Can the chief ethics and compliance officer maintain the true independence and clout necessary to be effective while reporting to the general counsel—or to anyone else other than the CEO or the board of directors? The consensus of compliance experts and practitioners is decidedly indefinite. Basically, they all say, it depends.

What does matter is unfiltered access to the CEO and the board when needed. If, in practice, reporting to the GC or another corporate executive (say, the CFO) impedes such access—either on paper or in actual practice, or both—it may be a good idea to change the reporting structure.

This question has taken on added importance recently. In a number of compliance areas—most prominently, in enforcement of the Foreign Corrupt Practices Act—the authorities have indicated they will ramp up prosecutions of individual high-level executives. Speaking just last month at Compliance Week 2010, Assistant Attorney General Lanny Breuer noted that 46 individuals have been charged with FCPA or bribery-related offenses since 2009—a trend Breuer vowed to continue as part of a “deliberate enforcement strategy to deter and prevent corrupt corporate conduct.” That can mean problems when the CCO reports through the GC to the CEO or the board. Defense of the company (and perhaps of high-level corporate executives) could, under some circumstances, end up pitting the general counsel and his concerns against the CCO’s push for robust compliance.

Notably, on April 29, the U.S. Sentencing Commission submitted to Congress proposed changes to the U.S. Sentencing Guidelines which, among other things, seek to bolster the authority and independence of the CCO to address such a situation. Under the amended guidelines, if the CCO has direct access to the board (and the corporate malfeasance was addressed in an appropriate manner) a company may still receive sentencing credit for having an effective program. Without direct access to the board, the company cannot obtain credit for its compliance program when a high-level corporate executive has committed an offense.

And over in the pharmaceutical sector, the Office of the Inspector General of the Department of Health and Human Services has taken a clear position: Compliance and legal functions should be separate, and the CCO should not report to the general counsel. That separation, OIG guidance says, “helps to ensure independent and objective legal reviews” and fosters “a system of checks and balances … to more effectively achieve the goals of the compliance program.”

The OIG has put these words into action, too. In a corporate integrity agreement it signed with Pfizer in 2009, for example, the inspector general mandated that the CCO “shall report directly to the chief executive officer.” And Pfizer’s CIA—as well as those of healthcare giants such as Merck, Bristol-Myers-Squibb, Quest Diagnostics, Aventis, and Bayer—all specify that the CCO cannot be, or be subordinate to, the general counsel or the CFO.

In a perfect world, the goals of the legal and compliance departments should largely complement each other in ensuring compliance with all applicable laws. In practice, sometimes differences emerge. For example, as I mentioned above, the general counsel may view his duty to defend the company and its senior officers from legal peril as paramount, and consequently he might take a different view on some topics (say, self-reporting violations) than the CCO would. The question isn’t whether which view is correct; it’s whether the board and CEO get to hear both views before making important decisions.

In a perfect world, the goals of the legal and compliance departments should largely complement each other in ensuring compliance with all applicable laws. In practice, sometimes differences emerge.

“It all turns on the strength and attitude of the GC,” the CCO of a large financial services company told me. (He reports to the general counsel.) “Do they understand what the compliance function really is? Do they have the necessary appreciation for their colleagues who are critical to a strong compliance program?”

This CCO believes the highly regulated nature of financial services, with its intense focus on rules and regulations, has augmented the general counsel’s role in compliance for that sector. As long as the CCO has unfettered access to the board, audit committee, the CEO, or a high-ranking compliance committee, reporting to the general counsel isn’t a problem, he maintains. To the contrary, if the responsibility for law and compliance is clearly delineated, the two functions should be “joined at the hip” since they both have responsibility for ensuring compliance with the applicable laws and regulations.

The view from another sector—diversified industrial manufacturing—is similar. “There is no one-size-fits-all,” says the CCO of one such company; it boils down to the communicative culture of the company. Having the CCO report to the general counsel works well at his company, as there is “openness and trust within and among the CCO, GC, senior management, and the board, and free flowing communication between them.”

In other companies with less transparency and more rigid communications structures among senior management, direct reporting to the CEO or the board might be the better idea. In all cases, my manufacturing CCO tells me, the CCO should report to the board at least annually to ensure “that the board has an opportunity to regularly assess the compliance program without any filter from senior management.”

Jeffrey Kaplan of Kaplan & Walker, whose firm provides compliance program advice to companies, proposes a three-part test on where the CCO should report:

Is the law department itself a foreseeable source of compliance and ethics risk? If so (and that has been the case in pharmaceuticals and healthcare), the CCO probably should not report to the general counsel, since a member of the law department cannot be expected to police his or her superior.

Is the law department seen as principally in “defense counsel mode” for the company rather than a “preventive law” function? If so, that could harm the willingness of employees to report compliance concerns to the law department and suggests separation of law and compliance.

If the compliance function is separate, does it have sufficient clout and resources to meet the letter and spirit of the definition of “high-level personnel” under the Sentencing Guidelines? If not, then maybe compliance should report—at least administratively—through a department that does have such clout, which the legal department typically has. But in such instances, the CCO should still report “informationally” to the audit committee and the CEO.

All agree that protecting the independence of the CCO is key to successful execution of the role. One important safeguard which many companies employ: insulating the CCO from summary termination through an employment contract. A survey conducted last year by the Society of Corporate Compliance and Ethics found that 30 percent of respondents said the CCO in their company had such a contract.

The same survey showed a plurality (45 percent) of CCOs reported directly to the CEO, with only 17 percent reporting to the general counsel. Tellingly, a much larger number of those surveyed (77 percent) believed the CCO should report directly to the CEO. This disparity tells me that many want the reporting structure in their companies changed to have the CCO report directly to the CEO.

There is no question that clout, resources, independence, and access to the board are substantively vital to an effective CCO; to whom the CCO reports is less important. However, many of those who know compliance best seem to believe those attributes may more likely exist where the CCO reports directly to the CEO. And perhaps external developments, such as the increased focus on prosecution of high-level corporate executives promised by the Justice Department in the anti-bribery area, will catalyze the spread of this reporting structure beyond the pharmaceutical sector. Time will tell.