Establishing an effective corporate compliance program to prevent and detect wrongful conduct is like building a house. Many components and skill sets are involved:
- A risk assessment that acts as a blueprint by identifying areas that need risk appropriate coverage for the company to protect itself against its unique business risks;
- Familiarity with, or opportunities for, consultation regarding the laws and standards that apply in view of these risks—the underlying foundation of any compliance program;
- A framework of policies, procedures, and controls that can be used to govern day-to-day operations and are communicated through regular training sessions and corporate communications;
- Consistent operational integrity in monitoring and enforcing the program, along with regular “stress tests” in the form of internal audit and independent third party reviews; and
- Given that the personnel at any given company are the real “owners” of compliance, a genuine commitment to compliance set by senior management that is recognized and followed by employees.
One could view the Chief Compliance Officer (CCO) as the general contractor in this building project. The CCO and his or her team are responsible for making sure all of these pieces come together to create a solid and durable compliance program.
The following are some characteristics of an effective CCO
Knowledgeable about applicable laws, regulations, trends, and leading practices. The CCO typically oversees compliance with laws and other applicable authority. Therefore, it goes without saying that the CCO needs to continually educate him or herself about current legal developments and other material compliance-related trends. Of course, no one can know everything. The CCO should consult with the company GC (if the two separate roles exist), outside counsel, advisors, peers and other professionals—and not be afraid to ask questions.
Independent, senior and accountable directly to the CEO or board. In the best-case scenario, and in most large companies, the role of CCO is independent of other functions, reporting directly to the CEO and/or board of directors. Other arrangements may be necessary in smaller companies, where managers often wear more than one figurative hat. The CCO role should also be at a senior level—as an indication of the weight and seriousness that the company places on compliance.
Adequately resourced. Enforcement authorities care about whether a company’s compliance function has adequate resources to prevent and detect wrongful conduct. Former SEC commissioner Luis A. Aguilar has stated quite simply that CCOs “play an important and crucial role in fostering integrity” and “are responsible for making sure that their firms comply with the rules that apply to their operations. … Given the vital role that CCOs play, they need to be supported.” The resources spent on compliance will necessarily depend on the company’s particular risk profile and overall resources. Just be sure your company is not shortchanging your CCO’s ability to do his or her job effectively.
Aligned with company operations and strategies. The CCO cannot sit in an ivory tower simply issuing directives. As a member of the senior management team, the CCO not only needs to understand company operations and strategies, but also needs to actively participate in developing them as a key business partner. This means establishing a strong working relationship with the CEO and other senior management members (particularly those heading the higher-risk operations), as well as lower-level employees. It also means finding ways to demonstrate compliance’s value as a business-facilitating asset, thereby changing the perception held by revenue producers and senior management at some companies that compliance is a pure cost center.
Respected as a voice of authority. The CCO role needs to be taken seriously at all levels of the organization—from the boardroom to the break room—if the CCO is to succeed. Other senior management, especially the CEO, can help set this tone of respect. The CCO, in turn, should visibly support the business and its operations as much as possible, while still emphasizing compliance priorities, to help maintain and build that respect.
Alert and prepared. To keep compliance programs active and dynamic, the CCO needs to seek out and act upon trends and developments that offer possibilities for program improvements, risk reduction or other benefits. Similarly, when enforcement trends adversely change the overall risk environment, such as the DOJ’s 2015 issuance of the Yates Memo, CCOs should respond and make program changes and/or change existing program priorities accordingly.
Preparation for the proverbial “knock at the door” from regulators or the potentially alarming call to the company hotline is highly advisable. When instances of suspected misconduct arise, the CCO should be ready to: (a) promptly access the relevant program information and report internally through use of the company’s compliance system of record; and (b) otherwise fairly and responsibly lead (or support, as the case may be) the investigation, remediation and related efforts.
