Role of the Compliance Function

In our recent blog post “Issues Management for Compliance,” we introduced consulting firm KPMG’s survey of chief compliance officers at 62 major U.S. firms across seven industries.

The survey report (The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate, by Nicole Stryker) addresses nine core compliance components: governance and culture; risk assessment; people, skills, and due diligence; policies and procedures; communication and training; technology and data analytics; monitoring and testing; issues management and investigations; and reporting.

The KPMG model (Stryker, 2017, p. 1) shows the compliance function, with its role to “advise, challenge, and assess,” as one of three lines of defense for organizational compliance. The other two are the internal audit function, responsible for independent assurance, and the internal line of business management and operations, responsible for design and execution of controls.

The compliance function, according to the survey report, monitors compliance risks and controls in support of management. It is responsible “for driving the overall design and implementation of the organization’s compliance function, advising management and the Board, and assessing the effectiveness of the organizations control environment to help ensure that the business is designing and implementing effective controls intended to mitigate risks.”

The survey report advises that to effectively identify, assess, and mitigate compliance-related risk, compliance leaders must have “a seat at the table,” especially (but by no means only) when new products or services are being developed and introduced or when the organization is expanding into new geographies. The compliance function role, in those circumstances, is to “ask questions and understand the new/emerging compliance risks in advance [and to] assist the organization in realizing [if] the proposed change will breach the risk tolerance, even with mitigating controls, and also assist with the design of mitigating controls.”

To be effective, the compliance function must be valued and empowered. Corporate compliance attorney Michael Volkov tells us the Wells Fargo “fiasco” may well have gotten as bad as it did because of the absence of an independent and empowered compliance function (Volkov, 2017). Corporate culture plays a role; per KPMG, “when compliance can be overridden by the business, and improper conduct exists without accountability, the compliance function may be rendered ineffective.”

The compliance officer role, says the report, is continuing to expand beyond “mere regulatory and legal compliance” to include a wide range of concerns, such as ethical standards and sustainability. At the same time, compliance officers must successfully manage pressure to reduce costs and improve efficiencies, implement new technologies and analytics, and deal with constantly changing global regulatory requirements and expectations.

The report advises compliance officers to respond to the latter challenges as follows:

  • Use company-wide compliance risk assessment to identify potential control gaps, control weaknesses, and risk trends, and then prioritize attention on those.
  • Integrate and automate compliance activities across the organization.
  • Develop five- and ten-year projections of what the future compliance program will need to look like.

Doing so can only enhance the compliance function’s ability to “advise, challenge, and assess” on behalf of the organization.

Ethical Advocate assists companies of all sizes in creating a culture of ethics and accountability by providing ethics and compliance training, confidential and anonymous hotlines, and assistance in meeting regulatory and reporting needs. Contact us for more information.


Stryker, Nicole. The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate, KPMG survey results, March 2017.

Volkov, Michael. “Wells Fargo’s Desperate Need for a Compliance add Business Ethics Function (Part III of III). Corruption, Crime, and Compliance blog, April 11, 2017.