Why Compliance Doesn't Work - Part II

Part I of this article appeared in the March issue of The Metropolitan Corporate Counsel.

"Process" compliance tends to cultivate the systemic error of "consumer" complacency. Compliance "consumers" - executives, officers and directors - are used to crunching numbers and can be lulled into a false sense of security by a compliance system that reduces all issues to quantitative data. Numbers are important to many tasks, but they have built-in limitations in the compliance sphere, where the company must analyze the nuances of employee conduct and imagine opportunities for bad conduct before it occurs. For instance, consumers need to know that a well-functioning "know your customer" system that searches a database for customer background information will be undercut by the failure to do what investigators do - apply independent, skeptical scrutiny to the information derived.

Another broad error that "process" compliance can induce is the failure to identify issues as compliance problems in the first place. As in the parable of the blind men and the elephant, specialists within the company tend to view issues solely through the lens of their own specialty. Compliance problems can crop up in many ways and do not always announce themselves as "compliance-related" nor come first to the attention of a compliance officer or lawyer. For example, human resource executives may view a potential expense account violation as an HR disciplinary issue, but may not connect the dots that demonstrate a Foreign Corrupt Practices Act violation. "Process" compliance exacerbates this problem because systems and their managers are trained to look only for specific types of issues, not think more broadly about unexpected areas of liability. If concerns are not properly identified and shared, that is, if they are arbitrarily mislabeled or "stovepiped," the compliance dimension will go unrecognized until too late. Stovepiping may also result in inconsistent management responses to the same issue. An employee's infraction that is labeled as an HR issue may receive an entirely different level of investigation and disciplinary treatment than the same action by another employee that is correctly identified as a compliance concern.

Compounding these potential errors is the tendency of many companies to assign as compliance officers employees who either lack the investigative skill set necessary to bore into the analysis of facts and identify them as true compliance concerns or are not supported by senior leadership when they try to advance compliance priorities. In large complex enterprises, compliance officers are awash in data, but do not necessarily have the training and disposition to push through the "noise" to identify relevant facts. This problem only gets worse where the company itself lacks deep background knowledge about new business lines or locations developed through acquisition or expansion. Time and again, those assigned to guard the gates approach the task with a presumption that all employees will abide by policy and law. While the majority of employees are always law abiding, that is not what compliance officers are for. Unfortunately, this syndrome affects attorneys as well, who naturally ally more readily with the business people who are the flesh-and-blood representation of their client, rather than their real client - the corporation itself - whose interests may diverge.

How To Achieve More Meaningful Compliance (Without Breaking The Bank)

As they have grown up, often organically and piecemeal rather than as part of an integrated design, compliance systems at large companies are usually based on adherence to a particular law, regulation or policy. What does the law say and how can we make sure to follow it? That mindset led to the development in the 1980s and 1990s of elaborate compliance programs, which were too often honored only in the breach.1

While compliance must necessarily take account of the law, this approach misses a key element. The better questions to ask are those that the government itself asks when investigators approach allegations of wrongdoing at a company: Where are the openings for wrongdoing and incentives to stay honest? What did the company do to train and police its employees? What remedial measures did the company take when employees violated policies in the past?

In particular, questions about the effects of incentives - both rewards and punishments - are too often overlooked in crafting the compliance regime. A good example of this problem springs from a recent Fifth Circuit decision in an Enron criminal prosecution concerning the "honest services" theory of wire fraud. The court reversed the defendants' conviction, ruling that employees of Enron had not deprived the company of "honest services" because Enron's incentive structure aligned employee compensation with the (corrupt) financial objectives of the company.2

Another example of skewed incentives operates in reverse: the failure to take adequate measures to address compliance violations and to communicate with employees about punishments. Frightened by uncertainty, the specter of public embarrassment and the threat of lawsuits, many companies take the easy way out through lenient treatment of violators and by hushing up incidents such that employees never learn of the consequences of violations. Even worse, many companies fail to keep adequate records of historical violations and punishments for fear of some future disclosure of those records. But without strict standards and a documented history of internal compliance enforcement that is communicated to the relevant body of employees, it is hard to create the proper incentives to employees and, should the need arise, doubly hard to convince the government that the compliance program has been "effective."

Creating a successful compliance policy requires managers to think first like government agents and then reverse-engineer the process. While industry-specific knowledge is important for understanding the business context, those designing, implementing and evaluating a compliance program must have sufficient independence to challenge the ingrained habits of mind that affect large business cultures. To use an only slightly exaggerated example, the company official who sees nothing wrong with closing the books for the month five days into the following month because "that's the way we've always done it" does not have sufficient objectivity. Compliance "consumers" who draw false comfort from the numbers generated by elaborate "process" compliance systems likewise endanger the effectiveness of the compliance regime. When compliance doesn't work, the reason most often is not that the process broke down mechanically, but that employees intentionally broke it or, more likely, avoided it altogether.

1 See United States Department of Justice, Memorandum Regarding Principles of Federal Prosecution of Business Organizations (Jan. 20, 2003), available at www.usdoj.gov/dag/cftf/business_organizations.pdf (describing the revisions to the principles of federal prosecutions of business organizations and how they "address the efficacy of the corporate governance mechanisms in place within a corporation, to ensure that these measures are truly effective rather than mere paper programs.").

2 United States v. Brown, 459 F.3d 509, 530-31 (5th Cir. 2006). The court held that "where an employer intentionally aligns the interests of the employee with a specified corporate goal, where the employee perceives his pursuit of that goal as mutually benefiting him and his employer, and where the employee's conduct is consistent with the perception of the mutual interest, such conduct is beyond the reach of the honest-services theory of fraud as it has hitherto been applied." Id. at 31.
