When I first saw the title of this book providing an “Advanced Introduction,” I was struck by an apparent anomaly in something being both an introduction and advanced. But a sentence on the first page gave a good clue on why this made sense:
“Compliance is not a legal field but is multi-disciplinary.”
This one sentence previews why this introduction is “advanced.” If you only want a “how to” explanation of the USSG’s legendary “seven elements” then the introduction does not need to be advanced. But given the depth of explanations provided by Professor Hess relating to the different disciplines that make up our field, the title fits well.
Why you will enjoy this book. If you have a genuine interest in exploring this field then you will be delighted by a feast of ideas and analyses, history and predictions about the field. When you read it give yourself time to go back and forth with the author as you delve into this work. If you have been around for a while you will find some old friends (e.g., the Milgram experiments, the Israeli childcare story) and likely some new perspectives (e.g., the idea that the concept of corporate culture could be further divided into such concepts as “ethical climate”). If you are like me, you can have an animated discussion with the author by writing “yes” and “no” notes in the margins as you proceed. If you are new, take this as an invitation to explore more, and also be ready to challenge things you have not found to be consistent with your own experience.
Some very cool aspects of this work. Throughout I found particular points that commend the book. First the scope is appropriately broad, going beyond just compliance with American criminal law. It also has realistic assessments of some of the aspects of current practices. For example, it notes the negative impact of the suspicion and guilt-laden elements of some approaches to harassment training, versus the positive reception seen for intervention training, which assumes the best of the audience. On page 97 the author makes an excellent point about training managers on active listening. I am 100% for this, and believe it can make an amazing difference for everyone.
Prosecutors who believe you have committed a crime are easy to convince and readily take your word for it that your compliance program was perfect. Said no one, ever. Yet that bit of reality does not seem to interfere with criticisms of compliance programs that are discussed in chapter 3. In the critical literature there is generally no recognition of what should be fairly apparent: experienced government professionals can effectively smoke out fakes in the normal course of an investigation (remembering especially that the burden of proof is on the company). There is also a tendency among some critics to pretend that complex companies and other huge organizations are really just giant, single-minded individuals intent on gaming the system. In our field we need to have a degree of skepticism as professionals, and it can be well applied in examining the discussions and assumptions by these critics.
In the discussion about the role of compliance programs in dealing with the government on page 56 the author says use of compliance programs in government enforcement depends on “trust.” I like to remind people that I am an “antitrust” lawyer – I oppose anything based simply on trust. I would suggest that empirically there is no basis I have seen anywhere for this assertion. Government credit for compliance programs does not depend on trust, and I have just not met enforcement people whose inclination is to trust those who are charged with crimes or other offenses. First and most fundamentally, as noted, the company bears the burden of proof. This is a substantial barrier, to prove that something was “effective.” Moreover, smart prosecutors do not wait for a company’s dog and pony show. The compliance program evaluation should start from the very beginning of an investigation. As the DOJ Antitrust Division notes in the first page of its “Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations” (Nov. 2024), prosecutors are to:
“obtain information necessary to evaluate compliance programs throughout the course of their investigation, including asking relevant compliance-related questions of witnesses. Accordingly, prosecutors should not wait for companies to offer a presentation before beginning their evaluation of the program.”
On the trust point, it is also useful to consider that in a criminal case DOJ has serious investigative tools like grand juries. You have employees, managers, agents and others testify in secret. It becomes very clear very quickly whether there is a real compliance program. There is no trust involved. A prosecutor would have to deliberately wear blinders not to notice if people never mention the program, are clearly cynical about it or have never heard of it. The idea that a company with thousands or tens of thousands of employees would convince them all to lie about having a compliance program is whimsical.
Companies are constantly gaming the system and getting off because they have fake compliance programs. This is another implication of the critics that is embarrassing in its lack of logic or actual experience. Aside from the mistaken idea that prosecutors are naïve pushovers, the big question is: where, exactly, are all these cases? If someone wants to undertake deeper analysis to find some, that would be very educational. For me, I cannot find even one, either from the Criminal Division or the Antitrust Division, since the 2012 Morgan Stanley case. The only cases that say anything at all about compliance programs are exclusively about how the company reacted once a violation occurred. There are no published cases where a company got off simply because of a PRIOR-EXISTING compliance program. Even worse, there is not even one case where DOJ, in its published statements about its corporate cases, has even mentioned a company’s prior existing compliance program. Note, for example, that DOJ has not openly given credit for a prior program in the decade since Morgan Stanley. For practitioners this has been a constant weakness – there are no stories to back up what they say to clients when telling them that effective compliance programs really matter to enforcers. We have no cases we can cite.
The famous 2012 Morgan Stanley case. No discussion of criticism of the Criminal Division’s approach to compliance programs is complete without looking at Morgan Stanley – the one case everyone cites for a company getting the benefit of a prior existing compliance program. To read the critics, Morgan Stanley scape-goated a victimized employee, and snowed the government simply by telling them they had trained everyone 54 times. Based on this fake compliance program this criminal company got off. Very compelling story. And complete nonsense.
The reality is that Morgan Stanley is basically the type of case American prosecutors do not pursue. The company was itself the victim of fraud by the culpable employee. The company discovered the wrongdoing, fully disclosed the matter and fully cooperated. That would typically be enough to justify not prosecuting. But critics fell for one of the oldest tricks around: an employee blaming the company for his or her actions, even when they were cheating the company. Moreover, the critics simply ignore the actual description given by DOJ about the company’s compliance program. Yes, DOJ noted that the company trained employees in that part of the world 54 times, but also highlighted other no-nonsense steps:
“Morgan Stanley’s compliance personnel regularly monitored transactions, randomly audited particular employees, transactions and business units, and tested to identify illicit payments. Moreover, Morgan Stanley conducted extensive due diligence on all new business partners and imposed stringent controls on payments made to business partners.”
I should note here that in the review of the literature in this chapter the author recounts to readers the criticisms of the compliance approach. My analysis here is not critical of the author, but of the sources he presents.
Chapter 4 on Behavioral Approaches. The author goes in-depth regarding behavioral approaches to compliance and ethics. There is much value in this tool, as he well illustrates. But a newly emerging trend is to have such approaches also informed by a balanced approach to neurodiversity – recognition that what works for most may not work for all, given the significant differences in how we each process inputs. One concern about behavioral approaches is that they sometimes seem geared toward what works on averages or to influence most people. Getting 75% of employees to do something is necessary, but it is never sufficient. The other 25% or 15% or even 1% can get companies in serious trouble. We need to dig deeper and start asking such questions as which parts of behavioral approaches do or do not work on sociopaths (Anti-Social Personality Disorder) who may make up 1-5%, with a likely higher percentage at the top of organizations? (See Patric Gagne, Sociopath: A Memoir for more insight on sociopaths). What factors mold behavior best for those on the autism spectrum, or with ADD or even just what used to be called “type A” people (like me – those who can actually use the detail that seems to be disdained by some behavioralists)?
Behavioralism is a useful tool, but just one of many. It is worth keeping up with the area, but not replacing other elements. C&E people should also study various types of controls, learn from internal audits, and study recent scandals and schemes in their industry. In other words, the field is truly multidisciplinary. Behaviorism is an important discipline that is worth studying along with a range of other useful disciplines.
There also may be a tendency among some of those taking the behavioral approach to overstate the novelty of the learning in this area. For example, the book correctly cites the more recent 2000 edition of the seminal work, Kennedy and Deal’s Corporate Culture, but it is worth remembering that the original book came out in 1982 and was something we were aware of even in the ancient days of compliance.
Corporate culture: great wisdom from Olympus, or based on what the bosses actually do? On page 74 the author offers valuable insight about corporate culture, quoting a source on this point: When managers act as role models these can serve as the stuff of organizational legend. This is a key point that does not get enough attention in others’ discussions of culture. Executives seem to think that if they go off on some resort retreat and contemplate their corporate values this will be a big step forward. But even one real story shared by executive assistants about office misconduct by executives can eviscerate such efforts. Culture is made up of the stories that people tell. If executives boldly champion what is right and strongly resist what is wrong, that is what sets the culture (my language here is taken from similar words of a company founder almost a century ago, but still quoted in the company because they know he lived those words). The author also makes the important point, sometimes overlooked by those discussing our field, that in organizations there may be different cultures or subcultures. As one who worked in a company for 20 years, this was certainly my experience.
Exploring the area of incentives. One super strength of this book is that it addresses incentives directly. (Disclaimer – like many writers I appreciate when someone cites my work, and Professor Hess does this with my white paper on incentives.)
On the negative side there are a couple references that could lead a reader astray. Page 83 suggests managers are focusing on incentives and discipline like using a carrot to move mules. But of course, a major and consistent failure in our field is managers and companies doing nothing at all connecting incentives to the compliance program. Page 104 reports that DOJ says to use incentives to “encourage ethical behavior,” i.e., perhaps rewarding people for not being indicted. For companies that do use incentives, it is not as a reward for not breaking the law, but as recognition for leadership in such things as promoting the compliance program and setting examples for others by their actions. Use of incentives would also include things such as checking on the impact of corporate incentive systems and treating promotions as an incentive element that needs to be tied into the compliance program.
Cases on incentives gone wrong. On page 99 the author recounts the California Sears brake repair scandal, which was the incentive story we used to tell before Wells Fargo. A manager at Sears came up with the “genius” idea of giving rewards/incentives for selling new brakes to those who came into the shop. There was no effective check on the brake repair people, despite clearly asymmetrical knowledge about brake conditions. A failure to have someone there when this incentive system was being developed, asking “what’s the worst that could happen,” was a fateful mistake, illustrating why compliance needs to be involved when incentive systems are being developed.
The CECO “reporting” to the board. The author shows excellent insight in examining the tricky ambiguity of the English language in using the word “reporting,” as in describing how a CECO “reports” in a company. Reporting can be anemic – issuing a one-page memo that has been completely scrubbed by legal so it says nothing. Or it can mean that the senior executive or board committee the CECO reports to controls the CECO’s pay and life in the organization. Merely providing useless semi-annual sanitized memos to the board is worthless. The CECO should report directly to a source of real power in the organization.
Professionalization of C&E. In looking to the future there is a helpful discussion on the professionalization of C&E. This includes reference to SCCE, but in a future edition it would be good to examine SCCE’s code of professional ethics for C&E professionals (I was a co-author). Part of what makes them professional is that they have a duty outside of the entity. They are not simply there to help the organization achieve its missions. They must raise issues even if it impedes that mission, in order to protect from misconduct those who are affected by the organization.
Reporting to the audit committee. The author questions whether the CECO should report to the audit committee. This is the type of useful, practical question that the author examines throughout the book. To this day it remains an open question. In my experience the advantage of the audit committee is that this committee typically has power, it is independent, and it is taken seriously. A new C&E committee might not have any of that. The author is right that C&E is certainly broader than the scope of internal audit, but no committee is going to have the full scope and expertise that C&E needs. The better course is for companies to recruit to their board a CECO sitting in another company. This would make enormous sense for an audit committee and ensure intelligent review and reception of the compliance program reports.
I recommend reading Professor Hess’ book and having the kind of debate on some of the issues that I have included in this review. It will be time and intellectual energy well spent.