More than 17 years ago, I left Baker & McKenzie to join Thomson Reuters as a compliance attorney, back when you still had to explain to people what the word "compliance" meant. Since that time, I have held a number of different legal leadership roles in the company, sometimes heading compliance functions, sometimes leading legal teams. At times, I tracked toward becoming a Chief Compliance Officer (CCO) and other times toward being a General Counsel (GC). I wondered what I would do if I would have to choose between being a CCO or a GC. Unexpectedly, when the choice did come, I chose to be both as I became CCO for Thomson Reuters while maintaining my then-role as GC of our emerging markets business.
While holding those two different roles at the same time might strike some as an odd pairing, it has given me an amazing opportunity to drive compliance as CCO with the pragmatism of a GC, and navigate the dynamic and sometimes challenging world of business in the emerging markets with the sensibilities and risk management approach of a CCO.
Furthermore, I have discovered that – beyond the benefits to my own experience – there is much that CCOs and GCs can learn from each other as they play key complementary roles to ensure that companies operate in compliance with increasingly complex laws and regulations across a broad number of different industries. While the GC oversees the legal affairs of the company and is seen at times as the company's legal advocate, the CCO has specific responsibility for the company's compliance program, responsible not only for helping to prevent misconduct but also for identifying misconduct that may have occurred.
While there is obvious overlap and alignment, these roles are in fact different. In addition, GCs and CCOs frequently have different mindsets and approaches. Collectively, these differences may lead to challenges as CCOs and GCs must work closely together to help a company be successful.
With that in mind, I pulled together some of my thoughts (and polled some very generous colleagues who were kind enough to share their thoughts with me), which I have captured in the following few principles that, if kept in mind, will help make the working relationship between a GC and a CCO as effective as possible.
Three things a GC wants a CCO to know
1. Understanding the business is key.
GCs work hard to earn a seat at the top executive table, to be part of key discussions and strategic decision-making for the business. Successful GCs are valued by their CEOs and fellow executives for their sound judgment and deep understanding of how the company operates and what works well within the culture of that business.
CCOs need to have that same kind of deep understanding of the business, so relevant risks can be identified and managed. A CCO needs to tailor the compliance program to her own company, so that it resonates within the cultural context of that organization, is aligned with overall business objectives, and effectively works within the dynamics of how that company operates. Furthermore, a successful CCO will have a program grounded in reality, not based on theoretical risks.
Understanding the business, coupled with having the right specialist subject-matter knowledge and experience, enables a CCO to focus and prioritize on the highest risk areas. Like GCs, CCOs must understand how a business operates in order to be successful.
2. Effective regular two-way communication is essential and leads to better outcomes.
As in any partnership, how successful the working relationship between the GC and the CCO will be depends, in large part, on how effective they communicate with each other. Although the GC and the CCO have complementary roles, the fact that they have different remits but are operating in the same areas within the business landscape means there is potential for lack of alignment, inefficiencies, and perhaps conflict.
Regular feedback loops help the GC and CCO stay aligned, share important information and insights, ensure proper prioritization and focus, and deploy their resources with the greatest effect and impact for the organization. This close working dynamic is particularly key the larger or more matrixed an organization is.
To make these communications as effective as possible, it is helpful for a CCO to not only provide a GC with data, but to help find the signal in the noise by identifying significant trends, being thoughtful in highlighting what the real takeaways are, and working in tandem with the legal department to think through how the GC and CCO can work together to be more strategic and proactive.
3. Lawyers in the business can help advance the compliance agenda and assist in the work, but need support and guidance from their partners in the compliance function.
Members of the legal department who support the business can be extremely helpful to their colleagues in the compliance function by acting as another set of eyes and ears, lending their support to compliance initiatives, and helping to influence business stakeholders.
In addition, the lawyers in the business, once given the requisite training and opportunity to work with compliance colleagues to gain relevant experience, can be an effective resource and help "grow" the size of the compliance team.
This experience can be a significant development opportunity for lawyers in the legal department as businesses increasingly look to senior lawyers to not only help drive growth and execution, but also to help navigate the compliance landscape.
Three things a CCO wants a GC to know
1. Understanding risk helps structure better deals and run business more effectively.
For a CCO, it is imperative that a GC understands what risks are generated by particular business activities; this will lead the GC to better structure deals on the front end and manage projects and run business more efficiently and effectively. Those who do not understand the true potential cost of decisions cannot make truly informed decisions. Knowing what the nature, amount, and likelihood of risk is enables better decision making.
This goes beyond simply deciding whether to engage in a particular business or not to knowing how the economics of that business model should be dealt with to reflect the risk that a business takes on in conducting that business. For example, she should make sure the business can generate sufficient margin to fund appropriate controls to manage that risk.
In addition, when the CCO and her team are brought into the handling of specific business matters earlier as opposed to later, the compliance team can help the business navigate various challenges and actually can help drive revenue and overall success.
My own personal experience, having been a litigator and then a compliance specialist, helped me actually structure and drive revenue-generating work as a business lawyer and then a general counsel as I understood the full life-cycle of a transaction, including how deals can go wrong and how to help ensure that does not happen.
2. Merely acquiring a company is just the start of the journey.
Whether an acquisition ultimately will be considered a success depends on how that company is integrated, whether its performance meets expectations and whether there are significant risks, liabilities, and other nasty surprises that come to light after the acquisition.
While a legal department may focus a tremendous amount of energy on ensuring that M&A deals close successfully, a GC must be aware of what happens afterwards, in terms of how resources are dedicated to ensuring operational controls are working and that the proper culture is in place. These need just as much attention. In addition, the level of talent that is assigned by the legal department or the business to integrating an acquisition should be comparable to the level of talent and leadership that was assigned to handle the deal in the first place.
Ensuring the successful integration of businesses helps ensure that adequate controls and safeguards are in place and that risks are not missed or forgotten in the process. In addition, it is important to keep in mind that sometimes it is the small acquisition in a noncore part of the business or far from the corporate center that can create risk.
3. Having operational controls embedded in business processes is a compliance best practice.
After ensuring that the foundational elements of an effective compliance program are in place – a corporate culture that values ethics and compliance, reflected in policies and a Code of Conduct, with associated training, investigation, and remediation for noncompliance – a CCO should turn her focus to operationalizing compliance controls within actual business processes. For example, she should ensure certain due diligence is conducted on any new third-party supplier or embedding "privacy by design" into the product development process.
The implantation of these controls can create organizational friction, and business leaders may turn to the GC to challenge the CCO on the need for these operational controls. While it is good to be thoughtful about the efficacy of any control, if that analysis holds up, the CCO truly needs the support of the GC to maintain the integrity of those standardized controls. This is especially true when the business leader is looking to the GC for not only a legal judgment on the need for that control, but also for their own good judgment on whether or not this particular control is reasonable or needed.
By lending her strong support to a CCO attempting to establish an operational control, a GC will be helping the company to greatly enhance the control environment.
There is much a CCO and a GC can learn from each other as they work together in their respective leadership roles to help their company achieve its business goals while properly managing risk. The more closely and seamlessly the Legal and Compliance functions of a company can work in conjunction with one another, the more each function will be able to achieve even greater effectiveness.
About the Author
Thomas Kim is both the Chief Compliance Officer for Thomson Reuters as well as the General Counsel of its emerging-markets business (Global Growth & Operations). As the company's Chief Compliance Officer, Thomas leads enterprise-wide compliance efforts across all of Thomson Reuters businesses around the world, including with regards to anti-bribery, data privacy, business ethics, and trade control issues. As the General Counsel of Global Growth & Operations, Thomas oversees a diverse global legal department that supports all Thomson Reuters businesses emerging-market countries spanning Asia, Eastern Europe, the Middle East, Africa and Latin America, as well as overseeing Thomson Reuters operational centers around the world.