What Your GC Isn’t Telling You About Compliance Risks

General counsels have evolved to become far more than just corporate lawyers. They are now a core part of executive teams, expected to show expertise in a range of financial and business areas, plus oversee legal and compliance matters. And that’s where trouble may lie.

These overworked executives often have an air of infallibility about them; company boards and C-suite execs expect them to possess almost superhuman level of knowledge and understanding of the organization’s legal risks. There’s a dangerous tendency to assume that as long the company has a competent GC, it automatically has a firm handle on compliance risks.

But even the best GCs will privately admit that there are plenty of legal risks and potential blind spots that keep them up at night. Is the company up to date with the latest data privacy compliance regulations? Are there any hidden third- and fourth-party supplier risks?

Executives should be alert for telltale signs that their GC may not be sharing everything they—and their boards—need to know about compliance. Maybe the GC doesn’t realize a particular duty falls under their purview. Perhaps communication has broken down internally. Whatever the reason, companies should ensure there are systems in place to address any risks that cause reputational damage or result in expensive enforcement actions. Here are three things your GC may not be telling you.

1. Our compliance programs are insufficient.

Some GCs might believe their company’s compliance risks are covered because they made sure necessary legal language is included in every contract their company signs with vendors and distributors. But just because your company has something in a contract with a third party that addresses, for example, contract language involving bribery and corruption obligations, this does not mean a sufficient compliance program is in place.

Other times, GCs recognize there are compliance gaps, but they take the position that the problem should be obscured until a full solution becomes available. Their attitude is, “we just need to fix a few things before putting in a program.” That’s problematic because a good program is always going to reveal compliance gaps that could be making the company vulnerable right now.

Finally, even when companies have established programs, there may be gaps. Perhaps the programs aren’t measuring adjacent risks such as data privacy or IT security of third parties. No GC or compliance leader can roll out a program that covers every risk in one fell swoop. But they should be highlighting to you what’s missing now — and a plan to address adjacent risks in the future.

Good GCs will always have one eye on the horizon. Does yours assure you that the company’s program is complete? Or do they acknowledge that specific risks aren’t well managed at the moment? The latter is more honest and leads to conversations to solve the problems.

2. There’s a dangerous lack of resources.

When companies cut budgets across the board, compliance programs often suffer. GCs may see the lack of resources either as an excuse to either stop pushing for compliance program updates or to cut some systems all together.

Of course, cuts are inevitable sometimes. But good compliance leaders will properly weigh the savings from reducing compliance against the potentially crippling costs of an enforcement action.

They will initiate a dialogue over how to maintain as robust a compliance system as possible, looking at lower costs tools and options that use more technology to create efficiencies.

Is your GC openly communicating with leadership on possible compliance risks, as well as solutions such as asking vendors for lower-cost solutions?

3. I’m not close enough to the business.

A great GC will understand the business, how it operates, the way it goes to market and the value it brings to clients. These pros quickly ascertain what compliance risks apply, and when.

But even the most experienced may miss something, either because they aren’t as close to the business as they think they are or because of poor coordination and a lack of clear responsibilities. For example, your GC might be aware of personally identifiable information (PII) data held by your company—a well-known compliance hot spot—but may have a lesser grip on the PII held by an outsourced payroll provider in India.

One of the biggest telltale signs of a GC who’s not close enough to the business: Consistent friction between the legal department and the sales or marketing channel. If, for example, compliance regularly pokes holes in the details of new sales contracts, it could be a sign they don’t have a good program in place. Questions like, “Who is this party?” or “How can you prove to me this party won’t resell our product into a third-world market?” are good queries but an established compliance program should have already addressed them. When GCs demand that the sales team reiterate information, it shows they—or their program—might not be up to speed.

No single GC can oversee every aspect of their company’s compliance risks. A good one will be transparent about holes in the firm’s program, the dangers of cutting costs and whether they do not grasp some key aspects of the business.  Those who don’t openly share this information put the company at risk of costly enforcement actions.

The solution is inexpensive and straightforward: Good communication, always. Start by asking your GC these simple questions, “What might we be missing? What are we not covering?”

The answers can help your GC engage proactively and constructively, while initiating steps that protect the company’s reputation.