
Independence Is to Compliance As Law Is to Legal and Audit Is to Audit

By Roy Snell posted 03-25-2009 04:18 PM

  


We Are Not Implementing Compliance Programs Because We Need More Legal Advice

Reprinted with the permission of CHC's JHCC

We do not think about independence enough. It may be the single most important factor to effective compliance. The lack of independence has caused some of the most significant compliance failures. Education, auditing, hot lines, risk assessments, et cetera are all important, but many of the most serious compliance problems go unresolved because of independence (or lack thereof). Independence is the key to compliance.


Most problems that end up in settlements were known by someone somewhere in the organization. There was a lack of independence, however, and no action taken. Enron, WorldCom, Tyco, and HEALTHSOUTH all had problems that were known by people in the organization long before they were discovered by the enforcement community. Even the Madoff case was known by the U.S. Securities and Exchange Commission (SEC); because of conflicts of interest, however, the problem was not addressed.


They all did nothing because they lacked independence. They were conflicted up to their eyeballs. If they had an independent compliance professional reporting to the board, many of these problems could have been addressed. Although it would have been hard, it would have been much better than what eventually happened to them.


The lack of independence shows up with comments like this… “Somebody would be mad if we addressed the problem, so we dropped it.” “Revenue would be lost if we addressed the problem, so we dropped it.” “It would be expensive if we addressed the problem, so we dropped it.” “We might get penalized if we addressed the problem, so we dropped it.” “We would have to disclose it if we addressed it, so we dropped it.”


Those who came before compliance did not get the job done, so people began implementing compliance programs (with the encouragement of the enforcement community). Compliance came about because many of those who came before us were conflicted. Compliance programs did not come about because there was a shortage of legal advice.


I am not talking about average, everyday simple problems. The legal department gives lots of advice on simple problems without conflict. Much of the time legal and compliance can coexist without this concern about objectivity. As problems grow in size, the ability to be objective diminishes. When we really need independence is when we have a major issue. We need the legal department to defend the organization, and we need compliance to ensure we have an objective view of the problem.


We do not always know when we need to rely on independent thinking. We do not always know when independence is necessary or when it would save us from making a mistake. Therefore, it is best to have independence all the time. Both departments can collaborate when possible and work independently when needed.


Compliance needs independence. Our organization needs compliance to be independent. Independence does not cause problems. People say, “We can’t have loose cannons running around because they might make a mistake.” Well, they are right. We need to make good decisions. Legal aspects of the compliance job need independent verification. Independence should not be squashed; bad legal decisions should be squashed. We do not need to give up independence to address these concerns.


Some industries are in a lot better shape now than they were in the past. Years ago when compliance programs were first implemented, the legal department had control of many compliance programs. In some industries, it is much less of an issue now. Many legal departments are actually supportive of the need for independence. It is not true, however, for all industries. I recently attended a compliance conference for a particular industry. For the sake of this discussion, let’s call it the Ameba industry.


I felt like I was back in the mid-90s. Many Ameba industry compliance officers came from legal and reported to legal. Compliance programs were relatively new to this industry. As is often the case, leadership felt that because compliance programs related to the law, they should be in the legal department. They failed to understand that compliance programs did not come about because we needed more legal advice; they came about to provide more objectivity.


Some say that the compliance department does not have the legal background to handle legal issues and, therefore, should report to the legal department. We have not eliminated the legal department because they do not have the legal expertise to handle subspecialty issues. The legal department frequently seeks outside help. The compliance department also seeks outside legal advice.


The Ameba industry leadership probably has not seen the numerous recommendations by the enforcement community that stated, “You should not have compliance programs reporting to the legal department.” Some may have simply refused to give up control.  The Ameba industry has not evolved as far as some other industries.


Some of the people I met at the meeting had that “Don’t look, don’t ask, don’t touch, don’t tell” perspective. Ten years ago when I heard legal departments say this I thought it did not make sense. Now I am just plain dumbfounded. There were actually suggestions not to perform risk assessments because you might find a problem and have to deal with it. The Ameba industry compliance officers will evolve as those who came before them evolved.

Independence is recommended in the U.S. Sentencing Guidelines (USSG) and Office of Inspector General compliance program guidance documents. When the government implements corporate integrity agreements (mandatory compliance programs frequently included with large settlements), they often state that the compliance program must be independent. Even the politicians have gotten in on it.


In an eight-page letter, Senator Grassley said, “It doesn’t take a pig farmer from to smell the stench in this conflict.” This was in reference to the general counsel and compliance officer being one and the same person in a company that had several settlements. That general counsel/compliance officer resigned stating that she had become a distraction for the company (a euphemism for, “I have almost run this company into the ground, so I better leave”). The positions were separated. The organization he was referring to eventually paid over one billion dollars in fines.


I have a colleague who was a compliance officer (and also the general counsel) of a large company. He disagreed with the government’s perspective. In fact, he would defend his position publicly. He even attempted to support his position by influencing industry guidance documents to make room for cases in which compliance could report to the general counsel.  One day, one of his board members got a hold of one of the aforementioned government documents. The board member asked if he was aware of this and how could he put their organization in this position? Apparently, his answer was not what the board member was seeking.


Shortly thereafter the positions were separated and he is no longer the compliance officer. He still thinks he is right. He is not alone. I was going to make a joke about him also being a member of the Flat Earth Society. I did not want to refer to a group that never existed, so I looked them up. Not only did they exist, they do exist. Theflatearthsociety.org has hundreds of thousands of current posts. Round or flat, the Earth is filled with very interesting points of view.


Most every time the enforcement community goes in to investigate or settle another case, they try to establish how hard the company was trying to prevent this problem. They are trying to get a handle on the size of the message they need to send to the company. 

The USSG suggests that if you are making an effort to implement or manage a compliance program, you should have significantly reduced penalties. Some enforcement professionals get more specific. One of them told me a story in which he asked leadership in their initial meeting who defends the organization?  The general counsel raised its hand. He then asked who runs the compliance program or objectively looks for, finds, and fixes problems that the organization may be causing others.


Answering these two questions by pointing to the same person puts the organization in a hole. It is possible to have the compliance department report to the legal department, but why put yourself in that position?


There are other forms of independence blocking such as finance, leadership, and so on. We do not talk about this much because nobody wants to accuse people they work with of these things. Occasionally, overzealous compliance professionals overreact to a problem and encounter legitimate resistance from leadership and label it as a lack of independence. Some compliance professionals make mistakes; however, just because there could be a problem or has been a problem, does not mean we can justify (nor would it be logical) taking away independence from compliance.


The legal department and the audit department make mistakes, but we do not take law from legal or audit from audit. Why would we take the independence from compliance just because they may make a mistake? Independence is to compliance as law is to legal and audit is to audit. If you take independence from compliance, you have nothing.
