Faced with a significant increase in penalties assessed by regulatory agencies around the world and the potential for imprisonment of top-ranking officials, the boards of directors and top management of most large international conglomerates have realized that an “effective compliance and ethics program,” including a Chief Compliance Officer reporting directly to the boardroom, is no longer just a “smart option” - it is a necessity.
The question is: Do small and medium-sized companies with operations primarily located within the United States share this need?
The prudent and proactive response is that regardless of size, all organizations with operations subject to regulation enforced by criminal sanctions should strongly consider developing a formal compliance program appropriate for its size and operation.
What is an “Effective Compliance and Ethics Program”?
The blueprint for an effective compliance and ethics program can be found in the sentencing guidelines for organizations adopted by the U.S. Sentencing Commission in 1991. These guidelines allow lenient treatment for organizations that have a program demonstrating diligence in preventing and detecting criminal behavior and promoting an organizational culture of ethical conduct and compliance with law.
The guidelines specify several criteria for such a program, including:
- Establishment of “standards and procedures to prevent and detect criminal conduct,”
- Diligent oversight of the program content and operation by the board of directors or other governing authority,
- Assignment of overall responsibility for the program to specific high-level individual(s) who report directly to the board with respect to the program,
- Effective communication and training for company personnel on the purpose and requirements of the program,
- Reasonable steps to ensure the program is being followed (such as internal audits) and periodic evaluation of the program’s effectiveness,
- A publicized system that allows employees and agents to report criminal conduct anonymously and without fear of retaliation,
- Consistent promotion and enforcement throughout the organization, including incentives for compliance and disciplinary measures for criminal conduct or failure to take reasonable steps to prevent or detect criminal conduct,
- Reasonable steps to respond appropriately to any criminal conduct that may be detected and adjust the program as needed to prevent further similar conduct, and
- Periodic assessment of the company’s risk of criminal conduct and appropriate adjustment of each element of the program design and implementation as needed to reduce the risk of criminal conduct.
Although it originated in the U.S. Sentencing Commission guidelines, the concept of rewarding an effective compliance and ethics program has since been incorporated into many non-criminal regulatory programs, such as environmental protection, as well as the laws of other countries impacting U.S. companies, such as the United Kingdom’s Anti-Bribery Act.
Does One Size Fit All?
In a word, no.
Although the same degree of commitment to ethical conduct and compliance is required of companies of all sizes, the official commentary to the guidelines acknowledges that smaller organizations may meet that requirement with “less formality and fewer resources than would be expected of large organizations.” Even for a small organization, however, the program must be consciously designed. The small organization must realistically assess its risk of criminal and civil violations and confirm that its customized program addresses all program elements identified by the guidelines. The organization must also ensure that its program can be implemented effectively, sustained over time and proven to regulators in the event of enforcement.
There needs to be vigilance for new regulatory and other requirements as they emerge so that adjustments in the compliance program can be made, There must be a genuine, active commitment originating from the top. Some tasks can be delegated, but if top leadership does not show an interest, the program’s significance is seriously undermined.
Are the Benefits Tangible?
An effective compliance and ethics program helps recognize and manage civil and criminal compliance risks that could devastate the organization’s bottom line, if not the organization itself.
Even the best compliance program may be unable to assure compliance by all employees all the time. Misconduct by one individual can trigger civil or criminal enforcement against the entire organization. The existence and effectiveness of an organization’s compliance and ethics program, even if it fails to prevent a particular violation of law, is a major consideration taken into account by prosecutors and agencies when deciding whether to:
- take enforcement action against the organization,
- pursue criminal sanctions instead of non-criminal ones, or
- bring charges against the organization’s high-level officers or directors.
An effective compliance and ethics program is becoming the standard of care expected of an organization’s top officers and directors. Providing such a program puts the organization, its officers and directors in a better position to defend shareholder and other litigation arising out of a significant enforcement matter.
Of critical importance: Compliance after enforcement has been triggered is almost always more costly and with fewer options than when it has been addressed proactively.
What Types of Compliance Risks Can Be Managed by an Effective Compliance and Ethics Program?
According to data collected by the U.S. Sentencing Commission, the offenses for which organizations are most frequently sentenced occur in companies of all sizes. In order of decreasing frequency, they are:
- environmental non-compliance
- tax violations
- competition law offenses
- food and drug violations
Beyond this, each business will have its own unique blend of compliance risks:
- Any organization involved in international trade must be concerned about risks including the Foreign Corrupt Practices Act, import and export trade regulation, international privacy laws, the Toxic Substances Control Act, and rapidly evolving human rights standards, among others. Added concern is spurred by counterparts of these laws and regulations in foreign countries involved in business transactions.
- Real estate development organizations must be concerned about laws regulating financing, environmental protection, and interaction with the state and local officials who must approve development plans.
- Banking, pharmaceutical, transportation, food, chemical and manufacturing industries have suites of laws enforced by civil and criminal sanctions that are unique to each industry.
The scope of an effective compliance and ethics program is risk-based. A greater degree of risk warrants a greater degree of effort to control it, and vice versa. For example, a local paving company is expected to comply with all applicable environmental requirements, but will not be expected to have the type of robust training and auditing programs likely to be required of a large chemical manufacturing concern.
Should Effective Compliance and Ethics Programs Address Liabilities Beyond Those Enforced by Criminal or Civil Sanctions?
The answer is yes. There are some ethics and policy compliance issues that can be as devastating to a company as criminal liability, and that can be effectively managed through a well-designed program.
Organizations that are dependent on their public reputation, such as charities, companies that do business with governmental entities, and major retail organizations, would benefit from a compliance and ethics program that addresses reputational risks just as it would address legal compliance risks. Sometimes companies may even have to choose between standing on their legal rights and addressing reputational harm. For instance, purchasing or selling goods manufactured in overseas sweatshops may comply with the law but may also damage a businesses reputation.
For additional information regarding the appropriateness, design and implementation of an effective compliance and ethics program or any related concerns, please contact Raymond M. Brown or Daniel Flynn, the authors of this Alert.