Maybe Chief Compliance Officers are starting to get the respect they deserve. According to noted FCPA legal expert Tom Fox, writing for Corporate Compliance Insights, the DOJ is taking a harder look at organizations and how they position the role of CCO. Fox says that, per the DOJ’s recent Deferred Prosecution Agreement with Pfizer, the DOJ wants to see “whether [the CCO position] has adequate staffing and resources to accomplish its mandated tasks in a minimum best practices compliance program under the Foreign Corrupt Practices Act.”
A CCO now has to be a senior-level employee within the company, at a level of responsibility and compensation equal to the General Counsel. The Pfizer DPA is one in a line of DPAs and Non-Prosecution Agreements (NPAs) where the DOJ and the Securities and Exchange Commission (SEC) have made this clear, sending the message that the role of the CCO is one of leadership and proactive compliance, not just one of legal reports and enforcement action.
As Deloitte’s Tom Rollauer points out in the Deloitte Insights video entitled “The Chief Compliance Officer of the Future: Embracing a Risk Intelligent View,” it’s the CCO who must bear the responsibility of ensuring organizational compliance with laws, regulations and internal policies. With all of the regulations and increased scrutiny of the past decade, it’s up to the CCO to demonstrate to the regulators that the organization is maintaining control, and to demonstrate that control to stakeholders, the board, shareholders, senior management – and the employee workforce.
According to recently released FCPA guidance, CCOs must have appropriate authority within the organization as well as adequate autonomy from management. The latter generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee). Pfizer’s VP of Compliance Jeffrey Williams, in that same Deloitte video, believes such autonomy will allow the CCO to collaborate with enabling functions, financial functions, business and commercial functions to really figure out on a company-wide basis what the key risks are. The CCO has to be able to discuss risks on the table with the key business leaders, so that they can be addressed appropriately and they don’t become significant compliance issues.
And, perhaps most importantly, the CCO must have sufficient resources to ensure that the company’s compliance program is implemented effectively. The DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure and risk profile of the business.
It is important for the CCO of the brave new world to follow these evolving best practices, so that they can add to the credibility of their defenses if their company becomes involved in an FCPA investigation or enforcement action.