by Stephanie Gallagher, JD
stephanie.gallagher@corporatecompliance.org
The role and reporting structure of the Chief Compliance Officer (CCO) is a hot topic in the compliance profession that has inspired much recent debate. I read an interesting article on Law360 today that really got me thinking about this topic.[1] There are a few different takes on what the reporting structure should look like (i.e. should the CCO report to the Board/CEO, or to General Counsel (GC), or to the CFO?).
I maintain that the independence of the CCO in the reporting structure is key to maintaining a compliant infrastructure, and therefore the CCO should be separate from both the legal and finance departments in an organization. Not only is this beneficial to the organization’s compliance program, but it is also better for the CCO, as recent decisions have indicated that a CCO can incur personal risk and liability for intermingling with the role of a GC.
First and foremost; what does it mean for a CCO to be independent, and why is this important? The answer is seemingly obvious. If a CCO must make difficult and impartial decisions, it is problematic to burden the process with layers of middle management, thus creating a situation where a conflict may be perceived. It is of utmost importance that a CCO avoid any real or perceived vested interest in the outcome of an investigation. This is important not only to maintain the integrity of the investigation, but to maintain personal integrity within the organization as well. If the CCO reports to the individual or group that is being investigated, there is a potential interest in the outcome. The interest, whether real or perceived, may be reason enough to call the CCO’s credibility into doubt.
The question now becomes: How can a CCO establish and maintain independence? At minimum, a CCO should have a direct line of communication to the board of directors or CEO. Ideally, the CCO would report directly the board or CEO, and not through layers of management, or through the organization’s general counsel or finance department, again, to avoid real or perceived interest in outcomes.
In order for the CCO to be truly independent, he cannot take on managerial responsibilities. When the CCO takes on management work, he becomes management. When he becomes management, he cannot be independent. In discussions about recent high-profile failure-to-supervise cases, Marc Powers, a partner at BakerHostetler, states that “when a CCO is deemed a supervisor in regulators’ eyes, the individual becomes subject to failure-to-supervise charges.”[2] In other words, this opens the CCO up to personal risk and liability. Not only can a CCO in the wrong reporting structure have his independence called into question, but he can also be held personally liable for the misdeeds of others within the organization.
It is in the best interest of the organization and the CCO to build a compliance program around the theory of independence and freedom from interest in outcomes. In addition, taking the CCO out of the reporting structure to the GC or CFO, and out of a managerial position, will lessen his personal risk. Structuring a program with these key components will ensure that your CCO is not left unprotected.
[1] “The Compliance Issues Putting GCs In Regulators’ Crosshairs” Law360. Maleske, Melissa. 29 Feb. 2015
[2] Id.
We concur. Our rule for at least the last ten years has been the CCO cannot be part of business development, finance/accounting, legal or operations. Of course this is scalable depending on the size and revenue of the company. We discourage dual hats, let alone multiple. The only true independent CCO has direct, unencumbered reporting to an independent board of directors (i.e., those with no business ties/compensation from the company), whose authority includes review and approval of any proposed disciplinary action against the CCO.
Comments are closed.