Turn the clock back a decade and compliance was a term limited to select industries, such as finance and pharmaceuticals. Now, every business, large and small, must deal with various compliance regulations.
“Even a one-person company selling T-shirts encounters compliance issues,” said John Bace, research vice president at market research firm Gartner Inc., based in Stamford, Conn.
As compliance regulations have increased in breadth and depth, companies have struggled to fine-tune their organizational structures so they can adequately address these new challenges. Hence, one finds compliance functions stationed in a variety of business units, reporting to a hodgepodge of executives, and run in very different ways. Companies may want to put themselves in position to comply with various regulations, but no blueprint is available to help them reach that goal.
In the past decade, the government and various industry groups have been playing leapfrog with unscrupulous management teams. The different groups have put rules in place to limit abuse and protect shareholders. As executives find ways to skirt the rules, more regulations are developed.
Consequently, compliance regulations have become broader and more all-encompassing. For instance, the Dodd-Frank Wall Street Reform and Consumer Protection Act, which became law in 2010, has six times as many pages as the Sarbanes-Oxley Act. While the Dodd-Frank act stemmed from improprieties in the financial services sector, it applies to all publicly traded companies.
To deal with the additional complexity in conforming to such regulations, a growing number of companies now have an employee whose title is chief compliance officer. In fact, Gartner found that 41% of corporations had such a person in 2010.
“We have been seeing an increase of about 10% to 15% per year in the number of companies adding chief compliance officers to the executive team,” Bace said.
The rate tends to vary by industry. In markets like pharmaceuticals and financial services, government oversight has been long-standing so most of these companies have such individuals. But in an industry such as the media, the title is not as common.
Yet chances are that not even two compliance officers in the same industry have the same functions. Oftentimes, it seems as if companies have been forcing the title into their organizations whether they have qualified personnel or not.
“In about half of the cases, the title chief compliance officer is one of two (or more) on a person’s business card,” said Brian Barnier, a principal at ValueBridge Advisors and a member of the Information Systems Audit and Control Association (ISACA), which was founded in 1969 to develop auditing controls for computer systems.
The dichotomy illustrates the uncertainties that companies face as they try to incorporate compliance functions into their organization. Currently, there is no clear location for housing the responsibility. ISACA found that chief compliance officers often report to one of three areas: the CEO (44%), legal (30%) and the CFO (14%). However, more than 10% find themselves being rolled up into other departments.
The problem is that, due to the growing number of complex regulations, compliance has become a horizontal rather than a vertical responsibility. Compliance regulations now touch upon many departments: financial, IT, legal, testing and manufacturing.
Consequently, a company’s compliance officer needs myriad skills. Most managers’ experience has been limited to a select area, so how can companies find suitable compliance officers?
“In some cases, companies are sending their IT managers back to school to get a law degree,” said Gartner’s Bace.
But there are challenges in having a jack-of-all-trades compliance officer. Even after attending law school, the individual’s understanding of various legal issues may be superficial rather than deep.
“Many chief compliance officers are lawyers -- most of whom have zero experience with IT and information security,” said Kevin Beaver, information security consultant at Principle Logic LLC. “So the position looks good on paper, but I'm not sure what value people without any IT knowledge can bring to the table.”
In response to such shortfalls, some companies have begun forming compliance committees. Here, the IT manager, auditing executives and legal professionals find themselves grouped together as members of a central corporate compliance body.
There are potential benefits to making such changes.
“The compliance guidelines needed for Sarbanes-Oxley are similar to [those for] the Dodd-Frank act,” said ValueBridge’s Barnier. “Rather than duplicating efforts, companies can consolidate those compliance functions and reduce their operating costs.”
However, work remains before corporations will reap such benefits. Many of these committees are new and their roles, responsibilities and jurisdiction are often unclear. So when it comes to properly rewriting the business’s organization chart to build a compliant organization, corporations find themselves with more questions than answers.
Paul Korzeniowski is a freelance writer who has been covering technology issues for two decades. He is based in Sudbury, Mass., and can be reached at firstname.lastname@example.org.
This was first published in March 2011