Who reports to whom?

Pharmaceutical giant Pfizer recently paid a $2.3 billion fine, one of the largest settlements in US corporate history, partly for not responding to repeated requests by the government to do certain things in certain ways. Pfizer also aggravated the government by not setting up a compliance and ethics program properly. The Office of Inspector General (OIG) told Pfizer that, as part of its latest settlement, it could not have the compliance officer (CO) report to the general counsel (GC). The CO now has to report to the CEO.

According to a report published on www.law.com, OIG chief counsel Lewis Morris says the change aims to ‘eliminate conflicts of interest and prevent Pfizer’s in-house lawyers from reviewing or editing reports required by the agreement. Lawyers tell you whether you can do something, and compliance tells you whether you should. We think upper management should hear both arguments.’

I would have made the point a little differently: if the lawyers were telling the CEO whether he/she ‘can do something’, they obviously got it horribly wrong. For COs, it’s not a matter of can vs should. COs tell you what is legally appropriate and legally inappropriate, not whether you should or shouldn’t do something. My guess is that the lawyers were telling the Pfizer leadership what it wanted to hear, as opposed to what it needed to hear. COs don’t calculate the risk of getting caught, or discuss whether the regulation is fair. They ignore peer pressure – or at least, they are supposed to.

Most of all, COs should avoid conflicts of interest. They are not responsible for the profit ratios, product sales or public relations of the organization, nor for defending it. They state the facts and stand their ground. It’s not a matter of can or should: it’s a matter of follow the law, end of story.

Consensus of opinion
The OIG is not alone in thinking there is a problem with this reporting situation. Senator Charles Grassley once sent a letter to Tenet Healthcare stating: ‘It doesn’t take a pig farmer from Iowa to smell the stench of this conflict.’ He was referring to the GC managing the compliance program. The government eventually went after Tenet’s GC, and Tenet paid several multi-million-dollar fines.

Judges have weighed in on the issue through the US Sentencing Guidelines (USSGs), which dictate that if you have a compliance and ethics program, you should get a break. If you don’t, you should pay double or treble fines. The guidelines also say the compliance officer should be free of conflicts and able to operate independently. In the November 2004 amendment to Chapter 8 of the USSGs, the wording emphasized that the person responsible for the compliance and ethics program ‘must be given adequate resources, appropriate authority and direct access to the governing authority or an appropriate subgroup of the governing authority.’

The issues of effective reporting lines and compliance function independence are not just a concern for healthcare companies. If the government finds this to be a conflict of interest for one company, it could deem it a conflict of interest for you: independence of the compliance officer is a universal concept.

If you defy this idea and continue to have the CO reporting to the GC, you will have to explain a few things. Why did you ignore the USSGs? How can your CO be responsible for defending others from your organization, yet report to someone who defends your organization from others? Many organizations from many industries are already having the CO report to the CEO with a dotted line to the board.

In fact, some of the most experienced COs are refusing to accept job offers where they would have to report to the GC. They are concerned not just about the reporting relationship, but also about the implication that if the organization would do this, there may be more problems. They don’t think it works, and they don’t want to be there when the company finds out it doesn’t work. Keeping this reporting relationship could hurt your recruitment of an effective CO. 

Preaching to the converted
I recently attended a meeting of 470 compliance professionals from around the world. Between them, I estimate there were COs from about 30-40 different industries, from around a dozen countries. Because of the recent Pfizer settlement, the GC/CO reporting relationship issue was widely discussed.

Many of those present were asked if they reported to the GC, and many replied that they did – but few thought it was appropriate. Much of the discussion centered on their frustration over their lack of independence and how they could correct the problem. Many felt they could not approach the subject without angering people. The point is that the profession thinks it’s a bad idea, and those expecting compliance professionals to do their job will be taking this into consideration.

Cynics believe the reason many GCs insist on compliance reporting to them is to keep COs under their thumb. Some even believe CEOs want the CO to report to the GC to keep a lid on the CO; almost all investigators I have met believe it is done for this very reason. One technique I have seen investigators use is to interview employees until they find one who says, ‘I think they have the CO reporting to the GC to prevent the CO from doing his/her job.’ Investigators always seem to find one, and it makes them feel there is an attempt to cover up wrongdoing.

Dangerous position
What I don’t understand is why GCs want to expose themselves to this. It’s rare for GCs to be prosecuted by an investigator when they are doing their job defending their firm, but if the GC is managing the compliance and ethics program and can be shown to have blocked remedial action of a known problem, he/she becomes part of the problem; that is what happened at Tenet.

The greatest line I have ever heard related to this issue has been used by more than one investigator I know. He/she starts the initial investigation with two questions directed at a table full of the company’s key leaders. The investigator asks, ‘Who here is responsible for defending the company?’ The GC raises his/her hand. The investigator then asks, ‘Who here is responsible for defending others from this organization?’ The GC raises his/her hand again. It is then that the investigator’s mind is made up. Right or wrong, it’s happened before and it will happen again.

The bottom line is: why do you have the CO report to the GC? What is the advantage? And is that reason/advantage worth the potential negative consequences? Actually, the real bottom line is: do you want to have an effective compliance and ethics program? If so, you should not have the CO report to the GC, regardless of what the government or the investigators may tell you. Independence for the CO is key to the success of any compliance and ethics program.

A compliance officer without independence is like an auditor who is unable to audit, or a risk manager who can’t perform a risk assessment, or a lawyer who doesn’t know the law. It just makes no sense. 

Reprinted with the permission of the Society of Corporate Compliance and Ethics Social Network