
Picture this: An employee reports a manager for making inappropriate comments during a team meeting. Within minutes, three different departments are CCed on the email chain. Legal wants to assess litigation risk. Human resources (HR) wants to review the personnel file. Compliance wants to check if this violates the code of conduct. By the end of the day, the employee has been contacted by four different people asking the same questions, each department has started its own file, and nobody’s quite sure who’s actually running the investigation.
Sound familiar? Welcome to the eternal corporate comedy of errors: the compliance–HR–legal triangle. It’s like an improv show where everyone’s making up the rules as they go along, except the stakes are significantly higher than audience laughter. The show’s title? Whose Line Is It Anyway?
The players take the stage
Before we dive into the chaos, let’s meet our core cast of characters and understand what they’re supposed to be doing when they’re not stepping on each other’s toes.
Legal: The rules translators
Legal departments are the company’s professional interpreters of the law’s ancient texts. They translate regulatory hieroglyphics into something the rest of us can (hopefully) understand, making sure we don’t end up in court. And when we do inevitably end up in court? They’re our professional swordfighters, armed with motions, briefs, and an impressive ability to cite case law from 1847 without breaking a sweat. They live in a world of precedent, privilege, and protecting the company from existential legal threats.
HR: The people-powered pit crew
HR is where the human element meets corporate reality. They’re the people-powered pit crew who recruit us, onboard us, pay us (thank you for that), develop us, and occasionally remind us that “no, you can’t say that in a meeting” or “yes, you do have to wear pants on Zoom calls.” They manage the employee lifecycle from first interview to exit interview, handling everything from benefits enrollment to performance management. When workplace culture meets workplace reality, HR usually stands in the middle, holding a conflict-resolution guide and a slightly forced smile.
Compliance: The friendly hall monitors
Compliance professionals are the friendly hall monitors of corporate life, making sure everyone plays by the rules, keeps their noses clean, and doesn’t accidentally become the subject of a Netflix true-crime documentary titled The Bribery Scheme Nobody Saw Coming. We design programs, conduct risk assessments, deliver training that people actually attend (though staying awake is another matter), and investigate potential misconduct. We’re the ones who read regulatory guidance for fun and consider a day successful when absolutely nothing happens.
Where the lines get blurry
Now, here’s where things get interesting. These three functions don’t operate in hermetically sealed silos. In fact, they overlap more than a Venn diagram at a geometry conference. The friction points and areas of overlap include:
◆ Training: Who owns ethics training? What about harassment prevention? Legal needs to ensure compliance with regulatory requirements, HR focuses on behavioral and soft skills development, and compliance wants to track completion rates and measure effectiveness.
◆ Investigations: When an allegation comes in, who investigates? HR handles workplace conflicts and performance issues, legal gets involved when there’s litigation risk or regulatory exposure, and compliance investigates code of conduct violations. Sometimes all three apply.
◆ Employee discipline: After an investigation, who decides the consequences? HR typically manages the disciplinary process and maintains personnel files, but compliance needs to ensure consistency, and legal worries about wrongful termination claims.
◆ Misconduct reporting: Who manages the hotline? Who triages complaints? Who determines what gets escalated? The answer is often “it depends,” which is compliance-speak for “we’re still figuring this out.”
◆ Regulatory interpretation: When a new regulation drops, who interprets how it applies to the company? Legal reads the statute, compliance designs the controls, and HR implements the people-side changes. Ideally, they do this together. Realistically, they sometimes read different sections and come to different conclusions.
It’s worth noting that these roles vary dramatically across organizations depending on company size, industry, regulatory environment, geographic footprint, risk appetite, and organizational culture. A 50-person startup handles this differently than a multinational corporation. What works at a tech company might fail spectacularly at a financial institution. The “right” structure is the one that fits your organization’s specific needs and risks.
When nobody wants the ball
Let’s start with the first comedy sketch: the hot potato problem. An issue arises, and suddenly everyone has somewhere else to be.
Scenario: An employee reports through the hotline that their manager has been approving invoices from a vendor owned by the manager’s spouse, and the prices seem inflated.
Compliance looks at the report and thinks, “Well, this involves a contract and potential fraud, so it’s probably a legal issue.” They forward it to legal.
Legal reviews it and thinks, “This is really about an employee violating policy and might require disciplinary action, so it’s clearly an HR matter.” They forward it to HR.
HR opens the file and thinks, “This involves potential code of conduct violations and possible regulatory implications, so it belongs with compliance.” They forward it back to compliance.
Meanwhile, the fraudulent invoices keep getting approved, the whistleblower is wondering if anyone’s actually doing anything, and somewhere a regulator is sharpening their enforcement pencil.
This volleyball match of responsibility creates several problems. First, valuable time gets wasted while the issue bounces around. Second, evidence may be lost or compromised. Third, the reporting employee loses faith in the system (and probably tells their colleagues, “Don’t bother
March 2026 | CEP Magazine 23
and ensures regulatory considerations are prioritized. However, it can overwhelm compliance resources and may not be optimal for pure employment matters with no regulatory angle.
- Centralized within another function: Some organizations house investigations in legal (for privilege protection) or HR (for people expertise). This can work well depending on the nature of typical complaints, but may create blind spots for issues outside that function’s core expertise.
- Cross-functional teams: Investigations are conducted by standing or ad hoc teams with representatives from compliance, legal, and HR. This leverages diverse expertise and prevents gaps, but can be slower and requires excellent coordination to avoid the “too many cooks” problem.
- Decentralized: Business units or regions conduct their own investigations with oversight from the corporate functions. This can work for large, complex organizations but requires strong protocols to ensure consistency and prevent local teams from sweeping issues under the rug.
Most organizations use a hybrid approach, where certain types of investigations are handled by specific functions based on subject matter. The key is being intentional about the structure rather than letting it evolve organically into chaos.
Staffing your investigation function
Structure is only part of the equation. You also need to decide on staffing models:
- Full-time investigators: Dedicated professionals who do nothing but investigations. They develop deep expertise and aren’t pulled away to other projects, but they’re expensive and may not be fully utilized if investigation volume fluctuates.
- Part-time investigators: Employees who devote a percentage of their time to investigations while maintaining other responsibilities. This is more cost-effective and scalable, but can create conflicts when investigation demands spike or when someone’s “day job” interferes with investigation work.
- Mixed model: A small team of full-time investigators handles high-priority or complex matters, supplemented by trained part-time investigators for routine cases. This balances expertise with flexibility.
The right answer depends on your organization’s investigation volume and complexity, which brings us to our next consideration.
Timing is everything: Cadence and volume
Not all months are created equal when it comes to workplace complaints. Smart compliance officers analyze their data to identify patterns.
Review your complaint data for the past few years. You’ll often see spikes during certain periods:
- January–February: Post-holiday tensions bubble over, year-end bonuses create dissatisfaction, and annual performance reviews trigger grievances.
- April–May: Mid-year review season arrives, budget cuts are announced in April, and spring projects create high-pressure environments.
- September–November: Return from summer holidays, fiscal year-end stress, performance reviews again, and the annual compliance training reminder emails finally get people thinking about reporting that thing from six months ago.
What else happens during these periods? Performance review cycles often correlate with complaint spikes: people who receive negative feedback sometimes file retaliatory complaints. Budget season creates stress and anxiety that manifests in workplace conflicts. Annual training campaigns remind employees that they can (and should) report concerns, leading to a surge in reports.
Understanding these patterns allows you to “scale up” investigation resources during peak periods. Maybe you bring in part-time investigators, delay nonurgent projects for your investigation team, or proactively communicate with stakeholders about expected response times during high-volume periods.
How do you stack up?
The 2025 Whistleblowing and Incident Management Benchmark Report by Navex indicates that the median report volume for 2024 was 1.57 reports per 100 employees annually.[1] This is a useful benchmark, but context matters.
Are you under the average? That might mean you have excellent workplace culture, strong preventive controls, and effective leadership. Or it might mean employees don’t trust the reporting system, fear retaliation, or don’t know how to report concerns. Low reporting can be either very good news or very bad news; you need to dig deeper to understand which.
Are you over the average? Again, it depends. Higher reporting might indicate cultural problems, ineffective training, poor management, or organizational changes creating friction. But it could also mean you’ve successfully built a culture where people feel safe speaking up, made reporting easy and accessible, and clearly communicated that concerns will be taken seriously.
The number itself is less important than the trend and the context. A sudden spike or drop should trigger analysis to understand what’s driving the change.
Tools and strategies: Bringing order to chaos
Ready for the practical stuff? Here are concrete tools to clarify responsibilities and prevent the scenarios described above:
- Responsible, accountable, consulted, and informed (RACI) charts: Create a responsibility assignment matrix that defines who is RACI for different types of issues. For example, in a financial misconduct investigation, compliance might conduct the investigation, the chief compliance officer is accountable for the outcome, legal is consulted on privilege issues, and HR is informed of disciplinary recommendations.
- Issue escalation maps: Develop flowcharts that show how different types of complaints are routed and escalated. A harassment complaint follows a different path than a financial fraud allegation, which differs from a safety violation. Make these visual, clear, and accessible.
- Triage templates: Create intake forms that capture key information and flag which functions need to be involved. Include fields for issue type, regulatory implications, litigation risk, personnel involved, and business impact. This ensures consistent evaluation and appropriate routing.
- Joint training and working groups: Bring compliance, HR, and legal together regularly to discuss emerging issues, review lessons learned from recent investigations, and align on protocols. This builds relationships and mutual understanding, preventing turf battles during actual investigations.
The path forward
For chief compliance officers and compliance professionals looking to bring clarity to this three-way relationship, here are the essential action items:
- Assess your investigation subject matter and complexity: What types of investigations does your organization typically face? If most are straightforward code-of-conduct violations, a compliance-centered model might work well. If you’re drowning in employment law issues, you might need HR to be more involved. High-stakes regulatory investigations with criminal exposure? Legal needs a seat at the table. Match your structure to your actual risk profile, not to a generic template.
- Assess your volume and cadence: Understand your investigation workload — average volume, peak periods, case complexity, and time to resolution. Then evaluate your available resources honestly. Can your current team handle the load? Do you need to hire, train additional staff, or adjust expectations? A mismatch between volume and resources leads to corners being cut, which leads to bad outcomes.
- Leverage liaisons to build trust: In large organizations, employees often report to local HR or management rather than calling a corporate hotline. Establish trained liaisons in local offices who can provide initial guidance, conduct preliminary assessments, and escalate appropriately. This increases accessibility and trust while maintaining appropriate oversight.
- Recognize gaps and overlaps: Conduct an honest assessment of your current state. Where do issues fall through the cracks? Where are multiple people doing the same work? Survey recent investigations, interview stakeholders, and identify the pain points. You can’t fix problems you won’t acknowledge.
- Determine your best triage team: Who’s answering the phone at 2:00 a.m. when an executive is accused of assault? Who makes the call when it’s ambiguous whether something requires immediate escalation? Identify a core group with authority to make time-sensitive decisions and ensure they have clear protocols and communication channels.
- Create common investigation protocols: Develop standardized procedures for investigation planning, conducting interviews, documenting findings, preserving evidence, and communicating outcomes. Consistency is critical for fairness, efficiency, and defensibility. This doesn’t mean every investigation is identical — you’ll scale your response to the risk — but the fundamental methodology should be consistent.
The final act
Here’s the uncomfortable truth: There is no perfect answer to “whose line is it anyway?” The right allocation of responsibilities between compliance, legal, and HR depends on your organization’s size, industry, risk profile, regulatory environment, resources, and culture. What works brilliantly at one company might fail spectacularly at another.
But here’s what doesn’t depend on any of those factors: the need for clarity, communication, and coordination. Whether your investigations are centralized in compliance, distributed across functions, or handled by cross-functional teams, everyone involved needs to understand their role, respect their colleagues’ expertise, and commit to working together.
The goal isn’t to eliminate all overlap; some redundancy provides valuable checks and balances. The goal is to eliminate confusion, duplication, and gaps that create risk.
So, take a hard look at how your organization currently handles the compliance–HR–legal triangle. Are responsibilities clear? Are there formal protocols, or are they just informal habits? Do people know who to call when issues arise? Is information shared effectively, or does each function hoard its own knowledge?
If the answer to any of these questions makes you uncomfortable, it’s time to bring the three functions together and have an honest conversation. Develop those RACI charts and establish those protocols. It might feel tedious and bureaucratic, but it’s infinitely better than the alternative: watching an issue bounce between departments while the risk metastasizes, or tripping over each other while investigating the same allegation.
In the original Whose Line Is It Anyway?, the comedy came from talented performers making things up on the spot. In corporate compliance, making things up on the spot is how you end up explaining to the board why nobody handled that whistleblower complaint that’s now on the front page of The Wall Street Journal.
Define the lines. Clarify the roles. Build the infrastructure. Your future self — and your general counsel, your board, and your regulators — will thank you.
Because, unlike the TV show, in the corporate version, the points definitely do matter.
Endnotes
1. Carrie Penman et al., 2025 Whistleblowing & Incident Management Benchmark Report, Navex, March 19, 2025, 15, https://www.navex.com/en-us/resources/benchmark-reports/whistleblowing-incident-management-report/.
Takeaways
- Unclear ownership creates problems. When compliance, human resources, and legal lack defined responsibilities, issues either fall through the cracks or get wastefully investigated multiple times.
- Match structure to your risks. Investigation models should align with your organization’s actual complaint types, volume patterns, and complexity — not generic templates.
- Use responsible, accountable, consulted, and informed charts and protocols. Formal responsibility matrices, escalation flowcharts, and triage templates prevent confusion about who handles what types of complaints.
- Understand your complaint patterns. Analyze historical data to identify volume spikes during performance reviews, budget cycles, and training periods to scale resources accordingly.
- Collaboration beats turf wars. Regular joint meetings between compliance, HR, and legal build relationships and alignment that prevent dysfunction when actual investigations arise.