Don’t Divorce the GC and Compliance Officer

Editor’s Note: Ben W. Heineman, Jr. is a former GE senior vice president for law and public affairs and a senior fellow at Harvard University’s schools of law and government. This article originally appeared in Corporate Counsel magazine.

The role of the chief compliance (and ethics) officer is currently a hot, if confused topic. What does she do — ensure good process or enforce strict compliance? To whom does she report — GC/ CFO or to CEO/board? What is her role in shaping the company’s voluntary adoption of ethical standards — beyond what the law requires?

This issue has been thrust into high relief by regulators and enforcers who, in light of various scandals, want a more independent compliance function in corporations. For example, changes in the federal sentencing guidelines would give corporations extra credit if the “specific individual” in the corporation with “day-to-day operational responsibility for the compliance and ethics program” has direct access to the board of directors. The issue has also received attention in the resolution of various high-profile cases, including a recent Pfizer Inc. settlement of criminal and civil matters with the U.S. Department of Justice and the U.S. Department of Health and Human Services, which required that the company’s chief compliance officer bypass the GC and report directly to the CEO.

Let me offer a somewhat contrarian, more nuanced view about the critical importance of a chief compliance officer, but in a right-sized role.

There are three broad organizational options:

  • The chief compliance officer is independent of the GC and CFO and reports directly to the CEO and board.
  • The GC is also the chief compliance officer (CCO).
  • The CCO reports to the GC and the CFO, and deals primarily with the process of compliance across all substantive subject-matter areas.

I favor the last option as the practical ideal because it builds on the vital need in a corporation for a strong, broad-gauged GC (see my essay, “The General Counsel as Lawyer-Statesman,” Harvard Program on the Legal Profession, 2010, available here), because it avoids significant organizational overlap and confusion and because it focuses the CCO on critical process management, uniformity, and rigor across the corporation.

Here are some of the key reasons for my view.

  • Many Experts, Not One. Compliance is not one substantive subject, it is many: competition law, employment law, environmental law, labor and employment law, international law, accounting rules, and disclosure law. Compliance also involves particular subject-matter areas governing specific industries (health law, communications law, banking law, etc.).
  • Experts Report to GC/CFO. The substantive experts in all those areas of formal rules, legal and financial, need to report either to the GC or to the CFO. They must not only be at the core of all compliance functions in their substantive areas but they are also involved in myriad business and policy issues beyond compliance. It makes absolutely no sense to duplicate that expertise by having a second set of experts who report to the chief compliance officer.
  • The GC’s Role in Individual Decisions. These substantive experts staff the GC or the CFO for meetings with the CEO and the board to define and discuss critical decisions with a legal or ethical component — a new deal, a new product, a new geography, a new government investigation. The general counsel and the CFO should be at the table, supported by substantive experts inside the company who work for them. Indeed, the growing importance of “business-in-society” issues in major companies means that the GC is becoming equal in importance to the CFO in the eyes of the CEO and the board of directors.
  • What is “right”? In these individual decisions, it should be the role of the GC not only to address the question of “what is technically legal,” but also to raise and help analyze the question of “what is right.” This second question requires assessment of the spirit of the law, ethics, reputation, public policy, and societal expectations in light of the corporation’s enlightened self-interest. It is ludicrous to suggest, as some do, that the GC only worries about what is “legal” and the chief compliance officer worries about what is “right.” The “what-is-right” set of issues is at the center of the role of the modern, broad-gauged general counsel as wise counselor and leader.
  • Compliance IS a core GC job. At the dead center of the GC (and CFO) job is responsibility for adherence to the formal and ethical rules binding the company. They must be partners to the CEO, but first and foremost they must be guardians of the company on the three essentials of compliance: prevent, detect, and respond.
  • Experts and compliance basics. The fundamental responsibility in a good organization for fusing performance with integrity lies with the CEO and top business leaders. But it is the substantive experts reporting to the GC and CFO who must work with businesspeople to map core commercial processes, assess where risks exist, and then devise risk mitigation procedures. Their substantive expertise and involvement is vital in developing education and training, in devising techniques for checking and balancing, and in creating appropriate monitoring mechanisms and in investigating, disciplining, and rebuilding failed systems.

What, then, is the role of the chief compliance officer when he or she reports to the GC and CFO? Put simply: process integration and rigor. Because there are so many different substantive areas of compliance, handled by different experts, it is vital that these threads be woven together into a coherent compliance program. There must be a single code of conduct and uniform set of policy guides. There must be integrated general education and training for all employees. There must be an integrated method for tracking individuals who move into high-risk jobs: risk assessing those jobs across several compliance areas and providing tailored, individualized courses. There must be a systematic company method to process map, assess risk, and mitigate risk. There must be oversight of the ombuds system to ensure that it is being operated fairly, promptly, and without retaliation. There must be a continuing, energetic search for best compliance practices outside the company. In sum, there must be an overall assessment of how compliance processes are working beyond reviews of particular substantive areas (e.g., competition law or environmental protection) and beyond individual business units.

Although substantive lawyers have expertise and knowledge to assess legal and ethical risks in their areas, and to design specific mitigants, they may not have the process skills that great compliance leaders possess. (Compliance leaders may not even be attorneys but can, for example, be ex-military officers with outstanding organizational and process skills.) Working with the GC and CFO and with the substantive compliance experts, the compliance officer assists business leaders in embedding integrity processes deep into business operations. Make no mistake, I believe process management across the whole compliance system is a central and vital job.

But, as noted, it makes no sense for the chief compliance officer to be “independent” and to hire the various substantive experts who must work on compliance but also on business problems for the GC and CFO. That doesn’t amount to appropriate “checks and balances,” but is a source of bureaucratic waste, confusion, and possible turf-fighting. Similarly, the GC should not be CCO in the sense that I have used it here because rigorous oversight of the compliance processes demands too much time, and a direct report to the GC (and CFO) needs an important title like CCO to command the respect this critical job requires.

The main objection to the position I am advocating is expressed in one phrase: lack of independence. At headquarters, the GC and CFO will be compromised by their relationship to the CEO, and their fear of losing unvested options or restricted stock units or deferred compensation. Down in the organization, division lawyers or finance people will be afraid to speak candidly to their business leaders and afraid to report up to the company GC or CFO.

The short response to this objection is one word: culture. In a good company — a company with a high-performance, high-integrity culture — the CEO leads personally and directly on integrity and, with the board‘s explicit support, makes clear that she wants the GC and CFO to be rigorous and candid on issues of legal, financial, and ethical rules. Creation of such a culture turns on top leadership, not on the chief compliance officer.

In such a culture, the chief compliance officer attends all integrity reviews with top leadership and, like the head of the company audit staff, can report directly to the audit committee of the board periodically on the strengths and weaknesses of compliance processes (to satisfy the new if ambiguous language of the Sentencing Guidelines). Indeed, I would go so far as to have the board and the CEO commit to give the chief compliance officer access to them at any time when the CCO believes that the company is not handling a compliance issue properly, including misbehavior by the GC or CFO.

In a bad company, with a poor culture, a distant board and an indifferent CEO (or worse), independent voices — whether from a chief compliance officer or the GC/CFO — will be muffled and discouraged. Neither a general counsel nor an independent chief compliance officer can change a bad environment, which deeply affects how people feel, think, and act. If tone at the top is rot at the top, then little can be done without the CEO or board being removed. Indeed, the misguided (in my view) enforcement thrust for a CCO wholly independent of the GC and CFO has stemmed from major scandals caused by senior leadership’s unlawful, unethical, or negligent behavior and by board indifference or negligence. If the GCs (or CFOs) were complicit or negligent, enforcers should press for their replacement, not for supplanting them.

To me, one good example of the approach suggested here is Siemens AG. Following a massive bribery scandal, its new CEO (Peter Loscher) and new general counsel (Peter Solmssen) undertook an intense effort to resolve outstanding cases, change the culture, redesign compliance processes, and make adherence to law and ethics a critical part of performance appraisals. To help address integrity issues in the future, a newly energized chief compliance officer and compliance function have been established. They report to the general counsel.

Both comments and trackbacks are currently closed.

4 Comments

  1. Robert J. Morrison
    Posted Monday, December 27, 2010 at 2:12 am | Permalink

    The issue as it relates to bad companies could do with more attention here. From my experience as a member of two rather poor, though not criminal, boards, I would say there are several important considerations that bear mentioning.

    1) Periodic access for the CCO to the audit committee will often, from the perspective of the board, not be enough. On both boards where I served, a number of directors were devoted to the cause but had at best a vague sense of what was really going on inside the company. And they were too inclined to take everything the CEO said at face value. One or two appearances per year by the CCO before the audit committee would simply not have built enough trust/dialogue that it would have sunk in at the level of the entire board, especially if any concerns expressed by the CCO were discounted by the CEO. If there were criminal activity involved that would be different, but at this company where I served it was more a matter of a generally sloppy culture.

    2) More independence for the CCO, and direct access to the CEO and–especially–independent board members, will put heightened pressure on the CCO to be squeaky clean. For a CCO there will surely be far more downside, legal and professional, in moderately fudging a report to the independent board members as opposed to one to the GC.

  2. Jeffrey M. Kaplan
    Posted Monday, December 27, 2010 at 6:32 am | Permalink

    There is a great deal of practical wisdom in Ben Heineman’s analysis of compliance reporting relationships. I would add only that some companies seeking to adopt his middle way have addressed independence-related expectations not only through the types of information reporting he advocates (CCO’s reporting periodically to the board on the compliance program and also having direct board access in case of perceived compliance problems) but also by mandating that neither the CCO’s responsibilities nor her compensation can be reduced without the prior written approval of the audit committee (or other board committee charged with compliance program oversight.)

  3. Ian Stock
    Posted Monday, December 27, 2010 at 11:18 am | Permalink

    Happy Boxing Day, Ben, and thanks for your analysis.

    But since when do CEOs in your experience seek to be advised on what is right, rather than what is technically legal, when it’s time to make the quarter or break into that new market he’s been gunning for? Even what you call a “good” company can lose touch with what is right (in the broad sense of the word that you use) when the pressure’s on.

    Many Boards are themselves asking for counsel from lawyers outside of the company. They are perhaps influenced by the big law firms who profit from the kind of duplication in expertise that you rightly deplore, as much as by concern about their particular CEOs. But a Board’s logic of seeking to find advisers who do not depend on the CEO is inescapable in the real world.

    Shouldn’t your GC report first and foremost to, and depend first and foremost on, the Board? Isn’t that the simple answer?

  4. Roy Snell
    Posted Tuesday, December 28, 2010 at 12:14 pm | Permalink

    Ben:
    There should be no duplication of work between the Compliance Officer and the General Counsel. It’s much like the Audit function. There is little if any duplication of work between Audit and Accounting. Auditors don’t post entries or do financial statements; they audit the posted entries and the financial statements. The auditors also need independence, to be free of conflict and report to the Board. COs do not practice law and they need independence.

    COs audit, monitor, educate, investigate, manage an anonymous reporting mechanism, enforce, discipline, report to the Board, etc. COs have a different focus and a different function than the GCs. Now, it’s entirely possible that GCs should have been responsible for compliance and prevention, but it didn’t happen to a degree that society found acceptable. The GCs were too busy or they were conflicted. Either way, it didn’t get done, just like Audit wasn’t adequately handled by the CFO, which ultimately resulted in the creation of the audit profession. (Later I make an argument as to why the GC should want these functions separated.)

    You mention that the Pfizer settlement forced Pfizer to remove the CO from the GC’s purview; however, you didn’t say why. It was because the GC was inappropriately filtering compliance reports. The OIG/DOJ wanted independence for the CO because the GC was conflicted. The GC was doing his job of vigorously defending the company, as well he should. The GC just shouldn’t have been asked to also oversee Compliance. The US Sentencing Commission just updated the US Sentencing Guidelines to suggest that the CO report to the Board. The USSC wanted independence for the CO because the GC was conflicted. How did the USSC arrive at that conclusion? They talked to many companies and found that the compliance effort was being “filtered” by the GC. As a result, most COs report to the Board. The SCCE did a very interesting survey related to the reporting issue.
    http://www.corporatecompliance.org/staticcontent/2010BoardCompOfficerSurvey_report.pdf

    The government is very angry and they have asked us to stop combining the CO and GC function. After, WorldCom, HealthSouth, BP, Pfizer, Tyco, Madoff, and many other corporate problems, making a case that the government is overreacting by asking for an independent CO is weak. The Department of Justice, Office of Inspector General, and many other agents have walked into the aforementioned companies and found, in some cases, the GC was aware of the problem and failed to prevent it. In some cases, the GC was actively involved in the decision not to address the issue. In the case of Enron, their outside counsel was very involved in the suggestion not to deal with the problem. These bad apples have made it very difficult for all of us, Ben.

    Suggesting that the CO report to the GC is like suggesting the auditor report to the accountants. It just isn’t going to work. Nobody is going to buy it. The more we try it, the more regulations we are going to get. The auditors recently lost their independence, and the government regulated auditors (Sarbanes Oxley) right back into independence. We don’t need more regulations. We don’t need hundreds of millions of our tax dollars used to fight corporate America. All they are asking is for a proper reporting relationship, just like Audit. This isn’t that tough a request to comply with. It’s inevitable. Those who resist are just going to get hammered.

    Frankly, if I were the GC, I wouldn’t want this reporting relationship either. One of the main functions of the GC is to defend their company, and they are given great latitude to do so. The compliance officer is asked to defend the stakeholders of the company. They are given very little latitude. If a GC does the CO’s performance review or has hire/fire responsibility over the CO, it’s an entirely different game. If the GC has responsibility for compliance and they do not disclose information or deal with a problem properly, they are going to get hammered. Combining this function takes the GC from a position of effectiveness to having their hands tied.

    If I were the CEO, I wouldn’t want this reporting relationship either. I want a vigorous compliance program; however, if I have trouble, I want someone to defend my organization vigorously. If the GC has hire/fire and annual review of the CO, this dual function just can’t operate effectively. With the two functions combined, I am either going to get a GC who is too cautious or a CO who is not cautions enough. Nobody should want this function combined. It is a recipe for disaster.

    COs collaborate all year long with GCs. They share resources and information. They can be an effective team. But every once in a while, the CO has to work independently. However, you can’t do that with the CO’s annual review and hire/fire determination being made by the GC. Ben, I invite you to meet more compliance professionals. SCCE has an annual meeting of 500 compliance professionals, and I would like to comp you to that meeting. Because this profession is so new, COs have many interesting dilemmas. You sound like the kind of person who would find this very interesting and we sure could use your help.

    Roy Snell
    CEO, Society of Corporate Compliance and Ethics