GRC: The Evolution Chief Ethics and Compliance Officer Role

By Scott Giordano Jun 9, 2011

Today's organizations face constant demands from an evolving global economy and increased regulations. To help deal with these demands, a new role has evolved: the CECO — Chief Ethics and Compliance Officer. Here's a look at its evolution.

The last decade saw the emergence of several new C-level roles within the corporation in response to sweeping changes in the global economy and the imposition of complex new compliance regimes by government agencies. Perhaps most prominent of these new roles is that of the Chief Compliance Officer (CCO). Prior to the spectacular failures at Enron and other corporations, and the subsequent imposition of Sarbanes-Oxley (or “SOX”), the position of the CCO was limited to highly-regulated industries. Today, that office is commonplace, and the CCO is responsible for managing externally-imposed compliance expectations from government agencies and industry self-regulatory organizations (SROs), and for contractually-imposed expectations from business partners.

The latter half of the decade also saw dramatic increases in criminal prosecutions and civil enforcement action by government agencies against corporations involved in bribery, insider trading, fraud and other corrupt activities. As a consequence, the role of CCO evolved to meet the challenge of building an ethical framework for the corporation and maintaining it to withstand the potential for corruption inherent in competing in the global marketplace. That expanded role is now commonly referred to as the Chief Compliance and Ethics Officer, or CECO. Among the various disciplines that the CECO must master are the enterprise-wide setting of policies, the minimization of risk and the enforcement of the expectations imposed upon it. This collection of disciplines is grouped under the unwieldy rubric of “governance, risk management and compliance,” or GRC.

CECOs as a Separate Entity from the General Counsel

Given that the office of the CECO and that of the General Counsel (GC) are both involved in protecting the corporation and in acting as a police officer, why create distinct positions? Indeed, many legal departments already address compliance matters in addition to their traditional legal duties. The answer lies in the GC’s dual and sometimes contradictory role of being a partner to the business and a guardian of its reputation and integrity.

There is a conflict, for example, when the GC’s compensation package is tied to company profitability and stock options. It raises questions of impartiality when there is a personal incentive to disregard playing the corporate cop and maximize payouts that might be a result of manipulated financial numbers. Similarly, when an M&A or joint venture may affect the GC’s company shares, it raises the question of whether the GC will advise the board as a lawyer or as a business executive interested in passing an initiative.

Adding GRC duties on top of this—risk assessments, policy management, internal investigations, corporate social responsibility and compliance management—only exacerbates the problem. The solution is the creation of a distinct office that directs its efforts toward the day-to-day blocking and tackling that GRC requires. Moreover, the CECO typically reports directly to the CEO, the board or the audit committee rather than the GC as a means to preserve his/her ability to offer unbiased analysis and opinion.

Balancing Collaboration and Independence

The many areas that the CECO is responsible for — understanding the compliance, ethics, and cultural obligations and risks faced by the organization — necessitate his/her collaborating with a broad spectrum of C-suite executives and company managers. For example, the CECO needs to collaborate with the CFO on the imposition of controls over financial reporting. Such controls could also benefit operations outside the CFO’s office and an enterprise-wide strategy on controls developed in concert with the management team will drive technology purchasing decisions and implementation projects.