Why should you have a compliance program? The Legal Case

In a prior edition we discussed the Business Case for having a Compliance and Ethics  (“C&E”) program.  Here we review the Legal Case.  The legal case for having an effective C&E program is often what causes companies to initiate C&E programs. The are several pieces to this.

Legal requirements

In certain risk areas and/or industries the C&E elements may be legally required. Where C&E elements are mandated, not having them can itself be a legal violation, with a range of penalties, including disruptive and expensive investigations, fines, and even prison. These requirements can be highly detailed, such as those seen in the finance sector dealing with risks like anti-money laundering.  There are also requirements related to specific risks that apply across all industries, such as required harassment training.  In the US, for example, this may be imposed at the state or municipal level. 

Mandated programs can seem to those in government as a quick fix to prevent misconduct.  Instead of relying on incentives, which was the approach of the US Sentencing Guidelines starting in 1991, the regulatory instinct is to dictate what is to be done.  But while this seems logical to governments, there are some deep flaws in this logic. The government typically requires things that are quantifiable and easy to assess. Mandates will call for specific forms to be completed in a fixed amount of time and for employees to be corralled into classrooms for specific training.  Mandates tend to pull toward box-ticking, so compliance with the mandates is easy to count.   

What is often missing from government mandates are the steps that really make a difference and could actually prevent serious violations.  These would include having a real Chief Ethics and Compliance Officer with power reporting to the board and sitting with the other top leaders such as the CFO, CEO and General Counsel. Mandates would typically not cover incentives, or require actual, meaningful steps to prevent retaliation. 

The government also misses a reality of corporate life. The required minimum can quickly become the lawyers’ maximum.  If two hours of training are legally mandated (as California requires for harassment training every two years), then that may be all the company ever does, even if the training does not work.  One can picture the lawyer sitting there counting out the minutes to be sure the training lasts exactly 120 minutes, and then ending the session.  Moreover, for the government to enforce these mandates the burden of proof is typically on the government. It could take a lot of work for enforcers to prove that a program failed to address more substantial compliance program elements such as incentives, or that a compliance officer  lacked “power.”   Bean counting is always easier than trying to determine if something worked, especially when the burden is on the government to prove the company’s failure to do difficult things the right way.  Tick-box exercises are more countable and easier for enforcers to prove to a court that they did not occur.

Avoiding costly litigation, losses in civil cases, and criminal penalties.  

Creating a compliance program because it is mandated can be seen as just another burden imposed by government.  But having a program to prevent bad things from happening is a more constructive approach.  It only takes a bit of thinking to realize all the bad things that can happen when a company goes astray.  For a starting point, C&E professionals can get their people to imagine if there is litigation how much time they will have to spend with lawyers and away from doing their jobs.  Reminding managers of how much time they will need to spend preparing to testify, being in depositions, responding to document requests and in the worst case having to testify in court is definitely something normal people will earnestly want to avoid.

There is also the disruption to the business.  Personnel can be dragged into this from the top to the bottom of the company.  All kinds of important functions and plans in the company can be disrupted in preparing for government investigations and litigation.

Many forms of misconduct can lead to civil cases, even if no criminal violations are at issue.  These can bring the disruption of discovery in its various forms.  Damages can be substantial.  In American antitrust cases, for example, treble damages are mandatory. In other cases there may be the risk of punitive damages.

Going up the ladder of legal horrors, at the top are the criminal violations.  This is an area where lawyers can wax poetic about all the bad things that can happen. Here there can be fines, injunctions and even prison terms. This is an area where real life stories from similar companies help convey the message.

A very effective way to bring this to life and make it starkly realistic is to have the lawyers first do a bit of digging around the company.  This is perhaps a frightening concept, but it is very likely that if you do even a small amount of digging – interviews, site visits and file reviews – you will find some really scary things in your own company. You may find records that document something that was perfectly legitimate, but that use terms guaranteed to get executives’ attention as they picture the impact these words would have in litigation (or in the news reports). These types of documents help convince otherwise skeptical managers that, indeed  “it can happen here.”

Then there is a very special kind of possible disruption – the appointment of a monitor.  This is disruptive and intrusive possibly for a painfully long period – having the government require a monitor in the heart of the business.  The impact and cost of this one, highly disruptive element can on its own be enough to motivate companies to do what they can to avoid problems.  Even if management is not fond of their own company lawyers, they will find them much preferable when compared to a government-designated expert watching every move management makes. 

Compliance & ethics:  A defense when something goes wrong.

We’ve all heard the point, that no matter how good your C&E program, you cannot always prevent misconduct. But the value of the legal case comes sharply into focus in those circumstances.  The existence of an effective C&E program can reduce the impact from investigations and prosecution, and in some cases even be a defense. 

In the US, for example, under the Federal Sentencing Guidelines fines can be dramatically reduced.  Even more important, the US DOJ takes programs into account in determining whether to prosecute and how to treat the offending company. 

While usually a C&E program is just an ameliorating factor depending on enforcers’ discretion, there are instances where it may be a defense.  In the UK, for example, this is the case in foreign bribery cases.  In the US it can be a defense to some harassment cases and a defense to punitive damages in some employment discrimination cases.

A C&E program may also unearth problems before the government discovers them, allowing the company to pursue a government voluntary disclosure/leniency program.  In antitrust, for example, these can even exempt a company from prosecution.   

Why the “legal case” matters so much in getting C&E programs to be real. 

In the US for criminal cases, the powerful benefits from C&E programs are discretionary with enforcers.  This means the burden of proof is on the company to show its C&E program was effective.  The government has issued extensive guidance on what it looks for in programs; these factors tie back to the Federal Sentencing Guidelines standards. These standards call for no-nonsense steps.  Unlike the bureaucratic box-ticking elements when the government tries to dictate programs, when the roles are reversed and the government has discretion in how to proceed against a company, the government standards can be meaningful and real.  Prosecutors  can require the company to prove that its program was effective, that it addressed incentives in it’s the program and that it actually took steps to prevent retaliation. Box ticking gets the company nowhere if the company cannot prove that its steps were diligent and actually worked. 

Consider, then, that happens when you are only relying on government compliance dictates to develop your C&E program.  You will get the minimum the government dictates.  There is no incentive to do more.

Alternatively, is you are simply relying on the business case, it may be true that management will agree to adopt a C&E program based on the business benefits.  But what will be in the program?  Without doubt there will be a code of conduct and some lectures. But business managers very likely will not readily go for you having any role in incentives or promotions, nor will they welcome having you reporting directly on an unfiltered basis to the board.  They will not see why they need real measures to address the risk of retaliation (since they believe they would never retaliate).  Likely managers will offer their own judgment on what should be in the program.  They may see possible business benefits from the program, but may still have their own judgment on what needs to be included. They may not see a clear case why they should give you actual power over them or accept the other types of elements needed to be really effective.  

We can wish this were otherwise, but the reality is that only the government with its leverage can get the senior executives to yield enough power and control and provide the resources that are enough to make a real difference. History shows the government will not mandate by regulation the things that matter most, nor will senior management voluntarily adopt those measures which actually limit their own power. Neither a business case nor even an argument for what is “right” will get people to yield power.

On the other hand, where the government holds the cards and the burden is on the company to prove its program merits better treatment, the government has the leverage to move company executives to adopt strong and essential C&E elements. Government’s effective (and visible) use of its leverage is the key for getting to that level.

In a following issue we will discuss the moral case, and also some conclusions.