Editor: With federal and state prosecutors more aggressively pursuing companies, how important is it for companies to take the Thompson memo into consideration in shaping their compliance efforts? Is training an important element in those efforts?
Brigham: Although the Thompson memo does not refer to training programs specifically, it does state that an effective compliance program should be considered in determining whether or not to prosecute and in shaping the terms of a non-prosecution agreement. Training has always been included as part of an effective compliance program. Its importance is emphasized in the Sentencing Guidelines. The Thompson memo has been updated and a lot of companies are following it because they understand that if they find themselves in a prosecutor's gun sights their efforts will be deemed a mitigating factor, just as they are following the Sentencing Guidelines to mitigate penalties if they should be convicted.
Companies are doing whatever is necessary to meet the requirements of an effective compliance program, ranging from 'tone at the top' to compliance training at all levels and enterprise risk assessments. Most companies already have some of the elements mentioned in the Thompson memo in place. Therefore, they are focusing more attention on those things that the Thompson memo uses to test the sincerity of a company's compliance efforts, such as engaging the board and the CEO in active efforts to evidence a positive 'tone from the top.' Some companies are taking this very seriously by having their directors take training programs such as ours and having them spend considerable time learning about their company's compliance programs.
Editor: What role should industry associations play in this?
Brigham: The Defense Industry Initiative is a good example of an effective association in an industry that is highly sensitive to the catastrophic consequences of criminal prosecution. It provides its members with a very effective way both to work with the government to set standards for compliance programs and to keep an eye on what peers are doing. Measuring up to the compliance standards followed by others in your industry is one of the new elements in the Federal Sentencing Guidelines definitions that companies are focusing on. The other areas that are fairly new to a lot of companies are measuring the effectiveness of programs and risk assessment. The top elements in the Thompson memo are now: tone at the top, measuring the effectiveness of a program, meeting industry standards and finally risk assessment. A lot of companies are building on what they already have and putting emphasis on the new elements.
Editor: Have companies subject to suspended prosecution agreements stepped up their training efforts?
Brigham: Currently we are advising three of the companies that are operating under such agreements. These companies made a commitment to train all their employees, to repeat training every year and to get the CEO involved in training programs by doing an introduction or otherwise signaling his/her personal commitment. Companies find that giving training to all employees is not easily accomplished, particularly if the employees are widely dispersed. An e-learning program can be effective, but provides no assurance that you will reach everyone since some employees do not have access to computers. Companies going down this path need a vendor that can be creative with technology as well as in-person programs (e.g. 'train the trainer') in order to reach the entire workforce in a cost-effective and time-efficient manner.
Editor: Is it necessary to target training to meet the special needs of employees based abroad?
Brigham: Yes, violations of foreign law are treated by U.S. authorities as breakdowns in a company's compliance system. Looking at compliance internationally, one of the big areas of concern continues to be the Foreign Corrupt Practices Act (FCPA). Enforcement is no longer focused pretty much exclusively on engineering or military projects; other industries are now being targeted. Healthcare and some of the emerging markets like China are attracting attention. One of the most recent major settlements with the Department of Justice involved FCPA violations in a company's Chinese healthcare business.
Editor: Isn't it possible that U.S. and foreign law may be inconsistent?
Brigham: Yes, Section 301 of Sarbanes-Oxley requires companies to have hotlines that protect the caller's identity so that compliance failures can be reported without fear of retribution (we offer a third-party hotline as part of our consolidated solution). However there are inconsistencies and conflicts with certain EU country laws that do not allow for anonymous allegations as the parties in question need to be able to defend themselves.
Editor: Are you sometimes brought in when a company is being investigated by a prosecutor for possible compliance failures?
Brigham: Outside counsel for the company usually brings us in. A law firm does not want to have its client sitting around doing nothing to prevent the situation from happening again when the company knows it had a compliance failure and is facing an investigation and probable indictment. We are brought in to demonstrate that the company is taking immediate action to prevent similar problems from occurring in the future, one of the elements of the Sentencing Guidelines being self-remediation. We have also been brought in as part of a suspended prosecution agreement as one of the conditions of the settlement. Interestingly, none of the clients that retained us before there was any hint of prosecution have faced prosecution.
Editor: Do any of the companies you work with have court appointed monitors and do they focus on employee training?
Brigham: Yes, to both questions. It is part of a monitor's function to know who is going to be trained in what subjects. A good court appointed monitor recognizes that each company's culture is unique and that its business success is attributable to that culture. He/she realizes that a compliance program has a better chance of success if it is compatible with that culture. A good monitor knows that you have to find a balance and cannot eliminate all risk. Therefore, working with us and designated company personnel, he /she requires the company to do a risk assessment to measure and prioritize the risks. Obviously by virtue of being in a situation with a court-appointed monitor there are certain compliance failures that need to be remedially addressed. However, oftentimes there are greater cultural and other risk areas that need to be solved. A good and defensible risk assessment identifies the appropriate subjects and people for compliance training. If there is a breakdown, even if it was caused by just a few people, the monitor will want to know whether the breakdown was attributable to just an isolated group of people or whether there was a firm culture that encouraged testing the limits of the law. This is why a good monitor will also want assurance that the company has an overall culture of ethical behavior that creates a climate supportive of its training programs.
Editor: What types of companies tend to lag in their compliance efforts and thus have the greatest need for effective compliance programs?
Brigham: There is a big difference between the heavily regulated industries and those that are not. Companies in heavily regulated industries have robust compliance departments. Outside such industries, however, the compliance department can oftentimes be appallingly small considering what they are expected to accomplish. It is not uncommon to have organizations of more than 15,000 employees with only one or two full-time people dedicated to compliance. It is hard to imagine how such a small staff can effectively manage an employee training program, oversee a hotline system, collect reports and handle and investigate disclosure and code of conduct signoffs. To be effective, such companies often find it desirable to outsource large components of their compliance program to an organization like ours. In this way they build an outside knowledge bank which can provide an institutional memory. It makes a lot more sense for a smaller compliance department to manage us as an outside vendor rather than trying to manage everything internally.
Our experience working with many companies gives us the ability to evaluate a compliance program objectively and measure its performance against that of other companies. If there should be a compliance failure, the company is in a position to point out that its training programs are based on a careful risk assessment, done in conjunction with an experienced consultant, and were targeted to the areas and people found to be most likely to be involved in compliance failures.
Editor: Do records that rogue employees took training courses help a company to distance itself from the actions of those employees?
Brigham: We have seen such records introduced and they have proved to be important in convincing prosecutors that the company did not condone the wrongdoing. However, the case becomes more problematic where more than one employee was involved or where supervisors were aware of the behavior and passively accepted it.
Editor: Is it likely, given the SEC's more targeted approach to the areas to be covered by future Section 404 audits, that prosecutors will accept a targeted approach to compliance training?
Brigham: I cannot believe that what now seems evident to the SEC will not be equally apparent to prosecutors. If a company and its advisors have done a thorough risk assessment study and established a training program that addresses significant risks identified in that study, I doubt that prosecutors can in good faith conclude that the company has a less than sincere dedication to compliance. Nevertheless, it makes good sense for a corporation to have its directors, officers and employees take ethics training courses of the kind we offer. Ethics training can go a long way in establishing that the corporation maintains an ethical culture that provides guidance as to the ethical considerations that should be a part of any business-related decision (irrespective of whether that type of decision was specifically addressed in a training program).
There is another interesting development worth pointing out. Now that compliance departments are undertaking more formal risk assessment analyses, we are finding that a well-done, objective and defensible risk assessment may be usable not only by the compliance department but by the auditing function as well. This is because if you can prioritize where the biggest risks lie, you may have a good case for discussing with your auditors basing their priorities for the purposes of Section 404 on your risk assessment results. This in turn can lower auditing transactional costs.
Editor: You are affiliated with the Practising Law Institute. Do your clients benefit from that relationship?
Brigham: It has been tremendous. Lawyers are by nature specialists, and we have found the type of lawyer that works with PLI to be ideal. They are not only leaders in their disciplines, but responsive and forward-thinking. As a result we can provide better services when we can tap into a huge network of specialists that can address any issue with input from the best experts in the field in a cost effective manner. It has not only helped us in developing off-the-shelf programs, but also in tailoring programs to meet our clients' special needs. They are pleased that we can draw on the expertise of lawyers skilled in issues in the relevant industry and practice area.