The Effective CCO: Independence, Authority and Resources (Part III of IV)
As Supreme Court Justice Potter Stewart eloquently opined in Jacobellis v. Ohio (1964), on the legal definition of obscenity, “I know it when I see it.” This same test applies to other issues as well — when it comes to an effective ethics and compliance program, and an effective CCO, “[We] know it when [we] see it.” Or conversely (and perhaps confusingly), “[We] know it when [we don’t] see it.”
To get out of this linguistic mess, let’s return to valuable ethics and compliance principles and CCO requirements. While there has been lots of valuable guidance and discussions relating to CCOs and their roles and responsibilities, it all boils down to three important principles — independence, autonomy and resources. When it comes to these requirements, there are no cutting corners, no hedging, and no compromises.
The Justice Department’s Evaluation of Corporate Compliance Programs recognizes the fact that corporate compliance programs can be designed properly, but that in practice well-designed programs may operate ineffectively because of lax implementation or lack of resources. This is often described with the moniker of a “paper compliance program,” that is, a program that appears well-designed, but in practice suffers from ineffective implementation. DOJ’s expectations for effective ethics and compliance programs extend to review, revision, analysis, audit, and documentation of the company’s compliance program. Further, DOJ has emphasized that effective compliance programs ensure that employees “are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.”
In focusing on the role of the CCO, DOJ has specifically identified three important inquiries:
- Whether the CCO has sufficient seniority in the organization?;
- Whether the CCO [compliance function] has sufficient autonomy from management?; and
- Whether the CCO [compliance function has sufficient resources, “namely, staff to effectively undertake the requisite auditing, documentation and analysis of the compliance program?”
These inquiries are often referred to in short hand as the requisite, independence, authority and resources to implement an effective ethics and compliance program. As DOJ stated, the bottom line is whether compliance personnel are empowered within the company.
DOJ explains how these requirements should translate in the corporate operations and governance framework. While DOJ affords flexibility to companies to structure the compliance function in the context of the overall organization, companies have to adhere to these basic principles.
First, DOJ has noted that CCOs have to possess the authority and independence to execute their responsibilities. Further, CCOs have to maintain sufficient strategic importance in the organization equivalent to or no less than other comparable strategic functions. In making such a comparison, DOJ notes important factors such as “stature, compensation levels, rank/title, reporting line, resources and access to key decision-makers.”
Second, with respect to independence and autonomy, CCOs have to maintain direct access to the board to ensure that the board is adequately informed as to the company’s ethics and compliance program. The board itself has to establish an information and reporting system “reasonably designed” to provide management and directors with timely and adequate information to allow them to reach informed decisions relating to the company’s compliance with the law.”
DOJ identified important criteria under this issue for determining the existence of autonomy — direct reporting lines to the board or subcommittee thereof; frequency of meeting with directors; presence of senior management at these meetings; and steps taken by company to “ensure the independence of the compliance and control personnel.”
Third, on the issue of resources, DOJ notes that companies have to devote adequate resources to compliance, including sufficient personnel who have the requisite expertise and are compensated appropriately in order to “understand and identify transactions and activities that pose a potential risk.”
Most importantly, DOJ has emphasized that companies have to maintain sufficient staffing for compliance personnel to execute the required functions needed “to effectively audit, document, analyze and act on results” of compliance program performance. DOJ warned that it intended to examine situations where CCOs requested additional resources and have been denied and the reasons for such a denial.