A compliance mindset and framework can double as a way for compliance professionals to assess their own career skills and capabilities and help their organizations build their teams and identify areas for improvement, according to the vice president and chief compliance officer for The Ohio State University.
Gates Garrity-Rokous explained that the organizational strategy that enables compliance activities to transform into a full-fledged program also can be used as a career framework for compliance professionals. “We have the expertise as compliance experts, as compliance officers, to build a compliance program. And how we build that compliance program may be applicable to how we organize our compliance careers through the organizational compliance competency,” he said at a Jan. 30 webinar sponsored by the Society of Corporate Compliance and Ethics.[1]
The 100 or so compliance professionals at The Ohio State University use a simple framework to assess their skills, Garrity-Rokous said. “All I’ve done here is applied a compliance approach toward the challenge of career development: identify each career domain or general area of skills within that framework and defined those skills in terms of competencies in their optimized state. Then I applied a maturity scale that was consistent to enable assessment of each domain against that optimized state.”
Six Areas of Competence for a Compliance Career
Ohio State has organized the components of its compliance program into a framework that is scalable for the university and all its units. The program has five main elements: risk assessment and abatement, communication, operational controls, evaluation and issue response and reporting. All the elements can be measured, and they center on the organization’s ethical values and leadership engagement. The framework maps to the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs (updated in 2023).
To take a similar approach to career development, Garrity-Rokous outlined what he called “six core areas of competence” for a compliance career. The first five are integrity culture and leadership, regulatory expertise, compliance expertise, process expertise and crisis management expertise.
The order of the first five domains follows a typical compliance career pathway, since most people enter the field in the regulatory space and move up from there, he said. The sixth core area of competence is defined as “values, behaviors, and skill acquisition.”
Compliance professionals need to acquire skills in multiple areas, Garrity-Rokous noted. They may be HIPAA experts, but they must be able to transfer their expertise to a compliance program using a risk assessment, policies and training controls, testing, and other tricks of the trade. “Being a regulatory expert is not enough.”
Core competencies can be measured on a maturity scale that includes five scores, Garrity-Rokous said:
-
1/rating of initial means competencies are unknown, or are implemented rarely or in ad hoc ways;
-
2/rating of developing means competencies are developing, and the daily role involves their infrequent use;
-
3/rating of repeatable means competencies are developing, and the daily role involves their regular use;
-
4/rating of managed means competencies are developed and regularly improved, and the person is acknowledged as an industry expert; and
-
5/rating of optimized means competencies are fully developed and routinely improved, and the person is recognized as an industry leader.