The Securities and Exchange Commission's new whistle-blower programme could cause headaches for GCs

Both the Sarbanes-Oxley Act 2002 in the US and the UK Corporate Governance Code (formerly the Combined Code) require listed companies to conduct a review of the effectiveness of their risk management and internal control systems covering all material controls, including financial, operational and compliance controls.

In the US, this has been seen in the rise of the chief compliance officer (CCO), whose role is increasingly seen as separate and distinct from that of the general counsel (GC). While this has given rise to a debate as to whether the CCO and GC roles should be separate, an even greater threat is posed by the new 'cash for tips' approach adopted by the US Securities and Exchange Commission (SEC), which will allow internal whistle-blowers in search of millions of dollars to leapfrog internal reporting procedures and go to the SEC with a hot tip.

The CCO of a company is generally seen as responsible for supervising and managing compliance issues within an organisation. The job description came from a 2002 speech by then SEC commissioner Cynthia Glassman urging that:

  • a company should have an officer with ownership of corporate compliance and ethics issues;
  • he or she should have sufficient seniority and authority to take the actions necessary under the circumstances;
  • the position should have the full support of the chief executive officer (CEO) and senior management and the ability to report directly to the board on matters of significant import to the company or matters involving misconduct by senior management; and
  • the responsible officer should have sufficient time and adequate resources to implement the company's corporate responsibility programme in an effective manner through development of internal controls and mechanisms.

With the growth of the role of CCO, a question many companies in the US face is whether this role should be standalone or whether the role should be assumed by the company's GC. Ben W Heineman, Jr, former General Electric Company senior vice president-general counsel, who is currently a senior fellow at Harvard Law School, has identified three broad organisational options:

  • the CCO is independent of the GC and chief financial officer (CFO) and reports directly to the CEO and board;
  • the GC is also the CCO; or
  • the CCO reports to the GC and the CFO, and deals primarily with the process of compliance across all substantive subject matter areas.

Heineman favours the last option because it "builds on the vital need in a corporation for a strong, broad-gauged GC while avoiding significant organisational overlap and confusion and because it focuses the CCO on critical process management, uniformity and rigour across the corporation".

In contrast to Heineman's view, some organisations have chosen to completely separate the CCO function from that of the GC. This viewpoint is supported by research showing that whenever a company had combined the GC and CCO roles and then found itself the subject of a US Government investigation, it quickly separated the dual role once its ethics and compliance programmes were brought into question.

The investigations referred to were healthcare fraud cases – Tenet, WellCare and Pfizer – one of which (Pfizer) now requires the company's CCO to leapfrog over the GC and report directly to the CEO.

Sven Erik Holmes, vice chair of legal and compliance for KPMG and a former US federal judge, warns against this separation of the CCO and GC functions: "Although it is debatable whether such separation creates a better governance model, one thing is clear: separation of the roles can have negative consequences, such as siloing and turf wars, if the responsibilities of the two positions are not clearly defined."

Holmes points to differences in how the GC and CCO conceive of their roles: the GC is charged with defending and preserving the legal position of the company while the CCO has to take a more conciliatory approach ("mistakes have been made, lessons have been learned") to the very same problem.

Now, with the introduction of the new Dodd-Frank whistle-blower programme that allows whistle-blowers to skip internal reporting and go directly to the SEC in search of cash rewards, there is the potential for both compliance and legal departments to be completely blindsided in addressing issues that may exist in their company. This, in fact, may be an even bigger threat to the success of the legal and compliance departments than poorly divided responsibilities and role formation between the two departments.

Former Secretary of State Donald Rumsfeld, in talking of the Iraq War at the time, unwittingly described the paradox of the compliance function in a company today: "There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know."

The problem is that if the new Dodd-Frank whistle-blower programme is successful, whatever structure a company adopts to mediate the relationship between legal and compliance will be undermined if "known unknowns" are transformed into "unknown unknowns" because people seek cash at the expense of improving the corporate governance of the company that employs them.

Dr Stuart Weinstein (pictured) is associate head at the University of Hertfordshire School of Law. He is chairing the inaugural Legal Week Corporate Governance and Risk Forum on 30 November in London. For more information see www.corporategovernanceandrisk-forum.com