Setting tone at the top is in large part the board’s job
Companies have come to accept that it’s the responsibility of the board and senior management to set the ethical tone at the top. Consensus has also developed around what the key ingredients of a sound corporate ethics and compliance program should be in the post-Sarbanes-Oxley era. But as companies develop real-world experience with modern compliance programs, several obstacles to a truly effective program have emerged, both counter-intuitive – ‘state–of–the–art dilemma’ and ‘police-state dilemma’ – and straightforward – ‘distant-board dilemma’ and ‘confidentiality dilemma’.
The board’s role
The current reinvigorated focus on tone at the top dates back at least two decades, when the National Commission on Fraudulent Financial Reporting (the Treadway Commission) used the phrase. Its study concluded that a company’s culture is causally linked to a company’s misbehavior and emphasized that a company’s leaders must create a culture that promotes appropriate business conduct. A corporation’s culture is defined as the company’s ‘norms of daily behavior, heroes, rituals, stories and language’ and its ‘shared set of norms and beliefs.’
The United States Sentencing Commission (USSC) embraced this concept in late 2004 when it amended the Organizational Sentencing Guidelines (OSG) to state explicitly that ‘to have an effective compliance and ethics program … an organization shall ... promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.’ The revision stipulated that a ‘governing authority’ (the board of directors) should oversee the compliance and ethics program.
In September 2002 then SEC commissioner Cynthia Glassman addressed the American Society of Corporate Secretaries and stated that SOX, and the SEC’s rules implementing it, were focused on ‘insuring that those who act on behalf of a company give life to the corporate conscience.’ Regulators and legislators were quick to agree that boards should foster this culture.
The courts have also affirmed the obligation of boards to assure that their companies’ compliance programs are effective. In the seminal Caremark decision, the Delaware Supreme Court made clear that boards have an important role in ensuring management adopts procedures that can detect potential misconduct and address it, and that directors act at their peril if they disregard the OSG’ compliance program criteria. In short, directors can face the prospect of personal monetary liability if they fail to discharge their obligations with respect to their companies’ compliance programs.
Does the board accomplish this task simply by assuring the right compliance procedures are in place? For Julie O’Sullivan, ad hoc advisory group reporter for for the OSG, the answer is yes. O’Sullivan testified before the USSC that ‘if you follow the seven steps that are articulated [in Sec 8B2.1(b)], you will have done the minimum required both to satisfy the due diligence requirement and to satisfy this requirement that you must promote an organizational culture.’ The seven procedural steps include: establishing standards and procedures to prevent and detect misconduct; assuring that high-level personnel including the governing authority are knowledgeable and responsible; assigning the right personnel to the program and providing adequate resources; communicating and training; monitoring, auditing and evaluation; providing a retaliation-free system for reporting; enforcing the standards consistently and responding appropriately to misconduct.
Just doing ‘the minimum required’ isn’t always sufficient, and certainly not enough in the aftermath of a major compliance problem. As Linda Klebe Trevino noted in the Brooklyn Law Review 1195 (2005), article 1202, the issue is whether the corporate culture ‘indicate[s] to both insiders and outsiders whether the formal systems are actually implemented or merely a façade.’
State of the art dilemma
Ironically, as the business world has embraced formal compliance programs, a new risk has emerged: that workers will believe that the company’s state-of-the-art compliance program is merely going through the motions that are required by regulators.
As more companies adopt programs that a decade ago would have been cutting edge, directors can no longer count on employees to perceive new processes as sincere commitments to ethical behavior. Codes of ethics, toll-free helplines and all the other indicia of modern ethics and compliance programs lose force when everyone has a strong set and regulators expect every company to have them.
Even after companies implement all the components essential to an effective program in today’s compliance-heavy regime, the next phase can actually be a great deal more difficult. Directors must make sure employees regard the compliance and ethics program as both a system of procedures and an embodiment of the company’s fundamental values to which senior leadership is committed. In support of this dual emphasis, the Department of Justice stated that in order for the government to give a company ‘credit’ for having an effective compliance program, federal prosecutors must ‘determine whether a corporation’s compliance program is merely a paper program or whether it was designed and implemented in an effective manner’ and make sure employees ‘are convinced of the corporation’s commitment to it.’
That objective is made all the more challenging by three additional dilemmas: in large companies the board is far removed from employees; privacy and liability concerns make it difficult to disclose specific actions that show the company is serious about its program; and the risk that the implementation of a sound compliance and ethics program may be perceived as imposing something akin to a ‘police state’ on the company.
The distant board
In the typical large company only members of senior management routinely meet with the directors. Middle managers tend to view the board as more of a theoretical construct than a group of active managers. In fact, board decisions have little to do with the day–to–day lives of the company’s workers, and consequently tend not to affect the ‘norms of daily behavior’ that comprise company culture.
Even though the selection and compensation of the CEO is important in setting the corporate culture, directors’ personal conduct in their interactions with company employees must also be beyond reproach. Any lack of candor or questionable conduct by a director will spread quickly through the corporate grapevine.
While getting these fundamentals wrong can create the wrong culture, getting them right will not by itself lead employees to believe the company’s ethics and compliance program is meaningful. This disconnect between the board’s activities and the corporation’s daily norms is significant. Directors typically obtain company knowledge from senior management, which likely holds far more influence on corporate culture than the board. From the perspective of a board member who visits the company six times a year, the obligation to affect company culture may seem daunting, unrealistic and unfair. Nonetheless, directors can take steps to insure the tone they set will trickle down the corporate hierarchy.
The confidentiality dilemma
Another obstacle to demonstrating a commitment to ethics is informing employees that code of conduct violations are appropriately penalized. The textbook approach instructs that misconduct and disciplinary actions must be disclosed internally, which can effectively prove a program’s strength. While discharging an employee for serious misconduct is all well and good, if co-workers believe that the miscreant left voluntarily, the program’s effectiveness may be undermined.
Unfortunately, privacy and liability concerns can make it problematic for management to let employees know what discipline has been meted out. All too often employees fired for misconduct negotiate a separation agreement that includes a confidentiality commitment. If an employee’s misconduct warrants censure, compensation reduction or promotion deferral companies may conclude that it would be unfair to disclose disciplinary action as the employee’s ability to perform effectively could be jeopardized.
Despite these countervailing interests, internal disclosure remains critical to an effective compliance program, and directors can make sure companies consider certain processes so that disclosure is consistent with other legitimate interests.
The police-state dilemma
One rarely articulated dilemma is the cost of a poorly executed program. An important part of compliance culture is the obligation of employees to report questionable conduct so that the company can correct, and ideally prevent, any wrongdoing. While reporting programs are susceptible to baseless allegations, there is a line between encouraging the reporting of good faith suspicions and fostering an environment of mistrust.
When devising compliance programs and selecting operational staff, companies must tread a careful line between what Ben Heineman, General Electric’s recently retired general counsel, describes as ‘a self-cleansing culture that demands immediate discussions about what the right thing is to do and requires immediate notification when the wrong thing is being done’ and ‘a climate of fear and backbiting.’ The former is the Holy Grail; the latter can be the result of a poor execution of an otherwise well-designed program.
Taking all these considerations into account there are numerous steps directors can take – and assure management is taking – to discharge their tone at the top responsibility. Assuming that the company has adopted all of the procedures recommended by the OSG and is applying them appropriately, the next few paragraphs provide insight into some additional key items that directors and management should consider.
Director action
While talking the talk is no substitute for walking the walk, directors, like management, must model ethical behavior personally and, importantly, communicate the company’s values whenever possible. Although senior management can discuss ethics with the company more often, directors also have many opportunities. Outside of the periodic report to the audit committee, directors should discuss ethics via direct communication vehicles to overcome the distant-board dilemma. For instance, questioning management on the company’s sensibility to ethical culture. If such questions regularly occurred at board meetings, management would likely come prepared to address them and middle managers would generate appropriate remarks to the board.
When the board visits the field – such as a production facility, a subsidiary abroad or a key office – directors can make comment or ask a question that emphasizes company values, which can be supported by a video expressing their views posted on the company’s intranet site or used in the company’s ethics and compliance training program.
The audit committee, which is typically responsible for the compliance program, could occasionally meet with middle managers to learn first-hand about their thoughts on company culture, the effectiveness of the ethics and compliance training, the company’s commitment and whether the compliance program is sensibly administered.
Although the establishment of a new compliance or ethics committee can reinforce the board’s commitment to ethics, the other actions described above can have a more meaningful effect within the company than transferring responsibilities among committees. And of course, it needs to be said that the CEO’s role in establishing and nurturing the corporate culture is, if anything, more critical than the board’s, and it is important that the CEO be closely associated with the company’s statement of its core principles and its business conduct policies.
Success starts inside
While the single most effective step management can take to persuade employees that the company is dedicated to compliance is internal disclosure, there are legal and HR challenges. Boards should consider ensuring that the company publish statistics on the number of terminations, deferred promotions, reduced option grants and other actions taken in response to violations of the compliance and ethics program. Audit committees or the full board should increasingly review such statistics as part of their review of the compliance program. There appears to be little reason that such data should not be shared broadly within the company. In addition, the audit committee can release detailed reviews of actual cases (with names and facts changed to protect individual identity) that can help inform employees of program effectiveness.
One of the steps set out in the revised OSG is that a company ‘shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement or modify [its compliance program] to reduce the risk of criminal conduct identified through this process.’ But the guidelines are conspicuously thin when it comes to how a company goes about doing a risk assessment. As a result, companies have considerable latitude in the ways in which they perform the necessary compliance risk assessment.
Although it may not be intuitive, the risk assessment process can help convince employees of the company’s commitment to ethical culture. Directors can accomplish this by making sure their companies apply a broad definition of compliance risks in the periodic assessment process. Beyond that, the way the company chooses to undertake the assessment can pay dividends internally. That’s a choice that should be managed carefully.
Some will favor a ‘top-down’ exercise, in which the senior compliance professional, perhaps assisted by several other staff, identifies the legal and business risks and evaluates the effectiveness of the company’s processes that address them. Others may outsource the process, and outside counsel or one of the growing number of compliance consultants will provide the assessment.
A third, and possibly more effective method is a ‘bottom-up’ review in which employees in each of the company’s business and staff units are assigned to work with the compliance professionals and in-house (and perhaps outside) counsel and are integrated into the assessment process.
Regardless of who performs it, any assessment should involve compiling and reviewing information about past violations, the results of external and internal audits, claims asserted in litigation and by employees through the company’s hotline, results of employee surveys and perceived vulnerabilities. By enlisting the businesses to play a key role in the assessment, business leaders will become considerably more familiar with this information than would otherwise be the case. More important, arranging to have the business leaders participate in the formulation of the identification of risk areas is likely to create buy-in for the goals of risk assessment and ownership.
In conjunction with the ‘bottom-up’ approach to risk assessment companies should consider having the employees who participated in the risk assessment present the findings to senior management or perhaps present to the board. The combination of a ‘bottom-up’ approach and a presentation to senior management can persuade the participating employees – and by extension, their colleagues – that the company is committed to its ethical values.
Needless to say, multiple challenges pose very real obstacles to the board’s – and to senior management’s – ability to set an effective and meaningful tone at the top. The good news is that directors can take some action to help assure employees that the company really ‘means it’ and that the compliance program isn’t a mere façade. By also making sure a company thoughtfully discloses discipline internally and takes appropriate advantage of the periodic risk assessment process, directors can assist in achieving an overall dedication to compliance.
Research assistance by Center for Ethical Business Cultures
