Liability is something chief compliance officers have secretly worried about since the role was first created. They often joke, grimly, about becoming the “designated felon.” The joke may have been more prescient than intended. According to a fascinating article by Jaclyn Jaeger in Compliance Week, it seems that recent regulatory and enforcement actions have driven the monster out of the closet and into the light. In a Thomson Reuters poll cited in the article, 53 percent of the 600 compliance professionals polled think their liability is increasing.
Increasing Risk of Financial Penalties for CCOs
Compliance officers can play a role in illegal activity like anyone else and always could be held liable for those actions. But financial penalties are now being charged against chief compliance officers (CCOs) for implementing inadequate risk controls in their organizations—and potentially for the wrongdoing that occurs.
This is the secret fear made flesh. Add to that the unwelcome surprise from the financial industry, where compliance professionals in supervisor roles are being held responsible by the SEC for supervisory liability—the failure to identify and correct fraud within their area of responsibility. Such supervisory responsibility apparently may go unrecognized because it can be several levels or departments removed from the bad actor.
How CCOs Can Mitigate their Own Risk
In light of this new reality, what should a compliance officer do? The big-picture answer is what it always has been: keep doing the job and do it well. But now, CCOs need to take additional, practical steps to protect themselves.
For example, it is more important than ever for compliance officers to implement strong, effective compliance programs built on solid, current risk assessments. They also must conduct a thorough review of their programs at regular intervals, utilizing an outside third party at least every four to five years to minimize the myopia of evaluating their own work. And identified gaps must be remediated in a timely way.
Further, CCOs must share the risk and program assessment results with the board, so that the governing body is aware that appropriate controls are in place or are slated for improvement. This is another reason to ensure that the CCO has independence—or at least easy and regular access to the senior executives and the board. The company should have a clear, written escalation policy which has been agreed to in advance by senior management and the board. (For more on best practices for engaging boards, see our white paper on effective board reporting.)
Going the Extra Mile: Implementing Risk Controls and Review Processes
In her article, Jaeger suggests compliance officers take a defensive approach to their personal job practices by documenting all their decisions and having them reviewed by a third party. It is a good idea to go even further and include risk controls in the documentation and review processes.
A good defense also includes making sure discovered misconduct is appropriately addressed. The reality in many organizations is that reports of wrongdoing are either vaulted out of the compliance office to HR or management, never to be heard of again; or they are found to be substantiated and management decides to take action that is inadequate. And what about reports of misconduct made to line managers? Can a CCO be charged with supervisory liability if a manager mishandles the issue?
The new hard truth is that the compliance officer may now be held responsible for making sure that wrongdoing is appropriately handled—including ensuring that no retaliation occurs. The scope of that responsibility appears to be still expanding.
CCO Role: Courage Required
Clearly, the role of compliance officer is not for the faint of heart. Written charters and job descriptions for compliance officers may need to include a new section on liabilities in addition to the typical responsibilities and authorities, so that candidates benefit from full transparency and think carefully before taking a position. Organizations should consider making sure that the CCO role provides for support and defense in the event of an investigation or indictment. This is a standard protection shared by almost all members of the C-Suite.
Perhaps the interview process for a new CCO should also include questions about nerve. A compliance officer needs a healthy dose of courage to do the job, now more than ever. Ultimately, compliance officers must also consider the nuclear option: walking away and quitting the job if they see unacceptable misconduct or believe that they are not receiving the support, resources or access needed to ensure an effective compliance program.