The inattention some companies pay to their ethics and compliance program never ceases to surprise us. You’d think the frequency of DOJ press releases and prosecutions holding companies accountable for employee wrongdoing would be enough to scare any business into directing more resources at prevention. But alas, many businesses, often over the protestations of their under-resourced Chief Ethics and Compliance Officers (CECOs), continue to think they can get by with a minimalist approach to ethics and compliance. Our experience suggests otherwise.
We have been advising companies on the need and importance of effective compliance programs since before they were considered a corporate responsibility. We have witnessed the evolution from corporate reluctance to invest in compliance programs, through the recognition that a compliance program not only is a legal obligation but an essential risk mitigation tool, to the emergence of organizational compliance as a profession unto itself. Sadly, we also have witnessed a certain compliance fatigue, as some companies have come to view compliance as a high overhead function whose value is difficult to measure. This fatigue has allowed some compliance programs to devolve into check-the-box paper exercises that provide no meaningful risk mitigation.
An effective ethics and compliance program, however, must be worth more than the paper it is written on. It requires a lot of thought, and not just traditional legal thought. In our experience, an effective ethics and compliance program requires as much behavioral science as it does legal skill and know-how.
One can see this in comments made by Assistant Attorney General Kenneth Polite at a recent program on Corporate Compliance and Enforcement. His words are worth heeding as they highlight the re-energized focus on the measurable effectiveness of ethics and compliance programs that we are seeing across the federal enforcement community. Here are a few key take-aways from AAG Polite’s recent remarks:
- DOJ expects “an effective corporate compliance program to be much more than a company’s policies, procedures, and internal controls.” DOJ expects to see programs that “(1) are well designed, (2) are adequately resourced and empowered to function effectively, and (3) work in practice.” (Our emphasis.) The focus on “adequately resourced and empowered” is important here. To be effective, a program must be risk-based and have sufficient staff, tools, and funding; and must be empowered by company leaders to take action. Such empowerment includes direct line of sight to the Board of Directors.
- DOJ will look at more than “dollars, headcount, and reporting lines” in assessing whether a program is adequately resourced and empowered. DOJ also will “review the qualifications and expertise of key compliance personnel and other gatekeeper roles.” According to AAG Polite, DOJ will “seek to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the company and is promoted as a resource.”
- DOJ expects companies to measure and test the effectiveness of their compliance programs. AAG Polite put it this way: “We are also interested in how a company measures and tests its culture—at all levels of seniority and throughout its operations—and how it uses the data from that testing to embed and continuously improve its ethical culture.” As discussed below, this is an area in which many companies are lacking. Even companies with high-quality programs often forget the importance of routinely testing and measuring their effectiveness. It’s also important to focus on AAG Polite’s use of the word “culture.” In our experience, culture is the primary element of an effective risk reduction program.
- In a significant departure from past DOJ statements, AAG Polite offered the following as a tool to further empower compliance personnel: “In order to further empower Chief Compliance Officers, for all of our corporate resolutions (including guilty pleas, deferred prosecution agreements, and non-prosecution agreements), I have asked my team to consider requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law (based on the nature of the legal violation that gave rise to the resolution, as relevant), and is functioning effectively.” AAG Polite went further: “In instances where a monitor is not imposed and a company is required to provide annual self-reports on the state of their compliance programs, we will consider requiring that the CEO and the CCO will also have to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete.” We expect these new certifications will accomplish DOJ’s goal of forcing companies to pay more attention to the guidance of their CECOs.
AAG Polite summed up his views this way: “Our message is clear – companies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the Department. Support your compliance team now or pay later.”
AAG Polite is not alone in the federal enforcement community in emphasizing the importance of corporate compliance programs. The SEC’s Director of Enforcement, Gurbir Grewal, has remarked on the importance of “proactive compliance,” and made clear the SEC would bring its significant enforcement resources to bear upon companies that have not taken adequate steps to mitigate risks before they cause harm.
Deputy Attorney General Lisa Monaco echoed these sentiments in an October 2021 speech in which she stated that a “corporate culture that fails to hold individuals accountable, or fails to invest in compliance — or worse, that thumbs its nose at compliance — leads to bad results.” Rescinding prior directives to federal prosecutors, she made clear that DOJ prosecutors are “free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations.”
These remarks by senior enforcement officials serve to remind us all that DOJ is not playing around when it stresses the importance of adopting an effective ethics and compliance program. Of course, this should not come as a surprise to anyone. The government long has emphasized the importance of effective compliance programs and continually has added incentives for companies to adopt them and increased punishments for failing to do so:
- Under the United States Sentencing Guidelines, organizations can receive a reduction in their culpability score if their compliance programs meet certain requirements. This means that a company may receive a lower fine in the event it is found to have violated federal law.
- Under the Principles of Federal Prosecution of Business Organizations, DOJ prosecutors are required to consider “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision.” Thus, an effective and sufficiently resourced compliance program may permit a company to mitigate the terms of a criminal resolution or avoid one altogether.
- Under the civil False Claims Act, the absence of an effective ethics and compliance program will be viewed as an element of “recklessness,” which is the key element that can turn a routine contract noncompliance into a civil fraud.
- Under FAR Part 9, a suspension/debarment official will evaluate a company’s existing ethics and compliance program and updated program to determine whether mitigating factors exist that counsel against an exclusion from federal contracting.
- Under FAR 52.203-13, a contractor that does not implement adequate internal controls, including an effective business ethics program, can be found to be in breach of its contract.
- The Defense Contract Audit Agency includes a review of a contractor’s internal ethics and compliance program as part of its standard business systems audit.
In short, the federal Government across the board is very focused on corporate ethics and compliance programs. And that means we all should be too.
There is no shortage of articles, blogs, and books — including guidance from DOJ itself — regarding the components of an effective ethics and compliance program. Some of these are very good, and we will not seek to reinvent that wheel here. We will, however, end with a few common mistakes we continue to see in even pretty good ethics and compliance programs in the hope that it will inspire readers to more deliberately kick the tires of their own programs.
- Inadequate attention to prevention. Company compliance programs often fail to adequately consider measures to prevent misconduct, choosing instead to focus on detection and investigation. One novel approach to prevention is active bystandership training, which goes beyond training personnel on their compliance obligations to train them how to intervene effectively to prevent prohibited conduct before it occurs. Such training is founded upon the successful ABLE model we helped create to teach police officers how to intervene when they see a fellow officer about to engage in improper conduct.
- Inadequate tailoring to evolving risks. It doesn’t take long for a compliance program to become stagnant or dated. Organizations often fail to consider the evolving and dynamic nature of business. Effective compliance programs should provide for periodic updates of the company’s risk assessment and associated tweaks to accommodate new or changing risk profiles.
- Inadequate attention to measuring effectiveness. As business management icon Peter Drucker observed, companies cannot manage what they do not measure. Measuring the effectiveness of any program is essential to know whether it is serving its intended purpose. That is certainly true of compliance programs. It is also key to demonstrating to the government that your compliance program does not just exist on paper, but works in practice. One method to test a compliance program is to periodically use a “secret shopper” approach to evaluate whether your employees understand the company’s compliance policies and expectations, and demonstrate the willingness and ability to enforce them in real time. Tabletop exercises can be another effective way to assess whether your compliance message has gotten through. After all, as one management consultant said, “Regardless of what you said, the message received is the message.”
- Inadequate attention to hotline patterns. Most company compliance programs incorporate some form of a hotline. And most programs have hotline response plans in place. But many do not include a provision for stepping back to analyze patterns in hotline complaints. Are more calls coming in from a certain division? A certain geography? In a particular risk area? Hotline data can be an invaluable source of information to help identify and mitigate risks.
There are more, but these are some of the most common.
These common errors are worth time and attention. The federal enforcement community has made clear that it views the effectiveness of a corporate compliance program as a critical element of an organization. DOJ has made clear that effective programs must be well-designed and tailored to updated risk assessments, and be adequately resourced. As DAG Monaco stated, “companies serve their shareholders when they proactively put in place compliance functions and spend resources anticipating problems. They do so both by avoiding regulatory actions in the first place and receiving credit from the government. Conversely, we will ensure the absence of such programs inevitably proves a costly omission for companies who end up the focus of department investigations.”
A wonderful Harvard Business Review article from 2018 noted that “While many firms continue to see ensuring compliance as a legal exercise, it is really much more a behavioral science. That assertion may make attorneys uncomfortable, but for compliance programs to have real impact, managers need to test what works and what doesn’t.” We’re attorneys and this doesn’t make us uncomfortable at all. Indeed, we founded our firm’s Organizational Integrity Group on precisely this premise. Risk is a product of your personnel’s decisions and actions. Viewing compliance and risk management as a purely legal exercise fails to address the whole problem. Reducing risk requires an understanding of and a sustained focus on human decision-making and human behavior combined with the right incentives (and disincentives) to direct human behavior to reduce risk.
By adopting such a holistic approach to ethics, compliance, and risk reduction, companies are far more likely to avoid the attention of the federal enforcement community, or, at least, render such attention less prolonged and painful.