Compliance

In this section we examine how the various “tools” of a C&E program can be deployed to mitigate COIs, as well as other matters regarding the interaction of COIs and C&E programs. Please see the various sub-categories for information about each of these tools.

Does your company need a stand-alone conflicts of interest policy?

Last month, ProPublica published an extensive report regarding a dispute on whether Goldman Sachs should be sanctioned by the Federal Reserve for failing to have a firm-wide policy on conflicts of interest. An examiner for the Fed had argued in favor of such an action but the firm contended – successfully – that the COI provision in the company code of conduct coupled with COI policies for various of its divisions was good enough.

At least for C&E aficionados, the story is an interesting one (and the issue, in my view, a close call), particularly given Goldman Sachs’ recent COI history.  (See this post and this one.)   But for readers of this blog the piece may be most useful as an occasion to ask: Does my company have the COI policy that it needs?

To begin, a great many businesses don’t need a stand-alone COI policy. For many what’s in the code of conduct is policy enough. But there are, in my view, quite a few companies that should have stand-alone policies but don’t.

Five things to ask in a COI policy needs assessment

Certainly where companies have client relationships that could give rise to COIs there is a good reason to have a stand-alone policy, as such businesses generally face a greater array of COI risks than do others. Such risks tend to warrant a fuller discussion of COI standards and mitigation than can fit into a code of conduct. Put otherwise, companies that have relationships of trust with clients tend to have higher COI risks – both in terms of likelihood and impact – than do other sorts of businesses, and that should be reflected in how formal and extensive the related mitigation should be.

But other types of organizations should  consider drafting stand-alone policies too, at least if they:

- Have had more than their share of COIs in recent years, as a stand-alone policy can help signal to key constituencies resolve in dealing appropriately with COIs.

- Face more diverse, complex, non-obvious or culturally challenging COI possibilities than the average company has.  The more there is to say about different sorts of COI risks, the greater the need for a stand-alone policy, as there simply won’t be enough room in the code to do justice to all pertinent issues.

- Have significant COI-related process needs – in such areas as disclosure, management and auditing. Here too the code may not offer enough space to deal with the company’s requirements.

- Face heightened COI expectations for other reasons (e.g., non-profits, or other organizations that could be held to a “Caesar’s wife” standard of ethicality).

And don’t forget organizational justice

Even companies that don’t fit into any of the above categories should consider developing a stand-alone COI policy as a means of promoting “organizational justice.” As noted in this earlier post: “The special harm that COIs can cause to organizational justice arises from their frequently personal nature: because COIs often involve a personal benefit to an individual employee that is denied to others, the latter (i.e., rule abiding employees) can feel personally harmed (from a relative perspective) by the COI in a way that they would not feel, for example, with an antitrust offense or violation of export regulations.” Implementing a stand-alone COI policy can thus, in my view, help elevate the confidence employees have in the overall ethicality of their companies. Of course, to do so the policy must be sufficiently promoted and enforced.  But being successful here could have a ripple effect – by enhancing trust that management is committed to doing the right thing generally, which can be utterly vital to compliance and ethics program efficacy.

Note that while this consideration presumably applies to all companies, it does not mean that all companies need stand-alone COI policies.  But it is a factor that all companies should weigh in determining whether to implement such a policy.

Drafting a policy

If one does opt to create a stand-alone COI policy there are obviously lots of choices to be made in determining the content of the policy, and the links below to prior posts in the COI Blog might be useful in that regard.

To start, you might see this overview,  which includes links to several leading companies’ policies (that could be helpful samples from a form – as well as substance – perspective).

Regarding the key question of what COIs to address in the policy, a fairly comprehensive list is included in this post about certifications (the content of which is equally applicable to policies).

Here are some more specific discussions:

- G&E generally and gifts between employees.

- Supervising family members in the workplace.

- Moonlighting.

- Serving on another company’s board.

Next, regarding standards for allowing COIs to continue and related process issues, see this post and this one.

Finally, note that within the above posts there are links to many other posts and resources that might be useful in drafting or revising a COI policy.

The complicated and consequential world of compliance “checking”

Over time, companies should devote an increasingly greater amount of C&E program effort/resources to “checking” – auditing, monitoring and other forms of self assessment.  More than two decades after C&E checking became the law of the land, one can imagine how little sympathy the government would have for a company that tries to get “credit” for its C&E program but which had taken insufficient steps to determine if that program was in fact fit for purpose.

However, if the need for checking is clear, where to start  (or what step to take next) may not be. Both as a conceptual and practical matter, this can be a daunting area to tackle given the many types and dimensions of checking available.

In a complimentary web cast sponsored by The Network on January 20, 2015 at 1:00 pm Eastern, I’ll try to survey the world of C&E checking, describing relevant legal expectations and best practices that apply to both the risk area and the general program dimensions.  I’ll also discuss practical measures that companies can take to begin or improve a regime of C&E checking – in effect, a needs assessment for one’s C&E auditing, monitoring, program assessment and risk assessment.  Finally, I’ll consider what the impact of “behavioral ethics” should be on C&E checking.

Postscript:  more than 500 C&E folks attended the web  cast live and another 400 are getting the recorded version.   If you’d just like the slides, please click here.

Risk assessments for office romances

Perhaps the most celebrated story ever about a love affair is Anna Karenina  and the story doesn’t end well – as the distraught heroine throws herself under a train.  Office romances typically don’t end that way, but they are not without risks – particularly those involving senior leaders.

This is indeed an oft-told tale. Here is an earlier post on “frisky executives” discussing one such case from 2012.  Others around that time involved the CEOs of Lockheed Martin and Best Buy. And the latest in this line concerns the CEO of Johnson Controls.

As described in this article of a few weeks ago in the Milwaukee Business Journal, that CEO “failed to inform the corporation’s audit committee about the potential conflict of interest in his extra-marital affair with a consultant hired by the company.”  The net result: a reduction “of his annual incentive performance plan payout to $3.92 million, down nearly $1 million.”

A few thoughts on this case, perhaps of use to any CEO conducting a pre-office affair risk assessment.

First, while the economic hit is high it seems justified for a high ranking official – anything less could be seen as a slap on the wrist. Indeed, one of the cases discussed in the “frisky executives” post also involved a million dollar penalty. So, don’t expect economic leniency.

Second, consider the risk to the other party. In the case of the Johnson Controls executive, she was a consultant in a firm that lost an apparently long standing client in the scandal. No surprise there either.

Finally, while disclosure is necessary it may not be sufficient to prevent harm.  That is because even if an actual COI can be avoided the appearance of a COI might be inescapable – as the natural suspicion among others in the workplace could be that with the relationship comes workplace favoritism. For more on how some  apparent COIs simply can’t be mitigated by disclosure see this post.

(Thanks to COI Blog reader Don Bauer for letting me know about this story.  And, happy new year to all.)

 

The cost of director and officer conflicts of interest just went up

In the vast realm of conflicts of interest those involving boards of directors tend to stand out. That is because part of the reason the role of corporate director even exists is to mitigate the conflict-of-interest-type tensions (which fall under the broad heading of “agency problems”) that managements may have vis a vis shareholders.  Moreover, while the role of officers obviously differs somewhat from that of director, the duty of loyalty that both owe shareholders is the same.

Director and officer COIs can arise in many settings but often the most consequential of these involves mergers. And, as described in a post last week in the D&O Diary: “Within the past few days, two merger objection settlements – one involving Activision Blizzard, Inc. and the other involving Freeport-McMoRan, Inc. — have been announced involving massive cash payments,… The Activision settlement may represent the largest cash settlement payment ever in a shareholder derivative lawsuit.” The post further describes that “[t]he common feature of these two cases that may account for the magnitude of the cash payments seems to be the conflicts of interest that were alleged to be part of the challenged transactions.”

The specific facts of these two cases – both of which are complex, as COI cases involving mergers typically are – may be less important than is what they (and another one last year involving News Corp, which is discussed in the same post) may mean for insurance costs to companies: “The rise of jumbo shareholder derivative lawsuit settlements has a number of implications. Among other things, it is a topic that will have to be taken into account as D&O insurance buyers consider how much insurance they will need to ensure that their interests are adequately protected.”

While most directly relevant to risk managers and others in companies in charge of securing D&O coverage, I think C&E professionals also need to know about this development – because directors and officers of their companies likely will know about it and will be concerned about it. And, hopefully this awareness will contribute to a greater overall sensitivity at high levels in companies to COIs generally – meaning that this may be a good time to train (or retrain – or schedule training of) your directors and officers on COIs.

For those looking to develop such training, here is a prior post on that topic.  And here are some other posts, portions of which might provide helpful ideas or information for training boards on COIs:

- Friendship – and the ties that blind (directors to conflicts of interest).

- CEOs’ ethical standards and the limits of compliance.

- Are private companies more ethical than public ones?

- Catching up on the backdating cases

- Behavioral ethics training.

- Catching up on CEO COIs.

- Catching up on director COIs.

- The largest derivative lawsuit settlements (from the D&O Diary).

Here are some pertinent words of wisdom from two good friends of the blog: Steve Priest (on keeping ethics training real) and Scott Killingsworth (on mitigating C-Suite risks).

Finally, if you are training your board, and want to use the occasion to look beyond the COI area to general C&E oversight by directors this recent article by Rebecca Walker and me  from Compliance and Ethics Professional magazine might be useful.

 

 

Risk assessment: law, economics, morality science…and liquor

Many years ago a client who was in the compliance department of a pharma company told me his strategy for conducting risk assessments.  He would schedule the interviews of sales people – a key, but typically difficult, constituency for nearly any risk assessment – to begin late in the work day, and after a while suggest that the discussion continue in a nearby bar.  As the drinks began to flow, so apparently did the information about risks.

Risk assessment is the foundation of an effective C&E program – certainly as a matter of common managerial sense, and increasingly as a matter of law.  In  connection with the latter, we recently passed the ten-year anniversary of the revised Sentencing Guidelines, which established risk assessment as an official C&E program expectation of the U.S. government; and on virtually the same day, the Italian government published important new competition law compliance  guidelines, discussed in this publication from the Baker & McKenzie law firm, which include a risk assessment component.

Still, meeting such expectations – by getting business people to talk openly about the uncomfortable topic of risk – is as challenging as is anything in the C&E field. So, what can you use to make these conversations succeed if, like most C&E professionals, your toolkit doesn’t include a liquor cabinet?

Part of the way for dealing with this challenge is to provide that the assessment is conducted under the company’s attorney-client privilege  and, beyond this, that no attribution to the sources of information will be included in the assessment report.  These are the tools of law, and deploying them can be essential to success in a risk assessment.

But offering confidentiality alone may not be enough because while it is typically in the clear interest of a company to have a thorough risk assessment, individuals’ interests often seem (and sometimes are) out of alignment with those of the organization. This is the realm of the economics-based concept of moral hazard, discussed in various prior posts of this blog that are collected here.

There is no panacea for dealing with this impediment – but hopefully one can make a persuasive appeal to an interviewee’s being a “C&E leader,” a formulation which seeks to blend considerations of personal and organizational benefit, to get the interviewee to be truly helpful for the risk assessment. Of course, for an approach such as this to work, it cannot be limited to the risk assessment process. Senior executives, and even the board of directors, need to make clear through various intangible and occasionally tangible ways that such leadership is duly appreciated.

Finally, there is also a psychological dimension to the challenge of risk assessment.  As discussed in this recent article in Science  - “Morality beyond the lab” by Jesse Graham (which I learned of from the Ethics Unwrapped web site ),  various  “laboratory  studies have shown a ‘holier-than-thou’  effect, in which people over-optimistically predict their own future moral behavior but accurately predict the not-so-moral future behavior of others” – a view which has now been supported by the results of an important recent field study (by W. Hofmann, D. C. Wisneski, M. J. Brandt, L. J. Skitka, which is published in the same issue of Science). As summarized by Graham: “[T]he study suggests that moral life can largely be characterized by two kinds of events: noting one’s own good deeds and gossiping about the bad deeds of others.”

For those conducting risk assessments, the path suggested by this research is clear:  to the maximum degree possible, one should structure the inquiry so that it is not seen as asking about the interviewee’s own risks but those of others.  And, in providing information about others, at least in the aggregate, employees of an organization will likely be helping you analyze risks that in fact involve themselves.

One other point about the above-discussed research: while I have highlighted its use for risk assessment, there are other ways in which this aspect of what Graham calls “morality science” can enhance the efficacy of a C&E program. Most notably, it can be used in training and other communications to underscore the overarching behavioral ethics notion that “we are not as ethical as we think,” which should help reinforce an appreciation for the help that C&E staff and other resources can provide to employees when confronted with legal risks or ethical dilemmas.

For further reading on risk assessment, here’s a link to a complimentary e-book comprised mostly of my risk assessment columns in Corporate Compliance Insights.

For an index of posts on “behavioral ethics and compliance” please click here. 

Compliance programs and the culture of care

Samuel Johnson once said: “It is more from carelessness about truth than from intentionally lying that there is so much falsehood in the world.” And carelessness is obviously at the root of many other types of wrongdoing too.

In a keynote speech at the just-concluded SCCE  10th annual Compliance and Ethics Institute, FBI director James Comey spoke of the need for companies to have a “culture of care” when it comes to cyber-security.  (Unfortunately the speech is not yet published on the FBI web site, so I can’t link to the text.)  While focusing on cyber-security, Comey did indicate that the concept of a culture of care might have broader application to the world of compliance and ethics.

I think the concept is indeed potentially quite useful for C&E professionals.  But what might be included in such a culture?

One example is suggested by a presentation – Beyond Agency Theory: The Hidden and Heretofore Inaccessible Power of Integrity, by Michael Jensen and Werner Erhard – discussed in this earlier post. The authors argue that honesty requires more than sincerity: “When giving their word, most people do not consider fully what it will take to keep that word.  That is, people do not do a cost/benefit analysis on giving their word.  In effect, when giving their word, most people are merely sincere (well-meaning) or placating someone, and don’t even think about what it will take to keep their word. This failure to do a cost/benefit analysis on giving one’s word is irresponsible.”    This argument makes sense to me – and I think it would to Samuel Johnson  and James Comey as well.

And, as noted above, the need for carefulness goes beyond being honest.  More broadly, a culture of care would help shape an organization’s values, policies, procedures, risk assessment, approach to incentives and  C&E training and communications.  As well, carelessness would be addressed sufficiently through the investigations and disciplinary policy/process – something that too few companies do, as discussed here.  

Finally, I asked Steve Priest, a true master at diagnosing and shaping corporate cultures, what he thinks about the “culture of care” concept.  He said “Emphasizing a ‘culture of care’ makes great sense. However for many who do not understand the full sense in which James Comey used the phrase, it will seem soft. It isn’t soft, but to balance it I encourage organizations to aim for these three in your culture: care, competence and courage. Organizations and leaders that demonstrate care, competence and courage may not win every sprint, but they will win most marathons.”

I agree with Steve that care alone cannot a culture make.  And, as with virtually any part of a C&E program, one has to guard against overdoing it.   In this connection, nearly 20 years ago, I was concerned that my then eight-year-old daughter occasionally ran out into the street without checking for traffic – and so to help make her more careful I tried to get her to keep a “safety journal.”  I’m proud (in retrospect) to say that she refused – as my idea was a bit over the top, and this story from the archives of Kaplan family compliance history helps to remind me that one must be careful not to promote over-cautiousness.

 

Conflicts of interest, compliance programs and “magical thinking”

An article earlier this week in the New York Times takes on the issue of “Doctors’ Magical Thinking about Conflicts of Interest.”  The piece was prompted by a just-published study  which examined “the voting behavior and financial interests of almost 1,400 F.D.A. advisory committee members who took part in decisions for the Center for Drug and Evaluation Research from 1997 to 2011” and found a powerful correlation between a committee member having a  financial interest (e.g., a consulting relationship or ownership interest ) in a drug company whose product was up for review and the member’s voting in favor of the company – at least in circumstances where the member did not also have interests in the company’s competitors.

Of course, this is hardly a surprise, and the Times piece also recounts the findings of earlier studies showing strong correlations between financial connections (e.g., receiving gifts, entertainment or  travel from a pharma company) and professional decision making (e.g., prescribing that company’s drug). Nonetheless, some physicians “believe that they should be responsible for regulating themselves.”

However, such self regulation can’t work, the article notes,  because “our thinking about conflicts of interest isn’t always rational. A study of radiation oncologists  found that only 5 percent thought that they might be affected by gifts. But a third of them thought that other radiation oncologists would be affected.  Another study asked medical residents similar questions. More than 60 percent of them said that gifts could not influence their behavior; only 16 percent believed that other residents could remain uninfluenced. This ‘magical thinking’ that somehow we, ourselves, are immune to what we are sure will influence others is why conflict of interest regulations exist in the first place. We simply cannot be accurate judges of what’s affecting us.”

While the findings of these and similar studies are, of course, most relevant to conflicts involving doctors and life science companies, there is a broader learning here which, I think, is vitally important to C&E programs generally.  That is, they help to show that “we are not as ethical as we think” – a condition hardly limited to the field of medicine or to conflicts of interest, as has been discussed in various prior postings on this blog.

One of the overarching implications of this body of knowledge is that we humans need structures – for business organizations this means  C&E programs, but more broadly these have been called “ethical systems” – to help save us from falling victim to our seemingly innate sense of ethical over-confidence.  So, to make that case, C&E professionals should – in training or otherwise communicating with employees (particularly managers) and directors  - address the issue of “magical thinking” head-on.

Moreover, using the example of COIs to prove the larger point here may be an effective strategy, because employees are more likely to have experience with ethical challenges in this area  than with other major risks, such as corruption, competition law or fraud – which indeed may be so scary as to be largely unimaginable to many employees.  I.e., these and other “hard-core” C&E risk areas might be subject to an even greater amount of magical thinking than is done regarding COIs.  So, at least in some companies,  discussing COIs might offer the most accessible “gateway” to addressing the larger topic of ethical over-confidence.

“The inner voice that warns us somebody may be looking”

Within the treasure trove of H.L. Mencken’s sayings, this definition of “conscience” may be my favorite.  And, various studies have indeed shown that the sense that somebody may be watching can help promote ethical behavior.  Among these are  experiments exposing individuals to “eyespots” –  drawings which create a vague sense of being watched, even among those who know as a factual matter that they aren’t being seen. (See, e.g., this study, showing that exposure to eyespots can promote generosity.)

While actually deploying eyespots around the workplace is hardly a viable option for most companies, various technological advances offer not only the appearance of being watched but the actuality of it.  Such monitoring technologies can be particularly promising for promoting compliance by parts of a workforce for whom supervision is relatively remote – which is often the case for sales people.

For two other risk-related reasons, sales people can be a logical choice for C&E monitoring:

- Their incentives may not align well with those of their respective companies – a “moral hazard” condition.  (Indeed, in a risk assessment interview I conducted last week, the interviewee responded to a question about conflicts of interest by saying – only somewhat in jest – that the whole company sales force had such conflicts.)

- Sales people tend to be in a position to cause legal/ethical violations – e.g., corruption, collusion and fraud – much more than the average employee at a company.

But, while the case for monitoring sales people is strong as a general matter, obviously not all monitoring strategies are equally effective.  According to a paper published in the September 2014 issue of the Journal of Business Research, “Does transparency influence the ethical behavior of salespeople?” John E. Cicala, Alan J. Bush, Daniel L. Sherrell and George D. Deitz (rentable on Deep Dyve): “it is not the perception of visibility that drives sales persons behavior, but rather the perception of the likelihood of negative consequences resulting from management use of knowledge and information gained from technologically increased visibility.”

Of course, these results – based on an on-line survey which is described in the paper – presumably won’t surprise any C&E professionals. (Nor, likely, would they have impressed Mencken, who also said: “A professor must have a theory as a dog must have fleas” – although I should add that that’s just another chance to quote the great man – not a reflection of my view of this paper.) But, as with much of the social science research discussed in this blog, having data to back up what is intuitively known may be useful, particularly when seeking to make C&E reforms in a company that are being resisted.

Most relevant here is the often-contentious issue of how open a company is with its discipline for violations (meaning not just of sales persons but any employee).  While C&E professionals typically understand that true “public hangings” – i.e., full identification of individual transgressions and transgressors – can be undesirable for all sorts of reasons, there is still a lot that their respective companies can do in a general way to show that   negative consequences do exist for breaches of C&E  standards. Hopefully, this new research can help C&E professionals make such a case.

Liability for faking compliance – a new-fashioned type of deterrence?

I have long felt that C&E programs should do more to appeal to the better angels of our nature. (For more information on how “pro-social” qualities can be built on to promote more ethical workplaces, see this research page from the Ethical Systems web site.) But at the end of the day there will always be a place for good old-fashioned deterrence.

Deterrence, in the business realm, traditionally operates by punishing those who engage in conduct that harms others (e.g., corruption, collusion, pollution). But as C&E program expectations themselves become more central to promoting responsible behavior by companies, it is inevitable that a more “upstream” form of deterrence should emerge – in which faking compliance is itself the punishable (or otherwise addressable) wrong. Indeed, this could be considered a “new-fashioned” type of deterrence.

The COI Blog has previously discussed two cases of this sort – one involving Goldman Sachs , the other S&P  – both having to do with allegedly false claims by the defendant firms that they had taken strong compliance measures against conflicts of interest.  And at the end of last month, another case was brought in which faking compliance was itself found to be a punishable wrong.

The case – In the Matter of Marc Sherman — can be found here, but readers may find more useful a post about it on the Harvard corporate governance blog by attorneys from the Ropes & Gray law firm. As they note:

“On July 30, 2014, the Securities and Exchange Commission (“SEC”) advanced a novel theory of fraud against the former CEO (Marc Sherman) and CFO (Edward Cummings) of Quality Services Group, Inc. …, a Florida-based computer equipment company that filed for bankruptcy in 2009. The SEC alleged that the CEO misrepresented the extent of his involvement in evaluating internal controls and that the CEO and CFO knew of significant internal controls issues with the company’s inventory practices that they failed to disclose to investors and internal auditors. This case did not involve any restatement of financial statements or allegations of accounting fraud, merely disclosure issues around internal controls and involvement in a review of the same by senior management. The SEC’s approach has the potential to broaden practical exposure to liability for corporate officers who sign financial statements and certifications required under Section 302 of the Sarbanes-Oxley Act (‘SOX’). By advancing a theory of fraud premised on internal controls issues without establishing an actionable accounting misstatement, the SEC is continuing to demonstrate that it will extend the range of conduct for which it has historically pursued fraud claims against corporate officers.” (Emphasis added.)

Of course, there is much more that could be said about the various connections that the legal system draws between violations of law and poor compliance than what’s in this and the other two cases mentioned above. (See, for instance, this prior post about the SAC insider trading case brought last year - where the weakness of the company’s compliance program was used as a basis for finding corporate liability for insider trading by individual employees.) And, the notion of punishing fake (or otherwise weak) compliance efforts has long been part of enforcement strategies in highly regulated areas (e.g., broker-dealer compliance). But the Sherman case seems especially important, as it can be utilized in training corporate officers in public companies of all kinds on the need to be careful in executing their S-Ox certifications which, in turn, should lead them to have a greater appreciation of the value of strong compliance generally.

Finally, the Ropes & Gray post concludes with the following observation: “this case, which includes fraud charges in an accounting case without any restatement of financials, seems to represent an application of SEC’s ‘Broken Windows’ strategy first announced by Robert Khuzami and reiterated by Mary Jo White—to pursue small infractions on the theory that minor violations lead to larger ones—to the public company disclosure and accounting space.”  To this I would add that a “Broken Windows” strategy to preventing wrongdoing is also supported by behavioral ethics research (see this post ), and the Sherman case should also be a reminder for C&E officers to review whether their own companies’ deterrence systems  take this approach into account to a sufficient degree.

 

 

The Caterpillar criminal investigation: culture, risk and “informal” duties of trust

As described in an article in today’s Wall Street Journal (which may require a subscription for access): “Ten thousand railcars a month roll into [the] sprawling [Terminal Island] port complex in Los Angeles County. While here, most are inspected by a subsidiary of Caterpillar Inc. [Progress Rail Services]. … When problems are found, the company repairs the railcars and charges the owner. Inspection workers, to hear some tell it, face pressure to produce billable repair work. Some workers have resorted to smashing brake parts with hammers, gouging wheels with chisels or using chains to yank handles loose, according to current and former employees. In a practice called ‘green repairs,’ they added, workers at times have replaced parts that weren’t broken and hid the old parts in their cars out of sight of auditors. One employee said he and others sometimes threw parts into the ocean.”

Caterpillar is being investigated by the US Attorney’s office in Los Angeles, and it should be emphasized that no charges have yet been brought.  Still, the article provides some nourishing food for thought about two key topics in the C&E field, as well as one narrower but, likely for some companies, dangerously under-appreciated risk.

First, there is the issue of culture. As noted in the article, current and/or former employees told the Journal that while “[t]hey weren’t instructed to do [these things], … some managers made clear the workers would be replaced if they didn’t produce enough repair revenue … Current and former employees interviewed said those who found large numbers of parts to replace didn’t receive extra pay, but they tended to be favored by the supervisors and sometimes honored with employee-of-the-month recognition. Employees said newer workers sometimes learned bad habits from veterans. ‘I was trained to do everything the wrong way,’ one current worker said. ‘I basically fell into a bandit’s nest.’”

And then there’s this piece of information: “Three years ago, two workers who were fired from a Progress Rail repair shop in Florida filed lawsuits making allegations similar to what the U.S. attorney is looking into at Terminal Island…. A lawyer who represented the two said the suits were settled on terms that barred them from discussing the case.”

Again it should be emphasized that this is only an article – no charges have yet been brought.  But, if these allegations turn out to be founded, then clearly the culture in Caterpillar’s Progress Rail business will – under current enforcement policy – weigh in favor of bringing criminal charges against the company, meaning, in the first instance, the Progress Rail subsidiary.

But what about Caterpillar itself? Here, the key issue may turn on whether Caterpillar conducted a meaningful risk assessment after it bought Progress Rail in 2006. I recall, from various conferences at that time, that Caterpillar had a C&E officer and program – and so if it did not look closely at Progress’s risks (then or since) a prosecutor might well wonder why.

Finally, besides broad lessons about culture and risk assessment, the Caterpillar matter – depending, of course, on how it turns out – may reinforce a narrow but important learning about risk for some companies. That is, when a company expands its business from just manufacturing goods to providing services it often enters a new realm of risk – because its employees are effectively in a relationship of trust with customers that involves opportunities and motives to cheat beyond those in the context in which it is used to operating. As described in an earlier post in Corporate Compliance Insights, risk assessments typically should include “[e]xamining whether a company has any relationships (with customers or others) where the need for good faith and candor might not be sufficiently understood by employees or third parties acting on its behalf. Relationships such as these – which tend to involve a high degree of trust but not necessarily a formal fiduciary duty – may be rife with ethics risk potential.”

Businesses facing this risk typically should consider enhanced C&E mitigation measures, and as the Caterpillar matter progresses (pun not intended) it will be interesting to see what – if anything – the company did on this front. (For further reading on informal fiduciary duties see this post.)