Note: The first paragraph of this article has been updated, at the request of the author.
Hello, Ben. In 2009, when you and I sat together on a panel for the PBS documentary In Search of the Good Corporate Citizen, I recall your statement that the real chief ethics officer of the company is the CEO, and that although the chief ethics officer has the nominal title, that role is really held by the CEO. I agreed with you in principle that the CEO must drive the right ethical behavior from the top, but countered with, “The last time I looked, [CEOs] had day jobs.” You have championed a structure where the chief compliance and ethics officer reports to the GC, with the GC and the CFO apparently splitting the compliance role at meetings with the CEO and board (staffed by “their” subject-matter experts), with the CCO nowhere in sight.
I was very encouraged to see, in your recent interview with Corporate Counsel, your public recognition that the CCO is in fact a full-time role that cannot be filled by merely tacking on an extra title to the GC. This is tremendous progress for the in-house bar, and since it runs counter to the views of many of your GC colleagues, I wholeheartedly commend you for your leadership.
That said, the rest of your position, that the CCO is merely a process integrator and that the CCO must report to the GC as a legal lieutenant, tells me that you do not fully understand the modern CCO role and the thriving, multifaceted compliance and ethics profession. On a Venn diagram, Compliance would not be a subset of Legal, but instead would touch a piece of Legal, a piece of HR, a piece of Audit, and would have significant interfaces with many other functions of the organization, and of course, deep connection into the business operations.
Most former and practicing CCOs will tell you that compliance is far from a legal function. In fact, it is more of a management and control function that impacts (and requires the engagement and support of) all other functions and businesses. Most of the skills and competencies that are the mainstay of a high-performing compliance function have nothing to do with legal.
The legal and compliance functions certainly have areas of overlap, but so do HR, internal audit, communications, safety, security, environmental, IT, and many other functions. This is because compliance is a multi-disciplinary field. Legal is a key enabling partner to compliance. Legal participates as a subject-matter expert in a number of the risk areas covered by the compliance program (but not all, as can be seen in areas like safety, environment, export control, and many HR issues where the expertise is often in other departments), and has a key role to play in supporting training, risk assessment, and investigations, where appropriate.
But legal also has a separate and distinct mandate from compliance, and the two mandates will differ on any given day, week, or time of crisis (e.g., when there are differences between how legal and compliance want to treat internal whistleblowers). When this happens, it is critical to the organization that legal and compliance are equal partners and that both voices are heard at the top. Many companies that have placed the CCO under the thumb of the GC, and have viewed compliance purely through a legal prism, have paid a steep price for that misstep. Just ask Tenet Healthcare, Pfizer, Hewlett-Packard, and now Wal-Mart about that one.
Today, courts, prosecutors, regulators, policymakers, and boards are finding compelling reasons to bolster the CCO role with levels of independence from the GC and management, in order to empower the CCO to do the job, usually as a direct report to the CEO with unfiltered access to the board of directors. Why would all this be happening if the reporting line to the GC that you advocate so strongly were working? Simple answer: it’s not.
Consider the recent trend in corporate integrity agreements and deferred prosecution agreements that specifically state that the CCO should not be, or be subordinate to, the GC or the CFO. Since Republican Iowa Senator Chuck Grassley’s famous 2003 observation in the Tenet Healthcare fraud case, “It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement,” the call for separation of the GC and CCO roles has grown from a whisper to a roar. The U.S. Department of Health and Human Services Inspector General has similarly set out guidance for various segments of the health care industry, all of which consistently recommend levers of CCO independence, including separation from the GC and CFO functions to ensure adequate checks and balances.
In the financial sector, Rule 38a-1 of the Investment Company Act has, since 2003, required safeguards for CCO independence from management, including direct reporting to the board. The GC-CCO reporting arrangement didn’t work out too well for Fannie Mae, either. And despite intense lobbying from the in-house counsel bar, the 2010 amendments to the Organizational Sentencing Guidelines established support for the direct, unfiltered reporting relationship to the board for the person with day-to-day responsibility for the compliance program. Fast forward to 2012, with warnings from Carlo di Florio, the Securities and Exchange Commission’s chief of compliance investigations and examination, that the regulator will be scrutinizing closely how much support and independence Boards and management provide for their compliance functions.
And now we have the rapidly escalating Wal-Mart bribery scandal. According to reports, when faced with alarming indications of a vast bribery scheme in its Mexico operations, the general counsel and a small group of top execs decided to transfer the investigation back to the Mexico GC who is alleged to have authorized the bribes in the first place. Not surprisingly, the case was closed and conveniently buried with a finding of “nothing to see here.” Whatever else may unfold about this evolving story, Wal-Mart is Exhibit A, B, and C for an independent CCO. A properly positioned and independent CCO could have been a cautionary voice in that C-suite, and would have had unfiltered access and reporting obligation to the board. But we know now that didn’t happen. Instead, Wal-Mart has lost $10 billion in market share and looks to be on its way to becoming the defendant in a landmark FCPA case.
The modern CCO works across the organization with key executives, managers, enablers, risk owners, compliance champions, and subject-matter experts in the businesses and all corporate functions to develop and oversee a management system with a critical and broad mandate: to support a culture of integrity and accountability, to prevent and detect wrongdoing, and to advise and report to the board on these matters. The most effective way for the CCO to fulfill this mandate is as an equal and mutually supportive partner of the legal function, not as a process integrator trapped within legal. In response to your article “Can the Marriage of GC and Compliance Officer Last?”, I would suggest that the happiest marriage between the two functions is one born of mutual respect and independence.
Certainly, there are companies where the CCO reporting to the GC appears to have worked. When it does, it’s usually because the GC understands that he has neither the time nor the competencies to be the CCO and allows the CCO to operate independently. The problem is, this arrangement works . . . until it doesn’t. An argument of “our GC is totally awesome” may sound great internally, but it is a woefully flimsy hook on which to hang your entire company’s reputation and share price. Remember that the same argument used to be made for why companies needed no compliance program (after all, they only hired good people, so nothing could possibly go wrong).
Don’t get me wrong, as a former in-house lawyer, I both respect and understand the in-house mission. Many great CCOs are lawyers, and some are former GCs who have embraced the CCO orientation. But any company that decides to place the CCO in the GC reporting line should have the absolute burden to demonstrate levers of independence for the CCO, and that includes more than just a direct access to the board (which in the business world usually means asking your boss permission). This argument should hold up better for a small-to-medium-size enterprise than for a large, well-resourced company with complex risks that is clearly in a position to have a fully empowered, standalone CCO role.
Ben, I appreciate your vigorous advocacy for the in-house bar, but I think a service can be done for the legal profession by recognizing that compliance and ethics is a fully realized profession of its own, with an equally important and independent mandate that transcends legal. Because as Victor Hugo observed in 1877: “Nothing is as powerful as an idea whose time has come.”
Donna Boehme is an internationally recognized authority and practitioner in the field of organizational compliance and ethics, designing and managing compliance and ethics solutions within the U.S. and worldwide. As principal of Compliance Strategists LLC, Boehme advises a wide spectrum of private, public, governmental, academic, and nonprofit entities.