The Traditional Roles of the GC and CCO
To understand the risks associated with consolidating the GC and CCO positions, consider first their primary roles, responsibilities, and duties. Contrary to public perception in the United States and overseas, the roles of the GC and CCO are not usually coextensive.
In general, the GC is the organization’s lawyer with general supervisory responsibility for the corporation’s legal affairs. More specifically, the GC often serves as legal counsel to the organization’s board of directors and helps the organization comply with applicable laws and regulations, as well as identify and evaluate business concerns related to those legal risks.
The CCO, on the other hand, is a relatively new position entrusted to reduce a company’s risk by focusing on both ethics and legal compliance, instead of relying solely on the law. More specifically, the CCO shoulders the responsibility for not only preventing corporate misconduct but also uncovering and investigating it. In that role, the CCO must act as a neutral fact finder in the interest of the organization’s stakeholders.
Thus, unlike the GC’s job, the CCO’s job is to help ensure compliance rather than just advise about it. Moreover, far more than being a management resource, the CCO has independent duties to the board of directors and is part of today’s governance “checks and balances.” Failure to appreciate these bedrock distinctions can result in business- disrupting government intervention and unwanted, costly litigation.
The Appeal and Risks of Consolidation
The most common arguments for consolidation are cost and efficiency. Other organizations, whose budgets are less of a concern, see consolidation as a practical approach to fulfilling their compliance and legal needs.
The benefits gained from consolidation often exist at the expense of other important corporate interests. GCs around the globe are responsible for a wide array of day-to-day legal issues, from general corporate legal advice to employment matters, contract drafting and negotiation, and litigation management. Attention to any one of these responsibilities means less attention paid to compliance. Large litigations, for instance, can be extremely disruptive to the normal duties of the GC.
Multinational organizations face particular complications as they are subject to regulatory schemes in various countries of operation that are not always consistent with one another (indeed, often the opposite is true). A prime example of those competing interests is the whistleblower provisions in the Sarbanes-Oxley Act. These provisions are frequently at odds with the competing privacy-driven laws and regulations in the European Union and elsewhere. It is crucial that an organization have a CCO focused on understanding the applicable and sometimes conflicting regulations.
The consolidated model may also jeopardize an organization’s privileged communications. That is, a GC may find himself or herself conducting typical CCO duties—which are viewed more as business, rather than legal, functions—and, at the same time, providing legal advice to the organization. Because not all communications flowing from the GC are privileged, issues arise as to which are protected. Communications intended as business advice rather than legal counsel are not protected by the attorney-client privilege.
This, of course, becomes crucially important when the organization finds itself involved in litigation or, worse, in the crosshairs of a governmental investigation. Deciding which documents are privileged is increasingly difficult if the GC regularly provides legal and business advice as part of the same communications. In addition, there is precedent holding that communications between a GC who also acts as a CCO are not protected by attorney-client privilege. U.S. courts, moreover, have routinely rejected the argument that a CCO’s communications are privileged. This puts organizations at an increasing risk of disclosing and waiving arguably privileged communications.
U.S. federal regulators and prosecutors, for their part, have made clear that they disfavor the consolidated model. Recent federal prosecutions of financial and health care industry organizations illustrate this point.
In December 2012, United Kingdom-based HSBC agreed to pay $1.92 billion for failure to comply with anti-money-laundering laws. HSBC avoided indictment in part because it separated the CCO from the legal department and gave the CCO direct reporting lines to the board of directors. In 2013, J. P. Morgan Chase & Co. settled a host of regulatory and legal issues with federal regulators and, as part of that process, agreed to divide its compliance and legal departments. Also in 2013, Johnson & Johnson made a similar deal with federal prosecutors, and other companies in the health care industry have followed suit.
While the reasons for this preference are not entirely clear, experience demonstrates that federal investigators have grown increasingly skeptical of the consolidated model, in part because of a perception that organizations take an aggressive approach to claims of privilege. Another reason may be a belief that separate roles create and foster specialization and reduce conflicts between the CCO and the GC.
- While there is no absolute right or wrong way to structure an organization’s legal and compliance departments, trends suggest that organizations are better served if they have separate GC and CCO positions.
- If that is not possible, steps should be taken to ensure that the person acting in the consolidated role pays ample attention to both typical GC and CCO roles.
- The organization should appropriately safeguard its privileged communications and documents by separating them from normal business activities, marking them appropriately, and expressly stating that communications are for the purpose of requesting and providing legal advice.
- As appropriate, management should ensure that all personnel involved understand that the CCO is acting at the request of the legal department.
- Steps should be taken to avoid involving non-lawyers (including the CCO) in privileged communications under circumstances that might threaten the privilege.