Revisiting Compliance Program Reporting Relationships

Corporate leaders may wish to revisit the important yet sensitive topic of reporting relationships in compliance programs following the release of new guidance from the Department of Justice’s Criminal Division.

That guidance, entitled Evaluation of Corporate Compliance Programs[1], (The “New Guidance”) discusses in detail the three main thematic questions that prosecutors should apply in evaluating corporate compliance programs and how those questions can be used to elicit information as to compliance program adequacy and effectiveness. One of those thematic questions is whether the corporation’s compliance program is being implemented effectively. The autonomy of compliance program leadership is one of several cited indicia of effective implementation. This is certainly consistent with the significant value historically attributed to the organization’s compliance function and to the role of chief compliance officer (“CCO”).

The New Guidance directs prosecutors to examine whether those charged with a compliance program’s day-to-day oversight have, among other factors[2], “sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.” [3] What is “sufficient” will depend on the company’s size, structure, and risk profile.[4]

Related areas of prosecutorial focus include the frequency with which compliance authorities meet with the board, whether members of senior management are present for such meetings, and other steps the corporation takes to assure the independence of compliance and control personnel.[5]

The New Guidance offers no specific perspective on the autonomy implications of the reporting relationship between a company’s CCO and its chief legal officer (“CLO”). Rather, prosecutors are encouraged to ask where within the company the compliance function is housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO or board) and to whom the compliance function reports.

But, consistent with its facts-and-circumstances approach to program effectiveness, the New Guidance neither recommends nor proscribes a specific reporting relationship; the emphasis is more generally on autonomy. This is notable in the context of CCO-to-CLO reporting relationships, which have long been a controversial topic. Some oppose such relationships due to perceived concerns with bias or conflicts of the CLO and with the potential for excessive application of the attorney-client privilege.[6] Others view such relationships as enhancing communications critical to the success of organizational legal compliance. The New Guidance suggests that there is no one-size-fits-all approach to CCO autonomy; certain types of reporting relationships that support program effectiveness in some circumstances may hinder effectiveness in others.

Many corporate boards interpret their Caremark obligations as extending to the autonomy of the CCO and to the preservation of an effective working relationship between the CCO and the CLO. To that end, they have sought to address autonomy concerns through a combination of measures, including (i) establishing direct access of the CCO to the CEO; (ii) establishing a regular reporting relationship from the CCO to the board’s audit and compliance committee; (iii) charging that committee with specific responsibility for monitoring the autonomy of the CCO; (iv) establishing specific job responsibilities for the CCO and the CLO; and (v) adopting policies governing the application of the attorney-client privilege.

It is in this context that the New Guidance’s additional focus on continuous improvement looms large. As part of the larger thematic question of whether a company’s compliance program works in practice, prosecutors are to consider whether the program has evolved to address existing and changing compliance risks.[7] “A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards”.[8]

Increasingly, large corporations are pursuing efforts to recalibrate organizational compliance efforts to be more responsive to factors such as corporate growth, global footprint, evolving leadership duties, and implementation of formal enterprise risk functions.[9] Central to many such efforts is some form of internal partnership among key functions across the enterprise, including front-line businesses, the office of legal counsel, enterprise risk management, internal audit, and compliance. The goal is, through coordination and cooperation, to better identify, mitigate, and manage existing and emerging legal, regulatory, and reputational risks. The expectation is that valuable collaboration among enterprise risk-related officers can proceed while simultaneously preserving appropriate levels of CCO autonomy.

The New Guidance appears supportive of such recalibration initiatives in at least four different ways. First is its articulation of measures that support CCO autonomy. Second is its rejection of a rigid formula to assess the effectiveness of a compliance program.[10] Third is its emphasis on a compliance program’s “capacity to improve and evolve; to ensure that it [does not become] stale”.[11] Fourth, and perhaps most notable, is its unwillingness to reflexively proscribe certain forms of CCO reporting relationships or otherwise encourage compliance silos.

The hope is that such a facts-and-circumstances approach from DOJ will help organizations avoid dogmatic positions that, if applied, could frustrate otherwise necessary and important types of CCO relationships and communications with other corporate officers, including the CLO. The factors contained in Section II.B of the New Guidance provide a pathway for preserving the autonomy of CCOs in the context of those relationships and communications.

Organizations that seek to implement innovative enterprise risk management structures that envision more horizontal and vertical communications between officers with legal, compliance and risk responsibilities can thus refer to the New Guidance when designing such structures to assure a satisfactory level of CCO autonomy.

The compliance themes reflected in the New Guidance are of great importance to the governing board in the exercise of its Caremark-grounded compliance oversight responsibilities. In that regard, the board will want to focus particularly on the New Guidance’s treatment of compliance officer autonomy and reporting relationships, both with respect to its obligation to implement an organizational culture of compliance and with respect to its support of efforts to continuously improve the compliance program in the context of a complex and rapidly evolving business and risk environment.


[1] U.S. Department of Justice Criminal Division, “Evaluation of Corporate Compliance Programs” (Updated April 2019).

[2] Other referenced factors include (1) sufficient seniority within the organization and (2) sufficient resources, namely staff to effectively undertake the requisite auditing, documentation, and analysis. Id. at p. 10.

[3] New Guidance, at II.B, p. 10-11.

[4] Id.

[5] Id. at p. 11.

[6] It should be noted that in regulatory settlements that are the byproduct of allegations of fraud and significant compliance program weakness, the government will often insist on the appointment of a compliance officer who shall report to the CEO and shall not be, or be subordinate to, the general counsel or the CFO. See, e.g., /fraud/cia/agreements/Insys_Therapeutics_Inc_06052019.pdf.

[7] New Guidance, at III.A, p. 13.

[8] Id. at p. 14.

[9] See, e.g., Sue Reisinger, “Wells Fargo General Counsel-Turned-CEO Creates New Regulatory and Compliance Group”.

[10] New Guidance, at Introduction, p. 1.

[11] New Guidance, at III.A, p. 14.

This post comes to us from Michael W. Peregrine, a partner at the law firm of McDermott Will & Emery, who advises corporations, officers, and directors on corporate governance, fiduciary duties, and officer and director liability issues. His views do not necessarily reflect the views of the firm or its clients.