Ethics and Legal Compliance in Business The Sentencing Guidelines, Sarbanes-Oxley, and Beyond
Background: Sentencing Reform Act of 1984 “Sentencing crisis” in 1980s: wildly divergent sentences for similar crimes. 1984 Act established mandatory guidelines for judges. 1991 Sentencing Guidelines added corporate crimes for the first time, to make corporate sentencing more standard and more punitive.
“In the 1980s, the average federal criminal fine for an organization was approximately $10,000. “Under the corporate sentencing guidelines, fines have gone as high as $500 million (in a 1999 case against Hoffman- LaRoche), and multi-million dollar fines have become relatively commonplace (such as a $160 million dollar fine levied [Sept.2004] in a criminal antitrust case). “ SOURCE: Jeffrey M. Kaplan, The Next Generation in Compliance Programs, the Corporate Governance Advisor, November 1, 2004.
1991 Sentencing Guidelines A carrot-and-stick approach to corporate liability for employee crime: the carrot: an incentive to implement ethics & compliance programs the stick: possibility of "ruinous fines”
Intent …to reduce white collar crimes resulting from pressure or from confusion about what the law requires. For example: "bonuses" that are really cash bribes inflated invoices on cost-plus jobs shipping bricks instead of disk drives (Miniscribe case)
The doctrine of corporate criminal liability holds that corporations can be held criminally liable for the actions of their employees. The Sentencing Guidelines, and the effective compliance programs they encourage, allow the company to "drive a wedge" between itself and its employees in cases of criminal conduct.
How Are Fines Established? Total fine = Base fine x Culpability score Base fine is determined by the profit made by the company and/or the loss suffered by others because of the crime. Or, a fine table can be used, with fines up to $75 million.
Culpability score is calculated from several factors: how high in the organization the crime was committed the company's prior criminal record whether the investigation was obstructed whether the company reported the offense whether the company pleaded guilty or cooperated in the investigation whether the company has an effective program to prevent and detect violations of law.
What Is an Effective Program to Prevent and Detect Violations of Law? It is not enough for managers simply to insist on ethical behavior. An effective compliance program will have: Standards capable of reducing crime (a code of conduct). Communication channels: written materials training programs
A high-level person in charge of the program Methods of achieving compliance: auditing & monitoring a way to report violations without fear of reprisal consistent enforcement of standards
Feedback and learning loops so that when problems arise, the compliance program is changed accordingly. Emphasis on due diligence in not hiring people with a propensity to commit crime.
How to Begin a Compliance Program? Take stock of the risks the firm faces; do an exposure/liability inventory. Investigate sources of liability information such as: civil and criminal litigations board minutes customer complaints accounting work papers interviews with employees industry journals and newsletters
Ask about: actual problems experienced near-misses imaginable problems competitor problems
Using the liability inventory, design a compliance program that makes sense for the company: Does the code of conduct actually address foreseeable violations? Does ethics training reflect specific possible liabilities or violations? Are the auditing/monitoring systems effective? Is the compliance program up to industry standards?
REMEMBER: Corporations can be held liable for the crimes of their employees. Under the Sentencing Guidelines, corporations can be fined less if they have an effective compliance program, and more if they do not. (The carrot-and-stick approach) Actual fine = base fine x culpability score An effective compliance program reflects the company's liabilities and vulnerabilities.
Summary of 1991 Requirements: An effective compliance program has a code of conduct, written materials and training, a higher-up in charge, communication and reporting channels, monitoring and auditing, consistent enforcement, and feedback loops.
Effects of 1991 Guidelines Ethics Officers Assn. formed in 1992 with 20 members; now has more than ALL Fortune 500 companies have compliance programs that hit all the bases. Boards were eventually judged to have responsibility for ensuring compliance programs. Compliance programs spread to non-US companies.
BUT… Ten years later, a new wave of corporate financial scandals broke. Enron, WorldCom, Tyco, and all the rest HAD compliance programs.
Sarbanes-Oxley and After Sarbanes-Oxley Act of 2002 mandated a review of the U.S. sentencing guidelines to assure that the guidelines “deter and punish organizational criminal conduct.” 1991 language was “detect and prevent violations of law.” 2004 Sentencing Guidelines mandated ETHICS programs, not just legal compliance, for companies. Companies must "promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law."
2004 Sentencing Guidelines To benefit in sentencing, the company must: have standards & procedures to prevent & detect criminal conduct. Code of conduct, employee handbooks Management information systems Monitoring and auditing procedures Other processes, as needed have Board of directors oversight of program implementation & effectiveness.
have a high-level manager in charge, and a specific individual with day-to-day operational responsibility. Provide the operational manager with "adequate resources, appropriate authority, and direct access" to the board or appropriate board committee. conduct training programs and disseminate program information to all employees and, as appropriate, agents of the company.
Topics for training may include (among others): Bribery and kickbacks International trade and commerce Employee political activities Insider trading Conflicts of interest Corporate opportunities Supplier and customer relations Community relations Corporate-government relations and public affairs Privacy of records, document retention Product liability and labeling
Program must be monitored, audited and periodically evaluated for effectiveness. Program must be promoted and enforced consistently throughout the company, with appropriate incentives for compliance and disciplinary measures for violations. Company must use reasonable efforts to ensure management employees have not previously engaged in illegal or unethical conduct. (due diligence in hiring)
Company must respond appropriately after criminal conduct has been detected. Company must periodically assess the risk of criminal conduct and take appropriate steps to design, implement or modify each element of the program to reduce the risk of criminal conduct.
Some Questions for Discussion: How can smaller companies meet the guidelines? How does a company build an ethical culture? What’s the role of compensation and incentives in all this?
Developing a Compliance/Ethics Policy Statement Define the program’s purpose & limits Specify all duties and who has them (board, TMT, department heads, etc.) Overview the program’s components: Risk analysis Training Standards Auditing and monitoring Incentive systems
Include related documents: Code of conduct, mission/vision/values Training and communications plan Investigation & reporting procedures Disciplinary guidelines, appeals process
The new sentencing guidelines are currently mired in controversy from a Jan Supreme Court decision that ruled them ‘advisory’ rather than ‘mandatory.’ Sarbanes-Oxley, too, is not yet fully implemented and many aspects are being contested.
Final question: Is it worthwhile for a company to develop a compliance & ethics program even if the law does not require it?