Why This Is Important
In an ideal world, a company that is establishing a new chief compliance and ethics officer position (CECO) would dedicate considerable time and effort to high-level strategic thinking, contemplating the mandate for the function, the proper positioning, independence and empowerment for the officer, the competencies and experience necessary for the new position, and the resources required to do the job. After all, as your mother always told you, anything worth doing is worth doing well. But all too frequently, as reflected in the steady parade of companies with failed compliance programs in the headlines, the CECO position is created in haste and repented at leisure—sometimes under the watchful eye of a prosecutor or corporate monitor. In today’s perilous regulatory environment where carefully nurtured corporate reputations and brands can be destroyed on the strength of a single individual act, revealed at the speed of a single Tweet or blog post, the CECO (together with the company’s compliance program) is the company’s first line of defense (after the business itself). Compliance-savvy boards and senior management could make no better use of their scarce time than ensuring that their CECO and compliance function are structured for success, in a manner that is fit-for-purpose for their organization’s size, scope, risk profile, industry, business structure and culture.
To facilitate this important endeavor, this chapter sets out a principles-based analysis based on six key criteria or features that are relevant to any CECO in any organization: true compliance subject matter expertise, empowerment, independence, seat-at-the-table, line of sight and adequate resources—so that companies can structure their CECOs and compliance functions strategically for success and detect, fix and prevent corporate misconduct or other big problems, before prosecutors, regulators, investors, plaintiff lawyers or other stakeholders compel them to do so on terms that they demand (e.g. huge fines and penalties, blacklisting, reputational damage, class actions, and court ordered monitors, to name a few). It is fairly easy to see from recent headlines that the companies involved would have fared much differently had they been able to discover and remedy their problems early, before landing squarely in media headlines, prosecutor’s crosshairs and a crisis/PR management war-zone.
The compliance profession has evolved rapidly over the last two decades, building its subject matter expertise (SME) in compliance, ethics and culture, and establishing itself as a separate and independent profession that is needed by management in these modern times to lead its approach to its compliance, ethics, culture and reputation issues. The emergence of a new model of compliance, known as “Compliance 2.0,” is being felt in corporate C-suites, boardrooms, and in policymaking both nationally and internationally, as more and more boards, C-suites and government gatekeepers begin to understand the role of compliance and the experienced CECO in designing and managing the organization’s approach to compliance, ethics, culture and reputation issues. They are noting that the model for compliance governance is really the single most important indicator of whether a compliance program will succeed or fail. Compliance 2.0 is the new and improved model for compliance programs that are structured to succeed, in contrast to the old legacy model of Compliance 1.0—where the general counsel or an in-house counsel without true compliance SME is expected to design and manage compliance. I call this the “DIY Compliance” version of Compliance 1.0, where the person with no prior compliance SME does no more than an elementary “check the box” version of compliance based on (a lawyer’s reading of) the seven elements of the FSG, and assumes that everything will magically “work” to fulfill the compliance mandate. Oh, but “Sorry, Charlie,” there is so much more to true compliance SME than that! A JD or golden legal resume is no substitute for true compliance SME earned on the ground and in the field.
As further discussed below, compliance SME is not taught in law schools. Producing the FSG elements is only the tip of the iceberg! Not only must the CECO and team be skilled and experienced in the best practices of how each element is designed and optimally operated, but also how they work in combination and in parallel to establish and nurture the right culture of ethical leadership, one that is sustainable and that acts as the umbrella and floor for an effective program that will work to successfully achieve the unique compliance mandate. One need only do a quick scan of Compliance 1.0 “train wrecks” over the last decade (i.e., “Ripped From the Headlines”) to understand what happens when a CECO with no true compliance SME attempts to drive the compliance and culture train, usually with a mandate that runs at cross-purposes with the mandate of compliance (as further discussed below under “Structuring for Success: The Six Essential Features…—Empowerment”).
GM is a perfect example of a mandate conflict that caused a large-scale compliance train wreck. According to media reports, in-house legal counsel was busy “quietly” settling cases and giving PowerPoint training on the “69 Naughty Words” that employees must absolutely avoid in all communications, rather than diligently getting to the root of the ignition switch defect and resolving it with a prompt recall, before the affected cars resulted in the deaths of at least 167 customers! That list itself became a regrettable “smoking gun” for the company, demonstrating management’s ambivalent approach to open and transparent discussion of problems and concerns, one of the hallmarks of a strong culture of ethical leadership that is supported by a strong, successful and effective compliance program. Bottom line: so many other Compliance 1.0 train wrecks in the media headlines could have had different paths and outcomes if the company had understood the value of an independent, empowered, Compliance 2.0 program that is structured and built to succeed! The analysis is even more striking when you consider that in many of these Compliance 1.0 train wrecks, employees or other parties had attempted to raise specific concerns to management, but in each of these cases the company failed to detect, follow through on and fix the problems before it had to parachute into the crisis zone. A few examples:
Compliance 1.0 Case Studies (Recent Train Wrecks Ripped From the Headlines)
1) Walmart Mexican bribery scheme: A former employee reported the scheme, but the company’s international counsel, who had repeatedly recommended a full outside investigation into the reports, resigned after a few members of the C-suite decided to “hush up” the bribery investigation by sending it back to the very local counsel who had been involved in the problem conduct in the first place! That local counsel then dutifully closed the investigation with “nothing to see here” as the primary takeaway. While the New York Times investigative reporters won a Pulitzer Prize, Walmart lost some key executives and became embroiled in an expansive bribery investigation extending to a number of jurisdictions well beyond Mexico. Fortunately, Walmart has taken substantive steps in response to the scandal, hiring a new CCO with true compliance SME who then overhauled the compliance program, making many improvements reflected in the Compliance 2.0 model and setting an example for companies and their boards everywhere. I have covered the issue and its implications more extensively here.
2) Siemens FCPA scandal: I have written about this one in further detail here, but suffice it to say that the company failed to detect and fix the misconduct (despite being notified of the misconduct by a whistleblower) before its Compliance 1.0 failures hit the prosecutor’s desk and media headlines.
3) GM’s delayed ignition switch recall: The classic poster child for “DIY Compliance” discussed briefly above is most notable for the mandate conflict that detoured the legal department from achieving the mandate of the compliance program. Even if the lawyers had understood the compliance mandate, they lacked the true compliance SME required to design and manage their program. A CCO with true compliance SME would have understood that the “69 Naughty Words” training was sending the wrong message to the organization and undermining the speak-up and trust culture that companies should be working hard to encourage.
4) VW emissions fraud scandal: The VW emissions fraud scandal is another widely publicized Compliance 1.0 collapse. Like Walmart, the German auto giant emerged from its epic Compliance 1.0 failure by reaching for a true compliance SME (the former Daimler CECO), who was installed as a new member of the company’s board of management with responsibility for integrity and legal affairs. In 2016 the company’s U.S. subsidiary installed a new CCO reporting directly to its CEO, with unfiltered access to the board. In a 2017 interview, Stephanie Davis, the new CCO of VW Group of America, commented:
[t]he compliance function at VW Group of America has been newly elevated. I report to the chief executive, I sit on the executive team as a member of management, and that is new. I report directly to the CEO of VW Group of America and I have an independent relationship with the board, so I report at least on an annual basis to them. I am focused on making sure this never happens again. We still are complying with the terms of the consent decrees.
5) Wells Fargo fake accounts scandal: The Wells Fargo fake accounts scandal, which resulted in a long list of terrible consequences, including a rare restriction on growth by the Federal Reserve Board, reflects a nearly perfect storm of Compliance 1.0 failures. As Mike Volkov, former federal prosecutor and recognized thought leader for the compliance profession, has noted in his blog series on the matter:
[emphasis added] If someone asks you what was the most important lesson learned from the Wells Fargo fiasco, you can confidently respond – the absence of an independent and empowered compliance function. It is easy to imagine how such a function, if it had a seat at the business table, would have responded to a proposed sales incentive program that rewarded sales staff based on the number of accounts opened rather than focusing on promoting customer service. Numbers of accounts bear no relation to quality of service, and in the end an ethics and compliance program officer would have pointed out the problem with the sales incentives program based on its skewed and illogical incentives.
The appalling breakdown of Wells Fargo’s compliance processes could have been predicted by the compliance function’s lack of authority, inadequate line of sight into risks and the business units, toothless oversight, and absence of a seat at the senior management table where incentives and culture were discussed, all in a highly decentralized operation. In fact, with a true compliance SME at the helm, the program could have been designed with the right checks, balances and mechanisms necessary to bring the embattled bank’s culture, compliance and retaliation problems to the forefront where management could have addressed them before the scandals reached the attention of regulators and prosecutors. For instance, strict investigation guidelines (including confidentiality and non-retaliation monitoring) and training, as well as a nondiscretionary board escalation policy might have prevented the board from being “blind-sided” by the ever-expanding fake accounts scandal and the fact that over 5,300 employees had been fired in connection with the fraudulent activity, including many employees who had tried to report their concerns to the company’s internal ethics line. A true compliance SME could have designed an investigation system and supporting infrastructure (including incentives) that would have helped the company to manage its risks more successfully. It is disheartening to think how an independent, empowered compliance and ethics function with clear authority and positioning could have made a difference in this perfect storm of a Compliance 1.0 train wreck. But at the same time, it is encouraging to see that government gatekeepers and policymakers in the U.S. and around the globe are increasingly showing that they understand the value of a modern Compliance 2.0 function and program that is structured and built to succeed (and more than just window dressing), as discussed below.
Regulatory Scrutiny Around the World on the CECO Role (progress towards a consensus)
The Federal Sentencing Guidelines for Organizations (FSGO) set out for organizational compliance and ethics a roadmap of those elements viewed as critical to strong, effective programs, including senior management commitment and resources. An endless number of panel discussions and articles have been devoted to so-called “tone from the top,” which is often mistaken by CEOs as “talk at the top” (as coined by Joe Murphy, recognized C&E expert and author of 501 Ideas for Your Compliance and Ethics Program ) in the form of a video or annual letter to the troops. In fact, the most robust form of “high-level commitment”— one that is now heavily scrutinized by prosecutors and regulators—is the proper structuring and resourcing of the CECO position, and by extension, the overall compliance program. That is because how well the CECO is positioned is the single most important indicator of whether the program will succeed or fail. A board of directors or CEO that has established an independent, empowered modern Compliance 2.0 function and program shows by these very decisions their “high level commitment” to a strong compliance program that “works” to achieve its mandate, and is more than mere window dressing. As discussed further here, choices have consequences, and government gatekeepers are increasingly scrutinizing those choices.
For these reasons, the CECO position demands the close attention and deliberation of the governing authority. Under the FSGO, the board has a key role to oversee the company’s compliance and ethics program, and this starts with ensuring that management has properly structured the CECO position. In addition, the 2010 amendments to the FSGO reflected the government’s strong preference for the CECO to have “direct reporting obligations” to the governing authority, intended to create a direct CECO channel to the board (or an independent board committee), unfiltered by any other senior officer. Former federal prosecutor Michael Volkov asks two basic questions to gauge the strength of a compliance program: “Does the [CECO] have independent authority and reporting access?” and “Does the [CECO] have the resources needed to carry out the job?” This year, the Department of Justice and Securities and Exchange Commission’s joint Resource Guide to the U.S. Foreign Corrupt Practices Act specifically observed that the CECO [emphasis added] “must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.”
The CECO also has the attention of standard-setting bodies outside the U.S. In 2010, 38 signatory nations to the OECD Good Practice Guidance for Internal Controls, Ethics and Compliance endorsed the CECO standard of a “senior corporate officer, with adequate level of autonomy from management, resources and authority.” Similarly, the Canadian Competition Bureau has stated in its Corporate Compliance Programs brochure that the chief compliance officer [emphasis added] “must be in a position to act effectively, in that there is independence, professionalism, empowerment, financial support and a solid understanding of what is taking place within the business.” Focus on the empowered CECO continues worldwide. In 2012 the French Competition Authority adopted “Procedural Notice on the French Settlement Procedure,” setting out the requirements for an effective compliance program, including a CECO who is “empowered” to implement and oversee the compliance program [emphasis added] “with the necessary autonomy and means to fulfill [the] role.” Also in 2012, the Chilean competition agency (Fiscalía Nacional Económica, the “FNE”) published new Guidelines on Competition Law Compliance Programs, including this specific guidance on the CECO role:
Finally, to the extent that the degree of market power justifies it and there are sufficient resources, the person responsible for enforcing the correct implementation of the compliance program must have full autonomy and independence within the company (for example, that person reports directly to the Board of Directors and can be removed only under specifically defined conditions).
The list of regulatory and standard-setting bodies around the world that are issuing guidelines for effective C&E programs continues to expand annually. These guidelines are increasingly addressing the seniority, positioning, empowerment, authority, independence and resources assigned by companies to the CECO role. These include:
Good Practice Guidance on Internal Controls, Ethics, and Compliance
UK Bribery Act
Anti-Corruption Ethics and Compliance Handbook for Business
Compliance Matters: What Companies Can Do Better To Respect EU Competition Rules
The ICC Antitrust Compliance Toolkit
Corporate Compliance Programs
Law on the Protection of Whistleblowers (Whistleblower Protection Act)
Guidelines for Competition Compliance Programs – Guidelines on the Structuring and Benefits of Adopting Competition Compliance Programs
ISO 37001 – Anti-bribery Management Systems 
General Data Protection Regulation (GDPR)
What the Surveys Tell Us
Recent well-regarded surveys underscore the fact that Compliance 2.0 is steadily becoming the modern model of compliance adopted by companies worldwide. According to these reports, more compliance executives are confident and optimistic about their authority and agency, and are being afforded the tools and resources to fulfill their compliance mandate. According to Deloitte’s 2016 survey, 60% of compliance professionals expected an increase in budget. Even more promising is DLA Piper’s 2017 Compliance Report, which found that 84% of compliance executives felt they had “sufficient resources, clout, and board access” to run their compliance programs effectively, an increase from 77% in the DLA Piper 2016 survey. Surveys such as DLA Piper’s also demonstrate an encouraging trend in CECO structuring, notably concerning the essential features of independence and C-suite inclusion.
A strong indicator of this encouraging trend is the growing representation of stand-alone CCO/CECO positions in the compliance profession. While the percentage of stand-alone CCOs varies drastically with the size of the company in question, the 2015 Deloitte Compliance Trends survey found that 59% of respondents indicated their top compliance job is a stand-alone position, up from 50% in 2014 and 37% in 2013. Gone are the days when companies in want of an official “chief compliance officer” could simply slap a new title on their GC and be done with it. Even former GE general counsel and highly vocal advocate for the in-house bar, Ben Heineman, agreed that “…the CCO’s core job is to operationalize formal rules through engagement with the GC, CFO, and other experts and leaders within the company. Unless the company is very small and resource constrained, the GC should not also be the CCO.”
Equally crucial to the creation of a stand-alone role is the position, authority and connectivity the CECO has within a business’ hierarchy. A telling measure of the transition to 2.0 can be seen in the make-up of the C-Suite. In Deloitte’s 2016 survey, 43% of respondents confirmed that the CCO held a seat on the CEO’s executive management committee, or its equivalent. Meanwhile, a consensus is being reached by compliance-savvy businesses that CCO reporting structures should evolve to reflect the trend of CCO independence and encourage the E&C function through empowerment. According to reports, more compliance executives are confident and optimistic about their empowerment and levers of authority, including direct reporting to the C-suite or higher. The percentage of compliance officers reporting to the CEO jumped from 25% to 39% from 2016 to 2017 while the percentage who reported to the GC or CLO dropped from 44% to 34%. Likewise, the 2018 LRN Program Effectiveness Report found that 43% of boards have instituted a direct reporting channel from CECO to the board.
What the Settlement Agreements Tell Us (the stakes have been raised)
Other clear indicia that the stakes have been raised are the number of settlement agreements and consent decrees that place the compliance function firmly in the spotlight. A long line of health care settlement agreements have yielded a now-standard undertaking that the CECO “should not be, and should not be subordinate to, the general counsel or the chief financial officer.” More recently, prosecutors and regulators have taken aim at the compliance programs of large financial institutions involved in money laundering, mortgage fraud and LIBOR rate rigging, to name a few areas of headline-making scandals. In the HSBC settlement agreement, prosecutors not only demanded a separation of legal from compliance (independence), but also elevation of the CECO role to the top 50 managers (empowerment and seat at the table), revised reporting lines for firm-wide compliance officers (independence and line of sight), a reformed mandate (empowerment), and a ninefold increase in the compliance budget (resources). Major overhauls of compliance functions at other big banks tell a similar story. Even in the absence of an actual settlement agreement, banks are feeling heavy pressure from regulators and investors (and in at least one case, Senate investigating committees) and are reforming their compliance functions to add one or more of the essential features discussed in this chapter. At press time for this chapter, Citigroup is working on improvements to its anti-money laundering compliance program, first flagged in 2012 in a consent decree from one of its regulators.
How can companies get ahead of this wagon train for effectively structured CECOs and compliance functions/programs? How can CECOs evaluating potential in-house positions better define their due diligence process? A review of the following essential CECO features is a start.
Structuring for Success: The Six Essential Features
Following is a discussion of six essential and interrelated features to be carefully considered by boards and senior management who are serious about structuring (or updating) the CECO position for success. Whatever an organization’s structure, size, complexity, industry, regulatory environment, or risk profile, its CECO position and compliance program must reflect the following criteria to be truly effective as intended by the FSGO:
Essential feature #1: True Compliance Subject Matter Expertise
The emergence of the compliance and ethics profession as a new, highly valued SME needed by boards and senior management to lead and shape the organization’s approach to compliance, culture, reputational and ethical risks means that true compliance SME is the foundational feature of the modern CECO and compliance program model. True compliance SME is demonstrated by a track record of designing and managing an effective compliance program in a CECO role. Experienced CECOs and gatekeepers serious about compliance understand that successful programs require an executive with true compliance SME earned in the field to design and manage the program and all its elements. For instance, the DOJ guidance asks, “Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?”
Essential feature #2: Empowerment
The CECO must have the appropriate unambiguous mandate, delegation of authority, senior-level positioning, and empowerment to carry out his/her duties. One evolving best practice is the establishment of a “compliance program charter” that sets out in sufficient detail the elements of the program and how it is expected to work, including the description of any “compliance committee” of peers to generate support, collaboration and real-world perspective for the program, and periodic reporting to the governing authority. More and more companies are opting to create the CECO mandate via a board resolution adopting the charter. The CECO’s job description is another tool to further clarify the function’s mandate, and at a minimum should encompass single-point accountability to “develop, implement and oversee an effective compliance and ethics program to detect and prevent misconduct;” but again, in order to communicate the full weight and commitment of the board and senior management, a board resolution is best practice. Above all, a clear, written mandate approved by the board and communicated to and understood by management is a critical, foundational element of a compliance function that is built to succeed. A more detailed discussion of the significance of the compliance mandate (together with sample language) is provided here. A close working relationship with an independent board committee, unfiltered by any other company officer, is a strong indicium of both empowerment and independence (discussed separately below).
As Michael Volkov has observed: “COs should never be pigeon-holed in a legal office or buried in an auditing office. They need to be a separate and distinct office, with a C-level office and designation, and with full authority to carry out their mission.”
Regarding Empowerment, the DOJ Guidance asks the following prompting questions: “Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred?” “How has the company responded to such compliance concerns?” And, “Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?”
Essential feature #3: Independence
Closely related to empowerment is independence. The CECO must have sufficient authority and independence to oversee the integrity of the compliance program. Levers of independence include reporting line, unfiltered board access, a nondiscretionary escalation clause, an employment agreement, prior board approval required for any change in employment terms (including dismissal), an independent budget, and an adequate staff to properly oversee, manage, and support the implementation of the overall compliance program. Of these levers, reporting line has generated the most controversy, particularly on the question of whether the CECO should report to the general counsel (GC). Many in the GC community incorrectly view compliance and ethics as a strictly legal function, and champion a CECO role that is either held by the GC or reports to the GC. In the CECO community, the call for a stand-alone position, unfiltered by the GC or any other company officer, has grown from a whisper to a roar. Corporate scandals in the headlines continue to illustrate the potential weaknesses of the GC-controlled model and spotlight issues such as conflicts of interest, competing mandates, and filtering of vital information from the governing body. Many regulators, prosecutors, and policymakers are increasingly taking the view that a reporting line to the GC provides insufficient independence and authority for the CECO. This trend is also reflected in a recent industry study indicating that the CECO-reporting-to-GC model declined by 10 percentage points, from 44% in 2016 to 34% in 2017, among the companies surveyed.
Common questions the DOJ might include when evaluating the topic of independence include: “Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors?” “How often do they meet with the board of directors?” “Are members of the senior management present for these meetings?” “Who reviewed the performance of the compliance function and what was the review process?” “Who has determined compensation/bonuses/raises/hiring/termination of compliance officers?” “Do the compliance and relevant control personnel in the field have reporting lines to headquarters?” And lastly, “If not, how has the company ensured their independence?” 
See further discussion below under “Frequently Asked Questions.”
Essential feature #4: Seat at the table
The CECO must have formal and informal connections into the business and functions of the organization—a seat at the table at important meetings where all major business matters are discussed and decided. At a minimum, the CECO should participate in budget reviews, strategic planning meetings, disclosure committee meetings, operational reviews, and risk and crisis management meetings. One barometer for “seat at the table” is whether the CECO attends the top management meetings of the company. For example, a company that holds an annual senior management meeting of the top 10% of its company leaders, but does not invite the CECO to the table, fails this criterion. In fact, many organizations with strong ethical leadership cultures regularly include on their senior management meeting agendas a session for the CECO to engage top leaders on the state of the C&E program.
Some lessons on seat-at-the-table leap out from the media headlines. With every high-profile FCPA bribery, corporate spying, money-laundering or off-label marketing scandal, one could ask “Was there a strong, independent compliance and ethics voice in the C-suite making the case for more robust protocols, resources, or a different path?” Another question highlighted in the recent DOJ guidance is “What compliance expertise has been available on the board of directors?” In one recent high-profile bribery scandal, media reports describe allegations that the top legal officer, CFO and CEO participated in a group decision to “hush up” an ongoing investigation by returning the case to the very same local counsel who had approved the illicit payments in the first place. A strong independent CECO voice in that C-suite challenging the “groupthink” momentum might have resulted in a wiser decision. Similarly, an IT giant’s decision to conduct a “pretexting” spy regime on its own board members and reporters was another disastrous idea hatched by its board chairman and general counsel in the absence of a strong independent CCO voice. Even more recently, the ongoing saga of the fallout from the Wells Fargo fake accounts scandal is a striking reminder of the consequences that can result when the CCO lacks a seat at the table. It is important to note that the ascension of the CECO to a seat at the table and other issues of corporate governance is not at all a “zero sum game,” and that the legal community should avoid any temptation to play “crabs in a barrel” (a phenomenon that only creates a distraction and threatens to create more risk for the organization). To the contrary, legal is and will always be a vital partner to compliance and will hold many important roles in the compliance program (e.g., risk SME, risk owner, investigator, training), as designed by an experienced CECO with true compliance SME and the positioning to do her job well.
As discussed by Pat Gnazzo, a longtime thought leader and trailblazer in the compliance field. 
The Department of Justice, under the “stature” subtopic of its guidance, recommends the following questions: “How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?”
Essential feature #5: Line of sight
The CECO must have unfettered access to relevant information to be able to form independent opinions and oversee the program effectively. Where important areas of risk such as safety or environment are “carved out” from the CECO’s line of sight, the CECO will be unable to perform adequate oversight of the program for that risk, and oversight for related areas will be impaired. Correctly structuring the line of sight also enables the CECO to coordinate and leverage compliance activities, and to decrease “compliance fatigue” in the organization. This does not mean that every risk area or subject matter expert must report to the CECO administratively, but formal mechanisms should be established to integrate those compliance activities into the overall program, as overseen by the CECO. For example, an FCPA anticorruption compliance program is usually “owned” and implemented by legal, but should not stand outside the CECO’s line of sight. Similarly, HR “owns” and manages sexual harassment and discrimination risk, but these programs need to be integrated into the overall program. Certain other areas of compliance risk, such as safety and environmental, are often of sufficient significance in some organizations to merit a separate department. But that does not mean that they should operate outside the standards of effective compliance programs or be isolated from the best practice or information-sharing critical to the company’s overall compliance approach. Each of these groups should keep the CECO regularly informed of the status of their risk area programs, and any gaps or challenges that may arise. “Line of sight” means that the CECO sets the standard for an effective compliance program in individual risk areas, even if those programs are developed and implemented by another company function—an important feature that should be expressly stated in the compliance mandate, discussed above.
If any part of the organization is immune to the CECO’s line of sight, then that is the first place to look for problems.
Included in the DOJ Evaluation of Corporate Compliance Programs under the topic of compliance role are the following questions: “Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., legal, finance, or audit) ever raise a concern in the area where the misconduct occurred?” and under the topic shared commitment, “How is information shared among different components of the company?” 
Essential feature #6: Resources
Imagine a single police captain with a team of four sent in to safeguard the cities of Trenton, New Jersey or Miami Beach, Florida (both with current populations of over 80,000). In the words of Vizzini, the Sicilian boss character from the 1987 film The Princess Bride…“Inconceivable!” Yet one need not look far for CECOs who manage an ambitious mandate no less than “to develop, implement and oversee a compliance program to detect and prevent misconduct” for their organizations of 80,000 with teams of five or less. Compliance functions are often leanly staffed with matrix responsibilities—a reality discussed by Michael Volkov in his article “Person of the Year—The Chief Compliance Officer” in which he calls the CECOs the “unsung heroes” of the workplace. Assuming that all the other essential features of an effective CECO position have been established—empowerment, independence, seat at the table and line of sight—any company serious about compliance must also consider the amount of dedicated resources for the mission.
As regulators, prosecutors and investors are increasingly demanding, the CECO must have adequate resources (i.e., budget and headcount) to get the job done. The principle of independence also supports the dedication of standalone resources to the CECO and program, rather than a shared budget with another function (e.g., legal). Headcount can be either personnel reporting to the CECO, shared resources, or “dotted line” resources (part-time or full-time) identified and dedicated to the compliance program from other parts of the organization. Some companies have also developed a network of senior-level “compliance leaders” or “ethics ambassadors” in the business units and functions of the organization to implement compliance activities in their areas—an evolving best practice that also increases the CECO’s line of sight.
One important caveat that boards should note on resources: mere budget or headcount heralded in press releases to impress the media, regulators or investors is downright meaningless unless there is true compliance SME in place with the knowledge and experience required to deploy the resources properly. This was the mistake made by hedge fund giant SAC Capital, which made splashy announcements about its 38 compliance professionals and its investment of “tens of millions” to create a “cutting edge” compliance program. We all know how that turned out, as I wrote here. Due to the lack of true compliance SME, the foundational feature of Compliance 2.0, neither hard cash nor headcount could save the company from an embedded culture of corruption and revenues over integrity. The company went down in flames in a firestorm of insider trading and reputational ruin, and that, as they say, is history—another Compliance 1.0 train wreck. SAC Capital paid at least $1.2 billion in fines to the SEC and ceased to exist as of 2016.
In a properly scoped compliance program, many managers outside the compliance function have some degree of responsibility, whether as SME, risk program owner or investigative leader. It’s even possible that some of these individuals are already performing these roles in practice. However, the difference between a failed program and a successful one is often the clarification and formalization of these responsibilities. All roles supporting the compliance program should be clearly defined and properly linked to the CECO and the program through dotted line reporting, performance evaluation input, job descriptions, interface tools, or other similar mechanisms. Many may row, but all must be headed in the same direction. As the organization’s true compliance SME, the experienced CECO oversees the architecture of the overall compliance program to ensure that it is supported and implemented by all the identified supporting roles in the organization; identifying and developing the needed SME to support the compliance program is one of the key duties of the experienced CECO with true compliance SME.
As we have noted, there is no one-size-fits-all model, and these essential features can take various forms depending on a company’s size, scope, risk profile and culture. But an analysis of any CECO position lacking one or more of these criteria quickly reveals the flaws in that model.
According to the Department of Justice’s Evaluation of Corporate Compliance Programs under the subtopic of funding and resources the following are common questions used to evaluate a compliance program: “How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?”
Recent Independent Research Informs Us
We can also look to some notable independent research in the compliance field to inform us further on the benefits of the modern Compliance 2.0 program model.
RAND Symposia on Compliance and Ethics Topics
The RAND Center on Corporate Ethics and Governance has published a series of groundbreaking reports on its series of annual symposia on a range of topics critical to the several facets of Compliance 2.0. Recent symposia include, “Transforming Compliance: Emerging Paradigms for Boards, Management, Compliance Officers and Government,” “Culture, Compliance, and the C-Suite: How Executives, Boards, and Policymakers Can Better Safeguard Against Misconduct at the Top,” and “Corporate Culture and Ethical Leadership Under the Federal Sentencing Guidelines.”
Each of the symposia reports are available as a free download. They include RAND invited white papers and a summary of the high-level, RAND-facilitated symposia dialogue among top thought leaders from the compliance, academic, board, government and industry communities, with key takeaways on important compliance and ethics issues, including the value and increasing demand for an independent, empowered compliance and ethics function and program.
University of Michigan Study
Another important study was conducted by researchers at the University of Michigan Stephen Ross School of Business, with their findings published in a 2016 white paper entitled “Why Don’t General Counsels Stop Corporate Crime?”
This study includes findings on the different mandate, skillsets, and knowledge base of the new and emerging compliance profession—and underscores the significance of true compliance SME to the success of any effective compliance program. The white paper underscores why true compliance SME is foundational to any effective compliance program, and why it must be structured with independence, empowerment, line of sight, seat at the table and resources to achieve its mandate. For additional context and background on the emergence of the modern compliance profession as a new SME different and separate from legal, an e-book by Michael Volkov, well-known compliance thought leader and former federal prosecutor, entitled The Revolution in Ethics and Compliance contains a useful review of this topic. Similarly, in “The Chief Compliance Officer: Should There be a New ‘C’ in the C-Suite?,” Michele DeStefano tracks the emergence of compliance as a new profession in a July 2016 Harvard Law School publication The Practice. In tracing the emergence of the new profession, DeStefano writes: “Compliance officers implemented and enforced best practices within the company, identified risks, and investigated misdeeds—all of which required a degree of autonomy from other company leaders.” She further notes that compliance “has emerged from the shadow of the legal department and carved out its own territory within organizations.”
This recent research and commentary tracks the trends for more standalone CECO roles and increasing authority and positioning for the CECO as a member of the C-suite reporting to the CEO or to the governing authority (and by extension, the overall compliance program), rather than being buried in the legal department without adequate independence, empowerment and unfiltered access to the board, as discussed above under “What the Surveys Tell Us.”
Structuring the Chief Ethics and Compliance Officer Position: Frequently Asked Questions
Set out below are some frequently asked questions when structuring a CECO position and function, and a brief reflection on these topics.
Q: What are the most common organizational models?
A: Types of common organizational models for positioning the chief ethics and compliance officer (CECO) include:
Reporting to the board (or an independent board committee)
Reporting to the chief executive officer (CEO)
Reporting to the chief financial officer (CFO)
Reporting to the chief operating officer (COO)
Reporting to the general counsel (GC) or within the Legal department
Jointly reporting to the GC and the CFO
Reporting to another senior officer
Reporting to a senior officer, “dotted line” to the governing authority
The GC (or another senior officer) is also the CECO.
Q: Isn’t ‘independence’ the same as ‘empowerment’?
A: These two features are interrelated but each has a slightly different scope. In a Venn diagram, they would certainly overlap. Empowerment is about having the senior management’s imprimatur to do the job, and that requires clarity about what the job is, what’s in and what’s out, and the badge and the gun, so to speak. It’s impossible to be empowered without independence, e.g., where another exec filters your reports or vetoes your everyday decisions about how to run the program. Independence is critical to the CECO’s ability to “speak truth to power” when necessary, to be another voice in the C-suite with a lens on compliance and ethics without other considerations that create built-in conflicts of interest. Imagine a situation where the CECO has independence from legal through a dotted line to the board or escalation protocols, but is pigeon-holed doing administrative compliance work without the empowerment to discharge the broader CECO mandate. An effective CECO needs both empowerment and independence.
Q: What do you mean by direct ‘reporting’?
A: For chief ethics and compliance officers, there are two types of “reporting”: (1) information reporting to the governing authority (e.g., periodic reports on the status of the compliance program); and (2) administrative line reporting (e.g., “hire and fire”). The 2010 amendments to the Federal Sentencing Guidelines for Organizations (FSGO) bolstered the independence of the CECO by emphasizing the value of the CECO’s “direct reporting obligations to the governing authority.” This requirement refers to information reporting, but has been incorrectly interpreted by some as administrative line reporting. Although people often confuse one kind of reporting with the other, both are critical to the structuring of the CECO position. So, for instance, the CECO may report administratively to the CEO, and appear before the Audit Committee of the Board to deliver an (unfiltered) quarterly written report.
Q: What do you mean by ‘unfiltered’? Our GC doesn’t change the message, but is the one to deliver the CECO’s report to the board. How is that ‘filtering’?
A: Filtering is anything that impairs the quality of information being reported to the governing authority. The CECO is the subject matter expert on what makes an effective C&E program, and provides that lens to the board through periodic and ad hoc reporting. The closer the reporter is to the information, the better the information—a fact tacitly reflected in the 2010 FSGO amendments supporting “direct reporting” by the person with day-to-day operation of the program. Filtering can take the shape of a senior executive deleting unfavorable data, or changing or “watering down” the CECO’s message. But even when there is no intention to “change the message,” another executive that is once or twice removed from operating or overseeing the program (and who likely does not have the subject matter expertise) is not well equipped to know how a program really works on the ground, which aspects merit highlighting, or what details are most relevant to a Board’s understanding of the company’s C&E risks. The model of a CECO providing a report to the GC who then delivers it to the board is in increasing disfavor following the 2010 FSGO amendments and the many settlement agreements that mandate direct, unfiltered reporting. Similarly, a best practice is emerging for the CECO to report to the board quarterly, in executive session (i.e., closed to management). The fact that the board has granted such direct, unfiltered access to the CECO is one mechanism companies can employ to demonstrate, and ensure, the independence and empowerment of its compliance program.
Q: What other features are important to consider in structuring the CECO position?
A: As noted in a 2009 RAND Symposium report on the topic, “CECOs have the potential to play the pivotal role in companies, but their effectiveness depends on independence, seniority, ‘seat at the table’, and empowerment.” The choices a company makes on these essential features in the aggregate will land the CECO role somewhere on a spectrum ranging from strong and “best practice” (i.e., independent, empowered, and structured for success) to mere window-dressing (i.e., generally ineffective, by design destined to fail). That’s why it’s fair to say that every company has the kind of compliance program it wants, because the choices the board and C-suite make about how it is structured and led will ultimately determine success or failure.
Companies also make choices on whether to establish a so-called “compliance committee” populated by senior officers (e.g., CFO, GC, HR, audit) and often the business (an element which is growing steadily in popularity) and mechanisms for giving the CECO direct access to the governing body. In a recent PWC survey of CECOs in large US companies with annual revenues of more than $1 billion, 71% of those surveyed said their companies had a form of compliance committee.
Q: What is the scope of the typical compliance committee mandate?
A: The compliance committee is not a substitute for the CECO, but a senior-level peer group that can be employed to support and offer input into key aspects of the compliance program and to increase ownership and engagement at the top levels of the organization. Nor should the compliance committee act as a mechanism to filter the independent judgment and reports of the CECO to the governing body. Topics typically discussed by the compliance committee are culture, accountability, values, performance criteria, training and communication plans, resource allocation, policies, investigations, and disciplinary matters. Compliance committee responsibilities vary by company, but in all cases, the group should have a clear written mandate that is broad enough to support the compliance program, but that does not interfere with or impinge on the ability of the CECO to manage the program on a day-to-day basis, independently oversee the program, or have unfiltered access to the governing body.
Q: What is meant by board access?
A: All board access is not created equal. Many companies now stipulate that a board committee or member has an “open door” to the CECO. But what does this really mean? A mechanism that “allows” a CECO to communicate on an ad hoc basis with the board or request a meeting is actually the weakest form of access, because a CECO has to affirmatively exercise his/her discretion to contact the board, making this more of a nuclear option. Depending on the relationship of the CECO to the board, this kind of access may ironically ensure that the CECO will not escalate an issue if the only available option is perceived as career-limiting.
A better approach is a mandatory escalation policy that automatically raises to board attention certain types of matters, such as allegations involving a senior manager or acts of retaliation against the CECO or compliance team members. Information reporting is another form of board access, but its efficacy depends on the frequency of the reporting (e.g. quarterly scheduled sessions) and the degree of “filtering” by others in the organization. As discussed above, filtering undermines CECO independence and the quality of the information received by the board, and negatively impacts the effectiveness of the program.
Despite the strong support by the 2010 FSGO amendments for an independent CECO with unfiltered access to the board, many companies have not yet established mechanisms to do so. In fact, many firms continue to place the CECO within the Legal department, with the general counsel actively filtering reports of the CECO, a model that is increasingly disfavored. The general counsel-controlled CECO model is discussed further below.
Q: What are the current trends in CECO structure?
A: A number of highly regulated industries are leading the way with very specific guidance or standards for the CECO reporting structure, such as the mutual funds industry, where Rule 38a-1 of the Investment Act of 1940 requires the CECO to report to the fund board. In the health care industry, various guidances from the Office of Inspector General of the Department of Health & Human Services and a long line of settlement agreements set expectations for CECO independence, direct access to the board, and separation from the GC and CFO. As highlighted in the landmark 2009 Pfizer $2.3 billion settlement (which also separated legal and compliance): “The lawyers tell you whether you can do something, and compliance tells you whether you should. We think upper management should hear both arguments.”
Enforcement officials, regulators, policymakers, and members of Congress have also weighed in, taking a strong interest in CECO independence and empowerment. In 2003, Senator Chuck Grassley famously commented on the double-hatted GC/CECO role at Tenet Healthcare, “It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement.” Former federal prosecutor Michael Volkov, writing in his widely-read blog “Corruption, Crime and Compliance” has said that a CECO reporting to a GC is a sign of a “bare bones” compliance program that is likely “a disaster waiting to happen.” In 2012, a senior Securities and Exchange Commission official confirmed his view that “it sends a strong message that compliance and ethics are important if a company includes an independent CECO in the C-Suite” and encouraged boards to provide CECOs with “the necessary resources, independence, standing, and authority to be effective.”
More recently, as noted above under “What Settlement Agreements Tell Us,” a series of large financial institutions have taken unprecedented action to reform their compliance functions and CECO positions under pressure from regulators, prosecutors and investors.
As discussed above, the 2010 FSGO amendments offer strong support for CECO independence. All these factors point solidly towards a trend to increase the profile and empowerment of the CECO position. That said, although the momentum for an elevated CECO position is clear, the levers of independence and empowerment remain inconsistently implemented. Anecdotally, most companies involved in headline-making C&E scandals appear to have either a poorly designed CECO position/program or a person with inadequate competencies and experience at the helm, a topic that merits the close attention of boards.
Q: Should the CECO report to the GC?
A: The CECO-reporting-to-Legal model has generated considerable controversy, particularly among some in the in-house legal community that seeks to maintain reporting control over the CECO, and in the CECO community, where the prevailing view is strongly in favor of independence. As demonstrated by a long line of companies forced to separate their CECO from legal under corporate integrity agreements, and headlines such as the very public Wal-Mart bribery scandal earlier this year, companies that structure CECO positions lacking in independence (including independence from legal) do so at their peril. Although this structure remains common, at least one major industry survey indicates that the model is losing momentum. The 2012 PWC State of Compliance Study indicates that the number of CECOs reporting to the general counsel fell by 6%, from 41% in 2011 to 35% in 2012.
In the early days of the modern CECO position, the legal department seemed to be the natural home for the CECO in many companies. As compliance and ethics has advanced into a vibrant and multi-faceted profession, with an increasing depth of experience and evolving best practices, the distinctions between the CECO and the GC have become steadily apparent. The CECO and the GC have separate and distinct mandates and require different competencies and skills. Compliance is not a legal function, but a multidisciplinary management control function that interfaces with all of the other functions connected to the business. To quote one commentator: “It is the trained lawyer who chooses to operate in the attorney mind-set when in the compliance and ethics role who is likely to prove ineffective as a CECO.”
Former federal prosecutor Michael Volkov says “Forward thinking companies are not relying on the general counsel to ensure compliance. They are empowering their [CECOs] by elevating them to senior management. When important business issues come up, the [CECO] is at the table.” The author’s views on this model are further discussed in “The Real Happy Marriage Between the GC and the Compliance Officer.”
Q: What is your advice for CECOs looking for a role that is “structured for success”? How should CECOs seeking new roles approach this problem?
A: I’ve discussed in interviews that CECOs and compliance professionals should examine potential job opportunities critically for the level of expected independence and empowerment. I think our profession is paying attention to governance issues impacting independence and empowerment, because I’ve been told by more than one recruiter that their candidates are being “more critical about structure.” Joe Murphy, one of the profession’s top thought leaders and advocates, has spent considerable time thinking about how compliance professionals should develop their SME and careers, including the due diligence they should perform before committing years and time to a new job, and that’s a good thing. As I have noted, CECOs need to “vote with their feet” so that recruiters, boards, CEOs and other gatekeepers get the memo on independence and empowerment, and recent survey results appear to bear out that this is happening. See “What the Surveys Tell Us” below. I have discussed these issues with the CECOs in my network and encouraged them to follow Joe Murphy’s approach to due diligence, but the fact is that independence and empowerment are the pieces that can be negotiated at the front end, and if those are present, the CECO can work within the system to ensure their line of sight, seat at the table and resources. This is an ongoing dialogue, which is why independence and the mandate are both so critical to the compliance program and its success.
Q: What about all the companies that seem to have a successful CECO-reporting-to-legal model?
A: We’ve discussed the historical nature of this arrangement and the fact that all CECO positions should be fit-for-purpose. Many CECOs have commented on their good working relationship with their GC bosses. The problem is that this arrangement works until it doesn’t. In addition, if the CECO is not disagreeing with the GC from time to time (such as times of crisis when an independent voice is most needed), then either the CECO mandate is inadequately defined or she probably isn’t doing her job correctly. As noted above, both the GC and CECO have critical responsibilities and mandates for the company, and when a conflict occurs, both views should be heard in the C-suite. Recent headlines reflect potential for failures when the GC can automatically veto or filter the CECO’s recommendation. When considering the structure of the CECO position, boards would be well-advised to demand an institutional model that does not depend on the goodwill, personal working relationships, or temperament of an individual GC and CECO—but instead is created with sufficient checks and balances from the outset that structure the CECO position for success.
Q: Should the CECO report to the board?
A: There are some who champion this model, looking for the strongest source of independence for the CECO. The intent is correct, but some reservations about this reporting line include: (1) boards need to oversee the program and empower the CECO, but not necessarily supervise the CECO on a day-to-day basis; and (2) the CECO who reports to the board administratively runs a risk of being disconnected from the business and viewed as a pure policeman or monitor, rather than a vital function of the organization, trusted coach/advisor, and center of excellence for compliance and ethics. This could undermine the eagerness of the businesses to invite the CECO to key meetings—one essential feature of “seat-at-the-table.” Thus, as noted below, many companies have opted for an administrative reporting line to the CEO (for connectivity) with a “dotted line” to the board (to ensure independence and unfiltered access).
Q: Should the CECO report to the CEO?
A: The CECO model reporting to the CEO with direct, unfiltered, regular reporting to the board (combined with other mechanics for board access) is increasingly regarded as a best practice structure that is gathering momentum in many quarters, including with prosecutors who negotiate corporate integrity agreements. In a 2009 survey conducted by the Society of Corporate Compliance and Ethics, 55% of CECOs surveyed reported to the CEO. The CECO-reporting-to-CEO model carries with it automatic levers of independence and empowerment, and for this reason appears to be gaining in favor. Also, as noted in “What the Surveys Tell Us” above, more boards are establishing direct, unfiltered channels for their CECOs as part of their oversight. Other levers for oversight are being explored, including mandatory escalation policies that allow boards to select categories of matters that must be escalated to their attention on a mandatory basis. As noted above under “Why This Is Important,” these are critical issues that merit serious consideration by the board and C-suite.
Q: An ex-SEC official has been quoted as saying that the CECO should not report to the CEO because that is insufficient autonomy from management. Is this a concern?
A: That would be true if there were not a dotted line to the board, direct unfiltered access (periodic and ad hoc) or other levers of independence, as discussed above. The advantage of a reporting line to the CEO is that a CECO gains a seat at the CEO’s table and is elevated on par with other important voices such as legal, the CFO and business heads. When the organization sees that the C&E program is valued highly enough to make the CECO a direct report to the CEO, the CECO gains in empowerment. Even with a reporting relationship to the CEO, the position still needs to be reviewed against all other essential features of an effective CECO role described in this chapter.
Q: What about the CECO position in small-to-medium size companies?
A: Small-to-medium size companies can make a more credible argument for a “double-hatted” CECO (where a senior officer takes on the CECO position in addition to his/her existing duties) than larger, more complex organizations with significantly more resources. That said, any company that employs this kind of structure must build it with a clear written mandate and levers of independence to strengthen the CECO position, in addition to leveraging scarce resources. Much will depend upon the individual selected to discharge the CECO responsibilities. The part-time CECO must have sufficient time, commitment, intellectual curiosity, and competencies to do the job, and be willing to become educated in how to be an effective leader and advocate for the program. That said, just because a company is small does not mean that its legal and compliance risks are minimal. Small companies with complex risks should not assume that their compliance program needs can be adequately served by a part-time CECO.
Q: Doesn’t the success of the CECO position, regardless of structure, depend on the personal qualities of the individual in the role? Are you suggesting that a best practice structure guarantees success?
A: There are no guarantees in life, and least of all in compliance and ethics! This chapter addresses the structure of the CECO role only. Equally important to the success of the CECO is what the individual brings to the table by way of meaningful compliance and ethics experience (the more demonstrated in-house track record the better), business savvy, gravitas, credibility, and critical “soft skills” such as problem-solving, project management, communication, collaboration and persuasion competencies, and of course, strong ethical leadership. This is an important topic for another paper.
The above discussion is intended to support careful deliberation by the board and company decision-makers on the positioning of the CECO, and by extension, the overall compliance program within the organization. It is a decision which has enormous bearing on the potential effectiveness of the CECO position and the compliance program, and thus merits considerable strategic dialogue within the senior ranks. If a company is truly serious about culture, compliance, and ethics, and wants a program that is more than mere window-dressing, it will take careful steps to ensure that the CECO has empowerment, independence, seat at the table, line of sight and resources to properly discharge the responsibilities of this critical position.