Why do compliance programs fail?

In your reading, have you ever seen pieces on the topic of why compliance programs fail?  I come across them from time to time, and particularly from legal scholars.  They are typically premised on instances where companies broke the law and especially on those with repeat offenses. 

Often these articles then tell us what we in compliance and ethics (“C&E”) are doing wrong, or why the idea of compliance programs is completely wrong or misdirected.  In the Wells Fargo case, for example, writers state that there were many compliance people there, but still the violations occurred.[1] Ipso facto, C&E failed and that is why the violations occurred.   

But is there something missing in this apparently simple exercise in logic?  

Where were the lawyers? Note the unstated premise: if something goes wrong it is the fault of C&E/the compliance program.  But not so long ago when there were major corporate scandals there was the question: “Where were the lawyers?”  Whatever happened to that question? 

Consider the role of lawyers in companies.[2] Why are they now omitted from the analysis of what happened in violations?   Are they just distant from all the important matters in the corporation and are simply bystanders, so they should not even be considered when discussing why wrongdoing happened?  Or is it appropriate to ask if there was any failure to act on their part? Do they perhaps even play a role to some extent in limiting the ability of C&E to actually prevent misconduct? 

A comparison:  CECOs & GCs. Should we be asking these types of questions when we are trying to understand more about corporate scandals, and assessing who is really in a position to play a role in preventing misconduct?  If the C&E people were in a dominant position and legal in a subordinate role, that might well support the implicit idea that the fault in violations rests with C&E. But does an examination of the facts support that idea?  Or does the actual distribution of power undercut the idea that C&E is the only place to look for responsibility? Here are some questions to consider:   

First question:  If we are first to blame the CECO, then should we ask how many general counsels (GC’s) report to chief ethics and compliance officers (CECOs)?  If there is any place where this happens it is extremely rare.

Second question:  How many CECOs report to the GC?  Estimates vary, but it is a large number. Moreover, it seems to be the case that many if not most GC’s consider compliance to be part of their turf.

Third question:  How many companies lack an actual CECO and instead just have a GC who has the Compliance Officer title, but no training in the C&E field? 

Fourth question:  In companies where the CECO does not report to the GC, how many of these CECOs are considered more powerful and better positioned than the GC?  Again, to the extent there are any it is exceedingly rare. 

Fifth question: Between the CECO and the GC, who is more likely to:

• talk regularly with the CEO and with other top officers?
• have the most opportunity to interact with the board?
• know what is going on in the company, especially at the top levels?
• exercise control over all contractual arrangements, litigation and dispute settlements, which reflect important aspects of what is actually happening in the company?  

My experience as a lawyer and a C&E person tells me it is the GC.

Sixth question: Did the lawyers resolutely help the C&E program, or did they undercut its effectiveness? Did the GC ever weaken the program, for example, by providing advice to: 

• Pay off a manager who did wrong to get rid of that wrongdoer, instead of disciplining the person as an example for others.
• Instead of following up on a complaining employee’s claim of misconduct that victimized her, simply pay her money to leave under an NDA.
• Not publicize disciplinary cases for fear of litigation.
• Require that the GC edit/screen/censor C&E reports to the board and audit committee.
• Require that the GC edit C&E audit reports to exclude anything that suggests wrongdoing or that could be used against the company.
• Not support the CECO having input on senior management promotions.
• Not allow use of actual company cases in training because of litigation risk.
• Require the CECO be subordinate to the GC to protect privilege
• Not include root cause analysis in investigation reports because it might constitute admission of guilt or weakness in the compliance program.
• Limit the scope of investigations and investigation reports to avoid litigation under privacy laws.
• Exclude the CECO or compliance subject matter experts from meetings, since the GC could handle everything adequately without other voices.

So is it even necessary to ask who has more power and responsibility whenever there is a management decision that would likely lead to violations?  Consider who was best positioned to prevent wrongdoing.  Consider also who is also most likely to be the one telling the CECO not to do things that could discover or prevent misconduct, because they might present even a small risk in litigation?

I do not recall seeing any assessment of these types of questions in any of the literature that concluded that “the compliance program failed.”[3] 

Realistically addressing corporate crime. We as a society are legitimately concerned about organizational misconduct.  Those who join in this concern will be much more effective if they can take an open-minded approach in this area. There is much we can do to improve our ability to prevent and detect misconduct, including examining all the relevant facts with genuine curiosity about how things actually work in companies, and the humility to accept that there is much that can still be learned from asking more questions.  If we put aside prior assumptions against C&E and decide to work cooperatively, I am certain we can do a better job to prevent corporate misconduct[4] and protect those who are the victims of this scourge.   

[1] When dealing with examples from the financial field, commentators typically do not address the key point that compliance programs in banks are not voluntary; the details of such programs are dictated by law and do not reflect the rigor or depth of comprehensive standards like the US Organizational Sentencing Guidelines, where companies have broad discretion on how they implement their compliance programs. There should at least be discussion of this important aspect – mandated steps are significantly different from those promoted by incentives.  In incentive-based systems companies have more discretion in how they implement a program, but the standards are far more robust than those dictated by law or regulation.  

[2] References here to “companies” and “corporate” apply as well to other types of organizations including universities, non-profits and government entities.

[3] In the present article I do not address the separate analysis of how the legal system itself undercuts the ability of CECOs and C&E programs to prevent violations.  That is a subject that also deserves attention, and is covered in much more detail in Joseph E. Murphy, Policies in conflict:  Undermining corporate self-policing, 69 Rutgers U.L. Rev. 421 (2017), http://www.rutgerslawreview.com/wp-content/uploads/2017/07/Joseph-Murphy-Policies-in-Conflict-69-Rutgers-U.-L.-Rev.-421-2017.pdf .

[4] Nothing in this article should be read to suggest I believe C&E programs are where they should be.  Anyone who reads this newsletter knows of the many practical things that could and should be done to improve C&E programs.  The examples are many: CECOs need real empowerment and independence, programs need to address incentives, and practical steps need to be taken to prevent retaliation.  But any examination of corporate scandals should be as realistic as possible, including paying attention to the power dynamic in companies.