s overall strategic guidance. But also being able and willing to challenge senior managers, to advise them and to guide them.

So if they’re not doing that, of course, if you don’t ask the right questions, you won’t get the answers. So that ties into that risk blindness aspect, groupthink as well. Often we see that it’s not clearly defined what information needs to go to the board as well. So that needs to be looked at very closely to ensure that they receive the right information.

Also, the lack of independence. And that’s where the need for the right independent directors at a board level becomes more important, to introduce that independence and to make sure that that’s guarded and facilitated. And then, of course, sometimes not having a clear view of the risks and dependencies. And that’s where when we look at enterprise risk management, having one version of the truth, making sure that that version of the truth is shared with the board. And then, of course, the right questions and challenges flow from that.

Julie DiMauro: Yeah, this has been a terrific conversation. Thank you so much for this very helpful overview of the GRC landscape. I really appreciate it.

Gail Wessels: Well, Julie, it’s been my pleasure. It’s quite a bag of wicked problems that, of course, requires equally wicked solutions. It’s a space that offers immense value and some good dinnertime conversations as well. So it’s been a pleasure spending the time with you.

Julie DiMauro: Absolutely. Yes, you must come back. And thanks to everyone for listening today.