Changing Roles For Today's Corporate Compliance Programs

Wednesday, December 1, 2004 - 01:00

Since the passage of the original Sentencing Guidelines for Organizations in 1991, organizations of all sorts have focused on the need to develop and implement effective corporate compliance programs. Now, through a series of independent but simultaneous legal developments, for the first time since 1991, there is a broad-based and focused effort to influence companies to revise and revisit their compliance programs, to make these programs more effective and more directly responsive to compliance concerns.

At the same time, there is a substantial debate about the role of various key participants in compliance programs - primarily General Counsel and Boards. This debate rages on - and should be evaluated by every company now in ascertaining the best approach for the company.

I. The Key Legal Developments

A. Changes to the Organizational Sentencing Guidelines

First promulgated in 1991, the Federal Sentencing Guidelines for Organizations have been widely credited with sparking organizational awareness of the importance and need for compliance programs. The Sentencing Guidelines were intended to "reward" companies undertaking compliance efforts in two ways: not only would the implementation of a compliance program ostensibly protect an organization from incurring criminal liability in the first place, but a company finding itself before a federal judge for criminal sentencing - despite its formal compliance efforts - would be entitled to a reduction of its sentence under the Guidelines.

When the Sarbanes-Oxley law placed a premium on reviewing corporate governance issues, one of the off-shoots of the main legislation is a set of changes to the compliance program elements of the Sentencing Guidelines. The primary intent of these changes is quite clear - to provide greater guidance to organizations and courts regarding the criteria for an "effective program to prevent and detect violations of law." While the Amendments (which take effect November 1, 2004) continue to utilize the familiar "seven elements" of an effective compliance program, there are substantial changes in emphasis, focusing the attention of organizations on the following issues:1

  • Ensuring that a company includes a significant "ethics" component into their overall compliance program;

  • Stressing the importance of the role of senior management and the Board of Directors in operation and oversight of the compliance and ethics program;

  • Communicating the details of the compliance program to the workforce, along with effective training programs, as a means of developing a "corporate culture" that emphasizes compliance and ethics standards;

  • Ongoing, active oversight and monitoring of the compliance and ethics program;

  • Promoting and enforcing the compliance and ethics program through consistent; and

  • Reporting and remediation of compliance violations.

B. DOJ Prosecution Guidelines

While the Sentencing Guidelines provided many incentives to create effective compliance programs, and were a key motivating factor in creating a strong compliance focus in much of the health care industry, corporations typically do not envision themselves as the target of a criminal prosecution, with the need for a reduction in sentence. While corporations presumably should be sufficiently self-motivated to look beyond only criminal problems, the Department of Justice has encouraged corporations to look beyond sentencing to the earlier stage of an investigation, when the government is deciding whether to prosecute a corporation at all.

Accordingly, in defining a set of criteria by which federal prosecutors will decide whether to prosecute corporations under the criminal laws, the Department of Justice has defined specific criteria to guide prosecutorial decision-making. See Memorandum from Deputy Attorney General Larry Thompson, to Heads of Department Components, Principles of Federal Prosecution of Business Organizations (January 20, 2003), available at (the "Thompson memo"). The DOJ has made clear that various "compliance-like" elements are a critical component of this evaluation. Moreover, the Department of Justice guidelines are explicit that the "existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal conduct." Id. at 8. Instead, the appropriate inquiry for a prosecutor is whether the compliance program is merely a "paper program" of little or no practical value or consequence, or is one that is "adequately designed for maximum effectiveness in preventing and detecting wrongdoing." Thompson Memo at 10. Accordingly, the strength of an organization's compliance program (along with its cooperation and reporting of wrongdoing, remediation of problems and corporate culture towards compliance) will play a significant factor in determining whether the Department of Justice will prosecute an organization.

C. The Medco Case - Compliance Failures as a "False Claim?"

In case the Sentencing Guidelines components and DOJ prosecution criteria are not sufficient to motivate a compliance program re-evaluation, DOJ has moved forward recently with the allegation that the failure to operate an effective corporate compliance program by itself can constitute a false claim to the government under the False Claims Act.

In United States v. Medco Health Solutions , Case No. 00-CV-737 (E.D.PA) (available at, the Department of Justice has challenged the practices of Medco Health Solutions, one of the country's largest pharmacy benefit managers. The False Claims Act complaint not only challenges a broad range of allegedly fraudulent Medco practices (such as canceling or altering prescription information and mailing prescriptions with less than the number of bills ordered and paid for). It also asserts that the existence of a weak Medco compliance program rendered "false" all claims submitted by Medco to the United States for payment for pharmacy benefit management services.

In the Medco complaint, the prosecutors alleged that Medco's reckless disregard or deliberate ignorance could be established from a number of its actions and course of conduct relating to its compliance activities, including:

  • Failure by the Board and senior management to develop an appropriate compliance reporting system;

  • Failure to make employees aware of the compliance program;

  • The absence of a senior official with direct responsibility for overseeing compliance;

  • No consistent enforcement through corrective actions; and

  • There were no systems to assure reasonable steps to respond to reported offenses, including detection of violations and investigation of violations.

II. Corporate Dilemmas

Accordingly, these developments all are pushing organizations to develop enhanced compliance programs that more effectively direct resources to the prevention and detection of misconduct. As organizations have reviewed these developments, two significant management issues have emerged - what is the role of the General Counsel in the operation and oversight of a compliance program and how best can the Board of Directors get involved in compliance issues? While these issues are still emerging, and no clear consensus has emerged, companies need to assess how their organization will incorporate these crucial players into the compliance function.

A. The Role of the General Counsel

There is a significant debate - even with the government and the leading compliance organizations - as to the appropriate role of the General Counsel in a compliance effort. The Department of Health and Human Services Office of Inspector General is uneasy with a General Counsel also playing the role of compliance officer. For example, in several recent Corporate Integrity Agreements (such as the recent agreement entered into by Schering-Plough), HHS has mandated that "[t]he Compliance Officer shall not be or be subordinate to the General Counsel or Chief Financial Officer." On a more general basis, as part of various "model" compliance programs issued for components of the health care industry, HHS has made clear that:

"The OIG believes that there is some risk to establishing an independent compliance function if that function is subordina[te] to the hospital's [G]eneral [C]ounsel, or [CFO]. . . . By separating the compliance function from the key management positions of [G]eneral [C]ounsel or [CFO], a system of checks and balances is established to more effectively achieve the goals of the compliance program."

This approach also is mirrored in the views of some in Congress. For example, in a September 5, 2003, letter to Tenet Healthcare (in the wake of an ongoing investigation), United States Senator Charles Grassley (R-IA) observed "[a]pparently, neither Tenet nor (its General Counsel) saw any conflict in her wearing two hats as Tenet's General Counsel and Chief Compliance Officer . . . . It doesn't take a pig farmer from Iowa to smell the stench of conflict in that arrangement."

The American Bar Association Task Force on Corporate Governance, perhaps not surprisingly, takes a different view of the role of the General Counsel. To the ABA Task Force,

  • Providing information and analysis necessary for the directors to discharge their oversight responsibilities, particularly as they relate to legal compliance matters, requires the active involvement of General Counsel; and

  • General Counsel should have primary responsibility for assuring the implementation of an effective legal compliance system under the oversight of the board of directors.

B. The Role of the Board

It also is essential for organizations to ensure that their Boards are sufficiently involved in compliance program oversight. The same ABA Task Force identified the typical "failures" of a Board in the past.

  • Outside directors have at times been overly dependent upon and overly passive with respect to senior executive officers.

  • Outside directors too often have relied almost exclusively upon senior executive officers for information about corporate affairs.

  • Outside directors too often have failed to devote adequate time and attention to discharge their oversight responsibilities.

With these concerns, the ABA Task Force also recognized that Directors "cannot guarantee corporate compliance; they can only be expected to undertake and execute good faith efforts to ensure that it occurs." Moreover, no recommendation can generate the "backbone" to force a Board member to act independently and objectively, which is necessary to an effective system of corporate governance. Accordingly, the ABA Task Force focused on recommendations that were designed to (1) enhance the independence and resources of outside directors and (2) increase the flow of material information and analysis to those directors. How best to "increase the material information" sent to Boards and allow for Board oversight, while not imposing unduly on already challenged Directors and operating an effective program internally, remains a significant challenge for most organizations.

III. Conclusion

In today's environment, it is critical for organizations to conduct a thorough review of an existing compliance program, to determine whether it has kept pace with both the changing legal and regulatory structure and meets the new standards being set by the government. This is not an easy task, but it is one that can be done through a reasonable amount of focused resources and efforts. In testing the sufficiency and appropriateness of a compliance program, organizations should be focused on the following key questions:

  • What are you doing differently about your compliance program as a result of the changing legal environment?

  • What is the Role of the General Counsel with your compliance program - and is it changing?

  • How are you involving your Board on compliance issues?

  • How does your organization deal with the substantial government pressure to cooperate in investigations and waive attorney-client and work product privileges?

Accordingly, within this compliance "perfect storm," companies must fundamentally re-evaluate - and re-invigorate - their compliance programs across their operations. These developments are substantial - and demonstrate, in the wake of the wide range of recent corporate scandals - a prosecutorial inclination to mandate ethical and compliant corporate behavior, and to reward those who have the right corporate culture and punish those who do not.

1 For more information on the details of the changes adopted by the Sentencing Commission and the other legal developments discussed briefly in this article, please see Nahra, "The New Incentives for Enhanced Compliance Programs," BNA Health Law Reporter (May 27, 2004).

Kirk J. Nahra is a Partner at Wiley Rein & Fielding LLP in Washington, DC, where he specializes in insurance fraud, privacy and healthcare litigation and counseling for the healthcare and property/casualty insurance industry and other industries facing privacy and other compliance obligations. He is the editor of Privacy Officers Advisor, the monthly newsletter of the International Association of Privacy Professionals, serves on the Board of Directors of the IAPP and is General Counsel of the National Health Care Anti-Fraud Association. He can be reached at (202) 719-7335.

Please email the author at with questions about this article.