10 Steps to a Better Day - American Bar Association

Volume 13, Number 1 - September/October 2003
10 steps to a better day
The key components of compliance
By Karen L. Shapiro
Compliance has been an issue for business lawyers for more than a decade.
Lately, though, it's become a bona fide hot topic.
More than 10 years ago, the Federal Sentencing Guidelines for Organizations were
adopted to bring consistency to punishment of organizations. The guidelines
recognize the need to provide for companies that try honestly to operate in
compliance, and so give federal judges discretion to mitigate penalties against
companies that had an effective compliance program when the violation occurred
(see the sidebar "What do the Sentencing Guidelines say?" at the end of this article).
Since then, it has been necessary for lawyers representing organizations to
understand and, when asked, develop compliance programs. In the rubble-strewn
aftermath of Enron, WorldCom and the like, it's become even more important for
counsel (both outside and in-house) to understand what it means to have an
effective compliance program.
"Why," you might ask, "should business lawyers care about how to 'do'
compliance? The Compliance Department has to make sure its program works."
Business lawyers should care because they advise clients on the need for
compliance programs. They meet with regulators and prosecutors and then advise
clients to make promises about compliance to avoid or diminish the severity of
proceedings.
To do this effectively, lawyers need to understand what it means to adopt,
implement and maintain an effective compliance program. It's their job to
understand what promises to regulators in settlement orders about compliance
involve, so they understand whether their clients can do what they've promised,
within the time they've agreed to do it. This matters, since violating undertakings
in a settlement order could lead to further charges.
Regulators and courts take a dim view of recidivists. This will be even more true
post-Enron and in light of the Sarbanes-Oxley Act's new requirements for public
companies. As a result, counsel can expect boards of directors and corporate
executives to have little tolerance for repeat deficiencies. Business lawyers need a
solid understanding of how effective compliance programs work so they can help
their clients avoid repeat failures.
Before we turn to 10 best practices, remember that compliance doesn't occur in a
vacuum. Keep a few thoughts in mind as you consider how these best practices
might apply to your clients:
What is the size and complexity of the client? Large, medium and small
companies have different capabilities to support compliance programs.
Are compliance processes manual or automated?
Are these processes conducted in-house or have they been outsourced? If
outsourced, are there quality assurance standards binding the provider?
Does your client view compliance as the minimal steps necessary to avoid
violations, or as a moral compass guiding its business?
With these thoughts in mind, let's go to the list:
No. 1: Know what you need. Legal and regulatory obligations are the
beginning, not the end, of understanding compliance requirements. You also
need to understand how your client's business operates. What is the flow of
activity and information? The success of the compliance program will turn on
whether it accurately tracks the business process. Building a successful
program differs from company to company. There's no one-size-fits-all
approach. As you discuss the program with your client, make sure everyone
focuses on integrating the compliance program into the business.
No. 2: Perfection is elusive, but sometimes you have to go for it. There's
a saying that "the perfect is the enemy of the good." Indeed, striving for
perfection could get in the way of implementing a good, effective program if
the quest for perfection delays taking any action. Still, sometimes "good" isn't
good enough.
Think back to competing for grades in law school. A former colleague used to
say that scoring 95 on a 100-point exam was an A+ performance. Then he'd
translate 95-percent compliance success to the context of retail sales: Take a
company with 10,000 salespeople. A 95-percent compliance rate means
9,500 of its representatives comply with applicable requirements. That's
great.
That only leaves 500 other salespeople who, every day, are making sales
most companies wouldn't want if they knew how those sales were made. And
those 500 folks are out there selling right now, even while you're here
reading this article. In other words, 95 percent is nice, but an effective
compliance program should strive for more.
So how do you do it, if you're not satisfied with 95 percent but can't hold out
for perfection? To begin with, keep it simple. A compliance program only
works if it can be followed. Lawyers could prepare elaborate procedures that
would tightly control every imaginable type of misconduct or mistake. Avoid
that temptation — if procedures are too detailed, pieces of the program will
slip sometimes or not be done at all. And, if regulators and courts dislike
companies with no compliance program, they have an even bigger problem
with companies that have a program and don't follow it.
To design compliance policies and procedures that work, keep in mind the
"three Cs": clear, concise and complete.
Clear speaks for itself — policies must be easily understood. A good rule of
thumb is to consider whether three employees from separate parts of the
company would give similar answers to deposition questions about what a
policy means. (Don't assume this issue away. You may think you know the
answer, but if you wrote the policy, you already know what it means.) If, in
discovery, it turns out that no two people had the same understanding of a
policy, you've lost the battle to prove it was effective. To build a clear
program, involve people who aren't legal or regulatory experts. Employee
focus groups can help here.
Training is essential to promote understanding of the compliance program.
Make sure everyone in the organization knows there are compliance policies
and procedures, how to find them and whom to contact if they have
questions.
Concise, tight wording helps make policies clear. And, by avoiding extra
words, you avoid extra questions in those employees' depositions. Say what
you need, and need what you say. Everything else is unnecessary and could
be a problem later.
Complete brings us back to policies having to fit the company's operations.
Compliance can't be bought "off the rack." If policies and procedures don't
comprehensively cover the business processes, the program could have gaps,
leading to surprises later.
How do you avoid those gaps? Test the procedures with employees from
different parts and levels of the company. The people in the trenches will
know if you've missed something important. Effective compliance requires
help from people who live in the real world governed by the program, to
make sure that the rules cover the ground and can be clearly understood and
consistently followed.
No. 3: What gets measured gets done. First, the good news: What gets
measured eventually gets done. People generally try to perform to known
expectations. If a company wants its procedures followed, it should set
performance standards, measure how the organization satisfies them, and get
the numbers out to staff and management. Also, include this performance in
compensation decisions. It may take awhile, but the alignment between
measurement and performance should improve.
Most functions we measure quantitatively also have a qualitative dimension.
So, we also have to make sure the function is done correctly. This brings us
to the bad news: What does not get measured may or may not get done.
That sounds obvious, but for any task the company wants to complete within
a specified time, also measure how well the transactions are done. If you only
measure timeliness, quality of execution may deteriorate in the crush of
deadlines.
Qualitative performance failures don't appear in real time, like missed
deadlines. They're a lagging indicator. You won't know you have a problem
until you have a problem that could have been prevented by qualitative
measurements.
No. 4: Monitoring helps, but it isn't everything. An effective compliance
program must include monitoring, but reports alone aren't enough. Is
information important? Absolutely — no compliance program works without
exception reports to focus management's attention where it's needed.
Will good reports make the program effective? No. Effectiveness takes
judgment to evaluate exceptions and takes managers willing to deal with
whatever the reports uncover.
This goes back to guarding against having a compliance program that isn't
followed. Once you implement exception reports, you have to act on what
they find. Thus, the corollary to rule No. 4: Don't cast the net too widely or
you'll catch more than you can manage.
Let's be clear about what that means and doesn't mean. It does not mean a
company should ignore genuine misconduct or negligence. It does mean,
however, that if exception reports don't differentiate between jaywalking and
murder, they will produce more items than the company can effectively
handle.
Remember, hindsight is 20/20. If a company has a problem, and no one did
anything because it was buried in an exception report, the compliance
program didn't work. Failing to act on significant exceptions makes it harder
to show the company takes compliance violations seriously.
Once the reports are coming, a compliance program needs to differentiate
among exceptions to allow a flexible response. Build your program with the
full range of possibilities in mind. Then, think about whether an exception
resulted from lack of knowledge or deliberate wrongdoing. If the employee
didn't understand the conduct was wrong, and there was no material harm or
deliberate misconduct, training may be an appropriate response. (This only
works for the small stuff — you shouldn't count on persuading anyone that
someone committed fraud with a pure heart and an empty head.)
A progressive discipline policy providing a range of sanctions from warnings
through termination will give management the ability to deal with similar
situations flexibly but consistently. The sanctions should match the offenses
proportionally, so they convincingly demonstrate the company's intolerance
for bad actions, without going overboard.
No matter how unpleasant it is, companies sometimes have to fire people.
But, not all violations require termination. If the compliance program shows a
commitment to doing business the right way, the company can respond to
situations flexibly and still foster an environment of responsibility and
accountability.
No. 5: Learning from your mistakes is good; learning from someone
else's mistakes is better.
Read the newspaper. Talk with colleagues who practice in your client's
industry. If a competing company was just disciplined in a regulatory
proceeding and there's a lesson to be learned, let your clients learn it on the
other guy's nickel. If they're in the same business and they have a control
weakness, your clients should examine their organization for that risk. The
lesson learned will be no less valid just because someone else paid for it.
Of course, companies also have to learn from their own mistakes. If your
client's company gets caught up in a proceeding that reveals a control
weakness, fix it as quickly as possible. You may be able to mitigate the
consequences if you can show that the company corrected the problem as
soon as it could and made things right with anyone who was harmed. Learn
from mistakes while they're still fresh. Companies will never be more sensitive
to the need for a compliance program than right after they've paid for
compliance failures.
(Somewhere around now, clients start to grumble, "This never ends!" Right?
Exactly right: Compliance programs are never done. They should always be
works in progress. While a company shouldn't issue new policies so often that
updates lose significance, the program must be able to handle new issues.
Update the program when it's necessary.)
No. 6: You get what you pay for. This is a two-part rule. Here's the easy
part:
Compliance costs money. If a company tries to develop a compliance
program on the cheap, it will be disappointed when it doesn't get all the
protection it expected. Good people cost money. Good training costs money.
Good systems cost money. Let's come back to the point about good people. If
a company is just beginning to formalize its compliance program and doesn't
yet have a compliance officer, advise the company to appoint someone with
sufficient knowledge, experience and stature to get the hard decisions made.
Selecting someone inexperienced may save money in the short run, but could
cost a lot later if that person doesn't spot the issues, recognize their
significance and fix them.
Now for the harder part: You get what you pay for, and that includes
behavior. Think about which people companies value most highly. In a sales
organization, big producers are highly valued. But, is revenue all the company
values? Or, does it value and reward the quality of business? If it only
recognizes and rewards production, the company will get what it paid for —
high production, regardless of how people brought it in.
If you want people to behave well, reward good behavior and punish bad
behavior. People need to understand it's not just about how much business
they do. It's also about how they do the business. This requires evaluation
and compensation systems that reward good compliance and mark people
down for poor compliance.
The same is true for supervisors. If a company pays managers for recruiting
and production, they will focus on hiring and production targets. At best, this
leaves supervision in third place. Make sure managers understand they are as
accountable for their staff's problems as they are rewarded for their
successes. You get what you pay for.
No. 7: Risk is to be managed, not feared. "Doing business the right way"
has two parts. The part about doing business is important, too. In designing a
compliance program, you could try to identify every risk confronting the
organization and drive a stake through its heart, but if you raise
insurmountable barriers to doing business, you haven't moved the ball down
the field. Risk cannot be eliminated.
The hard work is balancing compliance risk against flexibility. The challenge is
to build controls that let good business be done without unnecessary
impediments.
No. 8: Auditors are your friends. The company's auditors can help get new
compliance policies off to a good start, and they help keep programs
effective. You won't know if controls are any good until you know they work,
and you find this out by testing them rigorously.
After your client installs a new compliance program, give it some time and
then have the auditors kick the tires. If the controls work, that's good. If
they don't work, it's better to find out quickly. Don't let gaps surprise you
later during an investigation or lawsuit.
Will this testing be privileged? It depends on who directs it, how it's done,
and the privilege rules in your jurisdiction. Even if it isn't privileged, though,
companies generally get more mileage out of finding and fixing problems
themselves than out of correcting them after they're in trouble.
No. 9: Be careful what you promise (or imply). It's the end of the year.
Your client is having the annual budget meeting with the chief executive
officer. If you did substantial legal work on the compliance program, the CEO
is looking at some hefty bills.
The CEO flips through pages of disbursements and says, "We spent a lot of
money on this compliance thing, didn't we?" Your client nods apprehensively.
Then the bomb drops: "But," the CEO continues, smiling, "that's it, right? No
more grand juries? No more class actions? No more regulators beating us up?
No more hits in the press? Now, we can get back to running the company,
right?" As your client gropes for words, you remember you never explained
the limits to what all that money would buy.
What you meant to say was: "A good compliance program is essential. But,
don't expect more from controls than they can deliver. A compliance program
won't immunize the company against all future compliance failures. No
controls are so good that they can't be deliberately thwarted."
"What a compliance program can do is: prevent and detect most violations;
reduce financial, litigation, regulatory and reputational harm; get mitigation
credit under the Sentencing Guidelines; and help set a tone in investigations
that shows the company cares about doing business the right way. But it's
not a guarantee."
If you haven't already had that conversation, now's the time to deliver the
message, along with something from the last of our best practices:
No. 10: Hindsight is 20/20; good peripheral vision is better. We
considered earlier the importance of learning from mistakes. As important as
good hindsight may be, though, it's limited.
What does that mean? It means don't be satisfied with solving yesterday's
problem. Don't be satisfied with what's going well. Think about what might be
a problem tomorrow. Be alert to possible vulnerabilities the company hasn't
found yet. Think about them as creatively as the problems you've already
identified.
If you represent a client in a matter that apparently involves an isolated
incident, advise the company to see if the problem is more widespread. Read
trade publications: Are there rumors about your client's competitors or
industry, or even about your own client? Advise clients to follow up on those
rumors and figure out if something's going on. Don't dismiss the rumors and
presume that sort of thing couldn't happen to your client.
Watch for early warning signs. Are employees complaining about ethical
matters? Is there a way for them to complain? Is there an anonymous hot
line or e-mail account? Or, even a suggestion box? The people in the
trenches know how business is really done, and they know it better than just
about anyone. Find a way to listen to them, in a manner that assures they
won't be harmed if they deliver bad news. The ability to let management
know about problems is important, since it's required by Sarbanes-Oxley and
is a specific element of an effective compliance program under the Sentencing
Guidelines.
If companies watch for possible new concerns, they can do minor repairs
before major work is necessary. Compliance will become a matter of
fine-tuning, with occasional overhauls for new legislation and the like.
Compliance won't be an intrusion into business — rather, doing business the
right way will be built into the organization.
A final observation: Building or upgrading a compliance program is
challenging, hard work. It can also be tedious. Sometimes, it's like being the
plumber after someone else noticed a leak under the sink. You're the one who
has to find the drip, figure out where it's coming from, tear out the bad pipe,
install a new one and then run the faucet awhile to make sure the leak is
really fixed. But, after you've done your job, your clients will be better off.
They will be better protected against a compliance failure than they were
before they had a compliance program. Management will be able to focus on
running the business with less distraction from compliance problems. For
these reasons, building and maintaining an effective compliance program is
well worth the effort.
What do the Sentencing Guidelines say?
The Federal Sentencing Guidelines for Organizations offer guidance for when a
company's compliance program will merit mitigation of a sentence:
"The hallmark of an effective program to prevent and detect violations of the
law is that the organization exercised due diligence in seeking to prevent and
detect criminal conduct by its employees and other agents. Due diligence
requires at a minimum that the organization must have taken the following
types of steps:
(1) The organization must have established standards and procedures to be
followed by its employees and other agents that are reasonably capable of
reducing the prospect of criminal conduct.
(2) Specific individual(s) within high-level personnel of the organization must
have been assigned overall responsibility to oversee compliance with such
standards and procedures.
(3) The organization must have used due care not to delegate substantial
discretionary authority to individuals whom the organization knew, or should
have known through the exercise of due diligence, had a propensity to
engage in illegal activities.
(4) The organization must have taken steps to communicate effectively its
standards and procedures to all employees and other agents, e.g. by
requiring participation in training programs or by disseminating publications
that explain in a practical manner what is required.
(5) The organization must have taken reasonable steps to achieve compliance
with its standards, e.g. by utilizing monitoring and auditing systems
reasonably designed to detect criminal conduct by its employees and other
agents and by having in place and publicizing a reporting system whereby
employees and other agents could report criminal conduct by others within
the organization without fear of retribution.
(6) The standards must have been consistently enforced through appropriate
disciplinary mechanisms, including, as appropriate, discipline of individuals
responsible for the failure to detect an offense. Adequate discipline of
individuals responsible for an offense is a necessary component of
enforcement; however, the form of discipline that will be appropriate is case
specific.
(7) After an offense has been detected, the organization must have taken all
reasonable steps to respond appropriately to the offense and to prevent
further similar offenses — including any necessary modifications to its
program to prevent and detect violations of the law."
Shapiro is chief compliance officer of the International Insurance operation of
Prudential Financial Inc., in Newark, N.J. Her e-mail is [email protected].