Betting the Corporation: Compliance or Defiance

Lawrence D. Finder, Ryan D. McConnell & Scott L. Mitchell drafted a paper surveying the sixteen corporate deferred prosecutions and non-prosecution agreements entered into by the Department of Justice in 2008.

Betting the Corporation: Compliance or Defiance? Compliance Programs in the Context of Deferred and Non-Prosecution Agreements – Corporate Pre-Trial Agreement Update – 2008

In 2008, every agreement contained some sort of corporate compliance reform provision – continuing a trend we have seen over the last few years. This trend is the focus of this update. Aside from building on prior observations, this piece attempts to draw empirical observations about the types of compliance programs that come out of corporate pre-trial agreements. The authors recognize there is no one-size-fits-all template for corporate compliance programs. But by examining compliance programs in the context of DPAs and NPAs, the authors strive to provide a picture of what types of compliance measures are negotiated by the DOJ and corporate targets to resolve internal control and other business deficiencies that resulted in criminal wrongdoing. We hope that this will provide some guidance for attorneys and other professionals who deal with compliance issues.

The authors note that one of the big changes in 2008 was the DOJ’s implementation of a new charging policy. (You can find it at 9-28.000 of the U.S. Attorney’s Manual.) Although the policy is no longer associated with a particular person (like the 2006 McNulty memo, the 2003 Thompson memo and the 1999 Holder memo), the nine factors for charging a corporation are still the same:

  1. the nature and seriousness of the offense;
  2. pervasiveness of wrongdoing;
  3. the company’s history of similar conduct;
  4. the company’s timely and voluntary disclosure;
  5. the existence and effectiveness of a pre-existing compliance program;
  6. the company’s remedial actions;
  7. the collateral consequences (including harm to shareholders) of a conviction;
  8. the adequacy of prosecution of individuals; and
  9. the adequacy of civil or regulatory remedies.

There is a new statement in USAM 9-28.200: “In certain instances, it may be appropriate, upon consideration of the factors set forth herein, to resolve a corporate criminal case by means other than indictment. Non-prosecution and deferred prosecution agreements, for example, occupy an important middle ground between declining prosecution and obtaining the conviction of a corporation.”

A second change in 2008 was the issuance of the Morford Memo that addresses the use of corporate monitors, providing guidance on issues that may arise in the selection of a monitor and the monitor’s duties.

2008 STATISTICS:

Total Number of Agreements: 16
Number of Privilege Waivers: 2   (13%)
Number of Agreements with Compliance Monitors: 6   (38%)
Number of Agreements With Compliance Reforms: 16 (100%)

The link above is to a draft copy of the paper. The final version is scheduled to be published in the South Texas Law Review in May 2009.

Seven Questions to Ask to Optimize Your Compliance Programs

Compliance Week put on a webinar covering Practical Guidance: Seven Questions to Ask to Optimize Your Compliance Programs. Bruce McCuaig, Vice President, Risk and Compliance and Mike Rost, Vice President, Marketing of Paisley presented.

Mike started off with some background of Paisley, then moved onto the “Why?” of Compliance. Companies want to avoid the downside that comes from compliance failures.

Bruce then took over and set forth the seven questions:

  1. Do you have an effective compliance program?
  2. Have you assessed the scope of your compliance program?
  3. Is your compliance program risk-based?
  4. Do you have effective controls over your compliance risks?
  5. Is your compliance program integrated?
  6. Are you leveraging technology to support your compliance program?
  7. Do you have a plan to instill and sustain your compliance program processes?

Effectiveness has a basis in the federal sentencing guidelines. You need to have a culture of compliance. You need to be effective in prevention. You need to document standards and procedures. You need to communicate and report. There is a need for continual improvement.

In assessing the scope of your compliance program, you need to look at the laws, standards and regulations that you must comply with. What jurisdictions do you operate in? What subjects do you need to pay attention to? You need to take a top-down, risk-based approach to address the scope of your program. You need to find the most significant risks to compliance.

To decide whether your compliance program is risk-based, you need to look at the root causes of possible failure. They break these into three pieces: behavioral or cultural factors, impact factors and external factors. Behavior focuses on people. Do your people know the rules? Impact factors look at systems, and external factors are things outside your control.

For effective controls you need to know the rules and know that the rules have to be followed. You also need to know when the rules are broken. If they are broken, there need to be penalties for the failure. It is important that employees read and certify that they understand the rules. Where compliance failures are a risk, the regulators expect there to be a dedicated compliance officer. You need to use compliance metrics.

An un-integrated approach has redundancy in testing and documentation, with common activities duplicated across business lines. Bruce sees five points of convergence:

  • Shared context in organization and process structure
  • Common language of risk and control
  • Common methodology
  • Enterprise wide reporting
  • GRC convergence technology

Bruce thinks technology is important. You need a library of intelligent information on laws and regulations. You need to manage the life-cycle of the policies and procedures. Such tools are useful to show that everyone has read and affirmed their understanding of the policies.

Bruce labels the four steps of maturity: (1) reacting, (2) anticipating, (3) collaborating, and (4) orchestrating.

Conducting C-Suite Investigations

EthicsPoint presented a webinar on conducting C-Suite Investigations, with Sally Rhys, BA, MS, CCEP of Business Ethics Focus. No-one wants to believe that allegations against the C-suite (Senior Executives) could be true. But with daily news reports of more cases of illegal and unethical transgressions by senior leaders, we all know that every organization is potentially at risk. It can happen at any time, even in your own organization. Are you prepared to handle such a crisis? These are my notes from the presentation.

Sally Rhys started off with a fraud scenario involving the CFO: a call from someone who thinks the CFO is overstating earnings and who has convincing reports. “What do you do now?”

Investigating the C-suite involves bigger risks. There are also psychological barriers involving loyalty to the organization and its management. Sally points out the need for a plan:

  1. Secure a sponsor.
  2. Engage a stakeholder team to act as a sounding board.
  3. Identify the positions which require an investigation protocol.
  4. Create plans for each position that needs a protocol. You may want to have an outside investigator for some positions. You may also want to have a PR plan and methods for dealing with clients, employees and other stakeholders. You also want to document the steps and the investigation well. You also want to be clear about the non-retaliation policy.
  5. Seek board approval. Craft a persuasive message to convince the board to approve a C-suite protocol.
  6. Publish the protocol. Write it down, publish it in the code and make it accessible. Only do this if you are actually going to follow the protocol.

It is good to have some method for quickly determining whether there is some basis for the claim. You need to show that you take the allegation seriously, but you also want to move quickly to respond appropriately.

It is important to show the board where executives go wrong.

The attendees said the most likely chilling effect on a C-Suite investigation is the concern that you will not be supported. Of the attendees, 46% picked this choice out of the four.

It is important to protect yourself. Make sure you have the support of the board or other key stakeholders. Be professional and leave emotions at the door. Be respectful and thorough. You need to stay credible.

Sally thought it was important to separate the role of general counsel and the compliance officer/investigator. Of course, you need to have a protocol for yourself/your position.

Cost-effective Compliance Risk Assessment

Rees Morrison, publisher of Law Department Management, is hosting a series of articles on Cost-effective Compliance Risk Assessment. This series is written by Jeff Kaplan of Kaplan & Walker LLP.

The first article was on three trends regarding the costs of ineffective compliance. Jeff first focused on the increasing occurrence of the “mega fine.” He then noted that desperate times tend to breed desperate deeds. Lastly, he noted that the new attorney general is the same official who set compliance and ethics standards as part of the DOJ’s enforcement decisions.

The second article was on non-costly ways to achieve C&E program successes. Jeff noted that it is more cost-efficient to build the compliance assessment into other functions.

The third article focused on how to embed risk assessment into the process of drafting “third-party” codes of conduct. Jeff points out that handing your employee code of conduct to third parties will just lead to confusion. In drafting a code, make sure you elicit comments from the people in the company with direct third-party dealings.

The Inside Story on the Breakdown at the SEC

Adam Zagorin and Michael Weisskopf wrote a very critical article in Time Magazine about Christopher Cox’s tenure with the Securities and Exchange Commission: The Inside Story on the Breakdown at the SEC. The authors use Cox as a symbol of what went wrong with the US financial system, resulting in its current meltdown. They paint a picture of a leader who avoided dealing with investment banks and pushed for de-regulation at a time the markets needed more regulation.

Long an evangelist for deregulation, the affable 56-year-old conservative former California Congressman took a custodial approach to a job that called for muscular leadership. . . . . Indeed, longtime observers say, Cox allowed complacency and drift at an agency that was created to issue warnings and limit the potential for wider damage from financial malfeasance at publicly traded companies.

Bashing the SEC has gotten very popular lately. This article continues the trend, placing the blame at the top.

Policies for Private Use of Company Computer Systems and Mobile Devices

Mark E. Schreiber and Barbara A. Lee published an article on the New Liabilities and Policies for Incidental Private Use of Company Electronic Systems and PDAs.

The discussion in the article comes from the decision in Quon v. Arch Wireless Operating Company, Inc., 529 F.3d 892 (9th Cir. 2008). In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of employees and the people they exchanged text messages with, when they reviewed “personal” text messages created on devices owned and issued by the police department. It also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§2701-2711, by providing transcripts of these messages to the employer.

The authors point out that the decision in Quon deals with constitutional questions involving government employees. The same positions may not be true for non-government employees. But there are still lessons to be learned:

  • Policies regarding employee use of email, internet access, and mobile devices should be clear that employees have no expectation of privacy.
  • Policies should make it clear that employees can expect their use of computer systems and devices, including personal use and messages, to be subject to monitoring and access by the employer with or without notice.
  • Carefully draft service agreements to comply in advance with the SCA and other wiretap type statutes with “consent” language.
  • Update subpoena and document response policies and protocols to comply with the SCA and, if the company operates internationally, foreign laws.

The 2008 LRN Ethics and Compliance Risk Management Practices Report

LRN published their 2008 LRN Ethics and Compliance Risk Management Practices Report (.pdf) (free registration required). The report is based on a survey of senior ethics, legal, risk and audit professionals, with 461 completed surveys.

The key findings of the report:

  • Ethics and compliance programs are maturing.
  • Companies identify their top two ethics and compliance risks as electronic data protection and data privacy
  • A majority of companies perform formal risk assessments involving multiple functions
  • Companies cite engaging employees and making education more relevant as their top challenges in prevention
  • Detecting violations still presents a significant challenge
  • Multinational companies face bigger challenges at their international regions than at headquarters
  • Few larger companies actively manage ethics and compliance risks within their supplier and partner networks.
  • Lack of resources – budget and staff – continues to be the leading challenge in conducting risk assessments and in implementing prevention programs.

LRN conducted a similar survey in 2007, so this report is able to identify trends (to the extent two data points make a trend). I hope that they conduct a survey this year to see if these trends stay true.

“More and more companies are recognizing that ethics and compliance is the new frontier of business strategy. Increasing research demonstrates that forward-looking companies that put in place comprehensive and holistic ethics and compliance programs – i.e., programs that do not simply ensure the organization meet all regulatory requirements but that embed values-based business conduct into their culture – enhance their capabilities to compete in the marketplace. Without the distractions that accompany conflicting ethical viewpoints and goals or concerns over potential and actual rules infractions. Companies should concentrate on the workforce or the management of compliance infractions, companies can thrive through inspiration, motivating employees to be their best. An ethical work environment leads to more productive and profitable organizations.”

The report also pitches the LRN Ethics and Compliance Risk Management Process:

An integral component of enterprise risk management is to holistically build a strong control environment with a culture of corporate ethics, by defining, preventing, detecting, responding and evaluating as part of five key steps for building a sustainable compliance risk management process:

  • Define business ethics and corporate compliance risks to create a comprehensive risk profile.
  • Prevent ethics and compliance lapses/failures with hard and soft controls, including business ethics and corporate compliance training.
  • Detect noncompliance with the law, regulations, company code of ethics and corporate governance practice via multiple reporting methods.
  • Respond swiftly and publicly to allegations and potential violations.
  • Evaluate results and make continuous improvements.

An LRN illustration of their process:

Roundtable Discusses Supply Chain Risks

On Jan. 27, 2009, Compliance Week and Integrity Interactive presented an editorial roundtable focusing on supply chain and vendor management risks. They were kind enough to invite me to participate. There is an article about the roundtable in the next issue of Compliance Week, and a copy is available online: Roundtable Discusses Supply Chain Risks (subscription required).

One theme from the discussion was a desire for an industry or third party standard for compliance. We all thought it would be great if some industry association or auditing firm could review vendors and give the reliable ones a seal of approval.

Dave Curan, the Chief Executive Officer of Integrity Interactive, recommended that all companies have a separate code of conduct that applies to their suppliers. Many in the audience pointed out that vendors often have their own code of conduct, which precipitates a “battle of the codes.”

The Unexpected Benefits of Sarbanes Oxley

The April 2006 issue of the Harvard Business Review has an article by Stephen Wagner and Lee Dittmar on The Unexpected Benefits of Sarbanes Oxley.

Although the article is somewhat dated when it talks about the second year under Sarbanes Oxley, it foretells some of the current thinking in compliance: compliance is good for business. Two and a half years later, the Madoff scandal illustrates the need to be more transparent to your investors, and for investors to look more closely at their investments. Documenting business processes and putting controls in place will make your business run better.

Good governance is a mixture of the enforceable and the intangible. Organizations with strong governance provide discipline and structure; instill ethical values in employees and train them in the proper procedures; and exhibit behavior at the board and executive levels that the rest of the organization will want to emulate.