What’s the CIOs Role in Compliance?
post by Chris Curran on July 7, 2011How often do the Chief Compliance Officer (CCO) and Chief Information Officer (CIO) have common cause to work together?
More often than you might think.
The IT department and the technology resources and skills they contain are among those most in demand by corporate compliance officers when taking on the often enterprise-wide projects that help keep their organization’s out of legal or regulatory hot water, so says a recent survey on corporate compliance practices co-sponsored by PwC and Compliance Week.
The State of Compliance survey polled the most senior compliance executives at more than 100 companies and asked them more than two dozen questions that covered these basic topics:
- What is your role and authority in the organization?
- How does the company structure its compliance effort, from you down throughout the enterprise?
- What risks do you worry about?
- How many ― and what types of ― of resources does the company provide to the let compliance program do its job?
The survey results paint a picture that most executives are likely to find somewhat familiar and somewhat unsettling: Chief compliance officers (CCOs) still often working in the legal department worried foremost about regulatory and compliance risks, “borrowing” from other departments frequently to get the personnel expertise they need to handle tasks such as IT audits and internal investigations ― all without much clear indication of how well their compliance department succeeds at its mission.
Turns out that, after the legal, ethics, internal audit and HR functions, the IT organization and its resources are among those most frequently recruited by corporate compliance officers to help meet ongoing compliance needs and special projects. In fact, CCOs say that they rely on the support of IT up to 90% of the time.
Given the highly matrixed nature of the compliance function, effective efforts require input and guidance from many different voices in the company. So it makes logical sense that the compliance department would borrow resources from those teams to achieve its goals, rather than take the more expensive route of building its own expertise within each.
However, with such high levels of IT involvement in compliance, might it also make sense for CIOs and CCOs to explore more formal, routine ways of sharing resources than simply “making due” from project to project? Such an approach could help avoid the “accountability trap” faced by too many compliance officers who are accountable for how the organization deals with the fall-out from adherence to rules, regulations and ethical standards, but lack the reporting authority and resources to effectively ensure results.
Companies that want to stay out of the headlines, and out of court, really can’t afford to wait any longer to take this challenge seriously.
Recent data breaches and the rise in regulatory activity on the heels of the economic crisis, suggest a need for urgency. These high-profile data breaches have exposed personal information belonging to millions of customers while other security and compliance failures have upped-the-ante for effective compliance and security efforts. At the same time, an effective compliance program has now become the cornerstone of cooperation credit allowed under the U.S. Sentencing Guidelines. This has resulted in stakeholders demanding much higher transparency into how compliance risks are managed.
And survey respondents think the risks will continue ― and likely even get worse.
PwC and Compliance Week found that, over the next 18 months, CCOs anticipate significant challenges when it comes to risk. And when issues arise as a result, they expect the consequences to be severe.
When asked about several high-level categories of risk, such as compliance risk, security risk, reputational risk and others, 48 percent believed the likelihood of a compliance failure was high or very high. What’s more, 65 percent of respondents felt the impact of a compliance risk event, should it occur, would be high or very high.
Just what are you or your CIO doing to respond?
Photo shared by Ernst Moeksis