As the role of the chief compliance officer (CCO) takes on more prominence, many CEOs and boards must evaluate whether their general counsel (GC) can take on this second role or if the function should be led by a separate executive. After the financial crisis, Enron, and growing privacy, corruption, and whistleblower actions, the glare of the regulatory spotlight seems as certain as sunrise. According to Deloitte, “One of the most important regulatory and policy developments in recent years has been the government’s heightened scrutiny of the effectiveness of an organization’s compliance program in making decisions regarding both liability and cooperation.” It doesn’t take a fortune-teller to predict that corporations will increasingly grapple with the dual-role question.
Are GCs One for Two?
Let’s start by considering the traditional role of lawyers. Lawyers give legal advice and advocate to gain the best outcomes for their clients. When a government subpoena or legal claim arrives on their desk, they gear up to do whatever is necessary to avoid costly judgments or fines, reputation hits and even jail time for their C-suite colleagues. They are protectors and risk managers.
Of course, lawyers also interpret regulatory requirements and things like SEC No Action letters to keep their company within the letter of the law. Many argue that the GC/CCO dual role makes sense because regulatory noncompliance issues ultimately can turn into legal risk-management challenges.
Specialized skills for compliance policy development and program execution, even if not in the direct hands of the general counsel, can reside in a chief compliance officer reporting to the GC. In some organizations, especially where the CCO role is newer, having a GC/CCO one for two can boost the clout of compliance based on strong GC/C-suite relationships.
General counsels who hold both roles need to be careful when sending emails to distinguish between when they are providing privileged legal advice and when they are acting in the compliance role.
Separate but Equal CCOs
The Society of Corporate Compliance and Ethics (SCCE) has long held that compliance must be a separate role. They espouse the two-for-two approach.
Chief compliance officers are the architects of the enterprise compliance strategy, structure and processes. They must understand complex regulations and laws and simplify them down to required behaviors in a policy document. They must create education, monitoring and detection programs. Evangelizing a culture of accountability and compliance is central to the role. Whistleblowers must feel safe to come forward to report any unethical behavior or other misconduct. SCCE believes these functions are very different than giving legal advice.
The CCO serves as the primary contact to the regulators and works closely with the GC during investigations and audits. PwC reports that 62 percent of pharmaceutical companies have a separate compliance role, frequently reporting to the CEO.
The government increasingly sees the CCO as a “watchdog” that must inform and stand up to executives when a business decision would violate regulatory or ethical standards. The argument goes that clever lawyers will find loopholes in regulations that the business can lawfully take advantage of in its decision-making, while the CCO would focus discussions on the ethical and reputational fallout from such actions.
After a record-setting 2009 corporate integrity agreement and $2.3 billion settlement with a pharmaceutical giant, federal authorities commented that “[t]he lawyers tell you whether you can do something, and compliance tells you whether you should. We think upper management should hear both arguments.”
In recent months, a drug company raised the price of a toxoplasmosis drug by 5,000 percent, with major reputation hits quickly following. Another pharma company increased a cardiac drug price by 525 percent after acquiring it. Both moves were within the letter of the law, no doubt designed to increase shareholder value. Yet they sparked huge ethical debates, with the cardiac drug company experiencing a 91 percent drop in share price in the last year.
A blood-testing biotech company appointed a chief compliance officer amidst government investigations and the fall of its CEO. The new compliance officer came from a pharma company where he was a regulatory AGC.
In 2016, Bloomberg reported that a major U.S. bank shifted its compliance group from legal to risk management under pressure from regulators. The concern was that the legal group was trying to minimize rules application. Other major banks similarly took the CCO role out from under the direction of the GC following government settlements.
Just like any other department in the enterprise, the legal team could potentially be investigated for wrongdoing. This potential conflict of interest problem is a frequent discussion point in the two-for-one conversation. Although the vast majority of corporate lawyers operate ethically and comply with policies, problems can occur. During the General Motors scandal, two assistant general counsels from GM’s legal department were let go for wrongdoing. This raises questions about what happens if the CCO is accused of wrongdoing.
What’s the Chief Compliance and Ethics Officer?
Perhaps a critical inflection point in the “two-for” debate is arriving as corporations wrestle with the balance between the objectives of the role and how much weight to put on building an ethical, value-based culture versus one based on monitoring and detection. There seems to be a trend of morphing the CCO title to chief compliance and ethics officer (CECO), putting more emphasis on the ethical bullhorn aspects of the role.
Clearly, the compliance role is still emerging and taking shape inside corporations. A July 2016 survey conducted by SCCE and the Health Care Compliance Association shows 49 percent of CCOs see ethical culture as their primary objective, with 35.4 percent citing preventing misbehavior as primary. Yet 42 percent of CCOs felt that meeting regulatory requirements is No. 1 for management, and 29 percent think management sees preventing and detecting misconduct as the primary objective. Just 13.3 percent of CCOs think management sees the promotion of an ethical culture as the primary objective. The respondents thought their boards had still other, divergent priorities for the role.
Specific Factors to Consider
Culture building and architecting policy and programs to detect transgressions seem quite different than giving legal advice and protecting corporate interests at all costs. Can the two live in one? There are many factors to consider when making the two-for-one decision.
Company Size. A small company with fewer than 25 employees may not be able to afford to pay two people. Companies with tens of thousands of employees might want separate compliance and legal advocacy executives, given the sheer volume and scale needed to monitor compliance. On the other hand, a GC/CCO can employ a compliance director to develop and execute programs under their supervision. Technology can be leveraged to scale for enterprise-wide compliance efforts.
Legal vs. Compliance Needs. Highly regulated industries may have a more acute need for separate roles. Less regulated industries may combine the roles. Some businesses that don’t have a lot of legal issues don’t have a GC. When legal issues or major regulatory inquiries come up, they prefer to use outside counsel. Yet they may have a CCO or director of compliance to file regulatory reports, for example.
Culture Building. FINRA, for one, has been hot on requiring a “culture of compliance.” Dodd-Frank and Sarbanes-Oxley certainly call for integrating a compliance culture into operations. This need leans toward having a separate CECO who focuses on culture more than legal advice.
Compliance Skill Set. A key factor to consider is the skill sets needed in the newer, emerging compliance role. Ask yourself if the GC in a dual role is in the best position to develop policies and processes and conduct audits. We lawyers didn’t learn these skills in law school. But the new emphasis on project management and process know-how in legal department operations is growing these skills in lawyers.
Who Should Compliance Report to? Reporting lines vary: the separate CCO may report to the CEO, the board, risk management, the CFO or the GC. Some say the position must report to the board to elevate it to a strategic governance focus. The counterargument is that the board is not in a position to manage an operational function.
Ethics Culture vs. Detection and Monitoring. With reputations and stock prices taking big hits over corporate ethics, and whistleblowers earning millions of dollars in payouts for exposing bad behavior, ethics weighting may become a bigger factor in two-for-one discussions.
Are you a two-for-one or a one-for-two company? Corporations must sort through these issues and perspectives to choose the best approach for their compliance initiative. The only thing that is certain is that the sun will rise tomorrow, along with a glare on corporate regulatory, ethical and reputation strategies.
 “Why Chief Compliance Officers Are More Important Than Ever,” John Browning, D Magazine
Published August 25, 2016.