Compliance programs as quality control

Corporations face growing demands not only to comply with all the laws and regulations that apply to their business but also to organize their compliance efforts in a way that stands up to scrutiny. That scrutiny can come from both internal sources, such as the company’s board, and external ones, such as a government enforcement agency investigating possible wrongdoing.

To measure up to that scrutiny, prudent companies implement effective compliance programs. What blueprint should a company use to construct its program? While a variety of risk-specific models exist for compliance efforts in fields including financial services and healthcare, only one model enjoys the imprimatur of federal law as the way a company should structure its program for meeting the full range of its duties. That model is Section 8B2.1 of the US Sentencing Guidelines, and it sets forth the requirements for an ‘effective’ compliance and ethics program. 

One would think, then, that 8B2.1 has gained universal acceptance among responsible organizations; yet it hasn’t. Many organizations embrace it only cosmetically or half-heartedly, if they embrace it at all. Others nibble at its edges, incorporating some of its elements and rejecting others. And they happily note that 8B2.1 remains a guidance model only. No company is compelled to adopt a program meeting its requirements, and many do not, instead choosing a design more to their liking, or in some cases, no design at all.

That is a mistake. Companies should embrace 8B2.1 wholeheartedly. The most compelling reason, which commonly escapes lawyers’ attention, is that 8B2.1 embodies proven quality control methodologies. Companies routinely apply similar methodologies, such as ISO 9000 or Six Sigma, in their core business functions. Those methodologies produce high-quality outcomes in manufacturing and business processes. Section 8B2.1, the close cousin of those same quality control methodologies, will yield predictably similar benefits in the function of meeting legal obligations.

Compliance not crime

Commentary on 8B2.1 has tended to miss this point. Much of it concentrates on issues that barely register on the radar screens of business people in the real world. At one extreme is a theory that shares Hollywood’s mindset about the intrinsic evil of corporate America. It maintains that statutory encouragement of internal compliance mechanisms, as in the Sentencing Guidelines, might do more harm than good because they tempt corporate leaders to install compliance programs precisely to facilitate illegal behavior.

Here’s how the corporate decision-making unfolds under this counterintuitive theory: a company’s amoral leaders reason that one or another illegal venture could yield handsome profits. The risk of criminal penalties gives them pause, but they see a clever way around that problem. They design a compliance program that ostensibly hits each marker on the checklist of the statutory test of effectiveness. But in actuality their compliance program is a charade, window dressing that is intended not to prevent or detect misconduct but only to buy leniency if the criminal enterprise is discovered. If the company does end up getting caught for its crime and is then convicted in federal court, the hapless sentencing judge, ill-equipped to recognize the compliance program for the sham that it really is, will reduce the convicted company’s sentence, as instructed in the Sentencing Guidelines. The company then can pay the reduced fine and pocket the much larger fruits of its crime. As Kimberly Krawiec, professor of law at the University of North Carolina, discusses in her publication Organizational Misconduct: Beyond the Principal-Agent Model (2005), far from preventing misconduct, the compliance program can actually aid and abet the criminal enterprise.

The vision of corporate culture that animates this theory is difficult to connect to any reality familiar to readers of Corporate Secretary. Executives are not always Boy Scouts, to be sure.  But those who reason this way, if they exist anywhere outside the imaginings of academia or Hollywood, strike me as too misinformed to rise to the top of an organization capable of executing any business plan, ethical or otherwise. Be that as it may, for executives in the business of pursuing legitimate success — which is to say virtually all of corporate America — we need to look elsewhere for a reason to institute an 8B2.1 compliance program.

We will not find that reason in the statutory inducement that supposedly rewards companies for installing it. That inducement is the promise of a relatively lenient financial penalty if the company is convicted of a federal crime. The Delaware Court of Chancery has declared this to be a ‘powerful incentive’. So said former Chancellor William Allen in the 1996 Caremark case, observing that the Sentencing Guidelines expose convicted companies that lack an effective compliance program to ‘penalties that equal or often massively exceed those previously imposed on corporations.’

Regrettably, however, Allen was wrong. Experience shows that the prospect of a sentencing downgrade is no incentive at all. While personal prosecutions of corporate executives are routine, corporations today are unlikely targets. Enforcers are mindful of the danger that assessing huge financial penalties can be counterproductive. As per the 2006 McNulty Memorandum, current US Department of Justice (DoJ) policy cautions federal prosecutors to consider collateral effects — harm to innocent employees and investors — when deciding whether to prosecute the corporate entity and to bear in mind that equally large monetary policies might be available in a far less destructive civil action.

No rest for the wicked

In the relatively rare situation when a corporation is criminally pursued and convicted, sentencing leniency based on having a compliance program almost never happens. From the first adoption of the organizational sentencing guidelines in 1991 through to 2004, a total of three companies received a sentence reduction for an effective compliance program, according to University of Missouri law professor Frank Bowman III in his Wake Forest Law Review article, ‘Drifting Down the Dnieper with Prince Potemkin’ (2004). In the carrot-and-stick logic of the Sentencing Guidelines, the supposed inducement of a sentence downgrade based on having an effective compliance program has been aptly described as ‘a carrot that virtually no one ever really gets to eat.’

If the sentence downgrade is an empty inducement, what about the expectation that if the company commits a violation, prosecutors will temper their charging decision in recognition of the company’s good compliance program? This potential is more real; prosecutors do indeed look more favorably on a company with a respectable compliance program than on a company without one, or with only a flimsy program. This benefit of an 8B2.1 program, while valuable, is less than it might appear. Enforcement agencies regard an effective program only as a ‘plus factor.’ They weigh it against other factors in arriving at their decision. The DoJ stated its policy most recently in the McNulty Memorandum. Of the nine factors it identifies as relevant to prosecutorial discretion, one is ‘the existence and adequacy of the company’s pre-existing compliance program.’ That leaves eight other factors, and those have nothing to do with compliance programs. An 8B2.1 program, in other words, cannot be counted on to impress a prosecutor enough to make a big difference in his or her decision.

Doing your duty

So is it worth bothering with an 8B2.1 program? Not if the goal is to impress sentencing judges or prosecutors. But what if the goal instead is simply to make sure that the company performs its legal duties? What if business leaders want to try diligently to obey the law not just to stay out of jail, but because they regard doing so as a basic and unremarkable responsibility of corporate governance? For executives with that frame of mind — the vast majority — an 8B2.1 program should be a compelling choice. In their core functions, business leaders take the benefits of quality control disciplines as an article of faith. They will have the same respect for 8B2.1 when they recognize that at its heart it is simply a quality control discipline like the ones they already trust.

To demonstrate the quality control focus of 8B2.1, let’s examine its elements one by one. As with any quality program, we must start by understanding our objective, that is, the company’s legal duties. These must be identified, prioritized and documented. The Sentencing Guidelines call for this by requiring a ‘periodic risk assessment’. This assessment gives us, for starters, a complete inventory of the company’s legal obligations, and beyond that a basis for deciding how to allocate resources appropriately among them.

Next, quality protocol must assign accountability for meeting the objectives. The Sentencing Guidelines state that requirement clearly. They call for compliance responsibility to be assigned at all levels of the organization. A good compliance program, like a good quality control program, should be top-down. Accountability starts with the board, to which the Sentencing Guidelines assign ultimate accountability. It continues through senior leadership and on down to the people with day-to-day responsibility for compliance.

Then the program needs mechanisms for achieving the desired result, and this means establishing policies, codes of conduct, accounting procedures and dos and don’ts akin to operating manuals. Employees, in turn, must be educated and trained in these standards and procedures. This requirement is stated in the educational provisions of the Sentencing Guidelines. They demand training from top to bottom, starting with the board and its responsibilities for the overall program. 

All quality control systems call for affirmative efforts to detect defects, and so do the Sentencing Guidelines. In our analogy, the product defect is a legal violation. The guidelines require active efforts to discover violations through monitoring and auditing, as well as by encouraging employees to report violations. Here our analysis might provoke some protests. As attorneys are often quick to point out, special risks arise when the ‘defect’ we uncover is a legal violation. Don’t we risk trouble when we document a legal violation? Perhaps, but that would be a poor reason to omit this essential component of effective compliance. Good lawyers, we can remind the naysayers, should know how to help clients manage the risks of sloppy documentation. 

Nor is it a valid objection that the documented occurrence of a legal violation will hurt the cause by proving to observers that the compliance program is ineffective. How can the program be effective, they might ask, if a violation occurred? The answer is that prevention and detection are twin elements of compliance, as the Sentencing Guidelines themselves make clear. Half the equation is detection, and detection presupposes violations. ‘The failure to prevent or detect [a particular violation],’ the guidelines state reassuringly, ‘does not necessarily mean that the program is not effective.’

Detect and address

The Sentencing Guidelines also require that if defects are detected, they be addressed. In addressing defects, individual violators must be disciplined and the compliance process adjusted as appropriate to reduce the risk of repeat violations. Depending on the violation, operators of the compliance program might do that by modifying a training course or tightening an accounting practice. This feedback element is vital, and helps the program move closer to that unattainable goal of zero violations.

Finally, the Sentencing Guidelines require self evaluation: what has the program accomplished and can it be improved? At the front end, risk assessment means taking inventory and prioritizing the company’s legal obligations. At the back end it means reviewing that front-end assessment and asking whether the inventory is complete and properly prioritized. It also means looking ahead to emerging trends. This is an opportunity to conduct inquiries into the process, examining the adequacy of resources devoted to compliance, the clarity of the ‘tone at the top’ and the quiet concerns of the people who operate the program.

All the elements of quality control are embedded in 8B2.1. Leaders conspicuously embracing and rigorously applying the model show that their companies approach legal duties with the same seriousness as core business functions. Most leaders do not need to be persuaded that this is an important priority; they know it already.