After the CEO examines governance issues with the board, the CFO and COO
are brought into the process. Risks (including compliance issues) have been
identified and a plan of action has been drawn up, which leads to the creation
of an implementation plan. The challenge here is expressing and implementing
the strategic initiatives throughout the company while also translating
those strategies into tactical actions that need to be taken at the managerial
and employee levels. The implementation plan must include how to assess
the way all levels of the company are following through on the agenda. In
other words, you have to find a way to tell people what you want them to do,
what they need to do in specific terms, and then make sure they are doing it.
To do this, the governance office should write down the policies and processes
(governing frameworks) and communicate them by dashboard, PowerPoint
presentations, strategy documents, or in any other manner that would work
for your company (a GRC clown, billboards, blimp, fun tattoos... let your
imagination run wild.) These policies and processes are then translated into
various types of plans (that is, tactics), such as management-by-objectives,
key performance indicators (KPIs), controls such as access control and
process control (see Chapters 6 and 7 for more on these), and other oversight
and operational tools. In other words, use what works for you to get
people to do what needs to be done.
As the implementation plans are drawn up, the CEO, along with the CFO and
COO, may determine that their efforts would be strengthened by creating a
high-level officer — with a title such as Chief Compliance Officer (CCO) —
who is given the job of overseeing that the company is complying with external
regulatory requirements as well as internal policies and procedures (the
captain of a tight ship).
CCOs are responsible for the ethical conduct of a company and are a recent
creation that has come in the wake of the passage of SOX. Additional offices
and departments can also be created depending on the needs of the individual
corporation.
Depending upon the company, the CCO role could include managing policy
development; implementing and enforcing policy, which includes training,
communications, and investigating policy misconduct or violations; assuring
corporate compliance with third-party (vendor or customer) guidelines and
policies; managing internal audits; facilitating external audits; and responding
to various requests from, and required reporting to, regulatory agencies.
Another important role played by a chief compliance officer, and one that
would translate to any company and industry seeking to strengthen its GRC
efforts, is to identify compliance violation trends.
Identifying compliance violation trends is distinct from efforts such as preventing
employees from downloading objectionable material from the
Internet. Rather, it involves scanning a number of resources — news media,
industry journals, regulatory Web sites, speeches by regulatory officials, and
74 Part I: Governance, Risk, and Compliance Demystified