Attention to the company culture is a must following a compliance failure
Originally appeared in InsideCounsel on May 26, 2015.
In December 2008, the U.S. Department of Justice (DOJ) and German regulators announced a $1.6 billion settlement in the Siemens case, $450 million of which was paid to DOJ, blowing all prior records in foreign bribery prosecutions. In the years that followed this settlement, the company conducted a very public overhaul of its management structure and global compliance organization. Those efforts involved a number of significant changes to Siemens’ operations, aimed at reinforcing throughout the company the board’s and management’s determination to operate the business in an ethical and compliant manner. It has since been reported that Siemens is more profitable than it was before, suggesting that investing in and communicating a strong compliance culture does not hurt profitability and may, by enhancing corporate reputation and employee morale, improve it.
For many corporations’ board members and managements, the Siemens bribery prosecution was a “let’s get serious” moment. Some initiated formal assessments of the risk of a similar crisis occurring within their own organizations. Many learned from that effort that it takes more than instituting complex compliance structures to address compliance risk. To prevent compliance failures, a company must be prepared to change the culture and ensure that company employees are properly focused on doing business with ethics and integrity. According to Siemens’ chief executive, “[o]perational excellence and ethical behavior are not a contradiction of terms. We must get the best business—and the clean business.”
Where does a company start after a significant compliance failure? An independent and thorough investigation, in many instances, will provide a roadmap for correction, by identifying rogue employees, failed internal controls and risks. But there is scant reason to think that a company and its employees will automatically learn from past mistakes. An overhaul of its business and compliance processes may be required, and attention to the culture is a must.
Top down and bottom up
To begin the process of recovery, a corporate board and senior executives must set a strong “tone at the top.” This is critical in a weak global economy and amid a push for business in emerging markets, where conduct is often governed by different legal standards. In this regard, senior management’s perceived and continued tolerance for misconduct can be devastating. A recent example involves a large U.S. retailer that reportedly, despite allegations that a division CEO was the key architect of a foreign bribery scheme, publicly extolled his virtues and gave him a promotion.
“Top” means very top: the board of directors. The U.S. Federal Sentencing Guidelines require boards to exercise reasonable oversight in connection with the implementation and effectiveness of the organization’s compliance and ethics program. The Delaware Chancery Court’s opinion in In re Caremark International Inc. Derivative Litigation confirmed a board’s fiduciary duty to oversee a corporate compliance program.
It is equally important to foster a culture and practice of listening to what is being said by rank and file employees. A staggering percentage of whistleblowers say that they reported suspected violations internally before going to the government. An effective system must be designed to ensure that complaints are heard and properly vetted.
Implement a strong compliance structure
Over the years, government regulators have made known their views about the components of an effective program. For example, according to prosecutors, one of Siemens’ essential modifications was to shift control and accountability for compliance to a chief compliance officer who reports directly to the general counsel and the chief executive officer. Any company serious about compliance that does not have a chief compliance officer should have one. Assuring that the chief compliance officer has the clear ability to report to the CEO and the board is equally important. Moreover, the compliance function in a major corporation, particularly one with global scope or ambitions, is not a one-person job. It is critical that sufficient resources be committed, both at headquarters and on the ground, so that subsidiaries and distant operations have a local compliance presence with clear communication lines to the chief compliance officer.
The U.S. Federal Sentencing Guidelines provide useful insight into what the U.S. government expects. Under these guidelines, to have an effective ethics and compliance program, an organization must act to prevent crime and promote an organizational culture that encourages lawful behavior. If a company is prosecuted, the severity of the potential penalty can be reduced if an effective compliance program was in place at the time of the misconduct.
Following the Sentencing Guidelines, other regulatory bodies have issued written guidance describing effective compliance programs and policies. However, it is not enough to have policies and a program. The FCPA Resource Guide, jointly published by the U.S. Securities and Exchange Commission and the DOJ, notes that:
A well-designed compliance program that is not enforced in good faith, such as when corporate management explicitly or implicitly encourages employees to engage in misconduct to achieve business objectives, will be ineffective. DOJ and SEC have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious signs of corruption.
A recent case in the Northern District of California federal court illustrates the point. Following a conviction on antitrust offenses, a federal judge sentenced AU Optronics (AUO), a Taiwan-based corporation, to three years’ probation and imposed a $500 million fine. As part of the sentence, the court required that AUO “develop, adopt and implement an effective compliance and ethics program.” The government recently accused AUO of violating the court’s directive. The government cited the company’s failure to hire a chief antitrust compliance officer and its board of directors’ failure to exercise the appropriate oversight over antitrust compliance. A hearing is currently scheduled for May 29.
AUO’s alleged compliance failures should be contrasted with Siemens’ successful implementation of its program. Based on Siemens’ efforts, as documented by a corporate monitor, the government concluded that the company had complied with the requirements of its plea agreement and its final judgment in the SEC civil action.
Training is key
It is not uncommon for companies experiencing a compliance failure to have had a training program in place. The failure is often perceived to suggest some deficiency in the program. Distributing an ethics policy, or even having periodic general lectures on compliance, is unlikely to create either a compliance culture or a sufficiently educated workforce. It is also unlikely to impress prosecutors in the event of a compliance failure.
In addition to straightforward explanations of the types of prohibited and expected conduct, employees should be given information designed to help them understand the reasons behind the compliance policy. Such training should also be tailored to the employees’ functions; “cookie cutter” web-based training will not suffice. For individuals in high risk positions, in-person training is ideal.
A compliance failure is likely to be expensive, even if the government does not pursue enforcement action. The money is not all wasted if the company takes the “opportunit[y] that comes from a good crisis” to invest in a stronger compliance function that is better suited to the company’s specific business and culture, as well as today’s ever-changing conditions. Effective leadership, clearly articulated standards, robust employee education, and user-friendly reporting lines might make the difference in the future between reporting questionable conduct by a colleague or external contact and ignoring or, worse, concealing it.