Leprechauns, Unicorns, Chief Compliance Officers, and Other Mythical Creatures

The US Federal Sentencing Guidelines’ “Seven Elements of an Effective Compliance and Ethics Program” (the FSGs) are 26 years old now. First published in 1991, and subsequently amended in 2010, 2011, and 2013, the FSGs are intended to induce organizations to “achieve reasonable prevention and detection of criminal conduct for which the organization would be vicariously liable.” The FSGs are designed to achieve this objective by offering significant penalty reductions to companies convicted of crimes, provided that the companies can demonstrate that they have taken reasonable steps to implement an “effective” compliance and ethics program.

The US Department of Justice (the DOJ) has sought to amplify the FSGs’ incentives by publishing a series of letters promising leniency for organizations that satisfy its requirements. The DOJ has since codified this policy by adding the “Principles of Federal Prosecution of Business Organizations” to the US Attorney’s Manual (the Manual). This section of the Manual outlines nine factors that prosecutors must consider when determining whether to charge a corporation for a crime. One of these factors is “the existence and effectiveness of the corporation’s pre-existing compliance program.” Corporations that satisfy this and several other factors may substantially reduce their criminal liability for crimes committed by their employees. In some circumstances, corporations might avoid prosecution altogether.

In response to these incentives, thousands of corporations have launched “compliance and ethics programs” and have appointed chief compliance officers (CCOs) to run them. The following is an excerpt from the FSGs detailing a CCO’s key attributes:

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

The authors of the FSGs appear to have envisioned CCOs with broad, enterprise-wide responsibilities to develop and implement “compliance programs” that effectively manage their organization’s entire portfolio of legal and ethical risks. This vision of a CCO’s role is one shared by me and many other compliance and ethics professionals. It is a governance model in which CCOs are assigned the responsibility to assess enterprise-wide legal and ethical risk, strengthen compliance management systems, promote an ethical culture, monitor program performance, and take corrective actions when problems are detected. It also describes a mythical creature that is no more real than leprechauns or unicorns.

If you doubt this assertion, consider for a moment the daunting constellation of legal and ethical risks confronting corporations. Labor laws; tax laws; regulatory mandates; accounting rules; financial reporting rules; safety, health, and environmental laws; anticorruption laws; antitrust laws; insider trading laws; data privacy laws; and many more. To assure compliance with such legal mandates, responsible corporations invest in corporate functions comprising an army of trained professionals who can expertly manage a particular slice of the legal and ethical risk pie. Such corporate functions carried this burden long before the 1991 launch of the FSGs and continue to do so today. Despite the hundreds of corporate scandals evincing the need for an FSGs-style governance model with CCO oversight, leaders of corporate functions generally do not permit CCOs to meddle in their affairs.

As a consequence, the vast majority of CCOs have a much narrower role than the one envisioned by the FSGs’ drafters. In most corporations, CCOs are assigned responsibility for performing ministerial tasks no other corporate function cares to manage. These generally include:

  • Managing a segment of the company’s policies and procedures;
  • Drafting and publishing a code of conduct;
  • Operating the company’s help-line;
  • Assisting with the creation of compliance management systems that other corporate functions have not taken responsibility for;
  • Performing investigations of employee misconduct; and
  • Providing online and live compliance and ethics training programs on selected topics.

These are significant responsibilities in any organization, and I don’t mean to diminish the importance of effectively performing these duties. However, this narrowly defined CCO role is miles away from the broad, programmatic responsibilities suggested by the FSGs.

There is nothing inherently wrong with this state of affairs. The FSGs do contemplate that the compliance program might be carried out by “Specific individual(s) within high-level personnel.” These “specific individuals” could be the heads of each corporate function. However, in many corporations with CCOs, companies play a game of make-believe by pretending that their CCOs are the “specific individual” responsible for the company’s entire compliance program.

I think it is important for board directors and corporate leaders to face reality. Either acknowledge that their CCO is merely heading another corporate function with narrow responsibilities, or (and I prefer this option) empower them to also provide oversight for all corporate functions that manage legal and ethical risks.

Corporate politics may make this latter outcome the exception rather than the rule. More often than not, the heads of corporate functions outrank the CCO. And even when the CCO is part of the senior management team, few other heads of corporate functions are likely to welcome this oversight. Nevertheless, the firms that embrace such a governance model and make such a “leprechaun” real will not only be acting in concert with the FSGs’ mandates but will also strengthen their ability to manage both legal and ethical risks in a way that may allow them to find the pot of gold at the end of the rainbow — and keep it.