A General Counsel’s obligation to heed risk and compliance challenges is like a homeowner’s obligation to keep an eye on the veggie crisper in the refrigerator. It is not necessarily a sexy task but if left neglected can lead to not-super-awesome developments. A GC must monitor risk and compliance (as well as their veggie crisper) to maintain a well-functioning environment. The GC serves as the backstop for risk and compliance related items, often in tandem with a CCO or other risk and compliance professionals and is a valued thought partner on strategic issues affecting all aspects of the company, notably risk and compliance.
Five key risk and compliance challenges currently looming over the minds of GCs include (i) the management of compensation structures around compliance objectives, (ii) employees’ use of personal devices and messaging applications, (iii) data privacy, (iv) cybersecurity, and (v) the rapid development and use of AI.
Companies are increasingly scrutinized and operating in highly regulated environments in which they must quickly learn and comply with new laws and rules spanning antitrust, export controls, sanctions, consumer protection, ESG reporting, etc. Two significant issues the DOJ has recently directed prosecutors to focus on when considering the pursuit of a criminal investigation are (i) compensation structures and consequence management and (ii) employee’s use of personal devices and personal messaging applications.
The bottom line: when it comes to the DOJ’s view on effective compliance programs, two key factors are financial penalties and incentives. Does your company include compensation claw back provisions in its executive compensation packages? Does your company’s compensation structure measure and reward compliance?
In terms of personal devices and personal messaging applications, the DOJ and the SEC are in the business of assessing fines and penalties against financial institutions for not complying with their obligations to capture, maintain, and access the underlying data, including the content of any work-related communications on personal devices or messaging platforms. This is an issue that takes collaboration around compliance, legal, IT, and operations to solve and should be led by the GC.
Data privacy and cybersecurity should be on the top of every GC’s mind, regardless of whether their client’s business is focused on tech. An alphabet soup of new regulations and laws around the world to comply with such as BIPA, CCPA, GDPR are keeping GCs on their toes. GCs are sleeping like babies – crying, screaming, and waking up every 90 minutes – due to concern over whether they have the required controls, reporting requirements and processes implemented and followed. Never mind the fear that there has already been an undetected data breach.
Lastly, artificial intelligence – both its use and misuse – is the newest worry in terms of risk and compliance hurdles. On one hand, lawyers have a professional responsibility to stay abreast of new technology and how to utilize it to best serve their clients. On the other hand, lawyers have a strict duty of confidentiality which means you cannot just yet pull up ChatGPT, punch in your client’s information around a certain issue, close your eyes, and hope for the best. While opportunities abound to streamline compliance processes, AI also poses robust compliance challenges in terms of more sophisticated hacking and phishing attempts.
It should go without saying that each GC must understand the threats and risks in the context of their client’s particular situation including the industry, geographic scope, size of legal department, resources, etc. It is a daunting task, particularly when the answer is not necessarily a one size fits all approach.
Action Items to Consider
While it is easier said than done, the sage advice provided by generations of high school football coaches of “keep it simple, stupid” works well here too. The GC, in collaboration with other members of leadership and in some instances, the board), will want to make sure that they and their team are doing the following:
Staying up to speed on developments and topics in the news. The GC must remain informed and have a general working knowledge as to changes in laws, regulations, and industry standards that might touch on their client or its business. Be sure to remain curious and proactive and make a point to seek out insight from external resources
- Conduct risk assessments, early and often. Do not wait to conduct a risk assessment postmortem. The GC should be proactively conducting regular risk assessments to identify potential compliance or risk management issues while developing appropriate strategies to mitigate and determine how to best allocate resources across the company.
- Establish, build, and maintain a culture of compliance. The GC’s role is paramount in building a culture of compliance and to establish an environment where compliance and ethical standards are table stakes for employees. The written policies should be (i) tailored to your business, (ii) designed to mitigate risks and maintain a compliant company, (iii) accessible by all stakeholders, and (iv) updated regularly and as needed. When considering criminal charges against a company, federal prosecutors ask three fundamental questions: (i) Is the compliance program well designed? (ii) is the program being applied earnestly and in good faith? (i.e., is it adequately resourced and empowered to function effectively?), and (iii) does the program work in practice?
