- US Sentencing Commission. US Congress created the US Sentencing Commission in the 1980s to develop sentencing standards for the federal court system.
- Chapter 8. In 1991, the US Sentencing Commission published Chapter 8 “Sentencing of Organization” of its guidelines, which included the “Seven Elements of an Effective Compliance Program.”
- Seven elements. The Seven Elements of an effective compliance program include Standards and Procedures; Governance and Oversight; Education and Training; Monitoring and Auditing; Reporting; Internal Enforcement and Discipline; and Response and Prevention.
- Change is needed. Despite significant investments in corporate compliance and ethics programs modeled on the Seven Elements, over the last 30 years, there has been little reduction in the corporate corruption rate. Governance changes in the boardroom are needed to improve performance.
As we approach the 30th anniversary of the publication of Chapter 8 of the US Federal Sentencing Guidelines (FSG) and their groundbreaking Seven Elements of an Effective Compliance Program, I thought it an appropriate occasion to take stock of their impact on corporate compliance.
Sentencing of organizations
On Nov. 1, 1991, The US Sentencing Commission — an entity created by the US Congress in the 1980s to develop and publish uniform sentencing standards for the federal court system — published Chapter 8 of the guidelines entitled “Sentencing of Organizations.”
These guidelines provided detailed factors federal judges should consider in sentencing organizations (including corporations) convicted of crimes. Nestled in its pages were the Seven Elements of an Effective Compliance Program (Seven Elements) detailing factors relating to corporate governance structures and practices courts could consider in determining whether an organization had taken reasonable steps to prevent and detect criminal conduct.
If an organization convicted of a crime could demonstrate to the court that it had an effective compliance program and met several other criteria, the FSG permitted judges to provide up to a 95 percent reduction in fines and penalties. The potential for such a substantial penalty reduction was specifically designed to induce organizations to examine and, if necessary, bolster their internal controls.
The Seven Elements of an effective compliance program
- Standards and Procedures,
- Governance and Oversight,
- Education and Training,
- Monitoring and Auditing,
- Internal Enforcement and Discipline, and
- Response and Prevention
In 2004, the Sentencing Commission published amendments to Chapter 8 that was dubbed “Seven Elements of an Effective Compliance and Ethics Program,” integrating into these standards mandates regarding the promotion of an “ethical culture” and providing substantially more detail regarding expectations associated with organizational governance and internal controls.
Over the years, the Department of Justice (DOJ) bolstered incentives for organizations to implement compliance and ethics programs by publishing a number of memoranda and guidance documents further detailing their expectations regarding such programs.
According to these DOJ publications, if organizations under investigation for crimes committed by their employees or agents can demonstrate they had an effective compliance and ethics program and meet several other criteria, the DOJ may significantly reduce the penalties it seeks or decline prosecution altogether.
In many instances, including two I have been personally involved in, the DOJ has been true to its word.
Compliance and ethics professionals
In response to the Seven Elements and the DOJ policies mentioned above, thousands of corporations invested in dedicated compliance and ethics offices and charged them with the responsibility of developing and implementing “effective” compliance and ethics programs to prevent and detect criminal conduct. I count myself among the many other compliance and ethics professionals (CEPs) whose careers have been shaped by these developments.
For the last three decades, through a zeal for our mission seldom found in other professions, and a willingness to share best practices, we CEPs have implemented compliance and ethics programs modeled on the Seven Elements. In so doing, we greatly strengthened various internal controls that had been long neglected and carved out a niche in the corporate hierarchy that is now considered indispensable by most sizable firms. Long gone are the days when no one knew what CEPs did for a living.
This is especially true in industries that have experienced a significant volume of enforcement actions like banking, medical devices, pharmaceuticals, and healthcare. Some companies in these and other industries have been compelled to install compliance and ethics officers by the terms of corporate integrity agreements or deferred the prosecution agreements. But many others have done so voluntarily in anticipation of the benefits that might flow from the creation of a dedicated compliance and ethics office.
Today, we CEPs number in the thousands and enjoy the support of multiple trade associations and a cottage industry comprising dozens of companies that supply global 24/7 helplines, case management systems, online training programs, third-party due diligence services, consulting, and program evaluations.
Many corporations that have invested in compliance and ethics programs now have sophisticated organizational justice systems, a well-educated employee population, internal compliance monitoring and auditing programs, and superior third-party management systems designed to minimize legal risks associated with company distributors and agents. Most CEPs also have direct access to company senior management and the board of directors to apprise them of compliance and ethics program status and solicit their support for various program initiatives.
But have these investments made a difference? Specifically, have compliance and ethics programs modeled on the Seven Elements and DOJ guidance reduced the corporate crime rate? As a practicing CEP, I wish I could answer this question in the affirmative, but I’m hard pressed to find support for such a conclusion. The evidence is to the contrary.
Recall for a moment the spate of breathtaking corporate scandals at the beginning of this century when marque companies like Enron, WorldCom, Countrywide, Tyco, and others were caught systematically defrauding shareholders. Then, in 2008, there was a global financial meltdown precipitated by the malfeasance of thousands of organizations including many of the world’s most respected banks and financial institutions.
Since then, Wells Fargo was caught defrauding millions of customers; Volkswagen and its leadership were prosecuted for the emissions scandal; Goldman Sachs was caught paying staggering sums to win business in Asia; GSK, Johnson & Johnson, Pfizer, Novartis, and many other life-sciences firms were caught paying bribes to healthcare providers or promoting their products off-label; and Airbus was prosecuted for paying bribes to government officials in over a dozen countries.
Fast forward to 2020, when the DOJ collected a record US$9.8 billion in monetary recoveries related to non-prosecution and deferred prosecution agreements in enforcement actions against corporations. That same year, enforcement activity for Foreign Corrupt Practices Act (FCPA) violations was on par with prior years with record fines of over US$6 billion paid to enforcement agencies in the US and other countries.
For decades, the scourge of corporate financial fraud has raged on with no sign of abating, notwithstanding the Sarbanes Oxley Act of 2001 regulations mandating codes of conduct for boards and senior executives coupled with strict internal controls. The 2020 fiscal year saw 715 securities enforcement actions by the SEC culminating in record financial remedies of US$4.68 billion — an increase of approximately eight percent over the amount collected in 2019.
These corrupt business practices were not the doing of just a few rogue employees. In most cases, they were deliberately and systematically perpetrated by cohorts of business executives to seek advantage in the marketplace or to boost their company’s share price. And, most disturbingly, a significant fraction of these schemes were committed in companies with compliance and ethics departments that were powerless to prevent these calamities.
The Seven Elements and CEPs are not to blame
By making these observations, I do not mean to suggest that the Seven Elements and the associated DOJ guidance is flawed. It is not. To the contrary, together they provide a sensible framework that organizations can and should rely upon to structure their internal controls. Nor do I think CEPs have failed in carrying out their responsibilities.
Instead, I believe we CEPs have done and continue to do important work that contributes to the collective efforts of all the other corporate functions to support the business and operate in compliance with the law.
But one has to ask what good is a compliance and ethics program grounded in the Seven Elements that implements world-class helplines, investigation protocols, codes, policies, training programs, internal controls, and the rest if it is incapable of preventing senior corporate executives from engaging in wanton criminal conduct that causes significant harm to the enterprise and its stakeholders?
It appears that as currently configured, corporate compliance programs may be doing a good job regulating the crew “below deck” but, despite their best efforts, are incapable of preventing those at the “helm” from steering firms into the rocks.
That said, it would be grossly unfair to blame compliance and ethics departments for their firm’s corrupt business practices. We CEPs and the programs we run are not the cause of corrupt business practices. We have done and continue to do our level best to prevent them.
But to help the companies we serve find a realistic means of improving performance, we must have a clear-eyed view of our role in the corporate governance structure and our limitations in achieving this objective. It was never realistic to expect that the addition of a compliance and ethics office alone would be sufficient to prevent and detect systemic corporate corruption — especially when corrupt acts are committed, authorized, or tolerated by those on the “bridge.” Moreover, we CEPs never have been and likely never will be in a position to provide effective oversight of senior corporate officers or many of a corporation’s most significant legal and ethical risks.
CEPs have virtually no role in the design or operation of the internal controls required to comply with financial reporting rules, SEC regulations, stock exchange listing rules, safety health and environmental laws, product quality control regulations, good manufacturing practices, labor laws, antitrust laws, patent and trademark laws, product licensing and registration laws, product labeling laws, product packaging laws, product safety laws, international trade laws, debt covenants, commercial agreements, building codes, information technology security requirements, tax laws, and myriad others that collectively comprise the lion’s share of enterprise legal and ethical risks for many companies. Nor should we.
To manage the legal and ethical risks associated with these requirements, companies wisely invest in armies of experts in each of these fields and group them together in the various corporate functions and charge business professionals at every level of the corporation to play by the rules.
Further, in most firms, CEPs have little to no visibility to actions taken and decisions made by their board of directors and senior management team that can present significant corruption risks. Very few, if any, CEPs are involved in senior management or board deliberations relating to staffing, budgeting, acquisitions, divestitures, financial statements, quality controls, financial controls, capital investments, or investor relations — all of which carry enormous legal and ethical implications. My guess is that no CEP was in the room when the Wells Fargo board of directors approved the disastrous employee incentive program that induced a toxic work environment and widespread criminal conduct in their consumer banking business.
Although CEPs occupy a wide variety of positions in corporate hierarchies, only a small fraction of CEPs are peers with their firm’s general counsel, chief financial officer, or the heads of other corporate functions like information technology or human resources. Instead, most CEPs are relegated to posts in middle management and report to executives who are a rung or two down on the corporate ladder from the CEO. Many other CEPs are lower-level functionaries with little to no contact with top management.
The relatively low position most CEPs occupy in the corporate hierarchy is no accident. Senior executives who occupy positions of power are generally not inclined to cede their authority to anyone — let alone to a corporate officer charged with monitoring and possibly regulating their behavior.
Absent a corporate integrity or deferred prosecution agreement compelling companies to elevate CEPs to the C-suite on the heels of a major corporate scandal, most firms deliberately limit CEPs’ authority and their access to senior management meetings.
Consequently, very few, if any, CEPs are given the authority and global reach to be the single individual “delegated day-to-day operational responsibility for the compliance and ethics program,” as per the Seven Elements. Instead, these responsibilities are defused among many individuals across the corporation. But this is hardly the only challenge we CEPs face in achieving the goal of detecting and preventing systemic corporate corruption.
Even those CEPs who earn a coveted C-suite office — where I believe they should be — and are “in the room” during some senior management meetings can’t be in every room in which decisions are made. Business professionals throughout a corporation can and must make key decisions that carry with them significant legal and ethical risks every day without first asking a CEP “Mother, may I?”
The fact that CEPs are not in charge of managing all enterprise legal and ethical risks is not a flaw in compliance and ethics program design. Instead, diffusion of this responsibility is necessitated by the vast complexity of legal and ethical mandates that corporations confront on a daily basis. Charging a CEP or compliance department with this responsibility is neither realistic nor desirable. Thousands of decisions must be made and acted upon continuously without a CEP’s knowledge or approval for a business to function properly.
I make these observations not to diminish the importance of the work CEPs perform but, instead, to dispel the myth that they “own” their firms’ compliance and ethics programs. They do not. Compliance and ethics functions are responsible for performing duties that comprise an important but narrow sliver of the work that is done every day to manage corporate legal and ethical risks. They are just one of a large cohort of business professionals charged with developing and implementing internal controls designed to manage legal and ethical risks and building a strong ethical culture.
I must also take a moment to dispel the myth that CEPs serve as the “conscience of the company.” We certainly may try our best to play this role but there is little evidence that CEPs possess an “ethical expertise” that is superior to other corporate executives. We may have an enhanced understanding of laws and ethical standards in areas, in which we have specialized knowledge like data privacy and anti-bribery laws. But few CEPs, if any, have had any formal education that would make them better suited than their executive counterparts to make even garden-variety business decisions that have significant legal and ethical dimensions.
When deciding how much to invest in research and development — whether to create, purchase, or sell derivative financial instruments, close a plant, initiate a stock buyback, lay off workers, manage pollution levels, off-shore manufacturing operations, draft a SEC filing, pay a dividend, or finalize an advertising budget — it’s hard to see how a CEP would necessarily make better, more ethical calls than other business leaders who have greater expertise in such fields and better knowledge of the relevant facts.
Regardless of how much expertise, authority, or moral courage a chief CEP has, others in a corporation ultimately have the responsibility to run the business. Many of the most important and difficult business decisions corporations must make are based upon incomplete data, assumptions about future market conditions, and hundreds of other variables. In such circumstances, there are many ethical and lawful options.
It is the CEO and their team, not the chief CEP alone, that shareholders and directors expect to make these decisions. This is as it should be. In a well-designed compliance and ethics program, it is the business management team, corporate functions — including the compliance and ethics department — and the employees, rather than the compliance and ethics department alone that comprises the company’s ethics and compliance program.
A way forward
I suspect most would agree that the status quo with its continuous parade of corporate scandals and the enormous harm they cause to all stakeholders is intolerable. Thirty years on we still have considerable work to do to realize the primary goal of the Seven Elements by developing and implementing corporate governance practices that are more successful at regulating individual behavior at all levels of the corporation.
Although I believe CEP effectiveness is optimized when they are members of the executive management team, the answer is not the creation of larger and more potent compliance and ethics offices.
Instead, I believe the key to eradicating the scourge of systemic corporate corruption remains where it has always been and always will be: in the boardroom. As a practical matter, directors, not CEPs, are the only ones in a position to hold senior management accountable for implementing sound internal controls and building a strong ethical culture.
This sentiment is reflected directly in the language of the Seven Elements that provides:
(2) (A) The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
It is also a cornerstone principle in the recently published ISO 37000 Guidance for the Governance of Organizations that charges directors, among other things, with the responsibility of holding management accountable for designing and implementing adequate internal control systems, “including an effective compliance management system and an effective risk management system.” At the root of every major corporate scandal is a failure of boards to carry out this fundamental responsibility notwithstanding what I believe to be directors’ sincere intentions to avoid such calamities.
In my experience, the overwhelming majority of corporate directors are highly intelligent, conscientious business professionals dedicated to helping the companies they serve conform to legal requirements and thrive over the long term. Their jobs are exceedingly demanding and have been made more so by the torrent of regulations passed in response to past corporate transgressions. But to be more effective at governing corporate behavior directors must seek and find a practical means to measure compliance and ethics performance and hold management accountable for meeting performance goals.
One means of achieving this objective that I have advocated for years is for boards to ask and demand that corporate senior management (not CEPs) provide answers to two fundamental questions coupled with objective, verifiable evidence and hold them accountable for meeting defined performance goals:
- How effective are the company’s internal controls in managing its most significant legal and ethical risks?
- What is the company’s ethical culture strength benchmarked against our peers?
In addition to being a sensible and cost-effective means of satisfying the Seven Elements and ISO 37000 mandates, this prescription for improved governance is in keeping with other key aspects of board oversight. Boards don’t take management’s word for a company’s financial performance and leave the firm’s future prosperity to chance. Instead, they scrutinize financial statements and commission routine internal and independent audits. CEOs and senior managers who fail to meet performance targets at well-run firms are dismissed.
This same level of oversight is not happening with respect to compliance and ethics performance in most corporations. Absent a compliance calamity, I’m unaware of any instances in which a board has fired a CEO for a failure to maintain robust internal controls or a strong ethical culture. And even in the wake of massive corporate scandals, there have been many instances where boards made no management changes or only reluctantly did so in response to withering pressure from shareholders, regulators, or legislators. This culture of tolerance for poor compliance and ethics performance must change.
Directors who do not know their firm’s Prime Integrity Metrics, and who do not hold management accountable for achieving defined performance goals, are failing at a fundamental level to provide effective oversight of their companies’ compliance and ethics programs. As a consequence, they are often as shocked and surprised as the rest of us when news of a massive scandal at their firms becomes public. Until directors remedy this deep shortcoming in corporate governance practices, I suspect another 30 years will pass with little reduction in the corporate corruption rate. This is a fate we should all work to avoid.
If you agree with these observations, do your part to help drive the governance changes in the boardroom necessary to realize the true promise of the Seven Elements and materially reduce your firms’ compliance and ethics risk profile. Develop practical methodologies to gather the Prime Integrity Metrics and help your directors understand and act upon them by setting performance goals and holding management accountable for achieving them.