What are your company’s objectives in establishing an ethics and compliance program? For many years, and for many organizations, meeting the normative standards has been enough. The seven steps of an effective program set out in the US Federal Sentencing Guidelines for Organizations have been the benchmark for more than 25 years.
But the seven steps are not magic beans. Despite the tremendous effort it takes to build the framework of a program, a framework alone is just the starting point. Organizations that are committed must honestly ask, how will enacting the standards effectively reduce the risk of misconduct in our organization? While few companies would say that their objective in setting up a compliance program is to “check the box,” it is increasingly clear that an effective program requires more than just establishing a compliance program that meets the seven steps of the Sentencing Guidelines.
What else is needed? What many organizations have known for years is now clearly in the sights of regulators and prosecutors: Corporate culture is a significant influencer of behavior. To have an effective compliance program, an organization must understand how its work environment influences positive and negative behavior. Ethics and its role in influencing corporate culture need to be taken quite seriously. What was once seen as a soft “nice to have” is now the baseline.
In 1991, when the Sentencing Guidelines were first drafted, not only was the term “ethics” not included, neither was the term “compliance.” The original objective was to establish “an effective program to prevent and detect violations of law.” An effective program was one that prevented and detected criminal conduct.
In the intervening 25 years, the emerging standard now looks more deeply at corporate culture as a root cause of misconduct. Programs are now expected to address preventive measures, and companies are being held accountable for the effectiveness of their programs. So, what are the new standards?
In June 2020 the U.S. Department of Justice (DOJ) published updated guidance for prosecutors on evaluating compliance programs.
The “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.”
To guide the program evaluation, the document lays out three “fundamental questions” prosecutors must ask:
1) Is the corporation’s compliance program well designed? Does the program address the specific risks faced by the organization? Are their adequate policies and procedures? Are training and communication efforts tailored to the unique requirements and needs of the organization?
2) Is the program adequately resourced and empowered to function effectively? In other words, is the program being implemented effectively? “The company’s top leaders—the board of directors and executives—set the tone for the rest of the company. Prosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.”
3) Does the corporation’s compliance program work in practice? “To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks. Prosecutors should also consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.”
While this guidance is not law, best practices in the ethics field have always been to meet and exceed standards and guidance laid out by the DOJ or the U.S. Securities and Exchange Commission (SEC). All companies should seek to be at a normative baseline compared to other companies in their industry.
So now the bar has been raised. How should organizations work toward ensuring these guidelines are met?
Defining Ethics and Compliance
What Needs To Be Included in a Basic Ethics and Compliance Program
The seven steps of the Federal Sentencing Guidelines are far from obsolete. To review, they are:
Organization establishes standards and procedures to prevent and detect criminal conduct
Oversight by high-level personnel
Due care in delegating substantial discretionary authority
Effective communication to all levels of employees
Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal
Consistent enforcement of compliance standards, including disciplinary mechanisms
Reasonable steps to respond to and prevent further similar offenses upon detection of a violation 
Research undertaken by the Ethics & Compliance Initiative (ECI) has shown that in organizations that maintain even minimum standards, such as adhering to the seven criteria of the Sentencing Guidelines, employees are still twice as likely to report misconduct than companies that have no program in place.
Nevertheless, these guidelines alone won’t help an organization meet the current standards expected by the DOJ. So, what else is needed to ensure that an organization is doing all that could be reasonably expected to deter misconduct?
In 2016 ECI issued a report of a blue-ribbon panel that outlined 15 objectives which define a high-quality ethics and compliance program. In comparing ECI’s 15 objectives with the Sentencing Commission’s guidelines, it’s apparent that best practices have evolved from creating a program to effectively managing a program. ECI reported in its Global Business Ethics Survey that organizations which achieved some or all of these objectives had created an organizational culture that was meeting the highest standards of deterring misconduct.
To understand the significance of this shift, we first need to have working definitions of compliance, ethics, and culture.