It wasn't until the advent of Sarbanes-Oxley (SOX) in 2002 that compliance became a standard component of corporate structure. But the prominence SOX directed toward compliance hasn't faded into the sunset. As legal trends go, it seems that the focus on compliance only increases in fervency.
The recessionary climate of the past two years certainly hasn't done anything to slow the movement. Securities and Exchange Commission (SEC) investigations, scrutiny of overseas activities under the Foreign Corrupt Practices Act (FCPA) and employment law issues have all contributed to the increased attention.
"Put simply, there are more laws than there used to be," says Patrick Daugherty, a partner at Foley & Lardner.
But because the intense need for a compliance function is still relatively new, questions of who should fill the head compliance role and how to structure the program continually face debate.
"The activity level among regulators has clearly picked up over the last few years," says Jay Mumford, global ethics and compliance director at Accenture. "Organizations need to be aware of that and need to be continually looking at what structures they've put in place to meet those requirements."
Finding a Home
One of the biggest questions most companies face is who should lead compliance--the general counsel, another senior lawyer, a non-lawyer executive or a lower level auditor.
Who heads compliance depends on its function in a particular company, says Scott Mitchell, president and CEO of the Open Compliance and Ethics Group (OCEG). If the general counsel is a business partner who deals in executing strategic issues such as mergers and acquisitions, then it makes sense for that role to include compliance. But when the GC is primarily a litigator rather than business strategist, Mitchell says it makes more sense for someone else to assume that role--perhaps even someone outside the legal department.
"If compliance is led by someone who thinks primarily about litigation, his bias is going to be, 'How do we structure things so we don't get sued?'" he says. "That's an important element, but it should not drive the overall compliance structure." Instead, Mitchell says compliance officers need to think like a business person.
Daugherty notes that nearly every in-house lawyer plays some role in compliance. Project-related compliance questions tend to be better served by legal departments because they beg the question of whether the ideas are legal. A company's day-to-day adherence to statutes, however, needn't necessarily be overseen by a lawyer.
Regardless, Daugherty says compliance works best when a defined officer is in charge. And in most cases, that officer should be a very experienced lawyer because the job is so varied.
"It requires the ability to assess a situation and act quickly, like an emergency room physician," he says.
At the Helm
AGCO General Counsel Debra Kuper, who also oversees compliance, says it's crucial that the chief compliance role at her company be filled by a lawyer because so many of the compliance questions she encounters revolve around legal issues. The company hired her in 2008 specifically to strengthen its compliance program.
Now that the revamped compliance program is up and running, Kuper plans on divesting the chief compliance role from her GC duties within the next year. The role will be filled, however, by another senior-level attorney.
In Accenture's model, Mumford says compliance and ethics is embedded within the legal department, which then spreads the message of compliance throughout the company's infrastructure. Many compliance team members are lawyers who drive compliance functions related to their area of expertise, as well as the specific issues associated with the region in which they work.
Daugherty agrees that it's important to position specialists in compliance roles, particularly when dealing with global issues such as FCPA.
"Common sense is not an adequate guide to compliance," he says. "You really need training, and there needs to be an ongoing system for monitoring and correcting small problems before they become large problems."
Although a structure that intertwines ethics and compliance with legal has served Accenture well, Mumford says every company needs to find the structure that works best for its particular needs. "My question would be, has the organization constructed a structure for success that allows the global messages to be embedded into local vehicles and customized for the local audience?" he says. "If they've done that, they've done a very important thing."
Whether a company's head of compliance has a J.D. or an MBA, compliance should be integrated into corporate culture from the ground up.
Mitchell says compliance programs can learn a lot from how quality control departments have evolved over the past few years. Initially, quality control involved catching problems in the finished product. The second phase built quality checks by a manager into the assembly line. In the final phase, each person running a machine held responsibility for ensuring quality.
"The idea that really resonates for me is that every employee is part of the compliance staff," Mitchell says.
Kuper strengthened AGCO's compliance program by creating a top-to-bottom system composed of both lawyers and non-lawyers. Under her supervision, regional ethics and compliance officers, who are attorneys, evaluate risk. Non-lawyers in local, onsite compliance roles do more administrative tasks, such as running names on terror watch lists. When a red flag goes up, they send the information to the regional level for assessment.
She says she sees her role like that of an orchestra's conductor, making sure all of the pieces work together. "People are really open and teachable," she says. "They will pick up [responsibility] and run with it."
Mumford says the key to successful compliance is embedding the function into every employee. He suggests that scandal-plagued companies often tacked on compliance programs--sometimes very thorough- looking from the outside--without altering the basic company culture.
"The legal team needs to take ownership," he says. "Building in compliance instead of bolting it on is much more effective in getting rules followed."
Ultimately successful compliance depends on how well the program is implemented, regardless of who takes the reins.
"Ethics and compliance can be successful as part of legal. It can be successful outside of legal. It really depends on the organizational culture that you're looking at," Mumford says. "You cannot succeed in spite of people. You can only succeed in tandem with people."