Risks, internal audit, compliance: together or separately and where to place them?

Although the internal audit function and corporate risk management have been present for some time in organizations of a certain size, this question becomes relevant when deciding to incorporate the compliance function into the organizational chart. The reason lies in the dilemma presented by the possible creation of a management position (usually at the C-Level) to lead this new function, and the principle of independence required for it (and for internal audit). The decisions made in this regard can conflict, so it is necessary to seek a balance and guarantee the overriding objective: improving the organization’s control environment through a comprehensive management of corporate risks (including compliance).

To provide some context, let’s address the background and more general characteristics of each function, viewed individually (stand-alone).

  • Internal audit:

This is perhaps the most consolidated area (along with risk management) in organizations. Its role was strengthened by the provisions of the Sarbanes-Oxley Act (SOX) in 2002 (United States), which gradually expanded throughout Latin America and worldwide. In its most basic concept, internal audit is responsible for overseeing the organization’s internal processes, enabling the identification of risks, the development of improvement plans, and business assurance. Typically, this function is located within organizational structures in two ways: one with a single report to the general manager or CEO (a practice not recommended as it diminishes its independence) and another with a direct functional report to the board of directors or the board committee established for this purpose and an administrative report to the general manager (a best practice as it ensures the role’s independence).

  • Corporate risk management:

This function has also existed in organizations for some time, and its main focus is identifying, assessing, and managing risks within the organization. Typically, companies have assigned this function to the finance department, among other reasons because of its knowledge of numerical prioritization and quantification methodologies, but also for strategic reasons related to the definition of corporate risk provided by the Institute of Internal Auditors (IIA): “The possibility of an event occurring that could affect the achievement of the organization’s objectives…”. In this regard, it is important to note that a significant percentage of an organization’s objectives are financial in nature. Furthermore, when a risk materializes, its effect can reach the organization’s financial indicators such as revenue, EBITDA, net profit, cash flow, etc.

  • Compliance:

Although more recent in corporate organizational charts, it has become so important that it is rare to find organizations of a certain size without this area in their organizational structure. Its expansion in Latin America has occurred as a result of provisions originating in the 1970s, such as the Foreign Corrupt Practices Act (FCPA) (United States), and of the national provisions that have emerged in different countries. As with (internal) audit, the best practice is a direct functional report to the board of directors or the board committee established for this purpose, together with an administrative report to the general manager, since this ensures the independence of the role. In fact, this structure facilitates the work of compliance officers (COs), provides them with better tools, and is linked to the level of stress the role can generate in them (Half of Compliance Officers Have Anxiety; Their Org Chart Might Be the Culprit – 2025, Corporate Compliance Insights).

The following table summarizes the most common scenarios (combinations) regarding the decision to merge these functions (shown in orange) in an organizational design for a medium-to-large organization, based on the C-level positions typically established in almost all organizations: Finance (CFO) and Legal (CLO), shown in blue.

NOTES:

  1. BoD: Board of Directors, CEO: Chief Executive Officer, CAE: Chief Audit Executive, CFO: Chief Financial Officer, CLO: Chief Legal Officer, CCO: Chief Compliance Officer, Risk: Risk function (not Officer), Compliance: Compliance function (not Officer).
  2. Reference is made only to the characteristics most relevant to the topic under discussion and does not include others that should also be considered in the organizational design in each case, including: size of the organization, level of exposure to compliance risk, jurisdiction where operations are located, and specific regulatory requirements.

As can be seen, scenario 3, although it creates a CCO reporting to the CEO, ensures that the compliance function develops with greater independence and focus without affecting the audit function. It is highly recommended that the organizational design include the creation of a committee that allows these functions to coordinate and align.

It is important to note that having this CCO report to the CEO does not necessarily imply that the position must be at C-Level. It can initially be established as a lower-level position and adjusted over time based on the maturity of the function and other criteria such as the size of the organization or growth of operations, the level of exposure to compliance risk, the jurisdiction(s) where the operations are located, and specific regulatory requirements. Another aspect to consider is that these functions should not be viewed as a “cost” but rather as “insurance” for the organization. By strengthening corporate assurance, this “triad” often prevents risks from materializing. When it fails to do so, it prevents the impact from becoming greater by shielding the organization and mitigating the effects, whether reputational (limiting the scope of legal issues in trials) or financial, with figures that far exceed the investments made to strengthen the organization as a whole.

How can we support you?

Our experts in risk management and organizational design can assist you in diagnosing your organizational structure and recommending implementations that ensure compliance with the organizational strategy and objectives, guarantee a control environment aligned with the organization’s needs, and at the same time maintain a balanced economic environment. Our consulting services include:

  1. Understanding the need
  2. Benchmarking with other organizations in the same industry
  3. Conceptual and detailed design of the solution
  4. Review and adjustment of related processes or policies
  5. Other activities according to the specific needs of each of our clients.
