Addressing the inherent conflict when the compliance officer is also the general counsel
In his 1588 play Henry VI, Shakespeare wrote: ‘The first thing we do, let’s kill all the lawyers’, probably to depict the layperson’s frustration with the arcane and sometimes trivial complexity of the law.
In his December 2007 Directors Monthly article, ‘Compliance, ethics and corporate culture: a call to action for board leadership’, Gary Edwards, CEO and co-founder of Ethos International and the former president of the Ethics Resource Center (ERC), makes some provocative criticisms about what he sees as problems with the structure and function of most current corporate ethics and compliance programs. One rather pointed comment he makes is that ‘the wrong people are in charge’ – and by ‘wrong people’, Edwards means lawyers.
So what is his beef with lawyers and their role with compliance programs – especially given that he trained as one? According to Edwards, ‘a lawyer’s expertise is not in ethics, but in preventing things from happening that are illegal. The law lays down minimal requirements – the floor, as it were. Some companies will decide to go below the law, to the basement, judging that the risks and penalties for getting caught are outweighed by the benefits that will accrue if they can get away with suspect behavior.’
He continues: ‘Ethics set higher standards and expectations for how we treat fellow workers, customers, suppliers and the communities in which we operate.’ And this is ‘not really the stuff of the general counsel’, whose province is more ‘what we can do and can’t do within the law.’ Put a lawyer in charge of ethics, says Edwards, and the mindset is totally different. It becomes ‘what we can do, not what we should do.’
To a degree, Edwards makes a valid point: functioning as an attorney in a compliance role does not provide the appropriate perspective to run an effective ethics and compliance program. This is an area that has been the subject of a great deal of debate lately, and although many people attest to recognizing the need for specialized compliance experts – who may well not be lawyers or even report to lawyers – the majority of companies still house compliance activities within the office of the general counsel.
That’s not to say that law is the wrong kind of professional training for running an ethics office. Several active chief ethics and compliance officers (CECOs) are former attorneys and are excellent in the role. The more accurate response to Edwards’ criticisms is that it depends. The trained lawyer who chooses to operate in the attorney mind-set while in the compliance and ethics role is the one likely to prove ineffective as a CECO. He or she should try to take a non-legal view and consider a situation purely from an ethics perspective.
A glaring example of this is the case of Kevin Hunsaker, former senior counsel and director of ethics at Hewlett-Packard (HP), who faced criminal prosecution for his role in a pretexting incident to illegally obtain information involving company board members (DA no: 061027481, October 4, 2006). Hunsaker, when asked about the legality of some of the tactics being used by the company, reportedly stated, ‘I shouldn’t have asked…’ when told that the conduct in question was on the edge.
As a compliance professional, however, he should indeed have asked and he should indeed have done something about the situation. The response revealed the mind-set of an attorney acting as a corporate advocate rather than a compliance and ethics adviser.
CECO v general counsel
A common question that is still often raised is whether a general counsel can simultaneously serve as the CECO. Alternatively, it is asked whether the CECO should be part of the legal department and report to the general counsel.
Both the CECO and the general counsel perform crucial and related compliance functions for their organization, but is there a real distinction between the two roles? Can one individual serve effectively in both? What safeguards, if any, are needed if one does serve in a dual role? And where the two positions co-exist, how can they work together to help achieve the goals of the compliance program?
In healthcare industry sectors, these are largely settled issues. With the federal Health and Human Services compliance program guidance issued by the Office of Inspector General, it became apparent that regulators were of the view that a CECO should not be subordinate to a general counsel or a chief financial officer. The concern about how the legal department should liaise with the compliance function was made abundantly clear following a now infamous quote by US Senator Charles Grassley (Republican, Iowa) in a letter to Tenet Healthcare Corporation: ‘Apparently, neither Tenet (nor its general counsel) saw any conflict in [the general counsel] wearing two hats as Tenet’s general counsel and chief compliance officer… It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement.’
Both roles face challenges and tensions between their respective functions. Both have compliance responsibilities, but they each have distinctive roles that can result in potentially conflicting professional obligations. Various reporting models and relationships exist between the two, and approaches can be used to ensure appropriate checks and balances are in place.
Ongoing misunderstanding
Yet much of the legal profession still doesn’t get the dissimilarity between the roles, much less the distinction between ethics and compliance. A recent survey by Corporate Board Member/FTI Consulting (second quarter 2009) reports that 74 percent of general counsel surveyed believe they should be considered the chief ethics officer. Amazingly, this reveals the continuing misunderstanding of the role and purpose of a compliance and ethics program by attorneys, even those as senior as the general counsel – so maybe Edwards is absolutely right that the wrong people are in charge. Are these surveyed general counsel as familiar with the Federal Sentencing Guidelines for Organizations as they are with Section 307 of SOX?
In difficult situations, a CECO’s perspective about a controversial transaction or event would obviously go unnoticed if that person was also serving as the general counsel and happened to agree with executive management. Competing professional responsibilities need a system of checks and balances that are more difficult to achieve when all responsibilities, perspectives and knowledge are located within one person or even one function. There has recently been a rash of in-house attorneys being implicated in major allegations of misconduct, including backdating of stock options and the use of pretexting to obtain personal data.
Managers and board members do ask compliance officers and general counsel to seek another opinion if they feel the advice on a given issue is too extreme or there are strong differences of opinion. There can also be subtle pressure from management to push the compliance department away from uncomfortable issues to minimize the impact on the firm’s business operations.
These tensions can be difficult to manage because there are few really bad actors – those applying the pressure to marginalize a compliance program often have legitimate concerns. In the healthcare industry, for instance, management can question whether it is appropriate to divert significant resources to focus on a highly technical issue that has minimal patient care consequences, or whether resources would be better spent on clinical trials and improving safety. Does it really matter if the physician’s signature is stamped or in ink, as long as the physician is providing clinical quality of care?
It can be a difficult call for a compliance professional to know whether he or she is being an abrasive, inflexible nitpicker, imposing needless costs on a beleaguered system, or wearing the white hat and simply trying to do his or her job. It doesn’t help if the compliance and ethics officer is also the head attorney, who may be biased toward the interests of the company rather than doing the right thing.
One often overstated concern is the impact of compliance program involvement on legal privileges and discovery protections. A dual role or direct involvement of the CECO probably limits any assertion of attorney-client privilege, but in many instances (especially those involving self-disclosures) the privilege for practical purposes is too narrow or simply not asserted anyway. This is also easily remedied by having a protocol to assert privileges with counsel in the organization or outside counsel in appropriate situations.
Recognizing the compliance profession
Organizations need to better understand and respect the compliance profession. According to a forthcoming Compliance Week/Integrity Interactive ethics and compliance practices benchmarking survey, while companies in more regulated industries already had well-established programs to address regulatory compliance, the ethical crises of the early 2000s forced them to overhaul their integrity programs to comply with the amended US Sentencing Guidelines.
While most combined the two programs, others opted to keep them separate, fearing that if they were combined, regulatory compliance would dominate everything and ethics and values would be forgotten. In the early days (before Enron and SOX), compliance and ethics officers narrowly focused on enforcement of regulatory requirements, codes of conduct and corporate policies and procedures. Today they face expanded duties, and the role varies considerably between companies. Thanks to corporate scandals the job is broader in scope, more visible and more stressful than before, with a major change being the integration of ethics into the compliance role.
In providing legal analysis and advice on how the organization can comply with any and all applicable laws, the general counsel has a certain vantage point for guiding an entity toward attaining its business objectives. By comparison, the CECO is first and foremost a manager of a corporation’s actions in implementing a compliance plan, with legal considerations as a backdrop. He or she is obliged to do whatever it takes to detect and prevent any corporate misconduct.
As seen in healthcare, strict regulatory requirements and a unique operational environment require close coordination and cooperation between the legal and compliance functions. The key to a successful partnership is a clear understanding of each other’s role and the mutual dependencies of each. In the final analysis, a board needs to be confident that, through the structure of its compliance system, it is receiving a sufficient body of information to exercise its oversight role and prevent corporate governance failures.
A compliance program must correspond to the organization’s own structure and business imperatives. In more and more organizations, a robust compliance and ethics program with a high-level CECO, independent from the general counsel, is proving necessary.