New federal sentencing guidelines from the Department of Justice have cast a spotlight on the question of whom a Chief Compliance Officer should report to. Unfortunately, the guidelines themselves, which are used by judges to sentence those convicted of crimes, provide little guidance. And the result could mean that the CCO reports to several different individuals, which could lead to confusion or even conflict over compliance. But experts say that may be the price companies need to pay to make sure the CCO's voice is heard.
The guidelines amended by the DoJ in April merely state that the individual or individuals with day-to-day operational responsibility for a company's compliance and ethics should have direct reporting obligations to what they call "the governing authority or an appropriate subgroup thereof."
As a result, boards are now struggling to come to terms with the question. And the answers they're coming up with include the general counsel, the CFO, CEO, the boards themselves, or some or all of the above.
A recent survey from the Society of Corporate Compliance & Ethics found that only 41 percent of publicly traded companies had their CCO report directly to the board, which was less than those companies where the CCO reported to the general counsel or others.
If the CCO did not report directly to the board, according to the survey, they reported to the general counsel, CFO and other senior positions within the company.
Observers say the multiple reporting lines for the CCO are a natural consequence of the current emphasis on compliance, and that it's necessary to make sure it gets its due.
In particular, they say having the CCO report to the CEO alone may lead to inadequate compliance.
"Overburdened CEOs likely do not have the time to place enough constant focus on the area of risk," said Hugh Jones, CEO of National Regulatory Services, which offers compliance services to the financial industry.
Some say reporting to the general counsel makes sense because of the attorney-client privilege, which is no small matter when there's an investigation going on at a company. But the entire C-suite has fiduciary responsibilities, and CFOs may feel that because their function is required to certify internal controls are adequate, any compliance responsibilities are their domain.
"Everybody has their argument," said Sharie Brown, chair of the Foreign Corrupt Practices Act, Anti-Corruption and Corporate Compliance practice at the law firm of DLA Piper.
Whoever the CCO reports to, the role requires power and access to influence, said Sandra Pundmann, an audit and enterprise risk services partner with Deloitte & Touche. The idea, says Pundmann, "is to have the knowledge to act on things in a timely manner, to connect the dots between groups and activities, so there can be early intervention to alleviate potential risk."
That is a potential problem in a command and control culture with an aversion to bad news. In that case, experts say the CCO ought to report to the board as well as management.
Yet the CCO may find him or herself in a tug of war as a result. Says Barbara Kipp, partner, PricewaterhouseCoopers, "CCOs have pushed hard for ‘a seat at the table' to help ensure that compliance is taken seriously and to ensure that compliance is "baked in" to key strategic and operational decisions."
Multiple reporting lines, and the confusion and conflict that arises from them, may be required to assure that seat.