Compliance and Ethics Programs: Passivity Is Passe

One of the most significant developments consists of the changes to the Sentencing Guidelines that the United States Sentencing Commission (Sentencing Commission) adopted in 2004 (2004 Changes). The original Sentencing Guidelines have had considerable impact on the existence and form of corporate ethics and compliance programs. See Murphy: The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics. 87 Iowa L. Rev. 697, 710 (2002). I expect that the recent changes will similarly lead to considerable changes to existing compliance and ethics programs and provide greater definition to those that are still in the design stage.

What changes did the Sentencing Commission make last year? Several general themes emerge. First, the Sentencing Commission attempted to create responsibility and more direct accountability on the part of corporate management for the existence and operation of a compliance and ethics program. Second, the Sentencing Commission created some specific responsibilities, in respect of the compliance and ethics program, for the 'governing authority' of the entity, which for a corporation is the board of directors. Third, the Sentencing Commission clarified that training is a mandatory means by which to 'communicate … its standards and procedures' to all employees, including directors and management, and, as appropriate, third-party agents. Let's examine those themes in greater detail.

Management Responsibility and Accountability

The greater degree of accountability on the part of management emanates from several sources in the Guidelines as enhanced by the 2004 Changes.

The organizational leadership of a firm 'must ensure that the organization has an effective compliance and ethics program' (' 8B2.1(b)(2)(B) which should be designed to 'promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.' ' 8B2.1(a)(2).

The Sentencing Commission re-quired that '[s]pecific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program' and that '[s]pecific individuals within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program.'

Those who have day-to-day operational authority 'shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.' ” 8B2.1(b)(2)(B) and (C) of the Guidelines.' High-level personnel of the organization' means 'individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization.' See ' 8A1.2, Application Note 3(b).

The Sentencing Commission even goes so far as to direct that '[t]he organization shall use reasonable efforts not to include within the substantial authority personnel … any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.' ' 8B2.1
(b)(3). 'Substantial authority personnel' includes 'individuals who within the scope of their authority exercise a substantial measure of discretion in acting on behalf of an organization. ' 8A1.2, Application Note 3(c).

An organization shall 'take reasonable steps … to ensure that the … compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; … to evaluate periodically the effectiveness of … the program; and … to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organizations employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.' ' 8B2.1(b)(5).

The 'compliance and ethics program shall be promoted and enforced consistently … through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.' ' 8B2.1(b)(6).

One cannot fail to see the implications of those changes. The Sentencing Commission wanted to assure that, in a company with a compliance and ethics program it wishes to earn the title 'effective,' specific individuals in the hierarchy must have specific responsibilities for that program and for its operation. 'Plausible deniability' by senior management (remember the defense put on by Bernie Ebbers?) should disappear as an excuse on the part of high corporate officials.

Ultimately, the Sentencing Commission hoped that a business organization that creates and operates a compliance and ethics program to meet the standards set out in the 2004 Changes would be one that 'promote[s] an organizational culture that encourages ethical conduct and a commitment to compliance with the law.' To fulfill that goal, managers and corporate executives must understand the purpose of the compliance and ethics program, its constituent elements and how they can and should demonstrate ethical leadership.

When those corporate leaders demonstrate ethical leadership, they also satisfy the standards set out by Congress in Sarbanes-Oxley (SOX) that a publicly traded corporation adopt a code of ethics that promotes 'honest and ethical conduct' and 'compliance with applicable governmental rules and regulations,' which code of conduct must apply to the behavior of firm's senior financial officers. See
' 406(c) of SOX. Ethical leadership now constitutes the legal standard of behavior for corporate America.

A Proactive Governing Authority

The Sentencing Commission had a great deal to say about the role of a governing authority of an organization. Generally speaking, that body 'shall be knowledgeable about the content and operation … and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.' ' 8B2.1(b)(2)(A). The firm's employees who have day-to-day operational re-sponsibility for the operation of the program 'shall be given … direct access to the governing authority or an appropriate subgroup of the governing authority.' ' 8B2.1(b)(2)(C).

The 2004 Changes require that a firm establish 'a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organizations employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.' Such a mechanism closely resembles the requirement recently enacted by Congress in ' 301 of SOX that the audit committee of the board of directors of a publicly held corporation 'establish procedures for … the receipt, retention, and treatment of complaints … regarding accounting, internal accounting controls, or auditing matters … and … the confidential, anonymous submission by employees … of concerns regarding questionable accounting or auditing matters.' Elsewhere in that statute, Congress added to the criminal statutes provisions that protect whistleblowers, further buttressing reporting mechanisms from attack from within the organization. See ' 1107.

With such information-gathering processes in place, management and the board of directors likely will learn more frequently about issues and concerns that come to the attention of employees throughout the organization. In essence, such a mechanism creates a network within the organization of sensors (not censors) in respect to compliance or ethical failures or potential failures. An effective program will include follow-up steps that assure the reporting individuals that their concerns result in some sort of action by the organization. Those follow-up steps should include action (even if only recognition in its oversight role) by the governing authority. Expectations that a board of directors will take a more proactive approach to its role in the corporation reverberates throughout the recent corporate reforms, including the Guidelines, the 2004 Changes, SOX and SEC rulemakings.

This contrasts with the results that directors might have seen under the more traditional standards of court review of their actions or failures to act: 'when director liability is predicated on ignorance of liability creating activities only a sustained or systematic failure of the board to exercise oversight ' such as an utter failure to attempt to assure a reasonable information and reporting system exists ' will establish the lack of good faith that is a necessary condition to liability.' See McCall v. Scott, 239 F. 3d 808 (CA6 2001). That traditional approach suggests a very reactive role for the board, whereas the Sentencing Commission, Congress and others hope to push it into a more proactive stance.

Under the 2004 Changes, not only must the board of directors ascertain that the company has a compliance and ethics program, but it must 'exercise reasonable oversight with respect to the implementation and effectiveness' of that program. See ' 8B2.1 (b)(2)(A). What does that requirement mean? Directors must 'be knowledgeable about the content and operation' of the program. They must ensure that those to whom they delegate responsibility for the operation of that program have 'adequate resources' for that purpose. The directors must provide those individuals with 'direct access' to the board, or a subgroup of the board, for reporting purposes.

In order to fulfill those expectations of the Sentencing Commission, a company's directors require information. They need to understand the purpose of the compliance and ethics program. Why does an 'effective compliance and ethics program' matter? What components comprise an effective program and what are the existing best practices in that regard?

Training for All

This brings us to the third theme of the 2004 Changes. That theme relates to training on compliance and ethics topics. The Sentencing Guidelines had highlighted the importance of communication by an organization of its standards and procedures relative to compliance and ethics to its employees. In the 2004 Changes, the Sentencing Commission specified that training is a mandatory method by which to do so. See ' 8.B2.1(b)(4)(A). Inasmuch as government officials have previously described 'a system of effective organization-wide training on compliance standards and procedures' as a 'critical element of an effective compliance program' (see page 8 of Corporate Responsibility and Corporate Com-pliance: A Resource for Health Care Boards of Directors, which is posted at www.oig.hhs.gov/fraud/docs/complianceguidance/040203CorpRespRsceGuide.pdf), the Sentencing Commission's view should surprise nobody. The Sentencing Com-mission based the 2004 Changes on recommendations made by an Ad Hoc Group on the Organizational Sentencing Guidelines, which indicated its view 'that all organizations should engage in some form of active compliance training.' See 'Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines' (Oct. 7, 2003), p. 71.

Not only must an organization provide training on subjects related to compliance and ethics to all employees, including directors, executives and even third-party agents (as appropriate); that organization should design that training to convey 'information appropriate to … individuals' respective roles and responsibilities.' ' 8B2.1(b)(4)(A). Merely providing the exact same training to everyone ' executives, clerks, accountants and shop-floor workers ' will not satisfy the standards detailed in the 2004 Changes. In fact, such an untailored approach might suggest to prosecutors that the organization has created a mere 'paper' program unworthy of the benefits available in the Sentencing Guidelines. See the memorandum dated Jan. 20, 2003, by Larry D. Thompson, Deputy Attorney General, entitled 'Principles of Federal Prosecution of Business Organizations' (Thompson Memo): 'Prosecutors … should attempt to determine whether a corporation's compliance program is merely a 'paper program' or whether it was designed and implemented in an effective manner.'

Finally, an important consideration, in the eyes of prosecutors and courts, as to whether a program is effective is whether and when a firm voluntarily discloses to regulators and prosecutors instances of illegal conduct that it discovers as a result of the program. The 2004 Changes incorporate this factor in that an organization that 'delay[s] reporting the offense to appropriate governmental authorities' may not qualify for the sentencing reductions otherwise available for an effective program. See ' 8B2.1(f)(2). The entire organization must take proactive steps to: 1) identify noncompliant behavior; 2) correct such behavior when found; and 3) tell the government when it uncovers such behavior and the corrective steps it has taken.

Conclusion

Since promulgation of the Sentencing Guidelines in 1991, corporate compliance and ethics programs have multiplied and matured. Much of that growth resulted from those Guidelines and other related developments, such as the Caremark decision. The 2004 Changes promise to further instigate change and development of those programs. Much of that development likely will follow along the lines laid out by the Sentencing Commission. Some boards of directors have already begun to demonstrate a more proactive attitude. The need for greater accountability for the creation and operation of compliance and ethics programs and the deployment of effective compliance training among business organizations likely will continue.

Steven A. Lauer, Director, Integrity Research, for Integrity Interactive Corporation, works with the company's clients to stay abreast of developments regarding corporate compliance and ethics programs. Lauer spent over 13 years as an in-house attorney and over 6 years as a consultant to corporate law departments. He can be reached at [email protected] or 704-847-6430.

Corporate compliance and ethics programs have matured significantly from their humble beginnings. Since they appeared in the 70s in response to government investigations of overseas bribery in the aerospace, defense and armaments industries, leading to enactment of the Foreign Corrupt Practices Act, compliance programs have spread into most, if not all, other industries. Moreover, compliance programs have received official 'endorsement' by the government through the Sentencing Guidelines for Organizational Defendants (Sentencing Guidelines), which appeared in their original form in 1991 as Chapter 8 of the Federal Sentencing Guideline Manual.

The adoption of corporate compliance and ethics programs throughout many industries led to the establishment of the Ethics Officer Association (EOA) in 1992 as 'a professional association for ethics officers and the organizations for which they work, that provides for sharing of ideas and best practices, continuing education and professional development.' From its 12 founding members, EOA has grown to over 1000.

What trends and developments in the field of corporate compliance and ethics programs justify the attention of practitioners in this field? How might those trends and developments affect such programs in the future?

One of the most significant developments consists of the changes to the Sentencing Guidelines that the United States Sentencing Commission (Sentencing Commission) adopted in 2004 (2004 Changes). The original Sentencing Guidelines have had considerable impact on the existence and form of corporate ethics and compliance programs. See Murphy: The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics. 87 Iowa L. Rev. 697, 710 (2002). I expect that the recent changes will similarly lead to considerable changes to existing compliance and ethics programs and provide greater definition to those that are still in the design stage.

What changes did the Sentencing Commission make last year? Several general themes emerge. First, the Sentencing Commission attempted to create responsibility and more direct accountability on the part of corporate management for the existence and operation of a compliance and ethics program. Second, the Sentencing Commission created some specific responsibilities, in respect of the compliance and ethics program, for the 'governing authority' of the entity, which for a corporation is the board of directors. Third, the Sentencing Commission clarified that training is a mandatory means by which to 'communicate … its standards and procedures' to all employees, including directors and management, and, as appropriate, third-party agents. Let's examine those themes in greater detail.

Management Responsibility and Accountability

The greater degree of accountability on the part of management emanates from several sources in the Guidelines as enhanced by the 2004 Changes.

The organizational leadership of a firm 'must ensure that the organization has an effective compliance and ethics program' (' 8B2.1(b)(2)(B) which should be designed to 'promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.' ' 8B2.1(a)(2).

The Sentencing Commission re-quired that '[s]pecific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program' and that '[s]pecific individuals within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program.'

Those who have day-to-day operational authority 'shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.' ” 8B2.1(b)(2)(B) and (C) of the Guidelines.' High-level personnel of the organization' means 'individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization.' See ' 8A1.2, Application Note 3(b).

The Sentencing Commission even goes so far as to direct that '[t]he organization shall use reasonable efforts not to include within the substantial authority personnel … any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.' ' 8B2.1
(b)(3). 'Substantial authority personnel' includes 'individuals who within the scope of their authority exercise a substantial measure of discretion in acting on behalf of an organization. ' 8A1.2, Application Note 3(c).

An organization shall 'take reasonable steps … to ensure that the … compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; … to evaluate periodically the effectiveness of … the program; and … to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organizations employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.' ' 8B2.1(b)(5).

The 'compliance and ethics program shall be promoted and enforced consistently … through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.' ' 8B2.1(b)(6).

One cannot fail to see the implications of those changes. The Sentencing Commission wanted to assure that, in a company with a compliance and ethics program it wishes to earn the title 'effective,' specific individuals in the hierarchy must have specific responsibilities for that program and for its operation. 'Plausible deniability' by senior management (remember the defense put on by Bernie Ebbers?) should disappear as an excuse on the part of high corporate officials.

Ultimately, the Sentencing Commission hoped that a business organization that creates and operates a compliance and ethics program to meet the standards set out in the 2004 Changes would be one that 'promote[s] an organizational culture that encourages ethical conduct and a commitment to compliance with the law.' To fulfill that goal, managers and corporate executives must understand the purpose of the compliance and ethics program, its constituent elements and how they can and should demonstrate ethical leadership.

When those corporate leaders demonstrate ethical leadership, they also satisfy the standards set out by Congress in Sarbanes-Oxley (SOX) that a publicly traded corporation adopt a code of ethics that promotes 'honest and ethical conduct' and 'compliance with applicable governmental rules and regulations,' which code of conduct must apply to the behavior of firm's senior financial officers. See
' 406(c) of SOX. Ethical leadership now constitutes the legal standard of behavior for corporate America.

A Proactive Governing Authority

The Sentencing Commission had a great deal to say about the role of a governing authority of an organization. Generally speaking, that body 'shall be knowledgeable about the content and operation … and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.' ' 8B2.1(b)(2)(A). The firm's employees who have day-to-day operational re-sponsibility for the operation of the program 'shall be given … direct access to the governing authority or an appropriate subgroup of the governing authority.' ' 8B2.1(b)(2)(C).

The 2004 Changes require that a firm establish 'a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organizations employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.' Such a mechanism closely resembles the requirement recently enacted by Congress in ' 301 of SOX that the audit committee of the board of directors of a publicly held corporation 'establish procedures for … the receipt, retention, and treatment of complaints … regarding accounting, internal accounting controls, or auditing matters … and … the confidential, anonymous submission by employees … of concerns regarding questionable accounting or auditing matters.' Elsewhere in that statute, Congress added to the criminal statutes provisions that protect whistleblowers, further buttressing reporting mechanisms from attack from within the organization. See ' 1107.

With such information-gathering processes in place, management and the board of directors likely will learn more frequently about issues and concerns that come to the attention of employees throughout the organization. In essence, such a mechanism creates a network within the organization of sensors (not censors) in respect to compliance or ethical failures or potential failures. An effective program will include follow-up steps that assure the reporting individuals that their concerns result in some sort of action by the organization. Those follow-up steps should include action (even if only recognition in its oversight role) by the governing authority. Expectations that a board of directors will take a more proactive approach to its role in the corporation reverberates throughout the recent corporate reforms, including the Guidelines, the 2004 Changes, SOX and SEC rulemakings.

This contrasts with the results that directors might have seen under the more traditional standards of court review of their actions or failures to act: 'when director liability is predicated on ignorance of liability creating activities only a sustained or systematic failure of the board to exercise oversight ' such as an utter failure to attempt to assure a reasonable information and reporting system exists ' will establish the lack of good faith that is a necessary condition to liability.' See McCall v. Scott , 239 F. 3d 808 (CA6 2001). That traditional approach suggests a very reactive role for the board, whereas the Sentencing Commission, Congress and others hope to push it into a more proactive stance.

Under the 2004 Changes, not only must the board of directors ascertain that the company has a compliance and ethics program, but it must 'exercise reasonable oversight with respect to the implementation and effectiveness' of that program. See ' 8B2.1 (b)(2)(A). What does that requirement mean? Directors must 'be knowledgeable about the content and operation' of the program. They must ensure that those to whom they delegate responsibility for the operation of that program have 'adequate resources' for that purpose. The directors must provide those individuals with 'direct access' to the board, or a subgroup of the board, for reporting purposes.

In order to fulfill those expectations of the Sentencing Commission, a company's directors require information. They need to understand the purpose of the compliance and ethics program. Why does an 'effective compliance and ethics program' matter? What components comprise an effective program and what are the existing best practices in that regard?

Training for All

This brings us to the third theme of the 2004 Changes. That theme relates to training on compliance and ethics topics. The Sentencing Guidelines had highlighted the importance of communication by an organization of its standards and procedures relative to compliance and ethics to its employees. In the 2004 Changes, the Sentencing Commission specified that training is a mandatory method by which to do so. See ' 8.B2.1(b)(4)(A). Inasmuch as government officials have previously described 'a system of effective organization-wide training on compliance standards and procedures' as a 'critical element of an effective compliance program' (see page 8 of Corporate Responsibility and Corporate Com-pliance: A Resource for Health Care Boards of Directors, which is posted at www.oig.hhs.gov/fraud/docs/complianceguidance/040203CorpRespRsceGuide.pdf), the Sentencing Commission's view should surprise nobody. The Sentencing Com-mission based the 2004 Changes on recommendations made by an Ad Hoc Group on the Organizational Sentencing Guidelines, which indicated its view 'that all organizations should engage in some form of active compliance training.' See 'Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines' (Oct. 7, 2003), p. 71.

Not only must an organization provide training on subjects related to compliance and ethics to all employees, including directors, executives and even third-party agents (as appropriate); that organization should design that training to convey 'information appropriate to … individuals' respective roles and responsibilities.' ' 8B2.1(b)(4)(A). Merely providing the exact same training to everyone ' executives, clerks, accountants and shop-floor workers ' will not satisfy the standards detailed in the 2004 Changes. In fact, such an untailored approach might suggest to prosecutors that the organization has created a mere 'paper' program unworthy of the benefits available in the Sentencing Guidelines. See the memorandum dated Jan. 20, 2003, by Larry D. Thompson, Deputy Attorney General, entitled 'Principles of Federal Prosecution of Business Organizations' (Thompson Memo): 'Prosecutors … should attempt to determine whether a corporation's compliance program is merely a 'paper program' or whether it was designed and implemented in an effective manner.'

Finally, an important consideration, in the eyes of prosecutors and courts, as to whether a program is effective is whether and when a firm voluntarily discloses to regulators and prosecutors instances of illegal conduct that it discovers as a result of the program. The 2004 Changes incorporate this factor in that an organization that 'delay[s] reporting the offense to appropriate governmental authorities' may not qualify for the sentencing reductions otherwise available for an effective program. See ' 8B2.1(f)(2). The entire organization must take proactive steps to: 1) identify noncompliant behavior; 2) correct such behavior when found; and 3) tell the government when it uncovers such behavior and the corrective steps it has taken.

Conclusion

Since promulgation of the Sentencing Guidelines in 1991, corporate compliance and ethics programs have multiplied and matured. Much of that growth resulted from those Guidelines and other related developments, such as the Caremark decision. The 2004 Changes promise to further instigate change and development of those programs. Much of that development likely will follow along the lines laid out by the Sentencing Commission. Some boards of directors have already begun to demonstrate a more proactive attitude. The need for greater accountability for the creation and operation of compliance and ethics programs and the deployment of effective compliance training among business organizations likely will continue.

Steven A. Lauer, Director, Integrity Research, for Integrity Interactive Corporation, works with the company's clients to stay abreast of developments regarding corporate compliance and ethics programs. Lauer spent over 13 years as an in-house attorney and over 6 years as a consultant to corporate law departments. He can be reached at [email protected] or 704-847-6430.