Critical Enterprise Risk Calls for Company-Wide, Managed Compliance — the CEO, COO, or CFO Should Take Charge of It


Who Should Do What on Legal and Regulatory Risk?

The enterprise needs compliance systems and processes that provide early warning of legal and regulatory dangers, that trigger timely actions against those dangers, and that, ultimately, can prevent them from mutating into something worse. Those systems and processes should report up to the CEO, COO, or CFO (or some other senior executive who possesses proven management capability), not to a general counsel or other practicing lawyer who lacks proven management capability.

One lesson of the Boeing 737 Max crashes, General Motors ignition switch tragedy, Blue Bell Creameries listeria outbreak, and dozens of similar compliance misses (see Part II of this IV-part series): in each case the C-suite was blindsided by a devastating legal or regulatory surprise, and Legal was excused from accountability for that surprise by an “ignorance defense” (Part III).

The corporate law function is disinclined to manage the sorts of systems and processes that offer a reasonable chance of nipping such incipient dangers in the bud. So business executives need to be put in charge of this management task by having Legal report directly to one of them. General counsels and other practicing lawyers should be called upon to support legal and regulatory compliance aspects of that task by providing advice as subject matter experts.

How I Reached this View

After having practiced law for 10 years, working in a Wall Street law firm and then trying cases before juries, I accepted a corporate client’s offer to run one of its divisions as its general manager. For 12 years, first at Whirlpool Financial and then at GE, I worked as a business executive, not as a practicing attorney. Then I returned to private law practice.

After working on both sides of the client / attorney table, I have concluded that business executives and practicing lawyers differ from each other in four important ways:

(1) their professional identity,

(2) how they engage with their work,

(3) the way they define proficiency, and

(4) how they view their reliance — or non-reliance — on others.

Business executives see themselves as individuals who identify outcomes that will benefit the enterprise, and then make them happen. They engage with their work in the context of company strategy and tactics, not as isolated, one-off tasks. They define proficiency solely by results. And they work effectively with others to get the results they need to deliver.

Practicing attorneys, in law firms and in-house, see themselves as authoritative subject matter experts. They engage with their work as a spontaneous, ad hoc, case-by-case reaction to a problem that someone else has brought to their attention. They define proficiency as giving the best-reasoned answer to a precisely stated question. And they tend to regard their contribution as a solo performance (attorneys tend to view the many young lawyers with whom they overstaff work teams as understudies and trainees who “assist” them, not as fully-qualified colleagues with whom they collaborate).

Systems and Processes to Avoid Compliance Misses

“The essence of compliance … is management of complexity through very disciplined systems and processes. Simply stated, compliance involves ensuring across an organizationally diffuse and fragmented global corporation that such systems and processes prevent compliance misses, detect those that do occur as soon as possible, and respond quickly and effectively.

“For all the volumes on compliance, it really comes down to three words: prevent, detect, and respond — and it is toward these objectives that classic management disciplines of planning, goal setting, organizing, staffing, budgeting, and auditing must be directed.”

So wrote legendary GE General Counsel Ben Heineman, Jr., in his Inside Counsel Revolution, at pp 142 to 143. (I don’t know if he would agree with my thesis here, that business executives, not general counsels, should be in charge of managing these systems and processes.)

Business executives usually have proven themselves at management roles; lawyers in-house and in law firms usually have not.

Note: This was originally posted in this publication on April 13, 2022 as Part IV of a four-part series.
