The compliance officer is responsible for outcomes they do not have the authority to produce.
The compliance officer's mandate is clear in its ambition and genuinely difficult in its execution. Design the compliance programme. Manage the risks. Train the organisation. Monitor the controls. Report to governance. Ensure that the organisation operates within the boundaries of its legal obligations and ethical commitments. Drive the culture that makes all of this sustainable over time.
The authority to do these things is a different matter. In most organisations, the compliance officer does not have the authority to compel a business unit to change a practice they have identified as risky. They cannot require a commercial team to slow down a transaction that raises concerns. They cannot force a senior executive to disclose a conflict of interest or impose a management measure on someone whose seniority exceeds their own. They can advise, recommend, escalate, and document. The decision belongs to someone else.
This is not a design flaw in the role. It reflects a genuine tension in what the compliance function is trying to do: operate as a check on executive authority within an organisational structure that is fundamentally built around executive authority. The tension is unavoidable. But its consequences — for the compliance officer's effectiveness, for the programme's outcomes, and for the organisation's exposure — depend almost entirely on how the tension is acknowledged and managed, both by the compliance function and by the governance structures that surround it.
Formal position, reporting line, and mandate are the floor. Credibility is the ceiling.
The formal elements of the compliance officer's position — their title, their place in the organisational hierarchy, their reporting line, the scope of their mandate as defined in the compliance function's charter — establish the minimum conditions for effectiveness. An organisation that places the compliance function below the business units it is supposed to oversee independently, or that gives the compliance officer a reporting line that runs exclusively through the very executives whose decisions they are meant to assess, has not created the structural conditions for the compliance function to operate independently.
The independent reporting line — direct access to the board or to the audit committee, bypassing executive management — is the single most important structural enabler of compliance function independence. Without it, the compliance officer's ability to bring difficult information to the governance level, unfiltered by the management layer that may have an interest in that information not reaching the board, is dependent on their personal relationship with board members rather than on a structural guarantee. That dependence is a fragility that enforcement history has repeatedly exposed.
But formal position and reporting line establish a floor. The practical authority that the compliance officer exercises in the organisation — the extent to which business leaders take compliance concerns seriously, adapt their decisions in response to compliance input, and treat the compliance function as a genuine partner rather than a procedural obstacle — is determined by credibility. Credibility is earned, not assigned. It is built through the quality of judgment the compliance officer demonstrates, the accuracy of their risk assessments, the usefulness of their advice in situations the business actually faces, and the consistency of their behaviour under commercial pressure.
The most revealing diagnostic question for a compliance officer assessing their own practical authority is this: when a business leader faces a difficult decision with compliance implications and has a choice between consulting the compliance function and proceeding without doing so, which do they choose — and why? If the honest answer involves 'because compliance slows things down' or 'because their advice is always no,' the compliance function has an influence problem that its formal mandate cannot resolve. If the honest answer involves 'because their input makes the decision better,' the function has earned the authority its mandate describes.
Influence is sufficient most of the time. Escalation is necessary sometimes. Clarity about when is essential always.
A compliance function that operates exclusively through influence — that never escalates, never formally records a disagreement, never uses the governance structures available to it to bring an unresolved concern to a higher level — has not built a compliance programme. It has built an advisory service whose recommendations are accepted when convenient and set aside when not. The compliance officer who wants to be liked by the business more than they want the programme to function has confused the means for the end.
Knowing when to escalate — when to move from influence and recommendation to formal recording, board notification, or explicit disagreement with an executive decision — is one of the most consequential judgment calls in the role. Too early, and the escalation mechanism loses its force through overuse; the compliance officer becomes the person who cries wolf, and governance bodies become accustomed to filtering their communications. Too late, and the escalation arrives after the damage has been done, and the question becomes why the concern was not raised sooner.
The principle that should govern this judgment is clear even if its application requires case-by-case calibration: escalate when the risk is material, when the concern has been raised through ordinary channels without adequate response, and when the documentation of the escalation is necessary to establish that the compliance function fulfilled its obligation regardless of the outcome. Escalation is not a failure of the relationship with the business. It is the exercise of a function that the governance structure exists to enable.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. Organisations seeking specific guidance should consult qualified counsel in the relevant jurisdiction.