Is a weak compliance program worse than no program?

Many years ago I was asked by a prospective client if I could design a “C minus” (i.e., just barely passing) compliance program for them. I responded that, for various reasons, by aiming for a C minus they were likely to end up with an “F.” I did not get the gig. But would there have been any harm in aiming low?

Yes, there would – at least according to David Hess of the University of Michigan’s Ross School of Business, who argues, in a piece in the Brooklyn Journal of Corporate Finance and Commercial Litigation:

“Employee perceptions of an organization’s compliance program are critical. A program that has lost legitimacy with its employees is not just ineffective, but it creates more harm than good by leading to more unethical behavior. This Article identifies ways in which compliance programs can start to lose legitimacy, explains how that lost legitimacy leads to increased wrongdoing, and then concludes by setting out some basic reforms focused on helping stop this downward spiral and protecting the legitimacy of the compliance function.”

Hess’s first point – that, for a variety of reasons, compliance programs can lose their legitimacy – is well-trod ground. Less so is the notion that an “ineffective program creates more harm than good.” Here, he argues – persuasively, in my view: “If there was no ethical infrastructure, then the individual would rely on his or her own moral reasoning. With a weak infrastructure the organization is sending the message to the individual that ethical concerns do not matter for doing his or her job.” Hess also notes, in this regard, that while research has shown “that a properly enforced code of conduct decreases unethical behavior … the simple existence of a code of conduct, after controlling for perceived code enforcement and corporate culture, increased unethical behavior.”

Finally, he notes: “Corporations should be required to regularly evaluate their ethical culture. This recommendation focuses on helping to ensure appropriate and ongoing monitoring of the ethical infrastructure to prevent the compliance program from chipping away to a point where it has lost legitimacy … Measurement of the ethical culture helps corporate actors recognize when intervention is necessary.”

To which we should all say Amen.





How to assess the efficacy of codes of conduct

Here is a post from the Compliance Program Assessment Blog on assessing codes of conduct.

Rebecca Walker and I hope you find it useful.

Lessons learned from lessons learned

Rebecca Walker and I recently authored this post for our program assurance column in Corporate Compliance Insights.

We hope you find it useful.

“To lose one parent may be regarded as a misfortune; to lose both looks like carelessness.”

So said Oscar Wilde. And while he clearly didn’t have compliance programs in mind, his immortal words provide a humorous introduction in these distinctly unfunny times to the topic of how the Department of Justice’s recently revised Evaluation of Corporate Compliance Programs (“the Evaluation”) has impacted how the Department evaluates companies’ risk assessment measures in investigations and prosecutions.

By way of background, over the years many compliance failures have been risk assessment failures. But risk assessment was not in the original Sentencing Guidelines, which were issued in 1991, although it was added when the Guidelines were amended in 2004. In 2017 the Department published the first iteration of the Evaluation, which was followed by revised versions in 2019 and this year. In this post I look at aspects of the whole of the discussion of risk assessment in the Evaluation – not just the 2020 additions.

One key aspect of the Evaluation is documentation. Many risk assessments are somewhat informal and not sufficiently documented. Documenting the risk assessment is useful not only in the event of a government investigation or prosecution but also for self-checking by management and for the board of directors’ periodic review of the program. Therefore, for those companies that haven’t already done so, drafting a risk assessment governance document should be considered.

Having a defined methodology – which not all companies do – is also important under the Evaluation. There are lots of methodological considerations for conducting risk assessments. Included are:

– Different processes – document reviews, interviews, focus groups, surveys.

– Different substantive approaches – e.g., how important is risk impact (as opposed to risk likelihood)? What are boundaries? What are likely risk scenarios?

– Finding a way to measure success. What have you learned – not just about newly discovered risks, but getting a better understanding about known ones?

One size doesn’t fit all, but all need to select and deploy a methodology.

A third important area under the Evaluation is resources, with the issue being whether the process enables the company to allocate resources to different program elements in an effective and efficient way. Note that many companies use the results of risk assessments for auditing and board oversight, but there are many other program elements that could benefit from such use.

Finally, the Evaluation calls upon companies to adopt a “lessons learned” approach to compliance. This brings us back to the title of the piece, and specifically to the need to avoid the appearance of being careless by failing to prevent a recurrence of a specific type of wrongdoing. While funny in a great comic play, there would be little to laugh about in such a situation in a criminal case.



Insider trading and “inner controls”

Here is my latest column in Compliance & Ethics Professional – which looks at insider trading from a behavioral compliance perspective.

I hope you find it interesting.

Conflicts of interest in a post-Trump era

In a classic Watergate-era Doonesbury, Mark asks rhetorically whether it is fair to judge the ethicality of the White House based solely on the various cases and allegations that had surfaced during that scandal. No it isn’t, he replied: those are only the ones we know about.

The latest Trump COI to surface was an allegation this week that (as described in the NY Times) “the American ambassador to Britain, Robert Wood Johnson IV, told multiple colleagues in February 2018 that President Trump had asked him to see if the British government could help steer the world-famous and lucrative British Open golf tournament to the Trump Turnberry resort in Scotland,…”

As Trump COIs go, I suppose this isn’t the worst. But by any reasonable analysis, it is unethical.

Last winter a government watchdog group, Citizens for Responsibility and Ethics in Washington (“CREW”), issued a report finding: “President Trump’s unprecedented decision to retain his business interests while serving in the White House set the stage for a deluge of conflicts of interests between the government and the Trump Organization. From the beginning of President Trump’s administration, CREW has endeavored to track these conflicts, which pit President Trump’s personal and financial interests against those of the nation as a whole, and this week, President Trump reached a new, disgraceful milestone: He has racked up 3,000 conflicts of interest during his time in office.”

And these are just the ones we know about.

As of this writing, Joe Biden seems likely to win the presidential election in November (but obviously things could change between now and then). Still, it is not too soon for him to consider how his administration will deal with COIs.

Of course, for many reasons, there should be no fear that he will personally engage in COIs of a nature and scale that Trump has. But he can and should ensure that by word and deed all facets of a Biden administration treat this area as a top priority. This means – among other things – understanding and addressing through risk assessment, education, enforcement and other compliance measures the many types of harms COIs can cause to individuals, organizations and societies.

Some of these are listed in a recent posting in the FCPA Blog. The most significant of these is in the broader (i.e., societal) realm. On a wide range of issues – the most pressing of which is climate change – there is an increasing need for devising solutions that will be predicated on substantial trust because they will require substantial sacrifice. Conflicts of interest in the public sphere make this already considerable challenge even more daunting.

Answers to tough questions on conflicts of interest

Recently our friends at NAVEX Global invited Rebecca Walker and me to teach a master class on conflicts of interest.

Part of the session involved our receiving and responding to key questions about COIs.

We thought you might like to see this Q & A.



PLI briefing on revised DOJ compliance program standards

Rebecca Walker and I hope to see you then and there. 

Nearly 1500 C&E professionals have downloaded the free risk assessment e-book

Have you?

It is available from Corporate Compliance Insights.

I hope you find it useful.

Making the most of risk assessment

Today the FCPA Blog published a post I authored on risk assessment.

I hope you find it useful.