HIPAA Survival Guide Newsletter January, 2021
What makes a Compliance Officer Competent?
In other words, what are the professional characteristics, including emotional IQ, that an individual must possess to be a competent compliance officer ("CO") in the 21st century? To begin with, let's use Steve Hardy's framework for what constitutes a "creative generalist" as a starting point for exploring this question. Paradoxically, a CO's job, even if they focus only on a single compliance regime (e.g. HIPAA, or GDPR, or SOX), is anything but a niche specialized gig. Without using hyperbole in the least, I want to make the argument in this article that a CO's job is, at a minimum, one of being a creative generalist, and a good one at that. Now, of course, if I made the argument that a CO needed to be a renaissance person, that would be hyperbolic. I do not want to overstate the case.
In addition to using Steve Hardy's framework for exploring this question, we are going to postulate that a CO's primary job function is to solve a wicked problem: one that has far more organizational complexity than technical complexity, although the latter challenge is by no means trivial.
Wander & Wonder
A CO must have a curious mind precisely because the required skillset spans the law, technology, process engineering, communications, and institutional knowledge, just to name a few subject matter domains ("SMDs"). This is the antithesis of STEM (i.e. Science, Technology, Engineering & Mathematics). The former implicates a true liberal arts education, one that is so frowned upon and yet so needed in today's market.
Given the intractable problems that we face today, meaningful regulatory compliance being one of them, I would argue that we need more Winston Churchills and fewer Steve Jobs personas. Now, I happen to be a big fan of both, but the former is much better suited to help us solve today's problems than the latter. There's no doubt that we will have to innovate our way out of problems such as climate change, income inequality, affordable health care, massive corruption, etc., etc.; and therefore, technology will play an important role. But technology won't solve the problem by itself; it is necessary but not sufficient.
One characteristic that this list of problems all have in common is that we will need smart regulations to create the kind of normative conduct required for the next world order, one where we can be assured that all the previously dominant economic "isms" would have demonstrably failed to achieve progress: communism, socialism, and yes, Darwinian capitalism (the latter does not exist anywhere in the world as a practical matter; Social Security and Medicare are counterexamples in the U.S.). Where there are regulations there will be a need for regulatory compliance. Where there is a need for compliance there will be an increasing need for 21st century (and beyond) COs. You read it here first. A CO's job will increase in stature over time as they take a well-deserved seat at the C-suite table.
Synthesize & Summarize
Because a CO is going to be working across SMDs, communication skills will be paramount. You must have the ability, innate or acquired, to synthesize, summarize, and communicate succinctly, effectively, and persuasively. You must do much more than simply define the problem. You must have the capacity to develop and implement practical cross-functional solutions that drive down costs while improving effectiveness and efficiency. In short, as a CO your principal job is that of a change agent.
There is no way you can be successful as a 21st century CO if you view your job as some dead-end necessary evil that is nothing more than a cost center to the organization. If you want a seat at the table, then you must earn it by demonstrating that your programs can have a positive impact on both top and bottom lines. Nothing else will do. Companies are drowning in compliance costs because of organizational silos and a 20th-century approach to a problem that threatens to consume more and more resources while delivering increasingly inadequate results. If you want to transform your organization's compliance DNA, you must first transform your own.
I think it was Einstein who once said that "problems cannot be solved by the same minds that created them." If you are part of the "old guard," you need to get busy "synthesizing and summarizing" or risk finding yourself among the highly educated unemployed. You need to recognize that GRC is DOA and that Agile Compliance is the only methodology worth discussing going forward. Iterate. Iterate. Iterate.
Link & Leap
As counter-intuitive as this may sound, a CO must learn to become a risk-taker. As discussed above, to create cross-functional solutions a CO will have to get out of their comfort zone if they expect to break silos and drive down costs. COs must become comfortable speaking the language of the law, finance, marketing, and technology, linking stakeholders in a manner that persuades them to take the leap into compliance's brave new world with you: one where what you and your staff do is perceived as mission-critical to your organization's value proposition, not some big-brother mandated "bolt-on" that sucks costs without delivering any perceptible value. Show me a country, state, city, community, or organization that does not self-regulate and I will show you an entity that is headed for the abyss.
This is not an argument for more (or less) regulation. It is just an acknowledgment that in the 24/7, 365 online world that we all now inhabit, regulation is a constant fact of life. Sure, the objective for all of us is to work toward "smart regulations," but in the meantime we must recognize that the law lags reality and we must cost-effectively deal with the ugly reality on the ground. We cannot be Pollyannaish about what confronts us. For COs to impact the top and bottom lines, they are going to have no choice but to advocate for taking calculated risks. There is no budget anywhere to deal with all potential regulatory risks. COs are going to have to learn to deal with uncertainty, and to accept that sometimes (almost always) good enough is the best that your organization can do.
Mixing & Matching
If you are going to be a "creative generalist," then you must learn to "mix & match." Ah. But what does that mean? It means, in this context, being able to draw upon knowledge from various disciplines to deliver holistic solutions. This article has already discussed some of the SMDs that require more than just cursory knowledge. This is a challenge of continuous education on steroids. In a world dominated by geeks, only the literate survive. I once asked a client of mine, who pulled out a book during a break in a deposition, "How many books do you read a year?" His answer will remain with me forever: "not enough." This individual is one of the most successful people I know, financially and otherwise. Sure, we all know the platitude "readers are leaders," but that does not make it false. As a CO you must find time to read across disciplines so that you can mix & match problems with solutions. There is nothing easy about being a creative generalist. You are not going to be able to fake it. That doesn't mean you have to have all the answers. It does mean that you must be willing to turn over a LOT of rocks until you find them.
In addition, you are going to have to master bringing people from various disciplines together to collaborate on solutions. You need not be a genius, but you will often have to facilitate the collaboration between them. You don't have to master their respective SMDs (a complete impossibility), but you do have to know enough of their grammar to have a meaningful conversation with them, and enough of other people's grammar for when you need to translate.
Experience & Empathize
Tom Peters, the world-renowned management guru, is a source of many quotes for me. One of the ones that I like best is "the soft stuff is the hard stuff." Experience speaks to your credentials. How good a creative generalist are you? Have others already taken notice of the results you have produced? Are you walking the walk in a visibly demonstrable way? The "experience" part kind of speaks for itself. The "empathize" part is a little trickier. For several reasons, ones that COs understand all too well, your job will of necessity require "more carrot than stick." Part of empathy is having respect for what your colleagues do, including the day-to-day struggles they face, personally and professionally. You are going to need LOTS of allies to accomplish your mission. There are no cookbook formulas for obtaining them.
Not much of what we have discussed in this article will do you much good unless you have, or can develop, the emotional IQ necessary for the job. Aargh. Organizational change is hard. Personal change is harder. However, there's little chance of the former without the latter. If you want to change the organization, then start with yourself. For me, there is no doubt that personal change is, by far, the most significant challenge.
People & Process over Platform
Because this article postulates that COs are required to solve a wicked problem, it follows that of the three P's (i.e. People, Process, and Platform) the first two predominate. This article supports this conclusion as well. A CO is tasked with solving an organizational problem. The only way to do that is through people and process acumen. Sure, Platform (i.e., technology) is going to play a critical role, but if approached merely from a technology perspective, your compliance initiative will be doomed to certain failure. Technology is necessary but not sufficient. It certainly plays a critical role in potentially driving down costs, but only to the extent that stakeholders have bought into it. This "buy-in" must be organically supported from the top, the middle, and the bottom. Even if a CO had the position power to mandate a program (they do not), it still would fail miserably. Users will sabotage Platforms that change their work processes when they have had no input into the change.
A Changing Compliance Landscape
- Worldwide compliance losses and fines topped 300 billion;
- Senior managers remain uncomfortable with managing compliance risk; and
- Even though compliance expenditures have increased dramatically over the last decade, improvements in effectiveness have not followed.
Although this survey was limited to banks, it is indicative of the crisis that the compliance function finds itself in today. This level of spending without improved effectiveness is unsustainable. The compliance function as it exists today is broken. Unless it undergoes a radical transformation, that sucking sound you hear will be top and bottom lines shrinking.
This article suggests a way forward for transforming the compliance function. It does so by postulating the professional characteristics that the CO of the future must possess. That future is upon us, although the compliance industry, writ large, remains mostly in the dark as to the inflection point that has occurred. The waves from the compliance tsunami have already started hitting the shore, but the largest ones are still in the visible distance. Analogous to the "perfect storm," there will be considerable destruction before the rebuilding can begin. To quote Hugo: "There is one thing stronger than all the armies in the world, and that is an idea whose time has come." Compliance or anarchy, you choose.