Ep.27: Compliance and Legal are Different . . . Right?

Remember, you can always listen here or follow us on Apple Podcasts or Spotify. Either way, thanks for supporting us.

About this episode. In this episode, Zach and Hui trace how corporate compliance evolved from early antitrust enforcement to today’s legal‑dominated structures, showing how scandals, regulation, and enforcement—not a desire to “do the right thing”—shaped the function’s modern form. They also unpack why compliance so often reports into legal and why reporting lines rarely reflect the true power dynamics inside companies. 

The conversation then explores what compliance should be when it’s not treated as an extension of legal: a proactive, behavior‑focused, data‑driven discipline centered on culture, risk, and prevention. Zach and Hui highlight the skill sets compliance really requires and the limitations created by lawyer‑only leadership pipelines. Finally, they end with practical guidance for compliance professionals who encounter a limiting, overly legalistic approach to the discipline.

Who? Zach Coseglia + Hui Chen, CDE Advisors


Full Transcript:

ZACH: Welcome back to The Better Way? Podcast brought to you by CDE Advisors. Culture. Data. Ethics. This is a curiosity podcast for those who ask, “There has to be a better way, right? There just has to be.” I'm Zach Coseglia and I am joined as always by the one and only, Hui Chen. Hi, Hui.

HUI: Hi, Zach. Hi, everyone.

ZACH: Welcome back to The Better Way? We are talking today about what is really kind of an age-old question, which is the relationship between legal and compliance and how we got where we are in that relationship.

HUI: And what the significance and challenges of that relationship are—and also what do we do about them?

ZACH: Absolutely. I mean, let's dive right in. This is a topic that we've probably touched on from time to time, but one that really warrants a full discussion. And I think the best place to start here is actually with a little bit of a history lesson, Hui. And maybe you can take us back in time and help us understand how we've gotten where we are, and how and why corporate compliance functions have emerged and evolved in the way that they have.

HUI: Well, as someone who loves history, I can geek out on this forever, but I will restrain myself. I will give a very brief overview, which is really that corporate compliance functions have emerged and evolved in response to regulations, scandals and enforcement.

ZACH: Wait a second. So, you're saying that it hasn't emerged and evolved because of companies’ desire to “do the right thing” and maintain and advance their business with a focus on ethics?

HUI: Shockingly, no. I wish you, the audience out there, could see the big grin on my face as Zach was saying that. Sadly, no, not exactly. The earliest roots of modern compliance date back to antitrust enforcement under the Sherman Antitrust Act and the Clayton Antitrust Act, which came into place at the end of—the very end of—the 19th century. Early compliance under these laws was often little more than written policies, which really hasn't changed that much for some companies, even to this day. While major corporations like General Electric, Westinghouse, Carrier were prosecuted in the 1960s for price fixing despite having internal antitrust rules, it became clear that a policy on paper does not equal prevention. Voila! Something that we still need to be reminded of today.

ZACH: That's right.

HUI: In fact, when General Electric used its antitrust compliance policy as a defense, the court questioned whether the policy was there to prevent wrongdoing or was it there as window dressing. And that's the actual phrase the court used: is it window dressing to give senior executives an out when they're caught so that they can point to the policy and say, see, but we have a policy. So, that question planted the seed for what would become modern compliance, which is the expectation that companies build systems that would actually work. Then, in the 1970s, a whole new wave of new laws and regulations and enforcement bodies came into place. Foreign Corrupt Practices Act, the Bank Secrecy Act, the Environmental Protection Agency, the Occupational Safety and Health Administration, the enforcement arm of SEC—all came into place in the 1970s.

These laws and regulations expanded corporate obligations across a whole set of different areas: corruption, environment, workplace, financial. So, now, companies faced complex requirements and had to learn how to build internal infrastructures to meet these requirements. By the 1990s, compliance started to be a recognizable part of corporate governance. The addition of the organizational sentencing provisions of the US Sentencing Guidelines in 1991 created incentive for effective, and that's the word that was used in the new part of the US Sentencing Guidelines, effective compliance programs to mitigate penalties. And in the 1996 case, Caremark International, the Delaware Chancery Court made clear that directors have a duty to attempt in good faith to ensure oversight and reporting systems exist. So, now board-level accountability for compliance is explicit.

Then came Enron and WorldCom, leading to the Sarbanes-Oxley Act, which further institutionalized compliance through mandatory ethics codes, financial controls, and executive certifications. Now, moving to the 2010s, we are seeing record-setting corporate fines across industries, showing the scale of enforcement and growth of the compliance industry itself. We have Deepwater Horizon in 2010, a $20.8 billion fine. It was the largest criminal fine against a company until VW. Some of the biggest names in financial services, Bank of America, JP Morgan Chase, Citigroup, Goldman Sachs, paid billions in fines for their role in the 2008 financial crisis. Large pharmas, Pfizer, GSK, J&J, Eli Lilly, Abbott Laboratories, they all paid billions for off-label promotions and kickbacks. Again, more scandals. Looking back, it all started with laws and regulations, scandals for breaking them, and then more laws and regulations. Lawyers prosecuted and defended these cases, drafted the laws and regulations, advised on them, and understandably played a very big role in the birth and growth of corporate compliance.

ZACH: Indeed, what a history lesson. And it's -- it's so valuable to hear all of that because we know this, but we don't hear folks talk about the history nearly as much as maybe we should . . . when we're sort of talking about how we got where we are and why things haven't actually changed as much as we'd like them to. But when you look back, you really kind of begin to understand why the decisions that are still made today are being made.  And on the other hand, I find myself hearing that history lesson and chuckling—somewhat sarcastically—that a court all the way back in the 1960s was questioning policies and compliance programs as potential “window dressing.” And yet, here we are today, in 2026, and I'm not actually sure that much has really changed. A lot has changed, for sure, but still that policies and process over outcomes is still a real issue in the discipline.

HUI: No kidding. And we still do see it pretty frequently.

ZACH: Yeah, we do. We do indeed. Let's talk a little bit more about the composition of compliance programs today: who they are staffed by, what their focus is, and maybe even more so, where they sit within an organization. Now it's often difficult to do a really accurate, in-depth cross-industry assessment of where corporate compliance programs sit within an organization. I don't think that there is a sort of singular compendium that has told that story, and sometimes the story that's told publicly isn't necessarily the full story of how things actually operate within all of these various companies.

HUI: Very much so.

ZACH: That said, when we look across some of the biggest companies in the world, taking for example the Fortune 100 and using publicly available information, what we see is a real bias toward having corporate compliance staffed by lawyers in most cases and reporting into either the general counsel or the chief legal officer. Again, it's difficult to be super, super precise, but from our research it looks like about 50% of compliance programs or compliance officers within the Fortune 100 report directly to the GC or the Chief Legal Officer. Then you have, kind of, a smattering of placement in other places, a small percentage, less than 20%, reporting directly to the CEO; another small percentage reporting directly to a Chief Risk Officer or a risk organization that may itself report into the CEO, but more often than not is part of an operational function within the organization that then ultimately reports into the chief executive officer; you see a very small percentage, less than 5%, that are reporting directly to a board. And again, to this point about what's publicly available versus what is happening in reality, oftentimes, when you see that board reporting relationship, it comes with a dotted line to someone else internally, and that someone else internally is often the general counsel. And operationally and logistically, that typically means that while there's independence through the board reporting relationship, there's also the opposite of that, I guess in some ways, because that chief legal officer / GC / or other person internally is the person who's giving reviews, making decisions about promotions, approving budget, oftentimes is . . .

HUI: And head counts, yeah.

ZACH: . . . and headcount . . . and oftentimes is also in some ways an arbiter of what messages get to the board, because that dotted line ultimately winds up acting like a pretty solid line. And then you have a small percentage, somewhere between 10 and 15%, that are reporting in hybrid structures with dotted lines in this direction, solid lines in that direction. Or simply reporting to other parts of the organization, whether that's a chief operating officer, in rare cases a chief financial officer, and in other cases other executives. But the predominant placement is, I think, unquestionably to the general counsel, to the chief legal officer. And that's looking at the Fortune 100. It gets even more likely to have reporting into the chief legal officer or the general counsel in smaller organizations where there's less room for an additional executive to report directly to the CEO, and in most cases, far more than 50%, you see that person ultimately being sort of a next-level executive reporting into someone else, and that someone else is often the GC.

HUI: That's so . . . I mean, that's so not surprising. But I also want to, you know, say that as we all know, right, that org chart only tells the—the formal story, but not the . . . not necessarily the real story. I always remember a—a compliance officer once told me that he was interviewing for a job—at a job as a CCO—and he was told that he would be reporting directly to the CEO. So, during the interview he wanted to confirm that, so he said, you know, so I would be reporting to the CEO; and the general counsel who was conducting the interviews said yes, yes, you'll be reporting . . . on paper, you will be reporting to the CEO. But let's be realistic. He doesn't have time for you. So at least they're honest.

ZACH: Yeah, yeah. I mean, that's . . . yeah, I guess at least they were honest, but it's a story that we hear, we hear a lot. And what I think is really interesting also about those places where you do, especially in larger companies, those places where you do see a truly independent function, whether it's reporting directly to the board or reporting directly to the CEO: what you also typically will find is that there's a reason for it, and that reason looks a whole lot more like the history lesson that you gave us, rather than a true inherent commitment to a culture of ethics and compliance. There are a lot of examples of chief compliance officers reporting to the CEO because it was mandated by a corporate integrity agreement or by a DPA or by some other form of enforcement, some form of settlement. And there also are many stories where that has been mandated as a result of some sort of settlement or some sort of enforcement action, and as soon as that agreement lapses or expires, you see the compliance department shifted back . . . no longer reporting to the CEO and often now being part of the general counsel or chief legal officer organization.

HUI: Almost always. Almost always, yes.

ZACH: Almost always, yeah. So again, it's this really interesting reality on the history side, seeing how the -- the function has evolved and grown, often driven by laws and enforcement; and then on this like very specific question of where it reports, in those places where it has been more “compliance friendly,” it's often also been driven by enforcement and law rather than a true cultural, organizational, leadership driven commitment to the discipline.

HUI: Yep.

ZACH: Okay. So, that's where we've been. That's where we are today. Let's talk a little bit about, I think frankly, I think that the way we've introduced both of those, our own bias has probably showed a little bit in terms of where we think it makes the most sense for compliance to sit. But let's talk about the reasons why it actually makes sense. Why should compliance sit within legal? Or why is it a pseudo-legal function?

HUI: I think the first thing that comes to mind on that is, is what I referenced earlier when I was talking about the history, which is lawyers have played a very, very big part in all the development that's led to the rise of corporate compliance. So, the nature of compliance work often does involve interpreting laws and regulations, and that is very much a legal expertise. So, housing compliance in legal helps make sure that there is alignment on regulatory change, interpretation, enforcement trends, risk analysis . . . so that seems to make sense.

ZACH: Yeah, yeah, 100%. And I think as an extension of that, there’s also the regulatory and enforcement expectations that come in the direction of compliance. And regulators and law enforcement are themselves often lawyers, and they are creating sort of legalistic standards and expectations that the compliance function is required to respond to. And so, what's really interesting about that to me is that we sit here and we talk all the time about, as we will more in a moment, the behavioral components, the sort of data-driven, measurement-focused approach, the need for sort of a multidisciplinary point of view. And yet, if we're being honest, at the end of the day, the people who are sort of judging compliance when things do go wrong are lawyers.

HUI: Exactly. And that is a huge part of the equation.

ZACH: Yeah, yeah. And I guess what that means for me is that for all the criticism that we sometimes have of compliance functions and the discipline’s need to evolve, I think that the same applies on the enforcement side. We need to see more non-legal expertise on the enforcement side to ensure that there's balance between what people are doing and what people are expected to do.

HUI: I think unfortunately I don't see that coming anytime soon.

ZACH: No, for sure.

HUI: But I do . . . I do believe and -- and you know we -- we talked about this entire function and profession being driven by scandals, right. And -- and we laughed about how it wasn't driven by a desire to perform better—to, quote, do the right thing, which is what people say day-to-day, right? But I think the real change would have to come from that kind of desire . . . and that kind of desire coming from your stakeholders: everybody from senior management to boards to your communities, your customers. And it's not an abstract sense of “let's do the right thing.” We have criticized that a number of times now; we won't go into that here, but if anything, just to make sure that the effort that you're making on all these compliance projects actually does some good for the company.

ZACH: Yeah, I mean, it's . . . I guess my mind goes to what would have to happen on the enforcer side or the regulator side to drive action because that's always been what's motivating it. And I think that you make a really interesting, provocative, but also kind of common sense point that change really has to come intrinsically. It has to come from that place of . . . it has to come from the place that you constantly are talking about when you're promoting your program internally and externally, from a true desire to effectuate change and to shape behaviors.

HUI: And . . . and if you do that right, you hopefully will never end up before a regulator enforcement having to explain things.

ZACH: Well, 100% and that's kind of always been my point about all of this, yeah.

HUI: Exactly. You don't want to be one of those companies that's named as, well, that this is why we have this new law, because of this company. This is why we have a new round of enforcement because of this company. You don't want to be that.

ZACH: That's right. All right. So we've talked about the legal expertise alignment. We've talked about the regulatory enforcement expectations and alignment there. What are some of the other reasons why it makes sense for this to be viewed as a semi-legal function?

HUI: And I think it's also just efficiency and coordination, that they share resources and, you know, legal and compliance have shared interests in investigations, regulatory monitoring, policy drafting. So, if they're together, it theoretically means better efficiency and more coordination. Part of that efficiency and coordination also includes things like escalation. High-risk compliance issues oftentimes do have legal implications, so legal wants to have sort of a first cut at monitoring and deciding how to escalate and handle some of these high-risk issues. So again, from the coordination and efficiency point of view, those considerations seem to make sense.

ZACH: It's -- it's funny, I don't disagree with anything that you've said. I think though that the reality is often that it doesn't lead to efficiency and coordination. It often more leads to turf wars or—or a lack of clarity around roles and responsibilities.

HUI: Well, there's the theory, and then there's the reality, right?

ZACH: That's right. The theory is great. The reality sometimes isn't so great. Yeah.

HUI: Yeah. Exactly, 'cause you got human beings in the mix.

ZACH: You do. Human beings . . . We are a . . . we are a challenging bunch.  Now, there's another way to look at the efficiency, coordination and escalation points, though, and that really comes down to thinking about other functions that exist within an organization. You know, finance, for example: well, they're in the business of implementing accounting standards. They're dealing with securities regulations. They're dealing with tax law. HR is implementing labor law. They're, kind of, thinking about and implementing programs and policies around anti-discrimination law and benefits laws, both, you know, at the state level here and globally for a large organization. You've got ESG functions or sustainability teams that are focused on implementing environmental law and disclosure requirements and governance standards. You've got operations teams that are implementing safety laws, perhaps, or product regulations or other industry standards. All of these other functions exist within an organization in many cases, and most of these other functions aren't dominated by lawyers. You know, finance is staffed by accountants and controllers and auditors. And HR is staffed with human resources professionals. And there really is never the same tension between those functions and legal in the way that there is between compliance and legal. And I can't . . . I want to get your thoughts on why that is.  But I can't help but come back to the history lesson that you just gave us, which is that because compliance functions largely emerged in response to legal and enforcement risk in areas like anti-bribery and corruption, securities regulation, banking regulation, healthcare fraud and abuse . . . that their composition and that tension with legal today is somewhat just a weird kind of anomaly of historical reality or of coincidence.

HUI: Yeah, I have to think that's the reason. I also think that, really, in the earlier days of the compliance profession and function’s development, people took it as a matter of course that, since the way it arose was because of the enforcement and the laws and all of that, it was sort of natural that this was just part of the legal function. And there were probably legal departments doing compliance before they started calling themselves compliance. So, which isn't true with these other functions. They have very distinct things that they're doing that are different from the legal function, and I think that goes to part of the challenges, you know, we're going to talk about this a little bit later, which is, what is that distinction for compliance?

ZACH: Yeah, yeah. There's one other kind of justification or reason that we hear all the time around why compliance is sort of pseudo-legal or part of legal, and that's the wonderful age-old, often misunderstood concept of attorney-client privilege. So talk to us a little bit more about why that actually may be a valid consideration in thinking about where compliance should live.

HUI: We're talking about the application of attorney-client privilege to certain types of compliance activities that the legal function or companies want to have covered. And that typically goes to advice on whether you can do something. Would that be compliant or not? Not -- not under your policy, now . . . this is, would this be compliant with law or not? And investigations, right? Investigations are where you oftentimes do anticipate litigation as an outcome of your investigation. So, you want to make sure that all the information back and forth on how you're handling it and the information you're retrieving are covered by attorney-client privilege, or the anticipated litigation that may come afterwards. That's how it started in terms of wanting to have privilege protection for compliance activities. The problem is: compliance activities are a lot more than that, a lot more than just legal analysis of whether something is compliant with laws and regulations. To me, the compliance consideration is, is it something that we should be doing? Is it compliant with our values and our own policy stances, right? So, to me that's a different analysis than is this compliant with the law. And investigations also have different components. You -- you can look at investigations in a way that is purely for the protection of the company to minimize liability. But you can also look at investigation as a way to understand what is going on in your organization, finding root causes of misconduct. So, you have the overlap between what legal wants to get out of these communications and activities and what compliance wants to get out of it. There is that notion that if we just put all compliance under legal, everything will be privileged. And somehow, the compliance and legal community in-house have come to believe that if you just put something under legal, there'll be this magical umbrella covering everything you do.

ZACH: Yeah, first, yeah.

HUI: And that is really strange to me, considering that this is oftentimes driven by the legal function, is the lack of a robust analysis of what exactly is the legal protection, legal privilege protection here. Because it does not automatically extend to everything that the legal department houses. That's just not how privilege works. But what I have almost never seen is a robust analysis of this is how the privilege applies, and this is why, and this is exactly what it covers.

ZACH: Yeah, yeah. I mean, we've talked about this before. I fully agree with that. And I think that the—the result of an over-inclusive or perhaps an overly sort of advantageous interpretation of the attorney-client privilege is, one, often reduced internal transparency. It's . . . we use it as a shield to actually share information that could be helpful to advance the program . . . to better shape behaviors . . . to inform people about what's happened. A great example of that is in the—the speak-up and culture space. But oftentimes a decision is made not to share meaningful data around that because of the fear of how that information could potentially be used against the company. And what winds up happening is reduced transparency. I also think you sometimes see in the investigative space kind of reduced operational integration.

HUI: Very much so.

ZACH: You know, we talk all the time about, you know, when things have gone wrong and there are disciplinary decisions to be made or remediation that needs to be put into place. Sometimes, you wonder whether or not those things can actually be effectuated when the pool of people who are brought into the circle is so small and, as a result, the people who are ultimately running a business that has been subject to an investigation may not always have all of the information that they need to actually respond and to fulfill their accountability as a leader of that business, because privilege has been used to shield them from some of that information.

HUI: We've definitely seen this in our work with -- with companies. I also will say that one of my most memorable moments at DOJ was when a company's general counsel and their chief compliance officer were before the DOJ. And we got into a discussion about some of the investigations and the CCO was visibly surprised by what she was learning about the company's investigation. And that, let me just tell you, did not make a good impression. Not of this . . . not of the CCO, but of the general counsel who clearly withheld information from compliance.

ZACH: Wow. Wow. Well, that's a -- that's a real cautionary tale there. All right, well, let's continue this line of discussion and talk a bit more about some of the issues. We've talked about some, but some of the other issues that have arisen as a result of the compliance under legal structure. This is really, I guess, the cons, so, we talked about some of the reasons why it makes sense. Wait, what are some of the reasons why it doesn't?

HUI: Well, we referenced this, the independence concern, right. So reporting into legal can create perceived or actual conflict of interest because oftentimes legal's role is to defend the organization and compliance's role is a little bit broader than that. So, that's one area of concern.

ZACH: Yeah. Can I . . . let me jump in here on this one too though, because what's the . . . what is the option that actually resolves the independence concerns? One alternative to reporting into the general counsel is reporting into the CEO, but query whether reporting into the CEO is actually addressing independence concerns in any meaningful way, because at the end of the day, you're then directly accountable to the CEO, who may in fact be part of the problem . . . and telling them that they're part of the problem may not be a particularly thoughtful path to career success for said Chief Compliance Officer.

HUI: Reporting to the board had always been a preferred, you know, reporting line for compliance, but as you pointed out, that actually happens rarely.

ZACH: And even when it does, as we talked about, are you really reporting to the board? Is the board really the entity that's accountable for you and your people and your career and your budget? Or are they simply the entity that you're reporting to . . . to make it look like there's independence, when in reality there's no more (and probably no less) independence than if you were just reporting directly into someone else within the executive structure.

HUI: Yeah. So when -- when I was at DOJ, the way we looked at it was certainly way beyond the reporting line. It has to do with who actually controls your budget and headcount. We look at communications patterns. So are you communicating? You know, you may not be reporting to the board, but you actually have a relationship with your board that you're regularly communicating with them, you know that helps.  So, you're looking at what is happening day-to-day? Who are you talking to? You're looking at decisions about hiring and firing, who gets to hire and fire the compliance officer. So you have to look at that package as opposed to just strictly reporting lines.

ZACH: Yeah. Oh, it's interesting. It's much like compliance itself. It's a complex analysis that isn't black and white, right or wrong. It's nuanced and requires a precise discussion. All right, I interrupted you. So what's another kind of con to this compliance under legal structure?

HUI: And of course, that would be the differences in approach. Compliance is ideally more proactive, behavior-focused and system-oriented, and legal is much more reactive and risk-minimizing. So, those are different approaches, different orientations, and housing them together can create tension because of the differences in approach.

ZACH: Yeah, for sure. Well, and differences in approach often require different skill sets and—and that really leads to another of the big cons to compliance under legal, and it's the underdevelopment of the non-legal skill sets that are required to really do compliance effectively. That could be data analytics for better risk identification. It could be data visualization for better internal storytelling. It could be behavioral science and human-centeredness to really build systems and processes and procedures and controls that are going to meaningfully shape human behavior—and not simply check a box on a list of things that need to be done, whether it's a training or a policy or a procedure.

You know, it's funny because, I mean, we're both lawyers, so I feel like we have, you know, some amount of grace to be able to be a little critical of our chosen profession and our training. But I hear from lawyers all the time, probably more than any other profession, things like, well, I didn't go to law school to do math. It kills me. I hate it. It makes my skin crawl. But let's just say that that is in fact the case. Well, great. I think there's math involved in compliance. So let's get people who can do it so that the -- the -- the profession and the discipline can advance. I similarly hear lawyers often say things like, I'm not creative. Well, I think compliance is a discipline that demands creativity. So again, let's get people who are creative to be doing some of these things, rather than relying on a skill set that simply doesn't align with the work that needs to be done.

HUI: So, I have to sort of laugh at this because I, you know, I am not good at math, and I am not terribly creative. So I am both. But I have . . . I cannot imagine why people think it's okay to say that and then not do anything about it. The reason actually comes from my training and experience as a trial lawyer. I may not be creative, but I need to figure out how to tell a story to the jury so that they would give me that, you know, verdict that I'm persuading them to -- to render. I have to make things understandable to them so that they would reach that decision. I have to give them evidence. I can't just get up in court and say, look, ladies and gentlemen, find this person guilty because I said so, right? So, all of these things that are . . . that we've been talking about that compliance needs to be, that evidence-based, that very human-centered approach, that storytelling, data-driven: it's all so that you can convince your stakeholders, like a jury. Of, you know, of the risks that you want them to understand, of the actions that you want them to take. So if you don't know how to do it, and I admit I'm one of those people who don't know how to do it, you work with people who can help you. Nobody can do everything. But this is why, you know Zach, you and I make such a great team, because you are super creative and you are great at data and you are also a great lawyer, so . . .

ZACH: I appreciate that. I disagree with your assessment of your creativity. I think that you are a very creative person. You just don't . . . You don't realize it, or you don't see the things that you do that I see as creativity, as being creative. But here's the bigger issue with this: even if you have a compliance officer who acknowledges that maybe they aren't good at these things and therefore hires people or builds teams that have these things. My issue is the discipline of compliance or the -- the career path for people within compliance is still terminally limited because the boss's job, that big job of being the Chief Compliance Officer, is often off limits to people who weren't lawyers. I see so many programs where the chief compliance officer is a lawyer but builds teams that include analysts and data visualization people and data scientists and behavioral scientists; but most of the time, they're never going to become the chief compliance officer because the view is that we need these people, but the chief compliance officer ultimately needs to be a lawyer. And I just think it's really hard to recruit good talent and to retain the good talent that you have when the possibility of the top job is sort of off limits from day one, where these folks wind up maxing out fairly early in their careers because of this view of the function needing to be sort of legally driven or legally led.  And I don't think it needs to be; for all of the talk that we have around multidisciplinary teams—and frankly all of the progress that we've seen on that front—I don't see a whole lot of folks with that multidisciplinary skill set rising to the level of being Chief Compliance Officer . . . and that's a problem.

HUI: Yeah, that's a limitation. Absolutely. Yep.

ZACH: It's a real limitation. All right. So we've talked about difference in approach, we've talked about independence, we've talked about under development of skill sets and career paths. Let's talk a little bit more about the mandate and how compliance actually has a broader mandate; that legal . . . that is incompatible in some ways with the confines of a legal department.

HUI: Yes, compliance has a broader mandate, I think, than legal. Legal is there to address legal advice, legal risks. But modern compliance goes far beyond legal risks. It includes culture risks, ethics, third-party risks, data analytics, and training effectiveness. A legal structure that focuses mostly on legal risk would narrow the scope of the compliance mandate.

ZACH: Absolutely. I was actually having this conversation with someone recently in the context of training where they were telling me that they had just hired a big law firm to do a compliance program assessment for them, which in and of itself made me a little sad. But when they . . . so they described to me one of the key questions that they were responding to in the context of this assessment, and it was a gap around not doing anything meaningful when a certain percentage of people were found to have not taken their training. So, they had a 98% or 99% training completion rate—and the assessment’s question to them was, well, what about the one or 2%? What are you doing with them? And my response was . . .

HUI: That makes me sad.

ZACH: . . . it makes you . . . my response was, as I'm sure yours would have been, that they're asking the wrong question. I mean, I suppose that's a fair question to ask, but the bigger question is, what are you doing about the fact that that one to 2% who didn't take your training learned exactly the same amount as the 98% who sat through it?

HUI: Exactly. Exactly.

ZACH: And that really goes to a lot of the things that we've talked about from legalistic approach to the breadth of the mandate to the skill sets involved . . . and being able to ask that question that I think is the better question is one, a sign of a more advanced, sophisticated approach to compliance. And one that goes beyond just the law.

HUI: Yeah.

ZACH: Okay, so we've beaten that dead horse. Now let's talk about what compliance is, anyway, if it's not legal. This is a bit of an existential question, but what is it if it's not legal?

HUI: I think we're going to have to look at this from -- from multiple perspectives; let's start with the mission. I would define the legal function's mission as to protect the organization's legal interest, interpret laws, defend advice. That's what I think a lawyer's function obligation to a client is. Compliance's mission in the company, I think, is different. It is much more prevention focused. It is to prevent misconduct, to design and oversee systems that promote ethical and lawful conduct. So it's much more than just giving legal advice and minimizing legal risks, but it's really to promote a certain type of behavior, promote and enable that kind of . . . that kind of behavior.

ZACH: Absolutely. I think another dimension that we could look at it from is sort of . . .  I guess maybe that the time horizon, you know, a legal function is often, not always, but often more reactive. It's more event driven. That event can be a dispute, it could be an investigation. It could be a transaction . . . but it's often still reactive. You don't do a risk assessment once. You do it continuously. Monitoring is an inherently proactive thing. It's not done because something has gone wrong. It's done because you're trying to understand how people are behaving so that you can detect issues and ultimately remediate them. Culture is the very definition of a proactive exercise . . .  

HUI: Yeah, you know how I like medical analogies. As -- as you're talking, I started thinking that really legal is more like surgeons and compliance is more like primary care.

ZACH: Absolutely. I like that.

HUI: Right. Primary care is health maintenance. You know, then you make sure you do your regular checkups. You know, you try to screen out some of the, you know, health risks, all of that, but when you do have a big problem that requires surgery, then you go to surgeons. It's not an exact analogy, but sort of reminded me of -- of that comparison. So . . . but I also want to go to something that I always say is the key question that drives the function. And to me, this is a big difference. So to me, the lawyer's question is what does the law require and how do we protect the company? And oftentimes that translates into can we do something? Compliance is more about how do we make sure the organization consistently meets the requirements of the law and the values articulated by the organization in practice. So, it's more like a "should we do something?" "Can we do something?" and "should we do something?" are very different questions.

ZACH: And I think that that in fact dovetails well with another distinction between the two, and that's really around risk. It's . . . legal is really focused on legal liability and exposure. And this isn't to say that they're not focused on other things at times too, but in the same way that you frame that key question as can we versus should we: if legal is more focused on liability and exposure, compliance is focused on enterprise conduct risk, which, yes, legal requirements are part of that, but so are, as you said, ethical requirements. So too are reputational considerations. So too are cultural considerations. I mean, we think about culture, we think about reputation, we think about our ethics. You referenced values. We think about our values when we're having a discussion about what we should do, not necessarily when we're having a discussion about what we can do.

HUI: Yep. And I think what we should do is just as important, if not more important than what we can do.

ZACH: Well, yeah, I mean it's, I mean we have this conversation a lot, but it's like the question and this is . . . I smile, I sort of chuckle to myself as I say this because I spent a lot of money and time becoming a lawyer. But in some ways the question of whether we can do something, like, that's a boring question to me. You know, like that's a -- that's a baseline question. You know . . . put the bar a little bit higher for us than that. And I think that's one of the things that excites me about compliance is that the bar actually is higher. It's -- it's a much different, more challenging, more complex standard because there often isn't an easy answer. There often isn't a singular right answer. And as we've talked about here before, sometimes the answer you choose is right in one context but is going to piss somebody off in another. And that's the beauty, I think, of -- of ethics. All right, what else?

HUI: Well, in terms of just daily activities, in terms of what people do day-to-day, right? So, again, lawyers, they give legal advice, they do contract reviews, they manage litigation, they interpret regulations and laws. The day-to-day work of compliance officers, actually, can be none of those. So in a way you can almost say that there can be a separation. So, day-to-day work of compliance officers: risk assessment, training and communications, policy operationalization, monitoring, analytics, remediation design. So, all of those things are, in fact, not overlapping with a lot of the legal functions that we just enumerated.

ZACH: Yeah, yeah, indeed. Or they shouldn't be. They shouldn't be. One area where there often is an overlap, and that we should talk more about, is the investigative lens.

HUI: Indeed.

ZACH: Because you see a lot of different approaches to this in terms of where investigative functions sit, even in places where there is good differentiation between legal and compliance. Sometimes investigations is part of compliance; sometimes it's part of legal; sometimes it's both, weirdly and confusingly. And when we think about legal and compliance in the investigative context, you know, I think about the approach that I often see lawyers take, which is trying to get the facts, understanding and analyzing legal exposure, being very mindful of privilege and how it applies and -- and efforts to protect it during the course of the investigation and also making decisions that are informed at times by a defense posture, you know, looking ahead toward the possibility of you know, litigation of some sort or enforcement of some sort around the issues that -- that they're addressing. All of that has value and is important and is a component of the investigative process.  But the flip side of that is, from a compliance perspective, I think it's very much also about understanding root causes—using the investigative process to identify root causes at an individual investigative level so that they can be addressed, but also using that to collect more robust data about root causes across matters so that you can identify trends . . . so that you can build better controls . . . so that you can do your job of prevention, detection, and remediation more effectively . . . so you can tell stories to the board and executive leadership about what you're finding.  It's also about using all of these things to build new controls and to address control gaps and to remediate and prevent. And what I often see is when an investigative function is overly legalistic, some of that other stuff—the root cause analysis, the data trending, the storytelling—it's not done as effectively as it could be.

HUI: It's not. It's very much limited by what we call FOFO, the fear of finding out. And FOFO is very strong when you take a legalistic approach, rather than a curiosity-driven approach. You know, trying to understand what really is going on here and in, you know, in the area of investigation, there -- there really is a significant conflict. And I'm not sure we have the ability to resolve that conflict today, but it's worth pointing that out.

ZACH: Yeah. Yeah. Now let's talk about another big one and that is success metrics. We talk here all the time about measurement. So Hui, what is the legalistic approach to success metrics and what is the more compliance focused approach to success metrics?

HUI: Well, this goes back to the things that we always talk about, the difference between outcome and output. You know, legal started as a profession—and continues to be a profession that's based on billable hours. So even some of the in-house metrics that I have seen have been based on, you know, have – have . . . are we able to sort of reduce the number of hours used towards something? So, the number of hours and translating those into things like training completion rates, number of communications, that's what's driven a lot of those output measurements that we have seen. I think even legal though is realizing that they do need to move more towards outcome measurements. So, when I was in house with Microsoft, I was doing anti-piracy work; and back then we actually even calculated our contribution to incremental revenue increase. So, you don't do anti-piracy work just for the purpose of penalizing the people who pirated your work. The outcome you really want from that is people actually buy the genuine software rather than the pirated software. So, there was also an outcome measurement, which is how much incremental revenue resulted from your enforcement action in anti-piracy.

And -- and that was, you know, I mean I want to say that was like 30 years ago. So, so that was pretty advanced for its time. I wouldn't be surprised that there is more outcome kind of metrics that's associated with legal work these days, like maybe reduction in liability. You know, are you able to measure those things? Whereas on the compliance side, we have lots of other writings and also podcasts where we talk about the metrics that we should be using; and it is about behavior and culture and measuring the outcome of all of your output that, you know, your training, your communication, your policy, what are they accomplishing in terms of changing behaviors, improving culture, enhancing risk detection, all of those outcome metrics.

ZACH: Yeah. Lots of podcast episodes. It's sort of the -- the through line to the better way and published writing for sure, for sure.

HUI: Yes. And blog and writing, published writing. So lots of those, yes.

ZACH: All right, so let's wrap this up by talking about some kind of practical takeaways and some key questions that folks should be asking. And I want to start, first of all, by saying a lot of you who are listening probably aren't in a position to be able to say: "Hey, my compliance department's part of legal. I don't think it should be. Let's change that." Or "hey, my compliance department reports to X, Y and Z and I don't think that that's the optimal position. Let's change that."

And so, what I want to say to all of you is: it really is less about organizational position and more about the vision and the approach and the strategy. And so, for all of those who have been listening to us saying, well, I agree with this, but what can I change? I'd say, start by thinking about what your program is focused on doing—and in those moments where the legalistic approach seems to dominate in ways that don't necessarily support the compliance mission: push back.

That's where there's opportunity for push back. It's in those moments when there's a decision being made around collecting more robust information about root cause analysis because there is a fear that a record is going to be created that could be problematic. That's the moment where you say, well, wait a second, I understand where you're coming from, but let's talk about the core mission of compliance and our shared interest in both protecting the company and advancing our values around ethics and integrity. And how I can't do that if we don't have good data around why this thing happened, if we don't have good data around the state of our culture, if we don't have good data around how issues have been resolved in the past. These are the moments when we can say, hey, here's our mission and the decision that's being made is somewhat inconsistent with that.

HUI: Absolutely, absolutely. And if your pushback needs some support in terms of actual experience before an agency like the DOJ, you call me if you're getting pushed back on your pushback. But I also think it's important . . . to build your allies; because we have seen when compliance people take the approach that we've been talking about, being more data-driven, being more outcome focused, they often gain support from business leaders, from the board. And if you've been presenting a particular format to a board and that has been a very sort of legal driven type of information that you've been presenting and you're getting pushed back on changing those presentation formats, just use the opportunity when you're in front of the board and say, would you like to hear the data on this, right? Once you say that and the board says yes, we would love to hear more data on that, now you have a mandate directly from the board. And that could be the board, that could be a senior business leader. You have allies who want to see the kind of approach that's more evidenced and outcome-driven. So, use those allies, build those relationships.

ZACH: I couldn't agree more. I think that the beauty of the sort of more progressive compliance, better ways is that they are often embraced by business leaders and board members, even if maybe not always embraced by a chief compliance officer or a GC who has a legal background. I mean, you will find allies in those corners of a company, I'm certain of it.

HUI: We've seen it.

ZACH: Yeah, we have. All right. So, let's finish this off by just identifying a few questions that folks who maybe are considering a move to a new company might ask when they're trying to not understand the practical reality of where a function sits or who it reports to, but trying to really understand what isn't going to be on paper. So for example, one of the questions that I would ask would be if I'm the chief compliance officer of this company, what kind of board access am I going to have? I might not have a reporting relationship directly there, but what is that relationship going to look like? What has it been historically and is there an appetite for me to build proactively between myself and my function and the board or a committee of the board?

HUI: Yep. Similarly, budget and headcount control. Critical. It doesn't matter where you sit necessarily, but it is who actually has the control of that.

ZACH: It's who has the control of it and whether there is any to begin with, which, yeah . . .

HUI: You're out there. There is that. Yes, there is that.

ZACH: I think I would also ask about investigations. You know, we talked about how investigations is one of the places where there often is going to be overlap, so I think it's perfectly reasonable to try to understand who conducts them, who has access to the information from them. Because even if you as a compliance function aren't doing them, the last thing you want is to find yourself in a position where you don't have access to that information and, therefore, are unable to use it for purposes of telling the story about compliance or really just informing the decisions that you make around your own strategy and how you're going to, you know, detect, prevent and remediate stuff. And then, who controls the messaging, even if you do have access to it yourself. What else Hui?

HUI: Yep. All the things we discussed today, the -- the -- the differences between legal and compliance roles, how do they understand them in the company and are they . . . are these understandings clear to the stakeholders. They may or may not be written, but you want to understand how do they see these roles.

ZACH: Yeah. Indeed. And then finally, I think you want to understand how disagreements between legal and compliance are resolved. But I'd actually broaden that to say, if I was going to go back in-house and consider a role as a chief compliance officer, I would want to not only understand the relationship between legal and compliance, but the relationship between compliance and other functions in the company too. Because the truth is, it's not just legal that needs to be your partner. It's certainly the business and understanding that relationship is key. But it's also HR, it's also finance, it's also the operations team. If there's a risk team, it's them too; internal audit. I mean, the list probably goes on. So really understanding how compliance is positioned within the organization, how it's perceived within the organization and what those historical relationships have looked like. Because even if you are new in the role you're going to be saddled with some baggage of your predecessor if things haven't historically gone well.

HUI: Yes. And in fact, when you think about that, the list of people that you interview with is very telling. So who did they have you interview with and who's missing from that list?

ZACH: Absolutely. That's a great point. All right. Well, Hui, this has been a fun and probably long overdue conversation, and I think we'll continue to talk about this in slightly different contexts over the course of some of the episodes that we have planned throughout the year. But I'm really glad that we finally carved out some time to dive into this because it's on our minds a lot and it's something that we confront a lot in the work that we do.

HUI: Indeed, yes, yes.

ZACH: All right. Well, thanks for listening, folks. This has been a good one. Thanks, Hui.

HUI: Thank you, everyone. Thanks, Zach.

ZACH: And thank you all for tuning in to The Better Way? Podcast. For more information about this or anything else that's happening with CDE Advisors, visit our website at www.CDEAdvisors.com, where you can also check out the Better Way blog. And please like and subscribe to this series on Apple or Spotify. And, finally, if you have thoughts about what we talked about today, the work we do here at CDE, or just have ideas for Better Ways we should explore, please don't hesitate to reach out—we'd love to hear from you. Thanks again for listening.
