Compliance is everyone's responsibility. That an organization’s legal obligations and ethical standards are the responsibility of every employee is a foundational premise underlying the organization’s holistic commitment to abiding by both the letter and spirit of the law—and refraining from actions that violate the organization’s own ethical standards.
Yet far too often, the compliance function of an organization is falsely viewed as both the beginning and end of an organization’s commitment to building the foundations of an ethical and legal compliance culture. A fundamental misperception exists that it is solely the compliance team’s responsibility to both identify legal and regulatory risks and assume primary responsibility for mitigating those risks. In reality, however, it is the business function of an organization in conjunction with the board of directors, senior leadership and rank-and-file employees that are responsible for implementation—and observance of—compliance protocols.
Even worse, the very phrase “corporate compliance” is too often misconstrued to mean that smaller organizations—from sole proprietorships to partnerships and single-member limited liability companies—are immune from adopting programs designed to detect (and ideally prevent) infractions of the law.
Ethics and Compliance Matter - To All Organizations
It is axiomatic that every organization—regardless of size or sector—is subject to the law. A corollary to this principle, therefore, is that all organizations should design, implement, and periodically audit internal controls designed to mitigate violations of the law in areas that pose the greatest risk to the organization overall. As such, organizations of all shapes and sizes should be engaged in the continuous process of risk assessment—that is, identifying, in a systematic and documentable fashion, the major risks the organization faces from a legal perspective—and implementing policies and procedures reasonably designed to both deter and detect potential legal and/or ethical violations.
An excellent starting point for organizations new to the concept of compliance itself is the United States Department of Justice’s Criminal Division’s Guidelines for the Evaluation of Corporate Compliance Programs (“DOJ Guidelines”), last updated in June 2020. While the DOJ Guidelines do not themselves carry the force of law, they provide keen insight into what federal prosecutors look for when confronted with a criminal violation by an organization. Critical to determining (a) whether to bring charges and (b) whether to negotiate a settlement with an organization implicated in wrongdoing is “the adequacy and effectiveness of the [organization’s] compliance program at the time of the offense, as well as at the time of the charging decision.” To that end, the DOJ Guidelines emphasize that prosecutors should ask the following three fundamental questions: (1) Is the corporation’s compliance program well designed? (2) Is the program being applied earnestly and in good faith? (3) Does the corporation’s compliance program work in practice?
To meet the first criterion of “well designed,” a risk assessment—as previously mentioned—is required to ensure that an organization’s mitigation strategy is appropriately tailored to its operations and industry. As the DOJ Guidelines explicitly and implicitly emphasize repeatedly, compliance programs are not ‘one-size-fits-all.’ Rather, effective compliance programs are targeted and risk based. This is emphasized by the DOJ Guidelines’ initial notation that federal prosecutors should consider whether “the [organization] devote[s] a disproportionate amount of time to policing low-risk areas instead of high-risk activities” and “gives greater scrutiny, as warranted, to high-risk transactions . . . than to more modest and routine [ones].” Accordingly, an organization’s risk mitigation strategy is inextricably linked to the outcome of the risk assessment. An international manufacturer and distributor of computer chips, for example, will have a very different risk mitigation strategy than a domestic non-profit organization dedicated solely to the promotion of the arts in a particular locale. In the case of the former, an effective risk assessment will almost certainly identify the potential for bribery and corruption, observance of economic sanctions regulations, and knowledge of trade controls as material risk factors. For the latter, these considerations would likely be irrelevant. Rather, the organization would be more concerned with observing IRS regulations involving charitable contributions and corresponding tax-related implications at the state level, in addition to basic accounting, permitting and licensing issues.
The second factor mentioned in the DOJ Guidelines—namely, whether the program is being applied in good faith (i.e., whether the program is adequately resourced)—underscores the importance of senior leadership commitment to ethical practices; autonomy and appropriate resources for the compliance function of the organization; and the adoption of incentives and disciplinary measures to address employee conduct. In this context, it cannot be overstated that an organization’s board of directors/managers and senior management team ultimately ‘set the tone’ for an organization’s commitment to legal and ethical practices. This “high-level commitment” is indispensable in ensuring that the organization itself is both aware of, and commits to abide by, external laws and regulations and internal policies respecting ethical conduct. As such, the DOJ Guidelines emphasize the significance of concrete action by senior leaders taken with respect to compliance. Such actions include, but are not limited to, encouraging compliance by employees overall through frequent intercompany communications; modeling appropriate behavior to subordinates; and persisting in ensuring that compliance prevails in the face of competing interests and/or business objectives.
With respect to autonomy and resources, the organization must take steps to ensure that those “charged with a compliance program’s day-to-day oversight” are empowered to act with “adequate authority and stature.” Ideally, an organization’s compliance officer would be autonomous from both the financial and legal functions of an organization and have a direct reporting line to the board of directors/managers. However, recognizing that organizations vary in size and resources, so long as the compliance function of the organization has unimpeded access to the very top of the organization when legitimate concerns arise that warrant board attention, this prong of the DOJ Guidelines is likely met. Of course, the organization must also ensure that appropriate resources are devoted to the compliance function. For larger enterprises, this often means a designated compliance function (and potentially subsidiary teams) with a separate budget and sufficient staff to adequately implement the organization’s risk mitigation strategy. For smaller operations, resource constraints may well mean that the compliance function is delegated to an employee with other responsibilities. The key factor here is to ensure that any such personnel are appropriately trained, adequately resourced, and encouraged—not discouraged—to raise concerns both to senior leadership and the board of directors/managers as warranted.
Arguably the most critical factor contained in the DOJ Guidelines is assessing whether the organization’s compliance program actually works—that is, whether it effectively detects and deters misconduct. While it is frankly impossible for an organization to proactively address every potential risk and avoid every legal infraction, the DOJ Guidelines place considerable emphasis on continuous improvement and periodic testing as decisive elements of this requirement. In other words, to ensure that the organization’s policies and procedures are working in practice, it is incumbent upon that organization to periodically audit and test its internal controls; update its risk assessment to account for any deficiencies; vigorously and properly investigate credible allegations of misconduct; and analyze and remediate any misconduct by conducting a so-called “root cause” analysis. Even if an organization’s internal controls fail to prevent a legal or regulatory infraction, if an organization can demonstrate its commitment to compliance by faithfully observing the foregoing factors, leniency—in the form of an official or unofficial reprimand, deferred prosecution agreement (“DPA”), or other form of non-judicial resolution—is often available. This is far preferable, for all organizations, to criminal charges, administrative proceedings and substantial fines/penalties, to say nothing of the often-unquantifiable reputational damage inflicted on an organization as a result of such enforcement actions.
Compliance is Every Employee’s Responsibility
Just as compliance applies to every organization holistically, it also applies to each and every employee of that organization. Here, it seems trite but important to observe that buy-in to the compliance program from rank-and-file employees is an essential ingredient in ensuring that the program works in practice. Emphasis on compliance is not a static event, but a continuous process of acquainting each employee with their legal and ethical obligations, and any developments that dramatically alter or shift the nature of those obligations. Ideally, organizations should include compliance officers at the induction or onboarding phase, to clearly articulate the organization’s commitment to abiding by the law and observing ethical standards set by the organization, and to answer any questions that a new employee might have with respect to those obligations. Thereafter, the organization should commit to periodic compliance updates—both formal and informal. Email reminders, quarterly newsletters, compliance case studies, and anonymized reports of intercompany misconduct are but a few of the many tools available to a compliance officer to make compliance considerations an integral component of each and every employee’s job responsibilities. Training should also be customized by the organization to ensure that activities identified as high-risk involving a certain team or department are adequately addressed. For example, the sales and business development function of an international organization with significant government interactions abroad must receive training on strict adherence to anti-bribery and corruption laws and regulations, including, but not limited to, the U.S. Foreign Corrupt Practices Act (“FCPA”). Although the financial function of the same organization might also receive FCPA training, it should be customized to account for the FCPA’s books and records provisions perhaps more than its anti-bribery prohibitions.
Finally, no employee in the organization—including members of senior leadership—should be exempt from receiving compliance training. Too often, organizations make the mistake of assuming key leaders are already knowledgeable when it comes to compliance, when in fact, most are not. Even worse, some organizations refuse to “inconvenience” such senior leaders with what they view as trivial concerns. But it is important to emphasize that what seems like a trivial concern today might very well become a major scandal tomorrow.
In the end, both organization and employee bear responsibility for ensuring that their actions conform to the letter and spirit of the law, as well as the organization’s own internal expectations and fundamental values. Organizations of all shapes and sizes—and all employees of those entities—should be expected to abide by the laws under which each and every one of us operates. A refusal to play by the rules not only undermines an organization’s credibility, but is corrosive of civil society and undermines the very essence of the rule of law.