Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

Assessing the Risks: Corporate Compliance and Ethics Programs

As the regulatory environment continues to evolve, corporations may find they can get ahead of the enforcement curve by establishing a program to deter wrongdoing, develop an ethical and self-policing culture, and catch and correct their own problems.

Bad corporate behavior is all around us—or at least it seems that way, given the regular media stories of corporate wrongdoing and the whistleblowers and government investigators who uncover it. And the statistics support the headlines. In 2009, 177 organizations either pled guilty or were tried and convicted of at least one federal offense.1 While prosecutors avidly pursue enforcement opportunities, and they should, the government also provides a quieter way out for organizations that have a preventative and long-term mindset. For years now, the government has encouraged every corporation to develop an ethical and self-policing culture through creation of an “effective compliance and ethics program.” Establishing such a program, if done right, serves the dual purposes of deterring wrongdoing and allowing an organization to catch and correct its own problems.

The common understanding of what constitutes an “effective” program has continued to mature and evolve as new bad behavior has stimulated new ideas about how to best prevent it. In April 2010, the U.S. Sentencing Commission finalized amendments to the Federal Sentencing Guidelines that strengthen the incentives for corporations to adopt an effective compliance and ethics program and add nuance to the requirements.2 These changes, which became effective November 1, 2010, along with evolving compliance and ethics program requirements in other government enforcement documents, provide insight into the government’s expectations. A corporation’s choices about its own ethical culture have real-world ramifications, not only influencing how the government perceives the organization in the event of a criminal offense, but also shaping how the public, Wall Street, and even a civil jury perceive and potentially might punish the organization. These are key considerations to take into account when evaluating a compliance and ethics program for effectiveness. Understanding the requirements is the first step.

The Effective Compliance and Ethics Program

In 1991, the U.S. Sentencing Commission published the Federal Sentencing Guidelines which, while establishing sentencing parameters for organizational defendants, also provided instructions on how to avoid being in a position of being sentenced at all:

These guidelines offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program. The prevention and detection of criminal conduct, as facilitated by an effective compliance and ethics program, will assist an organization in encouraging ethical conduct and in complying fully with all applicable laws.3

Having an effective compliance and ethics program means that “an organization shall (1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”4 While the Federal Sentencing Guidelines speak in the language of criminal conduct, the additional emphasis on “ethical conduct” and “compliance with the law” indicates broader expectations.

The Federal Sentencing Guidelines set forth seven elements that constitute the minimum requisites of an effective compliance and ethics program. The idea that truly effective programs are structured around the unique risk areas in an organization overlies and modifies all seven elements: “In implementing [the seven elements] … the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each [of the seven elements] … to reduce the risk of criminal conduct identified through this process.”5 Just as organizations and their risk areas are different, so too should the compliance and ethics programs be different.

The seven elements continue to be upgraded and refined, not only through amendments to the Federal Sentencing Guidelines but also through reiteration and explanation in other government enforcement instruments, such as Corporate Integrity Agreements (CIAs), Deferred Prosecution Agreements, Consent Decrees, and government agency-drafted guidance documents directed to specific industries. While these documents do not apply to all organizations as the Federal Sentencing Guidelines do, they give additional context to the government’s expectations.

Strengthened incentives in the new amendments show the government’s seriousness about wanting organizations to develop effective compliance and ethics programs. Now, for the first time, organizations can get credit for having an effective program even if management6 is involved in wrongdoing, as long as the compliance professional in charge of the compliance and ethics program was not involved in the wrongdoing and other criteria are met.

The Seven Elements

The seven elements of an effective compliance and ethics program as set forth in the Federal Sentencing Guidelines afford a context for discussion of key directional changes in enforcement. They are:

1. Develop Standards and Procedures. This bedrock requirement has not changed, but it is one where organizations still falter. The Federal Sentencing Guidelines are clear that standards and procedures should provide sufficient and effective controls that take into account the highest risk areas, given an organization’s business. In regard to understanding risk, the Guidelines’ examples are telling:

[A]n organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing. An organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.7

Organizations experiencing government enforcement are usually required to rewrite and upgrade their standards and procedures, particularly in the area of the trouble.8 Developing practical standards and procedures that control high risk areas will put organizations significantly closer to having an effective compliance and ethics program.

2. Establish the Right Program Oversight and Reporting Relationships. This is one of the hot spots for change. The government continues to define the oversight and reporting structure that will best position a compliance and ethics program for success. Recent amendments to the Federal Sentencing Guidelines follow a trend of enhancing the independence and empowerment of the compliance and ethics professional in charge of day-to-day program operations, while also expecting increased knowledge and involvement on the part of the board of directors (or highest level governing body).

Organizations can now get Guidelines credit for an effective compliance and ethics program even if management was involved in the offense, but only if, among other criteria, the compliance professional in charge has “direct reporting obligations” to the board or a subgroup and in no way participated in, condoned, or was willfully ignorant of the offense.9 “Direct reporting obligations” means the compliance professional has express authority to communicate personally to the board “on any matter involving criminal conduct or potential criminal conduct, and … no less than annually on the implementation and effectiveness of the compliance and ethics program.” This amendment emphasizes the independent role of the compliance professional in charge. Along similar lines, recent CIAs have taken independence and empowerment to a new level by requiring that, for work-performance purposes, the compliance professional in charge should report directly to the CEO and not report to or be subordinate to the CFO or the general counsel.10

3. Screen Personnel. An effective compliance and ethics program controls the hiring and promotion of personnel to ensure that individuals who have “engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program” are not put into sensitive positions.11 This element has not changed recently, and the idea is echoed in CIAs, which usually restrict how an organization can employ individuals who are ineligible to participate in federal health care or other programs.

4. Train and Communicate. In an effective compliance and ethics program, standards and procedures and other aspects of the program are communicated to all levels of the organization, including the board, employees, and agents.12 In recent CIAs, computer-based training has been expressly allowed, and the time allotment for training on general ethical standards, including the corporation’s code of conduct, is generally one hour.13 When evaluating this element, government prosecutors also look to whether the training is “real” and “user-friendly” and whether it addresses the high risk areas of the organization.14

5. Verify Compliance and Evaluate Effectiveness. For the compliance and ethics program to be effective, the organization must verify that the program is being followed (or not) and evaluate whether it is working. The government expects a certain level of success at rooting out misconduct. A new Guidelines amendment states that, to receive full credit for an effective compliance and ethics program even when management personnel are involved in an issue, the organization must itself have found the criminal misconduct before it was discovered by persons outside the organization or before such discovery was reasonably likely.15 Practical tools to help find misconduct include monitoring and auditing and having a system where employees and agents can report misconduct or seek advice about potential misconduct without fear of retaliation. Once in the government enforcement realm, what’s needed to verify compliance gets more complex and expensive, frequently involving independent compliance assessments by outside monitors or independent review organizations.

In evaluating program effectiveness, the government continues to stress the need for organizations to learn from past experience and encourages the use of independent third parties, as needed, to look at a compliance and ethics program with fresh eyes. A new Application Note in the Guidelines reiterates these points, particularly the expectation that the program should be assessed and modified on an ongoing basis to ensure effectiveness.16

6. Consistently Promote and Enforce the Program. Although the Society of Corporate Compliance and Ethics, in testimony before the Sentencing Commission, requested further guidance here, this element was not expanded and continues as a blanket statement that organizations should promote their compliance and ethics programs by establishing incentives for employees to comply and discipline for those who do not.17 One incentive typically required in CIAs is the inclusion of a compliance and ethics section in annual performance reviews.

7. Appropriately Respond to and Remediate Problems. A new amendment to the Guidelines reiterates the necessity of self-reporting, making prompt “reporting of the offense to the appropriate governmental authorities” prerequisite to getting Guidelines credit for an effective compliance and ethics program when management personnel are involved in the offense.18 This emphasizes the prior rule that an organization cannot receive credit if it “unreasonably delayed reporting the offense to appropriate governmental authorities.”

As regards remediating problems, the new amendment provides additional language describing the “reasonable steps” needed to respond to and prevent further similar misconduct and to remedy the harm resulting from the criminal conduct.19 The Guidelines provide new, optional examples of how to respond to criminal conduct, including: (1) providing restitution to identifiable victims, (2) providing other forms of restitution, (3) self-reporting, and (4) cooperating with authorities. As for preventing further harm, an organization should assess the program in light of the misconduct and make any necessary modifications.20

The Guidelines and “Good” Organizations

Having an effective compliance and ethics program is relevant to organizations not currently under federal investigation, not subject to a CIA or other government enforcement instrument, and not anticipating criminal behavior or the need to understand the Federal Sentencing Guidelines anytime soon. Misconduct will happen at every organization, eventually. Research indicates that in 2009, 49 percent of employees in the United States observed at least one violation of the law or their employer’s ethics standards.21 Although not all of these instances likely were criminal in nature, the government has successfully prosecuted approximately 200 organizations every year since 2006, with the bulk of the violations being in the areas of antitrust, bribery, environmental, import/export, FDA/consumer products, fraud, immigration, and money laundering.22 Even for “good” organizations there are reasons to establish an effective compliance and ethics program. Among these are:

1. Hedge Your Bets. In a worst-case scenario, if criminal misconduct occurs at an organization, then an effective compliance and ethics program will help address and correct the issue before it becomes larger or systemic. The government is willing to give credit for that in a way that translates into dollars. The Federal Sentencing Guidelines allow an organization to receive a three-point reduction in its culpability score if “at the time of the offense it had in place an effective compliance and ethics program.”23 Depending on other factors, including the number and level of offenses, a three-point reduction in culpability could result in a fine reduced by thousands or millions of dollars.24 Even if your organization has confidence that it will never be in the government’s cross-hairs for criminal wrongdoing, an effective compliance and ethics program is a way to hedge your bets.

2. Preserve Shareholder Value. An effective compliance and ethics program is a good business practice that can save an organization a lot of money and headache. Catching an issue internally and dealing with it outside of the government and public eye is an affordable luxury. Research indicates that loss of reputation is the single biggest reason for loss in shareholder value.25 Companies have experienced sharp dips in stock price as a result of corporate scandal.26

An effective compliance and ethics program has the added benefit of reducing misconduct by as much as 75 percent. According to the Ethics Resource Center’s National Business Ethics Survey, organizations that adopt the seven elements of an effective compliance and ethics program as modeled in the Federal Sentencing Guidelines experience not only a drop in misconduct, but also a doubling in instances of reported misconduct (thus allowing the company to deal with the issues internally), and the virtual elimination of retaliation against whistleblowers.27 To the extent CEOs ask their lawyers to make the organization bullet-proof—and some do—having an effective compliance and ethics program looks like pretty good armor.

3. Mitigate Litigation Risks. Lack of effective compliance and ethics controls is a growing focal point in civil litigation against organizations. This is especially true in the context of shareholder derivative lawsuits where shareholders sue the directors and management of an organization for failing to ensure the right compliance and ethics controls, thus harming the organization. The following are compliance-type allegations found in recent shareholder derivative lawsuits: 1) board’s failure to install and maintain system of internal controls caused substantial damage; 2) officers and directors breached fiduciary duty by failing to prevent bribery; 3) lack of a compliance program for FCPA requirements caused millions in losses.28 In a best-case scenario, having an effective compliance and ethics program would head off these types of lawsuits entirely, but in any scenario it would at least provide a defense.

4. It’s the Right Thing to Do. Many organizations speak of compliance and ethics as the right thing to do and pledge to uphold high standards of ethical conduct notwithstanding shareholder value, government threat, or potential civil lawsuits. These organizations should have in place an effective and properly resourced compliance and ethics program to ensure that they meet their own high standards.

Evaluating a Compliance & Ethics Program

Many organizations have some or all of the elements of an effective compliance and ethics program already in place. Because government requirements continue to evolve, however, it is a good idea to update and document an organization’s program annually. Keep in mind that an effective compliance and ethics program should fit the organization, taking into account industry standards and government requirements for that industry, the size of the organization, and any prior misconduct. One size does not fit all. Here are some key considerations when evaluating an organization’s compliance and ethics program in light of recent developments:

  • Reevaluate the Organization’s Risks. What are the risk areas? Are they changing or evolving? What are the areas of significant government regulation? Where are companies in similar industries getting into trouble? Is the organization doing business in countries with a high-risk profile? Has there been high turnover in personnel? These are some initial questions to ask when evaluating the risks at an organization. The analysis should go deeper. Risk areas are where a company needs intentional and heightened compliance and ethics controls in place.
  • Review Standards and Procedures. Given an organization’s risk areas, what standards and procedures address those areas? Are the standards and procedures documented, controlled, and regularly updated to reflect changes in government requirements? If any compliance and ethics issues arose in the recent past, could standards and procedures be changed to prevent those issues from recurring?
  • Establish the Right Program Oversight and Reporting Relationships. Who has day-to-day responsibility for the compliance and ethics program? What is that individual’s access to the board or highest governing authority? What is that individual’s role on the executive management team? How is the board knowledgeable about and overseeing the compliance and ethics program?
  • Ensure a Screening Process. What is the process for identifying individuals who have engaged in past misconduct prior to their being hired or promoted?
  • Review the Training and Internal Communication Plan. Does the organization have a training and communication plan for its compliance and ethics standards and expectations? Who receives training and how often? How does the training and communication plan focus on the organization’s risk areas?
  • Reexamine the Process for Verifying Compliance and Evaluating Overall Program Effectiveness. What processes are in place to verify that compliance and ethics standards are being followed (or not)? What does data reveal directionally about compliance at the organization? Is an annual assessment of the effectiveness of the program being performed?
  • Ensure Program Enforcement and Promotion. Are incentives for compliance and ethics in place? Is discipline levied for violations of the compliance and ethics program?
  • Reassess the Response and Remediation Process. What is the organization’s process if it concludes that misconduct has occurred? Does the process include consideration of both remediation of harm and prevention of recurrence?

As in many other areas, organizations that put the most into a compliance and ethics program will get the most out of it. Because government expectations continue to evolve in the compliance and ethics arena, organizations need to stay well-informed of changes and commit to periodic reevaluation of their programs. There are benefits to this course, and the government certainly wants organizations to do this. However, some organizations may determine that the costs of maintaining an effective compliance and ethics program are not worth the benefits absent immediate government attention, and they will rely on good legal minds to assist them if troubles occur in the future. Because of the varying courses organizations may take, the one certainty is that the lawyers on all sides (inhouse counsel, prosecutors, plaintiff-side attorneys, defense-side attorneys, compliance counselors) will benefit from understanding the continually evolving standards of an effective compliance and ethics program.

 Ann Kraemer is a lawyer, consultant and writer. Concentrating her practice in the area of compliance and ethics, she draws on over 15 years of experience in private practice and as inhouse corporate counsel. Ann is a graduate of the University of Michigan Law School. 


1 U.S. Sentencing Commission’s Sourcebook of Federal Sentencing Statistics, FY 2009, Table 51. See
2 Amendments to the Sentencing Guidelines, Policy Statements, and Official Commentary (April 30, 2010).
3 U.S.S.G., Ch. 8, Sentencing of Organizations, Introductory Commentary (2010) (online manual and appendices).
4 U.S.S.G. §8B2.1(a) (2010).
5 Id. at §8B2.1(c).
6 The Federal Sentencing Guidelines use the terms “high-level” and “substantial authority” personnel. Definitions are at: U.S.S.G. §8A1.2 (Application Instructions – Organizations). For ease of use, this article uses “management” in place of those terms.
7 Id. at §8B2.1, Commentary, Application Notes 1, 7(A)(ii).
8 See, e.g., recently executed Corporate Integrity Agreements at
9 U.S.S.G. §8C2.5(f)(3)(C).
10 Recent CIAs consistently contain this requirement. See The Ethics Resource Center supported this type of reporting structure in its public comments to the U.S. Sentencing Commission in March 2010, saying that this structure promoted a compliance professional’s credibility while also facilitating that individual’s participation as an equal player on the management team during strategic discussions. Letter from Patricia Harned, President, Ethics Resource Center, to U.S. Sentencing Commission (03/10/10).
11 U.S.S.G. §8B2.1(b)(3) and Application Note 4.
12 Id. at §8B2.1(4).
13 See recent CIAs at
14 Ronald Berenbeim and Jeffrey Kaplan, Ethics and Compliance Enforcement Decisions – the Information Gap. The Conference Board Executive Action Series, No. 310, June 2009, at 5.
15 U.S.S.G. §8C2.5(f)(3)(C).
16 Id. at §8B2.1, Commentary, Application Note 6.
17 Id. at §8B2.1(b)(6), Application Note 5. See Testimony submitted by SCCE to U.S. Sentencing Commission of Mar. 17, 2010, found at
18 U.S.S.G. §8C2.5(f)(3)(C).
19 Id. at §8B2.1, Commentary, Application Note 6.
20 Id.
21 2009 National Business Ethics Survey, Ethics Resource Center, at 9. Survey can be downloaded at
22 U.S. Sentencing Commission’s Sourcebook of Federal Sentencing Statistics, FY 2006-2009, Table 51.
23 U.S.S.G. §8C2.5(f).
24 Id. at §§8C2.1-2.10.
25 Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer, Ethics Resource Center (2007), at 24 (citing R.G. Eccles, S.C.Newquist, & R. Schatz, “Reputation and Its Risks,” Harvard Business Review, February 2007, pp. 1-12).
26 For example: AES, $45M; AOL TimeWarner, -59%; Computer Associates, -73.58%; Halliburton, -56.51%; ImClone Systems, -52.34%. Id. at 12 (citing information from a watchdog group called Citizen Works).
27 See Letter from Harned, Pres., Ethics Resource Center to U.S. Sentencing Commission (03/10/10) (citing information from the Ethics Resource Center’s National Business Ethics Survey).
28 See discussion of shareholder derivative lawsuits at
