Jack Holleran, a principle at Ernst & Young, succinctly states the responsibilities of a chief compliance officer (CCO). Holleran, writing in Met. Corp. Counsel, Vol. 17, May 2009 at 8, notes that the “chief compliance officer does not own any substantive risk area but rather serves as the architect and steward of the compliance program.”
Since some general counsel shoulder these responsibilities and some CCOs report to general counsel, I have quoted his “five basic questions” a CCO is accountable to answer. Similar questions deserve answers from a general counsel.
“What are the company’s most significant compliance risks?” Substitute “legal” for “compliance” and chief legal officers own the challenge.
“Who within the company owns those risks and is accountable for managing them?” Within a law department, the responsibility for legal risks need to be doled out.
“What controls do those risks owners have in place to manage those risks?” What oversight, guidelines, training and other risk-mitigation tools and practices are in place for lawyers?
“Are the controls working?” Ah, the $64,000 question, and the hardest to answer for lawyers.
“How do we know, that is, how do we measure the effectiveness of what we have in place and drive continuous improvement based on that information?” This question overlaps with the fourth, but continuous improvement should be a watchword for legal departments (See my post of Aug. 22, 22006: the power of kaizen; Nov. 16, 2005: constant incremental improvements add up; July 5, 2006: the Horndal effect; Sept. 13, 2006: focus on common good practices, not novel “best practices”; Nov. 6, 2007: focus on execution more than on innovation; July 11, 2008: execution-as-efficiency and execution-as-learning; and (See my post of Feb.14, 2009: best practices with 24 references and one metapost.).