COMPLIANCE: UNDERSTANDING CORPORATE PREVENTIVE MEDICINE
Regulation is an important issue for business, particularly when failing to comply might be a crime. This article discusses the U.S. Department of Justice’s expectations regarding corporate compliance — both what the government says it wants, and what that desire actually means in practice. The Justice Department’s views about compliance are no mystery. A 2008 memorandum issued by then-Deputy Attorney General Mark Filip and the Justice Department Fraud Section’s February 2017 “Evaluation of Corporate Compliance Programs” lay out the basic points and goals for corporate compliance. The skill and art of running a high-functioning compliance program lies in the way a corporation chooses to implement the program and strive toward the government’s ideals.
First, you need a compliance program. Without any demonstrated commitment to operating a business in an ethical way, corporations suspected of violating laws or regulations will have a very hard time resolving government enforcement investigations favorably. Companies establish these programs by drafting and distributing policies and educating their workforce about how business gets done in a compliant way. It is also important to incentivize that workforce to embrace the company’s values. Corporations must empower the compliance function by dedicating resources and real authority, by taking steps to actually find and address issues, and to make these programs work even if doing so might cause some short-term pain to corporate operations.
In addition, the emphasis on good, ethical values must come from the top. If individuals at a corporation fail to adhere to those values, a functioning compliance program provides avenues for other employees to ask questions or report suspected unethical behavior. Employees who do not embrace corporate values must face consequences for refusing to operate ethically. In addition to reporting mechanisms, corporations must maintain internal controls that can detect and deal with problems.
Second, corporations must respond quickly, firmly and intelligently to the news that one or more employees may have violated compliance policies. In the real world, this means having a plan in place for who will address such issues and how they will do it. A corporation must be prepared to conduct an investigation of suspected misconduct by reviewing information, interviewing employees, and evaluating what may have occurred in a way that may force the company to confront inadequate internal controls or unacceptable behavior. The primary goals of an internal investigation are to determine The ‘who, what, when, where, and why’ of a situation; to understand how deficiencies in corporate policies and practices may have contributed to or allowed misconduct to occur; and to put the company in a position to respond appropriately.
Internal investigations may be conducted by inside or outside counsel. Corporations that may be interested in the protections available by asserting attorney-client privilege often rely on outside counsel because in-house lawyers may wear multiple ‘hats’ within a company. To the extent an inside lawyer might be operating in a business capacity as opposed to a legal advisor, the attorney-client privilege might be subject to a successful challenge by the government or civil litigants.
What constitutes an appropriate response depends heavily on the facts and often involves advice from inside or outside counsel. Corporations might have to deal with individual disciplinary issues; rectify internal procedures or policies; and evaluate whether the corporation might benefit from self-disclosing information to regulators, prosecutors, or others.
Third, compliance programs and internal investigations require appropriate oversight. The Justice Department clearly believes that such oversight must come from a corporation’s most senior leadership. In practice, this means the board of directors, and perhaps c-suite management, discuss compliance program issues and receive information about compliance successes and challenges regularly. For day-to-day oversight, corporations are well-advised to create direct reporting lines from the inside counsel or chief compliance officer to the board or a committee of the board. Internal investigations often operate on a separate reporting line to a board committee or a special board committee created for the express purpose of overseeing the investigation, or all internal investigations. Notably, creating a special committee affects the operation of attorney-client privilege, as the privilege runs between counsel and the special committee, rather than counsel and the corporation or the board as a whole. Refining the attorney-client relationship in this way can offer advantages for securing and compartmentalizing sensitive information unearthed during an investigation.
In addition to oversight, board involvement in compliance carries additional responsibilities, expectations, and advantages. Compliance programs will be taken more seriously by investigators if the message or ‘tone’ from the top of the corporation embraces and enforces good corporate ethical values and compliance. With the ‘tone from the top’ comes responsibility. If a board or board committee sets out to oversee compliance, it must then commit the time and effort to do it right. Prosecutors will evaluate a program’s effectiveness based on how it actually operates, not just on having a sound plan. Finally, compliance officers and associated board members, having taken on the responsibility to oversee the compliance function, might expose themselves to serious questions, if not an increased risk of civil or criminal exposure, for compliance failures that occur on their watch.
Fourth, the commitment to compliance should appear at every level of a corporation. Board attitudes about compliance mean little if senior or middle managers are not conveying the same message to the employees with whom they interact on a daily basis. Training about compliance should ideally place those middle managers in an active, involved role to the extent that is possible. Employees are much more likely to take ethics and compliance seriously if they believe their immediate boss cares and will enforce such policies. Indeed, outside companies and parties that have relationships with a corporation are more likely to take compliance seriously if they understand that part of doing business with a corporation is accepting that corporation’s values and ethics.
Finally, and perhaps most importantly, corporations must do their best to identify compliance problems. Toll-free hotlines, audits, internal controls and on-site compliance delegates are a start, but they cannot answer the most difficult issue compliance challenge — finding illegal or unethical behavior when the individuals involved may be highly motivated to conceal their activities. This issue, more than any other, keeps in-house counsel and compliance professionals awake at night.
There is no perfect way to address this challenge. In addition to reporting mechanisms and internal controls that corporations truly enforce, instilling a strong sense of corporate values throughout an organization almost certainly makes it more likely that employees will make that call about workplace conduct that makes them uncomfortable.
Investing in a compliance program makes good sense for business. While it may be easy to say “I don’t need this extra expense,” the costs of establishing and maintaining a compliance program are nearly always a small fraction of what a company will end up saving in outside legal fees, fines, penalties, and disgorgement if a significant compliance failure occurs despite the operation of a good compliance program.
