In his June 1, 2017, Business Law Blog article, "Risk and Governance Issues for Midsize Companies," Joseph Masterson discusses compliance issues that midsized companies should not overlook. For example, he cautions that imposing a confidentiality obligation on current or former employees, which discourages them from reporting potential law violations to enforcement agencies, is unlawful.
This article is an extension of Masterson's. It explains what compliance programs are, outlines why companies of all sizes should have them, and suggests core features of a good compliance program.
It also explains why compliance programs often fail to address cultural and ethical aspects of compliance, and what firms can do to increase the success of those programs in promoting ethical, compliant conduct.
In general, compliance programs are formal systems of policies and procedures adopted by businesses to promote compliance with law by employees and other agents. Those systems also detect and prevent violations of law.
Firms implement compliance programs for many reasons. For one, instituting a compliance program can help a firm avoid the liability and distraction that flow from a violation of law. Firms also institute compliance programs as a market differentiator, to attract customers who demand products and services supplied through legally compliant methods.
Moreover, a company with an effective compliance program is more attractive to a contractual counterparty – the counterparty can trust that the company has policed its legal compliance and is unlikely to incur liability due to non-compliance. In addition, these programs bond employees to their employer, as employees implement the company’s business goals in a way that ensures their interests are respected and protected.
Firms also institute compliance programs because it is required by corporate fiduciary law. For Delaware corporations, the fiduciary duty of oversight under In re Caremark requires directors to oversee a firm’s adoption and implementation of a compliance program that satisfies the U.S. Sentencing Guidelines’ requirements.[1] Such a program must satisfy the U.S. Sentencing Guidelines (the Guidelines), because a board cannot fulfill its duty of oversight if it fails to take advantage of the opportunity for reduced sanctions under the Guidelines.[2]
Seven Requirements of Effective Compliance Programs
Wisconsin corporate law does not clearly set out a standard of liability for failing to oversee a compliance system.
However, Wisconsin corporation directors who deliberately fail to oversee the firm’s adoption and implementation of a compliance program satisfying the Guidelines’ requirements could face a “willful misconduct” violation under Wis. Stat. section 180.0828(1).[3]
For a compliance program to be effective under the Guidelines – thereby making the adopting firm eligible for reduced sanctions – such a program must meet the following seven requirements.[4]
1) The program must set out written standards and procedures to prevent and detect criminal misconduct by employees and agents.
Tip: Such standards and procedures should be clear, comprehensive, and internally consistent.
2) The program must be instituted by high-level personnel and overseen by the board of directors (or comparable governing body), who must be knowledgeable about the program. In addition, the people who implement the program on a day-to-day basis must be given adequate resources (including funding and personnel), authority, and direct access to the board.
Tip: While the Guidelines do not specify the tenure of the personnel who design and implement the compliance program, if they can be fired for reporting shortcomings with the program, that could undermine the success of the program.
3) The program must not include in the high-level personnel of the firm anyone who has engaged in illegal activity or other conduct not consistent with compliance.
Tip: It is good practice to perform a background check any time someone is promoted to a high-level position.
4) The program must be communicated throughout the firm periodically, including through appropriate training.
Tip: Some legal obligations apply throughout an enterprise, and all employees should be trained on them. Other obligations, however, are at risk of being violated only by specific functions.
For example, there might be a risk of someone in the sales department violating antitrust laws by fixing prices with a competitor, whereas the same risk does not exist for engineering personnel. What is appropriate training for one department may not be appropriate for other departments.
5) The program must be monitored and audited to ensure the program is being followed. In addition, the program must periodically be reviewed for effectiveness and have a publicized system through which employees and agents can seek anonymous guidance regarding potential or actual criminal conduct without fear of retaliation.
Tip: It is often recommended to perform regular audits as well as unscheduled spot checks to ensure the program is being followed. Internally disclosing the results of these audits, at least on an aggregate basis, can show the firm’s commitment to compliance and increase accountability.
In terms of anonymous reporting, firms usually create hotlines that employees and agents can call. In designing these hotlines, the person or people who receive and investigate complaints should not be anyone potentially charged with wrongdoing, such as the reporting person’s manager.
6) The program must be promoted and enforced consistently throughout the organization, including through appropriate incentives for compliant conduct and disciplinary measures for engaging in or failing to prevent or detect criminal conduct.
Tip: A component of compensation could be tied to compliance. Compliance personnel should be consulted on the structure of bonuses to ensure the structure will not lead to perverse incentives that undermine compliance.
7) The program must require reasonable steps to respond to criminal conduct after it occurs, and to prevent further similar conduct.
Tip: Each response should be measured and consistent with the nature of the wrongdoing. Responding to such conduct might also merit a re-thinking of the training aspect of the program. And it might merit self-reporting to a regulator and cooperating in any investigation.
The Guidelines also require a firm to periodically assess the risk of criminal conduct. It must then take appropriate steps to modify its compliance program to reduce that risk. Under this requirement, a firm should constantly be vigilant as to new risks the company faces. For example, because of the increasing instances of data breaches, a company might now attach a higher probability to such a breach occurring than it had before. It might also increase the potential size of the impact from such a breach given the financial and reputational effect seen from such breaches at other companies. Consequently, the company might decide to enhance its systems to protect the security of its data.
The U.S. Attorney’s Manual also implements the Guidelines by specifying that one of the factors prosecutors will use to determine whether to charge a corporation with a crime is the existence and effectiveness of the corporation’s existing compliance program.[5] While the Wisconsin Attorney General has not issued similar guidance, the Wisconsin Attorney General likely also gives some credit for a firm’s adoption of a compliance program.
Compliance Programs, Ethics, and Culture
The Guidelines actually require firms to adopt compliance and ethics programs. Moreover, according to those Guidelines, such a program must not only be designed to prevent and detect criminal conduct, but it must also “promote an organizational culture that encourages ethical conduct.”[6]
To implement this requirement, a compliance program must be more than a formal program of express policies and procedures – it must also be reflected through all informal channels. Thus, it must pervade all actions and communications throughout the enterprise; it must be expected by everyone at all levels of the organization; and it must be constantly recognized and reinforced in a way that creates a shared attitude about the importance of compliance.
Moreover, that culture must not merely reflect a tone of compliance, but also a tone of ethicality. For businesses, this means ensuring those formal and informal systems promote the creation of a culture of honesty, fairness, and truthfulness.
By supporting these complementary formal and informal systems, compliance with legal as well as ethical standards becomes more than a check-the-box exercise – instead, it becomes a way of doing business at the firm.
[1] See In re Caremark, 698 A.2d 959 (Del. Ch. 1996).
[3] See, e.g., Data Key Partners v. Permira Advisers LLC (WI 2014).
[4] See U.S. Sentencing Guidelines §§ 8B2.1 et seq.
[5] U.S. Attorney’s Manual 9-28.800.
[6] U.S. Sentencing Guidelines § 8B2.1(a)(2).