Ensuring Compliance: Your Year-Round Job

By Mark Wilson, Esq. on April 02, 2015 | Last updated on March 21, 2019

Compliance, compliance, compliance! Why does it seem like over half of the legal department's job is to make sure the corporation is dotting its I's and crossing its T's?

Because that is a large part of the legal department's job, especially in publicly traded companies where the shadow of the SEC looms in the background like Sauron. (OK, maybe not that menacingly.) Ebenezer Scrooge said he learned to keep Christmas in his heart the whole year; that's the attitude GCs need when it comes to regulatory compliance.

A Man, a Plan, a Canal

Compliance shouldn't be an afterthought, remembered only when the auditors come calling. It needs to be an ingrained part of the legal department -- and beyond. The legal department must take the lead not only in crafting compliance policies, but in showing other necessary departments that it's part of their day-to-day job, too.

The "support" wings of the company, like finance, HR, and IT, must all be involved in keeping an eye on things in their respective zones. The legal department undoubtedly lacks the resources and expertise to perform all the necessary compliance functions throughout the company on its own.

Implement Policies

The substance of different policies themselves is important. Does your company have a plan for a data security breach? If clients are mostly other businesses, who will tell those clients? If clients are mostly ordinary consumers, who will tell them? And how? Having documented policies means that, in the event of a crisis, you can focus on managing the crisis rather than trying to make up some plan. (Don't forget two backup plans, as well.)

Anyone in the company should be able to read a binder full of information and know what to do. As the ski instructor from "South Park" might counsel, "If you rely on institutional knowledge in an emergency, you're gonna have a bad time."

Oh, and Make Sure Things Work

So, part of your compliance policy is that you maintain off-site backups of critical business data. But do those backups actually work? Are you sure? The time to answer that question isn't after the data are compromised. Periodically, throughout the year, you should test the systems you've put in place. Get those off-site backups, stick them into your backup tape library, and attempt to recover the same kind of data you would in a real emergency.
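What a backup drill actually looks like when IT scripts it, as an added illustration that is not part of the original post: the script below (assumptions: backups are plain tar.gz sets, and a manifest of SHA-256 hashes was recorded when each backup was taken) restores an archive into a scratch directory, hashes every restored file, and reports what came back intact, what is missing, and what is corrupt. The sample "ledger" and "roster" files are constructed here purely for the demonstration. It also refuses any archive entry whose path would land outside the scratch directory, a check any restore job should make before trusting a tape that has sat off-site for months.

```python
"""Backup restore drill: prove an off-site backup actually restores, not just that it exists.

Added example; assumes tar.gz backup sets plus a SHA-256 manifest taken at backup time.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample data standing in for a real backup set (not from any real company).
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2015-04-02,100\n",
    "hr/roster.txt": b"alice\nbob\n",
}


def build_manifest(files):
    """Record the SHA-256 of every file at backup time; this is what the drill checks against."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def build_archive(files):
    """Pack files into an in-memory tar.gz, standing in for the off-site backup tape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _safe_restore(tar, dest):
    """Write each regular file under dest, refusing entries whose path would escape it."""
    restored = {}
    root = os.path.realpath(dest)
    for member in tar.getmembers():
        if not member.isfile():
            continue
        target = os.path.realpath(os.path.join(root, member.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"refusing to restore outside scratch dir: {member.name}")
        os.makedirs(os.path.dirname(target), exist_ok=True)
        data = tar.extractfile(member).read()
        with open(target, "wb") as fh:
            fh.write(data)
        restored[member.name] = target
    return restored


def restore_drill(archive_bytes, manifest):
    """Restore the archive to scratch space and compare every file against the manifest.

    Returns a report dict: restored count, missing names, corrupt names, unexpected extras,
    and an overall "ok" flag that is True only when nothing is missing or corrupt.
    """
    report = {"restored": 0, "missing": [], "corrupt": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            on_disk = _safe_restore(tar, scratch)
        for name, expected in manifest.items():
            path = on_disk.get(name)
            if path is None:
                report["missing"].append(name)
                continue
            with open(path, "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
            if actual != expected:
                report["corrupt"].append(name)
            else:
                report["restored"] += 1
        report["unexpected"] = sorted(set(on_disk) - set(manifest))
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)
    print("clean restore:", restore_drill(build_archive(SAMPLE_FILES), manifest))
    # Simulate a tape where one file came back altered (constructed failure case).
    tampered = dict(SAMPLE_FILES, **{"hr/roster.txt": b"alice\nmallory\n"})
    print("corrupt restore:", restore_drill(build_archive(tampered), manifest))
```

Run it quarterly against a real backup set and a real manifest, and keep the printed report with the rest of the compliance paperwork; a drill nobody can produce evidence of is, to an auditor, a drill that never happened.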

The same goes for other departments, where that practice is called "auditing." Check to ensure the finances are in order. Review personnel files to make sure all the right employee documentation is there.

Maybe if Gandalf had been a little more focused on Middle Earth security compliance, Sauron wouldn't have been such a problem.
