The Case for Having a Chief Compliance Officer

Compliance Officer Day is on September 26th, and it’s a celebration of all the hard work that compliance officers do for their organizations. This day of recognition was established to show appreciation for the people who take responsibility for helping organizations adhere to their values and for preventing unethical behavior. Should your company have a compliance officer? Should your compliance officer be a senior executive or have a seat on the executive team? There are clearly pros and cons, so let’s explore the question.

Do You Need a CCO?

Today, more so than ever, companies are required to comply with an increasing number of regulations and reporting requirements. There are significant penalties for non-compliance, both in terms of reputation and fines, and since rules often stem from both federal and state governments, staying on top of and adapting to changes can be challenging.

Often, trusted advisors such as outside counsel and accounting firms can provide guidance. Depending on the size of your organization, your internal legal, finance and HR teams may have insight into specifics that apply to their functional areas. But these all tend to be narrower views, and simply being aware of the compliance thresholds is not the same as developing systematic processes that will help your company avoid unnecessary risks and mitigate potential exposure.

A compliance officer position goes beyond simply managing risk for the company. It also makes the business more agile in assessing potential risks and proactively managing potential problems through comprehensive processes. Below are just a few of the responsibilities that could be assigned to a CCO:

  • Staying up-to-date and informed on the latest laws and regulations, as well as any changes.
  • Providing guidance to upper management and the organization as a whole on compliance programs and the state of adherence.
  • Developing and overseeing the implementation of an effective compliance program including monitoring and reporting of progress and gaps.
  • Ensuring that all team members are properly educated and trained on the pertinent federal and state standards and that records of this training are accessible should they be needed to respond to a compliance audit or incident.
  • Coordinating periodic compliance reviews throughout the organization to assess new risks and adapt to changes in the statutory requirements.

Let’s take a look at a specific compliance category that is often overlooked. Without a CCO, responsibility for duties such as records and information compliance often gets assigned to people without a background in risk management. Because they may not fully understand the systems and regulations required to remain compliant, your organization could end up with one or more costly lawsuits or fines on its hands. This could stem from not having the records needed to support an audit, or conversely, from having documents on hand that should have been destroyed and which demonstrate some lack of compliance or liability that would not have been discoverable had a document retention plan been properly enforced.

A Records and Information Management (RIM) team could act as the guide for compliance practices that allow your organization to stay on top of records and information management. They could, and should, collaborate with department leaders from across the organization to ensure that the company’s information is protected and properly governed. But the old saying “if multiple people are in charge, then no one is in charge” would apply. Having a compliance or risk officer who is ultimately responsible for driving compliance with the company’s document lifecycle management plan would clearly help manage this specific type of risk.

Managing Risk Beyond Statutes

Continuing with our example, broader principles such as information governance (IG) may be directly or indirectly linked to a CCO’s scope of responsibility and encompass the records and information management framework noted above. IG may be straightforward in instances where it is well known how long you should keep a corporate tax return or personnel file; in other instances, however, it is not always so clear. Who at your company determines whether you need to keep text or instant messages, and for how long should they be retained? What about social media posts made on behalf of your company? A proactive approach to both IG and compliance is needed, especially in more highly regulated industries, and having a clearly identified person or persons focused on IG and compliance would protect you and the company from risks you may not have even considered.

Compliance Is a Journey in an Ever-Changing Landscape

The example discussed is one of a large set of issues that companies face, and each is more complex and intricate than most people understand or acknowledge. Having a compliance officer, or someone focused on managing risk and ensuring behaviors support the company’s risk profile, is an important piece of the puzzle.

Outside partners can help as well. When you partner with a Records and Information Management (RIM) provider such as Access, you can streamline your compliance efforts while getting the support you need. A RIM partner can help implement a standardized IG strategy and security plan that manages compliance throughout the entire organization. This broad oversight may not fully replace a CCO but can address the point solution for records management and information governance as it pertains to documents and retention strategies.

This Compliance Officer Day, look intently at your organization’s approach to compliance and consider how you are managing your risk exposure. If you aren’t sure you have the right processes and solutions in place to systematically address the multitude of regulatory requirements you face, then it may be time to consider creating a compliance officer position in the coming budget year.