July 20, 2016

The Chief Compliance Officer Debate: Focus on Function Not Form

Ben W. Heineman, Jr.

Driven by major scandals, there has been a dramatic increase in regulation, enforcement, and sanctions in the past 25 years. Without question, the most basic job of the general counsel (GC) is to determine what is the law and to help shape messages, systems, and processes so that the corporation is compliant and avoids legal risk all across the globe. In addition to preventing harm, compliance also creates value inside the corporation, in the marketplace, and in broader society by underscoring the corporation’s commitment to integrity and differentiating it from less scrupulous rivals.

But it is also without question that the CEO must personally lead compliance. It is a team sport involving not just the legal function, but also finance, compliance, human resources, and risk as well as business leaders. In recent years, far too much time and effort has been wasted on debating the formalities of organization—for example, whether the CCO reports to the GC/CFO on one hand or to the CEO and the board on the other. I believe the CCO should report to the GC because the legal department is responsible for the foundational task of determining what the law is. But I offer this as a preference, not an iron-clad prescription, because companies vary in their cultures and because the right teaming arrangements are far more important than reporting relationships. Most importantly, the CEO, as the corporation’s chief compliance officer in effect if not in title, must provide intense leadership on this set of issues and must focus on function, not form, in deciding how to address different compliance issues in different corporate systems and processes in different markets posing different challenges.

What Is the Law?

A corporate program aimed at complying with the law naturally must first answer the knotty question, “What is the applicable law?” Writers about compliance often gloss over this most fundamental determination. When a company is operating in multiple countries, the GC must undertake the devilishly difficult task of determining the law that applies to each corporate function—from sales and marketing, to manufacturing and technology, to finance and human resources—in each country. In addition, there is the related problem that legal systems are constantly evolving through legislation, regulation, enforcement, investigation, and litigation. Given the law’s dynamism, the GC must make three important judgments that involve not only superb technical lawyering, but also wise counseling in answering the deceptively simple question, “What is the law?”

First, the GC must help the corporation choose among a range of reasonable interpretations of the law. For example, if faced with a “rule” that is ambiguous, how should it be interpreted in order to comply most fairly with the law? Frontier issues in business frequently put lawyers in frontier areas of interpretation, given the broad array of corporate processes and operations and the variety of regulations that may apply to each corporate function. Moreover, any given interpretation may also require a business judgment about how much legal risk the company should assume in choosing from a range of reasonable options.

The second judgment is deciding between pluralism and uniformity when the type of law in question has different interpretations in multiple jurisdictions. Should the corporation attempt an interpretation that is “reasonable” in each jurisdiction because the laws are so different (e.g., different privacy standards in the United States versus the European Union), even though that will involve significant administrative complexity? Alternatively, should the corporation decide on a uniform legal interpretation that is at the most compliant end of the spectrum and thus provides administrative simplicity but may also lead to “overregulation” in less severe jurisdictions? For example, child labor laws in various nations set different ages for when children may work (i.e., from ages 13 to 16). The GC may decide that a single age mandated in the most restrictive jurisdiction should apply, both in the company’s own facilities across the globe and in labor standards applied to third-party suppliers. In other words, the company simply will not hire anyone under the age of 16 even though a younger age is permissible in some of the countries in which it operates.

The third judgment is whether the company should adopt the “spirit” of the law, or the underlying purpose, and fashion a voluntary prescription for the company that advances that purpose but may not be technically required by the law in question. This raises difficult ethical questions for a global company that require weighing “prudential” factors (what is in the corporation’s enlightened self-interest) and “moral” factors (duties owed to stakeholders).

In determining what the law is, I must also underscore that there are certain improprieties to which a GC should never succumb when under pressure to bless proposed corporate actions. Inside counsel must never: (1) ignore the law and hope the company will not be caught (often through bribes); (2) act as Holmes’ bad man and try to assess whether the benefits of noncompliance outweigh the costs of discovery; or (3) attempt to interpret away the law’s purpose and effect through strained, hyper-technical readings that are obfuscatory and outside the range of credibility if viewed by a reasonable, independent third party. Trying to change the law or leaving a jurisdiction are acceptable alternatives to “bad” law; disobeying or ignoring it are not.

The CEO as CCO

If the foundational step is determining what the law is, the essence of compliance is management of complexity through disciplined systems and processes. Simply stated, compliance involves ensuring across an organizationally diffuse and fragmented global corporation that systems and processes prevent compliance misses, detect those that do occur, and respond quickly and effectively. For all the volumes on compliance, it really comes down to three words: prevent, detect, and respond. It is towards these objectives that classic management disciplines of planning, goal setting, organizing, staffing, budgeting, and auditing must be directed. These objectives are accomplished only when a compliance infrastructure is built into business operations that have a performance-with-integrity culture.

This is why I believe that the CEO must be the company’s CCO in at least a leadership, if not day-to-day, sense. Much ink has been spilled about the respective roles and reporting relationships among the GC, CFO, CCO, head of internal audit, ombudsperson, chief risk officer (CRO), and head of human resources. Whatever the organizational formalities, there is no doubt that these senior executives, who are jointly responsible for compliance, must work together with their respective personnel so that the program is carried out with intensity, integrity, and independence. However, there also can be no debate that, if the CEO does not view compliance as one of her core leadership duties, then the efforts of the senior executives are not worth much. Adoption of such a leadership role by the CEO means that she, in turn, holds other business leaders within the company accountable for integrating integrity into their business processes. Together they must drive this ethos of accountability down into the company so that the critical middle-management leaders of profit-and-loss segments in far-flung corners of the world know that it is the core of their job, too. Accountability is key; senior executives and middle managers alike must know that the failure to create a culture of integrity is a firing offense. General performance on integrity issues must affect promotion and compensation. Moreover, business leaders within the company must live compliance: they must speak about it both personally and publicly, emphasize integrity as the foundation of the company, lead compliance reviews, and exemplify core integrity values in their own personal behavior.

The GC and other key staff must therefore work with the CEO to ensure that operational business leaders have “ownership” of the systems, processes, and resource allocations essential to an effective integrity infrastructure embedded into business operations. Plant managers must lead environmental health and safety in their facilities. Sourcing leaders must ensure that their third-party vendors follow local law. Division heads must have a comprehensive understanding of what is needed to follow the law and reduce legal risk and then effectively build those systems and processes into the business. That is addressing complexity. That is management—systematically applying disciplines to the different elements and operational details of prevention, detection, and response. I continue to be surprised at how legal, finance, or compliance experts puff about staff roles in compliance when writing about compliance outside the corporation without acknowledging the centrality of business leaders. The reality is that the CEO and business leaders must lead on compliance with the assistance of staff. The CEO must make this crystal clear.

At the same time, however, the CEO and business leaders must embrace a paradox. Yes, compliance fundamentals must be built into business processes for effective prevention. Yes, business leaders must make this a genuine, operational priority. However, the CEO and business leaders also must embrace the critical importance of personnel—legal, finance, compliance, and risk at both corporate and operating levels—who must have an independent role in the design, implementation, and monitoring of the prevent-detect-respond systems and processes. In sum, the CEO and business leaders must unequivocally support the paradox that compliance is a fundamental business operation but also a subject requiring independent staff involvement and review.

GC, CFO, and CCO: Function Not Form

The often-debated question of whether the CCO should report to the GC/CFO or to the CEO is far less important than deep, authentic CEO and business-leader commitment to compliance. It is far less important than assessing in a particular corporation the strengths that legal, financial, compliance, risk, and human resources personnel bring to the multifaceted subject of compliance in the context and culture of the company’s particular industry. It is far less important than ensuring that personnel in each of these areas work together seamlessly on the wide variety of tasks within the broad prevent-detect-respond framework.

Assumptions about the GC

To put this organizational issue in perspective, it is important to summarize “first principles.” The CEO, board of directors, and senior executives must create a powerful culture of high performance with high integrity. They must expect the GC to be a lawyer-statesman who is concerned with not just the question of what is legal but with the ultimate question of what is “right” as seen through the lenses of performance, integrity, and risk. They must enthusiastically encourage the GC and other staff executives to be both partners in achieving corporate objectives as well as guardians of the corporation. They must want unvarnished views in discussion and debate before making decisions.

Compliance with the law is not one, substantive subject. It encompasses many subjects (antitrust, tax, accounting rules, labor and employment, etc.) that cut across the company’s multiple functions (technology, manufacturing, marketing, sales, finance, etc.). Compliance also involves particular regulatory regimes governing specific industries (health law, communications law, banking law, etc.). In most corporations most of the time, the substantive experts on what is the law work for the GC (or for the CFO on mandated financial rules). They use that expertise in a variety of ways that create value for the corporation, including, but not limited to, compliance. It is simply ludicrous to argue as a prescriptive matter, as some do, that law and finance should be involved only in “performance” and not “integrity.” It is simply ludicrous to think that the GC should be merely a passive figure doing what she is told by the CEO and other senior executives. My prescriptive approach is based on the independence of the GC as lawyer-statesman and partner-guardian advocating for what she believes is the right course of action. As former GE General Counsel, I viewed the absolute core of my role as promoting corporate integrity and adherence to law.

Role of the CCO

In my view, the CCO’s core job is to operationalize formal rules through engagement with the GC, CFO, and other experts and leaders within the company. Unless the company is very small and resource constrained, the GC should not also be the CCO. The CCO’s main skills are process integration and organizational rigor. The CCO must meld the legal and financial expertise of the GC and CFO and their personnel (as well as the expertise of the risk and human resources organizations) with the day-to-day operational responsibility of the company’s business leaders. Because there are many different substantive areas of compliance handled by different experts, it is vital that these threads be woven together into a coherent compliance approach. That is the job of the CCO. For example, there must be a single code of conduct and a uniform set of policy guidelines. There must be integrated general education and training for all employees. There must be an integrated method for tracking, training, and testing individuals who move into high-risk jobs. There must be a systematic and consistent company method to map out business processes, assess where risk exists in those processes, and then mitigate those risks. There must be oversight of the ombuds system to ensure that it is operated fairly, promptly, and without retaliation. There must be a continuing, energetic search for the best compliance practices outside the company. These are the kinds of vital process and organizational tasks for a CCO and her staff.

Thus, the CCO should first and foremost have organizational and managerial expertise. She must help create a coherent, company-wide framework that cuts across substantive areas, business groups, and diverse geographies within the company so that there is a coherent and comprehensive approach to prevention, detection, and response. Lawyers do not necessarily possess such organizational skills. Moreover, because she oversees the company’s diverse compliance activities, the CCO should attend all meetings with the CEO or senior executives involving individual cases or systemic problems relating to compliance. She should have her own independent voice and should view as central to her role the task of asking difficult questions about whether corporate actions comport with concepts of integrity. In my view, this role is analogous to the head of the internal audit staff (a position of great prestige in many global companies that reports to the CFO). Like the head of the internal audit staff, the CCO should report independently on a regular basis to the board of directors, providing her perspective on the strengths and weaknesses of the broad compliance function or her view on individual cases with which she is familiar. At the end of the day, the role of the CCO in directing process management across the entire compliance system—and making compliance operational—is a central and vital job.

As a general matter, however, there should not be duplication in the CCO’s function with the substantive expertise in the law and finance functions about the foundation of a compliance program, i.e., the formal legal and financial rules upon which compliance is built. That would be a source of confusion, waste, and possible turf fighting. The GC and CFO have primary substantive responsibility, and the CCO has primary process and organizational responsibility, but close working relationships between those with substance and process responsibilities are critical. Moreover, those demarcations are not always bright lines. Certain members of the legal team may have organizational and process skills. Certain members of the compliance organization may have substantive expertise in discrete compliance areas. For example, in financial services institutions, there may well be a compliance expert on financial regulation, while the legal team retains substantive expertise in more traditional areas like antitrust, tax, or labor and employment. In these special cases, the GC, CFO, and CCO must sort out process and substantive responsibilities and, under CEO direction, make that division clear.

Under my view of the GC as lawyer-statesman and partner-guardian, I simply do not buy the idea that the GC is less independent than the CCO. Under a good CEO, both will be respected for their analysis of problems and for their unvarnished views as to “what is right.” Under a poor CEO, both will be diminished. Let us not be naïve; compliance officers are subject to the same financial and group pressures as GCs and finance personnel. Like GCs, they, too, can be cowed by business leaders. They, too, are fired—and indicted—for improprieties.

Functional Realities

Far more important than debating reporting relationships is creating a strong sense of shared purpose among personnel. An effective approach to the many dimensions of compliance under the leadership of the CEO and senior executives must effectively integrate law, finance, compliance, risk, and HR specialists.

The basic compliance dimensions—prevent, detect, and respond—require cross-functional integration as illustrated, for example, by competition law. First, there is the basic question of what the relevant antitrust law is that the corporation’s antitrust lawyers must differentiate and explicate among the legal regimes in different parts of the world. The legal expert on competition law can then formulate key issues that must be covered in a compliance audit; the compliance experts can present how such audits have worked across other substantive legal areas; the internal audit team (working under the CFO and with legal and compliance) can develop a work plan; the audit staff and compliance personnel can carry out the compliance audit; and personnel in all three functions—legal, compliance, and audit—can review the results and determine how to present issues and action items at compliance reviews at different levels of the corporation.

In a different context, the competition law specialist working for the GC can propose the critical rules—and the key Q&As—in the company policy guidelines, but the CCO and other experts in the compliance organization will help refine it, making it both engaging and consistent throughout the company as part of competition law education and training. If there is a serious antitrust problem and resulting government investigation, the GC, the inside antitrust leader, and outside counsel may lead the response to the subpoena, but both the compliance staff and the audit staff will help work inside the corporation to prevent document destruction, systematically gather information, and ensure that employees are both responsive to, but not terrified by, a rigorous internal probe. In addition, with the approval of the CEO and the board, the GC will either settle or litigate a case after careful consideration of what is “right,” given the facts.

Look at the strengths of each of the functions. The CCO can create the entire appearance and feel of the company’s compliance communications, from the code of conduct, to detailed policy guidelines, to education and training, to Web-based information, to a powerful video shown to new employees. Together, the CCO, GC, CFO, and CRO can design the template for annual business compliance reviews, with the CCO advising the business on how to sharpen both the form and substance of its presentation to the corporate compliance review board. The ombuds function can report to the CCO; however, determining which experts will investigate which complaints will emerge through a joint discussion among relevant personnel. The GC, CFO, and CCO will jointly analyze the results from that ombuds system to determine what is most important for business leaders and the board. Following a major compliance miss, the GC, with advice from the CCO and CRO, may develop a plan with the vice president of communications and experts in government relations for dealing with external constituencies—from Congress, to the executive branch, to the media, to NGOs. I could give literally countless other examples of compliance activity that should be cross-functional for optimal effectiveness, with different combinations of various personnel assembled for different parts of the problem.

The point is that, under the leadership of the CEO, the myriad compliance tasks are a classic matrix of activities that require seamless (and egoless) integration of the general skills of specific personnel and the specific skills of particular individuals in different combinations on a wide variety of issues. It is truly a team effort. It comprises many critical but varied elements of the prevent-detect-respond framework. Those accountable must have a deep sense of commitment to compliance and to each other—something that cannot be captured on any organizational chart. Without that sense of joint commitment, and without seamless GC, CFO, and CCO cooperation under the leadership of the CEO, the right compliance approach cannot exist.

Organizational Formalities

Thus, it is within this ethos of functional staff integration and under the broader assumptions about a “high performance with high integrity” company that I believe the appropriate model is for the CCO to report to the GC and the CFO, with the CCO having vital organizational and process responsibilities and an independent voice on both individual compliance matters and compliance system reforms. Putting the compliance function under the GC and CFO advances the ideal of personnel operating together seamlessly and avoids waste and turf fighting because the substantive expertise about the “rules” with which the corporation must comply—and which guide the entire compliance function—is found in legal and finance. This is the foundation of compliance. For purposes of the Sentencing and DoJ/SEC FCPA Guidelines, which require designation of a person responsible for compliance, the board of directors and the CEO should designate the GC and CFO with ultimate responsibility for ensuring corporate compliance with formal rules, and the CCO with day-to-day operational responsibility. The Sentencing Guidelines allow flexibility in designation of both overall and day-to-day compliance leadership.

A Final Point in Favor of This Reporting Arrangement

Being an effective business partner to the CEO gives both the GC and the CFO the vision and the credibility necessary to be powerful and effective guardians of the company. It is more difficult for a CCO, who is dealing solely with compliance issues, to gain that kind of across-the-board trust, and the CCO simply cannot be at all the top-level meetings on strategy or operations where integrity issues, including compliance problems, may arise but are not the main topic. A related point is that the credibility of the GC and the CFO comes from presenting a range of options for accomplishing business objectives with legitimate integrity alternatives. The CCO may not have the same business exposure or experience and may argue for the “safest” compliance option, which is not the only “legitimate” one.

I should also reiterate that my view about the CCO reporting jointly to the GC and CFO is a presumption and a preference, not an ironclad prescription. For example, particularly in financial services or pharmaceutical companies, a body of regulation may be so detailed and controlling that a CCO may have authority over the substantive interpretation of that body of regulation and thus an independent reporting line to the CEO (whereas the legal department is responsible for substantive interpretation on all other matters of compliance). Indeed, in financial services, the regulators may require this kind of division (at least with respect to financial regulation). Alternatively, a GC may come from the transaction side of the law, and the CCO may come from the prosecutorial, regulatory, or private litigation side of the law, and in such an instance the CCO may work more effectively in tandem with the GC rather than as a direct report. Despite my preference, my point is that function is more important than form, given the needs of a particular corporation, the realities of staff integration, and the skills of particular individuals. This is truly a case where one size does not fit all—where, under CEO leadership, functional realities rather than organization charts should control.

Ben W. Heineman, Jr., General Electric Company’s senior vice president and chief legal officer from 1987–2005, is a senior fellow at Harvard’s Law and Kennedy schools. This article is based on his new book: The Inside Counsel Revolution: Resolving the Partner-Guardian Tension (Ankerwycke, April 2016).