[00:00:00] Speaker A: Hi, everyone. The Business Ethics Leadership alliance has questions and we have answers. I'm your host, Bill Coffin. Welcome to our special episode, the Best of Bella Asks.
This year, Bella chair Erica Salmon Byrne and I answered some 50 questions from the Business Ethics Leadership alliance community covering every aspect of the ethics and compliance discipline as we bring 2024 to a close. We thank everyone who submitted a question to the Bella Concierge Service and we look forward to answering more of your questions in 2025. As a special year end recap, we invite you to take in this series on senior ethics and compliance leadership, including how to name a chief compliance officer, what good compliance reporting structure looks like, and how to onboard senior ethics and compliance team members. Enjoy.
[00:01:01] Speaker B: So, Bill, a couple of pieces in this particular question. I am assuming that the question is coming from a company that has people who are working on compliance, but they don't have someone with that chief title. Right. They don't have somebody who is at that level where they're carrying that CCO nomenclature. And so I want to bifurcate my answer into two buckets. The first is benchmarking. So part of making the case is looking at other organizations in your space, your industry, your revenue, your headcount, your global footprint, whatever your space means to you, and seeing the extent to which they have someone who carries that Chief Compliance officer or chief Ethics and compliance officer, or chief Integrity officer, whatever the title is. Right. Some indication that there is someone who has a high level senior title relevant that is related to this particular set of responsibilities.
And we've got lots of data on that in the sphere, depending on what industry you're in, what sector you're in, the trend will vary the extent to which we see people with that chief title. So the benchmarking pieces is piece number one from a case perspective. The second bucket I want to talk about is a little bit more of the kind of philosophical why should I have a chief compliance officer in the first place Bucket. Because when you can answer those questions, then you can make both the philosophical argument and the benchmarking argument to have this kind of a role. And it really goes to the point of a compliance program in the first place. So here at Ethisphere we are fond of saying that org charts send messages, that your organizational chart sends a message to your employees of the things that are important to you. And you probably have a head of internal audit or a chief audit officer. You probably have a head of human resources or a chief HR officer or chief people officer. You probably have a chief technology Officer, maybe you have a chief product officer. All of those roles are indications to your employees of the things that matter to the business. And if you have all of these other chiefs, people with senior titles that are responsible for these particular functions, and you don't have somebody with that title who's working on business integrity and making sure that employees have the tools necessary to do their jobs in the way the company needs them to, then you are telling companies something, or telling employees, rather something subtly about what matters to the business. And so that would be sort of one of the philosophical questions that I would ask the person who asked this question.
What message are you sending internally and externally if you don't have someone who is designated at a senior level that is responsible for business integrity? Now, a lot of companies have that person who serves also as the general counsel. And you and I, Bill, have talked about the dangers of dual hatting because at the end of the day, being the chief compliance officer and being the general counsel, those are both full time jobs. And if somebody is wearing both hats, then that means they're doing neither job with all of their time and attention. And they may have people who are designated to be doing both of those jobs or taking on pieces of those jobs that are junior to them. But again, that sends a message about how the company thinks about this particular role. So it's part of the reason why I'm heartened to see that we now are seeing about 40% of compliance officers reporting outside of legal into, you know, either directly into the CEO or into a chief operating officer or chief administrative Officer, somewhere along those lines. And I think that's reflective of an increasing understanding that the whole purpose of the three lines of defense, where the employees are the first line, compliance and other control functions are the second line, and audit is the third line. You know that it is important to make sure that you are devoting the right amount of time, energy, attention, budget and seniority to that compliance role and designating the title appropriately.
Bill, this is a very interesting question because what the person asking the question did not specify is are they asking about compliance lead down reporting structure, like who should be on my team, what roles do they have, what responsibilities do they have? Or are they asking about reporting lead compliance person up, which is a different question, like do I report into the CEO, Do I report into the administrative officer, Do I report into the chief operating officer or the general counsel? What does my reporting relationship look like with the board? Right. Those are different questions to be asking when it, when it's, it's time to think about your reporting structure. So I'm going to give a little bit of insight into both directions and then for anybody listening in who is curious about either one of these pieces and would like to go into more detail, we have a lot of data in the sphere about what, you know, FTE levels look like, what backgrounds on teams look like, what budget levels look like, and then also what reporting lines up look like in terms of where the compliance function sits in inside the organization. So what our data tells us, I'm going to start with compliance officer or chief compliance officer down. What our data tells us is we are seeing an increased diversity of backgrounds on the team. We are seeing more companies with communications professionals that are part of the compliance team and responsible for drafting compelling communications that employees actually want to engage with. We are seeing more companies put people with data backgrounds on on the team and those people are responsible for data analytics and you know, looking at different dashboarding and different ways that data can tell an organization how the program is performing. We are seeing more teams with auditors on them or forensic accountants, particularly if you are in an industry where you might have to do a lot of forensic work as part of investigation. People with investigations backgrounds, real broad, you know, lawyers of course, continue to be very prevalent on teams. Really, really broad backgrounds on compliance teams across the organization. And more often than not we will see teams that have people who are specializing in particular pieces of the program. So you would have somebody who works on your third party risk management, you would have somebody who is really focused on training, somebody who is thinking about communications and manager preparedness things along those lines. So increasing specialization on teams from a background perspective and increasing specialization on roles. But of course also we're seeing a lot of people who are compliance managers and other kind of generalist role as well. On the time tested, age old question of where do I sit inside the organization?
Again, a fair amount of diversity. We do still see a majority of programs, a majority of functions rolling into legal where the person who is running the program, the chief compliance officer, is increasingly not dual hatted. So while we do still see some compliance officers who are also the general counsel, increasingly we are seeing a recognition on the part of companies that those are two different full time jobs and you should designate the person who's actually running the program accordingly and give them the appropriate level of gravitas in the organizational chart. And so we are seeing a separation of those two hats off of one person. But we do still see a lot of programs rolling into the legal department where the person who's running compliance is reporting to the general counsel. We also see, and this is being driven by regulatory expectations a lot of programs where the person who is running the program also has a direct line in to the board, relevant chair of the relevant committee that oversees the program and that they are having their own direct conversations with that individual that do not go through the general counsel. Very importantly, you know, they have direct access to the board, which is a pretty clear regulatory expectation. The one place I will caveat that we see a a different structure is if you are subject to the oversight of health and human services here in the US that entity has been very clear that they believe that reporting into the legal department is bogus. They don't want to see it. They want to see compliance as its own independent function. And I believe that is driving the fact that in about 40% of the data set at this point, we do see compliance reporting outside of legal and either directly to the CEO from a managerial perspective or to somebody else in the C suite, whether that be a chief operating officer or chief administrative officer or something along those lines. And then of course that critically important direct unfettered line into the chair of the board committee.
[00:09:24] Speaker A: Erica, what don't you want to see on a compliance reporting org chart?
[00:09:29] Speaker B: You don't want to see four levels between you and anybody who is ultimately responsible for the behavior of the organization. The farther down you are in the org chart, the less likely your information is getting to the people it needs to get to. So you don't want to see a board reporting line, for example, where there's a number of stops along the way where your information can get watered down and you don't have direct access to the chair. If you have that structure, I can guarantee you that if you wind up in front of any regulatory body, they are going to look quite askance at that. Because you know, again, even going back bill to the 2010amendments to the sentencing guidelines, part of the reason we saw those amendments is because in 2010 we saw the federal sentencing guidelines get amended to really talk about that unfettered access to the board. And the primary reason for that was the GC was actually involved in the misconduct at issue and the board had no idea because the general counsel kept anybody on the compliance team that was trying to get that information to the board from getting that information to the board. And so since 2010 we have really been seeing a very clear expectation from the regulators that the people who are responsible for compliance on a day to day basis need to have unfettered access to the board, to the chair of the committee that oversees the program, where nobody else is filtering out the information they're providing. There's no, there's no approval of their board materials. They are able to sit in executive session with that committee. They're able to talk on a regular basis to the chair. That is the clear regulatory expectation and has been for the course of the last 14 years.
It's a great question because. And a timely one because we are seeing so much change in roles in the ethics and compliance community. I cannot log into LinkedIn these days without seeing at least three or four job announcements. Right. People are a lot of changes happening right now in terms of people's roles. So if you are in a position where you've recently added to your team, you may well be sitting there going, okay, hired this professional. They've got a great background. Where do I start? And I've got a couple of thoughts on this one. If you've done a recent risk assessment, I would start there because particularly the question said senior ethics and compliance team member. And so that is going to be somebody who's going to be very involved in strategy. That's going to be somebody that's going to be very involved in all of the different aspects of planning and executing on the ethics and compliance program, presumably based on the, you know, including senior in the, in the, in the question. So looking at risks, business strategy, right. As Matt Galvin said at the Global Ethics Summit, one of the primary things a compliance professional needs to understand is how their company makes money, because that's where a lot of the risk lies. So it's going to be as much about orienting them to the business as as it's going to be about orienting them to the program. And a recent risk assessment, business strategy, five year plan, product roadmap, right. Those are all going to be kind of key documents that you want to make sure are part of the process. And then the other thing is, you know, getting that person out there so they start to build relationships and learn the business as well. So those would be a couple of my kind of immediate thoughts. If you've got somebody who's coming in, maybe, and this is another trend we're seeing, Bill, which I love, this senior ethics and compliance person was a senior person somewhere else in the business that is newish to ethics and compliance, right. So we're definitely seeing people being brought in with different backgrounds. They've got an operations background, they've got an IT background. They've got a supply chain background and then it's really about teaching them the discipline, not the business. And so if that's kind of the direction you're in, then, I mean my go to all the time is, is the DOJ's evaluation of corporate compliance programs and the documentation that goes along with that. But HHS OIG has come out with really good guidance on what a good program looks like. The new Australian Adequate procedures guidance is really good. It's very straightforward, well written. So there's lots and lots of different kind of documentation and resources that you can look at. So a little bit of it depends on Are you onboarding a senior ENC person that's new to the business? Are you onboarding a senior business person that's new to encourage? It's going to be. You're going to start from different places depending on the circumstances.
[00:13:51] Speaker A: Now, if I can ask you a follow up question, I'd like to dive deep into culture a little bit and this is something that's a topic near and dear to both of our hearts. We talk about a lot in this show. Ethisphere talks about it a lot. It's crucially important to the E and C function. You know, we're talking about a senior ENC team member. So presumably they've done a great deal of work on the ethical culture or whatever organization they were at previously. That strikes me as a, as a possible vector for having a little bit extra baggage in terms of maybe things you have to unlearn or things you would love to impart upon your new workplace that may be a challenge or an opportunity. So I'm just kind of curious, you know, from your standpoint that proximity to culture that you get by being a senior ENC leader. Have any advice or any thoughts on how to broach that particular topic and you know, make sure that that's not a challenge, that is an opportunity and that's a way to go from strength to strength as you're going from one team to another.
[00:14:41] Speaker B: Yeah, no, it's a good question, Bill. And I wouldn't have really thought about it from a baggage perspective. I would think about it more from a lessons learned kind of perspective. But I do think it's a fair point. You know, for those of you out there who are familiar with our Etunes, which is our, our line of cartoons that we work on with the New Yorker cartoonists, my new favorite ethitune is on the one side you have some of the Monopoly game figurines, you've got the car and the hat and, and, and, you know, the horse. And then on the other side, you have a couple of chess pieces. And the tagline on the, on the cartoon is maybe at your former employer, you were allowed to move diagonally.
[00:15:21] Speaker A: Yeah.
[00:15:23] Speaker B: And so I do think there's a, there's that element of, you know, helping that new team member start fresh, helping that new team member, you know, potentially figure out what are the things that, from their prior experience that they are trying to hold on to and what are the things that they need to let go of. And I do think that's absolutely something that you need to give some time and energy to, almost doing sort of a debrief of, you know, what worked, what didn't work with the program that they had been involved in previously. What were the lessons learned, and what do we need to leave behind?
[00:15:54] Speaker A: To learn more about Bella, please Visit@the sphere.com Bella to request guest access to the member resource hub and to speak with the Bella engagement director. And if you have a question that you would like answered on Bella Asks, be. Be sure to use the Bella Concierge service and we'll get to your question just as soon as we can. I'm Bill Coffin, and this has been a special Bella Asks episode of the Ethicast. For more episodes, please Visit the Ethisphere YouTube
[email protected] ethisphere if this is your first time enjoying the show, please make sure to like and subscribe on YouTube, Apple Podcasts or Spotify. Thanks so much for joining us. And until next time, remember, strong ethics is good business.
