The Chief Compliance Officer’s (CCO) roles and responsibilities at organizations are broad and far-reaching. These responsibilities require the CCO both to drive a culture of ethics and compliance and to monitor ethics and compliance activities across the organization. On top of this already daunting task, additional expectations continue to be placed on the CCO, who is constantly asked to dive deeper into the overall effectiveness of the organization’s compliance programs. In the coming series of blog posts, I will be examining the CCO’s oversight role and how GRC technology solutions are being utilized to support this responsibility.
The Federal Sentencing Guidelines place the responsibility for ethics and compliance oversight on the governing authority (i.e., the Board of Directors), which in turn relies directly on the CCO to be the conduit between the organization and the Board. Typically, this includes the CCO providing periodic reports to the Board regarding the state of the ethics and compliance programs, covering key compliance risks and ethics metrics (e.g., hotline calls, investigations, substantiation rates, etc.). Ethics reporting has long been established as a standard set of metrics most CCOs are able to provide to the Board. However, in recent years, CCOs are being pushed to provide greater detail and visibility regarding broader compliance activities in the organization, many of which do not report directly to the CCO. As a result, the CCO is left to develop methods to collect information and cobble together reports on compliance effectiveness from across the organization. These reports are typically inconsistent and do not provide a true understanding of the organization’s compliance posture. In the ideal state, a CCO would have visibility across the organization into the effectiveness and maturity of its various compliance programs, through standardized reporting techniques that produce reliable information that can be shared with the Board.
Challenges in Enterprise Compliance Oversight
At most organizations, compliance programs have grown organically over several years as new compliance risks are identified. Typically, a program is created to manage the compliance risk inside a single business unit, and operations continue with little thought given to integration with other parts of the business. New CCOs stepping into the oversight role are faced with the task of identifying all the compliance risks across the organization and determining what compliance programs or processes exist to mitigate those risks. It is a daunting task, and even once the data is collected, it does not provide a method to clearly report on the effectiveness of the compliance programs. Additionally, each compliance program operates independently, utilizing different terminology, processes, and reporting structures. Thus, any attempt to create standardized reports for the Board results in anecdotal statements regarding compliance effectiveness or program maturity.
The CCO GRC Vision
Enterprise Governance, Risk, & Compliance (eGRC) technology solutions continue to grow in popularity among risk & compliance professionals for their ability to automate processes and provide real-time reporting. However, the CCO’s need for standardized compliance oversight is often overlooked. The primary vision of a GRC program intended for use by the CCO should be to support the CCO’s compliance oversight role at the organization. Accordingly, an eGRC technology solution should be used to aggregate compliance & risk data from across the organization, providing the CCO with reasonable assurance that the organization’s compliance programs are operating effectively.
Unfortunately, at the time of purchase, most eGRC technology solutions are sold on their ability to automate or increase the efficiency of individual risk & compliance processes, with only a brief acknowledgment that the solution will provide leadership with better “visibility.” Under this scenario, organizations typically experience efficiency improvements in the individual processes, but the CCO is left with reports that ultimately do not provide the desired enterprise-wide visibility.
At Cential, we advocate that a GRC vision statement be developed at the start of an enterprise implementation, one that focuses on the CCO’s oversight role while still addressing the individual business needs to automate manual processes. By establishing the vision early in the implementation lifecycle, future requirements and design decisions can be traced back to the overall vision for alignment and prioritization.
In coming blog posts, I will continue to discuss the role of GRC through the lens of a Chief Compliance Officer, diving deeper into topics such as “why GRC solutions have failed to meet the CCO’s needs,” “risk-based approaches to compliance oversight,” “what is reasonable assurance for CCOs,” and “how to accommodate program variations in a GRC solution.”
Want to share your Chief Compliance Officer (CCO) experience? Contact us.