There is an ongoing debate in the compliance arena as to
whom a Chief Compliance Officer (CCO) should report. Should the CCO report to
the Board of Directors or appropriate Board committee such as an Audit
Committee or Compliance Committee? Or can a CCO report to a company's General
Counsel (GC) but have access to the Board of Directors for periodic, but no
less than annual, reporting? Is there any specific guidance from the Foreign
Corrupt Practices Act (FCPA) or any of the US government interpretations, such
as the US Sentencing Guidelines, the Deferred Prosecution Agreements into which
the DOJ and recalcitrant companies have entered, or Opinion Releases? Is one
approach more right or more wrong than the other?
US companies are reported to take both approaches. A recent
survey released by the Society of Corporate Compliance and Ethics, entitled "The Relationship Between the Board of Directors and the
Compliance and Ethics Officer", dated April 2010, reported that of the
publicly traded companies reporting, only 41% had their CCO report directly to
the Board of Directors. If the CCO did not report to the Board of Directors,
the survey found such position could report to not only the GC but also the
Chief Financial Officer (CFO) and other senior level positions within a
company. The report concluded with two perspectives from its findings. First,
as the proposed change in the US Sentencing Guidelines would require "a
direct" relationship between a CCO and a Board of Directors, most publicly
traded companies do not meet this obligation. Second, many compliance reports
are "heavily vetted" before they are delivered to the Board of Directors, so
that it may be hard for a Board to garner a true picture of a company's
compliance program.
I. US Sentencing Guidelines
Under the 2010 Amendments to the US Sentencing
Guidelines which are now proposed to Congress, §8B2.1 (b)(2)(C)
requires:
Specific individual(s) within the organization shall be
delegated day-to-day operational responsibility for the compliance and ethics
program. Individual(s) with operational responsibility shall report
periodically to high-level personnel and, as appropriate, to the governing
authority, or an appropriate subgroup of the governing authority, on the effectiveness
of the compliance and ethics program. To carry out such operational
responsibility, such individual(s) shall be given adequate resources,
appropriate authority, and direct access to the governing authority or an
appropriate subgroup of the governing authority.
Commentators have weighed in on this amendment. In a recent
White Paper entitled "U.S. Sentencing Commission Amends Requirements for an Effective
Compliance and Ethics Program", the law firm of Gibson, Dunn and
Crutcher noted that this amendment "could be problematic for corporations that
vest overall responsibility for compliance in a senior member of management"
such as the GC, while having operational responsibility of the company's
compliance function detailed to a subordinate to the GC. They raised the
concern that such a reporting structure might allow the GC to act as a "filter
in deciding which conduct warrants reporting" to the Board of Directors, if the
CCO reported. This would also imply there was a problem if a GC, rather than
Board of Directors, performed an annual evaluation or in some other manner
controlled the actions of the CCO.
II. Opinion Release 04-02
Through the mechanism of Opinion Release 04-02, the Department of Justice (DOJ) may
have provided prior guidance. The Opinion Release dealt with certain Requestors
which desired to acquire a business that had admitted to FCPA
violations. As part of the proposed purchase of this "Newco", the Requestors
agreed that this Newco would adopt a rigorous anti-corruption compliance code
which would include the following element:
(B) The assignment to one or
more independent senior Newco corporate officials, who shall report directly
to the Compliance Committee of the Audit Committee of the Board of Directors,
of responsibility for the implementation and oversight of compliance with
policies, standards, and procedures established in accordance with Newco's
Compliance Code; [emphasis supplied]
III. Industry Debates
There has been debate in the FCPA compliance world as to
what this requirement specifies. At the recent Compliance Week 2010 Annual Conference, a panel consisting
of representatives from the US Sentencing Commission indicated that they
believed that this section only required that CCOs have access to a
company's Board of Directors. Such a requirement could be fulfilled through a
reporting structure whereby a CCO reported to a GC but had access to report to
the Board of Directors. Even if the CCO went to the Board of Directors with the
GC present, such a reporting structure was in compliance with the proposed
Sentencing Guidelines.
However, at the same conference, Lanny Breuer, Assistant Attorney General,
Criminal Division for the Department of Justice, said that a CCO
should have direct access to a company's Board of Directors, suggesting
that the CCO not have to report through a GC but report directly to the Board.
Breuer opined that the change in the Sentencing Guidelines implies that the CCO
should now report directly to the Board of Directors and not through another
person, whether the GC, CFO, Head of Internal Audit or any other person in an organization.
For yet a third perspective at the same conference, the
question was put to a panel of members who sit on various Boards of Directors
of multi-national US corporations. They responded that, as Board members, they
only wanted the information to come to them so they could fulfill their
obligations as Board members; they were not too concerned how it was presented
to them or who did so. Further, they were not concerned who the CCO reported to
or which company officer or employee in the corporate structure evaluated the
CCO.
A recent webcast by the firm of Ernst and Young further
delineated this dichotomy. When posed the question of to whom the CCO should
report, either directly to the Board or to the GC, panelists Brian Loughman and
Jeff Taylor both indicated that it was important for the CCO to report directly
to the Board. Such a reporting structure made a much more positive impression
on the Board (Loughman), and less filtering of the CCO's information gave a
stronger message to the Board (Taylor) than if the CCO reported through the GC.
Loughman added that the change in the Sentencing Guidelines mandated this
reporting structure. However, panelist Amy Hawkes responded that she did not
believe the issue of who the CCO reported to was as important if there was the
appropriate 'tone at the top' by the Board. By this she explained that if the
Board was committed to a compliance culture, it did not matter whether the CCO
reported directly to the Board or to the Board through the GC.
This direct reporting approach is utilized by Halliburton,
to which I posed the following question, "Who does the Chief Compliance Officer
report to in your Company and why does your company utilize this approach?"
Susan Ponce, Senior Vice President and Chief Ethics and Compliance Officer of
Halliburton responded, "At Halliburton, the Chief Ethics and Compliance
Officer reports directly to the company's Board of Directors, advising both the
Audit Committee and the full Board on all matters relating to legal compliance
issues. We structured the CEC Office that way in order to leave no doubt
that the CECO has direct, independent and unfettered access to our Board and
support from board members and our senior executives."
The answer to the initial question posed appears to
have two correct responses. The guidelines and debate go both ways. The key
is in the actual reporting. As long as the CCO reports on a regular basis to
the Board, both lines of authority appear to be acceptable.
So which approach does your company utilize?
A shorter version of this post appeared in the FCPA Blog.
This publication contains general information only and is
based on the experiences and research of the author. The author is not, by
means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2010