Compliance is often overlooked by the world’s smallest companies. However, as they grow in size and sophistication, meeting compliance obligations becomes more pressing. Indeed, many small and medium-sized enterprises (“SMEs”) struggle with compliance challenges. To an SME with limited resources, hiring a new in-house chief compliance officer ("CCO") to develop and implement a narrowly-tailored compliance program seems burdensome. On the other hand, entrusting an employee who lacks specialized training with the compliance function, might help the company reduce costs, but it might also create unnecessary risks. To avoid these consequences, many SMEs outsource the compliance function to outside compliance specialists.

Outsourcing compliance is often cheaper than employing a full-time in-house CCO and more viable than entrusting the role to a non-specialist employee who is already burdened with other duties. However, is relying on an outsourced CCO really the best option for SMEs? SMEs considering this option should carefully assess the associated costs and benefits and whether it is appropriate for their company.

BENEFIT 1: EXPERTISE IN COMPLIANCE AND REGULATION

Assuming that the outsourced CCO is an experienced compliance specialist, the CCO can bring talent, a solid knowledge base, and a structured process framework to the company. Additionally, some smaller companies find that hiring external CCOs enhance their credibility with regulators.

Risks:

1. Outsourced CCO's Lack of Knowledge about the Company or Industry

   Risk assessment is the necessary first step in developing an effective compliance program. However, if the outsourced CCO’s limited knowledge of the SME and its industry prevents the CCO from identifying business, legal, and compliance risks specific to the company, the CCO might expose the company to the risk of (i) overlooking critical areas in internal policies and procedures that should be tested; and (ii) developing compliance policies that are inconsistent with the company's actual business practices and strategies.

   
   

2. Over-reliance on Templates and Standardized Checklists

   The outsourced CCO's templates and checklists for compliance programs might be overly generic or outdated.

SME's Risk Mitigation:

1. Conduct Rounds of Interviews at the Selection Stage

   Compliance specialists across industries agree that the most important skill for CCOs is the ability to inform and influence senior management (i.e., communication skills). The company should consider using interviews to see how each candidate responds to a set of hypothetical situations.

   
   

2. Engage in the Risk Assessment

   The company should involve its board of directors and management in the outsourced CCO’s initial and periodic risk assessments to help the CCO accurately understand the company and industry.

   
   

3. Maintain Frequent and Personal Interactions with the Outsourced CCO

   According to the U.S. Securities and Exchange Commission in its 2015 report, outsourced CCOs who frequently interacted with the company and its employees—in contrast to relying on impersonal interactions, such as electronic communications and standardized checklists—tended to create compliance policies and procedures that were more consistent with the company's actual business practices.

   
   

BENEFIT 2: IMPARTIALITY AND INDEPENDENCE

SMEs’ limited resources incentivize them to assign their compliance functions to (i) a member of the executive board who holds other primary responsibilities; or (ii) a company employee who is not on the executive board but whose primary role is compliance. However, this potentially creates conflict-of-interest concerns. For example, if an SME appoints its Chief Financial Officer or Chief Operating Officer as the CCO, their primary responsibilities (i.e., overseeing the company's financial health or business operations) may conflict with their compliance responsibilities. Outsourcing can help the company mitigate such conflicts-of-interests.

Risks:

1. SME's Over-reliance on Outsourced CCOs

   Developing and implementing an effective compliance program is a collaborative effort. Both the company and the outsourced CCO must actively collaborate and build mutual trust. Over-reliance on an outsourced CCO can result in an ineffective compliance program and may even cause disputes between the company and the CCO.

   
   

2. Outsourced CCO's Limited Communication and Availability

   Limited communication and availability can turn an A+ level compliance program into a mere paper compliance program. Ensuring that compliance functions, policies, and procedures are accessible to employees is the key to effectively implementing a corporate compliance program. Outsourced CCOs who make office visits infrequently tend to be insufficiently empowered to implement important changes.

   
   

3. Outsourced CCO's Limited Authority within the Company

   Outsourced CCOs may have limited authority to independently obtain information or records necessary for various assessments. This could hurt the independence and accuracy of the CCO's risk assessments because the CCO would have no choice but to rely on the information selectively provided by the SME’s employees.

SME's Risk Mitigation:

1. Reminder: Each SME Is Ultimately Responsible for Its Compliance

   Bringing in an outside expert is not enough. The SME remains ultimately responsible for compliance and must stay actively involved in developing and implementing an effective compliance program.

   
   

2. Again, Maintain Frequent Personal Interactions with the Outsourced CCO

   The company might need to implement additional measures to improve the outsourced CCO's communication with and availability to its employees. This may incur additional costs, but is preferable to compliance gaps.

   
   

3. Regularly Introduce the Outsourced CCO to Employees at Town Hall Meetings

   Tone at the top matters. The company should send a clear message to its employees, regulators, and the outsourced CCO that the company is serious about risk mitigation and compliance.

BENEFIT 3: FLEXIBILITY AND COST REDUCTION

SMEs can use flexible implementation and remuneration models matching their needs and financial capabilities.

Risks:

1. Under-resourced Compliance Function

   Given that limited resources often drive SMEs to hire an outsourced CCO, they may also outsource other key functions related to compliance, such as software, computing, and data storage. However, outsourced CCOs may lack the authority, resources, or willingness to (i) coordinate with other outsourced entities or (ii) assert influence over them when necessary.

   
   

2. Cost Redundancy

   To mitigate the potential risks stated above—such as the outsourced CCO’s (i) limited access to the company information and (ii) restricted communication with and availability to employees—the SME may need to make extra efforts to communicate effectively with its employees and help the CCO utilize available resources efficiently.

   
   

3. Outsourced CCO Serving Multiple Clients

   The outsourced CCO may be serving multiple companies simultaneously, making the CCO potentially unable to stay sufficiently focused on each individual company.

   
   

4. Reduction in Control

   For a company’s compliance program to be effective, the company should not only implement the program, but also ensure that the program continues to operate. Therefore, ensuring the outsourced CCO’s security and stability is important. However, if the outsourced CCO is dispatched from an outside consulting firm, turnover within the firm may result in loss of institutional knowledge, inconsistent approaches, and delays, thereby negatively affecting the continuity and success of the SME’s compliance program. This will likely incur additional costs.

   
   

5. Risk to Data Security

   The outsourced CCO is obviously not the SME’s employee. However, the CCO must have access to corporate documents and information to oversee the company’s internal controls. Given the hybrid nature of the compliance function (i.e., independent from the board, but deeply involved in the management), defining the scope of access for the outsourced CCO without hindering the CCO’s job will likely be highly challenging.

SME’s Risk Mitigation:

1. Demonstrate Best Efforts

   U.S. regulators assess a company’s management of expenses to ensure compliance programs are not underfunded. Each SME should demonstrate to regulators that the company is making adequate investments to have the right personnel and tools in place for a strong compliance program.

   
   

2. Review Its Own and Outsourced CCO’s Performances Periodically

   In addition to the initial assessment, the company should periodically (i) evaluate the outsourced CCO's financial stability and facilities, (ii) monitor quality and key performance indicators, and (iii) assess its size and business complexity to decide whether it needs a full-time CCO. SMEs could utilize termination and transition clauses in the terms of agreement with outsourced CCOs.

   
   

3. Establish a Direct Reporting Line to Senior Management

   The best practice for cutting-edge companies of all sizes is establishing a direct reporting line between the CCO, CEO, and, if available, the board’s audit or compliance committees. This sends a clear message to the parties involved (i.e., company employees, regulators, and the outsourced CCO) that the company is committed to risk mitigation and compliance.

Relying on an outsourced CCO presents both opportunities and risks. Yes, SMEs can mitigate the identified risks by actively monitoring and collaborating with their outsourced CCOs. However, to oversee the outsourced CCO’s performance, the SME must be familiar with the process of developing, implementing and managing compliance functions, which many SMEs lack.

In addition, hiring an outsourced CCO may place a greater burden on the SME. With the outsourced CCO, the company needs to monitor the outsourced CCO while being monitored by regulators, the outsourced CCO, and, when applicable, an independent third-party monitor.

Each SME must determine whether outsourcing the compliance function is feasible and ideal for the company and its employees by carefully assessing the risks and opportunities associated with the option. In its cost-benefit analysis, the company must consider its size, industry, business culture, and business strategies. The analysis should go beyond evaluating whether the company has the resources to hire an outsourced CCO. The company should assess whether the company and its employees would be able to maintain active collaboration and engagement with the CCO throughout the process.

For more information on compliance programs, please refer to Integrity Compliance Programs for SMEs: Practical Guidance and Resources (“SME Guide”), a collaborative work prepared by the World Bank Integrity Vice Presidency and the Ministry of Justice, Republic of Korea. The SME Guide seeks to provide SMEs with a useful framework for developing effective corporate compliance programs that fit their own business models, budgets, and risk profiles.

Yeawon Choi

Juris Doctor (January 2025) | New York Bar Candidate