Global Corruption Enforcement

Of the nine areas the DOJ claims to evaluate when deciding whether to bring a criminal case against a business, it has focused on the effectiveness of compliance programs as a key surrogate in its decision-making process. The nine stated areas include: 1) seriousness of the crime; 2) pervasiveness of wrongdoing within the business; 3) history of similar misconduct; 4) voluntary disclosure; 5) existence and effectiveness of a compliance program; 6) remedial actions; 7) collateral consequences; 8) adequacy of individual prosecutions; and 9) adequacy of other remedies. The DOJ has recognized that “no compliance program can ever prevent all criminal activity” by employees, but it nevertheless intends to focus on compliance program “design and good faith implementation and enforcement” and whether the program promotes a “culture that encourages ethical conduct and a commitment to compliance with the law.”

Formal Programs

After the Federal Sentencing Guidelines laid out the benefits of having a compliance program, many well-intentioned companies adopted formalistic programs. However, certain “check-the-box” compliance programs were ineffective, inefficient, and drove a wedge between operations and the compliance personnel. Many of these initial programs were not designed to address a specific business's practices, needs, risks, and challenges. Further, the programs were not able to adjust with acquisitions, product launches, regulatory transformation, or global political changes. Thus, over time some compliance programs have become frustrating for operations and viewed as restraining productivity.

The problems with these initial compliance programs were numerous. When independent compliance departments were created, they were too far removed from the business functions and management. This led to a perception at some companies that the compliance personnel were policing business in an adversarial manner. Further, managers tended to see business functions as their responsibility, and compliance as the responsibility of the compliance department. Training implemented by compliance personnel tended to be formalistic and removed from real-world, industry-specific examples because it was not designed by operations. With increasing expectations from governments worldwide that companies manage risk effectively, moving to embedded processes and structures that focus on the value of business integrity can improve compliance and avoid some of the problems with older model programs.

Business Integrity Plans

In its guidance, the DOJ asserts that corruption is anti-competitive, increases the cost of doing business, inflates the cost of government contracts in developing countries, and introduces uncertainty into business transactions. In addition, directors and managers understand that corruption is bad for business and that an ethical culture with the appropriate “tone at the top” is important. One message that may have been forgotten is that companies can directly market integrity to gain an advantage. As counsel, expressly advocating for comprehensive embedded processes can reduce potential risk and exposure, and it can be a component of improving company stature and image. In turn, if company counsel should ever need to directly address the DOJ, it should be prepared to address governmental concerns at a level that should discourage intervention. Companies also need to consider that corruption is bad internally because it can undermine confidence in management and can cultivate employee self-dealing.

In 2011, the National Business Ethics Survey singled out “[e]thical culture” as “the single biggest factor determining the amount of misconduct that will take place in a business.” Such a finding, however, is not much help to businesses that want to take affirmative steps to improve compliance. Embedding compliance means establishing incentives, penalties, and transparent processes that reward and punish employees on integrity based issues.

Companies can start by integrating compliance programs into business functions and decision-making. Encourage the following steps: appoint and rotate compliance officers from within business units; require managers to incorporate compliance in daily decision-making; increase individual accountability; place compliance-related requirements in performance plans; and staff compliance committees with individuals from varied business units.

In addition, companies should enact concise, communicated, accessible, and attainable codes of conduct. The code needs to be applied uniformly to all employees. The code and all compliance procedures should be developed based on the company's business model, including its products and services, third-party agents, customers, government interactions, and industry and geographic risks. Not all businesses face the same risks, so it is wise to consult with counsel who understands your business sector, as well as the enforcement and regulatory environment. Companies should do risk assessments within divisions and business units to identify areas that present high-risk transactions and geographic locations and allocate resources accordingly, with a focus on high-risk transactions and locations.

The DOJ explained that “[d]evoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company's compliance program is ineffective.” Also, “performing identical due diligence on all third-party agents, irrespective of risk factors, is often counter-productive” as it diverts resources and attention away from high-risk areas. Simply put, companies should be less concerned with technical compliance and legal ambiguities, and more concerned with reflecting good business judgment, proper intentions, and a desire to do business with integrity.

Management must invest in the process to embed principles and practices into their daily lives. After educating management on existing laws, the regulatory landscape, and enforcement trends, have the business units in key areas compile lists of high risk activities and warning signs. After evaluation, focus integrity training programs around these lists and update the process based on new discoveries. Employee training should be based on key principles (e.g., financial integrity, record-keeping, sound business judgment, and promoting integrity to gain business advantage) with industry specific examples. Ask management how to design processes that eliminate frustration with compliance bureaucracy and try to develop ownership in values-based decision-making.

When an issue arises, companies need to fully and expeditiously investigate. If integrity violations occurred, those responsible should be disciplined and the responsible business unit needs to address the risk by identifying the root cause and any systemic weaknesses.

Conclusion

The primary goal of compliance should be establishing and fostering a compliance culture. Only secondarily should companies consider how effective plans can serve to assist in the event of a government investigation. The idea of proving up the effectiveness of compliance programs in the face of an investigation may seem counterintuitive. However, companies that are prepared can substantially reduce expense and overall risk by establishing the effectiveness of embedded compliance program

Kirk Ogrosky and Jeffrey Hessekiel are members of the White Collar Criminal Defense and FDA/Healthcare Practice Groups at Arnold & Porter LLP. Prior to joining the firm, Mr. Ogrosky was the head of healthcare fraud enforcement in the Criminal Division of the U.S. Department of Justice from 2006 to 2010, and Mr. Hessekiel was the Chief Compliance Officer of Gilead Sciences Inc. from 2007 to 2012.

Editor's note: Counsel, directors and managers of multinational companies that have corporate compliance programs and codes of conduct in place may think the company has done all it can to reduce the risks posed by potential corrupt employee actions. But these things may not go far enough to decrease the risks of corporate liability. Instead, as the authors noted in the first part of this article, it is wiser to embed compliance doctrine within operations. They conclude their discussion herein.

U.S. Enforcement

FCPA enforcement is different than most federal criminal laws. First, the FCPA is enforced by the Fraud Section (FRD) of the DOJ Criminal Division in Washington, DC. At its discretion, the FRD may delegate authority to any U.S. Attorney's Office to join an investigation and prosecution. Otherwise, it is a limited group of prosecutors at main justice handling the cases.

Of the nine areas the DOJ claims to evaluate when deciding whether to bring a criminal case against a business, it has focused on the effectiveness of compliance programs as a key surrogate in its decision-making process. The nine stated areas include: 1) seriousness of the crime; 2) pervasiveness of wrongdoing within the business; 3) history of similar misconduct; 4) voluntary disclosure; 5) existence and effectiveness of a compliance program; 6) remedial actions; 7) collateral consequences; 8) adequacy of individual prosecutions; and 9) adequacy of other remedies. The DOJ has recognized that “no compliance program can ever prevent all criminal activity” by employees, but it nevertheless intends to focus on compliance program “design and good faith implementation and enforcement” and whether the program promotes a “culture that encourages ethical conduct and a commitment to compliance with the law.”

Formal Programs

After the Federal Sentencing Guidelines laid out the benefits of having a compliance program, many well-intentioned companies adopted formalistic programs. However, certain “check-the-box” compliance programs were ineffective, inefficient, and drove a wedge between operations and the compliance personnel. Many of these initial programs were not designed to address a specific business's practices, needs, risks, and challenges. Further, the programs were not able to adjust with acquisitions, product launches, regulatory transformation, or global political changes. Thus, over time some compliance programs have become frustrating for operations and viewed as restraining productivity.

The problems with these initial compliance programs were numerous. When independent compliance departments were created, they were too far removed from the business functions and management. This led to a perception at some companies that the compliance personnel were policing business in an adversarial manner. Further, managers tended to see business functions as their responsibility, and compliance as the responsibility of the compliance department. Training implemented by compliance personnel tended to be formalistic and removed from real-world, industry-specific examples because it was not designed by operations. With increasing expectations from governments worldwide that companies manage risk effectively, moving to embedded processes and structures that focus on the value of business integrity can improve compliance and avoid some of the problems with older model programs.

Business Integrity Plans

In its guidance, the DOJ asserts that corruption is anti-competitive, increases the cost of doing business, inflates the cost of government contracts in developing countries, and introduces uncertainty into business transactions. In addition, directors and managers understand that corruption is bad for business and that an ethical culture with the appropriate “tone at the top” is important. One message that may have been forgotten is that companies can directly market integrity to gain an advantage. As counsel, expressly advocating for comprehensive embedded processes can reduce potential risk and exposure, and it can be a component of improving company stature and image. In turn, if company counsel should ever need to directly address the DOJ, it should be prepared to address governmental concerns at a level that should discourage intervention. Companies also need to consider that corruption is bad internally because it can undermine confidence in management and can cultivate employee self-dealing.

In 2011, the National Business Ethics Survey singled out “[e]thical culture” as “the single biggest factor determining the amount of misconduct that will take place in a business.” Such a finding, however, is not much help to businesses that want to take affirmative steps to improve compliance. Embedding compliance means establishing incentives, penalties, and transparent processes that reward and punish employees on integrity based issues.

Companies can start by integrating compliance programs into business functions and decision-making. Encourage the following steps: appoint and rotate compliance officers from within business units; require managers to incorporate compliance in daily decision-making; increase individual accountability; place compliance-related requirements in performance plans; and staff compliance committees with individuals from varied business units.

In addition, companies should enact concise, communicated, accessible, and attainable codes of conduct. The code needs to be applied uniformly to all employees. The code and all compliance procedures should be developed based on the company's business model, including its products and services, third-party agents, customers, government interactions, and industry and geographic risks. Not all businesses face the same risks, so it is wise to consult with counsel who understands your business sector, as well as the enforcement and regulatory environment. Companies should do risk assessments within divisions and business units to identify areas that present high-risk transactions and geographic locations and allocate resources accordingly, with a focus on high-risk transactions and locations.

The DOJ explained that “[d]evoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company's compliance program is ineffective.” Also, “performing identical due diligence on all third-party agents, irrespective of risk factors, is often counter-productive” as it diverts resources and attention away from high-risk areas. Simply put, companies should be less concerned with technical compliance and legal ambiguities, and more concerned with reflecting good business judgment, proper intentions, and a desire to do business with integrity.

Management must invest in the process to embed principles and practices into their daily lives. After educating management on existing laws, the regulatory landscape, and enforcement trends, have the business units in key areas compile lists of high risk activities and warning signs. After evaluation, focus integrity training programs around these lists and update the process based on new discoveries. Employee training should be based on key principles (e.g., financial integrity, record-keeping, sound business judgment, and promoting integrity to gain business advantage) with industry specific examples. Ask management how to design processes that eliminate frustration with compliance bureaucracy and try to develop ownership in values-based decision-making.

When an issue arises, companies need to fully and expeditiously investigate. If integrity violations occurred, those responsible should be disciplined and the responsible business unit needs to address the risk by identifying the root cause and any systemic weaknesses.

Conclusion

The primary goal of compliance should be establishing and fostering a compliance culture. Only secondarily should companies consider how effective plans can serve to assist in the event of a government investigation. The idea of proving up the effectiveness of compliance programs in the face of an investigation may seem counterintuitive. However, companies that are prepared can substantially reduce expense and overall risk by establishing the effectiveness of embedded compliance program

Kirk Ogrosky and Jeffrey Hessekiel are members of the White Collar Criminal Defense and FDA/Healthcare Practice Groups at Arnold & Porter LLP. Prior to joining the firm, Mr. Ogrosky was the head of healthcare fraud enforcement in the Criminal Division of the U.S. Department of Justice from 2006 to 2010, and Mr. Hessekiel was the Chief Compliance Officer of Gilead Sciences Inc. from 2007 to 2012.