Compliance Week took to the road again last week, this time hosting an editorial roundtable in Chicago with Thomson Reuters to talk about the overlap of corporate legal and compliance functions. Apparently we hit upon a popular subject; normally our roundtables attract about 12 to 14 compliance executives, but this one had 20 attendees. Conversation was lively, and we’ll have complete coverage of the discussion in our Aug. 3 newsletter. For now, however, let me give a few initial observations.

The general counsel is still the boss. Yes, I know, the revised U.S. Sentencing Guidelines say companies should have an independent compliance function, with a chief compliance officer who answers to the CEO or (ideally) the board. Well, that’s not happening yet. Fourteen of our 20 attendees said they report into the legal function; only two reported directly to the audit committee. Some attendees said their company was in the midst of creating an independent compliance function, but far and away, corporate compliance was still subordinate to the legal department.

At first that surprised me, since every best practice in the universe says an independent CCO is vital for compliance. But another theme from the roundtable was that these companies and their leaders do want a strong compliance function; they just don’t know what steps they should take to get there. They are terrified of adopting some organizational structure that can’t be changed easily, should the need arise (say, in a restructuring). They are terrified of leaving ethics and compliance in the hands of someone who isn’t a company lawyer, should an investigation be necessary and the company want to protect itself with legal privilege. Everyone wants to take incremental steps to achieve strong compliance, but they all start from the general counsel’s office.

Coming soon to a compliance function near you: charters. Two attendees said their companies have charters specifically for the compliance function. This intrigued everyone else, and one of the two said his company adopted a charter to adhere to the U.S. Sentencing Guidelines. Another person quickly shot back: “Wait a minute—we need a charter to be in compliance with the guidelines?”

“Not yet,” the first attendee replied, “but that’s where this is going.”

There’s a lot of wisdom in that response, as cynical as it may be. Charters probably are the way of the future, especially if you’re in a highly regulated industry and want to appear nice and clean to your regulators. At the very least, a charter can’t hurt. It sends a message of seriousness, and if tone at the top really does matter to regulators, then a charter would fit the bill.

So where do charters come from? Apparently one emerging habit (I won’t call it a best practice, but it seems sensible to me) is to crib the language of your internal audit department’s charter, or the language of your audit committee’s charter if you don’t have an internal audit function per se. You’ll want the compliance charter to specify what information about ethics and compliance will be reported to the audit committee. You’ll also want it to specify who gives that information to the committee—which forces the board to address that question of whether compliance is an independent function, or reports into the legal department. There’s a deft piece of office politics for you.

Ethics matters. One attendee approached me just before the roundtable started to ask why Compliance Week doesn’t devote more attention to problems of ethics. I answered honestly: because we’re so busy following all the minutiae of regulatory compliance that we just don’t have time for ethics, and most of our readers are in the same boat. So as much as I enjoy discussing ethics—which I do—why bother? I can’t say I like that answer, but it’s the truth.

Well, as the roundtable closed, this same attendee gave an excellent reason why we should bother. At the end of the day, for all our regulations and policies and procedures and monitoring, misconduct comes down to one employee deciding whether or not to behave in some improper way. We can either monitor that employee (and all the others) constantly, or we can trust him to do the right thing—if he has a good sense of ethics. Or, as this attendee put it, “That’s what I worry about. An ethics problem will trump a compliance problem any time.”

You know, he’s right.