Recently, the Ethics & Compliance Initiative (ECI) released its “Principles and Practices of High-Quality Ethics & Compliance Programs.” As stated in the report, the ECI “convened a group of 24 thought leaders and challenged them to identify the qualities that distinguish … ‘high-quality’ ethics and compliance programs.”
I have no doubt that the thought leaders worked hard and in good faith in drafting the report. However, the report was disappointing unless, of course, one loves checklists, charts, bullet points, vague generalities and other Compliance 2.0 (or has Compliance 3.0 arrived?) buzzwords.
More substantively, as highlighted below, the report contains an asserted best practice that few (including former high-ranking DOJ officials) are likely to agree with.
What follows are portions of the report that caught my eye.
The report asserts as follows.
“Research has shown that when [ethics and compliance programs] are effectively implemented, these efforts achieve positive results: ethics and compliance programs do accomplish their purpose. Misconduct has been shown to be reduced by as much as 66 percent in organizations with effective programs.”
I agree with the general statement that ethics and compliance programs can reduce and mitigate legal risk (although that assertion has recently been disagreed with, see here and here), but how in the world can one truly measure – with definitive statistics – whether ethics and compliance programs work?
So what are the “principles and key practices that are common to high-quality ethics and compliance programs?”
According to the report, “high-quality program[s] [are] set apart because they:
- Make every effort to comply with all relevant legal and regulatory expectations and integrate E&C thinking and practice into everyday operation of the organization;
- Are not satisfied with mere ‘check the box’ effort;
- Assess and mitigate risk and prioritize the creation of a culture where concerns can be raised and where retaliation is not only prohibited but prevented;
- Hold themselves accountable – both internally and externally – for prompt, responsible action when misconduct occurs; and
- Implement strategies that are continually documented, objectively measured, evaluated and improved.”
Hard to disagree with any of these assertions, but what do they really mean?
No worries, the report breaks down each of the 5 principles into distinct “supporting objectives” which then – in the aggregate – contain 110 separate bullet points of “leading practices” such as, among my favorites:
- Proposals for new business strategies are measured, in part, by their alignment with the organization’s values;
- The E&C program is nimble and adjusts regularly to identified and prioritized risks;
- Leaders’ behaviors are a significant consideration in employment and promotion decisions; and
- Culture metrics are an element of business unit performance.
Again, I am not questioning the hard work and good faith of the “thought leaders” in drafting this report.
Rather, I question the value of the report given that it consists almost entirely of vague generalities and other Compliance 2.0 (or has Compliance 3.0 arrived?) buzzwords. Moreover, while criticizing “check the box” compliance, what do you think a report that contains 110 separate bullet points of “leading practices” is going to induce?
More substantively, the report contains an asserted best practice that few (including former high-ranking DOJ officials) are likely to agree with.
As highlighted in the report, Principle 5 of a “high-quality ethics and compliance program” is “the organization takes action and holds itself accountable when wrongdoing occurs.”
No controversy there.
However, one “supporting objective” is stated as “appropriate disclosures are made to regulatory or other government authorities” with the following “leading practice” listed first: “Leaders support responsible, timely disclosure to regulators.”
An “example from a high-quality program” is then listed as follows.
“[An organization uncovered evidence of an FCPA violation and then] quickly sought both internal and external counsel, in order to ensure that the matter would be handled appropriately. Leaders of the organization disclosed the incident to the appropriate authorities and committed to full cooperation with government officials in the resulting enforcement process.”
There are many who would disagree with the purported best practice of “disclosure to regulators.” (For instance, see this recent FCPA Flash podcast).
Included within this group are former high-ranking DOJ officials. For instance, Steven Tyrrell, the former Chief of the DOJ’s Fraud Section stated:
“It often will not be in a company’s best interest to disclose if, for example, the allegations prove not to be credible or if it is unclear whether the conduct even amounts to a violation of law. Under those circumstances, a disclosure could unnecessarily embroil the company in a lengthy and costly government investigation and result in other repercussions such as triggering civil litigation and harm to a company’s reputation that could otherwise be avoided. It’s a challenging calculus. […] However, the fact that a company doesn’t disclose a problem that ultimately comes to DOJ’s attention is not necessarily going to damage the company’s credibility with DOJ. Regulators recognize that not every allegation should be of interest to them – and, frankly, having counsel that knows when they’ll be interested and when they won’t is really important.”
Likewise, former DOJ Deputy Assistant Attorney General Greg Andres stated:
“Not every issue that a company uncovers should necessarily be disclosed. Some of it depends on size and scale – hundreds, or thousands or tens of thousands of dollars – it may not rise to the level where you would need to bring it to the DOJ’s attention.”
In short, contrary to the best practices suggestion in the report, thoroughly investigating an issue, promptly implementing remedial measures, and effectively revising and enhancing compliance policies and procedures – all internally and without disclosing to the enforcement agencies – is a perfectly acceptable, legitimate, and legal response to FCPA issues in all but the rarest of circumstances.