It’s as predictable as the sun rising in the morning.
A corporate “crisis” happens and supposed compliance “commentators / gurus” or those with fancy self-made titles or institutional affiliations come out of the woodwork with the supposed secret sauce like “doing compliance,” “tone at the top,” “values-based culture” and my favorite “trust.”
Indeed, “Trust Your Employees, Not Your Rule Book,” was the title of this recent article in the Harvard Business Review.
Using the recent United airlines passenger dragging incident, the author of the article identifies “the grave shortcomings of an approach to business, culture, and customer service that relies on rules and procedures at the expense of letting flesh-and-blood human beings solve problems and make sound decisions. It’s time for leaders to toss out their rule books and trust their people.”
The article continues:
“The Wall Street Journal published an in-depth analysis of the “recipe for the disastrous decision” that triggered a front-page crisis at Chicago O’Hare International Airport. Its conclusion? The problem wasn’t with United’s employees, but with a “rules-based culture” in which 85,000 people are “reluctant to make choices” that are not in the “tomes of rule books” and “giant manuals” that govern life at the airline. In other words, employees at every level did what they were supposed to do — they followed the rules — yet the result was a total failure.
When I read the Journal analysis, I couldn’t help but think about another famous service organization, the retail giant Nordstrom, and the long-standing handbook that defines life at this 72,500-person company. The entirety of the Nordstrom Employee Handbook fits on a single 5×8 card and involves exactly one rule. Here is Rule #1: “Use best judgment in all situations. There will be no additional rules.”
No wonder Nordstrom’s image and brand is built on heroic stories of above-and-beyond service and problem solving.”
For starters, the above reference to Nordstrom is misleading (but then again narratives, not facts, are often the tools of many compliance commentators). Here is Nordstrom’s 12 page Employee Code of Conduct with enough bullet-points to stock an arsenal.
More substantively, stop and think why business organizations don’t merely trust their employees, but rather have a rule and procedure for this, that and everything. In many respects, business organizations are just responding to the enforcement climate and compliance expectations that the government has created.
In this regard, Ronald Reagan’s famous statement “the nine most terrifying words in the English language are, ‘I’m from the government and I’m here to help'” are worth repeating. Circa 2000 or so, government prosecutors began to fancy themselves as compliance professionals (when the reality is most had little or no actual compliance experience) and enforcement actions began to include detailed post-enforcement action compliance expectations.
Compliance Inc., sensing a business opportunity, began to market these compliance expectations and new “best practices.” Even more troubling is that the same enforcement attorneys who often created the compliance expectations moved into private practice to provide advice as to the compliance expectations they created.
The trust issue remains the same as discussed in this August 2013 FCPA Professor post.
Would it be nice for business organizations merely to trust their employees. Yes, it would be.
Might trust satisfy the “prudent’ and “reasonable” legal standards of the FCPA’s internal controls provisions? Perhaps so.
After all, the FCPA defines “reasonable assurances” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
Relevant legislative history from 1988 when this definition was added to the FCPA states:
“The prudent [person] qualification [was adopted] in order to clarify that the current standard does not connote an unrealistic degree of exactitude or precision. The concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.”
The only substantive judicial decision concerning the FCPA’s internal controls provisions (SEC v. World-Wide Coin – see here for the prior post) states:
“The concept of ‘reasonable assurances contained in [the internal controls provision] recognizes that the costs of internal controls should not exceed the benefits expected to be delivered.”
Beyond this legal authority, in FCPA guidance issued in 1981, the SEC stated:
“The [FCPA] does not mandate any particular kind of internal controls system. The test is whether a system, taken as a whole, reasonably meets the statute’s specified objectives. ‘Reasonableness,’ a familiar legal concept, depends on an evaluation of all the facts and circumstances.” […] Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure. However, the one selected must be reasonable under all the circumstances.”
Likewise in the 2012 FCPA Guidance the DOJ and SEC stated:
“Like the ‘reasonable detail’ requirement in the books and records provision, the Act defines ‘reasonable assurances’ as ‘such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.’”
“The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”
Yet, imagine a situation in which an issuer becomes the subject of FCPA scrutiny.
During a meeting with the DOJ and SEC, the enforcement attorneys ask company counsel what internal controls existed relevant to the alleged culpable actors.
Company counsel responds, “we don’t have rule books or detailed policies and procedures regarding x, y, or z, rather we trust our employees to make the right decisions.” This would likely cause the enforcement attorneys to laugh out loud.
In short, certain commentators can continue to peddle their secret sauce of “doing compliance,” “tone at the top,” “values-based culture” and “trust.”
Yet, the government has created materially different expectations and that is what risk averse business organizations are in good faith responding to in drafting, implementing, and monitoring compliance practices and procedures.
FCPA Institute - Phoenix (Jan. 11-12, 2018)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active active. Learn more, spend less. CLE credit is available.