1 Big Picture
In this opening chapter, we will discuss three common mental models for corporate risk. If you are the CEO of a corporation (or any other leader), how do you think about the management of risk in your company? The first model is commonly referred to in risk theory as the "three lines of defense." Every employee in the first line of defense has responsibility for risk and compliance in the job they do. The second line of defense houses the corporate risk support functions, and the third line houses internal and external audit. Audit is unique because it is professionally obligated to remain independent from the business.
The second model below is the typical depiction of "enterprise risk management." Again, if you are the CEO of a company (or any other leader), you must consider risk in these four silos or lanes -- strategic, operational, financial, and regulatory.
The regulatory risk area is where the compliance profession primarily works. For compliance, the common rubric is the "seven elements of an effective compliance program." Chapter 2 will study the genesis of this "seven element" model for compliance.
1.1 Three Lines of Defense (Risk)
1.2 Corporate Risk
[Figure: corporate risk model; image generated by ChatGPT]
1.3 Seven Elements of an Effective Compliance Program
From the Society for Corporate Compliance and Ethics (SCCE)
1.4 Pick a Corporate Scandal
Take a quick look at the Wikipedia summaries of these scandals and pick one that you want to study in depth this semester:
https://en.wikipedia.org/wiki/Enron_scandal
https://en.wikipedia.org/wiki/Boeing_737_MAX_groundings
https://en.wikipedia.org/wiki/Theranos
https://en.wikipedia.org/wiki/Purdue_Pharma
https://en.wikipedia.org/wiki/Wells_Fargo_cross-selling_scandal