Ignoring the Compliance Message
Companies that ignore the need for an ethics and compliance program deserve whatever they get. There, I said it. Chalk up another profound grasp of the obvious.
The latest PWC Survey on the State of Compliance noted two significant results:
| Size of Company | Percentage with No CCO/Head of Compliance |
| --- | --- |
| Less than $1 billion | 42 percent |
| >$1 and <$5 billion | 37 percent |
| >$5 and <$25 billion | 23 percent |
| >$25 billion | 12 percent |
The shocking results noted above are even more disturbing when you consider that 54 percent of the respondents noted that the CCO in the company wears two hats, meaning they are not a dedicated CCO but are responsible for other functions. Most of these two-hatted CCOs are also the general counsel, but we all know that the general counsel and the CCO have entirely separate responsibilities and need to be separated in function and operation.
These responses are incredible. How can a company operating today have no CCO or a non-dedicated CCO? Talk about a reckless business strategy.
The only explanation for this may be that the board and senior management from these companies have been asleep or in a cave for the last few years. I would love to hear the explanations for the lack of attention to this issue. All I can say is I hope they have lots of insurance, but I would be surprised if any company would underwrite such a policy.
Starting from the premise that a company does not have a CCO or a dedicated CCO, how should the company catch up on compliance?
That is an interesting question. Given the risks that every company faces in the marketplace these days, catch up requires some careful thought since creating a compliance program from scratch always requires care in assigning resources.
As a first step, the board and the CEO have to join together to direct the establishment of an ethics and compliance program. A commitment to ethics and compliance has to be demonstrated and the message has to be sent throughout the company on the importance of ethics and compliance.
First, the board and the CEO have to decide on the structure of the ethics and compliance function, how and to whom the CCO shall report, and the selection of CCO. When playing catch up, it may be wise to designate someone from inside the company as the new CCO. The selection of the CCO is important and the CCO should be assigned exclusively to help launch the ethics and compliance program.
Second, as an initial step, the board, CEO and CCO have to take important steps to define the company’s ethics and compliance program, the objectives of the program, and the responsibilities of the CCO and the compliance staff. The board and the CEO have to send a strong message of support with the announcement of the program, the selection of the CCO, and the future vision of the ethics and compliance program.
Third, the CCO has to work on two immediate issues: (1) building and maintaining a culture of ethics; and (2) identifying the most significant risks that have to be addressed on a priority basis.
The CCO has to leverage the initial announcement and support from the board and the CEO to develop a message of ethics. The CCO has to conduct a round of ambassador-type meetings throughout the business to lay the groundwork for future collaboration and coordination.
At the same time, the CCO has to develop a quick priority list of risks that need to be mitigated. Rather than building entire systems to mitigate such risks, CCOs have to build risk-specific procedures that can be used initially to respond to a risk, with the idea of expanding such procedures system-wide down the road.
For example, if the company is planning to acquire another company, the CCO needs to participate in the due diligence process and develop a process that works for that specific acquisition. The basic outline of the process may be expanded later on to a more effective merger and acquisition process.
Similarly, the CCO has to identify high-risk third parties and develop a preliminary due diligence process for new third parties and attend to those existing high-risk third parties.
From even this brief analysis, it is easy to see that the CCO will be overwhelmed in the beginning of a catch-up process. CCOs have a tough job and one of the toughest assignments for a CCO is playing catch up.
Good article, although I do have one difference of opinion. If a company is starting from scratch, and has no experience running a compliance program, I think the worst thing, and the most common thing, is to designate someone from within as the new CCO. The new CCO in this instance needs to know how to build a compliance program, what the scope of that role is, and how to implement it. An organization with no compliance experience does not, by definition, include that skill set in its workforce. I have seen, more than once, organizations that think you can just plug someone in to the compliance role, and the program inevitably suffers. If the commitment is to having an internal person at the helm, then the organization needs to bring in a lot of expertise on the front end to help that new CCO get it right and learn the ropes. Just my thoughts…
Susan Walberg, JD MPA CHC