Few ideas are as universally accepted in the compliance community as the belief that the chief compliance officer should be a strong, autonomous role that reports directly to the board or CEO.
Getting everyone else in the company to believe the same—that’s the tricky part.
According to PwC’s State of Compliance survey in 2016, only 39 percent of compliance officers report to the CEO or the board. Thirty-six percent report to the general counsel, and 17 percent report to other senior executives.
And all those numbers are only for the 70 percent of respondents who said their company had a named chief compliance officer at all. Among the 30 percent without one, half said their general counsel fills that role.
Preserving autonomy as compliance officer is a tricky thing, intertwined with the companion challenge of securing sufficient resources to run an effective compliance program. In my previous post, we explored how to run compliance on a shoestring budget, and the idea that independence and respect are more important than budget and staff. If you have the former, you can still manage the art of ethics & compliance without much of the latter.
“Independence and respect” are just other words for “autonomy.” So how can a compliance officer achieve it? And, more practically, how do you know when you truly have it at your organization?
Start With the Top… and Stay With the Top
As cliche as it seems, start by considering your CEO. What are the hallmarks of a CEO who respects the chief compliance officer’s position?
Above all, that would be a CEO who dwells at least as much on ethics as he or she does on compliance. Indeed, a good CEO should spend more time thinking about ethics, since compliance isn’t his or her job.
A company that flouts compliance obligations risks real penalties: fines, monitors, litigation, and the like. A company that flouts ethics, on the other hand—well, that behavior often brings no tangible consequence. Legal but unscrupulous business practices, or jerks who treat employees and customers rudely: they happen all the time. Seldom do they carry the same immediate threat of financial pain that can focus the C-suite’s attention like poor compliance does.
Good ethical conduct, in contrast, is demonstrated by following your core values, by “doing the right thing,” even at the expense of the company’s own advantage—and especially when nobody is watching.
I’m hard-pressed to imagine a CEO who would care about ethics to that level, and still prefer an ethics & compliance function subordinate to other interests. Even if the compliance officer’s exact title seems limited, the crucial elements for autonomy are your freedom to speak to senior executives about ethics and compliance and their willingness to listen.
A CEO eager to talk about good business practices is going to fulfill those two requirements for autonomy. Once he or she sets that tone, the other senior executives will follow.
The U.S. Sentencing Guidelines allude to that idea in their prescription for an effective compliance program. They never specify that a compliance officer must report directly to the CEO, although clearly that’s the ideal. They only say that the person responsible for daily oversight of compliance “shall report periodically to high-level personnel and, as appropriate, to the governing authority.”
You can report directly to a CEO who says, “Just tell me the minimum requirement to make compliance go away.” That does you no good. Even if you don’t report to the general counsel or some other high-level executive in that organization, those people won’t have any interest in cooperating with you. That’s not autonomy so much as it’s isolation.
A CEO who respects the compliance function, who lets it speak and tells others that they should listen to it—that is the in-house manifestation of the Sentencing Guidelines’ principles. That’s what you need to look for in your company’s senior leadership. That gives you the freedom to act in theory, and a path to act in practice. Then you’re going places.
