Excerpt from www.NDMA.COM, © 2024 N. Dean Meyer and Associates Inc.

Analysis: Chief Compliance Officer Accountable for Compliance

Making a compliance officer accountable for compliance (or cyber-security for security) introduces big risks

by N. Dean Meyer

[excerpt from the book, Principle-based Organizational Structure]

Allison was appointed Chief Compliance Officer in the IT department of a huge financial services company. She enthusiastically told me of the importance of compliance in their industry, and hence the stature of her position as the one person accountable for the compliance of the entire IT function. "Our CIO gave me the authority to make that happen," she proudly asserted.

"The regulators require a single point of contact," she explained. "And we need to ensure consistent processes and metrics throughout the organization."

Time and time again, history has proven that this approach doesn't work. Here's why:

Systemic Forces at Work

"Let's look at their incentives," I replied. "Sure, if something bad happens, the whole organization suffers. But whose job is it to fix the mess; or in the worst case, who gets fired? It doesn't do any good to fire you when the managers running the business made poor decisions and caused a serious problem. In fact, using you as a scapegoat only reduces others' incentives for real compliance."

She eagerly agreed. "Scapegoat doesn't look good on a resume!" she said.

Others have businesses to run, and they're not going to let a peer get in their way. Sure, they'll comply when it's easy or when they really have to -- with the big, visible initiatives.

But on a day-to-day basis, Allison had three factors working against her:

  • Allison is accountable for compliance, not her peers. They won't put much effort into something that's not in their own performance objectives.

  • Others are accountable for business results, and they're not going to compromise their missions to help Allison with her objectives. In fact, they may have incentives to thwart her if compliance gets in their way.

  • The third factor is the killer. Others don't need to worry about compliance. It's Allison's problem. So if they mess up and bad things happen, she'll take the blame. Allison may as well have been given the title, "Chief Scapegoat."

All these factors encourage Allison's peers to find ways around her controls to get their jobs done.

Who Decides the Trade-offs?

After I explained this, Allison objected, "But what if one guy takes a risk and something bad happens? Then the whole organization suffers the consequences."

"Allison, would you advocate zero risk?" I asked.

"In public, I might have to say yes," she said. "But I know that would be unrealistic. Zero risk would force us to shut down the business, at least for a while. Obviously, we can't do that."

Idealists may claim that compliance helps achieve business results. But realists know that there are trade-offs. To illustrate this, consider the extreme: If compliance means shutting down the business for a while, maybe the right answer is to wait to implement controls, and hope that nothing bad happens in the meantime.

On the other hand, if the risks of non-compliance are huge (such as people getting hurt or very large fines), a rational person would choose to shut down the business to implement controls.

Allison agreed that trade-offs had to be made with a full understanding of both risks and business impacts.

"So," I said, "somebody has to decide these trade-offs. No matter who that is, if something bad happens, the whole organization suffers the consequences. So the only question is, who should make the decisions -- you, or the managers running the business?"

Either Allison could study the business and make the decisions, or she could teach others the risks and let those who know the business decide.

Allison honestly felt she was in the best position to decide the trade-offs. "They always sacrifice compliance for near-term business results. I represent the compliance perspective, so I'd make it a priority. I'd take far less risk than they would."

Now we have a battle brewing. Allison is fighting to minimize risks, while managers fight to maintain operations. Are the best decisions really going to come from internal fighting? Unlikely. It would be far more effective if the decisions were collaborative.

Everyone Must Be Accountable

There's only one way to make managers want to collaborate with Allison. "What if they're all held accountable for their own compliance?" I asked.

She had to grant that this would swing the balance somewhat. But she still wasn't satisfied that they'd make the right decisions.

"You know there's a good chance you'll make the wrong decision too, Allison. Given your position, you'll opt for more compliance than they would, and in doing so you might sacrifice critical business results -- maybe without even knowing it since you're not in the trenches delivering services."

I reminded her of the Golden Rule: authority and accountability must match. If she makes the decisions, then she has to be held accountable not just for compliance but for everybody's business results. Otherwise, what's to stop her from deciding in favor of too much compliance, sacrificing business results, and letting others take the blame when critical services fail?

"I can't be held accountable for everything going on in the whole organization!" she cried.

"Exactly," I said. "Therefore, you can't be given the authority to make these decisions."

The right approach is to hold everybody accountable for their own behaviors, including for their own compliance. Then, they'll willingly implement compliance initiatives to protect their own hides. Overall, the success rate of compliance initiatives is higher, not lower, when authority and accountability are in the right place.

"Okay," Allison sighed, "I'll grant that if they were really accountable for compliance, we could let them decide the trade-offs. But how do we get them to take that accountability seriously?"

"Your first job," I said, "is getting your boss to put compliance in everybody's performance objectives, and to measure them on it."

Compliance as a Service

When everybody is accountable for their own compliance, the organization doesn't need someone who forces others to comply. But it still needs Allison.

The job of a Compliance Officer is to help others succeed with their compliance accountabilities. It's a service based on expertise in how regulations affect the organization and its clients.

"But," Allison said, "regulators require a single point of contact. And even if it weren't required, compliance processes cross organizational boundaries. Someone has to look after the big picture."

Allison was right. Compliance is a Coordinator function. It helps others succeed at their accountabilities, including helping them agree on shared decisions and processes.

If regulators request information or impose an audit, she can coordinate the organization's response and serve as the communications channel to the regulator (that single point of contact). But she's just accountable for those coordination services, while everybody is accountable for their own portion of the response.

She also can help individual managers put together their own policies and plans. At a higher level, she can bring stakeholders to consensus on shared policies and plans, and consolidate their individual plans into an integrated organizational plan.

Similarly, Allison can help others agree on shared initiatives that improve compliance. Then, she can help them implement the agreed changes, not as the manager who's accountable for results but rather as a facilitator and subject-matter expert.

As a Coordinator, Allison can manage tests of plans, while everybody remains accountable for their own groups' responses.

Through all her services, Allison can teach others the regulatory requirements, the risks of non-compliance, and the kinds of changes required to mitigate those risks. Educating others equips them to better decide the trade-offs.

Oversight

"One final concern," Allison said. "What if they just don't do anything about compliance? Who's to catch them? Their bosses may not know enough about the regulations to know that they've got a problem."

There may be a need for oversight, I granted. But it shouldn't be mixed with her service role.

"Remember," I replied, "the real auditors are outside -- the regulators, hackers (in the case of security), or Mother Nature (for business continuity). If you are seen as an auditor, doors will close as you approach, and you won't have much impact."

Remaining service-oriented, Allison can sell "compliance assessment studies" that help managers get ready for the real external audit (or know how their subordinates are doing).

"Describing it this way keeps you on their side of the table," I explained, "there to help them, not judge them. You've got to maintain good relationships to implement meaningful change."

Happy Ending

Allison could have stubbornly insisted that someone needs to be in charge or it won't happen. But fortunately for her, she saw the light. "I've got to go back to my boss and renegotiate this position," she said.

"Absolutely right!" I said. "It's the responsibility of your CIO to get accountabilities sorted out properly, and never to put one manager at odds with peers or set someone up to fail."

Allison positioned herself as a facilitator and coordinator, not a "czar." She went on to build a highly effective compliance program that engaged her peers without becoming their adversary.

The Scapegoat Trap

Many functions can fall into the scapegoat trap by claiming authority over, and hence accepting accountability for, others' behaviors. Chapter 9 described the case of a Safety group that thought it was accountable for safety. Others who might make this same mistake include:

  • A "security" group that thinks it's accountable for security, rather than helping everyone to operate in a secure manner.

  • A "business continuity" group that unilaterally designs the plan.

  • A "quality assurance" or "testing" group that tries to take accountability for quality through inspection and control, rather than by providing a testing service to others who are accountable for producing quality products.

  • An IT function that accepts responsibility for implementing business-process rationalization as part of an ERP project.

These are all examples of a familiar theme: Total Quality Management. Quality, in all its forms, is an attribute of a product or service, not a separate deliverable. Producing products, and the quality of those products, are not two distinct jobs. Experiences in every industry prove the same principle: Responsibility for compliance, safety, security, and every other aspect of quality should never be separated from responsibility for doing the work.

In every case, better results are achieved when everybody is held accountable for their own behaviors. Coordinators help others with their accountabilities. And if oversight (Audit) is needed, it must be kept arm's-length from service-oriented Coordinators.

Bottom Line

Controls that attempt to force people to do something counter to their incentives are rarely effective.

The answer is not to demand altruism (self-sacrifice for the greater good) and then attempt to enforce it -- a losing battle.

Instead, incentives should be aligned. In the case of regulatory compliance, cyber-security, standards compliance, or any other form of compliance, everybody must be held accountable for their own behaviors. Staff can then offer services to help everybody succeed at this requirement.
