Positioning Compliance for Effectiveness
Positioning the compliance function for effectiveness is a matter of first defining the roles executive management and the board want the function to play. An understanding of those roles provides a powerful context for evaluating how to position the compliance function within the organization.
Regulatory settlements addressing egregious non-compliance issues sometimes stipulate a different line of reporting for a company’s compliance officer. For example, it is not unusual for settlement deals to stipulate that the chief compliance officer (CCO) not be subordinate to the chief legal officer or chief financial officer and that he or she should report directly to the chief executive officer (CEO) and the board. But the question remains: What is the CCO expected to do?
Generally, a company’s compliance function is responsible for overseeing or coordinating compliance efforts, ensuring that the company and its employees understand and comply with applicable laws, regulations and internal policies. Some functions may deal with all compliance matters. Depending on the organization’s industry, other functions may focus on specific compliance domains, such as environmental, health and safety; contracting; product quality; employment and labor; and anti-corruption. Ethical and responsible business behavior (including privacy and the use of customer data) may also fall within the scope of a compliance function’s responsibilities. With the numerous IT regulations that have come into effect in recent years, IT compliance is a growing and complex area of responsibility for the CCO.
A compliance function may be led by someone designated as the compliance officer or an equivalent title. If responsible for overall compliance, that person may be the CCO, which we use here to refer to the function’s leader. We see two distinctive CCO roles in practice, as well as variants of each.
- The “Champion” CCO advances the framework for identifying the applicable compliance requirements (as defined by laws, regulation, contracts and internal policies), aligning policies and processes with those requirements, and assessing risk of noncompliance and closing gaps to ensure ongoing compliance. The frontline operating units and process owners are responsible for applying the compliance framework. They retain primary ownership of the risks created by their respective units and processes.
- The “Line of Defense” CCO undertakes the activities of the Champion CCO and, in addition, is authorized to do a combination of the following:
  - Evaluate the (1) state of compliance; (2) quality of compliance risk assessments; (3) implementation of risk mitigation plans; and (4) operating effectiveness of those plans, all in coordination with internal audit and other evaluators.
  - Establish standards and implement procedures to ensure that the organization’s compliance programs are cost-effective in preventing, deterring and detecting noncompliance with applicable laws and regulations, contracts and internal policies, and make necessary corrections by enhancing existing policies and improving the compliance infrastructure.
  - Approve policies and compliance mitigation plan designs to address identified risks.
  - Coordinate internal compliance reviews of lines of business, functions and monitoring activities to ascertain whether compliance programs are working.
  - Escalate issues to executive management, including the CEO, and, through appropriate channels, the board of directors.
  - Veto activities affecting compliance with the organization’s mission-critical policies.
  - Arbitrate disagreements between operating and functional units that affect compliance.
When applying the above principles to the CCO (among others), the key question is: What do the board and the CEO expect from compliance? Effective compliance management starts at the top. If a viable line of defense is intended, the Champion CCO will not be able to deliver it.