There’s been a good deal of discussion recently about organizational location and reporting lines for a company’s compliance function. Some are stand-alone, though many are embedded within the legal department, with concerns about legal privilege among the considerations. Some report to the CEO, though for many others the reporting line is to another senior executive. And to further complicate matters, some compliance functions also have responsibility for ethics, with some being asked to take on even greater responsibility.
Certainly there are pros and cons to each organizational structure. What I’d like to focus on here is the critical relevance of a few key factors. One is to be sure a chief compliance officer, wherever he or she appears on the company organization chart, has the ability to bring relevant information directly to the chief executive and where necessary the board of directors. Depending on the nature of identified non-compliance events or associated risks, such access is essential. Also relevant are the recent amendments to the U.S. Sentencing Guidelines, which call for the compliance officer to report regularly to upper management and the board of directors or audit committee.
Another key factor is clarity around the compliance office’s scope of responsibility. Is it responsible for establishing a process for effecting compliance with all relevant laws and regulations to which the company is subject? That’s a good start. Does the scope include compliance with internal policies? That’s typically the case as well, and makes sense. But do the CEO and board think the compliance office can possibly ensure compliance? You and I know it can’t – the compliance function needs to focus on process and protocols, with direct responsibility for effecting compliance resting with line and staff unit leadership. Clarity around responsibility is essential. Amazingly, some company boards are looking to the compliance function to also take on responsibility for enterprise risk management! Fortunately, chief compliance officers have fought the attempt, for good reason.
And another factor is the compliance function’s relationships with the legal and ethics functions, if separate. Certainly compliance processes must adequately reflect the legal and regulatory realities, and we know there is often a fine line between unethical behavior and illegality, with the former sometimes a forerunner of or impetus for the latter. So clearly there must be close coordination to ensure information flows, policies, procedures and reporting mechanisms are in sync.
Of course each company needs to determine organization, reporting and responsibility for compliance to fit its own culture, management style and personnel. Getting this right will serve your organization well.
© Steinberg Governance Advisors, Inc. 2010. The information presented here does not constitute legal or any other type of professional advice. Companies are encouraged to consult legal counsel concerning their responsibilities for legal and regulatory compliance.