The Fourth of July. The storming of the Bastille. Cinco de Mayo. Countries throughout the world have celebrations and remembrance days to observe when their freedom was gained or a battle toward their independence was won. Battles for independence can be long and filled with difficulty, including moments where freedom fighters feel defeated. As a profession and department, compliance is still young. Debates still rage about whether compliance needs to be independent, and what “independence” actually means in practice.
By Kristy Grant-Hart
Three Types of Independent Review: The Board, the Compliance Department, and the Regulator
“Independent” is defined as “not influenced or controlled by others in matters of opinion or conduct.” Just as society needs businesses to provide goods and services, and to provide jobs to people who want to use their talents and support their families, society also needs to ensure that business is done in a way that supports broader social values. Three types of controls have been created to ensure that business is done the right way and in accordance with the law – the Board, the Compliance Department, and the Regulator.
A company’s board of directors is comprised of individuals with a fiduciary duty to oversee that the business is run in a profitable way within the bounds of the law. In more and more countries, board members have personal liability for their conduct when it comes to the company following the law. The imposition of this liability is intended to incentivize the board members to act independently from the desires of those inside the company who may be motivated by greed and internal pressure to push the limits. The Board is meant “not to be influenced or controlled” by the opinions of the internal business leaders when it comes to making decisions about doing business within the bounds of the law.
Regulators and prosecutors exist because society needs the capacity to enforce the laws it creates. They too must be independent in their oversight. In countries where the regulators, prosecutors, and judiciary are not independent, bribery and illegality tend to escalate rapidly.
The compliance function is the only internal check on how a company operates. The legal function plays much of the same role in many companies; however, the legal function tends to be focused on contracts and what is possible under the law as opposed to focusing on corporate ethics, integrity, and doing the right thing. In larger companies, compliance alone is tasked with creating the processes that will prevent and detect misconduct.
Regulators Expect the Compliance Function to be Independent
Regulators expect the compliance function to be independent and to have access to the board. In the Department of Justice’s guidance on the Evaluation of Corporate Compliance Programs, prosecutors are told to ask whether the compliance function has “direct reporting lines to anyone on the board of directors and/or audit committee?” They are also asked to evaluate whether compliance has sufficient autonomy from management, such as “direct access to the board of directors or the bord’s audit committee.” Lastly, the guidance asks prosecutors to evaluate whether the compliance function is “an independent function reporting to the CEO and/or board.”
The Independent Compliance Function: Best Practices
Compliance officers are in a complicated position because they are in the company but in some critical ways, outside of it as well. The best compliance officers form close bonds of trust with the business’ leaders and are aware of what is going on throughout the business. Keeping one’s independence can be challenging when human emotion is involved, and that is why structural controls promoting and enforcing independence are so critical. Some best practices that allow this to happen include:
Compliance Should Regularly be on Board Meeting Agendas
Compliance should be a regularly scheduled agenda item at board meetings. One benchmarking report noted, “It is fairly typical and a best practice that boards or board committees meet and receive reports from the compliance officer on a quarterly basis.” (Cosmos: Quarterly reports to the board Audit & Compliance Committee: Tips 2019/03) NAVEX Global published a whitepaper benchmarking interaction with boards, which states, “Reports should be delivered at least quarterly along with an annual report at the end of the year.” These regularly-scheduled interactions will allow the board members to fulfill their legal obligations, as well as to build rapport with the compliance officer and team, which can be critical if a high-profile investigation begins.
The Best Reporting Structure: Compliance to the CEO
Best practice is for compliance to be its own independent function reporting to the CEO. The reason for this is so that there is no interference between the highest leadership and reports of potential misconduct. The lower down in the hierarchy the compliance function, the less likely that unfiltered information will get to the CEO. However, this is not the only reporting line that will work. Approximately half of all companies have the compliance officer reporting to the General Counsel or legal function. In smaller companies, the General Counsel may also be the Compliance Officer. There is no single approach, but the general rule is that the fewer layers there are between the CEO and the Compliance Officer, the better.
There Should be Regularly Scheduled Meetings between the CEO and Compliance Officer
Whether the Compliance Officer reports to the CEO directly or not, the CEO should have regularly scheduled meetings with the Compliance Officer to discuss the status of the program, any new laws that are on the horizon, and any important investigation. Ideally, these meetings would occur on a monthly basis (or more frequently).
Compliance Officers Should have the Independent Capacity to Contact Board Members
At a conference I attended, a prosecutor stated that one of his favorite questions to ask compliance officers during an investigation was, “How many board member’s phone numbers do you have in your phone?” Compliance needs to have the capacity to go directly to the board. If a company or its leaders is hiding misconduct, it is the Compliance Officer’s imperative to bring that to the attention of the board. This is not an easy thing to do, and it can have grave political fallout. Regardless, prosecutors expect that Compliance has independent relationships with board members including a direct and open line of communication.
Compliance’s Bonus Structure Should Not Be Entirely Tied to Corporate Financial Performance
Very mature companies do not tie compliance officer bonus payments entirely to the company’s financial performance. The reason for this is that it creates a conflict of interest within the compliance officer. If the compliance officer looks the other way or doesn’t interfere with potentially unethical behavior, he or she might get a bonus, while saying something may result in bonuses not being awarded. By taking financial performance out of the mix in favor of other metrics, compliance officers are able to be unconflicted in performing their duties.
The Compliance function’s ability to be effective is directly tied to its ability to be independent. Indeed, one of the most critical and underestimated abilities of a good compliance officer is the capacity to speak truth to power. The battle for the independence of the compliance function is one worth waging. Companies and society will be all the better for it.
Kristy Grant-Hart is the CEO of Spark Compliance Consulting, a London, Los Angeles, and Atlanta based group. She is the author of the best selling book, “How to Be a Wildly Effective Compliance Officer.”