Daniel Coney (email@example.com), based in Lakewood, Colorado, USA, has been a law enforcement professional for more than 35 years, with the last 29 years being both an agent and supervisor in four different Office of Inspector General organizations.
Compliance can be a difficult and thankless job—until you’re needed. Then the work you’ve been doing behind the scenes is crucial to the long-term sustainability of the company, the board, and leadership. Your diligence is particularly important when law enforcement comes calling—not just having an effective compliance program in place, but in demonstrating that it is worth the paper it is written on. With that in mind, I thought it would help the practitioner to see what advice I’ve given the agents who work for me in the value of understanding the intersection of investigative work and the discipline of corporate compliance.
This article introduces a tool (Table 1) derived from the source that the U.S. Department of Justice uses to evaluate company compliance plans, the Filip Factors. The tool identifies key factors that law enforcement will seek information about and particular questions they may be asking. Taken from the viewpoint of a compliance professional, however, the tool also provides a road map useful in negotiating the nuances behind what makes up a comprehensive program that addresses the seven elements.
The view from my gumshoes
One of the reasons I am myself a CCEP, and why I am sold on the field of corporate compliance, is the truth that corporate compliance, if done properly, will weed out accidental and irresponsible acts. This, in turn, enables government oversight to focus on investigating those who are intentionally trying to thwart the systems in place for their personal advantage. For that reason, we should all applaud and hold in high regard the work of compliance officials.
However, not all companies are created equal. Enron had a model ethics and compliance program—the joke is that former employees of Enron put the model plan on eBay to sell after the company’s collapse…still in the shrink-wrap. The problem with Enron was not that they didn’t have a compliance program, but that the culture of the company was such that everybody knew it was lip service.
For those companies that do have a compliance plan, I point my agents to what they should expect to see: the seven major elements of an effective ethics and compliance plan, which are outlined in chapter eight of the Federal Sentencing Guidelines and are listed below. These components were augmented in the 2010 revisions with the addition of a risk assessment process.
The company should have standards of conduct that are understandable and provide the overall tenor of ethical conduct expected at the company. The standards feed into current, updated policies and procedures.
The company should name a compliance officer that has adequate authority.
There should be an education and training delivery system that focuses on key risk areas for employees and anybody who does business with the company.
The company needs to have a plan for how it is going to monitor those risk areas.
There must be a system in place for reporting. Employees need to have some way to report problems, and that typically is complemented by an ability to remain anonymous. Non-retaliation policies should also be in place such that there is not a chill placed on employees. That reporting system should trigger the company to undertake some kind of investigative steps to validate the complaint.
A company needs to have consistent enforcement when poor conduct is discovered. The minute its top salesperson gets a pass for conduct that another employee was fired for, the compliance program has lost all credibility.
The company needs to demonstrate consistent and appropriate responses to identified problem areas. Such responses could include steps that might involve remediation and prevention.
A means to evaluate compliance programs
It’s one thing to say a company should have these seven criteria met, quite another to measure it objectively. From an investigative standpoint, I encourage agents to collect evidence not only of the underlying conduct, but also concerning whether a compliance plan was in place, is operational, and incorporates the seven elements. To do this effectively, I built a tool based on what the Department of Justice calls the Filip Factors, named after then-Deputy Attorney General Mark Filip. Dated 2008, the Filip Factors stem from a memo from Filip and were later incorporated in the United States Attorneys’ Manual. The Filip Factors lay out how the Department of Justice evaluates business organizations for prosecution, hence my interest in making sure we investigators collect appropriate evidence to be able to answer the questions posed in the guidance memo.
The Filip Factors look for the hallmark features that together make an effective compliance plan. The concepts present in the Filip Factors permeate through the questions we ask during interviews, what we seek to obtain in subpoenas or search warrants, and how we conduct investigations. The tool is a checklist that helps break down each of the factors and asks key questions designed to elicit the information that forms the basis for determining how your compliance plan stacks up. If it’s important to how we pursue investigative leads, it likely has relevance for the compliance officer in evaluating risks and designing ways to address the questions we’re likely to ask you.
What investigators want to see
So, you’re no doubt puzzling over what this looks like in real life. By way of example, as infrastructure goes, there is nothing more important to a compliance program than the effort being launched by the governing board, typically through a formal resolution of the board and perhaps even by the direct hiring of the chief compliance officer (CCO). This demonstration of commitment to the compliance effort goes a long way toward building a culture that values ethics. It also demonstrates that the board is aware of, and serious about, their fiduciary responsibility, and is not simply being a rubber stamp club. The fact is, the board is ultimately responsible for the company’s conduct, and that could result in personal responsibility if they do not take steps to ensure a compliance program is effective. You might, therefore, see us use subpoenas to ask for the board resolution(s) that established the compliance plan, standards of conduct, and communications regarding the establishment and implementation of a compliance program.
The company’s standards of conduct are a statement of values—it establishes the ethical attitude of the company. Interestingly, the Sarbanes-Oxley Act required publicly traded companies to publish their standards on their website. Think of these as the “constitution” that applies to all employees (management, executive, and line), suppliers, third parties, contractors, and the board of directors. Companies with more sophisticated compliance programs may even integrate the code, or at least the spirit of the code, into employee performance plans as a way to ingrain an ethical culture. The old saying is people do what gets measured.
Flowing from the standards of conduct are the individual policies and procedures. According to the Federal Sentencing Guidelines, the policies must be “reasonably capable of reducing misconduct.” The courts have counseled that those who are subject to the policies should annually acknowledge that they understand their responsibilities and have received a copy of the policies and procedures. They make clear to employees how they are to act as an employee, and what will happen if they digress. The discipline for nonconformance with policies of the company should be clearly spelled out.
How do the courts expect us to measure whether policies and procedures are calculated to reduce misconduct? Without getting too detailed, suffice it to say policies should be specific and address identified risk areas. They should be consistent with laws, regulations, and industry best practices or standards. Further, they should be up to date and accessible to employees. Questions to ask include how policies and procedures are applied each day (i.e., is practice inconsistent with policy), how the policies and procedures are communicated and accessible to employees, whether and how they are tied to performance reviews, whether internal audits have identified duplicative or inconsistent policies, whether version control is in place, and how often they are reviewed and updated. Another quality inquiry would be whether the employee was trained or otherwise schooled on standards of conduct or policies and procedures.
All of this is just a portion of what we might explore in just the first element of corporate compliance plans. I could go on to explore differences in authority and reporting structures for the CCO and attempt to discern why differences exist, because they could be indicative of an ineffective compliance and ethics program. Questions concerning barriers to board access for the CCO and unfettered access to information within the company would be in play. The C-suite, including the general counsel, has a stake in the outcome of compliance functions, and since often they are involved with approving policies that will be the focus of a compliance inquiry, the conflict of interest is inseparable.
Finally, while not part of the original seven elements, the updates to the Federal Sentencing Guidelines added a major element of conducting risk assessments. These assessments form the basis for much of the rest of the compliance program’s activities. Management is responsible for developing an action plan, carried out through the compliance infrastructure, to mitigate the identified risks. While there is no one way to conduct a risk assessment, I advise my investigators—for their purposes—to see whether the company did one. If they did, I ask them to consider whether the compliance plan actually addresses the identified risks, particularly if one of those risks involves the conduct that gave rise to our investigation. This could open the door to proving intent elements of a crime.