The Complete Compliance and Ethics Manual (CCEM) will guide compliance professionals to maintain and improve all components of a compliance and ethics program. However—as with any journey—it helps to have a roadmap to provide some context along the way.
Ethics. Compliance. Culture. Even 30 years after the first publication of the U.S. Sentencing Guidelines Manual, there is not a clear consensus in the field of the differences between “ethics” and “compliance.” Nor is there clarity on the role that organizational culture plays in reducing the risks of misconduct. Yet, these terms and the concepts behind them are each important in creating an effective program. Your job is to understand what that balance among them needs to look like in your organization.
The goal of this introduction to CCEM is to provide some insights into how to create that balance.
What Is “Good Enough?”
What are your company’s objectives in establishing an ethics and compliance program? Not getting into trouble is certainly high on the list. Equally important is to avoid corporate culpability if an employee does go off the rails. Some companies want to reach higher than pure risk mitigation and demonstrate integrity as a key corporate value. For most companies the question of program objectives is answered by looking at what the normative standards in the industry are and then gauging if the program meets those standards.
For many organizations, those normative standards have been the seven steps of an effective program set out in the Federal Sentencing Guidelines for Organizations, first published in 1991.
The seven steps of the Federal Sentencing Guidelines are:
Establishing standards and procedures to prevent and detect criminal conduct.
Oversight by high-level personnel.
Due care in delegating substantial discretionary authority.
Effective communication to all levels of employees.
Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal.
Consistent enforcement of compliance standards, including disciplinary mechanisms.
Reasonable steps to respond to and prevent further similar offenses upon detection of a violation.
These standards have set a solid foundation over the years. Research undertaken by the Ethics & Compliance Initiative (ECI) has shown that in organizations that maintain even minimum standards—such as adhering to the seven steps of the Sentencing Guidelines—employees are still twice as likely to report misconduct than companies that have no program in place.
But the seven steps themselves are not magic beans. Despite the tremendous effort it takes to build the framework of a program, a framework alone is just the starting point. Organizations that are committed to building an effective program must honestly ask: How will enacting the standards effectively reduce the risk of misconduct in our organization? While few companies would say that their objective in setting up a compliance program is to “check the box,” it is increasingly clear that an effective program requires more than just establishing a compliance program that meets the seven steps of the Sentencing Guidelines.
What else is needed? Managing the organization’s culture. What many organizations have known for years is now clearly in the sights of regulators and prosecutors: Corporate culture significantly influences behavior. To have an effective compliance program, an organization must understand how its work environment influences positive—and negative—behavior. Ethics and its role in influencing corporate culture need to be taken quite seriously. What was once seen as a soft “nice to have” is now the baseline.
Expectations have evolved since 1991. When the Sentencing Guidelines were first drafted, not only was the term “ethics” not included, neither was the term “compliance.” The original objective was to establish “an effective program to prevent and detect violations of law.” An effective program was one that prevented and detected criminal conduct.
The emerging standard now looks more deeply at corporate culture as a root cause of misconduct. Programs are now expected to address preventive measures, and companies are being held accountable for the effectiveness of their programs.
So, what are the new standards? A new baseline has been established by the U.S. Department of Justice (DOJ) in guidelines, titled “Evaluation of Corporate Compliance Programs.”
In recent comments, Assistant Attorney General Kenneth Polite explained the goal of the ECCP this way:
“As our Evaluation of Corporate Compliance Programs guidance makes clear, we expect an effective corporate compliance program to be much more than a company’s policies, procedures, and internal controls. We expect companies to implement compliance programs that: (1) are well designed, (2) are adequately resourced and empowered to function effectively, and (3) work in practice.”
Let’s look more closely into these three criteria:
Is the corporation’s compliance program well designed?
Does the program address the specific risks faced by the organization? Are there adequate policies and procedures? Are training and communication efforts tailored to the unique requirements and needs of the organization?
Is the program adequately resourced and empowered to function effectively?
In other words, is the program being implemented effectively? “The company’s top leaders—the board of directors and executives—set the tone for the rest of the company. Prosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.”
Does the corporation’s compliance program work in practice?
“To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks. Prosecutors should also consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.”
While this guidance is not law, best practices in the ethics field have always been to meet and exceed standards and guidance laid out by DOJ or the U.S. Securities and Exchange Commission (SEC). All companies should seek to be at a normative baseline compared to other companies in their industry.
So now the bar has been raised. How should organizations work toward ensuring these guidelines are met? As a first step, we need to have working definitions of compliance, ethics, and culture.