Let’s be clear. There’s nothing wrong or inappropriate about a chief compliance officer-to-CEO reporting relationship. That’s the way it was originally drawn up on the white board post-Sarbanes.

Indeed, it’s a relationship that can offer many benefits to the CCO, CEO, and the company’s culture of compliance.

But it’s not a one-size-fits all standard. Not in this age of complicated corporate portfolios, broad-based organizational hierarchies and complex compliance and risk profiles.

Coordination of the company’s compliance and other risks may require the CCO to have multiple reporting relationships, to the CEO and board, its audit committee, and the chief legal officer.

Of course, CEOs must have a reporting connection with the CCO. It’s essential for CEOs to be aware of the compliance risks of the organization if they’re to maintain the requisite tone at the top.

But the CEO has lots of direct reports with whom to engage. It’s time-consuming and sometimes not as in-depth and personal as anyone would prefer. And the CEO is unlikely to readily understand the legal implications and significance of particular compliance risks.

So, supplemental reporting relationships can make sense. This is even more so following the Delaware Chancery Court’s decision last March in the McDonald’s Corporation shareholder derivative litigation that corporate officers have fiduciary responsibilities for compliance oversight.

It’s also important given the broadening scope of the Department of Justice’s corporate compliance initiatives.

But these supplemental relationships must be consistent with the CCO’s senior status in the organization and should not serve to diminish the resources available to, or prominence of, the organization’s compliance program.

For example, a reporting relationship with the chief operating officer might be an alternative in some organizations, where the CEO confronts multiple, significant demands on her time.

The reliability of such a reporting relationship is typically dependent upon the CCO having parallel, unrestricted access to the CEO, and an internal compliance department that occupies a senior level in the corporate hierarchy.

Some form of reporting relationship to the board of directors is critical. The Delaware Courts have made clear that the board’s Caremark obligation to exercise oversight of the compliance risks of the organization is an enduring fiduciary theme.

If the board, or its audit/compliance committee, is to have an effective compliance information system, it’ll benefit from a supplemental reporting relationship with the CCO.

But a supplemental CCO reporting relationship to the CLO may make the most sense, given the vital role of the CLO in advising the organization on technical legal risks, as well as its role as “wise counselor” to management.

This is particularly the case with large companies, that rely on the CLO to coordinate the various organizational functions involved with enterprise risk. 

Indeed, a CCO-to-CLO reporting relationship is becoming increasingly popular.

According to the 2023 Chief Legal Officer Survey from the Association of Corporate Counsel, nearly 80% of responding chief legal officers indicate that they exercise oversight of compliance (in which the CCO reports to the CLO). Yet even in many of those arrangements, the CCO retains some form of parallel reporting relationship to the CEO.

The CCO’s internal reporting relationships will always count – not only to the organization itself, but also to the government when evaluating compliance program effectiveness. But the structure of that relationship needs to evolve with the nature of the company’s business.

And while it’s always important that the CCO have direct access to the CEO, it is increasingly important that its reporting relationship be flexible enough to accommodate other vital organizational interests as well.

The old ways of a siloed CCO and compliance department, operating without coordination/communication with other organizational departments and executives, worked well in the aftermath of Sarbanes. But they don’t work well now.