Where Should Compliance & Ethics Report?

My position is an ideological position. Legal, at its core, has a duty to deny and protect the organization. Compliance and ethics, at its core, has a duty to discover and fix. While compliance and ethics may work well under legal in many organizations, ideologically it faces a clash and conflict that can surface in the organization.

A 50/50 split in ethics and compliance reporting

This is a concern of law enforcement and regulators. Over the past 15 years, we have seen a number of consent decrees, deferred prosecution agreements, non-prosecution agreements, and corporate integrity agreements that have required compliance and ethics to report outside of legal. The U.S. Sentencing Commission uses where compliance reports in criminal sentencing of organizations on compliance matters.

Where compliance and ethics reports is an important consideration. For the past several years, based on my research, it is split 50/50. With compliance and ethics reporting into legal in about 50% of organizations, and outside of legal in the other 50%.

Acknowledging that there are good compliance programs within legal, I advocate that organizations should have compliance and ethics report outside of legal (but have a strong relationship with legal). Not only to satisfy law enforcement and regulators, but to have a strong program that has its own budget, lines of accountability, and can have direct and unfettered access to the board and executives.

It’s essential to support a compliance and ethics program

With the dynamic, distributed, and disrupted nature of business today it is essential that organizations across industries and of various sizes have a funded and structured compliance and ethics program that is responsible for guiding and developing a culture of integrity around the organization’s stated values, ethics, commitments, and integrity. If I could rename the Chief Ethics and Compliance Officer (CECO) it would be the Chief Integrity Officer (though the acronym conflicts with the Chief Information Officer).

In an era of ESG reporting coming upon organizations around the world, involving environmental, social, and governance integrity, more responsibilities will be put on the compliance and ethics department to lead ESG and monitor and maintain the integrity of the organization within its internal conduct and operations but also across the extended enterprise.

This does not mean that there is a wall between compliance and legal, as there has to be collaboration. In one large global organization I did some advisory work in, they had a strong collaboration with distinct functions that worked together.

Within legal there was legal compliance that would monitor the laws and regulations and interpret and apply them to the organization’s specific context.  Then there was operational compliance outside of legal, where the CECO was responsible for the day-to-day management of compliance throughout the operations and conduct of the business and reported to senior executives and the board. That was a model I particularly liked, one that addressed the concerns and established a collaborative approach that involved legal and addressed legal’s concerns.

The world is not black and white, but there are shades of grey. In your organization, there may be very good reasons for compliance and ethics to report into legal. I would love to hear your thoughts on this challenging question that many organizations are facing right now?

[bctt tweet=”Legal, at its core, has a duty to deny and protect the organization. Compliance and ethics, at its core, has a duty to discover and fix. – Michael Rasmussen” via=”no”]