Vital link: the evolution of the CCO
December 2018 | COVER STORY | BOARDROOM INTELLIGENCE
Financier Worldwide Magazine
December 2018 Issue
From relative obscurity to a place at the top table, the role of the chief compliance officer (CCO) has evolved rapidly in recent years to become a vital link in the corporate chain.
Indeed, the role’s importance has grown to such an extent that today’s CCO oversees all company policies, procedures, products and services in order to ensure compliance with increasingly complex regulatory requirements.
According to BarkerGilmore’s ‘2018 Compliance Compensation Report’, there has been a significant increase in the need for top compliance talent across all industries within the last five years, with senior executives and board members recognising how important it is for the compliance function to be integrated within their organisations as an independent entity, separate from the legal department.
John Gilmore, founding partner of BarkerGilmore LLC, considers the role of the CCO to be more critical than ever. “Not having a CCO in place suggests to regulators, customers and vendors a lack of commitment to compliance,” he says. “Compliance can be viewed as a burdensome expense until an unforeseen incident takes place. We often hear about companies searching for their first CCO after a major malefaction occurs due to a compliance breach, resulting in serious consequences.”
Further evidence of the sway attained by CCOs in recent years can be found in a 2016 report by Russell Reynolds Associates – ‘A function in transition: how the chief compliance officer role is transforming across financial services’ – which notes a “startling turnover” of CCOs over a two-year period, with 35 percent of companies surveyed having appointed a new CCO, 43 percent of these being external hires. As a result, the compliance function is now much more change-oriented and risk-savvy.
Clearly then, the responsibilities accrued by the CCO are now way beyond those of back-office, process-driven personnel. “CCOs are now executives helping to evaluate the risks and opportunities of new products and services,” says Zac Cohen, general manager at Trulioo. “CCO input influences go-to-market strategies, many of which are embedded into the customer experience – a critical element in every company’s success – and is an integral part of executive teams fostering ethics and compliance.”
However, it has been said that with great power comes great responsibility and the CCO is now very much in the firing line should things go wrong. There have been numerous examples in recent years of officers fined, suspended or compelled to leave a position on account of a compliance breach.
Ranking and reports
Given their evolution and ascent to distinction, where CCOs now rank within the corporate structure and to whom they report are matters which certainly warrant examination.
“The CCO has moved from being a head of a sub-division of the legal team to the C-suite,” observes Samuel Haskins, regulatory expert at PA Consulting. “The role has become increasingly critical in responding to regulatory change and the shift from supervision to an emphasis on culture and judgement-based decisions. The CCO now has to not only develop robust compliance programmes, but also stay ahead of the curve and anticipate new requirements.”
While the clamour to have a CCO on board is generally viewed as a fairly recent trend, there are many who feel that compliance should have always been top of the agenda. “There are many examples over the years of the decline of businesses due to a compliance breach,” says Jennifer O’Connell, head of European legal, regulatory and compliance practice at Russell Reynolds Associates. “However, compliance is a relatively new focus for many organisations, with some still without an independent compliance function. In such instances, compliance is typically covered by the legal function.”
Here, perhaps, lies the crux of the matter. Changes to global regulation following the financial crisis and external factors such as cyber attacks have increased the internal and external profile of compliance to such an extent that it is now readily accepted for compliance to run separate from legal, with the CCO reporting to the chief executive or directly to the board.
“Although some companies still have general counsel serving as CCO or have the CCO reporting to the general counsel, there is increasing acceptance for a new reporting structure which sends a clear signal, internally and externally, that the tone at the top is committed to ethics and compliance,” says Mr Gilmore.
With the elevation of the role and its responsibilities now largely entrenched, an obvious question to ask is how the modus operandi of today’s CCO can be best aligned with an organisation’s operational requirements, particularly in entities with long-established corporate structures.
“The best CCOs balance their independence with business collaboration to identify and respond to emerging compliance risks,” observes Mr Haskins. “The industry has moved to a much more enterprise-wide approach to compliance – making it the responsibility of all rather than a siloed, prevention function. However, this transformation is not complete and there are big differences in approach in different sectors and industries.”
Helping to accelerate this transformation, says Mr Haskins, is the introduction of the UK’s Senior Managers and Certification Regime (SM&CR) which, he believes, “should help reinforce the importance of compliance, as well as provide welcome clarity around each senior manager’s role and responsibilities for overseeing it”.
For many practitioners, compliance, if used and structured properly, should be viewed as a competitive advantage and a business enabler. “This requires a high-quality compliance function able to deliver on that and educate the wider organisation,” says Ms O’Connell. “While this should be a matter that is foremost in senior managers’ and the board’s minds, it must also be a topic that is accessible to and understood by everyone in the organisation. This is where many CCOs and organisations fail.”
Indeed, failure to achieve an organisation-wide understanding of why compliance is a business enabler is a common reason why compliance practitioners throw in the towel and seek new opportunities – a scenario often compounded by a lack of resource commitment from the top, if not a forced reduction in the compliance budget.
“When a CCO’s plan for compliance cannot be fully executed due to a lack of funding, they feel vulnerable to potential breaches and the legal and reputational risks associated with these breaches,” explains Mr Gilmore. “If a CCO has a lack of confidence in the strength of the compliance programme, it is time to find something new. Many times, the lack of funding for compliance is a result of a lack of understanding of the mechanics necessary to operate the most effective compliance programme.”
Although there has been a rapid escalation of responsibilities pertaining to the role in recent years, regulatory compliance remains the raison d’être of the CCO. “Compliance is a wide ranging and highly complex topic, with the potential to bring down organisations if they get it wrong,” acknowledges Ms O’Connell. “While the focus on the CCO role predominantly started with financial institutions, the reality is that this is a topic that all businesses need to take seriously.
“Expecting existing legal or risk functions to pick up responsibility for building and running an effective compliance function is a risky approach,” she continues. “That said, it is essential that all functions work closely together to ensure there is appropriate assessment and mitigation of risk. There needs to be a relationship of both independence and codependence.”
Certainly, whether led by a CCO or chief risk officer (CRO), a strong relationship between compliance and risk is an important dynamic given the resource-intensive and risk-based nature of compliance programmes.
“For firms without a CCO, increased regulatory scrutiny has often fallen to the general counsel or the CRO,” says Mr Haskins. “With a wide variety of compliance risk areas that are growing in complexity, CCOs must be able to prioritise compliance activity based on a clear understanding of what risks have the biggest impact. CCOs can benefit from the expertise of CROs to help them manage these risks. They should also use the existing enterprise risk management process to ensure compliance concerns are being escalated to senior management, and that resources are allocated to address them before they can become systemic problems.”
Breach and responsibility
While there is no shortage of examples of CCOs being hung out to dry following a compliance breach, the vexed question of the extent of personal responsibility remains. For some, the CCO role is largely a device, a convenience when apportioning blame in the event of non-compliance and penalties.
“The question of culpability should depend on the nature of the compliance breach and what caused it,” says Ms O’Connell. “The SM&CR has sought to place a greater burden and potential culpability on individuals, but breaches are rarely as black and white as the regime implies. It is also important to think about the impact the SM&CR and automatic assumptions of responsibility have on hiring, as individuals are becoming less keen on taking on such roles and companies often have to pay significant sums for top talent, which can feel unnecessary when there is no obvious burning platform.”
Of course, there will undoubtedly be occasions when a breach of compliance is the result of a lacklustre compliance programme or a neglect of new regulations. However, pointing the finger at the CCO is not always appropriate. “When a sound compliance programme is in place and a malicious employee steps out of bounds, it is unfair to place blame on the CCO,” believes Mr Gilmore. “In either case, it is the reputation of the CCO that takes a hit.”
That said, it should be noted that the CCO tends not to be paraded as a public scapegoat in the event of non-compliance. Instead, companies can and often do take the opportunity to refresh their personnel in the wake of a breach. “When a breach happens they usually want to hire a well-known and respected ‘name’ in the space in order to send a message to the market,” suggests Ms O’Connell. “A top quality CCO will then expect to see genuine buy-in from the board and the executive committee around the topic of compliance.”
So, while the CCO is the one responsible for designing the compliance programmes and control frameworks that enable a firm to comply with relevant laws and regulations, in order to avoid non-compliance penalties being centred on one individual, i.e., the CCO, the wisdom is that compliance needs to be a shared corporate responsibility.
“An effective compliance programme must start at the top, with the company’s senior leadership instilling a culture of compliance that encourages everyone to take breaches seriously,” asserts Mr Haskins. “CCOs can face serious consequences for deficiencies in compliance programmes. However, regulators are unlikely to bring enforcement action against CCOs who can demonstrate they did their jobs competently, diligently and in good faith, to protect consumers.”
In the years ahead, when regulatory complexity may have spiralled, compliance practitioners may well look back in disbelief to a time when the presence of a CCO was considered anything but a crucial appointment within the corporate structure.
“The CCO should be an essential role within any business,” believes Ms O’Connell. “Its importance is only likely to increase and in time the candidate pool will deepen as the approach businesses take diversifies, allowing them to make subjective risk-based assessments and be less constrained by existing practices. This will require bold and courageous CCOs.”
In the view of Mr Haskins, the mandate of the CCO will continue to broaden to encompass issues such as conduct and culture. “Historically, compliance functions’ primary focus has been to define the rules and framework to meet the requirements of relevant laws and regulations,” he says. “However, business practices are also facing increasing scrutiny from external stakeholders. Those with questionable business practices but without a strong culture can soon find themselves facing potential reputational damage. What is needed is a move away from the setting of ‘rules’ to the provision of ethical business practices and principles.”
That said, whether a standalone CCO should be solely responsible for communicating this message across the breadth of an organisation or is a task best shared is dependent on a number of interlinking factors, including the sector in which the organisation operates, its size, the extent of its geographical operations and its inherent complexity, among other considerations.
Undoubtedly, the role of the CCO will continue to evolve. Now viewed as virtually essential, today the CCO function truly has its feet under the top table, as a business driver and key decision maker.