In last year’s program management section of the Risk Forecast Report, we looked at the ethics and compliance (E&C) program characteristics of independence and authority in light of the level of board oversight of the program and the positioning of the Chief Ethics and Compliance Officer (CECO) within the management structure of the organization. This year, we will again look at the key program characteristics of independence and authority, with a focus on (1) the relationship between ethics and compliance (E&C) and the Legal Department, and (2) structuring E&C liaison networks effectively. Both of these aspects of program management, while distinct, have enormous capacity to contribute to the level of independence and authority of an E&C program.
The Relationships Between E&C and the Legal Department
In recent months, the E&C profession has re-energized its discussion of the appropriate relationship between the Legal Department and the E&C function. Several new surveys have produced fairly different results regarding the number of E&C programs that report to the general counsel or are otherwise positioned in the Legal Department—some indicating that the number is falling significantly, and others indicating that it is holding steady at around 40 to 50 percent. Regardless of the accuracy of the data, however, the surveys have invigorated the healthy debate regarding the appropriate relationship between Legal and E&C, a discussion that is largely focused on three questions:
- Does Legal have the appropriate expertise to oversee an E&C program?
- Does the relationship between Legal and E&C provide E&C with the recognition and authority it requires to implement an effective program?
- Does having E&C reside in Legal create a conflict of interest between the two functions?
What often seems to be missing from this debate is a close look at the primary purpose of the E&C function, and whether a given organization’s program structure furthers that purpose. It is helpful to go back to the basics and ask the question of what E&C seeks to accomplish in order to assess how it can best do so.
In conjunction with asking this fundamental question, you should also consider reviewing the E&C program charter for your organization (and, if you do not have one, consider drafting such a document). It is helpful to ask whether the program charter adequately reflects the goals that the organization has created for the program. And if not, it may be appropriate to reconsider the charter or reconsider the goals, and to obtain feedback from both senior leadership and the board on these framework questions.
So what are the goals of an E&C program? For most organizations, the primary goals of the program are to prevent, detect, and respond to misconduct. Additional goals, which serve to further the primary goals, are to (1) enhance the culture of compliance and business ethics, and (2) serve as a check on the business and other functions. The traditional elements of an E&C program are all carried out in furtherance of these primary goals. Thus, for example, in order to prevent misconduct at an organization, it is necessary to assess legal and compliance risks; utilize due diligence in hiring and entering into agreements with third parties; and educate and raise the awareness of employees and others through policies, training, and communications. And, in order to detect and respond to misconduct, one utilizes the traditional program elements of monitoring, auditing, reporting systems, investigations, discipline, and otherwise enhancing controls to prevent future similar misconduct. (The detection and response elements are also helpful in preventing misconduct, of course. For example, knowing that one’s work is being monitored or may be subject to audit, and knowing that misconduct may be reported, investigated, and disciplined, all serve as effective deterrents.)
The relationship between E&C and Legal should be assessed and determined in light of the goals of the program and the E&C activities conducted in furthering those goals. Many of these activities can effectively be carried out by an E&C function that is part of Legal. Legal is typically a good resource for assessing legal and compliance risks, conducting investigations, structuring due diligence for both employees and third parties, and some forms of monitoring and auditing. However, there are other E&C activities at which Legal has not historically been as adept, such as creating engaging training and communications and some aspects of culture promotion. Each organization should consider the goals of its program and the primary activities of the function in determining the most effective program structure.
With respect to the second question (regarding recognition and authority of the program), at some organizations, if E&C is not part of Legal, it simply will not have the clout it needs to operate effectively. And while it may be easy to say that an organization should simply give E&C the clout it needs, that is often not possible—at least in the short- and medium-term—depending on the culture, history, and existing management structure of an organization. Related to this question of recognition and authority is the consideration of whether having E&C as part of Legal impacts the perception of employees and others regarding the role of the E&C Department. If this structure has the impact of sidelining the E&C department, or diminishing the sense that E&C is a part of the business, then that weighs in favor of separating the functions.
The final question of whether combining E&C and Legal creates a “conflict” because of E&C’s role in serving as a check on the business and other functions is a more nuanced question than some commentators indicate. In considering this question, it is important to consider whether the Legal Department is a foreseeable source of risk to the Company (and hence would benefit from the “checks” that could be performed by a separate department). It is also important to consider whether E&C’s ability to serve as a check on the business and other functions would be diminished by separating E&C from Legal. Sometimes E&C relies on Legal as a source of authority and clout necessary to serve as an effective check.
For all organizations, the question of the appropriate positioning of E&C with respect to Legal should be answered following a careful assessment of the goals of the program, and whether separating E&C from Legal will further those goals or hinder them. Likewise, the extent to which any given program structure enhances or impedes the program’s level of independence and authority will differ for every organization. However, understanding the primary goals of a program, and understanding that independence and authority are simply program characteristics that service those primary goals, will assist organizations to make more accurate assessments. An organization’s structure should be determined not on the basis of convenience, but on the basis of effectiveness.
In recent years, many organizations have adopted networks of E&C liaisons. At some organizations, these liaisons are part-time and report primarily to other functions (such as Legal or HR) or to the business, but they typically also have important responsibilities for implementing the E&C program in their geographies or business units. Structured effectively, these positions can have an enormous impact on a program and on the culture of compliance within an organization. Liaisons can help make E&C programs more relevant to the local business they serve; they can provide critical input to the E&C office regarding the effectiveness of the program “on the ground,” and they often play an important role in implementing certain aspects of the program, such as rolling out training, receiving reports of suspected misconduct, and conducting E&C investigations.
A few critical requirements of an effective E&C liaison network include clearly articulated responsibilities and ensuring that liaisons have sufficient training, time, resources, and accountability to perform those responsibilities. In addition, the reporting relationship of E&C liaisons is an important factor in creating a successful program structure. Where liaisons have a solid-line or even a dotted-line reporting relationship to E&C, the likelihood of creating a successful E&C network is significantly increased. And where a CECO or E&C Committee has the ability to provide formal feedback to E&C liaisons regarding their work, including through input into the liaisons’ performance evaluations, the level of accountability—and thus the chance of success—is enhanced.
Conversely, where the E&C liaison does not have a reporting relationship to the E&C office, there is typically a negative impact on the level of effectiveness of the liaison network. E&C has long dealt with this same concern with respect to E&C investigations that are performed by employees in functions other than E&C. Where E&C has no ability to provide formal feedback to investigators, there can be a negative impact on effectiveness.
Not only does reporting to the E&C function help ensure accountability, it also enhances the level of independence of the E&C liaison, and thereby of the entire E&C program. When the E&C liaison has a formal reporting relationship of some type to E&C, the ability of the liaison and the entire program to serve as a check on the business and other functions is thereby enhanced.
Recent deferred prosecution and corporate integrity agreements emphasize the importance of an effective reporting relationship between E&C directors responsible for particular subject matter areas (such as anti-money laundering) or particular geographic regions or businesses and the CECO. These agreements require E&C directors to report directly to the CECO—not to the business or region where they are located. While solid-line reporting may not be possible where, for example, the E&C liaison is a full-time member of the Human Resources or another function, the importance of some type of formal reporting relationship is highlighted by these agreements.
In addition to independence, E&C liaisons should also possess an adequate level of authority within the business or region that they serve—another topic that has been the focus of E&C agreements, some of which have required E&C directors to be a member of senior management of the relevant business unit or geography. The same reasoning applies to E&C liaisons. In order to conduct investigations, oversee controls, and otherwise implement an E&C program effectively, the liaison must have an adequate level of authority within the relevant business or geography.
While E&C programs have made great strides in recent years, many organizations continue to grapple with questions of how best to structure their programs to ensure the level of independence and authority necessary for effectiveness. In tackling these questions, it can be helpful to focus on the principal goals of an E&C program (which, for most organizations, are to prevent, detect, and respond to misconduct). Program structures will undoubtedly change over time, but continually revisiting the question of how best to achieve the program’s goals, and how best to maintain independence and authority, should help ensure both an appropriate relationship between E&C and Legal and an effective network of E&C liaisons.
 These goals obviously come right out of the U.S. Sentencing Guidelines, but they are also the primary goals of most E&C programs—whether articulated or not. U.S. Sentencing Guidelines Manual § 8B2.1(b).
 See, e.g., the deferred prosecution agreement between the Department of Justice and HSBC Holdings plc (2012) and the corporate integrity agreement between the Office of Inspector General of the Department of Health and Human Services and GlaxoSmithKline LLC (2012).