Editor: What are your general reactions to the hypothetical on page 3?
Jaffe: The hypothetical dramatizes that corporate counsel today must be exceedingly careful about what advice they give, its timing and how they say it. Not only is the plaintiffs' bar ready to pounce on corporations, but also the SEC, U.S. Attorney's Office and State Attorney General Offices are poised for parallel investigations.
Editor: How can a compliance program help reduce a company's vulnerability?
Jaffe: The compliance program must be designed to ensure legal and ethical behavior. When a compliance program has been implemented and reasonable steps are taken to enforce it, the company's potential liability will be reduced.
Rudewicz: A compliance program reflects the company's commitment to ensuring that its employees follow ethical and legal practices. When individuals violate ethical standards or the law, the company with the compliance program will be more persuasive in its arguments that the violation was an individual and not a corporate act.
Jaffe: Almost every industry is subject to public scrutiny and has to have a compliance program. Certainly any company dealing with a public contract or likely to come into the eye of the press will suffer if it does not do so. The bottom line is that all companies in all industries can benefit from an effective compliance program.
Rudewicz: Companies must be vigilant not only in managing their internal compliance programs, but also in ensuring that their subcontractors and vendors have effective compliance programs. Everyone who has the potential for creating liability for the company needs to understand the governing rules.
Editor: Does Sarbanes-Oxley present particular compliance problems for smaller companies?
Jaffe: Many smaller companies are concerned that compliance with Sarbanes-Oxley imposes excessive costs. The misinterpretation that every board committee needs separate accountants and lawyers, all independent of one another, is said to be leading a lot of companies to think about going private. That is not the intent of Sarbanes-Oxley. Its intent is to deter fraudulent acts, increase enforcement and raise the level of corporate governance.
Small companies implementing compliance programs can benefit from outsourcing's economies of scale. The critical point is to implement a compliance program with the degree of reasonableness appropriate for the size and nature of their business.
Editor: How important is the tone at the top?
Jaffe: Frank and I have both been involved in rolling out compliance programs where the first thing we did was to ensure buy-in from the top. Without that, a compliance program will never work.
Top management fools itself if it thinks that compliance is someone else's responsibility. Top management can expect to be held accountable by the government and the public for a company's unethical or illegal activities.
Editor: To whom should the general counsel directly report?
Jaffe: Reporting structures depend on the company's governing structure. Even when reporting to the CEO, the general counsel needs to be able to go independently to the board.
When a general counsel reports to more than one person, tensions can arise. Reporting to someone above the person who believes he or she is boss creates additional issues.
Editor: How important is it for the general counsel to have adequate staff and resources?
Jaffe: Even in the largest companies, the general counsel does not have the internal capacity for all compliance functions at all times. Additional resources must be brought in as necessary.
Rudewicz: Costs must be balanced against the risks. Sarbanes-Oxley does not mandate that every small violation must exhaust all the company's resources. Its intent is that a company put adequate controls in place to spot and address potential problems that have an impact on its financial stability.
Jaffe: You cannot conduct a massive investigation of everything that happens. Standards must be reasonable so that companies can comply with ethical and legal requirements in a way that allows them still to generate profits.
Triage requires the general counsel to determine what situations require attention and to give them that attention. If general counsel cannot deploy the needed resources, the triage will fail.
Rudewicz: The general counsel's dilemma is to say how to say "no" to management and still keep their job. With the right code of conduct and ethics, management and general counsel will be more closely aligned.
Editor: How actively involved in compliance matters should the independent directors be?
Rudewicz: Directors should be made aware of issues that come up but should not necessarily be the ones conducting the inquiry.
Jaffe: Assuming that everyone is acting in the best interests of the company, the American model has been that executives run the company and the board sets the policy. Sarbanes-Oxley changes a lot of that by saying that a board must have adequate knowledge of the company's activities. Being active as a director differs from being someone running the company. When the board is doing its job properly, it is providing active oversight and direction while management handles the company's day-to-day operations.
Editor: Is it important for a company to have both a code of conduct and a code of ethics?
Rudewicz: Absolutely. The basic distinction is that a code of ethics articulates the company's philosophy and culture. A code of conduct defines the company's operating principles and standards for behavior.
Jaffe: If the rule says that employees should not do something but there is no overarching philosophy that says that you operate as an honest company, people will not understand the rule. When the code of ethics gives employees an understanding of the purpose of the code of conduct, employees are more likely to be in compliance.
Editor: What factors contribute to a compliance program's successful implementation?
Rudewicz: Although no company today would admit that it does not have a compliance program in place, many companies do not know how effective their program is until something happens because they have not put measures in place to adequately test the program.
Jaffe: Compliance programs are like crisis management. You have to imagine what might happen and plan for it. If you only put a program in place but never test it, you cannot expect to have comfort from it. Hotlines, for example, do not always result in the reports expected. Employees often use hotlines to report HR and other personal concerns rather than activities requiring criminal investigation or exposing the company to civil liability.
I have been involved in enough cases where the prosecutors did not believe that the company had a compliance program because no one ever reported any behavior. The company must be able to show that its compliance program reasonably ensures any unethical or illegal conduct is reported by employees and investigated by management.
Rudewicz: Multiple avenues of reporting are a critical component of a compliance program. Hotlines and other reporting tools must be as convenient, as well as confidential, as possible.
Jaffe: The compliance program has to be enforced. Nothing is worse than a compliance program where nothing happens after a disclosed wrongdoing. Without enforcement, employees lose faith in the system.
Editor: Is it important to maintain a policy of both transparency and self-disclosure with respect to prosecutors and regulators?
Jaffe: What you do and when is not black and white. You have to have transparency, but the timing of disclosure and how much is disclosed depends on the facts and circumstances. If the results of an internal investigation are not disclosed, you may have a problem, but if the timing is premature, there will be other problems. That tells you that if you have an issue with an internal and external investigation, you have to conduct that internal investigation with people who are mindful of what is happening and what is being turned over so that it is carefully prepared and disclosed in a timely manner.
Editor: What are some of the downsides of such a policy, particularly with respect to sharing the results of internal investigations?
Jaffe: There are many ways to deal with it. You have to be aware of the differences in jurisdictions. Cooperation is different depending on who the prosecutor is and what state or federal district you are in. If you are in New York, for example the outcome will vary depending on which of the 62 elected prosecutors, four U.S. attorneys or the State Attorney General is reviewing your case.
Although you have to be careful about generalizations, it is clear that if you have a well thought out code of ethics and a code of conduct and you test the program and demonstrate that it is being effectively implemented throughout the company, you will be in the best position to reduce your company's vulnerability to liability arising from unethical or illegal behavior.