Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Shruti J. Shah
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

Who Does Your Chief Compliance Officer Report To?

By Thomas Fox

I have noted with interest the excellent posts by Walker and Kaplan on the role of the Board of Directors in an effective compliance program. It brought up for me the question of who should a Chief Compliance Officer (CCO) report to in a company.

Should a CCO report to a company’s Board of Directors, or an appropriate Board committee such as an Audit Committee or Compliance Committee? Or can a CCO report to a company’s General Counsel (GC) but have access to the Board of Directors for periodic, but no less than annual, reporting? Is there any specific guidance from the Foreign Corrupt Practices Act (FCPA) or any of its U.S. government interpretations such as the U.S. Sentencing Guidelines? Is one approach more preferable than the other?

Under the 2010 Amendments to the U.S. Sentencing Guidelines now proposed to Congress, §8B2.1(b)(2)(C) requires:

Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

There has been debate in the FCPA compliance world as to what this requirement specifies. At the recent Compliance Week 2010 Annual Conference, a panel consisting of representatives from the U.S. Sentencing Commission indicated they believe the statement only requires that a CCO have access to a company’s Board of Directors. Further, this could be through a GC, so that if a CCO reports to a GC but has access to report to the Board of Directors, such a reporting structure would be in compliance with the proposed Sentencing Guidelines.

At the same conference, however, the DOJ’s Assistant Attorney General of the Criminal Division, Lanny Breuer, said a CCO should have direct access to a company’s Board of Directors, suggesting that the CCO should not have to report through a GC but should report directly to the Board.

And when the question was put to a panel from various Boards of Directors at the same conference, they responded that they only wanted the information to come to them so they could fulfill their obligations as Board members; they were not too concerned how it was presented to them or the reporting line of the person who did so.

The direct reporting approach is utilized by Halliburton, to which I posed the following question, “Who does the Chief Compliance Officer report to in your Company and why does your company utilize this approach?” Susan Ponce, Senior Vice President and Chief Ethics and Compliance Officer responded, “At Halliburton, the Chief Ethics and Compliance Officer reports directly to the company’s Board of Directors, advising both the Audit Committee and the full Board on all matters relating to legal compliance issues. We structured the CEC Office that way in order to leave no doubt that the CECO has direct, independent and unfettered access to our Board and support from Board members and our senior executives.”

The answer to the initial question posed appears to have two correct responses. The guidelines and debate go both ways. The key is in the actual reporting. As long as the CCO reports on a regular basis to the Board, both lines of authority appear to be acceptable.

So which approach does your company utilize?

Thomas Fox is an attorney in Houston, Texas, specializing in FCPA compliance, risk management and international transactions. He can be reached at [email protected]

Share this post


1 Comment

  1. What if the compliance/risk officer reports directly to the managing director and not to the BoDs?


Comments are closed for this article!