I read with great interest the Corporate Counsel article, “An Independent CCO is a Compliance Program Requirement,” by Michael Volkov, founder and CEO of the Volkov Law Group.
In the article, Volkov discusses the ongoing resistance to empowering a Chief Compliance Officer (CCO) separate from the General Counsel (GC) and the legal department. He notes that, despite a poor track record of GCs serving as CCOs and various government guidelines that encourage separation, there are still many who argue that this is a preferred option. I agree with the basic premise of his argument, however:
- there are situations where this is still the right decision for some organizations (particularly in small to mid-size companies); and,
- I am concerned, most importantly, that this argument doesn’t address the real crisis of current compliance officer reporting lines.
The real crisis of compliance officer reporting is not whether the role is with the General Counsel or another separate high level executive – both of whom will likely have direct and frequent access to the Board and CEO.
The real crisis in the profession today is that the reporting level of the actual compliance position (the person doing the day-to-day work) has dropped like a rock in the organizational reporting structure over the last 10 years.
Related Article: Fauxtroversy: Combining or Separating GC and CCO Roles?
What used to be a position that reported to the CEO is now too often managed by someone two or three levels below the General Counsel (or some other high level executive). With this arrangement, the busy high level executive has far less visibility into the daily challenges and issues addressed by the program, and is more likely to only really focus on these matters periodically, such as in preparation for Board reporting.
Certainly today’s compliance position isn’t managing less risk than 10 years ago and there is no shortage of new and unplanned challenges for today’s compliance officer. So why are organizations dropping the position to lower levels at a time when compliance risks are growing as fast as global expansions?
Related Article: Chief Compliance Officers: Mitigating Personal Liability Risk
Reasons given are typically complacent statements like “we won’t have a problem here,” or “we haven’t had a problem here.” But, perhaps the real culprit is the attitude (spoken or unspoken) that “we don’t need a highly paid executive to rollout policies, training and farm out hotline calls. And we certainly don’t need this person to challenge our business decisions.” In my opinion, this negative attitude toward the role and value of the compliance function is what most often leads to the major failures noted by Volkov. However we got here, relegating compliance to a project management role is a higher risk to organizations than whether the GC is also the CCO.
In our advisory practice, we have seen many successful and committed GCs function in the CCO role. The most effective compliance officers are truly empowered, respected members of the executive team who have regular direct access to the CEO and Board, along with the clout to raise tough issues and drive executive-level conversation about risks, rewards and the right thing to do. This person is a reflection of a strong organizational culture, sound leadership priorities and the right tone at the top – not a keeper of check-the-box exercises. Lower level managers are not in a position to recognize potential higher-level risks to the organization or participate in – let alone influence – strategic business thinking and decision-making conversations.
From Volkov’s perspective as a former prosecutor and a white collar crime defense attorney, he typically only sees the colossal failures with GC-led programs so I understand and appreciate his argument. But many GC-led programs work well and we don’t hear about them because they are successful. They are successful because the GC takes the position seriously and uses the access and clout that comes with the position to positively impact the dialog and decision-making.
I suggest we first focus on getting the compliance function back to the executive suite and then we can focus on which executive should lead the charge.
