The appropriate place for compliance in the organizational structure of large and more sophisticated companies has been the subject of substantial debate within company management, and it is fair to conclude that the stakeholders in this debate (senior management, external boards, the office of general counsel and senior compliance officials) do not necessarily see eye to eye. General counsel often chafe at the prospect of independent compliance management that operates outside their direct reports. Increasingly anxious boards oppose filtered compliance information, and senior management may balk at too many channels for reporting of critical information. Compliance professionals are increasingly uniform in their view. They want direct reports to the CEO and the audit committee of the board. They need to know that their reports and information get to those with ultimate authority unvarnished. Compliance needs to stand on its own.
Having recently left the Fraud Section of the Department of Justice’s (DOJ) Criminal Division, where my responsibilities routinely involved interacting with internal and external counsel for multinational companies during the course of Foreign Corrupt Practices Act (FCPA), financial fraud and other investigations, I have undertaken an entirely unprofessional and statistically insignificant survey of senior compliance professionals who have been more recently appointed to their posts. All are currently employed by larger multinational companies with international operations. They represent different industries including oil and gas, pharmaceuticals, manufacturing, financial services and technology. With some modest accommodations for the different organizational structures, all have direct reports to the senior executive and often the audit committee of the board as well. Several indicated that the reporting line was essential to their acceptance of the position.
This new corporate organization is simply a reflection of the maturity of compliance in the management space. Compliance began as an irritating cost center that frustrated management and impeded business development, or such was the view one would have heard not too long ago. That has changed, particularly in more sophisticated and international business organizations. To be sure, compliance departments remain controversial, because among other responsibilities they direct business units to give up work. But compliance is now essential to effective business operations and critical to management decision-making. More importantly, a compliance program that does not have direct access to the CEO is flawed from the outset.
In today’s increasingly regulated business and operational environment, compliance is the safety officer with diverse responsibilities for enabling a company to be compliant. A company that is not compliant is not going to succeed as a business in the long term. Whether it is the FCPA or other anti-bribery laws, anti-money laundering (AML) provisions and related sanctions regime issues, technology transfer limitations, privacy laws, nuanced labor and employment rules, or simply ethical governance, compliance officers are the thin blue line in the corporate suite.
Because of this, compliance officers generally, and the chief compliance officer in particular, will be the bearers of difficult and often bad news. They will initiate reviews, new training and investigations that will be costly and potentially embarrassing. They will, in short, tell the CEO and the board things they may not like to hear, but which they must hear. The DOJ, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and other national and international investigative and enforcement authorities do not simply hope that this is the case; they expect and demand this ownership of compliance responsibilities by senior management.
The new normal for compliance placement within the reporting lines of senior management in larger companies is the product of a quite natural corporate governance evolution. Sarbanes-Oxley, Dodd-Frank and the increased enforcement and prosecution of FCPA and AML violations, among other legal developments, have increasingly placed senior management in the position of having a personal stake in a company’s compliance. Compliance needs its independence to provide senior management with the advice they require to succeed.