Compliance programs matter today. As company counsel you deal with the reality of tougher regulatory scrutiny and harsher enforcement actions against businesses, all in the context of such new regulatory regimes as Sarbanes Oxley. Yet, at the same time you also know that company compliance programs are increasingly important in this environment. The revised Sentencing Guidelines, the Department of Justice's Thompson memo, the Caremark case and a variety of other signals are telling us that effective programs have the potential to protect your company from legal and reputational harms. These programs have to be high on any corporate lawyer's priority list.
There is no question that compliance programs matter in the federal criminal context; although recent decisions by the US Supreme Court have made the status of the federal Sentencing Guidelines less clear for federal judges, it is fully expected that courts will continue to look to the standards for compliance programs. More important from a practical perspective, federal prosecutors have made clear they will continue to take such programs into consideration in prosecution decisions. These programs also matter to regulators and even in private cases, such as in defending against punitive damages in discrimination cases. If companies want to be treated as good corporate citizens they need to be taking effective steps to keep their employees acting legally and ethically.
But in addition to programs providing a benefit, the legal system is also flashing a warning: failure to have an effective program can lead to harm for the company. In the Medco case, for example, the government's allegations supporting a False Claims Act case include the claim that the company lacked such a program. Our firm, CSLG, has helped defend one company facing a punitive damages claim based in part on the alleged absence of an effective program. Boards of directors already know that under Caremark they can face liability to shareholders if there is not an adequate system in place. And now, the newest threat is actual legal requirements for compliance programs, such as California's recent law requiring such programs for pharmaceutical companies, the requirements for reporting systems and codes of conduct in Sarbanes-Oxley, and the growing number of consent decrees with the government requiring programs. Training in compliance areas such as harassment, which used to be just a sign of responsible management, now are becoming statutory or regulatory mandates.
Proving your program. As every lawyer knows, however, it is not enough just to have done the right thing. If you are dealing with the government or facing litigation the real question is how you prove that you have an effective program. The first step is to consider who your audience will be. First on the list are prosecutors, who typically need only consider such programs in their discretion. These may be federal, state or foreign. There is also the range of regulatory bodies, from the EPA, to OSHA to the SEC. In these circumstances you may be talking directly to government employees, or you may be presenting to experts acting for the government. This is a role that CSLG has played, retained by prosecutors to help assess company compliance programs.
In civil cases you will be dealing with discovery requests and negotiating with plaintiffs' lawyers. Consider also the impact of the recent revisions to the listing standards for the stock exchanges, such as the NYSE and NASDAQ, which require certain compliance program elements. You could find yourself trying to convince an exchange that you have met its standards. Even outside of the strictly legal context, with more and more blue chip companies concerned about compliance and ethics, consider the implications for their supply chain management. The signal from the government is that those you do business with could get you and your employees into trouble. Major companies need to look at their supply chains and business relationships as a source of risk. As a result you could even be called upon to demonstrate the bona fides of your program in a commercial context, to a customer's or potential partner's compliance officer.
How will you make your case? It is important to start with the understanding that the burden is typically on you. If you are dealing with a criminal investigation, the government may well have already begun probing your program in its investigations. For example, in the Sears bankruptcy fraud criminal case, the prosecutor has stated that he had asked employees about their compliance program during the underlying investigation of the facts. Private litigants and agencies like the EEOC will have explored this in discovery. The pattern that has emerged is that your compliance program will likely be part of negotiations, rather than an issue in an actual trial. Whether you have to pay money in settlement, how much you pay, and whether you have an onerous program imposed on you may all be determined at the settlement table, based on the credibility of your existing program. Of course, as the visibility of compliance programs continues to increase, the role in trials may also develop.
As with any issue in the legal context, you will make your case using witnesses and records. You will need to show you met all the applicable standards such as the Sentencing Guidelines, including the often-overlooked "industry practice" standard in the Guidelines (you need to show that your program is not behind other, comparable companies). You will need to show that your program included whatever was expected for programs in the risk area at issue in the case (e.g., what the Antitrust Division or the Criminal Division's Fraud Section are looking for in their respective enforcement areas). And you will need to carry the burden on the broader point of what is variously referred to as good faith, tone at the top, ethics, or culture. That is, you need to prove that your company "got it." In doing this you will need to address: a) what you had in place before the violation; and b) what you have done since, to show that you learned from this misfortune.
How do you prepare? As lawyers we live with an awareness of the litigation world and can see how each mistake would appear to a judge, jury or prosecutor. Without that insight, it is difficult to convince management of the seriousness of the risks, and the need for resources for your program. (For a broader treatment on how to sell your compliance program to management, see Selling Compliance (and the Importance of Your Job) to Management, in Murphy & Leet, Working for Integrity: How to Find the Perfect Job in the Rapidly-Growing Compliance And Ethics Field (to be published 2006)). But, while you cannot convert your management into lawyers, there is an exercise you can conduct that gives management exactly this insight. You can ensure that your program is litigation ready, and give management crucial insight about the compliance program by staging a mock presentation on the program.
We have had experience with this process, both in acting for the government and hearing real presentations, and in working with clients in staging rehearsals. Here is how the practice presentation would work.
The process begins by developing a scenario of a violation involving your company. This need not be lengthy - we have found a 1-2 page scenario works well. Through setting the facts of the scenario you can steer the focus to the things that are most important to you. It is explained to management that the facts of the scenario are not subject to debate; the issue is narrow and simple. Given the violation, which the government is sure it can prove, can your program win you a break? Everything follows from there.
You select a team of two who will play the role of prosecutors or regulators. It is best if the team is outsiders, not inside people. You do not want this to be a familiar environment to the presenters. However, in our experience it is also not a hostile engagement. There is no cross examination - there really is no need for it, since the company has to prove everything and the government is just the audience. The process is simply an objective attempt to see how the program stacks up.
The company then presents its program in a role play, to the team playing the government. If the company has prepared in advance, it will have a "presentation binder" - an ongoing compilation of the program's materials that is regularly updated. If there is no such binder then one benefit of this exercise will hopefully be the institution of such a practice. For the practice session it is best to provide the binder of material to the "government" team in advance of the session.
One thing this exercise typically shows all concerned is that if you do not prepare in advance you will not remember (or have documented) certain things that you did, or that you should have counted as part of your compliance program. We know from asking questions in this context that things end up being added to the presentation that were not originally tendered. However, you should certainly not expect the government or adversaries' lawyers to be that generous.
The "government" team reviews the documents, and then holds a session where the compliance program's managers present and explain their program. The team freely asks questions. You should expect that questions will come in two parts: 1) did you do X in the program? 2) and, if the answer is "yes," where is the documentation? The government will not take things on faith.
There are numerous excellent insights that come from this exercise. For example, if, everyone in your program is a lawyer, you will immediately realize that you have created a dilemma: you are forced to endanger privilege in order to say anything about the program. You can also see the enormous value of online training in this context. With a good online training system you will have fully documented that each person involved in the scenario was trained, what they were trained on, and (if the training is designed the right way) that the person had to get everything right to complete the training. You will be able to demonstrate to the government exactly what the training covered.
The exercise ends with a review of the lessons learned, and what follow-ups are needed. Through this exercise you and the compliance program's managers will quickly see where you need to do more, where the documentation or witnesses are weak, and where there are gaps in the program. And it is likely that everyone involved will appreciate that this time it was with an audience that was on their side. If there is a next time, they will remember that you made sure they were prepared.