American Bar Association

ABA Section of Business Law

Volume 13, Number 1 - September/October 2003

10 steps to a better day
The key components of compliance
    By Karen L. Shapiro

Compliance has been an issue for business lawyers for more than a decade. Lately, though, it's become a bona fide hot topic.

More than 10 years ago, the Federal Sentencing Guidelines for Organizations were adopted to bring consistency to punishment of organizations. The guidelines recognize the need to provide for companies that try honestly to operate in compliance, and so give federal judges discretion to mitigate penalties against companies that had an effective compliance program when the violation occurred (see sidebar on page 41).

Since then, it has been necessary for lawyers representing organizations to understand and, when asked, develop compliance programs. In the rubble-strewn aftermath of Enron, WorldCom and the like, it's become even more important for counsel (both outside and in-house) to understand what it means to have an effective compliance program.

"Why," you might ask, "should business lawyers care about how to 'do' compliance? The Compliance Department has to make sure its program works." Business lawyers should care because they advise clients on the need for compliance programs. They meet with regulators and prosecutors and then advise clients to make promises about compliance to avoid or diminish the severity of proceedings.

To do this effectively, lawyers need to understand what it means to adopt, implement and maintain an effective compliance program. It's their job to understand what promises to regulators in settlement orders about compliance involve, so they understand whether their clients can do what they've promised, within the time they've agreed to do it. This matters, since violating undertakings in a settlement order could lead to further charges.

Regulators and courts take a dim view of recidivists. This will be even more true post-Enron and in light of the Sarbanes-Oxley Act's new requirements for public companies. As a result, counsel can expect boards of directors and corporate executives to have little tolerance for repeat deficiencies. Business lawyers need a solid understanding of how effective compliance programs work so they can help their clients avoid repeat failures.

Before we turn to 10 best practices, remember that compliance doesn't occur in a vacuum. Keep a few thoughts in mind as you consider how these best practices might apply to your clients:

  • What is the size and complexity of the client? Large, medium and small companies have different capabilities to support compliance programs.
  • Are compliance processes manual or automated?
  • Are these processes conducted in-house or have they been outsourced? If outsourced, are there quality assurance standards binding the provider?
  • Does your client view compliance as the minimal steps necessary to avoid violations, or as a moral compass guiding its business?
With these thoughts in mind, let's go to the list:

No. 1: Know what you need. Legal and regulatory obligations are the beginning, not the end, of understanding compliance requirements. You also need to understand how your client's business operates. What is the flow of activity and information? The success of the compliance program will turn on whether it accurately tracks the business process. Building a successful program differs from company to company. There's no one-size-fits-all approach. As you discuss the program with your client, make sure everyone focuses on integrating the compliance program into the business.

No. 2: Perfection is elusive, but sometimes you have to go for it. There's a saying that "the perfect is the enemy of the good." Indeed, striving for perfection could get in the way of implementing a good, effective program if the quest for perfection delays taking any action. Still, sometimes "good" isn't good enough.

Think back to competing for grades in law school. A former colleague used to say that scoring 95 on a 100-point exam was an A+ performance. Then he'd translate 95-percent compliance success to the context of retail sales: Take a company with 10,000 salespeople. A 95-percent compliance rate means 9,500 of its representatives comply with applicable requirements. That's great.

That only leaves 500 other salespeople who, every day, are making sales most companies wouldn't want if they knew how those sales were made. And those 500 folks are out there selling right now, even while you're here reading this article. In other words, 95 percent is nice, but an effective compliance program should strive for more.

So how do you do it, if you're not satisfied with 95 percent but can't hold out for perfection? To begin with, keep it simple. A compliance program only works if it can be followed. Lawyers could prepare elaborate procedures that would tightly control every imaginable type of misconduct or mistake. Avoid that temptation — if procedures are too detailed, pieces of the program will slip sometimes or not be done at all. And, if regulators and courts dislike companies with no compliance program, they have an even bigger problem with companies that have a program and don't follow it.

To design compliance policies and procedures that work, keep in mind the "three Cs": clear, concise and complete.

Clear speaks for itself — policies must be easily understood. A good rule of thumb is to consider whether three employees from separate parts of the company would give similar answers to deposition questions about what a policy means. (Don't assume this issue away. You may think you know the answer, but if you wrote the policy, you already know what it means.) If, in discovery, it turns out that no two people had the same understanding of a policy, you've lost the battle to prove it was effective. To build a clear program, involve people who aren't legal or regulatory experts. Employee focus groups can help here.

Training is essential to promote understanding of the compliance program. Make sure everyone in the organization knows there are compliance policies and procedures, how to find them and whom to contact if they have questions.

Concise, tight wording helps make policies clear. And, by avoiding extra words, you avoid extra questions in those employees' depositions. Say what you need, and need what you say. Everything else is unnecessary and could be a problem later.

Complete brings us back to policies having to fit the company's operations. Compliance can't be bought "off the rack." If policies and procedures don't comprehensively cover the business processes, the program could have gaps, leading to surprises later.

How do you avoid those gaps? Test the procedures with employees from different parts and levels of the company. The people in the trenches will know if you've missed something important. Effective compliance requires help from people who live in the real world governed by the program, to make sure that the rules cover the ground and can be clearly understood and consistently followed.

No. 3: What gets measured gets done. First, the good news: What gets measured eventually gets done. People generally try to perform to known expectations. If a company wants its procedures followed, it should set performance standards, measure how the organization satisfies them, and get the numbers out to staff and management. Also, include this performance in compensation decisions. It may take awhile, but the alignment between measurement and performance should improve.

Most functions we measure quantitatively also have a qualitative dimension. So, we also have to make sure the function is done correctly. This brings us to the bad news: What does not get measured may or may not get done.

That sounds obvious, but for any task the company wants to complete within a specified time, also measure how well the transactions are done. If you only measure timeliness, quality of execution may deteriorate in the crush of deadlines.

Qualitative performance failures don't appear in real time, like missed deadlines. They're a lagging indicator. You won't know you have a problem until you have a problem that could have been prevented by qualitative measurements.

No. 4: Monitoring helps, but it isn't everything. An effective compliance program must include monitoring, but reports alone aren't enough. Is information important? Absolutely — no compliance program works without exception reports to focus management's attention where it's needed. Will good reports make the program effective? No. Effectiveness takes judgment to evaluate exceptions and takes managers willing to deal with whatever the reports uncover.

This goes back to guarding against having a compliance program that isn't followed. Once you implement exception reports, you have to act on what they find. Thus, the corollary to rule No. 4: Don't cast the net too widely or you'll catch more than you can manage.

Let's be clear about what that means and doesn't mean. It does not mean a company should ignore genuine misconduct or negligence. It does mean, however, that if exception reports don't differentiate between jaywalking and murder, they will produce more items than the company can effectively handle.

Remember, hindsight is 20/20. If a company has a problem, and no one did anything because it was buried in an exception report, the compliance program didn't work. Failing to act on significant exceptions makes it harder to show the company takes compliance violations seriously.

Once the reports are coming, a compliance program needs to differentiate among exceptions to allow a flexible response. Build your program with the full range of possibilities in mind. Then, think about whether an exception resulted from lack of knowledge or deliberate wrongdoing. If the employee didn't understand the conduct was wrong, and there was no material harm or deliberate misconduct, training may be an appropriate response. (This only works for the small stuff — you shouldn't count on persuading anyone that someone committed fraud with a pure heart and an empty head.)

A progressive discipline policy providing a range of sanctions from warnings through termination will give management the ability to deal with similar situations flexibly but consistently. The sanctions should match the offenses proportionally, so they convincingly demonstrate the company's intolerance for bad actions, without going overboard.

No matter how unpleasant it is, companies sometimes have to fire people. But, not all violations require termination. If the compliance program shows a commitment to doing business the right way, the company can respond to situations flexibly and still foster an environment of responsibility and accountability.

No. 5: Learning from your mistakes is good; learning from someone else's mistakes is better.

Read the newspaper. Talk with colleagues who practice in your client's industry. If a competing company was just disciplined in a regulatory proceeding and there's a lesson to be learned, let your clients learn it on the other guy's nickel. If they're in the same business and they have a control weakness, your clients should examine their organization for that risk. The lesson learned will be no less valid just because someone else paid for it.

Of course, companies also have to learn from their own mistakes. If your client's company gets caught up in a proceeding that reveals a control weakness, fix it as quickly as possible. You may be able to mitigate the consequences if you can show that the company corrected the problem as soon as it could and made things right with anyone who was harmed. Learn from mistakes while they're still fresh. Companies will never be more sensitive to the need for a compliance program than right after they've paid for compliance failures.

(Somewhere around now, clients start to grumble, "This never ends!" Right? Exactly right: Compliance programs are never done. They should always be works in progress. While a company shouldn't issue new policies so often that updates lose significance, the program must be able to handle new issues. Update the program when it's necessary.)

No. 6: You get what you pay for. This is a two-part rule. Here's the easy part:

Compliance costs money. If a company tries to develop a compliance program on the cheap, it will be disappointed when it doesn't get all the protection it expected. Good people cost money. Good training costs money. Good systems cost money. Let's come back to the point about good people. If a company is just beginning to formalize its compliance program and doesn't yet have a compliance officer, advise the company to appoint someone with sufficient knowledge, experience and stature to get the hard decisions made. Selecting someone inexperienced may save money in the short run, but could cost a lot later if that person doesn't spot the issues, recognize their significance and fix them.

Now for the harder part: You get what you pay for, and that includes behavior. Think about which people companies value most highly. In a sales organization, big producers are highly valued. But, is revenue all the company values? Or, does it value and reward the quality of business? If it only recognizes and rewards production, the company will get what it paid for — high production, regardless of how people brought it in.

If you want people to behave well, reward good behavior and punish bad behavior. People need to understand it's not just about how much business they do. It's also about how they do the business. This requires evaluation and compensation systems that reward good compliance and mark people down for poor compliance.

The same is true for supervisors. If a company pays managers for recruiting and production, they will focus on hiring and production targets. At best, this leaves supervision in third place. Make sure managers understand they are as accountable for their staff's problems as they are rewarded for their successes. You get what you pay for.

No. 7: Risk is to be managed, not feared. "Doing business the right way" has two parts. The part about doing business is important, too. In designing a compliance program, you could try to identify every risk confronting the organization and drive a stake through its heart, but if you raise insurmountable barriers to doing business, you haven't moved the ball down the field. Risk cannot be eliminated.

The hard work is balancing compliance risk against flexibility. The challenge is to build controls that let good business be done without unnecessary impediments.

No. 8: Auditors are your friends. The company's auditors can help get new compliance policies off to a good start, and they help keep programs effective. You won't know if controls are any good until you know they work, and you find this out by testing them rigorously.

After your client installs a new compliance program, give it some time and then have the auditors kick the tires. If the controls work, that's good. If they don't work, it's better to find out quickly. Don't let gaps surprise you later during an investigation or lawsuit.

Will this testing be privileged? It depends on who directs it, how it's done, and the privilege rules in your jurisdiction. Even if it isn't privileged, though, companies generally get more mileage out of finding and fixing problems than for correcting them after they're in trouble.

No. 9: Be careful what you promise (or imply). It's the end of the year. Your client is having the annual budget meeting with the chief executive officer. If you did substantial legal work on the compliance program, the CEO is looking at some hefty bills.

The CEO flips through pages of disbursements and says, "We spent a lot of money on this compliance thing, didn't we?" Your client nods apprehensively. Then the bomb drops: "But," the CEO continues, smiling, "that's it, right? No more grand juries? No more class actions? No more regulators beating us up? No more hits in the press? Now, we can get back to running the company, right?" As your client gropes for words, you remember you never explained the limits to what all that money would buy.

What you meant to say was: "A good compliance program is essential. But, don't expect more from controls than they can deliver. A compliance program won't immunize the company against all future compliance failures. No controls are so good that they can't be deliberately thwarted."

"What a compliance program can do is: prevent and detect most violations; reduce financial, litigation, regulatory and reputational harm; get mitigation credit under the Sentencing Guidelines; and help set a tone in investigations that shows the company cares about doing business the right way. But it's not a guarantee."

If you haven't already had that conversation, now's the time to deliver the message, along with something from the last of our best practices:

No. 10: Hindsight is 20/20; good peripheral vision is better. We considered earlier the importance of learning from mistakes. As important as good hindsight may be, though, it's limited.

What does that mean? It means don't be satisfied with solving yesterday's problem. Don't be satisfied with what's going well. Think about what might be a problem tomorrow. Be alert to possible vulnerabilities the company hasn't found yet. Think about them as creatively as the problems you've already identified.

If you represent a client in a matter that apparently involves an isolated incident, advise the company to see if the problem is more widespread. Read trade publications: Are there rumors about your client's competitors or industry, or even about your own client? Advise clients to follow up on those rumors and figure out if something's going on. Don't dismiss the rumors and presume that sort of thing couldn't happen to your client.

Watch for early warning signs. Are employees complaining about ethical matters? Is there a way for them to complain? Is there an anonymous hot line or e-mail account? Or, even a suggestion box? The people in the trenches know how business is really done, and they know it better than just about anyone. Find a way to listen to them, in a manner that assures they won't be harmed if they deliver bad news. The ability to let management know about problems is important, since it's required by Sarbanes-Oxley and is a specific element of an effective compliance program under the Sentencing Guidelines.

If companies watch for possible new concerns, they can do minor repairs before major work is necessary. Compliance will become a matter of fine-tuning, with occasional overhauls for new legislation and the like. Compliance won't be an intrusion into business — rather, doing business the right way will be built into the organization.

A final observation: Building or upgrading a compliance program is challenging, hard work. It can also be tedious. Sometimes, it's like being the plumber after someone else noticed a leak under the sink. You're the one who has to find the drip, figure out where it's coming from, tear out the bad pipe, install a new one and then run the faucet awhile to make sure the leak is really fixed. But, after you've done your job, your clients will be better off.

They will be better protected against a compliance failure than they were before they had a compliance program. Management will be able to focus on running the business with less distraction from compliance problems. For these reasons, building and maintaining an effective compliance program is well worth the effort.

What do the Sentencing Guidelines say?

The Federal Sentencing Guidelines for Organizations offer guidance for when a company's compliance program will merit mitigation of a sentence:

"The hallmark of an effective program to prevent and detect violations of the law is that the organization exercised due diligence in seeking to prevent and detect criminal conduct by its employees and other agents. Due diligence requires at a minimum that the organization must have taken the following types of steps:

(1) The organization must have established standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal conduct.

(2) Specific individual(s) within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with such standards and procedures.

(3) The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities.

(4) The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, e.g. by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.

(5) The organization must have taken reasonable steps to achieve compliance with its standards, e.g. by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retribution.

(6) The standards must have been consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. Adequate discipline of individuals responsible for an offense is a necessary component of enforcement; however, the form of discipline that will be appropriate is case specific.

(7) After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses — including any necessary modifications to its program to prevent and detect violations of the law."

Shapiro is chief compliance officer of the International Insurance operation of Prudential Financial Inc., in Newark, N.J. Her e-mail is karen.shapiro@prudential.com.