Corporate compliance programs have matured considerably since their
beginnings several decades ago. A new career ("compliance officer," "ethics
officer" and several variations of those terms) has arisen, a trade association
devoted to "[b]eing the leading provider of ethics, compliance, and corporate
governance resources to ethics and compliance professionals worldwide" came into
being in the early '90s and government regulators have adopted compliance and
ethics protocols in their regulatory regimes.
Compliance and ethics programs received additional imprimatur from the United
States Sentencing Commission in late 2004 when changes to the Sentencing
Guidelines for Organizational Defendants (the Guidelines), which it had proposed
earlier in the year, took effect. Those changes provided considerable detail as
to what the Commission expects an "effective compliance and ethics program"
Though a company need not limit its program to this, the primary areas of
focus for an effective compliance and ethics program, as set out in the
Guidelines, are the following:
1) Established standards and procedures to prevent and detect criminal
2) Appropriate delegation of responsibility for compliance and ethics among
the board of directors, senior management and other responsible employees
3) Efforts to prevent the appointment among a firm's "substantial authority
personnel" of individuals who have engaged in illegal activities or other
conduct inconsistent with an effective compliance and ethics program
4) Periodic, practical communication of the firm's standards and procedures
and other aspects of the compliance and ethics program to all employees and, as
appropriate, agents of the firm including, at least, training "appropriate to É
individuals' respective roles"
5) Appropriate monitoring and auditing for criminal conduct, periodic
evaluations of the compliance and ethics program's effectiveness, some sort of
hotline or other reporting mechanism for employees and agents to ask questions
or report potential or actual criminal conduct
6) Consistent promotion and enforcement of the compliance and ethics program
by appropriate incentives and discipline
7) Appropriate responses to criminal conduct if detected, so as to correct
the impact of such criminal conduct and prevent similar conduct in the future
The Commission also included, as an overview element, the need to assess the
risks that an entity confronts in its business.
Even though they've assumed a "top of mind" place in the thinking of several
groups, including in-house attorneys, government regulators and prosecutors,
investors, courts and observers of the legal "scene, it seems that corporate
compliance and ethics programs have yet to penetrate fully the day-to-day life
of most organizations. Despite the attention from government officials and the
specificity with which those officials have identified the elements of a
compliance program that they (the officials) would deem acceptable, many
programs fall short of those standards.
Integrity Interactive Corporation and Altman Weil recently surveyed 468
companies about their compliance programs. Of those invited to take part, 64
answered the survey (a 14% response rate). When asked what constituted their
compliance programs, they identified the following as the most common elements
in descending order of prevalence:
a. A code of conduct or business practices (61, or 96.8%)
b. Training of employees and agents on compliance topics (61, or 96.8%)
c. A hotline or other reporting mechanism (60, or 95.2%)
d. Periodic employee certification of compliance with the code of conduct
(52, or 82.5%)
e. An audit committee of the board of directors (51, or 81%)
f. Chief compliance officer (46, or 73%)
g. Periodic reports to the audit committee/directors about compliance (46, or
h. Periodic risk assessments (40, or 63.5%)
i. Compliance program audits (37, or 58.7%)
j. Periodic reviews of the compliance program's effectiveness (36, or 57.1%)
k. Audits for violations of law (32, or 50.8%)
l. A compliance committee of senior management (31, or 49.2%)
m. The appointment of compliance managers (25, or 39.7%)
n. A code of conduct for senior/financial managers (25, or 39.7%)
o. Letters to suppliers/vendors regarding compliance (22, or 34.9%)
p. Compliance-related contractual provisions (21, or 33.3%)
q. Compliance officers/directors for business units (16, or 25.4%)
r. A code of conduct for discrete business units (8, or 12.7%)
s. Compliance reviews with departing employees (7, or 11.1%)
t. Positive incentives for compliant behavior (6, or 9.5%)
When you examine the identified elements of the compliance programs of the
respondents to the Integrity/Altman survey, you note that each of the elements
included in at least 70% of programs of responding organizations respond to only
four of the seven main structural components of an "effective compliance and
ethics program" under the Guidelines: established standards and practices;
appropriate delegation of responsibility for compliance and ethics; periodic,
practical communication regarding those standards and practices; and appropriate
monitoring and auditing. Many fewer programs of the responding firms seemed to
include elements that would respond to the other three main components described
in the Guidelines - procedures to prevent the inclusion among substantial
authority personnel of those whose past conduct was demonstrably inconsistent
with compliance, the use of incentives as well as discipline to promote and
enforce compliance and ethical behavior, and appropriate responses to detected
criminal conduct. Other surveys have revealed less conformity with the
guidelines, than the Integrity Interactive Survey. In light of the time that has
passed since the Sentencing Commission first issued the Guidelines in 1991 and
the considerable attention that the Guidelines and the 2004 revisions have
received, the absence of complete mapping between the programs represented in
the survey and all the expectations expressed in the Guidelines seems
What might explain this disconnect? Perhaps the answer lies in some common
misperceptions about compliance and compliance programs. Let's examine a few.
The likelihood of my company being convicted of a federal crime is
minuscule so the Guidelines don't mean much practically speaking.
Few organizations face sentencing in federal court. The United
States Sentencing Commission reported that in fiscal year 2003 only 90
organizations were sentenced using the culpability factors of the Guidelines to
increase or decrease the organization's punishment. While those numbers seem to
support this perception, it represents too narrow a view."
A compliance program serves many goals in addition to constituting a basis
for a lesser sentence from a federal court upon conviction. For example, when
federal prosecutors review the possible culpability of an organization while
they are considering whether to file charges and, if they determine to do so,
which charges to file, the existence of an effective compliance and ethics
program plays a large role in their calculation. The "existence and adequacy of
the corporation's compliance program" is one of nine factors listed by Deputy
Attorney General Thompson in his memo to United States Attorneys titled
"Principles of Federal Prosecution of Business Organizations" dated January 20,
2003. Since prosecutors review the behavior of many more organizations than they
indict or than ultimately endure a criminal trial and suffer conviction,
adequate compliance programs play a larger role in this area than the statistics
of the Sentencing Commission suggest.
In addition, a corporate compliance and ethics program should improve a
firm's defenses to civil litigation. The facts that comprise a compliance
failure also provide an opportunity and a rationale for litigation by another
party. To the extent a firm can argue that the lapse represents an unusual
event, as demonstrated by the existence of an effective program of training,
auditing, etc., such a firm should better withstand such litigation attacks. The
absence of an effective program, on the other hand, enables a plaintiff to
argue, as has happened on several occasions, that a defendant should be liable
for punitive damages because its conduct demonstrated a disregard for prudent
In short, the limited applicability of the Guidelines does not detract from
the benefits of applying their elements. Satisfying the standards for a
compliance program contained in the Guidelines should provide benefits far
beyond, and much more certain and immediate than, those available exclusively
from the application of the Guidelines in a sentencing context.
The Guidelines constitute only advisory materials for a federal judge
during sentencing. Slightly more than one year ago, the Supreme Court issued
a pair of rulings in which it determined that the Sentencing Guidelines must be
advisory only in order to render the Sentencing Reform Act of 1984
constitutional. If the Guidelines are advisory only, can we consider their terms
for assessing the effectiveness of a compliance and ethics program useful?
Yes, the specifications in the Guidelines for an effective program can and
will continue to serve as helpful guidance on how to organize a corporate
compliance and ethics program. First, federal prosecutors still refer to the
Guidelines during their pre-indictment calculations. Second, federal judges
likely must continue to consult the Guidelines during their sentencing
deliberations even if the Guidelines are only advisory. Third, many regulators
view the Guidelines as helpful touchstones for consideration when reviewing
The amount that we spend on compliance training and other program efforts
would be wasted. Funds spent for a corporate compliance and ethics program
serve multiple purposes. To the degree that they increase the likelihood that
the firm's actions will comport with the expectations of government and private
regulators of corporate behavior, those expenditures will avoid costs related to
noncompliance, such as responding to regulators.
In addition, an effective, well-designed compliance program dovetails with
other corporate programs and serves other objectives. For example, effective
litigation management includes a step that one might label a "post mortem," an
"after action" or "lessons learned" when a particular litigation matter ends.
Such a protocol closely resembles the periodic assessment of risk expected by
the Sentencing Commission to appear in an effective compliance and ethics
program. That process also serves the purpose of a total quality management
program by helping to identify defects in the business process that might call
for improvements. Compliance programs also help to prevent and detect misconduct
where the company is itself the victim, such as vendor fraud and employee theft;
savings in this arena alone can exceed the program's cost.
You should consider the cost of an effective compliance and ethics program in
a broader context than simply assuring compliance or creating the proper
environment for ethical action. Rather, efforts to inculcate ethical behavior
and compliant actions within the corporate politic will make the organization
more efficient and more effective. To the degree that employees better
understand the expectations of regulators, investors, corporate management and
other relevant audiences, they're better able to avoid compliance failures and
Compliance training and compliance would merely add a layer of
bureaucracy. As noted, at least some of the steps called for by the
Sentencing Commission can fill multiple roles within a business organization. To
that extent, then, they do not represent totally new bureaucracy. Moreover, by
taking care when designing the program, one can minimize the additional burden
that results from the compliance and ethics program. Indeed, the design of the
program should include consideration for adding as little burden as
possible. Finally, one should also take note of research on
the value of an effective compliance and ethics program. As reported by Standard
& Poor's Managing Director and Global Practice Leader for Governance
Services, one study "found that a significant majority of institutional
investors were willing to pay a premium for well-governed companies."
Well-governed includes effective compliance and ethics programs.
While corporate compliance and ethics programs have gained considerable
stature within the ranks of American business, they still appear less frequently
than one would expect in light of their significance and the prominence they
receive from government and other regulators of corporate behavior. If that
shortfall results from the concerns described above, perhaps corporate managers
should re-examine the basis for those concerns. They might very well find that
an effective corporate compliance and ethics program will assist the
organization to move to a higher plane of action - one that includes less
litigation-related skirmishing as well as fewer disputes with government
officials and other corporate audiences. Corporate compliance and ethics
programs offer many benefits that companies may have overlooked in their
analysis of whether and how to implement them. Don't make that
1 General Electric inaugurated its compliance program
after several companies were convicted in the early 60s for antitrust violations
in the electrical equipment industry. Environmental enforcement in the 70s and
then enactment of the Foreign Corrupt Practices Act in 1977, following
disclosure of instances of bribes paid by American corporations to foreign
government officials to secure business and congressional hearings into the
prevalence of such payments, led more and more companies to institute compliance
programs. Several companies in the defense and aerospace industries came
together to create the Defense Industry Initiative to promote ethical behavior
among members of the defense and aerospace industries, including companies'
"obligation to self-govern by implementing controls to monitor compliance with
federal procurement laws and by adopting procedures for voluntary disclosure of
violations of federal procurement laws to appropriate authorities." See the
fourth of "The DII Principles" contained at href="../artNov/http://www.dii.org/Statement.htm."
target="\'_blank\'">http://www.dii.org/Statement.htm. The defense and
aerospace industries have, as a result, among the most mature compliance
programs in American business.
2 See Murphy & Leet, "Working for Integrity"
(Society of Corporate Compliance and Ethics, June 2006).
6 The Sentencing Commission itemized seven main areas of
focus for a program, though the precise number of elements might vary depending
on how one classifies or breaks them down. For example, another organization
identified "nine elements necessary for achieving an effective compliance
program to detect and prevent criminal conduct and promote ethical behavior,"
including among those nine elements the "[a]bility to [q]uery and [g]enerate
[r]eports." See page 7 of "Framework for Corporate Culture and Integrity http:
7 Other surveys yielded different results. See for
p. 14 (less than 30% of respondents already had whistleblower programs, rather
than the 95.2% of respondents to the Integrity/Altman survey that had a hotline
or reporting mechanism in place. This may be explainable, at least in part,
because Integrity's clients, which comprised approximately half of those invited
to participate in the Integrity/Altman survey, were pre-disposed to having more
comprehensive compliance programs as demonstrated by their use of online
compliance training from Integrity for their programs. The survey by Protiviti
and Operational Risk magazine "focused on financial institutions" and may have
been weighted more toward companies based outside the United States, since
survey responses originating in the United States comprised only 12% of the
total. Id., at 3.
8 A former chair of the Sentencing Commission (and
federal circuit judge) reviewed the first ten years of experience under the
Guidelines in Murphy, The Federal Sentencing Guidelines for Organizations: A
Decade of Promoting Compliance and Ethics, 87 Iowa L. Rev. 697 (2002).
9 Since the Integrity/Altman survey invitations went to
firms with which Integrity Interactive and Altman Weil had had some contact,
those invitees probably were among the more proactive organizations in terms of
their compliance programs. Integrity's business centers on compliance- and
ethics-related training and Altman Weil often works with companies that have
in-house law departments. A survey population truly representative of all
businesses in this country likely would include a greater proportion of firms
that have devoted less attention to this subject.
target="\'_blank\'">http://www.ussc.gov/ANNRPT/2003/table54.pdf. Those 90
organizations constitute a subset of the 200 organizations sentenced in federal
court (as to which the Guidelines would have been legally applicable). Of those
200, 101 "had fine guidelines application data missing or inapplicable due to
[G]uideline provisions such as a 'priliminary determination of inability to pay
fine.'" Ibid (note 1). See table 52 at href="../artNov/http://www.ussc.gov/ANNRPT/2003/table52.pdftarget=\'_blank\'>http://www.ussc.gov/ANNRPT/2003/table52.pdf
12 That other party could be an employee, employment
applicant, transaction counterparty, partner, government regulator, consumer or
any of the innumerable groups with which an organization deals on a daily
13 See Carr & Lauer, "Compliance Programs Reduce
Litigation Exposure," The National Law Journal, vol. 27, no. 33 (April 25,
2005), p. S3.
14 See United States v. Booker, 543 U.S. 220
15 See Carr & Lauer, supra, n. 12, and Chema
& Lauer, "A Holistic Approach to Corporate Compliance and Dispute
Management," The Lawyer's Brief, vol. 34, no. 24 (Dec. 31, 2004), p. 2.
16 Carr & Lauer, supra, n. 13.
17 Spinnato & Lauer, "The Big Picture: Compliance
and Knowledge Management in Today's Law Department," GC New York (ALM
Publications, May 9, 2005), p. 2.
18 Lajoie & Lauer, "Business Ethics and Compliance -
Establishing an Effective Program," The Lawyer's Brief, vol. 34,
no. 3 (Feb. 15, 2004), p. 2 .
19 Dallas, "Governance and Risk: An Analytical Handbook for
Investors, Managers, Directors & Stakeholders"(McGraw-Hill 2004), p.
Steven A. Lauer, Director of Integrity Research for
Integrity Interactive Corporation, was an in-house counsel for over thirteen
years and a consultant to law departments for seven years. For footnotes, see
our Website, www.metrocorpcounsel.com.