If you were building a risk and compliance function in your business with a clean sheet of paper who should these professionals report to so as to protect your organisation effectively?

Risk and compliance functions have grown considerably in importance over the last 20 years or so. They are now here to stay for large regulated organisations. Regulation is a growing area and Risk and Compliance should work to manage the impact of regulations on your business and should fit logically within your organisation.

Some important regulations state that you need these roles to show proactive management of risk and compliance but don’t really give much assistance on how these functions should report. Even global reference points like the US Sentencing Commission Federal Sentencing Guidelines for Organisations remain silent about reporting line, leaving that to the organisations. They do state that specific individuals should be assigned and given responsibility for the compliance and ethics program, but we already know that.

Equally, more specific regulations in some jurisdictions are clear that these roles are needed but not prescriptive about how they should report within an organisation. So, for example, in the UK, for regulated financial services firms the Financial Conduct Authority prescribe the existence of certain roles within their Senior Managers and Certification Regime. The CRO (SMF4) and Compliance Oversight Function (SMF16) are clearly expected to be part of a regulated firm’s governance. Again, we already know that.

It is worth mentioning that large multinational organisations which have different businesses some of which are regulated by financial services regulators and others not, can be more complex to manage these issues in. Whilst it is right to say that there are no rules by sector, regulated firms can have different norms and expectations than unregulated firms. I will discuss this in another article later.

In practice there is very little that can be used in terms of a benchmark as organisations, even within the same sector, can differ in so many respects.

So, here are some ideas on how to address the issue:

  1. Wherever these functions report, there should be a clear intention to maintain their independence. This does tend to gravitate their reporting line towards legal or finance, which have their own rules of professional conduct that arguably lend themselves to maintaining that independence. The independence of these functions is a key fundament of the 3 lines of defence model which was first used[1] within banking but has been taken up since then in a wide number of businesses and sectors and works well if properly communicated. It is also respected by regulators, where properly implemented and run.
  2. Recognise that effective structures are often based on individuals and their specific experience, calibre, and ability to juggle a broad portfolio. Some roles grow in breadth over time as the incumbent accumulates responsibilities. This leads helpfully to a third reference point.
  3. Perhaps the most important consideration in my experience is the individuals running these functions and their EQ. I have heard many forceful arguments within our professional community about why risk and compliance should report to the CEO, the GC or the CFO. Sometimes, given the context, these arguments make sense and at other times they are perhaps about the ego of the professionals involved – everyone wants to report to the CEO.

[1] First referenced by the Basel Committee on Banking Supervision in its 2011 Principles for the sound management of operational risk https://www.bis.org/publ/bcbs195.pdf


What’s most important is that these individuals are self-aware and high EQ. This will enable them to establish trust amongst their key stakeholders and to enrol and influence people to manage risk and compliance effectively whilst at the same time propelling the organisation (rather than hindering it). Finding the right person who can manage a broad portfolio, manage stakeholders effectively, is credible with the Board, and remain independent, is the best way to ensure ‘best practice’.

Does reporting line therefore really matter? Ultimately success in these roles is about demonstrable independence, trust and stakeholder management. Any regulator will want to see risk and compliance being properly overseen by an impartial second line with an active first line owning and managing the risks whilst referring to the second line from time to time to provide guidance. They will also want to see a CRO and CCO who can act on first name terms with the C Suite and feel confident about creating certainty where there is uncertainty. Surely success is not about reporting line but how the organisation carries risk and compliance.



Tim Langton is a respected risk, ethics and compliance professional with long experience of building, running and leading these functions – and complex change programmes – in major global businesses including Reuters, BOC, BP and most recently at Centrica plc. Tim has  managed disclosures and notifications to numerous global regulators and has on-boarded and facilitated the work programmes of monitors appointed by various U.S. Government Departments. Tim qualified as a Barrister in 1991 and as a Solicitor in 1998.

Tim Langton                   tim.langton@btinternet.com


Stonehaven is a privately owned, independent executive search firm with a global reach. We are driven by long-term partnerships with clients and work with a broad range of clients, dating back to the establishment of the firm in 2008.

We are a business partner with the expertise to shape opinion, the judgement to create perspective and the confidence to challenge thinking at every level. Our senior team provides genuine value through research, insight and market knowledge. Our partnering approach brings a genuinely different and personal touch, ensuring accountability and successful outcomes.

Stonehaven contacts:

Julian Ortner, Partner, Head of London                                     jortner@stonehaveninternational.com

Judith Osborne, Partner                                                              josborne@stonehaveninternational.com

[1] First referenced by the Basel Committee on Banking Supervision in its 2011 Principles for the sound management of operational risk https://www.bis.org/publ/bcbs195.pd