The accounting scandals in the US a few years ago and
the resulting Sarbanes-Oxley Act have intensified the pressure on
businesses to keep their books and conduct clean. With
more-stringent corporate controls, an increasing number of
companies are adding chief compliance officers to their
boards.
Compliance officers tend to have legal or financial backgrounds.
But IT directors should know about the position because they will
have frequent interaction with the person who holds the compliance
officer post.
Cheryl Wagonhurst, who joined Tenet Healthcare last year as its
chief compliance officer, includes IT representatives in the group
of about a dozen company executives who work together on compliance
initiatives.
"Our compliance is very systems-based. That's the key to making
sure that the channels of communication are open, and IT has played
a key part in developing those systems," she says. "They have
designed database systems for us and put in place other processes
that allow us to better communicate the information we need to
track."
The compliance officer job description is not new: Firms in
highly regulated industries, such as financial services and
pharmaceuticals, have employed executives to enact and enforce
compliance policies. But companies that previously distributed
compliance duties among executives in several departments now
assign those responsibilities to a dedicated executive.
"This is a division of labour. Two years ago, you wouldn't have
found many of these people anywhere," says Steve Mader, CEO of
executive search firm Christian & Timbers. "We've been
approached at least a dozen times over the last year."
Filling the position is not easy or inexpensive. Chief
compliance officers usually report directly to a company's CEO or
board and need years of expertise. For larger organisations,
salaries start at about $250,000 (£140,000) and can climb into the
high six figures, Mader says.
The job can vary widely from company to company, as businesses
tailor the position to their specific needs. At a healthcare
organisation, navigating the intricacies of the US Health Insurance
Portability and Accountability Act might be the officer's top
priority. At a company recently caught breaking laws, adding and
checking financial control mechanisms might be the first task.
Computer Associates, which is rebuilding its board after an
accounting fraud decimated its management ranks, says it is
recruiting for the newly created position.
In at least one scandal-scarred industry, having a chief
compliance officer is now compulsory. A new US Securities and
Exchange Commission rule requires mutual funds to have chief
compliance officers installed by early October.
Mortgage financier Freddie Mac recently decided to create a
chief compliance officer role. "We had historically asked a variety
of people in control functions and business functions to assume
compliance-related responsibilities," says Jerry Weiss, who took on
the position in October. "It seemed appropriate to bring all that
together."
Weiss previously spent 10 years at Merrill Lynch's fund
management division, where he ultimately served as the group's
global head of compliance.
His first priority was to assess Freddie Mac's compliance
culture and to conduct a legal and regulatory gap analysis. His
most direct day-to-day work is done with the front-line
managers of Freddie Mac's various businesses and with legal,
finance, operational risk management, and information systems and
services departments.
Weiss is collaborating with Freddie Mac's IS group to develop
web-based training on compliance and business ethics for managers.
He also has partnered with the IS team to create monitoring and
surveillance tools to ensure the company's investment securities
are traded in a manner consistent with regulatory guidelines.
"We view IS as a key partner in allowing us to first develop a
vision for our compliance programme, and ultimately implement and
execute it," Weiss says.
But not all companies have their IT and compliance strategies
aligned. A recent Meta Group report found that CIOs are rarely
involved in the final decision-making stages of developing
compliance-solution processes.
With compliance budgets rising quickly - half the companies
surveyed without a fund for compliance initiatives intend to create
one within the next 12 months - CIO involvement in planning is
particularly critical, Meta says.
Terri Curran, a long-time IT consultant, sees compliance duties
seeping into the list of tasks falling to IT strategists,
particularly at smaller organisations where executives wear
multiple hats.
Tenet Healthcare's chief privacy officer, Connie Emery, found
her career path shifting along those lines as the company's
compliance responsibilities increased.
Initially Tenet's security officer, she took on the privacy role
as regulatory requirements linked the functions. "It's hard to
separate the two. You can't have privacy without security," she
says.
Sarbanes-Oxley and other US laws have pushed Tenet to scrutinise
its entire data infrastructure. "We had to inventory all of our
systems. We have over 1,300 clinical applications," says Emery, who
collaborates with Wagonhurst's office. "Initially, the difficulty
was just in getting the inventory completed.
"Then we did risk analysis to identify areas to address. There
were some issues with access controls. We're putting corrective
action in place and making progress on our remediation plans,"
Emery adds.
As companies sort out their internal tangles and keep their
executives from running foul of new laws, expect a growing number
to install compliance officials.
Adding the position is one way for boards and CEOs, who now have
to personally sign on the dotted line to vouch for their
organisation's good corporate conduct, to assuage nightmares about
hatching the next Enron.
Stacy Cowley writes for IDG News Service