Recently a Corporate Counsel reporter decided to ask the five largest law firms about their internal compliance programs, and was met by either 1) platitudes or 2) crickets. In most cases, the reporter’s call was transferred to the firm’s PR manager faster than you could say “billable hour.” Nothing to see here!

This is curious, since you would think that law firms would want to show clients that their “expert advice” on compliance programs is backed by some institutional experience with such matters.

And the debate continues. Last week a law firm partner posted an “Apologia” for why law firms don’t have “typical” compliance programs (shorter version: they’re “special”). Although the author has produced a thoughtful and detailed piece on the many ways that law firms discharge their professional ethics responsibilities, we still hear crickets when it comes to the kind of meaningful compliance program envisioned by the Federal Sentencing Guidelines for Organizations. (Hint: the Guidelines don’t have any “special” exemption for law firms, which are clearly covered as “organizations.”)

Another explanation comes from law firm consultant John Remsen Jr.: “Law firms like autonomy, not rules. It is a pretty loose form of governance.” We think law firms could benefit from the same robust approach to compliance as the clients that they advise . . . about compliance.

In this spirit we offer some “inconvenient truths” for the law firm management committee:

1. When it comes to compliance risk, law firms aren’t all that “special”

Fact 1: People create risks. Fact 2: Law firms have people.

As noted in the “Apologia,” law firms already have protocols covering a few obvious risks: professional ethics, segregation of client funds, management of conflicts and billing (although recent headlines about billing practices may suggest this last area could use more scrutiny). But beyond the risks that are typically associated with legal partnerships, what about those additional risks common to most organizations: e.g., sexual harassment, discrimination, fraud, theft, social media, privacy, cybersecurity, insider trading, and even money laundering, bribery, and kickbacks? Don’t look now, but a quick Google search will turn up law firm scandals in all of these areas. Inconvenient truth: a code of professional responsibility is not the same as a code of conduct. A credible compliance program, starting with a meaningful risk assessment and a code of conduct, would proactively identify and manage all top risks of the law firm organization.

2. When everyone is responsible for feeding the dog, the dog starves