In this post-meltdown climate, the regulatory environment raises questions about the compliance function in large, publicly traded corporations. What is it? What purpose does and should it serve? How does the compliance function differ from, or overlap with, the legal, ethics, or risk management functions? And who should oversee compliance? Although some exists, more empirical research should be done on what function a compliance department serves, where compliance is currently housed in large, publicly traded corporations and, more importantly, why corporations have located the compliance function within or outside the legal department. Further, no other study to date entails qualitative research with United States general counsels, chief compliance officers and other non-lawyer senior management on these issues. The purpose of this project is to explore the following questions: (i) What is compliance? What is the major purpose of a compliance department, and what areas does it cover? (ii) How is it managed and where is it currently housed in large, publicly traded corporations? and (iii) What are the risks and benefits of having the compliance function separated from the legal department and run by non-lawyers (or non-practicing lawyers) that report to the CEO and/or board of directors? To investigate these questions, I (i) talked briefly with forty general counsels of S&P 500 corporations in the banking, pharmaceutical, and petroleum industries about compliance within their organization; and (ii) conducted thirty in-depth qualitative interviews with general counsels and chief compliance officers of large, publicly traded corporations across a variety of industries.
The research analysis will lead to a series of articles. The first article, Transitioning Corporate Governance to Compliance, will take the position that a transition in corporate governance has occurred over the past 20 years. What might have been thought of 20 years ago as the basic corporate governance function is now being ceded to compliance departments in large publicly traded organizations. This article will give an overview of the role the compliance function serves at some large, publicly traded corporations. Through the voices of the Compliance Study interviewees, it will analyze and present a typology of roles that compliance officers may play and recommend which role is the ideal one.
The second article, The Government’s Unofficial Stance on Compliance Departments: To Comply or Not to Comply?, will analyze the question of whether compliance should be separated from the legal department. To that end, it will explore the risks and benefits of such a structure and the limitations that exist when the compliance function is led by the general counsel.
1. Beyond Benchmarking: How Should Law and Corporate Compliance Intersect?
MICHELE DESTEFANO
FOUNDER, LAWWITHOUTWALLS
Associate Professor of Law, MiamiLaw
Program on the Legal Profession
13 November 2012
3. Despite the current freeze on legal expenditure, corporations are having to invest HEAVILY in compliance ...
11/14/2012 DeStefano 4
4. . . . in managing the legal risk of business
5. Questions? Questions? Questions?
• Where does legal end and compliance start?
• How Is Compliance Managed and by Whom?
• Who Should be Responsible for Compliance?
• And What about Ethics and Corporate Culture?
6. In large publicly traded corporations, *historically* the compliance department was part of the legal department ... overseen or even run by the chief legal officer ...
8. Many corporate practices and mandates put compliance in the hands of lawyers . . .
9. Practice/Mandates/Guidelines
• ABA Task Force on Corporate Responsibility recommended that general counsels oversee compliance (with direct oversight by the Board)
• 46% of ACCA survey respondents claim that Compliance was ultimately overseen by the GC or the GC serves as the CCO
• MR 1.13 and SOX §307 put the GC in the role of whistle blower/gatekeeper
11. Although the government (e.g., OIG of the SEC and the DHHS) does not *require* that corporations separate the compliance and legal functions ...
12. ... their unofficial stance is that they *should*
13. Indeed, the SEC and the DHHS have forced corporations that have misbehaved to do just that ...
14. To develop distinct Compliance Departments and designate a Chief Compliance Officer *that does NOT report to the GC/CLO* and that has direct access to the Board
15. Consider the following four examples
17. In its Corporate Integrity Agreement (CIA), Schering-Plough had to pay $293M, establish a hotline, revise corporate conduct code/training and designate a CCO to report directly to the CEO or President *and NOT the GC* with direct access to the Board
19. In settlement, Quest agreed to pay $250M, and create a CCO position that would *report directly* to the CEO with direct access to the Board
20. 2009 – Illegal Promotion of Drug Uses
21. Pfizer paid $2.3 BILLION, pleaded guilty to a felony criminal violation, and signed a 5-year CIA mandating that it create a hotline, heighten training, and designate a CCO that would not be subordinate to the GC/CLO and would have direct access to the Board
23. To appease, the SEC created a “real” and singular compliance department with oversight by one designated CCO
24. In sum, the reaction by the DHHS and SEC has been to
25. To emphasize the structure, management, policies, and programs around compliance
26. To demand that malfeasant corporations separate compliance from the legal department,
27. Designate a CCO that is not also the GC and does not report to the GC
28. And that has direct access to the Board of Directors
29. This Reaction is Consistent with Recent Laws and Recommendations
• SEC's Compliance Rule 2004 requiring each SEC registered investment company/advisor to designate a CCO to oversee compliance and report directly to the Board
• Federal Sentencing Guidelines defining what is an effective compliance program and providing extra credit for corporations that designate separate CCOs with direct reporting to the board
• Guidelines by Professional Associations (OIG/ILA) recommending the same
30. And more and more corporations seem to be following suit
31. Over the past few years, in the wake of corporate scandals that span industries, e.g., pharma, insurance, financial services, health care, consumer products,
32. There appears to be an emerging trend
33. to separate the compliance function from the legal department and create new distinct compliance departments
34. compliance departments largely led and comprised of non-lawyers and non-practicing lawyers that report directly to the CEO and have direct access to the board
35. Why and Should This Be So?
Why Have Organizations Adopted this new stance on the organizational structure of compliance? AND Is this Best Practice?
36. Questions? Questions? Questions?
Do In-house Lawyers - when they work in the legal department - somehow impair ethics and compliance?
37. Questions? Questions? Questions?
Are lawyers – acting as lawyers – less able to prevent, uncover, and stop malfeasance?
38. Questions? Questions? Questions?
Does taking compliance out of the hands of practicing lawyers create the type of change that is needed to ensure a culture of compliance?
Or are these new compliance departments just a formal solution to appease?
39. “A number of the early mover companies that created compliance departments did so as part of resolving a major mishap or high profile problem -- so it was not necessarily a best practice. But after a number of major companies have done it over the years, it starts to look like a best practice. Once in that position, it becomes hard for a major corporation to explain why they don't need a compliance department.” (FGC-2)
40. Purpose: Explore 3 Questions
(i) What is “compliance”?
(ii) How is it managed, where is it currently housed in large, publicly traded corporations and why
(iii) Who Should Oversee Compliance: What are the risks and benefits of having a distinct compliance function run by non-lawyers (or non-practicing lawyers) that report to the CEO/Board?
41. Research Methodology
Stage 1
• 2007 - completed before meltdown
• 40 brief interviews (avg. 8 min) with General Counsels of S&P 500 corps in banking, pharmaceutical, & petroleum
42. Research Methodology
Stage 2
• 2010-present
• 30-40 in-depth interviews (avg 60 min) with General Counsels and Chief Compliance Officers of large, publicly traded corporations
• 6 industries: Pharmaceutical, Energy, Healthcare, Consumer Products, Financial Services, and Misc
43. Research Methodology
Stage 2 Goals:
1. 30-40 interviews comprising 2 to 3 companies per industry
2. 1 ex-GC in each industry
3. 1 lower level compliance manager in each industry
4. 1 to 2 nonpublic companies (GC and CCO)
5. 1 senior manager that works or used to work in compliance at the SEC, OIG
6. 1 to 2 compliance consultants/activists
44. Caveats
1. Sample size is very very low
2. Still in the process of coding some interviews
3. This study is not comprised of a random sample and is based on self-reports by senior executives who arguably have certain stories to tell
45. Key Findings to Date: Stage 2
Who Oversees Compliance?
• GCs had ultimate responsibility for the compliance function for the majority of corporations interviewed
– But the Compliance Department is considered distinct from the Legal Department
– And the CCO has a dotted line to Board
46. Key Findings to Date: Stage 2
Who Oversees Compliance?
• Where GC/CLO did not have ultimate oversight, generally compliance was overseen by a former in-house lawyer, often the deputy general counsel, that reports to the CEO with access to the board
47. Key Findings to Date: Stage 2
Who Oversees Compliance?
• Compliance Departments are made up of a lot of lawyers
48. Key Findings To Date: Role of the CCO vs the GC?
49. Problem often faced by the CCO is the giving of legal advice ... Hard not to do given the nature and scope of the job and that often the CCO was trained as a lawyer
50. Role of the CCO vs the GC?
Consensus Similarity
Legal and Compliance Departments rely on legal expertise and have a shared goal to increase compliance with the law
51. Role of the CCO vs the GC?
Consensus Distinction
The CCO focuses on
1) building policies and procedures;
2) monitoring adherence;
3) training and educating employees on specific regulatory obligations; and,
4) testing employees on adherence.
52. Role of the CCO vs the GC?
Claimed Distinction 1
Compliance Officers (vs. GC) care about preventing misconduct, neutral fact finding, acting in the interest of stakeholders, uncovering misconduct, ethics, and culture
53. Role of the CCO vs the GC?
Claimed Distinction 2
Compliance Officers have different reporting obligations, aren't acting as lawyers, and can't garner attorney-client privilege protection
54. Role of the CCO vs the GC?
Claimed Distinction 3
Compliance requires management know-how in training, HR matters, communications, auditing, and internal controls, while legal work requires training in the law
55. Role of the CCO vs the GC?
Claimed Distinction 4
Lawyers tell you what the law says and are concerned with legal liability and vigorously defending the corporation at all costs
56. Role of the CCO vs the GC?
Claimed Distinction 5
The lawyers tell you whether you can do something, and compliance tells you whether you should
57. Role of the CCO vs the GC?
Typical Quote
“The General Counsel's job is . . . to advise [the company and senior managers] of the legal risks but not initiate the conversation over what is the right thing to do – the General Counsel's job is more black and white.”
58. But these distinctions appear to be a bit artificial
59. If you have a broad view of the role of the GC; if you believe (as many do) that the GC has or should have some gatekeeping responsibilities
60. If you think the GC should play the role of counselor in charge of corporate culture and ethics and the corporate conscience ...
61. Then these distinctions are a bit artificial
63. They claimed that the GC (as opposed to the CCO) is in charge of the ethics and corporate culture and that the CCOs can sometimes be seen as just . . .
72. Counselor
“I like to play the business card game with my CEO. Whenever there is a tough conversation around ethics and compliance and the law, I ask my CEO to take out his business card. I point out, as we look at the cards, that his card says ‘president, CEO, and chairman.’ My card says ‘VP, GC, and counsel.’ I explain that I want to concentrate on the counsel part. My card gives me the right to counsel you and you can disregard it. But I get to say I told you so . . .”
77. “Throughout the organization, we don't have someone named as a compliance officer – meaning that, if one person is in charge of compliance, nobody else has to worry about it.” (GC large petroleum company)
78. Given that there are so many different archetypes, perhaps the right question is:
79. What are the risks and benefits of having the two segregated departments?
80. Does segregation, in and of itself, create specific negative repercussions or positive consequences?
91. Unidentified Risks if Separate: Increase in the UPL
“There is no such thing as a non-practicing lawyer – purely practical – if you are a lawyer you are a lawyer doesn't matter if licensed to practice law or not – people look at you as a lawyer and rely on you as it to dispense legal advice despite of title . . and therefore in my view I'm a GC of company if one my lawyers screws up – I'm responsible - - I can't say that's lawyer in compliance and I get by . . I think it's functionally wrong . . but reasonable people can differ”
92. Unidentified Risks if Separate: Rise of the Law Consultant not bound by the MRPC
93. Unidentified Risks if Separate: Just Another Risk to be Managed
94. Unidentified Risks if Separate: Increase in Strict Liability?
96. But the only way to determine who should oversee compliance and whether the departments should be segregated, is to agree on what are the objectives ...
97. Are the objectives to increase the corporation's compliance with the rule of law?
98. Are the objectives to increase the corporation's normative commitment to compliance? i.e., to establish a culture of compliance?
99. Or are the objectives to enhance the expectations society has of lawyers and their role as gatekeepers, counselors, keepers of the corporate conscience?
100. Arguably, the current trend/mandate applauds form over function and fails to deliver
101. Although it is true that the SEC has claimed it will assess whether a company has a “culture of compliance”
102. Recent mandates by the government including the SEC do not appear to be doing so. They do NOT even consider
103. The Importance of Collaboration to Effective Compliance & Culture
104. Instead they prize independence and traditional notions of control OVER interdependency, embeddedness and collaboration
105. They emphasize the outward formal organizational structures and programs ... as if they are proxies for effective compliance
111. It is the hidden norms and social networks that impact the choices employees make NOT the public, formal, ethics programs, codes of conduct, and mission statements
112. Researchers agree that formal systems are the weakest link in the organization's ethical infrastructure and are typically far eclipsed by their informal counterparts
113. In order to find the critical gaps, the focus should be on the internal: 2) How people are motivated
115. While it is true that many compliance functions are “rote” or “check-the-box,” and malfeasance with these tasks is easy to uncover and compliance is easy to motivate
116. When the choice involves non-routine tasks and deliberation involving morals, ethics, personal preferences, malfeasance is much harder to control with carrots or sticks
117. Indeed, monetary incentives can take the good out of doing good; and if-then carrots or sticks neglect the ingredients of genuine motivation
119. In order to find the critical gaps, the focus should be on the internal: 2) How people make ethical decisions
120. How Does Ethics Intersect with Compliance and the Law?
121. Compliance initiatives do not account for the reality that employees do not necessarily recognize a dilemma as an ethical one
125. Preliminary Conclusions:
1) Large, publicly traded corporations should not preemptively comply with the government's unofficial preference towards stand-alone compliance departments
126. Preliminary Conclusions:
2) Instead of focusing on the outward form and structure of an organization or formal exemplifications of compliance, assessment should look inward, at the informal communication, value chains, and culture of the company
127. Preliminary Conclusions:
3) Bonus points should be given to those corporations that take an inward look at how work is actually being done and the networks and ethical culture that exist beneath and beyond the org chart, the mission statement, and the code of conduct
128. Questions? Questions? Questions?
• Are lawyers better able to run compliance than nonlawyers?
• Is the culture of the company determined by the tone at the top? Or the tone at the middle?
• Should Compliance be separate from Legal?
• Is having a compliance department more important today than 5 years ago?
129. MICHELE DESTEFANO
FOUNDER, LAWWITHOUTWALLS
Associate Professor of Law, MiamiLaw
md@law.miami.edu