Today's organizations face constant demands from an evolving global economy and increased regulations. To help deal with these demands, a new role has evolved: the CECO -- Chief Ethics and Compliance Officer. Here's a look at its evolution.
The last decade saw the emergence of several new C-level roles within the corporation in response to sweeping changes in the global economy and the imposition of complex new compliance regimes by government agencies. Perhaps most prominent of these new roles is that of the Chief Compliance Officer (CCO). Prior to the spectacular failures at Enron and other corporations, and the subsequent imposition of Sarbanes-Oxley (or “SOX”), the position of the CCO was limited to highly-regulated industries. Today, that office is commonplace, and the CCO is responsible for managing externally-imposed compliance expectations from government agencies and industry self-regulatory organizations (SROs), and for contractually-imposed expectations from business partners.
The latter half of the decade also saw dramatic increases in criminal prosecutions and civil enforcement action by government agencies against corporations involved in bribery, insider trading, fraud and other corrupt activities. As a consequence, the role of CCO evolved to meet the challenge of building an ethical framework for the corporation and maintaining it to withstand the potential for corruption inherent in competing in the global marketplace. That expanded role is now commonly referred to as the Chief Compliance and Ethics Officer, or CECO. Among the various disciplines that the CECO must master are the enterprise-wide setting of policies, the minimization of risk and the enforcement of the expectations imposed upon the corporation. This collection of disciplines is grouped under the unwieldy rubric of “governance, risk management and compliance,” or GRC.
CECOs as a Separate Entity from the General Counsel
Given that the office of the CECO and that of the General Counsel (GC) are both involved in protecting the corporation and in acting as a police officer, why create distinct positions? Indeed, many legal departments already address compliance matters in addition to their traditional legal duties. The answer lies in the GC’s dual and sometimes contradictory role of being a partner to the business and a guardian of its reputation and integrity.
There is a conflict, for example, when the GC’s compensation package is tied to company profitability and stock options. It raises questions of impartiality when there is a personal incentive to set aside the role of corporate cop and maximize payouts that might be the result of manipulated financial numbers. Similarly, when an M&A or joint venture may affect the GC’s company shares, it raises the question of whether the GC will advise the board as a lawyer or as a business executive interested in passing an initiative.
Adding GRC duties on top of this—risk assessments, policy management, internal investigations, corporate social responsibility and compliance management—only exacerbates the problem. The solution is the creation of a distinct office that directs its efforts toward the day-to-day blocking and tackling that GRC requires. Moreover, the CECO typically reports directly to the CEO, the board or the audit committee rather than the GC as a means to preserve his/her ability to offer unbiased analysis and opinion.
Balancing Collaboration and Independence
The many areas that the CECO is responsible for -- understanding the compliance, ethics, and cultural obligations and risks faced by the organization -- require him or her to collaborate with a broad spectrum of C-suite executives and company managers. For example, the CECO needs to collaborate with the CFO on the imposition of controls over financial reporting. Such controls could also benefit operations outside the CFO’s office, and an enterprise-wide strategy on controls developed in concert with the management team will drive technology purchasing decisions and implementation projects.
In fact, given the broad scope of the CECO’s duties, there may be no other C-suite executive who needs to collaborate more. That need to collaborate, however, must be balanced with the need for independence. The CECO’s “law enforcement” duties require that he/she be able to take an unbiased view of activities and events that could expose the company to liability and not hesitate to direct unpleasant questions to corporate officers and managers. Moreover, the CECO also cannot hesitate to take concerns directly to the board of directors if the answers to those questions (or lack thereof) merit it.
The CECO’s Daily Duties
So, just what does the CECO do, day to day? The CECO’s duty is to manage and monitor ethics and compliance-related activities, which include:
- Developing the company code of conduct.
- Managing policies.
- Monitoring regulatory changes.
- Conducting internal investigations.
- Overseeing training programs.
- Performing risk assessments.
This list is far from exhaustive and exemplifies why a separate office is needed to address ethics and compliance obligations.
Technology plays a vital role in the success of the CECO’s GRC activities described above. Take, for example, an internal investigation. The CECO requires an enterprise-wide “system of record” that can reliably preserve information about the investigation and make it available for admission into legal proceedings. That system will link together members of the investigation team, as well as the legal and IT departments, regardless of geography, into a virtual team that enables members to make contributions while preserving the confidentiality of the matter.
It will also provide a way to trace team member actions in order to provide for individual accountability should something go wrong. These demands for collaboration and accountability apply across all GRC activities that fall within the scope of the CECO's role -- investigations, policy management and so forth. Just one of them will place great demands on the company’s technology infrastructure; attempting to manage an array of them without a dedicated GRC system is all but impossible.
A Position for the Future
The office of the CECO was created in response to a combination of new demands upon companies that did not squarely fit within the scope or capabilities of other corporate offices. Over time, those demands have increased as government agencies have sought to vigorously enforce existing regulations and impose new ones. The potential for litigation related to a company’s business partners, or “third party” liability, demands its own system to protect the company from loss.
Finally, the necessity of risk management as a distinct task became apparent in the wake of the recent financial crisis. The CECO is the executive in the best position to manage a comprehensive ethics and compliance program to address existing enterprise risk, compliance obligations, and corporate governance issues and to adapt to the constant changes that the future will bring.