In your reading, have you ever seen pieces on the topic of why compliance programs fail? I come across them from time to time, and particularly from legal scholars. They are typically premised on instances where companies broke the law and especially on those with repeat offenses.
Often these articles then tell us what we in compliance and ethics (“C&E”) are doing wrong, or why the idea of compliance programs is completely wrong or misdirected. In the Wells Fargo case, for example, writers state that there were many compliance people there, but still the violations occurred.[2] Ipso facto, C&E failed and that is why the violations occurred.
But is there something missing in this apparently simple exercise in logic?
Where were the lawyers? Note the unstated premise: if something goes wrong it is the fault of C&E/the compliance program. But not so long ago when there were major corporate scandals there was the question: “Where were the lawyers?”[3] Whatever happened to that question?
Consider the role of lawyers in companies.[4] Why are they now omitted from the analysis of what happened in violations? Are they just distant from all the important matters in the corporation and are simply bystanders, so they should not even be considered when discussing why wrongdoing happened? Or is it appropriate to ask if there was any failure to speak up or act on their part? When they dealt with instances of wrongdoing did they fail to do root cause analyses to identify broader problems that needed attention? Do they perhaps even play a role to some extent in limiting the ability of C&E to actually prevent misconduct?
A comparison: CECOs & GCs. Should we be asking these types of questions when we are trying to understand more about corporate scandals, and assessing who is really in a position to play a role in preventing misconduct? If the C&E people were in a dominant position and legal in a subordinate role, that might well support the implicit idea that the fault in violations rests with C&E. But does an examination of the facts support that idea? Or does the actual distribution of power undercut the idea that C&E is the only place to look for responsibility? Here are some questions to consider:
First question: If we are first to blame the CECO, then should we ask how many general counsels (GC’s) report to chief ethics and compliance officers (CECOs)? If there is any place where this happens it is extremely rare.[5]
Second question: How many CECOs report to the GC? Estimates vary, but it is a large number. Moreover, it seems to be the case that many if not most GC’s consider compliance to be part of their turf.
Third question: How many companies lack an actual CECO and instead just have a GC who has the Compliance Officer title, but no training or experience in the C&E field[6]?
Fourth question: In companies where the CECO does not report to the GC, how many of these CECOs are considered more powerful and better positioned than the GC? Again, to the extent there are any it is exceedingly rare.
Fifth question: Between the CECO and the GC, who is more likely to:
My experience as a lawyer and a C&E person tells me it is the GC.
Sixth question: Did the lawyers resolutely help the C&E program, or did they undercut its effectiveness? Did the GC ever weaken the program, for example, by providing advice to:
So is it even necessary to ask who has more power and responsibility whenever there is a management decision that would likely lead to violations? Consider who was best positioned to prevent wrongdoing. Consider also who is most likely to be the one telling the CECO not to do things that could discover or prevent misconduct, because they might present even a small risk in litigation?[7]
I do not recall seeing any assessment of these types of questions in any of the literature that concluded that “the compliance program failed.”[8]
Realistically addressing corporate crime. We as a society are legitimately concerned about organizational misconduct. Those who join in this concern will be much more effective if they can take an open-minded approach in this area. There is much we can do to improve our ability to prevent and detect misconduct, including examining all the relevant facts with genuine curiosity about how things actually work in companies, and the humility to accept that there is much that can still be learned from asking more questions. If we put aside prior assumptions against C&E and decide to work cooperatively, I am certain we can do a better job to prevent corporate misconduct[9] and protect those who are the victims of this scourge.
[1] I would like to thank Professors Jennifer Arlen, Todd Haugh, Arthur Laby and Danny Sokol for their helpful comments on this paper. However, please don’t blame them for anything that follows.
[2] When dealing with examples from the financial field, commentators typically do not address a key point that compliance programs in banks are not voluntary; the details of such programs are dictated by law and do not reflect the rigor or depth of comprehensive standards like the US Organizational Sentencing Guidelines. In programs that are not mandated companies typically have broad discretion on how they implement their compliance programs but have key elements that are not optional if one wants credit for an effective compliance program. There should at least be discussion of this important aspect – mandated steps are significantly different from those promoted by incentives, and may indeed cause the compliance program to be narrowly siloed. In incentive-based systems companies have more discretion in how they implement a program, but paradoxically the standards are far more robust than those dictated by law or regulation.
[3] This question is first attributed to Stanley Sporkin, based on his experience at the SEC and as a judge in addressing corporate scandals of an earlier era. It should also be noted that, aside from C&E and Legal, there may be other control groups that could and should have played a role in preventing misconduct. This comes through clearly in the Wells Fargo case, for example, as demonstrated in the independent directors’ review of how the misconduct occurred and continued; see Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report (April 10, 2017) https://embed.documentcloud.org/documents/3549238-Wells-Fargo-Sales-Practice-Investigation-Board/ .
[4] References here to “companies” and “corporate” apply as well to other types of organizations including universities, non-profits and government entities.
[5] There is no suggestion in this article that the GC should, in fact, report to the CECO. The point is only that if we are asking how to prevent corporate crime and misconduct, we need to look at who the key players are, and whether the focus should ignore the lawyers.
[6] This is not to say that a lawyer cannot be an effective compliance and ethics professional – there are many who are. But they do need to understand and accept the major differences between the two different functions and be open to learning entirely new skills and perspectives not taught in traditional law school courses.
[7] For a powerful explanation of the impact of having the CECO report to the GC, see “Caught Between Conscience and Career: An E&C Leader’s Confession,” Corporate Compliance Insights (Apr. 23, 2025) (anonymous). The author, reporting to the GC, observes that “I am told explicitly that I am pursuing more than someone in my role should and that in doing so I am creating potential legal risks that must be avoided.” https://www.corporatecomplianceinsights.com/caught-between-conscience-and-career/ .
[8] In the present article I do not address the separate analysis of how the legal system itself undercuts the ability of CECOs and C&E programs to prevent violations. That is a subject that also deserves attention, and is covered in much more detail in Joseph E. Murphy, Policies in conflict: Undermining corporate self-policing, 69 Rutgers U.L. Rev. 421 (2017), http://www.rutgerslawreview.com/wp-content/uploads/2017/07/Joseph-Murphy-Policies-in-Conflict-69-Rutgers-U.-L.-Rev.-421-2017.pdf .
[9] Nothing in this article should be read to suggest I believe C&E programs are where they should be. Anyone who reads this newsletter knows of the many practical things that need to be done to improve C&E programs. The examples are many, e.g.: CECOs need real empowerment, independence and direct access to the highest governing body in the company, programs need to address incentives, and practical steps need to be taken to prevent retaliation. But any examination of corporate scandals should be as realistic as possible, including paying attention to the power dynamic in companies.
Search the site
Telling people simply to ‘be ethical’ is not enough when values conflict. Loyalty, fairness, honesty, and compassion can point in different directions, and the law exists to help society prioritize
Joe Murphy was building the foundations of compliance before there was a compliance profession to build. Across decades of scholarship, institution‑building, mentorship, and advocacy, he has shaped not just programs
For him, compliance was never just a job. It was a calling, a commitment that shaped how he lived and who he became. Once he committed to something that mattered—to
Retaliation rarely looks like misconduct. It hides in everyday management decisions—changed schedules, missed promotions, quiet exclusions. Managers may see routine actions, but employees experience punishment for speaking up. That gap
Subscribe now to keep reading and get access to the full archive.