I recently spoke about the board-compliance officer relationship to a group of sitting audit committee chairs at major, publicly traded corporations. During the presentation the discussion turned to board structures and whether companies need a separate committee to oversee compliance (as opposed to the compliance function reporting directly to the audit committee).
I think it’s worth exploring the arguments for and against establishing a “compliance committee” at your company, and I’ll also offer some suggestions for those companies that decide a compliance committee is not for them.
In Favor of a Compliance Committee
Let’s start with why your company should consider a separate board committee for the oversight of compliance.
First, a dedicated compliance committee will help to ensure better oversight of the compliance function, consistent with the guidance issued by the U.S. government over the past two decades. In today’s world, with so many compliance and culture failures even at companies with significant compliance programs, wouldn’t a higher level of oversight make sense from a governance perspective?
Second, most audit committees (and those working under their oversight) are plenty busy already. Between signing off on financial statements, overseeing the internal control and internal audit functions, and managing the relationship with the company’s external auditors, audit committees are always busy. The compliance function at many companies gets minimal time and attention from the audit committee.
Third, audit committee members don’t necessarily have the right skills to oversee today’s corporate compliance function effectively. Audit committee members often have financial and business backgrounds, but may not have expertise in today’s requirements for corporate compliance. Since compliance may not be second nature for most audit committee members (whereas something like internal audit usually is), it’s not surprising to learn that at most companies the audit chair spends more time with the head of internal audit than he or she does with the head of compliance.
Fourth, the realm of “compliance” keeps growing, with the regulatory environment getting more challenging each year. New issues like the #MeToo movement, along with the growing body of evidence linking strong corporate cultures and effective compliance programs, make it harder and harder for audit committees (with all of their other responsibilities) to stay on top of so many moving parts. One can certainly argue that a dedicated compliance committee, staffed with board members who have the right skills to oversee compliance, would be better equipped to ensure that the compliance function is robust and operating effectively.
Finally, by establishing a committee exclusively devoted to compliance and ethics, boards will elevate the compliance function and the overall importance of ethics and compliance at the company. We often talk about companies establishing the correct “tone at the top,” and I can think of no better endorsement of a company’s commitment to ethics and compliance than the establishment of a board committee directly responsible for overseeing this important area.
And the Arguments Against
Perhaps you’re already convinced that boards need to add a separate committee to oversee compliance. Before you make up your mind, also consider why boards shouldn’t do so.
First, many board members will say that some companies have too many board committees; directors are spread too thin, making it difficult for them to fulfill their core oversight responsibilities. When you add more committees to a board, it can dilute the board’s overall effectiveness by creating unnecessary confusion (and conflict) about who is responsible for what oversight. This additional complexity can also result in additional work for management, as executives try to navigate which board committees should be informed about which issues. It’s a real risk that an additional board committee will increase complexity without necessarily adding value.
Second, for many companies that aren’t in regulated industries or don’t have operations in high-risk places, there simply isn’t enough work related to compliance oversight to justify a dedicated compliance committee. Some compliance officers might scoff at that notion, but the reality is that a well-structured audit committee should be adequately equipped to provide the required oversight to the compliance function.
Finally, there are compelling reasons why compliance, finance, internal controls and internal audit should all report to the same board committee. We’ve all read about the Three Lines of Defense, and having all gatekeeping functions report into a single committee ensures that the audit committee has a complete picture of everything the company is doing to protect shareholder interests. As I’ve written many times, if the gatekeepers aren’t aligned in their mission, it’s nearly impossible to have an effective compliance program. A single committee overseeing these various gatekeeping lines of defense can foster that needed alignment.
If You Stick With the Audit Committee
From many discussions I’ve had with corporate board directors, my sense is that most boards are reluctant to create additional committees. The reluctance is mostly an issue of bandwidth; directors worry that too many committees will spread them too thin and make it hard for them to fulfill their oversight responsibilities. If that’s the case, I have a few suggestions for audit committees that will help them in their oversight of the compliance function.
First, consider adding someone with compliance experience or expertise to your audit committee. This doesn’t necessarily have to be someone with chief compliance officer experience. Plenty of current or former chief financial officers thoroughly understand today’s compliance function and regulatory expectations in this area. If you include this skill set as part of the required background for new audit committee members, you can bring on board members who can add value in the oversight of compliance.
Next, considering how busy the audit chair usually is, perhaps the primary point of contact for the compliance function should be someone on the audit committee other than the chair. Appointing someone with the time (and, ideally, compliance expertise) will help to ensure the audit committee is fully engaged in its oversight responsibilities and will strengthen the relationship between the CCO and the committee. The CCO should still be able to go directly to the audit chair with concerns when necessary, but much of the day-to-day board oversight of the compliance program can be delegated to someone other than the chair.
Finally, at least once per year the audit committee should request a report on everything the various gatekeeping functions are doing together to help increase transparency, support corporate culture, and enhance the company’s overall control environment and culture of integrity. Too often, gatekeeping functions work in silos, and nobody presents a complete picture to the board of how all this work can be optimized for the good of the company.
I don’t believe in one-size-fits-all solutions for corporate compliance programs, and there’s no right or wrong answer to whether your company needs a dedicated board compliance committee. For some, a compliance committee probably makes sense; for others, probably not. I hope some of the suggestions here will get board members and CCOs at least thinking about whether their approach to compliance oversight is the right one for their company.
Joel Katz has worked in corporate legal and compliance departments for the last 20 years. He writes and speaks frequently on ethics and compliance issues, is a member of the board of directors of the Ethics & Compliance Association, and is a Kallman Fellow at the W. Michael Hoffman Center for Business Ethics at Bentley University. Katz has been recognized as a “Top Mind” by Compliance Week Magazine and a “Top Ethics & Compliance Officer” by the Ethisphere Institute.