Seven Mistakes Companies Make in Hiring a Chief Compliance Officer

Under increasing regulatory pressures, many firms are frantically seeking qualified people to head their compliance efforts. But in this emerging and competitive job market, hiring pitfalls abound. Where do companies go wrong when they're hiring a CCO?

By Bob Mueller

A spate of new regulations has created a hiring frenzy among firms looking for people to head efforts to meet these regulations. Variously called chief compliance officers or corporate compliance officers (CCOs), or chief governance officers, these newly minted jobs are commanding top pay for well-qualified candidates.

Still, recruiting a chief compliance officer has its pitfalls. Many organizations don't have experience hiring for compliance leadership. And, where laws mandate financial companies to hire a compliance officer, firms can be tempted to rush into hiring decisions that, ironically, end up undermining compliance efforts.

Where do companies go wrong when they're hiring a CCO? The answers range from conventional hiring errors, such as failing to define job goals, to compliance-specific issues and emerging organizational issues that impact multiple levels of IT management. In general, companies can shore up their hiring efforts by avoiding seven common errors.

1. Thinking of compliance as an IT issue

Recent regulations, including Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley, present many IT-centric challenges, notes Michael Rasmussen, vice president of Forrester Research in Cambridge, Mass. This condition has misled some organizations into viewing compliance as an IT issue and placing responsibility for it in the IT department.

"There is a role and a responsibility for an IT compliance officer managing IT compliance, but that person isn't going to be overseeing all compliance issues," Rasmussen says. "You've got human resources, workforce, public safety, environmental—a ton of regulations that operate well outside of IT. IT has a role in meeting multiple compliance requirements.
It can help automate and manage the documentation process for any compliance process."

But the IT-specific portions of compliance are just a fraction of the total, Rasmussen states. While CCOs should have the technical savvy to understand IT's role in the compliance picture, they should generally have a broader business background and knowledge base.

2. Hiring someone without industry-specific expertise

"People think of the chief compliance officer as a horizontal function that crosses industry lines easily. I don't think that works," observes Stephen Mader, vice chair of executive recruiters Christian & Timbers. The food and drug industry, for example, functions in an entirely different regulatory environment than, say, banking.

"There aren't enough people around with the credentials, so there's a lot of stretching. There's a belief somebody can learn the job if they have some compliance background," he says.

Rasmussen agrees: "It's a mistake to hire [a CCO] who might have some compliance expertise, but doesn't necessarily have experience in your specific industry."

3. Failing to set job goals before hiring.

"People have an easy time thinking about job descriptions; they have a hard time sometimes thinking about output," says Mader. Most companies have never hired a chief compliance officer before, and they haven't thought through what they expect from a CCO or even what the full scope of compliance is.

"It's easy to talk about the job. You can put it into some kind of commonsense terminology and it kind of sounds right," Mader says. "But you've got to go through the diligence of asking, 'What is the job when they get here?'"

4. Failing to involve departmental stakeholders in the decision.

The compliance office is not a standalone function, warns French Caldwell, Washington, D.C.-based vice president for compliance research at the Gartner Group.

"It has to work very closely with the CFO and COO and, since IT organizations have a lot of responsibility under some of the new regulations, the CIO. Compliance officers need to be part of compliance councils, not just working by themselves out of the compliance office, but working through these other organizations. You can't have compliance simply by saying, 'We have a compliance officer or a compliance office.' Compliance occurs within the major business units."

The temptation, Caldwell says, is to think of the CCO as a policeman, when what's needed is someone who's good at working with and aligning people under the compliance banner.

5. Undermining the position's authority.

Some companies underfund, understaff, and underempower chief compliance officers. Caldwell notes CCOs must be able to forecast coming regulations and standardize controls throughout the organization. "If you just set this office up and all you have is a compliance officer who issues memos about ethics all the time, there's not really much of a purpose to it."

Adds Rasmussen, "There has to be adequate budget and staffing. Just assigning a compliance officer means nothing if that compliance officer doesn't have what it takes to get the job done."

Compliance officers also need a measure of independence, he continues. The CCO needs to be able "to blow the whistle when it needs to be blown, and have enough authority to oversee that compliance is managed in the organization."

6. Omitting background checks.

At least in financial industries, CCOs should be untainted by the sorts of abuses regulations are meant to discourage—money laundering, insider trading and other illegal transactions. Sometimes, says Nicole Cox, director of legal and compliance recruitment for Robert Hadley Associates in New York, companies hire top compliance people without checking their backgrounds thoroughly. That can lead to embarrassment down the road.
Similarly, checking backgrounds carefully can reveal gaps in experience that might rule out an otherwise attractive job candidate.

Scrutiny of CCO candidates in fact has grown more intense than it is for most other C-level hires, Cox notes. It's not unusual to interview CCO applicants seven or eight times before making an offer, she says.

7. Low-balling compensation.

Demand for chief compliance officers greatly exceeds supply right now, says Cox. That's driven salaries through the roof. In the financial markets that Cox mostly serves, pay for CCOs starts at around $500,000. With a JD degree and some experience, salaries can easily top $1 million, she says. "A lot of mid-sized and smaller firms don't have the financial backing or do not have the interest in hiring such a senior person."

For smaller firms that simply can't afford astronomical CCO salaries, it's unfortunate, Cox says. But for companies that can afford them but won't pay the going rate, it's a mistake. "A lot of these firms are experiencing a high rate of turnover because the money's not there," she notes. And, when it comes to compliance leadership, instability introduces risk.

At the end of the day, who should hold the top compliance job? Lawyers are a common choice, says Rasmussen, though some companies think of compliance as a risk management job and place it under the chief risk officer. In the financial sector, some CCOs are being hired away from the agencies responsible for enforcing regulations—such as the NASD and SEC. Despite the fact that CCO is a fairly new job definition, there are compliance experts in some industries who've been fulfilling the role's responsibilities for 20 years or more: they can also be attractive candidates. And, finally, there's talk of CCO certification programs, Rasmussen notes—but so far that's all it is.

Eventually, the supply of good CCO candidates and the demand for them will reach a sort of equilibrium.
Qualified people will be easier to find, and the compensation they command might come down a bit, too. But, according to Mader, this could take several years. "The way it will happen is that chief compliance officers will train seconds and thirds in command who will transition out of other areas of business and decide to make compliance a career path. Over time, those people will also qualify as CCOs and they'll either move up in their own companies or they'll get pulled to another company."

Bob Mueller was a contributing editor for the IT Compliance Institute.

This article originally appeared at itcinstitute.com. Copyright 2008, 1105 Media Inc. Used with permission.











