One of the items that the Department of Justice (DOJ) has increasingly focused on in its enforcement actions is the role of the Chief Compliance Officer (CCO) and whether this position has adequate staffing and resources to accomplish its mandated tasks in a minimum best practices compliance program under the Foreign Corrupt Practices Act (FCPA). The recent Pfizer Deferred Prosecution Agreement (DPA) stated the following regarding the CCO position (called Chief Compliance and Risk Officer):
a. Maintain the appointment of a senior corporate executive with significant experience with compliance with the FCPA, including its anti-bribery, books and records, and internal controls provisions, as well as other applicable anticorruption laws and regulations (hereinafter “anti-corruption laws and regulations”) to serve as Chief Compliance and Risk Officer. The Chief Compliance and Risk Officer will have reporting obligations directly to the Chief Executive Officer and periodic reporting obligations to the Audit Committee of the Board of Directors.
Regarding the resources which should be dedicated to the compliance function, the Pfizer DPA stated:
Pfizer has committed and will continue the commitment of significantly enhanced resources for the international functions of the Compliance Division that have reporting obligations through the Chief Compliance…
The Pfizer DPA is one in a line of DPAs and Non-Prosecution Agreements (NPAs) where the DOJ and the Securities and Exchange Commission (SEC) have made clear that the CCO must be a senior level employee within the company. I think that this requirement is absolutely mandatory to not only set the proper tone within a company but also to give the CCO and the compliance function the clout needed to implement, enhance and run a minimum best practices FCPA compliance program.
Indeed, in the recently released FCPA Guidance, the DOJ and SEC made clear that, in appraising a compliance program, [we] “consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee). Depending on the size and structure of an organization, it may be appropriate for day-to-day operational responsibility to be delegated to other specific individuals within a company. The DOJ and SEC recognize that the reporting structure will depend on the size and complexity of an organization. Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, the DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” [Emphasis supplied]
I think that the DOJ and SEC are moving companies to not only have more robust compliance programs but the CCOs and their programs must be adequately situated within the organization and adequately funded. For CCOs I think that this means they should be at a level in the organization equal to the General Counsel (GC) and compensated at an amount equal to the GC. The reason is clear: the DOJ and SEC expect the compliance function to be a leadership function within the company’s structure and given all the respect due such a position. The days where the compliance function is viewed as something other than legal work are long gone and companies need to have their CCOs at least equivalent to their GCs. I also think that this always means the CCO must sit on a company’s Executive Leadership Team (ELT). Once again the reason is clear: Compliance must not only be shown to be Mission 1A (Safety being Mission 1) but the CCO can only manage the compliance risk if it has a seat at the executive leadership table.
These comments are consistent with the US Sentencing Guidelines which were revised in November 2010. In these revisions, there was a change in the reporting structure in corporations where the CCO reported to the GC rather than a committee on the Board of Directors. The change read “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such structure most probably no longer qualifies as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or appropriate subcommittee of the Board such as compliance or audit.
Equally important are the resources dedicated to the compliance function. My colleague Stephen Martin, a former state and US prosecutor, gives this rather straightforward example of a question that a prosecutor would ask when confronted by a company that provides limited internal funding to the compliance function. He would ask, “How much does your company spend on yellow post-it notes (or paper clips or pens)?” If the answer is significantly more funding than is afforded to the compliance function, his response would be “Which area is more mission-critical to complying with the FCPA; your compliance function or yellow post-it notes?”
The DOJ is clearly signaling the increased importance of the CCO. The position should be viewed as co-equal to the GC. Just as clearly, the DOJ has signaled that an appropriate level of resources should be devoted to the compliance function. By following these evolving best practices you can add to the credibility of your defenses if your company becomes involved in an FCPA investigation or enforcement action.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2012