Despite 20 years of SOX, many companies still fail to prioritize compliance programs until it’s too late. Maria D’Avanzo of Traliant makes the case that the law should be amended to address compliance programs specifically and the government should do more to motivate companies to support CCOs so they can help prevent misconduct before it happens.
During my tenure as the chief compliance officer of a global publicly traded company, I heard many people, including some in the C-suite, say that I had one of the hardest jobs in the company. Truer words have never been spoken. At ethics and compliance conferences, where my compliance colleagues and I always enjoyed chatting about our programs and engaging in informal benchmarking sessions, one thing became clear: Companies often don’t prioritize compliance unless forced to do so, usually as the result of a compliance failure or when required to do so by industry regulations.
I have heard of situations in which senior members of management tell the compliance officer that the program needs to be “bronze, rather than gold.” I have also heard high-ranking executives ask if the company really needs someone to hold the title of CCO, suggesting that the role isn’t on par with other members of senior leadership. Businesses that wonder why the company even has a compliance function don’t realize that a strong E&C program results in a strong reputation, which is good for business and serves as a competitive advantage in the marketplace.
AAG Polite recognizes CCOs’ challenges
Meanwhile, the Department of Justice expects the CCO to create a “well-designed corporate compliance program that is adequately resourced, empowered to function effectively and work in practice.” CCOs want the same things, while struggling to get the support they need to be successful in an environment where management expects the CCO to do more with less.
Assistant Attorney General Kenneth Polite Jr., head of the DOJ’s Criminal Division, acknowledged these challenges during a speech in May. During his career, Polite served as a prosecutor, defense attorney and CCO of a Fortune 500 company. He recognized that “perhaps the most challenging of those roles was as a compliance officer.” Polite quite rightly pointed out “the resource challenges that [CCOs] face … the challenges that [CCOs] have related to accessing data. The relationship challenges. Often, our compliance functions are labeled as cost centers not contributing to the bottom line of our organizations.”
To help CCOs combat these challenges, Polite asked his team to “consider requiring not just chief executive officers but also chief compliance officers to certify that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law.” He believes that such a requirement will help ensure “that chief compliance officers receive all relevant compliance-related information and can voice any concerns that [he/she] has prior to certification.”
While certifications by the CCO after a compliance failure can be helpful, the government needs to do more to motivate companies to support their compliance programs so that CCOs can help prevent misconduct before it happens.
Amend SOX to address compliance programs
The Sarbanes-Oxley Act (SOX) was enacted 20 years ago in response to a series of dishonorable and disabling accounting controversies involving companies like Enron and WorldCom. While SOX does contain some specific compliance-related provisions, such as a mandatory code of ethics for senior financial officers and whistleblower protections, its main themes are the prompt and accurate disclosure of a company’s financial condition and the prompt and complete disclosure of material changes to financial status and operations.
The effectiveness of compliance programs is not included among the other SOX requirements, and perhaps it should be. If my colleagues are right that companies won’t focus on compliance unless forced to do so, SOX should be amended to address compliance programs specifically. A handful of key provisions could be added to SOX to help CCOs overcome the challenges acknowledged by Polite and increase the likelihood that a corporation’s compliance program is effective before a compliance failure occurs.
Following the DOJ’s 2020 guidance, SOX could be amended to require the CEO, CFO and CCO to meet annually to review the compliance program and certify that (1) it is adequately designed for the entity; (2) it is properly resourced and empowered to function correctly; and (3) it is working in practice. The company’s external auditor should also be able to attest to the accuracy of management’s certifications regarding the compliance program. Failure to comply with these requirements should subject the company to significant fines.
If the government does that, you’ll see how fast companies elevate the importance of the compliance program and reap the reputational benefits.