Building a World-Class Compliance Program Best Practices and Strategies for Success

Building a World-Class Compliance Program
Best Practices and Strategies for Success

MARTIN T. BIEGELMAN with DANIEL R. BIEGELMAN

John Wiley & Sons, Inc.
More Praise for Building a World-Class Compliance Program:

“For those who benefited from reading Martin’s first book, Executive Roadmap to Fraud Prevention and Internal Control, you now have the ‘Atlas’ on ethics and compliance. The compliance insights, poignant case studies, and best practices provide a significant value-added read for executives who must set the ‘tone at the top’ and for those who struggle day-to-day to establish and maintain ethical and compliant behavior within their organizations. A must-read for faculty and particularly students, for whom the lessons so expertly presented here will shape the ethical compass of future careers.”
—George E. Curtis, J.D.
Associate Professor and former Director of Economic Crime Programs, Utica College

“Building a World-Class Compliance Program is essential reading for in-house executives of all stripes. Boards, management, legal counsel, HR, and compliance officers all will find this ‘how to’ guide filled with practical advice and tips. For all people interested in how to avoid their company becoming the next Enron, this book is a must-read. It chronicles real-life examples of corporate malfeasance ripped from the headlines and offers sage measures to enhance corporate compliance programs so as to detect and deter such conduct. Given the expertise of the author—with years of experience in both law enforcement and in-house compliance—this is the preeminent guide to corporate fraud prevention.”
—Andrew Weissmann
Partner, Jenner & Block and former director, U.S. Department of Justice Enron Task Force

“The globalization of business and communications presents an unprecedented opportunity for successful growth in many industries and for companies large and small. Conversely, the compliance challenges faced by businesses worldwide have never been more challenging. The urgency to develop a world class compliance program has never been greater. This book is a must for all companies facing today and tomorrow’s compliance challenge.”
—John Connors
CFO, Microsoft Corporation (Retired) & Partner at Ignition Partners (Current)

“Unbiased, well-researched, comprehensive, and interesting. A great resource for compliance professionals and a great read for CEOs, management and board members who care about doing the right thing. I have been involved with the production of over 150 compliance articles, books, magazines, and newsletters and Martin’s work is amongst the best I have seen.”
—Roy Snell, CEO, Society of Corporate Compliance and Ethics

“Martin slices through the confusion surrounding corporate compliance and offers not only useful guidelines, but a step-by-step approach to establishing an effective program. Building a World-Class Compliance Program is essential for anyone concerned with compliance and ethics within organizations.”
—James D. Ratley, CFE
President, Association of Certified Fraud Examiners

“Martin and Daniel Biegelman provide business people with an exceptionally important book in Building a World-Class Compliance Program: Best Practices and Strategies for Success. They demonstrate how value is added to companies who get it right in this vital aspect of business. Each chapter contains concrete examples of best practices ensuring compliance, backed by solid supporting examples. We hear from some of the best authorities in this field, drawing from experience as a federal law enforcement agent, and now as experienced executives.”
—Edward M. Stroz
Co-President of Stroz Friedberg, LLC and former FBI Special Agent

“Gone are the days when compliance programs were optional or companies could just have faith that none of their employees would go astray. Today’s organizations need compliance programs and strategies in place. Martin and Daniel Biegelman have written the consummate guide.”
—Joel Bartow, CFE, CPP
Director of Fraud Prevention & Investigations, Sitel Corporation
This book is printed on acid-free paper.

Copyright © 2008 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Biegelman, Martin T.
Building a world-class compliance program : best practices and strategies for success / Martin T. Biegelman, Daniel R. Biegelman.
p. cm.
Includes index.
ISBN 978-0-470-11478-0 (cloth)
1. Compliance auditing. 2. Auditing, Internal. 3. Corporations—Corrupt practices—Prevention. 4. Business ethics. I. Biegelman, Daniel R. II. Title.
HF5668.25.B54 2008
657'.45—dc22
2007039390

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
For Joseph T. Wells:
As founder and Chairman of the Association of Certified Fraud Examiners, he has worked tirelessly to promote fraud prevention as a key component of a world-class compliance program.
Contents

Foreword
Preface
Acknowledgments
About the Author
CHAPTER 1: Why Ethics and Compliance Will Always Matter
CHAPTER 2: Tone at the Top and Throughout
CHAPTER 3: The Growth and Evolution of Compliance
CHAPTER 4: Caremark and Sarbanes-Oxley: Enhancing Compliance
CHAPTER 5: CA’s Compliance Rebirth: Don’t Lie, Don’t Cheat, Don’t Steal
CHAPTER 6: The International Landscape of Compliance
CHAPTER 7: Compliance Programs and Anti-Money Laundering Efforts, by Marc B. Sherman, Laura Connor, and David Meilstrup (About the Chapter Authors)
CHAPTER 8: Interview with an Ethics and Compliance Thought Leader
CHAPTER 9: Building a World-Class Compliance Program: The Seven Steps in Practice (Part I)
CHAPTER 10: Building a World-Class Compliance Program: The Seven Steps in Practice (Part II)
CHAPTER 11: Recognizing Compliance Excellence: Premier, Inc. and Winning the Baldrige Award
CHAPTER 12: Designing Robust Fraud Prevention Policies: The Airservices Australia Fraud Control Plan
CHAPTER 13: The Skunk in the Room
Appendix A: Summary of the 2004 Federal Sentencing Guidelines Amendments and Recommended Action Steps
Appendix B: Sample Compliance Program Charter
Appendix C: Resources for Compliance Professionals
Index
Foreword

By Caren Gordon and Ronnie Kann

AN EVOLVING FUNCTION

The corporate compliance and ethics function has grown rapidly in the last few years in response to high profile governance failures and subsequent regulatory reforms. Companies have made unprecedented investments in compliance and ethics, launching new compliance organizations, building risk management systems, and rolling out more comprehensive mandatory training. This phenomenon has struck companies across a diverse set of industries, even those that have traditionally received less regulatory attention.

Now that most companies have established some basic level of compliance and ethics infrastructure, many are also beginning to evaluate whether that infrastructure is sufficient. Or, in some cases, they are simply transitioning into maintenance mode: solidifying their oversight and monitoring capabilities, building permanent structures, and ensuring ongoing awareness of compliance and ethics obligations.

A FALSE SENSE OF SECURITY

Despite these dedicated efforts, many organizations may have lulled themselves into a false sense of security. Recent analysis indicates that current control and training activities hardly seem to impact the outcomes that truly matter: (1) decreasing the likelihood of business misconduct and (2) reducing the fear of retaliation and discomfort raising concerns. In truth, employees are skeptical about their company cultures and their colleagues.

Simply put, there continues to be more widespread misconduct and less willingness to report or discuss that misconduct than anyone thought when the global wave of corporate scandals began with Enron in 2001. It occurs at all levels of the company, in all regions of the world, and it appears in organizations of all kinds. We live in a society not unlike the mythical town of “Lake Wobegon” where everyone believes that compliance and ethics at their company is “above average.” And, yet, that cannot possibly be true. The result—the culture of integrity, which regulators and Boards of Directors want to see displayed—is at best inconsistent in most corporations.

HIGH STAKES

Unfortunately, this inconsistency in establishing a culture of integrity is problematic and masks significant potential costs from compliance and ethics failures. Indeed, the implied costs from compliance and ethics gaps are staggering in terms of both direct and indirect expenses. Elevated misconduct levels undermine employee engagement and morale and are the source of increasing legal and reputation liability. Moreover, there is a vicious cycle that has emerged between legal and reputation risk. Legal issues give rise to reputation risk, and reputation issues give rise to legal issues.

The bottom line is that companies are more vulnerable—and the stakes are higher—than ever before. It is no longer a matter of paying fines, but rather of protecting the company, its senior executives, and the employee population from significant harm.

SUPPORT FOR THIS ENDEAVOR

While daunting in its scope, the challenge that exists for most organizations is not insurmountable. Many have made substantial progress in taking compliance and ethics to the next level and demonstrating that there are different ways to approach compliance and ethics. It is not necessary for companies to start from scratch or conform to a one-size-fits-all method. Rather, the last few years have given rise to a variety of principles and guidelines, tactics and initiatives that facilitate efforts to safeguard the company.

This book sets forth a host of these solutions, illustrated with rich examples of best practices, sample programs, and individual reports from the front. This ready-to-use set of ideas and tools provide significant support as organizations determine what is right for them and set their course for pursuing an ethical culture.

Caren Gordon is Executive Director of the Legal and Governance Practice at the Corporate Executive Board. Ronnie Kann is Senior Director of the Compliance and Ethics Leadership Council at the Corporate Executive Board. Both are based in Washington, DC.
Preface

When I wrote my first book, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, co-authored with Joel Bartow, there was a common theme running throughout the work. It was that fraud, abuse, and non-compliance with policies and laws would always be concerns for all organizations, large or small, public or private, foreign or domestic. Yet, much could be done in the way of program development, robust fraud prevention, compliance oversight, and executive leadership to dramatically lessen compliance failures. In many ways, this book is a companion to that book in that it continues and expands on many of these themes.

Although the corporate scandals of Enron, WorldCom, Tyco, Adelphia, and others are mostly history now, we said that other frauds and compliance issues would continue to rear their ugly heads. It didn’t take long for our prophecy to come true. Backdating of stock options, bribery and corruption, insider trading, corporate spying, and pretexting scandals have all made global headlines over the last few years. As of the writing of this book, more than 140 corporations are under investigation by the Securities and Exchange Commission and Department of Justice in the United States, as well as subject to internal probes for backdating stock options. Corporate executives have been removed and some have been prosecuted and convicted. As New York Yankee great Yogi Berra has said, “It seems like déjà vu all over again.”

Early in my career, I realized the importance of prevention techniques and strategies to lessen compliance failures. As a federal agent with the United States Postal Inspection Service, I arrested hundreds of fraudsters. But no matter how many I arrested and sent to prison, others quickly surfaced to take their places. Prosecutions didn’t return the financial losses to businesses and consumers. Few cases ever resulted in full restitution to victims. It was even harder to restore lost reputations to organizations crippled by fraud allegations. I grasped the need to do more than just react when a compliance failure was discovered. Even more important was preventing these abuses from occurring in the first place.

Following my career in federal law enforcement, I joined a professional services firm as an investigative consultant in their fraud investigation and litigation services practice. My clients included public and private companies, both foreign and domestic. I saw firsthand how compliance worked but more often than not, how and why it didn’t. I was shocked at the number of companies of all types and sizes that had either no compliance programs or poorly conceived ones. My clients never thought they would be victims of fraud or involved in committing a fraud. The compliance failures they faced were a wake-up call for them. Few had ever taken Ben Franklin’s often repeated quote to heart: “An ounce of prevention is worth a pound of cure.”

After leaving consulting, I joined Microsoft to create and lead the Financial Integrity Unit, a worldwide fraud detection, investigation, prevention, and recovery program based within Internal Audit. We built a fraud prevention and compliance program from the ground up and staffed it with some of the best people in the field. My interaction with my team and others at Microsoft as well as counterparts at companies worldwide, has given me great insight into best practices and strategies for success that I will share with you. I will also share those practices that landed some companies in hot water.

As I spoke to readers of my first book and continued to work with those in compliance, it became clear that there was a need for communicating these compliance best practices and success stories beyond the small groups within the industry. I have met people focused on building state-of-the-art compliance programs whose experiences and expertise need to be shared. Great companies have developed excellent compliance programs that have protected their employees, shareholders, and reputations over the years. Some companies suffered accounting scandals and rose from the ashes of prosecution, humiliation, and loss of reputation to be even stronger organizations today.

This book applies the United States Department of Justice and United States Sentencing Commission’s Organizational Guidelines definition of an effective compliance program and its interrelated elements. It will provide chief executives, managers, board members, employees, students, and others with what they need to know about creating and maintaining robust compliance programs. I will discuss the concepts of compliance as well as the many compliance requirements for corporations and other businesses. You will find interviews with ethics and compliance officers who provide their insight and knowledge. Also included are case studies and best practices from “best in breed” companies and those emerging from compliance failures. The companies that have had fraud issues and have now instituted strong programs to mitigate future issues are great examples from which to learn.

The insights and strategies of corporate executives and other thought leaders in compliance are included in the book. There are examples from United States-based organizations as well as from companies elsewhere in the world. Incorporated into the book are Compliance Insights detailing case studies, best practices, sample programs, survey findings, as well as commentary from experts in the field on a particular aspect, topic, or best practice of compliance. Although this book is intended to be a comprehensive overview of compliance, it could not possibly cover every possible aspect of this large and complex field. However, it is my intent to cover the underlying principles of effective compliance.

The major compliance failures of recent years resulted in significant changes to corporate cultures. Suddenly, integrity and accountability are key elements for every organization. These elements have always been there, but now they are moving to the forefront. People everywhere are talking about the importance of integrity. In fact, the word integrity was the Merriam-Webster Online Dictionary Word of the Year in 2005, reinforcing the greater focus on integrity and ethics.

Yet in 2006, Merriam-Webster named “truthiness” as its Word of the Year. If you haven’t heard this word before, you are not a viewer of the mock news show The Colbert Report on the Comedy Central cable network. Stephen Colbert, the host of the show, introduced this word to his audience in October 2005. It is defined as “the quality of preferring concepts or facts one wishes to be true, rather than concepts or facts known to be true.”¹ Truthiness may be the bending and stretching of the truth to suit one’s personal motives but it has no place in compliance. It’s the same as the smiling, confident CEO fervently believing in his innocence while standing in the courtroom as the grim-looking jury returns with their verdict after deliberating through mountains of overwhelmingly incriminating evidence. I trust that the move from integrity to truthiness as Word of the Year is not a sign that we have forgotten the past.

It is my hope that after reading this book, you will have a greater understanding of not only how to build and maintain a truly world-class compliance program but also the importance of creating that very special and lasting culture of compliance.

¹ American Dialect Society, http://www.americandialect.org/index.php/amerdial/truthinessvoted2005wordoftheyear/.
Acknowledgments

The more I get immersed in the literary process, the more I have come to realize how much I rely on the generous assistance and wise counsel of others. Writing a book is an arduous task and I could not have completed this one without the help of the many people I acknowledge here.

First and foremost, I thank my son, Daniel Biegelman, who is a contributing author and provided extraordinary assistance. Daniel was involved in every aspect of this book from the initial brainstorming, to research and writing, to editing and proofing. As a recent law school graduate, he took time from his budding legal career to assist me. His countless hours and tireless dedication helped make this book a reality.

A special note of thanks to my executive editor, Timothy Burgard, who first suggested the idea of writing about corporate compliance and as with my previous book, guided me through the writing and publishing process. Tim has continuously supported my literary adventures and has given me the unique opportunity to express my thoughts and experiences in writing. I am again indebted to him.

My sincere thanks to all those who provided ideas, content, interviews, and assistance: Pedro Fabiano, Thomas Feeney, Scott Moritz, George Stamboulidis, Joseph Murphy, CT Tomlin, Dick Carozza, John Gill, Walt Pavlo, Jan Shanahan, David Cafferty, Dr. Haluk Gursel, Craig Greene, and David McCarthy.

A special thanks to Pat Gnazzo, John McDermott, and Jennifer Hallahan from CA, Inc.; Dr. John Copeland and Holly Byars from the Soderquist Center; Simon Zarifeh and Michael Howard from Airservices Australia; and Megan Barry and Stephanie Jenkins of Premier, Inc., who graciously gave me access to their world-class compliance programs so I could profile them in this book. Steven Lauer, Corporate Counsel of Global Compliance, introduced me to the exceptional Premier, Inc. program and provided much of the research, content, and writing for that chapter. For that, I am especially grateful.

Marc Sherman, Laura Connor, and David Meilstrup of Huron Consulting Group wrote the excellent chapter on anti-money laundering compliance especially for this book. They took time from their busy work schedules to contribute their deep knowledge and experiences and I am deeply appreciative for their contributions.

I want to thank Rick Cruz, Caren Gordon, Ronnie Kann, and the Corporate Executive Board for providing best practices and other content. I also want to recognize Caren and Ronnie for writing the foreword for this book.

There are also two special people I want to thank but whose names cannot be revealed. They provided me great insight into the compliance failures at their organizations.

When I wanted someone to read the completed manuscript and give me honest feedback, I immediately turned to my old and wise friend, DeWayn Marzagalli. DeWayn, a former federal agent extraordinaire, provided the constructive and thoughtful comments I needed.

Although this work is solely ours and does not reflect the views or opinion of Microsoft Corporation, I would like to thank my company for allowing me to write this book. A special thank you to Alain Peracca at Microsoft who leads by example with integrity and accountability, and strongly supports a culture of compliance.

And, last but not least, my gratitude to my wife Lynn, who was indispensable as she spent many hours reviewing the manuscript and providing insightful feedback. Her patience as I spent all my free time engrossed in the book is exceptional.
About the Author

Martin T. Biegelman, CFE, is Director of Financial Integrity for Microsoft Corporation in Redmond, WA. In 2002, he joined Microsoft to create and lead a worldwide fraud detection, investigation, and prevention program based within internal audit. In addition to focusing on preventing financial fraud and abuse, his group promotes financial integrity, fiscal responsibility, and compliance in a COSO framework of improved business ethics, effective internal controls and greater corporate governance. He works closely with Microsoft’s executive leadership, the Office of Legal Compliance, Internal Audit, and others in protecting Microsoft from financial and reputational risk.

He has more than 30 years of experience in fraud detection and prevention. Prior to joining Microsoft, he was a Director of Litigation and Investigative Services in the Fraud Investigation Practice at BDO Seidman, LLP, an international accounting and consulting firm. He is also a former federal law enforcement professional, having served as a United States Postal Inspector in a variety of investigative and management assignments. As a federal agent, he was a subject matter expert in fraud detection and prevention. He retired as the Inspector in Charge of the Phoenix, Arizona Field Office of the Postal Inspection Service.

Mr. Biegelman is a Certified Fraud Examiner as well as an adjunct faculty member, Regent Emeritus, and Fellow of the Association of Certified Fraud Examiners (ACFE). He serves on the Board of Directors of the ACFE Foundation, the Board of Advisors for the Economic Crime Institute at Utica College, and the Accounting Advisory Board for the Department of Accounting and Law in the School of Business at the University at Albany, State University of New York. He is also a member of ASIS International and served on its Investigations Council.

He is a nationally recognized speaker and instructor on white-collar crime, corruption, security, fraud prevention, and corporate compliance. He has written numerous articles on many fraud related subjects including corporate crime, identity theft, Internet fraud, check fraud, fraud prevention, corporate investigations, and the Sarbanes-Oxley Act. Mr. Biegelman is the co-author of Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance. He is currently working on a book about the evils of identity theft. He is also a contributing author to Fraud Casebook: Lessons from the Bad Side of Business.

Mr. Biegelman has a Bachelor of Science degree from Cornell University and a Master’s in Public Administration from Golden Gate University.
CHAPTER1Why Ethics and Compliance WillAlways Matter‘‘There is no such thing as business ethics. There is only onekind—you have to adhere to the highest standards.’’Marvin Bower, former managing partnerof McKinsey & CompanyImagine this nightmare scenario: A publicly traded company whose dom-ineering leadership rules by fear. Dissenting opinion in any form is metwith immediate termination of employment. A culture where written policiesand procedures are few and far between and internal controls are shunned.Training is sporadic and lacking. Eventually, this company’s senior-mostexecutives conspire to prematurely and fraudulently recognize revenue tomeet or exceed Wall Street’s expectations. They conduct this massive fraudyear after year. The board is totally in the dark and accepts management’sexplanations and assurances without independent verification. When theiraccounting practices finally are scrutinized and the government starts aninquiry, these executives attempt a cover-up by fabricating a story, obstruct-ing the investigation, and suborning perjury by instructing other employeesto lie to the government and outside counsel. Ultimately, eight of thecompany’s senior executives including the CEO, CFO, and General Coun-sel, plead guilty to securities fraud and/or obstruction of justice charges.Shareholders lose over $10 billion due to the massive accounting fraud.Employees are left shocked and demoralized that their leaders have liedand defrauded their company. Investors are also horrified at seeing theirinvestments diminish and that no one in the company did anything to stop it.Add to this explosive mixture the fact that the company had no compliance1
Background image
2WHY ETHICS AND COMPLIANCE WILL ALWAYS MATTERprogram. That’s right, no compliance program. Think this couldn’t happen?Think again because it did.This all occurred at Computer Associates, now called CA, Inc. Theseblatant transgressions happened because an effective ethics and complianceprogram was not in place. Compliance involves many different elements;knowing and following all the relevant laws, rules, and policies is but onepart of the mix. An effective compliance program would have made adifference at CA. A strong compliance program is absolutely necessary toprotect an organization both internally and externally.Compliance means following the law and more. It’s making sure orga-nizations adhere to all applicable legal requirements. It is a detailed andcomplex process. For any particular situation one must be aware of allpotentially applicable laws and regulations—federal, state, local, as well asinternal company-instituted rules. A company is obligated to be aware ofand understand these rules and laws. That in itself can be an onerous processas even experienced and sophisticated lawyers sometimes have a difficulttime deciphering the cryptic ‘‘legalese’’ that passes for statutory language.This compliance obligation is important as everyone in authority is chargedwith knowledge of the law. Ignorance of the law is no excuse. A personcannot escape a criminal charge or civil liability by claiming that he or shedid not know the law was being broken. This is the role of compliance, tomake sure people know the rules beforehand and help to ensure that theycontinuously follow them.Knowledge and understanding of the law is the first step. Businesses alsohave to know to what and where it applies. Furthermore, once one has thisinformation, one must implement it in an effective compliance program. Butwhat does effective mean? 
A company must carefully craft a program, hireexperienced compliance professionals, issue detailed policies and guidance,institute training, and promote all other aspects of the program to ensurethe knowledge is spread to all who need it. This process must be continuous.The compliance program is the engine of compliance, putting all of this intoeffect.Knowing the law and following it is only one side of compliance.Compliance goes much deeper than that, true compliance anyway. Sim-ply following the law so that one doesn’t get into trouble is not fullcompliance. State-of-the-art compliance involves a successful blendingof compliance—following rules, regulations, and laws—with ethics—developing and sustaining a culture based on values, integrity, and account-ability, and always doing the right things. True compliance ensures con-sistency of actions to eliminate, or at least lessen, opportunities for harmfrom criminal conduct or other compliance failures. It means going beyondthe minimum requirements. More importantly, it involves the ongoing
Background image
Ethics is Job One3commitment from senior leaders in the organization to promote ethicalconduct and compliance with the law. Leading by example and establishingthe tone at the top set the stage for every other element of compliance.The problem that can occur is when people use compliance as an excuse;those who profess to believe in it but use a compliance program to masktheir own negligence or even wrongdoing. It may be said that this is evenmore dangerous than having no compliance program at all. That is becauseit gives shareholders, employees, vendors, and the public the false belief thatthe company cares about following the law when in fact, all it wants is todeceive others into believing so. Let us not forget that Enron had a 65-pagecode of conduct, but in the end, it was nothing more than empty words.Enacting a compliance program and instituting training programs butnot supporting them through lack of funding, lack of skilled personnel, orby management undercutting them in various ways, is also dangerous andcounterproductive. Real compliance means that one believes in what one isdoing day in and day out. It is not merely lip service; it’s putting your moneywhere your mouth is. This is the two-tiered approach to compliance—one’sactions and one’s mindset. An organization cannot have effective compliancewithout both of them. One alone will not work. This is tied into the idea ofsetting a positive tone at the top. If management believes in compliance andreinforces it by their actions, over and over again, then people below willfollow their lead.ETHICS IS JOB ONEExecutives are constantly confronted with the realities of business com-pliance. They must ensure compliance with their internal rules and poli-cies. Those from public companies must follow the requirements of theSarbanes-Oxley Act and other reporting enhancements. 
All organizations must follow federal, state, and local laws and all must comply with the United States’ Federal Sentencing Guidelines, which mandate the creation of compliance programs. Moreover, a raft of other laws must be complied with, from anti-bribery rules to free trade provisions. Yet, chief among these requirements is the idea of ethics, the concept that lies at the heart of every corporate governance requirement.

Ethics include integrity and proper business conduct; it refers to standards and values by which an individual or organization behaves and interacts with others.¹ The famed Greek philosopher Aristotle in his Nicomachean Ethics argued that “moral behavior is acquired by habituation” and that without question, “moral behavior is good.”² It is no different today. Ethics and compliance are clearly on the minds of executives, as well as investors, the public, and the government. Ethics has become a hot
button topic, thanks to the many corporate scandals of the past years. This is hardly news to anyone. Despite the increased awareness given to ethics and compliance programs, the problem has not been solved. For instance, the Hewlett-Packard (HP) spying and pretexting scandal involved key executives and illustrates that there is more to successful compliance than just a code of conduct. HP had a comprehensive Standards of Business Conduct (including, slightly ironically now, several pages on how to handle sensitive information), yet it still was engulfed by negative front-page headlines and a shakeup among its leadership. Even great corporations like HP can, at times, face compliance failures. Merely having a program in and of itself is not the solution to protecting a company and keeping it in good graces with shareholders and the government. A truly successful compliance program goes far deeper.

The push toward compliance, especially since the enactment of the Sarbanes-Oxley Act and the reaction to the scandal culture of the Enron era, could almost be described as an “ethics fad.” Sarbanes-Oxley strengthened corporate accountability and governance of public companies through rules covering conflicts of interests, financial disclosures, board oversight, and certification of financial statements.³ The Act’s passage left companies hurrying to comply. All of a sudden, every company had to have an ethics code; if there wasn’t one there was scrambling to get one, or else be left behind. This rush merged with heightened concerns stemming from the penalties imposed on companies for ethical breaches.
From the lighter treatment afforded to companies who came clean and “restated” their earnings, as compared to those formally investigated and charged by the government, companies got the message that it was in their best interest to cooperate and that having a compliance program would be something that would lessen potential penalties should the company commit further misdeeds.

Companies that the government caught red-handed had to pay very stiff financial and reputational penalties, not to mention the personal impact on those executives prosecuted and sent to prison. This sent companies searching for ways to avoid this disastrous outcome. At the same time, ethics enjoyed a renewed focus throughout the corporate world, first as companies struggled to understand the new requirements placed on them by the passage of Sarbanes-Oxley, and then rushed to embrace ethical conduct for chief executives and others. The ethics fever swept every industry and that was a good thing, a very good thing. While this practice makes compliance easier, there is still much to do as compliance lapses and criminal conduct persist. The Securities and Exchange Commission (SEC) has continued its strong enforcement program over the last few years. The results of SEC enforcement activity in Fiscal Years 2005–2006 in Compliance Insight 1.1 illustrate that we still have a long way to go for complete compliance.
COMPLIANCE INSIGHT 1.1: SUMMARY OF SECURITIES AND EXCHANGE COMMISSION ENFORCEMENT ACTIVITY, FY2005–FY2006, COMPLIANCE AND ETHICS LEADERSHIP COUNCIL RESEARCH, 2007

- 574 enforcement actions filed in 2006
- $3.3 billion total in disgorgement and penalties ordered against securities law violators in 2006
- $28.5 million average settlement in 2005, an increase from $26.4 million in 2004
- $7.5 million median settlement in 2005, a 19% increase from $6.3 million in 2004
- 657 amended filings in 2005 for financial restatements of public companies due to accounting errors, a 58% increase from 2004
- 300 officers and directors barred in the last three years due to allegations of individual malfeasance
- 1,228 CEO departures from U.S. companies in 2005, an increase of 102% from 2004
- 129 CEO changeovers in the Fortune 1000 in 2005, an increase of 32% from 2004

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2007 based on information from the United States Securities and Exchange Commission; Cornerstone Research; Challenger, Gray & Christmas; Burson-Marsteller; and United States General Accounting Office.

Ethics and ethical behavior are not things that can merely be created, or attained solely through corporate expenditure. They require a deeper commitment, one that can only be achieved through time, effort, and yes, expenditure. Though it is cliché, quality matters here far more than quantity. In many senses, a little goes a long way. Building a world-class compliance program requires smart decisions in building it, maintaining it, and sustaining it; by doing so, a company will be able to achieve truly effective compliance over the long term.

THE NYPD AND AN ETHICAL CULTURE

A commitment to ethical conduct cannot be accomplished by simply initiating a program and then checking the box that the process is complete.
Building a culture of compliance takes time. Integrity and character bring out the best in people and are critical components in ethics and compliance. Yet, human beings are not perfect creatures and tend to falter from time to time. The importance of ethical conduct needs to be nurtured, reinforced, and repeated over and over again lest people forget and stray from the course. There is no better example of this continuous need for attention to ethical conduct than the various police corruption scandals that have impacted the New York City Police Department (NYPD) over the past 100 years. Even legendary institutions can face the firestorm created when law enforcement officers forget their oaths and turn to crime and corruption. Compliance Insight 1.2 details the major corruption scandals that the New York City Police Department has faced over the years.

The feeling of déjà vu that the NYPD faced was due to not learning from the past. The NYPD of the 21st century has made great strides in understanding that ethical lapses can seriously impact a long-standing reputation. In building their compliance program, the NYPD starts with police recruits as soon as they enter the police academy. Look at what is presented to recruits in their Police Student’s Guide: Introduction to the NYPD:

Our history is a source of great pride to us, and we have very little tolerance for officers who do not treat our hard won reputation with the respect it deserves. . . . When things go right in this Department—when we succeed in reducing crime; when we make spectacular arrests; when we make dramatic rescues—our actions are described in news reports throughout the country and across the world, and our officers are treated like heroes. But, when things go wrong—when officers are caught in scandal, or when they make some tragic mistakes—the same reporters and leaders who are quick to praise us are quick to condemn us.
When this happens, the public often does not recognize that the problem may be limited to one or only a few officers. Instead, in the eyes of many people, we all become suspect, and the mistakes and sins of a few are generalized to all of us. This breeds distrust among the public, and makes it tougher for all of us to do the job the way we should. . . . Make certain that you carry yourself in a manner that brings only respect to yourself and to your brothers and sisters in this Department.⁴

Warren Buffett, the billionaire investor and CEO of Berkshire Hathaway, Inc., has said “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” The NYPD understands this and so must all organizations. Yet, we often fail to learn
COMPLIANCE INSIGHT 1.2: A BRIEF HISTORY OF NYPD POLICE CORRUPTION

The New York City Police Department is considered by many to be the premier police department in the world. Yet, even the best sometimes falter. Police corruption can infect even the most professional of law enforcement organizations. Consider these very public police corruption investigations of the New York City Police Department over the last 100 years:

- Lexow Committee (1894): Systematic police extortion and payoffs from gambling operations
- Curran Committee (1913): Systematic monthly police extortion of gambling and brothel operations
- Seabury Commission (1932): Police Department involvement in extortions from speakeasies, bootleggers, and gamblers
- Helfand Investigation (1955): Large-scale protection by police of a gambling syndicate
- Knapp Commission (1972): Corrupt police officers were either “grass-eaters” or “meat-eaters”ᵃ
- Mollen Commission (1994): Shakedowns and protection by corrupt officers but also trafficking in cocaine and other drugs

Why include an historical overview of police corruption in a book on compliance? To remind us that corruption, criminality, and non-compliance are always present. It often takes a major and very public incident for us to take notice and do something. Approximately every twenty years for the last century, corrupt police activities reached such a peak that investigating bodies were commissioned to conduct public inquiries to determine the corrupt acts and recommend solutions to the scandals. There are important lessons for us here. Rather than wait for the public scandal that does so much reputational damage for us to take remedial action, we must continuously apply state-of-the-art compliance standards to ensure that history does not repeat itself, as was the case with the New York City Police Department.

ᵃ The Knapp Commission investigation of police corruption in the New York City Police Department found two categories of corrupt officers.
They were either “grass-eaters” or “meat-eaters.” Grass-eaters were the overwhelming
majority who generally took small payoffs from business owners, gamblers, and others to look the other way on infractions. Grass-eaters usually did not solicit these payoffs but did not refuse them either. Meat-eaters were a small percentage of corrupt officers but were constantly on the prowl for large-scale financial scores involving narcotics, gambling operations, and other serious offenses. For more information, refer to the Commission to Investigate Allegations of Police Corruption and the City’s Anti-Corruption Procedures, The Knapp Commission Report on Police Corruption (New York: George Braziller, 1973), 65.

from the past. The disclosure of stock option backdating scandals in 2006 at dozens of companies, large and small, in the United States brought back distressing memories of the accounting scandals of just a few short years ago. How could so many smart people forget the lessons of Enron, WorldCom, Adelphia, and others? The sheer number of companies involved is striking. Much of the misconduct took place a number of years ago and was only recently disclosed. Still, the participants were chief executives and other high level employees who should have known better. More importantly, their compliance programs did not work. A further discussion of the backdating of stock options can be found in Chapter 2.

WHAT IS COMPLIANCE?

Compliance is a state of being in accordance with established guidelines, specifications, or legislation.⁵ The Compliance and Ethics Leadership Council defines compliance as “a company’s or an individual’s observance of relevant laws, regulations, and corporate policies. . . . Companies must have various programs, policies, and controls in place in order to be defined as being ‘compliant’ with certain laws, rules, regulations, or policies.”⁶ The United States Department of Justice (DOJ) has strongly reinforced the importance of effective compliance programs.
The DOJ defines compliance programs as follows:

Compliance programs are established by corporate management to prevent and to detect misconduct and to ensure that corporate activities are conducted in accordance with all applicable criminal and civil laws, regulations, and rules. The Department encourages such corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own. However, the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for
criminal conduct undertaken by its officers, directors, employees, or agents. Indeed, the commission of such crimes in the face of a compliance program may suggest that the corporate management is not adequately enforcing its program. In addition, the nature of some crimes, e.g., antitrust violations, may be such that national law enforcement policies mandate prosecutions of corporations notwithstanding the existence of a compliance program.⁷

The key to effectiveness is whether the program is adequately designed to ensure compliance. The United States’ Federal Sentencing Guidelines for Organizations (FSGO) state that “to have an effective compliance and ethics program, an organization shall exercise due diligence to prevent and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”⁸ The constantly evolving compliance landscape requires executives and managers to constantly ensure that their programs are “best in breed” to fully protect organizations.

Organizations that run afoul of the law and commit crimes such as fraud, face severe penalties from the courts. Under the FSGO, organizations found guilty can face additional penalties based on certain aggravating factors calculated by a “culpability score.” As stated in the FSGO, the factors contributing to increased penalties and fines include whether:

- Senior executives within the organization “participated in, condoned, or [were] willfully ignorant of the offense;”
- “[T]olerance of the offense by substantial authority personnel was pervasive throughout the organization;”
- There was prior history of a similar offense in the company’s past; and/or
- The organization obstructed justice by impeding the investigation or prosecution.⁹

The FSGO also provide a significant “carrot” or benefit in that there are mitigating factors that can significantly lessen the penalties for criminal convictions.
The questions that will determine if these factors are to be considered include:

- If the subject “organization had in place at the time of the offense an effective compliance and ethics program;”
- If the organization promptly “reported the offense to appropriate government authorities” once they became aware of its existence;
- If the organization “fully cooperated in the investigation;” and
- If the organization “clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct.”¹⁰

While quality matters more than quantity, a solid compliance program needs a proper balance between the two. An under-funded and unsupported program is doomed to fail. Without sufficient support by the company and the management, a program cannot succeed in its objectives of changing and influencing employee behavior. Compliance requires direct input by company leadership, and the key support of a qualified compliance officer running a reliable compliance department, accessible to the rank and file to answer their questions and provide them with appropriate direction. However, spending too much money (without proper guidance on how to spend and direct funds) can lead to incredible inefficiency, and be just as ineffective as not spending.

The “Icarus Effect”

Professor David A. Skeel of the University of Pennsylvania Law School proposes an interesting theory in evaluating corporate scandals. He describes the “Icarus Effect,” three factors that combine to create each of America’s great corporate scandals. Icarus, in Greek mythology, was given wings made of wax and feathers by his father, the inventor Daedalus. Daedalus warned Icarus not to fly too close to the sun, as the wings would melt and Icarus would plummet to his death.¹¹ Sadly, seduced by his newfound power, Icarus disregarded his father’s warning and suffered the deadly consequences.

Skeel identifies three “Icaran” factors: risk-taking, competition, and manipulation of the corporate form. Risk-taking is perhaps inherent in the corporate structure. The market rewards those who take successful risks in developing new products and technologies. Risk-taking often leads to innovation.
Moreover, the types of people who rise to the highest level of corporate America tend to be bold, confident, and willing to take risks. After all, these are the types of traits that allow one to climb the corporate ladder. A would-be executive is unlikely to make it far up the corporate ladder without taking some risks. Risk-taking is not a bad thing. Corporate governance rules expressly allow for some measure of risk taking; the business judgment rule, for instance, protects rational business decisions, even if a judge or jury thinks them too risky or would have chosen a different course of action.

Executive compensation also encourages risk-taking. The majority of executive compensation is in the form of stock options. These options reward risk, since they are “all upside and no downside: they promise a big payoff if the company’s stock price goes up, but there’s no cost to the CEO if
she gambles with the company’s business and the stock price plummets.”¹² Even though risk-taking has some distinct and crucial benefits, if it gets out of hand it can doom a company. Any level of risk-taking must be tempered with reasoned and rational thought.

Competition can reinforce managers’ incentives to take risks. The marketplace is a tough environment with many different entities all competing for the same dollar. Increasing market pressure to achieve a certain level of financial success or more commonly to return to past levels of success often pushes management to make risky decisions in hopes of appeasing investors and Wall Street. Unfortunately, many times these competitive-driven risks turn out to be short-sighted and ill-advised.

Manipulation of the corporate form is the final factor. “The ability to tap huge amounts of capital in enterprises that are set up as corporations, together with the large number of people whose livelihoods depend in one way or another on the business, means that an Icaran executive who takes excessive or fraudulent risks may jeopardize the financial lives of thousands of employees, investors, and suppliers of the business.”¹³

Individually, all of these factors are elements of a typical market, and in fact all can be used positively. Risk-taking and competition allow for the creation of better products, and the corporate form allows for distinct benefits, such as the ability to raise large amounts of capital and limited liability, and gives people an incentive to take risks and create a new and successful product or service. However, when these factors operate unrestrained, in conjunction with each other, they can create disastrous scandals.
These Icaran factors will be on full display in Chapter 3 that details a brief history of corporate scandals and those responsible.

Compliance Program Individuality

Ideally a compliance program should be both industry-specific and unique; it should be tailored to fit the requirements of the individual company, its needs, and the overall compliance requirements of its particular industry, but should also reflect the compliance requirements imposed on all corporations and the laws that they must all follow. Each organization must ensure that their compliance programs are getting the individualized attention they need. If a code of conduct is nothing more than a cookie cutter guidebook, it is unlikely to truly foster a lasting change in the corporate compliance culture. A company may spend far more time on the appearance than the content of these codes. With slick graphics, photos, and inspirational quotes, they may look like little more than the advertising material given out to potential customers. In fact, when perusing through the manuals given out at various
companies, they all start to blend together. Many seem to come from the same exact template, with similar language. These are, essentially, nothing more than boilerplate codes of conduct. One even starts to see identical quotes appearing time and time again. What this shows are the misplaced priorities by the companies who issue them.

First, as noted above, it reflects a preference of style over substance, on the appearance over the content. Second, it shows the lack of attention paid to the full importance of a compliance program. Setting up a cookie cutter program means that the company scrambled to put something in place as soon as possible, such that it will not be anywhere as effective as it could be or the company hopes it to be, or that the company puts a low priority on having a truly effective compliance program. For these companies, the appearance of a good program is more important than actually creating a culture of compliance. It also shows that the company has not put in the effort needed to customize the compliance program to the individual needs of the company and its unique culture.

Most importantly, the focus on image and the lack of individuality ignores the great benefits a company can reap by putting a good program into place. Among other benefits, a strong compliance program can create better employee productivity and morale, higher profits, and a stronger reputation among consumers and investors. It can catch problems before they reach the level where they can hurt the company and its stock price as well as absorb the valuable time of employees who should be working to benefit the company, not to clean up its internal mess.
With a strong program, an organization can take advantage of lessened sentences under the Federal Sentencing Guidelines for Organizations, as well as having a beneficial position when dealing with prosecutors should problems arise. It also will be more able to portray a wrongdoer as a rogue employee, rather than as a symptom of an endemic and widespread problem within the company.

Returning to the issue of slickly produced codes of conduct, it should be recognized that allowances must be made to get the employees’ attention. It is an open question as to how many of the rank and file employees actually take the time to read the manuals they are given, much less internalize and fully understand them. This gap can be filled by having solid training programs to engage the employees and to make sure they know what they need to know and conversely, to make sure that they are not overwhelmed with information that is above their level and is best handled by superiors.

Additionally, good management oversight sets a good example for them to follow and can make sure that employees are acting in the proper manner. Having experienced compliance officers available to answer more specialized
questions is helpful because there is no way that every contingency is addressed in the distributed materials.

BUILDING THE BUSINESS CASE FOR ETHICS

Running an ethical company that places a high value on compliance is not just simply a good idea. It also makes good business sense. One hears all about the importance of business ethics, the damage that can be caused by scandals, and the legal benefits and requirements, as outlined in places such as the Sentencing Guidelines. But less is heard about how an ethical business with strong corporate governance will outperform companies that don’t focus on ethics.

Moreover, executives can damage their business and its future if they do not properly value ethics. “Too many corporate executives regard an ethics program as an expense that adds nothing to a company’s bottom line. Even more disturbing, some executives fear that an emphasis on business ethics could put their company at a competitive disadvantage. They are unconvinced that ethics and profits are reconcilable.”¹⁴ Of course, this is not the case and ethics can even provide a company with an edge in a fiercely competitive global economy, as a reputation for ethical behavior can distinguish it from rivals. “Enlightened business leaders, however, know that building an ethical business culture is a powerful means of maximizing shareholder value and increasing business profits.”¹⁵ In the end, ethics increases the bottom line. The strong link between corporate management’s public commitment to ethics and the corporation’s financial performance has been borne out by numerous studies.¹⁶

According to Professor Curtis C. Verschoor of DePaul University, “well-managed companies that take their ethical, social, and environmental responsibilities seriously. .
. have stronger long-term financial performance than the remaining companies in the S&P 500 Index.”¹⁷ A 2004 study, building on prior research done by Verschoor and others, demonstrates the benefits that are associated with superior governance attributes. The study analyzed companies in the Standard & Poor’s 500 by measuring Market Value Added (MVA), which is the value of a company above and beyond what had been contributed by investors, i.e., the company’s financial growth. Companies classified as having superior corporate governance substantially outperformed their less ethically focused competitors, to the tune of an average of $9.4 billion in 2004.¹⁸ “This study provides powerful new evidence supporting the belief of many investors that firms having attributes of strong corporate governance. . . actually deliver superior financial returns to their shareowners. Corporate management and boards of directors should also
COMPLIANCE INSIGHT 1.3: BUILDING THE BUSINESS CASE FOR A COMPLIANCE AND ETHICS PROGRAM, COMPLIANCE AND ETHICS LEADERSHIP COUNCIL RESEARCH, 2005

Leading Cause of Compliance Failures | Costs of Non-Compliance | Benefits of a C&E Program | Legal Considerations for a C&E Program | C&E Programs as the Norm

- Costs of legal settlements
- Shock to company share price
- Negative media references and reputation damage
- An “effective” compliance and ethics program can be a mitigating factor in case of misconduct
- Minimizes impact of unethical behavior on company
- Builds shareholder trust and loyalty
- SEC
- DOJ
- Federal Sentencing Guidelines
- Re Caremark Inc.
- The McNulty Memo
- Criminal and civil prosecutions
- Improper conduct at the top
- Systemic culture of pressure and fear
- Inadequate compliance and accounting controls
- Lack of due diligence in M&A process
- Poor oversight of vendors and agents
- Rise in compliance budgets
- More than 75% of surveyed companies have more than two full-time compliance staff members
- Benchmarking with C&E programs
- Safeguards a company’s reputation
- Facilitates acquisition and retention of talent

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2005.
recognize the value the market is placing on attributes of good corporate governance, especially a well-managed program of ethics and compliance.”¹⁹ Compliance Insight 1.3 reinforces the importance of building a business case for an appropriate compliance and ethics program.

Another study, by the Aspen Institute and management consulting firm Booz Allen Hamilton, similarly found a financial benefit from strong corporate values. “Public companies that report superior financial results also report greater success in linking values to operations in areas that foster growth, such as initiative and innovativeness.”²⁰ Again, the study found a strong correlation between strong financial performance and a focus on ethics and core values. “Among financial leaders—public companies that outperform their industry averages—98% include ethical behavior/integrity in their values statements, compared with 88% for other public companies. Far more of these financial leaders include commitment to employees, honesty/openness, and drive to succeed.”²¹ These same financial leaders also report that their practices are very effective in promoting initiative, adaptability, and innovativeness and entrepreneurship, at twice the rate of other public companies.²²

Ethics are also beneficial in another business area, hiring and retaining top quality employees. Unethical behavior not only impacts a company’s bottom line, it also impacts its workforce. It affects current employees as well as the company’s ability to attract qualified new ones. A study by the consulting firm LRN “provides new evidence that links a company’s ability to foster an ethical corporate culture with an increased ability to attract, retain and ensure productivity among U.S.
employees.”²³ Among the study’s findings:

- 94% of employees say it is critical that they work for an ethical company.
- More than one-third of respondents reported leaving a job for ethical reasons.
- 56% say their employer embraces ethics and corporate values in everything it does.
- 30% say their company merely toes the line by following the law and company policies.
- 9% say they work at a company where they do what they are told, are not encouraged to ask questions about what is right or wrong, or they often see management and peers acting in questionable ways.²⁴

While most organizations value ethics, strangely, some do not as evidenced by the many corporate frauds we have witnessed over these last few years. Employees are very sensitive to this, are acutely aware of their
organization’s culture, and pay attention to the tone set from the top and around them. Unethical behavior has a strongly deleterious effect on employee morale and distracts employees from the company’s business at hand. One in four workers reported seeing unethical or even illegal behavior where they work; of those who saw unethical behavior, 89% said it affected them.²⁵ An ethical reputation also pays dividends in hiring. Of 800 MBA graduates surveyed, 97% were willing to be paid less to work for an organization with a better reputation for corporate social responsibility and ethics. This survey provides even more evidence that good corporate citizenship helps to attract superior management talent.²⁶

COMPLIANCE OBSTACLES

I met a person who works at a well-known technology firm. She and I started discussing compliance. She commented that with all the advances in technology today, there had to be a way to develop software tools to automate and ensure compliance. She felt that technology is the key to solving compliance concerns. I remarked that that was a noble goal, and while the power of technology and software is immense, ultimately technology and tools are no substitute for the human factor. It always comes down to people. One cannot automate integrity and honesty. Either people have it or they do not. Compliance Insight 1.4 is a sad example of what can happen when a company is not committed to building and maintaining a compliance program.

True corporate responsibility requires all companies, public or private, large or small, foreign or domestic, to have effective compliance programs. An organization can have 100% of its employees complete code of conduct training but that will not ensure that everyone will comply with the code. An organization can have a hotline in place but that will not guarantee that an employee will call to report an allegation of fraud that he or she discovers.
Compliance must be embedded into the fabric of an organization so that it continues no matter who the CEO is. As Thomas Friedman of the New York Times wrote in one of his columns, “The greatest restraint on human behavior is not a police officer or a fence—it’s a community and a culture.”27

KEN LAY ON ETHICAL CONDUCT

On April 6, 1999, The Center for Business Ethics at the University of St. Thomas in Houston, Texas sponsored a conference entitled Corporate

COMPLIANCE INSIGHT 1.4: OBSTACLES ENCOUNTERED IN IMPLEMENTING A COMPLIANCE PROGRAM

It’s fair to say that building an effective compliance program is critical to any organization today. There must be support from the highest levels of leadership as well as an ongoing and honest commitment to successful implementation. One of the worst approaches is to have a compliance program as simply “window-dressing” with no real intent to actually follow through on compliance requirements. The following is an example of an actual company that did just that. Some details have been changed so as not to identify this company or the source of this information.

In 2005, the company was a privately-held, service-oriented entity with over 50,000 employees, $3 billion in annual sales, and several hundred million dollars in debt. Anticipating going public with an initial public offering and the resulting Sarbanes-Oxley reporting requirements, a decision was made to create a compliance department with reporting to the General Counsel. Several new hires were authorized: a Chief Compliance Officer, a Manager of Contract Compliance, a Manager of Licensing, a Regulatory Specialist, and a Quality Assurance Specialist.

The compliance department was initially assigned the responsibility for review and oversight of the company’s licensing and regulatory affairs, contract compliance, whistleblower hotline monitoring and oversight, administration of corporate policies and procedures, internal corporate investigations, quality assurance reviews, and field compliance reviews. Initial plans also included a small staff that would be assigned the responsibility to conduct internal audits and internal corporate investigations.

Almost at the onset, it became clear the Compliance Department was simply “window dressing.” Little, if any, corporate support was provided toward achievement of the Compliance Department’s initial goals.
The company’s strategic plan included aggressive pursuit and acquisition of a number of competitors, which required continued in-house due-diligence procedures, corporate re-formation activities, and re-licensing and re-branding of a new business entity, all of which were tasked to the Compliance Department. Several months after the department was formed, the General Counsel was terminated for no apparent reason, leaving this important position vacant for over seven
months. This left the department without vital support at the highest executive level.

To make matters worse, the Chief Executive Officer was not involved in the day-to-day operations of the company and was focused primarily on new acquisitions. It was widely known that the Chief Financial Officer did not support the audit functions originally envisioned for assignment to the Compliance Department. As a result, the CFO provided neither financial nor other support vital for the success of the new entity. The CFO was indifferent to the compliance operation and felt no need to maintain an open line of communication with any operation other than those who directly reported to him.

In early 2006, the company reported a sizable loss. Shortly after the hiring of a new General Counsel, the Manager of Contract Compliance position was eliminated and the responsibilities of the position were reassigned to the Regulatory Affairs Specialist. This created a significant void in original plans to monitor and audit any of the approximately 4,300 contracts in effect with clients, which was an important component of the original compliance program. Using the money saved from this position, the CFO reclassified a number of financial management positions and created several new titles and moved the positions to his staff. Among the new titles the CFO created was a Chief Auditing Executive, which was done without the knowledge of the General Counsel or Compliance staff.

Due to the poor financial earnings of the company, the auditor/investigator positions were never filled and the Chief Compliance Officer (CCO) served as the sole corporate investigator and internal auditor in addition to his other duties. The CCO monitored, audited, initiated, and conducted investigations based upon allegations received through the whistleblower hotline.
Generally, following receipt and investigation of a hotline issue, an investigative report would be prepared and issued to corporate management.

A number of investigations focused upon the allegations of “ghost” employees within the company. If internal control deficiencies were identified incident to an investigation, including the “ghost” investigations, a separate audit report containing detailed findings and recommendations for corrective action would be issued to the CFO. The CFO generally ignored these recommendations and considered these issues to be immaterial and not indicative of corporate-wide
problems. The Corporate Controller, whose experience was quite limited, had a similar perception that there was little, if any, fraud inherent in his operation.

There was no interaction with the external auditors regarding compliance or fraud related issues. The auditors were shielded by the CFO from making any contact with Compliance Department personnel. Similarly there were no interactions with the Corporate Audit Committee, who generally met only with the CEO, CFO, and Corporate Counsel. Some of the primary concerns of the Audit Committee from a compliance perspective included their unusual interest in providing state-by-state breakdowns in employee relations issues, with little interest in the detection and prevention of internal corporate fraud. Why the external auditors didn’t do more or exhibit professional skepticism is unknown.

The CCO clearly felt there was a lack of support at the highest levels of management. In frustration, the CCO left the company and took a position with another organization. Following his departure, there was little support demonstrated by senior executives to hire a replacement CCO. The tone at the top consisted of deaf indifference to the support of a robust compliance program. The program was permitted to fail, based upon the combined reckless indifference of senior executives, the board of directors, and audit committee.

Unfortunately for this company, its lack of commitment to compliance led to serious harm. The company had to restate several years of earnings because of improper accounting. This was allowed to happen because the compliance function languished without sufficient leadership or internal company support. In a true sign of this company’s lack of ethical commitment, no senior executives have been fired or reprimanded, and the compliance office has all but been dismantled. This is a sure-fire recipe for disaster.

Governance: Ethics Across the Board.
The conference brochure at the time stated the conference “will explore the changing nature and growing importance of corporate governance.”28 The late Ken Lay, who was Chairman and CEO of Enron at the time, was a conference speaker. The subject of his presentation oddly enough was “What a CEO Expects from the Board.” In his own words, Lay spells out in theory what an ethical CEO should
expect from a board and what an ethical board should deliver. Lay said the following:

Like any successful company, we must have directors who start with what is right, who do not have hidden agendas, and who strive to make judgments about what is best for the company, and not about what is best for themselves or some other constituency. . . . The responsibility of our board—a responsibility which I expect them to fulfill—is to ensure legal and ethical conduct by the company and by everyone in the company. . . . What a CEO really expects from a board is good advice and counsel, both of which will make the company stronger and more successful; support for those investments and decisions that serve the interests of the company and its stakeholders; and warnings in those cases in which investments and decisions are not beneficial to the company and its stakeholders. And let me conclude by acknowledging that it is not an easy task to get all of this just right.29

Whether he actually meant what he said at the time or it was just empty rhetoric, we will never know. What we do know is that nothing of what he said in 1999 was of any help to the investors and employees of Enron who ultimately suffered a severe financial and emotional toll as the company imploded. Compliance Insight 1.5 details some of the obstacles faced when embedding a compliance program within an organization.

THE WARNING SIGNS OF COMPLIANCE FAILURES

Marianne Jennings is a professor in the W.P. Carey School of Business at Arizona State University and an expert on business ethics. She is a well-known speaker and prolific author on the subject. Her latest book is entitled The Seven Signs of Ethical Collapse in which she identifies the seven indicators of ethical collapse. While these signs are not a guarantee of an ethical collapse, they definitely can be used as potential harbingers of ethical challenges.
These seven signs are: (1) the pressure to maintain the business numbers; (2) a culture of fear and silence; (3) a “bigger than life” CEO and awe-struck direct reports that won’t go against their leader; (4) a weak board of directors; (5) a practice of conflicts of interest; (6) a belief that the organization is above the law; and (7) that “goodness in some areas” such as corporate giving “atones for evil in others.”30 An excellent best practice is to always consider red flags such as these in analyzing a compliance program’s level of potential risk.

COMPLIANCE INSIGHT 1.5: KEY OBSTACLES TO EMBEDDING COMPLIANCE IN THE BUSINESS, COMPLIANCE AND ETHICS LEADERSHIP COUNCIL RESEARCH, 2005

Goal / Outcome / Critical Failure Paths

The compliance function seeks to build a culture of compliance and ethical conduct.
Goals and incentives are consistent with ethical conduct and compliant activity.
Employees strive to ensure compliance and ethical behavior and preempt compliance violations.
Employees understand the importance and real consequences of noncompliance.
Employees undergo relevant training that reinforces ethical behavior.

Insufficient or Misaligned Compliance Performance Incentives
Lack of Emphasis on the Consequences of Noncompliance
Generic Training Does Not Influence Employee Behavior

Pressure to meet financial goals causes business units to neglect compliance
Lack of compliance or ethics related performance objectives

“To really build a culture of compliance, we have realized that we have to include compliance in employee scorecards. Only when compliance is included in performance reviews and compensation can we move it from the mission statement to daily decision making.”
Chief Compliance Officer, Insurance Company

“It’s hard for employees to understand if you don’t show noncompliance is happening in your organization. Recounting stories about misconduct at Enron and WorldCom is well and good, but employees can always distance themselves from those events. We need to bring it home and show them that it can happen here.”
VP, Ethics and Compliance, Chemicals Company

Enterprise-standard approach to training does not cater to individual needs and preexisting knowledge

“We have to train 40,000 employees in 25 countries on compliance—one of the main challenges in rolling out a training program is knowing which individual should receive specific training about which areas.”
SVP, Compliance, Energy Company

Generalized training results in wasted effort in terms of time and resources dedicated
Compliance messages easily dismissed by employees due to overconfidence in company’s dedication to ethics and belief of “that doesn’t happen here.”
Companies fail to provide real examples of noncompliance or their consequences

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2005.

NOTES

1. “Preempting Compliance Failures: Identifying Leading Indicators of Misconduct,” Compliance and Ethics Leadership Council, April 26, 2007.
2. Aristotle, Nicomachean Ethics, translated by Martin Ostwald, (Englewood Cliffs, NJ: Prentice Hall, 1962), xix.
3. Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, 2006), 64.
4. New York City Police Department, Police Student’s Guide: Introduction to the NYPD, July 2005, 4–5, home2.nyc.gov/html/nypd/html/dctraining/pdf/2005%20Police%20Students%20Guide/1st%20Trimester/01-Intro%20to%20the%20NYPD.pdf.
5. Definition of compliance found at PEMCO Corporation Corporate Services library site, www.pemcocorp.com/library/glossary.htm.
6. “Preempting Compliance Failures.”
7. Paul J. McNulty, “Principles of Federal Prosecution of Business Organizations,” Department of Justice, December 2006, www.usdoj.gov/dag/speech/2006/mcnultymemo.pdf.
8. Federal Sentencing Guidelines, Chapter 8, Part B, Effective Compliance and Ethics Programs, www.ussc.gov/2005guid/8b21.htm.
9. Federal Sentencing Guidelines, Chapter 8, Part C, Fines, www.ussc.gov/2005guid/8c25.htm.
10. Ibid.
11. Though it is not as commonly remembered, in some versions of the tale Daedalus is also warned not to fly too low, so as to avoid the sea’s powerful waves. As Skeel puts it, “as with executive risk-taking, this account suggests, there are dangers in both directions [taking too much risk or completely avoiding it].” David A. Skeel, “Icarus and American Corporate Regulation,” The Business Lawyer, November 2005, 157, n. 10.
12. Ibid., 157.
13. Ibid.
14. Dr. John D. Copeland, “Business Ethics: Three Critical Truths,” 6, www.soderquist.org/resources/pdf/CopelandThreeTruths-publication.pdf.
15. Ibid.
16. Ibid., 9.
17. Curtis C. Verschoor, “Does Superior Governance Still Lead to Better Financial Performance?,” Strategic Finance, October 1, 2004, 13.
18. Ibid. Roughly 150–160 of the S&P were deemed to have “superior governance” in the years 2000–2004. The 9.4 billion number means, that in 2004, the MVA for a company with superior governance was 9.4 billion higher than a company that did not. In 2000, in the midst of the stock market bubble, the additional MVA was 28.6 billion while in the doldrums of 2003 it was $5.8 billion. These numbers indicated that no matter the health of the stock market, superior governance is always valued, and is valued even more in a rising market, as 2004 was. Further research showed that the numbers were not skewed by the largest companies, as even middle-sized companies returned substantially more value to shareholders.
19. Ibid.
20. “New Study Finds Link Between Financial Success and Focus on Corporate Values,” Booz Allen Hamilton, February 3, 2005, www.boozallen.com/publications/article/659548.
21. Ibid.
22. Ibid.
23. “New Research Indicates Ethical Corporate Cultures Impact the Ability to Attract, Retain, and Ensure Productivity Among U.S. Workers,” LRN, August 3, 2006, www.lrn.com/aboutlrn/mediaroom/pressreleases/263. LRN specializes in legal, compliance, ethics, and governance solutions.
24. Ibid.
25. Ibid.
26. Verschoor, “Superior Governance,” 13.
27. Thomas Friedman, “Calling All Democrats,” New York Times, February 10, 2005.
28. The Center for Business Ethics at the University of St. Thomas, Houston, Texas, at their conference overview site, www.stthom.edu/academics/centers/cbes/CorporateGovernanceEthicsAcrosstheBoard.html.
29. Kenneth L. Lay, “What a CEO Expects from the Board,” presentation at the Corporate Governance: Ethics Across the Board Conference, Houston, TX, April 6, 1999, www.stthom.edu/academics/centers/cbes/kennethlay.html.
30. Marianne M. Jennings, The Seven Signs of Ethical Collapse: How to Spot Moral Meltdowns in Companies . . . Before It’s Too Late, (New York, NY: St. Martin’s Press, 2006).

CHAPTER 2
Tone at the Top and Throughout

“If ethics are poor at the top, that behavior is copied down through the organization.”
Robert Noyce, inventor of the silicon chip

The road to compliance starts at the top. An organization’s entire culture is largely guided by senior management. The leadership sets the tone for the rest of the organization, and the culture reflects their actions, whether positive or negative. This is the often-mentioned “tone at the top.” Employees pay careful attention, whether consciously or not, to their leaders and their actions. They can tell when a CEO truly supports the mission of the company or if the words are merely empty rhetoric. They hear what he or she says, and more importantly, see what he or she does. Employees look around their offices and understand their culture, even though it is not something that can readily be explained or easily put into words. Employees know if small transgressions are overlooked so long as financial goals are met, or if management is weak on ethics. Lax attitudes about ethics will prevent an organization from being able to achieve a culture of compliance.

A compliance program cannot operate with full efficiency and effectiveness in an environment that is not conducive to strong ethics. A negative ethical corporate culture is anathema to compliance. Of course, it should be noted that the objectives of running an ethical company that fully meets its compliance requirements, and running a successful and profitable company are hardly antithetical to each other. In fact, as was explained in the previous chapter, they can go hand in hand. For example, think of how beneficial it could be if a chief executive always includes comments on integrity, ethics, and compliance in every presentation he gives to employees. It’s that constant reinforcement by an executive officer that demonstrates to all
employees the utmost importance of honesty and accountability at all levels of an organization.

Tone at the top can be defined as the example set by upper levels of management, especially the CEO and the organization’s most senior people, by words and especially by actions, for the rest of the company. Actions resonate more than words. Nothing can be more damaging to setting a proper tone than management who says one thing but does another. This tone must also filter down throughout the management chain. Employees need to see that their immediate supervisors, as well as the company’s senior executives, are behaving ethically and doing the right thing.

While tone coming from the top of an organization is important, it is also just as critical in the ranks of junior executives and managers. Managers and other supervisors are involved day to day with employees. Their interaction with their direct reports and others reinforce policies and the code of conduct. They are role models and lead by example. More often than not, if employees want to raise a compliance concern or ask a question, they should first ask their managers. It can be said that tone in the middle furthers and enhances tone at the top. In addition, these middle managers may climb the corporate ladder and hopefully bring the good values with them.

INTEGRITY AT THE TOP

So much of leadership comes from one’s integrity. Every other quality builds upon integrity. Either someone has it or doesn’t. It can’t be learned overnight or obtained from a training class. Integrity is at the very core of compliance. Not too long ago, I read a moving quote that summed up the importance of integrity. It was written, not by a CEO or compliance expert, but by a man with spirit, perseverance, and integrity. Bob Croft was a noted fraud investigator in both the public and private sectors.
Bob was always a person of learning and, while working full-time, was pursuing a Master’s degree in Economic Crime Management from Utica College in New York. Shortly after starting the program, he was diagnosed with Amyotrophic Lateral Sclerosis (ALS). That didn’t stop Bob. Although the disease ravaged his body, his spirit remained strong and he graduated in May 2001. Unfortunately, Bob succumbed to ALS in April 2003. In a paper he wrote for his Masters program entitled “The Manager in a Global Environment,” Bob said:

My core principles that have been central to my life have remained the same since my childhood, in spite of the many challenges that presently confront me. Namely, trust in God, be yourself, believe in
yourself, do unto others, and cherish your integrity. In my opinion, in the end—when it is all said and done, and you’re looking at the end of your life . . . the only thing you really have left to take with you is your integrity, and not much more.

Bob Croft understood the value of integrity and how very important it is in all aspects of life.

Compliance, like integrity, is not something that can be easily achieved. It requires effort and commitment. A negative ethical culture, such as one where ethics is viewed as a hindrance to the business, indicates that management is not dedicated to making this commitment. In a culture such as this, the compliance program is merely window-dressing. It has been put into place to satisfy the barest minimums of the law and to make it appear to outsiders, such as investors or the government, that the organization works to achieve compliance, even though that is not really the case.

A compliance officer at a public company told me a sobering story. He was specifically hired in his role as Chief Compliance Officer because the company had significant ethical lapses and needed to rebuild their compliance program. The company publicly stated that it was bringing in an experienced compliance professional for this purpose. They pledged to do everything they could to ensure that the business conduct violations that had occurred would never recur. Unfortunately, the public comments were just a facade. The Chief Compliance Officer was never a part of senior leadership, was kept in the dark by executive management, and had no authority to make any real changes to the compliance program. As a result, an effective compliance program was never created, according to my source. In addition, it was learned that the company was to be sold and there needed to be a semblance of a compliance program in place to enable the sale. The compliance professional ultimately left the company.

Tone at the top is not easily measured.
It is regarded by many as one of the scores of things that “you know it when you see it.” However, there are ways to ensure that an organization has an appropriate tone at the top. Creating a well-thought out and easily understandable code of conduct is a good start. Then communicating it to all employees and reinforcing it by having each senior executive and director embody the code is next. “The first and critical step in making a code workable is for the senior management team and board of directors to exhibit the values embodied in the code, effectively establishing the tone at the top. Organizations whose management and board espouse a culture of integrity, high ethical standards, and compliance help to create a well-governed company, with a strong and positive tone at the top.”1 Compliance Insight 2.1 is a story of tone at the top and how it fosters being a good corporate citizen.

COMPLIANCE INSIGHT 2.1: REDFLEX TRAFFIC SYSTEMS AND DOING THE RIGHT THING

Compliance is more than just following laws, regulations, and policy. It is often about doing the right thing when faced with compliance challenges. A case in point is Redflex Traffic Systems (Redflex), based in Scottsdale, Arizona. Redflex manufactures photo-enhancement cameras to catch red-light runners and speeders.

As stated on their corporate Web site, Redflex “provides innovative safety solutions to local and state government in the USA and abroad. Redflex partners with public safety officials in law enforcement, transportation, and engineering to reduce traffic crashes and eliminate the resulting injuries, fatalities, and loss of property.” Redflex is the largest supplier and operator of photo enforcement in the United States. The market for Redflex’s cameras is growing globally in cities and municipalities. Redflex is a division of Redflex Holdings Limited which is a publicly traded company listed on the Australian Stock Exchange.

In early 2006, Redflex salespeople met with representatives of the St. Peters, Missouri city government to secure a contract to install digital red light and speeding enforcement systems in the city. As a result, in May 2006, “a bill was introduced to authorize the city administration to negotiate for a traffic enforcement system with Redflex.”a The bill was passed by the St. Peters’ Board of Aldermen on June 8, 2006.

Shortly thereafter, the Mayor of St. Peters, Shawn Brown, contacted a Redflex representative and “threatened to veto the bill unless they paid him a bribe.”b In an example of hubris over common sense, Brown ordered the bribe be paid via a check made payable to him, and to be delivered to his home. Demonstrating that there is no bribe amount too small, Brown demanded $2,750 but that seemed to be fine with him.

Immediately upon receiving notice of the extortion attempt, Redflex contacted law enforcement to report the incident.
The Federal Bureau of Investigation (FBI) in St. Louis, Missouri quickly opened an investigation and Redflex offered their full cooperation with the government. The FBI told Redflex to go through with the bribe payment to catch Brown in the act. The $2,750 check was delivered to Brown who then cashed it at a local bank in St. Peters. All the while, the FBI was covertly watching.c

On August 17, 2006, Brown was indicted on federal bribery charges. Specifically, Brown was charged with “threatening to veto an ordinance authorizing the city to purchase digital red light and speeding enforcement systems unless the company paid him a bribe.”d The FBI Special Agent in Charge in St. Louis said that Redflex “provided the information that resulted in the initiation of the case and eventually the indictment.”e The FBI also sent a letter to Redflex thanking them for being a good corporate citizen and stating, “Without honest, courageous firms like Redflex and its employees, the work of law enforcement would be much more difficult.”f On August 21, 2006, Redflex posted a press release on its Web site detailing the investigation and their assistance to the FBI.

Due to the overwhelming evidence, Brown pleaded guilty on October 20, 2006 to the federal bribery charges. On January 29, 2007, Brown was sentenced to 18 months in prison, followed by two years of supervised release.g

Redflex could easily have just said no to Brown’s bribe demand and never reported the incident. They may have lost the contract but it is also possible that Brown was just bluffing and would not have actually gone through with his threat.
Instead, Redflex showed their culture of compliance and did the right thing resulting in the prosecution, conviction, and removal from office of a corrupt public official.

a Press Release issued by the United States Attorney’s Office for the Eastern District of Missouri, January 29, 2007, announcing the sentencing of defendant Shawn Brown, www.usdoj.gov/usao/moe/press%20releases/archived%20press%20releases/2007pressreleases/january/brownshawn.html.
b Ibid.
c Michael Ferraresi, “Red-light Firm Aids FBI Bust,” Arizona Republic, August 19, 2006, A1.
d Press Release issued by the United States Attorney’s Office for the Eastern District of Missouri, January 29, 2007, announcing the sentencing of defendant Shawn Brown, www.usdoj.gov/usao/moe/press%20releases/archived%20press%20releases/2007pressreleases/january/brownshawn.html.
e Michael Ferraresi, “Red-light Firm Aids FBI Bust,” Arizona Republic, August 19, 2006, A1.
f Ibid.
g Press Release issued by the United States Attorney’s Office for the Eastern District of Missouri, January 29, 2007, announcing the sentencing of defendant Shawn Brown, www.usdoj.gov/usao/moe/press%20releases/archived%20press%20releases/2007pressreleases/january/brownshawn.html.

In the end though, tone always comes back to management. It is their influence that sets the tone and drives the culture. Management decides the rules, and thus the culture springs up around these rules, based on what is permissible and what is not. For compliance to flourish, there must be meaningful accountability. To have meaningful accountability, people must take responsibility for their actions, and their actions must have consequences. It is not enough to catch someone who has violated a law or an internal company rule. They must be disciplined appropriately, with the punishment fitting the action. Also, management must take responsibility for its actions, rather than simply pointing the finger at others. Again, it cannot be empty rhetoric, of the “I’m sorry . . . but I’m really only sorry that I got caught” variety.

Alan Greenspan, former Chairman of the Federal Reserve, said “If the CEO chooses, he or she can by example and through oversight induce corporate colleagues and outside auditors to behave ethically. . . . Rules exist to govern behavior, but rules cannot substitute for character. In the years going forward, it will be your reputation—for integrity, judgment, and other qualities of character—that will determine your success in life and business.”2 The late management guru Peter Drucker reinforced the important concept of integrity and leadership when he said, “The proof of sincerity and seriousness of a management is uncompromising emphasis on integrity of character.”3 Compliance Insight 2.2 is another story of tone at the top where compliance wins out over competition.

IT’S BETTER TO BE LUCKY THAN GOOD

Sometimes it’s better to be lucky than good, especially if one happens to be a CEO receiving stock options. In fact, this term has taken on new meaning as a result of an academic study conducted by professors from Harvard and Cornell Universities, and INSEAD, the French business school.
This study was released amid a backdating options scandal engulfing numerous companies. Dozens upon dozens of companies have been implicated in the scandal that involved the falsification of the date of exercise of a stock option, so as to give the recipient the maximum benefit by allowing the improper purchase of stock at the lowest possible price. This amounts to nothing more than simple theft. This fraud, according to one study, has cost investors over $100 billion.4 While executives may have argued that their exercise of stock options happening to fall on the date of the lowest price was nothing more than “luck,” this new study shows otherwise.

In the “Lucky CEOs” study, the researchers studied the relationship between corporate governance and what they describe as “opportunistic

COMPLIANCE INSIGHT 2.2: A TRUCE IN THE COLA WARS TO PROTECT TRADE SECRETS

The century-old rivalry and intense business competition between Coca-Cola and PepsiCo are nothing short of legendary. Both soft drinks were invented and first marketed in the late 1800s and continue to this day as the world’s most popular sodas. Their unique tastes and impact on people and culture are the keys to their success. Few trade secrets are better protected than the soft drink formulas of these two companies. In this age of industrial espionage and theft of intellectual property, as well as the demand for continually improving profits, there is always the temptation to use whatever means are available to obtain a competitive advantage over business rivals. Yet, integrity, corporate culture, and a commitment to compliance are even stronger motivators to do what is right when faced with an integrity challenge. This was the case with PepsiCo who proved that compliance wins out over competition.

On May 19, 2006, PepsiCo contacted Coca-Cola in Atlanta, Georgia and provided them with a letter that they received at their corporate headquarters in Purchase, New York. The letter was from a person who claimed he was a high-level Coca-Cola employee and had access to “very detailed and confidential information” about a new Coke product. PepsiCo did not hesitate to do what was right.a PepsiCo immediately informed Coca-Cola about this theft of trade secrets. Coca-Cola quickly contacted the Federal Bureau of Investigation (FBI) in Atlanta who began an investigation. An undercover FBI agent began communicating with the intermediary who ultimately wanted more than $1.5 million to hand over samples of new Coke products and related highly secret documents.

The FBI, through various investigative techniques, learned that PepsiCo had been contacted by an intermediary of an executive assistant at Coca-Cola who had access to the trade secrets detailed in the letter to PepsiCo.
The FBI, working with Coca-Cola corporatesecurity, were able to obtain video surveillance of the Coca-Colaemployee removing restricted documents from the office and handlinga sample of the new product offered to PepsiCo. The FBI also identifieda third member of the conspiracy who was not a Coca-Cola employee.At a meeting with the undercover FBI agent, the stolen items wereexchanged for cash. In short order, all three subjects were arrested onJuly 5, 2006 and charged with conspiracy to steal trade secrets.
Background image
32TONE AT THE TOP AND THROUGHOUTIn a letter to all employees on July 5, 2006, and posted on its Website, Coca-Cola Chairman and CEO Neville Isdell provided details ofthe trade secret leak and the arrests of the Coca-Cola employee andthe other two defendants. Isdell said:Sadly, today’s arrests include an individual within our Com-pany. While this breach of trust is difficult for all of usto accept, it underscores the responsibility we each have tobe vigilant in protecting our trade secrets. Information is thelifeblood of the Company. As the health of our enterprise con-tinues to strengthen and the breadth of our innovation pipelinecontinues to grow, our leaders and our competitive data carryincreasing interest to those outside our business. Accordingly,I have directed a thorough review of our information pro-tection policies, procedures, and practices to ensure that wecontinue to rigorously safeguard our intellectual capital.bIsdell went on to add, ‘‘I would also like to express our sincereappreciation to PepsiCo for alerting us to this attack.’’cA PepsiCospokesperson further stated, ‘‘We did what any responsible companywould do. Competition can be fierce, but it must also be fair andlegal.’’dPepsiCo’s Worldwide Code of Conduct states, ‘‘In all of itsbusiness dealing with suppliers, customers, andcompetitors, PepsiCowill: Compete vigorously and with integrity. . .. Avoid any unfair ordeceptive practice. . .. And in everything we do, we strive to act withhonesty, fairness, and integrity (emphasis added).’’eThe former Coca-Cola employee was indicted and subsequentlywent to trial. Her two associates pleaded guilty and testified againsther. The evidence was overwhelming and she was convicted afterjury trial on February 2, 2007 of conspiring to steal Coca-Cola tradesecrets. On May 23, 2007, the defendant was sentenced to eight yearsin prison. 
The federal judge on the case departed from the sentencingguidelines to give a longer prison sentence due to the defendant’s lyingon the stand during the trial and obstruction of justice.Both PepsiCo and Coca-Cola did the right things and followedcorporate compliance. PepsiCo followed their Code of Conduct andquickly reported the offer of trade secrets to Coca-Cola. Coca-Colaresponded by contacting law enforcement and assisting in the sub-sequent investigation and convictions. After the arrests, Coca-Colaadvised all its employees of the investigation and the involvement of
Background image
It’s Better to be Lucky than Good33one of their employees. Coca-Cola further advised that it was review-ing its protection of trade secrets to further safeguard their intellectualcapital. Compliance does work.a‘‘Two Defendants Plead Guilty in Coca-Cola Trade Secrets Case,’’ Depart-ment of Justice Press Release, United States Attorney’s Office, NorthernDistrict of Georgia, October 23, 2006, www.usdoj.gov/usao/gan/press/2006/10-23-06.pdf.bMemo from Neville Isdell, Coca-Cola Chairman and CEO, to all employeesworldwide, and posted at the Coca-Cola Web site, July 5, 2006, www.thecoca-colacompany.com/presscenter/viewpointstradesecretsinvestigation.html.cIbid.dBetsy McKay, ‘‘Coke Employee Faces Charges in Plot to Sell Secrets,’’WallStreet Journal, July 6, 2006, B6.ePepsiCo Worldwide Code of Conduct, www.pepsico.com/PEPInvestors/CorporateGovernance/CodeofConduct/english/pg1.shtml.option grant manipulation’’ for option grants made over a nine-year periodin the United States.5They found the incidence of what they called ‘‘luckygrants’’ to executives to be more likely due to manipulation than actualluck. The researchers defined a lucky grant as ‘‘grants given at the lowestprice of the month.’’ These lucky grants were more likely to occur whenthe company did not have a majority of independent directors on the boardand/or the CEO had a long tenure at the company. 
During the period of the study from 1996 to 2005, the authors estimated that 1,150 lucky grants were the result of manipulation and that 12% of organizations studied provided one or more lucky grants to executives.[6] No companies or executives were named in the study.

Some of the other revealing findings of the study included:

• The higher the potential payoff, the “luckier” the grant.
• “Luck was persistent: A CEO’s chance of getting a lucky grant increases when a preceding grant was lucky as well.”
• Grant manipulation was prevalent across all types of industries and not just in new economy firms.
• There was no evidence that gains from manipulated option grants served as a substitute for compensation paid through other sources. It only served to increase CEOs’ total compensation.
• The average gain for CEOs from grants backdated to the month’s lowest price exceeded 20% of the reported value of the grant. This resulted in an increase to the CEO’s total reported compensation for the year by more than 10%.
• “About 1,000 (43%) of the lucky grants were ‘super-lucky,’ having been given at the lowest price not only of the month but also of the quarter, and we estimate that about 62% of them were manipulated.”
• There were certain pools of grants with an especially high probability of manipulation. In one pool of 600 grants, 88% are estimated to be manipulated.[7]

The professors also conducted a companion study on stock options received by outside directors. This study was entitled “Lucky Directors” and studied 29,000 grants awarded to outside directors at 6,577 public firms between 1996 and 2005. The study found that “9% of director grants were lucky events falling on days with a stock price equal to a monthly low. . . . about 800 lucky grant events owed their status to opportunistic timing, and that about 460 firms and 1,400 outside directors were associated with grant events produced by such timing.”[8] The study also found that there was a correlation between a director’s luck and that of an executive’s luck in the awarding of lucky grants. Thus, when executives at a company did well in receiving the lowest options price of the month, so did the directors. The study also found that these lucky grants to directors were more likely to occur when the company “had more entrenching provisions protecting insiders from the risk of removal, and when the board did not have a majority of independent directors.”[9]

An Absence of Tone at the Top

Absence of tone at the top in the cases of these lucky CEOs and directors is obvious. In the case of directors, they are gatekeepers.
The Lucky Directors’ study “suggests that outside, or independent, directors—who are supposed to play a special role safeguarding against cozy board relationships with management—may have been co-opted in options backdating.”[10] In my 2006 book, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, we devoted a section to the important role of gatekeepers. Gatekeepers are the auditors, lawyers, analysts, and also directors who are responsible for monitoring and oversight of others in protecting the integrity of the financial markets. “They are the people in important positions to whom the investing public, the government, and others, look for truth and honesty in financial reporting. They must be beyond reproach and accountable for their actions.”[11]

There is some good news. These two studies add to the public’s knowledge, along with the widespread publicity surrounding the many government and internal investigations conducted for backdating and manipulating stock option grants. With so many companies implicated and with so many executives and directors removed from their positions, there is hope that this misconduct will never again happen to this degree. A lawyer in a corporate governance practice called this behavior of the lucky directors “appalling” and added “Directors are fiduciaries for all stockholders; to act in their own self-interest is a breach of loyalty. It’s the cardinal sin.”[12] Nothing speaks louder to tone at the top than the actions of corporate executives and directors, especially when safeguarding the interests of investors and employees. Compliance Insight 2.3 is a listing of some of the many companies named in the probes of backdating stock options.

COMMUNICATING VALUES

Beyond anecdotal evidence, surveys have shown the importance of tone at the top in the workplace. Employees really do follow the lead given by the top, and it does resonate throughout. Moreover, an organization’s culture has a strong role in guiding the actions of those within. Top companies have deeply ingrained core values; these guiding principles “will . . . not be compromised for financial gain or short-term expediency.”[13] These “core values need no rational or external justification. Nor do they sway with the trends and fads of the day, nor do they shift in response to changing market conditions.”[14] These core values are the bedrock of a company; great values are directly linked to great success.

Of course, companies face challenges in aligning their values with their business strategy, so that executives can make appropriate decisions supporting and furthering these values. The most important way a company does this is through the behavior of the CEO.
85% of senior executives said in a recent survey that “their companies rely on explicit CEO support to reinforce values and 77% say it is one of the ‘most effective’ practices for reinforcing the company’s ability to act on its values.”[15] In comparison, “only 34% identified training as a ‘most effective’ practice, 32% cited internal communications, and 30% identified incentive compensation.”[16] In view of this, the CEO is the best communicator of an organization’s values to the executives and other employees. This is not to say that the other cited practices, such as training, internal communications and incentive compensation, should be abandoned. In fact, the opposite is true; while they are not as effective as the CEO in conveying an appropriate tone at the top, they do serve to reinforce the established values. Compliance Insight 2.4 provides a compliance consultant’s point of view on tone at the top and other compliance issues.
COMPLIANCE INSIGHT 2.3: A SAMPLING OF COMPANIES NAMED IN PROBES OF BACKDATING STOCK OPTIONS

Affiliated Computer Services
American Tower
Apollo Group
Apple, Inc.
Applied Micro Circuits
Atmel
Barnes & Noble
Boston Communications Group
Broadcom
Brocade Communications Systems
Brooks Automation
Cablevision
Cirrus Logic
CNET Networks
Comverse Technology
Cyberonics
Foundry Networks
F5 Networks
HCC Insurance Holdings
Home Depot
Jabil Circuit
Juniper Networks
KB Home
KLA-Tencor
Linear Technology
Marvell Technology
McAfee, Inc.
Medarex
Mercury Interactive
Monster Worldwide
Openwave Systems
Power Integrations
Rambus
SafeNet
Sanmina-SCI
Sycamore Networks
Take-Two Interactive Software
Trident Microsystems
UnitedHealth
Verisign
Vitesse Semiconductor
Zoran

COMPLIANCE INSIGHT 2.4: A COMPLIANCE CONSULTANT’S POINT OF VIEW

Scott Moritz is an Executive Director with Daylight Forensic & Advisory, a global regulatory compliance and investigative consulting firm advising financial institutions, Fortune 500 companies, law firms, and government agencies on regulatory and investigative issues worldwide. He has over 20 years of complex investigative, forensic accounting, compliance, court-appointed monitoring, and law enforcement experience. Prior to joining Daylight, he was a director at a “Big Four” accounting firm, where he served as both Director of Corporate Intelligence and Leader of the Data Governance and Privacy Protection Team for the Forensic Practice. For nearly 10 years, Moritz served as an FBI Special Agent where he was nationally recognized for his expertise in money laundering and asset forfeiture investigations. Here Moritz provides a compliance consultant’s point of view.

THE COMPLIANCE CONUNDRUM

Implementing the provisions of the Foreign Corrupt Practices Act, Office of Foreign Assets Control, USA PATRIOT Act, or the Sarbanes-Oxley Act have proven to be extremely challenging for U.S. and foreign-owned corporations alike. The acts themselves are quite complex as are the organizations that must adhere to them. The greatest challenge to these corporations is that they require an enterprise-wide approach to effectively implement these compliance mandates.

Most complex entities are organized by functional areas of expertise, geography, or both. These types of organizational structures, arguably comprising the known universe of modern-day companies, often result in silos which make any enterprise-wide implementation of compliance protocols challenging because they require cross functional, cross-geographical coordination, and communication. In addition, most organizations don’t communicate well internally. Further fueling this recipe for compliance disaster is organizational culture. At some level, every organization suffers from the fundamental cultural divide between compliance and business operations and sales.

Organizations are established to generate revenues and the operations and business development personnel are quite understandably focused on that objective. Compliance requirements are viewed by many, particularly by those in operations, sales, and frequently executive management, as “necessary evils” and an impediment to their ability to deliver on sales goals and quarterly earnings forecasts. This cultural divide, left unchecked, can lead to potentially catastrophic regulatory actions.

“Tone at the top,” though a much-used term, remains vitally important to an organization’s culture. If senior management does not provide meaningful support to major compliance initiatives by their words, actions, and budgetary allocations, the organization’s compliance efforts are likely doomed to failure.
The result can be potentially devastating fines, loss of public confidence, market capitalization, and legal liability.

But tone at top alone isn’t always enough to implement a meaningful compliance program. Outside perspective is often required. This can be accomplished in one of two ways. The organization can either designate a company insider from another part of the company to project manage a compliance initiative or retain outside compliance experts. The reality is that most organizations tend to utilize outside experts out of concern that an internal diversion of resources can damage one part of the organization while trying to repair another. Regardless of who is leading a compliance initiative, the key elements needed for a successful project are objectivity, subject matter expertise, and empowerment.

OBJECTIVITY AND THE IMPORTANCE OF CROSS FUNCTIONAL COMMUNICATION

How often have we all heard the phrase “that’s the way we’ve always done it?” How about “that’s not part of my department’s role.” As a consultant, I have heard these utterances many times, often from members of senior management with wide-ranging compliance obligations. They just did not understand what their compliance responsibilities were, gave compliance short shrift, and did not know their compliance obligations affected the rest of the organization. In order for any compliance consulting project to be effective, the outside consultants have to gather and absorb a great deal of information about policies and procedures, whether these policies and procedures are appropriate, and whether they are being followed in practice.

In addition, the consultants must interview a significant cross section of people throughout their organization. These interviews allow the consultants to gauge employees’ qualifications for their positions, their understanding of the company’s compliance obligations as it relates to their positions, non-compliance implications, and how their business unit interacts with others both in terms of operations and compliance. These interviews are central to any compliance consulting project, as they allow the consultants to give an objective opinion as to how “effective” the organization’s compliance program really is.

Because outside consultants or their internal equivalents are not involved in the business operations under review, they end up with a unique perspective on where the company is performing well, where there is room for improvement and, most importantly, they know where the compliance land mines are buried. Of course, finding these land mines is as important as making suggestions for immediate corrective actions.
Equally important, the outside consultant facilitates communication across the organization, raising internal awareness of crucial compliance issues. Most often, the difference between high performing compliance organizations and those that perform poorly hinges on cross-functional coordination and communication.

SUBJECT MATTER EXPERTISE

In order to have credibility with regulators and/or prosecutors, a compliance remediation project must be led by one or more professionals with relevant subject matter expertise. Indeed, financial regulators often require banks that are operating under a regulatory order to seek their approval before selecting a vendor to implement some or all of the requirements set forth in the order. Although not all compliance remediation projects are subject to this level of regulatory approval, it is a recommended practice to hire only those outside parties or internal personnel that have the experience and subject matter expertise that is required.

EMPOWERMENT

I have led numerous training sessions for major financial institutions regarding anti-money laundering compliance. For each session, we request that our client have a member of senior management kick off the training emphasizing the importance of the training and the organization’s commitment to improving their overall compliance. On more than one occasion, the head of the business unit started the session with words to the effect of “this really doesn’t apply to us but we have an obligation to sit through this so we can say we’ve all been trained.” By introducing me in this way, these executives undermined the training session and opened themselves up to embarrassment. Indeed, they left me no choice but to contradict them in front of their entire staff. Needless to say, their lack of “buy-in” was in stark contrast to what is considered best practices in corporate governance.

Another client training session set a very different tone for the students in the session. At the beginning of this session, the senior executive put compliance in perspective for the students. He said “every year, we have to reserve a certain amount of money for regulatory liability. This is money that is not available for other organization needs including bonus compensation. If we get this right [meaning compliance], we have to reserve less money every year leaving a lot more money available to pay year end bonuses.” Of the two training sessions described here, which of the two do you suppose was a more attentive group?

While these stories are about training, they are really about empowerment. By undermining me before the first training session, that executive made it clear that he was not onboard and sent that same message to his direct reports. The other executive both adopted the appropriate “tone at the top” and provided the students/employees with an important incentive to learn the subject matter. The key message here is that the actions and words of senior management and the extent to which they support compliance initiatives are directly related to the success or failure of a compliance remediation project.

IMPLEMENTATION AND FOLLOW-UP

Once a compliance program has been developed or remediated, implementation is the next critical task at hand. Failure to implement remedial changes to the compliance program can be extremely damaging to the organization and can provide a roadmap for prosecutors and regulators as to where to look for substantive non-compliance. There needs to be an institutional commitment to implementing the compliance program fully and an appreciation for how damaging failing to do so can be.

Equally important is the need to institute a system to regularly monitor the organization’s adherence to the compliance program. This monitoring can either be undertaken by the company’s internal audit group or an outside compliance consultant. The monitoring should be performed at least once annually and should include testing across the entire spectrum of the compliance program.
The results of the compliance audit should be communicated to senior management and any findings should be addressed in a timely fashion and re-tested during the next compliance audit.

To summarize, an effective compliance program should consider all of the legal and regulatory mandates applicable to the organization; it should be consistently communicated in a variety of ways across the organization; and it should have the backing of senior management and the buy-in of the employees and officers expected to implement it. And, of course, it should be monitored regularly to ensure that there is not any slippage that could result in regulatory or legal liability.

Regularly communicating everyone’s individual compliance obligations and relating those obligations to their specific roles can go a long way toward bridging the cultural divide between operations and compliance, moving the company in the direction of being a high performing compliant organization, and, most importantly, protecting the company and its executives against legal liability and reputational harm.

HOW THE CEO CAN MAKE THE DIFFERENCE

Joseph E. Murphy is an acknowledged expert on corporate compliance. He has more than 30 years of experience in the full range of compliance issues including drafting code and policy documents, evaluating programs, conducting compliance audits, investigating allegations of misconduct, and training. He lectures and writes extensively on these topics. Murphy is currently of counsel to Compliance Systems Legal Group, cofounder and Senior Advisor to Integrity Interactive Corporation, and coeditor of Ethikos, a bi-monthly publication on corporate compliance and ethics.

Murphy understands the importance of tone at the top. He is constantly thinking of ways to put these words into practice in an organization. He has put together a thought-provoking list of ideas for corporate executives and leaders everywhere to consider when demonstrating one’s tone at the top. Joe Murphy makes it clear that this is not an all-encompassing list but one that is a living document. It is a toolkit that should be constantly used and added to with new ideas and practices so that a true leader can “walk the talk.” People emulate their leaders and nothing reinforces appropriate behavior and compliance like leading by example.
As Mahatma Gandhi said, “You must be the change you want to see in the world.” Here is Joe Murphy’s list:

1. Have a used, dog-eared copy of the company’s code of conduct on the top of your desk, and be seen using it.
2. Make sure the compliance and ethics officer has plenty of clout, including direct reporting to the board’s audit committee, and is professional and subject to strong professional ethical standards.
3. At your senior executive meetings, go around the table and have each senior officer report on what he or she has done specifically to promote the compliance and ethics program in his/her business unit. Be sure the compliance and ethics officer is there to sort the wheat from the chaff in this discussion. As is true for the CEO, just mouthing the right words counts for little, if anything.
4. Insist that compliance and ethics be tied into the incentives and evaluations, including those for officers, in a meaningful way.
5. Be the model in your business decisions. Turn down a trip offer from a vendor; pass on to the company a gift you received; reject a business deal if you think the ethical risks are too high.
6. Be the model in the compliance program. Take the training first; do the safety walk-through; call the company helpline with a question; call and ask a field line manager about his/her role in the code of conduct roll-out and training. Attend a Society of Corporate Compliance and Ethics (SCCE) program.
7. Personally recognize outstanding compliance and ethics performance. Personally insist on the toughest discipline when one of the top brass breaks the rule or threatens retaliation.
8. Recruit a compliance and ethics officer from another company for your board’s audit committee.
9. Get a truly independent outside review of your compliance and ethics program, with the results reported directly to the audit committee.
10. Ask your company’s suppliers to embrace your commitment to compliance and ethics, and offer your company’s help for them to do this.
11. Network with your peers in other companies on ways to promote compliance and ethics.[17]

Studies have shown that ethical behavior and honesty can be enhanced within organizations when their leaders consistently display such behavior. There is no doubt that directors and officers of corporations set the “tone at the top” for ethical behavior throughout their organization. Similarly, managers throughout the organization are just as important in reinforcing positive behavior and being great role models for their employees.
Leading by example in a positive way will always be an effective way to ensure that tone at the top translates into a culture of compliance.

NOTES

1. Julie Walsh, “Setting the Tone at the Top,” Law Now, February 1, 2005.
2. Remarks from Commencement Address by former Federal Reserve Board Chairman Alan Greenspan at the Wharton School, University of Pennsylvania, Philadelphia, PA, May 15, 2005, www.federalreserve.gov/boarddocs/speeches/2005/20050515/.
3. Peter F. Drucker, “Peter Drucker’s Essential Tips for Managers in 2005,” Wall Street Journal Executive Career Site, www.careerjournal.com/myc/management/20050106-drucker.html.
4. “Study: Backdating Has Cost $100 Billion,” Associated Press, December 20, 2006, www.msnbc.msn.com/id/16302216.
5. Lucian Arye Bebchuk, Yaniv Grinstein and Urs C. Peyer, “Lucky CEOs,” Harvard Law and Economics Discussion Paper No. 566, November 2006, http://ssrn.com/abstract=945392 and at www.issproxy.com/pdf/LuckyCEOsBebchuk-Grinstein-Peyer.pdf.
6. Ibid.
7. Ibid.
8. Lucian Arye Bebchuk, Yaniv Grinstein and Urs C. Peyer, “Lucky Directors,” Harvard Law and Economics Discussion Paper No. 573, December 2006, http://ssrn.com/abstract=952239.
9. Ibid.
10. Steve Stecklow, “Study Cites Role Outside Directors Had With Options,” The Wall Street Journal, December 18, 2006, A10.
11. Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, Inc, 2006), 97.
12. Kathy Kristof, “Doubt cast on stock options of directors,” Los Angeles Times Online, December 18, 2006, www.latimes.com/business/la-fi-options18dec18,1,1938511.story?coll=la-headlines-business&ctrack=1&cset=true.
13. Dr. John D. Copeland, “Business Ethics: Three Critical Truths,” 8, www.soderquist.org/resources/pdf/CopelandThreeTruths-publication.pdf, quoting James C. Collins and Jerry I. Porras, Built to Last: Successful Habits of Visionary Companies, (New York: HarperCollins, 1994), 73.
14. Dr. John D. Copeland, “Business Ethics: Three Critical Truths,” 8, www.soderquist.org/resources/pdf/CopelandThreeTruths-publication.pdf, quoting James C. Collins and Jerry I. Porras, Built to Last: Successful Habits of Visionary Companies, (New York: HarperCollins, 1994), 75.
15. “New Study Finds Link Between Financial Success and Focus on Corporate Values,” Booz Allen Hamilton, February 3, 2005, www.boozallen.com/publications/article/659548.
16. Ibid.
17. Joseph E. Murphy, “Compliance and Ethics: How Can the CEO Make the Difference,” Society of Corporate Compliance and Ethics, www.corporatecompliance.org/resources/documents/HowCanCEOMakeDifference.pdf.
CHAPTER 3

The Growth and Evolution of Compliance

“Those who cannot remember the past are condemned to repeat it.”
George Santayana

What is now known as corporate compliance is the result of many years of evolution and development. The laws covering businesses have grown over the years in size and scope just as the ways of dealing with these laws have grown more formal and complex. Regulation started slowly in the 19th century and picked up momentum in the ensuing years. This regulation began as a response to individual scandals, and sought to address the underlying causes of each of these scandals. By the 1960s, with increasing complexity in both the business and regulatory arenas, the foundations of modern compliance began to emerge. This trend continued into the 1970s and 1980s, until it reached a tipping point with the release of the Sentencing Guidelines for Organizations in 1991. Compliance programs existed well before these sentencing amendments, but the amendments gave these programs a major push into the mainstream of business. The entire compliance framework only developed further with the passage of the Sarbanes-Oxley Act and the increased importance and role of compliance officers in the 21st century.

A BRIEF HISTORY OF COMPLIANCE

In many ways, the history of American business parallels the history of scandal. This history could be accurately described as an ongoing tug of war between regulators who seek to rein in corporate excess and businesses that resist regulation in order to achieve greater flexibility and innovation.[1] Particularly, regulators step in during the wake of massive corporate scandals. As devastating as they have been, these “scandals also have a crucial silver lining; in each case, public outrage has forced lawmakers to step in. This pattern, as it turns out, lies at the heart of American corporate governance. For the past century, American corporate regulation has consisted of periodic, dramatic regulatory interventions by federal lawmakers after a major scandal, together with more nuanced ongoing regulation by the states.”[2] In the aftermath of these scandals, the public outrage and calls for justice transform into broad support for tangible reform that would be otherwise impossible had the scandals not occurred.

It is important to remember that the history of corporate scandal did not begin with Enron and end with stock option backdating, and that Sarbanes-Oxley is not the be-all and end-all of government regulation. Big-time corporate scandals have existed as long as big business has existed.

In the 1860s, Philadelphia banker Jay Cooke grew to fame and fortune by selling government bonds to raise money for the Union army. After the Civil War, he used similar techniques and extensive advertising to sell bonds to raise money for the Northern Pacific Railroad. However, he continued to throw money into the railroad even when almost everyone else thought it was too risky. He ignored the warning signs of rising inflation and widespread railroad building that far outstripped demand.
The impact ofthis scandal was not so much in the way it happened, but in who it involved.Cooke’s company ‘‘had been regarded as a pillar of financial stability.’’3Tomake an analogy to the present, this would be as if financial icons Bill Gatesor Warren Buffett staked their personal reputation and their company’sfortunes on an ultimately unsuccessful venture, ruining their companiesin the process. The subsequent implosion of both Cooke’s bank and therailroad led directly to the economic depression of the Panic of 1873. Thisscandal was significant as it did not affect just the rich but also people of farmore moderate means who had invested in the bonds. Outrage came evenfrom people who had no financial stake in the railroad.4Though many people suffered in these collapses and lost a great deal ofmoney, some benefit was derived from it by the corporate reforms enactedafterwards. The railroad collapse of 1873, and the details of blatant corrup-tion, self-dealing, and bribery that emerged soon afterwards, led Congressand several states to enact statutes designed to better police corporationsand to limit their influence over the political process. The existing laws ofthe 19thcentury were designed for small-scale concerns, not for the massivebehemoths of the Industrial Age. Courts also worked to fashion a regulatoryenvironment by shaping rules to prevent the self-dealing contracts railroad
managers used to siphon off company money for their own benefit. The panic burned itself into the memory of the nation and eventually led to substantive regulation of the railroads with the Interstate Commerce Act of 1887 and federal regulation of monopolies with the Sherman Antitrust Act of 1890.[5] In this era, Congress enacted another far-reaching anti-fraud law, the Mail Fraud Statute. The Mail Fraud Statute was the first federal law to protect Americans from fraud and scams, enacted in 1872 after an epidemic of frauds targeted consumers and business owners. Today, a multitude of frauds, including corporate frauds, are prosecuted using the Mail Fraud Statute.

While states did pass laws to regulate corporations, they did little to affect the wave of mergers and unchecked corporate growth of the Industrial Age. “The states’ abandonment of the fight against corporate combinations shifted the campaign against corporate monopoly from the states to Congress and federal regulators. Two decades later, a trust-busting campaign led by Teddy Roosevelt would firmly establish federal regulators as the principal guardians for competition in American industry.”[6]

Teddy Roosevelt and Corporate Regulation

Teddy Roosevelt’s interest in regulating corporations coincided with substantial public anxiety about the power, reach, and lack of accountability of America’s giant corporations of the Gilded Age. That was an era of growing corporate power and influence in people’s lives and in the government’s business on a scale never before seen, as well as the rise of muckrakers who sought to expose the ills of society and the misdeeds of the monopolies and corporate robber barons.
President Roosevelt recognized this and also saw that the states were either unable or unwilling to sufficiently regulate them. However, even though he recognized the dangers of corporate power, he did not seek to completely destroy it or even substantially weaken it, as he felt that strong business was central to America’s growing economy and world power. Certainly he would not seek to weaken America’s economic power at a time when his “Big Stick” diplomacy pushed American power into places like Latin America and the Philippines. Roosevelt wanted to balance corporate power and economic interests with public interests and the welfare of its citizens. The way to accomplish this was through centralized government regulation of business activities, particularly of corporate misdeeds.[7]

Roosevelt addressed these issues in his second State of the Union Address, given on December 2, 1902. This important speech set the tone for the century of federal corporate regulation that was to follow:

Our aim is not to do away with corporations; on the contrary, these big aggregations are an inevitable development of modern
industrialism, and the effort to destroy them would be futile unless accomplished in ways that would work the utmost mischief to the entire body politic. We can do nothing of good in the way of regulating and supervising these corporations until we fix clearly in our minds that we are not attacking the corporations, but endeavoring to do away with any evil in them. We are not hostile to them; we are merely determined that they shall be so handled as to subserve the public good. We draw the line against misconduct, not against wealth. The capitalist who, alone or in conjunction with his fellows, performs some great industrial feat by which he wins money is a welldoer, not a wrongdoer, provided only he works in proper and legitimate lines. We wish to favor such a man when he does well. We wish to supervise and control his actions only to prevent him from doing ill. Publicity can do no harm to the honest corporation; and we need not be over tender about sparing the dishonest corporation.[8]

Unfortunately, the century that was to follow would be marked by the misdeeds of corporate wrongdoers.

In 1932, the collapse of Samuel Insull’s electricity empire came during another economically perilous time, the Great Depression, and helped spur Franklin Delano Roosevelt to enact sweeping New Deal corporate reforms. Insull, a former associate of Thomas Edison and a Chicago energy magnate, built a massive business empire by relentlessly acquiring and eliminating rival energy companies and other businesses.[9] However, the empire’s finances were nowhere as secure as they appeared.
To disguise the business’ precarious financial position, Insull created an elaborate holding company structure, similar to what Enron would do seventy years later. Insull hid his finances in a maze of parent companies and subsidiaries, some with substantial assets and some that were not worth the money on which their charter was printed.[10] Predictably, this shaky foundation soon came crashing down and led some to describe it as one of the “biggest business failures in the history of the world.”[11] In a particularly ironic bit of history, the accounting firm of Arthur Andersen rose to national prominence and gained a reputation of great integrity for its work in the investigation of Insull’s firm and his subsequent prosecution.[12]

Insull, like Cooke before him, and like many fallen corporate executives to come, displayed incredible hubris and a feeling of invincibility that led him to skirt the law for his own ends. “With each of these scandals, as with our more recent collapses, the high-flying businessmen at the heart of the scandals were not alone. Cooke and Insull personified a breakdown in accountability that pervaded all of American corporate and financial life.”[13]
FDR and a New Deal for Investors

Further regulations emerged from the wave of scandals in the late 1920s and early 1930s. Franklin Delano Roosevelt campaigned on a promise to clean up corporate America, following in the footsteps of his cousin Teddy, and made good on this promise as part of the New Deal. In fact, he specifically campaigned, both in the 1930 New York governor’s race and in his first presidential campaign, against the “Insull monstrosity.”[14] The broad array of sweeping reforms enacted then still provides the principal infrastructure of American corporate and market regulation today. Congress enacted the first securities laws in the early 1930s as a result of the stock market crash of 1929 and the resulting Great Depression. The Securities Acts of 1933 and 1934 established the Securities and Exchange Commission (SEC) and introduced extensive new disclosure requirements and antifraud provisions. The SEC’s mission was to ensure fair markets and protect investors. The New Deal reformers also prohibited banks from engaging in both commercial and investment banking, and also restructured the utilities industry to prevent the kind of complicated holding company structures that Insull and others had used to mislead investors.[15]

By examining these scandals and the resulting legislation, a pattern emerges: “A shocking scandal galvanizes attention, neutralizing the influence that corporations have under ordinary circumstances; Congress quickly responds by enacting reforms that are demanded by ordinary Americans. It is these reforms that provide the federal regulatory infrastructure for the decades that follow.”[16] It is this pattern that led directly to the creation of what is now thought of as compliance.
Growing regulations, with increasing complexity, required that companies find ways to ensure that they and their employees follow them.

The Development of Modern Compliance

Compliance has always been around, in some form or another, since the beginnings of organized commerce. Self-regulation of business stretches back to Middle Age merchant and craft guilds setting business standards for themselves.[17] Businesses have adopted their own codes of conduct, often in the wake of other companies’ scandals. However, these types of self-imposed regulations are voluntary, informal, and relatively simple. As regulation grew in the middle of the 20th century, some companies had to find new ways to make sure they followed the law. They needed a more formal and structured way to deal with the complexity of modern regulation.

One school of thought is that modern compliance programs were first created after the electricity industry’s antitrust scandal in the early 1960s. A widespread bid-rigging and price-fixing conspiracy involving electrical
equipment manufacturers such as General Electric and Westinghouse resulted in dozens of individuals and corporations convicted of antitrust violations. The enormity of the case and related publicity of the first prison sentences handed down in the 70-year history of the Sherman Antitrust Act spurred the development of antitrust compliance codes of conduct and programs.[18] In this period, companies in the most heavily and complexly regulated industries began internal compliance efforts, particularly involving the above-mentioned antitrust issues. With further scandal, these compliance efforts would start to reach other industries.

It is often public outrage combined with governmental pressure that spurs business to adopt much-needed reforms. In 1977, Congress passed the Foreign Corrupt Practices Act (FCPA) that made it a crime to pay bribes to facilitate business in foreign countries. The FCPA was enacted after the Watergate investigation discovered that companies were paying bribes to foreign and domestic officials using funds maintained “off the books.” The law makes it a crime for American companies, as well as individuals and organizations acting on their behalf, to bribe any foreign government official in return for assistance in obtaining, retaining, or directing business.[19]

The “bribery scandal, and the underlying corporate dysfunction it revealed, accelerated the widespread development of corporate ethical conduct codes.”[20] Many companies did not have effective checks and balances in place to regulate their behavior and internal counsel was often unable or unwilling to give clear, pertinent legal advice.
Management acted overzealously and took great risks, as short-term and personal concerns dominated corporate decision-making.[21] This coincided with greater public and scholarly attention on corporations’ illegal and harmful acts, which led to further regulation.

The Outrageous $300 Hammer

In the early 1980s, the public was again shocked with news stories detailing questionable and highly inflated defense contracts. The United States military had purchased outrageously priced $300 hammers, $600 toilet seats, and other such items from defense contractors. Ultimately, billions of dollars of the defense budget were wasted. Then President Ronald Reagan established the Blue Ribbon Commission on Defense Management to investigate and make recommendations for improved compliance. The Packard Commission, as it was commonly called after its chairman, David Packard, of Hewlett-Packard fame, made numerous recommendations in its 1986 interim report to deter waste, fraud, and abuse in the procurement process. Among the findings were recommendations to “distribute copies of the code of ethics to all employees and new hires,” and “make business conduct
standards and typical business situations a regular part of the employees’ experiences and performance evaluations.”[22] It was also recommended that internal controls be implemented and monitored to ensure the codes and compliance. The compliance recommendations that the Packard Commission made for defense contractors were also applied to government agencies and other businesses.[23]

Unfortunately, fraud is a continuing plague and history often repeats itself. In August 2007, a South Carolina defense contractor pleaded guilty to defrauding the Pentagon of $20.5 million over a ten-year period. In one of the most egregious examples of a pervasive pattern of fraud and deceit, the contractor falsely billed $998,798 for two 19-cent washers.[24]

As a result of the findings of the Packard Commission, the Defense Industry Initiative (DII) on Business Ethics and Conduct was established in 1986 by 32 major defense contractors to improve compliance. As they state on their Web site, the DII is “pledged to adopt and implement a set of principles of business ethics and conduct that acknowledge and express their federal-procurement-related corporate responsibilities to the Department of Defense, as well as to the public, the Government, and to each other.”[25] The DII has worked extensively throughout the defense industry for more than 20 years to design principles for achieving high standards of business conduct and ethics.
Additional information on the DII can be found in Appendix C.

In 1987, the Report of the National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, “studied the financial reporting system in the United States to identify causal factors that lead to fraudulent financial reporting and steps to reduce its incidence.”[26] The Commission’s key recommendations fall into several categories including the tone at the top as set by senior management; the quality of internal accounting and audit functions; the roles of the board of directors and the audit committee; the independence of external auditors; the need for adequate resources; and enforcement enhancements.

During this period, there was a strong sense that corporations needed to be held accountable for their actions and that existing laws were not up to the task. This, of course, was an era encapsulated by the mantra from the movie Wall Street “greed is good, greed works” with hostile takeovers and insider trading fueling the perception that business was out of control. Even after years of regulation, critics complained that the business’ behavior had not improved and if anything, had gotten less ethical. Conversely, other critics blamed the Reagan-era deregulation movement as the culprit for business woes.

This is not to say that all businesses in the 1980s ignored ethical concerns. Many companies followed the lead of the DII and the Treadway
Commission in developing compliance initiatives and made major strides. Companies began to tackle compliance issues head on, but unfortunately without significant guidance or oversight, many of these programs did not achieve their stated goals. As noted at the time, “[m]any companies and industries maintain[ed] their own internal compliance and inspection programs. . . Unfortunately, while they [were] capable of doing so, they [did] not self-regulate effectively.”[27] Companies had compliance mechanisms in place; all they needed were appropriate incentives to make their programs effective.

Sentencing Guidelines for Organizational Crime

The ongoing development of corporate compliance programs now set the stage for 1991’s United States Federal Sentencing Guidelines for Organizational Crime that held organizations accountable by applying “just punishment” for criminal actions and “deterrence” incentives to detect and prevent crime.[28] These Organizational Guidelines were a newer addition to the overall Sentencing Guidelines, as the original Guidelines did not address organizations. The United States Sentencing Commission (USSC) and many other commentators believed that due to the inherent characteristics of an organization, it needed to be treated differently than an average offender. The USSC recommended seven minimum requirements for an effective program to prevent and deter violations of law that encompassed self-reporting and acceptance of responsibility.
The Sentencing Guidelines for Organizations gave companies a strong incentive to have an effective compliance program, either to receive a lessened sentence or mandated as part of probation.

The seven steps first recommended in 1991 and then significantly enhanced in 2004’s Amendments to the Federal Sentencing Guidelines for Organizations (FSGO) strengthened corporate compliance and ethics programs of business organizations to mitigate punishment for criminal offenses.[29] There will be more discussion of the FSGO and effective compliance programs in Chapters 9 and 10. Appendix A contains a detailed summary of the Amendments to the FSGO as well as recommended action steps to achieve effective compliance.

Furthermore, the introduction of the FSGO helped to create an entirely new position, that of the Ethics and Compliance Officer.[30] These guidelines spurred the creation of new compliance programs or improvements to existing ones. Companies had both proper incentives and guidance in devising a formal structure to ensure compliance with the law, as they would suffer the consequences if they did not. This trend continued further with the Sarbanes-Oxley Act in 2002 and the aforementioned 2004 Amendments.
The corporate scandals that led to the creation of these two compliance enhancements, highlighted by the Enron and WorldCom failures, only serve to underscore the importance of understanding the history of these scandals and their consequences, so their mistakes will not be repeated.

CRACKING DOWN ON FRAUD

The government has strongly cracked down on corporate criminals. Thanks to public outrage at the multitude of scandals, and an apparent wave of misbehavior and malfeasance throughout corporate America, Congress and the Department of Justice have been given the ammunition to harshly deal with corporate crime. Jail sentences have gotten longer in the last few years. After the passage of Sarbanes-Oxley and the amendments to the FSGO, the average federal sentence faced by corporate executives has more than tripled.[31] A twenty-five year sentence for CEO Bernie Ebbers, as part of the massive WorldCom fraud, was found to be reasonable by an appeals court. The Court expressly stated that the twenty-five year sentence was not unreasonable in light of the new fraud sentencing guidelines authorized by Congress.[32]

Additionally, another court has found a nearly ten-year sentence for a fraud conviction reasonable, despite it being above the Sentencing Guidelines range for the offense. Even though a normal fraud conviction would not warrant that long a sentence, the court looked at the overall severity of the fraud, which involved over one hundred million dollars and an elaborate corruption scheme.[33] By considering the severity of the offense and the harm to those involved, as well as the threat to the public at large, courts can impose hefty sentences on those executives who violate the law. These high sentences show no signs of coming down any time soon, particularly now that all corporate leaders should be well aware of the government’s anti-corporate crime campaign and the downfall of many of their criminally-minded peers.
Ignorance is no excuse.

Oftentimes, when brought before a court of law to answer for their transgressions, corporate officials plead ignorance, with broad assertions of lack of criminal intent even in the face of repeated and unheeded factual red flags.[34] This ignorance flies in the face of common sense and a reality where corporate executives keep a close watch on their businesses. Moreover, pleading ignorance is not an effective defense. This type of defense will be effectively undercut by the use of a standard “ostrich” jury instruction. Essentially, the instruction tells the jury to determine the defendant’s knowledge from all of the facts of the case and from their actions; knowledge may be inferred by a combination of suspicion and indifference to the truth. A person cannot avoid liability by deliberately averting their eyes and ignoring conduct they suspect to be improper.
Corporate leaders must be fully aware of the 2004 Federal Sentencing Guidelines for Organizations, which emphasize that an organization must both promote an organizational culture that encourages ethical conduct and exercise due diligence to prevent and detect criminal conduct. As corporate leaders’ duties are well known and corporate crime is taken very seriously by prosecutors, they can expect stiff sentences, in an effort to create an atmosphere of general corporate crime deterrence and specific deterrence so that the defendants will never again engage in the behavior that got them into trouble in the first place.[35] Compliance Insight 3.1 is another sad story of the fall from grace of a corporate legend who forgot his teachings.

Given the high priority placed on prosecuting corporate crime by the Justice Department, it is important to understand the government’s perspective when building a compliance program. Specifically, it is important to understand the consequences of compliance failure, as well as the ways an effective compliance program can, to some degree, mitigate potential damage. The Federal Sentencing Guidelines for Organizations specifically mention an effective compliance program as a factor that influences sentencing decisions. Additionally, an organization’s compliance program and ethical culture also factor into charging decisions by the government and in negotiations between the opposing sides. The federal government has specifically laid out its policies and expectations in a series of memoranda. The words I wrote about the Thompson Memo in my previous book, Executive Roadmap to Fraud Prevention and Internal Control, still ring just as true when applied to the current McNulty Memo: “[B]y understanding how the government thinks about prosecuting businesses, organizations can implement robust compliance and fraud prevention programs to lessen their culpability. . . Every corporate executive and general counsel should be familiar with this government strategy memo. In fact, it should be read and reread by every CEO and CFO as a reminder of the consequences for a culture of noncompliance.”[36]

THE MCNULTY MEMORANDUM

In December 2006, the Justice Department issued the “McNulty Memo” outlining its revised principles of federal prosecutions of business organizations. This memo supplanted its predecessor, the famed “Thompson Memo.” The 2003 Thompson Memo directly set forth goals of ensuring authentic cooperation with government investigations, rather than obfuscation and obstruction, and developing effective corporate governance procedures. By stressing the importance of cooperation and the euphemistically named “voluntary disclosures,” the memo set the tone for corporate crime enforcement.
COMPLIANCE INSIGHT 3.1: EVEN A LEGEND IS NOT ABOVE COMPLIANCE

Normally, a retailer worries about shrinkage from shoplifting and theft by employees. Sometimes, it is not just the lower-level employees who commit these crimes, but also executives paid millions of dollars a year and responsible for corporate oversight.

Thomas Coughlin was once one of Wal-Mart’s most revered and respected leaders. A legend at the company, a close friend and hunting partner of Wal-Mart founder Sam Walton, Coughlin was also one of Walton’s protégés. Over a 27-year career, Coughlin worked in almost all aspects of the company’s business, eventually rising to be the company’s number two executive.[a] But, even someone who did sizable charitable work and inspired high regard from both executives and rank-and-file employees can still succumb to greed and arrogance.

Coughlin stole up to $500,000 from the retailing giant by submitting false expense reports and by misusing company gift cards. In 2004, Coughlin requested 51 $100 Wal-Mart gift cards, to be given as prizes to “All-Star” employees. Instead of giving them out, Coughlin used them himself to pay for items such as puppy chow, vodka, three twelve-gauge shotguns, CDs, contact lenses, and food, even though he made over $6 million a year. In other instances, he directed employees to file false expense reports and pocketed the money to pay for personal expenses. Coughlin made the purchases, and then had his employees submit the purchases as legitimate business expenditures. Wal-Mart found questionable transactions totaling between $100,000 and $500,000 over a period of seven years; because the transactions were masked as legitimate business expenses, internal investigators had trouble figuring out an exact dollar loss. Coughlin defrauded the company to pay for dog care, hunting vacations, custom-made alligator boots, and a camouflage hunting vehicle.[b]

This whole scheme came to light thanks to an alert Wal-Mart employee.
In January 2005, after Coughlin tried to use one of the gift cards, a sales clerk called the home office asking for help in processing the transaction. A home office staffer noticed the card was supposed to be used by “All-Star” employees only and “could not understand why Coughlin would be trying to redeem it.”[c] The employee alerted the company, who began an internal investigation. Wal-Mart tracked Coughlin’s purchases, which eventually led to the discovery of the fraud and to Coughlin’s resignation. Wal-Mart then rescinded Coughlin’s
retirement plan, froze millions of dollars in benefits, and sued him to recoup the lost money.[d]

In 2006, Coughlin pleaded guilty in federal court to charges of wire fraud and tax evasion, while one of his deputies pleaded guilty to three counts of wire fraud.[e] Wal-Mart’s former vice chairman was sentenced to 27 months of home confinement and five years probation, and was ordered to pay $400,000 in restitution. The judge, in meting out the sentence, said Coughlin had already been punished by the publicity surrounding the case and the possibility of losing his retirement benefits.[f] The government appealed the sentence as too lenient and a federal appeals court agreed. The court said giving Coughlin home detention rather than prison “does not fall within the range of reasonableness.” As of the writing of this book, a new sentencing hearing has not been scheduled.

What can be learned from this betrayal? This illustrates both the importance of monitoring and of vigilance. Coughlin’s scheme was detected by an observant and resourceful employee who recognized something was amiss and alerted the proper individuals in the company. However, it should be noted that it was only luck that Coughlin was caught when he was. Had the sales clerk not called the home office, who knows how much longer the fraud would have continued? Furthermore, while Wal-Mart maintains an extensive internal control system, it did not appear to be focused as strongly on higher levels of the corporation, as the system did not flag the false transactions. This may be because of Coughlin’s high stature and reputation. As he had a great deal of authority, these transactions were not questioned. This is something all companies must be aware of.
Even the most senior and respected employees could be found to be defrauding the company, so compliance programs must monitor all levels of the organization equally in order to be fully effective.

Coughlin also pressured other Wal-Mart employees to assist him in his scheme. Fearful of being fired, they neither stood up to him nor reported his actions. A company must put into place measures to allow for anonymous reporting of unethical behavior, but more importantly a company must foster an environment where a whistleblower knows he or she will not be retaliated against for coming forward. All the hotlines in the world are useless if an employee feels that management will punish him or her for reporting the misdeeds of a valuable member of the organization.
The sad irony here is that Coughlin should have known better. One of his first positions in Wal-Mart was as a loss prevention officer, so he dealt first hand with theft and the impact of poor ethical conduct. As a tough-minded Wal-Mart executive once said, “Anyone who is taking money from associates and shareholders ought to be shot. . . That greed will catch up with you.”[g] The executive who said this? Thomas Coughlin.

[a] James Bandler and Ann Zimmerman, “A Wal-Mart Legend’s Trail of Deceit,” Wall Street Journal, April 8, 2005, A1.
[b] Ibid; James Bandler and Ann Zimmerman, “How Gift Cards Helped Trip Up Wal-Mart’s Aide,” Wall Street Journal, July 15, 2005, B1; “Former Wal-Mart Exec Sentenced for Theft,” Associated Press, August 8, 2006.
[c] James Bandler and Ann Zimmerman, “How Gift Cards Helped Trip Up Wal-Mart’s Aide,” Wall Street Journal, July 15, 2005, B1.
[d] “Ex-Exec’s Benefits Frozen Amid Probe,” Seattle Times, April 16, 2005, E4; Ann Zimmerman and Kris Hudson, “Wal-Mart Sues Ex-Vice Chairman,” Wall Street Journal, January 7, 2006, A1.
[e] James Bandler, “Former No. 2 at Wal-Mart Set to Plead Guilty,” Wall Street Journal, January 7, 2006, A1.
[f] “Former Wal-Mart Exec Sentenced for Theft,” Associated Press, August 8, 2006.
[g] James Bandler and Ann Zimmerman, “A Wal-Mart Legend’s Trail of Deceit,” Wall Street Journal, April 8, 2005, A1.

This newer memo intended to alleviate many of the concerns engendered by application of the previous memo’s principles while still maintaining stiff penalties for offenders and a strong anti-corporate crime outlook. The Thompson Memo’s policies, while recognized for their effectiveness, faced criticism, particularly from corporations and the defense bar, for their rigid application and sometimes heavy handed tactics from Justice Department lawyers. Critics felt the government had too much power and sometimes unchecked influence over defendant corporations.
However, the most persistent criticism involved the pressure put on organizations to waive the attorney-client privilege.[37]

The attorney-client privilege protects confidential communications between an attorney and a client or prospective client. An ancient legal protection, the privilege allows for frank and open discussions with an attorney without fear of the information becoming public. The Thompson Memo told prosecutors, when assessing the level of cooperation, to
consider the corporation’s willingness to waive the attorney-client privilege with respect to its internal investigations and communications between employees and counsel.[38]

These disclosures were a boon for the government, and often led to damaging material being turned over. Corporations had to do everything possible to demonstrate their cooperation was “authentic,” by turning over significant amounts of privileged information and sharing all the results of internal investigations, or else risk the possibility of an indictment which could well destroy the company.[39] Waiving the privilege also opened up the door for future litigation, as those future litigants would have access to the information provided to the government, which they otherwise would not. Additionally, the pressure to turn over culpable employees has led to concerns that corporations, in an attempt to avoid the dreaded indictment and to insulate themselves from liability, will paint the employees as having gone “rogue” and will offer up lower and mid-level executives as scapegoats. This may lead to termination and public humiliation of individuals who would not be seen as culpable had a more precise and thorough investigation been done.[40]

The McNulty Memo took these criticisms to heart, as it announced changes in Department of Justice (DOJ) policy that aimed to placate corporate executives, the defense bar, as well as concerned citizens and law enforcement personnel. As then-Deputy Attorney General Paul McNulty stated in the cover letter to the memo:

We have heard from responsible corporate officials recently about the challenges they face in discharging their duties to the corporation while responding in a meaningful way to a government investigation.
Many of those associated with the corporate legal community have expressed concern that our practices may be discouraging full and candid communications between corporate employees and legal counsel.[41]

In recognition of these challenges, McNulty announced a shift in DOJ policy, away from regular requests for “voluntary disclosure” of privileged materials. Instead of regular, blanket requests for waivers, henceforth waiver requests would be rare and only done as specifically needed. “Prosecutors may only request waiver of attorney-client or work product protections when there is a legitimate need for the privileged information to fulfill their law enforcement obligations.”[42] A legitimate need must go beyond convenience or the desirability of the information; it must be something that is needed and cannot be otherwise obtained, given the totality of the circumstances. Now, to obtain privileged material a prosecutor must
make a special request to and get approval from his or her respective United States Attorney.43 Waiver will not be a prerequisite to a finding that a company has cooperated with a government investigation. Of course, waiver is looked upon favorably and is still encouraged. A corporation volunteering to provide privileged information without being asked could reap great benefits. As George Stamboulidis, former Chief of the Long Island Division of the U.S. Attorney’s Office for the Eastern District of New York and current head of the White Collar Defense and Corporate Investigations practice group at the law firm of Baker Hostetler, stated in an article he coauthored, “Something as seemingly trivial as relieving the prosecutor of the burden of submitting a memo to her boss for authority [to request privileged information], could prompt her to recommend a lighter punishment or forgo the indictment entirely.”44

Despite some adjustments, the overall Justice Department policy remains intact. Cooperation with government investigations remains of paramount importance, as prosecutors will not tolerate obstruction or cover-up efforts. A high value is placed on companies’ internal investigation. Rather than “doing the government’s job for it,” these investigations are the most effective way to combat violations. A quicker response can be had, rather than waiting for a government investigation. Moreover, an internal response is superior and more effective at catching misconduct than the government and regulatory action.45

Prosecutors are given wide latitude in making charging decisions—the decisions are left to their discretion, but the memo provides general guidance for handling of corporate crimes, listing factors to be evaluated in charging decisions. Part of the decision involves analysis of the corporation’s pre-existing compliance program and its remedial actions. Compliance Insight 3.2 describes the factors to be considered by prosecutors when potentially charging a corporation with criminal violations.

Beyond outlining Justice Department policy, the McNulty Memo also gives executives and corporations guidance on what to expect and what to do should a violation be uncovered. When examining this guidance, the value of a strong compliance program becomes apparent. As outlined above, cooperation is highly valued. In fact, it is in a corporation’s best interest to cooperate. How many companies have been damaged not so much by their misconduct, but rather by their efforts to cover it up? This cooperation is crucial to rooting out the true culprits, as the corporation itself is in the best position to discover and evaluate relevant evidence. In return, the company may well receive more lenient treatment from the government, or at least be in a better position to negotiate a more favorable plea bargain. The corporation must be willing to identify the culprits within the corporation, even if it includes senior management.46 If a company appears to be shielding culpable employees, it will be very damaging to the company’s position.47 While it may be a natural instinct to want to protect them, why should a company do so? These executives are people who have damaged the company and its reputation, and defied their fiduciary duties by putting their own interests ahead of the company’s. In the end, a company’s actions must be able to demonstrate to the prosecutor’s satisfaction “that the corporation’s focus is on the integrity and credibility of its remedial and disciplinary measures rather than on the protection of wrongdoers.”48

COMPLIANCE INSIGHT 3.2: CHARGING A CORPORATION: FACTORS TO BE CONSIDERED

The McNulty Memo lists nine factors specifically to be considered by prosecutors when assessing the criminal culpability of corporations, in addition to the typical considerations, such as the strength of the evidence and the likelihood of conviction. In conducting an investigation, determining whether to bring charges, and negotiating plea agreements, prosecutors must consider:

• The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for particular categories of crime;
• the pervasiveness of wrongdoing within the corporation, including the complicity in, or condoning of, the wrongdoing by corporate management;
• the corporation’s history of similar conduct, including prior criminal, civil, and regulatory enforcement actions against it;
• the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agent;
• the existence and adequacy of the corporation’s pre-existing compliance program;
• the corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies;
• collateral consequences, including disproportionate harm to shareholders, pension holders and employees not proven personally culpable and impact on the public arising from the prosecution;
• the adequacy of the prosecution of individuals responsible for the corporation’s malfeasance; and
• the adequacy of remedies such as civil or regulatory enforcement actions.a

a Paul J. McNulty, “Principles of Federal Prosecution of Business Organizations,” Department of Justice, December 2006 (“McNulty Memo”), 4, www.usdoj.gov/dag/speech/2006/mcnultymemo.pdf.

The existence of a compliance program, prior to the alleged misconduct, is a factor to be analyzed by prosecutors throughout the investigatory process. It is a factor that cuts both ways: the commission of an offense in the face of a compliance program may suggest that management does not fully support the program, or a strong program may demonstrate a substantial and consistent good faith effort to achieve compliance, which will benefit the company’s chances.49 Compliance Insight 3.3 details the factors critical to the government’s evaluation of a compliance program.

Even though the government may reduce a sentence based on an effective compliance program, a company can’t count on it.50 The main role of a compliance program should be to root out misconduct and seek to prevent it, rather than serve as a mere negotiation tactic at the prosecutorial bargaining table. It should never be what the McNulty Memo calls a “paper program.” A prosecutor will examine the company’s true commitment to compliance, beyond the superficial appearance of the program.
Among the factors that will be examined are: the design and implementation of the program; sufficient staff to audit, document, analyze, and utilize the results of the company’s compliance efforts; whether the company’s employees are adequately informed about them and whether they are convinced of the company’s commitment to it.51 “This will enable the prosecutor to make an informed decision as to whether the corporation has adopted and implemented a truly effective compliance program that, when consistent with other federal law enforcement policies, may result in a decision to charge only the corporation’s employees and agents.”52

COMPLIANCE INSIGHT 3.3: CRITICAL FACTORS IN EVALUATING AN EFFECTIVE COMPLIANCE PROGRAM

The Justice Department understands that no program, no matter how well-designed or well-supported, could possibly prevent or catch every potential violation. Following this understanding, the McNulty Memo counsels prosecutors in their evaluation of compliance programs to look beneath the surface of a program to assess whether it is merely a “paper program” or whether the company demonstrates a true commitment to compliance. Fundamentally, a prosecutor should ask: “Is the corporation’s compliance program well designed?” and “Does the corporation’s compliance program work?”a In answering these questions, prosecutors must consider:b

• Comprehensiveness of the compliance program.
• Extent and pervasiveness of the criminal conduct.
• Number and level of the corporate employees involved.
• Seriousness, duration, and frequency of the misconduct.
• Any remedial action taken by the corporation, including restitution, disciplinary action, and revisions to corporate compliance programs.
• Promptness of any disclosure of wrongdoing to the government and the corporation’s cooperation in the investigation.
• Effectiveness of corporate governance mechanisms in detecting and preventing misconduct, including looking at the independence of directors, the amount and quality of information they receive, the quality of the corporation’s internal audit function, and the board’s adherence to the Caremark requirements of a reasonable and sufficient information and reporting system.c

a Paul J. McNulty, “Principles of Federal Prosecution of Business Organizations,” Department of Justice, December 2006 (“McNulty Memo”), 14, www.usdoj.gov/dag/speech/2006/mcnultymemo.pdf.
b Ibid.
c For more information on the Caremark decision and its compliance impact, please see “The Caremark Case” section in Chapter 4.

EVALUATING THE SEABOARD CRITERIA IN MITIGATING ENFORCEMENT ACTIONS

One of the benefits of an effective compliance program is the strong possibility of reduced criminal liability in case of a compliance failure by self-reporting to government regulators and prosecutors. In some instances, self-reporting can even result in no action being taken by the authorities against either the culpable company or official. This was the case with Seaboard Corporation beginning with an internal investigation in 1999 and ending with a SEC Report of Investigation and related findings in 2001.

Seaboard Corporation (Seaboard) is a multi-faceted international business involved in food production and processing, commodity trading, containerized shipping, and electrical power production. The company is headquartered in Shawnee Mission, Kansas with over 10,000 employees in worldwide locations. Founded in 1918, it is a publicly traded company on the American Stock Exchange as well as a Fortune 100 company with annual net sales in excess of $2.6 billion. On its homepage, Seaboard states: “We are committed to deliver extraordinary value to our customers across all of our business lines with the highest degree of integrity, honesty, and sound business judgment.”

In the introduction to their Code of Ethics site, they further state, “Seaboard Corporation, its subsidiaries and affiliates, strictly adhere to the principles of fairness and ethical conduct. We are committed to the highest standards of personal and professional conduct.”53 Seaboard has a relatively short code that consists of one page plus an addendum of five additional pages on conflict of interest and insider trading policies and prohibitions. Although short, it obviously works as evidenced by the company’s actions in an internal probe and the subsequent very positive SEC determination.

In late 1999, Seaboard began an investigation of a division controller for booking improper entries in the financial statements that overstated deferred costs and understated expenses.
A concern raised over these unusual entries by other employees resulted in an inquiry by the internal audit department. The controller subsequently confessed to her manager in July 2000 that she had been making these false accounting entries for five years resulting in over $7 million in accounting discrepancies.

Seaboard’s management quickly notified the board of directors of the incident and that its financial reports had been misstated due to the controller’s actions. The board retained an outside law firm to conduct a thorough investigation of the entire matter. In short order, the controller was fired as were two other employees who failed to adequately supervise her. Seaboard issued a public statement that it would be restating its financial statements for a five-year period due to the controller’s action, and self-reported the matter to the SEC.54

The SEC conducted its own investigation and confirmed the findings of Seaboard’s internal investigation that the controller had violated securities laws. Seaboard fully cooperated and assisted in the SEC investigation. As the SEC stated in its Report of Investigation dated October 23, 2001:

The company pledged and gave complete cooperation to our staff. It provided the staff with all information relevant to the underlying violations. Among other things, the company produced the details of its internal investigation, including notes and transcripts of interviews with Meredith (the controller) and others; and it did not invoke the attorney-client privilege, work product protection or other privileges or protections with respect to any facts uncovered in the investigation.

The company also strengthened its financial reporting processes to address Meredith’s conduct–developing a detailed closing process for the subsidiary’s accounting personnel, consolidating subsidiary accounting functions under a parent company CPA, hiring three new CPAs for the accounting department responsible for preparing the subsidiary’s financial statements, redesigning the subsidiary’s minimum annual audit requirements, and requiring the parent company’s controller to interview and approve all senior accounting personnel in its subsidiaries’ reporting processes.55

As a result, the SEC decided not to take any action against Seaboard. The SEC explained how the company’s swift and transparent actions including self-reporting, benefited investors and the SEC’s enforcement program. As a result of this case, the SEC issued four key factors and related criteria that they would consider in determining whether or not to “credit self-policing, self-reporting, remediation, and cooperation” in deciding whether to take reduced action or no action against others in future enforcement actions.56

The following are the SEC’s four key factors in this regard:

• Self-policing: The establishment and ongoing maintenance of an effective compliance program strongly supported by executive management and the board of directors where issues and allegations are properly escalated and fully investigated.
• Self-reporting: As a result of effective self-policing and determination of violation of the code of conduct, the organization then promptly and effectively discloses the violation(s) to the public, government regulators, and law enforcement as appropriate.
• Remediation: The appropriate disciplinary process for those found to have violated the organization’s code of conduct as well as the strengthening of internal controls to mitigate repeat misconduct or other violations.
• Cooperation: Full and complete cooperation with the SEC and other law enforcement agencies including providing all relevant documentary and testimonial evidence related to the violations and investigation at hand.
The following are the SEC’s related criteria and questions to be asked and answered by an organization:

1. What is the nature of the misconduct involved? Did it result from inadvertence, honest mistake, simple negligence, reckless or deliberate indifference to indicia of wrongful conduct, willful misconduct, or unadorned venality? Were the company’s auditors misled?
2. How did the misconduct arise? Is it the result of pressure placed on employees to achieve specific results, or a tone of lawlessness set by those in control of the company? What compliance procedures were in place to prevent the misconduct now uncovered? Why did those procedures fail to stop or inhibit the wrongful conduct?
3. Where in the organization did the misconduct occur? How high up in the chain of command was knowledge of, or participation in, the misconduct? Did senior personnel participate in, or turn a blind eye toward, obvious indicia of misconduct? How systematic was the behavior? Is it symptomatic of the way the entity does business, or was it isolated?
4. How long did the misconduct last? Was it a one-quarter, or one-time event, or did it last several years? In the case of a public company, did the misconduct occur before the company went public? Did it facilitate the company’s ability to go public?
5. How much harm has the misconduct inflicted upon investors and other corporate constituencies? Did the share price of the company’s stock drop significantly upon its discovery and disclosure?
6. How was the misconduct detected and who uncovered it?
7. How long after discovery of the misconduct did it take to implement an effective response?
8. What steps did the company take upon learning of the misconduct? Did the company immediately stop the misconduct? Are persons responsible for any misconduct still with the company? If so, are they still in the same positions? Did the company promptly, completely, and effectively disclose the existence of the misconduct to the public, to regulators, and to self-regulators? Did the company cooperate completely with the appropriate regulatory and law enforcement bodies? Did the company identify what additional related misconduct is likely to have occurred? Did the company take steps to identify the extent of damage to investors and other corporate constituencies? Did the company appropriately recompense those adversely affected by the conduct?
9. What processes did the company follow to resolve many of these issues and ferret out necessary information? Were the Audit Committee and the Board of Directors fully informed? If so, when?
10. Did the company commit to learn the truth, fully, and expeditiously? Did it do a thorough review of the nature, extent, origins, and consequences of the conduct and related behavior? Did management, the board or committee consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, had they done other work for the company? Where the review was conducted by outside counsel, had management previously engaged such counsel? Were scope limitations placed on the review? If so, what were they?
11. Did the company promptly make available to our staff the results of its review and provide sufficient documentation reflecting its response to the situation? Did the company identify possible violative conduct and evidence with sufficient precision to facilitate prompt enforcement actions against those who violated the law? Did the company produce a thorough and probing written report detailing the findings of its review? Did the company voluntarily disclose information our staff did not directly request and otherwise might not have uncovered? Did the company ask its employees to cooperate with our staff and make all reasonable efforts to secure such cooperation?
12. What assurances are there that the conduct is unlikely to recur? Did the company adopt and ensure enforcement of new and more effective internal controls and procedures designed to prevent a recurrence of the misconduct? Did the company provide our staff with sufficient information for it to evaluate the company’s measures to correct the situation and ensure that the conduct does not recur?
13. Is the company the same company in which the misconduct occurred, or has it changed through a merger or bankruptcy reorganization?57

The SEC’s approach in the Seaboard case underscores the importance of an effective compliance program and the rewarding of good behavior. The many aspects of Seaboard’s compliance program worked well beginning with the escalation of questionable accounting practices by vigilant employees, the response of internal audit, involvement of management, an internal investigation, referral to the board, disciplinary action for those culpable, self-reporting, cooperation with the government, and then correcting deficiencies and enhancing internal controls. There is no guarantee that this approach and result will happen in all instances of compliance failures but the precedent is there. The SEC’s four key factors and related criteria are additional tools in the compliance toolkit to be used by every organization in enhancing compliance.
NOTES

1. David A. Skeel, Jr., “Icarus and American Corporate Regulation,” The Business Lawyer, November 2005, 155.
2. Ibid., 156.
3. Robert G. Caldwell, “The Social Significance of American Panics,” Scientific Monthly, April 1932, 303.
4. David Skeel, Icarus in the Boardroom: The Fundamental Flaws in Corporate America and Where they Came From, (New York: Oxford University Press, 2005), 40. Like Enron, Cooke used questionable financial practices to fund his supported venture and to keep it afloat. Furthering the Enron connection, Skeel compares Jay Cooke to Ken Lay, noting that Cooke had close ties at the time to President Ulysses S. Grant. In fact, Grant was at Cooke’s house the night the ventures collapsed.
5. Skeel, “Icarus and American Corporate Regulation,” 160.
6. Ibid., 165.
7. The idea of government regulating business, though passé nowadays, was in fact a radical notion at the turn of the century. This was the so-called Lochner era, named for a Supreme Court decision striking down a New York law that limited the hours one could work, on the basis that it interfered with economic rights, even though it was intended to prevent worker exploitation. Economic rights were treated then just the same as the rights of speech, religion, and so forth, and were just as inviolate. Courts responded fiercely against any attempt by reformers to regulate business conduct.
8. President Theodore Roosevelt’s State of the Union Address, December 2, 1902, 53, www2.hn.psu.edu/faculty/jmanis/poldocs/uspressu/SUaddressTRoosevelt.pdf.
9. M.L. Ramsay, Pyramids of Power, (New York: Da Capo Press, 1975), 45–47.
10. Ramsay, Pyramids of Power, 90–94.
11. Hon. Richard D. Cudahy and William Henderson, “From Insull to Enron: Corporate (Re)Regulation After the Rise and Fall of Two Energy Icons,” Energy Law Journal, March 2005, 73.
12. Skeel, Icarus in the Boardroom, 88.
13. Skeel, “Icarus and American Corporate Regulation,” 156.
14. Ramsay, Pyramids of Power, 75.
15. Skeel, “Icarus and American Corporate Regulation,” 160–61. Unfortunately, due to changing times and loosening regulations, Enron was able to do precisely that.
16. Ibid., 162.
17. Charles J. Walsh and Alissa Pyrich, “Corporate Compliance Programs as a Defence to Criminal Liability: Can a Corporation Save Its Soul?,” Rutgers Law Review, Winter 1995, 649.
18. Stephany Watson, “Fostering Positive Corporate Culture in the Post-Enron Era,” Tennessee Journal of Business Law, Fall 2004, 12–13.
19. Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, 2006), 318.
20. Walsh and Pyrich, Corporate Compliance Programs, 653.
21. Ibid.
22. Dr. John D. Copeland, “The Tyson Story: Building an Effective Ethics and Compliance Program,” Drake Journal of Agricultural Law, Winter 2000, 315.
23. Watson, “Fostering Positive Corporate Culture,” 13.
24. Renae Merle, “$998,798 Paid for Two 19-Cent Washers,” Seattle Times, August 17, 2007, A17.
25. Defense Industry Initiative on Business Ethics and Conduct, www.dii.org/Statement.htm.
26. National Commission on Fraudulent Financial Reporting, Report of the National Commission on Fraudulent Financial Reporting, (October, 1987), 1, (“The Treadway Report”), www.coso.org/publications/NCFFRPart1.htm.
27. Nancy Frank and Michael Lombness, Controlling Corporate Illegality: The Regulatory Justice System, (Cincinnati: Anderson Publishing Co., 1988), 162.
28. Supplemental Report on Sentencing Guidelines for Organizations, (August 30, 1991), 6, www.ussc.gov/corp/OrgGL83091.PDF.
29. Biegelman and Bartow, Executive Roadmap, 50.
30. Diana E. Murphy, “The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics,” Iowa Law Review, 2002, 710, www.ussc.gov/corp/Murphy1.pdf.
31. United States v. Caputo, No. 03 CR 0126 (N. Dist. IL 2006), 24.
32. United States v. Ebbers, 458 F.3d 110, 129–30 (2d Cir. 2006).
33. United States v. Leahy, 464 F.3d 773 (7th Cir. 2006).
34. Caputo, 27.
35. Caputo, 27–28.
36. Biegelman and Bartow, Executive Roadmap, 87–88.
37. George A. Stamboulidis and Jamie Pfeffer, “A Quarter Century after Upjohn, in Our Current Culture of Waiver, Do Privileges Still Exist?” Coursebook for the 21st Annual National Institute on White Collar Crime, 2007, P-37, www.bakerlaw.com/PublicDocs/News/Articles/LITIGATION/ABA%20Stamboulidis%20Pfeffer%20March%202007.pdf.
38. Larry D. Thompson, “Principles of Federal Prosecution of Business Organizations,” Department of Justice, January 2003, 37–38, www.usdoj.gov/dag/ctft/corporateguidelines.htm.
39. Stamboulidis and Pfeffer, “A Quarter Century After Upjohn,” P-37–38.
40. Christopher A. Wray and Robert K. Hur, “Corporate Criminal Prosecution in a Post-Enron World: The Thompson Memo in Theory and Practice,” American Criminal Law Review, Summer 2006, 1181–82. One of this article’s authors, Christopher Wray, is in a unique position to critique the Thompson Memo. He worked in the Justice Department as Principal Associate Deputy Attorney General when the Memo was released. In fact, Thompson’s preamble to the Memo states that all comments regarding the Memo be directed to Wray.
41. Paul J. McNulty, “Principles of Federal Prosecution of Business Organizations,” Department of Justice, December 2006 (the “McNulty Memo”), www.usdoj.gov/dag/speech/2006/mcnultymemo.pdf.
42. McNulty Memo, 7.
43. Waiver requests are divided into two categories. Category I covers purely factual information, which may or may not be privileged, relating to the underlying misconduct. This includes factual interview memoranda, timelines, organizational charts created by counsel, witness statements, copies of key documents, etc. When analyzing the request, the United States Attorney must consult with the Assistant Attorney General for the Criminal Division before approving it. Category II, which includes attorney-client communications and non-factual attorney work product, is only reached when the purely factual information available provides an incomplete basis to conduct a thorough investigation. This type of information includes legal advice given to the corporation before, during, and after the underlying misconduct. Category II information should only be sought in rare circumstances, and will be available in even fewer cases. Before requesting it, the U.S. Attorney must receive written authorization from the Deputy Attorney General. McNulty Memo, 8–10.
44. Stamboulidis and Pfeffer, “A Quarter Century After Upjohn,” P-49.
45. Wray and Hur, “Corporate Criminal Prosecution,” 1171.
46. McNulty Memo, 7.
47. Ibid., 11.
48. Ibid., 15.
49. Ibid., 12–13.
50. See Frank O. Bowman III, “Drifting Down the Dnieper with Prince Potemkin: Some Skeptical Reflections About the Place of Compliance Programs in Federal Criminal Sentencing,” Wake Forest Law Review, Fall 2004, 685 (questioning the effectiveness of compliance programs, comparing them to “overpriced insurance,” and arguing that they have little to no impact on sentencing, and almost never directly lead to a reduced sentence).
51. McNulty Memo, 14.
52. Ibid.
53. Seaboard Corporation, www.seaboardcorp.com/about.aspx.
54. In the Matter of Gisela de Leon-Meredith, Respondent, Securities and Exchange Act of 1934 Release No. 44970, October 23, 2001, United States Securities and Exchange Commission, www.sec.gov/litigation/admin/34-44970.htm.
55. Securities and Exchange Act of 1934 Release No. 44969, Report of Investigation, October 23, 2001, United States Securities and Exchange Commission, www.sec.gov/litigation/admin/34-44970.htm.
56. Ibid.
57. Ibid.
CHAPTER 4

Caremark and Sarbanes-Oxley: Enhancing Compliance

“Glass, china, and reputation are easily cracked, and never mended well.”
Benjamin Franklin

There are many reasons to have a world-class compliance program. One important reason is to monitor and positively influence behavior in a company to achieve desired results. Some of these reasons reflect practical realities, that not all employees will independently follow the rules, and that the presence of bad employees, if left unchecked, can negatively influence others around them. Other reasons reflect the legal framework in which companies must operate. The law, by placing a premium on solid corporate governance, provides many reasons to operate a truly effective compliance program. As discussed in the previous chapter, the Federal Sentencing Guidelines for Organizations explicitly mandate that prosecutors take into account the existence or lack thereof of an effective compliance program, providing opportunities for reduced sentences if such a program exists. Beyond the Guidelines, other laws and regulations give companies strong incentives and reason to put a compliance program in place or to ensure that an existing program is as effective and runs as smoothly as it can be.

In fact, there are situations where a company is legally required to have a compliance program and the company’s leadership can be liable for the failure to put one in place. Court decisions, in conjunction with strong efforts by the federal government, have moved the issue of compliance to the forefront of corporate law. By establishing stiffer penalties for violators and in stepping up enforcement of existing laws and regulations, the legal system has created an even greater incentive for compliance. Recognizing
that existing rules have not fully stemmed the tide of corporate scandal, the government and courts have continued to push forward with strict interpretations of the law, and will continue to do so, in an effort to change this behavior.

Compliance failures can subject a company and its directors to substantial penalties and legal actions by the government and by shareholders. Court decisions, as reflected in the seminal Caremark case and in the last decade’s worth of corporate law jurisprudence, have put directors’ actions under the microscope, and if they are found not to have complied with the law, they can suffer serious consequences. Courts have focused on the good faith, or many times the lack thereof, in directors’ actions. The duty of good faith by corporate leaders is an important part of the analysis, playing a large role in the courts’ decisions. Furthermore, stock exchanges such as the New York Stock Exchange and NASDAQ have enacted corporate governance rules as a listing prerequisite. A company that does not meet these requirements will not be allowed to be traded on these exchanges.1 Additionally, federal laws, including the Sarbanes-Oxley Act, mandate a complex compliance structure for publicly-traded companies.

Other laws, such as the USA PATRIOT Act, establish stringent requirements for companies, requirements that can only be met through the efforts of a compliance program. The Foreign Corrupt Practices Act (FCPA) falls into this category. Laws such as these are important in setting out a framework for a company’s own compliance programs. By following what judges have said in court cases, a company can put itself in a safe harbor by meeting these minimum standards. These laws set out the standards for a company, in many cases explicitly stating what the minimum requirements for a compliance program are. A company must be aware of what is permissible and what is not—not always an easy feat. This is particularly important when a company does business overseas or has offices in foreign countries. United States-based companies must be acutely aware of the FCPA and the PATRIOT Act anti-money laundering provisions, both of which are heavily enforced by the government. The FCPA, in particular, has gotten stepped up enforcement while at the same time court decisions have extended its reach and what conduct can be prosecuted. The FCPA is discussed at length in Chapter 6 while more information on anti-money laundering is in Chapter 7. With all of these trends, a company has almost no choice but to focus on compliance.

THE CAREMARK CASE

One of the most important court decisions in this area is the 1996 Caremark case. While the case is over a decade old by now, and did not have
as great an impact as intended, it is still an important legal milestone. As a bit of background, In Re: Caremark International, Inc. Derivative Litigation (Caremark) involved a lawsuit by shareholders against Caremark, a health care services company. The shareholders, in their derivative suit, alleged violations of federal and state laws and regulations by Caremark employees, including illegal payments to doctors to distribute specific Caremark-marketed drugs. These payments, which amounted to kickbacks, led to serious investigation and indictments against the company and two of its officers, among others. Following this, the shareholders filed suit in Delaware; due to the large number of companies incorporated in that state, Delaware’s courts are often at the forefront of corporate law. The crux of the suit alleged that the directors failed to appropriately monitor their employees, and as a result the company suffered significant financial losses, including civil and criminal fines. The shareholders could not proceed on the typical theories of a breach of the duty of care in the directors’ actions or for a conflict of interest, as the evidence did not support either approach. Instead, the suit alleged liability for failure to monitor. Essentially, the case asked, “What is the board’s responsibility with respect to the organization and monitoring of the enterprise to assure that the corporation functions within the law to achieve its purpose?”[2]

Chancellor William Allen of the Delaware Court of Chancery recognized this theory, novel at the time, as a legally valid one. In short, directors have a responsibility to make a good faith effort to ensure that the law was being followed and to take measures towards that end. In beginning, to answer the question raised by the Caremark shareholders, Chancellor Allen noted the increasing role of compliance, via federal law, in the corporate world. “Modernly, this question has been given special importance by an increasing tendency, especially under federal law, to employ the criminal law to assure corporate compliance with external legal requirements, including environmental, financial, employee and product safety, as well as assorted other health and safety regulations. . . . The [Federal Sentencing] Guidelines offer powerful incentives for corporations today to have in place compliance programs to detect violations of law, promptly report violations to appropriate public officials when discovered, and to take prompt, voluntary remedial efforts.”[3] While federal regulation of corporations through criminal prosecution has become well-established since Caremark, particularly in the post-Enron era, and the Guidelines’ link to compliance is well-known, Chancellor Allen’s words still ring true today.

Caremark began to lay out the standards against which the directors would be judged, and how the monitoring function requirement may be fulfilled. “[C]orporate boards may satisfy their obligation to be reasonably informed concerning the corporation, [by] assuring themselves
that information and reporting systems exist in the organization that are reasonably designed to provide to senior management, and to the board itself, timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with the law and its business performance.”[4] The decision establishes, though with some substantial hedging, that this monitoring duty is to be included as part of a director’s overall obligation to the company. For a director, his or her “obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances, may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”[5] The decision also gave companies substantial flexibility in how to meet this standard. Recognizing that no two companies are alike and thus no two compliance programs will be alike, the judgment allows decision-makers at companies to decide for themselves, in good faith, what will suit their particular business. While they must adhere to the law, the exact method of how this is to be done is left to the individual companies.

Obviously the level of detail that is appropriate for such an information system is a question of business judgment. And obviously too, no rationally designed information and reporting system will remove the possibility that the corporation will violate laws or regulations, or that senior officers or directors may nevertheless sometimes be misled or otherwise fail reasonably to detect acts material to the corporation’s compliance with the law. But it is important that the board exercise a good faith judgment that the corporations’ information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.[6]

This set forth a duty to act in good faith to ensure the creation of an adequate corporate information system—a compliance program.

Despite all of this language about director obligations and the duty to monitor, the decision also established a very high standard for liability and made it easy for directors to meet this obligation. So long as the board of directors made a good faith effort to install a compliance program, the duty will be fulfilled. This is seemingly the only requirement; it does not matter under Caremark that the board’s efforts failed or that the compliance program did not work, so long as they tried. In fact, the decision states that “only a sustained or systematic failure of the board to
exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.”[7] Applying this high standard for liability, Chancellor Allen found that the Caremark board did not fail in their duty to monitor, as there was no evidence of lack of good faith in the exercise of their monitoring duties or that they consciously permitted violations of the law by the corporation.[8]

Under the Caremark standard for compliance programs, a board must create a timely and accurate reporting system containing legal compliance and business information, which flows back to the board in the ordinary course of business. Given the decision’s frequent mentions of the Sentencing Guidelines, such a program should also satisfy, at minimum, the Seven Steps.[9] The case did not create an independent duty of good faith for corporate directors, but courts will analyze whether or not the directors did in fact exercise their required duties, particularly the duty of care, in good faith. Courts applying this standard address procedural violations in terms of good faith; they focus on whether the director’s actions established the lack of good faith that is a necessary condition to liability.[10]

CAREMARK: A CRITICAL LOOK BACK

Delaware’s courts decided the Caremark case over a decade ago. It was intended to promote enhanced corporate governance and to ensure greater stability and compliance among America’s corporate leadership. Unfortunately, it did not achieve that goal. Within a few years of the decision, corporate scandal after corporate scandal dominated the news, each more reprehensible than the last. Was Caremark nothing more than “an empty triumph of form over substance,” as some commentators have described it?[11]

The Delaware court decided Caremark as an attempt to fill a widening gap between federal and state corporate law, of which Delaware had been at the forefront for most of the century. Federal law had taken a much greater role in corporate regulation, particularly with the passage of the Organizational Sentencing Guideline amendments to the Federal Sentencing Guidelines and other Congressional enforcement. Caremark did upgrade the law, but due to the limitations in the decision, it did not achieve the revolution in corporate governance that it sought. Though it did not have the desired effect, the decision did have a great impact, as a much-discussed and analyzed case, particularly when one looks at the volumes of law review articles, commentaries, and symposia devoted to the topic.

Caremark’s failure to achieve its goal was caused by its mix of lofty aspirations but minimal expectations. The decision had high aspirations,
but they were not appropriately enforced. It was too easy to fulfill the requirements without actually achieving what was intended, that being full legal and ethical compliance. Though it created a fiduciary obligation to assure that a legal compliance mechanism existed within the organization, a doctrinal and practical dilemma still exists.[12] Only the most egregious violations would be deemed to have violated the standard. Thus, as long as a director could reasonably plead that he or she acted in good faith, he or she would escape liability, no matter how badly the decision hurt the company. Many directors, concerned with their own personal financial liability, designed programs with the goal of avoiding liability, rather than actually preventing corporate misconduct.[13] In their view,

[t]he more actions taken by the corporation to create compliance procedures and regimes, the better record for liability preclusion upon judicial review. This led to a substantial increase in the size and scope of corporate compliance activities and ultimately the creation of vast compliance bureaucracies within the organization. As the motivation for these actions was primarily liability-driven, their actual impact on corporate activities was questionable.[14]

This feature of the decision had the opposite effect of what it intended. It led to a dangerous form of board passivity. “In terms of compliance, boards were lulled into thinking they had done their job, that their company had an effective oversight regime simply because funds had been expended on ethics and compliance officers and consultants who developed compliance programs and information and reporting systems of Byzantine structure and complexity.”[15] This focus on procedure did not see more effective board compliance oversight and fewer violations of law. It did not provide the proper incentives for compliance along with the procedures. The only incentive it gave was for directors to create a labyrinthine web of procedures so as to protect themselves from shareholder lawsuits. It did not motivate them to actively root out offenders or to impose tight enough controls to monitor and prevent their harmful actions.

After the decision, corporate boards rushed to create compliance mechanisms that served to limit the directors’ and the corporations’ legal liability, but in actuality did little else. They did not do anything to effect culture change or to instill proper ethical values. Returning to the two-tiered compliance idea from Chapter 1, these corporations stayed only at the first level, not fully embracing the values of compliance. As stated earlier, a company that gives the appearance of compliance but does not truly believe in it or practice it is a dangerous thing.

Nevertheless, Caremark did correctly emphasize the board’s responsibility to ensure proper corporate behavior.[16] The board’s compliance goal
should be long-term success of the company, involving ethical behavior and strict adherence to the law, rather than the use of compliance mechanisms as ways to insulate itself from liability or to falsely assuage outsiders’ concerns regarding the company’s practices. Furthermore, the board and the executive suite need to pair these ethical practices with the proper tone from the top, resonating throughout, thus affirming the company’s commitment to compliance.

Despite all of these factors working against it, Caremark still has relevance and importance. The rules stated in the case have been applied by two different federal courts,[17] while Delaware has reaffirmed Caremark in recent rulings.[18] The Delaware Supreme Court in Stone v. Ritter stated that while directors do not have an independent duty of good faith to go along with their duties of care and loyalty, good faith is an important part of the analysis in determining whether liability will attach. The Stone Court linked the good faith requirement with the duty of loyalty, which obligates a director to act in the best interests of the company and not to put his or her own interests before the company’s. “Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.”[19] In restating the Caremark standard for director oversight liability, the Court stated that “the directors utterly failed to implement any reporting or information system or control, or having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”[20]

Caremark remains important, as it shows the importance of ethics and compliance in a court’s examination. While courts may not impose liability often for failure to monitor, they are increasingly willing to take these complaints, and to examine a corporation’s internal workings and its compliance program at trial. Furthermore, other states have followed Delaware’s lead in examining compliance issues in the courtroom. This case also emphasized the importance of the Federal Sentencing Guidelines at a time when they were not as prominent. Through repeated references, the decision raised awareness of the Guideline’s impact and importance.

This decision began the change in law seen now, with an increased emphasis on legal compliance and the internal workings of a business. As in many of the high profile prosecutions of the last few years, a company’s internal culture can play a big role in the trial, particularly with the board’s oversight responsibility and how it follows the law, or doesn’t. Moreover, shareholders will allege a lack of good faith in failing to monitor in their lawsuits. Companies have to be prepared to answer those charges by showing the compliance program, how it functioned, and
how the board of directors emphasized and supported it, to show that they acted in good faith in their actions. By not having a functioning compliance program, shareholders could say that it was per se a breach by the board of directors and seek money damages against them. This might be a worrisome proposition now, especially as companies are cutting back on paying the legal bills of their executives, particularly if there is a concurrent federal investigation and prosecution. Companies are more than willing now to serve up their own executives in order to save the company itself from harm.

While Caremark and the enactment of the Sentencing Guidelines did not readily change behavior or stop scandals, one can argue now that companies are more ready to change and put into place effective compliance programs. Organizations now have a market incentive to do so because of the negative image of scandal-ridden companies. When evaluating the resources and effort put into compliance, the legal reasons for compliance have to be kept in mind, but a company also has to ask itself what kind of company does it want to be?

SOX RECONSIDERED

The Sarbanes-Oxley Act, or SOX as it is commonly known, is undoubtedly one of the most controversial pieces of legislation in American history, no small feat in and of itself.[21] Passed in July 2002, it responded to a crisis of corporate scandals and eroded investor confidence in the financial markets. The Act contained a myriad of sections, covering such things as auditor independence, corporate responsibility, improved internal controls, and enhanced financial disclosures. It created a strong and independent Public Company Accounting Oversight Board, to oversee audits of public companies that are subject to securities laws. SOX promoted auditor independence by prohibiting an auditor from performing a number of non-audit related services, so as to avoid conflicts of interest. Companies must also create a system for whistleblowers to report misconduct, and the company must respond appropriately to such reports. CEOs and CFOs of public companies must certify the disclosures they make in periodic reports. Personal loans from companies to executives are banned. Additionally, a raft of enhanced civil and criminal penalties gives the Act significant teeth to punish corporate misconduct.[22]

A company must confirm management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for reporting, as well as evaluating the effectiveness of these controls and procedures. The company’s public accountants must attest to and report on the management assessment as part of the audit engagement. In the financial
disclosures, a company must also report any material changes to prior financial reports, as well as all material off balance sheet transactions.[23]

Given the years that have passed since SOX’s enactment, it is time to look back at it and examine the criticisms leveled against it. Critics say the Act is too expensive and inefficient and call for it to be severely reworked or even discarded. Supporters fear that any changes to SOX’s stringent provisions will encourage more corporate malfeasance.

SOX is admittedly an easy target, given its high profile. Commentators have hammered at the high cost of SOX compliance, publishing numerous screeds against it.

A typical editorial seethes about its high cost, complains that it stifles innovation, drives away foreign business, while briefly acknowledging the positive effects of its reforms. It usually ends by calling for either a repeal of the law or significant changes to it. The persistent theme of these commentators is money. They see compliance only as a burden, approaching it solely from a bottom-line perspective. Since compliance, no matter how effective, does not readily translate into quantifiable numbers, the danger exists that its benefits can be seemingly outweighed by its costs.

The unremitting focus on costs alone is a wrong-headed approach to both compliance and SOX commentary. This leaves the impression that these people care only about money and not about reform. In short, they appear to mirror the very executives whose behavior SOX sought to rein in in the first place. They do not seem to appreciate that one of the reasons a company may be making money is due to the economic reforms put into place, and the internal compliance efforts carried out by the company itself. The most puzzling aspect of the criticism is the cry that Congress overreacted by passing SOX. The country faced a wave of corporate scandals and executive malfeasance, and a tough response was needed. Corporations needed better oversight to ensure they would not repeat the mistakes of their scandal-ridden brethren. SOX is far from perfect, and sensible changes have been made to make it more effective. However, a purely cost-based examination of it accomplishes little, as there are many aspects of SOX that should be analyzed to truly determine how best to improve corporate accountability, rather than money alone.

A common SOX worry is “regulatory overkill”: too much red tape and overly burdensome procedures stifling the economy and the stock market, driving investors and companies elsewhere. For instance, “policy makers and business groups have argued that post-Enron regulatory burdens have made U.S. markets less competitive—citing as proof that many foreign companies list their shares in London instead of New York.”[24] Another point of contention is the high cost of SOX compliance, particularly Section 404, which “requires company management to develop a process to monitor
internal controls over financial reporting,”[25] but does not give management guidelines on how to perform this function.

Despite the furor, a closer look indicates that SOX’s impact is not as damaging to business as claimed. A 2007 study refutes the claim that foreign companies prefer to list their stock in London rather than New York because of the regulatory burden. The decline in new foreign listings is due to other factors, none having to do with SOX. In fact, the “research also found that investors are willing to pay a sizable premium for foreign-company shares listed in the U.S. in return for meeting tough U.S. regulatory standards. Foreign-company stocks in London received no similar premium. . . .”[26] Some of the companies listing overseas would never pass the ethical and regulatory hurdles needed to demonstrate their compliance commitment and financial stability for listing in America.

Another criticism points to the drop in IPOs as proof of SOX’s harm.[27] The increase in foreign IPO listings, and the drop in American IPOs, may be partly traced to the increased investment, infrastructure building, and overall economic boom happening in many previously underdeveloped nations. It would seem rational that many new companies in growing countries would choose to list in an index closer to home, rather than in the United States. While there are fewer IPOs now than during the 1990s, this cannot be blamed on SOX. As many 1990s tech investors undoubtedly remember, multitudes of hot IPOs soon flamed out and the companies went bankrupt. Few of the big-time IPOs remain as successful businesses today. A drop in their number was inevitable. SOX cannot be blamed for stifling the growth of new business, as billions of dollars in venture capital funds still finance Silicon Valley start-ups.

Additionally, while SOX compliance is expensive, the costs have fallen and the SEC has taken steps to address this issue. The cost of Section 404 compliance has fallen every year from 2003 to 2006. Compliance costs in 2006 fell 23% from the prior year, and 35% from the first year. The reductions in costs came as companies became more efficient with internal reviews.[28] Though overall costs have fallen, external review costs remain high. Thus, the SEC issued new guidelines for SOX compliance to make it more cost-effective, particularly for smaller companies.

Essentially, the reforms allow for an individual tailored response to the requirements, rather than a one-size-fits-all approach. The guidelines outline steps that executives may take to adjust their evaluations based on the needs and requirements of their individual businesses.[29] It allows for a scaleable evaluation, and is a more cost-benefit type approach that will particularly benefit smaller businesses, especially those who in the past would have been unable to shoulder the regulatory burden. The guidelines also merge the two separate opinions, one on controls and the other on management’s
COMPLIANCE INSIGHT 4.1: THE IMPACT OF SOX

“Sarbanes-Oxley is a textbook case of how regulation should ideally work in a democracy: A scandal is addressed through strong legislative reaction, followed by fine-tuning by relevant agencies. . . . Is it any wonder that variations are being adopted in Japan, France, China, Canada, and other countries around the world?”[a]

The United States’ S&P 500 has increased 67% between July 30, 2002 (the date that President Bush signed the Sarbanes-Oxley Act into law) and June 30, 2007. This translates into a $4.2 trillion market value.[b] There is no denying that SOX had a major impact on this return of investor confidence in the financial markets.

Although critics complain about the estimated $6 billion that U.S. companies spent in 2006 for SOX compliance, this pales in comparison with the $60 billion that investors lost due to the Enron corporate fraud.[c]

Section 404 of SOX is working. Far fewer companies today are experiencing internal control weaknesses. While there were 97 companies reporting material internal control weaknesses in the first year of Section 404 reporting, that number was down to 55 in the third year of Section 404 reporting ending April 1, 2007.[d]

Although the number of companies restating their financial results has increased each year since the enactment of SOX, it now appears that the numbers are beginning to come down. In the first half of 2007, there were 698 restatements as compared to 786 in the first half of 2006.[e]

In but one of many examples from all over the United States, Invitrogen Corp., a biotechnology firm in Carlsbad, California has this to say about the benefits of Sarbanes-Oxley: “Sarbanes-Oxley helped to spur other changes that made Invitrogen a better-run business. Directors meet more often without executives present. Multiple ombudsmen field employee complaints. Ethics training is more rigorous. And Chief Executive Greg Lucier requires his lieutenants to take more responsibility for their results.”[f]

a. Thomas J. Healey, “Sarbox Was the Right Medicine,” Wall Street Journal, August 9, 2007, A13.
b. Ibid.
c. Ibid.
d. Gregory Jonas, Marc Gale, Alan Rosenberg and Luke Hedges, “The Third Year of Section 404 Reporting on Internal Control,” Moody’s Investor Service, May 2007, http://papers.ssrn.com/sol3/papers.cfm?abstractid=985546.
e. Joann S. Lublin and Kara Scannell, “Critics See Some Good From Sarbanes-Oxley,” Wall Street Journal, July 30, 2007, B1.
f. Ibid.

process for assessing those controls, into one single opinion, as another way to reduce costs.

The Act’s authors, former Senator Paul Sarbanes and former Representative Michael Oxley, reaffirmed their support for it and its goals. Oxley points out that SOX has resulted in greater confidence among investors, pointing to the tremendous increase in the Dow Jones industrial average, for instance, since the bill was passed.[30] Sarbanes echoed these comments about improved investor confidence. In his view, the Act markedly improves corporate accountability, and by removing many conflicts of interests, “[c]hecks and balances are working again and the watchdogs are functioning as watchdogs.”[31] To further counter the argument that SOX has inhibited U.S. markets relative to foreign ones, he points out that other countries are moving in a similar direction, with higher standards and other provisions similar to SOX. He sees the money spent on compliance as a capital investment: expensive at first, particularly for a very good system, but something that will pay off and cost less in subsequent years. SOX is a necessary burden, a cost that must be paid to ensure that companies are held to a high standard and that people can invest their money with confidence.[32]

Overall, the law has done far more good than harm and should not be weakened by legislative reforms. Even those who criticize its cost and burdensome aspects acknowledge the greater boardroom accountability it produced and how it has helped to spur further changes within companies to help them avoid future scandals. Boards can now address and solve internal problems “before they fester and explode.”[33] Institutional shareholders have benefited, as disclosure and certification requirements have helped to reassure investors and restore their confidence in the integrity of companies’ financial statements. Even though many companies had to restate financial results in the years immediately following the law’s passage, that practice is much less common now as companies have fixed old problems and avoided new ones. Many more companies quickly escalate discovered financial issues and handle them immediately.[34] Thanks to the reforms put into place, these usually minor issues can be handled quickly. Companies can constantly
fine-tune their procedures to ensure their compliance efforts are as robust as they can be.

ADDITIONAL COMPLIANCE LAWS AND STANDARDS

In building a compliance program, an organization will encounter a wide variety of different laws, regulations, and standards. Some will give guidance on how to best construct a program or establish the minimum requirements required by the law. Others include industry standards or organizational certification requirements. As the topic of compliance is so broad, this book cannot possibly cover every aspect or every law. For example, the areas of health care, environmental impact, workplace safety, and financial privacy regulations have specific compliance requirements. The False Claims Act, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, known as the Financial Modernization Act of 1999, and the compliance requirements related to the Office of Foreign Assets Control of the U.S. Department of the Treasury that enforces economic and trade sanctions against targeted foreign countries, are but a few of the many acts and regulatory provisions requiring compliance programs. This book has tried to cover many key points but the world of compliance is so vast that no book could hope to be truly comprehensive in anything less than several volumes. Understanding compliance from the concepts discussed in this book provides the basis for effective compliance no matter what particular regulation or law applies.

NOTES

1. For more information on the NYSE listing rules, please see Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, 2006), 90–94.
2. In re Caremark International Inc. Derivative Litigation, 698 A.2d 959, 968–69 (Del. Ch. 1996).
3. Ibid., 969.
4. Ibid., 970.
5. Ibid.
6. Ibid.
7. Ibid., 971.
8. Ibid., 972.
9. Stephany Watson, “Fostering Positive Corporate Culture in the Post-Enron Era,” The Tennessee Journal of Business Law, Fall 2004, 20.
10. Thomas Rivers, “How to Be Good: The Emphasis on Corporate Directors’ Good Faith in the Post-Enron Era,” Note, Vanderbilt Law Review, March 2005, 644.
11. Charles M. Elson and Christopher J. Gyves, “In Re Caremark: Good Intentions, Unintended Consequences,” Wake Forest Law Review, Fall 2004, 692.
12. Ibid., 701.
13. Ibid.
14. Ibid.
15. Ibid., 702.
16. Ibid., 692.
17. The Sixth Circuit applied the Caremark rule in 2001 in McCall v. Scott, 239 F.3d 817 (6th Cir. 2001), and the Seventh Circuit did so in 2003 with In re Abbott Laboratories Derivative Shareholder Litigation, 325 F.3d 795 (7th Cir. 2003).
18. Stone v. Ritter, 911 A.2d 362 (Del. 2006).
19. Ibid., 370.
20. Ibid.
21. For more information on the background of Sarbanes-Oxley and its provisions, see Martin Biegelman and Joel Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, 2006), 63.
22. Biegelman and Bartow, Executive Roadmap, 64–71.
23. Biegelman and Bartow, Executive Roadmap, 71.
24. Greg Ip, “Maybe U.S. Markets are Still Supreme,” Wall Street Journal, April 27, 2007, C1.
25. Kara Scannell, “Softening a Sarbanes-Oxley Thorn,” Wall Street Journal, April 5, 2007, C2.
26. Ip, “U.S. Markets Still Supreme,” C1.
27. See, e.g., Robert E. Grady, “The Sarbox Monster,” Wall Street Journal, April 26, 2007, A19. This editorial blames Sarbanes-Oxley for causing a “precipitous drop” in the number of venture capital-backed startup companies and “killing that job-creating engine.” Ibid.
28. Kara Scannell, “Costs Fall Again for Firms to Comply with Sarbanes,” Wall Street Journal, May 16, 2007, C7.
29. Siobhan Hughes, “Sarbanes-Oxley is Eased,” Wall Street Journal, May 24, 2007, C8.
30. Alison Grant, “Corporate Reforms Working, Says Law’s Co-Author,” Newhouse News Service, appeared in Seattle Times, April 22, 2007, F1. The Dow Jones was a little over 7000 when the bill was passed and was over 12,500 in 2007 when the interview took place. Ibid.
Background image
Notes8531.Dick Carozza, ‘‘Sarbanes-Oxley Act Revisited: An Interview with Sen.Paul S. Sarbanes,’’Fraud Magazine, May/June 2007, 36.32.Ibid.33.Joann S. Lublin and Kara Scannell, ‘‘Critics See Some Good FromSarbanes-Oxley,’’Wall Street Journal, July 30, 2007, B1.34.Ibid.
Background image
Background image
CHAPTER 5

CA’s Compliance Rebirth: Don’t Lie, Don’t Cheat, Don’t Steal

“Have the courage to say no. Have the courage to face the truth. Do the right thing because it is right. These are the magic keys to living your life with integrity.”
W. Clement Stone

It’s not often that a person or an organization gets a second chance to right an awful wrong. But redemption and positive change can occur, even from the wreckage of corporate fraud and scandal. Such is the case with CA, Inc. (formerly Computer Associates), which is a major technology company with worldwide operations. CA suffered through several years of a very public government investigation, media headlines of accounting fraud at the highest levels, prosecutions and convictions of many in their executive leadership, and a negative impact on their reputation and shareholder value. The fact is that CA did not have a compliance program when the massive accounting fraud was occurring. There is a strong argument to be made that if an effective program had been in place, this chapter would not be necessary. Yet, the very positive changes that CA subsequently made provide learning points and best practices for other organizations. Ultimately, CA endured a very painful process and survived as a company, albeit a much changed and better one.

CA is one of the world’s largest information technology management software providers. They develop, market, deliver, and license software products that allow their customers to manage systems, networks, security, storage, applications, and databases securely and dynamically. Their goal is to help people and organizations realize the full power of IT to drive business by unifying and simplifying IT management. The company serves more than
99% of the Fortune 1000 companies as well as government agencies, educational institutions, and numerous companies in varied industries. It was founded in 1976 and is a global business leader with operations in 45 countries. Headquartered in Islandia, New York, it is listed on the New York Stock Exchange with a market capitalization of $14.40 billion. The company was originally named Computer Associates but changed its name to CA, Inc. in February 2006.

THE “35-DAY MONTH” ACCOUNTING FRAUD

In 2002, the FBI, SEC, and United States Attorney’s Office in Brooklyn, New York started an investigation into accounting practices at CA. The investigation ultimately uncovered a massive accounting fraud perpetrated by many of CA’s senior executives from at least the 1990s through 2001. The government also found compelling evidence that company executives attempted to cover up and conceal the fraud and obstruct the investigation through the destruction of evidence and making false statements to government investigators and others.

In the early stages of the investigation, the government came to the conclusion that certain CA executives were not being totally cooperative in producing documentary evidence and asked the Board of Directors to start its own investigation. CA’s Audit Committee agreed and in July 2003 hired the law firm of Sullivan & Cromwell to conduct an internal investigation of the allegations of accounting fraud. By early fall, the internal investigation confirmed the allegations and the existence of a “35-day month” practice. In October 2003, the company announced that it “found improper booking of sales.”[1]

In December 2003, Sullivan & Cromwell expanded its investigation to include obstruction of justice by senior executives. Subsequently, investigators hired by the Audit Committee turned over evidence including e-mails, documents, and results of internal interviews where executives had lied. The Board of Directors then fired or forced out several executives including the general counsel.[2] CA knew that the level of cooperation, the replacement of “responsible management,” and the “pervasiveness of the criminal conduct” were all factors that the government used in determining whether to charge the company criminally.[3] CA provided the results of its internal investigation to the government.

The government investigation found that employees conducted a fraudulent accounting practice known internally as the “35-day month” because company accountants would extend the booking of revenues in the final month of a fiscal quarter several days beyond the actual end of the month
to prematurely recognize added revenue.[4] In Fiscal Year 2000 alone, CA prematurely recognized more than $1.4 billion in revenue.[5] The internal investigation conducted by CA discovered that executives “snipped date-stamps off faxed documents and added fake dates to contracts” to hide the fraud from their external auditors.[6]

In the early months of 2004, four former senior executives including the CFO pleaded guilty to securities fraud and obstruction of justice charges. The securities fraud charges involved “a long-running, company-wide scheme to backdate and forge licensing agreements in order to allow the company to meet or exceed its quarterly earnings projections during multiple fiscal quarters.”[7] The obstruction of justice charges related to “the defendant’s lying to the government investigators and concealing evidence of the securities fraud.”[8] The United States Attorney who was prosecuting the case stated that the guilty pleas of executives and their allocutions to their crimes “demonstrate the corrupt culture in CA’s management.”[9]

On September 22, 2004, former CEO Sanjay Kumar was indicted on securities fraud and obstruction of justice charges for his role in the massive conspiracy. On the same day, CA agreed to a Deferred Prosecution Agreement and also to pay $225 million into a restitution fund for investors to settle the SEC lawsuit and avoid criminal prosecution. By agreement, payments were made in $75 million increments over an 18-month period and all payments have now been made. The company’s agreement with the government included accepting responsibility for its criminal conduct and continued cooperation with the government.[10]

As part of the Deferred Prosecution Agreement, CA agreed to the appointment of new management, the addition of independent members to the board of directors, and the appointment of an independent examiner to review compliance with the terms and conditions of the agreement with the government. CA would continue implementing remedial steps throughout the organization to establish an effective compliance program to ensure that fraud does not recur. In return, CA received a deferred prosecution for the criminal conduct of its former officers, executives, and employees.[11]

In the criminal proceeding brought against CA by the United States Attorney’s Office, CA made the following stipulation of facts as to the criminal conduct that prior management had engaged in:

The central goal of the 35-day month practice was to permit CA to report that it met or exceeded its projected quarterly revenue and earnings when, in truth, CA had not met its projected quarterly revenue and earnings. As a result of the practice, CA reported falsely to investors and regulators during multiple fiscal quarters, including each of the four quarters of CA’s fiscal year 2000, that it had met
or exceeded its consensus estimates. In fact, during each of the four quarters of fiscal year 2000, CA improperly recognized and falsely reported hundreds of millions of dollars of revenue associated with numerous license agreements that had been finalized after the quarter close. In so doing, CA made misrepresentations and omissions of material fact that were relied upon by members of the investing public.[12]

In all, eight former CA senior executives including the CEO, CFO, General Counsel, Executive Vice-President of Sales, and Head of Financial Reporting pleaded guilty to securities fraud and/or obstruction of justice charges. Kumar received the longest sentence of 12 years in prison and an $8 million fine. CA had to restate $2.2 billion in revenues.

THE DEFERRED PROSECUTION AGREEMENT

The signing of the Deferred Prosecution Agreement with the government on September 22, 2004, not only resolved the government’s investigation but started an intensive and critical process of transforming CA and building a compliance program. Deferred prosecutions operate similarly to probation in the sense that they give the offender an opportunity to reform and avoid prosecution; they have been particularly applied in the corporate setting. Under a deferred prosecution agreement (DPA), the prosecutor charges the corporation, but agrees to defer the prosecution, in exchange for an admission of wrongdoing, an honest and significant commitment to rehabilitation, and the removal of offending executives from within the company’s ranks.[13] If the corporation follows the agreement, cooperates with authorities, and has been sufficiently rehabilitated, the prosecutor may dismiss the case. If the corporation breaches the agreement, the prosecutor can move forward on an indictment, putting the corporation in jeopardy. Though they cannot face jail time, corporations are highly susceptible to convictions, as a conviction may result in license forfeitures or the loss of valuable government contracts, as with CA. Thus, prosecutors can achieve their goals of installing satisfactory compliance programs and removing unscrupulous employees while the company can avoid crippling punishment.[14]

CA acknowledged and accepted responsibility for the violation of law through the conduct of certain executives, officers, and employees related to the filing of materially false and misleading financial reports with the SEC, and obstruction of justice. As CA stated on their Web site after the signing of the DPA, “This marked the end of a troubling period in CA’s history, as well as the beginning of a new era of opportunity for the company. The company
has accepted full responsibility for the illegal conduct that occurred at CA, and has agreed to implement controls and governance measures to ensure that such past practices are never repeated. Our obligation to ensure the highest standards of integrity throughout CA is more important than any business objective or other consideration.”[15]

CA posted the various requirements of the DPA on their Web site and over time updated it with the progress it made on the agreement. In compliance with the DPA, CA’s Board of Directors and current senior management have taken numerous remedial steps in response to the misconduct that was discovered including:

• Terminating CA officials and employees responsible for improper accounting, inaccurate financial reporting, and obstruction of justice
• Terminating CA officials and employees who refused to cooperate with CA’s internal investigation or who took steps to obstruct or impede the investigation
• Appointing new management including a CEO, CFO, head of worldwide sales and General Counsel
• Continuing obligation of cooperation
• Payment of restitution to CA shareholders
• Corporate reforms including:
• Adding independent directors to the Board of Directors and undertaking corporate governance reforms
• Ensuring that no less than 2/3 of the board members will be independent
• Establishing a compliance committee of the Board of Directors
• Establishing a disclosure committee
• Inclusion of the Compliance Committee’s report on the CA Web site
• Establishing new comprehensive records management policies and procedures
• Implementing best practices for recognition of software licensing revenue
• Establishing a comprehensive Compliance and Ethics Program
• Providing ethics and compliance training for all CA employees to minimize the possibility of future violations of law
• Appointing an independent, senior-level Chief Compliance Officer
• Amending senior executive compensation plan
• Reorganizing the Finance Department
• Reorganizing and enhancing the Internal Audit Department
• Establishing a written plan to improve communication with government agencies
• Enhancing current hotline reporting[16]
Among the many steps implemented by CA was the appointment of an Independent Examiner to examine CA’s compliance with the terms and conditions of the DPA as well as the Final Judgment resulting from the SEC’s civil action. The Independent Examiner at the conclusion of his term will report on CA’s compliance with instituting “best practices” including “(1) practices for recognition of software licensing revenue; (2) internal accounting controls; (3) implementation of a new ‘enterprise resource planning’ information technology system; (4) the adequacy of the Internal Audit Department; (5) ethics and compliance policies; and (6) management policies and procedures.”[17]

CA also appointed a Chief Compliance Officer; appointed a Restitution Fund Administrator for the $225 million investor restitution fund; selected two companies for their Worldwide Enterprise Resource Planning Transformation; established a Disclosure Committee; and appointed a new Chief Controller, Chief Accounting Officer, and Director of Records and Information Management.

CA’S FIRST CHIEF COMPLIANCE OFFICER

Patrick J. Gnazzo is Senior Vice President, Business Practices and Chief Compliance Officer at CA. He joined the company in January 2005 and is the first Chief Compliance Officer (CCO) that CA has had. Gnazzo is responsible for developing and implementing a comprehensive compliance and ethics program. He also oversees government regulatory compliance and the establishment of a records and information management program.

Prior to joining CA, Gnazzo served as Chief Compliance Officer at United Technologies Corporation (UTC) for ten years. As Vice President for Business Practices at UTC, he built and led an ethics program that is among the best in the world. He managed more than 260 business practices officers worldwide who supported the implementation of the company’s ethics and compliance programs for all of its 200,000 employees in 180 countries. Gnazzo held several other significant positions at UTC, including Vice President for Contracts and Deputy General Counsel at UTC’s Pratt & Whitney division; Vice President and Government Liaison; President of United Technologies International; Vice President and Litigation Counsel; and Vice President for Government Contracts and Compliance. These other positions at UTC provided Gnazzo a strong understanding of UTC’s business as well as business risks that set the stage for his later role as their Chief Compliance Officer.

Prior to joining UTC in 1981, Gnazzo served as the Chief Trial Attorney and Director of the U.S. Department of the Navy’s litigation division. He
has served on the board of directors of the Ethics Officers Association and is a frequent lecturer on ethics and compliance. He earned his law degree from Cleveland State University and his undergraduate degree from John Carroll University.

In CA’s case, bringing in an experienced thought leader in compliance such as Gnazzo was the best thing they could do. His blend of business acumen and reputation for compliance excellence was needed for several reasons. More than just meeting the requirements of the DPA, Gnazzo would provide needed reassurance to investors, employees, and the government. More importantly, he knew that building a compliance program isn’t easy, especially at a company trying to come back from major compliance failures. “The challenges to developing an ethical culture are great. In the first place, cultural change takes time,” said Gnazzo. “Culture can’t happen overnight. You can write the values overnight, but culture is not imbedded until you act on the values enough times that you’re known for it.”[18]

When CA was looking for its first CCO, they retained a well-known recruiter. This recruiter knew Gnazzo and reached out to him for possible candidates for the position. Gnazzo was happy to oblige and provided the recruiter with several names of very qualified candidates. After the conversation, Gnazzo got to thinking about this truly unique and challenging opportunity at CA. He had been at UTC for many years at that point and had built a world-class compliance program that was running quite smoothly. He was contemplating retirement but he kept thinking about how infrequently one gets the chance to build a compliance program from scratch, as was the need at CA. The more Gnazzo thought about it, the more he knew that this was the challenge he wanted. He called the recruiter and told of his strong interest in the position. The rest is history.

When Gnazzo joined CA, his plan was to gradually build the compliance program at CA so that it would be permanently embedded. “I want to institutionalize compliance and ethics within CA,” said Gnazzo. “To make it part of the company’s fabric and something that no one CEO or anyone else can ever take away.” He knew that in order to achieve a successful and lasting compliance program, it had to be much more than simply using a check-the-box-and-it’s-done approach. It is management’s responsibility to drive a culture of compliance and build it element by element until all employees understand every one of the program’s components.

UNFETTERED ACCESS

Gnazzo had ten years of compliance experience at UTC before joining CA. His program at UTC was well-respected and was a model for other
organizations. He also knew what to expect in building and maintaining a state-of-the-art program. Having “unfettered access” and being able to “buttonhole any manager from the CEO down” was absolutely necessary for Gnazzo. And he got it at CA. He has a direct reporting line to the Audit and Compliance Committee of the Board of Directors. This total access provides Gnazzo with the ability to walk into anyone’s office and ask a probing question or fix a potential problem quickly. Gnazzo meets regularly with the Senior Leadership Team, the Executive Leadership Team, the CFO, the General Counsel, the external auditor KPMG, and anyone else as necessary. Being an executive officer with an office on CA’s executive row also sent a strong message internally and externally about how much compliance was now valued at the company. The many messages that CA and Gnazzo sent out about the program established his presence and reinforced the importance of compliance.

In determining the ability of a CCO to make a difference, Gnazzo suggests that one look at where an organization’s ethics officer sits. An ethics officer may report to a general counsel, but who actually presents the periodic compliance report to the audit committee is very telling. Gnazzo recommends that it be the CCO. It’s important to note that in a survey conducted by the Ethics and Compliance Officers Association (ECOA), less than 10% of public companies have a CCO with a direct reporting line to the board.

BUILDING THE COMPLIANCE PROGRAM

Having a reputation as a leader in compliance made it easier for Gnazzo to build the program and walk into any office anywhere in the world at CA and ask questions. For any company rebuilding after a compliance failure, a true best practice is to bring in a solid, experienced compliance professional. Someone who has developed and managed a world-class compliance program brings immediate stature, respect, and ability to a new program. And no one sees this better than an organization’s employees. I have seen this effect at other companies where the CCO is a respected person in the field. I witnessed this impact firsthand when I was at a meeting at another company. The CCO for this company is a former federal prosecutor and previously was a CCO at another organization. He had many years of experience and was a thought leader in compliance. After he spoke on an aspect of compliance, I heard an employee comment on how lucky that company was to have someone with his experience. I also saw how this person and others in the audience looked at him with respect and awe. This is the impact that Gnazzo has at CA.

“There was a culture shock at CA,” said Gnazzo. “Their prior executives failed them [the employees] and as a result everyone was tarred with a broad
brush. New people came to CA with new ways of doing things. Yet, the employees thought they were doing it right before.” Gnazzo knew that employees needed strong leadership and reassurance that they would be provided guidance on right from wrong and that their company would never again fail them.

Much needed to be done in building CA’s compliance program. Gnazzo realized that employee understanding and buy-in was needed from the beginning. Early on, he held a webcast where he explained to employees what he and his compliance team would be doing in the coming months. He also told them that he would be providing them periodic updates on his progress. This lessened uncertainty among employees and gave them confidence that CA would emerge a far better and compliant company.

CA had an existing code of conduct but it needed revamping. The code was rarely distributed and employees were never trained on their responsibilities relative to the code. In addition, employees did not know who to reach out to if they wanted to report a fraud issue or other compliance concern. Ironically, the only hotline available to report violations of the code rang on the desk of the company’s former General Counsel. This was the same General Counsel who pleaded guilty to obstruction of justice and conspiracy to commit securities fraud and was subsequently sentenced to two years in prison. Thus, the hotline had to be overhauled. The hotline needed to be outsourced to a third party vendor for independence and accountability. Gnazzo’s experience served him well. When CA created its hotline, there was a concern among executives that they would be inundated with issues. They weren’t. True to Gnazzo’s experience, most of the calls received were human resource related. Still, a significant number of potential allegations of misconduct were reported. A hotline is not a panacea, but it is a necessary tool and an element in a robust compliance program.

Gnazzo advised that both the NYSE and NASDAQ require a company listed on their stock exchanges to have a code of conduct but there is no requirement that an organization have someone to actively manage the code of conduct. At CA, their Code was completely reviewed and revised. This will be an ongoing process as the compliance department has ownership for managing the Code.

CA understands that an organization’s core values are the foundation of a successful compliance program. First, focus groups of employees were formed to learn what values were important to employees. The employees weighed in on what they felt the core values should be. Then the Senior Leadership Team (SLT) met to review these findings and align and finalize the core values. Subsequently, the SLT results were sent back to employees for their feedback. The SLT wanted to send a strong message about
the importance of the core values. Only then were the new core values communicated to employees worldwide.

CA used a survey to learn where it had strengths and where there were opportunities for improvement. The survey showed that 94% of employees have read and understand the Code of Conduct and what it means to them. The survey showed that employees considered that 85% of the SLT, the top 40 CA executives, was ethical in their actions and words. The survey looked at employees’ direct managers as well. 86% of the employees stated that their manager acts in accordance with high ethical and compliance standards. The survey’s weakest point was that employees did not feel they were getting a consistent message from the SLT and this was addressed.

CA’S REVISED CODE OF CONDUCT

CA’s Code of Conduct is entitled “Business Practice Standards of Excellence: Our Code of Conduct” and it is very compelling. The new executive leadership revised the code as a framework to assist employees in recognizing and responding to workplace or ethical dilemmas. They were also clear to explain that the code was not “all encompassing” to cover every potential issue an employee may face. It sends an important message to employees that the code is “a starting point with very clear avenues of escalation” for them to use when faced with ethical issues. As CA’s CEO John Swainson states in the introduction to the code, “We have a shared responsibility to make compliance and good business practices part of the fabric of CA.” He goes on to say, “we’ve developed the enhanced Code of Conduct—‘Our Code of Conduct.’ We use the word ‘our’ rather than CA because we are the people who will make this Code a true reflection of all that is good about the company. After all, we are the company.”

Many other aspects of the code are also excellent. In the introduction, the CEO names Pat Gnazzo as the Chief Compliance Officer and asks each employee to contact Gnazzo or any member of his team if there are any questions or concerns either about the code or related issues. The code comes right out and states, “the fundamental business rules for all CA employees are: Don’t Lie, Don’t Cheat, and Don’t Steal.” It’s especially effective when this declaration is said in such direct and clearly understandable terms. In the Core Values section of the code, I also like that they state, “values provide perspective in the best of times and the worst.”

CA also revised their Core Values to include Innovation, Excellence, Teamwork, Integrity, and Performance. CA states “added to the equation, and at the forefront, is Integrity.” CA further adds that “we are honest in all interactions” and “we earn our reputation by adhering to the highest
ethical standards and conduct.” Gnazzo explained that integrity was not specifically listed in the original core values but was always a given. It’s just that after the government investigation, it was necessary to articulate integrity in clear terms and detail it as a core value. CA’s management made a decision that integrity needed to be put front and center in light of what had happened at the company. When the new Code was finalized, a copy was placed on all employees’ desks for them to read and confirm that they had read it and would comply with it.

CA’s Code highlights important elements of compliance throughout the document that provide robust content in a best practices code. The following are selected examples from CA’s Code:

• All of our ethical rules and principles are built on CA’s shared goals and core values.
• CA expects all employees to read and understand the Code. Employees who have questions about the Code should feel free to raise such questions with his/her manager, local Human Resources representative, and/or a member of the Business Practices and Compliance organization.
• It is the obligation of every employee to report suspected violations of the Code to management utilizing the avenues discussed in the “CA’s Commitment to Transparency” section of the Code.
• Each year, CA will require all employees to acknowledge his/her understanding of the Code and to report any perceived and/or actual conflicts of interest.
• Violations of the Code may result in disciplinary action, up to and including dismissal.
• Compliance with the Code is the responsibility of every CA employee.
• CA encourages all employees to bring issues and concerns forward to management without fear of retaliation.
• CA will not tolerate any retaliation against any employee who raises a question or concern about CA’s business practices or for utilizing the CA Helpline. Employees must understand, however, that using these communication channels to report a wrongdoing will not absolve the employee from accountability for personal involvement in such wrongdoing.
• CA’s Commitment to Transparency: Our obligation is to create a corporate culture of transparency and accountability.
• Compliance with the law is mandatory.
• Because CA conducts its business in over 100 countries, laws, local customs, and social standards differ greatly from one place to the next. CA’s policy is to abide by the national and local laws of the countries in which it operates, unless such laws or practices violate U.S. law. Every
CA employee has the responsibility to understand and abide by the local laws and rules that apply where they are conducting CA business.
• If you find yourself with a compliance or ethical dilemma, remember you are not alone. Contact your Manager, your Human Resources Representative, the Business Practices and Compliance Organization, Worldwide Law Department or call the CA Helpline.
• Obviously, the Code cannot address all possible compliance or ethical dilemmas as a CA employee may encounter in his/her career at CA. (CA then lists numerous business situations and potential compliance violations that an employee may encounter in the course of his/her career such as antitrust, financial reporting, human resource related, and conflicts of interest.) Remember, these may not be the only compliance or ethical dilemmas that may be encountered.
• CA does not offer or pay bribes to government officials.
• CA employees working outside the U.S. should be aware that payments of bribes to foreign government officials violate the Foreign Corrupt Practices Act (FCPA) and may also violate local laws outside the U.S. In addition, the FCPA requires CA to maintain proper accounting controls and keep detailed records about all financial dealings with governments, including payments of any kind.
• CA also discourages “facilitating payments” that are made to help ensure that public officials perform tasks they are supposed to perform as part of his/her normal job functions (such as issuing licenses or permits). All facilitating payments must be reviewed and approved by a member of the Worldwide Law Department and accurately recorded in the appropriate financial record as a “facilitating payment.”
• As a publicly traded U.S. company, CA must comply with various securities laws, regulations and reporting obligations. U.S. federal laws and CA’s associated policies and procedures require that CA disclose accurate and complete information regarding its business, financial condition, and results of operations. Inaccurate, incomplete, or untimely reporting will not be tolerated and may result in legal liability.
• The fundamental rule for financial reporting is: do nothing that would mislead or misinform anyone about CA’s finances.[19]

CA has done an excellent job in reinvigorating their Code of Conduct. Others think so too. Ethisphere Magazine, in their Q2 2007 edition, conducted a benchmarking exercise of the codes of conduct of 50 financial services and technology companies. The benchmarking considered eight elements including public availability, tone at the top, readability and tone, non-retaliation, commitment to stakeholders, risk topics, learning aids, and presentation and style. CA came away with a superb overall rating of A-.
CA’s Tone at the Top99Ethisphere Magazinecommented that CA’s code is ‘‘a very well-writtencode with strong layout. It’s obvious that CA has invested heavily in theirethics and compliance program (not surprisingly).’’20JOINING THE DEFENSE INDUSTRY INITIATIVEAs a further demonstration of a commitment to compliance excellence,Gnazzo decided that CA needed to join the Defense Industry Initiative (DII).The DII was organized in 1986 by 32 major defense contractors who pledgedto adopt and implement a strong code of business ethics. The formation androle of the DII was covered in Chapter 3 and is further discussed in AppendixC. CA does business with the government and the compliance issues thereare just as great as doing business elsewhere. Gnazzo saw several importantopportunities in joining the DII. The DII is an organization that promotesbest practices in the area of defense industry compliance. According toGnazzo, once an organization joins and gives a public endorsement of theimportance of the DII, it’s not easy to then leave. It reinforces tone at the topof CA. Gnazzo added that DII holds an annual best practices meeting wherecutting-edge benchmarking is shared with the many members. Gnazzo’saction is but another best practice that all companies doing business withthe government should consider.CA’S TONE AT THE TOPGnazzo believes that tone at the top is a critical element of every complianceprogram. ‘‘Human beings mirror their leaders,’’ he states. Yet, this messageis so important that it must be communicated by more than just senior levelexecutives and in a number of ways. ‘‘The message of compliance can’t beonly delivered by the Chief Compliance Officer, the CEO, or the CFO; itmust also come from the managers.’’ This is especially true in operationsoutside the United States where the country manager is the face and voiceof company leadership. They are the ones that local employees interact withand look to for direction. 
A strong message of compliance from such a person and other managers in a country or region can do much to embed ethical practices and compliance.

Tone at the top can and must also be measured in a number of ways. Employee surveys, polls, compliance with code of conduct training by employees, managers and executives, compensation reviews where compliance is measured, and commitment to training for all employees are but a few of the ways to measure both tone at the top and a commitment to compliance. Other measurement indicators include the amount of money budgeted
for compliance, the number of people assigned to compliance, and having a compliance log of all issues communicated, investigated, and resolved.

Executives are measured in many ways. Included are how they support the compliance and ethics program, how responsive they are to requests for investigative support, whether they give out appropriate disciplinary action, and how they work with legal and human resources. As much as 10% of executive compensation is based on how they handle and respond to compliance requirements, whether they have completed the required ethics training, how they communicate the importance of the Code of Conduct to their organization, and how they demonstrate tone at the top. At CA, executives receive the same training as any other employee and they are expected to complete each and every training course as required. There are no exceptions. Taken as a whole, these measurements provide a good indicator of tone at the top. Of note, the Ethics and Compliance Officers Association has reported that fewer than 10% of U.S.-based corporations tie executive compensation to the measurement of ethics and compliance.

Reinforcing the importance of training, Gnazzo hired a Director of Training Awareness and Communication. This position has responsibility for promoting awareness of CA’s compliance program throughout the company. This Director develops and conducts training around CA’s various ethics and compliance initiatives such as the Code of Conduct and Conflict of Interest Policy.

The DPA also required a comprehensive overhaul of the company’s document retention policies and procedures. In response, Gnazzo hired a Vice President in Charge of Records and Information Management. This position is responsible for ensuring that CA’s records and documents are created, retained, and disposed of properly.
Having an efficient, effective, and compliant records management policy ensures that the company meets its business needs as well as complies with all legal and regulatory requirements.

Gnazzo also leads the newly created Enterprise Risk Management group at CA as Chief Risk Officer. He believes that risk and compliance go hand-in-hand. If organizations identify the various risks they potentially can face, they are less likely to hide them. The purpose of their Enterprise Risk Management group is to empower employees to identify risk early on. The NYSE requires its listed companies to have a policy on financial risk approved by the audit committee.

RESPONSE TO VIOLATIONS OF BUSINESS PRACTICES

CA has a very professional and predictable process for responding to allegations of misconduct and conducting internal investigations. Previously,
the company had no full-time investigators to respond to allegations of fraud and compliance failures. Gnazzo believes that companies must bring in professional investigators to conduct and resolve issues of fraud and non-compliance. He described how beneficial it was to hire John McDermott as a compliance investigator. McDermott was a career United States Postal Inspector who joined CA in June 2006. McDermott was both a respected fraud investigator and manager of a team of federal investigators for many years in New York. McDermott investigated some of the most complex and highly-publicized fraud cases in New York including fraudulent financial accounting cases. He was uniquely qualified for a role in CA’s compliance program and has become a key member of the team. Gnazzo explains how by adding experienced professionals such as McDermott, organizations gain credibility and compliance effectiveness.

Every issue that is reported is documented in CA’s matter management log, which is a Web-based case management system. This includes all allegations, inquiries, and government requests. They keep metrics on the number of cases, location of cases, types of cases, status of cases, the level and position of subjects of allegations, the losses from each case, and other key metrics. Gnazzo uses this reporting tool in preparing quarterly presentations to the Audit and Compliance Committee of the Board.

ENSURING FUTURE COMPLIANCE

A question posed to Gnazzo was how he would respond to an employee at CA who asked how he would ensure that what happened would never again occur. Gnazzo stated that the best assurance is open communication and to provide many avenues of communication to employees to ask questions and escalate concerns.
He explained that non-compliance can be stopped by providing employees and others outside the company an opportunity to break the chain if fraud and corruption exist.

Gnazzo explained that what happened at CA was a massive conspiracy involving numerous senior executives. No one broke the chain so the fraud lasted for many years. CA didn’t have a compliance program or the culture that may have been able to either prevent it from happening in the first place or at least catch it earlier. The executives who were asked about the fraud all lied and covered it up. They lied to the board. They lied to company attorneys. They even lied to federal prosecutors. They weren’t caught until one executive finally stopped lying. This executive hired a former federal prosecutor as his attorney and when he was questioned by federal agents and prosecutors, finally admitted he was lying all along. He confirmed the huge accounting fraud at CA. That broke the chain of lying and obstruction of
justice and opened the door for acceptance of responsibility and subsequent rebirth.

A well-communicated hotline, a strong and independent audit committee, a professionally staffed human resources department, an ombudsperson program, and an effective compliance program are all key elements for successful communication of compliance issues, according to Gnazzo.

The Ombudsperson Program is another option for employee communication at CA. It provides another platform for employees to raise concerns to someone who will maintain their confidentiality while ensuring the issue is escalated to management. In addition to a hotline, having a long-term, well-respected, thoroughly trained, and trusted employee who will listen to an employee’s problem provides yet another communication option. An employee may be more likely to speak to someone of this stature than call a hotline. As Gnazzo said, there were many people involved in the 35-day month accounting fraud. “That couldn’t have happened if CA had had the proper compliance attitude. The best insurance that this massive fraud will never happen again is open communication and resources to escalate issues.”

The ongoing message to employees at CA is that the compliance department is a lifeline for them to ask any and all questions at any time. It constantly reminds management to always include compliance in their daily work. The message also sent is that there is a personal responsibility for compliance and that the results are measured.

Gnazzo believes in communicating violations of business conduct with employees but it must be done in a productive way. CA does not believe in “public hangings” of employees involved in fraud and policy violations.
Employees who have been terminated for cause or given other disciplinary action are not publicly named or otherwise identified. Instead, CA uses details of the transgressions in training scenarios to better educate employees by showing how others have violated CA’s Code of Conduct.

Side letters are another area that CA’s compliance program has addressed. Side letters are after-the-fact changes to contracts including terms, conditions, and agreements that are not specifically detailed in the original contract and can result in potential financial and litigation risk. Gnazzo advised that the importance of understanding the “four corners of every contract” is one way to lessen the problem of side letters. CA requires that employees complete an attestation that no side letters are incorporated into a contract. In addition, CA educates its employees on the risks that side letters pose. It also sends out letters to customers asking for follow-up on the aspects of the contract so that it is clear that there were no side letters included in deals.
BUSINESS PRACTICE OFFICERS

Gnazzo knew that there are different standards of business practices in foreign countries, cultural sensitivity issues, and different legal and employee requirements in those countries that had to be dealt with. In response, he created 87 part-time Business Practice Officers (BPO) in CA offices worldwide to improve compliance. These are in addition to Gnazzo’s compliance team based in the company headquarters in New York. The BPOs act as regional compliance deputies in countries where CA operates. Their role is to share information with management and employees, help organize town hall meetings, discuss best practices with human resources and legal departments, and provide compliance awareness and education. The BPOs serve as a local connection for employees to ask questions and raise concerns.

The BPOs were identified and vetted by the compliance department and then thoroughly trained in various ethics and compliance areas such as handling conflict of interest issues. The BPO role is a collateral duty for those assigned and they spend about 10–15% of their time on compliance activities. They do not conduct investigations but collect information used by compliance investigators. As Gnazzo explained, they are not expected to act as “police” and initiate investigations, but they are there to put a local face on the corporate message of ethics and compliance.

COMPLIANCE AND ETHICS LEADERSHIP COUNCIL PROGRAM ASSESSMENT

To further assess CA’s ethics and compliance program, Gnazzo had a detailed assessment completed using the Compliance and Ethics Program Assessment Wizard. The Program Assessment Wizard was created by the Corporate Executive Board’s Compliance and Ethics Leadership Council (CELC) and is a comprehensive measurement and benchmarking system for compliance and ethics program performance.
For more information on the Program Assessment Wizard, please see the related section in Appendix C.

The CELC and the Program Assessment Wizard gave CA superior grades in all but two of their 28 criteria. Among the areas where CA was rated with high performance were program structure and oversight, standards and procedures, program measurement and monitoring, allegation reporting and investigations, communications, and discipline and incentives. The only areas marked for improvement were training for the Board and identifying risk. CA is actively addressing both.
PAT GNAZZO’S FIVE BEST PRACTICES FOR A WORLD-CLASS COMPLIANCE PROGRAM

Gnazzo provided his five best practices for a world-class compliance program but he qualified it by saying that there are other important aspects too.

1. The head of compliance needs to be “seen at the table” with other top executives. That’s everyone with a “c” at the beginning of their title. The person must have complete access to everyone at the company, no matter their level, and not have to make an appointment to meet. The CCO must be highly visible at the company and have significant experience and standing in the field.
2. The CCO must be independent with a solid reporting line to the audit committee and a dotted line to the general counsel.
3. The company must have an open communication program where anyone can report an allegation or issue through many different channels and have it addressed quickly.
4. The company must have a strong investigative response and process for allegations. The compliance department must have skilled investigative professionals who know how to obtain and analyze information, conduct interviews, report on findings and improve the compliance and ethics program.
5. Having Business Practice Officers embedded in offices worldwide is also a best practice.

In addition, Gnazzo believes that not just the audit committee but also the entire board needs to be heavily involved in compliance. All board members need to know the CCO and interact with him or her. They must thoroughly understand how the compliance program works. Gnazzo finds some topic or issue to discuss in order to get before the entire board each year. He interacts closely with each member. This puts the compliance program on par with all the other business operations and programs at CA.

It is clear that the CCO is a valuable part of the equation for compliance excellence. A world-class CCO needs a variety of knowledge, skills, and abilities.
Business acumen is an absolute requirement. Experience in business and being able to understand the particular business operation and model at their company is a factor for success for a CCO. A CCO who can meet with a business division president and talk the same language is a tremendous asset to the compliance program’s standing. When a CCO needs to meet with a business division president and can talk the same language, there is a greater understanding and benefit. Adding business knowledge to compliance expertise is critical for a successful CCO.
Gnazzo’s experience in two business roles at UTC prior to becoming the CCO was a major factor in his ability to build a world-class program at CA. Having management experience and leading people are also important. Being an effective communicator and being able to speak to large audiences and deliver important messages are other absolute necessities. Being comfortable in one’s skin and being able to step up in a crisis are other key qualifications.

Gnazzo has other recommendations for CCOs to follow. Become a thought leader in the field of compliance. Join professional compliance organizations and participate in roundtable sessions and sharing of best practices. Speak and write on the various topics of compliance.

A NEW ERA OF OPPORTUNITY

CA has had an impressive turnaround since the issuance of the DPA. The compliance program that CA developed is a major factor. Gnazzo’s experience, credibility, and reputation as well as CA’s strong commitment made ethics and compliance the foundation for their revival. On May 21, 2007, CA announced that it had satisfied the terms of the DPA. The Independent Examiner’s report dated May 1, 2007 to the United States Attorney’s Office stated that CA had “complied with” the DPA. As a result, the Federal Judge assigned the case dismissed all pending charges against CA. CA will no longer be under the close scrutiny of the government to ensure a commitment to ethics and compliance. “Our efforts won’t stop because we have met the requirements of the DPA,” said President and CEO John Swainson. “We will continue to demand a high level of transparency, ethical behavior, and integrity from our entire organization.”

This DPA was one of the first instituted by the Department of Justice in which the required reforms were so specific. CA spent hundreds of millions of dollars in complying with the DPA. The improved controls and processes have made a real difference.
Now, the question is whether the changes that CA instituted will become a part of the company’s DNA. Gnazzo sees this as an opportunity to reinforce the message of compliance and acting with integrity and accountability even when the government is not looking over their shoulder so closely. In fact, Gnazzo eagerly looks to the future as the true test of the new CA and its compliance rebirth. As Gnazzo states, “the measure of a company’s success is how it deals with trouble, not that it never had any trouble to begin with.”

NOTES

1. Steve Hamm, “A Probe—and a Bitter Feud,” Business Week, April 12, 2004, 78.
2. Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, Hoboken, NJ: John Wiley & Sons, Inc, 2006, 335.
3. Charles Forelle and Joann S. Lublin, “Kumar Gives Up Leadership Posts Under Pressure,” Wall Street Journal, April 22, 2004, A1.
4. Charles Forelle, “Ex-CFO at Computer Associates To Enter Plea in Accounting Probe,” Wall Street Journal, April 8, 2004, A1.
5. Charles Forelle, “CA Ex-Executives Plead Guilty, Call Fraud Pervasive,” Wall Street Journal, April 9, 2004, A3.
6. Ibid.
7. Second Year Report to the President, Corporate Fraud Task Force, July 20, 2004, www.usdoj.gov/dag/cftf/2ndyrfraudreport.pdf.
8. Ibid.
9. Charles Forelle, “CA Ex-Executives Plead Guilty,” A3.
10. Biegelman and Bartow, Executive Roadmap, 335–37.
11. Deferred Prosecution Agreement between the Government and CA posted on the CA Investor Relations Web site, September 22, 2004, http://investor.ca.com/phoenix.zhtml?c=83100&p=irol-govdeferred.
12. Stipulation of Facts, www.ca.com/about/dpa/exhibitcstipulationoffacts.pdf.
13. Benjamin M. Greenblum, “What Happens to a Prosecution Deferred? Judicial Oversight of Corporate Deferred Prosecution Agreements,” Columbia Law Review, October 2005, 1863.
14. Ibid.
15. CA’s Deferred Prosecution Agreement, Investor Relations and Corporate Governance site, CA, Inc., http://investor.ca.com/phoenix.zhtml?c=83100&p=irol-govdeferred.
16. Ibid.
17. “Court Appoints Attorney Lee S. Richards Independent Examiner for Computer Associates International, Inc.,” SEC Press Release 2005–37, March 16, 2005, www.sec.gov/news/press/2005–37.htm.
18. Gregory J. Millman, “Black and White Fever: The State of Business Ethics,” Financial Executive Magazine, May 2006, 26.
19. “Business Practices Standards of Excellence: Our Code of Conduct,” available at www.ca.com/XXX.
20. Douglas Allen, “50 Codes of Conduct Benchmarked: How Does Your Organization Stack Up?,” Ethisphere Magazine, Q2 2007, www.ethisphere.com/EthisphereMagazine0207/50-codes-Q2.
CHAPTER 6

The International Landscape of Compliance

“Your beliefs become your thoughts. Your thoughts become your words. Your words become your actions. Your actions become your habits. Your habits become your values. Your values become your destiny.”
Mahatma Gandhi

In today’s shrinking world, a whisper uttered in New York is heard in Beijing. A deal made in Delhi is felt in London. A company based in the United States often has subsidiaries in dozens of other countries. The world economy is quickly growing at breakneck speed. The BRICs—the emerging economies of Brazil, Russia, India, and China—are expected to be dominant forces in the global economy by the middle of this century if not sooner. It seems that nothing short of an extinction level event will stop this explosive growth. Yet, there are other forces besides natural disasters, armed conflicts, and environmental issues that can severely derail business efforts and hinder the flattening of the world.1 Corruption, corporate fraud, and scandal are the end products of an ineffective corporate compliance program and can lead to business failure.

Compliance goes beyond the borders of the United States with the globalization of business. International compliance is a necessity because of a confluence of several important factors. The global nature of companies with subsidiaries, affiliates, and vendors all over the world provides great opportunity but also great risk. U.S. law reaches all around the world and covers the actions of U.S. corporations and their employees no matter where they are. Illegal actions relating to the Foreign Corrupt Practices Act or the USA PATRIOT Act can have major implications. There are harsh penalties
for those who violate the anti-bribery provision of the Foreign Corrupt Practices Act. Third party liability is another major concern as companies are liable for the actions of people they hire, be they direct employees or agents. The solution is a strong compliance program to ensure everyone knows what the rules are, what’s going on, and to keep track of who’s doing what. These themes will span this and the following chapter, illustrating the importance of truly worldwide compliance.

THE FOREIGN CORRUPT PRACTICES ACT

Bribery and corruption are unfortunate elements of the dark side of business. Illegal payments by public and private corporations to foreign government officials to induce business dealings have long been an unscrupulous practice. These bribes, usually in the form of cash but not exclusively, are illegal and have been outlawed by the United States for many years. A rash of bribery and corruption cases in the 1970s, and a Congressional focus resulted in the enactment of the Foreign Corrupt Practices Act (FCPA) in 1977. Violations of the FCPA have always been taken very seriously by prosecutors in the United States. Since the passage of the Sarbanes-Oxley Act, there has been a renewed focus on investigations and prosecutions involving FCPA violations.
Thus, compliance with the provisions of the FCPA is more important than ever.

The FCPA prohibits individuals and companies from “corruptly making use of the mails or any means or instrumentality of interstate commerce in furtherance of an offer, promise, authorization, or payment of money or anything of value to a foreign official for the purpose of obtaining or retaining business for, or directing business to, any person or securing any improper advantage.”2 Furthermore, the FCPA also requires “issuers not only to refrain from making corrupt payments to foreign government officials, but also to implement policies and practices that reduce the risk that employees and agents will engage in bribery.”3 The books and records provision of the FCPA requires certain corporations to create and maintain books, records, and accounts that fairly and accurately reflect company transactions. The knowing falsification of company records is also prohibited.4 Penalties include both civil and criminal sanctions against the company and culpable employees.

The purpose of this provision is to put teeth into the statute. Logic tells us that companies probably will not accurately record bribe payments to foreign government officials but if they do, the evidence is there for the government to obtain. If companies omit or falsify transactions to hide the bribe payments, they also face legal peril. The strength of the FCPA gives
great leverage to the government in investigating and prosecuting bribery and corruption schemes. Violators are damned if they do and damned if they don’t. The best way to avoid punishment is not to do the crime in the first place.

The following case is an interesting study of both an initial compliance failure and a subsequent turnaround by instituting compliance requirements. There are many lessons to be learned from the experiences that this company went through. The lack of an effective compliance program contributed to a long-standing policy of paying bribes to foreign nationals. The development of a compliance program helped to expose a history of wrongdoing. The implementation of a robust compliance program helped the company restore its reputation.

SCHNITZER STEEL AND THE FCPA

Schnitzer Steel Industries, Inc. (SSI) is an old and proud company with its roots in the United States’ Pacific Northwest. The company was started by a Polish immigrant named Sam Schnitzer in Portland, Oregon in the early 1900s. In 1906, Sam saw a great business opportunity in scrap metal, and started collecting and selling it. In a few years, he and a partner, H. J. Wolfe, owned two companies, Alaska Junk Company and Schnitzer & Wolfe Machinery Company. Sam continued to grow the enterprise over the years and brought his five sons into the family business. In the 1950s, the Schnitzer family bought out the Wolfe family for sole control of the business now called Schnitzer Industries. Sam died in 1952 and left the business to his sons to run. Four sons continued to do so, with one son leaving the family business in the mid-1950s to build his own real estate business.
In 1962, a Portland newspaper columnist called Sam “a brilliant immigrant who began with a sack on his back, a horse and wagon, and whose portrait hangs in the board room of the fine Schnitzer Building.”5

Over the years, SSI continued to grow its business in the United States and internationally through internal growth and by acquiring other companies. In 1993, SSI announced that it was taking its privately owned business public with an initial public offering. In Oregon newspapers, there was speculation that a conflict between different generations of the Schnitzer family on running the business resulted in the decision to go public.6 Even after SSI went public, the Schnitzer family controlled 95% of the voting shares. Sam’s sons and their sons-in-law controlled the majority of executive positions at SSI. The company was a fixture in Oregon with the Schnitzer family one of the wealthiest in the state, and doing much in the way of philanthropy and civic affairs.
After going public in 1993, SSI went on an acquisition spree that significantly boosted the amount of scrap metal processed annually; revenue jumped. Millions of dollars more were spent on expansion and increasing capacity to process scrap metal. A journalist for a Portland business publication at the time wrote that the acquisitions were “an indication of the aggressiveness of the younger generation of the Schnitzer clan. . . . The conservative and low-profile generation that succeeded founder Sam Schnitzer has been replaced by a more aggressive crop of business people.”7 The journalist had no way of knowing at the time that his words would be a harbinger of events that would become public more than a decade later.

Today, SSI is one of the largest recyclers of ferrous metals in the United States. Its three business segments include metals recycling, steel manufacturing, and an auto parts business. The company is headquartered in Portland, Oregon, and its common stock is listed on the NASDAQ. The company has over 3,200 employees and revenue of $1.855 billion for the fiscal year ended August 31, 2006.

The FCPA Violations and Subsequent Discovery

In doing research for this chapter, I had the good fortune to meet a former employee of SSI who provided me valuable information and insight on both the company and how the compliance failures occurred. This person worked at SSI for a number of years during the period in question. I am protecting the confidentiality and identity of this person and will only refer to this person as a “Confidential Source” (CS) throughout this chapter. CS was in no way involved in the criminality and only learned of it when the general population of employees was told of the internal investigation resulting from the FCPA violations. CS was in a unique position and was able to provide me with thoughts and opinions on what happened and why. It is a snapshot in time.
CS has taken me through a period where the lack of an effective compliance program brought forth significant and painful changes in a very old and proud company.

By going public in 1993, SSI now had the capital to grow its business. In 1995, SSI acquired a privately held scrap metal recycler in Tacoma, Washington that was the largest scrap metal recycler in the state, as well as a leading scrap metal exporter to Asian markets. It had two subsidiaries that SSI renamed SSI International Far East, Ltd. (SSI Korea) and SSI International, Inc. (SSI International). SSI Korea was based in South Korea. While this acquisition greatly improved SSI’s ability to collect and process far greater amounts of scrap metal, there was a sinister side effect according to the CS. It seems that, unknown to SSI at the time of the acquisition, the acquired company had a practice of paying bribes to foreign government
officials in Asia to secure business. Unfortunately, this practice continued after the acquisition by SSI.

The discovery of this bribery years later demonstrates the importance of instituting effective compliance programs. With the advent of Sarbanes-Oxley and an increased focus on compliance, SSI started a compliance program. Prior to this, SSI did not have a formal code of conduct that employees were required to read and sign off on. SSI prepared a new code of conduct with an ethics policy that was provided to employees to read and sign that they understood and would follow the policies contained therein.

About the summer of 2003, representatives of SSI’s legal and human resources departments went to the Tacoma subsidiary and presented the compliance policies to employees there. One of the senior employees advised that after reading the policy about bribery and kickbacks, he could not sign the code of conduct. He explained that he was probably doing what was prohibited, and therefore, was in violation of the policy. As a result of this startling discovery, SSI started an internal investigation. Ultimately, the Board of Directors retained a Washington, DC law firm with experience in FCPA issues to conduct a thorough investigation. The investigation uncovered the full extent of the bribery and corruption that had been going on since the acquisition.
Subsequently, a disclosure of this illegal activity was made to the Department of Justice and the SEC.

The Conspiracy

According to the SEC, “employees and agents of SSI International and SSI Korea made improper cash payments to managers of scrap metal customers [businesses] owned, in whole or in part, by the Chinese government. These payments were intended to induce those managers to purchase scrap metal from Schnitzer.”8 SSI “paid over $205,000 in improper payments to managers of its government-owned customers in China in connection with 30 sales transactions” and their “gross revenue for those transactions totaled approximately $96 million.”9 As a result, SSI “earned $6,259,104 in net profits on these sales.”10

SSI paid two types of kickbacks to its foreign customers. One was a “standard” kickback of between $3,000 and $6,000 per shipment of scrap metal. The money for these payments came from the revenue earned on the scrap metal sales. The other type of kickback was referred to internally as either a “refund” or “rebate.” To pay these refunds, the general managers of steel mills would overpay SSI for the steel purchases. Then, they would “personally recover the overpayment,” usually in amounts ranging from $3,000 to $15,000. SSI would wire money for these illegal payments to
secret bank accounts in South Korea that were opened by the head of SSI Korea. The heads of SSI Korea and SSI International then would use these funds to make cash payments to the managers of their customers. Besides cash payments, other gifts such as jewelry, gift certificates, golf outings, and condominium timeshares were provided as bribes and kickbacks.11

SSI Korea also acted as a broker for Japanese scrap metal companies that sold scrap metal to China. They made payments to managers at these steel mills on behalf of the Japanese companies and earned commissions for facilitating the illegal payments. SSI didn’t restrict their bribery to government officials. They also made improper payments to privately owned steel mills in China and South Korea. The true nature of these illegal payments was concealed in the company’s books and records by being falsely described over the years as “sales commission,” “commission to the customer,” “quality claims,” “discounts,” “customer relations,” “refunds,” or “rebates.”

During the period 1995 to 2004 when SSI was making these illegal payments in violation of the FCPA, the company “provided no training or education to any of its employees, agents, or subsidiaries regarding the requirements of the FCPA” and “failed to establish a program to monitor its employees, agents, and subsidiaries for compliance with the FCPA.”12 The failure of thorough due diligence in the merger and acquisition phase further contributed to SSI’s financial and reputational damage.

By May 2004, as a result of the internal investigation, SSI’s compliance department learned more details of the bribery and kickbacks. Although a senior executive then prohibited any further illegal payments, this person “nonetheless authorized Schnitzer employees to pay at least two additional bribes that Schnitzer previously had promised private customers.
The same senior executive also authorized Schnitzer employees to increase entertainment expenses in lieu of cash payments to its private and government-owned scrap metal customers.”13 What was this senior executive thinking? More importantly, why was this person ever elevated to a senior executive position, let alone be an employee of the company? SSI Korea also destroyed incriminating documents after the start of the investigation but prior to SSI’s order to employees to preserve all related documents.

In prosecuting SSI Korea for conspiracy, wire fraud, and FCPA violations, the United States Attorney for the District of Oregon wrote the following in the Criminal Information that SSI Korea pleaded guilty to:

From in or about 1995 through in or about August 2004, in the District of Oregon and elsewhere, defendant SSI Korea did unlawfully, willfully, and knowingly conspire and agree with Officer A,
Officer B and other persons, known and unknown to commit the following acts against the United States: to violate the Foreign Corrupt Practices Act by the use of the mails and of means and instrumentalities of interstate commerce corruptly in furtherance of an offer, payment, promise to pay, and authorization of the payment of money, and anything of value to foreign officials for the purpose of: (I) influencing acts and decisions of such foreign officials in their official capacities; (II) inducing such foreign officials to do and omit to do acts in violation of the lawful duty of such officials; (III) securing an improper advantage; and (IV) inducing such foreign officials to use their influence with foreign governments and instrumentalities thereof to affect and influence acts and decisions of such governments and instrumentalities in order to assist defendant SSI Korea in obtaining and retaining business for and with, and directing business to SSI Korea and Schnitzer Steel. . . . To further violate the Foreign Corrupt Practices Act by knowingly falsifying the books, records, and accounts that were required, in reasonable detail, to accurately and fairly reflect the transactions and dispositions of the assets of Schnitzer Steel, an issuer within the meaning of the FCPA.14

Officer A is believed to be former employee Si Chan Wooh who subsequently pleaded guilty to his involvement in this conspiracy. Officer B as well as the other persons mentioned have not been identified or criminally charged as of the writing of this book.

SSI’s Remedial Efforts

As part of its settlement with the government, SSI agreed to a number of remedial actions to improve its compliance program.
They include:
• The hiring of a compliance consultant for a period of three years to review and evaluate SSI’s internal controls, record-keeping, and financial reporting policies and procedures relating to FCPA provisions as well as applicable foreign bribery laws.
• Full cooperation with the compliance consultant and providing full access to all applicable books and records, operations, and personnel.
• Evaluation by the compliance consultant of SSI’s policies and procedures to determine if they are reasonably designed to detect and prevent violations of the FCPA and prepare a report of findings to be submitted to the SEC and DOJ.
• Adoption by SSI of all recommendations of the compliance consultant. SSI can propose alternative policies designed to achieve the same purpose or objective for ones that may be unduly burdensome, impractical, or costly. If the compliance consultant does not agree to the alternative policy, SSI must abide by the original recommendations.

On October 16, 2006, SSI finalized settlements with the DOJ and SEC over the FCPA violations. SSI Korea pleaded guilty to violations of the FCPA’s anti-bribery and books and records provisions and was fined $7.5 million. SSI received a Deferred Prosecution Agreement (DPA) and a $7.7 million penalty in disgorgement and interest. In its 2006 Annual Report, SSI advised that it had settled proceedings with the DOJ and the SEC. They stated that “The Company had a past practice of making improper payments to the purchasing managers of nearly all of the Company’s customers in Asia in connection with export sales of recycled ferrous metal.”15 The DOJ agreed to the DPA for SSI and the guilty plea for SSI Korea because of the company’s commitment to a number of significant remedial actions and compliance improvements including the following:
• voluntary disclosure to the DOJ and SEC of the FCPA violations;
• extensive internal investigation by SSI’s Board of Directors, the retaining of experienced outside counsel, and the sharing with the government of the results of that investigation;
• extensive cooperation with the DOJ and SEC;
• appropriate disciplinary actions including the replacement of certain senior management; and
• remedial steps including retaining an experienced compliance consultant and the creation of an effective compliance program to protect against future FCPA and other compliance failures.

On June 29, 2007, Si Chan Wooh, the former Schnitzer Steel Executive Vice President and head of SSI Korea, pleaded guilty to conspiracy to violate the FCPA.
In his allocution to the guilty plea in federal court, Wooh admitted that he and others made illegal payments to government-owned customers in China for almost ten years. Between September 1999 and August 2004, Wooh paid more than $200,000 in bribes to managers of government-owned businesses in China. The Department of Justice also announced that Wooh was cooperating in the continuing criminal investigation leading to the possibility of further prosecutions of members of the conspiracy.16 In Compliance Insight 6.1, an official from the Department of Justice opines on the FCPA and SSI.
COMPLIANCE INSIGHT 6.1: ASSISTANT ATTORNEY GENERAL ALICE S. FISHER ON COMBATING CORRUPTION

Alice S. Fisher is an Assistant Attorney General with the United States Department of Justice in Washington, DC. In an address before the American Bar Association’s National Institute on the Foreign Corrupt Practices Act on October 16, 2006, Fisher provided important commentary on the FCPA and related compliance programs. While she was speaking to an audience of attorneys, she was also speaking to a much broader group of business leaders. She stated:a

“Corruption is the linchpin of so many different global problems. It undercuts democracy and the rule of law. It stifles economic growth and sustainable development. It destabilizes markets. And it creates an uneven playing field for U.S. companies doing business overseas.”

Fisher explained that strong FCPA enforcement encouraged other governments to step up their own anti-corruption efforts, as well as made sure “that your competitors do not gain an unfair advantage when competing for business overseas. And we are ensuring the integrity of our markets at home so that investors will continue to invest in your companies.”

In emphasizing the importance of cooperation with Justice Department investigations, she described the Schnitzer Steel case. She pointed to the company’s “exceptional cooperation,” which paid strong dividends in allowing it to receive a deferred prosecution agreement and pay a far lower criminal fine, based on a Department recommendation, than what it would have received otherwise.

Assistant Attorney General Fisher also emphasized four FCPA policy issues including voluntary disclosures, compliance consultants, the FCPA opinion procedure, and transactional due diligence.

VOLUNTARY DISCLOSURES

“When serious FCPA issues do arise, we strongly encourage you and your clients to voluntarily disclose those issues.
I know that there is a concern out there that there is not enough certainty in the voluntary disclosure process. And frankly, there are good reasons for that. . . . But what I can say is that there is always a benefit to corporate cooperation, including voluntary disclosure, as contemplated by the Thompson memo.b The fact is, if you are doing the things you should be
doing—whether it is self-policing, self-reporting, conducting proactive risk assessments, improving your controls and procedures, training on the FCPA, or cooperating with an investigation after it starts—you will get a benefit. It may not mean that you or your client will get a complete pass, but you will get a real, tangible benefit.”

When a company voluntarily discloses FCPA violations, in some cases it results in a guilty plea, but in other cases the company has not been prosecuted at all. With this in mind, Fisher underscored there is a real benefit to voluntary disclosure and cooperation.

COMPLIANCE CONSULTANTS

In several recent FCPA decisions, such as Schnitzer Steel, the Department required the offending company to “hire a compliance consultant to review the company’s system of FCPA internal controls.” She then listed some of the factors taken into account when deciding to require a compliance consultant: “the strength of the company’s existing management and compliance team, the pervasiveness of the problem, and the strength of the company’s existing FCPA policies and procedures.”

“And when we do require a monitor, we will make every effort to tailor the scope of the monitor’s work in appropriate cases. That being said, there are plainly many circumstances where a compliance consultant is an essential component of any deferred prosecution agreement. Those are cases where the company has simply taken a ‘cookie cutter’ approach to FCPA compliance, or has a ‘paper’ program without any real substance to it.”

OPINION PROCEDURE

Fisher outlined the FCPA opinion procedure, which she hopes will encourage companies to talk to the DOJ before they commit an FCPA violation. Under the opinion procedure, a company or individual can request an opinion on a proposed business transaction or conduct, before undertaking it.
When the Department issues the opinion, the conduct or transaction is presumed to be FCPA-compliant. “Over the years,” Fisher noted, “the FCPA opinion procedure has generally been under-utilized, with only a handful of opinions being requested each year. But as Assistant Attorney General, I want the FCPA opinion procedure to be something that is useful as a guide to business.”
DUE DILIGENCE

The opinion procedure may also be useful in the context of joint ventures, mergers, and acquisitions, “when the FCPA due diligence turns up potential problems with the foreign counterpart. Transactional due diligence in the FCPA context is good for business.” This was on display in GE’s merger with InVision Technologies, Inc. “In that case, investigations by DOJ and the SEC revealed that InVision paid bribes in [Thailand] in connection with sales of its airport security screening machines. InVision ultimately accepted a deferred prosecution agreement (DPA) and paid an $800,000 fine.”

Thanks to GE’s due diligence, it discovered the conduct before completing the merger, and avoided potential successor liability. “Although GE entered into a separate agreement with the Department to ensure InVision’s compliance with the DPA, think of the potential consequences to GE if they had not performed thorough due diligence in that case.”

a The quotes and material in this section come from the prepared remarks of Alice S. Fisher, Assistant Attorney General, United States Department of Justice, at the American Bar Association’s National Institute on the Foreign Corrupt Practices Act, Omni Shoreham Hotel, Washington, DC, October 16, 2006. Transcript of prepared remarks found at http://skaddenpractices.skadden.com/fcpa/.

b The Thompson Memo is the informal name of the Department of Justice’s “Principles of Federal Prosecution of Business Organizations.” This speech was given prior to the Department of Justice issuance of the McNulty Memo which updated Department of Justice guidance on criminally charging businesses as previously detailed in the Thompson Memo.

METCALF AND EDDY CIVIL FCPA SETTLEMENT

Metcalf & Eddy International Inc., a Massachusetts-based environmental engineering firm, was convicted in 1999 of violating the FCPA for unlawfully providing travel and entertainment expenses to an Egyptian public official.
The official was the chairman of a committee that was involved in contract negotiations for a sewage upgrade project in Egypt that Metcalf & Eddy would work on. He received, along with his family, trips to the United States and a per diem that amounted to 150% above the rate allowed by law. Metcalf & Eddy paid for the flights, including first
class upgrades, and almost all the travel and entertainment expenses, even though the official had already received the funds to pay for his expenses. Moreover, Metcalf & Eddy failed to accurately record these transactions, furthering the prosecution’s case that the company knowingly violated the law.17

The civil settlement in this case required Metcalf & Eddy to institute an FCPA compliance program. This case set the standard for what the government expects in such a program, and has been repeatedly followed in other cases. The standards laid out establish the minimum requirements that should be met when creating an FCPA compliance program.18

At minimum, an effective FCPA compliance program includes the following elements:
• Clear FCPA policy, establishing compliance standards and practices to be followed by employees, consultants, and agents. These standards and practices must be reasonably capable of reducing violations and ensuring compliance.
• Assignment of one or more senior officials to be responsible for oversight of the compliance program. The official shall have the authority and responsibility to implement and utilize monitoring and auditing systems to detect criminal conduct, and when necessary, bring in outside counsel and independent auditors to conduct investigations and audits. The officials should make any necessary modifications to the program to respond to detected violations and to prevent further similar violations.
• Creating and maintaining a committee to review the hiring of agents, consultants, or other representatives to do business in a foreign country, and the related contracts. The committee will also review all prospective joint venture partners, to ensure FCPA compliance, and the due diligence done in selecting the prospective partner. The committee has a continuing responsibility to ensure subsequent due diligence in retaining other agents and consultants by the joint venture.
This committee should be independent and not to be influenced by the company officials involved in the transactions at issue.
• Clear corporate policies to make sure that the company does not delegate substantial discretionary authority to individuals that the company knows or should know are likely to engage in illegal activities.
• Clear corporate procedures to assure that the necessary precautions are taken to make sure the company only does business with reputable and qualified individuals. The policy must require that evidence of the due diligence performed be maintained in the company’s files.
• Communicating FCPA policies, standards, and procedures to employees; requiring regular training on the FCPA and other applicable foreign
bribery laws to officers and employees involved in foreign projects. Agents and consultants hired in connection with foreign business should also be given appropriate training, as soon as is practicable.
• Implementation of appropriate discipline measures, including as necessary, discipline of individuals who fail to detect violations of the law or of the company’s compliance policies.
• Establishing a reporting system whereby suspected criminal conduct may be reported, without fear of retribution, and without having to report directly to immediate superiors.
• Including in all foreign business contracts provisions banning foreign bribery. No payment of money or anything of value will be promised, offered, or paid, directly or indirectly to any foreign official, politician, political candidate, or similar individual, to induce them to use their influence or to obtain an improper advantage in a business dealing. All contracts must include a provision that all prospective agents agree not to retain any sub-agents or representatives without prior written consent of a senior company official; any breach of this provision terminates the contract.

Furthermore, an effective FCPA compliance program should also include:
• Periodic review, at least once every five years, of its corporate policies and FCPA compliance program, to be conducted by independent legal and auditing firms retained for such purpose.
• Prompt investigation and/or reporting of any alleged violations of the FCPA or other applicable foreign bribery laws by the company, its officers, agents, or other personnel, and of any joint venture in which the company is a participant.

Newer cases have added an additional requirement:19
• The company, using objective measures, must determine the regions or countries in which it does business that pose higher risks of corruption, and then on a periodic basis, conduct rigorous FCPA audits of its operations in such areas.
The audits shall include detailed audits of the operating unit’s books and records, audits of selected agents, consultants, and joint venture partners and interviews with relevant employees, consultants, agents, etc.

The importance of having an effective FCPA compliance program is heightened by increased FCPA enforcement in the last several years, and the
widening of its scope and the severity of its penalties.20 The Department of Justice and the SEC have attacked foreign corruption the same way they have confronted domestic corporate scandals. Court decisions have also furthered these efforts, by upholding the government’s broad interpretation of the FCPA, such as United States v. Kay.21 The government has wide latitude in enforcing the FCPA’s provisions and can harshly punish violators as appropriate.

A case that illustrates the government’s increased efforts is the case of the Monsanto Corporation. An employee of the agri-business giant bribed an Indonesian official to induce him to repeal a law that Monsanto deemed burdensome. Even though the bribery appeared to result solely from the actions of a single employee operating without authorization, Monsanto’s internal controls discovered the misconduct and punished it, and voluntarily reported the incident to the government, the SEC still proceeded with the case. However, because of the existence of Monsanto’s compliance program and its cooperation, it received a deferred prosecution agreement.

After the Kay decision and the Monsanto settlement agreement, “it is clear that, subject to the FCPA’s limited exceptions, any illicit payment to a foreign official can run afoul of the law, regardless of whether the company has a potential contract on the horizon.”22 Furthermore, officials at the DOJ and the SEC have repeatedly dismissed the idea of a “rogue employee” defense. Regardless of the fact that an individual employee acting alone in contravention of company policy caused the violation, the company is still liable for the breach.
The DOJ and SEC take the position “that any FCPA problem must be the result of some deficiency in a company’s internal controls.”23

Even though the government has prosecuted companies such as Monsanto who have working compliance programs and voluntarily reported misconduct, this still underscores the need for an effective compliance program. For one, compliance programs can always be improved and strengthened to increase their effectiveness. Additionally, the government’s stepped-up prosecutions of FCPA violators have put corporations on notice that their wrongdoing will be found out and severely dealt with, particularly if they do not have a compliance program that meets the minimum standards and do not cooperate.

The complete lack of an FCPA compliance program can doom a company, as was the case with the Titan Corporation, a San Diego-based military intelligence and communications firm. An SEC complaint alleged, among other FCPA violations, that “Titan funneled approximately $2 million, via its agent in Benin, towards the election campaign of Benin’s then-incumbent President. . . Titan made these payments to assist the company in its development of a telecommunications project in Benin and to obtain the Benin government’s consent to an increase in the percentage
of Titan’s project management fees for that project.”24 After consenting to the entry of final judgment, Titan agreed to pay $28.4 million, at the time the largest FCPA penalty ever, which included disgorgement of profits stemming from the illicit payments. A merger deal with Lockheed Martin also fell through after the discovery of the violations.25 Most importantly, the SEC took the company to task for its failure to have any sort of compliance program or to even make any sort of substantial compliance effort at all.

In its 23 years of existence prior to 2004, Titan has never had a FCPA compliance program or procedures. Titan’s only related “policy” is a statement in Titan Corporation’s Code of Ethics, which all Titan employees were required to sign annually, stating “employees must be fully familiar with and strictly adhere to such provisions as the Foreign Corrupt Practices Act.” Titan did not enforce that policy nor did it provide its employees with any information concerning the FCPA.26

This complete absence of compliance efforts undoubtedly factored into the harsh penalties that Titan suffered. The government treats harshly those companies that make no efforts at compliance, and will take that into account when punishing them.

However, the presence of an effective FCPA compliance program and cooperation with the government, while it will not preclude prosecution, will help to reduce the penalties faced by a company.
In dealing with self-reporting of FCPA violations, the government has seemingly followed the cooperation standards laid out by the Thompson and McNulty memos.27 By voluntary reporting and cooperating with the investigation, a company stands a much greater chance of escaping with a deferred prosecution agreement and lessened penalties than otherwise could have been achieved.

THE CHALLENGE OF IMPLEMENTING CORPORATE COMPLIANCE IN FOREIGN ISSUERS

Pedro Fabiano is an international expert with more than 15 years experience conducting fraud investigations and compliance audits, designing fraud prevention, anti-money laundering (AML), and ethics compliance programs, and providing consulting services in multi-industry and multi-partner environments in the United States and Latin America. He is a Certified Fraud Examiner and Certified Public Accountant and is based in Buenos Aires, Argentina.
Fabiano was elected to the Board of Regents of the Association of Certified Fraud Examiners (ACFE) for the period 2002–2004. In 2005, he was designated an ACFE Fellow. The Fellow Program was established to recognize outstanding achievements, significant contributions, and exceptional service to the field of fraud examination. He is also President and cofounder of the Argentina Chapter of the ACFE, the only Chapter in Latin America.

He is a frequent lecturer at universities and for professional organizations on the topics of corporate governance, information security, loss prevention, fraud auditing, and AML. Most recently, he has developed and conducted the seminar entitled Auditing and Fraud in Financial Institutions: A Global Regulatory Perspective, for the Central Bank of Argentina.

Based on his wealth of experience, Fabiano provides a unique perspective on compliance challenges outside the United States with an emphasis on Latin America in the following question and answer session:

Q: What has been the impact on foreign private issuers as a result of the recent changes to laws and regulations in the United States in relation to corporate governance and fraud prevention?

A: The recent changes to laws and regulations in the United States with respect to governance and fraud prevention have had a considerable impact on foreign private issuers and also on subsidiaries of U.S. registered entities. A combination of Sarbanes-Oxley’s (SOX) greater focus on internal controls, the increased penalties for Foreign Corrupt Practices Act (FCPA) books and records violations as a result of SOX, and a continued aggressive U.S. government policy to target international business bribery, has resulted in a significant level of FCPA enforcement activity since 2002.

For example, in April 2006, the SEC instituted cease and desist proceedings against Oil States International, Inc.
(OSI) for violations of the books and records and internal controls provisions of the FCPA, arising from certain payments made through its HWC subsidiary. The SEC stated that OSI, through certain employees of HWC, provided approximately $348,350 in improper payments to employees of Petroleos de Venezuela, S.A., an energy company owned by the government of Venezuela.

It is important to highlight that there is no general exemption from the U.S. securities laws for foreign private issuers. If their securities are offered or traded in the United States, they need to concern themselves with these laws. The Montedison S.P.A. case represented the first time the SEC sanctioned a foreign issuer that had no operations in the United States. This Italian company, whose
senior management fraudulently overstated company income by at least $398 million from 1988 through early 1993, was ordered by the U.S. District Court for the District of Columbia to pay a civil penalty of $300,000 for violating the antifraud, financial reporting, and books and records provisions of federal securities laws. The order was the result of a settlement between the SEC and Montedison in which Montedison neither admitted nor denied liability for the allegations in the complaint. The SEC had filed the complaint in 1996 and was settled in 2001.

The FCPA, which was enacted in 1977, is usually associated with its prohibitions against foreign bribery. The provisions of the FCPA relating to bookkeeping and internal controls receive less publicity but are much more likely to form the basis of a government proceeding against companies subject to the Act. The most common FCPA enforcement mechanism is a civil action by the SEC under the accounting provisions and not a criminal charge by the Department of Justice (“DOJ”) or even a civil action by the SEC under the anti-bribery provision. The SEC has, in fact, used the FCPA in several cases to prosecute wrongdoers who have not engaged in bribery of foreign officials, but whose actions technically violate the Act’s accounting requirements, much like the federal government has used tax laws to prosecute organized crime figures whose other crimes cannot be proven.

Since the passage of SOX in 2002, the accounting provisions have assumed even greater importance because officers now are required to certify the integrity of their companies’ financial statements and assess the adequacy of internal controls.
As a result, companies are more frequently uncovering accounting-provision violations in connection with internal SOX reviews and are self-reporting these violations to regulators in hopes of mitigating penalties for noncompliance.

Several SOX provisions have contributed to the increase in self-reported FCPA cases, but two in particular, Sections 302 and 404, have fundamentally changed the approach companies take in preventing, detecting, and responding to fraudulent accounting practices. These provisions place responsibility for detecting fraudulent behavior and inadequate record-keeping in the highest levels of management. In response to Sections 302 and 404, certifying officers are demanding greatly enhanced scrutiny of the adequacy of internal controls and procedures and other fraud-prevention measures, the natural consequence of which is an increase in the number of FCPA violations discovered internally and self-reported
to regulators. Moreover, certifying officers have a strong incentive to prevent and detect fraud. Under SOX Section 906, a criminal provision closely related to Section 302, a manager who willfully certifies a periodic report filed with the SEC that omits the requirements of the accounting provisions of the FCPA faces criminal penalties of up to 20 years in prison and/or fines of up to $5 million.

Q: How important are foreign issuers in the U.S. stock markets?

A: Roughly 1,200 foreign companies are listed on U.S. exchanges. The New York Stock Exchange (NYSE) has 450 foreign issuers, NASDAQ has about 300, and the remaining foreign companies trade on over-the-counter exchanges.

Listing on the U.S. markets carries a lot of prestige and as investor interest in non-U.S. securities grows, the NYSE is committed to listing companies that demonstrate the highest standards of corporate governance and financial strength. In 2005, the NYSE continued to be the leading market for non-U.S. companies. As of December 31, 2005, the NYSE listed more than 450 non-U.S. companies, from 47 countries, representing a total global market capitalization of $7.9 trillion. The market capitalization of the 17 mainland Chinese companies on the NYSE increased to $329 billion, and the NYSE added its ninth listed company from India in 2005.

Latin America had 89 companies listed in the NYSE by the end of 2005. The majority of these companies were headquartered in Brazil (35 companies), Chile (18), Mexico (17), and Argentina (12).
These companies cover several industries including: telecommunications, gas distribution/transportation, oil/gas exploration, water utility, electric utility, and banking.

Q: What are the key characteristics of the business environment in Latin America that affects corporate governance and fraud prevention?

A: Based on my experience, the business environment in most countries in Latin America has two main general characteristics: a poor or not properly enforced legal and regulatory framework and a very high concentration of ownership and control. Countries in Latin America share a common legal origin: the European civil code tradition. But the legal and judicial commonalities within the region extend as well to the approaches taken to enforcement of laws and contracts. In general, the incidence of civil litigation is small in comparison to European and North American patterns, with greater emphasis placed on administrative and criminal judicial actions. Private dispute resolution mechanisms, such as mandatory arbitration, are comparatively new and largely untested.
In many emerging economies of the region, the vast majority of people do not trust one another. For example, the distrust surrounding the enforceability of contracts leads to large portions of the population believing that negotiations are not over even after a contract is signed. This can result in side letters and other agreements not detailed in the contract but still enforceable. As a result, transaction costs to protect one party from the other in such circumstances are much higher.

A confusing, burdensome, or even unfair legislative and regulatory framework increases the cost of establishing a business, discourages investors, and provides a fertile ground for corruption. In some countries, certain critics even believe that regulations are intentionally drafted in a confusing manner to provide officials with more discretion. Under such circumstances, responsible business conduct is frequently discarded in favor of survival, or the law is bent or interpreted to fit the circumstances.

Even where laws and regulations are well drafted, they are often enforced unevenly—or ignored by the population—in practice. The failure to enforce the legislative and regulatory framework, or to comply with it, contributes to confusion, places the law-abiding enterprise at a competitive disadvantage, discourages investors, and extends a climate of corruption.

Many firms are directly or indirectly controlled by one of the numerous industrial, financial, and mixed corporations that operate in Latin American economies. A mixed corporation is a group of firms linked to each other through ownership relations and controlled by a local family, a group of investors, or by a foreign company. The dominant shareholders, through complex structures including the use of pyramids, cross-holdings, and dual class shares, usually control these entities.
High ownership concentration and mixed corporation structures also significantly affect the composition of boards. Most board members in Latin American companies are related to controlling groups through family ties, friendships, business relationships, and labor contracts.

The lack of transparency that typically characterizes intra-group transactions and the absence of independent-level firm decision-making are now increasingly seen as obstacles to cost-effective financing. In the course of the past few years, a number of groups have begun to segregate their operations and more clearly separate the activities, financing, and governance of group member companies. How groups re-direct themselves, and the mechanisms they put into place in response to calls for greater transparency and
independent management of business lines, are important elements of the evolution of a market economy in the region.

Despite massive privatization of state-owned companies, the state is still an important shareholder in many large companies throughout the region. In addition, in many cases, the privatization process importantly shaped the configuration of the ownership and control structures of the privatized companies.

Finally, Latin American capital markets have recently experienced a wave of mergers and acquisitions where ownership of the largest domestic companies has been transferred to foreign companies. Also, during the last ten years many of the largest Latin American companies have been on the U.S. markets through the American Depositary Receipt (ADR) program, while domestic trading has contracted, presenting lower turnover ratios and a very low level of new equity issues.

Q: What are the main obstacles faced by U.S. subsidiaries and foreign issuers in implementing U.S. standards in Latin America?

A: Getting international employees to embrace U.S. standards is a great challenge, which consists of making people in remote parts of the world feel like they are part of one enterprise, global in nature.

Cultural issues are always an obstacle. A good example is the implementation of a hotline. People in many parts of the world are uncomfortable having an anonymous method of reporting a problem, especially in places where there has been a history of repression or abuse. There is a real cultural aversion to that. In some Latin American companies, although a variety of anonymous reporting mechanisms have been properly implemented, they have not received any complaints during the first two years of existence.

A common cultural difference is the attitude toward hiring relatives. In some countries, it is expected that owners and managers will hire relatives as a matter of course.
In others, hiring relatives is discouraged or, in some circumstances, prohibited.

Another obstacle we often encounter is that local executives and employees consider that the extension of U.S. regulatory directives into those countries is, to some extent, an expression of American hegemony. Frequently, this creates or encourages a feeling of anti-Americanism. As a result, the initial efforts in educating overseas workers about U.S. compliance can be really hard. I was recently contracted to conduct a training program in a Latin American company listed on the NYSE, and found that the employee’s initial reaction was “this is a U.S. problem.” But the employee’s attitude changed significantly when I explained that the company
has voluntarily decided to become a listed entity in the United States and that this decision resulted in important benefits for the stakeholders and some specific compliance requirements. This dramatic change of attitude showed me that the employees had not been properly and timely informed about the basic obligation of a foreign issuer. This situation also demonstrates that, besides training, effective “top-down” communication is an essential element in any compliance effort.

The implementation of the FCPA in emerging market economies is also a major challenge. For example, although no society openly approves paying or accepting bribes, in countries where government employees receive lower than subsistence-level pay, “expediting fees” (also known as “grease or facilitating payments”) often become unapproved but accepted behavior under local custom. In such countries, bribery is so common that even law enforcement officials pay bribes to gain their positions.

Q: Considering the cultural issues and the business environment, what would be your general recommendations for a successful compliance approach in Latin America?

A: A thorough analysis and assessment of the country’s legal framework and its enforcement, and the local business practices would be the suggested first step in designing a successful compliance strategy.

Given the country and industry differences found, it appears to be a mistake to expect all corporate compliance programs to look alike. Careful thought should be given to tailoring the policy to the particular firm, industry, and country. Large multinational firms operating in a number of countries need to consider the general applicability of a code of ethics or ethics training that was developed in the country in which the firm’s headquarters is located. If ethical concerns differ by country, then imposing a set of standards developed for one country on another country may be counterproductive.
Similarly, expatriates working for multinational firms need to be aware that their own perception of ethical issues may not match that of their native fellow employees.

The design and implementation of a global compliance program requires extreme sensitivity to local norms, values, and standards. The program must recognize that management policies, standards, and procedures will be open to interpretation at all levels of the enterprise. For example, a shallow approach to ethical business conduct only condemns bribes and threatens to punish those who pay or accept them. However, a global compliance program takes a
comprehensive approach. It recognizes such accepted behavior as part of the obstacles facing the enterprise and addresses such issues systemically. In other words, it addresses them at their roots by examining hiring processes, compensation schemes, and training and education; by instituting monitoring, auditing, and reporting mechanisms; and by influencing the legislative or regulatory processes.

In dealing with employees’ reluctance to accept the SOX/FCPA provisions, training becomes essential. The first important message to communicate during training is that they are part of a larger global enterprise, and that in this world of globalized technology and information, inappropriate conduct will ultimately be exposed. It is highly unlikely that bribery and corruption going on in one part of the world will not eventually be discovered in another part of the world. The second, and not less important message, is that all their reputations are at stake, and a company’s most important asset is its reputation; once we lose that, it is very hard to recover it.

Finally, it is essential to convince executives and employees that the SOX/FCPA provisions should not be viewed as more than just another bureaucratic measure through which businesses are forced to jump. Instead, the provisions are highly effective tools that businesses can use to prevent and detect fraud. Sound accounting practices and internal controls often are the best defense against fraud, especially in certain foreign countries where regulators take a less rigorous approach in enforcing rules related to financial reporting.
Accordingly, domestic companies with operations outside the United States and foreign issuers are strongly advised to make SOX/FCPA compliance a high priority in their global business strategies.

Q: Based on your experience, what specific best practices and strategies have been implemented by successful companies?

A: The most common best practices and strategies adopted by companies in Latin America include:

- The establishment of a clear, written job description for the compliance officer, approved by senior management, and the board. This job description is effectively communicated to all levels of the organization.
- The assignment of primary compliance responsibilities to business departments (marketing, operations, finance, etc.) as compared to those areas mainly involved in supporting compliance functions (legal, human resources, etc). These responsibilities are commonly documented in a “Compliance Responsibility Chart,” which is an integral part of the Compliance Program.
- The Compliance Program requires that the business and supporting departments prepare quarterly reports for the Compliance Officer. The Compliance Officer prepares quarterly summary reports and an annual assessment for the Board.
- The Internal Audit Plan includes the review of the supporting documentation and evaluation of the reliability of the quarterly compliance reports issued by the departments.
- Senior management and board members demonstrate their commitment to compliance by attending training sessions and sharing successful compliance experiences with the employees.
- Strong formal and informal communication channels have been developed between Internal Audit, Security, and the compliance executive.

NOTES

1. Author Thomas L. Friedman coined the phrase “The World is Flat,” which is also the title of his best-selling book that examines how the playing field of the world is being leveled through technology, competition, and innovation.
2. Title 15, United States Code, Section 78dd-3.
3. United States v. SSI International Far East, Ltd, defendant, criminal information unsealed on October 16, 2006, United States District Court, District of Oregon, 24.
4. Ibid.
5. Schnitzer Steel Industries, Inc. Company History, www.fundinguniverse.com/company-histories/Schnitzer-Steel-Industries-Inc-Company-History.html.
6. Ibid.
7. Ibid.
8. In the matter of Schnitzer Steel Industries, Inc., Respondent, Order Instituting Cease-and-Desist Proceedings, Making Findings, and Imposing a Cease-and-Desist Order Pursuant to Section 21C of the Securities Exchange Act of 1934, Securities and Exchange Commission Release No. 54606, October 16, 2006, www.sec.gov/litigation/admin/2006/34–54606.pdf.
9. Ibid.
10. Ibid.
11. Ibid.
12. Ibid.
13. Ibid.
14. United States v. SSI International Far East, Ltd, defendant, criminal information unsealed on October 16, 2006, United States District Court, District of Oregon, 5–6.
15. Schnitzer Steel Industries, Inc. 2006 Annual Report, November 9, 2006, 22, /library.corporate-ir.net/library/87/870/87090/items/225808/2006AR.pdf.
16. “Former Senior Officer of Schnitzer Steel Industries Inc. Subsidiary Pleads Guilty to Foreign Bribes,” United States Department of Justice Press Release, June 29, 2007, www.usdoj.gov/opa/pr/2007/June/07crm474.html.
17. Transparency USA Toolkit, www.transparency-usa.org/Toolkit1c.html.
18. United States of America v. Metcalf & Eddy, Inc. (D. Mass No. 99CV12566-NG).
19. See, e.g., United States of America v. Monsanto, Deferred Prosecution Agreement (Dist. D.C. 2005), www.corproatecrimereporter.com/documents/monsantoagreement.pdf.
20. William B.F. Steinman and Kathleen M. Hamann, “Expanding Risks Under the Foreign Corrupt Practices Act,” Government Contract, September 25, 2006, www.pogolaw.com/articles/2054.pdf. (“[T]here were more FCPA cases brought in 2004 and 2005 than in the prior 26 years combined.”).
21. See United States v. Kay, 359 F.3d 738 (5th Cir. 2004) (holding that when Congress enacted the FCPA, it intended to cast a “wide net over foreign bribery.”).
22. Steinman and Hamann, “Expanding Risks Under the Foreign Corrupt Practices Act.”
23. Ibid.
24. SEC v. The Titan Corporation, Complaint, Civ. Action No. 05–0411 (JR) (Dist. DC March 1, 2005), 1–2.
25. Fred Shaheen and Natalia Geren, “Penalties Get Tougher for FCPA Violations,” National Defense, September 1, 2005, 50.
26. SEC v. Titan, 16.
27. Michael T. Burr, “Corporations Caught in Rising Tide of FCPA Enforcement,” Inside Counsel, November 2005, www.insidecounsel.com/issues/insidecounsel/15168/regulatory/214–1.html.
CHAPTER 7
Compliance Programs and Anti-Money Laundering Efforts
By Marc B. Sherman, Laura Connor, and David Meilstrup

This chapter was written by three forensic accounting professionals highly experienced in AML issues. I deeply appreciate their willingness to contribute their unique insights and expertise to this book.

In the past, a documented and reasonably functional compliance program was adequate. Today that is not enough; the compliance program must also be effective. There is no better example of this than with money laundering. The threat of money laundering has become a serious concern for both governments and businesses of many nations. In the United States, money laundering has long been used in criminal enterprise, including narcotics trafficking. While the late 1990s brought money laundering investigations and prosecutions greater attention, it was the aftermath of the September 11, 2001, attacks that brought it to the forefront. The global proliferation of anti-money laundering (AML) laws and worldwide investigations have been utilized by authorities to confront the growing specter of international terrorism.

The enforcement of AML laws, however, does not only impact terrorism and narcotics trafficking, areas traditionally associated with money laundering. Vigorous international law enforcement and the breadth of the current anti-money laundering statutes put domestic and international businesses at risk of inadvertently violating the various laws that are at the heart of today’s anti-money laundering effort. To aid in the fight against money laundering and terrorist financing activity, the United States government enacted the USA PATRIOT Act¹ (“PATRIOT Act” or “Act”), which
amends the Bank Secrecy Act (BSA)² and allows for better prevention, detection, and prosecution of money laundering and terrorist financing.

Money laundering has long been used to hide the proceeds of crime and prevent detection and prosecution of certain illegal activity. The ability to move and hide the proceeds of crime through the financial system facilitates criminal activity and frustrates the ability of law enforcement to combat crime, and more recently, terrorist financing. In order to help prevent and detect money laundering in the financial system and the underlying criminal and terrorist activity, certain compliance requirements have been imposed on banks and other businesses. As part of compliance, the laws and regulations impose obligations on financial institutions to monitor customer transactions and report suspicious activity.

WHAT IS MONEY LAUNDERING?

Money laundering is the process of filtering “dirty” money (criminal proceeds) through a series of transactions in order to disguise or prevent detection of the source of the money.³ The “dirty” funds are laundered to give them the appearance of proceeds from legitimate activity. By definition, money laundering consists of three separate independent steps: placement, layering, and integration.

Placement, as the name would imply, is the placing of unlawful cash proceeds into commerce, whether through deposits or other means. Layering consists of the separating of the criminal proceeds from their source of origin through many layers of complex financial transactions. Such transactions can include converting cash into monetary instruments, wire transfers, stocks, bonds, and letters of credit or by purchasing valuable assets, such as art and jewelry.
Finally, integration is the use of seemingly legitimate transactions to disguise the laundering of criminal proceeds back to the criminal.

Money laundering can involve a variety of transaction types, but historically has involved a few common schemes, including structuring,⁴ the Black Market Peso Exchange, Mexican bank drafts, and factored third-party checks. The Black Market Peso Exchange is the most common means of money laundering in the Western Hemisphere, used most prevalently by drug traffickers. The proceeds from illegal drug sales in the United States are “bought” by a peso broker in exchange for pesos, at a discounted exchange rate. The dollars in the United States are then re-sold for pesos to South American businessmen, again at a discount. The businessmen use the laundered U.S. dollars to purchase goods in the United States and illegally import them into their home countries.⁵ At the conclusion of the
transaction, the drug trafficker has pesos, the foreign businessman has U.S. purchased goods for his business, the broker has a commission for brokering the currency exchange, and the U.S. dollar drug proceeds are inserted (laundered) into the legitimate stream of commerce.

Since the enactment of the PATRIOT Act, money laundering has become a concern for all individuals and entities conducting business within or through U.S. borders. In the United States, both the Internal Revenue Service and the Department of Justice have divisions that investigate suspected money laundering crimes.⁶

BANK SECRECY ACT

Money laundering as a means to enable other criminal activity has been a favorite of the international criminal culture for decades, and therefore, a productive target for law enforcement. The United States Congress passed the Bank Secrecy Act in 1970⁷ with the main purpose of preventing financial institutions from being used as unwitting intermediaries for criminal activity. The law was expected to reduce illegal activity by removing an implementation device and by providing law enforcement with another means to more easily detect criminal schemes. To accomplish this, the BSA mandates that financial institutions⁸ file certain reports with the government relating to their customers’ use of currency and monetary instruments. The law also requires that the institutions maintain specific records for possible use in criminal, tax, and regulatory proceedings.⁹ A financial institution’s compliance with the BSA results in a paper trail that is useful in better identifying and tracing money laundering activities, which in turn, is expected to lead to identification and prosecution of the related underlying criminal activity.
This includes narcotics trafficking, terrorism, and other types of white collar and organized crime.

Because money laundering is such an active tool for the profiting from and disguising of illegal activity, the government takes it very seriously as evidenced by the number of money laundering convictions from 1996 through 2000. In fact the number of convictions was clearly on the rise even prior to the September 11, 2001, terrorist attacks and the enactment of the PATRIOT Act. (See Compliance Insight 7.1).

Reporting Requirements

The BSA requires financial institutions to report many types of transaction activity. Currency Transaction Reports (CTRs) are required to be filed by a financial institution with the United States Treasury Department for any cash deposits, cash withdrawals, exchanges of currency, or other transfers
of cash in excess of $10,000. A financial institution must treat multiple currency transactions as a single transaction if they are conducted by or on behalf of the same individual and total more than $10,000 in cash received or disbursed during one business day.

COMPLIANCE INSIGHT 7.1: DEFENDANTS CONVICTED ON MONEY LAUNDERING COUNTS (1996–2000)

                                                   1996    1997    1998    1999    2000
ML as Primary Sentencing Guideline                  853     929     973   1,061   1,106
ML as Any Count of Conviction                     1,145   1,219   1,338   1,542   1,565
Total Defendants Convicted of Money Laundering    1,998   2,148   2,311   2,603   2,671

Source: U.S. Sentencing Commissionᵃ

[Chart: Defendants Convicted on Money Laundering Counts, 1996–2000. Vertical axis: # of Defendants. Series: ML as Primary Sentencing Guideline; ML as Any Count of Conviction.]

ᵃ “2002 National Money Laundering Strategy”; Department of the Treasury & Department of Justice; July 2002, 27.

Suspicious Activity Reports (SARs) must be filed to report any suspicious activity that may relate to the violation of any laws or regulations. Specifically, SAR filing requirements compel banks¹⁰ to file a SAR following the discovery of: any type of insider abuse; violations of federal law when the aggregate amount is $5,000 or more; and transactions in aggregate of
$5,000 or more that may potentially involve money laundering, violations of the BSA, attempts to evade BSA reporting requirements, or have no business or apparent lawful purpose.¹¹ A bank is required to file a SAR in a timely manner, which in most cases means no later than 30 days from the bank’s initial detection of facts that may constitute a basis for suspecting that an activity constitutes “suspicious activity,” and in no case more than 60 days.¹² The law imposes similar requirements on non-bank financial institutions as a result of the PATRIOT Act.¹³ Other non-bank “financial institutions” now subject to the regulations of the Bank Secrecy Act and its reporting requirements as a result of the PATRIOT Act include mutual funds,¹⁴ insurance companies,¹⁵ securities brokers and dealers,¹⁶ money service businesses,¹⁷ and casinos.¹⁸ All of these classified businesses must now equally comply with the reporting and recordkeeping requirements of the BSA.

The international transport or maintenance of cash or other assets requires United States persons or businesses, including financial institutions that are subject to U.S. jurisdiction and have an interest in, signature, or other authority over one or more bank, security, or other financial account in a foreign country with an aggregate value exceeding $10,000 at any time during the year to file a Report of Foreign Bank and Financial Accounts (FBAR). The Financial Crimes Enforcement Network (FinCEN)¹⁹ defines the term “United States person” as “a citizen or resident of the United States, a domestic partnership, a domestic corporation, or a domestic estate or trust.”²⁰

Record Keeping Requirements

BSA regulations require financial institutions to maintain certain records for a period of five years. The records are to be retained, in part, to allow for the reconstruction of transactions if needed.
These recordkeeping requirements include monetary instrument sales records and funds transfer recordkeeping (travel rule) requirements.²¹

In addition to the necessity of filing CTRs on transactions involving cash over $10,000, a bank must maintain records of cash sales of all monetary instruments, including bank checks, drafts, cashier’s checks, money orders, and traveler’s checks between $3,000 and $10,000, inclusive. These records include evidence of the purchaser’s identity and other detailed information. Banks are also required to retain records of all fund transfers of $3,000 or more that it sends, receives, or for which it acts as an intermediary. The type of information that the bank must retain is dependent on its role in the funds transfer process. Also, as the transfer originator or intermediary, the bank is required to pass on certain information to the next bank in the transfer chain.²²
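The CTR aggregation rule and the record-keeping thresholds described above can be expressed as monitoring logic. The following is an added illustration, not code from the book or from any regulator: the Txn record, the function names and the sample transactions are constructed for this example, and it assumes that cash received and cash disbursed are totalled separately.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the chapter text.
CTR_THRESHOLD = Decimal("10000")                        # CTR: cash "in excess of $10,000"
INSTRUMENT_BAND = (Decimal("3000"), Decimal("10000"))   # cash instrument sales, inclusive
TRANSFER_RECORD_MIN = Decimal("3000")                   # fund transfers "of $3,000 or more"


@dataclass(frozen=True)
class Txn:
    """Hypothetical transaction record used only in this example."""
    txn_id: str
    business_day: str   # ISO date of the institution's business day
    person: str         # individual the transaction is conducted by or on behalf of
    kind: str           # cash_in | cash_out | instrument_cash_sale | funds_transfer
    amount: Decimal


def ctr_candidates(txns):
    """Group cash by (person, business day, direction) and return totals over $10,000.

    Multiple cash transactions for the same individual on one business day are
    treated as a single transaction. Assumption: cash_in and cash_out are
    totalled separately rather than netted against each other.
    """
    groups = defaultdict(list)
    for t in txns:
        if t.kind in ("cash_in", "cash_out"):
            groups[(t.person, t.business_day, t.kind)].append(t)

    hits = {}
    for key, items in groups.items():
        total = sum((t.amount for t in items), Decimal("0"))
        if total > CTR_THRESHOLD:   # strictly "in excess of"; exactly $10,000 does not trigger
            hits[key] = {
                "total": total,
                "txn_ids": [t.txn_id for t in items],
                # True when no single transaction crossed the threshold, i.e. the
                # report is triggered only by aggregation; worth analyst review
                # for possible structuring.
                "aggregated_only": all(t.amount <= CTR_THRESHOLD for t in items),
            }
    return hits


def recordkeeping_required(txns):
    """Return ids of transactions that fall under the record-keeping rules."""
    low, high = INSTRUMENT_BAND
    ids = []
    for t in txns:
        if t.kind == "instrument_cash_sale" and low <= t.amount <= high:
            ids.append(t.txn_id)
        elif t.kind == "funds_transfer" and t.amount >= TRANSFER_RECORD_MIN:
            ids.append(t.txn_id)
    return ids


D = Decimal
# Constructed sample data (not real transactions).
SAMPLE = [
    Txn("T1", "2024-03-04", "alice", "cash_in", D("6000")),    # deposited by a courier for alice
    Txn("T2", "2024-03-04", "alice", "cash_in", D("4500")),    # same day: total 10,500
    Txn("T3", "2024-03-04", "alice", "cash_out", D("3000")),   # other direction, not added in
    Txn("T4", "2024-03-04", "bob", "cash_in", D("10000")),     # exactly at threshold
    Txn("T5", "2024-03-05", "bob", "cash_in", D("500")),       # different business day
    Txn("T6", "2024-03-04", "carol", "cash_out", D("12000")),  # single large withdrawal
    Txn("T7", "2024-03-04", "dave", "instrument_cash_sale", D("3000")),
    Txn("T8", "2024-03-04", "dave", "instrument_cash_sale", D("2999.99")),
    Txn("T9", "2024-03-04", "erin", "funds_transfer", D("3000")),
    Txn("T10", "2024-03-04", "erin", "instrument_cash_sale", D("10000")),
]

if __name__ == "__main__":
    for key, hit in sorted(ctr_candidates(SAMPLE).items()):
        print(key, hit)
    print("records required:", recordkeeping_required(SAMPLE))
```
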
USA PATRIOT ACT

Since its enactment in 1970, the BSA has undergone several amendments aimed at strengthening its AML and counter-terrorism objectives. Of these amendments, the most significant is itself a new, robust, and somewhat more novel law. On October 26, 2001, President Bush signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, more commonly known as the USA PATRIOT Act. Title III of the Act strengthens the laws to counter money laundering and makes significant amendments to the BSA.²³ This new law places new and enhanced legal obligations on a variety of businesses in the financial services arena. With this heightened focus on money laundering prevention and detection, even an innocent or unintentional act falling under the definition of “money laundering,” unrelated to other criminal activity, may not go as unnoticed as in the past, and may not be dealt with lightly.

The PATRIOT Act is a far-reaching statute that allows for the tracking and intercepting of communications for law enforcement and foreign intelligence gathering purposes.²⁴ It also provides regulatory authority to the Secretary of the Treasury over U.S. financial institutions to ensure the prevention, detection, and prosecution of foreign money laundering and the financing of terrorism.²⁵ The Act has also significantly expanded the definition of a “financial institution” to include new types of entities, including all credit unions, a more detailed definition of money transmitters, futures commission merchants, commodity trading advisors, and commodity pool operators.²⁶ In general, the federal government’s powers are strengthened by the Act in three areas: regulations, criminal sanctions, and forfeiture.²⁷

Regulations

The PATRIOT Act amends the BSA and expands the Secretary of the Treasury’s authority to regulate U.S.
financial institutions’ activities, especially those activities dealing with foreign individuals and entities. Some of the regulatory changes of the amendments include “special measures” and “enhanced due diligence” requirements to:

- Battle against foreign money laundering,
- prohibit the maintenance of correspondent accounts with foreign shell banks,
- prevent the use of a financial institution’s concentration accounts to conceal customer’s financial activities, and
- establish minimum new customer identification standards and recordkeeping, along with more effective means to verify the identity of foreign customers.²⁸
The Act also encourages the sharing of information regarding suspected money laundering and terrorist activities among financial institutions and law enforcement agencies. Most importantly for financial institutions, the Act requires all financial institutions to implement and maintain an anti-money laundering program. An effective program would, at a minimum, include a compliance officer; an employee training program; internal policies, procedures and controls; and an independent audit function.²⁹

Criminal Sanctions

New crimes were created by the PATRIOT Act, along with amendments to and increased penalties for previously existing crimes. The Act expands money laundering within the United States to include funds that are the proceeds of foreign crimes of violence and political corruption. It also bans the laundering of the proceeds from cybercrime and prohibits supporting terrorist organizations. The penalties for counterfeiting are also increased by the Act and it provides the government with the authority to prosecute overseas fraud involving American credit cards. In addition, the Act permits the prosecution of money laundering in the location that the predicate offense occurred.

Forfeiture

Criminal forfeiture can be ordered by the court as a sanction to an individual or entity convicted of a violation of Title 18 of the United States Code, Sections 1956, 1957, or 1960. A forfeiture finding requires the accused to forfeit to the U.S. government all property (real or personal), that is used for or is the proceeds of the criminal offense. Any property traceable to the assets that are directly involved is also subject to forfeiture.³⁰ The U.S. Department of Justice has an Asset Forfeiture Program designed to seize the assets that are the proceeds of, or were used to facilitate federal crimes. The Asset Forfeiture Program is funded by an Asset Forfeiture Fund (“Fund”) as established by the Comprehensive Crime Control Act of 1984.
The Fund is self sustaining—it receives the proceeds of any forfeiture and in turn is used to pay for the cost associated with future investigations and prosecutions.³¹

The PATRIOT Act establishes two new types of forfeitures. First, the Act permits the confiscation of all of the property from an entity or individual who participates in an act of terrorism, either domestic or international. Any property derived from or used to aid domestic or international terrorism can also be confiscated. The Act enables the government to establish a mechanism to acquire long-arm jurisdiction for forfeiture proceedings and allows the United States to enforce foreign forfeiture orders. Lastly, the
Act permits the seizure of correspondent accounts held in U.S. financial institutions for foreign banks that are holding forfeitable assets overseas.³²

NON-FINANCIAL INSTITUTIONS

While the BSA and the PATRIOT Act govern the actions of “financial institutions,” other types of entities should be alert to inadvertent implication in money laundering activities. For example, persons involved in any trade or business are required to file an IRS/FinCEN Form 8300 for cash transactions over $10,000, and can face severe penalties for failure to comply, even if not a financial institution subject to the BSA.³³ Rules similar to those under the BSA apply to this form if related cash transactions appear to be structured in a manner intended to avoid a Form 8300 reporting. Violations of the requirement of a Form 8300 filing can be subject to criminal prosecution resulting in penalties up to five years in prison or fines from $250,000 to $500,000 for individuals and corporations, respectively.³⁴

COMPLIANCE PROGRAMS

At this point, it should be clear that an anti-money laundering compliance program for financial institutions is no longer optional. The complexity of anti-money laundering compliance has matured over time. In the last 10 years, automated software has been developed and banks have beefed up their AML compliance functions. Today’s software programs are sophisticated monitoring systems that look at transactions that come into and out of an institution and look for patterns in activity. Patterns that are out of the ordinary are then signaled for further manual investigation.
In addition, the government has put more definition on what it expects from the financial institutions (e.g., the PATRIOT Act provided for enhanced due diligence requirements and “know your customer” [KYC] has become the norm). Many banks kept up with the enhancements and government expectations; however, not all have.

Even with the banking industry’s deep experience in the area of AML compliance, there are several reasons why financial institutions continue to fall under the scrutiny of prosecutors. Non-bank financial institutions are relatively new to the AML compliance game and are short on experience with the regulations and with compliance program implementation. This lack of experience puts these businesses in a position of great risk of legal violations. The government has lost its tolerance for lax compliance, particularly given the link between money laundering and terrorism.³⁵
Many financial institutions still have antiquated programs that have not been enhanced to meet the current standards of increased scrutiny. Others have off-the-shelf AML programs that are not customized to the unique attributes of the specific operation. The same way that lax AML programs are not being tolerated, AML programs that are not properly or adequately enhanced and updated are also being targeted as money laundering activity by the government.

Today the government expects effective, well-staffed AML programs. It will no longer accept an institution’s compliance efforts that are stuck in the past or otherwise unable to function in the current environment, or that fail to meet the current standards. The government expects financial institutions to keep up with the requirements and the sophistication of the times as the regulations change to combat new methods of laundering money and more craftily conceal criminal and terrorist activity. The penalties for failure to meet the requirements of the BSA and PATRIOT Act can be severe.³⁶ Today, financial institutions should not rely on their programs’ past successes or their view of the “industry norm,” nor should they expect that the potentially burdensome cost of enhancing their AML programs will buy them any leniency.
These problems will likely affect smaller banksmore because of their lack of financial strength, regulatory sophistication,and economies of size, but larger, money center banks, that are large-scalefinancial institutions that provide numerous financial services on a nationalor international level, will be affected as well.Financial institutions often end up in the spotlight of a money launder-ing investigation through the institution’s acceptance of funds associatedwith criminal law enforcement investigations unrelated to the institution.Large banks have now had decades of time and experience refining theirAML programs and many have become reasonably adept at preventingand detecting money laundering activity. That causes illicit money to findanother path in an attempt to avoid detection. Because the large banksare more likely today to detect illicit money flowing through their moresophisticated detection programs, tainted money has begun moving throughsmaller banks, banks new to the U.S. regulatory arena, and non-bank finan-cial institutions that, from a compliance perspective, are less sophisticated.This presents a significant risk to these businesses that are now coveredby the AML laws. As time passes, these institutions can expect to see lawenforcement money laundering investigators show up on their doorstepswith greater frequency. This throws them into the heart of these inves-tigations and puts their AML compliance efforts under the microscope.Consequently, it has become a necessity that these institutions be informedon the current regulatory environment and be prepared with effective AMLcompliance programs.
The requirement for financial institutions to implement and maintain an anti-money laundering program is not a hollow mandate. According to the BSA and the PATRIOT Act, financial institutions must implement a compliance program that permits them to monitor and identify suspicious activity, which can then be reported to the Treasury Department in a timely manner. Compliance requirements not only apply to the corporate entity, but also to employees of the institution. The law and the government impose obligations on the institution and the employees to watch over the propriety of customers’ activities. The institution can be subject to fines, penalties, and criminal sanctions. In addition, employees can individually be subject to criminal sanctions as well, including jail. Some of the common deficiencies of compliance efforts include lax programs and the continuation of older programs not enhanced to meet current standards, as discussed earlier. The government has proven through its prosecution efforts that an institution’s claim that a program is on par with historically common industry practices or that the cost of an enhanced AML program is too burdensome are not acceptable defenses. Effective compliance programs should be viewed as living efforts that need to continually evolve with time and circumstances.

As part of the requirements to establish and maintain an effective anti-money laundering program, at a minimum, the institution is required to have a designated compliance officer; an ongoing employee training program; adequate and effective internal policies, procedures and controls; and an independent audit function to test programs.37 Ultimately, these programs must be designed and function to prevent the institution from actively conducting or unknowingly participating in money laundering.

At a minimum, the program must be reasonably designed to capture and identify any activity that is unusual or suspicious. In order to detect unusual (and therefore possibly suspicious) activity, an institution must have an appropriate customer due diligence program in place to “know their customers” and have procedures and systems in place to monitor the customer’s account activity for unusual or suspicious transactions. In order to adequately accomplish this requirement, most financial institutions today, especially banks, include as an element of their AML program an automated monitoring system for account activity analysis.

Successful activity monitoring programs consider aspects such as red flag type activity, the customer’s business, account profile, and related risks. Better procedures also call for reviews of a customer’s total relationship, not simply an account-by-account review. In the face of an unusual transaction, isolated account analysis is viewed by prosecutors today as inadequate to make judgments about the legitimacy of the specific transaction or the customer’s activity. When potentially suspicious activity is identified, the institution is then required by the BSA and PATRIOT Act to perform an
investigation into the potentially suspicious activity and determine whether it rises to the level that would require the filing of a SAR.38

Red Flags

Many types of transactions and conduct can constitute potentially suspicious activity and should signal a red flag to a financial institution. Defining and paying attention to red flags in a monitoring system, or elsewhere, is critical to the proper functioning of an adequate compliance program. Once a red flag is signaled, it requires the institution to further investigate the transaction or activity and determine whether a SAR should be filed. Under certain circumstances, appropriate action by the institution may require that an account be closed or customer relationship terminated. These determinations need to be part of the overall compliance program and made on a case by case basis. Failure to take appropriate (and sometimes strong) action against an account holder (depending on the facts) could weigh negatively against the institution in a criminal money laundering investigation.

The following types of activity are examples of “red flags” that could signal potential suspicious activity. These examples also instinctively point out other necessary elements of a good compliance and customer due diligence program by the very nature of the underlying knowledge needed to spot the red flag. These examples are by no means comprehensive.

1. Activity inconsistent with the customer’s business:
Activity that is inconsistent with a customer’s business or stated account purpose should always be a red flag and at a minimum requires appropriate inquiries. Of course, this requires a robust KYC program in order to know and understand the customer’s business from the inception of the relationship. An institution needs to protect itself from possible suspicious activity conducted by its customers and also protect its customers from potential fraud attempts. Some examples of potentially suspicious activity that may be inconsistent with the customer’s business include a retail business that makes routine check deposits, but rarely makes cash withdrawals for daily operations; a business that frequently deposits large amounts of cash, but checks, or debits on the account are inconsistent with that type of business; and a customer’s corporate account that primarily has withdrawals and deposits in cash rather than in checks or wire transfers.

2. Avoidance of reporting or recordkeeping requirements:
Any attempt by a customer to avoid a bank’s (or other institution’s) reporting and recordkeeping requirements, as required by the BSA,
should be considered a red flag and be investigated and reported. Common schemes used in attempted avoidance include a customer intentionally withholding part of a cash transaction to keep that transaction under the reporting threshold; a customer who is reluctant to either provide the information necessary to file the report or to proceed with the transaction and have the report filed after being informed of the reporting requirement; and a customer or group who tries to coerce a bank employee into not filing any required recordkeeping or reporting forms.

3. Fund (wire) transfers:
Many types of wire transfers should potentially raise suspicion and be cause for further investigation by an institution. In fact, some of these types of red flag activities may be activities for which automated systems can routinely and easily monitor. Examples of potentially suspicious wire activity for which an institution should monitor, automated or otherwise, include large, round number wires; frequent or large volume of wires to and from offshore banks; payments or receipts with no apparent links to legitimate contracts, goods, or services; and wire activity to or from financial secrecy haven countries without an apparent business reason, or when it is inconsistent with the customer’s business or history.

4. Insufficient or suspicious information provided by a customer:
When a bank is presented with incomplete, conflicting, or suspicious information by a potential or existing customer, it should consider this suspicious and perform further inquiries to determine whether a SAR should be filed and the relationship denied or terminated. Common cases of such information include a reluctance by a business that is establishing a new account to provide complete information about the business’s purpose, prior banking relationships, names of officers and directors, or its location; a customer’s refusal to provide information necessary to qualify for credit or other banking services; a spike in a customer’s activity with no, little, or illogical explanation; discovery that the customer’s home or business phone is disconnected; and a difference in the customer’s financial statements from those of similar businesses.

5. Certain activity or behavior by a bank employee:
Not all suspicious, red flag activity is conducted outside the bank. Some red flag activity is conducted in-house by bank employees, whether it is to aid customer illegal activity or to perpetrate some other type of fraud. There are usually warning signs that are exhibited by bank employees involved in these types of activities, including a lavish lifestyle that cannot be supported by the employee’s salary; refusal to conform
to recognized systems, policies, and controls, particularly in private banking; and a reluctance to take a vacation.

6. Other suspicious customer activity:
Other types of suspicious customer activity include substantial deposit(s) of numerous $50 and $100 bills; frequent exchanges of small dollar denominations for large dollar denominations; a large loan suddenly paid down with no reasonable explanation; deposits or disbursements to countries and jurisdictions outside of the customer’s normal geography; money orders or travelers checks, which are numbered sequentially, are in round dollars, or have unusual stamps/symbols on them and are deposited by mail; and the use of loan proceeds in a manner that is not consistent with the stated purpose of the loan.

These red flags are not meant to represent an exhaustive list of activities that suggest possible money laundering, but are rather a sample of common examples of red flag activity. Additionally, as those involved in laundering illicit proceeds alter their methods in new and creative ways in order to avoid detection, additional red flags will arise. AML compliance programs need to be able to adapt to these new methods and recognize additional red flags to incorporate them into their suspicious activity detection efforts.

Internal Controls and the Audit Function

In order to have a truly effective AML compliance program, a financial institution needs to have properly designed internal controls in place and the appropriate, periodic independent audit function to test those controls and the program as a whole. Proper controls should cover every aspect of the institution’s compliance program, from account opening and acceptance to activity monitoring to employee training and suspicious activity reporting. A good control structure will have separation of key duties; proper level and separation of sign-off approvals for various acceptances such as account opening paper work, account monitoring, wire processing, and credit issues; defined processes for SARs, CTRs, and other reporting requirements; and an incorporation of compliance responsibilities in job descriptions and performance evaluations of employees. However, having the policies and controls is not sufficient; they need to function effectively. A financial institution is also required to have an independent audit function to test its compliance programs.39 This testing should be independent from the institution’s management and compliance department and should, at a minimum, assess the following:

The overall integrity and effectiveness of the systems, controls, and technical BSA/PATRIOT Act compliance;
transactions, through test samples, in all areas of the institution (with emphasis on high-risk areas, products, and services) to ensure the institution is following the prescribed regulations and internal policies and procedures;
the employees’ knowledge of regulations and procedures;
the adequacy, accuracy, and completeness of training programs; and
the adequacy of the institution’s process for identifying and reporting suspicious activity.

The findings of the independent audit testing should be part of the institution’s governance and senior management processes and given serious attention by both.

THE RISE OF FOREIGN STATUTES

Historically, the U.S. Bank Secrecy Act and related U.S. anti-money laundering laws were considered the model to emulate. In fact, many other countries were known for not having similar or complementary laws and regulations, which consequently encouraged the use of those countries as money havens and frustrated the ability to investigate U.S. money laundering activity. However, today, many other countries are following the lead of the United States and have recently enhanced their AML efforts and have enacted their own regulations and requirements. The Bahamas, Switzerland, Indonesia, and Colombia are examples of just a few of the countries taking steps to enhance their AML protocols.

Banking havens like the Bahamas and Switzerland have enacted a myriad of statutes and regulations, contributing to the global fight against the facilitation of criminal activity through the use of the financial systems to launder criminal proceeds. In fact, both the Bahamas and Switzerland have enacted significant know-your-customer requirements, have further detailed their requirements for reporting suspicious activity and have increased or plan to increase the types of crimes that are predicate offenses of money laundering, which will include crimes related to terrorism activities.40

Indonesia has recently come far in its efforts to improve its anti-money laundering environment. As a result of these ongoing efforts, Indonesia was removed from the Financial Action Task Force’s (“FATF”) list of Non-Cooperative Countries and Territories (“NCCT”) on February 11, 2005, and also from special FATF monitoring one year later.41 In April 2002, Indonesia passed a law that made money laundering a criminal offense and identified 15 predicate offenses related to money laundering. Indonesia also enacted know-your-customer requirements, currency transaction reporting requirements, and suspicious activity reporting requirements.
Even Colombia, a country where the laundering of drug money permeates its economy and affects its financial institutions, has established banking and anti-money laundering laws that in some areas are more stringent than those in the U.S. In fact, Colombia is viewed as the hemispheric leader in the effort to fight money laundering. Colombia criminalized the laundering of proceeds from various types of criminal activities and it has enacted specific laws to combat some of its specific problem areas. In October 2005, Colombia made it illegal to transport more than the equivalent of $10,000 in currency across its borders, inbound or outbound. This step was done in order to combat the issue of bulk cash smuggling in and out of the country.42

As now seen in the efforts of these countries, and others, the U.S. is no longer the lone jurisdiction with significant and improving AML laws and regulations. Advancements in many countries around the world that have historically been magnets for money laundering activity are impressive and noteworthy, and are indicative of the international shift to comply with a stricter stance against money laundering and the underlying criminal activity.

NOTES

1. Public Law 107-56.
2. 31 U.S.C. 5311-5330; 12 U.S.C. 1818(s), 1829(b), and 1951-1959.
3. 18 U.S.C. 1956-1957. Money laundering is a criminal act as defined in Title 18 of the U.S.C.
4. Structuring refers to separating large cash transactions into multiple smaller transactions in order to avoid the requirements of the BSA to file Currency Transaction Reports (CTRs) for all cash or cash equivalent transactions that exceed $10,000.
5. Javier Sarmiento, “Money Laundering: Black Market Peso Exchange: An International Scheme,” Fraud Magazine, July/August 2007, 24.
6. www.irs.gov; www.doj.gov.
7. 31 U.S.C. 5311-5330; 12 U.S.C. 1818(s), 1829(b), and 1951-1959.
8. The BSA has a narrower definition of “financial institutions”; however, the PATRIOT Act further expands this definition.
9. Regulatory Bulletin RB 18-6, Compliance Activities Handbook, Office of Thrift Supervision, Department of the Treasury, March 31, 2004, 1.
10. The definition of bank in the regulations (even before the PATRIOT Act) is quite broad to mean any depository institution such as a commercial bank, thrift, and credit union.
11. 31 CFR 103.18.
12. Ibid.
13. For example, effective December 22, 2003, the Bank Secrecy Act regulatory requirements of 31 CFR 103 were amended to add futures commissions merchants and introducing brokers in commodities to the definition of “Financial Institutions” for the purpose of Suspicious Activity Reporting.
14. 31 CFR 103.15.
15. 31 CFR 103.16.
16. 31 CFR 103.19.
17. 31 CFR 103.20.
18. 31 CFR 103.21.
19. FinCEN is a U.S. law enforcement agency under the Department of the Treasury.
20. www.fincen.gov/regfbar.html.
21. See, e.g., 31 CFR 103.33(g)—The “Travel Rule” requires financial institutions to include certain information in transmittal orders relating to transmittals of funds of $3,000 or more.
22. Ibid.
23. Public Law 107-56. The USA PATRIOT Act also includes laws on the tracking and interception of communications, the ability to detain and remove foreign terrorists within U.S. borders, and surveillance measures regulations.
24. Public Law 107-56. Also see Charles Doyle, “The USA PATRIOT Act: A Sketch”; Congressional Research Service, The Library of Congress, April 18, 2002, 1.
25. Ibid.
26. Public Law 107-56 and 31 U.S.C. 5312(a).
27. Public Law 107-56. Also see Charles Doyle, “The USA PATRIOT Act: A Sketch”; Congressional Research Service, The Library of Congress, April 18, 2002, 3-4.
28. Ibid.
29. Public Law 107-56 and 31 U.S.C. 5318(h)(1).
30. 18 U.S.C. 982.
31. www.doj.gov.
32. Public Law 107-56.
33. “US indicts 23, including two Washington, DC area automobile dealership organizations, salesman, and managers,” Washington Post, March 12, 1993.
34. IRS/FinCEN Form 8300; www.irs.gov.
35. See e.g., BankAtlantic’s Deferred Prosecution Agreement, www.usdoj.gov/usao/fls/PressReleases/Attachments/060426-02.BankAtlanticDPA.pdf.
36. See, e.g., AmSouth Bank’s $50 million penalty. (www.usdoj.gov/usao/mss/documents/pressreleases/october2004/amprsrels.htm, www.fincen.gov/amsouthassessmentcivilmoney.pdf and www.federalreserve.gov/boarddocs/press/enforcement/2004/20041012/), Riggs Bank’s $41 million in criminal and civil penalties (www.usdoj.gov/tax/usaopress/2005/txdv050530.html and www.fincen.gov/riggsassessment3.pdf) and BankAtlantic’s penalty of $10 million (www.usdoj.gov/usao/fls/PressReleases/Attachments/060426-02.BankAtlanticDPA.pdf).
37. 31 U.S.C. 5318(h)(1) and Public Law 107-56.
38. Even banks that were not governed by the BSA prior to the PATRIOT Act were required to file SARs under other regulations such as 12 CFR 21.11.
39. 31 U.S.C. 5318(h)(1) and Public Law 107-56.
40. See, e.g., Bahamas Security Commission Interim AML and KYC Guidelines - April 2004; The Bahamas Financial Transactions Reporting Act, 2000; The Bahamas Financial Intelligence Act, 2000.
41. The Financial Action Task Force (FATF) is an inter-governmental body whose purpose is the development and promotion of national and international policies to combat money laundering and terrorist financing. www.fatf-gafi.org/pages/0,2987,en322503793223572011111,00.html.
42. Ibid.
About the Chapter Authors

Marc Sherman is a forensic accountant and Managing Director at Huron Consulting Group, an international consulting firm. He is the Fraud, White Collar, and Anti-Money Laundering Services leader for Huron Consulting Group, and is head of its Washington, DC Office. He was previously the National Partner in Charge of the forensic accounting practice at a Big Four accounting and audit firm. Marc has led hundreds of forensic investigations at corporate and financial institutions, both domestically and internationally and has frequently worked as a special consultant to the U.S. Department of Justice Criminal Division, anti-money laundering section, and other law enforcement and regulatory agencies to consult on investigations of suspected money laundering activity and other misconduct. He has also worked for foreign governments to conduct bank fraud investigations and asset recovery throughout the world. His work has included the review and consulting on the effectiveness and adequacy of BSA/AML compliance programs and the elements of those programs. He has authored several chapters on forensic accounting investigations and frequently speaks on the topics of fraud investigations and anti-money laundering. Marc is a CPA, a member of the Maryland and DC Bar, and a Certified Fraud Examiner. He is also on the faculty of Georgetown University where he teaches Forensic Accounting.

Laura Connor is a Manager in Huron Consulting Group’s Washington, DC office. Laura provides accounting and financial advice to companies and legal counsel on a variety of issues surrounding financial investigations and litigation. Laura has worked in a variety of industries and has extensive experience assisting government investigators with Bank Secrecy Act/Anti-Money Laundering compliance and fund tracing investigations as well as working with regulators on BSA/AML compliance and fund tracing issues.

David Meilstrup is an Associate in Huron Consulting Group’s Washington, DC office. He has conducted investigations into financial and accounting matters, and has assisted counsel in disputes and litigation matters. David’s experience spans across a variety of industries, including significant experience with financial institutions in the areas of money laundering activity, BSA/AML compliance, and frauds. David is a Certified Public Accountant, licensed in Virginia.
CHAPTER 8
Interview with an Ethics and Compliance Thought Leader

“To be good is noble. To teach others to be good is nobler. . . and no trouble.”
Mark Twain

John D. Copeland, J.D., LL.M., Ed.D., is an Executive in Residence at the Soderquist Center for Leadership and Ethics and Professor of Business at John Brown University. Prior to these positions, Dr. Copeland was Executive Vice President of Ethics and Compliance (1998–2003) at Tyson Foods, Inc.

Dr. Copeland holds a Juris Doctorate from Southern Methodist University, a Master of Laws in Agricultural Law from the University of Arkansas, and a Doctorate in the Administration of Higher Education from the University of Arkansas. He has twice received the American Agricultural Law Association’s Award of Excellence for Professional Scholarship, as well as the University of Arkansas’ Doctoral Dissertation of the Year Award. In 2001, the Center for Business Ethics, Bentley College, recognized him as an outstanding ethics officer by naming him an Ernest A. Kallman Executive Fellow.

Listed in Who’s Who in American Law, Dr. Copeland is a member of the State bars of Texas and Arkansas. Following years of private law practice, he directed the National Center for Agricultural Law Research and Information and was a Research Professor of Law at the University of Arkansas School of Law (1989–1998). He has authored numerous publications on business ethics, employer-employee relations, environment law, insurance coverage, product liability, food safety, workers’ compensation, and zoning. Since 1989, Dr. Copeland has presented approximately 300
lectures to universities, organizations, and businesses throughout the United States and Scotland.

The Soderquist Center for Leadership and Ethics where Dr. Copeland is affiliated is a not-for-profit organization founded in 1998 in affiliation with John Brown University’s Division of Business and Graduate Business Studies. Located in Siloam Springs, Arkansas, the Center is a global resource to equip people in the corporate and non-profit world with the transforming power of ethical leadership. The Center was named for Don Soderquist, Executive in Residence and former COO and Senior Vice Chairman of Wal-Mart Stores, Inc. For more information on The Soderquist Center, visit www.soderquist.org.

Dr. Copeland is truly a thought leader in ethics and compliance as both a renowned practitioner and educator in the field. In this wide-ranging commentary, Dr. Copeland discusses key issues, requirements, case studies, and related best practices and strategies for success in ethical conduct and corporate compliance.

Q: What is your definition of corporate compliance?

A: Corporate compliance is the corporation’s willingness to follow external and internal constraints. Externally, the corporation’s leadership and employees comply with federal and state statutes and rules. Internally the same people honor the company’s corporate code of conduct, policies, and procedures.

To be effective, however, one needs compliance combined with ethics. Employees need to know more than the “dos and do not’s” of compliance. They must believe in the corporation’s values and judge their conduct and decisions according to those values. Ethical conduct goes beyond mere compliance and deciding between right and wrong. Ethical conduct means choosing the best, or most ethical, course of conduct by applying the company’s values.

Q: Why are ethics and compliance so important in a corporate culture?

A: How a corporation acts as an organization reflects corporate culture. What a corporation’s leadership says about the corporation is important, but not nearly as important as business conduct. Most corporate policies promise workers respect and dignity. Sometimes, however, there is a difference between the promise and what occurs. Companies treat employees with dignity and respect by following equal employment laws, paying fair wages, providing opportunities for personal growth, and time to be with families. The corporate culture is the result of how employees are treated.
Other corporate declarations are subject to the same analysis. Corporations never publicly state that they pollute the environment. Instead, they produce well-written statements of their commitment to protecting the environment, even if they intentionally or recklessly release harmful contaminants into the environment.

Enron publicly stated its commitment to conducting business with integrity. On paper, Enron had a corporate code of conduct to protect its corporate values of respect, integrity, communication, and excellence. The public statements of Enron’s leadership, however, disguised a corrupt culture. The company’s ethics and compliance program did not work. The program helped hide from public scrutiny Enron’s corrupt culture of dishonest accounting. In comparison, an effective ethics and compliance program helps develop, sustain, and protect a healthy corporate culture based on values that guide corporate decisions.

Q: In your prior role at Tyson Foods, can you provide some illustrations how ethics and compliance paid off?

A: Tyson’s ethics and compliance program started under difficult circumstances. The program began after the company’s guilty plea to giving the Secretary of Agriculture illegal gifts. Early in the program, Tyson team members were unsure of the program and had many questions about it. Was the program a form of punishment? How long would it continue? Could you trust the people in charge of the program if you wanted to report a problem?

Eventually, Tyson members believed in the program and effectively used it. They became more trusting of the helpline that they could use to report suspected wrong-doing and do so anonymously if they wanted. Team members became comfortable with directly contacting the ethics office’s personnel. They learned to trust the ethics department. Team members’ use of the program allowed early intervention to deter problems. Team members reported possible acts of discrimination, misuse of proprietary information, recordkeeping errors, environmental violations, and conflict between employees, product tampering and many other potentially costly issues.

I knew the program was succeeding as the quantity of helpline calls increased and the quality of the calls changed. Team members became more sophisticated in the helpline’s use. Team member complaints became more specific. They used the helpline to report real concerns, rather than to complain because they were unhappy with other team members or management decisions. Team members
also began using the helpline to get advice before they acted. If they were uncertain about whether Tyson’s corporate code of conduct covered a proposed course of action, they would contact the ethics office and seek guidance. Besides using the helpline to get advice, team members also began meeting more often with ethics officers or directly calling the department to get ethics questions answered.

Ethics training sessions became more interactive. My deputy director, Jan Barnsley, and I always made training sessions interactive, but in time team members became more enthusiastic about training sessions. Team members increasingly asked questions during sessions and challenged each other’s responses. It also became obvious that team members were more knowledgeable about the corporate code and determined to follow it.

Q: Can ethics be taught to someone or is it a part of their makeup from an early age?

A: This question is often debated and I have asked myself that question. There are some variations on the question. Are some people inherently more ethical than others? Is it impossible to teach ethics to some people? If you can teach ethics, must it happen at an early age so ethical behavior becomes a part of a person’s makeup? After years as an ethics officer and professor, I have formed some opinions on the issue.

Ideally, people should learn ethical behavior at an early age. The younger someone is when taught the “Golden Rule” of treating others the way you would want to be treated, the more likely it is to become part of their character. Not everyone, however, gets such early training or, if they do, it does not become a part of their character. Some people refuse to behave ethically, just as some people refuse to follow the law.

Ethical behavior, however, can be taught to most people regardless of a lack of prior ethics training. You teach workers what behavior the company expects from them. You install a program that rewards ethical conduct and penalizes unethical behavior. Employees learn to apply the company’s values to business decisions. You cannot always change hearts, but you can affect conduct. Most employees will conform to the company’s expectations. Terminate the employment of those that will not behave ethically or legally.

Q: Who are your role models for ethical behavior?

A: In the business world, Don Soderquist is my primary model for ethical behavior. As Wal-Mart’s Chief Operating Officer, he set
a high standard for corporate and individual integrity and led by example. He continues to do the same today as he works in the United States and throughout the world with business and organizational leaders.

The late J.B. Hunt is another good role model. With a limited education, he built a trucking empire; J.B. Hunt, Inc. Mr. Hunt did so with vision and integrity. He treated his employees and others respectfully.

My father, Howard Copeland, is another role model. He owns a meatpacking plant and he is typical of many small business owners. My father gives his customers good service and keeps his word.

Q: Have you seen changes in ethical conduct since the enactment of the Sarbanes-Oxley Act?

A: Since the passage of Sarbanes-Oxley, many corporate directors are more diligent in fulfilling their fiduciary duties to shareholders. Directors miss fewer board meetings. They put in longer hours in preparing for meetings. Directors demand more timely information on issues before voting on them. Many directors are no longer passive and are more active in corporate governance.

Sarbanes-Oxley improved financial reporting by making financial reports more accurate and reflective of a corporation’s income. The requirement that a company’s chief executive officer and chief financial officer certify the accuracy of financial filings is reassuring to investors.

All publicly traded corporations now have corporate codes of conduct and at least some ethics and compliance training for executives and employees. I am aware that not every corporation places enough emphasis on ethics and compliance training. Some companies favor form over substance, but it is an improvement and I hope some of those programs will become more meaningful.

The most encouraging thing about Sarbanes-Oxley is how many privately held companies are voluntarily adopting Sarbanes-Oxley-like practices.
Some do so because they hope to someday go public. Many adopt Sarbanes-Oxley-like practices because they see the value in those practices and they want to be transparent companies of integrity.

Q: How best can a CEO reinforce compliance requirements within an organization?

A: The CEO is the company’s most visible leader. What the CEO does, or does not do, sets the pattern for the behavior of others. The best way for the CEO to reinforce compliance is to be accountable
to the same standards of behavior expected of others. A verbally abusive CEO should not be surprised when other company managers behave the same way towards subordinates. A CEO who uses company assets for personal use is by example telling employees it is acceptable for them to do it as well. Of course, when lower level employees get caught doing so they often pay a high price for their misdeeds.

You cannot have two different sets of compliance standards and an effective ethics and compliance program. If executives break company rules without consequences, then other employees will try to break the rules. Corporate hypocrisy is poisonous to any ethics and compliance program.

Q: What best compliance practices can you recommend for public and private companies?

A: Design any compliance program according to the seven requirements outlined in the Federal Sentencing Guidelines for Organizations (FSGO):

1. Establish standards of conduct reasonably capable of reducing the likelihood of criminal conduct;
2. assign overall responsibility for compliance to a specific high-level officer;
3. do not delegate discretionary authority to individuals with a history of illegal conduct or other conduct inconsistent with a compliance program;
4. communicate standards and procedures to employees and agents;
5. establish monitoring, auditing, and reporting systems;
6. enforce standards with discipline and incentives; and
7. take reasonable steps to respond to discovered criminal conduct.

Following the FSGO, however, does not ensure an effective ethics program. It only means you have met the minimum requirements. Best compliance practices require more than a “bare bones” program.

In drafting a corporate code, design a code that fits your organization. Involve the organization’s employees in assessing your company’s risks. Fit the code to those risks and stress meeting those risks. Do not simply take another company’s code and substitute your company’s name.
Give your ethics officer and the office as much independence as possible. Some companies place the program and ethics officer in the company’s legal department or within human resources. I believe to do so is a mistake. The ethics officer needs the independence and clout to deal with difficult issues. The ethics officer should report directly to the organization’s CEO and board of directors.

Also make sure the ethics officer receives the training necessary to do the job. Membership in the Ethics Officer Association (EOA) and attendance at EOA training programs is essential.

Introduce employees to the ethics program and corporate code of conduct when hired. Have employees sign a statement to follow the corporate code. Train employees on the code and repeatedly train them. Communicate the corporate code of conduct and company values to the employees by many means of communication. Use interactive seminars, posters, and newsletters to take the ethics and compliance program to the employees.

Include following the company’s ethics and compliance program in employees’ annual performance evaluations. Reward employees for ethical conduct.

Design an enforcement procedure for ethics and compliance violations that is fair to employees. Provide employees with some due process. Quickly look into complaints while providing accused employees with an opportunity to respond.

When punishment is necessary, the organization’s response should fit the offense. Not all violations should be employment-ending offenses. Minor violations may only need a verbal or written warning. Consistent enforcement and prompt responses are important.

Finally, regularly evaluate your program and adjust it as needed. Even the best programs can be improved.
Too many companies never examine, much less reexamine, the effectiveness of their programs.

Q: What, in your opinion, makes a program world-class?

A: Commitment is the difference between mediocre ethics and compliance programs and those that are world-class. The commitment starts with a company’s management. A company’s leaders committed to a program’s success create commitment in others. Commitment produces enthusiasm in the employees to support the program. Even more important, employees learn to trust the company’s ethics and compliance program. Commitment, support, and trust result in a world-class program.
Q: How does an organization choose its values?

A: A company chooses its values in two ways. One is a more formal means. A value statement may have been set up early in the company’s founding. Companies sometimes use advisers or focus groups to decide values. I teach a course on Mission, Vision, and Values and corporations use many of the same value statements. Commitment to excellence, communication, respect for employees, and respect for the environment are a few examples of what I find in corporate value statements. Too many corporations just look at what other companies have done and select some values that sound good for their own company. Some companies list so many values they become meaningless. There is no focus on what is important in deciding issues.

Ideally, employee representatives from throughout the company help identify company values. Values are effective when decided on and shared by the employees and management. Values go to a company’s core and set the boundaries for decisions. Core values remain fixed even as a company’s business changes.

A company’s values should permeate the company’s business and help ensure ethical and legal behavior. What values are important to the company’s leaders and employees? More important, what values are followed? Some companies have two sets of values. The first set is for public consumption. The second set is what takes place; or rather how the company works. Employees quickly discover whether a company practices its publicly stated values. Employees conform to those values practiced by the organization, rather than those pronounced to the public.

Q: How do you define tone at the top?

A: Tone at the top of an organization includes values, observations, and experiences with the company. First, what does management say orally and in print about the way the company conducts business? Specifically, what are the company’s declared values?
Second, what values are seen being practiced when business is conducted? What do employees and others see in the way management leads and does business? Do people see the company’s declared values practiced at all management levels?

Finally, what are the personal experiences of employees and others in dealing with a company’s management? For example, suppose a company declares honesty to be a core value. Honesty is stressed verbally in business meetings and the company’s literature. If employees and others see the company’s management being honest in financial reports and in business dealings, the company’s
core value of honesty becomes more real to them. If in their personal dealings with management they are treated honestly, then honesty is accepted as the business tone. The business leadership is trusted to behave honestly. If someone in the company does something dishonest, the act is treated as a departure from the company’s normal conduct. The business tone remains the same, so long as the company quickly addresses the dishonest act.

Q: Why is tone at the top so important in an organization?

A: The tone at the top permeates the entire organization. The Business Roundtable’s 2002 Principles of Corporate Governance¹ say that senior management is responsible for setting the tone to establish a culture of integrity and compliance. Employees behave as the company’s leadership behaves, especially those in midlevel management positions. Corrupt leaders naturally train followers to be corrupt. Followers who expect more from leaders will leave and go to work for companies whose leaders show integrity and expect it of others.

Q: How do great leaders demonstrate tone at the top?

A: All leaders demonstrate tone at the top through their actions. Leaders are role models. A leader’s conduct must consistently align with the company’s values. Great leaders uphold the company’s values during a crisis. Great leaders refuse to compromise the company’s core values, even if the refusal to do so is expensive. It is because those values are shared throughout the organization that great leaders can confidently take such action.

Johnson & Johnson’s reaction to the Tylenol crisis of the mid-1980s remains the gold standard for ethical leadership in a crisis. Through no fault of Johnson & Johnson, cyanide was found in some Tylenol bottles. Following its credo of putting patient welfare first, the company withdrew all Tylenol from the shelves. James Burke, Johnson & Johnson’s Chief Executive Officer, led discussions on the company’s response.
Burke reminded everyone of the company’s declared commitment to public safety. This is a position shared throughout the organization because of the company’s credo.

Q: Can you provide some examples of both good and bad tone at the top that you have studied?

A: I have already described Johnson & Johnson’s response to the Tylenol crisis and it is an excellent example of good tone at the top. There is another Johnson & Johnson story, often overlooked, that is also a good example. It shows the consistency of Johnson & Johnson’s commitment to its credo.
Baby oil is an important Johnson & Johnson product. Probably most people in the United States use the product at some point. Some people use baby oil as a tanning agent. Aware of the oil’s use in tanning, some Johnson & Johnson managers planned a multimillion dollar campaign advertising the tanning benefits of Johnson & Johnson baby oil.

The advertising campaign never happened. It was unveiled to the company’s top management about the same time as scientific research began linking skin cancer with sun exposure. Johnson & Johnson’s executives requested more information on the skin cancer issue before approving the advertising campaign. After reviewing skin cancer studies, the company’s management decided it did not want to encourage people to spend more time in the sun. The company scrapped an advertising campaign because of its credo to protect public health.

Merck & Company remains an example of a visionary company with an excellent tone at the top. With its founding, Merck’s leadership stressed the company’s vision of helping humanity by destroying disease. The company’s cure for “river blindness” is a great example of leaders fulfilling the company’s vision and values.

While researching cures for animal diseases, Merck scientists discovered a cure for river blindness. A parasitic worm causes the disease that plagues millions of people in developing countries. Merck’s drug, Mectizan, proved effective against the disease, but there was no commercial market for it. The people needing the drug could not afford it and government agencies were not willing to pay for the drug.
To relieve human suffering, Merck bore the cost of developing the drug, gave the drug away and paid for much of the drug’s distribution.

Unfortunately, examples of bad tone at the top are plentiful after the scandals of Enron, WorldCom, Tyco, Adelphia, and others. Any of those will do as examples of wretched excess and deception by an organization’s leaders.

Al Dunlap’s career as CEO of Scott Paper and then Sunbeam is an example of how one person can set a negative tone for an entire company. Dunlap earned the nickname “Chainsaw Al” for the cost cutting measures he put into place to turn around troubled companies. Whenever he took leadership of a company, employees rightfully feared for their jobs. Dunlap often quickly raised stock value, but his critics contend he did so by slashing research and development, and by forgoing necessary maintenance.
Another example I use to show bad tone at the top is Armand Hammer and Occidental Petroleum. As CEO, Hammer ran Occidental as his personal kingdom. Using the company’s money, he built a museum to house his personal art collection. This was after the Los Angeles County Museum refused certain demands to house his collection.

Arthur Andersen is a good study of tone at the top because of the decay that led to the company’s death. Arthur Andersen had a long history of integrity as a top accounting firm. Within the company, stories were told of how the company’s management turned away business rather than approving questionable financial practices. The company created a public review board made up of outside experts to visit Arthur Andersen facilities to ensure that company’s standards of integrity were met.

Gradually, the tone at the top changed as the company competed for profitable consulting contracts. The public review board ceased to exist. The lines became blurred between the company’s auditing and consulting activities. Questionable accounting practices were approved to keep clients’ consulting business. Arthur Andersen became embroiled in Enron’s scandal and shredded Enron financial documents sought by federal investigators. The Enron scandal destroyed Arthur Andersen. The company’s collapse shows the need to establish and preserve an ethical tone at the top.

Q: Can you provide some examples of effective tone at the top at Tyson Foods?

A: I can think of several outstanding examples. The first is Tyson’s commitment to diversity. Tyson’s chairperson, John Tyson, dedicated himself to diversifying Tyson’s leadership and to creating management opportunities for women and minorities. The company aggressively recruits women and minorities into management training programs and ensures that all Tyson employees get opportunities for advancement.
John Tyson and Tyson Foods have received well-deserved rewards for the company’s diversification efforts. Managers at all levels within the company are sensitive to diversity and the company’s dedication to diversifying management.

Second, Tyson aids poultry growers in environmental protection. While I was with Tyson, the company approved my idea of a poultry growers’ environmental awards program. Each year, Tyson honors its poultry growers that do an outstanding job of complying with environmental laws, are creative in protecting the environment, and improve wildlife habitat. Growers and the Tyson technicians assisting them strive hard each year to win one of the awards.
Besides receiving public recognition and a trophy, a donation in each grower’s name is made to a grower-selected environmental organization. Tyson management’s support of the program ensures its success.

Finally, Tyson’s management established a tone of generosity in donating Tyson products to fight hunger in the United States. Tyson supports Share Our Strength (SOS) and that organization’s efforts to feed hungry people. Tyson Foods also provides products and Tyson employees to aid in disaster relief. Such efforts are successful because of the tone set by Tyson’s management.

Q: How does an organization best exemplify tone at the top?

A: The organization’s culture best exemplifies the tone at the top. The culture is a product of the tone at the top. When compliance and ethics become embedded in a company’s culture they control business decisions. Neither management nor employees tolerate illegal or unethical conduct. The company’s values guide business decisions.

Q: How does an organization measure tone at the top?

A: Others already measure tone at the top for an organization. Fortune magazine and other publications yearly evaluate companies on the triple bottom line of economics, social responsibility and environmental sustainability. An entire industry exists to evaluate companies for effective corporate governance. Social research firms such as Kinder, Lydenberg, Domini & Company (KLD) help identify the best corporate citizens. The information provided by such sources at least tells company leaders of the public’s opinion of the company’s tone at the top.

Self-examination, however, is the best means of measuring tone and it begins with a company’s employees. Employees should be surveyed about the company’s values and how well those values are met. Let employees answer anonymously without any fear of retribution.
Take seriously candid assessments by employees and respond suitably.

Do similar surveys among other corporate stakeholders, such as suppliers and customers. Even if the opinions of others contain some misconceptions, knowing that those exist gives the company an opportunity to correct them.

Eventually, the marketplace measures tone at the top. People invest in, and do business with, ethical companies.

Q: Options backdating is the compliance failure du jour with dozens of companies under investigation. Why and how did tone at the top
fail in these cases? What could have been done to prevent this from happening?

A: Options backdating represents two leadership frailties. The first is a false sense of entitlement. Executives whose stock option strike prices are “cherry picked” from dates when the company’s stock values were low believe themselves entitled to financial rewards without working to increase company value. Backdating does not need any business planning or leadership skills that increase shareholder value.

Second, backdating shows a lack of trust by executives in their management skills. If they use as a strike price the market value of their shares when the options are granted, they implicitly send the message that their management efforts increase the company’s value. Executives and shareholders will benefit from the executives’ management skills. The message sent is very different when stock options are backdated. Backdating says the company’s management is unsure that it can increase shareholder value, but wants to be rewarded as if it has done so. In a sense, backdating is cheating. It is profit without risk.

What to do about backdating is simple. Boards of directors should forbid it. Many financial abuses occur because company boards are passive. Directors fail to fulfill the fiduciary duties owed to shareholders. They approve executive requests for excessive compensation, or, as regards backdating, rewards without performance.

Q: Can you provide any closing thoughts?

A: I fault directors for much of what goes wrong within for-profit and nonprofit organizations. Too many directors enjoy their titles, and the benefits that go with them, and ignore their fiduciary duties. I often lecture and write on the topic “Passive Board Members are Passé.” I focus on the fiduciary duties of loyalty, due care, and obedience when working with directors and how the courts define those duties.
Director training includes presenting directors with situations and asking them to respond given their fiduciary duties.

Another tactic I use to educate directors is to take them through directors and officers (D&O) liability insurance. Few directors are knowledgeable about D&O coverage and are too confident about D&O coverage protecting them from liability claims. When they get a greater understanding of D&O coverage and its limits, directors become very attentive to the need to meet fiduciary duties. It has been my experience that most directors appreciate thorough and challenging training programs.
NOTES

1. The Business Roundtable is an organization of chief executive officers of leading companies in the United States. The Business Roundtable is recognized as an authoritative voice on American business and corporate governance. Their Principles of Corporate Governance is a publication of the Business Roundtable that details their guiding principles for advancing corporate governance. Principles of Corporate Governance, The Business Roundtable, May 2002, available at www.businessroundtable.org/pdf/704.pdf.
CHAPTER 9

Building a World-Class Compliance Program: The Seven Steps in Practice (Part I)

“The time is always right to do what is right.”
Martin Luther King, Jr.

For a long time, both Congress and the American public believed that the penalties imposed upon white-collar criminals and organizations were far too lenient as compared to other crimes. The original 1987 version of the Federal Sentencing Guidelines (Guidelines) only covered the sentencing of individuals. A major gap remained concerning how organizations, such as corporations, partnerships, or other legally recognized forms of business would be treated if they committed crimes. Congress then directed the United States Sentencing Commission (USSC) to study this sentencing disparity and promulgate a new set of guidelines specifically addressing organizational offenders. On May 1, 1991, the USSC officially promulgated the Federal Sentencing Guidelines for Organizations (FSGO). They were later amended effective November 1, 2004 to provide even greater protection.

Chapter 8 of the FSGO covering organizational crime has been strengthened over the years, particularly by congressional directives authorizing the USSC to tackle particular issues, such as corporate crime. The amendments in 2004, coming in the wake of repeated instances of corporate scandal and a growing sentiment by the public that the problem must be dealt with, addressed the perceived need for improved compliance by organizations, as well as giving more direct guidance to those organizations that sought to enhance their own compliance efforts to prevent further scandal.
The FSGO were enhanced by emphasizing effective compliance and ethics programs in order to mitigate punishment for a criminal offense. The FSGO requires an organizational culture that encourages ethical conduct and a commitment to compliance with the law. Chief executives and directors are responsible and accountable to ensure compliance. Effective compliance programs must now have adequate resources, appropriate authority, training programs, reporting mechanisms, risk assessments, and periodic evaluations to promote an ongoing culture of compliance.¹

Of particular note to this book, the 2004 amendments modified the section promulgating the sentencing guidelines for organizations, adding an official definition of an effective compliance program. These revised guidelines specifically elucidated the importance and need for such a compliance program within an organization. Since these are the guidelines that will direct federal prosecutors and judges in evaluating an organization’s culpability (or lack thereof), it is imperative that a compliance program, at minimum, directly meet these standards.

As long as the Guidelines have been in effect, they have often been a source of great controversy.² Defense attorneys and their clients decried the sometimes draconian sentences handed out and judges lamented their inability to modify the mandatory minimums, particularly in cases involving drugs. This controversy reached the Supreme Court in 2004; many expected the justices to strike down the Guidelines once and for all. To the surprise of many observers, the Guidelines emerged more or less unscathed. In essence, through the trio of Blakely v. Washington, United States v. Booker, and United States v. Fanfan, the Court decided that while the Guidelines are no longer mandatory, judges may still constitutionally follow them in their sentencing decisions.
In practice, while judges have the freedom to depart from the recommended sentences, most of them still follow the Guidelines, or at least adhere closely to them. The same goes for federal prosecutors who still use them in charging decisions and sentencing recommendations. At the end of the day, the Guidelines still play an important role in the legal system.

THE SEVEN STEPS TO AN EFFECTIVE COMPLIANCE PROGRAM

The “Seven Steps” to an effective compliance and ethics program as detailed in the FSGO serve as the backbone for building such a program. They provide clear guidance on how to build it, and give great insight into the government’s expectations. When evaluating a potential case, prosecutors will be looking for a program that meets the requirements of the seven steps. If a company’s compliance program meets those steps, it can hope for
a reduced or suspended sentence, and at least provide more ammunition at the bargaining table. However, if the minimum requirements are not met, it is a clear indication to the government that the organization does not place a high value on compliance and ethical conduct. For if an organization cannot even adhere to seven well-known and readily achievable steps, why would the government believe that it would follow more complex and difficult regulatory guidelines?

According to the FSGO, to have an effective compliance and ethics program, “an organization shall exercise due diligence to protect and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (emphasis added).”³ Note the inclusion of the word shall; this indicates that this requirement is mandatory for those companies with a compliance program and that the government unconditionally expects these requirements to be followed. Even though the government expects strict adherence to the FSGO, it does recognize that not every violation will be prevented. “Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective.”⁴

The FSGO allow for the possibility that a rogue employee committed the crime. If this is the case, and if the company had an effective compliance program in place, the organization may be allowed to escape unscathed, provided it cooperates in the prosecution of the employee. The FSGO recognize that even the best compliance programs cannot catch every misdeed, particularly those of an employee operating alone.
Of far greater concern are those misdeeds performed by those in power within the company who actively subvert the compliance program for their own ends, or those companies who, upon discovery of the crimes, seek to cover them up rather than respond appropriately. Compliance Insight 9.1 is the story of fraud at the highest levels of a public company and the absence of a compliance program.

SEVEN STEPS OVERVIEW

The Seven Steps of Compliance as mandated by the FSGO require organizations to build and maintain an effective compliance and ethics program based on the following actions:

1. Compliance Standards and Procedures
The organization shall establish standards and procedures to prevent and detect criminal conduct and ensure compliance with the law. In
COMPLIANCE INSIGHT 9.1: ADELPHIA COMMUNICATIONS CORPORATION: A CEO’S PERSONAL PIGGY BANK

Thomas F. X. Feeney is a Client Specialist for the global law firm of Dewey & LeBoeuf. Prior to his affiliation with the firm, Mr. Feeney worked for ten years as a U.S. Postal Inspector. For the majority of that time, he investigated complex white-collar crimes including securities fraud, commercial bribery, and mail fraud. He was commended by several United States Attorney’s Offices and received the Executive Award of the Chief Postal Inspector for his exceptional work. Among his significant cases was the investigation of the massive corporate fraud at Adelphia Communications Corporation. Feeney’s investigation gave him great insight into the compliance failures that allowed the fraud to continue for so long without discovery. Here are his insights from leading the investigation.

When analyzing the corporate fraud at Adelphiaᵃ using the seven steps of an effective compliance and ethics program as identified in the 2004 Amendments to the Federal Sentencing Guidelines for Organizations, the company’s failure to adhere to the Guidelines is readily apparent. Adelphia’s most obvious failing was its lack of compliance with the first, and arguably most basic guideline: A firm must have in place standards and procedures to “prevent and detect criminal conduct.”ᵇ Nearly all of Adelphia’s problems stemmed from its lack of established standards and procedures. Adelphia did not have any means designed to prevent and deter criminal conduct; let alone deal with the most basic situations. In one case, the lack of written procedures to conduct a simple transaction led to concealment of the theft of some $50 million.

Adelphia’s dearth of established procedures can be traced directly to its history. Had the company developed under different circumstances, it might have codified its procedures, enacted internal controls, and prevented criminal conduct.
In short, had the company’s history been different, the fraud might not have occurred.

Adelphia was not like other companies because of its location and its management. Located in Coudersport, Pennsylvania, a town of 2,600 in rural Potter County, Adelphia’s headquarters was a two hour drive from Buffalo, New York, and a four hour drive from Pittsburgh, Pennsylvania. As a young engineer working for an electronics manufacturer, John J. Rigas’s commute took him through
Coudersport, where he bought the local movie theater. He diversified into providing television programming to a community that could not receive over-the-air broadcast signals, and in so doing, became one of the pioneers of cable television. He founded Adelphia in 1953 and, assisted by his sons Michael and Timothy, he was still running it in the 1990s. For years, Adelphia’s employees and management were drawn from the area surrounding Coudersport. It became the largest employer in the area, offering a good job in a place where few existed. Many employees had never worked at any other company and thus did not know how odd the company’s business practices were.

In 1999, Adelphia was still operating in rural Coudersport and still run like the mom-and-pop operation it had been. But there was a significant problem; it had become a public company in the intervening years. Things that may be common in a small business—loans taken by the founder, procedures created by management whim—are disastrous and potentially illegal in a public company. When John Rigas decided to take cash withdrawals from the company, he wasn’t a small shop owner borrowing money from the till. This “till” was a public company; its contents were owned by its shareholders, not by its management. And though John Rigas may have founded the company, managed its operations, held a lot of its stock, and sat on its board of directors, he did not own the company and thus had no right to its cash.

Adelphia’s lack of standards and procedures contributed heavily to the disastrous outcome. The company had no written procedures documenting under what circumstances money could be transferred to John Rigas. He did not sign loan agreements or execute notes. He just picked up the telephone and directed the transfers. After the company went public in 1986, the employees continued transferring money to his accounts whenever he requested it—as they always had done.
And they did so, not because it was written in any company procedure that they should transfer the funds, but because it was simply the way things had always been. No formal guidelines existed to counteract the corporate inertia. When one employee finally questioned the loan practice, only because he was not sure if there was a monthly limit, the company’s CFO determined that any amount in excess of $1 million per month had to be approved by him. Who was the CFO? John’s son, Timothy.

A company’s procedures should “at a minimum, be in written form and disseminated throughout an organization with the directive that they be followed”.c Adelphia had no policy for the cash transfers “in written form,” meaning knowledge of such a procedure could
not be “disseminated throughout [the] organization” and remained restricted to those few employees who processed the transfers. The lack of written procedures kept many from knowing about, thus being in a position to even question, this self-dealing practice at Adelphia. Those who may have questioned the cash transfers were not aware of them because of the company’s lack of transparency.

The unrecorded, unauthorized transfers of cash are the clearest example of the ad hoc nature of certain of Adelphia’s practices and how such practices were contrary to the most basic corporate compliance guideline. And while such transfers amounted to more than $50 million, they were only a part of John Rigas’s looting of the company he founded and sold to the public. At his later trial for corporate fraud, witnesses, including his personal accountant, addressed his additional use of the public company’s money to fund $1.6 billion of securities purchases and to repay more than $250 million of margin loans.

Codification of Adelphia’s procedures, especially the cash transfer procedure, should have been the company’s first step in establishing orderly operations and internal controls. Lacking written procedures, the company had no real chance of effectively and systematically reducing the likelihood of criminal conduct.

a This Compliance Insight addresses the fraud pursuant to which Adelphia officers and employees John Rigas, Timothy Rigas, Michael Rigas, James Brown, and Michael Mulcahey were arrested in July 2002. Many changes have occurred at the company since then and failure to differentiate between the pre-2003 Adelphia and the Adelphia of today would be a disservice to current management and the honest Adelphia employees who worked so hard to right the wrongs of the company’s earlier incarnation.

b United States Sentencing Commission, Federal Sentencing Guidelines Manual, 476, www.ussc.gov/2004guid/CHAP8.pdf.

c “U.S.
Sentencing Commission Announces Stiffened Organizational Sentencing Guideline in Response to the Sarbanes-Oxley Act,” Thompson Hine, June 1, 2004, www.thompsonhine.com/publications/publication6.html.

other words, an organization’s code of conduct must be robust and embed ethical conduct as an integral component of the ethics and compliance program.

2. Organizational Leadership and a Culture of Compliance
The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program. This would normally be the CEO, CFO, and the Board of Directors.
They shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
Specific individual(s) within the highest levels of the organization shall be assigned overall responsibility for the compliance and ethics program.
Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. The individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority on the effectiveness of the compliance and ethics program.
To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority of the organization.

3. Reasonable Efforts to Exclude Prohibited Persons
The organization shall use reasonable efforts not to include within the substantial authority personnel who the organization knew, or should have known through the exercise of due diligence, have engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

4. Training and Communication of Standards and Procedures
The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.
Training shall be provided to members of the governing authority, other high-level leadership, employees, and, as appropriate, the organization’s agents.

5. Monitoring, Auditing, and Evaluating Program Effectiveness
The organization shall take reasonable steps to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.
The organization shall take
reasonable steps to evaluate the effectiveness of the organization’s compliance and ethics program.
The organization shall take reasonable steps to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, where the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation, such as hotlines.
6. Performance Incentives and Disciplinary Actions
The organization’s compliance and ethics program shall be promoted and enforced consistently within the organization through appropriate incentives to perform in accordance with the compliance and ethics program.
The organization’s compliance and ethics program shall be promoted and enforced consistently within the organization through appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

7. Response to Criminal Conduct and Remedial Action
After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar conduct, including making any necessary modifications to the organization’s compliance and ethics program.
The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each compliance requirement to reduce the risk of criminal conduct identified through this process.5

In addition to these seven requirements, there are others that must be implemented by an organization. An organization must incorporate and adhere to industry practices and standards of compliance as required by government regulation. Unless this is followed, an organization is not considered as having an effective compliance and ethics program. Courts are required to sentence the company to at least probation if the organization failed to have an effective compliance program in place when one was required and can upwardly depart from the guidelines if a compliance program is not in place.
Organizations must remember that the way to avoid or at least lessen the impact of prosecution is through self-reporting, cooperation with the government, acceptance of responsibility, and an effective compliance and ethics program.6 Appendix A contains a detailed summary of the FSGO as well as recommended action steps to achieve effective compliance.

STEP 1: COMPLIANCE STANDARDS AND PROCEDURES

The FSGO require an organization to “exercise due diligence to prevent and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”7 Organizations must therefore “establish standards and procedures to prevent and detect criminal conduct”8 as well as ensure that
organizational policies and procedures are followed. This includes standards of business conduct and internal controls reasonably capable of reducing the likelihood of criminal conduct and other violations of policy. While this is usually embodied in a code of conduct for the organization, something much deeper is needed. That is an ethical culture built into the structure of the organization. This institutionalization of ethics and compliance will transcend any one person and continue far after executive leaders have come and gone. It is hard to find an ethical collapse that would still have happened if the company had strong and ethical people in positions of authority. Questions that organizations need to ask include:

Does the current ethics and compliance program emphasize ethical conduct or just compliant conduct?
Does the company’s code of conduct encourage individual responsibility or just provide a series of rules to follow?
Is ethical conduct an embedded component of the compliance program?
Does the organization’s code of conduct make a compelling case for ethics and compliance?9

An organization must encourage individual responsibility for compliance with standards and policies in all its employees. This begins at time of hire and continues throughout an employee’s career. Every employee, whether the CEO or the receptionist, must make the same commitment to ethics. Obviously, the higher level a person is in the organization, the greater the opportunity to evangelize the importance of ethical conduct to other employees. Executives and managers have a crucial responsibility to continually explain the importance of ethics and compliance. Yet, there is more that must be stated. Enron had a compliance program and a 65-page code of conduct. That very wordy code had absolutely no impact in preventing the massive accounting fraud.
The branding of integrity, honesty, and compliance is important for all companies, especially those emerging from scandal.

Code of Conduct

The cornerstone of an effective compliance program and culture of compliance is a strong value system based on integrity. These values can best be reflected in a code of conduct or ethics to ensure that employees, vendors, contractors, and other related parties know what is expected of them so as to make the right decisions.10 The code should be based on the organization’s core values and clearly delineate which behaviors are appropriate and which are not. It should be written in plain language and be easily
understandable. Consideration should be given to preparing separate codes specifically focused on finance and procurement employees as well as vendors. While it is important to explain in the code what is right and wrong, it is just as critical to reinforce the need for employees and others to seek advice and help when faced with ethical questions. Whether they are called hotlines, business conduct lines, or helplines, reporting mechanisms must be well-communicated and readily available for anyone seeking help. Codes of conduct are further discussed in Chapter 10 and Appendix B.

Code of Conduct Benchmarking and Evaluation

An ongoing evaluation of an organization’s code of conduct is another best practice. In its Q2 2007 issue, Ethisphere Magazine benchmarked the codes of conduct for 50 finance and technology companies using eight criteria. The criteria that Ethisphere uses are tied directly to the FSGO and excellent ones to consider in evaluating a code of conduct. The following are the criteria that were used in the benchmarking:

Public Availability: A code should readily be available to all stakeholders. What is the availability and ease of access to the code by employees and others outside the company?
Tone at the Top: Extent to which the senior leadership of the organization is visibly committed to the values and subjects covered in the code.
Readability and Tone: What is the style and tone used in the code? Is it easy to read and reflective of the organization’s culture?
Non-retaliation: Is the non-retaliation policy stated and explicit?
If so, how clearly is it stated?
Commitment to Stakeholders: Does the code identify its stakeholders and what is the level of compliance commitment?
Risk Topics: Does the code cover all appropriate and key risk areas for the company’s given industry?
Learning Aids: Does the code provide learning aids such as Q&A, FAQs, checklists, do’s and don’ts, examples of behavior, case studies, etc., to assist employees and others in understanding the important elements of the code?
Presentation and Style: Is it a compelling read? Factors include the layout, fonts, pictures, word usage, and structure.11

Organizations would do well to use these criteria in evaluating their individual codes and make changes as necessary. Codes of conduct should be living documents that are continuously reviewed and updated.
Being reasonably certain to reduce the likelihood of criminal actions in an organization does not mean that there never will be an instance of fraud or abuse. No program can be 100% effective in stopping all fraud and violations of policy. A test of an effective program is how the organization can detect and respond to an allegation and successfully resolve that issue.

Consider this example: A vendor is approached by an employee of a company demanding a kickback. The vendor is shocked at this unethical conduct and decides to report it to the organization. She finds the company’s hotline number on the company’s Web site. She is initially afraid that her reporting of the incident may impact her relationship with the company, but her reading of the company policy on ethical conduct and non-retaliation convinces her she is well-protected. She provides the company with specific details on the kickback attempt resulting in an official investigation.

The vendor cooperates in the investigation, and subsequently, the allegations are founded. In addition, the company learns that its employee has received kickbacks from numerous other vendors who did not have the ethical makeup of the complainant. The employee is later prosecuted for his criminal activity and the vendor’s relationship with the company is stronger than before. This is an example of an effective compliance program where several different elements of the program all worked and worked well.

STEP 2: ORGANIZATIONAL LEADERSHIP AND A CULTURE OF COMPLIANCE

The FSGO require that an organization’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness”12 of the program.
Questions that organizations need to ask include:

Is it clearly articulated how senior management is engaged in the compliance process?
How does the board strategically oversee the compliance and ethics program?
What are the information-flow processes that senior management and the board use to effectively assess the program?
How do high-level personnel actively advocate the organization’s values?
Does the chief compliance officer have adequate resources and authority to fully enforce the compliance program?13
The Infosys Message

The message that a company sends to the public about its views on corporate governance and compliance can speak volumes about their business and how it is run. Today, the best medium for broadcasting one’s message to the widest possible audience is the Internet. Infosys Technologies is a global technology services firm headquartered in Bangalore, India. Infosys uses a compelling approach to corporate governance on their Web site.14 The company states that they have “been a pioneer in benchmarking its corporate governance practices with the best in the world.” They introduce their corporate governance program by reprinting a portion of a speech given by Securities and Exchange Commission Chairman Christopher Cox before the Committee for Economic Development in Washington, DC on March 21, 2006. It reads as follows:

Happy companies have robust growth in revenues, strong balance sheets, and healthy profits that reflect genuine business success, not phony bookkeeping.

And they share other important traits as well.

They abide by high ethical standards, which is a key to their solid success. They don’t obstruct the flow of information to shareholders, but rather view the shareholder as the ultimate boss.

They choose directors on the strength of their abilities, character, and capacity for independent judgment.

And their internal controls work well, so that the company’s executives can take immediate corrective action when something goes wrong.

The Role of Executive Leadership

Chief executives, senior leaders, and managers set a very important tone at the top with every word they say and every action they take. They can positively influence an organization with their accountability and integrity. A leader’s commitment to all elements of compliance sets an example for everyone else. If an executive does not follow company policies and procedures, it is reasonable to assume that those below will not follow them either.
The leaders (and I use that term loosely) at Enron, WorldCom, Tyco, and Adelphia were not true leaders as they led their companies down the road to disaster. They literally broke all the rules and they suffered the consequences. Unfortunately, so did their employees and shareholders.

Leading by example can be done in many ways. Being among the first to complete required compliance training, holding direct reports accountable
for also completing the training, quickly responding to business conduct violations, ensuring fair, balanced, and incremental discipline, and living the company values are a few examples of how a leader can set the right tone at the top.

The Role of the Board of Directors

The Board of Directors and especially the Audit Committee of an organization are the overseers of accountability and compliance. They are in many ways the “police officers” of an organization acting in a “checks and balances” role to executive leadership.15 They must thoroughly understand the compliance and ethics program in place. They must exercise appropriate oversight of the compliance program and ensure that it is truly effective in all aspects. The board is responsible for ensuring that the FSGO requirement that high-level individuals within the organization be assigned responsibility for the compliance program is carried out. Today’s fully engaged board members take an active leadership role in promoting ethical conduct in their organization.

Identifying, measuring, and mitigating fraud risks are essential in implementing the Seven Steps. “The audit committee should evaluate management’s identification of fraud risks, implementation of antifraud measures, and creation of the appropriate tone at the top. Active oversight by the audit committee can help reinforce management’s commitment to creating the proper antifraud culture.”16 The audit committee role in providing oversight to executive leadership must include the potential risk of fraudulent financial reporting and the override of internal controls or collusion.17

The Corporate First Responders

The Chief Compliance Officer (CCO) has quickly become one of the most important new roles within an organization today.
The CCO is often a company’s “first responder,” taking action at the first sign of trouble. Like first responders, with swift and decisive action, they can minimize the damage as best as possible. Without them, the injury could potentially be fatal. For an example of how a bad compliance officer can destroy a company, see the discussion of AbTox, Inc. in Compliance Insight 9.4 later in this chapter.

Compliance officers’ roles include proactive and reactive efforts, and both must be given emphasis to be fully effective. “Proactive efforts need to emphasize the complementary goals of crime prevention and corporate ethical behavior. Reactive efforts measure how well a corporation reacts when it learns that questionable and potentially illegal conduct has occurred.”18
The CCO has primary responsibility, with the strong support of executive leadership, for building a world-class compliance program within their organization and maintaining its effectiveness. In some organizations, the CCO is the general counsel but delegates the day-to-day role to a direct report such as a Director of Compliance. A sample compliance program charter can be found in Appendix B.

Chief Compliance Officer

Compliance officers are critical to the implementation and ongoing success of the compliance program. Identifying and hiring a highly qualified compliance officer is a best practice that cannot be overlooked. Former prosecutors and federal agents have significant experience that can benefit a compliance program. “Adding former government officials to a company’s roster brings a certain credential of integrity to the process,” states Susan Hackett, Vice President of the Association of Corporate Counsel.19 For example, the newly created compliance program at CA, Inc. gained instant credibility when they hired Pat Gnazzo, a highly regarded and experienced CCO, in 2005.

COMPLIANCE INSIGHT 9.2: TOP COMPLIANCE AND ETHICS OFFICERS RESPONSIBILITIES IN 2006

Compliance and Ethics Leadership Council Survey, 2006

1. Compliance and Ethics Training Program
2. Development of Compliance and Ethics Policies and Procedures
3. Compliance Risk Identification/Assessment/Monitoring
4. Code of Conduct
5. Helpline Administration
6. Enforcement of Compliance and Ethics Policies and Procedures
7. Monitoring and Interpreting Developments Relating to Compliance with Applicable Laws and Regulations
8. Investigations
9. Managing Relationships with Regulators
10. Records Management

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2006.
Hiring a talented CCO is one best practice but not the only one. The CCO must have a high profile in the organization to be effective. A highly visible CCO can reinforce the importance of the overall compliance program and explain the absolute necessity in always following the letter and spirit of the law as well as company policies and procedures. The best way to accomplish that is for the CCO to be an executive officer with dual reporting lines to both executive leadership and the board. The combination of integrity, reputation, independence, and authority are a potent mix for a CCO. The FSGO also mentions the need for “adequate resources” to build and enforce the compliance program. A company must have at minimum an adequate number of highly skilled people with appropriate authority to successfully carry out the compliance program mandate. This is especially true if the organization has worldwide operations with personnel in many countries. Just imagine a general counsel for a Fortune 500 company that suffered a compliance failure telling a federal prosecutor that the cause was not having enough corporate investigators to detect and prevent the occurrence. That excuse would fall on deaf ears.

Compliance and Ethics Staff Sample Job Description

An effective compliance program includes several different people, responsible for different areas of the compliance function. Oftentimes these responsibilities overlap. The following are sample descriptions of individual positions and their roles and respective responsibilities.

A compliance manager designs the ethics and compliance education programs and compliance systems solutions and ensures their proper implementation. As part of his or her responsibilities, he or she identifies compliance and ethics needs and issues and responds appropriately, as well as reviews and develops record retention policies to serve compliance requirements.
The compliance manager works with other departments such as legal, human resources, and internal audit on various issues, such as planning and implementing the rollout of compliance education programs and customizing the included content. A global ethics and compliance associate’s duties might include overseeing the company helpline, tracking and oversight of case management, monitoring investigations, and maintaining database and report metrics. He or she would be accountable for driving compliance partnerships with the business unit, line, and functional departments.

A manager of investigations would manage the global investigation process and the overall case management process. He or she would run case reports and provide metrics for management, while helping to develop compliance training tools. A business and ethics training director would
oversee compliance investigations, coordinate employee training, perform some training, and oversee employee certification. A records manager oversees company-wide record management policy and execution. Reporting directly to the CCO, the records manager would implement new records management/retention policies, track manual records and the administration of electronic records, and train employees on retention policies, updating them as necessary.20

Organizational Structures

Companies have typically housed their compliance programs in the legal department, overseen by an attorney with compliance experience. Newly built or smaller compliance programs tend to be part of the legal department, while the redesigned programs discussed below work with numerous business units. There are four typical designs for compliance programs utilized by companies; the first two place the compliance and ethics program outside the legal department, while the second two place it inside. These organizational models and related research come from the Corporate Executive Board and are used with their permission.

In the first model, the compliance program is part of the risk management office. The CCO reports to the Chief Risk Officer. This usually means that the compliance officer focuses more on risk and minimizing exposure and less formally on ethics. Under the CCO, compliance directors oversee business unit compliance programs. This model is typically adopted by companies in regulated industries with considerable compliance requirements, such as banks and financial services organizations. This structure strengthens the CCO’s ability to identify and quickly respond to emerging risks. Compliance is integrated into the operational risk management process that allows for a better understanding of interrelationships between compliance risks and other business risks.
The CCO’s direct reporting relationship with the Chief Risk Officer facilitates better prevention and detection of compliance risks. However, channeling compliance through a risk framework may lessen the focus on promoting awareness of business ethics, and the lack of direct access to the CEO may have an impact on compliance and ethics priorities.

In the second model, the CCO reports directly to the CEO. This model is prevalent in heavily regulated industries, particularly health care; companies rebuilding after corporate governance crises often use this model to create an independent compliance and ethics program with adequate authority and resources. Here, the compliance office is more autonomous, with a relatively large budget to support companywide compliance initiatives. The CCO has more freedom to design the compliance program’s focus and to manage the compliance directors below him or her. The elevated
COMPLIANCE INSIGHT 9.3: TOP FIVE COMPLIANCE STAFF SKILL SETS AND RELATED ROLES AND RESPONSIBILITIES

1. Problem Solving and Communication Skills
   Recommend and enforce disciplinary actions for compliance and ethics violations
   Report incidents and breaches to senior management and the Compliance and Ethics Officer
   Respond to employee questions and concerns regarding business standards policy

2. Program Management (Project Management, Cross-Functional Coordination)
   Manage new central initiatives and projects driven out to business units, such as designing and implementing a compliance risk-assessment process
   Work cross-divisionally on planning and implementing the rollout of communications from the compliance and ethics office

3. Business Unit Partnership (Training and Ongoing Support)
   Ensure compliance and ethics program activities align with business objectives and become integrated into business activities
   Lead development of compliance and ethics training program and work with business units and functions on program initiatives
   Meet with business unit executives to report on and ensure adequate visibility of compliance and ethics program initiatives

4. Subject Matter Expertise (Legal Area Expertise)
   Provide specialist advice and assistance to business units in implementing regulatory initiatives and policies
   Provide periodic live training and education to business unit executives and management around specific policy issues (e.g., insider trading, anti-money laundering)

5. Industry Knowledge
   Help formalize process in complying with changing state law compliance requirements
   Develop specific training plan and course curriculum for key management by function and division

Reprinted with permission from the Compliance and Ethics Leadership Council, Corporate Executive Board, Washington, DC © 2005.
and independent position of the CCO and his or her access to the CEO provides instant authority and stature to the compliance program. The direct relationship with business units facilitates compliance participation in business unit decision-making processes. This structure communicates to shareholders that the company strives to go beyond just the minimum legal and regulatory compliance requirements. This prominent position and increased budget also come with increased pressure to achieve compliance goals and to be able to measurably demonstrate to the company that the expenditures are worthwhile.

The third model places a smaller compliance program within the legal department. The CCO reports to the General Counsel, while the program operates with a limited discretionary budget, out of the legal department’s overall budget. Rather than dedicated compliance directors, part-time business unit compliance and ethics liaisons provide interface with corporate compliance. This model is found most often in companies with a lower degree of regulatory requirements. Here, small staff levels are typical, befitting the lack of regulatory intensity. The direct relationship with general counsel facilitates clear alignment with legal priorities, and the staff can focus on designing training, coordinating investigations, and promoting company-wide compliance initiatives. However, this structure limits the ability to coordinate activities throughout the company or to respond quickly to emerging issues. Furthermore, the lack of direct access to the CEO means the compliance program does not have substantial credibility with business unit heads and staff.

Finally, the fourth is a decentralized model within the legal department. This model is used by decentralized companies with a low degree of regulatory intensity, such as consumer product or food and beverage organizations.
The CCO again reports to the general counsel, but the compliance unit serves mostly as an internal resource to the business units. The individual business units are accountable for their compliance responsibilities, assigning their own personnel to handle any issues. Business unit staff accountability encourages the customization of training and communication to local needs. Holding employees and functional experts accountable promotes local ownership of compliance and ethics initiatives. Nevertheless, this decentralized structure has its drawbacks. As it is not a full-fledged compliance entity, it demands extensive partnering with other functions to manage compliance activities. Reliance upon other departments and their staff to handle compliance efforts means that the compliance efforts may come into conflict with other established departmental interests, and that there may be a lack of consistency across the board, due to the different standards of each unit.21

Building an Appropriate Compliance Organizational Model

Companies are shifting away from older compliance models that reported to the general counsel, to a newer model that emphasizes greater compliance autonomy and direct oversight by and a formal relationship with the board of directors. A 2006 survey showed that 46% of compliance and ethics officers planned to or were currently redesigning their function. Only 48% of compliance and ethics officers reported to the general counsel in a 2005 survey, down from 74% in 2002.

Several factors have driven this change. Moving the compliance unit out of the general counsel’s office avoids potential conflicts of interests between the compliance function’s goal of uncovering risks and violations, and the legal department’s role in minimizing the company’s legal liability. Compliance officers should be able to investigate and report wrongdoing without interference from another department. The post-Sarbanes-Oxley focus on ethical culture and tone at the top has also led to this shift, as it differs from the legal department’s typical mission and may require different skill sets to do so successfully. This priority change has emphasized “non-legal” skills, rather than the typical liability avoidance of the legal department. Additionally, boards of directors want to improve their oversight abilities of compliance and ethics functions, doing so by maintaining reporting relationships with compliance officers.

Compliance and ethics may achieve more influence within the organization by reporting directly to the CEO and the Board of Directors. Business unit executives are less likely to push back on compliance and ethics-related initiatives when they know the compliance program has the support of the CEO.22

A chief accounting executive for a public company told a story of how one of the company’s executives based in China was faced with an ethical dilemma.
This executive was negotiating with a Chinese company to provide services to them. The representative from the Chinese company made it perfectly clear that a kickback would have to be provided in order to secure the business. The executive pulled out of the negotiations and the possibility of a very lucrative contract rather than sacrifice his integrity and ethics. This incident was escalated to senior leadership including the CCO and internal audit. A bulletin was then sent out to all employees describing, in general terms, this potential ethical lapse and how the company did the right thing. This is a great example of effective compliance in action.

COMPLIANCE INSIGHT 9.4: YOU CAN’T SANITIZE DIRTY DEEDS

While one does not normally see corporate compliance officers doing the perp walk along with CEOs and crooked accountants, they are not immune from prosecution for their actions. It is not common, but it has been known to happen; prosecutors will have no trouble taking down a chief compliance officer if the circumstances warrant. Robert Riley, the former Vice-President of Regulatory Affairs and Chief Compliance Officer of AbTox, Inc., which was located in Mundelein, IL, is one of only a few Chief Compliance Officers to be tried and convicted in federal court on federal fraud charges. He received a six-year sentence while Ross Caputo, AbTox’s President and Chief Executive Officer got ten years in jail.a

AbTox manufactured medical devices, specifically sterilizer equipment, selling them to hospitals to clean medical tools. AbTox had difficulty obtaining the required FDA approval to sell its product, eventually getting the FDA to approve a smaller version for an expressly limited purpose. However, AbTox defrauded hospitals by selling them the larger version for general use, even though it lacked the required FDA approval. AbTox used numerous and continual misrepresentations of material facts to make it appear as though its product was safe and approved for use, even going so far as to use an “independent” outside company to validate its product’s uses (the other company was in fact a sister company of AbTox, but that fact was never disclosed).b At trial, hospital official after hospital official testified that they would not have bought the product had they known it was not FDA-approved. The defendants proceeded in selling the product despite numerous warning and cease-and-desist letters from the FDA.c

Problems mounted further for AbTox when it was discovered that brass instruments sterilized in the equipment developed a blue-green residue on them.
AbTox quickly dismissed the concerns of hospitals who inquired about the residue, telling them the instruments were completely safe and the residue appeared because the hospitals did not completely dry the instruments before using the sterilizers. Had AbTox conducted simple tests on the residue—as was recommended by one of AbTox’s own scientists—or conducted a cursory search of medical literature, it would have learned that the residue was damaging to
the human eye, a fact that was well-documented throughout medical reports.d

Many of these concerns from customer hospitals went directly to Riley. Riley distributed to these hospitals a toxicology report that stated the residue was harmless; however, the toxicologist’s report was based on limited, selective information provided by Riley himself, and the report itself was edited before distribution. Riley deliberately gave the toxicologist incomplete information to skew the findings. The residue caused injury to over 25 patients during minor eye operations, leaving 18 of them blind in at least one eye. Riley failed to respond to reports of these injuries and did not conduct an investigation or report them to the FDA as he was required to by law.e Riley informed others that the injuries were caused by soap, and not by a byproduct of AbTox’s sterilization process.

When hospitals stopped using AbTox’s product, the injuries stopped as well. In the midst of this, AbTox filed a renewed certification application with the FDA. The FDA again rejected the application, pointing out numerous defects in the product and ordering AbTox not to sell it. Riley gave a copy of this letter to Caputo but otherwise kept it secret and continued to sell the sterilizer. Later, when specifically directed by the FDA to file an incident report, Riley filed a false report, blaming the eye injuries on soap, despite substantial evidence to the contrary.
Riley and Caputo continued to falsely assure employees and customers that all problems were being taken care of and FDA clearance was forthcoming.f

Overall, “defendants Caputo and Riley effectively carried out a bait and switch scheme on the FDA and its customers, obtaining clearance on one sterilizer but using the clearance to sell another. The defendants continued to sell the large uncleared sterilizer, in defiance of law and FDA directives, through a pattern or falsehoods and deception, until the company shut down operations on April 7, 1998, under pressure from the FDA. In the meantime, AbTox had illegally sold 168 adulterated sterilizers in the United States, causing an intended loss in excess of $16 million.”g

At trial, a jury convicted both defendants of conspiracy, fraud, mail fraud, wire fraud, and the introduction of an altered or misbranded device into interstate commerce. The “Court and the jury saw overwhelming evidence that the defendants had engaged in a prolonged, massive fraud upon the FDA and relevant hospitals by marketing an illegal sterilizer that ultimately put the general public at
risk.”h Yet despite this evidence, defendants Caputo and Riley never acknowledged their misdeeds or took responsibility. “At sentencing, it was apparent that both defendants still believed they had merely been convicted of technical, regulatory violations. . . Despite repeated admonitions and warning letters from the FDA, the defendants placed themselves above the law, believing they had better scientific and industry knowledge than the FDA. Essentially, both defendants viewed the FDA as a regulatory nuisance that could be neutralized through various misleading and false submissions.”i

When looking at the facts of this case, one would have to agree with District Court Judge Ruben Castillo’s assessment that “[i]t is hard to imagine a more egregious corporate crime. . .”j Furthermore, it is hard to imagine a more egregious compliance failure. AbTox’s chief compliance officer took part in the crime and helped to keep the fraud covered up. AbTox’s compliance program “was a total failure from top to bottom.”k Caputo chose Riley to serve as compliance officer precisely because he knew Riley would be ineffective. Riley had no compliance training or background prior to being named AbTox’s chief compliance officer. Caputo knew he could manipulate and dominate Riley, ensuring his illegal schemes would continue.l Despite Caputo’s domination of Riley, Riley was nevertheless a willing and active participant in the fraud. He went to jail just as Caputo did. The defendants should have expected a stiff sentence as Judge Castillo is the Vice Chair of the USSC and is intimately familiar with compliance programs and sentencing guidelines. Riley and Caputo should serve as examples of everything not to do in a compliance program and remind others to take compliance seriously, because if one fails to do so, the consequences can be severe.

a. United States v. Caputo, et al, Memorandum Opinion and Order, No. 03 CR 0126 (N. Dist.
IL 2006), 2.
b. Ibid., 7-8.
c. Ibid., 5-6.
d. Ibid., 10.
e. Ibid., 11.
f. Ibid., 13-14.
g. Ibid., 14.
h. Ibid., 22.
i. Ibid.
j. Ibid., 23.
k. Ibid., 26.
l. Ibid.

STEP 3: REASONABLE EFFORTS TO EXCLUDE PROHIBITED PERSONS

The FSGO require that an organization must make reasonable efforts to ensure that personnel with substantial authority have not engaged in illegal activities or conducted themselves in a manner inconsistent with the compliance and ethics program. Questions that organizations need to ask include:
- Does the organization conduct background checks on current and future executive hires?
- Does the organization conduct background checks for all employees?
- Does the organization have a mechanism for determining whether a particular violation is material that might require disclosure under United States securities laws?
- Is the compliance and investigations team prepared to conduct a thorough and professional investigation in a timely manner?
- What are the mechanisms in place for the company to learn about and respond to violations of business conduct in a prompt manner?
- Does the organization perform root cause analysis of the reasons for specific compliance failures?23

The best way to exclude prohibited persons is to ensure they never are hired in the first place. The best indicator of future performance is past performance and comprehensive background investigations are needed to determine this. Background checks are a must for all new hires and should include criminal record checks, credit history, civil litigation, education, professional certifications, and reference verifications. The more sensitive the position, the greater the degree of background review that is needed.

Unfortunately, resume padding and deceit are rampant. One executive recruiter estimates that 40% of all resumes contain some falsehoods.24 Typical false statements include degrees never received, exaggeration of achievements, overstating of titles and salary, lying about skills and abilities, and inflating college GPAs.
The former CEO of RadioShack resigned in February 2006 after questions surfaced about college degrees he claimed to have received.25 Although there were many media reports about this and other executives’ padded resume claims, some executives failed to learn from this sad experience. In June 2007, the chief executive in Asia Pacific for InterContinental Hotels, the world’s largest hotel chain, lied in his resume when he falsely claimed to have degrees from Cornell University and Australia’s Victoria University.26 “He attended classes at Victoria and Cornell, but we understand that he did not graduate from either,” said a company
spokesperson speaking on a condition of anonymity.27 Great compliance includes thorough background checks to include a full resume review.

This background check process must also be conducted for employees brought in through mergers and acquisitions. Knowing the potential background issues with these employees is important in compliance with this program element. In many acquisitions, a larger, well-established company is buying a smaller, privately held company that may not have a compliance program in place. As an example, I was once told of a company that turned a blind eye to expense reporting abuses by its employees. The company was very small and without adequate safeguards and controls. Employees considered falsely claiming personal expenses as business expenses, a perk that no one did anything about. When this small company was later acquired by a larger company, would the employees readily give up their “perk” or continue their fraudulent ways?

While most companies will have some form of background check at hire, very few conduct subsequent background checks. Even the best employees can have changes in their lives that companies should know about because these events can impact the employers. A domestic violence arrest and conviction can portend serious consequences at work, especially if the employee and spouse work at the same company. An arrest for embezzlement might be very relevant if the subject employee works in a finance role. Any number of related issues should be known to an employer. Not all criminal offenses are job-threatening or even relevant but an organization should at least be aware of them when making employment decisions, such as whether to retain or to promote the employee. Those offenses that reflect a person’s character or a pattern of criminal behavior should be red flags for a company. Thus, a recommended best practice is to have periodic updates to criminal, credit, and litigation checks.
Consideration should be given to having a policy requiring employees to self-report any relevant incidents. In addition, there should be new background investigations when people are promoted into senior leadership roles where the financial and reputational risks are greater.

The Investigative Response

Every company that wants to be serious about compliance needs a fraud-fighting unit. A robust fraud prevention program will include fraud risk assessment, detection, education, awareness of fraud issues and prevention, and responsive investigations. However, preventative programs, no matter how good they are, will not stop all fraud. “Therefore, an investigative response component through which company investigators can quickly respond to allegations of fraud is needed for all prevention programs. The fraud investigative unit must be responsible for the detection, investigation, and prevention of fraud and must have the strong support of senior management and the Audit Committee.”28

Any unit created by a company needs to be staffed with experienced fraud investigators. Due to the complexities of fraud schemes and their myriad forms, it takes many years for someone to gain the experience and skills to be an expert in fraud detection and investigation. Consideration should be given to hiring former law enforcement professionals, corporate investigators, forensic accountants, and others with extensive investigative experience as well as those certified in related disciplines. Certified Fraud Examiners (CFE), Certified Protection Professionals (CPP), Professional Certified Investigators (PCI), Certified Compliance and Ethics Professionals (CCEP), Certified Public Accountants and other highly skilled investigative and forensic experts should be part of every organization’s compliance function. Beyond just their investigative skills, these investigators must also be agents of change and the voice of compliance convincing upper management (and then all levels below) of the importance of fraud prevention.29

The hiring of these fraud professionals demonstrates the company’s commitment to high integrity, and with their assistance, will help the company embrace a robust fraud prevention and investigation program. The investigators’ skills should also be supplemented with high-tech tools and resources to further their investigative efforts. Ongoing training of the investigative staff is also required. A sound recommendation is that each investigator should receive a minimum of 40 hours of training each year with emphasis on investigative procedures, employment law, and other legal aspects. “The message that needs to be conveyed is that the company is ready, willing, and able to respond quickly and appropriately to the allegations of fraud.”30

Consideration should also be given to developing an investigative framework for all investigations conducted.
This framework would provide a detailed step by step process for investigative excellence and oversight. There should be an intake process for how compliance issues are routed for review and an investigative determination. An assignment process must also be included to decide who actually conducts the investigation and under what oversight. Prior to the start of an investigation, a detailed investigative plan should be created that identifies the scope of the investigation and all related elements. Included in the plan should be what documents will be analyzed, what tools will be needed in the investigative process, who will be interviewed, who will lead the investigation, what investigative assistance will be needed from human resources, legal, investigative vendors, and others, the timeline for completion of the investigation, and other key elements of an investigation.

Investigator’s Code of Conduct

Another best practice to consider is the creation of a specific investigator’s code of conduct. The role of corporate investigators and the internal
investigative process has been the focus of media reporting over the last few years involving Fortune 500 companies. There were a number of issues raised regarding the behavior of their investigators including spying on employees and journalists, surveillance techniques, using pretexting and subterfuge to obtain personal information, and other questionable investigative techniques. The result has been a greater oversight of the investigative role in business organizations. Above all else, investigators must not permit any bias, prejudice, or preconceived opinions to impede an investigation and always report facts accurately and completely. Thus, the creation of an investigator’s code of conduct that embodies professional conduct, best practices, compliance with laws and policies, and prohibits inappropriate and unethical conduct is another process that can further protect an organization from reputational and financial risk.

NOTES

1. Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, Inc, 2006), 98–99.
2. While the Guidelines have been tremendously controversial, the FSGO have not been for the most part. Criticism of the Guidelines focused heavily on mandatory minimum sentencing and sentencing disparity. Application of the Guidelines often led to absurd and inequitable results, where first-time drug offenders received longer sentences than murderers. Criticism also focused on the sentencing disparity between cocaine possession and crack-cocaine possession. However, the FSGO have not engendered anything close to the level of outrage created by the Guidelines. This may be due in part to fairer application of the provisions, or less public sympathy for corporations. For better or for worse, the plight of corporate executives going to jail or of corporations paying stiff fines for criminal conduct does not stir public outrage.
In fact, corporate offenders have historically been perceived as getting off easy in comparison to their blue-collar brethren.
3. United States Sentencing Commission, Federal Sentencing Guidelines Manual, www.ussc.gov/2004guid/CHAP8.pdf, 476.
4. Ibid.
5. Federal Sentencing Guidelines Manual, 476–81.
6. Biegelman and Bartow, Executive Roadmap, 101.
7. Federal Sentencing Guidelines Manual, 476.
8. Ibid.
9. “Summary of the 2004 Federal Sentencing Guidelines Amendments and Recommended Action Steps,” General Counsel Roundtable, June 2004.
10. Biegelman and Bartow, Executive Roadmap, 71.
11. Douglas Allen, “50 Codes of Conduct Benchmarked: How Does Your Organization Stack Up?,” Ethisphere Magazine, Q2 2007, www.ethisphere.com/EthisphereMagazine0207/50-codes-Q2.
12. Federal Sentencing Guidelines Manual, 476.
13. “Summary of the 2004 Federal Sentencing Guidelines.”
14. Infosys Corporate Governance page, www.infosys.com/investor/corporategovernance.asp.
15. Biegelman and Bartow, Executive Roadmap, 368.
16. Statement on Auditing Standards 99, “Consideration of Fraud in a Financial Statement Audit,” Management Antifraud Program and Controls Exhibit, American Institute of Certified Public Accountants, 2002.
17. Ibid.
18. United States v. Caputo, Memorandum Opinion and Order, No. 03 CR 0126 (N. Dist. IL 2006), 26.
19. Connie Guglielmo, “Hewlett-Packard Ethics Chief Tackles Spying Aftermath,” Bloomberg.com, April 24, 2007, www.bloomberg.com/apps/news?pid=20601109&refer=home&sid=awZRPpHPAxH4.
20. “Establishing a Compliance and Ethics Program: Defining Staff Skills and Responsibilities,” Compliance and Ethics Leadership Council, October 2005.
21. “Establishing a Compliance and Ethics Program: Building an Appropriate Organizational Structure,” Compliance and Ethics Leadership Council, October 2005.
22. “The State of the Compliance and Ethics Function,” Compliance and Ethics Leadership Council, December 2006.
23. “Summary of the 2004 Federal Sentencing Guidelines.”
24. Karen DuBose Tomassi, “Most Common Resume Lies,” Forbes.com, May 23, 2006, www.forbes.com/2006/05/20/resume-lies-workcxkdt06work0523lies.html.
25. Ibid.
26. “InterContinental Hotels Executive Resigns After Resume Lies Exposed,” International Herald Tribune, June 14, 2007, www.iht.com/articles/ap/2007/06/14/business/EU-FIN-Britain-False-Resume.php.
27. Ibid.
28. Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, Inc, 2006), 239.
29. Ibid., 240.
30. Ibid., 239.

CHAPTER 10

Building a World-Class Compliance Program: The Seven Steps in Practice (Part II)

“The only thing a man can take beyond his lifetime is his ethics.”
Thomas Jefferson

STEP 4: TRAINING AND COMMUNICATION OF STANDARDS AND PROCEDURES

The FSGO require that organizations “shall take reasonable steps to communicate periodically, and in a practical manner, its standards and procedures, and other aspects of the compliance and ethics program. . .. and [conduct] effective training programs and otherwise disseminate information”1 about the compliance program. Questions that organizations need to ask include:
- Does the organization assess its risks in order to identify an appropriate training curriculum for its employees?
- Does the company communicate to employees the consequences for compliance failures?
- Are company values and standards communicated to vendors and other business associates?
- Does the company have an adequate reporting mechanism for employees and others to communicate incidents and issues?
- How does the company identify and reach all employees for training purposes?
- Has the company determined who in the organization are considered “agents”?
- How frequently is training provided within the organization and how often is it updated?
- Are corporate values and issues of law properly communicated as rules that must be obeyed as drivers of the corporate culture?
- Are members of the board provided relevant training at board meetings or in other sessions?
- Is the compliance program budget adequate and is there a periodic reassessment?
- Does the organization establish methods for measuring effectiveness of their training program?
- Has the organization identified any history of ethics and compliance failures experienced by competitors, as well as any best practices that can be applied to the compliance program?2

One of the most important elements of an effective compliance program is training for all employees from the CEO down. Appropriate training reinforces an organization’s commitment to ethical conduct and compliance with policies, procedures, and laws. Training must include the organization’s code of conduct and all its various components. Key areas that need to be covered include conflict of interest policy, antiharassment and antidiscrimination policy, antitrust, protection of intellectual property, fraud risk, FCPA risk and compliance, whistleblowing and reporting of compliance issues and concerns, and protection against retaliation. The importance of training and need for universal training should come from the highest reaches of a company. Leading by example is another best practice. Thus, as mentioned earlier, an organization’s leadership should be among the first employees to complete training courses. When training is conducted in a classroom setting, executives should consider taking required training with the rank and file employees and sitting among them.
This can do much to reinforce the importance of training as well as tone at the top.

Both traditional in-person and online training should be employed. In-person training allows for greater interaction and provides the opportunity for the instructor to answer specific questions as they arise. In-person training fosters discussion of key issues to reinforce their importance. A group setting can also include role-playing exercises and gauge the understanding of issues important to employees. Online training is growing in popularity and can reach large audiences in a very cost-effective manner. Online training allows for customization by location, language, employee function, and subject matter. Employees can decide when they want to complete training and how much they want to complete at one time. Tracking of employee attendance and course completion can be easily accomplished with online training. Whether in-person or online, tracking of employee
training hours must be recorded. Consideration should also be given to a minimum requirement of training hours completed per year.

Designing and Distributing the Code of Conduct

A well-written and compelling code of conduct is a key component of a successful ethics and compliance program. It both establishes expectations of conduct and communicates these expectations to employees. “A code of ethics provides a moral compass for employees by defining the company’s position on ethical issues and promoting integrity. To be effective, management has to embody the code of ethics, and all employees have to be informed and committed.”3 Code of conduct certification programs ensure that all employees have read and understand what the code requires of them.

Disseminating the code through a variety of channels helps to further awareness of it. By making the code available in print, through e-mail, and on the company’s Web and intranet sites, as well as other available avenues, the company provides employees with multiple ways to access the code should the need arise, as well as clearly illustrating its commitment to what’s in the code. A company that creates a code of conduct but does not make it widely available demonstrates the depth of its ethical commitment, which is to say, none at all. Beyond making it widely available, a company can take steps to make the code more accessible. They can make the code short and use concise and easily understood language. While the code should be lengthy enough to thoroughly cover the necessary issues, it should not be so long that people will not read it. To make it easy to understand, a company can break down a policy into “what it means” and “what to avoid” to aid understanding and retention. Providing a question and answer section for guidance, along with real company examples or scenarios, helps employees better navigate the gray areas they face.
Integrating employee code certification into performance reviews ensures greater employee participation.4

Publicizing Ethical Lapses

All organizations, no matter how good their compliance programs, will have ethical lapses by their employees. It is human nature, but these personal failures can be turned into learning opportunities for the betterment of the entire organization. Thus, communicate the impact of non-compliance. This communication is especially important when a significant compliance lapse or public event occurs such as the arrest of an employee for a criminal offense involving company assets. Senior leaders need to inform the organization about the event, how it happened, the compliance failures involved, and what to do to ensure it does not happen again. These events, while painful, can be used as learning opportunities from which to grow and improve.
Use an ongoing communication such as an “Integrity Corner” in internal communications to employees where ethics lapses and disciplinary actions are publicized. While specific information about the employees and others who were disciplined is not recommended to be disclosed, the facts of the case can be used for learning and prevention. Some companies actually list on their Web sites the number of investigations conducted into compliance failures, the number of related employee terminations, hotline referrals, and other related information. One company uses a well-publicized reward system offering up to $25,000 to employees who report violations of their code of conduct. While very few companies offer cash rewards, it has proven very effective for this particular company. Of course, as with any hotline or reporting mechanism, due care must be given to protect against the receipt of false allegations.

Gift Policy and Cultural Differences

Most United States companies have policies restricting the gifts that their employees can receive so as to limit potential conflicts of interest. These policies are necessary in protecting the organization but there must be an understanding of cultural differences elsewhere in the world. American policies restricting the giving and receipt of gifts in the course of business sometimes are at odds with cultural traditions, particularly in Asia where the tradition of gift-giving is deeply ingrained. Companies must be sensitive to these traditions but also ensure that no one is pressured into participating.

In China, “red envelopes” or “red packets” are given on social and family occasions or holidays such as Chinese New Year. The gifts, money presented in a red envelope, symbolize good luck, and the amount of money given is usually a lucky number itself.
These Lai See gifts are an important social tradition, because they allow the recipient to measure the strength of the relationship with the gift-giver, based on the amount of money received. Japan has something analogous called otoshidama, though Japan and also Korea use white envelopes. Similar traditions exist throughout Southeast Asia.5

Companies doing business in Asia wish to respect native traditions but also recognize the pitfalls with this practice. In China, for instance, the red envelope is also the standard form in which political bribes are given.6 Typical company policies do not encourage the acceptance of these gifts and expressly prohibit solicitation of them, but allow for the gifts as a friendly courtesy gesture. These policies limit the amount of money given to a nominal sum. Training and communication is necessary to provide understanding and compliance with gift policies while limiting the risk.
Step 4: Training and Communication of Standards and Procedures 195

Other Training and Communication Best Practices

• Training should be scenario-based using a variation of real-life events and compliance failures that the particular organization previously encountered. Web-based training is especially suited for this mode of teaching.
• Managers are role models and mentors. When employees see their managers following the code of conduct and leading by example, greater compliance occurs. Thus, the training of managers, both new and long-term ones, is necessary in implementing a world-class compliance program.
• Senior leadership should communicate to all employees their ongoing commitment to integrity and compliance. This can be done via e-mail and can periodically focus on a particular area of risk such as fraud prevention or protection of intellectual property.
• Address third party risk by requiring the training of the vendors and contract employees that an organization uses. Educating vendors about fraud and prevention activities will yield important benefits. If vendors do not have their own internal compliance programs, encourage them to develop such programs. Doing this will add great value to their organizations and strengthen business opportunities.
• Continually reinforce the importance of reporting of compliance issues by employees and those outside the organization. This mode of communication is often the best way that an organization learns about compliance problems.
• Send e-mail reminders prior to the start of the holiday season reminding employees of the company’s policy and restrictions about accepting gifts from vendors. In addition, remind vendors of the organization’s policies about the receipt of gifts and require them to comply with these policies.
• Make it easy for anyone accessing the organization’s Web site to find the section on corporate compliance. Have the link prominently displayed on the home page.
• Include a requirement in all mid-year and annual employee reviews to discuss the importance of integrity, compliance requirements, the existence of the organization’s hotline, and the need to report all compliance issues.
• Ensure that all employees know the name and contact information of the organization’s Chief Compliance Officer. Have regular meet and greets with the CCO and his or her staff to hear firsthand about the importance of compliance.
• Use newsletters, table top tents, posters, home mailings as well as e-mails to constantly communicate the existence of the organization’s compliance program. One company prints their code of conduct on paper placemats in their company cafeterias so they are easily and constantly viewed.
• There are always innovative approaches to compliance and ethics training. It just takes imagination and a commitment. One Fortune 500 company held an ethics contest where employees could make and submit home videos on the subject. The videos were used in ethics training. They were well-received as they carried important messages in addition to being entertaining.7
• The Board of Directors must also receive ongoing communication on all aspects of an organization’s compliance program. These communications should include updates on risk assessments, internal control weaknesses, significant internal investigations, compliance training, and other commonly reported topics. Compliance Insight 10.1 details the key components of a comprehensive board report.

STEP 5: MONITORING, AUDITING, AND EVALUATING PROGRAM EFFECTIVENESS

The FSGO require that organizations periodically evaluate the effectiveness of their compliance program and include monitoring and auditing systems designed to detect criminal conduct. The program must “have and publicize a system, which may include mechanisms that allow anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”8 Questions that organizations need to ask include:

• Does the organization have an anonymous and confidential reporting mechanism to respond to people seeking guidance about compliance and ethics?
• Are the current policies and procedures adequate for a robust ethics and compliance program?
• Has the company identified policies and procedures to encourage employees to report incidents?
• Has the company identified and created tools and data to assess the effectiveness of the compliance program?
• Are employees empowered by education and training to resolve ethical and legal dilemmas?9
COMPLIANCE INSIGHT 10.1: KEY COMPONENTS OF A COMPREHENSIVE BOARD REPORT: HALLMARKS OF OUTSTANDING COMMUNICATION, COMPLIANCE AND ETHICS LEADERSHIP COUNCIL RESEARCH, 2006

Table columns: Commonly Reported Categories; Typical Reporting Frequency; Standard Practice; Emerging Practice

Commonly Reported Category: Risk Assessment
Typical Reporting Frequency: Quarterly
Standard Practice: List of key risks and associated mitigation plans; Update on major incidents
Emerging Practice: Reporting of future risks; Changes in policies, procedures, and controls in response to risks; Overview of risk-assessment method and process; Periodic review of mitigation plans

Commonly Reported Category: Training
Typical Reporting Frequency: Quarterly
Standard Practice: Percentage of employee base that has completed specific training modules
Emerging Practice: Percentage of target audiences in high-risk functions that has completed specific modules; Outline of planned training modules

Commonly Reported Category: Allegations and Investigations
Typical Reporting Frequency: Quarterly
Standard Practice: Trends in volume and types of allegations; Data on case cycle time
Emerging Practice: Breakdown of issues by category, business unit, geography, and severity; Focus on status of complaints and open investigations
Commonly Reported Category: Regulatory
Typical Reporting Frequency: Quarterly
Standard Practice: Update on key regulatory events that affect industry; Update on ongoing regulatory investigations and legal cases
Emerging Practice: Focus on regulatory developments that pose highest risk and impact company strategy; Focus on business changes that affect compliance obligations

Commonly Reported Category: Program Effectiveness
Typical Reporting Frequency: Annually/Quarterly
Standard Practice: Discussion of key program elements and important implementation milestones; Review of periodic audit results
Emerging Practice: Present overview of framework that drives program improvement; Benchmark program elements against external standards; Report key trends (compare data over time to identify systemic problems in the company); Provide powerful examples of tone at the top and positive behaviors (specifically management)
Commonly Reported Category: Resources and Personnel
Typical Reporting Frequency: Annually
Standard Practice: Annual budget allocation; Relevant staff developments
Emerging Practice: Benchmark of budget against industry peers; Analysis of available resources against program needs (gap analysis)

Commonly Reported Category: Annual Plan
Typical Reporting Frequency: Annually
Standard Practice: Overview of next year’s compliance and ethics departmental plan
Emerging Practice: Plan links departmental initiatives and key risk areas; Plan clearly details interim milestones and owners across the company

Commonly Reported Category: Ethics Awareness
Typical Reporting Frequency: Annually
Standard Practice: Presentation of ethics survey results; Update on ethics communication initiatives
Emerging Practice: Analysis of survey results by business unit and managerial versus non-managerial responses; Benchmarking of responses against other companies; Demonstration/visuals of communication tools and compliance intranet

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2006.
COMPLIANCE INSIGHT 10.2: EMBEDDING COMPLIANCE IN THE BUSINESS, COMPLIANCE AND ETHICS LEADERSHIP COUNCIL RESEARCH, 2006

Recent scandals, coupled with the breadth of ongoing regulatory requirements, are driving interest in embedding accountability for compliance activities in the line and focusing employee attention not only on financial results but also on how these results are achieved. Council research suggests that efforts to cascade compliance expectations and reinforce ethical behavior are often frustrated by three challenges: 1) insufficient or misaligned compliance incentives, 2) lack of emphasis on the consequences of noncompliance, and 3) standardized training that fails to influence employee behavior. A Compliance and Ethics Leadership Council study illustrates how companies align performance objectives and compliance expectations and drive employee awareness of compliance and ethics. The Council’s study found the six most significant research findings are as follows:

Finding #1—Focus Performance Evaluations on Both Desired Results and Desired Behaviors. Companies are incorporating compliance behaviors and ethical conduct into employee performance scorecards to emphasize to all employees that the means by which business outcomes and results are achieved are as important as the results themselves.

Finding #2—Outline Clear Guidelines for Consequences of Noncompliance. To articulate the consequences of noncompliance and ensure the consistent enforcement of disciplinary policies and processes across the corporation, compliance and ethics officers are providing business units with guidelines for disciplinary action and outlining escalation paths for compliance violations.

Finding #3—Direct Compliance Messages Toward Teaching and Not Just Communication. Focusing compliance communications on real ethical dilemmas and publishing the real consequences of noncompliance through case examples and scenarios offer guidance to employees on how to both apply these policies in day-to-day situations and preempt potential violations.
Finding #4—Cascade Examples of Noncompliance Through the Entire Organization. Leading companies are disseminating examples of communication using a variety of methods to maximize their organizational reach and provide a larger audience visibility into the real consequences of noncompliance.

Finding #5—Develop a Targeted Compliance Training Strategy. A training approach customized to employees’ preexisting knowledge and job requirements frees compliance training resources (in terms of both employee time and company expense) and reduces the training burden on employees.

Finding #6—Engage Business Managers in Compliance Training. Requiring business managers (rather than third party consultants) to deliver compliance and ethics training allows managers to more effectively tailor training to the context of employees’ particular jobs and initiates real, honest, and relevant discussion of hypothetical ethical issues between managers and their direct reports.

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2006.

Hotlines

Hotlines are an excellent way to receive allegations of fraud and other wrongdoing. “Hotlines allow employees and others outside the company to communicate compliance concerns to the company for appropriate action. . . If a company does not already have a hotline in place, it is putting itself at risk.”10 Tips from employees are the most common way of detecting frauds, and hotlines are the best way to collect this information. With hotlines, “build it right and they will call.” If a hotline is built properly and its existence is publicized to employees, it ensures that they will feel comfortable coming forward with critical information.11

With hotlines, several basic rules apply. The hotline must be easily accessible to callers in every country where the business operates and be available in multiple languages. It should be staffed 24 hours a day, seven days a week by live operators trained to handle these calls. Rather than handling the calls in-house, they should be outsourced to a third-party provider to ensure transparency and most importantly, confidentiality and
anonymity.12 Confidentiality and anonymity are the most important features of a hotline. Confidentiality means that the information revealed in the call is transmitted only to people who need to hear it. Anonymity means that the caller’s identity will be kept secret, if desired by the caller. This goes beyond just the caller’s name; potentially identifying details should also be kept secret. An employee’s sense of trust and faith in the hotline is a vital part of its success.13 In my first book, I devoted a full chapter to hotlines and whistleblowers as this is a crucial element of compliance. For more information on this topic please refer to that book.14

Non-Retaliation Policy

In 2007, the Compliance and Ethics Leadership Council of the Corporate Executive Board studied the leading indicators of potential misconduct. Their study found that the fear of retaliation was the single greatest concern among employees. This should be no surprise to an organization. Studies by the Association of Certified Fraud Examiners continually find that employee tips are the most common way to discover fraud and abuse. Every company needs a strong policy against retaliation, to encourage employees to come forward and to protect them from any reprisals. This policy should be put into the code of conduct distributed to all employees and be incorporated into training programs. Anonymous reporting, if the employee so desires, should be available for the reporting of complaints regarding accounting, internal control, auditing, or any other policy or code of conduct matter. All complaints should be handled in a confidential manner, even if the reportee did not request anonymity. Disclosure of the matter should be made only to those persons necessary to conduct a full investigation of the alleged violation or to carry out appropriate discipline.15

Evaluating Compliance Programs

The effectiveness of compliance programs can be measured in a number of ways. These include having adequate resources to ensure the compliance mandate is successfully fulfilled. Each organization needs to determine the appropriate number of resources needed for the various components. For example, the number of professionally trained and experienced people assigned compliance and investigation responsibilities is one determination. Other metrics to consider are the number of employees trained and certified each year and whether this comprises all employees worldwide; employees’ scores on ethics surveys; how many issues and questions are escalated to the compliance department each year; how many different reporting mechanisms are available to employees to report issues; how timely is the response to allegations of misconduct and other compliance issues; how
long it takes to complete investigations and impose possible disciplinary action; and how violations of business conduct are reported to employees. This evaluation process also goes to the tone at the top of an organization.

A great tool to use in evaluating the effectiveness of an organization’s compliance program is the Compliance and Ethics Program Assessment Wizard created by the Corporate Executive Board’s Compliance and Ethics Leadership Council (CELC). The Wizard is a comprehensive measurement and benchmarking system for compliance and ethics program performance. It is a Web-based, self-assessment of program maturity that assesses an organization’s compliance program across eight key elements and 28 sub-elements. The elements and sub-elements align closely with the revised Federal Sentencing Guidelines and incorporate expectations of the SEC and European regulators. The Wizard is further discussed in Appendix C.

Other Best Practices for Evaluating Program Effectiveness

• Periodically review company policies and procedures to ensure they are updated as necessary to reflect changes in laws and regulations both domestically and internationally.
• Identify and review the tools and data the organization uses to assess compliance effectiveness.
• Ensure that every employee has completed required training and, more importantly, understands the implications of that training especially in reporting compliance concerns and violations of business conduct.
• In evaluating hotline effectiveness, consider the following:
  - How well communicated is the existence of the hotline?
  - How many calls does the hotline receive each year?
  - How many actual escalations of compliance concerns or other questions about the program or the company were received?
  - For allegations received, how long did it take from the time of the receipt of the allegation until the investigation is commenced and then concluded?
  - How many issues were founded versus unfounded?
  - How many terminations and other lesser disciplinary actions resulted from hotline calls?
  - How are the hotline calls and related organizational responses tracked and reported to the board of directors?
  - Are Sarbanes-Oxley, financial accounting, and other key issues and risks also escalated to the board of directors?
  - Is the hotline periodically tested by making calls from various worldwide locations to check effectiveness and efficiency of reporting and escalation?
  - Does the organization’s internal audit function conduct an annual review of the hotline program?
  - While many of the calls to a hotline will be anonymous with no further communication, do not forget that the caller will be watching for the outcome. Let’s use as an example an anonymous employee escalating a legitimate allegation of fraud by another employee. If the subsequent investigation corroborates the allegation and results in the termination of the subject employee, the anonymous caller/employee will gain great confidence that the compliance program does work and works well.
  - It is a good rule to always remember that some of the allegations reported through the hotline may be false and simply made to harm the subject for one reason or another. All allegations, especially those made anonymously, must be thoroughly and professionally investigated to determine if there is any basis for the complaint. Finding an allegation to be unfounded is just as important as proving an allegation is true.
• Establish a compliance and ethics advisory group of external industry professionals that regularly reviews the organization’s compliance program and makes recommendations for improvement. Consider experts from top law firms, academia, compliance and ethics professional organizations, and other corporations as members of this advisory group. As with any use of external professionals, the organization’s legal department must be contacted for appropriate review and approval of this possible approach.
• Retain accounting and consulting professionals from the major consulting firms to periodically conduct the compliance program assessment. They have significant experience in the design and implementation of compliance programs and have much valuable experience to share.

STEP 6: PERFORMANCE INCENTIVES AND DISCIPLINARY ACTION

The FSGO require that the “organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”16 Questions that organizations need to ask include:

• Does the company celebrate ethics success as strongly as it condemns unethical or criminal conduct?
• Does the performance management and compensation system reinforce and reward ethical behavior?17

Discipline

It is an unfortunate fact of life that some individuals will violate an organization’s standards of business conduct. Depending on whether the offense is a fraud or other abuse of policy and the severity of the offense, the company may face a serious risk. When that happens, organizations must be prepared to act appropriately to administer fair, balanced, and incremental discipline. How an entity responds to incidents of alleged or suspected fraud will send a strong deterrent message to all employees and will help reduce the number of future occurrences. The following actions should be considered in response to compliance violations:

• Conduct a thorough and professional investigation of the incident.
• Administer appropriate and consistent disciplinary actions against violators.
• Assess, redesign, and improve relevant internal controls to mitigate future occurrences.
• Communication and training about the consequences of committing fraud or other violations should be used to reinforce the entity’s values, code of conduct, and expectations.

Knowing that violators have been disciplined for wrongdoing can be an effective deterrent, increasing the perceived likelihood that those who commit crimes and other violations of policy will be caught and punished. This also reaffirms an organization’s commitment to high ethical standards and integrity.18

Zero tolerance for fraud and other serious crimes must be the standard in every organization. Whether a person steals one dollar or one million dollars, fraud in any amount cannot be tolerated. A person lacking integrity must be removed from the organization. Once removed, action must be taken to ensure that the person is not allowed to return in another employment capacity. Human resources must ensure that employees terminated for compliance violations are not rehired by placing that person on an “ineligible for rehire” list and always referring to it before hiring new employees.

Organizations should always consider referring criminal violations by employees and others to law enforcement for possible prosecution. Not only is this appropriate as a good corporate citizen, but there is a definite deterrence factor to consider. Knowing that they face possible prosecution and incarceration will deter some people from committing crimes. In addition, holding people accountable for their actions sends a strong message that
the organization is intent on protecting their interests in a high-integrity environment and will hold accountable those who break the law. The general counsel or outside counsel should be the focal point for final decisions as to criminal referrals. Companies should also consider publicizing prosecutions of employee fraudsters to reinforce a culture of compliance and a zero tolerance for fraud.19 Compliance Insight 10.3 provides suggestions for deterring management misconduct.

COMPLIANCE INSIGHT 10.3: KEY OBJECTIVES AND PRINCIPLES IN DETERRING MANAGEMENT MISCONDUCT, COMPLIANCE AND ETHICS LEADERSHIP COUNCIL RESEARCH, 2006

Four key objectives and the related ten principles in deterring management misconduct are as follows:

Objective #1: Educate Managers
  Principle #1: Train Managers on the Economic Consequences of Misconduct
  Principle #2: Educate Managers About Communicating Ethical Messages
  Principle #3: Provide Regular Updates on Performance Against Compliance Goals

Objective #2: Hold Managers Accountable
  Principle #4: Test Managers on Desired Behaviors
  Principle #5: Embed Ethics and Compliance into Performance Objectives
  Principle #6: Establish Ethics Checks as Condition of Promotion

Objective #3: Improve Detective Capabilities
  Principle #7: Encourage Employees to Speak Up
  Principle #8: Implement Controls to Prevent Retaliation

Objective #4: Develop Leading Indicators
  Principle #9: Review Existing Internal Data to Anticipate Fraud
  Principle #10: Use Multiple Data Sources to Anticipate Ethical Breakdowns

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2006.
Awards and Recognition for Ethical Behavior

Appropriate incentives are key to ensuring proper employee behavior. The recent bestseller Freakonomics describes the great power that incentives have in shaping human behavior, be they economic, social, or moral incentives. A small tweak in incentives can produce dramatic changes in behavior; given a big enough incentive, people will change their behavior, no matter what.20 Thus, a company can take advantage of this, making sure that it provides proper incentives for its employees to act ethically, as well as making sure that it is not, either inadvertently or otherwise, giving employees incentives to act unethically.

Companies need to provide incentives to encourage good behavior, and to reward those who act ethically. Just as a company punishes bad behavior, it should reward appropriate behavior, to further encourage it. This recognition should be both external and internal: advertising to the public the company’s ethical achievements and recognizing employees’ individual achievements. A company that consistently acts ethically will be recognized. Ethical achievements should be publicized, whether on the company’s Web site or in the media. Considering all of the publicity corporate malfeasance receives, good behavior should also receive some coverage. Ethical companies can be nominated for special awards, as was the case with Premier, Inc., which won the Malcolm Baldrige National Quality Award, discussed at length in Chapter 11.

Companies should also focus on rewarding their own employees. There are several different ways to give employees the proper incentives to act ethically. Some companies give awards to employees who have demonstrated high ethical standards, particularly in trying circumstances. Using awards and recognition for employees who embrace integrity and honesty does much to reinforce the commitment to compliance. People can be recognized for a variety of compliance and ethics successes. These may be for escalations of compliance issues, improvements to internal controls to mitigate risk, writing articles on compliance that were published internally, preparing training programs to promote the culture of compliance, or other such examples. Recognition in the form of compensation, plaques, and certificates of appreciation can go a long way in promoting ethical behavior.

Employees with high integrity should be praised in front of the entire company, as exemplars of what the company strives to achieve. An example of this can be found again in Chapter 11. Sometimes a company will not be able to publicize the actions of a whistleblower, but the company should still recognize this person confidentially, through a private ceremony with the CEO, CFO, CCO, or other appropriate executives. Some other companies provide financial incentives for reporting allegations of wrongdoing, fraud, and policy abuses. This is a unique approach. One company that has adopted
this policy, a Midwest manufacturing company, receives numerous reports of misconduct while false or vindictive reporting is almost nonexistent. The reason for this company’s success is that employees must identify themselves to claim the reward. This greatly reduces the possibility of deception and false reporting.

STEP 7: RESPONSE TO CRIMINAL CONDUCT AND REMEDIAL ACTION

The FSGO require that organizations “periodically assess the risk of criminal conduct including making any necessary modifications to the organization’s compliance and ethics program.”21 Questions that organizations need to ask include:

• Does the organization create tools to monitor and assess the compliance program, as well as make continuous improvements to the program?
• Does the company identify and create processes to track changes in the business, products, services, and organizational structure that could lead to compliance risks?
• Does the company embed ethics and compliance messages into other company communications?
• Does the company quickly create internal control enhancements as appropriate to prevent compliance failures?
• Does the company treat ethics as an integral part of how the company does business?
• Who is (are) the person or persons responsible for making disclosures to outside parties in case of a violation?
• Does the company have a “compliance resume” so that if a criminal violation occurs, the company can demonstrate that it took every reasonable step to comply with the highest standards of corporate compliance?22

It is hoped that by implementing the Seven Steps of effective compliance, organizations can protect against criminal conduct by its employees. Unfortunately, that is not always the case as even good companies can have bad days. Fraud and unethical conduct can occur in any company. The determining factor will be how an organization responds when non-compliance issues arise. Depending on the severity of the issues such as financial accounting fraud, other Sarbanes-Oxley issues, FCPA violations, and other matters requiring disclosure, the organization may need to self-report to the SEC, the Department of Justice, and/or other oversight organizations.
Entities must have a documented process on how to respond and disclose compliance failures. This should include the potential issues that are in scope for disclosure and who will make the disclosure. In most cases, the disclosure of compliance issues should be handled by the general counsel or his designee such as the CCO. The use of outside counsel experienced in such matters is a common and highly recommended practice. Of course, a professional and highly managed internal investigation should be conducted to determine the validity of the issues. Once the allegations have been corroborated, appropriate disclosure is needed. Compliance Insight 10.4 provides strategies for improving compliance risk assessment capabilities.

Reasonable Response After the Discovery of a Business Conduct Violation

The FSGO require that an organization take reasonable steps to respond to the discovery of a violation. However, the question may arise, what constitutes “reasonable” steps? The FSGO recognize that not all organizations are alike and that they will need to respond to violations differently. There are three factors that will determine what is reasonable and what precise actions are necessary for a program to prevent and detect violations and be considered effective. They are: the size of the organization; the likelihood that certain offenses will occur; and the history of the organization.

The requisite degree of formality of a program to prevent and detect violations of law will vary with the size of the organization. The larger the organization, the more formal the program should be. A larger organization should generally have established written policies defining the standards and procedures to be followed by its employees and other agents.

The likelihood that certain violations will occur because of the nature of an organization’s business also factors into the decision-making process. If because of the nature of the business there is a substantial risk that certain types of offenses may occur, management must take steps to prevent and detect those types of offenses. For example, if a company deals with toxic substances, it must be prepared for spills and take steps to prevent them.

An organization’s prior history may indicate types of offenses that it should take actions to prevent. Recurrence of misconduct similar to that which an organization has previously committed casts doubt on whether it took all reasonable steps to prevent such misconduct. An organization’s failure to incorporate and follow applicable industry practice or the standards called for by any applicable government regulation weighs against a finding of an effective program to prevent and detect violations of law.23
210THE SEVEN STEPS IN PRACTICE (PART II)COMPLIANCE INSIGHT 10.4: UPGRADING COMPLIANCERISK ASSESSMENT CAPABILITIESA Compliance and Ethics Leadership Council study highlights com-panies’ strategies to enhance their ability for better assessing exposureto compliance risks. The six most significant research findings arepresented below:Finding #1—Consider a Mixture of External and Internal Indi-cators.Leading companies are sensing potential compliancerisks by closely examining the size and root causes of inci-dents in their industry, evaluating past audit results, andassessing macrotrends inside their organization such as lead-ership changes and staff turnover. Other leading indicatorsinclude 1) performance surprises (i.e., extraordinary financialperformance of a specific business unit) and 2) informationgleaned from exit interviews and survey results.Finding #2—Promote Forward Thinking in Risk Assessments.Leading companies emphasize the importance of anticipatingfuture compliance risks (occurring in a one- to three-yeartime frame) that could jeopardize business plans, includingthe recognition of consumer responses that fuel regulatoryactivity or situations in which a competitor was penalized forconduct that was perceived to be in line with regulations orsocietal expectations.Finding #3—Firmly Engage Business Unit Leadership in the RiskAssessment Process. 
Leading companies engage business unit leadership to emphasize their stake in the assessment process to leverage their awareness of key risk areas, and to prevent complacency by requiring selected business unit managers to present risk findings to senior management-led compliance committees.

Finding #4—Create Greater Business Unit Accountability by Integrating Compliance Risk Assessment in the Strategic Planning and Budgeting Process. Leading companies increasingly make compliance risk assessment a required part of the annual business-planning and budgeting process at the business unit level, driving local management to consider and respond to
compliance risks that pose the greatest threat to the achievement of their financial goals and strategic priorities.

Finding #5—Collaborate Extensively with Other Functions That Have Distinct Subject-Matter Expertise. In evaluating the effectiveness of internal controls that would help mitigate inherent compliance risks, compliance and ethics teams begin to leverage the institutional knowledge and organizational reach of the finance function, including internal audit, the controller’s office, and, if applicable, the Section 404 office that oversees the documentation and testing of all internal controls supporting the accuracy and integrity of financial reporting.

Finding #6—Reduce Bias in Risk Prioritization Ranking. Leading companies and ethics functions reduce the risk of bias and quick judgment by rating the impact of a risk across multiple dimensions (including financial, legal, and reputational) and designing a rating scale that clearly defines the meaning of risk scores and forces respondents to make hard decisions about the criticality of the risk.

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2005.

Compliance Emergency Preparedness Kit

All companies should have a Compliance Emergency Preparedness Kit (CEPK) when serious compliance failures are discovered. These failures may include FCPA violations, financial accounting fraud perpetrated by senior officers, other criminal violations that require reporting to government authorities, as well as any issue that could reasonably find its way to page one of the Wall Street Journal. Unlike a regular emergency kit, which contains water, food, and medical supplies, this kit covers in detail what to do in case of a compliance emergency. Companies should be prepared for it, because it could happen at any time.
And just like a natural disaster, it can’t be avoided but with proper preparedness the damage can be minimized.

Advance preparation is an element of Enterprise Risk Management (ERM). ERM involves risks and opportunities and according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is defined as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”24 A well conceived CEPK addresses the ERM requirement to identify potential events that can significantly impact an organization.

COMPLIANCE INSIGHT 10.5: A CORPORATE COUNSEL’S VIEW ON RISK ASSESSMENT AND FLEXIBILITY IN FOREIGN OPERATIONS

Steven A. Lauer is Corporate Counsel for Global Compliance Services, a renowned worldwide provider of third party hotline services based in Charlotte, North Carolina. Lauer’s wealth of experience includes serving as a general counsel, attorney in private practice, consultant, and Executive Vice President of The Metropolitan Corporate Counsel, a monthly journal for in-house attorneys. He has authored numerous articles on compliance as well as speaking at conferences and seminars on the subject. Lauer is Vice Chair for Programs of the Corporate Counsel Committee of the American Bar Association Section of Business Law and a member of the Corporate Compliance Committee of the ABA’s Section of Business Law. Here he provides his view on risk assessments and operations in foreign countries.

The best compliance programs rest upon disciplined, rigorous analyses of the business-, ethics- and compliance-related risks attendant to their business operations. Moreover, a periodic review of the assumptions on which the program is based—in essence, a variant of the risk assessment completed at the program-design stage—should take place as well in order to address two basic answers: have the risks changed by virtue of new or modified business activities, new or amended laws or regulations or the identification of previously unappreciated risks associated with existing activities? Has the ability of the organization to monitor and/or to minimize the potential impact on its business of those risks changed, whether because the organization’s financial condition has changed (for the better or worse), its capabilities have changed (e.g., the departure of internal experts who understood and led the firm’s response to those risks), or some other changed dynamic indicates the need to re-assess the compliance and ethics program’s capabilities? Such an assessment—at the beginning of an organization’s compliance and ethics program or during its lifetime, should also tie into its business and other operations in multiple ways. Do the results of those assessments provide information with which to analyze the organizational excellence or quality program of the business? Does the firm’s dispute-management process take advantage of its compliance and ethics program and does the compliance and ethics program learn from its dispute-management history?

An organization’s compliance and ethics program must be flexible. For example, a whistle-blowing hotline for a multinational organization with operations in the European Union must take into account the varying scopes for permissible allegations that the nations that belong to that Union allow. France’s interpretation of the permissible scope of a hotline is less permissive than that of Belgium or Germany. Country-specific telephone lines and allegation-intake measures, and particularly awareness campaigns that publicize the hotline in conformity with those distinct requirements, are among the useful, even necessary, mechanisms in such a situation. Clients use those tools to implement as consistent a hotline protocol as possible while meeting the varying expectations and demands of countries’ laws and regulations. Likewise, the training for an organization’s employees must also take into account jurisdiction-specific compliance expectations, like the supervisor-training needs regarding harassment that are mandated in California, Connecticut, and several other states.

A CEPK contains a checklist of things to do in case the company discovers a compliance failure. The types of issues and events that would trigger an emergency response must be fully discussed and documented as needing such a response.
Once defined, the kit will document the roles and responsibilities of the CEO, CFO, General Counsel, Chief Compliance Officer, other senior executives, Board of Directors, and other key personnel. The kit will include staff responsibilities, which personnel will be involved in any investigative response, the role of outside counsel, and even name the official spokesperson who will be responsible for disclosing the violation to outside parties. The names and contact information for outside counsel and other specialists who may be called upon to assist in case of such an emergency should also be readily available. The kit should also include contingency plans for action if the violator(s) is found to be the CEO, CFO or other key person. With these step-by-step instructions, a company will not be shocked into inaction and will know exactly how to proceed and handle whatever happens.

It is also highly recommended that the organization create a “compliance resume” and include it in the CEPK. This resume would include a detailed
description of prior compliance issues that the company discovered and mitigated including remedial action. A compliance resume is also one of the many recommended steps for compliance with the Seven Steps of the FSGO. In the event a compliance issue or criminal violation occurs, the organization can demonstrate to the independent auditors, SEC, DOJ, FBI, and others that it took every reasonable step to comply with the highest standards of corporate governance.25 A summary of the FSGO amendments and related action steps to achieve effective compliance is included in Appendix A.

This kit will help to demonstrate that the company took strong remedial action after the discovery of the violation. The FSGO require the company to take reasonable steps to respond appropriately. The reasonableness and appropriateness of the response will, of course, depend on the type of violation, the type of company, the industry that it is in, and the regulations with which it must comply. A major violation in a heavily regulated industry will demand much swifter and decisive action than a minor violation in a less heavily regulated one. These considerations should go into the kit, with different checklists depending on the type of violation uncovered. With appropriate action and preparedness, the company can prove that it took every reasonable measure to comply with the highest standards of corporate governance.

AVOIDING ACCIDENTS ON THE ROAD TO COMPLIANCE

A mistake that a compliance program can make is focusing too much on the “easy” things and too little on the “hard.” It’s easy to do the training, prepare and roll out a code of conduct, institute a hotline, talk up the culture and tone at the top.
It’s much harder to tackle areas such as discipline, audits, monitoring, incentive compensation, and being the corporate cop. Compliance expert Joe Murphy says that there is an “overemphasis on the soft side of compliance such as training, a code of conduct, and the new buzzword of culture, because they are easier to tackle than the tougher issues.”26 Yet, it’s the tougher issues that can get an organization into trouble.

Consistent, fair, and incremental discipline is often one of the hardest areas for an organization. While each case of discipline involving violation of business conduct must be evaluated separately, there must be a predictable and balanced approach when fraud and policy abuse occur. There must not be different standards of disciplinary action for executives and other employees. If a salesperson is terminated for falsifying an expense report, then an executive who does the same offense must also be terminated. Sending mixed messages, especially in disciplinary actions, can be very damaging. All organizations and their employees must be responsible for
both the spirit and the letter of the law with a zero tolerance for fraud violations.27 Discipline and how it is appropriately administered can do much to reinforce the ethical tone and culture of an organization.

It’s no different with audits, monitoring, incentive compensation, and other tough issues. These are critical areas for compliance and they must be strongly addressed. As Murphy further states, “Don’t just talk, do.” There must be a program in place that responds to all compliance elements. Murphy adds that “an organization can’t design its compliance system based on a Pat Gnazzo, it must design it based on an Andy Fastow.”28 That makes great sense. Gnazzo, the longtime CCO at United Technologies and currently the CCO at CA, Inc. is a highly experienced compliance professional with great integrity and accountability. At both companies, he has built excellent compliance programs. Gnazzo and his compelling compliance program at CA were profiled in Chapter 5.

People with integrity who always do the right thing are not the ones to worry about. Companies need to have compliance programs for the potential Fastows who might not always do the right thing. Fastow, the former Enron CFO who pleaded guilty for his part in the massive accounting fraud and who subsequently testified against Jeffrey Skilling and Ken Lay, is who the compliance program should be built for.

It’s a given that Gnazzo will oversee a strong compliance framework wherever he is but what happens when he leaves? What if in the future, the CCO is inexperienced or an ineffective leader and fails to continue the prior program or succumbs to pressure to weaken it? What if the CEO is an overpowering personality who is also corrupt? Will the compliance system be able to provide true checks and balances against the abuse of power? Build the program to ensure the behavior of a weak person and not just the strong.
Murphy argues that compliance can be imbedded in the structure of an organization to overcome this. Having a strong and independent board of directors is another important element for effective compliance.

The Sarbanes-Oxley Act requires that each audit committee have at least one member who is a “financial expert.” This person must have an understanding of generally accepted accounting principles and financial statements; experience in the preparation or auditing of financial statements for comparable companies; experience with internal accounting controls; and an understanding of audit committee functions. The reasoning for this expertise is sound and further protects a public company. Boards have as their members CFOs and others with notable financial experience and reputations. So, why isn’t there a similar requirement for boards to have chief compliance officers as members? Just because this requirement isn’t mandated in Sarbanes-Oxley, doesn’t mean it shouldn’t be followed. The justification is as strong as the requirement for a financial expert.
Very few companies today have chief compliance officers sitting on their boards. That should change and change soon. A compliance officer adds compliance literacy and backbone to a board of directors who must provide that strong corporate oversight role. The role of corporate cop and gatekeeper is an absolute necessity on a board. If Adelphia Communications Corporation had an independent board with a compliance officer as a member, one can argue that the corporate fraud that brought down the company and resulted in prison terms for their CEO, CFO, and other executives, may not have occurred.

The FSGO’s Seven Steps are great tools to use in implementing an effective compliance program but they only provide the foundation and framework to build upon. Great organizations know that much more needs to be done to build world-class compliance programs. “It is up to the organization to tailor a program to meet its organization’s challenges and to provide flesh, blood, muscle, and life to the program. The Sentencing Guidelines’ seven elements of an effective program are simply minimum requirements.”29

NOTES

1. 2005 Federal Sentencing Guidelines Manual, Ch 8, Sentencing of Organizations, November 1, 2004, §8B2.1(b)(4)(A).
2. “Summary of the 2004 Federal Sentencing Guidelines Amendments and Recommended Action Steps,” General Counsel Roundtable, June 2004.
3. Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, Inc., 2006), 112.
4. “Establishing a Compliance and Ethics Program: Designing and Distributing the Code of Conduct,” Corporate Executive Board, October 2005.
5. “Chinese New Year,” ReligionFacts.com, www.religionfacts.com/chinesereligion/holidays/chinesenewyear.htm; The GAP, Inc. Code of Business Conduct, Jan.
1, 2005, 6, www.gapinc.com/public/documents/CodeEnglish.pdf.
6. “Chinese New Year,” ReligionFacts.com, www.religionfacts.com/chinesereligion/holidays/chinesenewyear.htm.
7. The Defense Industry Initiative on Business Ethics and Conduct, 2003 Annual Report to the Public, 5, www.dii.org/annual/2003/AnnualReport2003.doc.
8. Ibid.
9. “Summary of the 2004 Federal Sentencing Guidelines.”
10. Biegelman and Bartow, Executive Roadmap, 264.
11. Ibid.
12. Ibid., 269–71.
13. Ibid., 268.
14. Ibid., 254–81.
15. “Establishing a Compliance and Ethics Program: Developing a Program Charter,” Compliance and Ethics Leadership Council, October 2005.
16. 2005 Federal Sentencing Guidelines Manual, Ch 8, Sentencing of Organizations, November 1, 2004, §8B2.1(b)(6).
17. Ibid.
18. Management Antifraud Programs and Controls, Statement on Auditing Standard 99, “Consideration of Fraud in a Financial Statement Audit,” American Institute of Certified Public Accountants, 2002.
19. Biegelman and Bartow, Executive Roadmap, 247–48, 356.
20. Steven D. Levitt and Stephen J. Dubner, Freakonomics: A Rogue Economist Explores the Hidden Side of Everything, (New York: William Morrow, 2005), 23.
21. 2005 Federal Sentencing Guidelines Manual, Ch 8, Sentencing of Organizations, November 1, 2004, §8B2.1(c).
22. “Summary of the 2004 Federal Sentencing Guidelines.”
23. “Supplement to Appendix C—Amendments to the Guidelines Manual,” United States Sentencing Commission, November 1, 2004, 102, www.ussc.gov/2004guid/APPC-2004SUPP.pdf.
24. Enterprise Risk Management—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, (2004), www.coso.org/Publications/ERM/COSOERMExecutiveSummary.pdf.
25. “Summary of the 2004 Federal Sentencing Guidelines.”
26. Joseph E. Murphy, telephone interview with author, April 27, 2007.
27. Biegelman and Bartow, Executive Roadmap, 355–56.
28. Murphy, interview.
29. Dr. John D. Copeland, “The Tyson Story: Building an Effective Ethics and Compliance Program,” Drake Journal of Agricultural Law, Winter 2000, 348.
CHAPTER 11

Recognizing Compliance Excellence: Premier, Inc. and Winning the Baldrige Award

“Compliance isn’t something done by the external auditors who come in periodically and review progress. It should be done daily by everyone in the enterprise whose job responsibilities touch any of the defined internal controls.”
Sumner Blount, Director of Security Solutions, CA, Inc.

Much of this chapter’s content was provided by Steven Lauer with permission from Premier, Inc. The Premier Code of Conduct and the Premier Group Purchasing Code of Conduct are copyrighted material of Premier, Inc. and reprinted and referenced in this chapter with their permission. In addition, Premier, Inc. graciously gave Steven and me access to the specific tools and elements of their excellent Ethics and Compliance Program so it could be profiled here. For that I am most grateful and appreciative to both Premier, Inc. and Steven.

As the compliance and ethics profession evolves, the need to demonstrate how such efforts improve the performance of the organization becomes more important. Like any other component of a company’s operation, a compliance department’s contribution to that company’s quality and continuing success likely will determine—or at least affect—that department’s effectiveness and stature internally and externally.

Some have tried to establish the inherent value of an ethics and compliance program by focusing on the prevention of illegal activity and ethical lapses. While this is an important component of a compliance and ethics program, this is only part of the equation. This approach also presents
considerable difficulty, as it requires the proof of a negative. Accumulating proof that a company would have violated a law or suffered a lapse in adherence to its ethical standards represents a difficult challenge at best. Even if one can demonstrate that the company avoided violating a law or other standard, demonstrating that the company’s ethics and compliance program was the reason that the violation was avoided represents a significant additional hurdle. Evidence of the causal relationship between an ethics and compliance program and the avoidance of a violation is extremely rare.

Can an ethics and compliance program provide “positive” benefits to a company that are more demonstrable than the absence of problems? How can such value be shown and what types of metrics would be of assistance in that effort?

The National Institute of Standards and Technology (NIST) annually selects winners of the Malcolm Baldrige National Quality Award, which it credits with “making quality a national priority and disseminating best practices across the United States.”1 That award recognizes “businesses—manufacturing and service, small and large—and . . . education, health care and nonprofit organizations that apply and are judged to be outstanding in seven areas: leadership; strategic planning; customer and market focus; measurement, analysis, and knowledge management; human resource focus; process management; and results.”2 As NIST has noted, “the Baldrige criteria for performance excellence have played a valuable role in helping U.S. organizations improve. The criteria are designed to help organizations improve their performance by focusing on two goals: delivering ever improving value to customers and improving the organization’s overall performance.”3

In 2006, NIST selected Premier, Inc. as the winner in the service category.
While the focus of the Baldrige Award is on an organization’s excellence across the board, in announcing that award to Premier, NIST noted, among other things, that “Premier has taken a leadership role in promoting best practices in ethical conduct, transparency, and accountability within its industry.”4 Since NIST determined that Premier’s ethics and compliance program (ECP) deserved mention as part of the basis for that award, that program also might serve as a valuable model for how a corporate ethics and compliance program can—and can be seen to—add value to a business enterprise. Let’s examine Premier’s ECP and how it contributes to organizational excellence at that company.

PREMIER, INC.

Premier, Inc. occupies a strategic position in the health-care industry. Not-for-profit hospitals and health system organizations are its owners and
it is the second largest health care strategic alliance in the United States. Premier has 1,000 employees in corporate offices in Charlotte, North Carolina and other locations in California and Washington, DC. The company was created in 1996 and now includes three business units to deliver services to its owners: group purchasing and supply chain management; insurance and risk management; and information and performance improvement. Its group purchasing activities represent the largest such operation in the country measured on the basis of the annual volume of goods purchased on behalf of its hospital owners.

Premier describes a group purchasing organization as “any entity that as all or part of its business activities is authorized to act as the agent of a provider of health care services to enter into contracts with vendors, pursuant to which vendors agree to sell or furnish goods or services consistent with the terms set forth in the vendor contracts.”5 Premier’s Website states that its core purpose is “to improve the health of communities.” They have an annual revenue of $433 million.

Premier’s group purchasing business must comply with federal laws and regulations relating to contract administrative fees and satisfy the “safe harbor” provisions in federal anti-kickback laws. As a group purchasing organization (GPO) Premier satisfies the standards expressed in the Code of Conduct for GPOs developed in 2002. Many other parts of its businesses also face regulatory constraints at the state level, like its insurance activities. The hospitals that own Premier face their own host of regulatory mandates and Premier’s operations must be consistent with the regulatory constraints that they face.

Within this overall regulatory and market environment, Premier applied for and received the prestigious Baldrige Award.
How did Premier’s ECP contribute to that success?

A CALL TO ACTION

Oftentimes, improvements in compliance are spurred by questionable conduct, public disclosures, government inquiries, and a subsequent move to an ethical culture. Premier went that route to a heightened state of compliance. In 2002, Premier was at the center of a government investigation into anti-competitive business practices and conflicts of interest related to their buying practices. Premier was not the only organization named in media reports and Senate hearings but Premier’s executive leadership decided “that even the appearance of a conflict of interest was unacceptable.”6 Premier’s leadership decided that they wanted to be a role model for the industry for best practices in ethics and compliance.
PREMIER’S RESPONSE

In March 2002, Premier’s Audit Committee commissioned a study of Premier and the GPO industry to recommend best practices and procedures that Premier could consider for improvements in ethical conduct. Premier retained Kirk O. Hanson, a highly regarded university professor and business ethicist, to conduct the study. Hanson was just the person to undertake such a project. He is the Executive Director of the Markkula Center for Applied Ethics at Santa Clara University in Santa Clara, California. The Markkula Center is one of the preeminent ethics centers in the United States with extensive experience working in business, government, and health care ethics.

The Audit Committee “wanted an independent assessment of the ethical issues facing the industry and an independent set of best practice recommendations.”7 The study would focus on business practices within the GPO industry, the current ethical climate within the industry, identification of best practices in compliance, a determination of the state of Premier’s compliance program, as well as opportunities for improvement.8 Hanson had complete independence in the study and required that his report be made public upon completion. He believed that a public release of the report not only demonstrated his independence but spoke volumes about the intent of Premier to truly improve both the industry and its company.

In conducting his research for the study, Hanson interviewed almost 100 company executives, directors, employees, consultants, partners, vendors, journalists who had written on GPO issues, and Congressional staff involved in the related government inquiry. Hanson visited every Premier location in the United States and requested and reviewed countless company documents. After completing the first draft of his report, he assembled a blue-ribbon committee of experts in the field of ethics and organizational management to review his findings.
He then presented his draft recommendations to groups including Premier executives, employees, board members, and health care executives from partner organizations and requested their feedback. After this extensive review, Hanson then met again with Premier’s executive leadership to present his findings and recommendations.9

Hanson’s study was entitled “Best Ethical Practices for the Group Purchasing Industry: A Report to the Audit Committee of the Board of Directors of Premier, Inc.” (GPO Report) and was released in October 2002. Hanson’s report detailed 50 recommendations involving “ethical policies and practices . . . to cover most ethical questions specifically faced by GPOs. They address a number of practices that are not now, and some that have never been, practices of Premier, Inc.”10
The GPO Report covered general ethical standards and guidelines, conflict of interest issues, contracting practices, disclosures and related reporting, and governance reform. Key among the many recommendations was the need to institute the following compliance elements:

- Comprehensive code of conduct as a cornerstone for an ethical culture
- Gift policy that forbids GPO employees from receiving gifts from vendors
- Vendor code of conduct
- Disclosures by employees of equity interests in vendors
- Recusal for conflicts of interest
- Prohibition on insider trading
- Limitation on sole source contracts
- Annual financial reporting
- Appointment of an ethics and compliance officer
- Creation of a hotline
- Ongoing audit committee review and oversight
- Annual report to the audit committee on ethics performance and compliance11

In the GPO Report, Hanson commented that he received full cooperation from Premier’s management throughout the period of study. In addition, many of his recommendations were already being acted on even before his final report was issued. For all the 50 comprehensive recommendations, please refer to the GPO report.

PREMIER’S FIRST COMPLIANCE OFFICER

In January 2003, Megan Barry was hired as Premier’s first Ethics and Compliance Officer and is still at the company in this important role. Barry has extensive experience with multinational corporations in issues involving business ethics and corporate responsibility. She also has a track record for innovation in compliance. While at Nortel Networks in the 1990s, as their Director of Corporate Social Responsibility and Business Ethics, she posted their code of conduct on the Internet making them one of the first companies to do so publicly.

Barry knew that she needed to convince Premier employees of this major change in how the company did business and obtain their buy-in. She did this by telling them that the government was watching closely to see how Premier was responding to the issues raised in the Senate hearings.
She also told employees that instituting an effective compliance
program would ensure the viability of Premier and help the organization grow. Barry instituted education for all of Premier’s employees so they completely understood all the changes in policy as she reworked their ethics and compliance program. “All” employees meant all employees, whether a member of the maintenance staff or the leadership team.

Barry’s “experience at Premier suggests that a multi-pronged approach strengthens employees’ efforts to act responsibly. This approach includes enhancing employees’ decision making, fostering an overall ethical culture, and identifying and providing sufficient resources to effectively address ethical issues.”12

PREMIER’S ETHICS AND COMPLIANCE PROGRAM

To understand the role of Premier’s ECP in its application for and receipt of the Baldrige Award, we must first understand the ECP. What does it include and how does it operate? How does it contribute to organizational excellence at Premier?

Premier’s ECP includes the following elements:

1. Code of conduct. In 2002, the Healthcare Industry Group Purchasing Association (HIGPA), at the suggestion of a Senate committee, began to develop a voluntary code of conduct. Premier, as a member of that association, participated in that effort, but Premier had previously retained an independent ethicist (as described above) to analyze the group purchasing industry and to provide to Premier recommendations to improve its policies and practices.
The ethicist’s report and recommendations as detailed above and released in October 2002, served as the foundation for Premier’s “Group Purchasing Code of Conduct.” That code covers all the issues identified in the code adopted by HIGPA but exceeds the standards contained in the industry-wide program in several respects. For example, unlike the HIGPA code, Premier prohibits insider trading by its employees and those of any Premier-affiliated entity “based on knowledge of [Premier’s] vendors or their prospects gained through [the employees’] employment” at Premier.13 In another example of the more inclusive nature of Premier’s code, “[n]o advisor who is in a position to influence Premier GPO contracting decisions shall serve as advisor in an area in which they hold extensive equity interests,” whereas the HIGPA code does not address this possible conflict at all.14 The HIGPA code does call for advisors to disclose such interests and to recuse themselves from decisions by the GPO but to not recuse themselves as advisors on such issues. Premier’s Business Conduct Guidelines apply to activities
of the company outside the scope of its group purchasing (to which the HIGPA code would apply) and contains many provisions and ethical standards that are similarly outside the scope of the group purchasing activities. Premier’s Group Purchasing Code of Conduct is available at www.premierinc.com/about/mission/ethics-compliance/code-of-conduct-read-friendly/code-of-conducttable-of-contents.htm and the HIGPA code can be accessed at www.higpa.org/about/code/.

2. Employee training. Premier’s employees receive training on a variety of subjects and in a variety of ways. In addition to training on substantive job tasks and responsibilities, Premier’s ethics and compliance officer provides to Premier’s employees the following types of education on ethical business practices: annual code of conduct training (in person, by video teleconference, and through Web-based courses); orientation for new employees that includes one hour of ethics training; and training within the company’s business units that includes ethics responsibilities and practices, and the application of Premier’s code of business ethics and conduct to employees’ day-to-day job-related activities. Premier’s employees also receive training on topics such as process management and improvement, employee, workplace and environmental safety, disaster recovery, and other subjects.

3. Ethics and compliance officer. Premier’s ethics and compliance officer reports directly to the Audit Committee of the company’s Board of Directors and prepares an annual Code of Conduct Compliance Report. The Ethics and Compliance Office provides central oversight and support for Premier’s ECP and works with senior management, Premier’s hospital owners, suppliers, and employees to monitor adherence to the company’s Group Purchasing Code of Conduct and Business Conduct Guidelines.

4. Hotline.
Premier established a third-party-provided mechanism by which employees can report, anonymously if they so choose, violations of the company’s Group Purchasing Code of Conduct, its Business Conduct Guidelines, and other policies.

5. Ethics-related communication. Premier conducts a comprehensive communication campaign targeted to employees regarding the operation of its ECP and the various means by which they can raise concerns and issues. Those communications take a variety of forms. Employees receive e-mails informing them of upcoming compliance and ethics training courses. Premier posts on its intranet short video clips for the same purpose; those clips include a series of screen shots highlighting ethics-related messages that reinforce the purpose of the training. Employees who fail to attend the mandated ethics and compliance training receive follow-up e-mail reminders. Answers to ethics-related
questions that employees submit through the annual Values Conference channel are communicated back to employees by means of a weekly newsletter that is distributed to all employees. The Ethics and Compliance Office publishes a monthly “topics” column that appears in several newsletters.

6. Case and issue management. Premier created a system that enables the Ethics and Compliance Office to track reports of inquiries, allegations, resource requests and the submission of conflict-of-interest disclosure forms. Employees can access the disclosure form, for example, through the company’s intranet. When doing so, they follow online instructions and guidelines for its completion and submission. The Ethics and Compliance Office sends reminder e-mails to employees who fail to complete the form in a timely fashion.

7. Competency assessment tool. Premier measures employees’ adherence to Premier’s purchasing code of conduct through its VERIFY Self-Monitoring Group Purchasing Code of Conduct Compliance Program. Certain employees (called Attesters) attest to the compliance of their business processes and practices with the company’s Code of Conduct. They identify the procedures that they follow to verify compliance, the documentation of those procedures and the underlying level of compliance, along with any exceptions or other comments. They submit the results of those analyses to the Ethics and Compliance Office. The supervisors of the attesters review their attestations. The Ethics and Compliance Office reports on the aggregate results of those annual attestations in its Annual Group Purchasing Code of Conduct Compliance Report.

8. Survey of ethical reputation. A third-party firm measures adherence to the purchasing code of conduct annually through a survey of Premier’s employees. That firm conducts the survey confidentially and reports the data to Premier in an aggregated fashion so that individual responses are blind.
Senior management and Premier’s Board of Directors review the survey results.

9. Audit Committee. The Audit Committee of Premier’s Board of Directors receives quarterly reports on progress against the initiatives of the Ethics and Compliance Office and compliance with the purchasing code of conduct. Those reports identify ethics-oriented key performance indicators for the company.

How does the ECP support Premier’s organizational excellence? Can we identify any concrete ways in which the ECP furthers Premier’s goals of “be[ing] a major influence in reshaping health care” and assisting its owners/customers to “be the leading health care systems in their markets”?15
Those components of the ECP—or comparable components—appear in many companies’ programs. What distinguishes Premier’s ECP from its counterparts at other organizations? Can Premier’s ECP serve as a model for how a corporate ethics and compliance program can serve business goals distinct from those related directly to ethics and compliance issues? Can a compliance professional build a more positive business case for such a program?

COMPLIANCE AND ETHICS TOOLS AND ORGANIZATIONAL EXCELLENCE

Premier utilizes the various elements of the ECP to improve its business operations and lessen the chance of noncompliance and ethical lapses. For example, the various communications channels in the ECP constitute ways in which the company can learn about the need for changes to those operations. When the company’s third-party vendor for the hotline receives a call—whether a complaint, concern or inquiry—or another communication arrives that identifies a failure to follow company procedures or suggests a way in which the company might operate more efficiently or effectively, Premier can review the report in order to learn if that failure offers an opportunity to design or to implement a business improvement. Some employees use the various communications channels in the ECP to submit suggestions for operational improvements directly. Examples include the following:

Premier sponsored a “Lunch and Learn” program for employees whose job changes at the company would involve relocation.
An employee who had relocated noted that information regarding tax-related impacts of relocation would enable employees moving for Premier’s benefit to be more productive by reducing some of the stress associated with that process.

An employee submitted to Premier’s employee suggestion box (called “Premier Ideas”) a suggestion to make available to employees for purchase, items such as shirts, pants, and office products bearing the Premier logo in order to promote corporate spirit. In response, Premier appointed an employee as the point of contact through whom employees can purchase such items. Premier communicated that decision and appointment by means of a company newsletter called “Monday Minutes.”

The office floors in Premier’s Charlotte, North Carolina, facility contain many cubicles. An employee noted that finding one individual among
the cubicles was a confusing process. The company prepared maps of the floors, identifying cubicles and the employees who occupy them, that are now posted by the elevators in that facility.

When three organizations merged in 1996 to form Premier, Inc., management identified a need to forge a single set of values for the combined organization. Accordingly, as part of a “values initiative,” each of those pre-existing organizations nominated 4–5 individuals to determine and validate the combined organization’s values. Premier held its first “Values Conference” in 1998, where employees discussed the company’s values and how to integrate them into operations. That conference led to the creation of teams to identify the underlying behaviors that would operationalize those values. The Values Conference has become an annual event attended by all employees. “Premier’s Values Team and sub-teams are examples of how Premier gathers employee input and diverse opinions to guide organizational improvements. The processes facilitate a systematic collection of social responsibility, customer and employee input through an annual conference, a Values Team, cross-location sub-teams, and a values e-mail box.”16

Premier provides its employees multiple avenues by which to raise ethical and operational concerns.
The company’s “Vendor Grievance process gives suppliers an avenue to report concerns, providing for any grievances to be reviewed, responded to, and used in improvement.”17 Premier’s vendors can access that grievance process through Premier’s website at www.premierinc.com/about/suppliers/vendor-grievance-policy.jsp. Whether a vendor has a contract-specific grievance or a generalized one, it can submit that grievance by e-mail, receive a confirmation electronically, and receive a decision within thirty days of Premier’s receipt of the matter. Vendors’ rights under those procedures appear at www.premierinc.com/about/suppliers/bidders-rights-responsibilities.jsp.

Premier treats its employees as a valuable resource, in terms of both its ongoing operations and its business improvement efforts. The annual training that constitutes an important element of the ECP, much of which is conducted in face-to-face format, enables the ethics and compliance officer to measure the effectiveness of that training and to solicit feedback from those employees who experience that training. That feedback can include information and ideas relative to necessary or advisable organizational or process improvements.

Training employees and reinforcing a culture of compliance improves Premier’s operation and its ECP in other ways—ways that dovetail nicely with the 2004 changes to the Federal Sentencing Guidelines for Organizational Crime. In those changes, the United States Sentencing Commission provided much more detailed guidance on how a corporate compliance and
ethics program could qualify as an “effective” program and the benefits that might accompany that label. One of the changes made by the Sentencing Commission in 2004 directs that a “compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”18

Several elements of Premier’s ECP bring that admonition to life. “Senior Leaders use [Premier’s] values-based rewards and recognition program to personally support and reward individual and team-based behavior through use of [its] Employee Choice Awards, unit rewards and Premier awards programs.”19 Premier’s chief executive officer “personally presents Premier Awards recognizing values-based behaviors in work, Team Awards, and the Turtle Award during the Values Conference; Senior Leaders are first to congratulate winners. The Premier Team Award (based on [Premier’s] Core Values and American Society for Quality team award criteria) recognizes project teams obtaining significant results while embodying Core Values.”20 Employees nominate their associates for those awards and review the nominations. The winners receive publicity on Premier’s Web site and in employee gatherings. The CEO personally selects the winner of the Turtle Award, which “celebrates an employee’s ‘sticking its neck out’ at some risk to pursue a desired outcome, regardless of ultimate success.”21 Employee Choice Awards over the course of a year “recognize values-based behaviors of both individuals and teams.”22 Other awards at the business-unit level also provide opportunities to recognize positive ethics behavior on the part of employees.
All of these recognition programs “are strong performance motivators.”23 Clearly then, Premier implemented several well-thought-out employee recognition mechanisms that reinforce its ethics and values. Those mechanisms exemplify the Sentencing Commission’s goal that organizations develop “appropriate incentives to perform in accordance with the compliance and ethics program.”24

Premier has determined how to advance its interest in business excellence through the careful design and use of elements of its ECP. In doing so and in winning the Baldrige Award, Premier has outlined a means by which other companies can build a more positive argument to support their ethics and compliance goals.

In a related and reinforcing postscript, Premier was a recipient of the 2007 Charlotte Ethics in Business Award. The award is presented annually by the Charlotte (North Carolina) chapter of the Society of Financial Services Professionals. The award honors “companies that demonstrate a commitment to ethical business practices in their operations, management,
philosophies, and responses to crises or challenges.”25 A commitment to ethics and compliance always pays off.

NOTES

1. “Frequently Asked Questions about the Malcolm Baldrige National Quality Award,” National Institute of Standards and Technology, available at: www.nist.gov/publicaffairs/factsheet/baldfaqs.htm.
2. Ibid.
3. Ibid.
4. From NIST Press Release announcing award to Premier.
5. Premier, Inc. Group Purchasing Code of Conduct, Definitions, www.premierinc.com/about/mission/ethics-compliance/code-of-conduct-read-friendly/code-of-conductdefinitions.htm.
6. Andrew W. Singer, “Spattered and Scorched, Premier Seeks the ‘High Road,’” Ethikos and Corporate Conduct Quarterly, May/June 2004, www.singerpubs.com/ethikos/premier.html.
7. Kirk O. Hanson, “Best Ethical Practices For the Group Purchasing Industry: A Report to the Audit Committee of the Board of Directors of Premier, Inc.,” October 18, 2002, www.premierinc.com/about/mission/ethics-compliance/attachments/Appx-A%20Kirk%20Hanson.doc.
8. Ibid.
9. Ibid.
10. Ibid.
11. Ibid.
12. Jason Lunday and Megan Barry, “Connecting the Dots Between Intentions, Action and Results: A Comprehensive Approach to Ethical Decision Making,” Ivey Business Journal, March/April 2004, p. 1, www.iveybusinessjournal.com/article.asp?intArticleID=470.
13. Premier Code of Conduct.
14. Ibid.
15. These quotes are from the “Big Hairy Audacious Goal” (to be reached in ten to thirty years) that Premier hopes to achieve.
16. North Carolina Awards for Excellence: Malcolm Baldrige – Business Application for Premier, March 8, 2006, 27 (“Baldrige Application”).
17. Ibid., 7.
18. 2005 Federal Sentencing Guidelines Manual, Ch 8, Sentencing of Organizations, November 1, 2004, §8B2.1(b)(6).
19. Baldrige Application, 1.
20. Ibid., 3–4.
21. Ibid., 4.
22. Ibid., 3.
23. Ibid.
24. 2005 Federal Sentencing Guidelines Manual, Ch 8, Sentencing of Organizations, November 1, 2004, §8B2.1(b)(6).
25. “Local Companies Honored for Ethics in Business,” Charlotte Business Journal, April 27, 2007.
CHAPTER 12
Designing Robust Fraud Prevention Policies: The Airservices Australia Fraud Control Plan

“If a man defrauds you one time, he is a rascal; if he does it twice, you are a fool.”
Author Unknown

I was a presenter at an internal fraud prevention conference in Sydney in November 2005, and had a chance to listen to some of the other speakers. One of them was a security officer from Airservices Australia, a government-owned corporation based in Australia. He presented a fascinating session on how his company strengthened its internal fraud control through communicating an antifraud policy throughout the organization. I was very impressed with the Airservices Australia program that included linking internal fraud control with governance strategies, engaging senior management to deliver the antifraud policy, and monitoring the effectiveness of the program through key performance indicators.

I immediately knew this was a best practice in compliance that I would want to include in my book. Very few companies in the United States actually publish a fraud control plan and yet this is something that needs to be communicated internally and externally. I approached Airservices Australia for access to their Fraud Control Plan and related information on their program. They were extremely gracious in providing me all the information that I needed and I deeply appreciate their assistance. Airservices Australia (Airservices) has an excellent compliance program that they have
developed over the years. Later in this chapter, I am reprinting with their permission selected content from their Fraud Control Plan 2005–2007 and their Managers’ Guide for Fraud and Corruption Control. Organizations worldwide would benefit from the best practices developed by this innovative company.

Airservices prepares a Fraud Control Plan to meet the requirements of the Australia Commonwealth Fraud Control Guidelines. The Guidelines require a revised fraud risk assessment and plan every two years. Airservices first developed its fraud control plan in 1996. As Airservices’ Security Manager Michael Howard explained, “The simplified format of the current fraud control plan arose out of our experience with a number of frauds where established controls were not implemented and employees failed to recognise and report fraud. Maintaining the control environment through auditing, fraud awareness, and confidential reporting are vital.”

The Australian Government Attorney General’s Department is responsible for coordinating fraud control policy in Australia. This includes the implementation of the Commonwealth Fraud Control Guidelines, promoting best practices in fraud control, and effective risk management techniques.1 The Guidelines define fraud as “dishonestly obtaining a benefit by deception or other means.”2 The Guidelines apply to government agencies and other organizations that receive significant funding from the Commonwealth. While not required, it is highly recommended that organizations not covered by the Guidelines implement them as a compliance best practice.
Chief Executive Officers are responsible for instituting a fraud control plan in their respective organizations and the required reporting of fraud control activities.3

The Guidelines define what an effective fraud control plan must have. Included are a fraud control strategy that encompasses detection, investigation, and prevention; a risk assessment process; prosecution of all offenders as appropriate; fair and balanced disciplinary actions; recovery of the proceeds of fraudulent conduct; training of employees in fraud awareness and ethics; specialized training of fraud investigators; fostering a culture of compliance; publicizing the fraud control plan to employees; and reporting on fraud control actions and results.4

For reporting purposes, agencies need to collect various data related to their investigation and fraud prevention efforts. Included are the number of cases investigated; the number of cases referred to law enforcement for potential prosecution; the outcome of prosecutions; fraud losses suffered; recoveries; number of employees, contractors, and others involved in fraud and other violations; number of employees involved in fraud investigation and prevention efforts; the training and certifications for those involved in
fraud investigation and prevention activities; and the kind and amount of fraud prevention and ethics training provided to employees.

AIRSERVICES AUSTRALIA

Airservices Australia is a government-owned corporation providing safe and environmentally sound air traffic control management and related airside services to the aviation industry. The Australian Flight Information region covers 11% of the earth’s surface including Australian airspace and international airspace over the Pacific and Indian Oceans. Each year, Airservices manages air traffic operations for more than three million domestic and international flights carrying some 47 million passengers. The aviation industry also relies on Airservices for aeronautical data, telecommunications, and navigation services.

Airservices Australia’s corporate headquarters is located in Canberra, Australia. The corporation has a fixed asset base of $493 million across 600 sites and about 3,000 employees, including 1,000 air traffic controllers working from two major centers in Melbourne and Brisbane and 26 towers at international and regional airports. Airservices also provides aviation rescue and fire fighting services at 19 of the nation’s busiest airports where there are more than 350,000 passenger movements a year. As Airservices Australia says, “Airspace and airside, we do it all–from the ground up.”

Airservices includes in its annual report its commitment to fraud prevention. In the section entitled “Fraud Control” in the 2005–2006 Annual Report, it reads, “Airservices Australia has fraud prevention, detection, investigation, and data collection procedures and processes that meet its needs and, where required, those of the Commonwealth Fraud Control Guidelines. During the year, the corporation undertook a number of minor fraud investigations that led to disciplinary action against a small number of staff.”5

There are numerous compliance best practices contained within their Fraud Control Plan.
The Plan provides a definition of fraud that is clear and unmistakable as well as various examples of fraudulent behavior that have been observed. Information is provided on the disciplinary ramifications for misconduct as reinforcement that the company takes appropriate action in such cases. The Plan discusses the importance of fraud awareness as a deterrent and the need for all employees to quickly escalate suspicions of misconduct and violations of business conduct. The importance of a formally documented risk assessment and continuous monitoring are also reinforced to identify mitigating controls and a response to the fraud risk. Finally, the Plan defines the key measures of success to determine the effectiveness of the overall fraud prevention program.
COMPLIANCE INSIGHT 12.1: AIRSERVICES AUSTRALIA: HOW WE OPERATE

Airservices Australia’s Aspiration, Mission, and Values

Our Aspiration: Empowering people to lead through excellence and innovation

Our Mission: To be the preferred global partner for air traffic and related aviation services. We will achieve this through:
Keeping safety first
Being an employer and service provider of choice
World best operations
Profitable growth of commercial activities
Responsible environmental management

Our Values: In achieving our ambitious goals, we recognize the need for honesty, accountability and strong leadership to engender a spirit of unity and trust.

Reprinted with permission from Airservices Australia, © 2005.

The following are selected sections of the Airservices Australia Fraud Control Plan and they are reprinted with their permission (© Airservices Australia 2005).

Airservices Australia Fraud Control Plan 2005–2007

A message from the Chief Executive Officer

Government policy and good governance requires Airservices Australia to manage fraud risks, and the Board approved Fraud Control Plan, 2005–2007 addresses this objective.

Honesty, integrity and accountability are valued because they are the foundation for continued business growth and profitability. However, regrettably, it is a fact of life that a small number of
people in many organizations do not always share these principles, and organizations such as ours need to be prepared.

This Plan builds on our existing values and governance framework, and aims to increase the deterrence and detection of fraud by further developing the following key fraud control strategies:
Increased awareness
Identification and reporting
Maintaining confidentiality
Investigating and applying corrective action
Continually monitoring and improving performance

I commend the Plan to every member of the Airservices team in ensuring we stamp out fraud.

Greg Russell6

General

Introduction

Fraud is defined in the Commonwealth Fraud Control Guidelines dated May 2002 as “dishonestly obtaining a benefit by deception or other means.” This definition includes monetary gain and any benefit that is gained from the Government, including intangibles, such as information. Fraud may be committed internally by an employee or externally by a member of the public.

A proven case of internal fraud constitutes misconduct and breaches the Code of Conduct and provisions contained in certified agreements or contracts of employment. Fraud is also a crime under the provisions of the Criminal Code Act of 1995, and the proceeds of fraud may be recovered under criminal and civil court orders.

Airservices Australia acknowledges its corporate governance obligations under the Commonwealth Authorities and Companies Act 1997 and the Commonwealth Fraud Control Guidelines 2002 to implement sound financial, legal, and ethical controls. This includes having a fraud control plan (FCP) that is based on a current fraud risk assessment.

Fraud Incidents 2003–2005

Airservices Australia has been exposed to the following fraudulent activity in the past two years:
Use of Airservices Australia credit cards to purchase items for personal use
Theft of computer equipment
Use of false medical certificates to justify leave
Submission of false petty cash claims
Use of Airservices Australia credit card numbers by unauthorized third parties to purchase services
Submission of false invoices by third parties for services never received
Use of Airservices Australia time and resources (internet, telephones and sick leave) to conduct personal businesses and secondary employment
Overstating of mandatory qualifications to obtain employment
Use of misleading documents to maintain mandatory qualifications
Submission of false documents in respect to salary sacrificing

Most frauds involved Airservices Australia employees or contractors and were multiple incidents of low value conducted over a period of time. Investigations of the above frauds resulted in two former employees receiving custodial sentences and others being dismissed or disciplined. Airservices Australia recovered monies, where possible, through negation, court orders, and termination payments.

Fraud Control Policy

Airservices Australia Fraud Control Policy

The Board of Airservices Australia has established the following policy:

Airservices Australia is committed to minimizing the risk of fraud to our reputation, assets, and profitability. To achieve this we will:
Maintain and publish a fraud control plan in accordance with the Commonwealth Fraud Control Guidelines
Maintain and improve awareness of fraud
Document fraud control procedures
Encourage professional and ethical conduct by our employees and service providers
Encourage the reporting of suspected or actual instances of fraud
Maintain, support, and fully respect the confidentiality of any person making a report and any person named in a report, in accordance with the Commonwealth Information Privacy Principles
Apply best practice fraud investigation standards contained in the Crimes Act of 1914 and the Australian Government Investigation Standards
Take firm disciplinary action against proven offenders
Monitor, review, and continually improve our performance

All managers are accountable for the implementation and management of fraud control measures in their areas of responsibility.

Implementation Strategies

The requirements of the Fraud Control Policy can be grouped into the following five implementation strategies;
Increasing awareness
Identifying and reporting
Maintaining confidentiality
Investigating and applying corrective action
Continually monitoring and improving performance

Increasing Awareness

High ethical standards and professional conduct are the best form of fraud control. The primary purpose of fraud awareness is to build on the inherently high ethical standards of our employees, encourage them to be alert for fraud, to report suspicious activity, and to deter fraud. Fraud awareness highlights our experience with fraud and the controls that are in place to deter and detect fraud. An employee who commits fraud may be disciplined for misconduct, dismissed, and possibly charged for criminal offences in a court of law. When sentencing, judges take a serious view of Commonwealth employees who engage in fraudulent conduct while in positions of trust.

Our experience is that employees who engage in fraudulent behavior tend to be in positions of trust, and understand and can exploit weaknesses in the control environment.

We will increase fraud awareness by:
Continuing to educate managers and employees to make them aware of fraud and the consequences of committing fraud as an active deterrence
Encouraging professional and ethical conduct by employees and service providers and support people who make reports or identify fraud
Promoting the benefits of maintaining a positive control environment
Publishing the results of fraud prosecutions

Identifying and Reporting

A suspected fraud reported promptly may prevent a person from actually committing a fraud or engaging in further misconduct. Very small amounts of money taken over a long period of time, known as grazing, can lead to large amounts of money being stolen which may lead to a criminal conviction and/or a gaol7 sentence.

Early reporting of a possible fraud can minimize damage to our reputation and provide greater confidence to management and employees that we have a culture that does not condone dishonesty.

Controls are also designed to identify fraud. Systematic data analysis and modern software tools will be used to assist the early identification and detection of fraud. We will do this using a combination of the following measures:
Maintaining a fraud audit and compliance program, including data matching to target areas of high risks
Continuing self assessment programs for managers and the identification of localized fraud risks
Integrating fraud control checks into Audit Assurance programs
Further developing efficient and cost effective controls
Reporting all suspected or actual cases of fraud to the Office of Security Risk Management (OSRM)

Maintaining Confidentiality

The confidentiality of persons involved in an investigation will be maintained and respected to the extent Airservices Australia is able to do so. This will help to avoid rumours, the possibility of the willful destruction of evidence, prevent an alleged offender from interfering with witnesses and enhance our commitment to natural justice. Reporting of fraud is a sensitive issue, especially when an employee’s initial report implicates a supervisor or coworker.
We will do this by:
Supporting to the maximum possible extent, the confidentiality of any person making a report and any person named in a report, in accordance with the Commonwealth Information Privacy Principles.
Using and disclosing information about suspected or actual fraudulent activity only to those employees who need to know or when authorized by law.
Providing support to any person who makes a report of suspected or actual fraud.
Reporting incidents of fraud to immediate supervisory/managers or, where that is not considered a realistic option and confidentiality is required, reporting the matter directly to the OSRM either verbally or in writing.

Investigating and Applying Corrective Action

Airservices Australia will investigate all suspected instances of fraud. When a report of fraud is received, all available evidence will be preserved and controls will be implemented to reduce the risk of further losses. We will conduct internal investigations by:
Obtaining terms of reference for the investigation from the relevant business centre
Applying the principles of natural justice8
Considering the requirements of any certified agreements
Applying best practice fraud investigation case management, including the standards contained in the Australian Government Investigations Standards and the requirements of the Crimes Act of 1914
Completing preliminary internal investigations within 45 days
Providing detailed reports to management on the outcomes and recommendations of all internal investigations
Assisting law enforcement agencies with investigations relating to fraud committed against, or by any person acting on behalf of, Airservices Australia, including acts committed overseas that may breach Australian law

Where an allegation of fraud has been substantiated, we will take corrective action by:
Considering disciplinary action
Referring serious matters to the AFP9 for further investigation
Submitting briefs of evidence to the Commonwealth Director of Public Prosecutions (CDPP)
Fully supporting any prosecution being conducted by the AFP/CDPP on behalf of Airservices Australia by providing documents and personnel to assist prosecutions
Where an employee has been found to have committed fraud, we will initiate loss recovery action. We will do this by considering the following actions:
• Recovering losses from monies owed to employees, such as termination payments
• Applying for compensation orders during criminal proceedings
• Seeking civil court orders for the recovery of the debt
• Placing restraining orders on personal assets to recover the debt

Where offences involve official corruption, the Commonwealth may also recover monies from superannuation [10] accounts.

Continually Monitoring and Improving Performance

Fraud control strategies and controls are of little practical benefit unless they are monitored and improved along with business practices. Fraud controls must be integrated into published policies and procedures. Developing an integrated approach at all levels deepens the awareness of fraud and acts as a deterrent by displaying to employees and contractors that fraud can be quickly identified and is not tolerated. By building fraud controls into business processes, employees find them easier to understand and apply.

We will continue to monitor and improve our fraud control measures by:
• Regularly reviewing the fraud risk assessment
• Assessing whether current controls are adequate
• Identifying and implementing cost effective and relevant controls
• Maintaining currency in fraud control strategies by liaising with other agencies and private sector organizations, such as the Australian Government Fraud Liaison Forum
• Providing quarterly exception reporting on the implementation of the FCP to the Board Audit Committee (BAC)
• Providing a fraud summary in the Annual Report

Risk Assessment

As part of the development of this FCP, and with a view to the corporate policy on fraud control, OSRM conducted a fraud risk assessment using:
• Business Risk Management Interim Guidance
• Australian Standard AS/NZS 4360:2004, Risk Management
• Australian Standard AS 8001–2003, Fraud and Corruption Control
• Attorney-General’s Department, Commonwealth Fraud Control Guidelines 2002

This process involved consultation with Audit Assurance, Melbourne and Brisbane Centres, Airport Services, Directorate of Safety, Environment and Assurance (DSEA), Information Management Services (IMS) Managers, Facilities Management Services (FMS) Managers, Sales and Marketing, Corporate Services (Accounts Payable, Remuneration, Payroll, Accounts Receivable, Procurement, Salary Sacrifice, Treasury), Office of Legal Counsel (OOLC).

The process involved a review of the following:
• Ernst and Young Fraud Risk Assessment 2003
• Fraud exposure as identified by cases between 2003–05 and historical cases
• Current policies, management instructions and/or procedures
• The effectiveness of current controls
• The development of new controls

This process will be conducted every two years in accordance with the Commonwealth Fraud Control Guidelines.

A copy of the fraud risk assessment can be obtained from OSRM. The fraud risk assessment identified 32 specific fraud risks that required controls or treatment. After controls were applied, there were no HIGH risks, 19 risks were rated as MODERATE, and 13 as LOW. After reviewing the risk assessment and the requirements of the fraud control policy, a number of specific fraud control action items were identified as the focus of this FCP. [11]

Key Measures of Success

The effectiveness of the FCP will be established by using the following key measures of success:
• Failures to implement established fraud controls
• Losses attributed to fraud.

Failures to Implement Documented Fraud Control and Treatments

Fraud controls and treatments are the established tools through which fraud is managed in the corporation. A failure to implement
documented fraud controls and treatments indicates a potential breakdown of the control environment. This failure may be due to a number of factors, but they include inadequate:
• awareness;
• training;
• supervision; or
• documented procedures.

Audit Assurance and the Office of Security Risk Management will report on failures to implement established fraud controls and treatments.

Losses Attributed to Fraud

The success of the FCP can also be measured by losses attributable to fraud over the life of the Plan. Whilst the corporation could be subjected to fraud without its knowledge, reported losses provide a useful measure of the extent and seriousness of fraud across the corporation. [12]

Reprinted with permission from Airservices Australia, © 2005.

THE KEY ROLE OF MANAGERS IN FRAUD PREVENTION

Airservices Australia understands that managers are the first line of defense against fraud and abuse. As such, they train their managers and provide them guidance on how to respond to and prevent fraud within the organization. This is another best practice. The importance of tone at the top is a key theme of this book but that tone must extend throughout an organization. “Good managers are role models to their employees. They provide guidance and mentoring. They show employees how to succeed, and they instill honesty and integrity by their actions. Managers who provide great oversight and lead by example can have a major impact in preventing fraud.” [13] My experience has been that when managers are engaged, understand the company’s policies and procedures and lead by example, their organizations have far fewer issues with misconduct.

It is exceptional that Airservices Australia specifically focuses on the importance of managers in fraud and corruption control. Similar to their Fraud Control Plan, the Managers’ Guide for Fraud and Corruption Control explains the importance of fraud prevention and the impact fraud can have on Airservices Australia. Also included is the important role of managers in achieving that goal as well as providing examples of misconduct. The following are selected sections of the Airservices Australia Managers’
Guide for Fraud and Corruption Control reprinted with their permission (© Airservices Australia 2005).

Managers’ Guide for Fraud and Corruption Control Within Airservices Australia

Airservices Australia is committed to the awareness of fraud and corruption control within our organization. Staff and managers need to be suitably empowered not only to understand the effects of fraud and corruption but to feel confident in reporting it knowing that they have the full support of the organization.

The Managers’ Fraud Control Tool Kit

The Managers’ Fraud Control Tool Kit has been developed to assist managers in:
• Identifying the likelihood of fraud and dishonest behavior within your areas of responsibility
• Developing local strategies to deal with fraud and dishonest behaviour
• Knowing what to do when these activities have been identified
• Increasing the awareness of fraud amongst your staff by delivering fraud control briefings.

These strategies coupled with monitoring and supervision of expenditure at appropriate levels set by you will assist in reducing the opportunity of fraud or dishonest behaviour within our workplace.

Contained with this package are the:
• Fraud Control Plan (FCP)
• Personal Guide for Fraud and Corruption Control within Airservices Australia
• Managers’ Guide for Fraud and Corruption Control within Airservices Australia
• Code of Conduct

Please read the tool kit, become familiar with it, and note the following:
• The impact of fraud and dishonest activities
• The definitions of fraud and corruption
• Why fraud and dishonest activity occur
• Confidentiality
• How to deal with reports of fraud or corrupt behaviour
• Presenting the FCP to staff
• Briefing new staff
• Frequently asked questions
• The Fraud Control Plan
• Code of Conduct

Examples of fraud include:
• Theft of plant/computer equipment
• False invoicing
• Theft of petty cash
• Credit card fraud (inappropriate expenditure)
• Theft of intellectual property
• False accounting
• Release or use of misleading information for deceiving or covering up wrongdoing
• Payment of secret commissions
• Release of confidential information
• Collusive tendering
• Serious conflicts of interest

Specific examples that highlight some of the above categories are:
• A manager gets an employee to pay for entertaining friends and associates on his business credit card and subsequently uses his authority to sign off on the inappropriate expenditure.
• An employee reports in sick for work and arranges for another employee to cover his shift on overtime while working another job or private business.
• Employees using business credit cards to buy products clearly not for company use, such as toys.
• Employees using business credit cards while on leave.
• Cash advances while not on approved travel.
• Contracts being awarded to relatives in a closed tendering process.
• Petty cash claims for stock items never seen or obviously plentiful.
• Submission of false and or altered documents claiming to be originals, such as salary sacrificing invoices or sick leave certificates.
Such activities have far reaching effects and are not purely measured in dollars.

These activities can damage trust between staff and Airservices Australia clients alike. They also affect:
• Services
• Expectations
• Morale
• Reputation
• Profitability, and therefore job security.

What are Fraud and Corruption?

Fraud: Is defined in the Fraud Control Plan (FCP) as “dishonestly obtaining a benefit by deception or other means.”

Corruption: Is defined in the Australian Standard AS8001-2003 Fraud and Corruption Control as “Dishonest activity in which a director, executive, manager, employee, or contractor of an entity acts contrary to the interests of the entity and abuses his/her position of trust in order to achieve some personal gain or advantage for him or herself or for another person or entity.”

The impact of fraud and dishonest activities on Airservices Australia:
• A number of studies in Australia in recent years indicate that fraud within the workplace can cost at least 3 billion dollars a year.
• Airservices Australia is a target for fraud and dishonest activities due to the size and diversity of our business activities.

Why Does Fraud or Dishonesty Occur?

The most obvious reason for fraud or dishonesty is greed; however there may be numerous other underlying reasons for such activity. These may include:
• Dissatisfaction within the workplace
• Personal problems
• Everyone else is getting away with it
• Addictions (gambling, drugs, and alcohol)
• Attitudes (it goes with my position/entitlements).

In these instances, the early identification of the fraud or dishonest activity can go a long way to addressing the individual problem rather than allowing a situation to develop to the point where serious action needs to be taken or the safety of our organization is put at risk.
COMPLIANCE INSIGHT 12.2: DEFINING FRAUD IN AN ORGANIZATION

Every organization must define the specific impact of fraud and dishonest activities that it faces. Linking this definition of fraud to the organization’s risk assessment is critical. Included will be such factors as the particular industry they are in, size and diversity of business activities, locations of the world in which they operate, government regulatory requirements, and other key considerations. The resulting definition must be clearly communicated to all employees, vendors, and other stakeholders. Creating a detailed and regularly updated fraud control plan such as the one used by Airservices Australia is highly recommended.

A Fraud Control Plan that Targets the Whole Organisation

We are committed to minimizing the incidence of fraud through the identification of fraud risks and the implementation of fraud prevention and detection strategies. Control strategies contained in the FCP are designed to minimize risks to our reputation and profitability. We will do this in four ways:
• Awareness
• Identification and reporting
• Investigation
• Corrective action.

Through these core activities we will minimize loss as a result of fraud and develop a workplace environment based on ethical standards, trust, honesty, and accountability.

We will continually identify risks and implement measures to prevent and deter fraudulent or corrupt activities.

Our management guidelines and investigative standards will constantly be reviewed to ensure we are prepared to deal with fraud and dishonest behavior.

High Ethical Standards are the Best Form of Fraud Control

• It is everyone’s responsibility to maintain a high standard of ethical behaviour within the workplace.
• It is up to you to report any suspected cases of fraud or dishonest behaviour or areas where procedures are being circumvented.
• Very simple levels of supervision and querying can have a very high deterrent effect as staff will be aware that expenditure is being checked at every level.
• Training staff in the awareness of fraud and how it affects their own local area is very important in developing a workplace based on ethical standards, trust, honesty, and accountability. Crucial to this awareness training is the positive reinforcement or reporting and the fact that the organization will support staff making legitimate reports.
• If you are not sure what constitutes fraud or dishonest behaviour, please discuss the matter with the Office of Security Risk Management.
• Experience has shown that one of the most common ways in which fraud and corruption is detected is by observation, investigations, and reporting by fellow workers of the perpetrators (AS8001–2003 2.2.5).

How to Deal with Reports of Suspected Fraud or Corrupt Behaviour

The timely reporting of suspected fraud or corrupt behaviour has two benefits. Firstly, it prevents the loss or destruction of evidence and secondly, it may stop the suspected individual from committing more serious criminal offences over a longer period of time.

I knew something was wrong, but I didn’t want to get involved or know who to tell

Managers who suspect fraud either directly or from a report from one of their staff should immediately prepare a written report to the Office of Security Risk Management detailing:
• The allegations
• Reasons for the suspected activity
• Time the activity has taken place
• Any documents that support the allegation.

Comments and observations of all the persons involved in the allegation are essential to supply investigators with important background information.

Importantly, if a report is received from outside the organization about a staff member currently employed by Airservices
Australia the matter should be reported in the same manner as soon as possible.

It is further incumbent on managers to:
• Secure evidence in respect to the allegation from destruction or interference as soon as possible. This is crucially important for original documents.
• Reinforce to the employee making a report the confidentiality policy and that the organization will support them.
• Be aware that the employee subject to the report may have to explain their actions at a later time depending on the outcome of the investigation.
• Develop a strategy to inform other employees if a staff member is subsequently suspended with a view to protecting the employee who made the original complaint and reduce the likelihood of rumours.
• Keep the person who made the report informed of the progress of the matter.
• Support and protect employees from harassment or victimization and report any instances of this nature to the Office of Security Risk Management.
• Develop a support mechanism equally for those who are subject to the allegation and those who reported it. These matters are often taken very seriously by individuals and our duty of care extends to those people during any reporting or investigative process.

Malicious reports will not be tolerated and may be dealt with under the Airservices Australia Code of Conduct or other jurisdictions such as civil litigation or even criminal proceedings.

Remember: it will often be the case that your report will direct someone where to look in the identification phase, rather than your employee being crucial in any investigation, such as a key witness.

Presenting the Fraud Control Plan to Employees

It is a supervisors/managers’ responsibility to clearly explain the Airservices Australia FCP to their employees under their control and ensure that employees are fully aware of their responsibilities and reporting lines.

When managers discuss fraud control with their employees, it should be done in an open and frank manner to remove any confusion on the part of the employees.
If you are unsure of how to deliver a briefing session please feel free to contact your local Fraud Liaison Officer or the Office of Security Risk Management and we will be pleased to help and deliver a sample package.

Included in any briefing package will be:
• Personal guide for staff in Fraud and Corruption within Airservices Australia
• Managers’ Guide for Fraud and Corruption Control within Airservices Australia
• Fraud Control Plan
• Code of Conduct

Maintaining Records

It is important for audit purposes that each business centre’s Fraud Liaison Officer keeps a record of all staff attending fraud control briefing sessions and report to the Office of Security Risk Management annually on the number of sessions delivered and employees that attended.

Briefing New Employees

New staff to Airservices Australia at all levels should be involved in either a group or individual briefing session as soon as possible upon commencement of employment. They should be provided with a copy of the Personal Guide for Staff in Fraud and Corruption Control within Airservices Australia.

Regular Reinforcement

It is crucial that fraud control briefing sessions are not done on a one-off occasion and that fraud should be openly discussed at staff meetings and other occasions throughout the year. The high level of awareness of the FCP and fraud in general will see a more effective implementation of the plan and a less vulnerable workplace.

Frequently Asked Questions

What steps has Airservices Australia taken to ensure employees who report allegations are protected against discrimination and retaliation?
• The identity of the person making the report will be kept confidential.
• Employees will not be allowed to harass or victimize any staff member making, or involved in the making, of a report. People
found to be involved in such behaviour will face disciplinary action or serious criminal charges such as attempting to pervert the course of justice or intimidating witnesses. Both of these offences are viewed very seriously by the courts.
• Where appropriate, ongoing counseling and other management support mechanisms will be provided to staff members who report allegations of fraudulent or dishonest behaviour.

What should be communicated to staff about making a report?
• It is important that staff report the matter to people they can trust. If someone feels they may be compromised by reporting matters to people within their own work area then contact the Office of Security Risk Management and we will assist you and the staff member.
• Encourage staff not to openly discuss the issues they have raised with other employees especially if they feel the information they are supplying may be compromised.

What are employees’ responsibilities under the Fraud Control Plan?
• Employees of Airservices Australia should be aware of the FCP and its contents, and comply with its requirements.
• Employees are encouraged to develop a workplace environment based on ethical standards, trust, honesty, and accountability.
• In pursuit of these goals, employees are accountable for their actions and fraudulent and/or dishonest behaviour will not be tolerated by Airservices Australia.

What will happen to people who make a malicious report?
• Any staff member found to have made a false and/or malicious report may face disciplinary action under the Code of Conduct. In some circumstances they may be liable to civil litigation by the person affected by the false or malicious report. Criminal charges such as creating a public mischief may also follow, depending on the specific circumstances.

What will happen to an employee implicated in dishonest activity?
• Once a report has been received an initial inquiry will assess the validity of the report.
• Upon confirmation of the initial report, an investigation will begin under specific terms of reference and will be conducted discreetly.
• All investigations will be conducted in accordance with Commonwealth Law Enforcement Board (CLEB) standards and the application of the principle of natural justice.
• Fraudulent and/or dishonest behaviour will not be tolerated by Airservices Australia and employees found to have committed such acts will be subject to disciplinary action under the Code of Conduct, which may include dismissal. Those individuals may also be subject to criminal prosecution, including recovery action under the Proceeds of Crime Act 1987.

Do we have employees who commit fraud?
• Yes. It is unfortunate, but there have been employees who have committed fraud on our organisation and have been dismissed and subjected to criminal prosecution.

Why do we bother having a Fraud Control Plan?
• Airservices Australia aims to be a fraud-free organization.
• It will improve our profitability and job security.
• It contributes to a workplace environment based on ethical standards, trust, honesty, and accountability.
• It’s what our clients expect of us.
• It enhances our good reputation and increases morale.
• It is a requirement of all Commonwealth Government statutory authorities to implement a FCP in accordance with standards, guidelines and procedures. [14]

Reprinted with permission from Airservices Australia, © 2005.

THE COMMONALITY BETWEEN FRAUD PREVENTION AND COMPLIANCE

One can argue that fraud prevention is actually a synonym for compliance. Their definitions are interchangeable and one cannot have a successful fraud prevention program without corporate compliance. The Association of Certified Fraud Examiners’ Fraud Examiners Manual states “Fraud
prevention requires a system of rules, which, in their aggregate, minimize the likelihood of fraud occurring while maximizing the possibility of detecting any fraudulent activity that may transpire. The potential of being caught most often persuades likely perpetrators not to commit the fraud. Because of this principle, the existence of a thorough control system is essential to fraud prevention.” [15] Compliance is all about strict adherence to organizational policies and guidelines as well as all relevant laws and regulations. Fraud prevention requires compliance and compliance requires fraud prevention.

Airservices Australia has embraced this concept and successfully integrated a world-class fraud prevention program in their compliance program. Their Fraud Control Plan and Managers’ Guide for Fraud and Corruption Control are best practices that should be held up as an example for other organizations worldwide to incorporate into their compliance programs.

NOTES

1. Australian Government Attorney General’s Department Fraud Control Policy, www.ag.gov.au/www/agd/agd.nsf/Page/Fraudcontrol.
2. Commonwealth Fraud Control Guidelines Fact Sheet, www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(4341200FE1255EFC59DB7A1770C1D0A5)Commonwealth-Fraud-Contro-Guidelines-Fact-sheet.DOC/$file/Commonwealth-Fraud-Contro-Guidelines-Fact-sheet.DOC
3. Ibid.
4. Ibid.
5. Airservices Australia Annual Report, July 2005—June 2006, 116.
6. Aviation expert Greg Russell was appointed Airservices Australia Chief Executive Officer on July 19, 2005. Mr. Russell was the Chief Operating Officer at Athens International Airport until June 2005, before which he held the position of Director, Aviation at Sydney Airport Corporation, Ltd. for four years. He has been an executive and General Manager of the New South Wales regional operator Hazelton Airlines and has held a range of management positions in private companies and government organizations.
7. Gaol is a prison or detention facility for those charged or convicted of crimes. “The word is sometimes written as jail and is said to be derived from the Spanish word jaula meaning cage.” Source: Bouviers Law Dictionary at LegalLawTerms.com, www.legallawterms.com/legal-definition-GAOL.html.
8. “The terms ‘natural justice’ and ‘procedural fairness’ are used interchangeably. There are three principles of natural justice: the right to be heard and have a fair hearing, the right to have a decision made
by an unbiased decision-maker, and the right to have the decision based on evidence.” Source: The University of Newcastle, Australia, www.newcastle.edu.au/service/legal/faq/justice-fairness.html.
9. Australian Federal Police.
10. Pension or retirement accounts.
11. For the sake of brevity, I did not include all the fraud control action items. Suffice it to say, they included specific action items, target dates for completion, and the applicable policy requirements.
12. Reprinted with permission from Airservices Australia, © 2005.
13. Martin T. Biegelman and Joel T. Bartow, Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance, (Hoboken, NJ: John Wiley & Sons, Inc., 2006), 301.
14. Reprinted with permission from Airservices Australia, © 2005.
15. Association of Certified Fraud Examiners, Fraud Examiners Manual, (Austin, 2006).
CHAPTER 13

The Skunk in the Room

“Powerful men and beautiful women never get to hear the truth.”
Dutch proverb

Imagine this nightmare scenario: three college students wrongly accused of heinous crimes they did not commit, a rogue prosecutor operating with no limitations, the news media reporting every detail of the case, prejudicial comments made by the district attorney that violate the students’ constitutional rights and stoke the community’s racial tensions, and key pieces of exculpatory evidence withheld. In the end, it was a complete disaster of a case leaving the district attorney’s office humiliated and universally scorned, and a long-standing public servant disbarred and leaving office in disgrace.

What does the disturbing 2006–07 saga of former Durham County, North Carolina District Attorney Mike Nifong and the Duke Lacrosse case have to do with compliance? Of course, no CEOs would ever want to see themselves and their companies embroiled in such an embarrassing and damaging scenario. This debacle could have been prevented had the person in charge not been reckless and proceeding without using good judgment. But these facts alone do not link it to compliance. While on the surface this case and corporate compliance are completely separate, there is a lesson in the actions of Nifong and this tragedy that every company would be well served to learn. The case proceeded with outrageous allegations, unfounded and unsupported by the evidence. Every aspect of this case from the very beginning screamed that it would be high-profile. As any career prosecutor would advise, a case like this demands thoroughness, extreme due diligence, and patience. A reasonable person in the same situation would have seen that the evidence would not support an indictment, much less the convictions that Nifong publicly declared with absolute certainty he would get.
In the rush to judgment, what apparently happened was that no one stood up and said, “This isn’t right.” No one took a step back and saw that what was going on was not justice. No one stood up to Nifong and the other assistant district attorneys on the case and took issue with what they were doing. No one asked why they were moving so fast in such a serious case. Why wasn’t the story of the alleged victim thoroughly corroborated? Why didn’t anyone from Nifong’s office agree to meet with the defendants to hear their stories and evidence of innocence? What the Durham County District Attorney’s Office needed was a “skunk in the room.”

Just what is a skunk in the room and why is it so important to compliance? Skunks are generally highly avoided due to the offensive odor they can emit when alarmed or attacked. They can be extremely unpleasant. No one wants to confront a skunk, let alone have one nearby. They definitely stand out from other animals. A skunk in the room also stands out, as they too are different and often avoided. A skunk in the room is that contrary person who says no when everyone else is saying yes—the person who is not afraid to ask the tough questions, especially when others do not even want to hear them. It’s the person who is willing to jar people back to reality. It’s not a fun person to be but it’s critical for compliance. One cannot ignore the skunk in the room. This is very much like the Henry Fonda character in the classic movie 12 Angry Men. The movie is about twelve jurors deliberating the fate of a murder suspect. Eleven jurors are ready to pronounce the suspect guilty but one juror decides to speak up in defense of the suspect. The contrary juror is not advocating the innocence of the suspect but just that the situation demands greater scrutiny before the ultimate decision can be made. He will not be bullied or ignored and through sheer force of will makes the other jurors deeply examine their underlying beliefs motivating their decision. He is the ideal skunk in the room.

Why does this matter in compliance? Compliance requires following laws, regulations, and corporate policies. Individuals and companies that fail to follow compliance requirements end up in trouble. Compliance requires vigilance and commitment. To ensure compliance, strong people are needed to carry it out. These are the kind of people who would have told Nifong he was wrong in what he was doing. These are the kind of people who would have protested vehemently if they could not persuade Nifong to see the error of his ways. They would have stopped this travesty of justice. What was missing in the Durham D.A.’s Office, besides the protection of constitutional rights, was accountability and someone speaking up publicly. In both compliance situations and in Durham, an ethical person, having seen serious mistakes go uncorrected and having the foresight to know the outcome, would have noisily withdrawn to avoid being part of the injustice.
The Skunk in King David’s Court259The noisy withdrawal sends a loud and clear message to others about thiscompliance failure, and this person’s lack of tolerance for it.THE SKUNK IN KING DAVID’S COURTThe idea of a skunk in the room is not a new one, nor is the belief thatleaders need to hear contrary opinions in order to command effectively. Forinstance, it can be seen in the Old Testament of the Bible, in the story ofKing David and Bathsheba. David, who famously defeated the PhilistineGoliath in battle with nothing more than a slingshot, was the powerful kingof Israel. One day he saw a beautiful woman bathing, and was immediatelysmitten. Her name was Bathsheba and he had to have her. Even thoughKing David knew that Bathsheba already had a husband, he had an affairwith her and she became pregnant.Trying to hide his misdeeds, David sent for her husband, Uriah, a soldierserving in the army, in the hope that he would return home to his wife. Inhis clouded thinking, David thought that with the husband back living withhis wife, David’s wrong would be covered up. Returning from the middleof battle, Uriah appeared before David. He answered David’s questions,but refused to return to his house because his men were still fighting andsleeping in tents, and it would have been unfair for him alone to return tohis family. Fed up with his steadfast refusals to abandon his fellow soldiers,David sent Uriah to the battlefront, to a dangerous battle where he knewUriah would likely die. Uriah fought valiantly, but died in combat. Davidthen took Bathsheba as one of his wives and she soon gave birth to a son.Sending a man to his death and stealing his wife was inexcusablebehavior, even for a king. No one from King David’s court or any of hisadvisors said anything or objected to what he had done. Only the prophetNathan appeared before David to confront him. 
Nathan told the king a parable of a rich man who had many sheep but chose to feed a traveler with the lone sheep of a poor man, rather than one of his own. Through this story, Nathan forced David to accept the evilness of his actions and his greed, how he had many riches and many wives of his own, but still saw fit to take from those who had less. Furthermore, the child Bathsheba bore grew very sick and soon died. David finally atoned for his sins and accepted the error of his ways.1

King David’s sins and an unending lust for what was not his are still unfortunately all too common among some of today’s corporate executives. However, even after compliance failures occur, there are still opportunities for a skunk in the room to step up and force leaders to confront their mistakes. As is well-known, the cover-up is often far worse than the crime itself. Here, King David had an affair with a married woman, and to cover it up had her husband killed. He was punished for his misdeeds, just as any corporate executive who ignores compliance responsibilities and engages in wrongdoing should ultimately be.

JOHN F. KENNEDY, THE BAY OF PIGS, AND GROUPTHINK

Great leaders recognize that to reach the best possible decisions, they need a diversity of opinion in the decision-making process. Leaders who are surrounded by sycophants or those unable to voice contrary opinions are in a very precarious position. They are at risk of operating in a bubble, divorced from reality and unable to confront serious problems. If they do not take extra steps to make sure people feel comfortable expressing contrary opinions, their organizations could suffer devastating consequences.

An excellent example of this is the disastrous Bay of Pigs invasion of Cuba in 1961. After the Cuban exile-led invasion turned into a colossal embarrassment for the Kennedy Administration, much of the blame rested on the inadequate discussion and planning that took place beforehand. When President John F. Kennedy discussed the plans for the invasion with his advisors, many of whom were considered the best and brightest minds of their era, the group was unified with little dissenting opinion, and those who dissented were quickly silenced. As the group was in agreement, their assumptions and beliefs went unchallenged and soon calcified into “fact.” What was going on in those meetings is what is called “groupthink,” when members of a group form unified conclusions without testing them, with the goal of avoiding conflict. The result is a decision born out of conformity, not from rigorous examination or critical and rational thinking.2

Individual members are afraid of appearing to go against the group by challenging their opinions, or by bringing in outside ideas that do not conform to what has already been discussed.
Members are afraid of looking foolish for bringing up questions or of angering superiors who want a quick decision made. To minimize conflict, whether consciously or unconsciously, the members reach a consensus. Since everyone basically agrees with one another, the similar opinions and agreement by the members convince them that their ideas are correct, even though those ideas have not been critically examined or verified.

The plan for the invasion was deeply flawed and riddled with false assumptions. However, Kennedy’s top advisors did not speak out against the plan, partly because the plan’s assumptions meshed with their own underlying assumptions and also because they did not want to upset the president. Any advisor who dissented faced harsh criticism from the others. For instance, noted historian Arthur Schlesinger Jr., then a Kennedy advisor, met privately with the president to express his reservations. He was later firmly rebuked by then-Attorney General Robert Kennedy and was told the President had already made up his mind and his decision had to be supported.3

In the wake of this disastrous failure, President Kennedy set out to find a way to prevent a reoccurrence of this problem. Taking full responsibility, he even asked reporters, “How could I have been so stupid as to let them go ahead?”4 Both Kennedys saw this failure as an opportunity to improve and strove to never repeat their mistakes.

Looking back on it, President Kennedy became convinced that the lack of open debate and criticism, and the failure to consider contrary opinions lay at the heart of the problem. He realized he needed a skunk in the room to facilitate the necessary debate. Unlike leaders who surround themselves with yes men and women, Kennedy wanted people whom he could trust but who would disagree with him and voice contrary opinions. He set about achieving this in several ways. He would often leave the room during policy discussions, so as not to influence his advisors. Just his very presence and reactions during the discussion could unconsciously influence the direction of the debate. Additionally, Robert Kennedy served as an official “intellectual watchdog,” a sort of “devil’s advocate” position. He challenged others’ ideas, even if the idea voiced was sound, just to make sure that people were able to explain why they supported something, that they could defend it, and that the idea stood up to critical scrutiny.5

With this new system, President Kennedy achieved one of the great victories of the Cold War during the subsequent Cuban Missile Crisis, winning a nuclear showdown with Russia.
By putting his reforms into action, he was able to achieve this victory and perfectly balance individual leadership and unfettered policy discussion. “Unquestionably, President Kennedy ultimately guided [his advisors] in the direction of the final recommendation, but only after considerable open debate. Never, however, did he achieve a consensus, an indication that participants felt free to speak throughout the crisis.”6

THE PERFECT STORM OF CORPORATE AND PERSONAL FAILURE

Sometimes there is that skunk in the room who provides that dissenting, yet ultimately correct opinion, but no one else will listen. That was the case in the Hewlett-Packard (HP) spying and pretexting scandal that made headlines in 2006. Had anyone listened to the skunk in the room, this story would not need telling. The HP scandal began as a clash of personalities among board members that resulted in an internal investigation to root out a boardroom leak. In its zeal to identify the member of the board of directors who was the source of confidential information to the news media, HP employed questionable investigative techniques including impersonations of journalists, board members, and HP employees, spying and pretexting,7 and covertly installing a “web bug” tracer program in a reporter’s computer. This was an investigation out of control with little oversight. It resulted in state and federal probes as well as Congressional hearings and overall reputational harm to HP. The daily tribulations of HP were front-page stories in papers across the United States. HP forgot that old but still relevant saying that one should “never pick a fight with someone who buys paper by the roll and ink by the barrel.”

The skunk in the room at HP that no one listened to was a senior investigator named Vince Nye.8 He quickly realized that what the other investigators and company officials were doing was a one-way ticket to disaster. “I have serious reservations about what we are doing,” Nye said in a February 2006 e-mail to superiors. “I am requesting that we cease this phone-number gathering method immediately and discount any of its information.”9 In a follow-up e-mail to another HP investigator in March 2006, Nye questioned whether the tactics were ethical and potentially illegal. He said “[i]f one has to hold his nose and then conduct a task, it is logical to step back and consider if the task or activity is the right thing to do.”10 Nye said he had spent more than 20 years in law enforcement and would not use these tactics.

As a result of the debacle, several high-level HP employees including the chairwoman of the board of directors, general counsel, chief ethics officer, and manager of global investigations lost their jobs.
To settle the investigation by the California Attorney General, HP paid $14.5 million and agreed to a number of corporate reforms, especially involving how it conducts internal investigations. The sad thing is that HP is a great company with a long history of ethical conduct. This was an aberration and one that HP took steps to fix and put behind them. HP understood the importance of having an effective compliance program and took dramatic steps to reinforce their program.

In October 2006, HP hired John Hoak for the newly created position of Chief Ethics and Compliance officer. Hoak is experienced both as an attorney and business leader. This position provides oversight of the ethics and compliance program. Hoak reports directly to the CEO as well as to the independent director of the board responsible for compliance, investigative procedure, and conduct. “What began as a well-intentioned exercise in risk management—an investigation into leaks of confidential information by members of our board—grew into something that no one wanted or anticipated,” said Hoak.11 He added, “HP has a long legacy of ethical business leadership but the pretexting issue the company faced in 2006 signaled that some policies and processes weren’t strong enough.”12

This scandal caused HP to look closely at its compliance program and, as a result, it took a number of significant actions including the following:

• Accepting responsibility as a company for their compliance and ethical lapses;
• apologizing to the victims of the spying and pretexting;
• severing all ties to the private investigation and consulting firms who carried out the pretexting;
• accepting the resignation of the chairwoman of the board, general counsel, and chief ethics officer who should have provided greater oversight of the investigation;
• hiring a former federal prosecutor to conduct an independent assessment of systems and practices related to investigations;
• establishing a new senior executive post to address and improve ethics and compliance issues worldwide;
• launching an internal communications campaign to keep HP employees updated on the compliance issues involved in this matter and reinforcement of HP’s Standards of Business Conduct; and
• developing specific training programs for employees engaged in investigations to reinforce ethics and compliance.13

As is the case in so many compliance failures, the lessons are learned after the impact has been felt. HP learned those lessons and made major changes and improvements in their compliance program as a result. That’s a very good thing but it would have been even better if their program had caught these compliance failures before they occurred. A world-class compliance program learns from the mistakes of others and does not repeat them. It also listens to those who speak up and say what no one else is saying.
Had anyone listened to the skunk in the room at HP, and fully heard and truly understood the ramifications, none of this would have happened.

THE NEW CA WAY

This book opened with a nightmare scenario of a situation out of control and on a path of potential ruin. Unfortunately, the nightmare was all too real for Computer Associates. The huge accounting fraud at this company resulted in prison terms for its senior executives, a deferred prosecution agreement for the company that required major changes in how it does business, and the implementation of a strong compliance and ethics program. The new CA and its world-class compliance program were profiled earlier in this book. So, a fitting way to end is a look back on the many compliance failures that contributed to the fraud at Computer Associates resulting in its rebirth as CA, Inc.

There was a failure of leadership at the company. Executive leadership created a “culture of fear” and “shunned written policies and procedures.” There was a “preference for promoting from within” the company and the result was a management team “too young, too inexperienced, and too dependent on senior leaders.”

There were numerous organizational weaknesses. Computer Associates had a “horizontal organizational structure that discouraged open communication” between different company departments. They were “devoid of mid-level managers” as senior leaders controlled decision-making, and meetings were almost unheard of. Almost as hard to believe, “at quarter end, the CFO manually reviewed contracts for revenue recognition issues and then created handwritten lists of contracts to be booked.”

Training was non-existent. While there was a code of conduct, no one received training about its importance. Not only was there an “absence of written policies and procedures,” but employees were forced to learn of accounting and other important policies through “word-of-mouth.”

Internal audit was under-staffed, randomized, and had no authority to conduct critical audits. The head of the internal audit department for the majority of Computer Associates’ existence was not a CPA. Just as important, the CFO at the time was not a CPA. Add to this the culture of corruption involving senior executives who eventually pleaded guilty for their criminal actions, a board of directors apparently in the dark, and the lack of a compliance department.
The result is the unfortunate story of what happened at Computer Associates.14

There was no skunk in the room at Computer Associates. Even if there had been someone to speak up, he or she would not have been heard. There was a culture of intimidation that suppressed dissenting opinion. And if someone did speak up to report a business conduct violation, the company hotline rang on the desk of the general counsel. This was the same general counsel who pleaded guilty to participating in the “35-day month” accounting fraud. There was no one who would have listened and done anything. Thanks to the changes made by CA’s new executive team, this should not happen today.

WORLD-CLASS COMPLIANCE MEANS SPEAKING UP

A company may have the best-designed compliance program, following the Seven Steps of the Federal Sentencing Guidelines for Organizations and all of the advice and best practices laid out in this book, but it won’t work unless the people work too. People must be willing to speak up when something is not right, and be willing to come forward and report violations. An “effectively” designed compliance program needs these people. Hotlines, for instance, are useless unless people feel comfortable and empowered coming forward with information. As mentioned above, Computer Associates had a hotline but people were fearful to use it.

Some of the biggest corporate scandals of recent years came to light when whistleblowers called attention to the crimes going on around them. It takes a great deal of courage and conviction to be a whistleblower: a person puts their job, and sometimes even their life, on the line to stand up for what they believe in and do their ethical duty. Cynthia Cooper from WorldCom, who exposed to the board the accounting fraud her internal audit team discovered, is but one example. These corporate sentinels are an important part not only of corporate America but worldwide organizations, keeping companies honest and bringing compliance failures to light.

But, many times it does not need to go that far. Employees and others should have many opportunities to speak up, long before a problem reaches scandal proportions. Furthermore, most problems are on a much smaller scale—most of the time, compliance problems relate to day-to-day types of activities, rather than large-scale accounting fraud violations. A business doesn’t have to let it get to the point where a major investigation is necessary. In short, what is needed is a skunk in the room. Be that skunk. When something isn’t right, say so. Start a dialogue, discuss the issue with others, make your point known.
Even if you’re just playing devil’s advocate and want some more discussion before a final decision is made, do something.

Be the skunk at the party not afraid to speak up. Be the Henry Fonda character in 12 Angry Men asking the tough questions others cannot. Don’t forget that bad things happen when good people stay silent. A company that suffered catastrophic compliance failure, like Computer Associates, also had a culture of silence where people were afraid to speak up and speak out. This is not a coincidence. Yet, Computer Associates went from defiance to compliance and emerged as the new CA, Inc., a far stronger and compliant company.

ACHIEVING WORLD-CLASS COMPLIANCE

Compliance will always begin and end with people. That includes everyone from the CEO to the newest intern. That means people who are willing to speak up and be heard, even when it is not popular to do so. That means ensuring a corporate culture where employees are not afraid to report wrongdoing and other potential violations of business conduct. As the Compliance and Ethics Leadership Council of the Corporate Executive Board found in their landmark 2007 study of the leading indicators of potential misconduct, the fear of retaliation was the single greatest concern among employees. Great companies encourage reporting and protect those that do. No one wants to hear bad news but organizations must. Build your program with trust and confidence, and with continuous reinforcement, and people will call and people will comply.

There are other important caveats to remember. Just meeting the minimum requirements of the Federal Sentencing Guidelines for Organizations is not enough. World-class compliance programs go beyond the Seven Steps to ensure both a reactive and proactive approach but with a far greater emphasis on the proactive. It means stopping the risk from ever happening in the first place but when it does, take the appropriate steps and do the right things to mitigate whatever issue arises. It means protecting the organization, employees, shareholders, customers, and others from potential harm. In short, it is detecting, correcting, and preventing compliance failures.

Ethics, integrity, accountability, and strong leadership are all elements of a culture of compliance. These traits are a constant for any successful company. When a business talks about increasing shareholder value, return on investment, and driving revenue, the best investment is building and maintaining a world-class compliance program. Best in class compliance is a competitive advantage.
Compliance, not defiance, is the solution.

NOTES

1. The Bible, King James Version, 2 Samuel 10–12.
2. See, e.g., Irving L. Janis, Victims of Groupthink, (New York: Houghton Mifflin, 1972). This book defines groupthink as “a tendency towards premature and extreme consensus-seeking within a cohesive policy-making group under stress.”
3. Arthur Schlesinger, Jr., One Thousand Days, (Boston: Houghton Mifflin, 1965), 252–56, 259.
4. Janis, Victims of Groupthink, 154.
5. James N. Giglio, The Presidency of John F. Kennedy, 2d ed., (Lawrence: Univ. of Kansas Press, 2006), 208.
6. Ibid., 209.
7. Pretexting as defined by the Federal Trade Commission is the practice of obtaining personal information under false pretenses. Individuals involved in pretexting will sell the personal information they covertly obtain to others who may use it to commit identity theft and other crimes. Pretexting is against the law.
8. It should be noted that media accounts have identified another HP investigator named Fred Adler who also recognized the possible illegality of HP’s tactics and sent a warning e-mail to his superiors in early 2006. Unfortunately, his warning was also not heeded.
9. Marcy Gordon, “E-mail Warned Bosses HP Probe Should Stop,” Seattle Times, September 29, 2006, C1.
10. Ina Fried, “HP Investigator Twice Raised Objections,” CNET News.com, October 3, 2006, http://news.com.com/HP+investigator+twice+raised+objections/2100–10143–6122362.html.
11. Jon Hoak, “Building Ethics from the Ground Up,” Ethisphere.com, Quarter 2, 2007 issue, http://ethisphere.com/building-ethics-from-the-ground-up/.
12. Ibid.
13. Ibid.
14. William McCracken, Renato Zambonini, Douglas H. Flaum, David B. Hennes and Carmen J. Lawrence, “CA, Inc. Special Litigation Report,” April 13, 2007, online.wsj.com/public/resources/documents/20070413CA.pdf.
APPENDIX A

Summary of the 2004 Federal Sentencing Guidelines Amendments and Recommended Action Steps

General Counsel Roundtable Research, 2004

To underscore the importance of compliance programs, the U.S. Sentencing Commission proposed to Congress on April 30, 2004 a number of amendments to its sentencing guidelines that extensively define and expand the standards, structures, and procedures of an “effective” compliance program. The amendments were approved and went into effect beginning November 1, 2004 and require companies to evaluate and modify, if necessary, their existing compliance and ethics programs to meet the specifications of the new criteria.

The following table, prepared by the General Counsel Roundtable, summarizes the actions mandated by the seven amendments to the U.S. Sentencing Commission’s sentencing guidelines. The table also includes some, though certainly not all, steps companies may take when assessing strengths and weaknesses of their compliance programs.
MANDATED ACTIONS OF THE AMENDMENTS TO SENTENCING GUIDELINES FOR ORGANIZATIONS

Area Under Amendment: Standards and Procedures

Mandated Actions:
• The organization must establish standards and procedures to prevent and detect criminal conduct. This includes standards of conduct and internal controls reasonably capable of reducing the likelihood of criminal conduct.

Recommended Steps:
• Determine whether the current ethics and compliance program emphasizes critical ethical conduct or just compliant conduct
• Ensure that the company’s code of conduct encourages individual responsibility instead of simply laying out a series of rules to follow
• Recognize “ethical conduct” as an integral component of any compliance program
• Review and ensure that the company code of conduct makes a compelling case for ethics and compliance

Area Under Amendment: Organizational Leadership and Culture

Mandated Actions:
The board of directors or the highest level of governing body of the organization must be responsible for the following:
• Understand the content and operation of the compliance and ethics program
• Exercise reasonable oversight over the program’s implementation and effectiveness
• Assign specific individuals among the highest level of governing body overall responsibility for the program
• Assign an individual(s) responsibility for the “day-to-day” operations of the program. This individual(s) shall have direct access to the governing authority, report periodically to the governing authority, and should be provided with adequate resources

Recommended Steps:
• Clearly articulate how the senior management team is engaged in the compliance process
• Determine how the board strategically oversees ethics and compliance
• Develop information-flow processes for board and senior executives to effectively assess the program
• Ensure that high-level personnel actively espouse the organization’s values
• Establish appropriate authority and resources for the chief compliance officer
• Identify the best focal point to champion the compliance program

Area Under Amendment: Reasonable Efforts to Exclude Prohibited Persons

Mandated Actions:
• The organization must make reasonable efforts to ensure that personnel with substantial authority have not engaged in illegal activities or conducted themselves in a manner inconsistent with the compliance and ethics program.
• If an organization delays reporting an offense or if high-level personnel participated in, condoned, or were willfully ignorant of an offense, the organization will not receive credit for the existence of a compliance and ethics program.

Recommended Steps:
• Conduct background checks on current and future executive hires
• Create a mechanism for determining whether the violation is material information that might require disclosure under the securities laws
• Ensure that the compliance and ethics team is prepared to conduct a thorough investigation in a timely manner
• Identify and/or create the mechanisms that the company has in place to learn about and respond to incidents promptly
• Prepare to perform root cause analysis of the reasons for the specific compliance violations

Area Under Amendment: Training and Communication

Mandated Actions:
The organization must provide training and disseminate information relevant to the compliance and ethics program and its objectives. Individuals within the organization that need to be trained include members of the following:
• The governing authority (board of directors or the highest level governing body)
• The organizational leadership
• The organization’s employees
• The organization’s agents, as appropriate

Recommended Steps:
• Assess the company’s risks in order to identify an appropriate training curriculum for employees
• Communicate company values and standards to vendors and other business associates
• Communicate with employees the consequences for failures to self-govern properly
• Create adequate systems to communicate incidents to the compliance and ethics team
• Decide how the company will identify and reach all of its workers for purposes of training
• Decide which people the organization works with meet the definition of “agents”
• Determine the frequency with which training curricula will be updated
• Determine whether issues of law and corporate values are being communicated as rules that must be obeyed or as drivers of the corporate culture
• Determine whether members of the board will be educated during board meetings, at other times, and/or through means other than in-person sessions
• Determine/reassess the budget for the new ethics and compliance program
• Establish methods for measuring the effectiveness of the training program
• Identify any history of ethics and compliance failures experienced by competitors, as well as those best practices that can be used to respond to these risks

Area Under Amendment: Monitoring, Auditing, and Evaluating Program Effectiveness

Mandated Actions:
• Organizations must periodically evaluate the effectiveness of the compliance program.
• The compliance program must include monitoring and auditing systems that are designed to detect criminal conduct.
• The program must include a reporting system that will provide a means for employees and agents to report or seek guidance about potential or actual criminal conduct.
• The reporting system must incorporate a non-retaliation policy and should allow for anonymous or confidential reporting.

Recommended Steps:
• Create mechanisms that respond to people seeking guidance about compliance and ethics
• Determine the periodic reporting that will be required during the course of assessing the effectiveness of the compliance program
• Identify the existing policies and procedures to encourage employee reporting of incidents. Determine whether these policies and procedures can be applied to a broader ethics and compliance program
• Identify/create the tools and data the company has in place to assess the effectiveness of the compliance program
• Ensure that employees are empowered by education to resolve ethical and legal dilemmas

Area Under Amendment: Performance Incentives and Disciplinary Actions

Mandated Actions:
• The organization shall consistently enforce the compliance program through the use of incentives for compliance and disciplinary measures for engaging in or failing to take reasonable steps to prevent and detect criminal conduct.

Recommended Steps:
• Ensure that the company celebrates ethics successes as strongly as it condemns unethical or illegal conduct
• Ensure that the performance management and compensation systems reinforce ethical behavior

Area Under Amendment: Remedial Action

Mandated Actions:
• The organization must conduct periodic risk assessments of criminal conduct within their operations and take the appropriate steps to design, implement, or modify each element of the program to reduce the risk of criminal behavior.
• Upon detection of criminal conduct, the organization must take reasonable steps to respond appropriately, as well as prevent further criminal conduct.

Recommended Steps:
• Create tools to monitor and assess the compliance program, as well as to make continuous improvements to the program
• Identify/create processes to track changes in the business, products and services, and the organizational structure that might lead to new risks
• Infuse ethics and compliance messages into other company communications
• Prepare to quickly create internal controls to prevent future violations
• Treat ethics as integral to the way the company does business
• Identify the party responsible for making disclosure to outside parties of the violation
• Create a “compliance resume” so that if a violation occurs, the company can prove that it took every reasonable measure to comply with the highest standards of corporate governance

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2006.
APPENDIX B

Sample Compliance Program Charter

Compliance and Ethics Leadership Council, 2005

CONTENT OF PROGRAM CHARTERS

Program charters are intended for internal stakeholders, providing visibility into the structure and objectives of the program. Charters aid in the management of the compliance and ethics program by clearly defining the following:

• Role of the compliance and ethics office and responsibilities of individual staff
• Reporting relationships of the Compliance and Ethics Officer
• Protocols for development and dissemination of business conduct standards and procedures to stakeholders
• Guidelines for monitoring and auditing of the Compliance and Ethics program
• Guidelines for reporting of business conduct allegations and advice requests (managing a whistleblower program)
• Guidelines for investigating alleged violations
• Role of the Audit Committee of the Board of Directors (or other committee to which the Compliance and Ethics Officer reports)
• Delivery schedule for compliance and ethics training
KEY PRINCIPLES

Organization and Independence

The Compliance and Ethics Officer is accountable to the Chief Compliance Officer and the Audit Committee with respect to the activities performed by the Compliance and Ethics Office. The Compliance and Ethics Officer reports to the Chief Executive Officer and shall have direct access to the Audit Committee and shall take directly to the Chairman of the Audit Committee matters of sufficient magnitude and urgency to require immediate attention. As a matter of policy, the Compliance and Ethics Officer will review ethics issues with the appropriate operating head before going to the Audit Committee, unless a conflict of interest situation precludes an objective, unbiased review.

Authority

The Compliance and Ethics Office conducts ethics and compliance programs and activities under the authority of the Chairman of the Audit Committee. Managers at all levels of the Corporation are expected to provide reasonable access to relevant people, information, and records during the course of ethics investigations.

Retaliation

Company has established procedures for the reporting of complaints regarding accounting, internal control, auditing, or other policy or code of conduct matters. These allegations can be reported anonymously. All complaints, whether or not reported anonymously, will be handled in a confidential manner, with disclosure limited to those persons necessary to conduct a full investigation of the alleged violation or to carry out appropriate disciplinary or corrective action.

Reporting suspected violations of policies, code of conduct, or other processes is a benefit to the corporation and expected behavior of all employees. Any form of retaliation against any employee for reporting or participating in the investigation of a suspected violation will not be tolerated.

Requirements of all Employees

All Company employees and employees of Company subsidiaries are required to:
- Understand the Corporation’s code of conduct and workplace policies
- Abide by the provisions of the code of conduct and workplace policies
- Participate in required training relative to the code of conduct and other workplace policies
- Provide written acknowledgment of the code of conduct and compliance with its provisions when requested

Responsibilities of Operating Unit Heads

Operating unit heads are responsible for creating an ethical work environment and acting as role models of ethical behavior. Specifically, they are responsible for:

- Cascading communications about business ethics, workplace policies, and corporate values, including their personal message customized to their employee constituency
- Ensuring there is a reliable process in place within their organization to confirm that employees receive required training, receive appropriate communications, understand the code of conduct, and comply with the provisions of the code of conduct and other workplace policies
- Supporting the Compliance and Ethics Office and its agents on ethics investigation activities in a timely manner
- Exemplifying role model behavior when it comes to ethics and other corporate values
- Directing all ethical issues and concerns to the Compliance and Ethics Office in a timely and comprehensive manner. The Compliance and Ethics Office is the only official office of record for ethics files for the corporation. Information to be transmitted to the Compliance and Ethics Office includes:
  - Description of suspected violation, including policy, law, or regulation reference
  - Person or persons involved, if known or available
  - Location where suspected violation occurred
  - Date when suspected violation occurred
  - How suspected violation was observed or identified
  - Investigative or disciplinary actions already taken or underway, if any
- Ensuring that no retaliation occurs against any employee for reporting or participating in the investigation of suspected violations
- Ensuring that their Compliance and Ethics Committee member has adequate management support and resources to fulfill their duties for the organization
Compliance and Ethics Office

The Compliance and Ethics Office has primary responsibility for developing and implementing programs that support an ethical work environment.

- Developing and implementing a worldwide code of conduct and associated compliance program that supports the Corporation’s requirement to maintain an ethical work environment
- Developing and implementing code of conduct training materials for the Company employees worldwide
- Ensuring annual written acknowledgment of and compliance with the Company Code of Conduct by all designated senior managers and executives. This acknowledgment must include confirmation of their organizations’ compliance.
- Providing channels for employees, suppliers, and customers to report suspected violations and provide ethical guidance. These channels include a toll-free telephone number, e-mail, Internet links, Web page, and internal and external mail address. The option to remain anonymous must be available to individuals reporting suspected violations.
- Overseeing investigations of suspected ethical violations. Investigations are generally conducted using existing internal competencies. Ethics cases can be closed only by the Compliance and Ethics Officer.
- Coordinating the Compliance and Ethics Committee activities to ensure consistency and provide an executive-level forum for discussing emerging trends, issues, and concerns
- Reporting ethics and compliance activities and issues for Company senior management and the Audit Committee to the Board of Directors
- Networking with peer group companies and professional trade associations to understand and adapt best practices

Compliance and Ethics Committee

Senior operational and functional executives comprise the Compliance and Ethics Committee. The Committee works closely with the Compliance and Ethics Office and has primary responsibility for:

- Implementing ethics training and education
- Ensuring consistent enforcement of discipline policy
- Overseeing changes and making recommendations to Company policies
- Evaluating ethics and business conduct issues and trends, to address potential problems proactively
- Evaluating the performance of the Compliance and Ethics Office and the effectiveness of the ethics and compliance program and providing feedback to the Compliance and Ethics Office and the Compliance and Ethics Officer

Additionally, each member is individually responsible for:

- Establishing a formal or informal business ethics and compliance network within his or her respective organization
- Ensuring that all organization-specific policies are consistent with Company values, Code of Conduct, existing laws, and other Company policies
- Attesting that ethics and business conduct training is fully deployed with his or her organization
- Attending all Compliance and Ethics Committee meetings

Governance Board members are not responsible for the intake of ethics violations. All suspected violations should be directed to the Compliance and Ethics Office directly via the Ethics Helpline.

Resources and Communications

The Compliance and Ethics Office maintains the Ethics Helpline as a resource on ethics, code of conduct, and workplace policies and a channel for employees and others to report suspected allegations of ethical misconduct. The Helpline is available 24 hours a day, 7 days a week from all locations. According to its charter, the Helpline must:

- Preserve anonymity, if requested by the caller
- Ensure confidentiality of all callers and subjects of allegations
- Provide guidance on questions and inquiries
- Direct allegations and inquiries to the Compliance and Ethics Office in a timely manner
- Treat all callers with respect and dignity

Reprinted with permission from the Corporate Executive Board, Washington, DC © 2005.
APPENDIX C
Resources for Compliance Professionals

While this book intends to be comprehensive, due to the enormity of the subject, it is not possible to cover all the relevant content and materials. This book has attempted to convey the underlying principles of an effective compliance program while providing numerous best practices and strategies for success. Still, there is much more information available to discover and apply. There are a number of outstanding resources available to compliance professionals and others with a keen interest in the subject. Detailed below are a number of selected resources to guide the reader. An excellent source of compliance best practices can be gleaned through involvement in professional compliance associations. The Internet also contains many Web sites, publications, articles, and blogs available to the general public.

CORPORATE EXECUTIVE BOARD

The Corporate Executive Board Company (NASDAQ: EXBO) is a leading provider of best practices research and analysis focusing on corporate strategy, operations, and general management. The Corporate Executive Board (CEB) provides its integrated set of services currently to more than 3,700 of the world’s largest and most prestigious corporations, including over 80% of the Fortune 500. These services include best practices research studies, executive education seminars, management implementation toolkits, customized research briefs, and Web-based access to a library of over 300,000 corporate best practices. Of special note, the CEB was extremely helpful in providing insight and content for the writing of this book. Their substantial assistance is gratefully appreciated.

“The CEB’s mission is to increase the effectiveness of executives and their enterprises by discovering and teaching the membership the best new thinking and strategies from across industry and around the world.” The CEB has many different practice areas including financial services, human resources, information technology, corporate finance, operation and procurement, and legal and administrative. Membership is on an annual subscription basis. Within the legal and administrative practice is the Compliance and Ethics Leadership Council that focuses on improving the compliance and ethics programs of organizations worldwide.

Compliance and Ethics Leadership Council

“The Compliance and Ethics Leadership Council (CELC), a membership program of the CEB, serves compliance and ethics executives at hundreds of organizations around the world. The CELC’s dedicated team of research, executive education, and member services staff support members on their most pressing problems by helping them learn from the collective experience of their peers.” The CELC has access to executive suites and other senior management to understand the strategic, governance, and business challenges impacting legal and compliance departments. This unique perspective allows the CELC to lend unparalleled perspective to research that reflects enterprise-wide concerns.

The CELC uses quantitative and fact-based case study research to provide insights into proven practices from legal and compliance leaders. The case study approach offers significant insight and opportunities for improvement in compliance programs. The CELC has a dedicated staff of analysts and researchers to study the best practices of the world’s leading organizations. Members get access to this information to solve compliance and other challenges. An excellent tool afforded members is the member-driven agenda that includes polling of members to determine pressing issues and business challenges. In addition, the CELC hosts a number of member events including senior executive forums, leadership briefings, member-hosted forums, and teleconferences where research and other best practices are shared and discussed.

A searchable archive and resource center provides online access to research and tools on a wide variety of compliance and ethics topics. Included is the most current research on such compliance areas as establishing a compliance and ethics program, measuring program effectiveness, compliance risk management, compliance education and communications, corporate governance, and metrics. Members of the CELC include companies such as Bank of America, Dow Chemical, IBM, Royal Dutch Shell, Johnson & Johnson, General Motors, and Barclays. For more information on the Compliance and Ethics Leadership Council, please visit their Web site at www.celc.executiveboard.com/Public/Default.aspx.
Compliance and Ethics Program Assessment Wizard

The Compliance and Ethics Program Assessment Wizard is a comprehensive measurement and benchmarking system for compliance and ethics program performance. It is a Web-based self-assessment of program maturity that assesses an organization’s compliance program across eight key elements and 28 sub-elements. The elements and sub-elements align closely with the revised Federal Sentencing Guidelines for Organizations and incorporate expectations of the SEC and European regulators. The Program Assessment Wizard was created by the Corporate Executive Board’s Compliance and Ethics Leadership Council (CELC). The results can benchmark a program against peers and external standards and identify areas of strength as well as opportunities for improvement and resource allocation.

The Program Assessment Wizard’s eight key elements and 28 sub-elements are as follows:

- Program Structure and Oversight
  - Leadership and Resources
  - Enterprise Oversight
  - Program Objectives
- Standards and Procedures
  - Development
  - Accessibility
  - Applicability
- Compliance Risk Assessment
  - Process
  - Responsibility
  - Prioritization
  - Scope
  - Mitigation
- Training
  - Content
  - Delivery Mechanism
  - Audience
  - Tracking
  - Assessment and Certification
- Communications
  - Content
  - Channels
- Discipline and Incentives
  - Background Checks
  - Performance Review Process
  - Disciplinary Action
- Allegation Reporting and Investigations
  - Allegation Reporting
  - Allegation Tracking and Analysis
  - Investigation Management
- Program Measurement and Monitoring
  - Monitoring Standards
  - Monitoring Ownership
  - Metrics
  - Employee Perception Measures

The CELC developed an Importance Scale from 1 to 5 for the eight elements with 1 as “Very Low Importance” and 5 as “Very High Importance.” The CELC also developed a Maturity Scale from 1 to 4 that indicates the maturity level of each of the 28 sub-elements. A Level 1 is “Unstructured” and a Level 4 is “World-Class.” The four levels of program maturity were developed using best practices research and through extensive consultation with dozens of member companies.

There are additional benefits to using the Program Assessment Wizard. The CELC will recommend processes, procedures, and organizational structure to address program gaps and enhance program strengths. Their benchmarking is a result of interactions with over 300 companies. They will provide ready-to-use tools, templates, and best practices for program improvements from their archives. It should be noted that an organization must be a member of the CELC in order to receive these benefits. For more information, please visit www.celc.executiveboard.com.

SOCIETY OF CORPORATE COMPLIANCE AND ETHICS

The Society of Corporate Compliance and Ethics (SCCE) is an organization dedicated to the continuous improvement of corporate governance, compliance, and ethics. It is headquartered in Minneapolis, Minnesota and services the growing industry of corporate compliance and compliance officers. As stated on their Web site, the SCCE’s Mission is to “champion ethical practice and compliance standards in all organizations and to provide the necessary resources for compliance professionals and others who share these principles.”1 The SCCE offers tools, resources, and training for compliance officers and others involved in developing and maintaining compliance programs. The SCCE also offers a speaker’s bureau to provide speakers on compliance related topics at conferences and other training events. Members of the SCCE include Fortune 500 companies such as Colgate Palmolive, Dell, Microsoft, UPS, and Wal-Mart, as well as law firms, compliance service providers, and other businesses. For more information on the Society of Corporate Compliance and Ethics, please visit their Web site at www.corporatecompliance.org/index.htm.

Certified Compliance and Ethics Professionals

With the growing emphasis on corporate compliance, there is an ongoing need for compliance and ethics professionals. Professional certification in the field is an excellent way to advance compliance as well as personal development and growth. The SCCE offers a certification program in compliance and ethics that is administered by the SCCE Certification Board. The Board’s mission “is to develop criteria for the determination of competence in the practice of corporate compliance and ethics at a variety of levels, and to recognize individuals meeting these criteria.”2 The Certified Compliance and Ethics Professional (CCEP) is a certification that requires an applicant to fulfill requirements in work experience and continuing education, as well as pass a certification examination.

According to the SCCE, a “CCEP is a professional with knowledge of relevant regulations and expertise in compliance processes sufficient to assist corporate industries to understand and address legal obligations, and promote organizational integrity through the operation of effective compliance programs.”3 The CCEP certification will formally recognize compliance professionals and provide a national standard of requisite knowledge in ethics and compliance. This certification program is another best practice in developing the knowledge, skills, and abilities to further the quality of professionals involved in compliance as well as compliance programs.

ETHICS AND COMPLIANCE OFFICER ASSOCIATION

The Ethics and Compliance Officer Association (ECOA) is a not-for-profit, non-consulting, member-driven organization for individuals responsible for oversight of ethics, compliance, and business conduct programs in their respective organizations. The ECOA was incorporated in 1992 and today has over 1,300 worldwide members. It offers compliance resources and networking to both highly experienced compliance officers and those new to the field. The mission of the ECOA, as stated on its Web site, is “being the leading provider of ethics, compliance, and corporate governance resources to ethics and compliance professionals worldwide” and providing a worldwide network of compliance professionals “for the exchange of ideas and strategies.”4
Membership in the ECOA is restricted “to those individuals who are recognized by their organization as having the assigned role and responsibility for designing, implementing, and/or administering ethics, compliance or business conduct programs.”5 ECOA members are expected to share their knowledge, experience and best practices with other members to further corporate compliance. Member companies include Alcoa, CA, Inc., Citigroup, General Electric, Lockheed Martin, Microsoft, PepsiCo, and United Technologies. The ECOA conducts training and other educational conferences, forums, webcasts and professional development programs. For more information on the Ethics and Compliance Officer Association, please visit their Web site at www.theecoa.org.

DEFENSE INDUSTRY INITIATIVE (DII) ON BUSINESS ETHICS AND CONDUCT

The Defense Industry Initiative on Business Ethics and Conduct (DII) is, as they state on their Web site, a “consortium of U.S. defense industry contractors that subscribes to a set of principles for achieving high standards of business ethics and conduct.”6 The DII was established in 1986 by 32 major defense contractors “who pledged to adopt and implement a set of principles of business ethics and conduct that acknowledge and express their federal-procurement-related corporate responsibilities to the Department of Defense, as well as to the public, the Government, and to each other.”7 The DII provides a whole host of member services including Best Practices Forums, ethics training resources, annual reports of DII activities and other related services. Each DII member company commits to adopt and adhere to the DII’s six principles of business ethics and compliance. The principles state that each member shall:

- Have a written code of conduct setting forth the high ethical values expected for all within their organization.
- Train everyone in their organization about their responsibilities under the code.
- Encourage reporting of violations of the code as well as promoting a non-retaliation policy for such reporting.
- Be required to implement internal controls to monitor compliance with federal procurement laws and adopt voluntary reporting of violations of federal procurement laws to authorities.
- Share best practices related to the DII Principles, as well as participate in the annual Best Practices Forum.
- Be accountable to the public.8
DII members have worked over the years to make their principles a standard for the entire defense industry as well as for other industries. “Perhaps because of their disciplined approach to ethics and conduct, no member of the DII family of companies experienced the fate of the Enrons, the Global Crossings, the WorldComs, and the like. We cannot know for sure that it is the DII values-based ethical culture that set the DII family above those that failed, but that ethical culture had to have been a contributing factor (emphasis added).”9 There is an annual assessment for membership that is determined by each member company’s total annual company revenues. The DII has grown steadily since 1986 to 74 members at the end of 2006. For more information, visit www.dii.org.

UNITED STATES DEPARTMENT OF JUSTICE

The Department of Justice, as the entity responsible for prosecuting corporate crime on the federal level, sets out the enforcement policies of which all corporate professionals should be aware. The Justice Department, and in particular its Corporate Fraud Task Force, developed these enforcement standards. These policies, particularly as described in the 2003 “Thompson Memo” and the 2006 “McNulty Memo,” can be viewed on the Department’s Web site. These memos as well as speeches, reports from the Corporate Fraud Task Force, and other materials can be found in the “President’s Corporate Fraud Task Force” and “Publications & Documents” sections of the site. The site also contains links to the text of important laws such as the Sarbanes-Oxley Act, the USA PATRIOT Act, the Foreign Corrupt Practices Act, and SEC rules. The Corporate Fraud Task Force site can be found at www.usdoj.gov/dag/cftf. The McNulty Memo can be read in full at www.usdoj.gov/dag/speech/2006/mcnultymemo.pdf. The section on the Foreign Corrupt Practices Act containing the law itself and many other informational resources can be found at www.usdoj.gov/criminal/fraud/fcpa.

UNITED STATES SENTENCING COMMISSION

The U.S. Sentencing Commission creates and [manages] the Federal Sentencing Guidelines, legislation which has had a profound and dramatic effect on compliance.

An independent agency in the judicial branch, the Commission principally “establish[es] sentencing policies and practices for the federal courts, including guidelines to be consulted regarding the appropriate form and severity of punishment for offenders convicted of federal crimes.”10 The Guidelines’ list of the seven elements of a minimally effective compliance program serves as the baseline for many of the corporate compliance programs in existence. Chapter Eight of the Guidelines covers the sentencing of organizations and the best practices it set forth have been adopted or served as the basis for model compliance programs created by other federal agencies.11 The Sentencing Commission’s site includes the entire Sentencing Guidelines and numerous resources, particularly those pertaining to the Organizational Guidelines, as well as statistical data regarding organizational sentencing practices.

The main site can be found at www.ussc.gov/. The link to the Advisory Group on Organizational Guidelines to the United States Sentencing Commission is www.ussc.gov/corp/advgrp.htm. The Organizational Guidelines themselves and supplemental material can be found at www.ussc.gov/orgguide.htm.

NOTES

1. The Society of Corporate Compliance and Ethics, www.corporatecompliance.org/about/about.htm.
2. Certified Compliance and Ethics Professional (CCEP), The Society of Corporate Compliance and Ethics, www.corporatecompliance.org/CCEP/index.htm.
3. Ibid.
4. The Ethics and Compliance Officers Association, www.theecoa.org/AM/Template.cfm?Section=Mission&Template=/CM/HTMLDisplay.cfm&ContentID=1819.
5. The Ethics and Compliance Officers Association, www.theecoa.org/source/Members/cMemberInsert.cfm?Section=JointheECOA&WHERETONEXTSOURCE=../Members/paJoinAddlInfo.cfm.
6. The Defense Industry Initiative on Business Ethics and Conduct, www.dii.org.
7. The Defense Industry Initiative on Business Ethics and Conduct, www.dii.org/Statement.htm.
8. Ibid.
9. The Defense Industry Initiative on Business Ethics and Conduct, 2003 Annual Report to the Public, 1, www.dii.org/annual/2003/AnnualReport2003.doc.
10. “An Overview of the United States Sentencing Commission,” United States Sentencing Commission, June 2005, www.ussc.gov/general/USSCoverview2005.pdf.
11. Paula Desio, “An Overview of the Organizational Guidelines,” United States Sentencing Commission, www.ussc.gov/corp/ORGOVERVIEW.pdf.
Index

AbTox, Inc., 175, 182–184
Adelphia, See Adelphia Communications Corporation
Adelphia Communications Corporation, 166–168, 216
  compliance failures, 166–168
Airservices Australia:
  company mission and values, 236
  company profile, 235
  confidentiality, 240–241
  control strategies, 242, 248–249
  definition of fraud, 237, 247–248
  fraud awareness, 239–240, 250–253
  Fraud Control Plan, 233–244
  fraud incidents, 237–238
  internal investigations, 241–242, 249–250
  Managers’ Guide for Fraud and Corruption Control, 244–253
  risk assessment, 242–243
Allen, William, 73, 75
AML. See Anti-money laundering
Anti-money laundering, 131–145. See also Money laundering
  audit function, 143–144
  compliance programs, 138–143
  criminal sanctions, 137
  enhancements and regulations from USA PATRIOT Act, 136–137
  forfeiture, 137–138
  “Know Your Customer,” 138, 141
  monitoring, 140
  non-financial institutions, 138
  record-keeping requirements, 135
Antitrust, 49–50
Aristotle, 3
Arizona State University, 20
  W. P. Carey School of Business, 20
Arthur Andersen, 48, 159
Aspen Institute, 15
Asset forfeiture, 137–138
Asset Forfeiture Fund, 137
Asset Forfeiture Program, 137
Association of Certified Fraud Examiners, 122, 253
Attorney-client privilege, 57–58
  waiver of privilege, 58–59
Audit Committee, 175, 226
Background checks, 185–186
Bank Secrecy Act, 132–133, 139
  origin, 133
  record-keeping requirements, 135
  reporting requirements, 133, 135
  transaction activity, 133
  USA PATRIOT Act enhancements, 136–137
Barnsley, Jan, 152
Barry, Megan, 223–224
Bay of Pigs, 260–261
Blakely v. Washington, 164
Blue Ribbon Commission on Defense Management, The, 50
Board of directors, 175
  fiduciary responsibility, 20, 35, 216
  reports, 197–199
Booz Allen Hamilton, 15
Brown, Shawn, 28–29
BSA. See Bank Secrecy Act
Buffett, Warren, 6, 46
Burke, James, 157
Business Roundtable, The, 157
CA, Inc., 1–2, 87–105, 263–265
  Business Practice Officers, 103
  chief compliance officer, 92–94
CA, Inc., (Continued)
  code of conduct, 95–99
  Compliance and Ethics Program Assessment Wizard, 103
  compliance best practices, 104
  compliance failures, 264
  Defense Industry Initiative, 99
  Deferred Prosecution Agreement, 89–92, 105
  document retention policies, 100
  Gnazzo, Patrick J., 92–97, 99–105, 176, 215
  hotline, 95, 100, 102
  independent examiner, 89, 92, 105
  Kumar, Sanjay, 89–90
  McDermott, John, 101
  “New CA Way,” 263–264
  Ombudsperson Program, 102
  remedial steps, 90–92
  35-day month, 88–90
  tone at the top, 99–100
  training, 100
  “unfettered access,” 93–94
Caputo, Ross, 182–184
Caremark. See In Re Caremark
Castillo, Judge Ruben, 184
CELC. See Compliance and Ethics Leadership Council
Certified Fraud Examiner, 187
Certified Compliance and Ethics Professional, 187
Certified Protection Professional, 187
Chief Compliance Officer, 52, 92–94, 155, 175–177
  “Corporate First Responder,” 175
  importance of, 176–177
  prosecution of, 182–184
  responsibilities, 175–176
Coca-Cola, 31–33
Code of conduct, 11–12, 63, 96–99, 121, 154–155
  benchmarking and evaluation, 172
  core values, 171
  designing and distributing, 193
  integrity as a value, 32
  Investigator’s Code of Conduct, 187–188
  promotion of, 154–155
  protecting trade secrets, 32–33
  Seaboard Corporation, 63
Code of ethics. See Code of conduct
Committee of Sponsoring Organizations, 211
Commonwealth Fraud Control Guidelines, 234–235
  definition of fraud, 237
Compliance:
  anti-money laundering, 138–143
  best practices, 128–129, 154–155, 195–196, 200–201
  business case, 14
  chief compliance officer, 52, 92–94, 155, 175–177
  communicating compliance values, 35
  consultants, 37, 39
  definition of, 8, 150
  development of modern compliance, 49–52
  effective, 2–3, 8, 9, 28–29, 31–33, 62, 150
  ethical lapses, publicizing, 102, 193–194, 207
  evaluating program effectiveness, 62, 202–204, 210–211
  failures, 48, 54, 55–57
  gatekeepers, 34–35, 258
  gift policy, 194
  global concerns, 127–128
  history, 45–53
  incentives, 207–208
  individuality, 11–12
  job descriptions, 177–179
  meaningful accountability, 30
  obstacles to, 16, 17–19, 21, 40
  organizational structure, 178, 180–181
  “paper program,” 61–62, 76
  programs, 61–62, 128–129, 138
  red flags, 20
  retaliation, 266
  side letters, 102
  training, 40–41, 191–193, 195
Compliance and Ethics Leadership Council, 8, 103, 203, 266
Compliance and Ethics Program Assessment Wizard, 103, 203
Compliance Emergency Preparedness Kit, 211, 213–214
Comprehensive Crime Control Act of 1984, 137
Computer Associates. See CA, Inc.
Connor, Laura, 131, 148
Cook, Jay, 46, 48
Cooper, Cynthia, 265
Copeland, Howard, 153
Copeland, Dr. John D., 149–162
Corporate first responders, 175
Corporate crime, 53–54
  culpability, 60–61
  defense, 53–54
  enforcement, 54
Corporate Executive Board, 103
Corporate governance, 124
  Latin America, 124–125
  value of, 13, 15
Corporate regulation, 47
  Congressional intervention, 47–50
  New Deal, 48–49
  historical patterns of, 45–49
  Presidential influence on, 47–49
COSO. See Committee of Sponsoring Organizations
Coughlin, Thomas, 55–57
Cox, Christopher, 174
Croft, Bob, 26–27
CTR. See Currency Transaction Report
Cuban Missile Crisis, 261
Culture of compliance, 266
Currency Transaction Reports, 133, 135, 143
Defense Industry Initiative, 51, 99
Deferred Prosecution Agreement, 89–92, 114, 117
Delaware Court of Chancery, 73
Dewey & LeBoeuf, 166
DII. See Defense Industry Initiative
Director liability, 76–77, 161–162
Discipline, 155, 205–206
DOJ. See United States Department of Justice
DPA. See Deferred Prosecution Agreement
Drucker, Peter, 30
Duke University Lacrosse case, 257
Dunlap, Al, 158
Durham County, North Carolina District Attorney’s Office, 257–258
Ebbers, Bernie, 53
ECOA. See Ethics and Compliance Officers Association
Enron, 19–20, 48, 53, 159, 215
  code of conduct, 3, 151, 171
Enterprise Risk Management, 100, 211
ERM. See Enterprise Risk Management
Ethics, 3–4
  ethical behavior, 150, 152
  ethical culture within the New York City Police Department, 5–6
  “ethics fad,” 4
  link with retention and productivity, 15–16
  warning signs of ethical collapse, 20
Ethics and Compliance Officers Association, 94
Ethisphere Magazine, 98–99
Executive compensation, 10–11
Executive leadership, 174–175
Executive Roadmap to Fraud Prevention and Internal Control, 34, 54
Fabiano, Pedro, 121–129
Fastow, Andy, 215
FATF. See Financial Action Task Force
FBAR. See Report of Foreign Bank and Financial Accounts
FBI. See Federal Bureau of Investigation
FCPA. See Foreign Corrupt Practices Act
FDA. See Food and Drug Administration
Federal Bureau of Investigation, 28–29, 31, 88
Federal Sentencing Guidelines for Organizations, 3, 9, 12, 52–54, 77, 163
  Caremark, 73, 77
  Chapter 8, 163
  compliance standards and procedures, 165–166, 170–173
  criminal conduct and remedial action, 170, 205–206, 208–209
  culpability score, 9
  effective compliance, 71, 165
  mitigating factors, 9–10, 12, 71, 164–165
  organizational leadership, 168–169, 173–178, 180–181
  performance incentives and disciplinary action, 170, 204–208
  program effectiveness, 169, 196, 201–204
  prohibited persons, 169, 185–188
  Seven Steps, 52, 75, 154–155, 164–165, 168–170
  training and communication, 169, 191–196
  2004 Amendments, 52, 164
Feeney, Thomas F.X., 166
Financial Action Task Force, 144
Financial Crimes Enforcement Network, 135
  IRS/FinCEN Form 8300, 138
FinCEN. See Financial Crimes Enforcement Network
Fisher, Alice S., 115–117
Fonda, Henry, 258, 265
Food and Drug Administration, 182–184
Foreign Corrupt Practices Act, 37, 72, 107–108, 115, 122, 128
  audits, 119
  books and records provision, 108, 123
  code of conduct reference, 98
  compliance consultants, 116
  cultural implications, 127
  Department of Justice opinion procedure, 116
  disclosures, 115–116
  disgorgement of profits, 121
  due diligence, 117
  effective compliance program, 118–119, 121
  enactment, 50, 108
  enforcement, 120, 123
  facilitating payments, 88, 127
  foreign issuers, 122, 127–128
  investigations, 111–113, 117–118, 120
Fraud:
  corporate, 53, 55–56
  defense contracting, 50
  investigations, 55–56, 63, 88–89, 101
  prevention, 244, 253–254
  prosecution for, 205–206
  zero tolerance for, 205
Freakonomics, 207
FSGO. See Federal Sentencing Guidelines for Organizations
Gatekeepers, 34
General Electric, 50, 117
Gnazzo, Patrick J., 92–97, 99–105, 176, 215
Greenspan, Alan, 30
Groupthink, 260–261
Hackett, Susan, 176
Hammer, Armand, 159
Hanson, Kirk O., 222
Healthcare Industry Group Purchasing Association, 224–225
Hewlett-Packard, 4, 50
  civil settlement with California Attorney General, 262
  compliance enhancements, 263
  spying and pretexting scandal, 261–263
HIGPA. See Healthcare Industry Group Purchasing Association
Hoak, John, 262–263
Hotlines, 75, 95, 102, 201–202
  aversion to, 126
  confidentiality, 102, 201–202
  non-retaliation, 202
  restrictions, 213
Howard, Michael, 234
HP. See Hewlett-Packard
Hunt, J.B., 153
“Icarus Effect,” 10
  “Icaran” risk factors, 10–11
In Re Caremark, 62, 72–75
  board responsibility, 73–76
  compliance program, 74–75
  director liability, 76–78
  duty of care, 72–75
  duty of loyalty, 77
  role of ethics, 77
Infosys Technologies, 174
Insull, Samuel, 48–49
Integrity, 26, 96–97
Investigations:
  government, 59
  internal investigative unit, 186–187
  investigator’s code of conduct, 187–188
InVision Technologies, Inc., 117
Invitrogen Corporation, 81
Isdell, Neville, 32
Jennings, Marianne, 20
Johnson & Johnson, 157–158
  baby oil case study, 158
  credo, 157
  tone at the top, 157–158
  Tylenol product tampering, 157
Kennedy, President John F., 260–261
  Bay of Pigs invasion, 260
  importance of open debate, 261
Kennedy, Robert, 261
Kinder Lydenberg, Domini & Company, 160
King David, 259–260
Knapp Commission, 7–8
“Know Your Customer,” 138, 141. Also see Anti-money laundering
Kumar, Sanjay, 89–90
“KYC.” See “Know Your Customer”
Lauer, Stephen A., 212
Lay, Ken, 16, 19–20
Lockheed Martin, 121
LRN, 15
Lucier, Greg, 81
Lucky CEOs Study, 30, 33–34
Lucky Directors Study, 34
Mail Fraud Statute, See United States Mail Fraud Statute
Malcolm Baldrige National Quality Award, 207, 220
Management:
  Deterring management misconduct, 206
  role in fraud prevention, 224
Market Value Added, 13
Markkula Center for Applied Ethics, 222
McDermott, John, 101
McNulty Memo, 54, 58–62, 121
  analysis of, 58–59
  charging factors, 59–60
  cooperation with prosecutors, 59
  criminal culpability, 60–61
  “paper program,” 61
  sentence reduction, 59, 61–62
McNulty, Paul, 58
“Meaningful accountability,” 30
Meilstrup, David, 131, 148
Merck, 158
  River blindness case study, 158
Metcalf & Eddy International, Inc., 117–120. See also Foreign Corrupt Practices Act
  effective FCPA compliance program, 118–119
Money laundering, 131–133. See also Anti-money laundering
  Black Market Peso Exchange, 132
  convictions, 134
  definition, 132
  drug trafficking, 132
  foreign statutes, 144–145
  integration, 132
  layering, 132
  placement, 132
  red flags, 141–143
Monitoring, 140
Monsanto Corporation, 120
Montedison, S.P.A, 122–123
Moritz, Scott, 37
Murphy, Joseph E., 42, 214–215
MVA. See Market Value Added
NASDAQ, 72, 95
  foreign issuers, 124
National Institute of Standards and Technology, 220
NCCT. See Non-Cooperative Countries and Territories
New York City Police Department, 5–8
  history of corruption within, 7–8
  Police Student’s Guide: Introduction to the NYPD, 6
  reforms efforts, 6
New York Stock Exchange, 72, 95
  foreign issuers, 124
  policy on financial risk, 100
Nicomachean Ethics, 3
Nifong, Mike, 257–258
NIST. See National Institute of Standards and Technology
Non-Cooperative Countries and Territories, 144
Nye, Vince, 262
NYPD. See New York City Police Department
Occidental Petroleum, 159
OFAC. See Office of Foreign Assets Control
Office of Foreign Assets Control, 37, 83
Oil States International, Inc., 122
OSI. See Oil States International, Inc.
Oxley, Michael, 82
Packard Commission, 50–51
Packard, David, 50
PATRIOT Act. See USA PATRIOT Act
PCAOB. See Public Company Accounting Oversight Board
PepsiCo, 31–33
Petroleos de Venezuela, S.A., 122
Postal Inspectors. See United States Postal Inspection Service
Premier, Inc., 207, 220
  audit committee, 226
  awards and incentives, 229
  background, 220–222
  best practices, 227–229
  code of conduct, 224–225
  communications, 225–226
  compliance officer, 223–225
  compliance program, 224–229
  ethical practices and standards report, 222–223
  hotline, 225, 228
  program assessment, 226
  training, 225
  winning the Baldrige Award, 220
Pretexting, 4, 261–262
Principles of Corporate Governance, 157
Principles of Federal Prosecution of Business Organizations. See Thompson Memo and McNulty Memo
Professional Certified Investigator, 187
Prophet Nathan, 259
Program Assessment Wizard, See Compliance and Ethics Program Assessment Wizard
Public Company Accounting Oversight Board, 78
RadioShack, 185
Reagan, President Ronald, 50
Redflex Traffic Systems, 28–29
Report of Foreign Bank and Financial Accounts, 135
Report of the National Commission on Fraudulent Financial Reporting, The. See Treadway Commission
Rigas, John J., 166–167
Rigas, Michael, 167
Rigas, Timothy, 167
Riley, Robert, 182–184
Roosevelt, President Franklin Delano, 48–49
Roosevelt, President Teddy, 47
  State of the Union speech, 47–48
Russell, Greg, 237
SAR. See Suspicious Activity Reports
Sarbanes, Paul, 82
Sarbanes-Oxley Act, 3–4, 38, 46, 52, 53, 72, 78–79, 108
  adoption by private companies, 153
  costs of implementation, 79–82
  criticism of, 79
  director responsibility, 153
  financial expert on board, 215
  financial reporting, 153
  impact on business, 80–82
  Section 302, 123
  Section 404, 79–81, 123
  Section 906, 124
Schlesinger, Jr., Arthur, 261
Schnitzer, Sam, 109
Schnitzer Steel Industries, Inc., 109–114
  Deferred Prosecution Agreement, 114
  FCPA violations, 110–113
  history, 109–110
  impact of Sarbanes-Oxley Act, 111
  prosecution of, 112–114
  remedial efforts, 113–114
Scott Paper, 158
Seaboard Corporation, 63
Seaboard Criteria. See Securities and Exchange Commission
SEC. See Securities and Exchange Commission
Securities and Exchange Act of 1934, 49
Securities and Exchange Commission, 4, 49, 63–64
  enforcement activity, 5, 120
  Seaboard Criteria, 61, 64–66
Seven Signs of Ethical Collapse, 20
Seven Steps, See Federal Sentencing Guidelines for Organizations
Share Our Strength, 160
Sherman, Marc, 131, 148
Sherman Antitrust Act, 50
Side letters, 102
Skeel, David A., 10
“Skunk in the Room,” 258, 264–265
Soderquist Center for Leadership and Ethics, 149–150
Soderquist, Don, 152
Speaking up, 265–266
Spying, 4, 261–262
SSI International Far East, Ltd., See Schnitzer Steel Industries, Inc.
SSI International, Inc., See Schnitzer Steel Industries, Inc
St. Thomas, University of, 16
  Center for Business Ethics, The, 16
Stamboulidis, George, 59
Stock Options:
  backdating, 30, 33–35, 161
  companies probed, 36–37
Stone v. Ritter, 77
Sullivan & Cromwell, 88
Sunbeam, 158
Suspicious Activity Reports, 134–135, 141–143
Swainson, John, 96, 105
Third-party risk, 108
Thompson Memo, 54, 57, 121
Titan Corporation, 120–121
Tone at the top, 25–26, 35, 38
  absence of, 34
  creating, 99
  definition of, 26, 156
  demonstration of, 28–33, 40–43, 153, 157, 159
  measurement, 27, 99–100, 160
Training, 40–41, 100, 152, 169, 191–193
Treadway Commission, 51–52, 211
12 Angry Men, 258, 265
Tylenol, 157
Tyson Foods, 151, 159–160
  compliance program, 151
  compliance training, 152
  tone at the top, 159
Tyson, John, 159
United States Attorney’s Office:
  District of Oregon, 112
  Eastern District of New York, 88–89
United States’ Federal Sentencing Guidelines. See Federal Sentencing Guidelines for Organizations
United States Department of Defense, 51
United States Department of Justice, 8, 53–54, 57–59, 63, 120
  asset forfeiture, 137
  cooperation with, 59
  FCPA enforcement, 120
  money laundering, 133
United States Department of the Treasury, 133
United States Mail Fraud Statute, 47
“United States person,” 135
United States Postal Inspection Service, 101
  Postal Inspector, 166
United States Sentencing Commission, 163. See also Federal Sentencing Guidelines for Organizations
United States v. Booker, 164
United States v. Fanfan, 164
United States v. Kay, 120
United Technologies Corporation, 92
USA PATRIOT Act, 37, 72, 107, 131, 135–136
  anti-money laundering program, 137
  asset forfeiture, 137–138
  criminal sanctions, 137
  regulations, 136
USSC. See United States Sentencing Commission
Values, 156
  corporate, 56
  communication of, 35
Verschoor, Curtis C., 13
Wal-Mart, 55–57, 152
Wall Street Journal, The, 211
Westinghouse, 50
Whistleblowers, 207, 265
Wooh, Si Chan, 114
WorldCom, 53, 265