Uncategorized

What is a page of compliance worth?

Justice Oliver Wendell Holmes famously said that a page of history can be worth a volume of logic.  This raises the question – at least among C&E professionals – What is a page of compliance worth?

At least to my mind the answer is:  Potentially quite a bit.

Among other things, some companies draft and disseminate among their respective workforces “one pagers” summarizing key provisions of the compliance program with respect to certain high-risk areas –  as well as contact information for seeking guidance or reporting concerns.

I should stress that not all companies need this.  For many it would be overkill.  But for others it could be very helpful.

The conflicts of interest “one-pager” would of course focus on COI policies and procedures. This would include apparent, as well as actual COIs.  For some companies potential COIs. should be addressed too.

There should also be some discussion of the behavioral ethics aspect of COIs – and particularly the seeming paradoxical fact that disclosure may make conflicted behavior more common than one would expect. Although based on COIs this behavioral ethics learning supports the compliance program as a whole by showing we are not as ethical as we think.

Finally, there should also be a discussion of the harm that COIs can have on shareholders, employees and suppliers. This is important because – more so than with many other types of offenses – COIs often give the mistaken  impression of being victimless.

Conflicts of interest and the dark side of professionalism

Perhaps my favorite ethics story is when the senior partner of a law firm was confronted by a junior partner about an apparent conflict of interest, and replied “You’re an ethics expert – find a way around this.”

In Professionalism Paradox: A sense of professionalism increases vulnerability to conflicts of interest       Sunita Sah of Cornell writes: “Professionalism is often viewed, in the management literature and in practice, as a desirable sought-after trait in employees and managers. This belief, however, does not consider a potential dark side of professionalism. A high self-concept of professionalism often coexists with a shallow notion of the concept and can paradoxically lead to detrimental outcomes, such as greater unethical behavior and increased vulnerability to conflicts of interest. This article describes the circumstances in which this outcome is likely to occur and how workplace policies that rely solely on cultivating intrinsic values at the expense of monitoring and extrinsic controls may fail or have a contrary effect. It recommends integrating both intrinsic and extrinsic approaches together, and redefining professionalism as a deeper concept that includes a set of consistently repeated practices rather than a character trait.”

A recent  Cornell publication  notes: “Sah surveyed 400 managers on multiple conflict of interest scenarios, and asked whether they would accept or reject the gift offered in each circumstance. Participants were further asked to imagine they accepted a gift and to predict the influence, if any, it would have on them. Prior to viewing the scenarios, each respondent’s perception of their own professionalism was measured by assessing their personal view of their ability to remain objective and self-regulate unwanted influence. ‘Consistent with my predictions, the greater the managers’ sense of professionalism, the more likely they were to report that they would accept gifts from people with questionable or ambiguous agendas, and less likely to be influenced by the specific gifts in the scenarios,’ Sah wrote. ‘These overall results indicate that a high sense of professionalism with a shallow understanding of the concept may lead to greater acceptance of conflicts and potentially more bias.’”

There is a lot to chew on in her piece and not enough time/space to do justice to it. But some points that struck me in this regard are the following.

First, she writes: “The problem of COIs is not always due to deliberate corruption but often arises from unconscious and unintentional bias. Unless professionalism is redefined as a deep concept that includes an understanding of the limits of self-regulation and a set of observable repeated behavioral practices with positive ethical outcomes rather than as an individual characteristic, a high self-concept of professionalism does not protect against unconscious bias and could make matters worse.”

This is a lot to ask for. But it makes sense (to me) and I hope that some companies will seek out practical ways – for instance, through discussion of these ideas in training for senior leaders – to draw from this important knowledge.

Second, the notion of repeated behavioral practice is also key to Sah’s analysis: “As Aristotle emphasized, virtues of character (moral virtues) cannot be taught but must be developed by repeated practice and achieved by means of habit. The repetition of appropriate activities when practiced consistently throughout one’s life results in a state of character, or virtue. …, a deep understanding of professionalism will require both a realistic intellectual understanding of the limits of self-regulation (virtues of thought) and repeated practice (cultivating virtues of character). It requires action—a consistent display of professional behaviors—not just sentiment or feelings of professionalism.”

How one creates the settings for such repeated practice is another matter. But here, too, for at least some companies, there  is enough  reason to move in this direction.

Finally, Sah believes that humility should play a significant role in promoting ethical behavior.  I agree and note that this has indeed been a recurrent theme of the COI Blog. I believe that – at least for some companies – humility should be a core value, in both word and deed. (I do see this at some companies, but not many.) As noted in an earlier post : First, humility is a logical and arguably inevitable response to the vast body of behavioral ethics research showing “we are not as ethical as we think.”  Thinking and acting with humility is indeed a way of operationalizing behavioral ethics. (For a list of behavioral ethics and compliance posts click here .)  Second, humility is well suited for addressing ethical challenges that are based not on the purposeful failure to be honest but on the less well-appreciated dangers of being careless.  Recognizing the limits of one’s abilities – which is part of being humble – should help underscore the need for carefulness. Third, humility has the potential to resonate deeply in our political, as well as business, culture. By this I mean humility can help form part of a broader mutually supporting relationship between business ethics and ethics in other realms. Finally, humility can support relationships of  trust. As described in a recent post,  such relationships can be an essential foundation for prosperity in many ways.”

 

 

Board oversight of C&E programs: how much is enough?

There was a time when a company’s merely having a code of conduct could be enough to dismiss a claim against the company’s directors under the Caremark case for failed compliance program oversight. But those days are now gone.

In his forthcoming article in the Journal of Corporate Law, “Max Oversight Duties: How Boeing Signifies a Shift in Corporate Law,”  Roy Shapira of the University of Chicago Booth School of Business writes: “In September 2021, the Boeing 737 Max debacle turned into an important moment in corporate law. A Delaware court allowed a derivative lawsuit brought by Boeing shareholders to proceed, based on the theory that Boeing’s directors breached their oversight duties by not doing enough to monitor, prevent, and react to fatal airplane safety issues.”

Shapira further notes that for many years: “Some compliance was enough compliance. Boeing shows that this is clearly not the case today. Consider the following examples: Boeing’s board agenda reflected allocating time to discuss safety, yet the court criticized them for allotting only five minutes. Boeing’s board minutes invoked ‘safety’ several times, yet the court criticized them for doing this only in passing and in the context of getting on the regulator’s good side. The minutes also showed that management shared information on airplane safety with the board, yet the court faulted them for not treating information from management more critically. All in all, Boeing shows just how much courts are willing to scrutinize what directors should have known and how they should have reacted.”

Note that such scrutiny (under this and the Marchand case handed down last year) does not apply to all risk areas. But it does apply to “mission critical,” ones, which airplane safety clearly is for Boeing. And, as Shapira notes, for large companies there can be many such areas.

The enhanced focus on “mission critical” risk areas will indeed require many boards to “up their games.”

One obvious way to start is with a C&E board assessment, meaning an assessment of how the board is likely to fare in any Caremark case brought against its directors.

This would include determining whether the board has appropriately identified mission-critical risk areas.  It would also entail ascertaining how the board has enacted relevant governance documentation (e.g., committee charters) and what information it has received about the risk area(s) both from written reports and in-person presentations.

Among other things the assessment would involve assuring that the board was in fact doing all the things the governance documentation provides they should do. (In this connection, I know of one  respected company where the board approved minutes of committee meetings that in fact never happened.)

Lastly, this type of assessment should be conducted by an independent expert. That is, given how powerful directors can be in a company asking its internal staff (law, compliance, audit) to assess the efficacy of a board’s C&E program oversight might be too much to get an unbiased view.

.

 

Rebecca Walker on the progression of compliance

In the April issue of Compliance and Ethics Professional. 

 

What does the “E” in your C&E program stand for?

My latest column in C&E Professional.

I hope you find it useful

I was recently interviewed as part of the Pioneers in Business Ethics project.

You can find the text here.

I hope you find it interesing.

 

An important ethics warning for corporate counsel

From an article in the ABA Journal last week :   “As a way to undermine discovery, Google directs employees to add attorneys and seek legal advice in writing for ‘ordinary-course business communications,’ according to a March 21 sanctions motion filed by the U.S. Department of Justice, which is suing the company for alleged antitrust violations.  Known as the Communicate With Care program, it began in 2016, according to the U.S. District Court for the District of Columbia filing. ‘Often, knowing the game, the in-house counsel included in these Communicate With Care emails does not respond at all, according to the motion. A Google spokesperson told Reuters that the government has more than 4 million documents from the company, and the ‘teams have conscientiously worked for years to provide responses.  The motion asks the court to sanction Google for misusing attorney-client privilege and order that all documents be released in instances in which an attorney was included in the communication but did not reply.’”

This is not a new issue. DOJ had – years earlier – investigated whether some tobacco industry lawyers had improperly tried to hide routine business communications behind the privilege (although no charges were brought on this theory).  Indeed, my law partner Rebecca Walker and I have spoken at several PLI and SCCE compliance conferences on the need to avoid misuse of the privilege in this way.

Regardless of how the Google motion is ultimately resolved, in-house counsel should take appropriate measures to ensure that “over-privileging” is not done in their respective companies.  The same is true of outside counsel, although presumably the danger with the latter is less than it is with the former.

At a minimum this should involve some education – whether it be a memo from the general counsel, comments at a law department meeting or both.  For higher risk situations, some follow-up contact or other forms of monitoring may be warranted.

Finally, I should make clear that I am not suggesting that this is a “red alert” for corporate counsel. But it is a good opportunity to ask: Am I basically okay?

 

Analyzing conflicts of interest – where to start

A conflict of interest (“COI “) analysis of any situation should generally start with an identification of the relevant duty (or duties), which sometimes (but not always) are legal in nature.  Sources of such duties typically include the following.

First, there can be express contractual provisions mandating that employees, agents and others conduct themselves in a conflict-free (or conflict-disclosed) way.  An employment agreement would typically have a provision of this sort.  So would agency or retainer agreements.

Second, a code of conduct or other internal policy document could create a contractual COI obligation – either because it has been formally agreed to by employees or under an “implied contract” theory in the absence of such explicit agreement.  Of course, some codes disclaim any intent to create a contractual obligation, but their COI provisions could still help to create (or prove) an ethical duty.

Third, another important source of duties are statutes and regulations addressing COIs in a variety of contexts. These include types of employment (e.g., for government employees); regulated businesses (e.g., healthcare, financial services); or other settings.

Fourth is the fiduciary duty of loyalty, which serves as a “default” under common law. That is, it specifies loyalty-related obligations for directors, employees and other agents even in the absence of a contract or statute.

Note, however, that in some circumstances a party might “contract out” of such an obligation or limit its scope, although doing so would not always be effective as a matter of law. As a general matter, being able to contract out of or otherwise limit a duty of loyalty is more likely when the relationship is between parties of relatively equal bargaining power and sophistication.

Finally, there are duty-related standards of conduct for certain professions. Some may be enforced by various legal regimes (as in the case of rules of professional responsibility for attorneys), the violation of which can lead to discipline.  But such aren’t always present (as in the case of journalists, where  – to my knowledge –  there is no such regime).

This is only a very general framework, and more information about COIs and duties can be found throughout this blog.

Compliance “moot courts” for CEOs?

The CEO of a client company once told me that he wanted to fire another corporate officer there. I asked him what basis he had for this contemplated action and he said it was that the officer had failed to take mandatory compliance training. I responded by asking if he – the CEO – had taken the training, to which he replied (without a trace of irony or shame) that he had not.

Several years ago, unrelated to my encounter with the CEO, I ran a blog post proposing that in certain circumstances “moot courts” be held to determine what, if any, accountability members of a board of directors should bear for the consequences of a compliance-related breach.  In  today’s post I ask: Should such an idea be tried with CEOs?

There is indeed precedent for this sort of exercise. My law partner Rebecca Walker and I have held compliance moot courts at an industry conference.  We are also aware of something similar being conducted elsewhere,

Of course, a C&E moot court can be seen as essentially just another form of assessment, However, the advantage of a compliance moot court is that, by its nature, it can focus the CEO’s mind (and that of other senior executives) on the need for strong C&E in a way that traditional compliance assessments might not.  And the need for such focus has never been greater.

In a speech delivered earlier this month, Assistant Attorney General Kenneth A. Polite Jr. said at the ABA Institute on White Collar Crime:

When you are asked about remedial action, and you’re asked about corporate leadership and personnel, we are doing so to ensure individual accountability. For example, even if there is not any evidence that a CEO personally committed a crime, upon discovery of a crime, a corporation should examine whether a change in leadership is necessary, not for change’s sake, but because he modeled poor ethical behavior for the workforce, or fostered a climate in which subordinates committed wrongdoing with intent to benefit the company, or permitted weak

In my view, this somewhat enhanced focus on CEOs as a source of risk calls on companies to up their game on mitigation.

All that should be covered in a CEO assessment is beyond the scope of this post, but a few of the many such topics are:

– How the CEO makes the C&E program a true strategic imperative.

– How the CEO ensures that the Program has sufficient resources, reach, autonomy and clout.

– What messaging the CEO sends to employees about C&E.

– How C&E effects compensation, promotion and related matters at the Company.

Finally note that moot courts need not involve an actual examination of the CEO. It should generally be sufficient to have the CECO “testify” about the CEOs role in the program.

 

Handling undue pressure: the role of the compliance and ethics office

One of the most important business ethics experiments ever took place in the early 1970s in Princeton NJ.  In it, interview subjects were asked to travel from one place to another, but some were told that they had to hurry and others were not told this. Along the way, all saw an individual in apparent distress. Individuals put under time pressure were about six times more likely to engage in unethical conduct (not helping the individual in distress) than were those not under such pressure.

This was an incredible result. It – along with other subsequent behavioral ethics experiments – has led to an understanding of wrongdoing that places greater emphasis on the situation facing an individual and less on that individual’s character.  This, in turn, helps make the case for strong C&E efforts.

Turning from the world of research to that of the courtroom and prosecutors’ offices,  the corrupting influence of high-pressure is an oft-told tale. In recent years the most prominent case of this sort involved Wells Fargo, where a toxic corporate culture pressured many employees to engage in serious legal and ethical transgressions.

So, what is to be done about this potentially perilous risk?

At the outset, I note that C&E programs are not expected to eliminate all pressure to perform. That would be impossible and indeed undesirable.  But what a C&E officer can and should do is to mitigate undue pressure.

One part of such an effort is risk assessment. Based on a variety of factors – both internal (e.g., employee surveys) and external market conditions (e.g., hyper competitiveness) – the risks of undue pressure can be identified.

Of course, the fact that risky conditions exist at one company does not necessarily mean that they also exist at a competitor. But it can suggest a line of inquiry both as to risk and to the efficacy of mitigation that should be explored.

Another approach is having the managers’ duties section of the code of conduct address the issue of avoiding undue pressure. That is, the code and related documents (policies, charters, among other things) should spell out that a manager is responsible for addressing pressure that might lead their subordinates to cross a legal or ethical line.

Yet another available measure is having the CEO speak at an all-company or other major event about the need to avoid undue pressure  – particularly at key times (such as near the end of a financial reporting period). One should also cascade the message down through the ranks of management (both operations and staff).

In a related vein one might develop pressure-related scenarios for use in training and other communications.  This would seem to be an obvious compliance measure, but my belief is that too few companies go this route.

Less obvious still, one should consider including undue pressure in audits.  By this I mean that some audit interviews should seek to determine whether pressure at the company is unduly risky. Note that I am not suggesting that this be an extensive effort.  A single question asked of individuals in high-risk positions (e.g., sales) and locations should be sufficient in many audits.

Investigations and discipline have a key role in this aspect of compliance.  Both in how one conducts an investigation and in related discipline one should make sure that those responsible for undue pressure are held accountable. One practical measure to ensure that this happens is to speak to this issue in the company’s investigations manual.

One should, as well,  consider addressing the issue in performance evaluations. By this I mean including in evaluations the extent to which a manager projects undue pressure onto their subordinates – or shields them from it.

Finally, one should ensure the board of directors (typically via the audit committee) is alert to undue pressure risks. They have the ultimate power in a company to mitigate those risks.

Of course, not every company needs to do all of these. And some will address the issue of undue pressure in other ways.  But all should be actively engaged on this risky area.