C&E officer reporting relationships: a tale of two recent surveys

More than a decade ago, Iowa senator Charles Grassley famously said of a company’s general counsel also serving as its compliance officer: “It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement,…” And since then, there has been a lively (albeit not always as colorfully expressed) debate involving C&E practitioners, lawyers and others concerning the issue of to whom the C&E officer should report.

Earlier this month a survey conducted by NYSE Governance Services and the SCCE captured considerable attention in the C&E field with its finding that 38% of persons “with overall responsibility for the compliance program” in their companies reported to the CEO, 19% reported to the board of directors and only 18% did so to the general counsel. This led the Wall Street Journal to proclaim: “Legal [is] losing its grip over risk and compliance.”

However, two caveats should be borne in mind here. First, the specific question at issue – “To whom does the person with overall responsibility for the compliance program report?” – could be read to include merely informational reporting (i.e., the C&E officer meets periodically with the CEO) as opposed to the more significant administrative kind (i.e., the CEO is the supervisor of the C&E officer). Having heard many C&E officers speak over the years about their reporting relationships in a way that uses the two types interchangeably, I would be surprised if this ambiguity didn’t account for a slice (and perhaps a large one) of the CEO and BOD numbers. Second, nearly a third of the survey respondents were from the “health care and social assistance fields” – which is much higher than the percentage of such organizations in the economy generally; this is significant because, for regulatory reasons, reporting to the BOD and CEO is more common in these types of entities than in most others.

A less noticed but no less notable contribution to this debate was the report of a survey published only a few weeks earlier by Mitratech (a provider of enterprise legal management solutions for legal departments). While not posing the same question that the NYSE Governance Services one did, this report noted (among other things) that “[t]he legal department owns the enterprise compliance function in 40% of respondents’ organizations and owns a portion of compliance functions in another 24% of organizations” and also that “[t]he role of the legal department in enterprise compliance is increasing as the responsibilities of the Chief Compliance Officer (CCO) and General Counsel become more tightly intertwined.” These results feel closer to the actual practices I’ve seen in business organizations than do those in the other survey.

Granted, I have never been a pig farmer from Iowa, but I have been around this issue for a long time (my first experience with it dating back to the mid-1990s when I was asked by a client whether the C&E officer should report to the GC or its Chief Operating Officer). Based on my experience since then, I can say with some confidence that there is no one-size-fits-all approach to the question of to whom the C&E officer should report.

Certainly, in a company where the GC herself is likely to be a source of risk, the case for independent reporting is clear enough. (This is not about the GC being honest as an individual but, rather, about her giving advice regarding or otherwise playing a role in company activities that are relatively likely to be scrutinized in an enforcement context.) Also, in industries where the government has expressed a preference for not including the GC in the C&E officer’s line of administrative reporting, that preference is entitled to a fair bit of weight. And, where employees are likely to see the GC as an aggressive defender of the company’s interests – which is sometimes the case where the company is the subject of high-profile litigation – having the C&E officer subordinate to the GC could inhibit employees from reporting suspected wrongdoing.

But there are many other situations where not reporting to the GC would effectively make the C&E officer an organizational “orphan,” because the CEO or BOD – who have a vast array of responsibilities – would in fact do less for her (and the program) than would a GC whose duties and skill set naturally lend themselves to promoting C&E. Indeed, I recall one case where the C&E officer did in fact report administratively to the audit committee; it was a well-intended approach, but the committee gave him little day-to-day guidance, which sadly seemed to contribute to his losing his job. More generally, as C&E program requirements increasingly become part of the sinews of US business law (a trend that seems inevitable), then the case for administrative reporting to the GC may actually be enhanced.

Finally, even if a company does opt for this latter approach, care must be taken to protect the C&E officer’s independence – both actual and apparent – through other means. One of these is having her report periodically to the relevant BOD committee in executive session. Another is to provide that the C&E officer’s duties and compensation cannot be adversely affected without prior approval of such committee. Finally, a GC to whom a C&E officer reports should take steps to ensure program independence by other members of the law department – such as through training them on their “reporting up” obligations under S-Ox section 307.

(For additional reading on BOD oversight of C&E programs please see this post by my partner Rebecca Walker and me on the Harvard Law School corporate governance blog.)
