There is little formal guidance concerning the choice of a compliance officer. The Federal Sentencing Guidelines Manual states that “high-level personnel” should have overall responsibility for the compliance program, but makes no recommendations about what positions may appropriately be combined with the compliance officer role.
The Office of Inspector General, in its Compliance Program Guidance for Home Health Agencies, states, “Designating a compliance officer with the appropriate authority is critical to the success of the program, necessitating the appointment of a high-level official in the home health agency with direct access to the home health agency’s president or CEO, governing body, all other senior management and legal counsel.” Almost identical language appears in OIG Compliance Program Guidance documents for other kinds of health care providers. In a footnote (which also appears in other CPG documents), the OIG states:
The OIG believes that it is not advisable for the compliance function to be subordinate to the home health agency’s general counsel, or comptroller or similar home health agency financial officer.
Free-standing compliance functions help to ensure independent and objective legal reviews and financial analyses of the institution’s compliance efforts and activities. By separating the compliance function from the key management positions of general counsel or chief financial officer (where the size and structure of the home health agency make this a feasible option), a system of checks and balances is established to more effectively achieve the goals of the compliance program.
The OIG adds, “When a compliance officer has other duties, the other duties should not be in conflict with the compliance goals... e.g., companies should not choose a sales manager who may be pressured to achieve high sales, which might result in a conflict with compliance goals.”
The CEO has the advantages of freedom of action and full access to company records and personnel, and has the authority to require conformity with compliance policies. However, there are at least two substantial arguments against assigning the compliance officer role to the CEO. The first is simply that the CEO may not be able to commit sufficient time to the role to be an effective compliance officer. The provider may not necessarily need a full-time compliance officer. However, it does need someone who can spend a large part of his or her time on compliance and, equally important, who can give compliance matters precedence over his or her other responsibilities when necessary. The CEO cannot have compliance at the top of his or her priority list all the time.
The more important reason why the roles of CEO and compliance officer should not be combined is that there are inherent conflicts between the two roles. The compliance officer is required to be independent and objective, acting in some ways as an outsider with respect to the company. The CEO, as the insider who oversees the activities of all of the other insiders, is unsuited for this role. The CEO is responsible for the financial performance of the company, and in that respect is somewhat like the sales manager mentioned in the OIG compliance guidance. Vigorous compliance enforcement may have a negative effect on financial performance in the short term. It may also reveal problems of which the CEO should have been aware. Any compliance issue that comes to light involving activities that took place on the CEO’s watch may call the CEO’s performance into question. The compliance officer may be required to report to the board that the CEO has failed to exercise adequate oversight of his or her subordinates, or even that the CEO has been complicit in improper activities. It is not realistic to expect the CEO to be objective in investigating and reporting on his or her own performance.
If the CEO is also a significant shareholder in the company, discovery and disclosure of compliance problems may have a direct negative impact on his or her financial status.
Finally, when a compliance issue is discovered, the CEO is usually the one who decides how the company will respond. Especially if the issue is not black-and-white, this responsibility often requires a balancing of legal and business risks that is foreign to the role of the compliance officer. A CEO who is also a compliance officer would have to ignore other business considerations while investigating potential issues, but would have to take those issues into account in making a decision about responding.