There's little doubt that the compliance officer is becoming a vital part of the senior management team at most large companies, but exactly where the compliance function should sit within the company continues to be a subject of great debate.

Since the compliance function involves managing legal and regulatory risks, many companies have long preferred that it fall under the legal department, and for many it still does. Over the last few years, however, companies increasingly are splitting the roles of legal and compliance into separate departments, each reporting directly to the chief executive. 

According to a recent survey on compliance programs conducted by the Association of Corporate Counsel and ethics and compliance consulting firm Corpedia, 39 percent of 631 compliance executives polled said they report directly to the CEO. The second highest number of respondents (36 percent) said they report to the chief legal officer or general counsel.

“We see a pretty steady uptick in the number of compliance officers reporting into the CEO,” says Erica Byrne, executive vice president of compliance and governance solutions for Corpedia.

Those findings are in line with PwC's 2013 State of Compliance survey, which found that compliance officers reported on a formal basis to three main groups: chief executives (27 percent), general counsels (25 percent), and boards (23 percent).

Byrne says part of what is driving the shift in reporting structure toward the chief executive role is an increasing “recognition on the part of companies that, in order for compliance to be seen in the organization as a strategic function, the compliance officer has to have a seat at the senior table.”

Still, other companies have been pushed along in this direction by changes in the U.S. Sentencing Guidelines, which explicitly call for chief compliance officers to report directly to the board if a company hopes to gain the most cooperation credit possible during a federal investigation.

Corporate integrity agreements between federal agencies and several companies also commonly call for separation of the CCO and general counsel roles. For example, a Nov. 4 corporate integrity agreement between Johnson & Johnson and the Department of Health and Human Services stated that the CCO “shall not be, or be subordinate to, the chief legal officer or chief financial officer.” Similar provisions have also been included in agreements reached with GlaxoSmithKline, Pfizer, Eli Lilly, and many more companies.

Form vs. Function

Even as regulators explicitly call for separation of the legal and compliance functions, many compliance executives continue to maintain that where the compliance function sits in the company and to whom the position directly reports are less important than the level of support that the compliance function receives.

“What matters is that the person you're ultimately reporting into is an active advocate for the ethics and compliance program in the company,” says Steve Koslow, chief ethics and compliance officer of CUNA Mutual Group. 

At CUNA Mutual, for example, Koslow reports directly to Chief Legal Officer Faye Patzner, who reports directly to the CEO. “I don't report to her in her capacity as chief legal officer,” he says. “I report to her in her capacity as a senior-level executive in the company.”

It is important, Koslow says, for companies to understand the role of the individual to whom the chief compliance officer reports. “Is it simply administrative, or is it to have another set of eyes evaluating the effectiveness of the program?”

Once you define that, then you can determine where the compliance function should report, Koslow says. “I am very fortunate that I do not simply report to [the CLO] from an administrative perspective.  Rather, she continuously helps me assess the effectiveness and direction of our ethics and compliance strategy.”

In their FCPA Resource Guide, the Department of Justice and the Securities and Exchange Commission similarly recognize each company's unique reporting structure. “Depending on the size and structure of an organization, it may be appropriate for day-to-day operational responsibility to be delegated to other specific individuals within a company,” the guide states.

Requiring compliance to report into legal simply works well at many companies, particularly when it also reports to the board. At Chiquita Brands, for example, Chief Compliance Officer Allyson Bouldon reports directly to both the general counsel and the chairman of the audit committee of the board.

“In my view, this is an ideal structure for compliance functions generally and not just for Chiquita,” says Bouldon. “This structure provides direct, ongoing access both within the organization and with the external board. I believe both are key compliance program success factors.”  

“Ties and support within the organization are critical because without them, you really can't learn the business,” adds Bouldon. “Over time, if this learning does not occur, the ability to deliver impactful compliance program components will likely suffer.”  

Some companies are creating more touch points between compliance and business units. Intertek, a global product testing company, for example, takes what it calls a “matrixed” approach to organizing compliance. Intertek's compliance function is organized based on a combination of geographic regions (Americas, Europe-Middle East-Africa, and Asia Pacific) and three internal strategic units: products, commodities, and industry.

Q VanBenschoten, regional compliance officer for the Americas at Intertek, says that having this matrixed structure enables the compliance function “to leverage the industry knowledge of the compliance officers in each of the strategic units, as well as their regional or market-specific experience, to ensure we meet any specialized business needs or regulatory requirements.”

From time to time, matters may arise in which the “professional experience, support, and additional objectivity” of outside directors may be beneficial, Bouldon says. “In these cases, the ability to quickly reach out, utilizing established reporting relationships, is significant,” she says.

Another vital element of an effective compliance function is independence and ensuring the position has access to the right people throughout the company. Stacey Babson-Smith, chief ethics and compliance officer at Terex Corp., for example, says compliance should have the ear of those in the highest positions at the company. “There is nothing that limits my access to the CEO or to the board,” she says.

Executive Support

“The support you get from your CEO and executive leadership team directly impacts the success or failure of the compliance function,” says Babson-Smith. “The reporting structure is important, but I don't know that that drives the value of compliance through the organization as much as the sponsorship and engagement.”

At Terex, Babson-Smith has two direct reporting lines. “One is to the general counsel,” she says. “The other is to the governance and nominating committee of the board.”

TO WHOM DO YOU REPORT?

CCOs responding to ACC and Corpedia's 2013 benchmarking report were asked who they currently report to. Results are in the chart below.

Three out of four respondents report to either the chief executive officer or the chief legal officer/general counsel. Associate general counsel, VP compliance, and corporate compliance officer were the three most common responses provided by respondents who answered “other.”

Sources: ACC/Corpedia.

That reporting structure works well, she says, because of the support that comes from the top. “We have a very engaged CEO and executive leadership team, and it's very well demonstrated throughout our company,” says Babson-Smith.

This year, for example, when Terex rolled out its code of ethics and conduct, the company took a top-down approach, in which the CEO trained his direct reports, who were then tasked with training their direct reports, and it filtered all the way down, explains Babson-Smith. “So there was engagement at all levels of the organization, driven by our CEO,” she says.

Another element of a strong compliance program is the extent to which all employees, not just the executive team, value the importance of compliance in the company, says Byrne. “Tone-at-the-top is important, but it's also important how employees perceive the relative worth of compliance within the organization,” she says.

Koslow agrees. “It's important that there be multiple advocates of compliance,” he says.

“Every company is different, and so I don't believe that there can be a one-size-fits-all approach,” says Bouldon. “Instead, I think the focus should be on what is necessary in a given company to ensure the compliance function has the professional heft and the other tools needed to be effective.”

In all cases, the chief ethics and compliance officer must have support from the highest echelons of the company and be allocated the necessary resources and independence to serve as a vital member of the senior management team.