Last week I spoke with a mid-career compliance professional, someone with 15 years’ experience, first as an auditor and then in compliance and monitoring. This person’s LinkedIn profile had a collection of employer names and work assignments as impressive as any other.
We were chatting about career prospects, and then this person asked The Question.
“Do you think I need to be a lawyer to be a chief compliance officer?”
Oh boy. That question again.
Suffice to say I hear it often, and the question always frustrates me because the short answer is, “Usually, yes.”
The thoughtful answer, however, is something quite different. That answer says a lot about where risk and compliance is going as a field — and about how Corporate America hasn’t quite grasped that point yet.
Let’s start with the short answer. Yes, usually large companies will insist that their chief compliance officer have a law degree and experience as a lawyer. Many companies still have their general counsel serve as CCO as well, or the CCO reports to the chief legal officer. Recruiters, and people I know who are trying to advance in the profession, have told me: “It’s incredibly hard to advance far in this field if you’re not a lawyer.”
The origins of that attitude are easy to identify. For decades corporations worried foremost about regulatory compliance: Is anything that we’re doing against law or regulation? If so, amend our operations so we’re not violating those rules, and then we can get on with business as usual.
That’s a lawyer’s job: reviewing business processes to ensure no actions the company takes break the law or increase legal liability risk. A person can’t do that work well unless he or she understands regulatory law. So in that world, of course senior executives in charge of whole compliance functions should be lawyers.
New Risks, New Skills
Today’s most pressing compliance challenges, however, are all about monitoring operations — usually at a scale far larger than anything corporations have had to address before. It’s a much larger assignment than “mere” regulatory compliance — and one that lawyers aren’t typically trained to do.
For example, everyone would agree that one formidable compliance challenge today is oversight of third-party risk. But how important is that “third” part to the overall risk, really?
In many ways, the true need is effective monitoring of parties, whether they are second parties (that is, employees), third parties, fourth parties, or any other parties along your extended enterprise. Whether the risk is data security, suspicious payments, supply chain vulnerability, or some other issue, boards and senior executives really want assurance that the whole operation works properly.
Well, that’s something auditors and risk assurance professionals do. It’s not something lawyers do.
Let’s pick on cybersecurity a bit more. Yes, cybersecurity is a pressing issue for corporate boards. Companies need to know cybersecurity law to address it, and companies need lawyers who understand what the law is.
Still, the board’s foremost fear is a breach, and you prevent breaches with strong, effective processes to govern how data is used. Lawyers might offer valuable advice on what those processes should achieve, but they have much less to say on how those processes achieve it, or how to monitor the processes for assurance about how well they’re working.
So suddenly, my friend’s experience in auditing and monitoring seems much more useful for the compliance battles to come. The ability to analyze risks, and especially the ability to design testing and monitoring procedures to govern risk, are going to be crucial. (I explored how this relates to the internal audit profession, too, in a recent podcast series with my colleague Tom Fox.)
Will they become more crucial for running a compliance function than a law school diploma and an active bar association membership? I don’t know — but that in itself is telling, because once upon a time, it was never even a question worth asking.