Does investing in a corporate ethics and compliance program to reduce the likelihood of future regulatory fines or penalties make good business sense?
The leaders of many companies seem to think so, and the ethics and compliance profession is booming as never before. But the assumption that underlies those investments is not as straightforward as its appears, and compliance personnel can find themselves between a rock and a hard place even as they work to implement solid programs. The rock: federal prosecutors; the hard place: executive leadership.
The U.S. Sentencing Guidelines, which originated in the 1980s, are the foundation for corporate ethics and compliance programs. The Guidelines indicate that organizations that implement effective ethics and compliance programs will get tangible benefits in the form of reduced penalties, fines, and sanctions if they ever face federal criminal charges down the road. In their current form, the Sentencing Guidelines lay out the basic elements for an effective compliance and ethics program for organizations. They have been a major factor in the development of ethics and compliance as an essential component of corporate governance.
Corporate fines and penalties are a significant risk factor to consider in conducting business. The size of settlements of corporate wrongdoing negotiated in New York alone is such that U.S. Attorney for the Southern District of New York Preet Bharara has described his office as a major profit center for the federal government. Just look at the nearly $9 billion in combined state and federal penalties recently assessed on French banking giant BNP Paribas for the bank’s illicit work for Sudan, Iran, and Cuba.
Even the relatively paltry $3 billion in fines imposed during the last five years by Department of Justice prosecutors under the Foreign Corrupt Practices Act has a major effect on the companies involved. Adding to the risk, FCPA and other criminal prosecutions frequently get personal for executives. The Justice Department’s recent indictment of five executives of Direct Access Partners (including the former general counsel) for paying bribes in Venezuela, are in line with the watchdog’s ongoing focus on prosecuting executives.
For many executives, good ethics and compliance are part and parcel of corporate values and identity, as well as a means of protecting shareholder value—and their careers—from devastating consequences in the event something goes wrong. But the leniency enshrined in the Sentencing Guidelines has proven illusory in practice and increased the burdens and pressure on in-house compliance teams.
Mind the Gap
What does an effective program under the U.S. Sentencing Guidelines look like? Thousands of prosecutions later, nobody really knows. The goalposts are constantly rolling away from the end zone. Take, for example, “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” published in 2012 by the Justice Department and the Securities and Exchange Commission. Although the FCPA Resource Guide represents a prodigious effort and was intended to be helpful in setting standards for ethics and compliance programs in this area, it also illustrates the problem facing compliance professionals.
What does an effective program under the U.S. Sentencing Guidelines look like? Thousands of prosecutions later, nobody really knows. The goalposts are constantly rolling away from the end zone.
The Guide advises on the need for institutions to translate their Code of Conduct “so that employees in foreign subsidiaries can access and understand it” (page 59). Every employee? Every subsidiary? Every language? What if only two employees speak Kazakh? And one turns out to have violated U.S. law? The Guide further recommends that corporate training programs use different hypotheticals for sales professionals, accounting staff and other groups. But if your training lacks hypotheticals for human resources personnel (or does include some hypotheticals, but not any similar to corruption that occurs) and they fail to spot an anti-corruption issue, is your program nonetheless “effective”?
At a recent conference on FCPA compliance, an SEC attorney from the Enforcement Division specified “data analytics” as a key component of a company’s internal controls—a topic not mentioned in the Resource Guide. The implication is that a compliance program lacking data analytics could be flawed in the eyes of the government if something goes wrong. Ideally, the government truly is trying to help by suggesting these measures. The effect in the real world, however, is to create more, not less, uncertainty.
At the same time that they provide direction and input on compliance programs, government speakers almost always caution that implementing these or other specifications they espouse doesn’t guarantee a tangible reduction in corporate liability; only that such efforts will be taken into account. Just how far into account isn’t clear, as the leaders at Johnson & Johnson found when they paid a $77 million penalty in 2011 for FCPA violations despite having a widely regarded compliance program. Or when General Electric, generally viewed as the gold standard in the ethics and compliance area, paid $23 million in 2010 to the Securities and Exchange Commission for oil-for-food related FCPA problems in some subsidiaries.
GUEST COLUMNIST BIO
Susan Divers is a senior advisor to the Ethisphere Institute, a leading international think tank dedicated to advancing best practices in ethics. Prior to joining Ethisphere in January 2015, Divers served as AECOM’s assistant general for global ethics & compliance and chief ethics & compliance officer. Under her leadership, AECOM’s ethics and compliance program garnered six external awards in recognition of its effectiveness and Divers’ thought leadership in the ethics field. In 2011, she received the AECOM CEO Award of Excellence, which recognized her work in advancing the company’s ethics and compliance. Divers’ background includes more than thirty years’ experience practicing law in these areas. Before joining AECOM, she worked at SAIC and Lockheed Martin in the international compliance area.
Prior to that, she was a partner with the D.C. office of Sonnenschein, Nath & Rosenthal. She also spent four years in London and is qualified as a solicitor to the High Court of England and Wales, practicing in the international arena with the law firms of Theodore Goddard & Co. and Herbert Smith & Co. She also served as an attorney in the Office of the Legal Advisor at the Department of State and was a member of the U.S. delegation to the United Nations, working on the first anti-corruption multilateral treaty initiative.
Divers is a member of the D.C. Bar and a graduate of Trinity College, Washington D.C., and of the National Law Center of George Washington University. In 2011, 2012, 2013, and 2014 Ethisphere Magazine listed her as one the “Attorneys Who Matter” in the ethics & compliance area. She is a member of the Advisory Boards of the Rutgers University Center for Ethical Behavior and the New York Stock Exchange Governance Group.
In 2012 prosecutors heralded a Morgan Stanley FCPA case, where they declined to prosecute the company, as proof that the Sentencing Guidelines work. They noted that the rogue employee in Hong Kong paying bribes to Chinese officials had been trained on FCPA matters no less than seven times, several times in person, an unrealistic standard for most companies. In that case, the errant employee deserved punishment, but not Morgan Stanley for all its efforts to keep that person on the right side of business.
The Best Practices Trap
Chief ethics and compliance officers are besieged by an array of experts happy to help in the quest for an “effective” compliance program. These include law firms and accountants, plus those selling integrated solutions, tracking tools, online training, enterprise risk management, data analytics, benchmarking, hotline outsourcing, newsletters, policy module development, risk assessments, conferences, due diligence products, and more. The experts are out to convince CECOs that they must implement the latest best practice or system to avoid regulatory Armageddon should the government come calling.
Many of the compliance products and services are useful, and can save time and money in the long run—as well as mitigate risk, if implemented thoughtfully. But government’s ambiguous and evolving standards and uncertain rewards for good behavior have placed the goal of an “effective” compliance program just out of reach. Spending your way there isn’t going to work.
The Rock and the Hard Place
Neither the general counsel nor the compliance team can or should guarantee that their program is perfect and has no gaps, as the standards by which it may be evaluated are neither fixed nor transparent. Company leadership should not ask them to do so. The focus should be on creating and sustaining a good program that is workable in practice, not a perfect one on paper.
Plan for the worst while expecting the best. More and more companies are responding to informal “inquiries” by prosecutors, frequently fueled by whistleblowers seeking huge rewards. No matter how strong your ethics and compliance program, it will not preclude the need for a vigorous and robust defense if prosecutors start asking questions. Proving a negative can be expensive and unfair, but necessary to avoid a fine, penalty or indictment. Smart, prudent CEOs will plan for this contingency, as they would for any other and be prepared to deal with it.
Setting realistic expectations can help eliminate a panic response or overnight makeovers to existing compliance programs that turn out badly and cost too much. Just as long-term corporate planning to upgrade IT or financial reporting systems makes sense, so do regular upgrades and budgeting for compliance systems as part of the corporate infrastructure.
Chief ethics and compliance officers must bridge the gap between the Sentencing Guidelines’ demand for an “effective” compliance program and the real world where the challenges and costs of sustaining a solid program are significant and the rewards uncertain. Company leadership and ethics and compliance officers need to be frank with each other about these challenges to avoid mismatched expectations or conflicts down the road.