When Your Company Should Have a Chief Compliance Officer
November/December 2003
by Randy Myers
As a heavily regulated global insurance and reinsurance company, Bermuda-based ACE Ltd. has employees around the world who are expected to make sure it complies with insurance regulations that vary from country to country and, within the U.S., from state to state. ACE uses internal and external auditors to vet the accuracy of its financial statements; in-house attorneys at headquarters and various subsidiaries provide ongoing legal advice; and in keeping with governance reforms in the U.S., the CEO and CFO now personally certify the financial statements’ accuracy.
ACE clearly doesn’t think this goes far enough. In March the company yanked Robert Blee out of his job as chief accounting officer, in which he was responsible for corporate accounting policy and all corporate financial reporting, and gave him the newly created title of chief compliance officer. This top-cop job means he has to ensure that ACE meets all the new governance standards—with particular emphasis on the mandates handed down by the Securities and Exchange Commission under the Sarbanes-Oxley Act of 2002.
No law or regulation requires a publicly traded company to employ a chief compliance officer, and many do not. But the idea is slowly gaining currency among companies eager to distance themselves from the accounting scandals that have rocked investor confidence in the capital markets. The procession of those that have added the title in the past 12 months includes Bristol-Myers Squibb, Cinergy Corp., CMS Energy, Cooper Industries, Eli Lilly & Co., and Buck Consultants.
SEC commissioner Cynthia Glassman has argued that companies should consider designating what she calls corporate responsibility officers. Speaking at California State University earlier this year, Glassman said that with “adequate resources and unfettered access to senior management and the audit committee, a corporate responsibility officer would signal the company’s commitment to complying with both the letter and the spirit of the highest corporate governance standards.”
A commitment by a company’s board and top management is crucial if the compliance officer is to do his or her job (for more, see the box on page 62). ACE vice chairman Donald Kramer says that after management recommended it, the idea was an easy sell to the company’s 15-member board. “We try really hard to follow what we think are best reporting practices,” he says. “As a multinational company operating across many borders, compliance can sometimes be a daunting challenge, especially where you have conflicting laws. We’re working very hard to harmonize that, and in creating this position I think the board was recognizing that we needed to formalize this activity a little more.”
Some companies, especially those in heavily regulated industries such as banking, brokerage, and government contracting, have long had compliance officers on staff to ensure that they conform to government regulations specific to their business. Health-care providers and makers of pharmaceuticals and medical devices, which are regulated by the U.S. Food and Drug Administration, also fall into this category. In other cases companies have hired compliance officers in response to events unique to them: Microsoft appointed two compliance officers to, as a press release explained it, “enhance the company’s ability to comply with a wide range of federal, state, and legal obligations, including the proposed antitrust consent decree with the U.S. Department of Justice and nine states.” PNC Financial Services hired a chief compliance officer in September of last year, after the SEC and the Office of the Comptroller of the Currency criticized the bank’s 2001 cost accounting. But today’s chief compliance officers are being hired to fill a broader role. This includes ensuring compliance not only with Sarbanes-Oxley but also with other pending reforms, such as the director-independence guidelines issued earlier this year by the New York Stock Exchange and awaiting approval by the SEC.
Not all companies can afford to hire a qualified corporate compliance officer, concedes attorney Samuel J. Winer, head of the SEC enforcement defense practice at Foley & Lardner in Washington, D.C. Nor do all of them need one. “If you run a fairly simple company and full disclosure for you is that you sell 20 widgets, charge $10 a widget, and recognize revenue when you ship, it may not warrant having a compliance officer,” he says. Evelyn Cruz Sroufe, a partner with the law firm of Perkins Coie in Seattle, adds that a chief compliance officer may be superfluous at “companies that already have a well-functioning general counsel’s office or corporate secretary’s office, or some other function within the company that is meeting governance requirements and doing a good job of making sure the company is in compliance with the applicable rules and regulations.” But, warns Winer, the more complex an outfit’s structure and the more numerous the judgments that have to be made about its public disclosures—in other words, the more opportunity it has to run afoul of the law—the more compelling the argument for filling the position becomes.
Even a company that already has a number of people devoted to different pieces of the compliance puzzle, with strong legal and financial functions, can benefit from assigning one person to the role of top cop. “When a person in that situation says they don’t see the need for a chief compliance officer, what they’re really saying is that the costs outweigh the benefits because they’re getting sufficient coverage from other functions,” Winer says. “If I could demonstrate, which I think I could at many companies, that costs would not be significantly greater because you would be investing this officer with functions previously served by others, freeing them to do their jobs better, I think I can change the equation.” Winer adds that by having a chief compliance officer whose sole obligation is to ensure compliance, and who isn’t part of the group that has to demonstrate it has complied, a company avoids a potential conflict of interest. In that situation, “the chief compliance officer is not doing the act required by the rules or regulations,” he says, “so I think he or she brings a little more clarity and less bias to the function.”
That largely describes the compliance model at pharmaceuticals maker Lilly, which late last year tapped Lori Queisser, then the company’s general auditor, to fill the newly created post of vice president and chief compliance officer. She oversees the company’s new general auditor and its chief accounting officer, plus the activities of numerous other compliance personnel in areas like manufacturing-quality assurance and control, promotional practices, and corporate audit and consulting. “I am not accountable for substantive compliance; that’s a line management responsibility,” Queisser says. “What I’m accountable for is ensuring we have good compliance programs.”
Appointing a chief compliance officer is, of course, no assurance that a company won’t get lost among the ever-multiplying rules and regulations that govern business activity in the 21st century—just as Enron Corp.’s code of ethics failed to make Enron ethical. But it might help. For large companies with complex operating structures, it could be viewed as cheap insurance. More important, if done right, it can send a message to investors that a company is serious about meeting its governance responsibilities.


