Where Should Compliance & Ethics Report?
Having an opinion of where corporate compliance and ethics should report outside of legal is like the opening sequence to Indiana Jones: Raiders of the Lost Ark.
Indiana carefully makes his way through the jungle, while his colleagues are taken out by traps. But Indy is cautious and experienced. He gets deep into the jungle, following his map to find the caverns with the ancient artifact. He navigates the traps of the cavern meticulously to get the treasure. He finds the gold idol, and then chaos breaks loose.
The cavern begins collapsing, he is betrayed, traps are sprung as he runs, the huge boulder comes crashing down behind him, the local natives chase him to his plane. He barely escapes with his life.
Having an opinion that compliance and ethics should report outside of legal tends to upset some of the natives of legal. Despite caution, careful crafting of the argument, and a polished presentation, you find that some natives of legal are upset because you have just rocked their domain.
You may have guessed it, but I am an advocate that corporate compliance and ethics needs to report outside of legal and have direct lines of communication to senior executives and the board.
Having stated that position, I know of many corporate compliance and ethics programs that are well structured, mature, and operate well under legal. I do not deny this.
Michael Rasmussen is founder of GRC 20/20 Research, LLC, and an internationally recognized pundit on governance, risk management, and compliance. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” – being the first to define and model the GRC market in 2002 while at Forrester.
My position is an ideological position. Legal, at its core, has a duty to deny and protect the organization. Compliance and ethics, at its core, has a duty to discover and fix. While compliance and ethics may work well under legal in many organizations, ideologically it faces a clash and conflict that can surface in the organization.
A 50/50 split in ethics and compliance reporting
This is a concern of law enforcement and regulators. Over the past 15 years, we have seen a number of consent decrees, deferred prosecution agreements, non-prosecution agreements, and corporate integrity agreements that have required compliance and ethics to report outside of legal. The U.S. Sentencing Commission takes into account where compliance reports when sentencing organizations on compliance matters.
Where compliance and ethics reports is an important consideration. Based on my research, for the past several years it has been split 50/50, with compliance and ethics reporting into legal in about 50% of organizations and outside of legal in the other 50%.
Acknowledging that there are good compliance programs within legal, I advocate that organizations should have compliance and ethics report outside of legal (while maintaining a strong relationship with legal), not only to satisfy law enforcement and regulators, but also to have a strong program that has its own budget and lines of accountability and can have direct and unfettered access to the board and executives.
It’s essential to support a compliance and ethics program
With the dynamic, distributed, and disrupted nature of business today, it is essential that organizations across industries and of various sizes have a funded and structured compliance and ethics program that is responsible for guiding and developing a culture of integrity around the organization’s stated values, ethics, and commitments. If I could rename the Chief Ethics and Compliance Officer (CECO), it would be the Chief Integrity Officer (though the acronym conflicts with the Chief Information Officer).
In an era of ESG reporting coming upon organizations around the world, involving environmental, social, and governance integrity, more responsibilities will be put on the compliance and ethics department to lead ESG and to monitor and maintain the integrity of the organization, not only within its internal conduct and operations but also across the extended enterprise.
This does not mean that there is a wall between compliance and legal, as there has to be collaboration. In one large global organization where I did some advisory work, there was strong collaboration between distinct functions that worked together.
Within legal there was legal compliance, which would monitor the laws and regulations and interpret and apply them to the organization’s specific context. Then there was operational compliance outside of legal, where the CECO was responsible for the day-to-day management of compliance throughout the operations and conduct of the business and reported to senior executives and the board. That was a model I particularly liked, one that addressed the concerns discussed above and established a collaborative approach that involved legal and addressed legal’s own concerns.
The world is not black and white; there are shades of grey. In your organization, there may be very good reasons for compliance and ethics to report into legal. I would love to hear your thoughts on this challenging question that many organizations are facing right now.