Who Should Do What on Legal and Regulatory Risk?
The enterprise needs compliance systems and processes that provide early warning of legal and regulatory dangers, that trigger timely actions against those dangers, and that, ultimately, can prevent them from mutating into something worse. Those systems and processes should report up to the CEO, COO, or CFO (or some other senior executive who possesses proven management capability), not to a general counsel or other practicing lawyer who lacks proven management capability.
One lesson of the Boeing 737 Max crashes, General Motors ignition switch tragedy, Blue Bell Creameries listeria outbreak, and dozens of similar compliance misses (see Part II of this IV-part series): in each case the C-suite was blindsided by a devastating legal or regulatory surprise, and Legal was excused from accountability for that surprise by an “ignorance defense” (Part III).
The corporate law function is disinclined to manage the sorts of systems and processes that offer a reasonable chance of nipping such incipient dangers in the bud. So business executives need to be put in charge of this management task by having Legal report directly to one of them. General counsels and other practicing lawyers should be called upon to support legal and regulatory compliance aspects of that task by providing advice as subject matter experts.