Analytics or automation alone don’t stand a chance of helping any CCO deal with every challenge they face. In a business world filled with growing demands, these leaders need to personify no fewer than four different models, or postures, argues Chris Audet.
Chief Compliance Officers (CCOs) can be forgiven for feeling as if they are being pulled in multiple directions at once. Their checklists have expanded in every direction, from new and evolving regulatory requirements, to business model transformation, enforcing health and safety protocols and monitoring ESG metrics while maintaining a strong corporate culture in oftentimes 100 percent virtual settings.
The solutions up to this point have pointed in the correct direction, but they are often myopic or one-dimensional. We frequently hear that CCOs must work to gain more business influence. We also hear that CCOs need to not only be technologically fluent, but also champion analytics. While these singular solutions are helpful, they are far from comprehensive. And when reviewing the varied number of demands on the CCO’s office, it was never likely that one singular posture or area of focus would be enough to meet them.
In some recent Gartner research, we started with the basic idea that the CCO would need to play more than one role in the organization. Which role would depend on the stakeholder they are engaging with, the technical nature of the challenge or threat and the communication style needed to effectively deliver durable corporate policy.
Below we’ll look at why an expanded and empowered CCO is more important than ever before, the current climate of corporate culture in the pandemic era and the new and varied challenges the CCO’s office is facing. Finally, we’ll outline the four models, or postures, the modern CCO must assume in managing today’s compliance mandate.
A Culture of Compliance (Under Threat)
Before assessing the new responsibilities facing the CCO and their team, we should look at what stakeholders have always expected from the CCO role: leading and maintaining a strong culture of compliance. Gartner survey data shows that 86 percent of business leaders expect the CCO to drive a strong corporate culture.
This has never been more challenging for CCOs amid a dislocation in the physical workforce that makes promoting a culture of integrity from the top all the more difficult. New and different kinds of employee misconduct may proliferate in a full-time remote work setting, while benchmarking annual performance in the shadow of the pandemic makes consistent metrics reporting all the more challenging.
This foundational role has become even more critical as the costs of noncompliance have risen. Just in the month of September, we have seen the second largest GDPR fine levied in history, with a potential price tag of more than $265 million. In the U.S., it seems clear that new regime changes at the SEC, FTC and other regulatory bodies will shift toward a more aggressive regulatory posture, as well as increasing state-oriented regulations such as the CCPA.
And data privacy is just one of the many spheres CCOs are asked to monitor. It is not hyperbole to state that the CCO has never been more important to overall corporate success and maintaining (or in some cases, rebuilding) a strong culture of compliance.
The New Compliance Mandate
Quite aside from the pandemic-related challenges of prolonged business model disruption, hybrid working, vaccine mandates and huge employee attrition, CCOs are also being tasked with improving how they deliver guidance to the business. As the number of regulatory, risk and embedded compliance challenges proliferates, so has the number of associated assurance functions and reports. Perhaps the highest level of risk for a CCO today comes from “compliance fatigue” among stakeholders and front-line employees.
The CCO is increasingly tasked with leading an “aligned assurance” function, where compliance, audit, ERM and other assurance functions have clear lines of ownership and communication to better streamline and elevate the most important organizational risk information up to the C-suite and board in a timely fashion. Beyond simply coordinating within the assurance functions, CCOs also need to communicate with business leaders of all kinds, who may have differing views on the importance of a particular risk factor or new initiative.
The role itself is also expanding: CCOs are now also expected to manage the next generation of organizational mandates, including ESG, CSR and DEI initiatives, which organizations are increasingly evaluated on by investors, the media and their own diverse set of stakeholders.
Perhaps these challenges and new responsibilities would be more manageable if compliance was expecting a commensurate raise in resources. Unfortunately, according to Gartner’s latest compliance spend data, this is not the case. Spending on compliance appears to have plateaued in 2020, with the median headcount for full-time compliance staff actually decreasing between 2017 and 2020 from 12 full-time employees to 10.
The Multifaceted CCO
With growing challenges materializing from all directions and resourcing flat or even declining, it’s no wonder that a CCO can’t be great at just one facet of their role. Increasingly technological capabilities, while important in meeting the challenge, cannot alone fill all the gaps. The CCO must sharpen their skills in advocating for additional resources from the business, be a master communicator both within and beyond the assurance functions and continue to find creative ways to steward culture and ethics in an unusual environment that may never fully return to what they previously appreciated as “normal.”
Therefore, Gartner has introduced a new framework for the modern CCO that incorporates and helps them visualize four main roles embedded in their position. Depending on the business context, a CCO will likely feel comfortable aligning to one of these models, but they must be aware of the need to “flex” among the other three when the situation arises.
These flexible roles provide the CCO with the best chance of being able to meet the challenges coming from a variety of different and essential business contexts:
The “Strategic Business Advisor” CCO
This CCO model focuses on providing compliance advice that influences and strengthens an organization’s strategic direction. This type of CCO seeks out a clear understanding of business objectives, proactively advises leadership on compliance risks associated with business growth and provides their own guidance based on clear metrics that will influence an organization’s strategic direction. Organizations rely on this type of CCO when going through business model changes, launching a digital transformation or entering new markets.
The “Culture and Ethics Steward” CCO
This CCO model promotes a strong corporate compliance culture to build shared accountability and influence business direction. Specifically, these CCOs focus on reinforcing the organization’s culture in a changing environment and creating policies and communications that maximize transparency and minimize employee misconduct. This has been most critical in organizations facing rapid change and is especially pertinent to newly hybrid or fully remote work environments.
The “Tech and Analytics Champion” CCO
This CCO model focuses on supporting technology initiatives to improve risk mitigation outcomes and functional effectiveness and promote technical skills development function-wide. This model emphasizes a growing adoption of analytics, automation and artificial intelligence (AI) to augment the capabilities of their staff. This type of CCO recognizes an opportunity to provide complementary risk information within organizations that rely on data to understand potential risk trends and implement new risk management initiatives. This is also a critical role for CCOs to assume when faced with resource-pressed staff or the need to do more with less.
The “Aligned Assurance” CCO
This working model focuses on establishing strong partnerships throughout assurance functions with clearly enumerated risk ownership, accountability and reporting roles. While operating in this role, the CCO addresses concerns related to “stakeholder assurance fatigue” and allows for a comprehensive and consolidated view of risks that threaten the organization. This role is most pertinent in organizations that have siloed assurance functions that run multiple reports.
There is no way to sugarcoat the challenges faced by CCOs at a time when they have never been more important to the health of an organization and its culture. By reevaluating their mandate and embracing the need to pivot among different roles depending on the context with which they are faced, the CCO has a fighting chance to meet today’s demands.