The role of the chief compliance (and ethics) officer is currently a hot, if confused topic. What does she do—ensure good process or enforce strict compliance? To whom does she report—GC/CFO or to CEO/board? What is her role in shaping the company's voluntary adoption of ethical standards—beyond what the law requires?
This issue has been thrust into high relief by regulators and enforcers who, in light of various scandals, want a more independent compliance function in corporations. For example, changes in the federal sentencing guidelines would give corporations extra credit if the “specific individual” in the corporation with “day-to-day operational responsibility for the compliance and ethics program” has direct access to the board of directors. The issue has also received attention in the resolution of various high-profile cases, including a recent Pfizer Inc. settlement of criminal and civil matters with the U.S. Department of Justice and the U.S. Department of Health and Human Services, which required that the company's chief compliance officer bypass the GC and report directly to the CEO.
Let me offer a somewhat contrarian, more nuanced view about the critical importance of a chief compliance officer, but in a right-sized role.
There are three broad organizational options:
Ⅰ The chief compliance officer is independent of the GC and CFO and reports directly to the CEO and board.
Ⅱ The GC is also the chief compliance officer (CCO).
Ⅲ The CCO reports to the GC and the CFO, and deals primarily with the process of compliance across all substantive subject-matter areas.
I favor the last option as the practical ideal because it builds on the vital need in a corporation for a strong, broad-gauged GC (see my essay, “The General Counsel as Lawyer-Statesman,” Harvard Program on the Legal Profession, 2010, law.harvard.edu/programs/plp/pdf/General-Counsel_as_Lawyer-Statesman.pdf), because it avoids significant organizational overlap and confusion and because it focuses the CCO on critical process management, uniformity, and rigor across the corporation.
Here are some of the key reasons for my view.
Many experts, not one. Compliance is not one substantive subject, it is many: competition law, employment law, environmental law, labor and employment law, international law, accounting rules, and disclosure law. Compliance also involves particular subject-matter areas governing specific industries (health law, communications law, banking law, etc.).
Experts report to GC/CFO. The substantive experts in all those areas of formal rules, legal and financial, need to report either to the GC or to the CFO. They must not only be at the core of all compliance functions in their substantive areas but they are also involved in myriad business and policy issues beyond compliance. It makes absolutely no sense to duplicate that expertise by having a second set of experts who report to the chief compliance officer.
The GC's role in individual decisions. These substantive experts staff the GC or the CFO for meetings with the CEO and the board to define and discuss critical decisions with a legal or ethical component—a new deal, a new product, a new geography, a new government investigation. The general counsel and the CFO should be at the table, supported by substantive experts inside the company who work for them. Indeed, the growing importance of “business-in-society” issues in major companies means that the GC is becoming equal in importance to the CFO in the eyes of the CEO and the board of directors.
What is “right”? In these individual decisions, it should be the role of the GC not only to address the question of “what is technically legal,” but also to raise and help analyze the question of “what is right.” This second question requires assessment of the spirit of the law, ethics, reputation, public policy, and societal expectations in light of the corporation's enlightened self-interest. It is ludicrous to suggest, as some do, that the GC only worries about what is “legal” and the chief compliance officer worries about what is “right.” The “what-is-right” set of issues is at the center of the role of the modern, broad-gauged general counsel as wise counselor and leader.
Compliance is a core GC job. At the dead center of the GC (and CFO) job is responsibility for adherence to the formal and ethical rules binding the company. They must be partners to the CEO, but first and foremost they must be guardians of the company on the three essentials of compliance: prevent, detect, and respond.
Experts and compliance basics. The fundamental responsibility in a good organization for fusing performance with integrity lies with the CEO and top business leaders. But it is the substantive experts reporting to the GC and CFO who must work with businesspeople to map core commercial processes, assess where risks exist, and then devise risk mitigation procedures. Their substantive expertise and involvement is vital in developing education and training, in devising techniques for checking and balancing, and in creating appropriate monitoring mechanisms and in investigating, disciplining, and rebuilding failed systems.
What is the role of the chief compliance officer when he or she reports to the GC and CFO? Put simply: process integration and rigor. Because there are so many different substantive areas of compliance, handled by different experts, it is vital that these threads be woven together into a coherent compliance program. There must be a single code of conduct and uniform set of policy guides. There must be integrated general education and training for all employees. There must be an integrated method for tracking individuals who move into high-risk jobs: risk assessing those jobs across several compliance areas and providing tailored, individualized courses. There must be a systematic company method to process map, assess risk, and mitigate risk. There must be oversight of the ombuds system to ensure that it is being operated fairly, promptly, and without retaliation. There must be a continuing, energetic search for best compliance practices outside the company. In sum, there must be an overall assessment of how compliance processes are working beyond reviews of particular substantive areas (e.g., competition law or environmental protection) and beyond individual business units.
Although substantive lawyers have expertise and knowledge to assess legal and ethical risks in their areas, and to design specific mitigants, they may not have the process skills that great compliance leaders possess. (Compliance leaders may not even be attorneys but can, for example, be ex-military officers with outstanding organizational and process skills.) Working with the GC and CFO and with the substantive compliance experts, the compliance officer assists business leaders in embedding integrity processes deep into business operations. Make no mistake, I believe process management across the whole compliance system is a central and vital job.
But, as noted, it makes no sense for the chief compliance officer to be “independent” and to hire the various substantive experts who must work on compliance but also on business problems for the GC and CFO. That doesn't amount to appropriate “checks and balances,” but is a source of bureaucratic waste, confusion, and possible turf-fighting. Similarly, the GC should not be CCO in the sense that I have used it here because rigorous oversight of the compliance processes demands too much time, and a direct report to the GC (and CFO) needs an important title like CCO to command the respect this critical job requires.
The main objection to the position I am advocating is expressed in one phrase: lack of independence. At headquarters, the GC and CFO will be compromised by their relationship to the CEO, and their fear of losing unvested options or restricted stock units or deferred compensation. Down in the organization, division lawyers or finance people will be afraid to speak candidly to their business leaders and afraid to report up to the company GC or CFO.
The short response to this objection is one word: culture. In a good company—a company with a high-performance, high-integrity culture—the CEO leads personally and directly on integrity and, with the board's explicit support, makes clear that she wants the GC and CFO to be rigorous and candid on issues of legal, financial, and ethical rules. Creation of such a culture turns on top leadership, not on the chief compliance officer.
In such a culture, the chief compliance officer attends all integrity reviews with top leadership and, like the head of the company audit staff, can report directly to the audit committee of the board periodically on the strengths and weaknesses of compliance processes (to satisfy the new if ambiguous language of the Sentencing Guidelines). Indeed, I would go so far as to have the board and the CEO commit to give the chief compliance officer access to them at any time when the CCO believes that the company is not handling a compliance issue properly, including misbehavior by the GC or CFO.
In a bad company, with a poor culture, a distant board and an indifferent CEO (or worse), independent voices—whether from a chief compliance officer or the GC/CFO—will be muffled and discouraged. Neither a general counsel nor an independent chief compliance officer can change a bad environment, which deeply affects how people feel, think, and act. If tone at the top is rot at the top, then little can be done without the CEO or board being removed. Indeed, the misguided (in my view) enforcement thrust for a CCO wholly independent of the GC and CFO has stemmed from major scandals caused by senior leadership's unlawful, unethical, or negligent behavior and by board indifference or negligence. If the GCs (or CFOs) were complicit or negligent, enforcers should press for their replacement, not for supplanting them.
To me, one good example of the approach suggested here is Siemens AG. Following a massive bribery scandal, its new CEO (Peter Loscher) and new general counsel (Peter Solmssen) undertook an intense effort to resolve outstanding cases, change the culture, redesign compliance processes, and make adherence to law and ethics a critical part of performance appraisals. To help address integrity issues in the future, a newly energized chief compliance officer and compliance function have been established. They report to the general counsel.