Empowering Compliance Officers: The Key to an Effective Compliance Program
The test of any compliance program is simple. All you have to do is look to the Chief Compliance Officer and ask these two basic questions:
1. Does the CCO have independent authority and reporting access?
2. Does the CCO have the resources needed to carry out the job?
If the answers are no, the program is not adequate. In 9 cases out of 10 where the answers are no, if you look under the hood, you will see a disaster waiting to happen.
If the answers are yes, you will probably see an effective compliance program.
Too many companies have the basic “bare bones” compliance program. They are inadequate and accomplish very little in making sure that a company complies with the law. A “bare bones” program consists of:
1. A Code of Conduct and an FCPA Compliance policy (on the company website)
2. An employee hotline
3. An annual training program (and for new hires)
4. A CCO who reports to the General Counsel or the Internal Auditor.
5. A CCO with a staff of less than five employees buried somewhere in the corporate infrastructure.
I have seen this picture all too often. It looks more and more like a “Gilligan’s Island” re-run.
I want to try and get back to basics. Here are three basic requirements to get started on an effective compliance program:
The first step, and perhaps the most important step, that a company can take in compliance is to elevate the CCO. Forward-thinking companies are not relying on the General Counsel to ensure compliance. They are empowering their CCOs by elevating them to senior management. When important business issues come up, the CCO is at the table. CCOs are becoming proactive problem-solvers. It is about time.
Second, cutting-edge companies (big and small) are establishing direct lines of authority between the CCO and the CEO, as well as the Board’s Audit or Compliance Committee.
Third, CCOs are given sufficient resources to carry out their responsibilities. CCOs should never be pigeon-holed in a legal office or buried in an auditing office. They need to be a separate and distinct office, with a C-Level office and designation, and with full authority to carry out their mission.
As I have written and said for many years, CCOs are the unsung heroes of the compliance world. When something goes wrong, they are the first to be blamed. When CCOs need authority and resources, they are the last to get what they need.
Companies that want to elevate their corporate governance and ethics values need to make sure that they start with their CCO and empower the CCO to design and implement an effective compliance program.
Companies that are committed to promoting corporate governance and ethics are willing to restructure their management to elevate the compliance office, and match this structure on the board by creating a Compliance Committee. The CCO should have direct reporting authority to the Compliance Committee. This structure sends the right message to everyone that the company is committed to forward thinking on risk and compliance responses.
It is fascinating to me how Risk Management or Risk Officers have become the latest fad in corporate governance. To me, that is an unnecessary duplication of functions that naturally can be handled by the Compliance Committee and the Chief Compliance Officer. After all, to ensure compliance, you need to know and assess your risks.
Michael,
A terrific blog, which stresses the right points. This should be a must-read for every CEO. The only point where I disagree is your thought on Risk Managers and Risk Officers. The compliance risks are only one area of risks for an enterprise. There should not be different risk management procedures for economic risks and compliance risks; this should all end up in one company risk report. Of course, the CCEO has to provide his input of compliance risks in the overall risk assessment process, but the one responsible for the overall process and results is the risk officer and not the CCEO.
Thomas
Michael,
Another great, insightful column on the independent, empowered CCO. In a recent RAND Symposium on Leadership and Culture (May 16, report pending), a recurring strong theme was the role of the independent CCO as the single most critical factor (after active, meaningful senior management commitment) for an effective compliance program vs. your “bare bones” or paper program. I addressed this same issue in my invited 2009 RAND white paper http://compliancestrategists.net/sitebuildercontent/sitebuilderfiles/Rand1.pdf. I would add two items to your description of positioning: 1) a seat at the table where important decisions are made (not just emergency access to the board) and 2) no “carve outs”. Many companies set up a CCO with a badge and a gun and then “carve out” critical risk areas such as FCPA, Antitrust or Safety from CCO oversight and the compliance program. The CCO does not have to be the subject matter expert or doer, but she does have to hold oversight and line of sight.
On the issue of CCO as Risk Officer, in my view that’s a little tricky because compliance and ethics risks are just a subset of overall company risks, and many will be outside the natural subject matter expertise of the CCO. It can be done under certain circumstances (but not others!) but requires caution. I wrote an Op Ed on this topic earlier this year http://compliancestrategists.net/sitebuildercontent/sitebuilderfiles/agenda.11.21.2011.ceco.risk.pdf
Again, thank you for this terrific column and your strong support of the empowered CCO role. When someone of your background and expertise speaks out on this topic, it is very powerful. (I will feature it in tomorrow’s newsflash.)
Donna Boehme