Three Types of Protectors: The Board, the Compliance Department, and the Regulator
“Independent” is defined as “not influenced or controlled by others in matters of opinion or conduct.”
Just as society needs businesses to provide goods and services, and to provide jobs to people who want to use their talents and support their families, society also needs to ensure that business is done in a way that supports broader society at large.
Three types of controls have been created to ensure that business is done the right way and in accordance with the law – the Board, the Compliance Department, and the Regulator.
A company’s board of directors consists of individuals with a fiduciary duty to ensure that the business is run profitably and within the bounds of the law. In more and more countries, board members bear personal liability for their conduct when it comes to the company’s compliance with the law.
The imposition of this liability is intended to incentivize board members to act independently from the desires of those inside the company who may be motivated by greed and internal pressure to push the limits. The Board is meant “not to be influenced or controlled” by the opinions of the internal business leaders when it comes to making decisions about doing business within the bounds of the law.
Regulators and prosecutors exist because society needs the capacity to enforce the laws it creates. They too must be independent in their oversight. In countries where the regulators, prosecutors, and judiciary are not independent, bribery and illegality tend to escalate rapidly.
The Internal Champions: The Compliance Function
The compliance function is the only internal check on how a company operates. The legal function plays much of the same role in many companies; however, the legal function tends to be focused on contracts and what is possible under the law as opposed to focusing on corporate ethics, integrity, and doing the right thing. In larger companies, compliance alone is tasked with creating the processes that will prevent and detect misconduct.
Regulators Expect the Compliance Function to be Independent
Regulators expect the compliance function to be independent and to have access to the board.
In the Department of Justice’s guidance on the Evaluation of Corporate Compliance Programs, prosecutors are told to ask whether the compliance function has “direct reporting lines to anyone on the board of directors and/or audit committee?” They are also asked to evaluate whether compliance has sufficient autonomy from management, such as “direct access to the board of directors or the board’s audit committee.”
Lastly, the guidance asks prosecutors to evaluate whether the compliance function is “an independent function reporting to the CEO and/or board.”
The Independent Compliance Function: Best Practices
Compliance officers are in a complicated position because they are inside the company but, in some critical ways, outside of it as well.
The best compliance officers form close bonds of trust with the business’ leaders and are aware of what is going on throughout the business. Keeping one’s independence can be challenging when human emotion is involved, and that is why structural controls promoting and enforcing independence are so critical. Some best practices that allow this to happen include:
Compliance Should Regularly Be on Board Meeting Agendas
Compliance should be a regularly scheduled agenda item at board meetings.
NAVEX Global recently published its annual State of Risk and Compliance Report which analyzes thousands of survey responses. In compliance programs classified as mature, 62% deliver periodic reports to the board of directors, and 52% participate in private sessions with a board-level committee.
These regularly scheduled interactions will allow the board members to fulfill their legal obligations, as well as to build rapport with the compliance officer and team, which can be critical if a high-profile investigation begins.
The Best Reporting Structure: Compliance to the CEO
Best practice is for compliance to be its own independent function reporting to the CEO.
The reason for this is that nothing then stands between the highest level of leadership and reports of potential misconduct. The lower down in the hierarchy the compliance function sits, the less likely it is that unfiltered information will reach the CEO.
However, this is not the only reporting line that will work. Approximately half of all companies have the compliance officer reporting to the General Counsel or legal function. In smaller companies, the General Counsel may also be the Compliance Officer.
There is no single approach, but the general rule is that the fewer layers there are between the CEO and the Compliance Officer, the better.
There Should Be Regularly Scheduled Meetings between the CEO and Compliance Officer
Whether the Compliance Officer reports to the CEO directly or not, the CEO should have regularly scheduled meetings with the Compliance Officer to discuss the status of the program, any new laws that are on the horizon, and any important investigation. Ideally, these meetings would occur on a monthly basis (or more frequently).
Compliance Officers Should Have the Independent Capacity to Contact Board Members
At a conference I attended, a prosecutor stated that one of his favorite questions to ask compliance officers during an investigation was, “How many board members’ phone numbers do you have in your phone?”
Compliance needs to have the capacity to go directly to the board. If a company or its leaders are hiding misconduct, it is the Compliance Officer’s imperative to bring that to the attention of the board.
This is not an easy thing to do, and it can have grave political fallout. Regardless, prosecutors expect that Compliance has independent relationships with board members including a direct and open line of communication.
Compliance’s Bonus Structure Should Not Be Entirely Tied to Corporate Financial Performance
Very mature companies do not tie compliance officer bonus payments entirely to the company’s financial performance. The reason for this is that doing so creates a conflict of interest for the compliance officer. If the compliance officer looks the other way or doesn’t interfere with potentially unethical behavior, he or she might get a bonus, while speaking up may result in bonuses not being awarded.
By taking financial performance out of the mix in favor of other metrics, compliance officers are able to be unconflicted in performing their duties.
The Compliance function’s ability to be effective is directly tied to its ability to be independent. Indeed, one of the most critical and underestimated abilities of a good compliance officer is the capacity to speak truth to power.
The battle for the independence of the compliance function is one worth waging. Companies and society will be all the better for it.