What Is a Good Compliance Reporting Structure?
What does a good compliance org chart look like? How your compliance function is composed and to whom it reports can have a huge impact on your overall program effectiveness.
We advise a few key considerations: team composition, where the team sits, and what not to do.
Team Composition
Ethisphere data tells us that teams are becoming increasingly diverse, professionally.
- We see more companies with communications professionals that are part of the compliance team and responsible for drafting compelling communications that employees actually want to engage with.
- We see more companies put people with data backgrounds on the team and those people are responsible for data analytics and looking at different dashboarding and ways that data can tell an organization how the program is performing.
- We see more teams with auditors on them or forensic accountants—particularly if you are in an industry where you might have to do a lot of forensic work as part of an investigation. By that token, we are seeing a lot people with investigations backgrounds on teams, also.
- Lawyers, of course, continue to be very prevalent on teams, as well.
Overall, we see increasing specialization on compliance teams across a broad range of backgrounds. More often than not, we will see teams that have people who specialize in particular pieces of the program, so you might have somebody who focuses on your third-party risk management, or training, communications, manager preparedness, and things along those lines. But of course, we are also seeing a lot of people who are compliance managers and other kinds of generalist roles.
Where the Function Sits
On the age-old question of where does the compliance team sit within the organization, again, we are seeing a fair amount of diversity on that.
We still see a majority of compliance functions rolling into legal where the person who is running the program—the chief compliance officer—is increasingly not dual-hatted. While we do still see some compliance officers who are also the general counsel, increasingly, we see a recognition on the part of companies that those are two different full-time jobs, and you should designate the person who is actually running the program accordingly and give them the appropriate level of gravitas in the organizational chart.
We also see—and this is being driven by regulatory expectations—a lot of programs where the person who is running the program also has a direct line in to the chair of the relevant board committee that oversees the program. They are having their own direct conversations with that individual that do not go through the general counsel. This is very important. Having direct access to the board is a pretty clear regulatory expectation.
Things Are Different in Healthcare
An important caveat: The one place where we see a different reporting structure is for organizations that are subject to the oversight of Health and Human Services here in the U.S. That entity has been very clear that they believe that compliance reporting into the legal department is bogus. They want to see compliance as its own independent function.
That is driving the fact that in about 40% of the Ethisphere dataset, we see compliance reporting outside of Legal, and either directly to the CEO or somebody else in the C-suite (chief operating officer, administrative officer, etc.). These positions, of course, have that critically important direct line into the chair of the board committee.
What Not to Do
You do not want to see four levels between compliance and anybody who is ultimately responsible for the behavior of the organization. The farther down you are in the org chart, the less likely your information is getting to the people it needs to reach. For example, if there are a number of stops along the way, your information can get watered down, and you won’t have direct access to the chair.
If you have that kind of structure and you wind up in front of any regulatory body, they will not look favorably upon it. Going back to the 2010 amendments to the Federal Sentencing Guidelines, the federal government set an expectation for compliance to have unfettered access to the board. The primary reason for that was a case in which the general counsel was actually involved in misconduct and he board had no idea, because the general counsel prevented the compliance team from getting information to them.
So, since 2010, we have seen a very clear expectation from regulators that the people who are responsible for compliance on a day-to-day basis need to have unrestricted access to the board or to the chair of the committee that oversees the compliance program, where nobody else is filtering the information that compliance provides. Compliance should be able to sit in the executive session with that board committee and be able to talk on a regular basis with the chair. That has been the clear regulatory expectation for the last 14 years. You can find details on how to make a case for appointing a Chief Compliance Officer here.