At Protiviti, we often receive questions regarding the proper positioning of compliance in an organization. The debate often centers on addressing to whom compliance reports. Unfortunately, this line of inquiry does not focus on the fundamental issue of roles and responsibilities. One reason there is disparity among organizations in positioning compliance is that there are different views regarding the responsibilities expected of the function. Positioning the compliance function for effectiveness is a matter of first defining the roles executive management and the board wants that function to play. An understanding of these roles consequently provides a powerful context for evaluating how to position the compliance function within the organization.
Generally, a company’s compliance function is responsible for overseeing or coordinating compliance efforts, ensuring that the company and its employees understand and are complying with applicable laws, regulations, and internal policies. Some functions may deal with all compliance matters. Depending on the organization’s industry, other functions may focus on specific compliance domains, such as environmental, health and safety, contracting, product quality, employment and labor, and anti-corruption. Ethical and responsible business behavior may also fall within the scope of a compliance function’s responsibilities.
Regulatory settlements addressing egregious noncompliance issues sometimes stipulate a different line of reporting for a company’s compliance officer. For example, it is not unusual for settlement deals to stipulate that the chief compliance officer (CCO) not be subordinate to the CFO or chief legal officer and that he or she should report directly to the CEO and the board. A compliance function may be led by someone designated as the compliance officer or an equivalent title. If responsible for overall compliance, that person may be the CCO, which we use here to refer to the function’s leader. But the question remains: What is the CCO expected to do?
We see two distinct CCO roles in practice, as well as variants of each. An understanding of the two roles provides context for framing the positioning conversation.
The “Champion” CCO advances the framework for identifying the applicable compliance requirements (as defined by laws, regulations, contracts, and internal policies), aligning policies and processes with those requirements, assessing risk of noncompliance and closing gaps to ensure ongoing compliance. The frontline operating units and process owners are responsible for applying the compliance framework. They retain primary ownership of the risks created by their respective units and processes. The Champion CCO:
- Enables and supports the application of the compliance framework by providing tools, guidance, and other resource materials.
- Educates primary risk owners on the proper use of the framework, providing them with appropriate insights and offers consultation upon request.
- Coordinates and integrates cross-unit and cross-functional applications of the framework to ensure that effective practices to address enterprise compliance matters and common risks are shared.
- Facilitates risk assessments and the formalization of risk mitigation plans and supports executive management in communicating relevant compliance messages.
- Prepares reports on the state of compliance, typically on an annual basis, and either presents that information to the board or assists a senior executive who presents that information to the board.
- Reports compliance activities with periodic summaries to appropriate executives and the board, including an assessment of risks and the potential impact of noncompliance against the estimated costs to achieve compliance, along with recommended compliance funding priorities and initiation of appropriate corrective actions.
The “Line of Defense” CCO undertakes the activities of the Champion CCO and is authorized to do a combination of the following in addition to the above duties:
- Evaluate the state of compliance, quality of compliance risk assessments, design and implementation of risk mitigation plans, and operating effectiveness of those plans, all in coordination with internal audit and other evaluators.
- Establish standards and implement procedures to ensure the organization’s compliance programs are cost-effective in preventing, deterring, and detecting noncompliance with applicable laws and regulations, contracts and internal policies, and making necessary corrections through improving existing policies and compliance infrastructure.
- Approve policies and compliance risk mitigation plans.
- Coordinate internal compliance reviews of lines of business and function and monitoring activities to ascertain whether compliance programs are working.
- Escalate issues to executive management, including the CEO and, through appropriate channels, the board.
- Veto activities affecting compliance with the organization’s mission-critical policies.
- Arbitrate disagreements between operating and functional units affecting compliance.
The Line of Defense CCO may not be authorized to do all of the above, but the position clearly extends beyond that of an advocate because this role has the teeth of escalatory and/or veto authority.
These descriptions are not exhaustive, but they clearly differentiate the two roles. We can use them as a context for articulating several principles relating to the positioning of compliance within organizations.
The Line of Defense CCO must have sufficient stature with business-line leaders and across the organization to serve in the role effectively. Stature comes from the authority, compensation, and direct reporting lines that command respect. The authorities of the Line of Defense CCO should convey to the organization, as a whole, that this executive is a player. To illustrate, this positioning is accentuated if the Line of Defense CCO:
- Reports to someone who has strong influence in the organization, such as the CEO or executive committee (perhaps with administrative reporting to another C-level executive) or the chief risk officer in ways that establish the CCO’s independence from core business activities;
- Is vested with the authority to escalate issues to a senior executive who has access to and influence with the board and, in appropriate circumstances as determined by the board, has direct access to a standing board committee;
- Engages in mandatory and regularly scheduled executive sessions with the board or a standing board committee;
- Has influence on compensation practices incenting the desired compliance behaviors; and
- Is sufficiently resourced with a support staff commensurate with his or her responsibilities.
A Line of Defense CCO also:
- Needs an escalation process that is formalized, meaning written procedures and agreements requiring escalation of any significant issues raised by the compliance function that are being challenged by business-line executives; and
- Should be a centralized role, meaning that all personnel with compliance responsibilities report through the CCO’s line rather than through their respective lines of business.
In addition to the above positioning, some believe that the authority to hire and fire the Line of Defense CCO should be vested in the board. We are not convinced this is necessary, although there may be circumstances where a board may conclude that it is.
In heavily regulated industries, the Line of Defense CCO model is likely the preferred option. In other industries, and in situations where management expects the CCO to focus primarily on understanding and coordinating an organization’s fragmented compliance efforts and reporting on the state of compliance, the Champion model might be more appropriate.
If the CCO or equivalent executive plays the role of the Champion, that person may report to a C-level executive (e.g., chief administrative officer, chief operating officer, chief legal officer, general counsel) or to a direct report of a C-level executive, and operate with adequate support staff commensurate with his or her designated responsibilities. While independence may be desirable, the Champion CCO doesn’t necessarily need to be independent. In fact, depending on the nature of the designated responsibilities, the Champion CCO may not even be a full-time job. In practice, the Champion CCO typically reports to the board of directors or a standing committee of the board only by invitation. A prime issue with the Champion CCO is clarifying how the compliance function interfaces with the lines of business.
When applying the above principles, the key question becomes: What do the board and the CEO expect from compliance? Effective compliance management starts at the top. If a viable line of defense is intended, the Champion CCO will not be able to deliver.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
- If the organization has a compliance function, is the board satisfied with the scope of the function’s roles and responsibilities and that it is getting the insights it needs from the function?
- If there isn’t a compliance function, is the board satisfied a cost-effective plan is in place to monitor the top compliance risks and oversee implementation of the organization’s compliance program?
- If the organization has implemented the Champion CCO model, is the board confident that compliance programs are updated periodically in light of changes in the company’s needs and in applicable laws, regulations and contractual requirements?
Jim DeLoach is managing director with Protiviti, a global consulting firm.