When Daniel Desjardins was asked in 2005 to set up a global compliance department at Bombardier Inc., the senior vice-president, general counsel and corporate secretary said he had a clean slate to work with and the choice of two models.
He could set up a compliance department within legal that reported entirely to the general counsel, or he could structure it so that compliance operated outside legal and reported to another senior executive. “I had my own debate with myself,” he says.
One thing Desjardins knew was that “compliance doesn’t work in silos. It needs the support of many functions, including legal.”
He settled on separating “police” from “prosecution” and hired a compliance officer to help him set up the functions and processes needed to oversee the fast-growing international company, which now operates in 60 countries.
Desjardins then transferred ownership of compliance to the head of internal audit, who reports up the chain ultimately to the chief executive officer. At the same time, he kept a dotted line to the Bombardier Advisory Committee, a group of executives that includes himself, the chief financial officer, and the heads of public affairs and human resources.
The committee meets quarterly with the head of compliance to review complaints, training, internal certification and other compliance issues. “It’s a great forum to debate strategies and where we want to go on compliance,” Desjardins says. “The legal team is there to support what’s coming…so we can plan accordingly with compliance. In terms of investigations, legal supports the compliance officer. It works well for us and makes sure that compliance is well integrated. It gives it great visibility.”
With a decentralized legal department comprising 175 lawyers operating in 17 jurisdictions, Desjardins had the luxury that many general counsel in smaller operations don’t have: to separate legal from compliance. That separation helps avoid issues of conflict or concerns about which hat internal lawyers wear when advising companies—especially if they carry the dual title of chief compliance officer, which an increasing number of lawyers do.
However, as Desjardins acknowledges, there is much debate about which model is best. “Some feel they can manage this under one single function and others believe it’s better split, depending on who you are and what's your business. There’s no perfect answer on this.”
So what are the pros and cons of each model? To spur debate about this topic CCCA Magazine canvassed in-house counsel, including some who hold or have held the dual titles of lawyer and compliance officer, and asked them about the upsides and downsides.
Compliance within the legal department
Wendy King, vice president, legal, governance & risk, at Capstone Mining Corp. in Vancouver, says, “There are advantages and disadvantages to both models and it really isn’t one size fits all.”
More efficient and less costly
King, who held the chief compliance officer title in her last role at a credit union, explains “size is a factor.” Creating separate departments and reporting lines in a smaller organization “is cost prohibitive and there really isn’t a need to have them separated.” She adds, “There is a significant overlap in skill set and knowledge of the chief compliance officer and general counsel."
She says another advantage is having compliance and legal working closely together at an early stage interpreting new legislation and regulations, and discussing how best to work with business units to ensure compliance. "I think you get a stronger, better quality compliance program. Having a robust compliance program is so critical to good governance. As general counsel, governance falls under your mandate. The functions are closely tied."
Stephen Sigurdson, senior executive vice president, corporate affairs, and general counsel at Manulife Financial Corporation, adds his organization leans towards the chief compliance officer reporting to the general counsel because of the need for partnership and collaboration between the two functions. "It's rare that a compliance issue doesn't have a legal element, and it's rare for a legal matter not to have a compliance element."
He says the role of general counsel should be to engage in risk mitigation and ensure the company follows the spirit of law not just the letter of the law. By having integration with compliance it allows for better collaboration.
Better use of scarce resources
Gail Harding, senior vice-president, general counsel and corporate secretary at Canadian Western Bank and chief compliance officer for the CWB Group of companies, says another advantage is the ability to "control all the resources.”
Chief compliance officers outside of legal departments often have to battle for funding against business lines that don't see the benefit of spending money on a compliance program. “Compliance often struggles getting necessary resources. If I'm wearing my compliance hat and I have a new compliance issue or requirement that needs a lot of resources, I can move some legal resources to a project.”
Harding adds another benefit is career advancement. "Employees see that it's easier for them to move and go to regulatory for a few years and move back into legal. You do see a lot of movement between the two.”
Compliance outside legal department
Not everyone sees the upside of compliance in his or her portfolio. Doris Stamml, chief legal counsel at Ernst &Young LLP in Toronto, says, “I am very happy that we don't have overall responsibility for compliance. That’s not to say we aren’t involved in it; we just don’t have overall management of it.”
“It’s important that general counsel be thinking about regulatory and statutory compliance and need to be involved in compliance, but they don't need to own it.”
Skill sets are different
One reason Stamml prefers to separate the functions is skill set. “The traits for a chief compliance officer are very different. You need someone that is strong at process and program management. You need to design and develop policies and internal standards, and help roll out training and communication. I don't think that lawyers who are used to firefighting and problem solving necessarily have the skill set.”
Problem solvers, not police
Also, the roles are different. “You want people to come to the general counsel’s office for help with problems and difficult situations—you don’t necessarily then also want to be the police and be responsible for meting out consequences for compliance breaches,” Stamml explains.
It’s the police versus prosecution aspect that some lawyers find most troubling under a combined role. General counsel have to be much more savvy about which hat they are wearing when advising a company to avoid conflicts and maintain solicitor client privilege.
Diane Pettie, vice president, general counsel and corporate secretary at chemical manufacturer Canexus Corporation, says there are fewer chances of problems arising by separating the two functions. “If you're checking yourself, generally speaking it's less effective.”
By keeping the two departments separate, it eliminates possible conflict. “Internal audit does the investigation and we pass judgment on legal,” explains Desjardins.
However, conflicts can be managed, lawyers say, noting that the two-hat problem is a constant Albatross for general counsel in their everyday role as lawyer and business advisor. So it’s not anything new.
Stronger reporting lines to CEOs
By having reporting lines for compliance directly to the CEO, rather than the general counsel, it further reduces potential conflicts and ensures the CEO is properly informed on compliance issues. Of course, it also means more people reporting to the CEO and added demands on the boss’s time.
Ken Jull, a regulatory law professor and lawyer at Baker McKenzie in Toronto, says the real concern with compliance is reporting lines. The chief compliance officer should have direct access to the board and CEO: "They're going to be much more effective."
Better use of GC’s time
He adds that separating the two roles can mitigate recent developments in case law. He cites Global Fuels, a price-fixing case, and Metron Construction, a worker-death case, as examples where courts have expanded the ambit of who qualifies as a senior officer of a company to include middle managers and independent agents. "A compliance officer is best able to drill down and meet the whole level of middle managers and help them comply. It's going to be a time-consuming and difficult process for general counsel.”
Coping with ‘Tsunami’ of regulations
Lawyers stress that it is not so much reporting lines and departments that are important, but that companies take compliance seriously and give it the attention it deserves.
As regulation increases, the challenge for in-house counsel, explains Sigurdson, is staying on top of the “tsunami of regulation” and coping with the added workload pressures.
“For a global organization, there are not enough hours in the day for anyone to read and digest new legislation that is coming to the fore,” says Sigurdson. “You need to rely on your team to monitor what’s happening in local jurisdictions and synthesize information and feed it up so that the general counsel and other members of management are aware of the most significant developments for the enterprise. It’s impossible in today’s environment to read every new line of every piece of legislation in every jurisdiction.”
Harding adds it’s important that employees be engaged in their local business organizations and trade associations so they can keep abreast of industry changes and report those to their business units and management.
Compliance programs key to success
No matter which model, once a compliance obligation arises, having a solid system is critical, says Jull. “If you have a really good compliance program, it enhances the productivity of the firm and leads to profit.”
Pettie adds that once you put a new compliance program in place or make any changes to existing systems, “you better do change management (training) so you don't have anything drop through the cracks.”
Harding notes that a good compliance program can't eliminate risk entirely, but it can help manage risk. “We know we can put in the processes and all the training, but compliance has to be delivered at the individual level.”
There’s always a risk of non-compliance, she adds, because “you can’t control thousands of people. The issue will always be: “What is the magnitude or consequence of that non-compliance?”
At the end of the day, Desjardins says, “compliance is everybody’s business, not one entity. We push down compliance as far as we can in the company. It’s not one guy at the corporate office; it’s the responsibility of every employee.”