In an effort to gain more insight into the growing risk/compliance officer trend, I also spoke with Paul Shulz, a managing director at Protiviti. The global company provides governance and risk consulting services in a wide variety of industries, and more recently has assembled a cross-disciplinary team of experts to help those affected by the continuing financial crisis.
Like Keith Darcy, Shulz agrees that the trend is a growing one. In an e-mail, he said:
"Evolving legal risks, product recalls, investments that seemed solid suddenly disappearing, mounting pressures for privacy and security...all add to and compound this trend."
He referred me to the Open Compliance and Ethics Group's definition of the Chief Ethics and Compliance Officer. The group says, in part, that this role "is a strategic position vested with accountability for executing on a compliance and ethics program." Shulz notes, too, that more often than not, the CECO has direct access to corporate counsel and the authority to take control in emergencies.
More than that, though, he said the position must be at C-level rather than lower because it's "at the fulcrum of creating and managing the mechanisms that cut across organizational and business-unit boundaries to identify, manage, and mitigate risks" wherever they happen to arise. As for effectively communicating risk-management strategy and enforcing policies, Shulz explained:
"[Protiviti has] a model we call Performance/Risk Integrated Management Model (PRIM2), which promotes the idea that strategy deployment and enterprise risk management are inseparable today and intertwine in the planning, assessment, evaluation and reporting stages.... We can see the day when line managers are surrounded with as much discipline around risk management as they are for financial and operating performance."