American Bar Association

ABA Section of Business Law


Volume 13, Number 1 - September/October 2003

Putting the pieces together
A game plan for an effective compliance structure
    By Michael E. Fine

With all the talk about better legal compliance — from Washington regulators, Wall Street and the growing ranks of specialized consultants — practical advice about how to build a good program is still surprisingly hard to come by. Formal Sentencing Guidelines elements are now well-established, as is the post-Enron maxim — codified in new Justice Department guidelines — that mere "paper programs" are no longer sufficient. But how to turn well-meaning aspiration into "effective" daily practice is by no means clear.

The central message from a recent "best practices" analysis of compliance at major U.S. companies with sophisticated programs was the importance of a good concept and game plan. Of all the large and small steps being taken to improve compliance with applicable legal rules, experienced compliance managers reported that none was more important than building "the program." Good compliance requires carefully crafting structure and processes, not just articulating substantive legal rules.

In this most fundamental sense, corporate compliance can take some lessons from major league baseball and the "programs" developed by successful franchises. Winning depends not just on good players; you need a good organization that will produce a maximum result with the available resources. Success is built on a solid program, well-conceived and effectively implemented; a capable front office, smart manager and seasoned bullpen; teamwork and a winning spirit.

You need an owner who will invest in and then stand behind the program. And, as any Yankee fan will tell you, a system that when necessary can win despite the owner.

While there is no single path to the pennant, there is a formula. What follows is a step-by-step approach for building a winning compliance franchise.

Step No. 1: Get focused

The best teams start each season with a zen-like focus on the basics — who they are, where they want to go and what they have to do to get there. This kind of self-knowledge is equally essential in a compliance setting. As Yogi Berra said, "You got to be very careful if you don't know where you're going, because you might not get there."

Getting focused starts with developing a good working definition of "compliance." Program designers need to ask such obvious but also essential questions as what areas of law and practice the program needs to cover, for which personnel, in what manner, and to what end. Core legal requirements may be apparent (for example, waste disposal for a chemical manufacturing operation). But without a formal procedure for coverage determinations, it can be easy to miss other important areas (such as export controls or bribery prohibitions when sales expand offshore). Likewise, judgments need to be made about which employees to train in what areas, and with what methods and learning objectives.

The task is further complicated by the very different perceptions and objectives people within an organization may bring to compliance. As you would expect, lawyers tend to see compliance in legal terms (often limited to their own special niche), HR personnel through a softer business "ethics" lens, and auditors as a function of the company's financial reporting obligations. Year-end revenue objectives set the basic framework for business managers (particularly at lower levels), while for directors this is more likely to come from Caremark and Sarbanes-Oxley mandates. Such varied viewpoints enhance the overall program. But in compliance, as on a baseball diamond, success requires some broader shared vision of the project.

In practical terms, this means investing the time and energy to understand a particular organization (it really is true that one size doesn't fit all), and developing processes that will engage the right people, ask the right questions, and produce and then communicate a workable program baseline. (In one notable example, the new chief compliance officer at a scandal-plagued company reported taking a year to "really learn the company and its people" before instituting major structural reforms.)

Step No. 2: Develop the organization

With everyone now focused on a common goal, you can begin to think about putting the organization together. There will be a raft of issues and details to work out, but in the broadest sense this will be about defining program objectives and figuring out how to reach them.

Why organization matters: Every summer my son asks me the same question: Why are the Yankees always so good and why don't the Orioles (our "home" team in Washington) seem to get any better? One reason even a 12-year-old can understand is "organization." New York has built a good one; Baltimore hasn't.

What sets good compliance programs apart is their attention to detail — the systems, controls and processes needed to breathe life into written policies. Substance, of course, matters. You can't expect the international sales force to comply with the Foreign Corrupt Practices Act unless you tell them something about it. But getting the law right in the business code or training materials isn't going to have much practical effect without a good system for implementation. Most companies do a reasonable job in most areas writing down the rules. The "effective" programs have developed reliable procedures for training, monitoring and enforcement.

What makes for a good organization: So, my son wants to know, why don't the Orioles just go out and get a better system? They would if they could, of course, but it's never so simple. Programs need to be tailored to particular needs and circumstances. What works in New York won't work in Baltimore, without proper adjustment for differences in culture, personnel, needs and resources. Real world compliance is no different.

Designing a good organizational structure has been made that much harder by the paucity of practical guidance. The Federal Sentencing Guidelines, for example, merely advise companies to have "a program that has been reasonably designed, implemented and enforced so that it generally will be effective in preventing and detecting criminal conduct." That's like telling the Orioles they need good pitching, hitting and fielding to get to the World Series.

Compliance managers need to answer such practical questions as what it means for a program to be "effective" and what step-by-step processes are needed to get there. This has many different applications, and the proverbial devil is very much in the details. But stripped to its essentials, the critical litmus test is whether a compliance structure can effectively address the question(s): "Who does what, when, how and for whom?" To make this more concrete, consider the scenarios described in the sidebar on this page and what structural changes would be needed to close perceived gaps in a given program.

Step No. 3: Engage the owner

Third on my checklist is giving the organization (or structure) a good grounding. This comes from the directors, who like team owners play a critical if under-appreciated role in any successful enterprise — from setting the overall tone and direction to supplying essential resources, overseeing the program and, when necessary, fixing the system.

Good compliance should both begin and end with the directors, who under established corporate governance rules (reinforced by recent Sarbanes-Oxley reforms) have ultimate responsibility for setting up the basic program and making sure that it works over time. The seminal Caremark case establishes that directors have an affirmative duty "to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists."

This duty has several discrete elements:

  • a board resolution mandating adoption of an effective compliance program;
  • appropriate delegations of responsibility and authority; and
  • an effective oversight process.
All three areas recently have been the subject of considerable scrutiny and process refinements, with particular attention to such practical issues as director education, lines of reporting and the rigor and frequency of oversight. And as in baseball, the organization needs to be robust enough to survive occasional lapses at the top.

Step No. 4: Hire the right manager

There is no more critical organizational decision than the choice of a top manager to run the team. For compliance, this has three distinct aspects: defining the job, deciding on a structure, and matching title and authority.

Defining the job: Not so many years ago, compliance officials were widely seen primarily as chief "ethics" officers charged with a general watchdog function. Whether this was ever accurate, the image no longer comports with reality. Compliance programs have changed dramatically in recent years, and at the heart of this evolution is a re-conceptualized ethics function.

No longer merely the corporate conscience, the senior compliance officer in newer programs is, fundamentally, a high-level manager charged with developing and implementing the complex program of systems and controls needed to define corporate standards and expectations, teach them and ensure that they are followed.

In this model, compliance usually is managed by a lawyer — often the general counsel or a senior deputy in the law department, although at some companies by an independent chief compliance officer. Common duties include, in addition to systems design and implementation, providing legal advice to business units, conducting investigations and periodically reviewing the program.

Deciding on a structure: One of the few specific directions found in the Federal Sentencing Guidelines is that organizations assign "overall responsibility to oversee compliance" to one or more senior corporate officials. How this is done, however, is left to individual organizations.

The choice generally is between two basic models, one focused on senior business managers and the other on a chief compliance officer. In the business manager (decentralized) model, primary responsibility for developing and implementing the compliance program is assigned to senior business managers. This usually is determined by line of business (such as business group presidents), often with direct-line reporting to the chairman (and possibly audit committee) and a supporting role played by compliance managers.

The second model locates ultimate responsibility in a central corporate compliance officer. Senior business managers may still have a substantial role in the nuts-and-bolts of compliance and draw on the same basic resources as in the "business manager model," but the lines of responsibility are different.

Both models have advantages and drawbacks, and both can be made to work under appropriate conditions. The centralized compliance model can offer greater certainty, consistency and efficiency, but can make it harder to engage senior business managers (because bottom-line compliance responsibility lies elsewhere).

Conversely, the senior business manager model has the best prospect of breaking through common business and psychological barriers but depends on energetic and focused business managers and effective oversight and support from the center. (Both models were found in the recent "best practices" survey, in each case with examples that were more and less successful.)

Matching title and authority: The question whether to formally designate a "chief compliance officer" (CCO) often is answered by the choice of compliance systems. Companies with a centralized compliance model generally have a designated CCO, by this name or something similar. CCOs can also be found at companies with the business manager model, but that is less common and the functions differ.

In the centralized compliance model, the choice of a CCO is critically important. Experts generally point to three essential attributes needed for a CCO to be effective.
  • First and most important is appropriate seniority and access. The chief compliance officer has to be senior enough to be able to act independently, and also have (and be perceived to have) access to the highest levels of the organization.
  • The second attribute is adequate compensation — high enough to attract talented people and make compliance a desirable career path.
  • The third is independence from the business units, particularly with respect to the compensation process. Compliance officials have to be able to provide objective guidance and at times make hard decisions that may appear to run counter to narrow, short-term business interests.
Companies with the alternative business manager model may still have a designated or de facto chief compliance official but with different functions. In most cases, this person is more a "coordinator" than chief officer, charged with providing guidance, support and oversight for the business units. More often than not, the coordinating function is lodged in the law department and independence and access are lesser priorities. Resource concerns also tend to play out differently in the business manager model, with de facto compliance coordinators able to rely on or supplement existing resources rather than having to build out a designated compliance office.

A subsidiary question for companies with both formal and de facto chief compliance officers is whether to designate subordinate managers for particular substantive areas or business lines within the enterprise. Such designation can be a sensible practice (and may be required in some regulatory areas or by consent decree), provided there is adequate central control and oversight. The downside risk is that separate designations can make it even harder to coordinate and maintain consistency in a diversified, decentralized business structure.

Step No. 5: Build a good bullpen

The "bullpen" for compliance is the legal department, and there are few better ways to invest scarce compliance dollars than in its personnel and structure.

Defining the job: At most companies, lawyers have substantial (often primary) responsibility for compliance matters ranging from content development for the program and compliance training to business counseling (helping business units to apply the rules to specific facts) and investigations. In the "business manager" model, lawyers also play a significant counseling role working with senior business managers on annual compliance program assessments, including program design (such as training plans for the coming year).

Setting the rotation: Once responsibilities have been identified, an appropriate service structure can be developed for providing legal services to the business client. There are, of course, many different structuring options and no single right one. As in private practice, much depends on the "law firm" personality and culture, client risk profile and nature of the lawyer/client relationship.

At companies with a small or decentralized law function, lawyers may have to be generalists, able to address directly or to direct elsewhere a wide range of compliance issues. The managerial challenge is to cover essential bases, internally and with outside resources. In a "larger firm" setting, individual lawyers may be assigned substantive law specialties (such as securities, environmental, employment) and, in some cases, "client" management roles with the business units. For compliance managers, the oversight challenge is more traditional.

Recruiting talent: Short-term rotation assignments are largely a function of available resources. For the long term, however, successful teams — and corporate law departments — devote considerable attention to assessing needs and recruiting new talent.

This is standard operating procedure (or should be) for most law departments, but there is an important additional consideration for compliance. For some functions, especially in the business manager model, there is a heavier than usual premium on experience. Knowledgeable managers put high value on developing good working relationships with the business units.

Achieving these relationships is no easy task, but the odds greatly improve with the right people in place. Counseling lawyers need to work directly with their business counterparts, and seasoned lawyers, who can not only offer correct legal advice but understand and work with their business "clients," are more likely to build successful relationships.

Step No. 6: Play ball

After all this, your team is finally ready to take the field. But even with a winning organization, there will be little opportunity to rest on your laurels. Keeping a close eye on the compliance program will show whether any tinkering or more substantial changes need to be made.

A solid program will help to manage the inevitable surprises and control downside risks. Regular "team" meetings that bring together key people and focus their attention on compliance matters are a good practical tool, especially for picking up systemic flaws and dealing with content changes from new or changing laws or a shift in the business or risk profile.

Process auditing, which looks at the entire program structure on a periodic basis, is another important tool. Yogi Berra had it right: "You can observe a lot just by watching."



Test yourself

Does your compliance structure have clearly defined lines of responsibility and accountability for program operations — in particular, planning, education and training, legal advice, investigations, audits and board oversight? Here's a spot process audit for testing particular programs:
  • A sales manager wants to give a prospective customer an expensive holiday gift. Will he know to seek legal advice and from whom?
  • A mid-level manager has learned of possible fraud in a government procurement. Does she know this needs to be referred for investigation and to whom, and will the investigation be timely, thorough and pursued to appropriate conclusion?
  • A new board prospect wants to know what compliance programs are in place and whether they really work. Can the company's senior compliance officer answer this question with a reasonable degree of certainty and detail? (And after Sarbanes-Oxley, will directors know to ask?)
  • A new employee wants to know what training he needs to take over the coming year. Will he know where to turn for this information and will he get a precise answer?
  • You read in today's newspaper that a federal court decision has dramatically changed the law governing an important part of your business. Are you confident the compliance program will pick this up and communicate it to relevant personnel in a timely fashion? How, how soon, to whom and by whom?
  • The company has decided to acquire a competitor with a manufacturing facility in Mexico. Antitrust concerns will be closely examined as part of the due diligence review. Will the deal lawyers also know to inquire about compliance with U.S. trading laws such as the Cuba embargo? What steps will be taken when the deal closes to integrate the acquired operations into the general corporate compliance program, and by whom?

Organizations that can reasonably answer these questions probably have a pretty good compliance structure in place already and can focus on refinements. For others, a more thorough examination of their structure may be in order.

Fine is the principal of NXG Global Law & Compliance PLLC, in Washington. His e-mail is mfine@nxgglobal.com.
