What is Compliance SME?

In 2016, two researchers from the University of Michigan’s Stephen M. Ross School of Business published a report on their study “Why Don’t General Counsels Stop Corporate Crime?” The simple answer: “Because it’s not their job!”

This is precisely why true compliance subject matter expertise, earned in the field and with the profession successfully designing and managing compliance programs (“Compliance SME”), is the first and foundational element of the modern Compliance 2.0 model. The modern 2.0 model recognizes compliance as an independent profession, distinct from Legal, with the subject matter expertise (SME) needed by senior management to lead and advise its approach to the modern and existential issues of compliance, ethics, culture and reputation.

The modern Compliance 2.0 model takes the place of the failed Compliance 1.0 model that was based on a naïve and misinformed assumption by boards and CEOs that compliance should be structured as a captive subset of legal and thus driven solely by the legal mandate and mindset. That flawed model failed to accommodate the stark realities that compliance and ethics was emerging as a completely separate profession and SME from legal, with very different mandates, core competencies, practices and skill sets. At the same time, advocates for the in-house bar were sensing an opportunity to respond to the chaotic legal services market and claim the new role of Chief Compliance Officer for the legal field. Yet, in their zeal to claim the CCO role as nothing more than a “legal lieutenant” and a “process integrator,” these voices resulted in driving compliance into a flawed model destined to fail because it lacked true compliance SME and positioning to drive its distinct independent mandate.

Thus, the first generation of legal-driven compliance programs had in common two fatal threads:

1. a profound absence of any actual compliance SME and
2. a compliance program being managed through an often conflicting Legal mandate and mindset.

Some of these failed programs became notorious as examples of Compliance 1.0 “train wrecks,” including the General Motors delayed ignition switch recall, the VW extensive emissions software fraud and the Wells Fargo fake accounts and customer abuse schemes, to name a few.

Here’s a reminder of these three striking case studies that illustrate the need for a dedicated independent compliance mandate and SME (as I first noted in my Corporate Counsel column, “Why Don’t GCs Stop Corporate Crime?”):

• General Motors: The legal-driven compliance program failed to detect the deadly ignition switch defect linked to at least 124 deaths, an oversight that resulted in a long-delayed recall during a period where legal took action to train employees never to use the “69 Naughty Words” — such as “rolling sarcophagus” — and preached a policy of no notetaking in certain meetings — while in house lawyers were “quietly settling cases” with plaintiffs.
• VW: The labor law partner-turned-CCO designed and managed a compliance program that failed to surface warnings from two employees and a vendor to bring the enormous emissions cheating scandal to senior management for earlier resolution.
• Wells Fargo: The cross-selling fiasco, where the long-embedded misconduct by managers and employees was obscured by a pattern of retaliation against employees who tried to report the misconduct to an internal “ethics line.”

A review of all the Compliance 1.0 train wrecks to date makes it clear that any board of directors or CEO that entrusts “bet the company” issues such as compliance, ethics, culture and reputation to an executive or manager lacking a demonstrated track record of true compliance SME is committing nothing short of management malpractice!

In fact, once those senior managers have been adequately educated about the substance of compliance and ethics as a new and distinct profession and SME from legal (as noted in the University of Michigan study discussed above), they must then comprehend the peril of appointing an executive with no demonstrated prior experience or SME to perform such a profoundly critical role! Even the average homeowner looking to hire a contractor to remodel their home understands the value of prior experience and results – and this common-sense concept is no different for topics as important and complex as compliance, ethics, culture and reputation.

When asked to demonstrate prior compliance experience or SME to an uneducated board or CEO, a law firm partner may offer work defending a matter in a particular risk area (i.e., FCPA) or working with government officials for a client, as would most law firm partners or ex-prosecutors. But such matters are miles away from actual experience in the trenches, designing and managing compliance and culture issues within an organization. Boards and CEOs should not  permit their important oversight duties to be superficially satisfied by a candidate intent on “name-dropping” specific laws on which they are the acclaimed authority or specific legal matters and government agencies with whom they have worked. None of those areas can replace true compliance SME earned in the field!

Instead, to more responsibly understand the breadth and depth of the candidate’s true compliance SME, the board or CEO might initiate a discussion on a few sample topics:

• What are the various roles and responsibilities of managers from legal, HR, audit and the business units themselves (vis-à-vis compliance personnel) in supporting and facilitating a strong effective compliance program and ethical leadership culture?
• What is the best plan for ensuring that internal investigations on potential misconduct will succeed in finding and remediating or preventing that misconduct before it is discovered by third parties (independent investigators, prosecutors, government agencies, the media or whistleblowers) and then be resolved on terms demanded by those third parties (i.e., large fines and civil penalties, criminal prosecutions, court-appointed monitor, etc.)?
• How is the legal mandate different from that of compliance?

I have often advised new CCOs to remember that they are the compliance SME for the organization and that no compliance knowledge comes into their respective companies unless brought and diligently applied by them. Seasoned CCOs know that any compliance and ethics program is only as good as the individual managers who must own or manage parts of the program through their specific roles and responsibilities. This is the reason so many of the first generation of compliance programs failed to meet their goals, with spectacularly damaging results. The experienced CCO is not a lone ranger, cop or “legal lieutenant.” She is the seasoned compliance SME who understands on many levels the multidisciplinary nature of the work, the optimal way to educate and facilitate collaboration by the different managers supporting the program and what can realistically be achieved through each carefully managed phase or cycle of a strong, effective compliance program. This is the reason true compliance SME is the first and most foundational element of a strong compliance program that works to achieve management’s goals.

Boards of directors, CEOs and other corporate gatekeepers must do better!