"Wait, so are you like the legal team?"
How many times have you received that question? And how well do you think your answers have gone over?
Probably not very well, because a lot of the traditional (and correct) answers to that question either get overly technical or stay so high-level that the distinction is easily lost.
Start talking about the Federal Sentencing Guidelines? Game over; you're in the weeds. (And worse, you're talking about a law, so now everyone's confused again.)
Say "prevent, detect, fix"? That's better, but it's too high-level—other functions (cybersecurity, health and safety) can say that too, so you'll just have to explain it more anyway.
If you've been following us, you know we're big on analogies—both in making them ourselves (here) and critiquing ones that don't quite work (here). And because corporate functions like "legal" and "compliance" are fairly abstract concepts to most people, drawing an analogy to something more accessible is usually the best way to explain it to folks who don't live and breathe risk management.
So, here's an analogy that we think gets the job done: the next time someone asks you to explain the difference between legal and compliance, put it in terms of safety and insurance.
Preventing liability versus preventing fire.
Here's the analogy: imagine that your company processes dangerous, flammable chemicals at several of your sites.
Having fire insurance will reduce your company’s financial liability if one of your facilities burns down. You should definitely have fire insurance and keep all your fire insurance documents in order—and that is the insurance team's job.
On the other hand, your safety team's job is to prevent your facilities from burning down in the first place. They help determine how your workers handle the chemicals through policies, training, and controls. They then make sure their policies, training, and controls are working by monitoring what people do, and they separately run audits to make sure that the outputs of those processes are reliable. If something does happen, the safety team investigates to figure out why and fixes it.
Of course, the safety team cannot prevent every fire. That is why you have insurance. But just having insurance does nothing to prevent fires. (It actually makes it more likely in some respects—that's the concept of moral hazard.)
Ultimately, both the insurance team and the safety team protect the company, but in different ways.
The insurance team protects the company from fire liability; the safety team protects the company from fire itself.
You're the safety team.
In this analogy, compliance is the safety team; legal is the insurance team.
That is, lawyers focus on reducing legal liability, not preventing the stuff that causes liability. That's how lawyering works: lawyers help protect their clients with legal clauses and agreements in case things go wrong, but it’s up to the client to actually make things go right or wrong in the first place.
By contrast, compliance focuses on the "make things go right or wrong in the first place" part.
There is obvious overlap between those roles, of course, and that's true for safety and insurance too. Some of the things your safety team does are necessary to allow the insurance team to prove a fire wasn't the company's fault. And likewise, some of the stuff the insurance team has to do to qualify for insurance will probably help prevent fires.
But no one would think that the safety team and insurance team do the same thing; that's ridiculous.
Likewise, it's ridiculous to think that legal and compliance are the same; they are fundamentally different functions (and different career paths), and being good at one is no guarantee of being good at the other.
It's just less obvious because "legal vs compliance" is a little more abstract than "fire safety vs fire insurance"—which is why drawing an analogy to those more accessible functions helps set things straight.