Designing the Right Structure for Your Compliance and Ethics Program
This article originally appeared in Michael Volkov’s blog, Corruption, Crime & Compliance, and is reprinted with permission.
People love to make mountains out of mole hills. Or to put in another way (as my daughter might say), “She/he is a drama freak.”
When it comes to structuring a compliance and ethics program, and the reporting lines, I have been accused of being a “drama freak,” meaning that I have advocated for an independent and empowered chief compliance officer. What does an independent and empowered chief compliance officer look like (aside from handsome or beautiful)?
Many answer this question with the Federal Sentencing Guidelines and provide the simplistic answer of: “Well, CCOs just have to report to the Board or the Audit/Compliance Committee?” That is a little too simplistic. It is worth taking a moment to define what is meant by a direct reporting relationship.
In management organizational terms, we are entering the world of dotted and straight lines. Some like to think of this issue in those terms. In most cases, the CCO should have both worlds — a dotted line to the board or board committee and a straight line to the CEO, or to the CCO, depending on the size and structure of the company’s senior management team.
To organize this inquiry, I like to break the issue down into three steps.
Step One is a basic but necessary step: The Company has to demonstrate its commitment to compliance by committing to creating an ethical culture. That is more than just the CEO saying the company is ethical and making such pronouncements from Mt. Olympus once every quarter. Do not get me wrong – a CEOs statement of commitment is an important action but it is really only one piece in the entire puzzle. The commitment to ethics and compliance has to permeate the company’s structure, at all levels, and become part of the fabric, the day-to-day operations of the company.
Assuming that the commitment is there, the question then is structuring the compliance function. It amazes me that in this day and age, after the 2010 Sentencing Guidelines amendments, 40 percent of all companies continue still have their chief compliance officers reporting to the general counsel. How can that be? What planet are these companies on?
Step Two then requires the empowerment of the chief compliance officer – that means, in practice, having the chief compliance with an independent line of reporting to the board or the audit/compliance committee. The CCO has to have the authority to report directly to the board. In practice, that does not mean day-to-day reporting; instead, it means at least quarterly reporting to the board or the audit/compliance committee and continuing, informal communications with the head of the audit/compliance committee. If necessary, the CCO has to be able to circumvent senior management and report to the board and/or board committee.
The Federal Sentencing Guidelines amendments of 2010 were intended to create such a relationship because of the need for CCO independence. As a consequence, the board would become more actively involved in the supervision of the compliance and ethics program and ensure that the CCO has adequate authority, autonomy and sufficient resources.
The question then becomes to whom does the CCO report on a day-to-day basis? That is Step Three and the answer really depends on the management structure and size of the company. JP Morgan recently made news by creating an independent and empowered CCO who report directly to the Chief Operating Officer. In a company as large as JP Morgan, that makes sense. In a “smaller” company, the CCO typically reports to the CEO. That also makes sense.
The CCO’s daily reporting relationship is not as important so long as one prerequisite is met – the CCO has to sit in the C-Suite. This is an important requirement and demonstrates the company’s commitment to compliance and ethics. If you ask CCOs what they want (beyond adequate resources), the CCO will invariably reply – senior management support and visibility. Support and visibility give the CCO the credibility they need to carry out their job, to walk into a room and know that the CEO backs the CCO and that the CCO has influence within the organization, meaning that the CCO is viewed as a valuable member of the business team.