Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

Azish Filabi: Is your legal department creating organizational risk?

At the 2017 Global Ethics Summit, put on by the Ethisphere Institute, Caroline Rees of SHIFT spoke on a panel about business and human rights.

When asked about differences in stakeholder management approaches between European and U.S. businesses, and why U.S. companies are not as far along as their European counterparts, she highlighted that U.S. lawyers have a more dominant role.

When business leaders want to audit their supply chain, for example, lawyers often warn against such initiatives in the absence of a regulatory mandate. But, as Rees discussed, the existence of human rights risk in your supply chain is not a secret — it’s just a question of when and how it will be exposed.

Her comment reminded me of various anecdotes and conversations I have had with peers that similarly highlight how the lawyers, when pursuing their duty as zealous advocates, can be blind to the risk (and costs) thereby created.

When it comes to ethics violations and scandals, many feel that the lawyers won’t allow them to have in-depth conversations about the underlying causes of the violation, for fear of creating or documenting evidence.

One CEO of a large corporation said that after a scandal, the tendency often is to put a bag over wrongdoer’s head and walk him about the back door, thus depriving the organization any opportunity to learn about root causes or perceptive insights.

The lawyers in turn point to the regulators and prosecutors, who will take advantage of existing evidence of to build a case against the company.

The Fraud Section of the U.S. Department of Justice Criminal Division recently published guidance on how they evaluate corporate compliance programs. The first item on their list: root cause analysis.

They include a list of questions they expect companies to ask themselves about underlying misconduct, including an inquiry into systemic issues that were identified.

This is a sign that when determining discipline for organizations, prosecutors may take into account as a mitigating factor whether companies and compliance programs make an effort to ask systemic questions, even when it can expose weakness in an organization.

Companies must conduct culture audits and identify ethics risk before they become bigger problems.

As a lawyer, I have deep respect for the invaluable advisory role of lawyers. It’s imperative that they are included in strategic discussions and that compliance with law be paramount for companies.

I can also see, though, how unintended consequences can result from deference to isolated rules or legal practice without consideration of the bigger picture system in which they are intended to operate — where one could miss the forest for the trees.

In particular, if the culture of lawyering is inhibiting companies and their employees from learning from mistakes and creating informational feedback loops, it could unintentionally stifle growth and innovation.

Decades of organizational behavior and management research shows that only by becoming a learning organization can companies truly unlock potential for innovation and the ability to maximize employee talent.

A key ingredient for organizational learning is feedback and critical self-assessment — understanding where there are areas in need of improvement and subsequently embracing change.

When it comes to ethics, it means being honest about proactively identifying where corporate culture and practice is misaligned with the values that the company otherwise espouses in its Code of Conduct or other formal communications.

Digging deeper into an organization’s practices and culture before problems arise may bring up uncomfortable issues, but sincere efforts could help manage company reputation in the long run.

For many, it’s a balancing act of finding problems before they cause disproportionate damage, and protecting the company from the downside of those problems.

I don’t suggest that the dynamics described above exist in all companies.

My hope is that businesses will be cognizant of when legal advice may inadvertently create organizational risk, understanding how to learn from mistakes, ethical and otherwise.


Azish Filabi, pictured above, is CEO of Ethical Systems, a research collaboration dedicated to strengthening organizational ethics and culture through social science research. She’s a lawyer and previously served as an AVP and Ethics Officer at the Federal Reserve Bank of NY.

Share this post



  1. Thanks for a great post. The gap between an organization's espoused theories for making decisions (law, Codes, policy statements) and its actual theory-in-use (reflected and reinforced by culture and practice), is often great and frequently invisible to management. (Argyris and Schon). To protect and best serve clients, a wise lawyer will not be content to merely advise on the law, but will also help clients see the gap and make necessary adjustments.

    It's doubtful that VW's Code of Conduct encouraged environmental degradation and the deception of governments or consumers. But its theory-in-use allowed this to happen. A lawyer that fails to learn what is actually driving decisions does a disservice to her or his clients.

  2. An interesting explanation on why trust, ethics and integrity are stagnating in most public companies. How can leaders, managers or teams possibly be proactive in building an organization's reputation if the Legal Department does not allow it?

  3. This pattern plays out regularly in how the legal department responds to employee whistleblowers, most of whom raise concerns internally first in an effort to get the compliance problem, misconduct or safety issue addressed. Rather than seeing whistleblowers as the best risk management tool available, the issue becomes the risk associated with exposure of the problem rather than the risk caused by the problem itself or the root causes that (misaligned incentives, management failures, etc) created the conditions for the problems in the first place. This defensive, short-term reaction in turn–failure to address the problem and usually reprisal against the employee–creates a new risk of legal exposure in the form of a possible whistleblower retaliation claim. Beyond legal risk, all of these moves in turn invite intangible costs down the road in the form of adverse media coverage and a chilled workplace that creates a breeding ground for more compliance problems and ethics lapses. It consistently amazes me that the attitude that vilifies rather than values whistleblowers continues when the actions that flow from this problematic paradigm are the real sources of risk to an organization.

  4. Azish's post addresses the organizational risks created by the inherent conflict between the accountabilities of the in-house legal department vs those of the ethics and compliance program generally and the chief ethics and compliance officer in particular.

    Providing legal judgment and defending the company is not the same as building and maintaining an effective ethics and compliance program. It is the difference between a company that achieves "legal compliance" vs a company that achieves "effective ethics and compliance." Too often, many companies mistake one for the other.

  5. I believe you make good points, but lawyers do not raise these concerns from thin air. Rather, we may be missing a larger point. The legal system should promote and respect company efforts at self-policing. The regulators and courts should promote compliance and ethics programs. The sad reality, however, is that they often actively undercut compliance and ethics efforts. Our efforts to prevent company misconduct may, in fact, be used against us by regulators and adversaries in court. This is very bad policy, but it comes from those in government not caring about compliance and ethics efforts. So while we should resist lawyers being overly cautious, we should also be active in the regulatory and legal environment to resist unwise governmental actions that hurt compliance efforts. See Joseph E. Murphy, Policies in conflict: Undermining corporate self-policing, 69 Rutgers U.L. Rev. 2 (forthcoming 2017), draft available at

    Cheers, Joe

Comments are closed for this article!