Effective training has long been recognized as the cornerstone of a best-practice ethics and compliance program, but the consensus on what “effective” means has shifted over time. In the early days, compliance programs were focused on an audit trail: Does your program have these key elements in place? Can you prove it? Like the other key program elements, training is just as critical today, but simply proving you have a program is no longer sufficient. Instead, compliance practitioners must dig deeper to ask—and answer—the question: Is there a robust training program in place, and does it work?
“Does it work?” is a more complex, less binary question than “do you have it?” and answering it with confidence requires a well-thought-out point of view supported by some evidence—preferably hard data.
The Case for Training
Where does the training requirement come from? Like many aspects of compliance programs, we can first point to the U.S. Sentencing Guidelines. This document included “conducting effective training programs” as a factor the U.S. Department of Justice (DOJ) will consider when a company that is accused of misconduct is being evaluated for a sentence reduction. There is also a range of inputs and influences beyond that document, including:
United Kingdom (U.K.) 2010 Bribery Act: The U.K.’s Serious Fraud Office is an enforcement agency for the U.K. Bribery Act. In 2010, the Serious Fraud Office published a guidance document which included six key principles for prevention, including communication and training (Principle 5).
U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) Compliance Guidance Documents: Like the Sentencing Guidelines and Serious Fraud Office’s guidance, the HHS OIG has published documents outlining the key components of an effective training program, which include training and education.
In short, a variety of enforcement agencies addressing a range of industries and geographies have advised organizations to include training as part of a robust compliance program. In some cases, this guidance includes detailed suggestions on how to approach training, including which topics, how to train new employees, and how to involve managers in training initiatives.
Training as a Defense
In a landmark case in 2012, DOJ declined to prosecute Morgan Stanley for violations of the Foreign Corrupt Practices Act (FCPA). Morgan Stanley employee Garth Peterson, who subsequently pled guilty, paid a kickback of $2.5 million to a Chinese government official to close a real estate transaction. While Peterson was prosecuted, Morgan Stanley was not, in part thanks to its ability to prove that Peterson had received seven anti-bribery trainings and 35 reminders in his time with the company.
The DOJ’s press release announcing Peterson’s guilty plea specifically mentioned the company’s system of internal controls, which included its training program:
“After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct.”
Four years later, the companies Nortek and Akamai received declination letters from DOJ, which were subsequently made public. Both companies received credit for fully remediating initial anti-bribery training deficits, among other issues.
Attorney Paul Weiss commented:
“The [DOJ letters] may shed some light on the type of remediation the DOJ believes favors declination. The SEC non-prosecution agreements with both companies provide extensive details about the nature of each company's remediation, which included disciplinary measures, expanded anti-corruption training, enhanced internal accounting controls, and strengthened anti-corruption policies.”
More than 20 years after the first release of the U.S. Sentencing Guidelines, government enforcement agencies continue to view training as a critical part of any defensible compliance program strategy.