Jump to Navigation | Jump to Content
American Bar Association

ABA Section of Business Law


Volume 13, Number 1 - September/October 2003

Is it really so hard?
The basics of corporate compliance can be traced back to kindergarten
    By Deborah House

Complicated corporate wrongdoing continues to shock. But it can be prevented, with simple rules.

In hindsight, the federal Organizational Sentencing Guidelines (Guidelines) issued in 1991, providing the carrot of reduced sentences for corporations with compliance plans, could probably be characterized as the response to a food fight of corporate wrongdoing. In contrast, the alleged corporate misdeeds of Adelphia, ImClone, Arthur Andersen, Enron, Tyco, WorldCom and the like, have necessitated a response to a schoolyard brawl.

As a result, corporations must now address a plethora of new requirements imposed by Sarbanes-Oxley and its offshoots. Moreover, the continued scrutiny of a clamoring press, probing regulators and an outraged public present a challenge to corporations like they have never faced before.

Not surprisingly, as a consequence there is a new and expanded interest in corporate compliance. Companies whose Guidelines-generated programs have been left to lie fallow or who limited their earlier compliance efforts, are back in the game in a very big way. The new legal standards are literally being tracked on ever-revised work charts so that they can be interpreted and implemented, even while newer ones continue to rise on the legal horizon.

But what will make this effort successful where others have failed or, at best, achieved mediocrity? After all, the transgressions presented by the most recent slew of scandals parallel those presented during the savings and loan crisis in the 1980s. The improper use of corporate funds and the engagement of flocks of imaginative accountants and their legal counterparts are sickeningly familiar. And the disregard for the public good that cost the S&L taxpayer in excess of $150 billion by 1999, has been replaced by the devastating loss of the public's savings, college and retirement funds, and its overall faith in the investment market.

What is different is that the message that didn't seem to come home to all of corporate America after the '80s, now seems to be doing so. Gordon Gecko's immortal phrase "Greed is good," is no longer an acceptable corporate mantra. Rather, it is understood that the very culture of the corporation, as it is experienced from the CEO to the receptionist, must reflect the simple, firm and clear message that the corporation must comply with the law and honor its ethical obligations because it is the right thing to do.

To have a culture that dictates otherwise ignores the lessons learned in train wrecks such as WorldCom, where it was observed that: "The fraud was the consequence of the way WorldCom's [CEO] ran the company. …[H]e was the source of the culture, as well as much of the pressure, that gave birth to this fraud." (Report of Investigation, Special Investigative Committee of the Board of Directors of WorldCom Inc., March 31, 2003).

But how is this simple message successfully incorporated into a corporation's culture so that a new, revamped or revitalized corporate compliance program is successfully hatched? By breaking it down into even simpler messages. Elementary messages. Even kindergarten-like messages.

As best-selling author Robert Fulgham noted, "Wisdom was not at the top of the graduate school mountain, but there in the sand pile..." (Robert L. Fulgham, All I Really Need to Know I Learned in Kindergarten: Uncommon Thoughts on Common Things 4 (1986). This article offers similar thoughts: rules for achieving corporate compliance that have their genesis in the sandbox.

Rule No.1: The message has to come from the top.Just as the teacher sets the classroom tone through words and actions, the corporate compliance message must also be set at the top.

The CEO must convey a message that employees who do not adhere to appropriate standards will be held liable for their failure to do so. Impermissible actions must result in meaningful sanctions including loss of compensation, demotion, suspension or termination.

Performance goals must also reflect that compliance is as important as production. "Making your numbers" is important. However, making them in an appropriate way is more important. Managers should be held responsible for conveying that message all the way down to the lowest level employee by not only talking the talk, but walking the walk. Appropriate company resources — budget, staff, systems, technology — must be dedicated to compliance. Training programs must be established with mandatory participation and testing for mastery as essential components.

The board must convey this same message, albeit with a twist. The board should also make it clear within the corporation and to its shareholders that it is an independent body that ultimately is both the legislator and adjudicator of compliance with legal and ethical standards to whom even the CEO must report. To do so, the board — and particularly the audit committee — must demonstrate that it is active, engaged, knowledgeable and available.

Rule No. 2: Keep it simple. Essential to the transmission of the message is that it must be simple and clear. Don't hit anyone. Don't take things that aren't yours. Share your toys. In the past, not all corporate activities or guidelines have been a study in coherence or cohesiveness. This must change in several respects.

First, the role of the compliance office in a large corporation (or that of a sole officer in a smaller entity), and its relationship to other corporate components must be made clear. The questions answered by the traditional organizational chart, such as who answers to whom, and how offices relate, is an important step in that direction.

Second, the scope of the office(r)'s duties must be made apparent. Is it legal matters, corporate ethics, human resources, or a little bit of all of the above? Is it legal advice, training, monitoring, enforcement or some of each of those as well? Answers to all of these questions matter to those who come into contact with the office and help determine its effectiveness.

Third, in all respects, employees should be made clearly aware of what is expected of them. Clear standards of conduct and other applicable policies and procedures must be made available. Standards should cite both the rules and examples of activities that break the rules. Information as to where advice regarding the standards may be obtained and how violations may be reported should be made clear. Employee certifications of adherence to the standards will be made more meaningful if standards are kept up to date and tied to training and testing.

Many companies that went wrong had great programs on paper. However, their failure to implement a real program does not justify throwing the paper out with the bath water. Written policies are still essential.

Rule No. 3: Learn the rules and play fair.Anyone who has ever coached a team of 5-year-old soccer players knows the importance of a basic understanding of the rules. The youngsters' games will only evolve from controlled riots to successful matches if they have this knowledge.

And so it is true for corporate compliance. All employees, top to bottom, must be trained in the standards that they must meet in order to assure that they know how to play fair. Today, that training may take numerous forms as after Sarbanes-Oxley the market is replete with a wide variety of training programs designed to address every need.

Care should be taken to keep training relevant. One size does not fit all. Courses must be tailored. A course in the general rules of sports will never substitute for knowing the rules of soccer if the corporation's mission is to play soccer. If the antitrust issues are different in one business unit than another, the training should recognize that distinction.

Materials should be customized. Case studies should be real. There should be simple conceptual handouts for future reference. Tapes and videos may be made available for later study. And the human element should not be lost. Software and Web-based study, although valuable, cannot take the place of live, subject-matter experts who are able to answer questions in both training and everyday business contexts.

Finally, once is not enough. To have an appropriate effect, regular systematized training must be the norm. Standards, personnel, business practices and experiences change. Even the most committed people simply forget. All of this must be acknowledged and addressed when creating a program.

Rule No. 4: Play well together.No corporate compliance program functions effectively in isolation. The compliance office(r) cannot have sole responsibility for corporate compliance. Rather, as must be spelled out in the message from the top, it is a part of everyone's duties. This plays out in numerous partnerships between the compliance office(r) and others in the corporation.

First, essential to the proper functioning of any corporate compliance plan are the lawyers with subject-matter expertise. Whether in-house or outside counsel, these lawyers are the ones who are serving in the trenches, working with the clients everyday. They are also interpreting and applying the laws — in short, establishing the appropriate legal standard. And they are also engaged in the day-to-day education of their clients and very valuable in designing more formalized training. Finally, they are able to provide essential insight in identifying, assessing and addressing risk.

Second, the heads of business practices must work closely with the compliance officer. Corporate compliance is not a stagnant legal standard. Rather, it is the living and breathing embodiment of the message from the top that must permeate the corporation's business core.

In the end, the business heads make the choice not to divide markets, nor enter into deceptive agreements, nor submit misleading financial figures, regardless of the short-term appeal of the result. The business heads convey and live the message from the top and make it "safe" for employees, without retribution, to raise concerns. Without their cooperation, even the strongest compliance program will fail. And their cooperation will only be secured if within the corporation's culture "doing it right" is as important as "making the numbers."

Third, internal auditors and their outside counterparts are an important part of the compliance team. In most instances, corporate compliance will not be staffed to conduct its own examinations and will need audit's assistance. Auditors are also experts in the establishment and analysis of process. Today's corporate compliance is often more about having good processes then engaging in "got you" activities.

Finally, the message from the top must be lived by the lowest level employee. Like the business heads, they too make the decision to comply in their everyday efforts. They must make the time to take the training that the corporation should afford them and then apply it. Employees also serve as the eyes and ears of the corporation. They must have the courage to point out wrongdoing and seek redress and the corporate compliance officer must make it safe for them to do so.

Rule No. 5: You have to work hard.Just as the kindergartner must first sit down and carefully grind out those misshapen letters in a crayon's uncertain scrawl, establishing a successful compliance program takes hard work and an enthusiastic and analytical attendance to task. Primary among those tasks must be to identify risk areas in the company and establish the standards for compliance.

Some of these will be obvious. A wide array of statutory and regulatory requirements generally apply to corporations — such as the antitrust, securities or employment laws. Applicable foreign requirements must be assessed as well. Other requirements may arise from the regulatory framework applicable to a corporation's specific business operations such as government contracting, or environmentally hazardous activities, or health care. Finally, the need for appropriate standards may arise from the common law or by remedial statute where matters such as consumer protection or patients' rights are being addressed.

While compliance in all applicable areas obviously must be achieved, establishing a priority of efforts based on risk assessment is fundamental. These priorities should reflect: (1) areas where there is incomplete compliance; (2) areas where a regulatory framework is pervasive and invasive; and (3) areas where, given the nature of the business, failures to comply are most likely to occur.

In making this assessment, the compliance office must work carefully with its partners. For any corporation, the compliance program's success will largely be based on a thorough understanding of the business at hand. These partners will be able to help the compliance officer acquire that vast knowledge.

Rule No. 6: Tell the truth.Compliance efforts should be designed to seek "the truth " (that is, what is really happening in the corporation), to make it safe to tell the truth, and to put processes into place that allow the truth to be told. Special attention will have to be given to creating specific internal reporting systems such as those required for lawyers practicing before the Securities and Exchange Commission.

As a general matter, however, all employees must be told about and given access to reporting systems including those that totally protect their anonymity. Where an anonymous complaint is received, provisions should be made for obtaining additional information from the informant on the same basis through the use of confidential voice mail or third-party assistance.

The absence of reporting by employees should not necessarily be viewed as indicating that there are no problems. Rather, that would be a reason to explore whether the system is operating. One compliance counsel tells the story of a corporation undertaking great efforts to assure that employees had access to complaint forms that could be filed anonymously. However, the system was totally undermined when a supervisor required the employees to ask him for the form. Revelations such as these will bring realism to the process.

And such measures should not be undertaken at just the lower levels. Opportunities to speak truth to power, including to the CEO and the audit committee of the board of directors, should be made available. Compliance officials should have access to the CEO. They also should report directly and regularly to the audit committee.

Rule No. 7: Clean up the mess and put things back where they should be. No matter how careful you are and how much you plan ahead, sometimes the milk spills. While achieving compliance perfection is a worthy goal, it is simply not realistic. Stuff happens. Fortunately, neither the Guidelines nor the Department of Justice's guidance on prosecution of corporations require perfection. Rather, they only require that:

  • corporations adopt viable compliance programs headed by an appropriate official;
  • programs are reasonably designed to establish standards and procedures that are capable of reducing wrongdoing;
  • these standards are communicated to the work force;
  • their application is monitored; and
  • when appropriate, enforcement action is taken.
Then — when the milk spills — compliance officials must analyze and determine what went wrong with the system, where the process was inadequate and how to fix it. Then they must, in fact, fix it! This includes taking appropriate action against any wrongdoers and, where appropriate, reporting the wrongdoing to the authorities. The measure of a good compliance program is as much about what you do when something goes wrong as it is about avoiding those wrongs.

Rule No. 8: Playing hard can be fun. Studies have shown that children who are able to delay gratification are much more easily able to achieve their goals and are more successful overall. True compliance reaps similar benefits. If investors and shareholders trust a corporation, its ability to operate and raise capital is significantly enhanced. Affirmative benefits also include the ability to recruit and retain a work force that has respect for itself and the work it performs.

The absence of negative "benefits" is also compelling. Elimination of criminal, civil and regulatory liability certainly speaks for itself. Moreover, there is a lot to be said for not having to address the crises in public faith and reputational damage created by misstatements of financial information, insider trading or similar corporate misdeeds laid out in the news.

Henry David Thoreau said, "It is truly enough said that a corporation has no conscience. But a corporation of conscientious individuals is a corporation with a conscience."

Corporate compliance must reflect that conscience. It must be sophisticated, analytical, innovative and pervasive.

It is not, however, rocket science. The rules of kindergarten are easily applied. Simple, important messages geared to doing the right thing, implemented by people working together, identifying, facing and correcting errors along the way will make for a successful program. In the meantime, as Fulgham says, "When you go out in the world, watch out for traffic, stick together and hold hands."

Back to Top