The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. In it the 2012 FCPA Guidance focused on the whether the CCO held senior management status and had a direct reporting line to the Board; stating “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors.”
This Hallmark was significantly expanded in both the Evaluation of Corporate Compliance Program (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). Over the next two posts, I will be considering how the Department of Justice (DOJ) has increased the prestige, authority and role of both the CCO and corporate compliance function.
The DOJ’s Evaluation of Corporate Compliance Programs, made the following query about the CCO position:
- Autonomy and Resources
Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?
Autonomy – Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence?
In the Policy, the DOJ laid out additional factors around CCO authority:
- The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
- The authority and independence of the compliance function and the availability of compliance expertise to the board;
- The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
- The reporting structure of any compliance personnel employed or contracted by the company.
There is a new requirement for compliance “independence”. The DOJ has not taken a position on whether a General Counsel (GC) can also be the CCO. However, this new language would seem to signal the death knell for the dual GC/CCO role. It may also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC. While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the GC or reports independently, it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly not via the GC. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.
The Evaluation and the Policy build upon the 10 Hallmarks of an Effective Compliance Program and demonstrate the continued evolution in the thinking of the DOJ around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about independence, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance positions in their organizations.
Three Key Takeaways
- How can you show compliance really has a seat at the senior executive table?
- What are the professional qualifications of your CCO?
- Does your CCO have true independence to report directly to the Board of Directors?
The new FCPA Corporate Enforcement Policy has amplified the requirement for CCO independence.Click to tweet
This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.