Skip to content


Why Separate Legal and Compliance? Consider This.

By GAN Integrity (Updated )

Compliance professionals often debate the wisdom of separating a company’s top compliance and legal jobs. For one example of how sticky that question can get, look no further than Cardinal Health.

Cardinal’s chief legal and compliance officer, Craig Morford, is in an uncomfortable spotlight these days. The Teamsters’ union is calling for Cardinal to separate its CEO and board chairman roles. They claim the CEO hasn’t set the proper tone for how Cardinal should handle its distribution of opioids—and they cite bonus pay to Morford as an example of that.

The Teamsters cite numerous settlements Cardinal has made over the years to state and federal regulators, for shipping large quantities of opioids to small communities. They claim that those settlements, for the same basic type of infraction, show something amiss in Cardinal’s culture and its sensitivity to opioid addiction.

And when the board rewarded Morford with incentive bonuses for six years while those settlements were happening, “It is difficult to fathom how the board and CEO could conclude that Mr. Morford was worthy of such lucrative bonus payments, given the failures in the company’s controlled substance anti-diversion programs.”

Sharp words, for sure. But are they fair words?

Morford is Cardinal’s chief legal officer. It’s his job to reduce the company’s litigation risk as much as possible. Settling cases, skillfully and quickly, is part of doing that job. That’s what Morford did.

Morford is also Cardinal’s chief compliance officer. It’s his job to build and maintain a corporate compliance program, and to support a corporate culture, that quashes misconduct as much as reasonably possible.

But when Cardinal has multiple settlements for the same type of misconduct, and the board awards Morford a bonus for “his significant leadership role in continuing to develop our regulatory and compliance programs in a rapidly evolving regulatory landscape” (taken from Cardinal’s 2014 proxy statement)—what are investors to make of that?

I don’t know the answer to that question. But my gut tells me that assigning the compliance and legal functions to one person doesn’t help.

Legal and compliance functions are not the same thing. They address different risks, and try to achieve different objectives. It’s not correct to say they work at cross-purposes. On the contrary, most legal officers would love a strong compliance function, since strong compliance today helps to prevent legal department headaches tomorrow.

But the incentives a board creates to drive legal and compliance to their respective goals—that’s where things can get messy, when both functions are in the hands of one person. At best, others might misinterpret or misunderstand what the board and CEO are trying to achieve. At worst, the board and CEO might be undermining their own ability to keep all stakeholders (employees, investors) focused on the core mission: achieving business objectives with proper attention to risk.

Much simpler is the strategy of keeping compliance and legal separate, to give the compliance function the independence it needs.

compliance technology

Related reading

Join the E&C Community

Get the latest news from GAN Integrity in your inbox.

We respect your privacy. Your data will be kept confidential and will not be sold or shared with third parties. For more information, please see our Privacy Notice.