
Building Compliance Programs

This article is excerpted and adapted from "Building A World-Class Compliance Program: Best Practices and Strategies for Success," by Martin T. Biegelman with Daniel R. Biegelman. Published by John Wiley & Sons Inc. ©2008 by Martin T. Biegelman. Reprinted by permission. 
 
Imagine this nightmare scenario: A publicly traded company whose domineering leadership rules by fear. Dissenting opinion in any form is met with immediate termination of employment. A culture where written policies and procedures are few and far between and internal controls are shunned. Training is sporadic and lacking. Eventually, this company's most senior executives conspire to prematurely and fraudulently recognize revenue to meet or exceed Wall Street's expectations. They conduct this massive fraud year after year. The board is totally in the dark and accepts management's explanations and assurances without independent verification. When their accounting practices finally are scrutinized and the government starts an inquiry, these executives attempt a cover-up by fabricating a story, obstructing the investigation, and suborning perjury by instructing other employees to lie to the government and outside counsel. Ultimately, eight of the company's senior executives, including the CEO, CFO, and general counsel, plead guilty to securities fraud and/or obstruction of justice charges. Shareholders lose more than $10 billion because of the massive accounting fraud. 
 
Employees are left shocked and demoralized that their leaders have lied and defrauded their company. Investors are also horrified at seeing their investments diminish and that no one in the company did anything to stop it. Add to this explosive mixture the fact that the company had no compliance program. That's right, no compliance program. Think this couldn't happen? Think again because it did. 
 
This all occurred at Computer Associates, now called CA Inc. These blatant transgressions happened because an effective ethics and compliance program was not in place. Compliance involves many different elements; knowing and following all the relevant laws, rules, and policies is but one part of the mix. An effective compliance program would have made a difference at CA. A strong compliance program is absolutely necessary to protect an organization both internally and externally. 
 
Compliance means following the law and more. It's making sure organizations adhere to all applicable legal requirements. It is a detailed and complex process. For any particular situation one must be aware of all potentially applicable laws and regulations - federal, state, local, as well as internal company-instituted rules. A company is obligated to be aware of and understand these rules and laws. That in itself can be an onerous process as even experienced and sophisticated lawyers sometimes have a difficult time deciphering the cryptic "legalese" that passes for statutory language. This compliance obligation is important because everyone in authority is charged with knowledge of the law. Ignorance of the law is no excuse. A person cannot escape a criminal charge or civil liability by claiming that he or she did not know the law was being broken. This is the role of compliance, to make sure people know the rules beforehand and help to ensure that they continuously follow them. 
 
Knowledge and understanding of the law is the first step. Businesses also have to know to what and where it applies. Furthermore, once one has this information, one must implement it in an effective compliance program. But what does effective mean? A company must carefully craft a program, hire experienced compliance professionals, issue detailed policies and guidance, institute training, and promote all other aspects of the program to ensure the knowledge is spread to all who need it. This process must be continuous. The compliance program is the engine of compliance, putting all of this into effect. 
 
Knowing the law and following it is only one side of compliance. Compliance goes much deeper than that, true compliance anyway. Simply following the law so that one doesn't get into trouble is not full compliance. State-of-the-art compliance involves a successful blending of compliance - following rules, regulations, and laws - with ethics - developing and sustaining a culture based on values, integrity, and accountability, and always doing the right things. True compliance ensures consistency of actions to eliminate, or at least lessen, opportunities for harm from criminal conduct or other compliance failures. It means going beyond the minimum requirements. More importantly, it involves the ongoing commitment from senior leaders in the organization to promote ethical conduct and compliance with the law. Leading by example and establishing the tone at the top set the stage for every other element of compliance. 
 
The problem that can occur is when people use compliance as an excuse - those who profess to believe in it but use a compliance program to mask their own negligence or even wrongdoing. It may be said that this is even more dangerous than having no compliance program at all. That is because it gives shareholders, employees, vendors, and the public the false belief that the company cares about following the law when in fact, all it wants is to deceive others into believing so. Let us not forget that Enron had a 65-page code of conduct, but in the end, it was nothing more than empty words. 
 
Enacting a compliance program and instituting training programs but not supporting them through lack of funding, lack of skilled personnel, or by management undercutting them in various ways, is also dangerous and counterproductive. Real compliance means that one believes in what one is doing day in and day out. It is not merely lip service; it's putting your money where your mouth is. This is the two-tiered approach to compliance - one's actions and one's mind-set. An organization cannot have effective compliance without both of them. One alone will not work. This is tied into the idea of setting a positive tone at the top. If management believes in compliance and reinforces it by their actions, over and over again, then people below will follow their lead. 
 
ETHICS IS JOB ONE 
Executives are constantly confronted with the realities of business compliance. They must ensure compliance with their internal rules and policies. Those from public companies must follow the requirements of the Sarbanes-Oxley Act and other reporting enhancements. All organizations must follow federal, state, and local laws and all must comply with the United States' Federal Sentencing Guidelines, which mandate the creation of compliance programs. Moreover, a raft of other laws must be complied with, from anti-bribery rules to free trade provisions. Yet, chief among these requirements is the idea of ethics, the concept that lies at the heart of every corporate governance requirement. 
 
Ethics includes integrity and proper business conduct; it refers to standards and values by which an individual or organization behaves and interacts with others.1 The famed Greek philosopher Aristotle in his "Nicomachean Ethics" argued that "moral behavior is acquired by habituation" and that without question, "moral behavior is good."2 It is no different today. Ethics and compliance are clearly on the minds of executives, as well as investors, the public, and the government. Ethics has become a hot-button topic, thanks to the many corporate scandals of the past years. This is hardly news to anyone. Despite the increased awareness given to ethics and compliance programs, the problem has not been solved. For instance, the Hewlett-Packard (HP) spying and pretexting scandal involved key executives and illustrates that there is more to successful compliance than just a code of conduct. HP had a comprehensive Standards of Business Conduct (including, slightly ironically now, several pages on how to handle sensitive information), yet it still was engulfed by negative front-page headlines and a shakeup among its leadership. Even great corporations like HP can, at times, face compliance failures. Merely having a program in and of itself is not the solution to protecting a company and keeping it in good graces with shareholders and the government. A truly successful compliance program goes far deeper. 
 
The push toward compliance, especially since the enactment of the Sarbanes-Oxley Act and the reaction to the scandal culture of the Enron era, could almost be described as an "ethics fad." Sarbanes-Oxley strengthened corporate accountability and governance of public companies through rules covering conflicts of interests, financial disclosures, board oversight, and certification of financial statements.3 The Act's passage left companies hurrying to comply. All of a sudden, every company had to have an ethics code; if there wasn't one there was scrambling to get one, or else be left behind. This rush merged with heightened concerns stemming from the penalties imposed on companies for ethical breaches. From the lighter treatment afforded to companies who came clean and "restated" their earnings, as compared to those formally investigated and charged by the government, companies got the message that it was in their best interest to cooperate and that having a compliance program would be something that would lessen potential penalties should the company commit further misdeeds. 
 
Companies that the government caught red-handed had to pay very stiff financial and reputational penalties, not to mention the personal impact on those executives prosecuted and sent to prison. This sent companies searching for ways to avoid this disastrous outcome. At the same time, ethics enjoyed a renewed focus throughout the corporate world, first as companies struggled to understand the new requirements placed on them by the passage of Sarbanes-Oxley, and then rushed to embrace ethical conduct for chief executives and others. The ethics fever swept every industry and that was a good thing, a very good thing. While this practice makes compliance easier, there is still much to do as compliance lapses and criminal conduct persist. The Securities and Exchange Commission (SEC) has continued its strong enforcement program over the last few years. 
 
Ethics and ethical behavior are not things that can merely be created or attained solely through corporate expenditure. They require a deeper commitment, one that can only be achieved through time, effort, and yes, expenditure. Though it is a cliché, quality matters here far more than quantity. In many senses, a little goes a long way. Building a world-class compliance program requires smart decisions in building it, maintaining it, and sustaining it; by doing so, a company will be able to achieve truly effective compliance over the long term. 
 
THE NYPD AND AN ETHICAL CULTURE 
A commitment to ethical conduct cannot be accomplished by simply initiating a program and then checking the box that the process is complete. Building a culture of compliance takes time. Integrity and character bring out the best in people and are critical components in ethics and compliance. Yet, human beings are not perfect creatures and tend to falter from time to time. The importance of ethical conduct needs to be nurtured, reinforced, and repeated over and over again lest people forget and stray from the course. There is no better example of this continuous need for attention to ethical conduct than the various police corruption scandals that have impacted the New York City Police Department (NYPD) over the past 100 years. Even legendary institutions can face the firestorm created when law enforcement officers forget their oaths and turn to crime and corruption. 
 
The feeling of deja vu that the NYPD faced was due to not learning from the past. The NYPD of the 21st century has made great strides in understanding that ethical lapses can seriously impact a long-standing reputation. In building its compliance program, the NYPD starts with police recruits as soon as they enter the police academy. Look at what is presented to recruits in its "Police Student's Guide: Introduction to the NYPD": 
 
Our history is a source of great pride to us, and we have very little tolerance for officers who do not treat our hard won reputation with the respect it deserves.... When things go right in this Department - when we succeed in reducing crime; when we make spectacular arrests; when we make dramatic rescues - our actions are described in news reports throughout the country and across the world, and our officers are treated like heroes. But, when things go wrong - when officers are caught in scandal, or when they make some tragic mistakes - the same reporters and leaders who are quick to praise us are quick to condemn us. When this happens, the public often does not recognize that the problem may be limited to one or only a few officers. Instead, in the eyes of many people, we all become suspect, and the mistakes and sins of a few are generalized to all of us. This breeds distrust among the public, and makes it tougher for all of us to do the job the way we should. . . . Make certain that you carry yourself in a manner that brings only respect to yourself and to your brothers and sisters in this Department.4 
 
Warren Buffett, the billionaire investor and CEO of Berkshire Hathaway Inc., has said, "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." The NYPD understands this and so must all organizations. Yet, we often fail to learn from the past. The disclosure of stock option backdating scandals in 2006 at dozens of companies, large and small, in the United States brought back distressing memories of the accounting scandals of just a few short years ago. How could so many smart people forget the lessons of Enron, WorldCom, Adelphia, and others? The sheer number of companies involved is striking. Much of the misconduct took place a number of years ago and was only recently disclosed. Still, the participants were chief executives and other high-level employees who should have known better. More importantly, their compliance programs did not work. 
 
WHAT IS COMPLIANCE? 
Compliance is a state of being in accordance with established guidelines, specifications, or legislation.5 The Compliance and Ethics Leadership Council defines compliance as "a company's or an individual's observance of relevant laws, regulations, and corporate policies. ... Companies must have various programs, policies, and controls in place in order to be defined as being 'compliant' with certain laws, rules, regulations, or policies."6 
 
The United States Department of Justice (DOJ) has strongly reinforced the importance of effective compliance programs. The DOJ defines compliance programs as follows: 
 
Compliance programs are established by corporate management to prevent and to detect misconduct and to ensure that corporate activities are conducted in accordance with all applicable criminal and civil laws, regulations, and rules. The Department encourages such corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own. However, the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal conduct undertaken by its officers, directors, employees, or agents. Indeed, the commission of such crimes in the face of a compliance program may suggest that the corporate management is not adequately enforcing its program. In addition, the nature of some crimes, e.g., antitrust violations, may be such that national law enforcement policies mandate prosecutions of corporations notwithstanding the existence of a compliance program.7 
 
The key to effectiveness is whether the program is adequately designed to ensure compliance. The United States' Federal Sentencing Guidelines for Organizations (FSGO) state that "to have an effective compliance and ethics program, an organization shall exercise due diligence to prevent and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law."8 The constantly evolving compliance landscape requires executives and managers to constantly ensure that their programs are "best in breed" to fully protect organizations. 
 
Organizations that run afoul of the law and commit crimes such as fraud, face severe penalties from the courts. Under the FSGO, organizations found guilty can face additional penalties based on certain aggravating factors calculated by a "culpability score." As stated in the FSGO, the factors contributing to increased penalties and fines include whether: 
  • Senior executives within the organization "participated in, condoned, or [were] willfully ignorant of the offense" 
  • "Tolerance of the offense by substantial authority personnel was pervasive throughout the organization"
  • There was prior history of a similar offense in the company's past 
  • The organization obstructed justice by impeding the investigation or prosecution9 
 
The FSGO also provide a significant "carrot" or benefit in that there are mitigating factors that can significantly lessen the penalties for criminal convictions. The questions that will determine if these factors are to be considered include: 
  • If the subject "organization had in place at the time of the offense an effective compliance and ethics program"
  • If the organization promptly "reported the offense to appropriate government authorities" once they became aware of its existence
  • If the organization "fully cooperated in the investigation"
  • If the organization "clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct"10 
 
While quality matters more than quantity, a solid compliance program needs a proper balance between the two. An under-funded and unsupported program is doomed to fail. Without sufficient support by the company and the management, a program cannot succeed in its objectives of changing and influencing employee behavior. Compliance requires direct input by company leadership, and the key support of a qualified compliance officer running a reliable compliance department, accessible to the rank and file to answer their questions and provide them with appropriate direction. However, spending too much money (without proper guidance on how to spend and direct funds) can lead to incredible inefficiency, and be just as ineffective as not spending. 
 
Regardless, a sound compliance program has to become the heart and lungs of an organization infusing new oxygen into its lifeblood. Management cannot just give it lip service but must support it wholeheartedly by daily examples of ethical and compliant conduct. 
 
Martin T. Biegelman, CFE, ACFE Fellow, is director of financial integrity for Microsoft Corporation in Redmond, Wash.  

Daniel R. Biegelman, J.D., is a 2006 graduate of St. John's University School of Law and currently practices in New York City. 

 
 
1 "Preempting Compliance Failures: Identifying Leading Indicators of Misconduct." Compliance and Ethics Leadership Council. April 26, 2007.  
 
2 Aristotle. Nicomachean Ethics. Translated by Martin Ostwald. (Englewood Cliffs, NJ: Prentice Hall, 1962), xix.  
 
3 Martin T. Biegelman and Joel T. Bartow. Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance. (Hoboken, NJ: John Wiley & Sons, 2006), 64.  
 
4 New York City Police Department. Police Student's Guide: Introduction to the NYPD. July 2005, 4-5. 
 
5 Definition of compliance found at PEMCO Corporation Corporate Services library site. 
 
6 "Preempting Compliance Failures."  
 
7 Paul J. McNulty, "Principles of Federal Prosecution of Business Organizations." Department of Justice. December 2006.  
 
8 Federal Sentencing Guidelines. Chapter 8, Part B, Effective Compliance and Ethics Programs.  
 
9 Federal Sentencing Guidelines. Chapter 8, Part C, Fines.  
 
10 Ibid.  
 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.   
