Effective C&E Programs: The Justice Department Speaks

[This essay was originally posted on the Conflict of Interest Blog]

Last week, together with David Wilkins of SNC-Lavalin, I chaired the Practising Law Institute’s Advanced Compliance & Ethics Workshop.  Marshall Miller, the number 2 in the Justice Department’s Criminal Division, gave the keynote address, which was subsequently posted on the Department’s web site.  Among the important points he made were the following.

First, Miller said that a principal hallmark of an effective C&E program “is high-level commitment.  When employees truly understand that a company’s leadership is committed to compliance – even when it runs up against profits – only then does a company truly have a successful compliance program.”

A side note on this: I’ve found over the years that one of the most meaningful gauges of the seriousness of a C&E program is whether a company can provide specific examples of where it has in fact sacrificed  potential profits to maintain its C&E-related standards. A company’s having done this often makes a profound impression on employees (and potentially third parties) – and can be seen as more significant than mere words in a code of conduct.

Second, Miller said: “The quickest way to check on that commitment is to take a look at corporate structure.  If you see compliance executives sitting in true positions of authority at a corporation, reporting directly to independent monitoring bodies, like internal audit committees or boards of directors, you likely are looking at a strong compliance program.   Compliance programs also need to be resourced; they need to have teeth and respect.”

A side note on this:  It was clear from Miller’s talk that Justice was not saying that all companies needed to have the C&E officer report administratively – as opposed to informationally  – to the board.  Very few companies take the former approach; indeed, based on a show of hands, none of the conference attendees do this.

Third, Miller said: “Another key hallmark is whether the program grows with the company.  Any good compliance program needs to be periodically evaluated, using risk assessment models aimed at the individual circumstances of the company.  As companies change over time, so must compliance policies.”  Key here is the phrase “risk assessment models aimed at the individual circumstances of the company,” because too many companies assess risk using a one-size-fits-all approach.

Fourth, he noted: “A strong compliance program must also involve enforcement and discipline.  It is human nature to pay more attention to what people do than to what they say.  Compliance must be incentivized; violations disciplined.  And the response must be even-handed.  Too often we see low-level employees who implemented bad conduct fired, but bosses, who did nothing to stop the conduct – and may even have directed it – left in place without sanction.”  To my mind, this has always been a weakness of many C&E programs, as discussed in this earlier post.

Fifth, Miller said that “expanding corporations must extend their compliance programs to all of their subsidiaries – even, or perhaps especially, those that were recently acquired – and must ensure that compliance policies are understood and implemented by all employees, no matter what country they work in.”  This seems an especially important point, given the history of C&E failures involving subsidiaries, joint ventures and other members of corporations’ “families” – as discussed in this eight-part series from the FCPA Blog.

Finally, there was lots more to the conference than Miller’s fine speech – but I don’t have permission to post all of  it, as it is for PLI members and other conference attendees.  I can, however, post this legal update I gave with Joe Murphy with lots of information about how law promotes – and sometimes impedes – companies developing strong C&E programs.