Recently, a reporter for Corporate Counsel (an affiliate of the N.J. Law Journal) decided to ask the five largest law firms about their internal compliance programs, and was met by either 1) platitudes or 2) crickets. In most cases, the reporter’s call was transferred to the firm’s PR manager faster than you could say “billable hour.” Nothing to see here!
This is curious, since you would think that law firms would want to show clients that their “expert advice” on compliance programs is backed by some institutional experience with such matters.
In this spirit, we offer some “inconvenient truths” for the law firm management committee:
1. When it comes to compliance risk, law firms aren’t all that “special.”
Fact 1: People create risks. Fact 2: Law firms have people.
Law firms already have protocols covering a few obvious risks: professional ethics, segregation of client funds, management of conflicts and billing (although recent headlines about billing practices may suggest this last area could use more scrutiny). But beyond the risks that are typically associated with legal partnerships, what about those additional risks common to most organizations: e.g., sexual harassment; discrimination; fraud; theft; social media, privacy and cybersecurity; insider trading; and even money laundering, bribery and kickbacks? Don’t look now, but a quick Google search will turn up law firm scandals in all of these areas. Inconvenient truth: a code of professional responsibility is not the same as a code of conduct. A credible compliance program, starting with a meaningful risk assessment and a code of conduct, would proactively identify and manage all top risks of the law firm organization.
2. When everyone is responsible for feeding the dog, the dog starves.
Merely appointing a number of “go-to lawyers” as subject matter experts for ad hoc training or issue resolution does not a compliance program make. (Your corporate clients would never get away with that.) If those experts carry a certification, such as one of those offered by the Society of Corporate Compliance and Ethics, that’s terrific — but still a far cry from having an experienced chief ethics and compliance officer (CECO) with single-point accountability, empowerment, autonomy and line of sight over all areas of compliance risk, and the mandate to develop a robust program to address them.
If you do not assign responsibility to one empowered CECO to do the job, the job will not get done (and the dog will starve).
3. Appointing a general counsel is not a compliance program.
“Oh, we’ve got that covered. We have our own general counsel!” If what you have is a general counsel, good for you … but a general counsel is not a compliance program. Every big company that has gotten into trouble over the last two decades probably had a general counsel. Not once in that time did any government agency give credit for a compliance program just because someone had an in-house lawyer.
And what about all those companies whose general counsels your firm told that they needed to have a compliance program? A general counsel is what you need as a firm to give you legal advice. A compliance program calls for much more than legal advice. We think law firms should follow their own client advice.
4. Compliance is a small price to pay for reputation.
We can hear the grumbling: compliance is a cost center! CECOs have been dealing with that reality since 1991. But a cursory survey of recent law firm scandals — overbilling, sexual harassment, accounting fraud, theft and insider trading, to name a few — makes a strong case for a more serious approach to compliance as a guard against reputational damage and other liability.
For those who say, “We can’t afford all that,” the quick answer is a free brochure published by the Society of Corporate Compliance and Ethics, “Compliance and Ethics on a Dollar a Day.” Although the brochure was written for small to medium-sized organizations with significant resource challenges, any law firm could benefit from implementing some of its common-sense ideas.
5. What gets measured is what gets done.
The recent overbilling scandal at DLA Piper — complete with highly embarrassing emails (“Churn that bill, baby!”) — should have come as no surprise in an industry that is driven by the billable hour. Where associates and partners are measured in their billable hours, with no balancing incentive for ethical leadership, transparency and accountability, trouble ensues.
Maybe law firms should take a page from their corporate clients that are increasingly tying performance evaluations and compensation to compliance and ethical leadership metrics. And, as many of your corporate clients say: “Inspect what you expect.”
6. Legal compliance is only half of the equation.
A robust program is more than just legal compliance — perhaps a counterintuitive concept for an organization of lawyers. A meaningful approach to compliance uses all the tools of a risk-management system (e.g., management role-modeling, risk assessment, training, engagement, incentives, discipline, monitoring, audit, reporting mechanisms, etc.) to foster an ethical culture and drive the desired behavior in all aspects of organizational life (see No. 5 above).
This requires a multidisciplinary, coordinated approach and doesn’t just happen all by itself, or from a “Kumbaya,” all-join-hands-and-sing approach. An experienced, empowered CECO should have the single-point accountability and oversight of the design and implementation of this system, and periodically report on it to the management committee. The CECO should also network with peers at other organizations to ensure they are using best practices.
7. The unthinkable: a law firm confidential employee reporting line.
Will we ever see a law firm confidential reporting mechanism for employees? This is probably the scariest element of a compliance program for a profession that is famously risk-averse (a close second to formal risk assessment). But without this feature, a law firm simply does not have a compliance program. A law firm that funnels complaints to the managing partner, general counsel or management committee can be assured that few complaints will ever see the light of day — and maybe that’s the goal. Any risk assessment, training and controls that exist on the front end of a program are of minimal value unless the feedback loop is completed with a safe, reliable way for employees to report problems (and a credible nonretaliation program to back it up).
8. If it isn’t in writing, it didn’t happen.
When companies with no compliance program are confronted with this gap, they typically respond by claiming that of course they do all those things. But when it comes time to prove it, once again the sound of crickets echoes in the air. Law firms, if they are willing to even discuss the topic, typically will list things like their new general counsel, their lawyer ethics committee, a strict adherence to the Code of Professional Responsibility and the firm’s overall commitment to integrity of all their lawyers.
But the Sentencing Guidelines’ list is specific and straightforward, and none of these excuses meet the standards. You either have the elements or you don’t. If you don’t have them in writing in a way that is provable, and if interviews about the compliance program with a random selection of employees draw blank stares, you don’t have a program.
9. The Big 4 accounting firms are way ahead of you.
Somewhere along the way, the Big 4 accounting firms — PwC, Deloitte, Ernst & Young and KPMG — figured out that if they are going to offer compliance services, they’d better have a compliance program, too. (Evidently, the Big 4 don’t regard themselves as too “special” for compliance.)
OK, maybe that’s too cynical. But it is also fair to note that these firms initially did not think any of this applied to them — until they started to get into serious trouble, saw the folks with guns and badges at the door, and decided maybe rigorous programs were a good idea. It’s clear that for whatever reason, the Big 4 have taken a purposeful approach to compliance and ethics, dedicating significant resources and talent to compliance and ethics programs, including confidential employee reporting lines.
This has earned their CECOs speaking slots at the top compliance and ethics conferences, where they share details on some of their leading best practices. Go ahead, take a look, they’re waving at you from their rear-view mirror.
10. Compliance is a competitive advantage.
The first law firm that can boast of a robust compliance program will be unique in the field. That’s called competitive advantage. And perhaps this is not so far away, as the 22-lawyer firm Smith Debnam, based in Raleigh, N.C., has just announced the appointment of Jenifer Quillen as a full-time compliance officer. Quillen is a former FDIC bank examiner with 19 years of experience in risk management and internal controls.
What’s impressive is that the firm has dedicated one full-time professional to the new role (i.e., not just slapping an additional title on a partner or associate with extra time on their hands), reporting directly to the managing partner, Jerry Myers. According to Myers, that decision was “market-driven” by the expectations of the firm’s financial services clients for more than just “window dressing” when it comes to the physical security, data security, and privacy of their information.
And in addition to addressing the risks of the firm’s financial services practice, the new CCO will have the broad mandate to identify and address all other key compliance risks of the organization. “Law firms don’t like to admit that we are vendors, but that’s what we are,” observes Myers, “and our clients need to know that their vendors are serious about compliance. At some point, all law firms will need to be able to demonstrate that they take compliance seriously.”
From the sound of it, this firm is serious about compliance. If Smith Debnam has the resolve and foresight to appoint an experienced, full-time CCO for its 22 lawyers, what excuse does Big Law have for its continued head-in-the-sand approach?
A few months ago, the legal world was abuzz about a “scathing memo” sent by a law firm partner to colleagues and clients as he exited the firm, taking along members of his team. In it, he alleged issues of discrimination, harassment, privacy and retaliation. A shocking and highly unusual one-off case? Maybe not. Even a casual unpacking of that story would make any good CECO ask hard questions about the firm’s discrimination and harassment policy, email and privacy guidelines, confidential means of reporting problems, investigation protocols and non-retaliation program — all elements of a basic Compliance 101 program like the ones law firms prescribe for their clients. Unfortunately, you won’t find the answers to those problems in the lawyer’s code of professional responsibility. In other words, maybe it’s finally time for big law firms to feed that hungry dog at the door.