The Chief Compliance Officer of the Future: Embracing a Risk Intelligent View
Deloitte Insights video
Over the past decade, heightened regulations related to the Patriot Act, Sarbanes-Oxley and Dodd-Frank have elevated the importance and visibility of the chief compliance officer role. Now an official member of the c-suite, compliance leaders are tasked with building comprehensive and robust programs that not only address existing requirements, but also anticipate regulatory changes and their likely impact. Tune into this episode of Deloitte Insights to learn more.
Tom Rollauer, Director, Deloitte & Touche LLP
Jeffery Williams, Vice President of Compliance, Pfizer
Sean O’Grady (Sean): Hello and welcome to Insights. Today’s topic is the “Chief Compliance Officer of the Future,” and with us in New York for the discussion on this topic is Tom Rollauer, former Chief Compliance Officer of Citigroup, who is now also a Director at Deloitte & Touche LLP. We also have Jeffery Williams, Vice President of Compliance at Pfizer. So, gentlemen, I know that we are going to be talking about the role of compliance in the future, but I would like to begin by taking a look back before we go forward. Since clearly you have both been in the role, Tom, how do you feel that the job has changed in the past decade?
Tom Rollauer (Tom): The position of chief compliance officer has changed dramatically over the last decade, given the plethora of regulations that were put in place over that time period and had significant impact on Corporate America. Starting with the Patriot Act in 2001, after the 9/11 crisis, then Sarbanes-Oxley, and then most recently the Dodd-Frank Wall Street Reform and Consumer Protection Act, significant regulations came out of that legislation -- and that falls primarily on the shoulders of the chief compliance officer of a corporation. That person has the responsibility of ensuring that the company is in compliance with laws, regulations, and internal policies. So it is a major undertaking to get that right and to be able to demonstrate to the regulators that you are in control -- and to your stakeholders, the board, shareholders, and senior management.
The role of the chief compliance officer has been elevated, because of the importance of the role and the visibility that it has now with the stakeholders, including the regulators. So, the chief compliance officer is now, typically, an official member of the C-suite, if you will, whereas in the past it was often sort of a subpart of the legal division, in most cases. It is now in the spotlight and the chief compliance officer has to put in place a very comprehensive and robust compliance program which takes into consideration all these new requirements, and to stay ahead of the curve and anticipate new requirements coming down the road.
So the role has changed dramatically in concert with the increased regulations and the standards that the regulators expect of a chief compliance officer. In the financial services sector, for example, the Federal Reserve Board has put in place minimum guidelines for the enterprise-wide compliance program for large, complex banking institutions, and they examine the function against those requirements. So, the standards have been raised, the bar is high. The chief compliance officer has to make that all come together in a comprehensive way.
Sean: How about you, Jeff? Would you say that your view and experience is in line with that?
Jeffery Williams (Jeff): I would say it is. I agree with everything Tom has said. I think it has become particularly challenging if I look at the evolution of compliance functions in the biopharmaceutical industry. Ten years ago the industry was really just getting started in a lot of ways in developing its compliance programs and now the expectations have evolved to a point where there is a very strong expectation that the chief compliance officer is going to be on top of key risks in all facets of the business, starting with research and manufacturing, all the way through marketing and promotion. It is a very challenging task, especially in a global environment. Regulations are increasingly developing and are a continued area of focus. With evolving notions of corporate responsibility and individual responsibility, you see an environment where there is law enforcement scrutiny. When you add to that the fact that businesses are very innovative and are always looking for new ways to carry out operations, new avenues for revenue, strategic partnerships, and joint ventures in emerging markets, it becomes a key responsibility for the chief compliance officer to make sure you are one step ahead of the potential risks resulting from business innovation. So you really need to be as innovative with your compliance program as the business is with its operational programs.
Sean: I liked your use of the word innovative, because if we look at the marketplace and if we look at your roles, respectively, this seems to be one of those critical junctures. Given Dodd-Frank, and the changes in the U.S. Health Care System, I am interested to know from the two of you, in your experience, have you overseen compliance at a time of change, at a time of that shift, and if so, how did you manage that opportunity and make it successful for yourselves?
Jeff: We continue to oversee compliance at a time of dramatic change. I think the key to managing it is moving from focusing on individual compliance problems or issues (and solving those issues) to really creating an environment where you are working with the business as a key partner to identify potential, significant compliance risks that may come out of a developing or evolving business strategy, or as a result of it being operationalized. I think it is particularly important to really be embedded with your business partners to understand what those risks might be, so that you can work together and collaborate on figuring out how to address unknown risks or emerging risks before they become a significant compliance problem. You are going to be successful to the extent you understand where your business is going, you are staying in tune with them and their innovation, and you are matching their innovation with the compliance plan. The idea is to get those risks on the table with the key business leaders, so that they can be addressed appropriately and they don’t become significant compliance issues.
Sean: Thank you for that. Tom, same question over to you, making the most of that opportunity.
Tom: Clearly, 10 years ago the compliance function was very much a silo-driven business. There was a compliance officer per business, if you will, and there was a team in place to oversee the compliance risks of that particular business. We have evolved now to more of an enterprise-wide approach where you need uniformity in terms of being able to gather information in a consistent fashion, to be able to escalate it to the board and senior management, and be able to voice and present the state of compliance for that organization. In the past, again it was very silo driven, so you didn’t have that enterprise-wide view. So what many institutions have done (and in my prior life as a chief compliance officer), is to create an overall global compliance policy which laid out the roles and responsibilities for the three lines of defense. And the first line is clearly the business managers themselves that manage the day-to-day risks. The second line of defense would be the compliance function, the independent compliance function in this case. The third line of defense is internal audit, but all those three lines of defense each have a primary role and responsibility in managing compliance risk. So oftentimes you know compliance is everyone’s responsibility. Having a global policy in place, it lays out the roles and responsibilities and then driving it down into the various businesses and geographies that you are in, is key to a successful compliance program. Because you need to have information bubble back up to the top and escalate it in a uniform way and to be able to manage that information and make course corrections as necessary. The key to a compliance risk management program, the centerpiece, is a compliance risk assessment. As Jeff was saying, you need to be able to identify the risks associated with non-compliance for the given law or regulation, and what the inherent risk is associated with that. That is driven by the nature of your business, the volumes, etc., and the exposures that you have and then the controls over that inherent risk. Then what is the residual risk that remains, and are you willing to live with that residual risk on a go-forward basis? So you need that knowledge to be able to manage compliance risk uniformly and on an
Jeff: To the point that Tom is raising, I think it is critical for the chief compliance officer and the compliance program to really be plugged into and embedded with the enterprise risk management program that has been established at the company, or to establish a program. Then you are going to be in a position where you are collaborating with your enabling functions, your financial functions, your business and commercial functions to really figure out on a company-wide basis what the key risks are. You can use the enterprise risk management tool as a way to focus resources and efforts around ensuring that those key areas of risks do not become systemic compliance problems, because you have business leaders at the table, you have the attention of your board, you have the attention of senior leadership and, to Tom’s point -- with specific accountabilities that tie back into the business units for making sure that there are not systemic compliance issues or risks as a result of the review.
Sean: I think you touched on this a little bit but I would like to explore it some more and as we are talking about breaking down silos and collaborating more across the enterprise, we are talking about being more intelligent about risk. Do you have any suggestions drawing upon your experience on how folks in your role could go about doing that?
Tom: Sure, and it really starts with the tone at the top of an organization. So, the chief compliance officer and the board and the senior management have to be on the same page. It is important for the chief compliance officer to really strengthen those relationships at the top of the house. They will have exposure to the board independently on a regular basis, so having that bond between the senior-level management team and the board and the chief compliance officer is key to be able to take the journey together and to drive that message down into the organization. To again create this risk-based approach to compliance risk management, there are so many laws and regulations out there you have to be able to prioritize them and to understand what could impact your organization the most. So it is important to have that risk-based compliance framework in place, because it involves a lot of resources to get this right -- but you have to be able to create efficiencies along the way and to be able to leverage. As Jeffery has mentioned, the enterprise risk management framework is usually in place already to deal with the other risks within the organization where there is credit risk, market risk, or operational risk, so that you don’t reinvent the wheel, but compliance is very unique in terms of dealing with the law and the regulations that go with it. It is a different type of risk and it has lots of corollary risks attached to it, specifically reputational risk. If you have a noncompliance situation and you get in the headlines, think of what that does to your business. So, it is about preventing reputational risk and working with the business to make sure they understand it, so the Risk Intelligent CCO, if you will, needs to be aware of the importance of the function, the need to leverage existing infrastructure and to work closely with the top of the house to get it right.
Jeff: I think the Risk Intelligent CCO is also in a position to continuously monitor and evaluate the effectiveness of the compliance program. Once you have put your program in place and you are focused on the key elements that Tom has described, you need to be able to evaluate the effectiveness of that program -- you need to be able to draw on metrics and information from the organization coming from the bottom up, coming from the top down -- to really understand if your program is as effective as you need it to be. Then you need to be open to and not afraid to challenge how effective that program is by bringing in independent legal counsel, by bringing in independent auditors and others in order to assess whether you have a compliance program that is going to be successful at addressing the types of risks that you are facing. You always need to be open to monitoring and evaluating the quality of the program because your business leaders are going to evolve in their thinking and approaches to how they bring in revenue and what strategies they are operationalizing. It is important to be a part of the development of those strategies and a part of evaluating and understanding how those strategies are actually working in the field with your sales force, with key business partners that you may be in a joint venture with, or within an emerging market where the risks might be higher than in certain other markets. Being open to evaluating and understanding risk on a continuous basis is a very important thing for the Risk Intelligent compliance officer.
Sean: Now we have been talking about implementing initiatives, but as the adage goes, “the best laid plans of mice and men often go awry,” and since the two of you have been in this role and have had the opportunity to implement things, there are pitfalls, there are roadblocks, and there are barriers. And so for folks in your role, I am interested to look around the corner with you; what do you see coming as potential pitfalls and what would be your recommendations for folks trying to implement a compliance process?
Jeff: I think the whole notion of pitfalls in this context is very interesting because much of what we do is judged with the benefit of hindsight and hindsight is an absolutely brutal judge. I think some of the most successful compliance programs going forward will be the ones where the chief compliance officer has established, with the board of directors and the senior leadership, the value proposition of understanding risk and being in a position to mitigate those risks to prevent what might otherwise be huge compliance problems that really could sidetrack the business in a way that would be detrimental from a legal perspective, or from a public relations or publicity perspective, as Tom mentioned earlier. I think the more a chief compliance officer can work on developing relationships with key business leaders and understanding how the business works, listening very closely about how business plans are being operationalized, then they will stand the best prospect of success.
Sean: Final thoughts to you, Tom.
Tom: I think one of the key pitfalls, if you will, is to get complacent about your program. Say you have built this great enterprise-wide compliance program: it has to be continuously refreshed. Dodd-Frank is a great example. We have a brand new regulation facing the financial services industry, you have to be able to anticipate that to understand what is happening in the legislative process, and to start to communicate internally as to what the impact will be for the organization and how to deal with that going forward. So get ready for new changes and regulations, keep it fresh, as I said, and also partnering up with the business, because as the first line of defense they have processes in place. You need to continually provide training and awareness to the business to make sure they understand the importance of compliance risk and how they should continually manage it through the self-assessment process and quality assurance processes and other techniques. Then team up with the other control functions -- risk management, finance, operations, and technology -- to make sure that you share this important responsibility in ensuring compliance risk. At the end of the day, internal audit can also play a role in validating the program to make sure that you have leading practices in place and that you are anticipating what is coming around the corner.
Sean: So now that we have changed, get ready to change again. Gentlemen, thank you both for your time today. We have been talking about the “Chief Compliance Officer of the Future” with Tom Rollauer, a director with Deloitte & Touche LLP, and Jeffery Williams, Vice President of Compliance for Pfizer. If you would like to learn more about Tom, Jeffery, or the topics discussed on this broadcast, you can find that information on our website. It is www.deloitte.com/insightsus. For all the good folks here at Insights, I am Sean O’Grady, and we will see you next time.
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Copyright © 2012 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited.