As an organization’s data is increasingly seen as a valuable business asset, it makes sense that those in charge...
of protecting it -- the chief compliance officer and the compliance department -- would see their roles expand.
The risk landscape is growing; the board is asking for more information. Who is the one person they are going to for that type of information?
Data now has huge value -- it's something that can be bought, sold and used against an organization for competitive advantage, said Jeffrey Ritter, CEO at the Ritter Academy, during a session at the Compliance Week 2012 conference in Washington, D.C., earlier this month. Because data is a property, protecting it is evolving into a significant part of business strategy.
"What we're beginning to do now, at the beginning of this century, is put in place the rules that ensure that property retains its value," Ritter said. "Information security is just part of that process. We often think of it as a technical issue, rather than thinking it's an economically significant strategy for the business."
As a result of this trend, the compliance officer’s responsibility is expanding, according to the findings of the "State of Compliance 2012," a report released by PricewaterhouseCoopers LLP (PwC) and Compliance Week during the conference. A survey of 120 senior-level compliance officers found that for every risk or regulatory issue -- anti-trust, ethics, supply chain, etc. -- the compliance department is at least partially involved.
As regulatory and business complexity grows, boards and senior executives want a single source of information about compliance and risk.
"The risk landscape is growing; the board is asking for more information," said Sally Bernstein, a PwC principal and co-leader of its ethics and compliance practice. "Who is the one person they are going to for that type of information?"
That source, increasingly, is the chief compliance officer.
The expanded compliance department role led 71% of survey respondents (up from 51% in 2011) to say they have an in-house compliance committee to identify risk and coordinate efforts that address these risks. But because compliance departments are small, they often have to get creative when it comes to risk management, said Barbara Kipp, a PwC partner and co-leader of its ethics and compliance practice.
Compliance officers usually have to identify areas of risk but leverage other resources in the company to alleviate that risk. As such, Kipp compared compliance officers to a primary care physician, working with several different departments and specialists to provide guidance on governance, risk and compliance (GRC) issues.
"The primary care physician in our personal lives is someone who is charged with helping our whole system, our health system, with staying healthy, but not being an expert in any one particular area," Kipp said. "They know when to call in the experts, know what tests to order."
With the compliance department's expanding role, increased importance has been placed on ensuring the effectiveness of GRC efforts. Regulators, audit committees and business partners were all cited by survey respondents as groups that want to see evidence of GRC effectiveness.
More from the Compliance Week conference
Kipp noted that compliance officers should take advantage of their increasingly valuable voice in the organization, and work with function leaders to garner metrics that might not otherwise be readily available to the compliance department.
"The key is to engage with those other leaders," Kipp said. "That's going to give compliance leaders a better sense of specific risk metrics and indicators -- both leading and lagging -- and that fills in the picture of overall effectiveness."
Staffing levels in the compliance department are further evidence of its increased importance: Nearly 80% of respondents said their departments grew at least modestly in the past year, and 25% said their compliance department grew by more than 10%. Only one-third experienced no change.
Due to the growing the number and complexity of compliance regulations, coupled with aggressive enforcement of these rules, the compliance department can expect a continued spotlight on its efforts, Kipp said. In the coming years, the involvement of compliance officers and their teams in overall business strategy will grow even more, she added.
"What we are seeing at a high level is that compliance and ethics officers are involved in a lot of areas of risk in the company, in very increased roles," Kipp said.