Any chief compliance officer worth his or her salt knows that the compliance function is supposed to report directly to the CEO or the audit committee—and that idea sounds great in theory. Most corporations, however, are not hurrying to achieve that transition.

THE PANELISTS

The following executives participated in the July 20 roundtable on the overlap of legal and compliance at public companies.

Douglas Barnard, General Counsel, CF Industries
Lezlie Bartz, GM, Legal Compliance & Regulatory Solutions, West, a Thomson Reuters Co.
Matt Broad, General Counsel, OfficeMax
Michael Byrnes, Associate General Counsel, Rockwell Automation
Richard Crist, Chief Ethics & Compliance Officer, Allstate Insurance
Chris Dekker, Associate General Counsel, Brunswick Corp.
Bradd Easton, Associate General Counsel, Anixter International
Barbara Halpern Furey, Chief Compliance Officer, Unum Corp.
Gary Hagopian, Associate General Counsel, Procter & Gamble
Bob Herst, Chief Compliance Officer, Kraft Foods
Jeffrey Hessekiel, Chief Compliance & Quality Officer, Gilead Sciences
Mark Johnson, Chief Compliance Officer, CNO Financial Group
Steve Koslow, Chief Ethics & Compliance Officer, CUNA Mutual Group
Rick Kulevich, Senior Director, Ethics & Compliance, CDW Corp.
Stephen Liccione, Director of Corporate Compliance, Johnson Controls
Michele Mayes, General Counsel, Allstate Corp.
Betsy Moran, Chief Compliance & Ethics Officer, UnitedHealth Group
Mark Ohringer, General Counsel, Jones Lang LaSalle
Liz Ricci, Director, Governance, Risk & Compliance, Procter & Gamble
James Wooten, General Counsel, Illinois Tool Works


So said a bundle of CCOs at Compliance Week’s most recent editorial roundtable, hosted with Thomson Reuters in Chicago to talk about the overlap of corporate legal and compliance functions. Of the 20 compliance officers who attended, 14 said their compliance departments still report in some form to the legal department. Those 14 cited a variety of reasons for why they retain that structure, but they mostly echoed the explanation offered by Barbara Furey, chief compliance officer of Unum U.S.: “Our compliance unit has always been housed within the legal department, and it has worked well.”

Some attendees expressed more prosaic reasons for keeping compliance within the legal function. For example, several people weren’t comfortable with leaving ethics and compliance in the hands of someone who isn’t a lawyer, should an investigation be necessary and the company wants to protect itself with legal privilege. Others hesitated to move forward with a strong, stand-alone compliance function because they might not be able to undo that corporate bureaucracy in the future if they wanted to change course.

“My personal view is that because it’s compliance, if you build it, it’s even harder to unbuild,” said Matt Broad, general counsel of OfficeMax. From the regulator’s perspective, “taking away compliance resources is never good,” he said, so incremental steps forward are usually the best policy.

Another attendee took the same cautious view. “We don’t want to go too fast,” said the executive, who asked not to be named. “We want to be very thoughtful about it.”

All that is not to say chief compliance officers like the idea of keeping compliance subordinate to legal, either. Roundtable attendees were well aware of recent amendments to the U.S. Sentencing Guidelines that encourage companies to nurture a strong compliance function (ideally answering directly to the audit committee). They also pointed to numerous other statements from government regulators essentially pushing for that same goal of independence.

Jeffrey Hessekiel, chief compliance and quality officer at Gilead Sciences, observed that compliance is multi-disciplinary and generally “more hands-on” than the traditional corporate legal function. As a result, the best structure might be to include lawyers in the compliance department, but still have the department exist outside the standard legal function.

Steve Koslow, chief ethics and compliance officer of CUNA Mutual Group, agreed. “When you’re trying to wear both hats, it’s very difficult,” he said. “They are different disciplines that require distinct perspectives if you are going to serve your company well.” However, he stressed, “it’s an evolutionary type of understanding; it’s not going to happen overnight.”

Hessekiel also said that since regulators prefer the compliance and legal departments to be separate anyway, corporations—especially in highly regulated industries—might as well anticipate that pressure and remain “masters of your own fate.”

And in case things weren’t complicated enough, several attendees said their boards are now trying to assign them responsibility for enterprise risk management. Those efforts have not been well received.

“They tried to kick that onto my plate,” one compliance officer said. “I kicked it right off.”

Several attendees said they worried that many risks their companies face are primarily financial, and compliance officers and lawyers might not have the expertise to handle them. More broadly, they said, risk management is supposed to be something all executives across the company worry about, rather than compliance officers.

“So much of [risk] is financial that our [compliance] group just doesn’t have the financial acumen to deal with it,” the executive explained. “We can do operational risks, but when you start talking about the material risks that can actually take a company down … I’m just not going to take on that responsibility.”

Lezlie Bartz, vice president at Thomson West and co-host of the roundtable, suggested that corporations are on the right path when they at least try to divide the legal and compliance functions.

“From an examiner’s or auditor’s view, there may be more comfort in a separate reporting structure for regulatory compliance risk management,” she said. “Enterprise risk management can function as an independent body and can provide oversight when considering business impacts associated with regulatory change. Generally, regulatory compliance can have an impact on not just legal aspects, but also product, operations, technology and, ultimately, key revenue drivers.”

Compliance Charters

Another topic of discussion was charters specifically for the compliance function—a relatively new phenomenon that some attendees have adopted to strengthen the independence of their compliance departments. Allstate Insurance, for example, created a charter for its compliance function while the board’s audit committee was reviewing its own charter.

“We had a window of opportunity with the audit committee viewing their charter,” said Richard Crist, chief ethics, compliance, and privacy officer at Allstate. “We decided we’d jump through the window and take full advantage of it to ensure our roles and responsibilities are clear and current.”

Koslow said CUNA Mutual Group is taking a similar approach, first revising its audit committee charter and then looping the compliance function into the process after that. Since CUNA’s compliance function has evolved over the last three years, the charter is being revised “to better reflect the audit committee’s responsibilities as they relate to internal audit, compliance, and legal, so that there is greater clarity around those responsibilities,” Koslow said. “We hope to evolve to an ethics and compliance charter in the near future.”

Bartz endorsed the idea of compliance charters wholeheartedly, although she agreed that the practice is still new. “Seeking input from colleagues at similarly situated companies or from other members in an association are great ways to get started with a compliance charter,” she said. “However, depending on your area of business, it may be just as important to identify key stakeholders in any compliance decision and try to incorporate those [stakeholders’ perspectives] as well.”

Photo: Michele Mayes, general counsel at Allstate Insurance, offers her views on compliance; at left is Bradd Easton of Anixter International.

Photo: Rick Kulevich, senior director of ethics and compliance at CDW Corp., speaks up. At right is Matt Broad of OfficeMax.

Photo: Steve Koslow, chief ethics and compliance officer at CUNA Mutual, stressed the importance of ethics. At right is Gary Hagopian of Procter & Gamble.

For example, Bartz said, some companies might have greater need for external communications with consumers or have greater risk of reputational damage stemming from a compliance problem. “That could be disclosure related, or it could focus on product level responsibilities and how they are perceived or viewed as being valuable to the consumer,” she said.

Ethics

Roundtable attendees also said they worry a lot about ethics. More than one lamented that for all the compliance policies and procedures and monitoring, in the final analysis, a compliance infraction happens when an employee still consciously decides to commit some sort of misconduct. And too often, other employees know about the misconduct but still don’t step forward to report it.

“I find very few cases where we’ve had a breach or a violation where somebody didn’t see something early on, so I’m worried about those folks not stepping forward, and not stepping forward early enough,” Crist said. “On an ongoing basis, it is tough to get everyone to buy into the notion that we all have to police our culture and everybody has to speak up.”

Another part of the challenge is teaching ethics. Ethical behavior itself isn’t necessarily easy to measure or sustain, Bartz said. Companies can also fall into the habit of drilling rote compliance behaviors into the workforce, when teaching by example might be the better route for ethics.

“Organizations with strong leaders who have demonstrated their values to a community or industry help foster that same view in their employees,” Bartz said. “Openness, respect, and valued opinions commonly are driven from the top down, but they are brought to life by all employees.”

Teaching ethics to new employees, especially in the wake of a merger with another company, can be especially challenging. “It takes years to establish an ethical culture,” said Douglas Barnard, general counsel of CF Industries. “We reinforce our culture by taking ethical lapses very, very seriously.” At a minimum, he said, the CEO gets involved; more often than not, the board does as well. The whole process is “quite visible throughout the organization,” he said.

Koslow stressed that ethics and compliance officers should foremost focus on how to help employees “evolve to … a more mature thinking around business ethics, and what that means.”

“While I spend most of my time in the compliance world, what keeps me up at night concerns the ethics world,” he said. “An ethics issue will trump a compliance issue every day; you can have the most rigorous compliance program in the world, but if the ethics in your organization isn’t sound, your company’s headed for trouble.”