By Miren Lartigue, Journalist, Dalloz Actualités
The growing importance of compliance issues has led to an increase in the power and professionalism of the compliance function within French companies. Here we take a look at the impact of this development on lawyers and the trends that are emerging.
The landscape has changed radically in the space of a decade. For a long time, compliance issues were confined to a handful of sectors (banking, pharmaceuticals, construction, defence) and to companies subject to foreign legislation such as the US Foreign Corrupt Practices Act. The proliferation of laws and regulations is setting new requirements in this area. This proliferation has drastically extended the scope of the companies and subjects concerned. Initially, the references were mainly Anglo-Saxon. French and European laws and regulations now provide the framework for many of today's requirements.
"Compliance is no longer an option".
The range of compliance issues facing French companies today is far greater than it was ten years ago: anti-corruption and conflicts of interest, compliance with competition rules, anti-money laundering and financial fraud, duty of care, personal data protection, compliance with economic sanctions, export controls, internal alert rules, cybersecurity... The Sapin 2 law (adopted at the end of 2016), the duty of care law (March 2017) and the GDPR (which came into force in 2018) have clearly marked a turning point in France for companies. The latter have international exposure, even if the movement had already been launched with the first sanctions handed down by the Competition Authority.
This increase in the risk of non-compliance has been accompanied by a significant rise in the penalties incurred. Criminal sanctions are often added to administrative sanctions, aggravating both financial and reputational risks. In listed companies, the growing importance of governance issues is leading board members, who may be held liable, to be increasingly demanding when it comes to extra-financial reporting.
"Compliance is no longer an option", says Blandine Cordier-Palasse, founding partner of BCP Partners. "It is an obligation for certain companies above a certain threshold in terms of turnover and headcount, but it is also an obligation for other companies that work with partners who are not compliant. It is an obligation for other companies that work with partners who need to show that they are good performers."
"If the manager doesn't believe in it, it will remain cosm'ethical".
The growing importance of these requirements has contributed to the development of compliance, risk management and internal control functions. The compliance function has grown in all business sectors, with specific profiles such as Data Protection Officer (DPO). The function has also expanded to include more general functions, such as compliance officer or director. Their role will be to spread the word and train teams in all departments of the company and its subsidiaries.
But this function can only be deployed effectively with the support of senior management. "We need to distinguish between companies that have integrated compliance into their strategy, upstream of their thinking and operations, and those that still see it as an area of expertise, a legal constraint. As a result, it is less integrated into the company's organisation. There is less buy-in from management and staff", explains Blandine Cordier-Palasse. "If the manager doesn't believe in it, it will remain 'cosm'éthique'."
Between specialisation, versatility and outsourcing
The scope of the function is variable, depending on the company's business. It also changes according to the company's exposure to risk. There are a wide variety of ways in which the function is organised internally. There is a clear trend towards specialisation in large companies.
"In large companies, the compliance function is now entrusted to increasingly specialised individuals, with responsibility for a given area of compliance", explains Catherine Stavrakis, Vice President Compliance at Capgemini. "For me, for example, it's anti-corruption", she adds. At TotalEnergies, "the compliance department is responsible for anti-corruption and anti-fraud", explains Stéphane Alaphilippe, head of the group's compliance and governance department. "Another team is in charge of antitrust, and another of vigilance. The Audit department is responsible for level 1, 2 and 3 controls."
The situation is very different in smaller companies. "In small and medium-sized businesses, we especially need highly versatile lawyers who can handle several or even all aspects of compliance", explains Sophie Leclerc, Chief Legal & Compliance Officer of the Seris group. "That's also what makes the subject so interesting, and in my case it's a choice," she adds.
"We work in project mode on assignments with teams that may include people from HR, finance, IT, etc. I rely heavily on the finance department for the audit, on the IT department for the IT, and on the legal experts in the subsidiaries. We call on law firms for one-off expertise needs and for anything that can't be done in-house due to lack of manpower - such as risk mapping - as well as to benefit from the lawyer's professional secrecy on certain subjects, such as internal investigations".
The use of external service providers remains a default choice. "Compliance does not lend itself well to outsourcing. Programmes need to be tailored as closely as possible to the company's business and culture", points out Sophie Leclerc. Nevertheless, it remains essential for companies that do not have the critical mass to recruit the necessary skills.
What role for lawyers?
Catherine Stavrakis, Stéphane Alaphilippe and Sophie Leclerc, all lawyers by training, share the chairmanship of the Compliance Committee of the Cercle Montesquieu. This committee was created in 2013. Today, it has the largest number of members in this association of legal directors. Proof, if any were needed, of their interest in the subject.
According to the results of the 2020-2021 edition of the Ethicorp-AFJE survey, carried out among lawyers and compliance players representing more than 1,500 French companies, it is the legal department that is in charge of compliance in 63.72% of cases. When the function is entrusted to a dedicated department, the Legal Department remains closely involved. According to the Mapping of Legal Departments 2021, produced by LEXqi Conseil for the Cercle Montesquieu and the AFJE, the main compliance risks that the legal department is called upon to manage are "data protection, the fight against corruption, money laundering and the financing of terrorism, CSR and governance, respect for human rights and diversity".
"Initially, it was the lawyers who got to grips with compliance issues. We had to dissect the regulations and no one wanted to make them their own", recalls Blandine Cordier-Palasse. "Now the teams are growing. You still need to be sensitive to legal issues. But to do financial or industrial investigations, for example, it's useful to have a complementary profile of auditor or engineer in the team."
"The origin is legal and regulatory. But then we're not so much dealing with the law as with project management," points out Stéphane Alaphilippe. "The law and regulations remain fundamental. But policy implementation and monitoring are processes. This part of the business requires financial rather than legal profiles", explains Catherine Stavrakis. "As lawyers, we are used to analysing and assessing risks. But we don't really have any training in risk management", Sophie Leclerc points out.
A wide range of people and skills
At TotalEnergies, Stéphane Alaphilippe heads the anti-corruption and anti-fraud team. It includes "a financial communications specialist, a legal expert specialising in contracts and a legal trainee specialising in risk management", he explains. "The compliance officers in each section of the company come from HR. In the subsidiaries, they are mainly financial managers. And on the due diligence side, we have chosen to give responsibility to operational staff. They are the ones who know our customers best."
Responsible for driving and steering these policies, the compliance officer must have a number of skills and qualities. "You need an experienced profile. They need to know the business in order to be able to propose compliant solutions to operational staff", explains Blandine Cordier-Palasse. "You need to be courageous, diplomatic and a good communicator. The aim is to inspire confidence so that managers and operational staff come to discuss sensitive issues with you". "It is desirable for the compliance officer to report to a member of the executive committee. He or she should also report to the Risk Committee in order to have the necessary legitimacy, both internally and externally."
All these requirements tend to favour senior profiles. "The maturity of a company's compliance function can be measured by the experience of its compliance officer. It can happen that an experienced profile is limited in what it can do. The same profile may find its influence limited by the lack of resources allocated to the function", she continues. "Some companies contact us because they are looking for a more senior profile than the one they had chosen two years earlier, in order to establish the position and roll out the programme effectively."
A market under pressure
Is it easy to find experienced compliance officers on the market? "No, there aren't many people yet who have acquired solid experience", replies the headhunter. What's more, "you need to adapt the profile of the candidates you are looking for to the maturity of the company, the sector of activity that is more or less transposable, and the culture. Above all, it needs to be adapted to the values of the company and the candidates. Their experience is more or less valuable. This depends on whether or not the company had recourse to law firms with experience in these areas. It may not be worth much if the law firms did everything. It may also be the case if the compliance officer had to deal with a management team that didn't believe in it, or with devious operational staff."
This difficulty in finding the right profiles extends to all levels. "There is tension in the recruitment of trainees and work-study students. There is also pressure on the recruitment of people who already have experience", observes Stéphane Alaphilippe. This raises the question of "retaining talent, given the market value of someone who already has two or three years' experience".
This gap between supply and demand is set to narrow. This is because training, both initial and continuing, is expanding and existing professionals are gaining experience. "It's a function that's maturing and growing in all organisations. So the challenge today is for managers to understand that compliance contributes to the company's performance. To achieve this, managers need to provide the human, financial and technical resources. They must provide the tools - to deploy and monitor an effective programme and instil this culture throughout the organisation", concludes Blandine Cordier-Palasse.