Feature

Meet the latest board member: The chief compliance officer

The accounting scandals in the US a few years ago and the resulting Sarbanes-Oxley Act have intensified the pressure on businesses to keep their books and conduct clean. With more-stringent corporate controls, an increasing number of companies are adding chief compliance officers to their boards.

Compliance officers tend to have legal or financial backgrounds. But IT directors should know about the position because they will have frequent interaction with the person who holds the compliance officer post.

Cheryl Wagonhurst, who joined Tenet Healthcare last year as its chief compliance officer, includes IT representatives in the group of about a dozen company executives who work together on compliance initiatives.

"Our compliance is very systems-based. That's the key to making sure that the channels of communication are open, and IT has played a key part in developing those systems," she says. "They have designed database systems for us and put in place other processes that allow us to better communicate the information we need to track."

The compliance officer job description is not new: Firms in highly regulated industries, such as financial services and pharmaceuticals, have employed executives to enact and enforce compliance policies. But companies that previously distributed compliance duties among executives in several departments now assign those responsibilities to a dedicated executive.

"This is a division of labour. Two years ago, you wouldn't have found many of these people anywhere," says Steve Mader, CEO of executive search firm Christian & Timbers. "We've been approached at least a dozen times over the last year."

Filling the position is not easy or inexpensive. Chief compliance officers usually report directly to a company's CEO or board and need years of expertise. For larger organisations, salaries start at about $250,000 (£140,000) and can climb into the high six figures, Mader says.

The job can vary widely from company to company, as businesses tailor the position to their specific needs. At a healthcare organisation, navigating the intricacies of the US Health Insurance Portability and Accountability Act might be the officer's top priority. At a company recently caught breaking laws, adding and checking financial control mechanisms might be the first task.

Computer Associates, which is rebuilding its board after an accounting fraud decimated its management ranks, says it is recruiting for the newly created position.

In at least one scandal-scarred industry, having a chief compliance officer is now compulsory. A new US Securities and Exchange Commission rule requires mutual funds to have chief compliance officers installed by early October.

Mortgage financier Freddie Mac recently decided to create a chief compliance officer role. "We had historically asked a variety of people in control functions and business functions to assume compliance-related responsibilities," says Jerry Weiss, who took on the position in October. "It seemed appropriate to bring all that together."

Weiss previously spent 10 years at Merrill Lynch's fund management division, where he ultimately served as the group's global head of compliance.

His first priority was to assess Freddie Mac's compliance culture and to conduct a legal and regulatory gap analysis. His most direct day-to-day work is done with the front-line managers of Freddie Mac's various businesses and with the legal, finance, operational risk management, and information systems and services departments.

Weiss is collaborating with Freddie Mac's IS group to develop web-based training on compliance and business ethics for managers. He also has partnered with the IS team to create monitoring and surveillance tools to ensure the company's investment securities are traded in a manner consistent with regulatory guidelines.

"We view IS as a key partner in allowing us to first develop a vision for our compliance programme, and ultimately implement and execute it," Weiss says.

But not all companies have their IT and compliance strategies aligned. A recent Meta Group report found that CIOs are rarely involved in the final decision-making stages of developing compliance-solution processes.

With compliance budgets rising quickly - half the companies surveyed without a fund for compliance initiatives intend to create one within the next 12 months - CIO involvement in planning is particularly critical, Meta says.

Terri Curran, a long-time IT consultant, sees compliance duties seeping into the list of tasks falling to IT strategists, particularly at smaller organisations where executives wear multiple hats.

Tenet Healthcare's chief privacy officer, Connie Emery, found her career path shifting along those lines as the company's compliance responsibilities increased.

Initially Tenet's security officer, she took on the privacy role as regulatory requirements linked the functions. "It's hard to separate the two. You can't have privacy without security," she says.

Sarbanes-Oxley and other US laws have pushed Tenet to scrutinise its entire data infrastructure. "We had to inventory all of our systems. We have over 1,300 clinical applications," says Emery, who collaborates with Wagonhurst's office. "Initially, the difficulty was just in getting the inventory completed.

"Then we did risk analysis to identify areas to address. There were some issues with access controls. We're putting corrective action in place and making progress on our remediation plans," Emery adds.

As companies sort out their internal tangles and keep their executives from running foul of new laws, expect a growing number to install compliance officials.

Adding the position is one way for boards and CEOs, who now have to personally sign on the dotted line to vouch for their organisation's good corporate conduct, to assuage nightmares about hatching the next Enron.

Stacy Cowley writes for IDG News Service



This was first published in September 2004

 
