The other week I had coffee with a veteran compliance officer passing through town. This CCO has worked at numerous global organizations, some of the biggest names in his industry and to the public at large. So when my friend — we’ll call him the Dinosaur, since that’s how he described himself — started talking about how a compliance officer can succeed, I took notes.
Right away, the Dinosaur raised a provocative point.
“I don’t really care whether I formally report to the CEO,” he said. “I only care that when I call the CEO and tell him or her, ‘I need to speak with you right away,’ the CEO will listen to me.”
Hmmm. I’m not sure what to do with that statement. More precisely, I’m not sure others know what to do with that statement, which is what gives me pause.
On one hand, I suspect few people would say the Dinosaur’s view is wrong. On the contrary, he’s absolutely right about the most important thing: that when you sense a compliance crisis coming, the CEO will be there to hear your concerns. That’s what matters most for a successful compliance function. Every compliance officer I know would welcome a relationship like that. (Even if actual reporting relationships are all over the map.)
On the other hand, I wonder how one would document such a relationship to satisfy federal prosecutors comparing your compliance program to the Justice Department’s guidelines on effective compliance programs. Those guidelines never expressly say that the CCO should report to the CEO, but they do imply that point via a series of questions about reporting relationships and seniority status:
- Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)?
- To whom does the compliance function report?
- How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?
How do those conversations unfold when the CCO doesn’t report directly to the CEO, but does have a strong informal working relationship with him or her? When you give an answer along the lines of, “Yes, I report to the general counsel and only have observer status on executive committee meetings, but I can call the CEO whenever the need arises” — what are prosecutors supposed to do with that? Or, what other evidence of a strong control environment and tone from the top would you need to provide?
Like I said, I wholly agree with the Dinosaur’s point. I’m just not sure how his wisdom fits into the structures of “effective compliance” that the Justice Department has etched into stone. (If you have suggestions, please email me at [email protected] and let me know.)
Why Compliance Projects Fail
The Dinosaur also talked about compliance technology, and why so many compliance investments — a new technology, or a new set of risk management procedures — don’t achieve the goals you hoped for.
The biggest challenge, he said, isn’t identifying the best technology or the wisest way to govern risk. The biggest challenge is understanding the corporate culture of your organization. He faults compliance officers for not taking the time to understand which people are in what roles at the enterprise, and how information flows through the business. Gloss over those steps, he warned, and you end up with technology and processes that look impressive, but don’t fit how your company actually works.
For example, many large organizations rely on a certain risk management philosophy or framework: COSO or Six Sigma or some ISO standard or whatever. That’s fine, but compliance officers need to be sure that any new technology they want to buy can accommodate that risk management approach. Otherwise you’ve spent a lot of money on a new toy, and soon enough, people will put it aside and go back to the old way of doing things.
The Dinosaur also stressed that this point, as obvious as it may seem today, is still a relatively new concept. Ten or 15 years ago, he said, most companies didn’t have a compliance function — they had compliance officers, alone, trying to build a sustainable compliance function.
Well, now most large organizations already do have a compliance function, complete with frameworks and workflows and “we’ve always done it this way” habits among the workforce. Maybe you’ve been hired in the wake of a severe crisis, where you have the freedom to put the organization on an entirely new path; but much more likely, you’ve been hired as the new conductor for a train already in motion. Take the time to understand that train’s momentum and direction, or else you risk getting derailed.
And with that, the Dinosaur finished his coffee, said farewell, and left me to ponder his pearls of wisdom. In my line of work, those are the best sort of meetings to have.