The Eighteen Billion Dollar Question for the Eighteen Million (and Less) Business

Eighteen billion dollars. And counting. Volkswagen’s widening emissions scandal seems to have no end. Sadly, it’s only one of many stories we have seen over the past few years where organizations are unable to detect or prevent misconduct until it becomes a headline. Even more troubling is the still-strong perception that only the big corporate names that make the headlines have to fear the most serious repercussions. The headlines can be misleading: in fact, most organizations that face the serious repercussions of being found guilty of a federal felony offense are much smaller. According to the U.S. Sentencing Commission, 90.2% of all organizations sentenced in 2014 had fewer than 500 employees, and 70.6% of those organizations had fewer than 50 employees. These organizations were unable to work out non-prosecution or deferred prosecution agreements and likely will suffer serious consequences beyond costly fines and attorney’s fees. These organizations will often be under a court’s supervision for a period of years, have court-ordered restitution and compliance requirements, and will likely face devastating collateral consequences such as debarment from future government contracting work.

So now that I have your attention, what is an under-resourced law function in a small to medium-sized organization able to do to avoid the most serious repercussions? The Department of Justice has been pretty clear about what it looks for when assessing an organization’s commitment to compliance and ethics, and there is plenty that can be done with even limited means.

First of all, management must care about compliance. US Sentencing Commission data shows that 59.6% of organizations sentenced in 2014 were found to be directly involved in or “tolerant” of the criminal activity. I think it’s safe to say ethical culture and tone from the top were clearly missing in these cases. That is something that any organization can address head on. Does your CEO regularly talk about ethics to the rank-and-file directly? If your organization doesn’t conduct a stand-alone culture survey or ask about issues like misconduct reporting and retaliation in a larger human resources survey, what are your data measures for culture? If your organization doesn’t have a well-publicized reporting and anti-retaliation policy that is consistently reinforced through training and communication, how do you cultivate a “speak up” culture? Addressing tone doesn’t need to be resource intensive, just well-planned and thought through.

That brings us to a second important point: having a tailored plan. Another area that the Department of Justice and the Securities and Exchange Commission in particular have stressed is the importance of having a “risk-based” compliance and ethics program. The DOJ has made clear that “[e]ffective programs are tailored to the company’s specific business needs and to the risks associated with that business.” This means that all organizations, regardless of size and scope, should be assessing their business risks with an eye toward tailoring their program resources in line with those risks. Having a plan to address the structure and resources for a program, as well as considering periodic review and update, is key to any effective program.

A third area that the DOJ and SEC have specifically mentioned is that a “good compliance program” is a program that is “regularly” reviewed and improved to avoid going “stale”. The clear expectation is that all compliance and ethics programs must be periodically reviewed and updated as needed. Any plan is incomplete if it does not consider how the program will be assessed. A strong review or assessment should reveal the areas of the program that need improvement. Whether that is training, written standards, monitoring or program structure and resources will obviously vary from organization to organization, and each organization that conducts a “risk-based” review will have different answers and different aspects of its program that will need attention. Be wary of solutions that address training or some other aspect of the compliance and ethics program before an assessment or review has determined their necessity and their importance relative to other needed initiatives. Similarly, a strong review or assessment will also focus on the specific compliance risk topics that need to be addressed through policy, training, monitoring or some other resource. An organization’s compliance risk profile will be just as unique as any other aspect of the organization. There are compliance risks that most organizations share, to be sure, but making a determination about addressing particular risks without first assessing their applicability, and the current state of the program, is sometimes little more than guesswork. At any rate, for organizations with limited resources, having a clear understanding of what risks the compliance program should be addressing is a better route to an effective program than adding resources before an assessment or review.

Finally, once your organization has a tone from the top and a plan for the program, and has conducted an assessment, be ready to continue making compliance a priority – forever. The process of addressing corporate ethics and culture, and the structure and operation of a compliance program, is not a “one-and-done”. These expectations are not going to go away and there is no simple fix. The real key to success is changing internal expectations around compliance and ethics so that everyone feels ownership, and consideration of compliance and ethics becomes an operational part of the business. We are all being moved by external expectations, from the government, the public and other stakeholders, but the real change happens when internal expectations for integrity blossom.

