About Compliance 2.0
Many learned commentators on compliance and ethics have noted the rapid evolution of the compliance and ethics profession over the last few decades, and with that, the increasing expectations of regulators, prosecutors, boards of directors, and other key stakeholders for robust and effective compliance and ethics programs that “work” to find and fix, or prevent, misconduct or problems before outside parties (plaintiffs’ lawyers, regulators, independent investigators, or media sources, to name a few) force the organization to do so on their own terms.
One of the most visible signs of this ‘rapid evolution’ is the transformation of the governance model for Compliance within the organization from the legacy and flawed Compliance 1.0 model (Compliance as a captive arm of Legal) to Compliance 2.0, carefully structured for success and effectiveness within the organization. Compliance 1.0 arose from the dangerously flawed and simplistic assumption that “if it includes legal issues, it must be a subset of Legal.” From this enormously regrettable narrative sprang other big misperceptions and a multitude of poor organizational choices that did not address the realities of actual compliance challenges on the ground, including:
- Many badly-flawed Compliance 1.0 structures premised on the idea that any manager with a JD or legal resume was capable of the very difficult job of designing and overseeing an effective compliance and ethics program. This included:
  - (i) GCs as “double-hatted” Legal/Compliance experts;
  - (ii) GCs as the CCO supervisor, with a member of the Legal Department acting as the operating CCO; and
  - (iii) “Indiana Jones Compliance” where a non-subject matter expert with a big name, such as a former prosecutor or regulator, is appointed to impress regulators, prosecutors, and the media. #WhatCouldPossiblyGoWrong?
Thus, many of the first generation of Compliance functions and programs were established with a flawed architecture of Compliance as a mere subset or branch of the Legal function on the wrongheaded advice of outside counsel or other advisors with an imperfect and near-sighted understanding of the evolving field. Compliance 1.0 became the norm, and the failure to recognize Compliance as a different and independent subject matter expertise and profession, very different from Legal, is the cause of so many high-profile compliance scandals over the last decade, including:
The rise of Compliance 2.0 reflects the acknowledgement that Compliance is the new subject matter expert needed in organizations to design and manage their compliance programs successfully as the irreplaceable management tool that it has become and must be. This means that the first, foundational element of Compliance 2.0 is Subject Matter Expertise: embracing the new profession of compliance and ethics, and letting go of the wishful but wrong-on-so-many-levels idea that anyone with a JD can “do” compliance. The many failed attempts at “DIY Compliance” found in the headlines show why this is a fatally flawed idea. There are 20+ years of best practice and experience behind this new, rising profession – and learning to “think like a lawyer” does not a compliance subject matter expert make. The rest of the Compliance 2.0 model is focused on creating the right ‘architecture’ to empower the CCO and Compliance function to achieve its mandate: the independence, line of sight, seat at the table and resources to do the job well.
Choices have consequences, and as the scandal headlines have illustrated, those organizations that are serious about compliance must choose the Compliance 2.0 model. Prosecutors, regulators, and policymakers are showing that they understand the difference. Some of the many signs that Compliance 2.0 is now the “new normal”:
- The OIG HHS has endorsed Compliance 2.0 in its Joint Guidance for healthcare boards.
- The much-heralded appointment of Compliance subject matter expert Hui Chen by the Department of Justice foreshadows the insertion of greater compliance subject matter expertise into the DOJ and its investigations/settlement agreements.
- PwC has called the CCO “the C-Suite star of 2025,” and many recent surveys reflect the untethering of Compliance from the Legal department and the momentum across industries towards Compliance 2.0. In the 2015 Deloitte/Compliance Week Compliance Trends Survey, only 21% of CCOs still reported to the GC while 57% reported to the CEO or the Board (empowerment and independence). Meanwhile, 50% were part of the senior management team (seat at the table) to aid in annual business strategy development.
- The Department of Justice has recently released a new guidance document – “Evaluation of Corporate Compliance Programs” – that expressly endorses elements of a modern compliance model, including true compliance subject matter expertise (SME), independence, empowerment, line of sight, seat at the table, and resources.
This tells us that Boards, government, and other gatekeepers have gotten the memo, and that the next generation of Compliance will be positioned and structured for success. It’s about time! Because #TheRisingCCOLiftsAllBoats!