When one considers the Roman Empire at its zenith, one might think of it as what New York Times columnist David Brooks characterized as “a mighty fortress in a dangerous world,” whereas the focus of the Athenian Empire was more about debate, democracy, and “creative crossroads leading an open and fundamentally harmonious world,” Brooks wrote.
I thought about Brooks’ characterization as an excellent metaphor to explain the difference in roles between that of a corporate legal department and a corporate compliance function. Understanding these differences in roles helps to explain why a chief compliance officer should not be housed in legal, but rather should lead a separate corporate function.
The role of a legal department is to be the fortress that protects a corporation. It uses the legal tools available to it: attorney-client privilege, the attorney work-product privilege, and other trappings to keep information from getting outside of a corporation to be used against it by shareholders, regulators, or third parties. It is not designed to be open facing, but rather closed, thereby (hopefully) shielding the company from not only unwanted eyes, but also fines, penalties, and lawsuit payouts.
The role of a compliance department, on the other hand, is to prevent, detect, and remediate. These difference in roles between that of a corporate legal department and a corporate compliance function are starkly laid out in the “Evaluation of Corporate Compliance Programs,” a document published in February by the Fraud Section of the Department of Justice’s Criminal Division that provides a list of sample topics and questions in evaluating a corporate compliance program.
One of the first inquiries listed by the government in its document, for example, concerns a root-cause analysis and whether those factors unearthed in the root-cause analysis were remediated through a continuous improvement process. The document continues on to inquire how the company not only considered its compliance program going forward, but what it did with the information obtained in the continuous monitoring process.
A corporate law department does not operationalize its function throughout an organization. Quite the opposite, the law department often draws back information into its fortress function.
Thus, when someone asks you the difference in roles between legal and compliance going forward, explain to them it is akin to the differences between Rome and Athens.