The test of any compliance program is simple. All you have to do is look to the Chief Compliance Officer and ask these two basic questions:
1. Does the CCO have independent authority and reporting access?
2. Does the CCO have the resources needed to carry out the job?
If the answers are no, the program is not adequate. In 9 cases out of 10 where the answers are no, if you look under the hood, you will see a disaster waiting to happen.
If the answers are yes, you will probably see an effective compliance program.
Too many companies have the basic “bare bones” compliance program. They are inadequate and accomplish very little in making sure that a company complies with the law. A “bare bones” program consists of:
1. A Code of Conduct and an FCPA Compliance policy (on the company website)
2. An employee hotline
3. An annual training program (and for new hires)
4. A CCO who reports to the General Counsel or the Internal Auditor.
5. A CCO with a staff of fewer than five employees buried somewhere in the corporate infrastructure.
I have seen this picture all too often. It looks more and more like a “Gilligan’s Island” re-run.
I want to try to get back to basics. Here are three basic requirements to get started on an effective compliance program:
The first step, and perhaps the most important step, that a company can take in compliance is to elevate the CCO. Forward-thinking companies are not relying on the General Counsel to ensure compliance. They are empowering their CCOs by elevating them to senior management. When important business issues come up, the CCO is at the table. CCOs are becoming proactive problem-solvers. It is about time.
Second, cutting-edge companies (big and small) are establishing direct lines of authority between the CCO and the CEO, as well as the Board’s Audit or Compliance Committee.
Third, CCOs are given sufficient resources to carry out their responsibilities. CCOs should never be pigeon-holed in a legal office or buried in an auditing office. They need to be a separate and distinct office, with a C-Level office and designation, and with full authority to carry out their mission.
As I have written and said for many years, CCOs are the unsung heroes of the compliance world. When something goes wrong, they are the first to be blamed. When CCOs need authority and resources, they are the last to get what they need.
Companies that want to elevate their corporate governance and ethics values need to make sure that they start with their CCO and empower the CCO to design and implement an effective compliance program.
Companies that are committed to promoting corporate governance and ethics are willing to restructure their management to elevate the compliance office, and match this structure on the board by creating a Compliance Committee. The CCO should have direct reporting authority to the Compliance Committee. This structure sends the right message to everyone that the company is committed to forward thinking on risk and compliance responses.
It is fascinating to me how Risk Management or Risk Officers have become the latest fad in corporate governance. To me, that is an unnecessary duplication of functions that can naturally be handled by the Compliance Committee and the Chief Compliance Officer. After all, to ensure compliance, you need to know and assess your risks.