Chief Compliance Officer: Ensuring Self-Governance Responsibilities

Article excerpt

In the past 20 years, there have been spectacular scandals involving major businesses, savings and loan associations, and brokerage houses. Executives and their accountants cooked the books and then shredded and altered documents to cover their misconduct. This provided the impetus for the Sarbanes-Oxley Act of 2002 (SOX), which requires publicly traded companies to adopt and periodically review the effectiveness of their internal controls systems.

Brokerage houses have responded to SOX by creating an internal office of compliance, headed by a chief compliance officer (CCO). While some organizations have appointed a new vice president, others have added the CCO title and responsibilities to the duties of the organization's chief legal officer or chief financial officer.

The CCO movement has spread internationally, and under Germany's Corporate Governance Code (2002), multinational firms have set up a compliance office to enforce a zero-tolerance policy toward legal and ethical violations.

Hospitals and other health care institutions are complying with the new privacy regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) by appointing a CCO to monitor HIPAA and other regulatory compliance. Banks and other financial services companies also have embraced the CCO concept. And a financial CCO certification program is offered by various organizations.

The common threads among organizations with CCOs are that they are substantially affected by federal and/or state laws; they operate under a considerable number of opaque regulations; they are particularly susceptible to media scrutiny; and they are frequently exposed to serious liability claims. Because police agencies and correctional institutions operate in a similar environment, the concept of a centralized compliance office warrants serious examination by local government managers.


Successful businesses have learned that you can pay now for risk reduction systems, or you can pay later in the form of lawsuits and jury verdicts. Almost always, an after-verdict payment is larger than the cost of prevention. Police and corrections agencies can be slower than the private sector to adopt controls, in part because judgments are usually paid from a general fund and not out of the agency's own annual budget.

Police administrators, however, must actively monitor such concerns as:

 1. Adherence to constitutional requirements relating to the use of
    force, arrests, the stopping of pedestrians and motorists, searches,
    seizures, electronic surveillance, infiltration, and interrogations.
 2. Violations of internal rules, regulations, policies, procedures, and
    standards of conduct.
 3. Unauthorized releases of criminal histories and driver information.
 4. Improper disclosures of personnel information.
 5. Illegal or unethical access to restricted data or privileged
 6. Inadequate investigations of citizen complaints about officer
 7. De-policing, profiling, and other equal protection failures.
 8. Adherence to injunctions and other judicial decrees.
 9. Misuses of funds, equipment, or personnel.
10. Safety violations.
11. Employee whistle blowing.

Jail administrators must actively monitor similar matters, including:

 1. Proper adherence to constitutional requirements relating to the use
    of force, prisoner and cell searches, and access to courts and
 2. Violations of internal rules, regulations, policies, procedures, and
    standards of conduct.
 3. Improper disclosures of personnel information.
 4. Deficient investigations of inmate complaints about officer
 5. Indifference to inmate-on-inmate physical or sexual assault.
 6. Inadequate sanitation and medical care.
 7. Wrongful censorship of inmate mail.
 8. Proper adherence to injunctions and other judicial decrees. …