In this post melt-down climate, the regulatory environment raises questions about the compliance function in large, publicly traded corporations. What is it? What purpose does and should it serve? How is the compliance function different or the same as the legal, ethics, or risk management functions? And who should oversee compliance? Although some exists, more empirical research should be done on what function a compliance department serves, where compliance is currently housed in large, publicly traded corporations and, more importantly, why corporations have located the compliance function within or outside the legal department. Further, no other study to date entails qualitative research with United States’ general counsels, chief compliance officers and other non-lawyer senior management on these issues. The purpose of this project is to explore the following questions: (i) What is compliance? What is the major purpose of a compliance department, what areas does it cover (ii) How is it managed and where is it currently housed in large, publicly traded corporations, and (iii) What are the risks and benefits of having the compliance function separated from the legal department and run by non-lawyers (or non-practicing lawyers) that report to the CEO and/or board of directors? To investigate these questions, I i) talked briefly with forty general counsels of S&P 500 corporations in banking, pharmaceutical, and petroleum industries about compliance within their organization; and ii) conducted thirty in-depth qualitative interviews with general counsels and chief compliance officers of large, publicly traded corporations across a variety of industries. The research analysis will lead to a series of articles. The first article, Transitioning Corporate Governance to Compliance will take the position that a transition in corporate governance has occurred over the past 20 years. What might have been thought of 20 years ago as the basic corporate governance function is now being ceded to compliance departments in large publicly traded organizations. This article will overview of what role the compliance function at some large, publicly traded corporations serves. Through the voices of the Compliance Study interviewees, it will analyze and present a typology of roles that compliance officers may play and recommend which role is the ideal one. The second article, The Government’s Unofficial Stance on Compliance Departments: To Comply or Not to Comply? will analyze the question of whether whether compliance should be separated from the legal department. To that end, it will explore the risks and benefits of such a structure and the limitations that exist when the compliance function is led by the general counsel.

1. Beyond Benchmarking:
How Should Law and
Corporate Compliance
Intersect?
MICHELE DESTEFANO
FOUNDER, LAWWITHOUTWALLS
Associate Professor of Law, MiamiLaw
Program on the Legal Profession
13 November 2012

2. Corporations Around the Globe
Are Facing a HUGE challenge
11/14/2012 DeStefano 3

3. Despite the current freeze
on legal expenditure
corporations
are having to
invest
HEAVILY
in compliance
...
11/14/2012 DeStefano 4

4. . . . in managing the legal risk of business
11/14/2012 DeStefano 5

5. Questions?Questions?Questions?
Where does legal How Is Compliance
end and compliance Managed and by
start? Whom?
Who Should
be
Responsible
for
Compliance?
And What about Ethics and Corporate Culture?
11/14/2012 DeStefano 6

6. In large publicly traded corporations,
*historically*
the compliance department
was part of the legal department
...
Overseen or even run by
the chief legal officer
...
11/14/2012 DeStefano 7

7. In many respects,
this is
still true
today
11/14/2012 DeStefano 8

8. Many corporate practices, and mandates put
compliance in the hands of lawyers . . .
11/14/2012 DeStefano 9

9. Practice/Mandates/Guidelines
ABA Task Force on 46% of ACCA survey
Corporate
Responsibility respondents claim
recommended that that Compliance was
general counsels ultimately overseen
oversee compliance
(with direct oversight by the GC or the GC
by the Board) serves as the CCO
MR 1.13 and SOX §307 puts the GC
in role of whistle blower/gatekeeper
11/14/2012 DeStefano 10

10. Recently, this has begun to . . .
11/14/2012 DeStefano 11

11. Although the government
(e.g., OIG of the SEC and the DHHS)
does not
*require*
that corporations
separate
the compliance and legal functions
...
11/14/2012 DeStefano 12

12. ...
their
unofficial
stance
is
that
they
*should*
11/14/2012 DeStefano 13

13. Indeed,
the SEC and the DHHS
have forced corporations
that have misbehaved
to do
just
that
...
11/14/2012 DeStefano 14

14. To develop
distinct
Compliance Departments
And
designate
a Chief Compliance Officer
*that does NOT report to the GC/CLO*
and that has
direct access
to the Board
11/14/2012 DeStefano 15

15. Consider
the
following
Four
examples
11/14/2012 DeStefano 16

16. 2004 – Medicaid Pricing Fraud
11/14/2012 DeStefano 17

17. In its Corporate Integrity Agreement (CIA),
Schering-Plough had to
pay $293M,
establish a hotline,
revise corporate conduct code/training
and
designate a CCO
to report directly to the CEO or President
*and NOT the GC*
with direct access to the Board
11/14/2012 DeStefano 18

18. 2004 – Fraudulent Revenue Projection
11/14/2012 DeStefano 19

19. In settlement,
Quest
agreed to
pay $250M,
and
create a CCO position
that would
*report directly*
to the CEO
with direct access
to the Board
11/14/2012 DeStefano 20

20. 2009 – Illegal Promotion of Drug Uses
11/14/2012 DeStefano 21

21. Pfizer paid $2.3 BILLION,
plead guilty to a
felony criminal violation,
and signed a 5-year CIA
mandating
that it create a hotline,
heighten training,
And designate a CCO
that would not be
subordinate to the GC/CLO
and would have direct access
to the Board
11/14/2012 DeStefano 22

22. 2010 – Insider Trading Investigation
11/14/2012 DeStefano 23

23. To appease,
the SEC created
a “real”
and singular
compliance department
with oversight
by one
designated CCO
11/14/2012 DeStefano 24

24. In Sum, the reaction by the DDHS
and SEC has been to
11/14/2012 DeStefano 25

25. To emphasize
the structure,
management,
policies,
and programs
around compliance
11/14/2012 DeStefano 26

26. To demand
that
malfeasant
corporations
separate
compliance
from the
legal department,
11/14/2012 DeStefano 27

27. Designate a CCO
that is
not also
the GC
and
does not
report to
the GC
11/14/2012 DeStefano 28

28. And
that has
direct access
to the
Board
Of
Directors
11/14/2012 DeStefano 29

29. This Reaction is Consistent with
Recent Laws and Recommendations
SECs Compliance Federal Sentencing
Rule 2004 requiring Guidelines defining
each SEC registered what is an effective
investment compliance program
company/advisor to and providing extra
designate a CCO to credit for corporations
oversee compliance that designate separate
and report directly to CCOs with direct
the Board reporting to the board
Guidelines by Professional Associations (OIG/ILA)
recommending the same
11/14/2012 DeStefano 30

30. And more and more corporations
seem to be following suit
11/14/2012 DeStefano 31

31. Over the past few years,
in the wake
of corporate scandals
that span industries
e.g., pharma,
insurance,
financial services,
health care,
consumer products,
11/14/2012 DeStefano 32

32. There
appears
to be
an
emerging
trend
11/14/2012 DeStefano 33

33. to separate
the
compliance function
from
the legal department
and create
new
distinct
compliance departments
11/14/2012 DeStefano 34

34. compliance departments
largely led
and comprised of
non-lawyers
and
non-practicing lawyers
that report directly to the CEO
and
have direct access
to the board
11/14/2012 DeStefano 35

35. Why and Should This Be So?
Why Have Organizations
Adopted this new stance
on the
organizational structure of
compliance?
AND
Is this Best Practice?
11/14/2012 DeStefano 36

36. Questions?Questions?Questions?
Do Inhouse Lawyers
- when they work
in the legal department -
somehow impair
ethics and compliance?
11/14/2012 DeStefano 37

37. Questions?Questions?Questions?
Are lawyers
– acting as lawyers –
less able to prevent,
uncover,
and stop
malfeasance?
11/14/2012 DeStefano 38

38. Questions?Questions?Questions?
Does taking compliance
out of the hands
of practicing lawyers
create
the type of change that is
needed
to ensure a culture of
compliance?
Or are these new compliance departments
just a formal solution to appease?
11/14/2012 DeStefano 39

39. “ A number of the early mover companies
that created compliance departments did
so as part of resolving a major mishap or
high profile problem -- so it was not
necessarily a best practice. But after a
number of major companies have done it
over the years, it starts to look like a best
practice. Once in that position, it becomes
hard for a major corporation to explain
why they don't need a compliance
department.” (FGC-2)
11/14/2012 DeStefano 40

40. Purpose: Explore 3 Questions
(i) What is “compliance”?
(ii) How is it managed, where is it
currently housed in large, publicly
traded corporations and why
(iii) Who Should Oversee Compliance:
What are the risks and benefits of having a
distinct compliance function run by non-
lawyers (or non-practicing lawyers) that
report to the CEO/Board?
11/14/2012 DeStefano 41

41. Research Methodology
Stage 1
• 2007 - completed before meltdown
• 40 brief interviews (avg. 8 min) with
General Counsels of S&P 500 corps in
banking, pharmaceutical, & petroleum
11/14/2012 DeStefano 42

42. Research Methodology
Stage 2
• 2010-present
• 30-40 in-depth interviews (avg 60 min)
with General Counsels and Chief
Compliance Officers of large, publicly
traded corporations
• 6 industries: Pharmaceutical, Energy,
Healthcare, Consumer Products, Financial
Services, and Misc
11/14/2012 DeStefano 43

43. Research Methodology
Stage 2 Goals:
1. 30-40 interviews comprising of 2 to 3
companies per industry
2. 1 ex-GC in each industry
3. 1 lower level compliance manager in each
industry
4. 1 to 2 nonpublic companies (GC and CCO)
5. 1 senior manager that works or used to
work in compliance at the SEC, OIG
6. 1 to 2 compliance consultants/activists
11/14/2012 DeStefano 44

44. Caveats
1. Sample size is very very low
2. Still in the process of coding some
interviews
3. This study is not comprised of a random
sample and is based on self-reports by
senior executives which arguably have
certain stories to tell
11/14/2012 DeStefano 45

45. Key Findings to Date: Stage 2
Who Oversees Compliance?
• GCs had ultimate responsibility for the
compliance function for the majority of
corporations interviewed
– But the Compliance Department is
considered distinct from the Legal
Department
– And the CCO has a dotted line to Board
11/14/2012 DeStefano 46

46. Key Findings to Date: Stage 2
Who Oversees Compliance?
• Where GC/CLO did not have ultimate
oversight, generally compliance was
overseen by a former in-house lawyer,
often the deputy general counsel, that
reports to the CEO with access to the
board
11/14/2012 DeStefano 47

47. Key Findings to Date: Stage 2
Who Oversees Compliance?
• Compliance Departments are made up of
a lot of lawyers
11/14/2012 DeStefano 48

48. Key Findings To Date:
Role of the CCO vs the GC?
11/14/2012 DeStefano 49

49. Problem often faced
by the CCO
is the giving of legal advice
...
Hard not to do
given the
nature and scope
of the job
and that often the CCO
was trained
as a lawyer
11/14/2012 DeStefano 50

50. Role of the CCO vs the GC?
Consensus Similarity
Legal and Compliance Departments
rely on
legal expertise and
have a shared goal
to increase compliance
with the law
11/14/2012 DeStefano 51

51. Role of the CCO vs the GC?
Consensus Distinction
The CCO focuses on
1) building policies and procedures;
2) monitoring adherence;
3) training and educating employees on
specific regulatory obligations; and,
4) testing employees on adherence.
11/14/2012 DeStefano 52

52. Role of the CCO vs the GC?
Claimed Distinction 1
Compliance Officers (vs. GC)
care about
preventing misconduct,
neutral fact finding,
acting in the interest of stakeholders,
uncovering misconduct,
ethics, and
culture
53

53. Role of the CCO vs the GC?
Claimed Distinction 2
Compliance Officers
have different reporting obligations,
aren‟t acting as lawyers,
and
can‟t garner
attorney-client privilege protection
54

54. Role of the CCO vs the GC?
Claimed Distinction 3
Compliance requires
management know-how in
training,
HR matters,
communications,
auditing,
and internal controls ,
While legal work
Requires
training in the law
55

55. Role of the CCO vs the GC?
Claimed Distinction 4
Lawyers
tell you what the law
says
and are concerned with
legal liability and
vigorously defending
the corporation
at all costs
56

56. Role of the CCO vs the GC?
Claimed Distinction 5
The lawyers
tell you whether you
can
do something,
and compliance
tells you whether you
should
57

57. Role of the CCO vs the GC?
Typical Quote
“The General Counsel‟s job is . . . to advise
[the company and senior managers] of the
legal risks but not initiate the conversation
over what is the right thing to do –
the General Counsel‟s job
is more black and white.”
58

58. But
these distinctions
appear
to be
a bit
artificial
11/14/2012 DeStefano 59

59. If you have a broad view
of the role of the GC;
If you believe
(as many do)
that the GC has
or should have
some gatekeeping
responsibilities
11/14/2012 DeStefano 60

60. If you think
The GC
should play
the role of counselor
in charge of
corporate culture
and ethics
and the corporate conscience
...
11/14/2012 DeStefano 61

61. Then
these
distinctions
are
a
bit
artificial
11/14/2012 DeStefano 62

62. Many GC interviewees saw these
distinctions in reverse
11/14/2012 DeStefano 63

63. They claimed
that the GC
(as opposed to the CCO)
is in charge
of the ethics
and corporate culture
and that the CCOs
can sometimes
be seen as just . . .
11/14/2012 DeStefano 64

64. Traffic Cops
11/14/2012 DeStefano 65

65. So
Perhaps
it is the
philosophy of the role
that matters
more
than
the titles
and segmentations
11/14/2012 DeStefano 66

66. A Typology of Roles:
Not All CCOs are Alike
11/14/2012 DeStefano 67

67. Automatan
11/14/2012 DeStefano 68

68. Investigator
11/14/2012 DeStefano 69

69. Mark Wahlberg: The Departed
11/14/2012 DeStefano 70

70. Spy
11/14/2012 DeStefano 71

71. Counselor
11/14/2012 DeStefano 72

72. Counselor
“I like to play the business card game with my CEO.
Whenever there is a tough conversation around
ethics and compliance and the law, I ask my CEO to
take out his business card. I point out, as we look
at the cards, that his card says „president, CEO, and
chairman.” My card says „VP, GC, and counsel.” I
explain that want to concentrate on the counsel
part. My card gives me the right to counsel you and
you can disregard it. But I get to say I told you so . .
.”
11/14/2012 DeStefano 73

73. Involved Parent
11/14/2012 DeStefano 74

74. Business Bottom Liner
11/14/2012 DeStefano 75

75. Scarecrow
11/14/2012 DeStefano 76

76. Which Way Do We Go?
11/14/2012 DeStefano 77

77. “Throughout the organization, we don‟t have
someone named as a compliance officer –
meaning that, if one person is in charge of
compliance, nobody else has to worry about
it.” (GC large petroleum company)
11/14/2012 DeStefano 78

78. Given that
there are so
many different
archetypes,
perhaps
the right
Question
is:
11/14/2012 DeStefano 79

79. What
are the
risks
and
benefits
of having
the two
Segregated
departments?
11/14/2012 DeStefano 80

80. Does
segregation,
in and of itself
create specific
negative
repercussions
or
positive
consequences?
11/14/2012 DeStefano 81

81. Risks if Combined:
Conflict of Interest
11/14/2012 DeStefano 82

82. Risks if Combined:
Shield of Secrecy
11/14/2012 DeStefano 83

83. Risks if Separate: Turf Wars
11/14/2012 DeStefano 84

84. Risks if Separate: Inefficiencies
11/14/2012 DeStefano 85

85. Risks if Separate: Communication
Issues & Loss of Shared Learnings
11/14/2012 DeStefano 86

86. Unidentified Risks if Separate:
Revival of the Legal Technician
11/14/2012 DeStefano 87

87. Unidentified Risks if Separate:
Decrease in Gatekeeping &
Counselor Role
11/14/2012 DeStefano 88

88. Unidentified Risks if Separate:
Increase in Information
Protected by the Attorney-Client
Privilege
11/14/2012 DeStefano 89

89. Unidentified Risks if Separate:
Terminator CCOs
11/14/2012 DeStefano 90

90. Unidentified Risks if Separate:
Increase in the UPL
11/14/2012 DeStefano 91

91. Unidentified Risks if Separate:
Increase in the UPL
“There is no such thing as a non-practicing
lawyer – purely practical – if you are a lawyer
you are a lawyer doesn‟t matter if licensed to
practice law or not – people look at you as a
lawyer and rely on you as it to dispense legal
advice despite of title . . and therefore in my view
I‟m a GC of company if one my lawyers screws up
– I‟m responsible - - I can‟t say that‟s lawyer in
compliance and I get by . . I think its functionally
wrong . . but reasonable people can differ”
11/14/2012 DeStefano 92

92. Unidentified Risks if Separate:
Rise of the Law Consultant not
bound by the MRPC
11/14/2012 DeStefano 93

93. Unidentified Risks if Separate:
Just Another Risk to be Managed
11/14/2012 DeStefano 94

94. Unidentified Risks if Separate:
Increase in Strict Liability?
11/14/2012 DeStefano 95

95. Unidentified Risks if Separate:
Just a Copy-Cat Move
11/14/2012 DeStefano 96

96. But the only way
to determine
who should oversee
compliance
and whether
the departments
should be segregated,
is to
agree on what are
the objectives
...
11/14/2012 DeStefano 97

97. Are the objectives
to increase
the corporation‟s
Compliance
with the
rule
of
law?
11/14/2012 DeStefano 98

98. Are the objectives
to increase
the corporation‟s
normative
commitment
to
compliance?
i.e., to establish
a culture
of compliance?
11/14/2012 DeStefano 99

99. Or are
the objectives
to enhance
the expectations
society has of lawyers
and their role
as gatekeepers,
counselors,
keepers of the corporate conscience?
11/14/2012 DeStefano 100

100. Arguably, the current
trend/mandate applauds
form over function and fails to
deliver
11/14/2012 DeStefano 101

101. Although
it is true
that the SEC has
claimed
it will
assess whether
a company
has a
“culture of compliance”
11/14/2012 DeStefano 102

102. Recent
Mandates
by
the government
including the SEC
do
not appear to
to be doing so.
They do NOT even
consider
11/14/2012 DeStefano 103

103. The Importance of Collaboration
to Effective Compliance & Culture
11/14/2012 DeStefano 104

104. Instead
they prize
Independence
and traditional
notions
of control
OVER
interdependency,
embeddedness
And collaboration
11/14/2012 DeStefano 105

105. They
emphasize
the
outward
formal
organizational
structures
and programs
...
as if they are
proxies
for effective compliance
11/14/2012 DeStefano 106

106. The Org Chart
11/14/2012 DeStefano 107

107. A Code of Conduct
11/14/2012 DeStefano 108

108. Training Manuals & Programs
11/14/2012 DeStefano 109

109. In order
to find
the critical gaps,
the focus should be
on the
Internal:
1) How people
interact
11/14/2012 DeStefano 110

110. Informal Cultural
Communication Norms
11/14/2012 DeStefano 111

111. It is the
hidden norms
and social networks
that impact
the choices
employees make
NOT
the public,
formal,
ethics programs,
codes of conduct,
and missions statements
11/14/2012 DeStefano 112

112. Researchers agree that
formal systems are
the weakest link
in the organization‟s
ethical infrastructure
and are typically
far eclipsed
by their informal
counterparts
11/14/2012 DeStefano 113

113. In order
to find
the critical gaps,
the focus should be
on the
internal:
2) How people
are
motivated
11/14/2012 DeStefano 114

114. Carrots? Or Sticks?
11/14/2012 DeStefano 115

115. While it is true
that many
compliance functions are
“route” or “check-the-box,”
and malfeasance with these task
is easy to uncover and
compliance is
easy to motivate
11/14/2012 DeStefano 116

116. When the choice
involves
non-routine tasks
and deliberation
involving
morals,
ethics,
personal preferences,
malfeasance is much harder to control with
carrots or sticks
11/14/2012 DeStefano 117

117. Indeed, monetary incentives
can take the good
out of doing good;
and If-then
carrots or sticks
neglect the ingredients
of
Genuine motivation
11/14/2012 DeStefano 118

118. External or Internal
11/14/2012 DeStefano 119

119. In order
to find
the critical gaps,
the focus should be
on the
internal:
2) How people make
ethical
decisions
11/14/2012 DeStefano 120

120. How Does Ethics Intersect with
Compliance and the Law?
11/14/2012 DeStefano 121

121. Compliance
initiatives
do not account
for the reality
that employees
do not necessarily
recognize a dilemma
as an
ethical one
11/14/2012 DeStefano 122

122. Many Ethical Dilemmas Result
from Blind Spots
11/14/2012 DeStefano 123

123. ...
Think Pinto
...
Think The Challenger
11/14/2012 DeStefano 124

124. Desensitization and Ethical Fading
11/14/2012 DeStefano 125

125. Preliminary
Conclusions:
1) large, publicly traded
Corporations
should not
preemptively comply
with the government‟s
unofficial preference
towards stand alone
compliance departments
11/14/2012 DeStefano 126

126. Preliminary
Conclusions:
2) Instead of focusing
on the outward
form and structure
of an organization
or formal exemplifications
of compliance,
assessment should look inward,
at the informal communication,
value chains, and
culture of the company
11/14/2012 DeStefano 127

127. Preliminary
Conclusions:
3) Bonus points should be given
to those corporations
that take an inward look
at how work is actually
being done
and the networks
and ethical culture
that exists beneath and beyond
the Org chart,
the mission statement,
and the code of conduct
11/14/2012 DeStefano 128

128. Questions?Questions?Questions?
Are lawyers better Is the culture of the
able to run company determined
compliance than by the tone at the
nonlawyers? top? Or the tone at
Should them middle?
Compliance
be separate
from Legal?
Is having a compliance department more
important today than 5 years ago?
11/14/2012 DeStefano 129

129. MICHELE DESTEFANO
FOUNDER, LAWWITHOUTWALLS
Associate Professor of Law, MiamiLaw
md@law.miami.edu
11/14/2012 DeStefano 130