“The first thing to bear in mind is that executive teams and boards need their legal teams to understand the broader organizational risks and to ensure their advice reflects these. Risk and compliance management isn’t just something that another team does and the legal team doesn’t need to know about.”
The position of in-house counsel is universally recognized as a pivotal ‘gatekeeper’ role, offering advice to the corporation while minimizing risk. But recently, there has been a blurring of the line between the functions of in-house counsel and that of the Chief Compliance Officer. As regulatory complexities render greater exposure to risk, the CCO and in-house counsel need to team up to protect against such vulnerabilities.
Add into the mix the increasing problem of data protection against cyber-attacks—and even accidental data leaks—and you have a clearer picture as to why risk knows no title-specific nor functional boundaries.
CCO and General Counsel
The CCO and General Counsel are generally regarded as two separate advisory positions within an organization, with the CCO being responsible for ensuring compliance with laws and regulations and the General Counsel being charged with offering legal advice across a wide variety of transactions. But there is no question that in the current risk and compliance environment, there is substantial overlap between the two positions, despite the organizational mandate in most companies that the two roles remain separate.
So, once we have established where the two roles converge, we need to also understand where they diverge.
Disparate Areas of Expertise
The CCO and the General Counsel focus on different areas of expertise: The CCO generally looks to prevent noncompliance by maintaining a close watch over the rapidly changing regulatory landscape and crafting policies and procedures to avoid or at least minimize exposure to compliance risk, while the General Counsel deals more with the day-to-day transactional issues, contract management, dispute resolution and participation in litigation, IP monitoring and protection, and other matters where legal and operations intersect.
In terms of reporting, the CCO most often reports directly to the Board of Directors, while the General Counsel serves in a senior management position and is accountable to the CEO. Oversight of compliance and legal affairs is therefore apportioned across the corporate governance structure.
Combining the Roles—Pros and Cons
CCO regulatory monitoring might, in some cases, lead the CCO to advocate for operational and/or managerial changes that he or she sees as serving the best interests of the organization, against which the General Counsel might argue just as strongly that such changes could adversely impact marketplace standing or share value. Thus, a conflict of interest can arise between the two positions being advocated. An illustration of this conflict is the situation in which the CCO uncovers unethical behavior implicating senior management, and there is consequently pressure not to pursue enforcement action because of the likelihood of reputational or even financial loss. Or, if a senior executive seeks advice from the General Counsel on how to resolve a compliance issue without triggering an adverse regulatory action, the two advisers may very well be at odds over upholding the law versus avoiding unwanted consequences.
Tailoring the Structure to the Organization
Some experts view the inherent tension between the two roles as fundamentally healthy because of the checks-and-balances safeguards inherent in such tension. However, another point of view argues that it is specifically because of the internal conflicts of interest that the roles should be combined so that the organization can benefit from hearing one unified voice on difficult issues. Advocates for combining the roles note the element of improved organizational efficiency, a more coordinated flow of information to the stakeholders, and, last but not least, the lowering of costs should the positions be merged.
Despite arguments on both sides, the decision as to whether to merge the roles or not will often come down to a case-by-case analysis depending upon the nature of the organization and which legal/compliance structure best fits their needs. The size of the organization, its risk level under industry-specific regulatory regimes, as well as its exposure in dealing with IP infringement threats, ascending competition, and other factors all tend to dictate whether separation or merger between CCO and General Counsel is advisable.
Compliance, Risk, and Data
Perhaps one of the most hazardous areas of noncompliance and risk lies in the field of data security. In the U.S., data breaches that expose a patient’s private health information in violation of HIPAA can result in criminal prosecution and penalties that include imprisonment. In Europe, the EU General Data Protection Regulation (GDPR) is viewed as one of the world’s toughest data protection laws, which provides authority for imposing fines up to the equivalent of more than $20 million or a whopping 4% of worldwide turnover for the preceding financial year – whichever is higher. Since the GDPR went into effect in 2018, over 900 fines have been issued, including an $877 million fine against Amazon, $275 million imposed on Facebook, $255 million against WhatsApp, and several multi-million dollar fines against various Google entities.
It is not just the high-tech sector that has run afoul of the GDPR: clothing giant H & M was fined $41 million, and Italian communications company TIM was fined $31.45 million for bombarding millions of potential customers with sales calls and other unsolicited communications, despite many of the individuals being listed on no-contact lists.
Could the GDPR Fines Have Been Prevented?
Many observers point to a lack of rather basic adherence to data security and privacy laws as the reason so many companies got caught up in GDPR noncompliance. The failures ranged from failing to obtain cookie consent or to offer a compliant refusal mechanism, to a lack of transparency as to how personal data would be processed, to collecting data for use in making employment decisions. However, the common denominator underlying the huge fines was a failure of the gatekeeper function by those responsible for protecting the companies against such exposure.
Regardless of whether these failures occurred due to internal conflicts within the organizations, the placing of market competition concerns over compliance, or otherwise, the organizations overall failed to maintain a company-wide holistic approach towards risk and compliance that might have prevented these fiascos.
Not Just a Consumer Issue
Although many professionals tend to emphasize the impact of regulatory compliance—or noncompliance—on the consumer, an organization’s risk and compliance professionals must also be mindful of their responsibilities toward their employees. A 2021 Forbes investigation found that employee lawsuits over data privacy breaches were on the rise, with companies falling out of compliance with data privacy statutes such as Illinois’ Biometric Information Privacy Act (BIPA). The article underscored the willingness of courts to punish employers who fail to protect employees’ personal information.
The compliance, risk, and data pressures on organizations are enormous and require full-time professionals to maintain compliance and reduce or eliminate exposure to risk. The only question is: is the solution best addressed by two legal heads—CCO and General Counsel—or one? And that can only be answered on a company-by-company basis.
What are the challenges facing companies as they grapple with compliance and risk issues?
CCOs and General Counsels fulfill different roles, yet their individual areas of expertise tend to converge when it comes to compliance and risk.
The Path Forward
Which compliance and risk practices are best for your company depends on many factors, including size, type of industry, and the regulatory environment in which your organization operates.
3 Rs: Regulatory Risk Review:
Do a comprehensive review of what regulatory risks expose your company to potential liability.
The next step is to determine whether or not your current legal structure is the proper one for addressing the compliance risks facing your organization.
Not Just Financial Loss:
In evaluating exposure to risk, consider reputational harm as well as what noncompliance might mean for your company’s bottom line.
A New Dynamic:
The world of regulatory complexity is an ever-changing one, both domestically and globally, and therefore, at a minimum, your monitoring systems must be par excellence, regardless of how your legal and compliance functions are structured.
- Dr. Sanjay Sharma, Data Privacy and GDPR Handbook, Wiley Publishing (ISBN-13: 978-1119594246, ISBN-10: 1119594243)