
Thought Leadership

A new source of value

In the space of just a few years, the challenges facing compliance departments have witnessed explosive growth. Few job profiles have changed as dramatically as those of the two executives at the top of the compliance tree: the General Counsel and the Chief Compliance Officer.

Compliance is not a recent invention. Companies have always had to respect the law. Certain industries, and the financial industry in particular, have a long tradition of compliance and compliance management functions. But in the last five years, compliance has seen a huge surge in significance and topicality on account of a variety of developments. Emerging economies like China and India are writing new laws onto the statute books at enormous speed. It may sound like a paradox, but the general trend towards creating free competition by deregulating certain industries, especially those that were traditionally state controlled, was only made possible by prescribing a wider but nonetheless regulative framework for these industries.

Along with deregulation came globalization, with companies expanding their geographical coverage to compete on an increasingly global scale. Breakthrough innovations in communication systems both facilitated and accelerated this trend. As a result, today more and more companies operate in multiple jurisdictions, each with its own specific legal system and rules. Global players combine a great variety of cultures and business philosophies under one roof, including different attitudes to what constitutes compliance. Globalization is also reflected in global access to capital. Regulation of the capital markets, which has become more stringent, has worldwide ramifications. A company quoted on the New York Stock Exchange, for example, is subject to the Sarbanes-Oxley Act wherever it operates, even if the focus of its activities and/or its head office are outside the U.S.

Abuses large and small, either new or no longer tolerated, have led regulators to act. The business environment today is less forgiving than it used to be. The fraud cases that hit the world at the start of the new millennium, when senior executives manipulated financial statements, have resulted in invasive scrutiny on the part of the regulators. Small investors and funds have become less tolerant and have joined forces to organize closer surveillance of corporate management.

Some new issues needed new answers: Consider only the (mis)use of the Internet at the workplace or e-commerce. Other malpractices, some having acquired a misplaced patina of tolerability through long use, have come under the spotlight of public scrutiny, e.g. sexual harassment, lax approaches to data protection, or gifts to political parties.

In this new environment, compliance has become a must. A business decision that is not compliant is by definition a bad business decision. Inadequate compliance has caused major damage to corporate reputations, destroying much value in the process.

Faced with an ever-growing tangled jungle of rules, in an atmosphere far more repressive than in the past, companies have no option but to take compliance seriously. There are many symptoms of this evolution. Compliance departments are becoming bigger; boards often set up a Compliance Committee; and companies hasten to establish Codes of Conduct and invest substantial resources in ensuring that they are communicated, respected and monitored.

The world has changed

We are also witnessing a tendency towards more principle-based compliance. Where traditionally, especially in the U.S., numerous precise rules were enacted to govern all kinds of situations, today there is a widespread awareness that it is impossible to cover all eventualities in this way, and that there will always be loopholes that “creative minds” will exploit. Principle-based compliance puts business leaders under greater stress. The time when everything that was not explicitly forbidden was allowed is history. Their fiduciary duty towards the company and its shareholders obliges directors and corporate officers to abide by the spirit of the law and no longer the mere letter.

Gone are the days when compliance was a matter of avoiding legal sanctions. Today it embraces sets of ethical rules that have become industry standard or that companies choose to embrace, sometimes with the aim of gaining a competitive edge. In this way, compliance has been transformed from a necessary evil into a new source of value for companies. Companies that are known for their organizational integrity attract and retain the best talent. And the stricter the principles a company complies with, the more attractive it is perceived to be by potential investors. Compliance, then, is today about personal conduct, about mindsets, about corporate culture. It does not work, however, without systems and processes. These systems have to be designed to prevent, detect, and resolve problems. Successful compliance is a combination of the right culture and the right infrastructure. Both are indispensable. Global and multinational companies in particular face the challenge of assuring that all constituencies march to the same tune, following the same guidelines.

Obviously these systems should be aligned with the corporate values. All too often we encounter appraisal and reward systems that are focused on results, with no eye for how and to what extent the individuals concerned showed integrity in the way they achieved those results. Controls are important and necessary, especially as a company becomes larger and more complex. But control in itself does not improve performance. It avoids value destruction, but it does not create value.

How to organize compliance

Before developing such systems, a number of questions need answering: Who is responsible for compliance? Should there be a separate compliance department along with the classical legal function? If so, where does one draw the dividing line between the responsibilities of the General Counsel and those of the Chief Compliance Officer? To whom should the Chief Compliance Officer report? Should he or she be recruited externally or be promoted from within?

There is no one-size-fits-all solution. Many different factors come into play in defining the best solution for a particular company. In the first place, the type of industry will be an important consideration in deciding how to organize the compliance function. The more regulated the industry, the more heavyweight the compliance function will need to be. In some industries – banking and insurance, for example – companies are required by law to install a specific compliance function. Pharmaceutical companies too have complex compliance structures – for obvious reasons, dealing as they do with other people’s lives.

At the other end of the scale there are major industrial companies that have only a handful of compliance officers, if any. They have fewer rules to worry about and will typically allocate compliance management to the legal department, the audit department or a mixture of functions, each taking responsibility for compliance in its particular field.

There can be good reasons for keeping the compliance function separate: Compliance officers need to be very close to the business and will preferably be sourced from the operational side of the company. This guarantees that they understand the implications of rules for day-to-day business practices. It also gives them the credibility to tell the people on the business side what must be done and enforce the guidelines. Also, compliance is about systems and processes and this should not be the prime focus of a legal department. Moreover, it is more than likely that legal counsels will not have the skills and talent to design and manage such systems and processes.

Arguments in favor of integrating the compliance function into the legal department include the fact that compliance is about respecting the law and is therefore an essential part of the legal function. What must be avoided at all costs is that different interpretations of a particular rule exist within the same company.

What is vital is that the General Counsel should be closely involved in the organization and management of the compliance function. Some compliance issues, such as those related to securities laws, stock exchange regulations, anti-corruption and anti-money laundering laws, anti-trust laws and corporate governance rules, are and must remain the prime responsibility of the General Counsel and the legal team. The legal team will also normally play a key role in training employees in compliance matters.

The reality today is that, in a majority of companies that have a Chief Compliance Officer, s/he reports to the General Counsel. But even if the Chief Compliance Officer reports to the General Counsel from an organizational point of view, s/he still needs a direct line to the CEO and the Board of Directors (via the Compliance Committee or the Audit Committee, if these exist).

It remains the case, however, that in a vast majority of companies, the General Counsel is de facto the Chief Compliance Officer. The profile of the ideal General Counsel is, however, different from the profile of the ideal Chief Compliance Officer. To put it simply: The General Counsel is above all an advisor; the Chief Compliance Officer is first and foremost a manager. The General Counsel is expected to help make business decisions, taking into account what the rules say and arbitrating between what is wanted and what is allowed. The Chief Compliance Officer is concerned with the rules and processes that keep the organization compliant and will ideally be a champion in process leadership. Legal skills will, however, allow the Chief Compliance Officer to better understand the value and – more important still – the spirit of the different rules.

In a business world obsessed with compliance, the life of the General Counsel has not become any easier. Common sense and sound legal reflexes no longer suffice. General Counsels need to know the content of the rules, their background and intention. But the applicable rules are sometimes conflicting. Take the well-known example of U.S. regulations on whistleblowing or the request from the U.S. Department of the Treasury to disclose certain financial transactions to help fight international terrorism, which are not compatible with the EU Directive on data privacy.

From reaction to action

The traditional, old-style approach of the General Counsel is essentially reactive. He or she defends the company’s interests whenever they are attacked and gives advice whenever asked. The General Counsel of the future will need to be more proactive. In the role of legal risk manager, the General Counsel needs to anticipate risk and prevent it happening, rather than solving a problem after it arises.

This requires an understanding of the strategic direction of the company. The General Counsel is not necessarily a contributor to the strategic development of the company, but will invariably be a strategic minesweeper, clearing the way ahead to avoid painful accidents. This proactivity also involves an active dialogue with regulators to ensure they understand the business imperatives and find the best solution for all parties involved.

General Counsels also need to understand the interests and expectations of the different stakeholders in the company, be it employees, investors, customers, consumer associations, environmental or human rights activists. Whenever they are asked for their opinion, they need to take not only the regulatory environment but also other related or peripheral issues into account. The Counsel’s role is no longer to say what is legal and what is illegal, but to say what is right and what is wrong with a view to the broader context of corporate image, ethics and good governance. In this respect, the General Counsel is more than ever the conscience of the company.

To play this role, General Counsels need sound judgment based on a mixture of knowledge, wisdom and self-confidence. Their knowledge will embrace not only legal developments but also social trends, history, cultural differences and the context in which laws are created. Their wisdom will endow them with an understanding of human behavior and a sense of perspective that helps them see the long-term effects rather than the short-term advantage. Their self-confidence will enable them to speak up with conviction, to avoid corruption, and to be strong enough to put the company’s interests above their own. Also, they must be impervious to any outside influence, including the influence of the CEO or board members.

Paradoxically, the more independently the General Counsel acts, the more likely he or she is to develop a relationship of trust with the CEO and the board. While there are often occasions involving a conflict of interests between giving impartial advice and being considered a strategic partner to top management, in the long run, these may prove to be the occasions when trust is really built.

The role of General Counsel has become more challenging and risky as expectations have soared. On the upside, the role has gained in importance, profile and compensation. Careers of candidates for these roles need to be well planned and monitored in order to ensure that a vacuum does not occur when the General Counsel retires or… has to go.

For further insight, download the first issue of "Experts" published by the Legal Professionals Practice of Egon Zehnder International: The Compliance Challenge