Compliance versus Legal: Understanding the Distinctions and Overlaps

What is Compliance?

Compliance is the system of internal policies and regulations, developed by businesses and industries, to operate within the constraints of existing laws and guidelines. For instance, public companies must be organized and regulated so that they remain a ‘going concern’, meaning that at any point in time they are actually making money, not just ‘fluffing’. Similarly, businesses that operate within or near bodies of water must comply with environmental regulations concerning pollution, emissions and waste disposal. Both are huge and successful industries, but environmental laws came about for a reason, and that reason matters most to those who develop and maintain compliance systems.
Demonstrating compliance with federal or state laws and regulations concerns, above all else, protecting the business from being cited for a violation, both civilly and criminally. On top of that, demonstrating compliance also protects the officers and directors of the business from being individually punished for the wrongdoing of their company. There are myriad examples of this; the impacts can be significant to the individuals involved, and even more so to those who sit on the board of directors of a company with major compliance failures, as we saw in the Baylor University / Art Briles situation recently.
Moreover, compliance is intrinsically connected to industry. Indeed, many compliance obligations arise directly out of the requirements of a business’s industry. Further, businesses care about compliance not only because it is required but because it can be essential to their reputation (e.g., in the oil, gas, coal and environmental sectors). Because of these factors, those who "do compliance" must understand their obligation within the organization.

What is Legal?

Unlike compliance, legal requirements are not voluntary; companies must adhere to them because a law or regulation mandates it. The legal requirements companies are subject to are determined by the laws of the countries in which they have physical offices or operations, as well as the laws of the countries with which they do business. Legal requirements essentially establish the rules employers must follow. When legal requirements are not followed, penalties such as fines or private lawsuits can be imposed. Companies have a legal department whose sole job is to ensure that the company diligently follows the laws and regulations. Legal departments are often called upon to review internal policies and procedures to ensure compliance with the laws and regulations that govern employer-employee relationships (i.e., workplace safety, employee relations, and pay practices). Legal departments may also be called upon to draft new policies in order to comply with newly enacted laws, advise on potential liability exposure resulting from a new policy, or negotiate with the employees’ union representative before policies are implemented.

Important Distinctions between Compliance and Legal

Compliance and legal are distinct approaches to managing risk; they are alternative but complementary ways of addressing what an organization is required to do.
Scope:
Compliance is generally narrower than legal in terms of where risk is addressed. In large, high compliance industries like financial services and healthcare, there are specific laws, regulations and rules that dictate what must be done in order for a company to be considered compliant. Therefore, the scope often tends to end there as long as the company is in compliance with those specific requirements.
Legal may broadly overlap with compliance, but its scope is much wider than the specifics of who must do what in order to stay compliant. In addition, there are gray areas where it may not be clear whether something is legal or not. For example, it may not be illegal to use a product but it is not necessarily compliant with certain regulations to do so.
Objectives:
Compliance has a specific and defined objective: a stated result that is required and mandated by law or regulation. The objectives of compliance are typically both socially and individually altruistic. The social perspective generally relates to protecting the interests of society (e.g., protecting the environment). The individual perspective generally relates to protecting the rights of people (e.g., safeguarding personal data).
Legal can be specific but often has a variety of objectives. Legal may mean different things to different groups. Individuals working in the legal department tend to focus on addressing risk to the specific business they work for. Lawyers tend to focus on the laws and rules impacting the industry as a whole. In addition, outside of compliance, some lawyers have a general focus on laws, rules and regulations that have potential implications for any business or organization. For example, labor, tort, employment and trade law form a broad basis on which legal practices engage with businesses regarding litigation or risk management.
Methodologies:
Compliance has a limited methodology because there are specific compliance requirements and little flexibility in how to meet them: the required tasks must be performed. Compliance is primarily about performing the necessary actions to remain compliant. Therefore, compliance tends to fall under an operational or administrative approach.
Lawyers take a problem-oriented approach with the goal of creating a solution to the problem that is acceptable to all parties involved. Legal professionals employ multiple methodologies to address and mitigate risk, such as litigation, transactional work, and regulatory enforcement or advocacy. Because lawyers have multiple methodologies to choose from in order to meet their objectives, their approach to risk may appear more comprehensive than that of a compliance professional.
Examples:
With compliance, the entire focus is on the law, and that focus dominates most risk management activities. An example of a compliance management system is the Federal Sentencing Guidelines. Some organizations use these guidelines to implement a corporate compliance program to reduce the risk of prosecution and to minimize the potential penalties they would face if successfully prosecuted. Compliance professionals generally focus on implementation, while legal professionals may focus on the debate surrounding the guidelines.
A lawyer works for a CEO or other executive to address the risk introduced by working with or for another company, while trying to secure the best deal for their own company when establishing a partnership or merger. Legal professionals with a transactional background might oversee the transaction between the two companies; they determine and mitigate any potential risks associated with it and then finalize the agreement. They are also responsible for translating the deal so that their client fully understands its risks and terms; generally they perform research and seek clarification of any legalese that is unclear to the CEO.

How Compliance and Legal Intersect

Collaboration between compliance and legal departments is essential for the overall success of any organization. While their roles are distinct, they complement and reinforce each other in many ways. For example, compliance may uncover a need for a legal opinion on an issue it has investigated or acted on, such as a conflict of interest or an interaction with a foreign public official. Legal may be called on to offer its expertise to compliance to inform an investigation, or to pursue enforcement action against a violation of a policy or a law (such as antitrust or environmental rules). Both parties may insist that management seek a legal opinion when the company’s compliance and ethical obligations require it. Compliance also works closely with legal on creating policies, procedures and controls, managing investigations and remediation efforts, and testing compliance measures.
Compliance works with these departments:
Ethics – Accurate representation of the company and its work to the media and public is essential to accurate disclosures.
Programs – Effective compliance and training, and investigating violations, concerns and whistleblower complaints.
Policies – Oversight of company policies to comply with government regulations and laws.

Case Studies Exploring Compliance and Legal in Practice

Case Study 1: Financial Services Firm Sheds its Compliance Department to Stay Compliant
In a 2013 case study, a financial services firm faced an investigation by the U.S. Securities and Exchange Commission for failure to disclose hundreds of thousands of fraudulent transactions. In this case, Legal and Compliance had been operating quite separately from each other. Despite their successful collaboration in finding other types of fraud, they had not tackled this kind of fraud before.
Legal and Compliance shared a Compliance Officer but otherwise worked separately within their own departments. Each department had different goals and used different messages to communicate with the firm. While Legal issued advisories and notifications, Compliance issued guidance, policies, procedures and best practices.
The lack of cooperation between Legal and Compliance was highlighted when it was discovered that the Compliance-related reports showed that the firm’s procedures were up to snuff, even as the SEC was investigating the firm for failure to disclose those very procedures.
The firm restructured its approach to risk and compliance, creating an Enterprise Risk Management (ERM) function that linked all parties, including Legal, Compliance, the business and IT. The evolution was born out of necessity to avoid regulatory scrutiny, but the case study points out that "the launch of the ERM program also coincided with research showing that "highly effective" organizations have linked risk management programs, engage in cross-functional communication, and offer a more holistic approach."
Lessons Learned
A key driver behind this case study was that the firm needed to avoid regulatory scrutiny. However, it created an effective Compliance program through:
Case Study 2: "Broadening the Role of Risk and Compliance Teams"
This case study details how a major firm with a large compliance unit was able to leverage the parallel development of its compliance and risk management processes to better streamline and improve both.
In insurance and reinsurance, the central concern is risk management, and the firm had created a dedicated Operational Risk (OpRisk) unit in 2005 to handle these issues. However, the OpRisk unit began to notice that there was overlap between its own work and the work of compliance, but that neither department was capitalizing on the benefit of that overlap. For example, both units worked with finance, IT, and other areas of the company.
The OpRisk unit decided that there needed to be closer collaboration between the two units to increase productivity and leverage resources. The interest in merging was further accelerated when a member of the Compliance staff left the company, took another position, and reported back that his new company’s compliance team took a "holistic approach" toward compliance, integrated into the risk management unit in order to better understand and communicate "the importance of sound risk analysis and management."
The OpRisk unit and the Compliance team set up meetings to create a "business case" for a new team, combining OpRisk and Compliance. They addressed how the new team would be structured and how the merger would be communicated to the business units. They also addressed budgetary issues.
The merger was finalized and a new team was formed, now named the Risk and Compliance team. The new team has set up regular committee meetings with the business units, with team members assigned to those business units to support face-to-face communication and engagement. They have established industry-leading best practices in the area of compliance risk management.
Lessons Learned
Many firms or organizations have already established risk management units but aren’t taking advantage of merging their risk units with other departments. This case study highlights some converging issues that may be a source of inspiration for others facing the same situation, including:
Additionally, as highlighted in the case study, "Having one cohesive team eliminates confusion and oversights, and gives individuals a better understanding of how risk and compliance decisions affect their coworkers…also, it minimizes the overhead required to establish the infrastructure for these cross-functional relationships."

Navigating Challenges between Compliance and Legal

A tension between compliance and legal is common in many organizations. A few major challenges contribute to it: the ability to do both compliance and legal work, the ability to allocate resources and budget to both sides (which includes balancing the two against having enough resources at all), and the need for collaboration.
The ability to do both compliance and legal work is often difficult. Some people are better lawyers than compliance officers; others are better compliance officers than lawyers. But that does not mean that either job should exclude the other if an accurate and thorough job is to be done. While the lawyer side of the house may assume the compliance side can simply talk to the legal side, in practice that assumption often limits compliance’s ability to get advice, guidance, or advocacy when needed.
The challenge of resources and budget then comes into play. The budget for legal work is often much larger than the compliance budget. If you can only fund one, which gets funded? Or, more accurately, how do funding, resource allocation, and budget play together? If you do only fund one, does that send the message that one is prioritized over the other, leading to resentment and mistrust?
Finally, without good communication, these functions will not survive. If the compliance team and legal team are not communicating with one another on business issues that impact both areas, it leads to distrust and misinformation. If the compliance and legal teams do not communicate with the appropriate business units in the first place, that too can lead to missed opportunities and misunderstandings. It is also important that compliance communicates with the business units, because reporting on them to the board, or to whatever group has ultimate oversight responsibility (such as the board of directors and its various committees and/or senior management), is a key oversight function of compliance. The same goes for the business units and the legal department.

Future Trends in Compliance and Legal Collaboration

The future landscape for both prescriptive compliance and behavior-based compliance will be significantly influenced by the acceleration of technological change, the globalization of norms and standards, and the maturing regulatory environment. Behind these factors is the digitalization of commerce, which has a significant influence on the expectations of authorities, customers and the public.
Technological advancements such as Artificial Intelligence, Blockchain, self-driving cars and AWS (or the Cloud) are driving a new wave of pre-determined rules or ex-ante controls that have a much broader reach than traditional regulations. Self-driving cars will drive up traffic fines and accidents, while AI will inevitably transform specific professions and open up new pathways for cybercrime. These controls will run afoul of our current privacy regulations, which are not designed to manage publicly available information.
Regulatory and compliance standards and authorities are also becoming more globalized, at least at a soft law level. For example, Libra is facing scrutiny from regulators around the world. More broadly, such scrutiny indicates that national authorities are looking for a global or harmonized solution to technology’s risks. It will be interesting to see if they succeed in getting companies to follow uniform standards.
And lastly, as discussed in the previous section, the regulators are leaning toward a supervisory and whistleblower-driven model, which puts a high premium on good faith reporting and remediation. The precise way in which national authorities exercise their oversight of compliance is necessarily evolving to keep pace with the digital economy, which will also drive cross-border cooperation.
