As we all settle into the new year, let’s begin by continuing to debate an age-old question: What is the proper relationship among the chief compliance officer, the general counsel, and senior management?
This has been on my mind since last month, when I moderated a webinar on new guidance for compliance officers in the healthcare sector. That guidance, from the Department of Health & Human Services, declared emphatically that the CCO and general counsel should be separate in structure and in practice. The CCO, according to this guidance, should report directly to the CEO or the board independently of the general counsel.
We all know that’s not the case at plenty of companies. Many of them, including some very large ones, either have the chief compliance officer report into the general counsel, or make the general counsel the chief compliance officer, so that he or she gets to be the supreme gatekeeper between senior management and the “true” compliance officer, who sits somewhere further down the org chart with a lesser title.
I’ve heard several reasons for why that’s so. Some people (general counsels, mostly) say that compliance risk is a subset of legal risk, and since the general counsel is the final voice on all legal matters, he or she also gets to be the final voice on compliance matters by default.
Other people (still general counsels, mostly) say that the general counsel reporting to the board actually helps the compliance officer — because the compliance officer is typically there to deliver unwelcome news to the board about compliance violations. So let the general counsel play that role instead; otherwise the board and senior management will view the CCO as a Debbie Downer who does nothing except deliver bad news.
Those theories were in my brain as I asked the webinar speakers why so many companies insist on keeping the CCO subordinate to the general counsel. One of those webinar speakers was the always insightful Ellen Hunt, who said, “Companies get the compliance program they want.”
Hold on. We need to pull on that thread.
Getting Compliance to a Good Place
I completely agree with Hunt’s observation that companies get the compliance program they want — but if the company wants a compliance officer kept at arm’s length from senior management, then I would humbly submit that the company doesn’t understand what a strong compliance function is all about.
Let’s go back to the stereotype that the chief compliance officer is a Debbie Downer who does nothing but bring the board bad news. If that’s truly how the CEO and general counsel view the compliance officer, then of course they’re going to keep that person away from the board. Why wouldn’t you? Who wants to hang out with Debbie Downer?
But think about the dynamics that would lead other executives to view the compliance officer that way. If you’re viewed as the person who would embarrass the CFO by raising a financial integrity issue, or embarrass the quality control officer by disclosing a quality issue, and so on and so forth — that’s a deeply dysfunctional corporate culture. It should leave any compliance officer deeply alarmed.
Perhaps you could rectify that situation by educating the board and senior executives, showing them how a strong culture of compliance — one that welcomes discussion of misconduct issues and other problems, rather than seeking to bury them — helps the company over the long run. That depends, however, on the quality of senior management and the board. They need to be humble leaders, who embrace the company’s mission over their own egos and wants.
If you have a senior management team like that, then maybe you can cure the dysfunction and bring people around to the notion of a strong compliance function. If you don’t, maybe the wiser course is to polish up your LinkedIn profile.
A Word on Attorney-Client Privilege
OK, back to the compliance officer-general counsel relationship. Another common argument for having the CCO report into legal is that this allows the legal department to exercise attorney-client privilege more easily. How legitimate is that argument?
Not very, according to the speakers on last month’s webinar — if you have a strong relationship with the general counsel based on trust.
That is, if the GC knows that you’ll come to him or her on any issues where you suspect privilege should be exercised, then compliance and legal can exist separately as that healthcare guidance recommends. But that only happens when the general counsel trusts both the compliance officer’s ability to recognize serious issues that need attorney-client privilege and the compliance officer’s willingness to bring those serious issues to the GC’s attention.
If the general counsel doesn’t trust the compliance officer on either of those points, then separate compliance and legal functions might well be a terrible idea.
Another speaker on the webinar, healthcare compliance consultant Leslie Boles, described compliance officers as “identifiers” rooting out issues that need attention, while legal officers are “defenders” who help the company to avoid legal liability. The challenge is for each side to understand when they need to work together and when they don’t.
“They need to see each other as partners — and that’s why one shouldn’t report to the other,” Boles said. “There are times they need to collaborate, and times they need to operate independent of each other.”
That’s a complicated dance, and it gets back to my earlier point about trust. If compliance officers and legal officers can trust each other, then they can make that relationship work while maintaining separate business functions. Trust makes separate legal and compliance functions work.
Such a partnership between compliance and legal is, I suspect, exactly what regulators want to see.