DOJ’s Compliance Program Evaluation: the Role of the CCO (Part II of IV)
DOJ’s Compliance Evaluation highlights important trends in the role and independence of the Chief Compliance Officer. DOJ has stopped short of requiring direct reporting of a CCO to a CEO or other senior officer but it is inching closer to such a demand.
In the topic area relating to Stature [of a CCO], DOJ lists important issues for a company to consider in designing its compliance function – specifically, a company has to consider how the compliance function compares with other strategic functions in the company in terms of “stature, compensation levels, rank/title, reporting line, resources and access to key decision-makers.” Most companies will fall short on this list of key components. It is rare these days to find compliance elevated to meet all of the requirements listed by DOJ, and there does not seem to be any sense of urgency in corporations to address these important issues. To the contrary, companies claim they are moving forward on these issues but when you examine them carefully, they fall woefully short in most instances.
While there has been an important elevation in the role of CCOs in most companies, CCOs do not have the stature of comparable functions nor the “line of sight” across the organization to carry out their responsibilities. CCOs continue to lag behind comparable functions in terms of compensation, rank/title, reporting line, and access to key decision makers.
I want to highlight one area in particular where CCOs are suffering – resources. Unlike internal auditors who can demand additional resources needed to comply with basic financial Sarbanes-Oxley requirements, Audit/Compliance Committees fail to respond to resource needs in the compliance arena with any urgency, usually putting off such requests or seeking interim, band-aid, solutions. CCOs have been beaten down on this issue and need to bring this to the forefront. There is nothing more damaging to a company’s ethics and compliance program then continuing strangulation of effectiveness by lack of resources.
Companies have a better record in fostering CCO independence and autonomy. DOJ’s questions in this area, however, reinforce this trend by asking if the CCO has a direct reporting line to the board, and how often they meet. A robust reporting relationship with direct access to the board is a critical requirement for a compliance function.
DOJ’s questions, however, go a little further by asking how the compliance function performance is reviewed, who determines hiring, compensation and firing of CCOs, and other steps taken to ensure independence of the compliance function.
Companies need to focus on this question and have the board hire, fire and negotiate terms and conditions for the CCO. A corporate board is the ultimate entity responsible for compliance and this needs to be reinforced by putting the board in charge of the CCO’s contract and compensation.
DOJ’s questions on empowerment include an interesting set of questions focused on whether there have been specific transactions or deals were “stopped, modified, or more closely examined” as a result of compliance concerns? This inquiry is creative an reflects an understanding of how a robust compliance program could influence a company’s business operations.
The question, however, is misguided and reflects an immature understanding of how a compliance function may influence business operations without resulting in a specific intervention. Indeed, in some cases, a compliance function, if given a seat at the business table, may create a general frame of reference that will avoid a more specific “confrontation” between business and compliance resulting in a change in a specific deal or transaction. Nonetheless, the question sets out an interesting perspective that a CCO should consider when interacting with business operations.
Finally, the Compliance Evaluation questions focus on outsourcing of compliance functions. This is an important issue because it raises an important issue – are companies relying on outside consultants, accountants and law firms to conduct basic compliance functions? We have seen a cottage industry around compliance grow. However, it important to distinguish between day-o-day operations and functions that provide value to the overall operation of a compliance program. The question of outsourcing and what is outsources is important to consider because in many cases it may be a means to obfuscate or delay internal consideration of basic resource needs for compliance programs.