Greg Morical, vice president, general counsel and secretary of Calumet Specialty Products Partners, L.P., and Tabitha Meier, partner and co-chair of the compliance team at Barnes & Thornburg LLP, discuss the various ways outside counsel can help companies get their compliance programs up to snuff.
CCBJ: Why is it important for an organization to focus on compliance, and on what can go wrong if it’s not a priority?
Greg Morical: Simply put, it’s crucial to focus on compliance to avoid mistakes that could cause significant problems for the company. The first set of problems would be getting in trouble with the government, but you’ve also got the knock-on effects of the impact to your reputation with vendors, with customers, with shareholders and other stakeholders. The cost of non-compliance isn’t just whatever penalties you are assessed – it could be significantly more than that. As a result, you need your people thinking about compliance when they’re doing their activities for the business, whatever those activities are, doing things the right way to avoid negative outcomes.
Tabitha Meier: I agree wholeheartedly, and the other thing I would add is that compliance is really the best way for an organization to get its house in order. It’s a way to be proactive and align risk management with the risk priorities of the business. When companies are scanning their organizational environment and the macro industry environment, compliance doesn’t need to be perceived as this onerous set of rules that is suddenly being applied to the business. These are rules that should be organically represented within the business already, because the company has been doing business in an area that has a particular regime structure – whether it’s the Food and Drug Administration, or device regulation, or whatever it is.
Compliance is when you take a step back and look at things from a strategic oversight perspective. It’s simply saying, “OK, do we have the system in place, the compliance infrastructure in place, to mitigate risk and harm to individuals and stakeholders – as well as reputational risk?”
Within an organization, who is ultimately responsible for maintaining compliance?
Morical: Calumet is a publicly traded company, and our shareholders look to our board as being ultimately responsible for the direction and oversight of the company. The board has assigned the audit committee of the board with the responsibility to provide oversight of the company’s compliance program. The board and the audit committee look to management to enact an effective compliance program to ensure that the organization itself is compliant. If we have a major compliance issue, the senior leadership of the company will be accountable.
Meier: Greg has identified some of the key infrastructure controls within an organization – the board, the audit committee, management – and then, of course, there’s also the compliance committee. Companies will sometimes have a dedicated compliance committee made up of members of management, and perhaps a compliance department as well. But ultimately, none of it works if it’s not actually operationalized by the employees of the business. We’ve seen some great examples of companies, including Calumet, where the model is to really operationalize compliance deep within the business, designating key personnel as responsible for particular risk areas, training executives and risk owners about what an effective compliance program looks like, integrating compliance into the business and then creating a system in which the compliance department and legal are reviewing the risk owners progress against certain metrics.
Morical: At Calumet, everybody owns compliance. We don’t have a compliance officer or compliance department off to the side that’s “responsible” for compliance. The business itself needs to be responsible for compliance. The way we have structured it, which we did working with Tabitha, was first to identify all of the areas of compliance that are relevant to Calumet – relevant to how we do business and where we do business. It’s a long list! Then, for each one of those areas, we identified somebody on the senior leadership team to be the executive owner of that area of compliance. Then the executive owners of each area designated functional owners of compliance who are responsible for actually developing and implementing the compliance program for that particular area of the business. Each executive owner’s responsibility is to make sure that the functional owner has all of the resources they need to be effective, including the time, the training, and the systems – and then to knock down any barriers the functional owner encounters as they implement and maintain the compliance program in their area.
The role of our compliance department is to be an umbrella on top of this structure, to provide oversight over each of these different little compliance programs inside the business. The compliance department assesses how each one is doing and reports to the compliance committee and the audit committee on the key metrics, as to their relative health and how they’re progressing.
When Tabitha talks about operationalizing compliance, it means embedding it inside the business. There’s not some compliance person that walks down the hallway and makes people think, “Hey, I need to deal with compliance now.” Rather, there are people inside the business whose job it is to make sure that the way the business does business is compliant with the key legal requirements that are relevant to that part of the business.
Compliance is really the best way for an organization to get its house in order.
— TABITHA MEIER
What are the advantages of a company outsourcing its compliance leadership?
Morical: I’ll use Calumet as an example again. I built our corporate compliance function from scratch. We didn’t have one before I arrived. But we were able to only get so far by ourselves. We had essentially plateaued. So we brought in Tabitha about two years ago, and she really helped us make a step change. We’re a sizable company but not large enough to be able to hire a highly experienced compliance person. So by outsourcing it, we could get someone who is highly experienced. She’s an expert in this area, but we don’t need her full-time. Engaging her part-time through the firm was affordable for us. If we were going to hire somebody full-time with that level of experience and ability, it would cost way more than we could afford, and they would be bored in the role. There’s simply not enough compliance work at our company to keep somebody at that level busy. But when you only need a fraction of a resource, you can get a much higher-quality person by outsourcing that fraction.
Meier: As Greg mentioned, we try to provide clients with a nimble approach – one that fits their business and their budget and allows them to leverage existing resources. Calumet’s model does that: It’s very much leveraging the talent and individuals they already have within the business, using people who know certain risk areas but may need to be trained up and aligned on the core elements of an effective compliance program.
Morical: One of the advantages of outsourcing is that it’s flexible. At the beginning, we needed more of Tabitha’s time. Once we got the compliance program to a steady state, we needed less of her time. Now we’ve gotten to a really good place where she doesn’t need to be here frequently. But she is still available when we need her.
One of the challenges of outsourcing compliance is that in order to be an effective compliance leader, you need someone who is not only technically strong, but also understands the business. Every business is unique and has its own set of compliance challenges. In addition, the compliance leader needs to have a good relationship with key leaders in the business. That’s going to require some on-the-ground time. For us, we essentially structured Tabitha’s engagement so that Tabitha would be here more at the beginning, one or two days a week as she was learning the business and building those relationships. Now that she’s learned the business and built those relationships, she’s able to support us more remotely. Our outsourcing arrangement would have likely failed if we had not made the investment up front to bring her in to make sure she really understood our business built relationships with our people.
What approaches can be used when engaging outside counsel to serve as a compliance officer?
Morical: You can do a flat fee. There’s the classic hourly rate. Or it could be project-based. It depends on what you want to accomplish. If a company needs help developing metrics or developing a particular part of their program, they can scope it and do it on a flat-fee basis. They can do it on a daily rate basis. Or they can do it on a retainer basis for a particular year, so that people who have questions can call without racking up a bill based on hours spent. It’s really flexible, and it depends on where you are in your compliance journey and what you really want from the law firm.
Meier: Greg has just described the beginning phase of how a company might engage with outside counsel as a compliance officer – getting someone to support and do the heavy lifting of getting the project underway. He’s also described that steady state, that time in the middle when it requires less support or can be done more remotely. I would add that a third aspect or methodology that a company might consider is support in the midst of an investigation. We have seen companies that will look to outside counsel not only to handle an investigation, but also when planning for a potential negative outcome. They retain outside counsel as an independent monitor, someone who is able to review the program but is not representing the company in a true attorney-client relationship. Rather, the outside counsel is there to review the program and provide recommendations for improvement based on issues or gaps that are flowing from the investigation. Ultimately, the goal is to put a program in place to prevent another compliance breakdown – and in the case of a big companywide investigation, to proactively impact the ultimate resolution with the investigating agency.
Morical: Agreed, that makes a lot of sense, because the Department of Justice (DOJ) and federal prosecutors have specifically said that it’s important to them whether or not companies have an effective compliance program. In some ways, it’s difficult to measure. But to the extent the company is making meaningful efforts, trying hard to have an effective program, it’s going to pay dividends. In the event that something goes wrong, the government is going to consider whether or not the company has worked hard to try to be compliant. And if there has been a compliance failure, at least the company has been working to be compliant and do the right thing. That’s likely to have a positive impact.
When you only need a fraction of a resource, you can get a much higher-quality person by outsourcing.
— GREG MORICAL
What are the keys to success?
Morical: With the outsourcing model, both the company and the outsourced resource have to commit to investing the time to accomplish the goals that have been laid out. Understanding the business and building relationships are key. If either of those things doesn’t happen, it will likely fail. The outside resource needs to recognize that this isn’t merely about providing legal advice. It’s not enough to say, here’s what we think you should do, or here’s the answer, and simply send it back to the company and put it all on the company to implement the advice. When you’re the outside resource, you need to be practical and be able to actually help implement that advice. That can be a challenge for some outside counsel.
Meier: I agree, and I’ll just add that outside counsel has to be willing to give advice that’s the right size for the situation. The solution has to be one that the company has the appetite – and frankly, the budget – to implement. This is supported by the recent guidance from the DOJ, in April 2019, where they really emphasized that compliance programs should vary from company to company. A small mom-and-pop organization won’t have the same size or sophistication in their compliance program that a multinational, publicly traded company would have. That makes perfect sense. And the recent guidance also said to tailor your resources. That’s just an acknowledgement of the fact that there are finite dollars that a company will be able to spend in any one area. Companies are constantly looking at where their dollars fit best, whether it’s investing to grow the business, whether it’s compliance, or overhead costs, and the DOJ guidance really affirmed that that’s the right approach.