Thursday, February 24, 2005
Do You Need A Chief Compliance Officer?
No C-level position is the subject of more discussion than the chief compliance officer. The role has long existed at organizations that operate in heavily regulated sectors such as financial services, government agencies, and health care. For other companies, the rash of recent accounting scandals, the Sarbanes-Oxley Act, and the recommendations of the U.S. Federal Sentencing Guidelines are urging CCO appointments.
The responsibilities of the position often include leading enterprise compliance efforts; ensuring compliance with internal standards and state and federal laws; managing audits and investigations into regulatory and compliance issues; and responding to requests for information from regulatory bodies.
Given that the CCO's responsibilities significantly impact a company's strategic and operational decisions, senior management should carefully consider the following questions when conducting a search for the position:
Who should fill the CCO role? By choosing wisely, top executives can rest assured that when a regulatory body performs a compliance audit or an outside investigation is launched, no surprises are likely to turn up. Choosing unwisely raises the potential for the company's hard-earned reputational value to vanish.
When selecting a CCO, the company should target an individual with a deep, nuanced understanding of the compliance issues and regulatory requirements germane to the company and industry. The candidate should have a proven track record of demonstrating high integrity, good business judgment, and perseverance. And the person should be able to engender trust among company employees.
The CCO needs a thorough understanding of the expectations of the leadership team, including the CEO, CFO, CIO, board of directors, and legal counsel. And the candidate should be up to the challenge of filling an emerging position. As the role and responsibilities of the position evolve, the CCO needs to grow along with them, and anticipate and address future issues.
Most management teams have looked to their legal departments to staff the CCO position, and, in some cases, the general counsel has taken on the added responsibilities of this role. This offers several advantages in that the general counsel is familiar with critical compliance areas, likely has established relationships with relevant regulatory bodies, and enjoys access to senior management and the board.
What are the CCO's reporting relationships? To ensure that information is unconstrained and shared in a timely fashion, we recommend that the CCO report directly to the board. The board—under Sarbanes-Oxley, SEC regulations, and the Federal Sentencing Guidelines—is responsible for evaluating the effectiveness of ethics and compliance programs throughout the enterprise. Board members can be subject to prosecution for compliance violations. A reporting relationship with the board helps the CCO ensure that information regarding violations is acted upon quickly, before it becomes systemic, and that emerging issues are anticipated.
In order for the CCO to perform effectively, he or she needs a close working relationship with the CIO. One of the CCO's primary roles is monitoring compliance issues and initiatives, and periodically reporting on these to the board. In a complex and increasingly global environment, this would be virtually impossible without a robust technology infrastructure.
Ideally, the CCO should leverage a real-time, enterprisewide reporting system that provides a clear picture of the company's compliance program. The system should retain necessary records in accordance with federal and industry regulations, and gather, interpret, and generate the compliance-related data that forms the basis of reports provided to executive management. The CCO must work collaboratively with the CIO to implement and manage a technology solution that meets these needs.
In addition to providing data and managing records, the technology solution should satisfy all relevant compliance regulations. It should maintain the confidentiality of data submitted via electronic help lines in compliance with Sarbanes-Oxley section 103; ensure that required financial and audit records are retained for the necessary period of time in compliance with Sarbanes-Oxley section 301; meet best practices for electronic-communications protocols and security; and where relevant, comply with all relevant European Union privacy laws regarding employee data.
For many companies, selecting the CCO and defining the position's role is one of the most important decisions that will be made in the near term. By reflecting on the issues raised here, senior management can ensure that the company's CCO has the inherent qualities and skills to succeed.
posted by Brian Moran @ 8:34 AM