
Chief Compliance Officer Headache #1


Getting the Compliance Function Under Control: An Emerging "C-Level" Role

By T. Mark Morley
Chief Operating Officer of Obian Inc.

Seventy years ago, a new position emerged in corporate leadership: the Corporate Controller. Imagine being hired as one of those first Corporate Controllers, and being asked to bring the organization's financial systems under control. Early controllers had to work with manual bookkeeping procedures based on paper records and then, thirty years later, very limited computer automation. Somehow the Controller had to figure out how to achieve his or her objectives, without the benefit of an automated General Ledger system.

Seventy years later, the role of Controller is well-established, and the market for General Ledger software is mature. Every organization, down to the smallest business, understands the value and purpose of this kind of software.

Today, the emerging corporate leadership role is the Chief Compliance Officer. Sometimes this is an official title. In many cases, the role has been added to an existing leader's portfolio. The General Counsel, Vice President of Internal Audit, or even Controller, may be asked to take on this newly critical responsibility in addition to already existing duties.

In some industries the Compliance Officer role is not new. In the businesses of healthcare, utilities, construction, financial services, and government contracting, complying with regulations has long been an everyday matter. Achieving strategic accreditations, or demonstrating superior adherence to corporate standards of behavior, can offer competitive advantage in industries as varied as manufacturing, retail, and hospitality. Investment companies and investment advisers are now required by SEC regulation to have a Chief Compliance Officer with significant independence from the company's executive leadership. But even for companies with established compliance programs and leadership in place, the recent accounting scandals and the Sarbanes-Oxley Act of 2002 have moved the compliance officer role to a more senior enterprise level.

Like the pioneering Controllers of the 1930s through the 1950s, the Chief Compliance Officer today must work with compliance systems that involve manual processes combined with limited and discrete automation, and few or no formal controls. What is needed are formal compliance controls and established processes. In a crisis, for example when a violation of the law is uncovered, there will not be time to develop and implement policies and procedures, much less train executives about their specific responsibilities. What is reported to executive leaders, to the Board, to the government, and to other stakeholders must be consistent and appropriately updated as compliance requirements and organizational strategies evolve. To achieve this position requirement, Chief Compliance Officers must have controls and response processes in place before out-of-bound events occur.

In reality, the role of Chief Compliance Officer is being expanded and transformed within the context of rapid change in the organization's leadership and governance. However, the new face of corporate compliance may be poorly understood by executive peers.

The new Chief Compliance Officer generally lacks the tools to monitor, update, and implement continually evolving and emerging compliance frameworks. Operational units are loath to change their business processes to accommodate compliance reporting or implement new compliance-driven procedures. Status reporting of compliance and accreditation initiatives will be periodic, decentralized, and assembled manually with spreadsheets. Outsourcing, joint ventures, partnership arrangements, plus mergers or acquisitions in various stages of completion, all serve to increase the compliance challenges and obstacles even further.

Above all, the Chief Compliance Officer must manage the cost and risk trade-offs of compliance efforts. Without effective leadership, an organization's "firefighters" are prone to simply pour all available resources into the hot-button compliance activity of the day – and the Chief Compliance Officer must be capable of reining in this tendency. Such restraint may be difficult if a company is facing a large fine, lawsuits, and criminal penalties for past breaches. But the high-level, long-term, holistic view shaped around a value-building strategy supported by ongoing compliance initiatives is what the CCO should bring to the table. How should resources be planned for and allocated across the different compliance and accreditation requirements? Is the organization spending too much, or too little? Does the organization have a way to assess the likelihood and impact of events such as a missed deadline or a "surprise" audit finding, and does the organization have a planned response for high-risk/high-impact situations?

Defining the Job

Getting the Compliance Office under control should be the first task of a new CCO. Achieving that end will make all the other objectives attainable. Just like a Corporate Controller without an automated General Ledger, the Corporate Compliance Officer needs to gather existing processes, policies, frameworks, and work assignments into a streamlined, effective system that can be managed, monitored, and reported on.

Many articles in the business press have covered the conundrum of how to align various functional efforts to best support Corporate Strategy, which by its nature must be reinforced across the information and management "silos" of the organization. The Corporate Compliance function brings its own set of organizational-role questions where there are probably no right answers that apply to all situations. Should the compliance function act as impartial judge or ombudsman? Or should the role be more involved, either coaching, or policing, or both? In short, when a new Chief Compliance Officer takes the reins, he or she must decide on and establish the appropriate tone at the top.

In addition, the Chief Compliance Officer must build positive working relationships with other executive leadership functions. CCOs will need to expand beyond the perspective they bring from their prior functional roles, whether they have legal or financial backgrounds. Even the most consummate communicator will be challenged by symptomatic "turf wars" over resources and responsibilities. The new compliance function demands increased collaboration and attentiveness to different points of view.

Ideally, the systems that foster a healthy compliance culture are flexible enough to support and enable, rather than hinder, necessary organizational change. Unfortunately, the new Chief Compliance Officer may be stepping into a role created precisely because a company has been caught breaking the law, and the existing or prior compliance systems may themselves have been broken or proven ineffective in the midst of other corporate governance and leadership changes.

Depending on the industry, the organization's size and culture, the number and urgency of crises, high-stakes "near miss" situations, or looming deadlines, the Chief Compliance Officer's day-to-day activities and priorities will vary greatly. Nevertheless, in order to achieve and maintain the ability to lead, the Chief Compliance Officer in every case must first and foremost succeed in getting the compliance function itself under control.

Getting the Resources and Systems to Do the Job

When computers first came into existence for managing financial reporting processes, the new Corporate Controller was not in a position to simply issue a purchase requisition for an automated General Ledger system. To the extent that such systems existed, they were still new and corporate leadership needed to be educated on the value such systems could bring to the organization. In an immature market, the criteria for evaluating, purchasing, and implementing the right systems needed to be developed by those first business pioneers.

Today, the Chief Compliance Officer is asked to monitor and periodically report to the CEO and Board of Directors – but report on what? And how are the reports generated? Where is data gathered? Which aspects of the reports should be quantitative; which qualitative? What are the controls to ensure consistent and accurate reporting?

Imagine the Controller of forty years ago, walking down the hall to what was then called the Data Processing Department, and asking for an automated General Ledger system. Today, the Chief Compliance Officer is in the same position, working with the Chief Information Officer and Chief Technology Officer to create systems to support the compliance office.

Leading Sarbanes-Oxley analyst John Hagerty states in an AMR Research Report, Planning for a Sustainable Compliance Architecture, "Companies are turning increasingly to systemically managing governance, risk and compliance throughout the business. Planning for sustainable, repeatable compliance architecture should begin now to capitalize on existing SOX momentum and set your firm up for an agile, active approach to governance and compliance."

Also, Deloitte, in its Sarbanes-Oxley Section 404 Methodology, recommends that "Technology Assessment and Selection" occur at the very initial stages of the Section 404 compliance effort.

What is clear is that traditional Project Management software is not the answer. Very few organizations are able to fully centralize compliance. Compliance has, until now, been handled at the departmental or business unit level. There needs to be a way to centralize the reporting and the repository of status information and a way to foster collaboration among compliance teams, auditors, and content experts who may be internal staff or external consultants. Further, the entire system needs to itself be audit-ready, with policies in place to deal with inquiries, subpoenas, formal audits, external reviews and investigations.

Part of the tone-at-the-top requirement involves assessing the organization's compliance culture and designing training programs to address gaps. This effort typically works with existing human resources systems to achieve rapid results.

There may already be work-in-process to create a compliance assessment and gap analysis for one or more of the legal, regulatory compliance, or strategic accreditation initiatives and a system to share and build on this existing work, rather than the need to re-create compliance evidence from scratch. Such a system, if it exists, will save time and more importantly, increase buy-in from those who have worked on compliance prior to the new Chief Compliance Officer role being established. Similarly, there will be a need to gather, analyze and build on existing knowledge of the changing, and sometimes conflicting, requirements an organization must attain. For example, the different compliance needs in different governmental jurisdictions and different business units are probably best understood by the "feet on the street" who may be intimately familiar with specific quirks and "gotchas".

So the question becomes, what is the Chief Compliance Officer's job? If he or she is to establish a compliance office with its own staff and budget, what will that office's relationship be to all the ongoing departmental and functional compliance efforts already underway? Should the compliance function remain decentralized, leaving line management in charge of compliance activities, reducing the Chief Compliance Officer to a channel for communication of status, or escalation of problems? And how can this new compliance office establish positive collaboration with, and avoid duplicating the efforts of, the existing internal audit, risk management, human resources, and other compliance-related functions? Who has control of the potentially multiple compliance budgets? And what are the right skills, activities, and incentives for the new compliance staff?

By maintaining a focus on bringing the compliance office under control, the Chief Compliance Officer will be able to make these critical decisions against a background of real knowledge and understanding of what is happening and what needs to be improved in order to ensure the organization has effective compliance programs.

Similar to the internal auditor – who must be able to audit "independently" of management – the Chief Compliance Officer needs to balance the need for impartial judgment calls with the need to encourage and spearhead effective compliance programs. At the end of the day, getting the compliance office under control is an essential first step to exercising truly independent and impartial leadership.

There are precedents for this type of independent, impartial leadership from the human resources function. Many Chief People Officers have demonstrated success in training and enforcing corporate behavior and ethics standards that go beyond the letter of government regulations and other external imperatives. Today it is widely accepted that a diverse, harassment-free workplace contributes to the corporation's overall profitability and competitiveness. But this awareness has taken many decades to evolve. Corporate management today will not allow the compliance function to wait more than three years before it must be clearly recognized as a contributor to bottom-line results, rather than a nuisance factor or expense that diverts from the strategic goals of the organization.

Putting the right systems in place

With little luxury to dwell on a vision of what will be in fifty years, the Chief Compliance Officer is forced to think quickly and make decisions impacting today and tomorrow. To get the compliance office under control, the Chief Compliance Officer must put the right systems in place quickly. Eight years from now no doubt there will be a mature market in "automated compliance" systems, but today the terrain remains to be mapped. Like the blind men and the elephant, different individuals will bring to the table their own perspectives and definitions of what the systems need to be, but a wrong choice could be literally fatal to the organization in the short term.

What is clear is that as the overall technology environment is changing, the so-called "compliance software" of yesterday cannot support the Chief Compliance Officer's mandate in the current decade and beyond. The database-driven compliance tools that track signoffs and checklists, generally applying to only one compliance requirement, perhaps specialized for a vertical market, may still have a role to play at the departmental or functional level, but cannot provide the basis for an enterprise "compliance management system" with automated controls and reporting at the global level.

As the compliance and reporting requirements of government regulations, strategic accreditations, and competitive quality programs overlap, intersect, and increase in number and complexity, the laundry list of legacy compliance tools snowballs. The older systems created for Windows PCs on client-server networks are costly to implement and maintain. There is no enterprise standard for reporting. "Bolt-on" electronic file management systems may hold vast stores of working papers and reports, but are no more audit-ready than the bulging paper file drawers and boxes of paper records of past years.

Before the Chief Compliance Officer walks down the hall to talk with the Chief Information Officer and Chief Technology Officer about an "automated compliance system," he or she needs to identify the capabilities required that will maintain controls regardless of the regulatory framework, the deadlines, the compliance team members, the locations, the languages, or the governmental jurisdictions or business units involved.

Compliance Management Automation

John Logan, in his book, Evolution Not Revolution (McGraw-Hill 2002), points out, "Historically slow-to-change companies tend to promote executives who can improve the firm's ability to manage current operations smoothly – not dramatically change the way the organization operates internally and externally." However, Sarbanes-Oxley has thrust many slow-to-change companies into the quick-to-change category.

The danger to a Chief Compliance Officer is clear: simply identifying, and maintaining, the existing compliance systems is an approach that will not keep pace with the ever-changing compliance environment, nor will it deliver the dramatic improvements that could provide a competitive advantage. Only by establishing enterprise-level, automated control of the compliance function can the Chief Compliance Officer succeed in changing compliance from an expense line into a strategic asset for the organization.


