
CHEAT SHEET
- True to the roots. Compliance professionals can best serve their organizations by staying true to compliance’s roots and core expertise of criminal and regulatory issues.
- Effective. A compliance program’s success is measured by its effectiveness. It shouldn’t address too broad a range of issues or outpace its capabilities.
- Quality over quantity. While it can be tempting to run all issues that arise by compliance professionals, overloading the compliance department can be a liability concern.
- RACI. Use the RACI (Responsible, Accountable, Consulted, and Informed) model to help the compliance program stay focused on relevant matters and know where it should rely on others for subject matter expertise.
As compliance programs have grown exponentially over the years, the question for companies that utilize them is: Where does the compliance domain end, and where should other professionals take responsibility?
Many current compliance professionals feel they are in the front seat of an intense roller coaster, with only a loose seatbelt securing them. During these uncertain times, compliance programs face new pressures to address societal concerns that may be beyond the scope of the traditional compliance department.
Ask: How can compliance professionals best serve their organizations? While we may work in different industries across the world, the answer lies in staying true to compliance’s roots, core competence, and goals.
The challenge is to find a principled way to define compliance’s areas of responsibility. “Compliance” is an elastic concept. If expanded too fast or broadened too much, a compliance program’s effectiveness will suffer. This article will examine the foundations of a compliance program and how that history can guide today’s approach to the subject of compliance. By understanding its history and breaking down responsibilities through the RACI (responsible, accountable, consulted, informed) chart, in-house counsel can help ensure the compliance department is effective and fulfilling its mission.
Where to start?
Compliance as a discipline arose from criminal law. In looking at the growth and development of compliance programs over recent years, we need to be cautious when law-based compliance programs face pressure to address fuzzier, social/business risks. While companies should evaluate and address societal concerns, the questions relate to the topics, and the extent to which compliance professionals should handle general business risks and societal issues.
The key metric for judging the success of a compliance program, according to the US Department of Justice and the Sentencing Commission, is whether it is effective. If programs expand too far too quickly, then they’ll likely outpace their capabilities. Attempting to address too broad a range of issues risks similar deficiencies. One way to make something ineffective is to overload it. That is the risk we run when we expect compliance programs to focus on quasi-legal issues.
The history of compliance programs
Until a few decades ago, the responsibility for policing the behavior of business entities rested on public officials, including regulators and prosecutors. As business grew in scope and size, government officials realized that the balance of power between consumers and businesses was shifting dramatically in favor of business. Enhanced regulation re-balanced that dynamic.
The increasing application of law (both statutory and regulatory) to business operations caused businesses to increase efforts to comply with existing regulations in order to avoid fines, greater intrusion into their operations, and the resulting loss of market capitalization. Companies also began to pay greater attention to the actions and attitudes of government officials and the need to adhere to their expectations that arose from enforcement of these new laws and regulations.
Until the 1970s, compliance was not often addressed in legal literature. In that decade, certain federal statutes, such as The Occupational Safety and Health Act of 1970, created considerable incentives for businesses to approach compliance with renewed zeal. In response, many companies implemented compliance programs. New federal statutes addressed bribery of foreign government officials, antitrust, workplace safety, environmental matters, and equal employment opportunity, among other areas. Most efforts focused on narrowly defined areas of legal risk in response to those statutes, though a few companies also started to issue broader codes of ethics or conduct. One of the earliest companies to adopt a code of conduct was Johnson & Johnson. Our Credo (as that code was titled) was written by Robert Wood Johnson of that firm in 1943.
While some laws applied to companies in all sectors, certain industries, particularly ones that existed within strong regulatory frameworks, faced heightened scrutiny. Consequently, companies in those industries were among the earliest adopters of compliance efforts. The nuclear power industry is a notable example because it also included government on-site participation to ensure safety.
Most early compliance programs focused on specific legal risk areas — they were not expected to address general business risks and societal issues. In the environmental arena, for example, considerable liability existed for companies. Businesses, such as paper mills, that produced various types of contamination encountered compliance challenges distinct from those faced by a lender or equity investor. Due to the ubiquity of real estate in a wide range of businesses, though, environmental compliance, tailored to each company’s particular needs, became commonplace for a broad swath of companies.
Workplace safety and equal employment opportunity laws and regulations (at federal and state levels) also impacted a wide range of organizations. Their breadth and depth led to internal compliance programs.
Because those compliance programs addressed specific areas of law, they relied upon the expertise and efforts of the organizations’ experts in those fields. Those who did antitrust compliance were antitrust lawyers, not compliance professionals. They saw no connection to comparable practitioners in FCPA, environmental, or equal employment law. Compliance was simply a part of each distinct legal area.
As various scandals emerged, society developed heightened standards and expectations vis-à-vis corporate activity. These were most evident following the Enron, MCI WorldCom, Waste Management, Adelphia, and Tyco scandals, where significant prosecutions followed. These scandals led to the Sarbanes-Oxley Act (with potential CEO and CFO personal liability). The resulting pressure led organizations to weave actual compliance into the corporate fabric — such as steps for employees to escalate disagreements within companies over potential material misstatements.
The most compelling impact these scandals had was not the fines but the significant drop in the companies’ stock prices. It took years for some of these companies to recover the loss of their market cap. Others, like Enron, collapsed completely. Large public companies can weather a one-time multi-million dollar fine easier than investors’ wrath following a steep and prolonged loss of share value.
US Sentencing Commission’s Organizational Guidelines
Taking a broader look at compliance programs, the Sentencing Reform Act of 1984 laid the groundwork for the compliance programs we see today. After considerable investigation, the US Sentencing Commission issued the Sentencing Guidelines for Organizational Defendants (Organizational Guidelines) in 1991. This created standards by which courts could evaluate the compliance programs of companies “in the dock” as part of a carrot-and-stick method of influencing corporate behavior. While these guidelines were designed to ensure consistent imposition of strong penalties for corporate crime, they also were intended to give organizations an incentive to have in place an effective compliance program.
They not only encourage corporations to exemplify “good corporate citizenship,” but also provide a means to “rehabilitate” corporations that have engaged in criminal conduct by requiring them, as a term of probation, to institute and maintain effective compliance programs.
That incentive consisted of possible “credit” during sentencing after a guilty verdict in federal court, which would result in a lower fine or lesser penalty. The guidelines contained standards by which judges could measure a defendant organization’s compliance program and determine whether it was “effective.”
The guidelines had a dramatic impact. First, they directed courts to provide a significant credit if a company could establish that it had an “effective” compliance program and, second, they provided a practical standard for gauging whether such a program should be deemed “effective.” They moved away from formalistic steps, which had been previously advocated, and embraced the use of genuine management protocols to prevent and detect misconduct.
These standards were substantially revised in 2004, and additional adjustments were added in 2010. The 2004 amendments, for example, made explicit the role of ethics as part of an effective program. They also clarified that incentives play an essential role in effective programs. A key message was that compliance programs should encompass more than limited, discrete subject areas.
It is noteworthy, however, that in 2004 the Sentencing Commission did not accept a recommendation of its Advisory Group that “an effective compliance program should be aimed at preventing not just criminal activities within organizations, but rather all ‘violations of law.’”
Instead the Sentencing Commission declared that a compliance program should be “designed to prevent and detect criminal conduct.” The decision cautions against expanding compliance’s role too far, particularly into civil business issues.
Compliance programs today
Compliance professionals run the risk of having too much responsibility. It’s important that those professionals avoid the possibility of their programs becoming the “junk drawer” of new or novel issues that their companies face. Not everything that comes across a compliance officer’s desk is necessarily the responsibility of the compliance department. While we all want to be team players, there is a liability concern when overloading a department, particularly the compliance department.
Company leaders need to consider: “Is this really the compliance department’s job?” Or are they more of the attitude that I-asked-them-to-do-this-so-they-are-going-to-be-good-soldiers-and-get-it-done? It can be challenging to find a principled way to define compliance’s areas of responsibility. Simply put, what is appropriate for compliance personnel to handle and what is not? Leaders can start by asking: What are the core capabilities of the compliance team?
While it’s important for a compliance department to be agile, adaptable, and open to learning new things, compliance personnel should not stray too far from their area of expertise — criminal and regulatory law.
A reliable tool: The RACI chart
A helpful and venerable tool is the RACI chart, which enables you to assemble the appropriate group or team for a project or task. RACI stands for:
- Responsible (those performing a key activity or doing the work),
- Accountable (those ultimately accountable for the task who have final approval or veto power),
- Consulted (those needed to provide ideas, perspective, and feedback and to contribute to the project), and
- Informed (those who need to know of the decision or action).
The following three examples show how a RACI chart can be used.
Supplier background checks
The RACI chart can be used to create a process for conducting supplier background checks.
- Responsible — The purchasing team is most likely to be the responsible group as they will need to develop the processes and tools needed to implement the background check program.
- Accountable — The legal/compliance teams are more likely to be in the accountable group because they understand the general legal requirements for background checks.
- Consulted — The accounts payable team should be consulted on the steps to ensure a supplier is not paid until it passes a background check.
- Informed — The informed group should be those within the company who want to hire applicants or to contract with suppliers who need to pass background checks.
RACI applied in a practical way can help a compliance program to stay focused on where it should be involved, and where it should rely on others for subject matter expertise.
Conflict minerals
While supplier background checks are well established in most companies, a challenge lies in addressing emerging topics such as conflict minerals and human trafficking. Is this what a compliance department should be focused on, or is it in the best interests of the company for this topic to be managed by a different group?
In late 2009, the United Nations issued a resolution condemning the purchase of certain minerals from war-torn nations that were used to fund armed conflicts. The Dodd-Frank Act requires companies traded on US stock exchanges to review their suppliers for the purpose of identifying whether and from where suppliers purchase minerals identified as “conflict minerals.” In the case of conflict minerals, then, it is primarily a reporting function following an examination of a company’s supply chain.
We know there is an underlying “legal” requirement (reporting); now we need to decide whether this resides within the core competence of securities lawyers and investor relations or the traditional compliance function. Here is how the RACI tool might apply to conflict minerals:
- Responsible — Once again, the purchasing team is most likely to be the responsible group because they are the ones who can identify what, from whom, and where the company purchases raw materials.
- Accountable — Securities lawyers and investor relations are the accountable group because they understand the general legal requirements for sourcing conflict minerals.
- Consulted — The purchasing team can also serve this function since they can see from where suppliers are shipping their products. (Keep in mind your organization’s import and export group. They may have excellent knowledge on this topic, and you should tap into that expertise.)
- Informed — The informed group should be those within the company who want to hire the suppliers that would be subject to conflict mineral requirements.
Privacy issues regarding the General Data Protection Regulation (GDPR)
Fines are imposed by Article 83 of the GDPR, which applies to all businesses, from multinational corporations to small companies. Some violations are more severe than others, but nonetheless, there are fines attached to violating the legal requirements of GDPR. Let’s apply the RACI model to this issue:
- Responsible — Here, the responsible group may be comprised of many different players, including any department that collects, stores, or manages personal data (and any other data protected by GDPR). You will probably need a representative from each department: the sales force collects data for leads, purchasing collects data from suppliers, compliance may collect data from hotline reports, etc. You will also need a lawyer who can review contracts to determine the data agreements in each contract. Last, you will need a project manager.
- Accountable — The company’s data protection officer fulfills the accountable role because they understand the general legal requirements mandated by GDPR.
- Consulted — Here, an IT representative who knows how and where the protected data is stored is the best fit.
- Informed — The informed group should be all of those groups within the company who will be impacted by GDPR. Make sure to include anyone within your organization who collects or uses personal data, as they will need to be informed of their responsibilities when it comes to how to store and manage this data in compliance with GDPR.
Final thoughts
Challenges and differing views will always exist in deciding what compliance should and should not tackle. As a general rule, compliance should heed the Sentencing Commission’s guidance and stay reasonably close to criminal and regulatory issues. That is its core expertise. With new legal areas such as privacy, as embodied in GDPR and the California Consumer Privacy Act, some of the organization’s lawyers will need to scale a steep learning curve to help the entity navigate new, uncharted territory. That may or may not include compliance personnel.
Compliance does not need to take a leading position on business issues or societal issues, which are better left to business leaders who are well-advised by counsel. Societal issues are better left for Investor Relations and Corporate Social Responsibility teams to address with affected stakeholders.
While there is no inherently right or wrong structure for assigning and addressing new legal, quasi-legal, and societal issues, the recommended way is to identify the most knowledgeable, experienced, and affected people in your organization and apply the RACI model.
ACC EXTRAS ON… Compliance programs
ACC Docket
Is Your FCPA Corporate Compliance Program Up to Date? US DOJ Issues Revised Guidance (July 2020).
How to Define Your Domain as the Head of Compliance (Feb. 2019).
Checklists
Checklist: What to Include in your Compliance and Ethics Program (July 2019).
References
Private parties, such as muckraking journalists, sometimes provided or aided public officials, in the form of investigations and tips, not all of which were welcome. See e.g., MICHAEL WOLRAICH, UNREASONABLE MEN: THEODORE ROOSEVELT AND THE REPUBLICAN REBELS WHO CREATED PROGRESSIVE POLITICS, pp 53–77 (2014) (“The Muck Rake”). That role continues but is beyond the scope of this article.
Laws that created this additional incentive included the Foreign Corrupt Practices Act of 1977 (“FCPA”). 15 U.S.C. §§ 78m, 78dd-1 to -3, 78ff (2018). According to the U.S. Department of Justice (“DOJ”), “[t]he Foreign Corrupt Practices Act of 1977, as amended, . . . was enacted for the purpose of making it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business.” Foreign Corrupt Practices Act, U.S. Dep’t of Just., www.justice.gov/criminal-fraud/foreign-corrupt-practices-act (last visited June 13, 2020). It also included certain books and records requirements. See 15 U.S.C. § 78m (2018). The DOJ has responsibility for criminal enforcement; civil enforcement is shared with the Securities and Exchange Commission. See U.S. DEP’T OF JUST. & U.S. SEC. & EXCH. COMM’N, FCPA: A RESOURCE GUIDE TO THE U.S. FOREIGN CORRUPT PRACTICES ACT 4–5 (Nov. 14, 2012), http://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.
See Harvey L. Pitt & Karl A. Groskaufmanis, Minimizing Corporate Civil and Criminal Liability: A Second Look at Corporate Codes of Conduct, 78 Geo. L.J. 1559, 1574–600 (1990).
See Comprehensive Environmental Response, Compensation, and Liability Act (“CERCLA”), 42 U.S.C. §§ 9601–9675 (2018) (creating a statutory construct for governmental and private rights of action against “responsible parties” for the cleanup of contaminated property). Moreover, liability is joint and several (if the contamination from multiple releases over time is indivisible or several parties are responsible for a single release), strict and retroactive. See id. § 9607; United States v. Bestfoods, 524 U.S. 51 (1998); Steven A. Lauer, Address at the Meeting of the ABA Section on Real Property, Probate, and Trust Law: Environmental Risk Management for the Institutional Investor (May 1992). The cost of environmental remediation magnifies the potential financial risk that contamination represents. See 42 U.S.C. §§ 9607, 9609 (2018). Common law rights of action for pollution in certain contexts represent additional sources of potential liability.
JAY A. SIGLER & JOSEPH E. MURPHY, INTERACTIVE CORPORATE COMPLIANCE: AN ALTERNATIVE TO REGULATORY COMPULSION 19–30 (1988).
Robyn Watts et al., Corporate Scandals: Causes, Impacts, and Implications, International Journal of Pure and Applied Mathematics (Academic Publications, Ltd. 2018).
“Facebook - Stock Price History: FB.” Macrotrends, 6 Aug. 2020, www.macrotrends.net/stocks/charts/FB/facebook/stock-price-history.
“Waste Management - 29 Year Stock Price History: WM.” Macrotrends, 6 Aug. 2020, www.macrotrends.net/stocks/charts/WM/waste-management/stock-price-history.
Sentencing Reform Act of 1984, Pub. L. No. 98-473, § 211, 98 Stat. 1837, 1987–92 (codified as amended at 18 U.S.C. §§ 3551–3559 (2018)).
See U.S. SENTENCING GUIDELINES MANUAL ch. 8 (U.S. SENTENCING COMM’N 1991) (“Sentencing of Organizations”). While the Organizational Guidelines went into effect on November 1, 1991, the DOJ’s Environmental and Natural Resources Division had issued guidance recognizing compliance programs and describing what they should contain on July 1, 1991, four months before the Organizational Guidelines went into effect, but anticipating their standards. Factors in Decisions on Criminal Prosecutions, U.S. DEP’T OF JUST. (July 1, 1991) http://www.justice.gov/enrd/3058.htm.
Diana E. Murphy, The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics, 87 IOWA L. REV. 697, 703 (2002) (footnotes omitted).
U.S. SENTENCING GUIDELINES MANUAL § 8B2.1 (U.S. SENTENCING COMM’N 2018) (“Effective Compliance and Ethics Program”).
Id. § 8C2.5(f)(1) (“If the offense occurred even though the organization had in place at the time of the offense an effective compliance and ethics program, as provided in § 8B2.1 (Effective Compliance and Ethics Program), subtract 3 points.”).
Id. § 8B2.1.
Id. § 8B2.1(a)(2) (“To have an effective compliance and ethics program, . . . an organization shall . . . promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”); id. § 8B2.1(b)(6) (“The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”). In 2005, the U.S. Supreme Court held that the Sentencing Guidelines were not binding on federal courts, but courts nevertheless had to consult them in imposing sentences. United States v. Booker, 543 U.S. 220, 245 (2005). They have remained an important benchmark for compliance programs. Due to their incorporation into charging decisions by the DOJ, the Organizational Guidelines have had an impact greater than their direct application as courts consulted them during sentencing proceedings, as mandated by the Supreme Court.
Advisory Group Report, p. 54.
See U.S. SENTENCING GUIDELINES MANUAL § 8B2.1(a)(1).