A Chief Compliance Officer’s Role in Risk Management

It is vital for any company to be able to utilize the compliance function to effectively and efficiently manage risks associated with meeting stakeholder expectations. This can prove to be a difficult task, especially when the chief compliance officer (CCO) is not viewed as an organizational leader, not focused on the right risks, and/or not utilizing the proper technology to gather relevant data. In Focus: 2015 Compliance Trends Survey, administered jointly by Deloitte and Compliance Week, identifies commonalities among companies in various industries to help identify strengths and weaknesses of corporate America’s compliance functions. The results of the survey are broadly organized into four categories: availability of resources, responsibilities of the compliance function, specific compliance risks, and the use of information technology.

Authority and Resources Within The Organization

Despite the variety of corporate structures and organizations, the compliance function is now more fully developed and authoritative than in previous years. In the survey, just over half of the 364 responses indicated that CCOs report directly to either the chief executive officer (CEO) or the board. With companies becoming progressively more dependent on the CCO, the number of those reporting to the CEO is expected to grow. The CCO position is also being transformed into a stand-alone position separate from other functions: 59% of respondents said their position is not combined with any other role. This indicates that the compliance function has become more demanding in scale and scope, requiring a full-time individual.

In the aggregate, the results of the survey suggest that CCOs are being included in high-level management discussions about the company’s strategy and culture. Around 50% of the executives are now being invited to participate in management meetings, a significant increase from only 37% in 2014. However, despite being recognized as an integral part of the company by executive management, it is unclear whether the CCO role is seen as authoritative throughout the entire organization. This concern is fueled by the fact that only 43% of respondents have compliance officers within the organization, and of this 43%, fewer than half report directly to the CCO. This deep divide could pose an issue for CCOs who strive to develop a more transparent and resilient organization.

Another issue that CCOs face is a lack of resources to allow them to achieve their compliance goals. The survey shows that, even in large organizations (those with $5 billion or more in annual revenue), there are relatively small compliance teams with fewer than five employees dedicated to the compliance mission. Over 40% of respondents reported having a total budget of $1 million or less. With this strain on resources, it is important for a CCO to actively work with other departments in the organization, such as human resources, legal and internal audit, in order to achieve the compliance goals. However, this cross-functional integration is dependent upon whether the CCO’s peers view the CCO as someone with authority and importance. In smaller organizations, predictably, there are even fewer resources available. With smaller budgets and even smaller teams, it is unlikely that a smaller organization will even have a designated CCO. However, a notable trend shows that budgets are likely to increase for smaller companies over the next couple of years when compared to larger organizations.

The study also found that industries vary in terms of compliance dedication. Unsurprisingly, the financial services industry exceeds other industries, beginning with increased budgets and larger compliance teams. A total of 73% of companies in the financial services industry had a stand-alone CCO, who often sits in on executive committee meetings. Subsidiary compliance officers were even found to report directly to the CCO more often than officers in other industries.

Risk Assessment and Responsibilities

In the 2015 survey, CCOs reported their top three responsibilities to be the same as last year: compliance training, code of conduct, and the whistleblower hotline. Similarly, the bottom three responsibilities were also ranked the same as last year. The responsibilities deemed to be of least importance to a CCO include regulatory relationship management, records management, and culture assessment. When something as important as culture assessment ranks at the bottom of a CCO’s responsibilities, a concern arises: if not the CCO, who is actually responsible for establishing and monitoring corporate culture? Culture is an important determinant of how well risks are assessed within a compliance program. Assessment of culture can be a responsibility of human resources or compliance, but more often than not, it is not clear to whom the job actually belongs. When a responsibility as important as this does not belong to any one person, it is likely that failures or faults occur. Regardless of ownership, culture should be assessed sufficiently to prevent jeopardizing the CCO’s other priorities.

In addition to the top three responsibilities reported, 80% of all respondents perform an enterprise-wide compliance risk assessment. This job consists of assessments split equally in three ways: a stand-alone process, as part of internal audit’s assessment, and as part of a general enterprise risk assessment. It is important for CCOs to perform risk assessment because the effectiveness and efficiency of an organization’s compliance efforts are dependent upon the quality of the risk assessment process. When this process is in place, the priorities in compliance monitoring and testing will be identified. Of course, even with an effective monitoring process, a company always faces risks in working with third parties, such as outsourcing a compliance function. To mitigate the effect of third-party compliance risks, CCOs perform background checks, require training and certifications, and audit their compliance efforts against policies or regulations.

Information Technology and Compliance 

According to the survey, 58% of all CCOs are confident or very confident that they have the proper metrics in place to gauge how effectively their compliance program is operating. However, 59% are only somewhat confident or not confident at all that the IT systems used in the compliance function can fulfill the CCO’s reporting tasks and responsibilities. One cause for this gap involves the increasingly large amounts of data required for a CCO to effectively perform their job, yet the data is not easily accessed. This data is often difficult to obtain because it comes from various, incongruent parts of the organization; this copious amount of data then needs to be gathered and reconciled by the CCO. 

Another source of a lack of confidence relates to the lack of resources that an organization may face. Smaller teams and smaller budgets often make it difficult for compliance departments to invest in the technology they need to maintain adequate compliance monitoring. Interestingly, smaller organizations reported having more confidence in their IT systems than larger organizations. While this may seem counterintuitive, it is important to note that smaller businesses are often able to easily manage risks centrally due to the size of the enterprise in comparison to larger firms.

However, growth in a company’s IT system may need to occur without an increase in budget. To move forward, CCOs may need to work on developing internal relationships with chief information officers to better understand what tools the company already possesses. The CCO can then leverage the existing tools and relationships to better assess the compliance function.

Though the survey indicates that a CCO position is becoming increasingly high profile, there are still challenges that each compliance function faces. Technology issues and shortcomings could cause setbacks in the compliance efforts within an organization. However, with a strong alignment with executive management and increased awareness of key risks, a CCO can make great strides toward an improved compliance function and contribute to the corporation’s growth and value creation efforts.

Original Article Source: “In Focus: 2015 Compliance Trends Survey” Deloitte and Compliance Week, October 2015