In a world of regulations, recession and corporate scandal, the creation of compliance and ethics roles has been on the rise. But what is dropping is the number of those newly created positions that are in any way tied to the legal department.

“The lawyer serves the corporation as a client, and it could engender a conflict of interest for the lawyer to also wear the hat of compliance officer or ethics officer,” Bentley University Center for Business Ethics Counsel John P. Hansen said.

Hansen, who also serves as chairman of the Association of Corporate Counsel’s compliance and ethics committee, said the number of organizations and support services that have popped up in relation to compliance and ethics is further proof of the increasing importance of the role. The ACC’s committee is just about a year old, he said, and already has 1,600 members.

“It was almost a secondary role 15 years ago, whereas it has evolved into a much more strategic and critically recognized function in an organization today,” Hansen said. “That is largely because of regulatory and legal inducements, but I think also companies just as a matter of governance see it as a prudent business practice.”

Historically, the ethics and compliance programs have been integrated into the legal department, with either the general counsel serving a dual role as chief compliance officer or the CCO reporting to the legal department, Hansen said.

In the past five years, there has been a shift in that trend, the committee’s vice-chairman, Robert Roach, said. The compliance and ethics roles, which are most often handled by the same person regardless of their title, are now reporting either directly to the chief executive officer of the company or to a committee of the board, most often the audit committee, said Roach, who is the Chief Compliance Officer of New York University.

This shift was brought on, in part, by a number of corporate scandals in which lawyers had to make interpretations of law in some gray areas. That backfired in some cases, he said, citing the Hewlett-Packard case in which the president was in a dispute with board members over leaking information to the press.

Corporations are starting to think it makes sense to have a check on the general counsel as well. Even if the CEO is doing something questionable, the CCO should put his job on the line and tell the board, Roach said.

Hansen said the U.S. Department of Health and Human Services recommends the compliance officer not be part of the legal department, which he said is “a recognition that law and compliance serve different masters.”

The Next Step For Compliance

Beyond just moving the compliance role out of the legal department, companies are beginning to focus on a new, more encompassing compliance program known as GRC, Roach said. GRC stands for governance and risk management compliance.

“Enron had one of the best corporate codes going,” Roach said. “On paper they were fabulous, but they didn’t have the internal ethical environment, and what [Sarbanes-Oxley] was about and what the newer movement is, is a recognition to try to give meaning [by setting the] tone at the top.”

Risk management has been a particularly hot topic since the recession, which has demonstrated that short-term gain can motivate people to take greater risk, Roach said. People’s ideas of risk vary and the concept of enterprise risk management works to instill a vocabulary where people think about risk in the same way, on a regular basis, he said.

Employees should know a company’s risk tolerance, and someone should be responsible for analyzing potential risks across all company sectors. Credit rating agencies are going to start taking enterprise risk management programs into account when determining bond ratings, which essentially means these programs are going to be required, Roach said.

Compliance officers are often ideally situated to advise on governance structures and meeting the requirements of SOX and other laws. They also typically get the responsibility for creating risk management programs, he said.

In addition to GRC programs, Roach said companies are also beginning to incorporate social responsibility programs into their compliance functions.

Corporate social responsibility initiatives have typically been housed in public relations departments because it seemed like good publicity to do good things. But after scandals over sweat shops, tainted food and lead toys from overseas, companies are beginning to ensure their supply chains are meeting certain standards beyond just regulatory compliance, Roach said.

“[Companies are creating] contracts that require certain standards and people who check those standards, not because they are required by law, but because it is bad for the corporate reputation [not to],” he said. “So here there is a blending of corporate responsibility and compliance.”

Who’s Right For The Job?

While certain industries are required to have programs, there isn’t a company that couldn’t decide on its own to have one.

“Every company warrants the adoption of a program and there is legal vulnerability for not having a program in place,” Hansen said.

Compliance is more robust in places like academic medical centers and pharmaceutical companies, Roach said. Those companies are much more specific in their want ads, seeking people with specialized knowledge of the regulations in those industries. A “plain vanilla” corporation, on the other hand, may accept a broader array of backgrounds. Often a former federal prosecutor fills the role, he said.

“Where the industries are heavily regulated, you tend to have more of a compliance focus by necessity … whereas [with] a standard corporation, that office will be much more code-of-conduct and general ethics-focused,” he said.

Within a compliance department, companies will often have people with specific knowledge of their risk areas. In an international oil company, for example, people who understand the Foreign Corrupt Practices Act should be on hand.

Oftentimes the CCO is a lawyer, but there are also Ph.D.s in philosophy who were brought on to handle the ethics component, Roach said. Knowledge of accounting principles is important on the fraud side, and half of the university-world CCOs are heads of internal audit departments, he said.

“The truly best-qualified compliance officer will be multi-disciplinary,” Roach said.

Frank D’Amore of Attorney Career Catalysts has placed a few compliance officers in local corporations in the past few years. He said the trend is clearly for them not to be housed within the legal department.

That trend has created issues for career advancement and made recruits think harder about whether they wanted to take on a compliance role, even if it is the head of their department.

“If you’re not in the legal department, you’re in a weird position because what is the career advancement?” D’Amore asked.

CCOs can max out and become pigeonholed, he said. They do achieve broad exposure within the company, including among the board members who are often high-ups in other corporations. That could lead to a general counsel position at another company, but those positions often require experience in managing layers of staff and departments. A compliance officer usually only has a small contingent of staff reporting to her, so that could hurt future career prospects, he said.

CCOs, particularly at the larger companies, are paid a salary equivalent to a deputy general counsel or the number-three lawyer, D’Amore said.

Gina Passarella is a senior reporter for The Legal Intelligencer, a publication affiliated with GC Mid-Atlantic. She can be reached at GPassarella@alm.com.