
Getting Serious About Compliance: The Evolving Role and Definition of the Chief Compliance Officer

by Mary-Somerville @ 2009-07-20

Category: Compliance, Featured Article

(This article was contributed to Corporate Compliance Insights by Ms. Mary Somerville, a director in the Washington, DC office of global consulting firm LECG. Mary Somerville can be contacted via email at msomerville[at]lecg[dot]com.)

——————–

Getting Serious About Compliance

The Evolving Role of the Chief Compliance Officer

Just 10 years ago, if the job existed at all, it was a middle-management job, probably reporting into the General Counsel. But today the Chief Compliance Officer (CCO) – and, increasingly, that is the title – is a high-powered position, sometimes reporting directly to the Chief Executive Officer, or if not the CEO, then into the Chief Financial Officer or, especially in banking, the Chief Risk Officer. The CCO role packs clout, influence, and in many organizations when the CCO blows a warning whistle, work stops right there on the project that has caused the CCO to arch an eyebrow.

Question: how did this once functionary job become so important? Read on for a fast history and also a look at where this position may be going.

Baseline Definition of the Chief Compliance Officer

Today, says Wikipedia, the CCO is tasked with managing all compliance issues within an organization. That is a broad definition and, in practice, the CCO’s purview indeed is broad. He or she is charged with making sure the organization is in sync with regulations, laws, and also with internally-generated guidelines and credos (a high-sounding employee handbook is of little use if no one follows it – the CCO is there to ensure that the guidelines are indeed followed). That is a busy job, precisely because there are so many laws and regulations that demand compliance, particularly today as the federal government extends its involvement in the private sector.

What’s interesting is that – powerful though the CCO may be – the job is in fact very new. Where the CCO position first took root, according to my research, was in financial services companies around 20 years ago. In part, this was fueled by the savings and loan crisis of the 1980s (when some 745 S&Ls failed, mainly due to a frothy real estate market and lending unaccompanied by due diligence – sound familiar?). An upshot was a legion of new regulations. Somebody had to tally the organizational response to the regulations – indeed somebody had to keep track of the regs simply to know which had to be complied with – and that person usually was in the General Counsel’s office, frequently working without a specific title pertaining to compliance. But, little by little, the number of regulations needing compliance – involving everything from affirmative action to records retention – has kept growing.

At the same time the penalties involved in falling out of compliance – both financial fines and impacts on an organization’s reputation – have also kept growing. Failing to comply now can be very, very costly and that has helped transform the job into a formalized, much higher profile position. No company wants to be tagged a compliance deadbeat and, nowadays, that particular buck stops at the desk of the CCO.

Kicking Up the CCO Function

The proliferation of high-level CCOs – and their increase in authority – probably took off because of two things. First: the adoption of new, pervasive laws with accompanying regulations such as Sarbanes-Oxley, which penetrates to the very core of what organizations can and cannot do and what records they need to maintain regarding actions taken and not taken. SOX alone, in a very few strokes, introduced radical transparency and accountability to the boardroom.

SOX set the stage with its 2002 passage, and then SEC Commissioner Cynthia A. Glassman gave a September 2002 speech that became the speech heard ‘round the corporate governance world. In her talk titled “Sarbanes-Oxley and the Idea of ‘Good’ Governance,” Glassman explicitly urged organizations to create what amounts to the CCO job. To quote Glassman: “In terms of trying to personify the corporate conscience, there is something not specifically required, but which I feel is essential nonetheless. While the CEO cannot delegate his or her ultimate responsibility, to fully carry out the mandate of Sarbanes-Oxley and the Commission’s rules, a company should have an officer with ownership of corporate compliance and ethics issues, and of what Title III of Sarbanes-Oxley broadly refers to as ‘Corporate Responsibility.’” [emphasis added]

Glassman proceeded to tick off what she saw as the four key characteristics of the person holding the job:

  • “He or she should have sufficient seniority and authority to take the actions necessary under the circumstances.”
  • “The position should have the full support of the CEO and senior management, both in theory and in practice. The corporate responsibility officer should have access and provide regular reports to senior management.”
  • “…the corporate responsibility officer should have the ability to report directly to the board (for example, to the audit committee chairman).”
  • “The responsible officer should have sufficient time and adequate resources to implement the company’s corporate responsibility program in an effective manner.”

One reality: without top-level buy-in for the CCO position, it isn’t a job that can be done. The CCO, definitionally, needs to be able to butt into many departments and ask potentially embarrassing questions. Getting honest answers requires doing this with the full backing of the CEO. It just won’t work without it.

Another reality: the CCO has to come to the position with the knowledge acquired performing senior roles within the industry. You have to know what the secrets are before looking for where they are buried. A person can learn what’s involved in being a good compliance officer but they have to come to the job with breadth and depth of knowledge and experience in this specific industry. That’s proven to be a key.

Quite honestly, there still are plenty of incompetent compliance officers out there – but every year there are fewer because senior management increasingly recognizes how important this job is to the organization.

The Continued Evolution of the Chief Compliance Officer Role

Glassman’s talk was given seven years ago, and what’s most exciting about the evolving role of the CCO is that the position (as Glassman suggested in 1992) finally now usually includes a dotted-line relationship to the organization’s board of directors – either to the Lead Director, the head of the Audit Committee, or an independent Chairman. Exactly where on the board the CCO reports matters less than that the CCO in fact has an open line into the board and may talk to the board without involving the CEO, CFO, or CRO, when appropriate.

Many directors now recognize that the way to get into trouble is to not ask questions, and they also see that the CCO is an important asker of questions that just may matter. The rub against the CCO is that the position rarely adds to the bottom line but, nowadays, more and more directors see that preventing compliance problems before they become front-page news is an indirect way to augment an organization’s balance sheet.

That’s why the CCO role is a position with a very bright future, in just about every organization that interfaces with the federal government and that means pretty much everybody. It’s a job whose time truly is now.

**********

Mary Somerville is a director in the Washington DC office of global consulting firm LECG. She has extensive experience with compliance-related issues for banks and other financial institutions. Ms. Somerville has served as head of compliance for banks and has advised numerous organizations on policies and procedures as a consultant. She holds the Certified Regulatory Compliance Manager designation. She also has experience and advises companies on credit administration, risk management, fair lending and anti-money laundering programs. She can be contacted at 202.973.6644 or msomerville[at]lecg[dot]com.



Corporate Compliance Insights was founded by Maurice Gilbert, the Managing Director
of Conselium, a premier global executive search firm for compliance.




Currently there is "1 comment" on this Article:

  1. Alex Todd says:

    I enjoyed the article. It provides a nice introduction to the role of the CCO. I was particularly struck by the comment that “the position rarely adds to the bottom line”.

    Clearly, regulatory compliance is perceived to be a minimum standard for business. In other words, the CCO is on the defensive line (to use a football metaphor), as is the CFO, Corporate Counsel, Chief Ethics Officer, the entire risk management team and quality control. In fact, many also see the board of directors as being on defense. If those roles are perceived to be defensive, what would be the offensive positions? I suspect most would also agree that the CEO, CMO, etc., and anyone else responsible for revenue belong to the offensive line. I guess there are also positions whose role it is to support the two lines, such as HR, operations, manufacturing, procurement, IT, etc. But what’s to say that non-functional roles, such as compliance and risk management, could not also play a supporting role for the offensive line, much like IT and HR?

    OCEG advocates for a unified Governance, Risk and Compliance approach to improving efficiencies, based on principled performance. However, they are still playing defense. I believe there is a compelling case to be made for Governance, Risk, Compliance & Trust. I call it Trust Enablement and introduced it recently in a presentation I delivered to KPMG (see http://trustenablement.com/local/GRCT-KPMG.ppsx). A Chief Trust Enablement Officer could provide a far more valuable business role that supports both the defensive and offensive objectives of the business.
