Chief compliance officer
In an increasingly regulated world where laws cover a widening range of public and private entities, complying with overlapping regulations is a challenge. The good news is that tackling compliance—particularly when regulations share common goals—can be made easier by charging a Corporate Compliance Officer (CCO) with oversight responsibility. The CCO is the focal point for regulatory compliance. It is that person's job to learn what is expected of the organization and ensure that appropriate steps are taken to comply with regulations. This is akin to legal counsel and risk management roles, since the CCO helps the organization avoid legal risks associated with failure to comply.
The CCO may develop a structure over discrete programs such as an information security program, a privacy program, and a financial controls program. Similar to an internal audit function, the CCO needs to ensure that those programs are effective by establishing compliance oversight processes. Through those processes, the CCO periodically evaluates the effectiveness of the underlying programs.
Compliance comprises administrative, physical, and technical processes including policies, procedures, documented roles and responsibilities, training, technical tools, and physical controls. The intent of the resulting ongoing processes is to demonstrate compliance with relevant regulations. Typically, someone other than the CCO develops these processes. The CCO may report to the CSO or CISO, and key responsibilities will most often include those listed below.
- Staying current with new and updated regulations. These may include state and federal laws, as well as industry-based accreditation requirements.
- Developing and maintaining a repository of regulations and the organization's compliance status. This provides a quick snapshot and a valuable reference document. When new regulations emerge, this tool can identify any overlap with preexisting regulations.
- Understanding how each regulation affects the organization and explaining the impact of non-compliance to leadership.
- Developing cooperative relationships with those charged with implementation, such as the ISO and the Privacy Officer.
- Developing documented and repeatable evaluation processes to verify that underlying controls are adequate to meet requirements.
- Periodically performing evaluations and reporting outcomes to senior management.
- Developing processes for the workforce to report non-compliance issues to the CCO and how the CCO will respond to those issues.
- Reporting compliance deficits and lapses to senior management and ensuring they are remedied.