Compliance Watch: The Walking, Talking Compliance Risk

Sarbanes-Oxley compliance has grown smoother now that its processes and technological support have begun to hum. So why do corporate executives have such dark circles under their eyes? It's because the human side of compliance may be the riskiest issue.

After 24 months of regulatory interpretation and two years of Section 404 audits for most public companies, finance and internal-audit executives know the drill and understand how their external auditors apply the new rules. Yet a massive unknown is making leaders toss and turn: the extent to which employees know and adhere to the regulations that apply to their companies.

By its very (human) nature, compliance's people problem is multilayered, complex and extremely expensive. Compliance executives must make all employees aware of the rules and regulations that affect their industry, company, function and individual activities. On a less tangible level, they must make certain employees understand the appropriate action to take if they should come face-to-face with an ethical challenge. That requires the right tone at the top.

Do current compliance executives have what it takes to guide employees through this minefield of compliance challenges? Regulated industries long have employed chief compliance officers (CCO) who have plenty of experience to meet the human challenges. The Sarbanes-Oxley Act stimulated large and midsize companies in nonregulated sectors to hire CCOs. These dedicated officers manage all of a company's compliance activities, which represent quite a chunk of change -- $27.3 billion on all types of compliance this year for U.S. companies, according to an AMR Research report. The single largest portion of that investment, $11.5 billion, covers the salaries for people who engage in compliance activities.

But the bull run on compliance executives has lowered the position's entry barriers and diluted the pool of expertise. To make sure their compliance chief can operate effectively and confidently with all employees whose work touches compliance, companies can take three concrete steps: