The test of any compliance program is simple. All you have to do is look to the chief compliance officer and ask these two basic questions:
- Does the CCO have independent authority and reporting access?
- Does the CCO have the resources needed to carry out the job?
If the answers are no, the program is not adequate. In nine cases out of 10 where the answers are no, if you look under the hood, you will see a disaster waiting to happen.
If the answers are yes, you will probably see an effective compliance program.
Too many companies have the basic “bare bones” compliance program. They are inadequate and accomplish very little in making sure that a company compliance with the law. A bare-bones program consists of:
- A code of conduct and an FCPA compliance policy (on the company website)
- An employee hotline
- An annual training program (and for new hires)
- A CCO who reports to the General Counsel or the Internal Auditor.
- A CCO with a staff of less than five employees buried somewhere in the corporate infrastructure.
I have seen this picture all too often. It looks more and more like a “Gilligan’s Island” re-run.
I want to try and get back to basics. Here are three basic requirements to get started on an effective compliance program:
The first step – and perhaps the most important step – that a company can take in compliance is to elevate the CCO. Forward-thinking companies are not relying on the general counsel to ensure compliance. They are empowering their CCOs by elevating them to senior management. When important business issues come up, the CCO is at the table. CCOs are becoming proactive problem-solvers. It is about time.
Second, cutting-edge companies (big and small) are establishing direct lines of authority between the CCO and the CEO, as well as the board’s audit or compliance committee.
Third, CCOs are given sufficient resources to carry out their responsibilities. CCOs have sufficient staff and resources needed to promote and ensure compliance.
CCOs should not be pigeonholed in a legal office. They should not be sitting with the internal auditors. They need to be a separate and distinct office with full authority to carry out their mission.
As I have written and said for many years, CCOs are the unsung heroes of the compliance world. When something goes wrong, they are the first to be blamed. When CCOs need authority and resources, they are the last to get what they need.
Companies that are recognized for cutting-edge governance need to make sure that they start with their CCO and empower the CCO to design and implement an effective compliance program.
Michael Volkov is a shareholder at the national law firm of LeClairRyan. His practice focuses on white collar defense, corporate compliance, internal investigations and regulatory enforcement matters, and he is a former federal prosecutor with almost 30 years of experience in a variety of government positions and private practice.