The relationship between legal and compliance departments has always been complicated. Now, with fresh evidence that reporting structures significantly impact compliance officer effectiveness and well-being, law professor and compliance officer Joseph Burke explores why it’s time for organizations to finally embrace CCO independence.
Ever since the issuance of the US Sentencing Guidelines in the mid-1980s, there has been debate in the legal and compliance communities about how the compliance department should be managed and, more specifically, where it should report. Traditional legal leadership has most often preferred that compliance report to the general counsel, or elsewhere within the legal department, while compliance specialists have argued for a more independent structure with the compliance leader reporting directly to the CEO of the company, or failing that, the board of directors.
Official guidance on this question of where the chief compliance officer (CCO) reports derives from, among other things, a 2020 risk alert from the Treasury Department’s Office of Compliance Inspections and Examinations (OCIE), which held that under the Investment Advisers Act of 1940, “the Compliance Rule requires … [that the] CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for the firm. And a CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.”
Peter Driscoll, then the director of the OCIE, shared his perspective on this in a November 2020 speech at the National Investment Adviser/Investment Company Compliance Outreach 2020: “Empowerment, seniority and authority. These three words matter,” Driscoll said. “We notice on exams when firms hire someone for the role to check the box but do not support or empower them. … We notice when a firm positions a CCO too low in the organization to make meaningful change and have a substantive impact, such as a mid-level officer or placed under the CFO function.”
More specifically, Driscoll emphasized that “[I]n terms of authority, I am often asked who the CCO should report to in an organization. Is it to the CEO, the COO, the general counsel or directly to a board if one exists? There is no easy answer to this. It depends on the size of the organization, the leadership structure, the experience of the CCO and the compliance culture. … I do believe that, at a minimum, a CCO should have a direct line of reporting to senior management, if not be part of senior management.”
The current state of compliance leadership
According to 2024 research by recruiting firm BarkerGilmore, 53% of public company CCOs reported to the GC/managing counsel and 30% reported to the CEO, with the remaining 7% reporting elsewhere, including 1% to the board. In private companies, there was a more even split, with 43% reporting to the GC and 43% to the CEO.
The impact of these reporting structures is significant. CCI’s upcoming 2025 survey reveals that compliance officers reporting to legal departments show the highest dissatisfaction rates, with 27% rating that structure as ineffective — more than double the rate for any other reporting arrangement. In contrast, those reporting to the CEO/president or board rate their structures as most effective.
These results may be in part due to a continuing preference for general counsel to “manage” compliance despite fundamental differences between the compliance and legal functions. And this new data may not be all that surprising in light of a 2010 debate on this topic illustrated brilliantly by a series of exchanges between Ben W. Heineman Jr., former general counsel for GE, and Donna Boehme, principal of Compliance Strategists and an internationally recognized authority in the field of organizational compliance and ethics.
In a December 2010 essay titled “Don’t Divorce the GC and Compliance Officer,” Heineman presented a vision of a strong, broad-ranging GC who could manage both the legal and compliance functions without creating organizational overlap. In his view, compliance was really only a process management function and not a matter that required judgment or reasoning. His model required a strong GC who operated as a virtual “statesman” for the company, relying on years of experience and a deep and trusted relationship with the CEO to provide all compliance advice, when required, to the board and the CEO with an air of gravitas and a statesman’s influence. This model may have described his own personal experience at GE, but outside a small handful of very large companies, the model simply did not (and does not today) reflect the practical reality of general counsel leaders.
A fundamental divide?
In today’s changing corporate environment, and particularly with the rapid movement of executives in private equity-owned companies, the ability of any legal leader to develop the characteristics of Heineman’s “lawyer-statesman” is more the exception than the rule. And while many executives (including CFOs, GCs and others) cover more than a single discipline, Heineman’s model failed to explain how the lawyer-statesman would develop the expertise necessary to advise senior management on compliance practice and issues. He simply implied that it was the natural ability of the seasoned “statesman” that would enable them to serve this function — despite the various non-legal elements required for successful compliance programming and without addressing how such advice might be affected by legal privilege, potential conflicts of interest and other concerns.
In response, Boehme, in an open letter titled “The real happy marriage; between the GC and compliance officer” on May 2, 2012, acknowledged Heineman’s recognition in a subsequent article that the CCO is, in fact, a full-time role that cannot be filled by merely tacking on an extra title to the GC.
“That said,” she continued, “the rest of your position — that the CCO is merely a ‘process integrator’ and that the CCO must report to the GC as a legal ‘lieutenant’ — tells me that you do not fully understand the modern CCO role and the thriving, multifaceted compliance and ethics profession. On a Venn diagram, Compliance would not be a subset of Legal, but instead would touch a piece of Legal, a piece of HR, a piece of Audit, and would have significant interfaces with many other functions of the organization — and, of course, deep connection into the business operations. …[C]ompliance is far from a legal function. In fact, it is more of a management and control function that impacts and requires the engagement and support of all other functions and businesses. Most of the skills and competencies that are the mainstay of a high-performing compliance function have nothing to do with legal.”
Why dwell on a debate that began 14 years ago? The answer is that while Heineman subsequently softened his opposition to CCO independence, he did not completely abandon his “lawyer-statesman” approach, and as we have seen year after year in surveys, the lack of public discussion on this issue has not improved the CCO’s position. To the extent that the original debate focused on the capabilities or authority of the GC, or the GC’s relative ability to influence the CEO, it missed the central point: Legal and compliance functions are so different in both structure and intent that it is quite possible that they will frequently be in conflict, even if a true conflict of interest may not exist.
CCI’s research demonstrates the tangible benefits of effective reporting structures: 72% of compliance officers with effective reporting structures report high job satisfaction, compared to only 40% of those with ineffective structures. The differences extend to stress levels and mental health impacts as well, with those in effective reporting structures reporting significantly lower job-related stress.
Compliance & legal aren’t identical
As Boehme and others have pointed out, the role of the CCO is not a purely legal role. The CCO is charged with building and developing non-legal compliance tools and programs, such as the anti-corruption program, the trade compliance program and the anti-money laundering program, all of which rely on business controls, auditing, periodic and regular training and periodic risk assessment. The CCO must develop tracking tools to report on compliance risk and trends, internal company audit trends and results and internal compliance with company controls. CCOs must also focus on building relationships with the regulators who are most important to the success of the business. Traditionally, legal departments do not build the compliance tools, processes and relationships that have today become commonplace elements of an effective compliance program but rather provide the legal analysis and advice germane to the legal function generally.
The general counsel could, of course, develop this area of compliance-building expertise, but why would the organization ask its legal leader to do so? In addition to the distraction from the core legal defense function that this would pose for the GC, the objectives of the compliance audit function’s investigation process and procedures, to take one example, are likely to conflict with the legal team’s more defensive-minded approach.
When this conflict arises, does it make sense to simply defer to the lawyer-statesman to resolve it? Should not the senior management team, including especially the CEO, hear out both sides in this debate? And if this conflict seems not sufficiently serious for CEO consideration, consider the debate over a CCO’s proposal to initiate self-disclosure of a sensitive area of potential compliance exposure when the GC prefers that the company keep silent and take a posture of avoiding disclosure until more evidence is gathered, or perhaps until the entire matter blows over.
This question becomes even more important when one considers the areas where Boehme’s Venn diagram overlaps with departments other than legal. There should be no argument about who determines what law applies to the company, how that law should be interpreted and how the company should defend itself legally when challenged. However, when it comes to building compliance practices and reporting to senior leadership on judgment calls even when (or especially when) those judgment calls might directly contradict the legal department’s objectives for legal defense, it simply does not make sense for the company to defer the entire question to the GC alone.
The case for independence
Stephanie Gallagher laid it out in this way a decade ago: “If a CCO must make difficult and impartial decisions, it is problematic to burden the process with layers of middle management, thus creating a situation where a conflict may be perceived. It is of utmost importance that a CCO avoid any real or perceived vested interest in the outcome of an investigation. … If the CCO reports to the individual or group that is being investigated, there is a potential interest in the outcome. The interest, whether real or perceived, may be reason enough to call the CCO’s credibility into doubt.”
In fact, the only instance where a single executive is called upon to be the sole decision-maker on such issues is when the senior team does not reach consensus and must rely upon the CEO to do so. In that instance, the CEO wears the hat of the true “chief compliance officer” with ultimate authority to make the decision for the company where consensus is not reached in debate.
Radical Compliance editor Matt Kelly said in 2022, “[t]he ideal, of course, would be a compliance function independent of legal, where the chief compliance officer reports directly to the CEO and briefs the board regularly on matters of ethics and compliance.”
Still, the legacy of the lawyer-statesman lives on. The most challenging aspect of this slow march toward CCO independence is the impact it has on the CEO themselves. In effect, the intercession of the managing GC deprives the CEO of the most direct advice they can get from their chosen compliance expert on a compliance issue. In that context, the CEO’s question should be “who is in the best position to give voice to the compliance imperative based on the company’s principles, mission and vision in the context of established regulatory guidance?”
Should we expect the GC to provide a balanced view of both the legal/defensive posture and a potentially contradictory regulatory objective, particularly where there are reasonable and quantifiable differences in the legal and the compliance approaches? Is it rational to leave the CCO out of this discussion? This question, frankly, cannot be answered by the GC. That responsibility belongs to the CEO alone.
If the CEO has assessed the talent at the senior level and decided that it is the lawyer-statesman whom they trust above all others on issues of compliance despite the presence of a compliance expert on staff, so be it. If, on the other hand, the CEO has not themselves assessed the compliance expert’s advice, and instead simply relies on their trusted lawyer-statesman to cover both sides of a potential issue, their decision may come at some significant risk for the company.