Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Shruti J. Shah
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

At Large: How chief compliance officers became today’s ‘super executives’

The DOJ released the first version of its Evaluation of Corporate Compliance Programs in 2017. That document (with its 2019 and 2020 updates) completed the chief compliance officer’s amazing transformation from part-time generalist to today’s highly specialized “super executive.” How did it happen, and why?

A bit of background. The U.S. Sentencing Commission arguably created the modern compliance function with the 1991 release of the Organizational Guidelines. The DOJ’s Evaluation of Corporate Compliance Programs paid homage to the Organizational Guidelines. But the DOJ’s document “personalized” compliance in the new way that started after 9/11, and it elevated the CCO to a special level within the C-suite.

Here’s what I mean.

The Organizational Guidelines famously set out the elements of an “effective compliance program.” One of those elements required companies to place responsibility for the compliance function on “high-level personnel of the organization.” The U.S. Sentencing Commission defined high-level personnel as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization.” They could be “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.”

Responsibility for the compliance function was left vague. It could fall somewhat randomly among any of several layers of governance and management, from a board member to anyone already in management. In other words, the compliance function, as the Organizational Guidelines conceived it, was a part-time role added onto someone’s existing full-time job.

Change came after September 11, 2001. In the decade after 9/11, the federal government came to see graft as a national and global threat. Attorney General Eric Holder said in 2012, “[A]s we’ve learned, corruption often is a ‘gateway crime’ — one that allows money laundering, gang violence, terrorism and other crimes to thrive.”

Holder’s words were an early signal that combating corruption had become too important to be left with random “high-level corporate personnel.” Instead, companies would be expected to place more responsibility (and accountability) on specific individuals. In 2014, SEC Chair Mary Jo White picked up that theme. She talked about corporate gatekeepers — “auditors, lawyers, and others who have professional obligations to spot and prevent potential misconduct.”

SEC enforcement chief Andrew Ceresney went further. He put the spotlight on compliance officers. In 2015, he said the SEC would make some corporate charging decisions after asking:

  • Are compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do compliance officers report to the CEO and have significant visibility with the board?
  • Is the compliance department viewed as an important partner in the business and not simply as a support function or a cost center?
  • Is compliance given the personnel and resources necessary to fully cover the entity’s needs?

The SEC also began charging compliance officers themselves, including CCOs who “exhibited a wholesale failure to carry out his or her responsibilities.”

Then the DOJ released its Evaluation of Corporate Compliance Programs. That document (originally just eight pages in 2017, but now 20 pages after updates in 2019 and 2020) isn’t law. It’s internal guidance for DOJ prosecutors, but made public. Very likely, few board members will ever take the time to read it. But every lawyer and risk-management professional advising the board of a global company will read it, study it, and craft advice based on it. So the influence of the Evaluation of Corporate Compliance Programs is now everywhere.

What does the DOJ want to know? Questions from the Evaluation of Corporate Compliance Programs include:

  • How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?
  • What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?
  • How has the company responded to specific instances where compliance raised concerns?
  • Have there been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns?

Beyond that, the DOJ said in the document that prosecutors should also ask whether compliance personnel are well qualified, adequately funded, autonomous from the rest of management, and directly reporting to and informing the board? And, do compliance officers have access to enough internal data “to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?”

The DOJ has conferred a special status on the compliance function and compliance personnel by asking those questions (and giving companies credit for the “right” answers). That special status — and above all, being autonomous from the rest of management — has completed the transformation of CCOs into today’s “super executives.”

Share this post



  1. CCOs will never be the force they should be in a corporation until they are paid commensurate with their peers.

  2. Very important guidance, Richard. Two added comments:

    First, you will see this same pattern in advice from governments around the world. The Chief Ethics and Compliance Officer (CECO) needs to be empowered and independent. Enforcers and regulators understand power. If your CECO is just a figurehead or junior lawyer buried in the law department, you are wasting your time. The position needs to be real.

    Second, the government is still missing an extremely important step. Guidance is helpful, but where are the cases? When we start seeing actual cases where the government did not give a program credit because the so-called CECO was a farce with no power, no independence, and no ability to investigate or get things done, then we will have much more ability to convince managers and boards that the government is serious.

    DOJ tells us in their guidance that training using actual examples is more effective. This is true for the government as well. Show us the cases. Give us real examples to use with management.

  3. Another interesting angle would be to survey global CECOs whether they have ever left a company due to lack of empowerment or other factors that’s too the guidelines…I know I have…

    • Essentially true. If CCOs are given the opportunity to guide, many organizations will run in line with established protocals.

      Qualified CCOs are in real sence Corporate Internal Auditors who need to work quite indepently, of corporate crooks whom the world has never been short of.

Comments are closed for this article!