Compliance programs can reduce companies' penalties from government lawsuits by more than 90 percent
In Gallup’s recent $10.5 million settlement with the Department of Justice (resulting from its improper employment negotiations with a government official and falsely inflated cost estimates for two federal contracts), the company agreed to implement a comprehensive compliance program. It’s not the first time this has happened. What is remarkable about this settlement is that the enforcement community acknowledged that Gallup had a pre-existing ‘business ethics program’. But the government also acknowledged that it wasn’t enough to rely on ethics alone.
Telling people to be ethical and building an ethical culture are both important, but neither is adequate if you want to avoid violations of the law and the millions or billions of dollars of fines and settlements that will wreck your bottom line. So what else should businesses do? The government gives an answer in the very same settlement: ‘Gallup has agreed to keep in place Gallup’s business ethics program, voluntarily adopted prior to the date of this agreement, and to take other actions as specified herein to assure Gallup possesses the high degree of business honesty and integrity required of a US government contractor.’
Those ‘other actions’ include a compliance program and, tellingly, not a narrow compliance program but a broad one. What makes a compliance program different from an ethics program is that a compliance program is about controls: auditing, monitoring, investigating, disciplining, reporting, educating and developing policies and procedures. It is about understanding the countless laws and regulations a business must follow, making them understandable to the workforce and ensuring they are followed, no matter how arcane or unpopular. In short, a compliance program consists of a host of processes designed to ensure the firm’s laudable ethical ambitions are paired with processes to ensure the law is obeyed. It also ensures the critical tone at the top is translated into concrete action throughout the company.
The government has been clear about the need for compliance since 1991, when it wrote Chapter 8 of the US Federal Sentencing Guidelines. Chapter 8 stipulates that if a firm implements a compliance program (the guidelines later added an ethics program) and has a violation, its penalty could be cut by more than 90 percent.
The Federal Sentencing Guidelines essentially give businesses a road map for risk management when it comes to violations of the law – and a substantial incentive for following that road map, which is a very simple one that almost any company should be able to follow:
- The compliance program should have oversight by high-level personnel
- There should be due care in delegating authority
- Employees should be trained appropriately
- Reasonable steps should be taken to achieve compliance, including systems for monitoring, auditing and reporting without fear of retaliation
- There must be consistent enforcement of compliance standards, including incentives and discipline
- There should be reasonable steps to respond to and prevent further violations when one occurs.
It’s hard to argue with any of these measures. C-suite executives and corporate board members should take note, not because they will be the ones to oversee the compliance and ethics program (there is a whole profession that has assumed that role) but because in a time of intense scrutiny of the business community by the public, regulators and enforcement communities, having an effective ethics program alone is not enough. A comprehensive compliance program is an essential investment to protect the company’s bottom line, share price and reputation.
Valuable protection
It is protection that few if any companies can afford to forgo, given the direct costs of wrongdoing. Already in 2013 we have seen settlements of $612 million by the Royal Bank of Scotland, $139 million by News Corp, $398 million by Total and $1.4 billion by Transocean, to name just a few of the larger firms. The numbers are terrifying – and enforcement is increasing globally, making it even more important that companies have adequate controls in place.
The UK’s Serious Fraud Office recently filed, for the first time, charges against individuals under the Bribery Act. At the same time, the US government is starting to provide ample evidence of the benefits of a compliance program. Morgan Stanley received no fine or penalty despite allegations that an employee had bribed a Chinese government official in violation of the Foreign Corrupt Practices Act (FCPA), typically a very expensive issue to investigate and settle. Why? Because Morgan Stanley had a robust compliance program with impressive controls and had given at least 35 reminders of the company’s FCPA policy and seven training sessions to the offending employee.
Ralph Lauren recently settled claims that one of its subsidiaries violated the FCPA by paying bribes to officials in Argentina from 2005 to 2009. The misconduct was first reported to regulators by Ralph Lauren after it was discovered in an internal review. The SEC said actions taken by the retailer ‘show the benefit of implementing an effective compliance program. Ralph Lauren discovered this problem after it put in place an enhanced compliance program and began training its employees. That level of self-policing along with its self-reporting and co-operation led to this resolution.’
Other benefits of compliance
A less obvious but still important example of the benefit of instituting a robust compliance program is HSBC’s widely publicized $1.9 billion payout in fines and forfeiture related to money laundering. While this was the largest ever bank settlement in US history, the bank’s deferred prosecution agreement included a sweeping and unprecedented overhaul of its worldwide compliance program that allowed it to forestall indictment. What resonated most with the government in this case was that HSBC implemented changes that were designed to foster and maintain a deeply ingrained, lasting culture of compliance at the bank.
Everyone is in favor of a more ethical business environment, and ethicists have the best of intentions, but they are over-promising and under-delivering. The reputation of the business community is at an all-time low. A recent Harris Interactive survey shows that about three quarters of the US general public has a perception of corporate America that is ‘not good’ or ‘terrible’.
To help foster a more ethical environment, the government is writing long, vague and expensive regulations every time some industry has a problem. But talking about being ethical isn’t enough. A business has to audit, monitor, investigate, discipline, educate and implement all the elements of a compliance program as well. Companies have to be focused on the process and not just the goal. The message to business leadership is clear: an ethical culture is a laudable aspiration, but without the structure and processes of a compliance program, companies operate at far greater risk.