The Chief Compliance Officer

Lead Article From The Practice July/August 2016
Should there be a new “C” in the C-Suite?

This article is derived from a more expansive work previously published in the Hastings Business Law Journal.

Corporations around the globe are facing a daunting challenge in the emerging area of compliance and ethics. This is no wonder, given the economic downturn of 2008–2009, changing technologies, and rapid globalization. Increased global complexity and new demands for privacy and data protection have required companies in virtually all industries to deal with new regulations across multiple jurisdictions, higher penalties for noncompliance, and more-stringent application of the rules. Not only are the large publicly traded U.S. corporations on the line, but so are the individuals who are specifically tasked with leading compliance and ethics programs within their corporations. Indeed, the subject line of the recent Yates Memorandum (see “In the News”), written by Deputy Attorney General Sally Yates, is “individual accountability for corporate wrongdoing.”

Should there be a specific department led by a chief compliance officer within the company hierarchy?

Unsurprisingly, in study after study, general counsels (GCs), corporate executives, and compliance officers alike name regulatory risk as one of the greatest threats to their business. Also, despite budget freezes (including on legal), corporations are putting significant resources and funding into compliance and ethics initiatives—or what might be better called the legal risk of business. In doing so, they are creating new departments, positions, and ethics-training programs. For many corporations, there is now a new “C” in the C-suite—the chief compliance officer, or CCO (see “The Emergence of Compliance: A new profession?”). This, of course, raises a central question: Should there be a specific department led by a CCO within the company hierarchy? Or should compliance initiatives occur within preexisting corporate governance structures in which the compliance function generally reports to the GC?

The Takeaway

During the past few decades, publicly traded companies have increased attention and resources devoted to the compliance function. Many are creating a new “C” in the C-suite—the chief compliance officer, or CCO—and departmentalizing the compliance gatekeeping function from the legal department so that the CCO does not report to the general counsel (GC). By examining the literature and conducting interviews with 70 GCs and CCOs, I hypothesize that preemptive departmentalization may not be in the public’s best interest due to potential unintended consequences that offset the alleged benefits of departmentalization. Specifically, departmentalization may not increase transparency into compliance transgressions at corporations, actual compliance by corporations, or corporations’ commitment to a culture of compliance and ethics.

Instead, departmentalization might actually disempower the CCO, create barriers to collaboration between departments, decrease corporate transparency, and increase the perception of lawyers as amoral, legal technicians. Such structural reorganization may applaud form over function, thereby creating a false sense of complacency that distracts from the substantive cultural change that should be integrated throughout all levels of the organization. Ultimately, a focus on culture and informal norms may have more potential to meet the public’s objectives than a focus on organizational structure. The government may therefore have reason to revise its current focus from the external manifestations of compliance to the inward, cultural change that promotes public access to information about compliance transgressions, actual compliance by corporations, and a culture of compliance and ethics within a corporation.

Of course, the answer to this question might change depending on the skills and training of the specific person who fills the role of CCO and how he or she plays it. Indeed, in a related, forthcoming article, I identify the ideal core skills and training every compliance officer should have and explore a typology of different roles that CCOs play to effectuate compliance in large publicly traded corporations. (For a preview, see the sidebar “A typology of styles” at the end of this article). This essay, however, focuses not on who should fill the role of compliance officer or how, but instead on the structure and organization that corporations adopt to effectuate compliance. It attempts to answer whether the CCO should be a new “C” in the C-suite (that is, in charge of a compliance department that is separate from the legal department and does not report to the GC). To make this determination, I attempt to uncover the underemphasized and perhaps unintended consequences that might occur when corporations departmentalize the compliance and ethics function from the legal department so that the CCO does not report to the GC.

Who should be in charge?

With the increased emphasis on—and resources devoted to—the compliance and ethics function at large publicly traded corporations during the past 10 years, a debate has begun over who should be in charge. Two questions dominate the literature and lore:

  1. Who should be in charge of compliance and ethics: the GC or the CCO?
  2. Should the compliance and ethics department be separated from the legal department entirely?

Historically, in large publicly traded corporations, the compliance and ethics function was overseen by the chief legal officer (CLO) of the company (which could be the CLO or the GC). Often, the compliance function reported to the GC, and sometimes the GC simultaneously served in the CCO role. And this often remains true today. Many GCs of publicly traded companies either oversee or serve as the heads of compliance—for instance, Mark Chandler of Cisco holds both the GC and CCO titles.

Yet, and in no small part due to corporate scandal after scandal in industry upon industry during the past 10 years, there has been a growing trend toward separating the compliance function from the legal department by creating independent compliance departments comprised of people with legal training. These independent compliance departments are developing compliance and ethics programs to prevent noncompliance and to monitor compliance with the law and ethical obligations.

Studies by PricewaterhouseCooper (PwC), the Association of Corporate Counsel and Corpedia, and the Society of Corporate Compliance and Ethics (to name a few) show a steady decline in the past five years of CCOs reporting to the GC. As a GC interviewee explained to me:

A number of the early-mover companies that created compliance departments did so as part of resolving a major mishap or high-profile problem, so it was not necessarily a best practice. But [because] a number of major companies have done it over the years, it starts to look like a best practice. Once in that position, it becomes hard for a major corporation to explain why they don’t need a compliance department.

Whether these moves represent best practice or knee-jerk reactions, they have potential repercussions that run deeper than a simple change in the organization chart. They move a piece of the gatekeeping function out of the GC’s hands and place it within a new department that is often filled with lawyers who are now not practicing law. The obvious question, then, is: what’s wrong with that?

The answer likely depends on the perspective of the questioner. In this debate, a variety of stakeholders are asking that question, including the GC, the CEO/board, the newly minted CCO, the government, the corporate entity, the legal profession, and the public. And each of these stakeholders likely has different goals for the organization and the structure of the compliance department, ranging from increasing power and influence, to mitigating repercussions of future misconduct, to protecting reputation, to deterring misconduct. Those in favor of preemptive departmentalization invariably purport that it is in the public’s interest and will increase:

  • Transparency into the corporation so that misconduct can be uncovered and prosecuted and future misconduct deterred
  • Actual compliance with the law
  • The ability for a corporation to establish a functional culture of ethics and compliance that goes beyond the letter of the law

The common argument for separating compliance from legal goes as follows: Lawyers, given the rules and standards of the profession and their duties to their clients, are not independent enough to be able to report corporate malfeasance. By working separately from the GC’s office (and outside the lawyers’ rules of professional conduct), the CCO will have the requisite autonomy to uncover and report noncompliance, thereby increasing transparency into corporate misconduct—especially during governmental investigations or queries. Further, by creating a separate compliance department and changing the reporting structure (having the CCO report to the board, for example), the company will both be in a better position to prevent and stop corporate misconduct and send a message to employees and regulators that it takes compliance seriously and malfeasance will not be tolerated.

So, back to the question, What’s wrong with that line of thinking? If the only things wrong with departmentalization are what opponents emphasize—such as the risks of turf wars, inefficiencies, and the demonstrated success of lawyers in managing the conflicts of interest that exist between compliance-reporting obligations and protecting the corporation—then what’s the big deal?

A series of underemphasized and unintended consequences of departmentalization are important to draw out in order to answer the “so what” question more appropriately.

Interviews and surveys of GCs and CCOs

To outsiders (and maybe even insiders), an apt metaphor to the compliance and ethics function at large publicly traded corporations is a black box with mystery contents. The words “compliance and ethics function” mean different things to different organizations and to different people in and outside of those organizations. It also has potentially differing meanings around the world. Even if we focus only on what could be coined “legal” compliance, a picture of what compliance professionals do and how they do it is, at best, fuzzy. Contributing to this confusion is the excess of secondary material on compliance and the lack of scholarly, qualitative research about the compliance function in large publicly traded corporations.

Therefore, to generate hypotheses about the questions posed in the introduction, I interviewed 70 GCs and compliance officers of S&P 500 corporations across a variety of industries including banking, pharmaceutics, and petroleum. While there are some limitations to the study (such as a small sample size and nonrandom selection), the data and the stories of respondents—combined with relevant secondary material and other surveys—provide powerful insights into the current and potential future of the compliance function. In this essay, I use this research mainly to animate otherwise underemphasized potential problems that may result from departmentalizing the compliance and ethics function by removing the GC from the role of compliance gatekeeper.

Unintended, underemphasized consequences of departmentalization

There are seven potential consequences of departmentalization that are not often highlighted in the ongoing debate.

1. Departmentalization ostracizes compliance and creates a “C” in the C-suite without the requisite influence.

To start, titles and reporting lines do not equate to power and influence. The latter takes years to build. Indeed, much has been written about the time it took for GCs to get their seat in the C-suite—to move from being considered second-class citizens to being one of the highest-ranking, highest-paid, and most influential corporate executives at large publicly traded corporations. Before departmentalization, the compliance function was historically under the purview of the GC. Today, when departmentalizing, corporations often simply promote the associate GC to the CCO role. This move from associate GC to CCO of a new, smaller department—which, by the way, is an additional cost center—does not, by itself, provide a seat at the table despite the “C” in the title. As one CCO interviewee (who was formerly the associate GC) explained:

Even if the chief compliance officer reports to the [board] or CEO, [he or she is] going to have the same problem, because chances are, the CEO is going to want to listen to the [GC] . . . because [the GC is the] trusted legal advisor. Very rarely [does] the compliance officer report to a CEO because that’s what the CEO wants. In other words, simply because the chief compliance officer has a “C” for “chief” in their title does not mean they have clout and credibility with the board, CEO, or other business leaders.

Titles and reporting lines do not equate to power and influence.

Worse yet, separating the compliance department from the legal department risks ostracizing compliance professionals as outsiders or watchdogs (like in-house counsel once were). As one CCO interviewee aptly explained, for some, “compliance is the world’s longest four-letter word, and it initiates a negative response in people.” The interviewee went on, “Compliance officers are often seen as outsiders, not good team players.” The last person employees want to see strolling down the hall is the CCO.

While no one disputes the importance of compliance and those who do the work, it can indeed be lonely. As many compliance officer interviewees bemoaned, “People are afraid to talk to you or invite you to the table because we are not obligated to keep confidences and they understand that there is no privilege.” As such, separating the compliance function from the legal department may disenfranchise compliance professionals from important conversations and corner them into the role of a cop or glorified tattletale, preventing them from being insider change agents and what Christine Parker calls “persuasively relevant.” So, while they may have autonomy and access to the board, they may not have the network and ability to prevent and persuade. Many of the CCO interviewees emphasized the importance of having an insider view on what is happening and being a trusted ear for employees so that they can identify potential compliance issues before they spiral. Thus, for the CCO, it isn’t just lonely at the top—it may also be disempowering.

2. Departmentalization prizes independence over collaboration.

Second, the emphasis on the independence of the compliance department from the legal department risks impeding open communication and a spirit of collaboration that in today’s world is essential to creating effective compliance solutions. As mentioned earlier, one of the top concerns of senior executives at large publicly traded corporations is regulatory compliance. The problems posed to multinational corporations today are more complex than ever before, requiring teams of people with different expertise to collaborate to understand what the regulations require, where to apply them, and, most important, how to comply and implement them. Collaboration is required at every step: it’s important for identifying and weighing risks, for devising solutions, and for execution. Compliance officers must secure the commitment and cooperation of employees around the world to design, promote, implement, and monitor compliance programs.

The message that formal departmentalization sends to middle and lower management is one that prizes independence and separation as opposed to interdependence and collaboration

Even if the turf wars do not erupt, there is a simple mathematical problem: in a corporation, one plus one does not always equal two. Instead, one plus one can equate to corporate process mazes, stopgaps, and redundancies that not only are inefficient but also inhibit easy information sharing. Over time these divisions can create silos—and silos are the death knell for the cross-fertilization between different departments that is needed to create new solutions. Research studies have consistently shown that open environments and information exchange among people with different experiences, roles, and expertise enhances problem solving.

Although it is true that multidisciplinary and multifunctional collaboration is possible between two separate departments within an organization, having compliance departmentalized from the people who interpret the law and gauge the risks hinders the department’s ability to create effective programs and secure the commitment and cooperation from employees around the globe. Although many of the GCs and CCOs interviewed claimed that their relationships were open and collaborative, the message that formal departmentalization sends to middle and lower management is one that prizes independence and separation as opposed to interdependence and collaboration, which are essential to effective compliance program development and adherence.

3. Departmentalization decreases transparency.

Proponents of departmentalization contend that separating the compliance function from the legal department increases transparency into corporate conduct during corporate investigations or inquiries because it weakens the corporation’s ability to shield information under the corporate attorney-client privilege. The thinking is that the privilege will not be applied because the compliance officers—even those who are lawyers—are not part of the legal department, not acting as lawyers, and not providing legal advice. Putting aside the valid argument that privilege is becoming a nonissue because it is the first thing waived by corporations in an investigation, this argument about transparency still fails.

The common view in the literature, in many governmental agencies and regulatory bodies, and in my interviews is that compliance professionals—even if they have a law degree, passed the bar, and/or have served as lawyers for the corporation in the past—are not acting as lawyers or providing legal advice when performing compliance functions. As two interviewees stated:

The entire legal department—which includes compliance, by the way—does report up to me as the chief legal officer but we are organized across business lines as well. We have a lot of attorneys in our law division who are in the compliance department. Compliance is not part of the law. We have to say they’re working as compliance professionals, not lawyers, but there’s an [un]godly number who have a law degree.

I am a lawyer, but I am not acting as a lawyer. I’m not acting as an in-house lawyer on behalf of the company. There is sometimes some confusion within the law department itself as far as that distinction is concerned, and there is also sometimes confusion from internal clients [who] think, “Oh, I can just go straight to the [CLO] for legal advice,” and I have to tell them, “I’m glad to talk to you, but I’m not acting as a lawyer; what we’re talking about is not privileged; and if you want legal advice, you will probably have to go down the hall to somebody else.”

Even if we accept this view as true, it does not necessarily follow that less information about corporate misconduct will be able to be shielded by claims of privilege. Indeed, the opposite might be true. Courts protect communications by practicing lawyers who mix business and legal advice as long as they are “predominantly legal” or “made primarily for the purpose of generating legal advice.” This is because it is almost impossible to distinguish between business and law, and in the course of performing their jobs, most corporate lawyers mix legal and business advice. However, courts are more reluctant to protect communications from in-house counsel because they worry that corporations are purposefully including lawyers in communications in order to use the attorney-client privilege argument to shield information. Thus, if the CCO is also the GC (or a lawyer who reports to the GC in the legal department), courts may deny attorney-client privilege protection because the advice sought was not primarily legal but, instead, for compliance purposes. On the other hand, if the compliance officer is not and does not report to the GC, whenever someone from the compliance department consults with the GC or another lawyer in the in-house legal department, there is a stronger argument that the primary purpose for the communication with someone from the legal department was to seek legal, as opposed to compliance, advice. Essentially, the separation of departments and roles supports the argument that the lawyer within the legal department is serving as a legal, as opposed to a business, adviser in this circumstance and being called on to provide the legal point of view, thereby enhancing the potential that the privilege will be applied.

Departmentalizing will not necessarily increase transparency into a corporate misconduct investigation but, counterintuitively, may increase the amount of information shielded by the attorney-client privilege.

Many, though not all, of the agreements with governmental agencies and regulatory bodies state that the CCO “may seek legal advice from internal or external attorneys outside the Compliance Department without waiving any applicable privilege.” Arguably, before departmentalization, corporations padded their argument for privilege in much the same way by hiring external counsel. As one CCO interviewee explained, “A lot of times I will retain counsel to advise me or to help make sure that the work can be privileged.” After departmentalization, the corporation gets the same benefit without the costs. Departmentalizing will not necessarily increase transparency into a corporate misconduct investigation but, counterintuitively, may increase the amount of information shielded by the attorney-client privilege.

4. Departmentalization silences the “lightning-rod man” and decreases the emphasis on risks.

Research by Robert Eli Rosen, Christine Parker, and Vibeke Lehmann demonstrates that a corporation’s perception of legal risk is heightened when practicing lawyers are in charge of compliance. They posit that a lawyer in charge of compliance is like the title character in Herman Melville’s The Lightning-Rod Man, who scared people into buying lightning rods by going door-to-door threatening folks that lightning will strike. Rosen et al. found that when a lawyer, as opposed to another type of professional, is in charge of compliance, the company has a higher perception of being watched, has increased awareness of the risks associated with noncompliance, and is more fearful about regulatory breaches. Evidently, lawyers have (or portray that they have) a heightened awareness of risk that creates the impression that the regulator is watching—that lightning will strike at any moment—unless action is taken. By separating the lawyers from compliance oversight, this fear of regulatory capture might dissipate. True, these new compliance departments are filled with lawyers. However, the lawyers, once part of the compliance department, are no longer acting as lawyers and therefore may no longer play the role of the lightning-rod salesman as effectively. Although Rosen et al. found that lawyers are not as adept as other professionals at creating effective programs and procedures to prevent risk, their research supports a structure in which the lawyers are the ultimate superintendents of it.

5. Departmentalization risks turning in-house lawyers into mere legal technicians.

Lawyers who have moved into the compliance department are not the only ones who might experience a (negative) shift in power and influence as a result of departmentalization. Creating a separate and distinct department and assigning it the role of keeper of the corporate conscience creates a risk that the legal department will be viewed as disconnected from the ethical responsibilities of the corporation. There is agreement among GCs and CCOs about the general job that compliance professionals do: build policies and procedures; train, educate, and test employees; conduct neutral fact finding; prevent, uncover, and report misconduct; and remediate.

A CCO of a large bank described the compliance department’s role as to:

… raise awareness among employees that we do have policies and procedures that cover a lot of what they do and [they have a] responsibility to be aware of them and [that] claiming to be not aware when violating [them] is not a defense we accept. Our job is to raise awareness that there is an ethical obligation to be aware of what is allowed, which in the end is in the best interest of clients, and that includes reporting if they see something that should not be done or could harm the company or clients.

In this view, the compliance department’s role is more process and results oriented in some ways than that of the legal department. As one CCO explained to me, the best part of the job:

…is that I get to do something about things. That’s why I moved from legal. In legal you [recommend], and business gets to say yes or no, take advice or not. But in my job, I say, “I think you should fire this person,” and they just have to unless [they can] give a really good reason why they shouldn’t.

Another put it this way:

Most of the time you actually stop things, make things better, get things done . . . you can come in every day and make someone’s workplace better: remove the employer retaliating or the person stealing—[which] improves employees’ work environment.

There is also agreement that compliance is about more than merely complying with the letter of the law. As one interviewee said, “The goal is to have them trained well enough and sensitized about the permissible but also about the right thing to do . . . the right thing sometimes is more than the legal thing.” But, when it comes to identifying who is in charge of the corporate conscience, who is the creator of the corporate ethical culture, who is supposed to tell senior management what they “should” do versus what they “can” do, there is major disagreement between GCs and CCOs.

Interestingly, the CCO interviewees—even those who were formerly practicing attorneys and often associate GCs within the legal department—distinguished between lawyers and compliance professionals, saying that whereas lawyers tell you what the law says and are concerned with legal liability and vigorously defending the corporation at all costs, compliance officers:

… care about doing the right thing the right way for the right reasons. In any business . . . the right way is often debatable, because, in any business, if we do X, we’ll make a trillion dollars, but there may be a lot of legal risk. And if we do Y, we’ll make a billion dollars but have no legal risk. My job is to help people understand the potential impact of those risks, to make sure those conversations occur. It is not just about money but [if] a successful business is doing the right thing.

The compliance officer interviewees consistently made a demarcation between “can” and “should.” One interviewee said, “The lawyers tell you whether you can do something; compliance tells you whether you should.” Another said, “The general counsel’s job is … to advise [the company and senior managers] of the legal risks, but not initiate the conversation over what is the right thing to do. The general counsel’s job is more black and white; [for example,] ‘These are the legal risks.’”

Compliance, on the other hand, is also about ethics:

Legal tells you what you can do to comply with the law—what you literally need to do to comply with the law. Compliance tells you [that] what you should do to comply with the spirit of the law may be more than legally required. Ethics takes it a step further [and] tell[s] you to ask yourself, [even though] it may be legal and it may be within the spirit of law, is it really in the best interest of [your] client and [your] firm?

All these quotes are from legally trained professionals who were formerly practicing attorneys and are now leading compliance departments.

It is important to note that the GC interviewees did not agree with this picture of the legal department being concerned only with the black letter of the law. They felt that legal is still in charge of the “should,” not just the “can.” Be that as it may, if departmentalization creates the perception that the in-house lawyer’s role is no longer concerned with ethics or morals, it may become expected that lawyers play the role of legal technician telling clients what they “can” do within the letter of the law, not what they “should” do based on the spirit of the law, ethics, and considerations beyond law.

If departmentalization creates the perception that the in-house lawyer’s role is no longer concerned with ethics or morals, it may become expected that lawyers play the role of legal technician telling clients what they “can” do within the letter of the law, not what they “should” do.

Thus, while in-house lawyers might not view their role so narrowly, other professionals in the company might and therefore pressure their lawyers to provide truncated advice. In essence, the expectation that the lawyer play the role of legal technician devoid of any ethical “should” function traps lawyers in an attorney-client relationship that is one of agency wherein the lawyer, as agent, owes a duty to his or her client (the corporation) to promote the client’s interests above all else. Although consistent with some forms of practice, such an attitude is the opposite of the way most GCs view their role, which is one that includes being responsible for gatekeeping, creating culture, and protecting the corporate conscience of the company. Departmentalization, therefore, might decrease the level and type of influence the GC has in the corporation, an influence that has taken more than 30 years to cultivate. Moreover, it might also work against the recent movements to hold lawyers more accountable to more constituents for their behavior and for the social consequences of their corporate clients’ conduct.

6. Departmentalization fortifies role differentiation as justification for following the letter (instead of the spirit) of the law.

The risk is not just that lawyers may be viewed as technicians and (choose to or be pressured to) refrain from counseling their corporate clients on the social, ethical, and moral risks of legal decisions. In fact, the risk is much, much larger. Lawyers might be expected to help the corporation find loopholes in the law. According to Rosen, Parker and Nielson, lawyers have a “cast of mind” that may hinder compliance initiatives. In a recent research study comparing lawyer-led compliance programs with non-lawyer-led compliance departments, Rosen et al. found that lawyers are followers: “They follow their company’s normative orientation. When companies are committed to compliance, lawyers in charge of compliance structure their company’s compliance practices and behaviors accordingly,” but “when companies are not committed to compliance, lawyers do not … promote compliance” and “may even aid their clients to resist and subvert regulation.”

Departmentalization may be just another trapping that is adopted by corporations as a best practice without any resulting change. Worse yet, it may create a false sense of complacency about compliance

Thus, Rosen et al. found that lawyers can behave as “gamesters,” treating the law as “a game of loopholes” and litigation as unavoidable. Further complicating the scenario is the fact that many compliance departments are run by lawyers. As mentioned above, lawyers serving as compliance professionals are neither structurally classified as part of the legal department, nor are they functionally considered as practicing lawyers. As such, the former lawyers, now compliance officers, may not consider themselves bound by the model rules of professional conduct. Thus, there may be double trouble. If there is a risk that the compliance officer is vying for power and influence, arguably, he or she may also succumb to using his or her cast of mind and freedom from the model rules to do more bad than good. Thus, departmentalization may not change the status quo in the way it is intended, and it may fortify a lawyer cast of mind that enables more corporate misconduct as opposed to less.

7. Departmentalization applauds form over function.

As mentioned above, one of the three goals of departmentalization is to create a culture of ethics that is ingrained in the organization so that malfeasance is deterred and prevented. Yet departmentalization—like codes of conduct, revisions to mission statements, and formal training programs—is merely a formal exemplification or structural manifestation of a commitment to compliance. Empirical evidence generally does not demonstrate that structural manifestations of compliance are effective at deterring malfeasance. Departmentalization, similarly, may be just another trapping that is adopted by corporations as a best practice without any resulting change. Worse yet, it may create a false sense of complacency about compliance. The structural manifestations put the corporation and its employees at ease that compliance and ethics are being covered when the manifestations are actually ineffective at creating real change and, indeed, have been identified as the weakest part of the ethical infrastructure of an organization.

One main reason for this is that structural manifestations, such as changing the organizational chart or departmentalizing, do not account for:

  • The impact that internal networks have on effective compliance
  • How compliance and ethics intertwine
  • How people are motivated intrinsically and extrinsically

Impact of internal networks on communication and culture: It is wrong to focus on the formal organizational structure of a corporation to gauge the effectiveness of its compliance program. According to leading sociologists Rob Cross and Andrew Parker, interaction and communication among employees defies static organizational flowcharts. Instead, to find critical gaps and to ensure that a corporate culture of compliance is integrated throughout the organization, we need to look at the internal social networks of connection; for example, how people actually work together. A common emphasis is on the importance of the tone at the top in establishing a culture of compliance. While that is most likely true, it is also probably true, as one interviewee explained, that the tone set at the middle—the intersection of social networks—matters just as much:

I don’t worry about the tone at the top; I worry about the tone in the middle, and that’s what I focus on. So I tell people, “We can have great tone at the top, but the people in the warehouse look at their supervisor, they look at their manager. So if their manager is having sex with the secretary, they don’t believe anything about the ethics program. You know what I mean? The secretary can come in late, but they can’t come in late. They don’t care what we tell [them] about ethics. That’s what ethics means to them, because if they are going to get fired because they are late, but the secretary gets to stroll in late because she’s sleeping with the supervisor, that’s what ethics means to them.

Implementing structural manifestations of compliance is not sufficient. Instead, a culture of compliance needs to be created not just from the top down, but throughout the organization.

Ethics intertwines with compliance: blind spots and ethical fading: Formal changes and controls like ethics programs, codes of conduct, mission statements, and reorganization are completely decoupled from what we know about ethical decision making. According to leading sociologists and legal scholars, one of the reasons for this is that compliance initiatives do not recognize that employees, like cars, have “blind spots,” as Max Bazerman and Ann Tenbrunsel have noted. People do not necessarily recognize an ethical dilemma as an ethical dilemma when it is presented to them. Thus, many ethical violations are unintentional. These blind spots occur when there are functional boundaries within an organization that enable decisions to be labeled and segmented as something other than ethical ones; for example, a decision is viewed as an engineering, marketing, or financial decision. The launch of the Challenger, despite the evidence that overwhelmingly predicted its demise, is an example of such segmented decision making: the group that recommended launching it (despite the evidence) couched the decision as a “management” one.

People do not necessarily recognize an ethical dilemma as an ethical dilemma when it is presented to them. Thus, many ethical violations are unintentional.

Another example is the Ford Pinto. The decision to sell Pintos despite evidence that the vehicles would cause accidents resulting in death was couched as a “business decision” made for financial reasons. In other words, how people classify a decision affects the decision they make. And how people classify a decision is impacted by the structural hierarchies that exist within the organization that help disconnect people from the decision’s impact and work to protect groups and people from internalizing their actions or blaming the people they work with. Further, people generally feel less concerned about unethical behavior that is perceived as indirect as opposed to direct. This is extremely problematic in a large organization where decisions can be segmented by department (or cultural and geographical) lines, making it difficult to get a bird’s-eye view or foresee the domino effect.

Another contributing factor is “ethical fading.” Ethical transgressions are a slippery slope in that people become desensitized to them the more they occur, and if they occur in small increments, they pile up without notice. A good example of ethical fading is lawyers reporting billable hours. To increase transparency and ensure that lawyers were billing ethically, firms began demanding lawyers report their time spent per client in smaller and smaller increments. However, this proves very difficult to do. To provide more detailed reporting of hours, law firms had to create more and more codes and labels for the services lawyers provide to clients. Because it was nearly impossible to decide on which of the many options a specific service falls into, let alone with six-minute intervals, lawyers had to guesstimate. Research found that once lawyers started to make small guesses, guessing became acceptable in general, and eventually turned into larger and larger guesses and rough estimates. Combine this with human beings’ tendency to re-create history and view their own actions as more ethical than they were (for example, sugar coating) and it is no wonder that systems designed to promote ethical behavior fail.

Intrinsic and extrinsic motivation: the problem with carrots and sticks: Formal manifestations of compliance and basic, routine check-the-box processes do not take into account complicated intrinsic motivation factors. According to Daniel Pink, people are not entirely rational. Although they are motivated by external or economic incentives (“carrots”) to perform routine tasks, this is not necessarily the case when it comes to more complex work or decision making that involves using judgment, ethics, and creativity. Indeed, Pink posits that incentives can sometimes serve as horse blinders narrowing off the bigger picture and future forward thinking. Thus, the risk is that an economic incentive can induce people to choose the quicker road over the higher road. Further, economic incentives or extrinsic rewards can demotivate behavior. Studies done on monkeys and people show that although extrinsic rewards can work in the short term, over time they can actually make subjects lose interest in solving the puzzle or working on the problem. Worse yet, extrinsic rewards can even take the good out of doing good. A recent study showed that people were less apt to donate blood when offered a monetary reward. According to Pink, this is because “it tainted an altruistic act and ‘crowded out’ the intrinsic desire to do something good,” which is commonly held as the motivation for donating blood. Evidently, sticks (like carrots) are often ineffective motivators as well. For example, a study on day care centers implementing late fines for parents picking up their children after the deadline showed that when there is an economic penalty (or “stick”), parents are less likely to view the decision to pick up their children late as an ethical one about what is “right” and “fair” to the day care employees, as Pink argues. Instead, it is a practical, economic decision based on a cost-benefit analysis.

It appears that departmentalizing compliance, instead of being best practice, may elevate form over function.

If this is all true, then one starts to wonder why government and regulatory bodies are asking corporations to change their organizational charts and adopt other structural manifestations of compliance when these recommended tactics don’t take into account how to develop compliance programs that incent real compliance and create a culture of ethics at the top, middle, bottom, and in between. Thus, it appears that departmentalizing compliance, instead of being best practice, may elevate form over function. Such a move may, in some circumstances, generate consequences that subvert the potential benefits of departmentalization and create a false sense of complacency that distracts from substantive cultural change. Further, departmentalization is doomed to failure if the decision to do it, and the resulting compliance department, does not reflect and/or promote the necessary values, norms, and ethics of the corporation.

A typology of styles

In a forthcoming article entitled “Identifying the chief compliance officer: counselor, cop, or the spy who loved me,” I develop a typology for the different roles played by CCOs. Like characters in a play, the same actor may find him or herself playing a different part at different times. Do any of these characters sound familiar?

The automaton – The automaton role is about building policies and procedures, training and testing employees on specific regulations and obligations, and monitoring adherence.

The investigator – In this role, the compliance officer is someone who openly searches to uncover noncompliance and is looking for the hidden risks. Noncompliance is seen as intentional, and attorneys and non-attorneys alike need to be trained and caught.

The cop – Cops are there to help and to make sure employees are behaving. They “patrol the neighborhood” to ensure employees are complying with the legal and ethical rules, and keep employees from getting into trouble—but they also have the power to stop misconduct once it starts.

The spy – The spy is most akin to an independent monitor. They see their role more as the eyes and the ears of the regulators than as a member of senior management.

The counselor – In this role, the compliance officer serves as a consigliore to senior management, offering judgments that span compliance, law, politics, and other arenas. The typical counselors believe they are the chief ethics officer and main steward of the corporate culture.  They guide but do not demand adherence to their guidance.

The involved parent – In this role, compliance officers view themselves as ethics coaches. They focus on training and helping employees understand how to make good decisions and how the decisions impact the company.  Like a parent, these CCOs give tough love, and if necessary, will demand adherence.

The bottom liners – In this role, the compliance officers are trying to find the upside to a potential risk and therefore, are comfortable with going right to the ethical or legal line.

The scarecrow – The scarecrow role is played when no one person is in charge of compliance at the corporation as “compliance is everybody’s business.”  Rather than specifically designating someone as a CCO, a more open organizational structure means that everyone—from management all the way down to front line workers—is concerned with compliance issues.

What’s next?

In this article, I have attempted to focus on the underemphasized drawbacks to departmentalization, such as the disempowerment of the CCO, the creation of barriers to collaboration between departments, a decrease in corporate transparency, and the potential evolution of lawyers into amoral, legal technicians. Ultimately, my analysis indicates that we shouldn’t rush to put a new “C” in the C-suite. Departmentalization is the wrong answer because the right question is not about the CCO’s independence or the corporation’s organizational structure, but instead about function: how can a corporation leverage the research on connectivity, informal norms, ethics, and motivation to create effective compliance and ethics initiatives and culture? If this is what the job entails, the job of a compliance officer is measurably more complicated, and the level of influence and power, along with the personal, leadership, and communication skills of the compliance officer, become even more important.

This conclusion leads to unanswered but important questions: Regardless of the organizational structure and title, who should oversee compliance? What expertise and skills should these compliance officers have? Should they have legal, management, or other training like psychology, sociology, or organizational motivation? Lastly, what roles should compliance officers play to best execute the compliance function? Should they serve like cops, counselors, spies, a blend of the three—or something else altogether? Before we put a new “C” in the C-suite, we may want to spend more time defining the CCO’s function and identifying who can best fill it.


Michele DeStefano is a professor of law at the University of Miami School of Law. She is also the founder and director of LawWithoutWalls and the founder and content curator of the Compliance Elliance Journal.

Event

Women’s Leadership Initiative

Executive Education
January 28, 2025 - January 31, 2025