On this blog, we often talk about how compliance programs work, or how compliance officers can succeed in running them. However, today we’re going to be a bit more existential. What is a compliance officer, exactly? Why does a company need one?
The question is worth exploring because interest around the topic has increased. A quick search on Google Trends revealed that the phrase “compliance officer” has steadily become a more common search term, roughly twice as popular today as it was 15 years ago.
For individuals, corporate compliance can be a long and lucrative career path. For corporations, corporate compliance is a staple item on the board’s agenda—and those boards need someone who helps them manage compliance. That person is the compliance officer.
This all sounds nice in theory, but what is a compliance officer, and what does that person do?
What is a Compliance Officer: The Dictionary Definition
For a traditional definition, we could say that a compliance officer is the person responsible for assuring that the company can fulfill all its duties under whatever laws and regulations apply to the business. He or she is in charge of identifying and mitigating risk. That is, he or she assures compliance. Hence the phrase.
We should remember two specific points about that definition.
First, the compliance officer is responsible for assuring that the company can fulfill its duties—not for doing those duties directly. Typically someone else in the company must actually perform whatever those duties are. The compliance officer’s job is to assure that the policies, tools, and training to do all that work actually exist.
For example, the EU General Data Protection Regulation (GDPR) says that EU citizens have the right to view, correct, or delete any personally identifiable information your business collects about them. The compliance officer doesn’t have to handle those requests personally, or even build the tools to let EU citizens view data themselves.
The compliance officer needs to assure that the company has some mechanism to handle those requests. That might include developing procedures for how employees in customer service centers handle such requests and training employees on what those procedures are. It might also include working with IT to develop “self-service” procedures so EU citizens can find their data themselves.
Second, the compliance officer is responsible for assuring that the company can fulfill its duties—not that the company will fulfill those duties, perfectly and in every instance. The company won’t fulfill its duties perfectly. Sooner or later some employee or business partner will commit fraud or make a mistake. That’s fine. Regulators can be a forgiving bunch if they see that the company was making a good-faith effort to care about compliance.
For example, the Foreign Corrupt Practices Act (FCPA) outlaws the bribing of foreign government officials to win a business contract. Compliance officers work to assure that the company has drafted anti-bribery policies and trained employees on what those policies are. That’s part of the compliance officer’s job.
Well, an employee might ignore those policies and that training, and bribe a foreign government official anyway. But the company will be in a far better position with regulators if it can demonstrate that it tried its best to reduce the instances of FCPA violations. In that scenario, a stubbornly errant employee is the problem.
On the other hand, if a company made no effort to bother with compliance—never adopted any policies, never trained employees, never examined potentially sketchy business partners—regulators will be much more likely to decide that the company is the problem because it didn’t take compliance seriously.
That’s what a compliance officer is: the person who helps the company to take its compliance duties seriously.
The Intangible Qualities of a Compliance Officer
That’s the nuts-and-bolts definition of what a compliance officer does. Compliance officers also fill many other roles that are a bit more metaphysical in their nature. Let’s consider those, too.
Compliance officers encounter suspicious issues all the time. Some are anonymous reports, others are the results of audits, and yet more might be the product of your own gut instinct that something is amiss. Compliance officers need to investigate those questions (or parcel them out to others who can) and find answers.
The hard part isn’t understanding what a compliance officer does; it’s understanding how to administer all those duties at scale—with thousands of employees, tens of thousands of third parties, and potentially millions of transactions. Compliance officers need to use technology shrewdly to automate, and then analyze, as much of that work as possible.
Compliance officers sometimes need to make difficult decisions about what the best course of action is in complex, ambiguous circumstances. They might also need to define ethical principles for the company, so others know how to make similarly difficult decisions. That requires an ability to sit back and think about ethics, and how those values fit into your company’s everyday transactions.
Compliance officers train others. Sometimes they train employees; sometimes they train managers who train employees. Sometimes they brief the board on ethical conduct and duties required under the law. Whatever the setting, compliance officers need to be comfortable teaching others.
This is a corollary to the technologist role, above. Compliance officers also need to design business processes that employees and third parties can use to fulfill whatever compliance duties the company has—and that you’re putting upon them. If those processes are too burdensome or don’t work, employees will see compliance as an intrusion on their “real jobs,” and then you’re sunk.
Sometimes employees will come to the compliance officer with a question or concern, uncertain how to proceed. The compliance officer needs to be ready to offer advice.
Likewise, employees may come to the compliance officer to confess misconduct they’ve already done. Yes, they may be looking to unburden their soul or save their job. The compliance officer needs to hear that confession and then help employee and company alike to do the right thing.
Why Your Company Needs a Compliance Officer
The best way to answer this question might be to imagine the converse: a large company without a compliance officer.
In all likelihood, that company’s executives and employees will still want to be an ethical company. Various groups will try their best to obey the law, follow regulations, and act in an ethical manner.
But does anyone really believe that the company will succeed at the goal? The plain truth is that most companies need someone assigned to compliance because corporate compliance has become such a complex and wide-ranging endeavor.
Leaving each business department to manage its own compliance affairs is a bit like letting a group of medical specialists care for a patient without a primary care doctor to monitor the patient’s overall health. Sure, everyone means well, and you might get great treatment for specific ailments—but you won’t get any holistic sense of how healthy you are, and lord knows how much more money you end up paying for unnecessary treatments and co-pays.
Compliance without a compliance officer is a lot like that: undisciplined, scattershot, effective in some ways but ineffective in others, and expensive.
The good news is that anyone can be a compliance officer; no special license is necessary, as is the case for lawyers or public accountants. A compliance officer only needs the skills outlined above (admittedly not easy), and a desire to help the company succeed in today’s complex business environment.
Companies need compliance officers because that complex business environment is here to stay.