The role of the chief compliance (and ethics) officer is currently a hot, if confused, topic. What does she do — ensure good process or enforce strict compliance? To whom does she report — GC/CFO or CEO/board? What is her role in shaping the company’s voluntary adoption of ethical standards — beyond what the law requires?
This issue has been thrust into high relief by regulators and enforcers who, in light of various scandals, want a more independent compliance function in corporations. For example, changes in the federal sentencing guidelines would give corporations extra credit if the “specific individual” in the corporation with “day-to-day operational responsibility for the compliance and ethics program” has direct access to the board of directors. The issue has also received attention in the resolution of various high-profile cases, including a recent Pfizer Inc. settlement of criminal and civil matters with the U.S. Department of Justice and the U.S. Department of Health and Human Services, which required that the company’s chief compliance officer bypass the GC and report directly to the CEO.
Let me offer a somewhat contrarian, more nuanced view about the critical importance of a chief compliance officer, but in a right-sized role.
There are three broad organizational options:
- The chief compliance officer is independent of the GC and CFO and reports directly to the CEO and board.
- The GC is also the chief compliance officer (CCO).
- The CCO reports to the GC and the CFO, and deals primarily with the process of compliance across all substantive subject-matter areas.
I favor the last option as the practical ideal because it builds on the vital need in a corporation for a strong, broad-gauged GC (see my essay, “The General Counsel as Lawyer-Statesman,” Harvard Program on the Legal Profession, 2010), because it avoids significant organizational overlap and confusion, and because it focuses the CCO on critical process management, uniformity, and rigor across the corporation.
Here are some of the key reasons for my view.
- Many Experts, Not One. Compliance is not one substantive subject but many: competition law, employment law, environmental law, labor and employment law, international law, accounting rules, and disclosure law. Compliance also involves particular subject-matter areas governing specific industries (health law, communications law, banking law, etc.).
- Experts Report to GC/CFO. The substantive experts in all those areas of formal rules, legal and financial, need to report either to the GC or to the CFO. They must be at the core of all compliance functions in their substantive areas, and they are also involved in myriad business and policy issues beyond compliance. It makes absolutely no sense to duplicate that expertise by having a second set of experts who report to the chief compliance officer.
- The GC’s Role in Individual Decisions. These substantive experts staff the GC or the CFO for meetings with the CEO and the board to define and discuss critical decisions with a legal or ethical component — a new deal, a new product, a new geography, a new government investigation. The general counsel and the CFO should be at the table, supported by substantive experts inside the company who work for them. Indeed, the growing importance of “business-in-society” issues in major companies means that the GC is becoming equal in importance to the CFO in the eyes of the CEO and the board of directors.
- What is “right”? In these individual decisions, it should be the role of the GC not only to address the question of “what is technically legal,” but also to raise and help analyze the question of “what is right.” This second question requires assessment of the spirit of the law, ethics, reputation, public policy, and societal expectations in light of the corporation’s enlightened self-interest. It is ludicrous to suggest, as some do, that the GC only worries about what is “legal” and the chief compliance officer worries about what is “right.” The “what-is-right” set of issues is at the center of the role of the modern, broad-gauged general counsel as wise counselor and leader.
- Compliance IS a core GC job. At the dead center of the GC (and CFO) job is responsibility for adherence to the formal and ethical rules binding the company. They must be partners to the CEO, but first and foremost they must be guardians of the company on the three essentials of compliance: prevent, detect, and respond.
- Experts and compliance basics. The fundamental responsibility in a good organization for fusing performance with integrity lies with the CEO and top business leaders. But it is the substantive experts reporting to the GC and CFO who must work with businesspeople to map core commercial processes, assess where risks exist, and then devise risk mitigation procedures. Their substantive expertise and involvement are vital in developing education and training, in devising techniques for checking and balancing, in creating appropriate monitoring mechanisms, and in investigating, disciplining, and rebuilding failed systems.
What, then, is the role of the chief compliance officer when he or she reports to the GC and CFO? Put simply: process integration and rigor. Because there are so many different substantive areas of compliance, handled by different experts, it is vital that these threads be woven together into a coherent compliance program. There must be a single code of conduct and uniform set of policy guides. There must be integrated general education and training for all employees. There must be an integrated method for tracking individuals who move into high-risk jobs: risk assessing those jobs across several compliance areas and providing tailored, individualized courses. There must be a systematic company method to process map, assess risk, and mitigate risk. There must be oversight of the ombuds system to ensure that it is being operated fairly, promptly, and without retaliation. There must be a continuing, energetic search for best compliance practices outside the company. In sum, there must be an overall assessment of how compliance processes are working beyond reviews of particular substantive areas (e.g., competition law or environmental protection) and beyond individual business units.
Although substantive lawyers have expertise and knowledge to assess legal and ethical risks in their areas, and to design specific mitigants, they may not have the process skills that great compliance leaders possess. (Compliance leaders may not even be attorneys but can, for example, be ex-military officers with outstanding organizational and process skills.) Working with the GC and CFO and with the substantive compliance experts, the compliance officer assists business leaders in embedding integrity processes deep into business operations. Make no mistake, I believe process management across the whole compliance system is a central and vital job.
But, as noted, it makes no sense for the chief compliance officer to be “independent” and to hire the various substantive experts who must work on compliance but also on business problems for the GC and CFO. That doesn’t amount to appropriate “checks and balances,” but is a source of bureaucratic waste, confusion, and possible turf-fighting. Similarly, the GC should not be CCO in the sense that I have used it here because rigorous oversight of the compliance processes demands too much time, and a direct report to the GC (and CFO) needs an important title like CCO to command the respect this critical job requires.
The main objection to the position I am advocating is expressed in one phrase: lack of independence. At headquarters, the GC and CFO will be compromised by their relationship to the CEO, and their fear of losing unvested options or restricted stock units or deferred compensation. Down in the organization, division lawyers or finance people will be afraid to speak candidly to their business leaders and afraid to report up to the company GC or CFO.
The short response to this objection is one word: culture. In a good company — a company with a high-performance, high-integrity culture — the CEO leads personally and directly on integrity and, with the board’s explicit support, makes clear that she wants the GC and CFO to be rigorous and candid on issues of legal, financial, and ethical rules. Creation of such a culture turns on top leadership, not on the chief compliance officer.
In such a culture, the chief compliance officer attends all integrity reviews with top leadership and, like the head of the company audit staff, can report directly to the audit committee of the board periodically on the strengths and weaknesses of compliance processes (to satisfy the new if ambiguous language of the Sentencing Guidelines). Indeed, I would go so far as to have the board and the CEO commit to give the chief compliance officer access to them at any time when the CCO believes that the company is not handling a compliance issue properly, including misbehavior by the GC or CFO.
In a bad company, with a poor culture, a distant board and an indifferent CEO (or worse), independent voices — whether from a chief compliance officer or the GC/CFO — will be muffled and discouraged. Neither a general counsel nor an independent chief compliance officer can change a bad environment, which deeply affects how people feel, think, and act. If tone at the top is rot at the top, then little can be done without the CEO or board being removed. Indeed, the misguided (in my view) enforcement thrust for a CCO wholly independent of the GC and CFO has stemmed from major scandals caused by senior leadership’s unlawful, unethical, or negligent behavior and by board indifference or negligence. If the GCs (or CFOs) were complicit or negligent, enforcers should press for their replacement, not for supplanting them.
To me, one good example of the approach suggested here is Siemens AG. Following a massive bribery scandal, its new CEO (Peter Löscher) and new general counsel (Peter Solmssen) undertook an intense effort to resolve outstanding cases, change the culture, redesign compliance processes, and make adherence to law and ethics a critical part of performance appraisals. To help address integrity issues in the future, a newly energized chief compliance officer and compliance function have been established. They report to the general counsel.