We’ve all heard the cliche that “The only constant is change.” Well, those words are not true—because for 15 years, compliance officers have asked me the same question over and over.
“How can I run a compliance department on a shoestring budget?”
The question is more common than you might think. Sure, we can expect it from a company just starting to build a compliance function, while the CCO and executive team assess the company’s compliance needs. But I’ve also met some very large companies with very small compliance functions: Fortune 500 businesses with a chief compliance officer and one or two assistants, overseeing thousands of employees and a wide range of compliance risks.
How is that possible? Compliance officers in that position have two challenges. First, you need to ensure that the day-to-day chores of corporate ethics and compliance get done. Second, you have to succeed as a compliance officer. The two are separate challenges.
The Crucial Issue
Compliance officers succeed with small budgets by convincing other parts of the enterprise—legal, HR, IT security, internal audit—to assist with compliance risk oversight. That means the most important factor for success is how the rest of the enterprise perceives the chief compliance officer: as someone with an important mission, who deserves cooperation and support; or someone who can be ignored.
Therefore, if you are going to fight a pitched battle over anything, fight for the compliance officer’s independence and authority; they are far more important to success than a large budget or staff. Ideally, the CCO will report to the CEO or (even better) the board—and he or she will not also have any other role.
That doesn’t happen as often as it should. According to PwC’s 2016 State of Compliance Report, which surveyed more than 800 CCOs, 36 percent reported to the general counsel, 21 percent to the CEO, and 18 percent to the board or audit committee.
What’s more, the CCO should also sit on the executive management committee, participating in strategic planning. According to Deloitte’s Compliance Trends Report for 2015 (the last study I could find that asked this question), 51 percent of compliance officers do—or did at that time.
The more independence and authority you have, the earlier you can participate in important decisions about business operations—and then you can steer the enterprise to “do business in a compliant way.” Otherwise, those business functions make decisions without considering compliance. The CCO arrives at the end of the conversation, where you either: (a) veto the idea, and earn the dreaded “department of no” reputation; or (b) go along with the idea, straining your shoestring resources all the more.
Your budget will never be large enough. Respect and authority, however, are free—so long as you secure them through competence, negotiation, and clarity. So if you fight for anything, fight for them.
The Daily Grind on a Shoestring
After securing that authority and respect, with other parts of the enterprise eager to help as they can, you still have to manage and monitor all those compliance chores. That requires two more skills: assigning compliance tasks to the proper risk owners, and cultivating effective communication channels from those risk owners back to you at compliance HQ.
GRC technology can do a lot of that—although the premise of this post is that you might not have the resources to buy that assistance. You may need to work with (gasp!) spreadsheets or other desktop technology, where cracks in risk oversight can emerge. That, in turn, means you must pay close attention to the policies and procedures for conveying information back to, or among, the second-line-of-defense functions, so those cracks don’t widen into chasms.
Shoestring budgets are never easy. But as any seven-year-old knows—once you get the hang of it, if you’re careful, shoestrings can get the job done.