What do compliance officers, social media marketers, and 3-D designers have in common? They are all members of relatively new specialties, attempting to carve out areas of expertise to meet the evolving demands brought on by economic, technological, business, and social change. Once these fields have emerged, it is easy to forget that there was nothing inevitable about them and that all new specialties struggle to define themselves in contrast and in competition with older players in the field. They must make themselves seem distinct, uniquely qualified, and irreplaceable—despite their recent entry into the marketplace.
This is certainly true for the field of compliance. Since its emergence in the early 1990s, compliance work has grown from a set of tasks into a full-blown specialty, replete with specific training programs, professional associations and organizations, conferences, codes of conduct, academic research, and even lobbying. Indeed, compliance is now considered a critical component of how companies, organizations, and institutions function. Nevertheless, questions remain about who should manage this important function and how it should fit within the larger organizational structure. In particular, compliance is often overshadowed by broader conceptions of the legal profession, even as champions of the specialty attempt to establish it as a field unto itself based on expertise and skill sets broader than just law. As Michele DeStefano argues in the lead article to this issue of The Practice, whether or not compliance should be departmentalized from the related work of the in-house legal department remains an open—and hotly debated—question. Related to this is determining whether lawyers are best suited to do compliance—and therein whether it is even a profession unto itself. What sorts of skills and training do compliance professionals need? And what position should they have within the organization?
This article discusses the rise of compliance and reviews how those within the field are seeking to define their professional identity, assert their own unique qualifications, and establish coherence among a broad set of participants.
A new field emerges
As DeStefano notes in her article, the history of compliance begins in the early 1990s with the Federal Sentencing Guidelines for Organizations (FSGO). In an effort to stimulate better corporate practices and self-policing, the new legal framework introduced the possibility of lenient punishment for organizations that had “effective” compliance and ethics programs in place at the time of any offense. In 2004 the guidelines were modified to clarify and specify what compliance programs should encompass. Overall, the guidelines provided a broad incentive for companies to implement formal compliance and ethics programs and presented what would become the standard for how these programs should look. For instance, compliance programs were to have written procedures, oversight mechanisms, training programs, and a means to receive and process reports of wrongdoing—all of which we typically associate with compliance work today.
In the 1990s, as part of an effort to stimulate better corporate practices and self-policing, a new legal framework introduced the possibility of lenient punishment for organizations that had “effective” compliance and ethics programs in place.
In addition to federal guidelines, other motivators arose that encouraged companies and organizations to create compliance divisions. The New York Stock Exchange and the NASDAQ Stock Market adopted compliance and ethics requirements into their listing standards. In 2009 the Organisation for Economic Co-operation and Development (OECD) issued a report emphasizing, among other things, the role that strong compliance and ethics programs can have in combating bribery and corruption. Furthermore, the major corporate scandals of the first decade of the 21st century and the corresponding risks of serious fines all came to make compliance seem less like window dressing and more like a fixture of good business. The cost of misconduct was so great—to companies, shareholders, and the public at large—that companies now had an obligation to find ways to prevent offenses before they occurred.
As the stakes of compliance work became higher and as external institutions began putting pressure on companies, there were corresponding changes in how compliance work was envisioned and organized within companies themselves. (By 2015, more than three-quarters of CEOs surveyed in a PricewaterhouseCoopers (PwC) report noted that regulation—and all the associated compliance issues—was the top threat to business growth.) Issues that had previously been managed by a loose grouping of attorneys, accountants, and human resources employees were gradually, but systematically, consolidated under the broader title of “compliance and ethics” (see “Six Keys to Compliance: Perspectives from the Field”).
As DeStefano argues, this was in part a result of the structural incentives toward departmentalization of compliance, which was intended to ensure the independence of those working in this area. Compliance officers implemented and enforced best practices within the company, identified risks, and investigated misdeeds—all of which required a degree of autonomy from other company leaders.
As the stakes of the work increased, so did the status of those working in the field. The number of lawyers working in compliance, particularly in the heavily regulated financial sector, increased as attorneys were often viewed as the most capable of assessing risk, interpreting an ever-changing regulatory framework, and exercising good judgment. However, while these compliance lawyers may have shared a degree and professional experience with those working in the in-house legal department, they came to be part of a larger movement toward professionalizing the field of compliance.
Among the primary accomplishments of this movement was the establishment of a new senior position that often had its own budget and direct reporting line to the board or CEO: the chief compliance officer (CCO). Although it is argued that CCOs, particularly those who are not double-hatted as general counsel (GC), have not yet achieved the internal stature of GCs (in the United States, upwards of 90 percent of GCs report to the CEO; see “Corporate Purchasing: A Center on the Legal Profession Study”), it is nonetheless clear that in little more than a decade, compliance has emerged from the shadow of the legal department and carved out its own territory within organizations.
While legal structures may have provided the groundwork necessary for compliance to evolve into its own specialty, the accompanying cultural, associative, and training practices have really signaled its maturation into a profession. For instance, in 2004 the Society of Corporate Compliance and Ethics (SCCE) was established to provide compliance professionals with networking and training opportunities and other resources for professional development. Since its founding, the SCCE has grown into an organization with more than 5,000 members. In 1999 the Health Care Compliance Association (HCCA) established the Compliance Certification Board (CCB) with the mission of creating an examination and certification program for health care compliance professionals. This charge was later expanded, and today the CCB manages the accreditation process for certifications in five fields, including two outside of health care: health care compliance, health care research compliance, health care privacy compliance, compliance and ethics, and compliance and ethics—international.
Perhaps most indicative of the profession’s maturation has been the development of a cottage industry of consultants and experts on compliance.
Currently 11 universities participate in the CCB accrediting program, including Northwestern University’s School of Professional Studies and George Washington University’s College of Professional Studies. Law schools are also partnering with the CCB accrediting program, including DePaul University College of Law and Cleveland-Marshall College of Law. Indeed, law schools have begun to develop their own compliance certification programs, such as Seton Hall University School of Law’s Compliance Education for Working Professionals program, as well as specific areas of compliance research, such as New York University Law School’s Program on Corporate Compliance and Enforcement and specific academic journals devoted to the topic (see “From the Journals“). It is important to note that, while varying by industry, these compliance certifications are often considered to be a demonstration of competency rather than a requirement for hiring.
In addition to training and accreditation programs, there are also professional development and networking activities for those working in compliance. The SCCE hosts the Compliance and Ethics Institute, an annual conference that brings together compliance officers from across the spectrum of specialties. Compliance Week, a news and information outlet dedicated to governance, compliance, and risk issues, was founded in 2002 and has become a leading resource for compliance professionals in the United States. In addition to providing news and coverage of issues related to compliance, the organization also provides podcasts, webcasts, e-books, and other resources to the compliance community. In 2006 it began to host yearly conferences, which have now became a mainstay for many professionals working in the field.
There are also organizations that are devoted to specific fields of compliance. In addition to the HCCA—which targets health care compliance officers—there is also the National Society of Compliance Professionals, a professional organization for those working in compliance in the financial service sector. While there remain major distinctions among the different fields, a professional coherence, uniting the sub-specialties, is beginning to emerge.
Perhaps most indicative of the profession’s maturation has been the development of a cottage industry of consultants and experts on compliance. Young compliance officers can now fill their bookshelves with titles such as 501 Ideas for Your Compliance and Ethics Program and How to Be a Wildly Effective Compliance Officer: Learn the Secrets of Influence, Motivation and Persuasion to Become an In-Demand Business Asset. Large consulting firms, including Deloitte and PwC, offer services in risk management and compliance, advertising their skills in helping companies navigate a changing regulatory landscape and develop robust compliance departments. PwC, in particular, has paid special attention to the growing field of compliance. Since 2011, PwC has conducted an annual survey on the state of compliance, interviewing compliance executives on their roles and responsibilities within organizations. The 2015 report emphasizes, among other things, the need to elevate the compliance function within companies and the role of the CCO among corporate leadership.
In addition to large firms, boutique consulting groups are also meeting the demand of companies seeking to develop and hone their compliance departments. Some of these consultants, such as Donna Boehme, the principal of Compliance Strategists, have also become thought leaders of the compliance movement, championing the important and distinct role that compliance officers play in business and society. In addition to having worked for more than 20 years in designing and managing compliance and ethics solutions, Boehme also previously worked in corporate legal practice. Despite this legal background, she firmly believes that having a J.D. does not automatically qualify someone to be able to do compliance work. She has written extensively on the importance of recognizing a distinct compliance expertise and of honoring that by not making compliance merely a subsection of legal. Boehme elaborates,
A persistent myth in the boardroom and the C-suite is that anyone with a J.D. is qualified to do compliance. This is often propagated by some in the legal profession through the flawed reasoning that “if it involves legal, it must be a part of legal.” If that argument had any merit, then HR and Audit should also report to Legal, because each of those functions regularly deal with legal risks. But the board and C-suite must understand that each of these functions discharge important mandates for the organization, and thus each must possess and employ a distinctly different subject-matter expertise. A CCO needs to possess certain skills not usually associated with legal: managing and building a compliance team, project management, influencing and collaborating, and risk management—along with other business processes.
The extent to which compliance champions such as Boehme assert the distinct expertise of compliance executives reveals how much the legal profession continues to loom over the nascent field. Thus, as much as compliance executives have defended their own area of expertise and professional identity, the specialty is still grappling with the question of where exactly legal stops and compliance starts. Boehme explains,
The best relationship is for each of these functions [legal and compliance] to have a clear unambiguous mandate and to collaborate with one another as independent experts. We are headed toward that kind of relationship because we are moving swiftly away from the old, flawed Compliance 1.0 model, where compliance is treated like a captive arm of legal. Now entire industries such as health care and big banking, and leading companies such as Walmart, Volkswagen, and Siemens, have embraced Compliance 2.0, in which the two functions sit side by side and collaborate as equals.
A J.D. glass ceiling?
So where do lawyers fit within this new picture of compliance? It is a complicated question, particularly since a significant part of compliance was carved out of what was previously legal territory. While champions of compliance argue that compliance officers are a new breed of experts, it is clear that it is incredibly valuable to have a J.D. in this field.
While champions of compliance argue that compliance officers are a new breed of experts, it is clear that it is incredibly valuable to have a J.D.
Compliance departments in heavily regulated fields, such as finance and banking, are still likely to be dominated by lawyers. And, despite the emergence of new certifications and training options, lawyers still seem to punch above their weight. In a recent survey by the SCCE, CCOs with J.D.s were disproportionately represented among the highest-paid and most powerful CCOs. While CCOs with J.D.s made up no more than 37 percent of those surveyed, they represented:
- 50 percent of those who managed budgets between $1–$2 million, and 49 percent of those who managed budgets of more than $2 million
- 47 percent of those whose organizations were larger than 30,000 employees
- 57 percent of vice presidents, the most highly compensated position, averaging $179,552 per year
This isn’t to say that compliance work requires a J.D.—or even a legal skill set. Charles Senatore, who has more than two decades of experience managing compliance and ethics departments at two major financial service firms (Fidelity Investments and Merrill Lynch) and is currently executive vice president at Fidelity overseeing regulatory coordination and strategy, suggests that while legal training is helpful, management skills will make or break a good CCO:
The skills to be a compliance officer transcend those that are traditionally associated with being a good lawyer. One certainly needs the skills of a lawyer to interpret and understand the context around laws and regulation, but you also need to have skills that one would expect from a business leader. Because, unlike someone in a purely legal role, a compliance officer actually has accountability to see that things get done. As such, you need to have management skills. You need to have leadership skills. You need to be emotionally intelligent and able to influence others, often in the absence of line authority. You need to be able to navigate a complex organization and drive outcomes as opposed to the more classic lawyer’s role, which focuses on giving advice.
Senatore believes that the skills of successful CCOs are actually similar to the skills of successful CEOs, particularly the abilities to communicate, marshal resources, influence outcomes, and lead a large organization. This should come as no surprise, given how much successful compliance rests on a firm’s ability to create a positive culture within the organization.
Others are also noting the close relationship between business and management skills and compliance work. Based on its surveys on the state of compliance, PwC predicts that by 2025, the CCO will be “the star” of the C-suite. In addition to J.D.s and the professional certifications, M.B.A.s are likely to be increasingly common among the top compliance officers (see “Speaker’s Corner“). And given the diversity of issues on a compliance department’s plate—such as cybersecurity—other skills and experiences will certainly be valued. Thus, while legal training may help officers develop good judgment and abilities in legal interpretation, it may not be a requirement to succeed in the field. Rather, the prevalence of lawyers in the field—particularly in the higher ranks of compliance work—may be a holdover from an era in which compliance was merely one part of the legal department.
Only time will tell if the champions or the critics of compliance departmentalization are correct. No doubt that, like the legal profession more generally, compliance officers are most likely to need multidisciplinary tool kits that span law, compliance, technology, HR, and other critical functions to address the most fundamental problems. Further research is needed to assess not only the changing relationship between the compliance and legal departments but also the changes within the responsibilities, profiles, and power of those working in compliance. Nevertheless, what is clear is that compliance has arrived, and while its shape may change, it won’t be leaving anytime soon.