Modern compliance programs risk appearing insincere
It is widely accepted today that boards of directors and senior management must set the ethical ‘tone at the top’ at their companies. Consensus has also developed around the key ingredients of a sound corporate ethics and compliance program in the post-Sarbanes-Oxley era. As companies develop real-world experience with modern compliance programs, several obstacles to a truly effective program have emerged. This article examines four dilemmas confronting directors and offers some solutions.
The board’s role
The current emphasis on the tone at the top dates back at least two decades but was given renewed emphasis when the United States Sentencing Commission amended the Organizational Sentencing Guidelines to state explicitly (in Section 8B2.1(a)(2)) that ‘to have an effective compliance and ethics program … an organization shall ... promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.’ Regulators and legislators concur that the board is expected to play an important role in fostering that culture.
The courts have also affirmed directors’ obligation to assure that their companies’ compliance programs are effective. Even stockholder activists seem to agree; it doesn’t appear that any stockholders’ rights advocate has proposed shifting responsibility for the company’s ethical culture to the stockholders.
The state-of-the-art dilemma
Ironically, as the business world has embraced formal compliance programs – spurred in large measure by Sarbanes-Oxley and the compliance program criteria in the Organizational Sentencing Guidelines – a new risk has emerged: that a company’s workers will believe that the company’s state-of-the-art compliance program is merely required by regulators rather than a sincere reflection of a commitment to an ethical corporate culture.
Until recently directors could help set a good tone at the top not only in the selection of the chief executive officer and other senior officers but also by making sure that their companies were rolling out newly-evolving compliance procedures. As it becomes increasingly common for the average company to adopt a program that a decade ago would have been viewed as cutting-edge, companies can no longer count on employees perceiving that the adoption of the new processes reflects a sincere commitment at the top to ethical behavior. Put otherwise, the first company that adopted a code of ethics or a worldwide toll-free ‘helpline’ likely impressed its workforce with senior management’s dedication to proper business conduct. However, rolling out all the indicia of a modern compliance program loses that force once regulators expect it and every company’s peers have done it. With that point now essentially reached, there’s a risk that every company’s program may be perceived by the rank and file as a ‘paper program’.
The unexpected consequence for directors is that as companies finish implementing the ingredients of an effective program, the next phase may be more difficult. It is up to the directors to make sure that the company’s compliance and ethics program is perceived by employees as sincere and not merely a ‘check-the-box’ effort.
The distant board dilemma
Another dilemma boards confront is the fact that in most companies they are far removed from the rank and file. The most visible action a board takes – the selection and compensation of the chief executive and other senior officers – is of course important in setting the corporate culture. And directors’ personal conduct must also be beyond reproach, since any lack of candor or questionable conduct by a director will spread quickly through the corporate grapevine.
Yet while getting these fundamentals wrong can certainly create the wrong corporate culture, getting them right will not, by itself, instill the right norms. From the perspective of a board member who visits the company perhaps only a half dozen times each year, the obligation to take affirmative action to affect the company culture may seem daunting, unrealistic and unfair. Nonetheless, as noted below, there are steps directors can take to maximize the prospect that the ‘tone’ they set will in fact ‘trickle down’ within the corporate hierarchy.
The confidentiality dilemma
A third significant dilemma for directors is that while informing the workforce that fellow employees have been penalized for violating the company’s code of conduct is one of the most effective means of proving the company’s commitment to its ethical culture, privacy and liability concerns make it significantly challenging for management to let employees know what discipline has been meted out, to whom and for what.
All too often employees who lose their jobs due to misconduct are able to negotiate a separation agreement that includes a confidentiality commitment. Even without an agreement, companies typically refrain from making any disclosure to avoid the expense and burden of possible defamation claims. Where an employee’s misconduct is not so severe as to warrant discharge and the right penalty is a reprimand, reduction in compensation, deferral of promotion or the like, companies may fairly conclude that internal disclosure is unfair and counterproductive. In still other circumstances, disclosure will implicate the privacy interests of third parties. For example, internal disclosure of discipline meted out for sexual harassment may carry the risk of identifying the victim. Finally, where the misconduct exposes the company to liability and the company has made the judgment that it need not report the matter to regulatory authorities, internal disclosure could well be viewed as contrary to the company’s interests.
Despite these countervailing interests, internal disclosure remains critical and directors should ensure that their companies consider taking the steps described below to make sensible internal disclosures.
The police-state dilemma
One rarely articulated dilemma posed by an ethics and compliance program is the cost to the company if it is poorly executed. While it is important to require employees to report questionable conduct so that the company can prevent or correct wrongdoing, it is a fact of life that any reporting program is susceptible to abuse by persons making baseless allegations in bad faith. Compliance programs are not supposed to foster a corporate environment of suspicion and mistrust.
Just as good corporate governance is a means to enhance shareholder value rather than an end in itself, so too a sound corporate ethics and compliance program is a means to ensure proper conduct takes place in the pursuit of the company’s business objectives rather than a free-standing private law enforcement enterprise.
In devising the appropriate compliance program for an organization and in selecting the staff to operate it, companies must tread a careful line to avoid having the compliance program viewed as an inquisition rather than an important contributor to the competitive advantage provided by the company’s reputation.
Taking all these considerations into account, there are numerous steps directors can consider taking – and make sure that management is taking – to discharge their tone at the top responsibility in the modern corporation with a state-of-the-art compliance program.
Despite the obstacles to internal disclosure of discipline noted above, boards should consider having the company take at least the following courses of action: circulate statistics internally on discipline, that is, the number of terminations, deferred promotions, reduced option grants and the like that have occurred each quarter or annually, associated with the specific business conduct policy whose violation triggered the discipline; periodically distribute internal reports that describe actual factual circumstances that have recently led to significant discipline, with names withheld and specific facts modified where necessary; and at times, accept the possible disadvantages of full internal disclosure and let the workers know that certain unacceptable behavior has occurred and the participant has been discharged as a result.
The risk assessment process
One of the new requirements set out in the 2004 amendments to the Organizational Sentencing Guidelines in Section 8B2.1(c) is that a company ‘shall periodically assess the risk of criminal conduct.’ Companies have considerable latitude in how they perform the necessary risk assessment. For starters, many sensibly broaden it to encompass all legal and business conduct issues rather than solely the risk of criminal misconduct.
Although not intuitive, this new risk assessment process can be used as a means to help persuade employees that the company is committed to its ethical culture. Directors should affirm that their company undertakes the assessment in a way that pays dividends internally. Instead of a top-down exercise (in which the senior compliance professional assisted by counsel and a handful of other staff identifies the risks confronting the company and evaluates the effectiveness of the processes that address them) or an outsourced approach (in which outside counsel, or one of the growing number of compliance consultants, is retained to do the lion’s share of the work), directors should consider recommending a bottoms-up review. In that approach employees in each of the company’s business and staff units are assigned to work with the compliance professionals and are integrated into the assessment process. In-house (and often outside) counsel also participate to assure that sensitive issues are addressed appropriately and that applicable privileges are preserved.
Any assessment, regardless of who performs it, should involve compiling and reviewing information about past violations, the results of external and internal audits and inspections, claims asserted in litigation and by employees through the company’s hotline, the results of employee surveys and perceived vulnerabilities. By enlisting employees in multiple areas to play a key role in the assessment, they will become considerably more familiar with this information than would otherwise be the case.
As part of the bottoms-up approach, companies should consider having the employees who participated in the process present the resulting findings and recommendations to senior management or the board. That final step will reinforce to the participants the importance that the company attaches to its ethics and compliance processes.
Multiple challenges pose very real obstacles to the board’s ability to set an effective and meaningful tone at the top. As outlined above, directors can take some specific actions on their own that will help employees understand that the company really ‘means it’. By also ensuring that the company is making thoughtful internal disclosure of any disciplinary action and taking appropriate advantage of the periodic risk assessment process, directors can meaningfully help achieve that objective. That is the essence of the board’s role in setting the tone at the top in today’s corporation.