Joe Murphy (firstname.lastname@example.org) is a Senior Advisor at Compliance Strategists, SCCE’s Director of Public Policy, and Editor-in-Chief of CEP Magazine.
It’s a question you repeatedly see in surveys: To whom does your chief ethics and compliance officer (CECO) report? But how much do you really know when you see the answer to this question? Probably not much.
First, you still have to find out who the CECO is. Often the general counsel grabs the title, even though they do nothing in the actual program. The real compliance people are below the general counsel and are never going to have time in front of the audit committee. So in reality, this is fake reporting. Although the language in the U.S. Sentencing Guidelines calls for reporting by the person with day-to-day responsibility, that is simply not happening.
But suppose there is an actual CECO, who is neither the general counsel nor a subordinate of the general counsel, and who “reports” to the board. Here we hit a serious ambiguity in the language. Report can have different meanings. It can mean that once every three months the CECO writes a bare-bones report that is scrubbed clean by the general counsel. This is reporting in a meaningless sense. For real reporting, the CECO should be appearing personally and regularly at the audit committee meetings, with no one from management present.
Even if this is done, however, there is still a piece missing: To whom does the CECO report? (meaning, who controls the CECO? Who controls pay, resources, evaluation, and career potential? Who can fire the CECO?) At this point we hit the real issue: power. For a CECO to be effective, he/she needs independence and empowerment; but if other officers control the CECO, neither of these things exist.
This question ties in with one of the common flaws of compliance programs: failure to recognize that senior execs are the highest risk group in the compliance sphere. If the CECO is to address this risk, this person needs to be empowered. To ensure this, the board needs to have control over the CECO (i.e., reporting to the board in its fullest sense). Of course, someone in management can sign the routine vouchers and other paperwork, but the board needs to step up to its responsibilities with a CECO who truly reports to it.