March 3, 2015
At Protiviti, we often receive questions regarding the proper positioning of compliance in an organization. The debate often centers on the question of to whom compliance should report. Unfortunately, this line of inquiry does not address the more fundamental issue of roles and responsibilities. One reason organizations differ in how they position compliance is that they hold different views of what the function is expected to do. Positioning the compliance function for effectiveness is a matter of first defining the roles executive management and the board want that function to play. An understanding of those roles then provides a powerful context for evaluating how to position the compliance function within the organization.
Generally, a company’s compliance function is responsible for overseeing or coordinating compliance efforts, ensuring that the company and its employees understand and are complying with applicable laws, regulations, and internal policies. Some functions may deal with all compliance matters. Depending on the organization’s industry, other functions may focus on specific compliance domains, such as environmental, health and safety, contracting, product quality, employment and labor, and anti-corruption. Ethical and responsible business behavior may also fall within the scope of a compliance function’s responsibilities.
Regulatory settlements addressing egregious noncompliance issues sometimes stipulate a different line of reporting for a company’s compliance officer. For example, it is not unusual for settlement deals to stipulate that the chief compliance officer (CCO) not be subordinate to the CFO or chief legal officer and that he or she should report directly to the CEO and the board. A compliance function may be led by someone designated as the compliance officer or an equivalent title. If responsible for overall compliance, that person may be the CCO, which we use here to refer to the function’s leader. But the question remains: What is the CCO expected to do?
We see two distinct CCO roles in practice, as well as variants of each. An understanding of the two roles provides context for framing the positioning conversation.
The “Champion” CCO advances the framework for identifying the applicable compliance requirements (as defined by laws, regulations, contracts, and internal policies), aligning policies and processes with those requirements, assessing risk of noncompliance and closing gaps to ensure ongoing compliance. The frontline operating units and process owners are responsible for applying the compliance framework. They retain primary ownership of the risks created by their respective units and processes. The Champion CCO:
The “Line of Defense” CCO undertakes the activities of the Champion CCO and is authorized to do a combination of the following in addition to the above duties:
The Line of Defense CCO may not be authorized to do all of the above, but the position clearly extends beyond that of an advocate because this role has the teeth of escalatory and/or veto authority.
These descriptions are not exhaustive, but they clearly differentiate the two roles. We can use them as a context for articulating several principles relating to the positioning of compliance within organizations.
The Line of Defense CCO must have sufficient stature with business-line leaders and across the organization to serve in the role effectively. Stature comes from the authority, compensation, and direct reporting lines that command respect. The authorities of the Line of Defense CCO should convey to the organization, as a whole, that this executive is a player. To illustrate, this positioning is accentuated if the Line of Defense CCO:
A Line of Defense CCO also:
In addition to the above positioning, some believe that the authority to hire and fire the Line of Defense CCO should be vested in the board. We are not convinced this is necessary, although there may be circumstances where a board may conclude that it is.
In heavily regulated industries, the Line of Defense CCO model is likely the preferred option. In other industries, and in situations where management expects the CCO to focus primarily on understanding and coordinating an organization’s fragmented compliance efforts and reporting on the state of compliance, the Champion model might be more appropriate.
If the CCO or equivalent executive plays the role of the Champion, that person may report to a C-level executive (e.g., chief administrative officer, chief operating officer, chief legal officer, general counsel) or to a direct report of a C-level executive, and operate with adequate support staff commensurate with his or her designated responsibilities. While independence may be desirable, the Champion CCO doesn’t necessarily need to be independent. In fact, depending on the nature of the designated responsibilities, the Champion CCO may not even be a full-time job. In practice, the Champion CCO typically reports to the board of directors or a standing committee of the board only by invitation. A prime issue with the Champion CCO is clarifying how the compliance function interfaces with the lines of business.
When applying the above principles, the key question becomes: What do the board and the CEO expect from compliance? Effective compliance management starts at the top. If a viable line of defense is intended, the Champion CCO will not be able to deliver.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Jim DeLoach is managing director with Protiviti, a global consulting firm.