Separation Conundrum: Should Compliance Be Independent of Legal?

Joe Mont | November 11, 2014

The push to divorce compliance from the legal department is nothing new. For several years, regulators—from the Department of Justice to Health and Human Services—have advised and even mandated autonomy for the compliance department.

The Federal Sentencing Guidelines also stress the importance of independence for the compliance function. Some are now arguing, however, that one structure doesn’t fit all, and that the compliance department can still be independent even while it resides inside the legal department.

The crux of the argument for cleaving the functions is that while legal has the job of protecting the firm, the role of compliance must always be free of potential conflicts of interest as it works to prevent and detect violations.

But is separating them a move that should be made universally? While it is hard to imagine objections to ensuring that compliance officers have adequate authority and resources, there is nevertheless backlash against blanket statements about the need to separate compliance from legal.

“I don’t think there is a right or wrong answer,” says Brian Rubin, a partner at the law firm Sutherland Asbill & Brennan. “If compliance does report through the general counsel’s office, there should be good communication, adequate resources, and privilege properly asserted at the correct times. But it depends on the business model, the people who are involved, and the compliance culture of the company. You may have a regulatory requirement to have a CCO for certain functions; the question is whether those duties can be performed adequately regardless of who that person is reporting to.”

Statistics on how many companies have split compliance and legal vary. The 2014 “State of Compliance” survey, conducted by PwC and Compliance Week, found that only approximately 20 percent of companies still have compliance reporting into the general counsel’s office. A larger number, 40 percent, emerged from research by Mitratech, a provider of enterprise legal management technology.

The numbers may not be as far off as they seem, and differences may come down to semantics and how roles are defined within each company, says Martin Goulet, project manager at Mitratech. More important, perhaps, is a finding that, no matter the organizational structure, legal and compliance remain intertwined. “The role of the legal department in enterprise compliance is more likely to increase than decrease by a 5-1 margin,” the Mitratech study says.

While Goulet expects the number of companies that separate legal and compliance to increase, “that doesn’t mean the involvement of the legal department is going to go away,” he says. “For any firm it is really about figuring out what is the right role for legal.”

“Irrespective of whether the reporting relationship is to legal or somewhere else, the legal department still has a pretty significant role, and in some areas that role is actually increasing,” Goulet says. “They tend to own the interpretation of regulations to make sure that the obligations are well understood.”

Even as more CCOs report independently to the board and C-suite, what companies are asking the legal organization to do regarding compliance efforts “is still fairly significant and in some areas definitely increasing,” Goulet says, adding that “regulatory change management” is one of the drivers—“here is a regulatory change, help me understand what it means to be compliant.”

While the relationship between GCs and CCOs continues to evolve, “there is no one-size-fits-all” solution and the relationship is best determined on a company-by-company, industry-by-industry level, Goulet says. Nevertheless, many companies are reorganizing due to regulatory pressure. “Who wants to fight that fight? If you end up in a compliance dispute do you really want to be arguing over why you didn’t have your organization structured the way some people say is best practice?” he asks.

Function Over Form

It is possible to maintain an effective compliance program that reports into legal, says Ben Heineman, a senior fellow at Harvard University’s Belfer Center for Science and International Affairs, former law clerk to Supreme Court Justice Potter Stewart, and one-time general counsel and secretary for General Electric.

“Both the CCO and GC must be strong independent voices on ensuring that high performance is fused with high integrity,” Heineman says. “The CCO is critical in driving a uniform approach to compliance on everything from code of conduct to education and training to ways in which substantive experts can assess and mitigate risks. Technical and organizational formalities may vary, but what is important is a strong partnership between the CCO, GC, and CFO under a very committed CEO. As always, it is function, not form that matters.”

A combined role could make sense depending upon whether the CCO is viewed as part of senior management, Rubin says. “If that person is reporting to the general counsel who works well with them and is viewed as part of senior management, that still gets compliance a seat at the table. It depends on the role of the general counsel and his or her background. If he or she isn’t on top of compliance-type issues, and is dealing more with contract or employment law for example, it may not make sense.”


Research by Mitratech found that general counsel/legal held primary responsibility for the firm’s enterprise compliance program in 40 percent of firms it surveyed. But, despite a push for separation, the role of the legal department in enterprise compliance is increasing as the responsibilities of the CCO and GC become more tightly intertwined.

[Charts: “Role of Legal Department in Enterprise Compliance” and “Change in Role of Legal Department in the Last 18 Months.” Source: Mitratech.]

Rubin points out some advantages a company might find from linking legal and compliance. For example, because the general counsel is actively involved in strategic business decisions, and frequently consulted by senior management, they may have greater insight into potential compliance issues. Matters may also be more quickly resolved with combined functions due to the increased clout legal often has.

There is an important warning, however, for companies that do not split the two functions. “The compliance function is not protected by attorney-client privilege, because it is a required function and regulators would not agree that the communications compliance folks have are protected,” Rubin says.

Pushing Back

William Ide, a partner at law firm McKenna Long & Aldridge and chairman of The Conference Board’s Governance Center Advisory Board, doesn’t think that regulators should push companies to separate the functions. “My greatest concern is that the enforcement community has manufactured this concept that the general counsel should not be the chief compliance officer, or have compliance report to them, because they have a ‘conflict of interest’ because they are management,” he says. “That is a total misunderstanding of what lawyers do. They have ethical obligations to represent the entity. They don’t represent management.”

In his view, it is still the chief legal officer who has ultimate responsibility for making determinations concerning an entity’s compliance with laws, and “pressures to the contrary effectively deny entities the right to counsel.”

The goal, for each company as it builds a compliance program, “should be to get the right system in place for it to protect itself,” Ide says. “The enforcement community is wrong to say that the compliance function and legal cannot be intertwined and acting as though there is some kind of inherent conflict of interest. That’s just wrong and defeats the concept of self-policing, because you need to turn to your lawyer to make sure you don’t violate any laws.”

Whatever approach a company takes to the once joined-at-the-hip role of legal and compliance, the ultimate goals remain the same: “The most important things are good communication, adequate resources, and the overall culture of the firm,” Rubin says.

