GC vs. CCO: The Big Debate

March 26th, 2014

With global regulators cooperating like never before and with record fines being levied against companies for noncompliant practices, there has never been a better time to revisit and discuss how companies organize themselves to mitigate risk.

From the Experts

Varun Mehta, Corporate Counsel

Companies are increasingly bifurcating their risk programs by delegating all matters of legal risk to their general counsel, while directing their chief compliance officers to address questions of organizational risk. On the surface, this sounds reasonable. But a number of problems arise from dividing up the responsibility for risk management.

HOW ARE COMPANIES APPROACHING RISK?

First, let’s take a look at how companies organize their risk governance. Beyond the GC-CCO division, companies use a number of different reporting structures between CCOs and GCs, and between CCOs and the organization at large. A recent three-part series by the FCPA Report, published in November-December 2013, outlines the five main reporting structures between the two roles and discusses the pros and cons of each. In some organizations, the CCO reports directly to the GC. In others, the CCO reports to a C-suite executive or even directly to the board. A less common alternative is having the CCO report to an internal audit division or to the head of a business unit.

As the FCPA Report describes in depth, each set-up has merits and drawbacks. Having the CCO report to the GC allows companies to meld regulatory and ethics compliance initiatives. When the CCO reports directly to the C-suite or the board, compliance becomes a more dominant and legitimized force. Tying compliance to internal audits makes sense as a preventive measure.

THE PROBLEM WITH HAVING A SEPARATE CCO

Despite these benefits, all of these reporting structures share one detriment: they obfuscate risk, an already slippery foe. Legal and organizational risks are inherently intertwined; why completely divorce the two? By dividing risk, companies may draw false distinctions between organizational and legal risk, denying the possibility that the two can be intrinsically linked.

Read the full article in Corporate Counsel.