What Are Compliance and Legal?
Compliance and legal are often used interchangeably in conversations about organizational risk management and processes, leading to confusion over their distinct roles. Understanding the basics of compliance and legal is crucial to recognizing their differences.
Compliance, in a general sense, pertains to companies adhering to external regulatory standards or mandates (regulations, laws, voluntary guidelines). These requirements touch on nearly every aspect of business – from environmental stewardship to fair labor practices to export controls, and even IT security policies. In other words, compliance is a way for an organization to minimize risk and maximize adherence to (and understanding of) mandated regulations.
On the other hand, legal as a function within an organization consists of those internal policies and procedures that companies use to mitigate risk and potential legal disputes, whether civil or criminal.
Simply put, within an organization, compliance serves as the forward-facing, external liaison while legal is focused inward, on the company’s business. To reduce the risk of fines or legal action against your organization, compliance must be concerned with external mandates (including those of your own business sector) and how they affect your overall operations. Legal exists within your organization to identify and reduce potential liability from internal actions, risks, business strategies, etc.
While these fields may seem similar, and superficial interactions between them do occur, they do not overlap in any significant way.

Compliance: Monitoring Adherence to Policies
In the business world, compliance is the process of adhering to specific policies, laws, regulations, standards, or guidelines. Complying with laws and regulations is essential for companies operating in any industry, but the demand for compliance with voluntary standards such as ISO and NIST has also gained traction in recent years.
The purpose of compliance varies depending on the industry and regulation. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates healthcare providers, insurers, and their business associates and requires that they meet strict requirements for handling protected health information. In contrast, the Federal Risk and Authorization Management Program (FedRAMP) aims to help cloud computing providers demonstrate they are properly "baselined" to meet federal security requirements.
It is possible for products to be certified to prove they are compliant with various standards, such as those accredited by the American National Standards Institute (ANSI).
You may also see certifications/accreditations that are not from ANSI, such as the ISO 27000 family, an array of standards for information security management systems from the International Organization for Standardization (ISO), or Control Objectives for Information and related Technologies (COBIT), defined by ISACA, a nonprofit advocating for governance, risk management, and compliance (GRC) best practices.
Other examples of recent compliance measures you may have heard of include the EU’s General Data Protection Regulation (GDPR), which overhauls how companies collect, use, and protect the personal data of European Union citizens. It lays out new consent requirements for obtaining personal data and mandates that companies implement and demonstrate proper security practices or face significant penalties.
The Legal Component: Your Legal Obligations
The role of legal is to identify and minimize legal risks through evaluation and consultation. The legal department is responsible for drafting many contracts, such as leases and vendor agreements. Further, the legal department is often consulted to draft and review organizational policies. Legal is responsible for advising on compliance requirements concerning labor and employment, antitrust, and intellectual property. Many disputes that arise in a company are handled by the legal department. Therefore, the legal department often plays an important role in monitoring, reviewing, and drafting organizational policies and is also responsible for advising on legal requirements and addressing legal disputes.
Where Compliance and Legal Functions Overlap and the Differences Between Them
Both compliance and legal departments are essential to a company’s ability to stay aligned with laws and regulations. But compliance has some distinct responsibilities that are non-existent in the legal department. For instance, chief compliance officers (CCOs) coordinate and implement process-driven policies such as systematic and evidence-based training measures for a compliance program. Law departments cannot make or implement policy because of the potential for conflict of interest. This is particularly relevant when compliance and legal operate as independent third parties with regard to the Foreign Corrupt Practices Act (FCPA) and other regulatory events that may put a firm’s future at risk.
But there are many areas where the two departments overlap. The process-driven nature of compliance not only allows for direct investigations, but also for the sharing and storing of information that is highly relevant to legal. In a recent panel, Greg Keating, General Counsel of Rosetta Stone, explained that he has used outside counsel to conduct an FCPA investigation because of their independence. They could make the changes to policies and procedures that a CCO would be unwilling to make because of their vested interest in a potential bad report finding. However, one downside of this is that the policy changes that stem from an FCPA investigation or other regulatory event may lack the kind of data documentation and analytics that would support a proactive compliance program.
It is important that compliance and legal work together to avoid discrepancies in training, e.g., the legal view of what is required for internal accounting controls or creating an internal audit process that allows for a cross-departmental approach to avoid the silo mentality. When compliance and legal are on the same page, they can avoid potential rework and the substantial cost that often goes with it. In the long run, compliance can save legal departments time and resources.
Why a Robust Compliance and Legal System Matters
Maintaining a strong compliance and legal framework is crucial for companies in all industries. By establishing a clear framework and developing a culture that supports both, a company is able to ensure both legal and ethical behavior, protect employees, and create a positive reputation for the company. When a legal framework is not in place, companies may find themselves subject to consequences and liability. In some jurisdictions, regulators will prosecute companies when they fail to have effective compliance and legal frameworks.
Creating a culture where both compliance and law are respected is vital to reaping the benefits of each. A strong compliance and legal framework can help create a positive reputation for the company. Transparency in the laws and regulations related to compliance is critical to the continued health of a company.
A failure to have a clear framework in place for both areas can result in reputational damage, loss of business, and regulatory penalties. This can impact both the bottom line as well as the company’s relationship with employees and other stakeholders. While compliance and law are generally two separate areas, they must work together to develop an ethical company culture and prevent misconduct.
Impacts of Managing Compliance and Legal Separately
A critical challenge when it comes to managing compliance and legal functions separately is the inherent coordination issues. There is often a dual-track path that the compliance and the legal functions must run when investigating potential regulatory violations. Compliance teams—or other staff—are often responsible for gathering information, such as witness statements, or handling certain matters without legal counsel. While that may be enough in some instances, especially if there is strong and direct communication between the compliance and legal departments, those paths often come together and require more involved coordination. Compliance teams may have to seek guidance on topics that have legal consequences. Compliance teams may handle other activities on their own. And, as a consequence, decision-making often can suffer.
Those operating without a clear understanding of the existing barriers between compliance and legal may face a costly and time-consuming series of events. Putting an M&A transaction together, for example, may require compliance teams to push forward with diligence and continue to operate under the assumption that certain compliance requirements are met, that certain compliance personnel will remain in place at the acquisition target, or that certain compliance arrangements (such as contractual provisions in third-party agreements) exist. Clients regularly encounter situations where compliance functions have already put resources toward preparing documents or materials only to find that those documents—or even the underlying deal—require a substantial amount of rework or, worse yet, cannot go forward in the way that the parties had originally anticipated.
Tips for Integrating Compliance and Legal Functions
The interplay between compliance and legal functions is critical, particularly in regulated industries. Compliance and legal functions can both help maintain regulatory compliance, ensure legal rights are protected, and mitigate and manage risks. Thus, a unified department or collaboration between the two departments is often the best practice. However, when the compliance and legal functions are separate, then fostering communication and aligning goals is essential to organizational success.
To start, each department must understand the other’s roles, responsibilities, and limitations. For example, compliance and legal groups may implement redundant services that can be merged, such as initial business risk assessments. Both sides should routinely explain what they do and why their job is important to the company. Employees may view compliance as an invasive policing group, while legal may be seen as slow and overly conservative when it comes to advice or approvals. Better communication by all parties can improve overall perceptions. Responsiveness and transparency can support this.
Challenging or supporting business decisions may be the responsibility of either group, depending on the issue. However, the end goal — setting a company up for success while protecting its interests — should be viewed as common ground that both groups share.
Next, it is important to define boundaries and roles. Collaboration is critical, and operationally, this means that redundant reviews should be avoided to reduce potential conflict and delays. For instance, if both departments work on due diligence, it should be determined which will be responsible for a particular project or matter (with the other party providing support when requested). Responsible parties should be required to get approval for any request for support that delays progress (e.g., submitting an inquiry for signature).
Further, neither group should interfere with the other’s work. It is reasonable for the legal department to communicate directly with business functions, but the compliance group should also be interfacing with the business directly. Collaboration and communication between the two functions should be encouraged.
Expectations should be made clear for both groups. Explain the level of independence that each department will have in making decisions (e.g., will there be coordination among teams, or will decision-making be completely separate?). Significant changes should involve both departments for any agreement or approved action. This decision should depend upon the specific circumstances, but constant involvement in a situation does not promote efficiency and may become costly. Decide what level of involvement is required when the issue involves both groups.
Finally, one of the main challenges for both the compliance and legal functions is that both appear to place increased focus on regulatory compliance. Agree upon and define the top several priorities for both groups, and include those priorities in the annual operating plan and budget. This should include the resources needed to successfully fulfill the expectations, including, but not limited to, a work plan, staff and/or contractors, and budget considerations.