[Return To Selected Articles]
July/August 2004 - By Jeffrey M. Kaplan
The New Corporate Sentencing Guidelines
Since they went into effect in 1991, ethikos has closely followed the story of the ‘Corporate’ Sentencing Guidelines, including the imposition of huge criminal fines (in Daiwa Bank, Hoffman-LaRoche and other cases); the adoption of carrot-and-stick compliance program initiatives by other government bodies (such as the Department of Justice, the Department of Health and Human Services, the Securities and Exchange Commission, and the Environmental Protection Agency); the expansion of corporate directors’ fiduciary duties (in the Caremark case) to, in effect, include a requirement of compliance oversight; and, above all, the dramatic and unprecedented growth of self policing throughout the business world. Yet, for the last thirteen years, the portion of the Guidelines that triggered this Big Bang in compliance program activity itself remained unaltered.
Now, the Corporate Sentencing Guidelines are once again in the vanguard of compliance law and practice. As most ethikos readers are doubtless aware, on May 1 of this year the United States Sentencing Commission recommended sweeping changes to the Guidelines that—absent the highly unlikely event of rejection by Congress—will become effective on November 1. Because these changes largely track the recommendations of a report issued in October of last year by an Advisory Group to the Sentencing Commission that were reviewed in detail by Win Swenson in "Proposed Amendments to the Sentencing Guidelines: Changes in the Wind" in the November/December 2003 issue of ethikos, the present article will not examine every recommendation sent to Congress on May 1. Rather, it will attempt to place this latest development in a larger legal framework and also consider what for many companies may be some of the more challenging aspects of the new Guidelines.
The compliance law landscape
In 1991 the Guidelines appeared on what was virtually a clean legal slate, meaning that there were then almost no other compliance-related laws, which was partly why they proved so influential. The definition of "an effective program to prevent and detect violations of law" was a unique and well-considered model that companies and other government agencies could readily utilize.
By contrast, the revised Guidelines appear against a
backdrop of many other compliance-program related laws, rules and policies, a fact which means that—while arguably less path breaking—they will likely achieve broad influence at a quicker pace than did the original Guidelines. That is, because the latter were an acknowledged moving force for the adoption of these various other standards, the revisions seem certain to play an important role in the interpretation or application of such standards, giving the new Guidelines instant leverage that
the initial ones took years to acquire.
For instance, the Caremark requirement that corporate directors owe their shareholders a duty to act prudently to reduce the risk of a large fine under the Guidelines virtually mandates that directors consider the new compliance program standards no later than November 1 of this year—since the failure to do so thereafter could lead to such a fine. (By contrast, the Caremark decision itself did not occur until nearly five years following the issuance of the original Guidelines.) In considering the importance of the new Guidelines, companies should also bear in mind that federal prosecutors could apply these standards in determining whether to indict a company for the crimes of its employees, even absent a formal endorsement of the revisions by the Department of Justice. This is particularly so given the extensive study of compliance program experiences by the Advisory Group and the Commission that provided the basis for the new standards and the fact that, similar to Caremark, the Department’s own compliance standards—embodied in the "Thompson memo"—expressly refer to the original Guidelines. Thus, while some companies may have dismissed the 1991 Guidelines as applying only to the relatively rare situations of a corporate sentencing, no one should make that mistake with the revisions.
Risk analyses—the new foundational element
Given the abundance of changes, it is, in some sense, difficult to know where to begin in describing the most significant aspects of the new Guidelines. But in another sense it is easy—because the Guidelines have established risk assessments as what might be considered a new foundational element for the other compliance program functions.
First, the Guidelines now mandate that companies "assess the risk of criminal
conduct." Second, they must do so "periodically." Third, the results of these analyses must be considered in the design, implementation and modification of all other aspects of a company’s compliance and ethics program, meaning in policy creation, training, auditing, and so forth.
Meeting this requirement will be a major step for many companies who presently do little in this regard; who conduct risk analysis in an ad hoc way that might fail to impress most prosecutors
or courts; or for whom risk analyses are one-time events. Among other things, these efforts often fail to capture critical information about the why—as well as the what—of compliance risks, which may be necessary to meet the requirement that the design, implementation and modification of program elements be based upon the risk analysis process. Addressing the risk assessment mandate should thus—for many companies—be the point of departure in responding to the new Guidelines.
Organizational culture, ethics and incentives
Another path-breaking area in the revisions is that companies must "promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law." The emphasis on corporate culture could not be more welcome, as numerous cases in recent years have shown how bad culture can "trump" seemingly good compliance program functions, in such areas as: promoting unduly risky behavior; breeding an
attitude of disrespect for customers, shareholders, fellow employees and other key corporate constituents; failing to encourage a long-term identification with the company or its products and services; and marginalizing the compliance and ethics program (or related functions—such as the law department.)
Even companies that do not suffer from such patent cultural defects should still approach this new requirement with the same degree of rigor as they do more traditional compliance
program elements, by making a meaningful effort to assess the role that organizational culture plays in promoting law abiding and ethical conduct, and in addressing any problems identified by this assessment in a results-oriented way.
In a somewhat related vein, the Guidelines have been modified to include ethics—as well as compliance—in the definition of an effective program. This is, of course, good news for ethics officers, many of whom have long argued that such a requirement
should be read into the Guidelines. But, like all of the other new Guidelines’ mandates, it will also raise significant challenges for many companies—particularly those that purport to include ethics in their programs but really offer nothing more than a watered down version of compliance. (Indeed, in some industries—particularly financial services, where broad notions of fiduciary duty have recently formed the basis for costly and embarrassing enforcement actions—having an effective ethics
element can be key to avoiding liability and reputational harm.)
Business ethics is not just a goal—it is a real field of knowledge and practice. Creating a true ethics component for a larger program—for instance, assessing the particular needs for ethics training in a given company—will often be difficult given how uncomfortable some business people are in discussing ethics. But still, companies must make real efforts to address this new requirement.
Yet another way in which
the new Guidelines go beyond the traditional boundaries of compliance programs relates to the issue of incentives, which, as Joseph Murphy has long noted, can be utterly essential in effective efforts to prevent wrongdoing. The new Guidelines address this by providing that a "compliance and ethics program shall be promoted and enforced consistently throughout the organization through (a) appropriate incentives to perform in accordance with the compliance and ethics program…."
Interestingly, the Guidelines fail to specify if this requirement includes not only consideration of incentives in the "positive" sense, meaning those that affirmatively promote law abiding and ethical activity, but also in the "negative" sense, meaning those that promote the opposite (as highly variable compensation—in some instances—can do). However, Win Swenson—who was not only a member of the Advisory Group but also is widely seen as the chief architect of the original
Guidelines—argued persuasively in a recent presentation at an Ethics Officer Association conference that the latter should be embraced, too. First, he noted that, as a matter of common sense, looking only at part of an incentive structure can provide a misleading view of what conduct is really being promoted at a company. Second, Swenson said that the broader approach (meaning encompassing negative incentive structures in compliance and ethics program assessments) is supported by the spirit
of the new Guidelines—as evidenced, among other things by the "culture" and ethics requirements—of looking beyond traditional compliance program elements to see how devoted a company really is to law and ethics.
In sum, ethics officers should begin the (doubtless difficult, but essential) process of considering how to deal with broader incentive issues in their companies.
Oversight and evaluations
Another very significant aspect of the new Guidelines concerns
corporate directors, who must now be "knowledgeable about the content and operation" of their companies’ compliance and ethics programs. (And, similar to employees, they must also be the subject of training "appropriate to [their] roles and responsibilities"—a requirement that is related to but conceptually distinct from the oversight mandate, and that involves identifying areas of legal risk arising from board service and developing effective training to mitigate such
risk.) While the nature of such oversight is still not fully spelled out, prudent directors may wish to receive reports that cover all aspects of an effective compliance and ethics program as described by the new Guidelines. Put otherwise, how could a director argue that any of these requirements were important enough for the Sentencing Commission to embrace, but not significant enough for the director to consider in his or her program oversight? Moreover, to ensure that boards (or the
appropriate committees thereof) actually perform this oversight, companies should revise board or board committee governance documentation as required.
Even greater responsibilities are placed on what the Guidelines call "high-level personnel" (basically, top-level management.) They must now "ensure that the organization has an effective compliance and ethics program…" (emphasis added). Among other things, this aspect of the Guidelines provides a powerful—and
previously unavailable—argument for ethics officers seeking resources or authority for program activity, in that top executives can hardly provide such assurance in an undernourished or otherwise poorly supported program.
Yet another important change relative to oversight concerns the role of those with "day-to-day operational responsibility for the ethics and compliance program," meaning typically the ethics officer (or person with similar function). Among other things, the
revisions provide that such individuals must have "adequate resources, appropriate authority, and direct access" to the board or appropriate board committee. All of this is, of course, good news for ethics officers and programs generally. In a related vein, Commentary to the Guidelines provides: "If the specific individual(s) assigned overall responsibility for the compliance and ethics program does not have day-to-day operational responsibility for the program, then the
individual(s) with day-to-day operational responsibility for the program should, no less than annually, give the [board or appropriate board committee] information on the implementation and effectiveness of the program."
Many individuals in the latter category have never reported to directors, and one of the most interesting issues under the new Guidelines will be whether these encounters are meaningful or whether such persons (ethics officers or those with similar
responsibilities) will be pressured (subtly or otherwise) into certifying that a program is effective, similar to what some have argued has happened to mid-level finance and accounting personnel with Sarbanes-Oxley compliance.
One means to prevent the latter from happening arises from yet another new Guidelines’ requirement—that companies "evaluate periodically the effectiveness of" their programs. By bringing an independent third-party evaluator into the discussion—who is
not subject to the pressures that internal ethics officers might feel—boards are more likely to have a meaningful and candid exchange about what a company’s compliance and ethics challenges are, and how those can be met.
Finally, as noted above, it should be emphasized that this article does not review all aspects of the new Guidelines. Among the other requirements that must await discussion in another article are those relating to training of independent agents "as
appropriate"—a more-express requirement (and, in some senses, a limitation) of what companies should have, but typically did not do, under the original Guidelines; and the intriguing directive that "[a]s appropriate, a large organization should encourage small organizations (especially those that have, or seek to have, a business relationship with the large organization) to implement effective compliance and ethics programs."
The new Guidelines are
indeed glad tidings for those seeking to make compliance programs strong—in effect, an ethics officer’s wish list come true. But now, for many companies, the hard part begins—actually meeting these new standards.
At least initially, the original Guidelines were often seen as an experiment—and perhaps dismissed as such by some. But we are now at a very different point in the history of compliance law. In light of the new legal landscape, no prudent director or executive—let alone ethics
officer—should delay responding to these requirements, which, as described above, are likely to have an immediate and important impact in what could be issues of great consequence for a company, its shareholders, employees and other constituents.
Jeffrey M. Kaplan, a partner in the New York City office of Stier Anderson, LLC, is co-publisher of ethikos.
Reprinted from the July/August 2004 issue of ethikos.
© 2004 Ethikos, Inc. All rights reserved.
[Return To Selected Articles]