not specifically driven by the legal
team, but rather, are merely supported
by your organization.
Commitment
Start with the C-suite. Be sure that
the “tone at the top” is one of support
and endorsement of your compliance
initiatives and fosters a company-wide environment of acceptance.
Depending on who is driving the
motivation behind structuring or
revamping your program, this may
be less of an issue. In an effort to cut off
arguments that compliance is simply
another soft cost that does not directly
contribute positively to the bottom
line, collect research on the increased
fines and the potential for personal
liability that have become part of the
regulatory arsenal. No matter how
resistant an executive may be, personal liability can be a useful tool in
You’ll likely be spending your
own political capital to implement a
program, so make it worthwhile. The
commitment you seek should include
the assets necessary to make it successful — and be sure that “assets”
include both financial and human
resources. Give the compliance team
its own identity, including a budget.
This will be vital to recruiting your
team, as no one will want to play if
they must also pay a membership fee
from their own purse.
Assuming you receive a thorough
endorsement, the next step is to turn
to the actual implementation of the
program — which should involve
IT as early as possible. Compliance
records should not be commingled in
the legal files or sprinkled throughout
various departments across the organization. Instead, these may be stored
in a shared folder with permissions
granted to those on the compliance
team who need access. The compliance-based records will need to be
managed in a manner appropriate to
withstand a discovery event. Records
retention rules should be considered
and set for the compliance team as
though it were its own department.
Consider creating a dedicated email
address for the individuals participating in a compliance capacity, as well as
another shared email address to use to
deliver company-wide messages from
the team. The resulting email content
should be managed by the team members in the joint file and in accordance
with the records retention structure.
Support staff can also be utilized
in the setup of the compliance team
to help alleviate the burden on the
lawyers, whether by managing records
retention, calendaring, and keeping
minutes and other records related to
compliance meetings, etc. Undertake
efforts to limit the compliance exposure
from spilling over into other
administrative functions for the legal
department and traditional legal work.
Meetings of the compliance team
should occur at a regular frequency,
often enough to satisfy the appetite
of those driving compliance efforts.
Prior to scheduled board meetings,
in-house counsel should compile
regulatory filings, year-end close outs
of company accounting, and budgeting efforts to be able to respond to the
oversight of regulators.
Continuous endorsement of the
compliance message is imperative,
even if the message is ghost-written
by the legal department. It should be
clearly articulated and communicated unambiguously by management at
all levels at every possible turn. Your
managers should be your model citizens, scrupulously following internal
compliance policies to the letter.
Regarding delivery of the message of compliance, talk with IT and
about the creation of an independently
dedicated intranet page for the compliance team. This can be an excellent
avenue to share noteworthy updates
in the compliance arena, whether
internal or external, provide updates
on upcoming training opportunities,
host confidential reporting outlets
(discussed below), and outline any
other information that is to be shared
throughout the company. Be mindful, however, that this should not be
the only avenue for such information.
Ensure that materials are available in
every medium and in every language
necessary to reach all employees.
Review all of the policies that your
company has on file. We are quick to
82 ASSOCIATION OF CORPORATE COUNSEL
COMPLIANCE & RISK MANAGEMENT IN SMALL LAW DEPARTMENTS
A note on privilege
How can you best undertake your compliance efforts without diluting
the attorney-client privilege and the autonomy of the legal department?
Begin by recognizing that the compliance program is going to be used as a
shield. To be afforded that protection, it must be structured accordingly.
The compliance work must be clearly distinguished from the legal work.
In a department of multiple lawyers, try to vest compliance efforts with
a single lawyer, and that work should be treated separately. Implement
a file structure that sits outside the legal group where no one else has
access other than the compliance team. In addition to clearly defining the
compliance roles, this may also alleviate the potential for privilege issues
down the road. Retention of privilege will be unequivocal for the legal work,
and although the compliance function might be comprised of murkier
privilege waters, the focus of that question will be much more narrow.