Sunday, November 30, 2025

Legal counsels and compliance officers: same thing?

Last week Naltilia was on site at the RDV des transformations du droit in Paris. While giving live demos of our AI platform, we spoke with dozens of professionals: some introduced themselves as “lawyers,” others as “compliance officers.” But are these two roles interchangeable? The short answer is no. Although they collaborate closely, their missions, skill sets, and measures of success are distinct.

Why the confusion persists

  1. Shared academic roots: In many organizations the first compliance hires are former in-house counsel, so the functions often start in the same department.
  2. Overlapping subject matter: Both teams handle regulations such as Loi Sapin II, ISO 37001, Spanish UNE 19601, antitrust rules, AML, etc.
  3. Similar reporting lines: General counsel frequently oversees compliance in small and intermediate-sized enterprises.

These overlaps mask fundamental differences in mandate and mindset, which become obvious once compliance moves from a “checklist project” to an enterprise risk-control discipline.

Mandate: advising on the law vs preventing wrongdoing

| Aspect | Legal counsel (lawyer) | Compliance officer |
|---|---|---|
| Primary objective | Protect the organization’s legal position, minimize liability | Design and operate a program that prevents, detects, and responds to misconduct |
| Time horizon | Reactive (answers questions when they arise) | Proactive and continuous |
| Core question | “Is it lawful and enforceable?” | “Is it permissible, ethical, and aligned with our policies and values?” |
| Success metric | Favorable legal outcomes, low litigation cost | Effective risk mitigation, no regulatory penalties, positive culture survey |

A lawyer tells you whether a contract clause meets Loi Sapin II or whistleblowing requirements. A compliance officer builds and monitors the whistleblowing system so breaches are reported early and resolved.

Skill sets: interpret vs implement

Legal teams excel at statutory interpretation, contract drafting, and litigation strategy. Their training revolves around textual analysis and argumentation.

Compliance officers borrow from project management, behavioral science, audit, and data analytics. They need to:

  • map compliance risks (e.g. corruption, antitrust, AML) across business lines,
  • automate control testing and evidence collection,
  • roll out policies, e-learning, and culture campaigns,
  • track key risk indicators on dashboards.

Those tasks require technology fluency and change-management experience that traditional legal curricula rarely provide.

[Illustration: two professionals standing back-to-back. On the left a lawyer holds legal briefs and a code book; on the right a compliance officer checks a dashboard with risk scores and policy status indicators.]

Reporting lines and independence

Leading standards recommend partial independence for compliance:

  • AFA (Agence française anticorruption) guidelines on Loi Sapin II advise that the compliance officer has direct access to the board.
  • ISO 37301 and ISO 37001 call for “independence from operational management” and the ability to escalate issues without obstruction.
  • The Spanish UNE 19601 criminal compliance standard requires an autonomous “compliance body.”

Practically, many firms give compliance a dotted line to the audit committee while maintaining day-to-day proximity to legal for shared resources.

What independence really means in practice

Independence is not isolation. It is the ability to challenge the business without fear of retaliation, to escalate concerns to the board when management resists remediation, and to operate investigations free from conflicts of interest. Mature programs demonstrate three layers of independence:

  • Structural independence: a clear reporting line to the board or an oversight committee, plus authority defined in a charter.
  • Functional independence: control over the design of the compliance program, risk assessments, monitoring plans, investigations, and disciplinary recommendations.
  • Personal independence: protection from undue influence on performance evaluations, remuneration, and career progression by the business units that are subject to compliance controls.

Regulators consistently test for these elements. The U.S. Department of Justice asks whether compliance has “adequate autonomy from management” and direct access to the governing body in its Evaluation of Corporate Compliance Programs.

Governance models that satisfy independence

| Model | Reporting line | When it works | Risks and mitigations |
|---|---|---|---|
| Board-level CCO | Solid line to the board or audit committee, dotted line to CEO | Complex or regulated groups, high enforcement exposure | Avoid duplicating internal audit by defining scopes; schedule executive sessions with directors |
| Hybrid under General Counsel | Dotted line to audit committee, operational line to GC | Mid-sized firms leveraging shared legal resources | Mitigate conflicts by giving compliance its own budget, investigations protocol, and right of direct board access |
| Compliance within Risk/Control function | Solid line to Chief Risk Officer plus board oversight | Financial services or organizations with enterprise risk frameworks | Guard against dilution of ethics focus; ensure sufficient compliance subject-matter expertise |

There is no single correct model. Regulators care more about whether the chosen setup actually empowers the function.

Tools and technology

Law department tech still focuses on document management and matter tracking. Compliance software, on the other hand, integrates:

  • risk assessment engines that score exposure to compliance risks,
  • remediation workflows,
  • policy drafting,
  • training,
  • control testing,
  • real-time dashboards for risk control.

This is precisely where AI delivers the most value. Platforms like Naltilia analyze standards and regulations, identify risks, suggest tailored controls, and schedule evidence requests so teams can scale without adding headcount.

Collaboration in practice

  1. New law monitoring: Legal interprets the draft legislation; Compliance evaluates operational impacts and updates risk maps.
  2. Third-party due diligence: Compliance screens vendors for compliance risks; Legal negotiates contract clauses based on the outcomes.
  3. Internal investigation: Compliance runs the whistleblower channel and fact-finding; Legal assesses privilege and prepares any defense strategy.

Career path considerations

If you enjoy case-law research, advocacy, and negotiation, a legal career is ideal. If you prefer cross-functional projects, data, and culture change, compliance may be a better fit. Companies increasingly create dual-track programs so professionals can rotate between the two and gain a holistic view.

[Flowchart: parallel but connected paths, Legal Advice (interpret law → draft documents → defend) and Compliance Program (assess risk → design controls → monitor & report), both feeding into Corporate Governance.]

Key takeaways for intermediate-sized enterprises

  • Separate the mandates: letting legal “double-hat” forever can leave compliance under-resourced and overly reactive.
  • Invest in tech: automated control testing and risk dashboards free teams for higher-value tasks.
  • Build joint KPIs: legal certainty plus effective risk mitigation provides the board with a 360° view.

Comprehensive comparison checklist

| Question | Who leads? | Why it matters |
|---|---|---|
| Has the corruption risk map (Loi Sapin II) been updated this year? | Compliance | Ensures preventive controls are current |
| Are antitrust clauses in Spanish contracts compliant with Spanish competition law? | Legal | Protects enforceability |
| Do we track key risk indicators monthly? | Compliance | Early warning of policy drift |
| Are employee sanctions fair and legally sound? | Both | Aligns discipline with labor law and ethics |

Frequently asked questions

Are compliance officers licensed attorneys? Not necessarily. Many have legal training, but backgrounds in audit, finance, or operations are common.

Can one person do both jobs in a small company? Yes at first, but as the risk landscape grows, separating the roles reduces conflicts and burnout.

Does the board need a compliance committee? Large and listed companies often create one. For smaller firms, assigning oversight to the audit committee with direct reporting from the compliance officer satisfies frameworks like ISO 37001.

Drive your program with Naltilia

Whether you sit in legal or compliance, Naltilia’s AI platform accelerates risk assessments, automates evidence collection, and keeps your controls in line with standards such as Loi Sapin II, ISO 37001, and UNE 19601. Book a personalized demo to see how you can double team capacity without doubling headcount.