By: Bruce A. Ortwine
Introduction: Legal and compliance are two essential functions in any contemporary organizational structure. The specific relationship between these two functions, including reporting lines and division of responsibilities, may well vary depending on the particular organization, but effective communication, coordination and cooperation (the “Three C’s”) between the two functions in all cases are essential. Additionally, legal must be heavily involved in helping compliance develop an effective organizational compliance framework. A failure to develop and maintain the Three C’s increases the prospect of a failure or breakdown in the organizational compliance framework. Once that failure occurs, legal must, by necessity, become heavily involved in attempting to mitigate the damages that have already resulted. Constant enforcement of the Three C’s can help prevent a compliance failure or mitigate the risks to the organization if it does occur.
Organizational Relationship Between Legal and Compliance: In today’s world, an organization of any significant size must include in its organizational structure both legal and compliance functions. Smaller organizations may out of practicality or necessity combine the two into a single function with perhaps two or more persons sharing these separate responsibilities. Even if only one person performs both functions, the separate characteristics of these functions should nonetheless be recognized.
Legal is not compliance and compliance is not legal. The two functions are not synonymous but instead are both substantively different and at the same time highly complementary. Legal should be comprised solely of attorneys who are knowledgeable of the organization’s activities and capable of analyzing, assessing and interpreting the laws and regulations that affect the organization and its business operations.
Compliance may or may not be comprised in whole or in part by attorneys, but its function is clearly distinguishable from legal. Compliance does not perform the responsibilities of legal. Rather, its function is to utilize legal’s analysis, assessment and interpretation of those laws and regulations, and to develop, in cooperation with legal, an effective organizational compliance framework in which the organization is required to comply with those laws and regulations. Compliance then is responsible for monitoring and testing the organization’s actual compliance with the specifics of its compliance framework.
The reporting lines between legal and compliance will vary from organization to organization. In some, compliance reports to legal; the reverse should never be the case. In others, compliance may be completely separated from legal and report to a different function, such as chief financial officer, chief executive officer, or internal audit committee of the board. No matter what their respective reporting lines may be should not in any way affect or impede the need for a constant Three C’s relationship between the two functions. It cannot be overstated how essential this relationship is for an organization to attain and maintain an effective organizational compliance framework.
Legal and compliance must be viewed as equal partners in the development of an effective organizational compliance framework, no matter what an organization’s particular reporting lines may be. Legal and compliance must recognize their obligations as equal partners and invoke and carry out the Three C’s on a constant basis. Insularity, competition, gaps in respective responsibilities, or lack of communication between these two functions increases the risk of a compliance failure or breakdown, and is a recipe for what can quickly and uncontrollably escalate to disastrous consequences.
Legal Involvement in Developing an Effective Compliance Framework: Legal should be actively involved in all stages of the development, implementation and ongoing maintenance of an effective organizational compliance framework. Because of its training, experience and orientation, legal brings a unique perspective to how a specific law or regulation should be interpreted and, from a practical perspective, incorporated into an overall organizational compliance framework. An untrained person in compliance may misinterpret the practical ramifications and requirements of a specific law or regulation, either by minimizing or overstating them. A skilled attorney can provide an often calming and reassuring interpretation of the law or regulation and advise compliance as to how best and most efficiently the organization can comply with it.
Specifically, legal should develop the universe of laws and regulations that apply to the organization’s business activities and operations. For an organization operating solely within the U.S., the universe would be comprised of relevant Federal, state and local laws and regulations. For an organization operating in multiple jurisdictions, the universe would also need to include the relevant laws and regulations of each of those jurisdictions.
The relevant universe will vary from organization to organization and should be “granular” in nature, that is, tailored to the organization’s specific business activities. All organizations have certain relevant laws and regulations in common, especially those criminal in nature. However, the universe of laws and regulations of an organization engaged in financial services, for instance, will differ significantly from that of an organization engaged in manufacturing and, also, from that engaged in social media, as will that of an organization whose business activities are purely local versus an organization whose activities are global.
The laws and regulations that comprise that universe should be accurately and completely summarized in clear and understandable language so that non-lawyers are able to understand them. In a multi-jurisdictional organization, the laws and regulations should be tailored to the requirements affecting the employees and their job-related activities in that particular jurisdiction. They should be compiled into a handbook or comparable document and shared with all employees of the organization. That document, in turn, should form the basis for compliance’s organizational compliance risk assessment.
Compliance, with the assistance of legal, should analyze and assess the universe of laws and regulations applicable to the organization, and develop an organizational compliance risk assessment. The risk assessment should assess the overall potential risks of each specific law or regulation, both in terms of the likelihood of the law or regulation impacting the organization and, if it were to do so, the severity of the impact it would have on the organization. This analysis will facilitate the prioritization of each law or regulation depending on whether, as a result of this analysis, it poses an inherent High, Medium or Low risk to the organization.
Compliance should then analyze how the organization is addressing each specific law or regulation, whether the risks related to the particular law or regulation can be prevented or otherwise controlled or mitigated through after-the-fact detection. Compliance should then assess the existing organizational compliance framework and determine the extent to which the controls in that framework adequately control each particular risk. All gaps that exist between these risks and the existing controls should be identified and an action plan for corrective action should be developed and implemented with specified timeframes as to how these gaps can be eliminated or otherwise effectively controlled or mitigated. This analysis determines the residual High, Medium or Law risk of a particular law or regulation.
Compliance should then develop comprehensive training and communication programs, in which all employees of the organization are informed of the relevant laws and regulations that apply to their respective job responsibilities, and their responsibility to fully comply with them. Training should be both mandatory and periodic (annual or semi-annual) and should also include the testing of employees on their knowledge of their responsibilities and require that employees sign periodic certifications that they both understand and are in full compliance with those responsibilities. Training on these issues should also be a part of the orientation program for each newly hired employee.
Throughout this process, compliance should consult on an ongoing basis with legal, and legal should be readily available to lend its assistance and support to compliance. The Three C’s are an absolute requirement in order to make this process constructive and lead to a successful outcome.
But what might happen if legal and compliance do not engage in the Three C’s? What if legal is not involved in the development of an organizational compliance framework or, if it is, its involvement is inadequate, ineffective, or both? What if, for some other reason, the organization’s compliance framework is deficient?
Examples of Compliance Framework Deficiencies: In recent years in the U.S. a number of highly reported public enforcement actions have been brought against organizations, especially organizations in the financial services industry. The specific compliance failures have often occurred in one of several different areas, including violations of anti-money laundering laws and terrorist financing prohibitions; LIBOR or foreign exchange rate or other price rigging or anti-trust violations; fraud, including in the sale of mortgaged-backed securities; and bribery of foreign governmental officials. In all of these cases, the specific compliance failures have resulted in massive monetary fines, enhanced monitoring by regulatory agencies through mandatorily appointed independent monitors and severe reputational loss.