The role of the chief compliance officer (CCO) has changed dramatically over the past decade. Beginning with the Sarbanes-Oxley Act of 2002 (SOX) and continuing with increased regulatory vigilance, new compliance demands and governance standards have put CCOs under a brighter spotlight on a larger stage, and the trend has intensified.
Many public company CCOs have risen to the greater demands of their expanding roles, yet others have some catching up to do. This article examines those demands and recent developments likely to further expand the role of the CCO, as well as useful responses.
Risks, Not Just Rules
Under what might be viewed as the first generation post-SOX compliance model, CCOs acted primarily as dispensers of rules—codes of conduct—and as investigators of code violations and, sometimes, regulatory violations. However, they often fell short in driving control enhancements, compliance monitoring, and the IT aspects of compliance.
While providing a level of assurance and something of a “policing function,” this model of compliance provided little validation of effectiveness (except the absence or occurrence of violations). It generated even less information on the internal control environment and on the risk management benefits of compliance efforts.
What might be termed a second generation of CCOs emerged in the second half of the post-SOX decade. While continuing to serve their former roles, these CCOs also act as architects and catalysts of the nonfinancial control environment, and provide validation of effectiveness. These CCOs also make the critical connection between compliance and risk management, on the one hand, and, on the other, their ability to positively impact business performance, which drives profitability, growth, and shareholder value.
Given this elevated role, these CCOs tend to carry more responsibility and occupy higher positions, with direct access to the CEO and the board. This stands in marked contrast to CCOs operating solely in legal and regulatory compliance modes.
In this context, organizations face new demands in areas such as controls enhancement, incident analysis, loss event monitoring and reporting, response preparation and deployment, risk management, IT, and communications. These demands can be identified and addressed in the context of Risk Intelligence.
Risk Intelligence, Deloitte’s* approach to risk management, enables organizations to identify risks and relationships among risks, examine risks across silos, create common risk terminology and metrics, and consider risk taking for reward rather than pure risk aversion. This in turn calls upon CCOs—in concert with boards, management, and business units—to prioritize issues, secure funding for compliance initiatives, educate the organization, and shape the control environment.
On the latter subject, Deloitte has found that corporate compliance programs can be classified into three stages of development: the building stage, the refinement stage, and the advanced stage.
- In the building stage, the enterprise implements a baseline compliance program, usually consisting of policies, codes of conduct, training, and incident response procedures.
- In the refinement stage, the enterprise improves processes and reporting mechanisms to achieve operational excellence, characterized by organizational accountabilities, process protocols, and compliance measures and indicators.
- In the advanced stage, it employs risk management, enterprise control enhancements, compliance auditing, sophisticated risk and compliance data analytics, and strong governance practices to create a culture of compliance that supports, and indeed accelerates, progress toward strategic corporate goals.
Each stage places unique demands on the CCO, whose role concurrently evolves from program organizer, to process manager, to compliance risk executive. At every stage, the CCO also plays the role of expert, advisor, and leader, supplying the knowledge and guidance required given the enterprise’s industry and compliance needs.
To bring this discussion into sharper relief, we turn to current challenges resulting from recent regulatory changes and to the IT revolution that is driving further changes in the CCO’s role.
What Drives New Demands?
A broad trend has taken root in the business environment, and it continues to transform the compliance function. This trend has created an environment of ever-increasing disclosure, transparency, accountability, and regulatory sanctions, and thus of an ever-increasing need for effective governance and proactive compliance risk management.
This environment is evident in developments such as the Foreign Corrupt Practices Act of 1977 (amended in 1998), SOX (2002), the Wall Street Reform and Consumer Protection Act (“Dodd-Frank,” 2010), and the Amendments to the Federal Sentencing Guidelines (2010). Such developments have elevated risks in areas such as international transactions, financial reporting, and public disclosures, and have led to a corresponding emphasis on strong compliance programs.
Recent developments in this environment are exemplified by the proposed Whistleblower provisions in Dodd-Frank and by the 2010 Amendments to the Sentencing Guidelines.
Dodd-Frank Whistleblower Provisions
Dodd-Frank, signed in July 2010, significantly changes regulation of the U.S. financial services industry and affects all industries in some areas. That legislation includes new incentives to whistleblowers who inform the SEC of securities law violations which lead to an enforcement penalty of $1 million or more. This part of the legislation applies to all industries.
We expect Dodd-Frank to encourage increased reporting of violations, both internally and to the SEC. The final rules under which the law will be implemented will presumably balance the goal of encouraging compliance programs that can address allegations internally versus the legislation’s goal of providing an alternative avenue for whistleblowing when companies fail to maintain strong compliance programs. Yet it appears that even if internal reporting is encouraged, enterprises will need to respond quickly and clearly to allegations, most likely within 90 days.
Compliance functions will need to quickly understand, investigate, evaluate, respond to, and report on allegations made as a result of this law. All this will require far more nimble and responsive investigative, triage, analytical, and governance capabilities than typically present today. It also will require deeper monitoring within the organization of “faint signals” that can indicate compliance breakdowns.
Amendments to Federal Sentencing Guidelines
The United States Sentencing Commission issued Amendments to the Federal Sentencing Guidelines, which became effective in November 2010. The Amendments raise the bar for internal controls that signify an “effective” compliance program, that is, one sufficient to prevent compliance problems or to detect them before they become severe.
Significantly, the amendments require that the CCO have “direct reporting obligations” to the board of directors or a subgroup thereof, and that the organization promptly self-report certain offenses in order to obtain avoidance or mitigation benefits. These changes signal that boards must attend more closely to compliance programs, and we expect this to further expand the role, and the reporting relationships, of CCOs.
Dodd-Frank and the Amendments to Federal Sentencing Guidelines are only two recent examples of the need to respond proactively to regulatory developments. Such developments can present risks to strategy, brand, and reputation that can far outweigh the associated direct financial risks. CCOs must increase awareness of the stakes in compliance in these areas, and assist in developing the proactive posture and efficient control environment required to achieve that compliance.
Yet legislative measures are only one driver of new demands on CCOs.
IT and Compliance: Problems and Solutions
As in every area of the enterprise, technological advances create new compliance challenges even as they generate new opportunities and solutions. IT and regulatory developments continually challenge compliance to adapt IT systems, incorporate IT controls into business processes, and optimize compliance data management. Today’s CCOs are thus ever more focused on areas such as data privacy and data movement regulations, external communications and social media, and data management across disparate systems in anticipation of regulatory inquiries and exams.
IT can help to address those issues, while accelerating the development of the compliance function. For instance, when applied to processes and control mechanisms, IT can assist in aggregating compliance data across the enterprise, monitoring and reporting key performance measures, and identifying control weaknesses and enhancement opportunities. CCOs can also help build and maintain an enterprise-wide risk data management program that enables executives and the board to make strategic decisions based on robust, risk-based analysis.
IT compliance shows signs of becoming a discipline unto itself. Indeed, a number of leading edge companies are establishing IT compliance units to protect their IT investments, mitigate associated risks, and ensure compliance with security, privacy, customer data protection, record retention, and other standards.
IT generates significant exposures, especially given technological convergence, data aggregation, and risks posed by cyber criminals, hackers, and intellectual property pirates, and by technologies such as mobile devices, social media, and cloud computing.
Yet many CCOs are unaware of or unprepared for the IT dimensions of their roles. Most rely on the company’s IT department, internal audit, or risk management to cover the regulations and risks, while many companies lack a coordinated approach. Some CCOs lack the skill sets and organizational abilities to address these matters. However, IT compliance and risk issues expand CCOs’ roles still further. This calls upon CCOs to develop a deeper understanding of IT, of how operational processes are enabled by IT and the risks that those processes—and IT—pose.
Steps to Stepping Up
Most executives grasp the importance of getting compliance right, given its reach into virtually every area of the enterprise and the enormous costs when serious problems are missed or ignored. They recognize that good compliance is good business, because it helps companies navigate the ever-changing regulatory environment. In Deloitte’s experience, these executives see effective compliance as a competitive advantage because it enables companies to safely assume more risk than they otherwise could.
Thus there are ample opportunities for CCOs to expand their roles appropriately. Indeed, many enterprises have vacuums waiting to be filled by CCOs willing and able to do so. CCOs can fill these vacuums by viewing compliance enterprise-wide, which is the risk intelligent context in which management, the board, and board committees must also view it, and by taking the following steps:
- Develop situational awareness: Develop a deep, ongoing awareness of regulatory, legal, business, and technological developments with the potential to affect enterprise compliance and related risks. This should be done with a global perspective and by tapping sources of information and expertise in every industry and jurisdiction in which the enterprise operates or may operate.
- Build capabilities that support strategic initiatives: CCOs should understand business goals and strategies and their potential to generate compliance and other risks. This entails speaking the language of business to senior executives and business unit managers and hearing their concerns. Aim to have a seat at the table, not merely to point out compliance risk but to help them reach their goals while meeting compliance and risk management objectives.
- Assess the maturity of the compliance function: In their roles as architects, builders, and stewards of the control environment, CCOs should understand the past, current, and emerging compliance needs—and capabilities—of the enterprise. Only then can they achieve congruence between compliance needs, capabilities, strategies, and solutions.
- Lobby for appropriate investments: Appropriate investments are those that bring compliance capabilities to the level required given the enterprise’s needs. Few executive teams want to forgo promising initiatives due to compliance requirements. Instead, they want to know what those requirements are and how the enterprise can best meet them while investing in the initiatives.
- Shape the culture: In effective companies, compliance responsibilities are embraced by business leaders and managers, not imposed and done grudgingly. They understand that compliance, done correctly, supports and accelerates growth and value. They work with their CCOs to maximize compliance effectiveness and build a culture of compliance throughout the organization.
- Lead the way: CCOs who are prepared for their new roles can lead the enterprise to new levels of efficiency, effectiveness, and performance. This calls for analytical, communication, risk management, and organizational skills that may be underdeveloped in some CCOs. However, given the positive ways in which many CCOs have responded to the challenges of the past, there is every reason to believe they are equal to those of the future.
Whether or not they openly say so, executives and directors want compliance to be forward-looking and proactive. They want the enterprise to manage compliance and related risks as the business pursues its goals.
CCOs have the enterprise-wide viewpoint, the professional objectivity, and the responsibility to lead their enterprises’ response to compliance challenges. It is now time for CCOs to recognize that their roles are expanding even more rapidly and to broader dimensions. It is also time for them to embrace these expanded roles—and for their organizations and boards to support them as they do so.
*As used in this article, “Deloitte” means Deloitte & Touche LLP and Deloitte Financial Advisory Services LP, which are subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.
Copyright © 2011 Deloitte Development LLC. All rights reserved.
**********

About the Authors
Robert T. Biskup is a director within Deloitte Financial Advisory Services LLP. With more than 25 years of experience in the corporate sector and private professional settings, Rob specializes in implementing effective global compliance programs, and on international financial investigations and corruption matters. Before joining Deloitte, he was global head of compliance at a Fortune 10 company. Rob can be reached at rbiskup@deloitte.com.
George Hanley is a director in the Governance, Regulatory & Risk Strategies practice of Deloitte & Touche LLP. Specializing in the insurance, asset management and securities industries, he has led numerous engagements to benchmark and assess the effectiveness and efficiency of companies’ compliance and risk organizations. George came to Deloitte with more than 30 years of industry experience at a leading insurance and investment management company where he served as the global chief compliance officer for its US and international insurance and investment businesses. George can be reached at ghanley@deloitte.com.

Kevin McGovern is the managing partner of Deloitte & Touche LLP’s Governance, Regulatory & Risk Strategies practice. He specializes in providing advice on regulatory compliance, operational and technology consulting services to organizations in the financial services industry. In addition, Kevin regularly works with internal and external counsel in addressing issues affecting regulatory compliance and issues related to risk management and mitigation. Kevin can be reached at kmcgovern@deloitte.com.