In our decades working with complex organizations on their Ethics & Compliance (E&C) programs, my colleagues and I have seen a wide variety of structures. We've seen stand‐alone programs, programs that fall within the control of a law department, and outsourced programs. We've seen programs run by E&C professionals, programs run by a multi‐hatted GC, and programs run by outsiders. While we readily concede there is no one way to structure an E&C program, we have come to believe there are a few traits common to the best programs:
- A designated, committed leader. As a
general rule, we prefer to see an E&C program run by a
dedicated Chief Ethics and Compliance Officer (CECO) rather than
one run by a different business leader (e.g., the
CAO, the GC, the COO) wearing two hats. It's certainly
reasonable to vest an existing executive (e.g.,
the GC) with CECO responsibility, but for a number of reasons
it's not ideal.
- A high ranking leader. A successful
CECO must be able to command the attention of others in the
organization. It's hard to conduct an investigation into the
actions of the VP of Sales when the leader of the
organization's E&C organization is only at a director
level.
- Clear reporting authority to the CEO and the
Board. While reasonable people can argue about the
best placement of a CECO (e.g., reporting to the CEO,
reporting to the GC, etc.), there are no good arguments against
ensuring the CECO has the ability (and the responsibility) to take
appropriate matters directly to the CEO and/or the Board.
- A written program. It's hard to
implement, enforce, and evaluate a program that exists only in the
ether. Meaningful E&C programs should be targeted, organized,
and memorialized in writing. And employees should know where to
find them.
- A clear investigations plan. Even the
best E&C program will not prevent transgressions. Thus, there
should exist a thoughtful and consistent plan to look into and deal
with non‐compliances. The plan should incorporate the roles
of the various stakeholders, including the Law Department, HR,
Internal Audit, E&C, and others.
- Adequate resources. In a recent
speech, DOJ's lead criminal prosecutor Kenneth Polite offered
his views on steps corporations should take to ensure a meaningful
E&C program. Properly resourcing the program was very high
on his list. This includes adequate facilities, resources,
professional development opportunities, and, of course,
staffing.
- A distinction between the Law Department and the E&C Office. Many organizations house the E&C function within the Law Department. While there is no prohibition against this, I contend there are benefits to a stand‐alone E&C function. Among other things, a stand‐alone E&C function provides greater protection to the Law Department's attorney client privilege. And the Law Department still can take advantage of the E&C professionals to support investigations with a properly worded (and enforced) deputization letter. If the E&C Office and the Law Department are to be combined, it is critical to develop procedures and practices to determine on what side of the line any given activity falls.
We don't mean to suggest these are the only best practices in standing up an effect E&C program, or even that these are the best best practices. But our experience strongly suggests these are really good starting points. Perhaps you have others. We'd love to hear from you.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.