Rebecca Walker (email@example.com) and Jeffrey M. Kaplan (firstname.lastname@example.org) are partners in the law firm of Kaplan & Walker LLP in Santa Monica, California, and Princeton, New Jersey, USA.
Whether the chief ethics and compliance officer (CECO) should report to the general counsel (GC) has been a hot-button issue in the compliance community for many years. Indeed, as far back as 2003, US Senator Charles Grassley famously said, “It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement.”
But does this reporting relationship necessarily create conflicts of interest? Can CECO-to-GC reporting be effective? These questions are somewhat contentious, even in our very civil and civilized compliance and ethics (C&E) community. Indeed, if there is any “third rail” in the C&E field, it is this.
A CECO who reports directly to the CEO with a seat at the senior leadership table, a budget on par with the law department, a strong voice in strategic decision-making, and a close relationship with the chair of the audit committee certainly sounds ideal, but that structure is simply not feasible in many organizations. And—hold on to your hats—it is not, in our experience, typically necessary for the program to report directly to the CEO for it to be effective. We have seen numerous empowered, independent, effective compliance functions that exist inside the law department, reporting to the GC.
There can, of course, be disadvantages to the CECO-to-GC reporting relationship, and there are issues to consider in this—as in any—reporting relationship. In this article, we will explore the advantages and disadvantages of this reporting relationship and provide some practical suggestions for enhancing the independence and authority of the CECO, regardless of the reporting structure.
Which type of reporting?
One of the reasons that this issue can be challenging to explore is that there are two related but clearly distinct types of reporting relationships, and it is not always clear which is being discussed. One of these is informational reporting (e.g., providing information in written reports, oral presentations). There will generally be plenty of benefit and little downside to the CECO’s reporting informationally to both the board of directors and the GC (and perhaps also the chief executive officer). Indeed, the reporting relationship between the CECO and the board or a board committee (often the audit committee) is the most important means of ensuring that a C&E program possesses sufficient independence and authority, as we discuss in more detail later.
The other type of reporting is administrative or, in other words, supervising the CECO on a day-to-day basis, including setting goals and compensation. It is this type of reporting that presents the more challenging issues when structuring a C&E program.
The disadvantages of CECO-to-GC reporting
There are, of course, some organizations for which an independent compliance function is clearly preferable. For example, where a company is in a very highly regulated industry, such as healthcare or banking, the role of the GC might be more closely aligned to the business than in a less-regulated industry. In that case, it may be preferable to have an independent compliance function. In addition, if an organization’s legal department has been under scrutiny by law enforcement in the past, it is likely preferable to have an independent compliance function that reports directly to the CEO. However, for many other organizations, compliance can thrive inside the law department, particularly where additional protections (discussed later) are put into place.
The ultimate goals
Whether a C&E program is effective depends on several factors, but the attributes that are most critical to an effective program are independence, authority, reach, and resources. These are the characteristics that compliance professionals, regulators, and enforcement officials have long recognized as necessary to an effective program. For example, in the Evaluation of Corporate Compliance Programs, guidance issued by the Department of Justice (DOJ), the DOJ asks prosecutors to evaluate the authority of a program, the independence of a program, and the resources the company has dedicated to the program. Programs also require sufficient reach throughout the organization, both in a program’s ability to reach employees and others proactively (e.g., through training and awareness-building) and in its unimpeded access to employees and information for purposes of performing investigations, monitoring, audits, etc.
While there are plenty of other attributes that contribute to a program’s efficacy (e.g., the expertise of program personnel, senior leadership’s commitment to the program, the quality of training and communications), independence, authority, reach, and resources are directly related to a program’s structure, including reporting relationships. Thus, when analyzing the efficacy of a particular reporting structure, it is helpful to consider how the structure affects each of these program attributes.
The field of behavioral ethics teaches that we are all subject to enormous pressure to conform (conformity pressure), to obey authority (obedience pressure), and to protect our self-interests and the interests of those in our in-group. It also teaches that how we frame an issue (e.g., is this a business question or an ethics question?) has significant implications for how we answer questions and resolve issues. These findings should also be taken into account when evaluating program structure.
Like the internal audit function, C&E cannot function effectively without being independent of the business and other functions. C&E is charged with both monitoring the behavior of employees—including senior leaders—and conducting independent investigations of suspected misconduct. These activities require independence. While the CECO’s reporting to the GC affects the CECO’s independence vis-à-vis the GC and the legal department more generally, administrative reporting to the CEO also affects independence vis-à-vis the business and the CEO. Considering the impact of in-group bias, conformity pressure, and obedience pressure, it is unclear whether an individual would feel more pressure to accede to questionable conduct as part of an organization’s senior leadership team or separate from it as part of the legal department.
Whether part of the senior leadership team, the legal department, or both, CECOs must balance the need to be a strategic adviser to the business in a way that ensures they have an opportunity to scrutinize, modify, and even stop transactions as a result of compliance concerns, while at the same time maintaining sufficient separation and independence to monitor and investigate, as needed.
In our view, the best way to achieve those objectives is through an opportunity to report to the CEO and senior leadership team informationally on a regular basis, combined with a strong relationship with the relevant independent committee of the board.
A program’s level of authority is also critical to ensuring that the program can function effectively. This has been the focus of significant attention from regulators of late, with the DOJ guidance asking how the compliance function compares with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers.
Of course, if compliance reports to the GC, the CECO is not of an equal stature with the GC. However, the reporting relationship can lend the C&E function the respect, credibility, and gravitas of the GC, rather than detracting from the level of authority. That will vary, of course, depending on the support of the GC and their genuine commitment to the program. But in a world where direct reports to the CEO are limited, the GC can provide much-needed credibility and authority for a program.
In addition, as a general matter, GCs have a broader and deeper understanding of what CECOs do than is the case with others in the C-suite. This can translate to higher-quality supervision, which can be critical to achieving the goals of a program.
In some companies, having the CECO administratively report to the GC can help ensure that the company devotes adequate resources to the compliance program. This is because the legal department budget is often given greater leeway (as a general matter) than the CECO’s. Indeed, over the years, we have heard several CECOs say that they felt “protected” from a resources maintenance perspective by being part of the legal department.
Requiring the audit committee to review and approve the C&E budget is another important measure to protect the resources of a program. This is a practice that we have seen more companies adopt in recent years, and it is a helpful means of both facilitating program independence and ensuring sufficient resources.
There are many facets to the issue of “reach”—i.e., how far the C&E program extends into the organization—but perhaps none is more important than having a seat at the table when new business plans are developed and implemented. The DOJ guidance asks, “What role has compliance played in the company’s strategic and operational decisions?” While the GC is often part of those discussions, standalone CECOs are less likely to be included. The CECO may have a better chance of being part of important strategic discussions when operating under the umbrella of the legal department. Note that this can be a particularly important consideration for global companies seeking to grow by acquisition.
In addition, the legal department in an organization is typically made up of more people than the C&E function. Being part of the legal department can help expand the footprint of the C&E function, thereby extending its reach throughout the organization.
Protecting the compliance function
When the CECO reports administratively to the GC, companies can take steps to address any disadvantages that may flow from this type of reporting relationship. For instance, the CECO can provide regular in-person reports to the audit committee and meet regularly in executive sessions (i.e., without the GC or other members of management) with the audit committee. The audit committee can also be charged with overseeing the budget, staffing, and annual plan of the C&E department. Also, companies can prohibit the CECO from being fired or from any reductions to the compensation or duties of the CECO without prior approval of the audit committee. All of the above, by strengthening the CECO/audit committee relationship, also enhance the independence and authority of a program. In addition, these requirements can and should be articulated in appropriate documentation, such as program and audit committee charters.
Effective compliance within the legal function is possible
In our many years of advising companies on programs, we have seen some truly extraordinary programs that exist inside the law department, but they have had the all-important relationship with the audit committee to facilitate independence and authority. We have also seen many programs struggle, of course, including those that report directly to the CEO. In those instances, the focus of our advice is not typically on the reporting structure inside the organization but is instead directed at strengthening the relationship between the audit committee and the C&E department; this relationship is the key to an independent, effective C&E function with sufficient authority, resources, and reach.
If there is any “third rail” in the C&E field, it is the issue of the chief ethics and compliance officer reporting to the general counsel.
Compliance and ethics cannot function effectively without being independent of the business and other functions.
Where the legal department has been under scrutiny in the past, it is likely preferable to have a compliance function that reports directly to the CEO.
When analyzing the efficacy of a particular reporting structure, consider how the structure affects independence, authority, reach, and resources.
A chief ethics and compliance officer’s relationship with the audit committee is critical to creating an independent compliance and ethics function with sufficient authority, resources, and reach to be effective.