Among the more persistent (and heated) debates in compliance circles is whether the compliance officer should report to the general counsel, as traditionally was the case, or report directly to the CEO or board to assure a stronger, more independent compliance function.
Well, a new study may make the subject even more confusing than you thought it was.
The study is LRN’s 2015 Ethics & Compliance Effectiveness Report, which finds that companies with the compliance officer reporting to the general counsel actually have more effective programs—a conclusion that runs counter to the popular narrative that the more independent the CCO, the better.
“It turns out that two hats are, for now, better than one,” says the study. It used a variety of metrics to separate top-performing companies from those floundering in their compliance and ethics duties.
That finding surprised even the LRN principal who led the study, Wayne Brody. He says the push for greater CCO independence is proceeding steadily. “One of these days, one of the paragraphs in a non-prosecution agreement or deferred-prosecution agreement is going to say [compliance] should be a standalone function, and that will be the end of it,” he says.
Indeed, in April the Department of Health and Human Services published guidance that said pretty much that: An organization’s compliance officer should neither be counsel for the provider, nor be subordinate to counsel or the legal department.
Among the survey respondents, 29 percent of compliance programs are overseen by compliance leaders who report to the CEO, but not all of that group get the same level of influence. Roughly half of them also serve as general counsel, and the data shows that those with a dual role run programs that are significantly more effective than those of their single-hat colleagues.
“Among the lessons is that, as the compliance function steps out of the law department and into a space of its own, it must seek to replicate or improve on the paradigm successful law departments adopted decades ago.”
Wayne Brody, Member, Ethics and Compliance Advisory Services Practice, LRN
For example, those with a dual role say they can secure more training resources than stand-alone CCOs and, the study says, “are far less likely to suffer from a lack of resources when it comes to the cost of education” and training.
Is the secret of their success simply that general counsels can get and spend more money? That question leads to another surprise. Programs led by a two-hat executive have compliance budgets that average $103 per employee, while those companies with an independent CCO average $188 per employee. Staffing is also comparatively lean, with just 1.6 full-time compliance employees per 1,000 workers on average, compared to the dedicated CCOs’ average staffing level of 2.8.
Brody’s take is that the greater effectiveness of GC-CCO programs reflects the nature of the general counsel’s interactions and other roles within their organizations. In most companies, the general counsel serves as confidant and trusted adviser to the CEO and the board, working with them on key strategic initiatives. Members of the C-suite trust (and depend on) the judgment of the GC, and few important decisions are made without his or her input. In contrast, the stand-alone CCO is likely a newcomer to the suite, and perhaps not even a member of the “core team” despite the title.
GC-CCOs are also, according to the research, twice as likely to see their primary mission as building ethical cultures, and they may be more effective in doing so because of those higher levels of senior-level sponsorship and support. The broad purview of legal counsel, and its enterprise-wide familiarity, also provides an ability to operate across silos and enjoy greater support from middle management.
“Utility to the business and alignment with the business structure is the thing that the GCs are doing better today than the independent CCOs,” Brody says. “We were really surprised to see the finding we came up with, but it doesn’t mean that moving toward an independent CCO and function is going to fail. Among the lessons is that, as the compliance function steps out of the law department and into a space of its own, it must seek to replicate or improve on the paradigm successful law departments adopted decades ago.”
Metrics Questions as Well
As independent CCOs look to close the effectiveness gap that separates them from their colleagues under the wing of the general counsel, they will need to arm themselves with metrics that identify risk areas and help to clarify how successful their efforts are. Better programs use more and better metrics. That, however, leads to another data point in the survey that surprised LRN’s researchers: The metrics companies use, or don’t use, are all over the map.
METRICS: WHO USES WHAT?
The following, from LRN’s 2015 report, looks at the mix of metrics companies use to assess risk, measure ethics and compliance effectiveness, and report to the board.
“To me it is amazing, not just because the less-common metrics are so much less common, but that even the most common ones are not used 100 percent of the time,” Brody says.
One example: how many companies do (or do not) use Code of Conduct violations as either a risk assessment tool or a measure of program effectiveness, despite their obvious evidentiary value.
“I see that 61 percent of top programs [based on the study’s PEI index] use Code of Conduct violations as part of their risk assessment,” Brody says. “That’s good, except what is the other 39 percent doing? Why aren’t they using them? I can’t think of something that tells you more about your risk than your history of violations.”
Education and certification completion rates and test results are among the most commonly collected metrics, but they are often not used in risk assessments, the study found. Data from the HR department—employee turnover, attendance, focus groups, and exit interviews—is also used inconsistently, even though those metrics can help identify the risks the organization faces and how well the ethics program mitigates those risks.
“People just haven’t looked at all of the things that are available to them, and HR data—for example—is way down on the list,” Brody says. “But if out of four facilities, one has turnover three times greater than the other three, that’s going to tell you something about what your risk profile is and what your roadmap ought to look like.”
Compliance officers, especially as they gain independence, need to look beyond statistics on training and certifications, even if those metrics are easily audited and digested by executives and directors, Brody says. “If metrics are only to create an audit trail for certifying that you have an effective program as defined by the Federal Sentencing Guidelines, then fine,” Brody says. “But if the goals of the program are driven by your risk assessment, you want to put as many things into that risk assessment as possible—not just the obvious things that keep you up at night, but what all of the data points tell you about risk.”
That, he says, will be the key to independent CCOs closing the performance gap between their programs and those overseen by the general counsel.