Compliance executives often complain that they have little sense of how a “typical” compliance department operates. New research from Compliance Week shows those frustrations to be well founded.

An exclusive survey of 284 executives at more than 230 public companies paints a diverse picture of compliance today. No clear rules exist for who “owns” compliance, who reports to whom, or how much attention to give overseas business units. Even when grouped by industry, revenue, or size of workforce, only the broadest of patterns emerge.

Slightly more than 40 percent of executives who oversee compliance do have the word “compliance” in their title. Thirty-one percent are simply chief compliance officers, while the rest are “compliance and ethics” officers, “compliance and governance” officers, or vice presidents of compliance and ethics.

Beyond that group, 12.7 percent of respondents listed themselves as general counsels or some legal executive one step below that (assistant, associate, or deputy general counsel). But while compliance typically involves considerable attention to matters of corporate law, financial executives in charge of compliance actually outnumber their legal counterparts: A total of 17.3 percent of controllers, vice president of internal audit, or even CFOs said they were the top compliance officers at their companies.

Thirty-five percent of compliance executives said they report directly to the CEO. The next largest reporting relationship was to the general counsel (20.8 percent), followed by reporting to the chief financial officer (19 percent) and reporting directly to the audit committee (10.6 percent). Only 2.5 percent report directly to the full board of directors.

But when the person doing the reporting holds the title of chief compliance officer, the numbers change significantly; more report to the general counsel, and fewer to the CFO. The difference points to how companies define “compliance” on a case-by-case basis. Those that report to the CFO typically view compliance through a financial reporting lens; CCOs typically view it through the legal lens.

Keith Darcy, executive director of the Ethics & Compliance Officer Association, says the Compliance Week findings are consistent with the ECOA’s own research. A September 2007 survey of 261 ECOA members found that 32 percent report to the CEO, while 7 percent report to the board; 41 percent report to the general counsel. He attributes that to uncertainty about how independent a compliance executive should be.

“We’re seeing some debate among members about whether the ethics and compliance function should report to the GC,” Darcy says. “The general feeling is that the general counsel has only one client, the firm. Therefore, there should be someone with an independent view of the issues—someone who can voice those views independent of the client relationship.”

That movement toward more independence, he says, means giving the top compliance officer—whatever his title—more access to the top of the organization, whether it’s the CEO or the board.

HEADING UP COMPLIANCE

The following chart from Compliance Week’s recent “Compliance Oversight Survey” polled readers on who “owns” compliance at their companies.

Who “owns” compliance at your company?

Total

Respondents

Chief compliance officer

90

31.7%

General counsel

31

10.9%

Other ethics, compliance title

27

9.5%

VP of internal auditing

21

7.4%

Controller, chief accounting officer

17

6.0%

CFO

11

3.9%

Multiple people

8

2.8%

Assistant or associate GC

5

1.8%

Other title (20+ other titles given)

74

26.1%

Total

284

Source

CW Oversight and Reporting Structure Survey (March 2008).

One school of thought is that the board itself should hire, set the salary of, and have the power to fire the top compliance executive. Darcy, however, says another argument is that reporting to the CEO gives the compliance executive “a seat at the table,” so he can hear about the company’s strategic issues. But, he adds, even under that relationship, the board should still play an “active” role in the ethics and compliance function.

Mitchell

Scott Mitchell, head of the Open Compliance and Ethics Group, endorses the idea of the board hiring and firing the CCO. That gives the compliance officer more freedom to pursue violations, he argues, including ones that reach into the C-suite. Mitchell also is surprised at the number of companies where the CCO reports directly to the CEO, which he says is rare.

Lines of Control

When a company’s top compliance officer is the general counsel or chief auditing executive, that person usually reports to the CEO, Mitchell says. Otherwise, the person tends to report to the GC or the head of auditing. But regardless of that “hard line” to a superior officer, most compliance executives also have independent access (the so-called “dotted line”) to the audit committee as well, he says.

Mitchell also notes that most large companies do have a compliance executive who works outside the legal and auditing departments, a trend Compliance Week’s survey also shows to be true. Of the 65 companies surveyed that had $10 billion or more in annual revenue, 36 had a chief compliance or chief ethics officer (55.4 percent). But at the 46 companies with less than $250 million in revenue, only 12 had chief compliance officers (26 percent).

In smaller organizations, Mitchell adds, companies are more likely to assign compliance to a general counsel or internal auditing chief. Giving such a job to the general counsel is “ill-advised,” he says, because of the inherent tension between finding and fixing problems versus trying to protect the company’s legal exposure. Having the top audit executive pull double-duty as the CCO is fine, “as long as the compliance officer is about compliance assurance rather than execution.”

Jack Holleran, leader of Ernst & Young’s corporate compliance practice, says that “structurally, there’s no conflict” in the general counsel and chief compliance officer being the same person. But he agrees with the emerging practice of making the CCO job a wholly separate position.

TRAINING TIME

More statistics from Compliance Week’s recent “Compliance Oversight Survey” revealed who is responsible for our readers’ compliance training.

Who oversees compliance training?

Total

Respondents

Compliance Department

142

50.0%

Personnel Department

36

12.7%

Legal Department

36

12.7%

Financial/Accounting Department

23

8.1%

Multiple Departments

26

9.2%

Internal Audit Department

5

1.8%

Other

12

4.2%

No answer

4

1.4%

Total

284

Source

CW Oversight and Reporting Structure Survey (March 2008).

Heller

Dave Heller, chief ethics and compliance officer at Qwest Communications, reports to the CEO for his ethics and compliance responsibilities and to the general counsel for all other responsibilities, which include regulatory compliance and risk management. Qwest’s compliance organization has a staff of 10 and an investigative function comprised of another 10 people.

“The more sophisticated the understanding of risk, the more likely the company is to have a stand-alone CCO,” he says. “You have two sets of eyes and ears looking at the issues.”

While Heller is evaluated by the CEO, the audit committee must make an affirmative determination to retain him on a yearly basis, which he says is a “means of protecting the independence of the compliance function.”

“It’s all about independence and access,” he says. “I have a clearly articulated responsibility to get to the board and audit committee in real-time when there’s alleged misconduct and also on a regular basis.” Heller also speaks regularly with the chairman of the audit committee, attends audit committee meetings, and meets at least twice a year with Qwest’s independent directors.

At gas and electric utility Aquila, the compliance function is dispersed throughout the organization, says Lynn Fountain, vice president of risk assessment and audit services. Aquila (which is in the midst of a sale to split up the company) completed a Six Sigma project in 2007 to evaluate all of its compliance risk.

“Because management of compliance is dispersed, we wanted to make sure we know who the owners of our various risks are,” Fountain says.

Fountain

Fountain’s group manages Sarbanes-Oxley compliance. She reports to the CEO and the audit committee. A compliance officer who reports up through human resources (and has a dotted line to the audit committee) focuses on code of conduct and personnel-related compliance issues and Federal Energy Regulatory Commission compliance. Separate groups manage regulatory and environmental compliance. A chief legal officer reports to the CEO and to the board.

Holleran says many companies are developing compliance committees, typically comprised of the CCO and other key internal stakeholders with a significant role in compliance and risk management, such as the general counsel, head of internal audit, and sometimes senior finance and human resources executives.

“A compliance committee fosters greater clarity about who plays what roles,” he says, “and helps engender quicker buy-in from other senior executives and the rest of the organization.”