Feb 13, 2011

The changing role of the chief compliance officer

Traditional role is expanding into less heavily regulated sectors but whistleblower provisions may undermine CCO effectiveness.

If Bernie Madoff’s now-defunct firm had had adequate and effective compliance procedures in place, would his Ponzi scheme have escalated to the massive scandal it became? James Fanto, a specialist in public companies and broker-dealer compliance and a professor at Brooklyn Law School, explains that a chief compliance officer (CCO) with a proactive approach to his job would have mitigated the scandal as it unraveled. ‘That’s what compliance is all about,’ he says.

In the early 1990s, compliance was not the term or the practice that it is in the 21st century – in fact, many companies did not know what to call it. Today, as we stand on the precipice of a new era, it appears that every business has a compliance division led by a CCO.

Although the role of the CCO has long existed in organizations that operate within heavily regulated sectors such as government, financial services and healthcare, many companies beyond these particular areas are now reconsidering whether they need such an executive.

Many experts in the industry, however, argue that the role of CCO is evolving as opposed to becoming obsolete. ‘The CCO has always occupied a special place in any financial firm,’ says Fanto. ‘He or she has this role partly because he or she has the inside knowledge about the firm that is difficult for regulators and law enforcement personnel to attain.’

The traditional role

Without a doubt, traditionally the primary responsibility of the compliance officer was to ensure the company was in compliance with all laws, rules and policies, both nationally and internationally. Beyond that, a crucial function of the position entailed establishing an acceptable ‘risk appetite’ and developing a mitigation process to manage both inherent and future roadblocks.

In a nutshell, the CCO was expected to serve as conductor of the orchestra.

While the function has existed for some time, it has typically been hamstrung by a lack of funding and top-level internal support. This situation is changing, however, as the regulatory framework becomes more complicated and the government and other plaintiffs take a more aggressive stance on compliance violations.

‘Formerly, CCOs were found only at mid-sized and larger corporations, and they oversaw small departments that put in place compliance procedures in common areas such as labor and employment,’ explains Gregory Husisian, an attorney at Foley & Lardner. ‘In fact, at some companies the CCO did not even really oversee a department, and primarily acted by him or herself. CCOs tended to have fewer training responsibilities as well, and conducted training on a somewhat sporadic basis, primarily with new hires.’

Modern twist

Today, however, CCOs have a lot to deal with. In an April 2010 report in online news source Corporate Compliance Insights, author Chris DePippo, a compliance and risk management expert, mentions that in heavily regulated industries such as financial services, ‘the chief compliance officer may be the most important figure aside from the CEO.’

DePippo goes on to say that these legal and ethics specialists ‘work closely with the business to recommend new [risk] mitigation strategies.’ Among them, he adds, could be new or improved controls that include review and authorization protocols, policies, procedures and standards coupled with reengineered workflow, employee training, management training and system controls.

Now, the CCO, as a top-level executive, takes on many functions and must collaborate with the finance, risk, legal, information technology, human resources and employee service departments, in order to drive the business to success while fulfilling all of its compliance needs. Additionally, effectively communicating strategy, policy and costs with the board requires significant planning and political dexterity. A CCO must be able to navigate the shifting landscape with foresight, and have a set of solutions in place in case a crisis hits.

As the compliance sector continues to be shaped by the changing regulatory environment, a new question of how best to align the various functional efforts of the CCO has emerged, making it difficult to categorize the role’s duties. Reporting lines are also changing: for a long time the CCO function was seen as a subset of the legal team, but there is a growing move to separate compliance from legal; many CCOs are now reporting directly to the board and bypassing general counsel.

‘The role of the CCO has only expanded,’ Husisian says. ‘The job now involves a greater number of compliance procedures, a more global view of compliance to take into account the laws of multiple countries, increased tailoring of programs to the risk profile of the corporation, and consideration of areas where compliance procedures may not be mandated by law but nonetheless require increased management of potential risk scenarios. Additionally, smaller companies have begun to implement this same function.’

Not a new role

Matthew Tanzer, chief compliance counsel at Tyco International and a compliance industry veteran, points out that, in some industries, the compliance officer’s role is not new. In the areas of healthcare, construction and utilities, complying with regulation has long been an everyday issue.

‘The responsibilities for CCOs are increasing,’ Tanzer states. ‘New areas are rapidly becoming important, like data privacy, which was once essential mainly for healthcare companies but is now applicable to nearly all businesses. Even retailers need to be concerned about data privacy – look at TJ Maxx, which recently had a huge data privacy issue. The growth in regulation is exponential, and companies doing business internationally must be especially aware of the increasing complexity and corresponding compliance risks, which are causing the role to change and increase in scope.’

Todd Hartman, CCO and associate general counsel at Best Buy, feels the rise of the CCO function marks a turning point in the way companies deal with compliance. ‘The post of CCO is evolving in a way that spans a variety of roles,’ he explains. ‘It’s evolving into an expanded function to the point where it touches upon other roles in the enterprise that were previously distinct, such as those of the corporate secretary and general counsel. It’s also playing a bigger role in managing legal risk in the enterprise.’

As the evolution continues, it is becoming obvious that the CCO is no longer just tasked with compliance but plays an integral role in managing IT services, crisis communications and the company’s overall operations. But while this may seem like a natural development, and is definitely exciting for those involved in the function, it’s not always recommended by the experts.

‘Risk management and compliance should be conducted by someone who is independent of business pressures,’ Husisian asserts. ‘Some corporations put this function with the legal department, or even with the human resources department but, in general, larger companies are increasingly of the view that compliance deserves the undivided attention of a specialist.’

Background of the role

In the wake of the Enron scandal in 2001, when the Texas-based energy company was slapped with charges for alleged corporate fraud due to weak governance and compliance practices, a new wave of regulation and legislation was swiftly enacted, including the game-changing Sarbanes-Oxley Act.

Questions about compliance surfaced once more when the Bernie Madoff scandal came to light in 2008. Many securities industry experts were troubled by the losses relating to the $50 billion Ponzi scheme associated with Madoff Investment Securities, because compliance was one of the main functions of the firm. As the scandal unraveled, it became evident that Madoff’s CCO was either complicit in the fraud or did not sufficiently fulfill his responsibilities.

‘Clearly, there was a massive breakdown of compliance in the Madoff firm – a breakdown that was particularly highlighted by the obvious failing of having compliance officers who were all Madoff family members,’ explains Fanto. As the flood of regulatory changes began sweeping across the industry, the Dodd-Frank Wall Street Reform and Consumer Protection Act went into effect last year and the SEC’s proposed new whistleblower provision resulted in even more confusion about the functions of the CCO.

‘When you create new whistleblower incentives, it hamstrings compliance officers’ ability to do their jobs properly and can potentially limit how responsive they are when a situation does crop up,’ Hartman points out. ‘I am worried that with this provision the duties of the CCO to report on and address wrongdoings internally will be seriously undermined.’

What does 2011 and beyond mean for CCOs?

As our understanding of the compliance officer’s function changes, industry observers are curious to see what will happen to these executives as the years roll by. The future doesn’t seem too bleak: in April 2010 the SEC named its first CCO as part of an ongoing effort to strengthen its internal compliance program. With the economic downturn came a significant amount of budget and employee cuts, and these have driven unethical workplace activities within the last two years. Corporate Compliance Insights reports that with the uptick in unethical behavior, CCOs should use this time to strengthen their companies’ ethics and compliance programs.

‘This area is only going to continue to grow in importance as laws regulating corporate conduct continue to become more strict and the costs of non-compliance rise,’ says Husisian. ‘The days of treating violations of the law as an unlikely source of corporate risk due to infrequent prosecution and low fines are long over – and will not be coming back.’

‘The role is now taking shape, and it will never be eliminated,’ Tanzer concludes. ‘After all, every corporation needs a CCO.’


 

Aarti Maharaj

Aarti is deputy editor at Corporate Secretary magazine