American Bar Association

ABA Section of Business Law


Volume 13, Number 1 - September/October 2003

The case for compliance
Now it's a necessity, not an option
By John J. Fons

Your client could be the next Enron. Ready for that? Think compliance.

With the new era of corporate fraud that began in the fall of 2001, all lawyers who counsel organizations need to question whether or not their clients have minimized the risks of being the next corporate disaster.

The federal government has responded to these high-profile cases of fraud.

On July 9, 2002, President Bush signed Executive Order 13271, establishing the Corporate Fraud Task Force. According to the Department of Justice (DOJ), "The Corporate Fraud Task Force has enjoyed tremendous success in bringing 'real time,' decisive criminal and civil enforcement action against those who have traded on their positions of trust to defraud their investors, their employees and the public."

On July 30, 2002, the Sarbanes-Oxley Act of 2002 (S-O Act) became law. This act is the federal government's furthest reach into how organizations govern themselves. While the legislation principally applies to publicly traded corporations, some provisions apply to all organizations, including the criminalization of a prohibition on retaliation against employees who cooperate with a government investigation (whether or not related to securities laws) and the expansion of what is considered to be the criminal destruction of documents to include destruction when an enforcement action is merely "contemplated."

In response to directives contained in the S-O Act, the Securities and Exchange Commission has issued a stream of new regulations, and on Jan. 25, the U.S. Sentencing Commission implemented emergency amendments to its Organizational Sentencing Guidelines (Guidelines), which were first issued in 1991. These amendments became permanent on April 18.

On Jan. 20, 2003, the DOJ issued revised Principles of Federal Prosecution of Business Organizations (Principles) to make clear that an organization's steps toward the "quick and effective exposure of the complete scope of wrongdoing under investigation" are considered by the DOJ when determining whether or not to prosecute, and to ensure that the corporate governance mechanisms in place "are truly effective rather than mere paper programs."

The American National Standards Institute (a private, nonprofit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system), at the suggestion of the Ethics Officer Association, proposed that the International Organization for Standardization (ISO) develop a business conduct management system guidelines standard, similar to ISO 9000 for quality management, and ISO 14000 for environmental management.

In its 2001 survey of senior executives, Spherion Corp. found that, for both in-house and outside counsel, the executives said that being the organization's ethics adviser was counsel's second most important role, and being the organization's compliance officer was counsel's fourth most important role.

Unfortunately for outside counsel, the executives rated their performance as "excellent" or "very good" only 31 percent and 25 percent of the time, for those two respective roles. In-house counsel did much better, receiving an "excellent" or "very good" rating 92 percent of the time for the ethics officer role, and 87 percent of the time for the compliance officer role.

Before stating the business case for an effective compliance program, it may be helpful to review some common objections and how to respond to those objections.

"We already have policies, and have done training." While many organizations have some types of policies in place, many do not have all of the policies that they need. For example, it is common to have a "sexual harassment" policy. While prohibiting sexual harassment is important, harassment is also prohibited on the basis of a person's national origin, age, race, disability or any other status protected under applicable laws. Additionally, with the constantly changing law, every organization needs to refresh its compliance program.

Moreover, having policies in place, but not following them, may be worse than having no policy at all. If an organization has not looked at its policies in comparison to how it actually operates, it is setting itself up for disaster. Finally, if an organization does have an effective program in place, it needs to document its program, in order for it to get credit from a prosecutor, investor or director.

"We haven't had a problem, so we don't worry about litigation." A.k.a., "if it ain't broke, why fix it?" If an organization has not assessed its compliance with the law recently, it really has no idea if it is violating the law. As we all know, the "ostrich defense" seldom worked in the past, either in a court of law or the court of public opinion. In light of the developments since the fall of 2001, the ostrich defense no longer works at all. To reduce the likelihood of a violation, to reduce the severity of any violation and to reduce the punishment for any violation, an effective compliance program is an essential business practice.

"But if you find something, we will have to fix it." Any organization aspiring to be successful in today's marketplace must demonstrate its commitment to best business practices. Failing to assess whether or not a problem exists is like a person who doesn't go to the doctor because the person doesn't want to learn what is wrong. Discovering a problem before a prosecutor does will always cost less. Failing to respond to a problem that is discovered is akin to letting a roof leak: At first the leak is small, but over time, the roof will collapse. The cost of fixing the roof will be dwarfed by the cost of repairing damaged machinery and equipment, as well as the disruption of operations.

"Only the big companies need to do these programs." Certainly the big organizations need these programs, but the smaller companies need them just as much, even if privately held. Many big organizations have a long-term commitment to compliance and so are much less likely to violate the law. The Guidelines apply to all organizations with two or more employees. The Guidelines do recognize explicitly that the compliance program of small organizations can be more informal than the programs put in place by large organizations. The difference between small and large organizations is a matter of degree, and is not clearly defined.

"We need to focus on making money in this economy, and we have nothing in the budget for a program." In this era of reductions in force, the likelihood of having a dreaded "disgruntled former employee" who reports a former employer to the government is extremely high. Prosecutors, who previously may not have wanted to take on the complexities of white-collar fraud cases, have seen the success of the case against Arthur Andersen, as well as the publicity given to other prosecutors. They are now very motivated to take such cases.

With the losses that investors have endured over the past few years, they are looking for a way to recover some of those losses. The pressure on business managers to "make their numbers" creates an environment in which compromises might easily be made. Finally, few organizations put into their budgets the costs of responding to a charge by the DOJ. It's easier to find resources to build or update a compliance program at a reasonable pace than to respond frantically to a charge.

"How much cost and disruption will such a program cause?" The next portion of this article answers this concern.

The following business case identifies the benefits versus the costs of a compliance program:

For publicly held corporations, with the passage of the S-O Act, having no compliance program is, for all practical purposes, no longer an option. Failure to have such a program may result in the corporation being de-listed from the stock exchanges. The corporation must report to the SEC the absence of a program, and the reasons for the absence.

For publicly held corporations now, the only real question is how extensive the compliance program should be. As the Guidelines and Principles require a program to be "effective," the compliance program must be more than a "mere paper" program; it must be a living, breathing program. It must reflect the commitment of the board and senior management to having an effective compliance culture.

For privately held organizations, there is no "requirement" to have such a program. Likewise, there is no requirement that an organization be certified as being ISO 9000 or ISO 14000 compliant. The same reasons organizations choose to get such certifications apply here: having an effective compliance program is a best business practice.

An effective compliance program will:

  • Significantly reduce the likelihood of a violation of law. Identifying those areas of an organization's operations that expose it to the risk of a violation of law, determining the organization's standard of behavior, communicating that standard of behavior, and giving employees the tools to operate legally (through training), will minimize the risk of a violation.
  • Lower the costs of a violation. With an effective program in place, an organization will likely discover violations much sooner, allowing it to minimize damages. Its directors and officers will have significantly less risk of being criminally charged with violations. The DOJ (through the Principles), and other governmental agencies — such as the Environmental Protection Agency, the Equal Employment Opportunity Commission and Occupational Safety and Health Administration — promote self-reporting and prompt remedial action by allowing such reporting and action to affect the decision to charge an organization, its directors or officers.
If a charge is brought, the Sentencing Guidelines explicitly provide for a reduction in penalties if an effective program is in place. In the employment context, under the Supreme Court's Farragher, Ellerth and Kolstad decisions, an organization with effective policies, training and a reporting mechanism has greater protection from certain types of harassment. Under Delaware's Caremark decision, the presence of an effective program may shield directors from personal liability.
  • Help build a values-based culture. A survey of employees by Blessing White Inc. found that employees of organizations that have intentionally established a value-based culture are more likely to be proud to work at their organizations (85 percent) than employees at other organizations (66 percent). According to the survey, the payoff for intentionally establishing a value-based culture is alignment between employees and management when making decisions.
A values-based culture drives behavior — doing the "right thing" when policies don't address an issue, as well as creating better brand awareness and a positive "buzz." An example of a values-based culture is Southwest Airlines.
  • Satisfy the requirements of an organization's customers. More and more companies who buy goods and services from other companies are demanding that their suppliers have effective compliance programs in place and are auditing to assure the effectiveness of those programs. Lacking a program — or having an ineffective program — may freeze an organization out of a major market.
  • Reduce the cost of capital for organizations. The losses suffered by investors because of an organization's failure to have an effective program have caused pension funds, mutual funds, insurers and other major investors to increasingly demand the presence of an effective compliance program.
  • Aid in attracting high-quality directors and in placing D&O insurance coverage for those directors. Directors are exposed to personal liability under Delaware's Caremark decision. Failing to have an effective program may drive away current directors and discourage prospective directors. Additionally, D&O premiums have significantly increased. Demonstrating the presence of an effective compliance program will help an organization negotiate a reduction in its rates.
  • Be a required business practice. The growing globalization of business, as well as the globalization of compliance problems, means that organizations outside the United States are affected as well. To respond to this situation, the ISO is, almost certainly, going to issue a business conduct standard.
"OK," says your client, "but what will this cost?"

One size doesn't fit all when considering compliance programs. The program must reflect the culture of the organization, as well as its size, business risks, complexity, industry, history and geographic scope. Remember, the Guidelines explicitly anticipate that small organizations will have more informal programs. Given that each program must be custom-fitted to the organization, it is not possible to provide generalizations about costs, but it is possible to provide a framework for determining the costs.
  • An organization's risk of committing a violation of law must be assessed. That will require that documents (such as policies and procedures currently in place) are reviewed, key employees and officers interviewed, and a compliance committee is formed. A report on the results of these activities should be prepared and presented to both the senior management and to the board of directors. Cost: similar to due diligence efforts prior to determining whether or not to make an acquisition.
  • The overall plan for the compliance program must be constructed, beginning with the development of a code of conduct. This code will need significant suggestions from the board and senior management, and must be suitable to, and reflect the values of, the organization. Cost: measured primarily in the time that the board and senior management spend, along with the costs of any staff or consultants used. If done as part of the organization's strategic planning process, the costs of creating the code of conduct should be minimal.
  • When the code has been completed, someone within the organization must be designated to have overall responsibility to oversee compliance. Cost: if this person is only assuming compliance as an additional role, then an organization's cost for this component may be little or nothing. On the other hand, there are now more than 800 ethics officers in the Ethics Officer Association, "a professional association of practitioners in the field of business ethics, supported by many Fortune 500 companies." In today's environment, the roles of compliance/ethics officers are only going to expand. For most mid-sized organizations, at least one dedicated compliance professional is likely to be needed.
  • The organization needs to communicate the code of conduct as well as the identity of the person designated with overall compliance responsibilities. It also needs to train its employees. Cost: depends on the risk assessment. While some types of training, such as employment law, need to be given to all employees, other types of training, such as training on the Foreign Corrupt Practices Act, need to be given only to employees whose duties could expose the organization to violations of such a law.
Training can be accomplished in a variety of ways, which have different costs: in person (employee to employee, or outside sources to employee), or electronically. In-person training can be "stand alone" (classes for that sole purpose) or can coincide with other gatherings, such as sales meetings and trade shows.
  • After the program is "rolled out" to the employees, the organization must have a method to "audit" the program's effectiveness. That will require establishing a base line, as well as a program to audit participation and behavioral change. Cost: depends on whether or not it is performed internally. During the risk assessment stage, the committee should establish the base lines. Thereafter, the organization's compliance officer, internal auditors, or in-house legal staff can measure the effectiveness. If those don't exist, or are unavailable, outside sources are available.
  • Under the S-O Act, as well as the Farragher, Ellerth and Kolstad decisions, a means for complaints to be raised without the fear of retaliation is essential. Internal complaint procedures, a hotline or an ombuds program can accomplish this. The hotline and ombuds can be manned internally or externally. Cost: depends on the number of employees.
  • Should a complaint be raised, the organization will need to investigate promptly. An outside party may better perform this process, as internal investigation can be emotionally difficult and the attorney-client privilege might protect the investigation, but care must be taken to not violate the Fair Credit Reporting Act. Cost: depends on the number of the complaints, as well as the complexity of the complaints.
If the complaint is deemed to be valid, the costs of responding can be very high, but not as high as the costs of not responding. The organization must determine if an employee needs to be disciplined, and whether or not to self-report to the government. The costs for this portion are determined by the situation. The costs of failing to discipline a person who has violated a law or policy will be the response of the government, damage to the morale of the organization's employees as well as damage to the organization's image. The cost of self-reporting is that the government may assess a penalty for a violation that it might have never discovered.

Conversely, if the organization does not self-report and the government later discovers or is alerted to the violation, the organization will get little, if any, credit for its compliance program. Additionally, whether a violation of law or policy occurs with a lower level employee or with the president, the organization must be consistent in its response. Failure to do so exposes the organization to claims of disparate treatment.

  • Finally, a compliance program cannot be a one-time exercise. At least annually, the committee, together with the board and senior management, must re-examine the program, and determine what portions of the program need updating. Clearly, training is a continuing process. Cost: If the organization has built an effective program, the re-examination should be much less than the initial costs of the risk assessment.

Of course, in order for the organization to get credit for all of its work, it is essential that all of its efforts be well documented. This is a common business practice and should add little cost.

In today's environment, every organization must have an effective compliance program. Such a program is no longer just for large organizations, and is as essential to a business as having liability insurance. In fact, an effective compliance program will actually decrease an organization's risks. Having no compliance program — or an ineffective program — will generate no sympathy with investors, employees and the public, let alone the prosecutors.

An effective compliance program is not just a best business practice — it is an essential business practice.


Fons is president of Law Serve, LLC, in Milwaukee. His e-mail is fons@lawservellc.com.
