CCOs and Reporting Relationships

The reporting relationship for chief compliance officers continues to teeter between the general counsel and the CEO, at least according to a fresh report from a recruitment agency that offers a few interesting points for anyone looking to move up the career ladder. 

Recruitment firm BarkerGilmore published a research paper earlier this week that surveyed more than 200 chief legal, compliance, privacy, and risk officers about their reporting relationships. Its most relevant finding: 44 percent of chief compliance officers report to the general counsel, 42 percent to the CEO. (Related: 22 percent of respondents said their company has no chief compliance officer at all.)

The ideal, of course, would be a compliance function independent of legal, where the chief compliance officer reports directly to the CEO and briefs the board regularly on matters of ethics and compliance. So says the Justice Department’s guidance on effective compliance programs as well as all the other sacred texts here in compliance land. 

The reality is more nuanced, as borne out by the BarkerGilmore report and many others before it. The larger a company is, the more likely it will have a chief compliance officer who reports to the CEO — but specific data on this point has long been all over the map. I can remember one survey I helped to conduct 10 years ago where 38 percent of large-company CCOs reported to the CEO, a number within spitting distance of BarkerGilmore’s report today. Last year the Association of Corporate Counsel published a report saying 74 percent of chief legal officers managed ethics and compliance.

One question that occurs to me: For a compliance officer’s career security, is it better to be separate from the legal function and not report to the general counsel? 

My gut instinct is to say yes. An independent CCO has more exposure to the CEO and the board, giving you more opportunity to demonstrate your skills and your function’s worth. You can also operate independently from our frenemies in legal, and perhaps head off any hare-brained ideas they cook up like integrating the compliance and legal functions after a corporate integrity agreement ends. 

On the other hand, working within the legal function does give you more potential career paths. Foremost, it can be easier to move from chief compliance officer to general counsel, a time-honored climb up the career ladder. You might also have more ability to influence those hare-brained ideas from legal if you are, in fact, working among the hares. But all of this presumes that you want to stay within your corporation; maybe your company stinks and you want to jump ship — in which case, I’m not sure any of these points matter all that much. 

If you have thoughts about this question, send them to me at [email protected]. Confidentiality guaranteed, and I can run the best observations in a future post. 

Other Items on Reporting Relationships

The BarkerGilmore report had a few other findings of note, too. 

First, responsibility for ESG issues was spread among many functions. General counsels topped the list, with 22 percent of them responsible for ESG; but oversight quickly fractured after that among many other teams. See Figure 1, below.


Source: BarkerGilmore

Only 7 percent of chief compliance officers oversee ESG duties. That seems like a shame to me, because as I’ve said before, compliance officers have an excellent set of skills to handle ESG and it gives you all an opportunity to branch into more enterprise-wide, operational issues. 

Then again, a full 17 percent of respondents said they don’t even know who runs ESG at their companies. So foremost, this data tells me that ESG is still such a new field of concern for corporate management that no standard approach has emerged for how to handle it. 

Second, many companies say they don’t have a chief risk officer — except, the BarkerGilmore report doesn’t define what a chief risk officer does, and at many organizations that job would be done by a chief audit executive of some kind. So although 65 percent of respondents said they have no CRO, I wonder how accurate that number truly is. 

Among those companies that do have a chief risk officer, 45 percent said that person reports to the CEO. Another 24 percent said the CRO reports to the general counsel, and 21 percent listed the CFO.

My question here would be how the chief risk officer role is evolving, and how that person’s duties would then relate to “pure” legal, compliance, or audit tasks. For example, would a chief risk officer oversee ESG duties? Would he or she be a souped-up internal audit leader, now tasked with identifying emerging risks and building processes and controls to keep those risks in check? And if so, then what about an internal auditor’s independence — does that go out the window?

The honest answer is that we don’t know. Or perhaps more accurately, every company needs to find a solution that works for its own unique circumstances; and so far those solutions are so diverse that we can’t draw many best practices that apply broadly. 

Food for thought as you gussy up your LinkedIn profile or prepare for that next performance and salary review.
