Risk Management, the Chief Financial Officer, Internal Audit, direct to the CEO, a Board Member, a composite Compliance, Ethics and Investigation (CEI) function? I have even heard it raised that the compliance function should report to a committee of the Board.
John McGuckin, the General Counsel of Union Bank of California, offered some sage comments on the two reporting paradigms of compliance (Corp. Legal Times, Oct. 2005 at 78): to the GC or to someone else. With the GC reporting line, “how do you know when the general counsel is speaking in a legal capacity or as a non-legal company officer? While there is greater coordination between Legal and Compliance when both report to the general counsel, confusion of roles and risk to the attorney-client privilege require careful attention.”
Under the second paradigm, in which Compliance reports outside of Legal, compliance officers become clients of the law department. What happens, then, when these clients disagree with Legal over the interpretation of a law or regulation, or over the assessment of legal compliance risk? McGuckin’s answer, which applies at Union Bank: “the company has to create a shared understanding of the respective roles of Legal and Compliance by the board, executive management and the business and support personnel with whom Compliance and Legal constantly interact.” Essentially, lawyers interpret the law as it applies to the facts, and compliance professionals help assess the reputational, operational and other risks before the client makes an informed business decision.