The DOJ has made clear over the years the importance of this hallmark. In the FCPA Guidance it states, “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization.” But this person must also have the expertise and resources to adequately fill that role. This last point was made clear when the DOJ announced its Pilot Program in April 2016.
Here we refer to the 2011 Amendments to the US Sentencing Guidelines, §8B2.1 (b)(2)(C), which specified:
Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
There was once an ongoing debate in the compliance world about whether a company can or should combine or separate the role of the Chief Compliance Officer (CCO) from that of the General Counsel (GC). However, it would appear that the initial debate has ended because of the differences in focus. The GC and legal department are present to protect the company. The CCO and compliance function exist to prevent, detect and remedy issues as they arise.
The 2015 Deloitte/Compliance Week Compliance Trends Survey reported, “Out of 364 respondents, 57 percent now say their CCO reports directly to either the chief executive officer (CEO) or the board. This number has fluctuated over time (from as low as the mid-40s), but is now clearly marching upward. Fifty-one percent say the CCO has a seat on the executive management committee, and 59 percent say the CCO job is a stand-alone position. Fifty-five percent say they regularly brief the board on the company’s overall ethics and culture.” These changes “suggest that most CCOs, especially those at larger corporations, now have an opportunity to participate in high-level discussions about corporate strategy, values, and culture.”
Neither the DOJ nor the SEC has taken a formal position on which approach they favor. Whichever structure your company may utilize, it is incumbent that any CCO have “sufficient authority and independence to oversee the integrity of the compliance program.” Indeed, the DOJ Pilot Program specifies this with the following language: “The independence of the compliance function.” Some indicia of independence would include a reporting line to the company’s Board of Directors and Audit/Compliance Committee with, more importantly, “unfiltered” access to the Board. There should also be employment protection including an employment contract with a “nondiscretionary escalation clause” and a requirement for Board approval for any change in the terms and conditions of employment, including termination. There must also be sufficient resources in the form of an independent budget and adequate staff to manage the overall compliance program.
A Board’s duty under the FCPA is well known. In the FCPA Guidance there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is here in Hallmark 3, which discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?
A Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.
Funding your compliance program is always one of the biggest challenges for any CCO. Short of being in the middle of a worldwide FCPA investigation, you are never going to receive all the funding you want or even think that you are going to need. But this corporate reality is not going to save you if the government comes knocking. The FCPA Guidance provides the following, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” The Pilot Program requires only that “the company dedicates sufficient resources to the compliance function.”
But there are some things that a CCO might do to try to obtain the resources needed. One thing you can do is have a list of information prepared and be ready to present it to the Board or CEO who may provide funding for your compliance function. If you lay out the information in a coherent manner, it allows the Board or senior management to get some perspective on the compliance function: what you are asking for and why.
Once again recognizing that every compliance function will always be resource constrained, you can look to other areas in your company to assist the compliance function. An obvious starting place is Human Resources (HR). Internal Audit is another function that you may want to look at for assistance as they should have access to your company’s accounting systems, which allows them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. A corporate IT department has several functions that can assist compliance. Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence.
For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016