Chief compliance officers are the rising stars in the corporate governance world. However, CCOs have to avoid complacency. CCOs have a lot more to accomplish — it is almost as if the profession has put its collective foot in the door. CCOs have to be honest with themselves – it is easy to say everything is going great when some changes have been implemented. Instead, CCOs have to apply a more holistic and honest assessment of their actual role in the company applying the basic measuring framework of: authority + autonomy + resources.
Authority: A CCO has to exercise adequate authority in the company. A CCO has to be empowered to exercise independence and authority over a variety of activities outside of the management of the compliance function. Some may term this — “line of sight” across the company functions (beyond the management and control of the compliance department).
In this area, a CCO has to be empowered by the board and the CEO to intervene in important areas – business decisions that implicate the company’s ethics and compliance issues, compliance with business code of ethics, agent/distributor and supplier codes of conduct, training, communication, and internal investigations. If a company considers a business decision or practice that implicates the company’s ethical principles, the CCO has to weigh in and ensure that ethical principles and compliance issues are factored into the business decision.
In other words, CCOs have to be integrated into the business fabric and be a member of any senior business management company. If a CCO is excluded from senior business management, the CCO’s role at the company is by definition, deficient.
Autonomy: A CCO has to exercise independence. A CCO should report to a company’s CEO or COO, but has to have independent authority to report directly, on a dotted line, to the relevant board committee and entire board of directors. The dotted line is an important requirement that establishes a natural relationship between the CCO and the board of directors – it is a resource and relationship that should empower the CCO in the corporate governance environment.
CCOs should not confuse the dotted line with a broader definition of autonomy – an empowered CCO carries a broad portfolio of responsibilities and influence. If a CCO confines him/herself to operation of pure compliance functions, the CCO is failing to assume basic responsibility for the company’s ethical and compliance culture – a broad responsibility that stretches across all internal operations.
Resources: Many CCOs are suffering from resource limitations. All too often I hear from CCOs who are hampered by resource restrictions. In many cases, CCOs are not able to carry out basic functions needed for a compliance program to operate. In the end, CCOs have to delay projects to address basic risks. CCOs who face this situation use creative solutions and seek to leverage their limited resources to address as many issues a possible.
To resolve this issue, CCOs have to honestly report on resource requirements to the CEO and/or the board. A CCO who “goes along to get along” is not serving his or her interests and ultimately is sacrificing compliance for fear of upsetting his/her executive managers. Further, a CCO who reports to the board without discussing this issue and the compliance program needs is ignoring his or her important obligations. A CCO has to assess resource needs honestly and without fear of reprisals, and communicate with appropriate officials so that they are aware of the compliance program requirements.
It is easy to be complacent in this era of compliance focus. CCOs have to be mindful of where they stand in the company, their responsibilities and accountability for possible problems that may occur. Compliance requires a continuous focus, objectivity, honest communications with senior management and the board, and a steady commitment to important objectives. A CCO who keeps his/her focus on authority, autonomy and resources is well on his or her way to achieving an effective ethics and compliance program.
This article was originally published in Corruption, Crime & Compliance. It is reposted here with permission.