Andy Hinton, vice president, ethics & compliance at Google
Accountability. Compliance. Risk. These are more than just buzzwords in business today. In recent years, the chief compliance officer (CCO) has climbed up the ranks as one of the most important roles within the C-suite. But as the role of the CCO has evolved to become more integral to business operations, so, too, has the CCO’s relationship to the general counsel.
This is due, in part, to the evolution of the position of the chief compliance officer over the last 10 years or so, to become a more strategic area for businesses, according to Suzanne Rich Folsom, executive vice president, general counsel and CCO at ACADEMI LLC.
“It has evolved in the past decade,” Folsom explains. “Previously, those companies that had a dedicated compliance officer, it was more of a supporting and reactionary function. More companies today have a compliance function, whether they have a CCO or not, or if it’s part of the general counsel’s role. More have it in the C-suite than a decade ago.”
A 2013 study by Deloitte also sheds some light on the way the CCO fits into the larger scheme of management. The study, which surveyed 189 compliance executives across corporate America and overseas, found that in 37 percent of companies, the CCO is a standalone position while in 13 percent of companies, the general counsel holds the post.
This is often a function of size, says Carrie Mandel, consultant with Spencer Stuart and part of the North American Legal and Compliance Practice there. “In smaller banks, often the GC is the CCO,” she explains. “But either way, the positions need to be symbiotic and interactive. The CCO needs to have independence and authority to stand alone, performing responsibilities independent from the business and, increasingly, independent from legal.”
The maturity of the compliance program can also be a factor in the relationship between the GC and the CCO, says Andy Hinton, vice president, ethics & compliance at Google, speaking from his own perspective, and not that of his employer. “I see them at the beginning of the maturation curve of the compliance function as being very closely aligned… As the function matures, you do run into more and more areas of tension based on emphasis. There are times when the GC’s emphasis is on defending the company, while the CCO’s emphasis is on protecting the company.”
The distance between the CCO and the GC is increasingly evident. The Deloitte study shows that only 20 percent of CCOs report to the GC, while 34 percent report to the CEO, 17 percent to the board and 7 percent to the CFO.
“For large U.S. banks,” Mandel says, “few—if any—still have compliance reporting to legal. This is in response to legislative initiatives that say that compliance has to be independent and stand alone, distinct from legal. It used to be tucked under legal, seen as the ‘related but less-important cousin.’ That has changed.”
Mandel’s primary area of expertise is the financial space, but that is not the only business sector that is heavily regulated. And the relationship between the GC and the CCO does vary by industry.
“I think the reporting line and location of the function is based on the degree of regulatory overlay on the operations of the company/sector,” says Julie Preng, managing director, legal practice and office manager at Korn/Ferry. “For example, in pharma, companies of any size and scale (i.e., having commercial products and $1 billion in revenue), as well as medical devices companies and financial services institutions, there tends to be a structure where compliance does not report through legal. This started in large part because the regulators mandated separation in all the CIAs or DPAs imposed by the FDA, DoJ, etc. In other sectors with less regulatory scrutiny on day-to-day operations—like many industrial or consumer businesses—the line for compliance through legal is still quite usual.”
Folsom agrees that different arrangements work best in different situations. “I don’t think there is one model that fits every company out there. There’s not one model that is the best. You have to consider the type of company, the industry, the specific risks, the countries you are in, the threats to operating requirements, reporting lines and people. If you have a CCO and a GC who work well together, great,” she says. “If not, that is problematic.”
Especially, says Hinton, since those roles can clash. “It’s not conflict; it’s tension based on emphasis… If you are dealing with misconduct that can lead to potential liability—especially if it involves senior executives, the CCO’s job is to determine what happened, root out the cause of any misconduct, fix the cause, and make sure anyone that engaged in misconduct is appropriately disciplined.”
The GC, though, may want the CCO to wait before launching an investigation, so the company can be a bit more in the clear in regard to lawsuits. It’s for reasons like this that many CCOs now have a direct reporting line to the CEO or the board instead of or in addition to reporting to the GC.
Steppingstone or top of the ladder?
Even though the role of the chief compliance officer has grown in importance and prominence, its position in management hierarchy and as a steppingstone in one’s career path remains a bit unclear.
Mandel sees the CCO as an end in itself. “Being a CCO is, in its own right, the endgame for a lot of talent, including lawyers. Many top CCOs were lawyers who consciously decided to be CCOs… It’s not the objective for a senior compliance exec to be a GC. Some of them already have been, and have chosen compliance because it is closer to the business and is a mission-critical function.”
Folsom views the role of the CCO a bit differently. “The CCO is a potential steppingstone to become a GC, if you are a lawyer holding the role… It’s not the end of the career ladder for someone, especially if you are an attorney. You may not go onto something else in the C-suite, but it is a seat at the table and for those that aspire to be GC, it can be something on the resume that is appealing to boards and CEOs.”
The difference in opinion over whether or not the role of chief compliance officer is an end in itself likely has a lot to do with the changes of the last decade or so.
“I see the CCO as more and more an end in itself. This used to be a bad thing, but as the role matures, and becomes more and more important, that’s not necessarily the case,” says Hinton. He also sees some overlap between the role of chief compliance officer and that of general counsel.
“I can imagine, in the right circumstances, a CCO having the right skill set and background to be a GC, but that is relatively unusual… Some place in complete distress, that needs to set the right tone, could bring in a heavy hitter to run legal with an emphasis on compliance. Some place that had a massive FCPA investigation might make a CCO the GC.”
Vital cog in the executive machine
But no matter the ultimate career goal, the role of the chief compliance officer takes a unique skillset that is different from that of the typical general counsel and other members of the C-suite. “In order to be successful,” says Hinton, “a good CCO has to understand risk and the business and has to be willing to give clear, easy-to-understand, precise and considerate advice… If you want to be a lawyer who is a business partner and who has a seat at the table, give good advice.” Also, he says, you need operational expertise, but if you don’t have that, you can hire someone who does.
The chief compliance officer needs more than just a certain skill set, though. A strong CCO will have a certain personality and attitude. “It’s not for the faint-hearted. You have to deliver news that people don’t always want to hear,” adds Folsom. She says that, while integrity is the most important quality, a successful CCO will also have courage and judgment.
No matter who fills the shoes of the chief compliance officer, whether that person is the general counsel or aspires to be one, and no matter the relationship with the board, the fact remains that the CCO is now a vital cog in the executive machine. It is a role that can “create the values foundation for a program,” as Hinton puts it. And, with that mission statement, it’s clearly a job that means a great deal more than it once did.
“When I went to law school, people didn’t even go to the professional responsibility class,” says Folsom. “I wonder if it’s better attended, now that it is a career track. It wasn’t seen as such a decade ago.”
As career tracks go, it can be challenging—dealing with the tangles of regulations and the complex balancing act between risk and reward. But, in Hinton’s case, the scale certainly tips to one side.
“It’s a fantastic job. The balance of risk and legal advice, even the operations side,” he says. “For me, there’s nothing better.”