The wave of accounting scandals that swept through corporate America a few years ago and the resulting Sarbanes-Oxley Act have intensified the pressure on businesses to keep their books and conduct clean. As companies work to develop more stringent corporate controls, an increasing number of them are adding chief compliance officers to their executive suite.
Compliance officers tend to have legal or financial backgrounds and rarely come from IT. But IT directors should know about the position because in many cases they’ll have frequent interaction with the person who holds the compliance officer post.
Cheryl Wagonhurst, who joined Tenet Healthcare Corp. in Santa Barbara, Calif., last year as its chief compliance officer, includes IT representatives in the group of about a dozen company executives who work together on compliance initiatives.
“Our compliance is very systems-based. That’s the key to making sure that the channels of communication are open, and IT has played a key part of developing those systems,” she said. “They’ve designed database systems for us and put in place other processes that allow us to better communicate the information we need to track.”
The compliance officer job description isn’t entirely new: Firms in heavily regulated industries, including financial services and pharmaceuticals, have long needed executives to enact and enforce compliance policies. But companies that previously distributed compliance duties among executives in several departments now assign those responsibilities to a dedicated executive.
“This is a division of labour. Two years ago, you wouldn’t have found many of these people anywhere,” said Steve Mader, CEO of executive search firm Christian & Timbers in Boston. “We’ve been approached at least a dozen times over the last year.”
Filling the position isn’t easy or inexpensive. Chief compliance officers usually report directly to a company’s CEO or board and need years of expertise. For larger organizations, salaries start at about US$250,000 and can climb into the high six figures, Mader said. Candidates tend to come from financial or legal backgrounds.
The job can vary widely from company to company, as businesses tailor the position to their specific needs. At a health care organization, navigating the intricacies of the Health Insurance Portability and Accountability Act (HIPAA) might be the officer’s top priority. At a company recently caught breaking laws, adding and checking financial control mechanisms might be the first task.
Computer Associates, which is rebuilding after an accounting fraud decimated its management ranks, said it is recruiting for the newly created position. And in at least one scandal-scarred industry, having a chief compliance officer is now compulsory. A new U.S. Securities and Exchange Commission rule requires mutual funds to have chief compliance officers installed by early October.
Mortgage financier Freddie Mac Inc. in McLean, Va., recently decided to create a chief compliance officer role. “We had historically asked a variety of people in control functions and business functions to assume compliance-related responsibilities, and it seemed appropriate to bring all that together,” said Jerry Weiss, who took on the position in October. He previously spent 10 years at Merrill Lynch & Co. Inc.’s fund management division, where he ultimately served as the group’s global head of compliance.
Weiss’ first priority was to assess Freddie Mac’s compliance culture and to conduct a legal and regulatory gap analysis. While his most direct day-to-day work is done with the front-line managers of Freddie Mac’s various businesses, his office coordinates with several other departments, including legal, finance, operational risk management, and information systems and services.
Weiss is collaborating with Freddie Mac’s IS group to develop Web-based training on compliance and business ethics for managers. He also has partnered with Freddie Mac’s IS team to create monitoring and surveillance tools to ensure the company’s investment securities are traded in a manner consistent with regulatory guidelines.
“We view IS as a key partner in allowing us to first develop a vision for our compliance program, and ultimately implement and execute it,” Weiss said.
But not all companies have their IT and compliance strategies aligned. A recent Meta Group Inc. report found that CIOs are rarely involved in the final decision-making stages of developing compliance-solution processes. With compliance budgets rising quickly — half the companies surveyed without a fund for compliance initiatives intend to create one within the next 12 months — CIO involvement in planning is particularly critical, Meta said.
Terri Curran, a long-time IT consultant, sees compliance duties seeping into the list of tasks falling to IT strategists, particularly at smaller organizations where executives wear multiple hats.
Tenet Healthcare’s chief privacy officer, Connie Emery, found her career path shifting along those lines as the company’s compliance responsibilities increased. Initially Tenet’s security officer, she took on the privacy role as regulatory requirements such as HIPAA linked the functions. “It’s hard to separate the two. You can’t have privacy without security,” she said.
HIPAA, Sarbanes-Oxley and a California data-security law known as SB 1386 have pushed Tenet to scrutinize its entire data infrastructure. “We had to inventory all of our systems. We have over 1,300 clinical applications. Initially, the difficulty was just in getting the inventory completed,” said Emery, who collaborates with Wagonhurst’s office. “Then we did risk analysis to identify areas to address. There were some issues with access controls. We’re putting corrective action in place and making progress on our remediation plans.”
As companies sort out their internal tangles and keep their executives from running afoul of new laws, expect a growing number to install compliance officials. Adding the position is one way for boards and CEOs, who now have to personally sign on the dotted line to vouch for their organization’s good corporate conduct, to assuage nightmares about hatching the next Enron.