Executive enforcers

News Analysis
Sep 06, 2004 | 7 min read
Enterprise Applications | Regulation

Chief compliance officers ensure corporations toe the line.

The wave of accounting scandals that swept through corporate America a few years ago and the resulting Sarbanes-Oxley Act have intensified the pressure on businesses to keep their books and conduct clean. As companies work to develop more-stringent corporate controls, an increasing number of them are adding chief compliance officers to their executive suite.

Compliance officers tend to have legal or financial backgrounds and rarely come from IT. But IT directors should know about the position because in many cases they’ll have frequent interaction with the person who holds the compliance officer post.

Cheryl Wagonhurst, who joined Tenet Healthcare in Santa Barbara, Calif., last year as its chief compliance officer, includes IT representatives in the group of about a dozen company executives who work together on compliance initiatives.

“Our compliance is very systems-based. That’s the key to making sure that the channels of communication are open, and IT has played a key part of developing those systems,” she says. “They’ve designed database systems for us and put in place other processes that allow us to better communicate the information we need to track.”

The compliance officer job description isn’t entirely new: Firms in heavily regulated industries, including financial services and pharmaceuticals, have long needed executives to enact and enforce compliance policies. But companies that previously distributed compliance duties among executives in several departments now assign those responsibilities to a dedicated executive.

“This is a division of labor. Two years ago, you wouldn’t have found many of these people anywhere,” says Steve Mader, CEO of executive search firm Christian & Timbers in Boston. “We’ve been approached at least a dozen times over the last year.”

Filling the position isn’t easy or inexpensive. Chief compliance officers usually report directly to a company’s CEO or board and need years of expertise. For larger organizations, salaries start at about $250,000 and can climb into the high six figures, Mader says. Candidates tend to come from financial or legal backgrounds.

The job can vary widely from company to company, as businesses tailor the position to their specific needs. At a healthcare organization, navigating the intricacies of the Health Insurance Portability and Accountability Act (HIPAA) might be the officer’s top priority. At a company recently caught breaking laws, adding and checking financial control mechanisms might be the first task.

Computer Associates, which is rebuilding after an accounting fraud decimated its management ranks, says it is recruiting for the newly created position. And in at least one scandal-scarred industry, having a chief compliance officer is now compulsory. A new Securities and Exchange Commission rule requires mutual funds to have chief compliance officers installed by early October.

Mortgage financier Freddie Mac in McLean, Va., recently decided to create a chief compliance officer role. “We had historically asked a variety of people in control functions and business functions to assume compliance-related responsibilities, and it seemed appropriate to bring all that together,” says Jerry Weiss, who took on the position in October. He previously spent 10 years at Merrill Lynch’s fund management division, where he ultimately served as the group’s global head of compliance.

Weiss’ first priority was to assess Freddie Mac’s compliance culture and to conduct a legal and regulatory gap analysis. While his most direct day-to-day work is done with the front-line managers of Freddie Mac’s various businesses, his office coordinates with several other departments, including legal, finance, operational risk management, and information systems and services.

Weiss is collaborating with Freddie Mac’s IS group to develop Web-based training on compliance and business ethics for managers. He also has partnered with Freddie Mac’s IS team to create monitoring and surveillance tools to ensure the company’s investment securities are traded in a manner consistent with regulatory guidelines.

“We view IS as a key partner in allowing us to first develop a vision for our compliance program, and ultimately implement and execute it,” Weiss says.

But not all companies have their IT and compliance strategies aligned. A recent Meta Group report found that CIOs are rarely involved in the final decision-making stages of developing compliance-solution processes. With compliance budgets rising quickly – half the companies surveyed without a fund for compliance initiatives intend to create one within the next 12 months – CIO involvement in planning is particularly critical, Meta says.

Terri Curran, a longtime IT consultant, sees compliance duties seeping into the list of tasks falling to IT strategists, particularly at smaller organizations where executives wear multiple hats.

Tenet Healthcare’s chief privacy officer, Connie Emery, found her career path shifting along those lines as the company’s compliance responsibilities increased. Initially Tenet’s security officer, she took on the privacy role as regulatory requirements such as HIPAA linked the functions. “It’s hard to separate the two. You can’t have privacy without security,” she says.

HIPAA, Sarbanes-Oxley and a California data-security law known as SB 1386 have pushed Tenet to scrutinize its entire data infrastructure. “We had to inventory all of our systems. We have over 1,300 clinical applications. Initially, the difficulty was just in getting the inventory completed,” says Emery, who collaborates with Wagonhurst’s office. “Then we did risk analysis to identify areas to address. There were some issues with access controls. We’re putting corrective action in place and making progress on our remediation plans.”

As companies sort out their internal tangles and keep their executives from running afoul of new laws, expect a growing number to install compliance officials. Adding the position is one way for boards and CEOs, who now have to personally sign on the dotted line to vouch for their organization’s good corporate conduct, to assuage nightmares about hatching the next Enron.

Regulation: Gramm-Leach-Bliley Act (also referred to as the Financial Modernization Act of 1999)
Applies to: Financial institutions, such as banks and securities firms, and related businesses, such as lenders and financial counselors, that have access to protected information.
Deadline: Most provisions took effect in 2001.
What it means to IT: Organizations must enact safeguards to protect consumers’ financial data. Technology is critical for enforcing provisions such as the act’s opt-out rules, which let a customer prevent financial institutions they do business with from sharing their data with businesses not affiliated with the customer.

Regulation: Health Insurance Portability and Accountability Act (HIPAA)
Applies to: Healthcare providers and related businesses that receive protected information.
Deadline: The first set was issued in 2002, but more are coming. April 21, 2005, is a major deadline for compliance with the other security regulations.
What it means to IT: Companies already have had to meet HIPAA deadlines for complying with privacy rules, so most affected organizations already have the outlines of their HIPAA strategies worked out. The 2005 deadline relates to protection of electronic information; CIOs and CTOs will be intricately involved in ensuring their companies have systems and controlled processes in place for handling sensitive data.

Regulation: Sarbanes-Oxley Act
Applies to: U.S. publicly traded companies.
Deadline: Staggered. The looming one is compliance with Section 404, which requires companies to report on their internal financial controls. Rolled back several times, the Section 404 deadline is now set for Nov. 15 for the first wave of affected companies, those with a public float of at least $75 million.
What it means to IT: The act requires deep visibility into companies’ finances, controls, operations and processes. For some companies, gaining that visibility will require implementing entirely new systems. For most, it means a thorough examination and update of those already in place, a process requiring collaboration between IT and other corporate departments.