Introduction
The Complete Compliance and Ethics Manual (CCEM) will guide compliance professionals to maintain and improve all components of a compliance and ethics program. However—as with any journey—it helps to have a roadmap to provide some context along the way.
Ethics. Compliance. Culture. Even 30 years after the first publication of the U.S. Sentencing Guidelines Manual,[2] there is not a clear consensus in the field on the differences between “ethics” and “compliance.” Nor is there clarity on the role that organizational culture plays in reducing the risks of misconduct. Yet, these terms and the concepts behind them are each important in creating an effective program. Your job is to understand what that balance among them needs to look like in your organization.
The goal of this introduction to CCEM is to provide some insights into how to create that balance.
What Is “Good Enough?”
What are your company’s objectives in establishing an ethics and compliance program? Not getting into trouble is certainly high on the list. Equally important is to avoid corporate culpability if an employee does go off the rails. Some companies want to reach higher than pure risk mitigation and demonstrate integrity as a key corporate value. For most companies the question of program objectives is answered by looking at what the normative standards in the industry are and then gauging if the program meets those standards.
For many organizations, those normative standards have been the seven steps of an effective program set out in the Federal Sentencing Guidelines for Organizations, first published in 1991.
The seven steps of the Federal Sentencing Guidelines are:
- Establishing standards and procedures to prevent and detect criminal conduct.
- Oversight by high-level personnel.
- Due care in delegating substantial discretionary authority.
- Effective communication to all levels of employees.
- Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal.
- Consistent enforcement of compliance standards, including disciplinary mechanisms.
- Reasonable steps to respond to and prevent further similar offenses upon detection of a violation.[3]
These standards have set a solid foundation over the years. Research undertaken by the Ethics & Compliance Initiative (ECI) has shown that in organizations that maintain even minimum standards—such as adhering to the seven steps of the Sentencing Guidelines—employees are still twice as likely to report misconduct as employees in companies that have no program in place.[4]
But the seven steps themselves are not magic beans. Despite the tremendous effort it takes to build the framework of a program, a framework alone is just the starting point. Organizations that are committed to building an effective program must honestly ask: How will enacting the standards effectively reduce the risk of misconduct in our organization? While few companies would say that their objective in setting up a compliance program is to “check the box,” it is increasingly clear that an effective program requires more than just establishing a compliance program that meets the seven steps of the Sentencing Guidelines.
What else is needed? Managing the organization’s culture. What many organizations have known for years is now clearly in the sights of regulators and prosecutors: Corporate culture significantly influences behavior. To have an effective compliance program, an organization must understand how its work environment influences positive—and negative—behavior. Ethics and its role in influencing corporate culture need to be taken quite seriously. What was once seen as a soft “nice to have” is now the baseline.
Expectations have evolved since 1991. When the Sentencing Guidelines were first drafted, not only was the term “ethics” not included, neither was the term “compliance.” The original objective was to establish “an effective program to prevent and detect violations of law.”[5] An effective program was one that prevented and detected criminal conduct.
The emerging standard now looks more deeply at corporate culture as a root cause of misconduct. Programs are now expected to address preventive measures, and companies are being held accountable for the effectiveness of their programs.
So, what are the new standards? A new baseline has been established by the U.S. Department of Justice (DOJ) in guidelines titled “Evaluation of Corporate Compliance Programs” (ECCP).
In recent comments, Assistant Attorney General Kenneth Polite explained the goal of the ECCP this way:
“As our Evaluation of Corporate Compliance Programs guidance makes clear, we expect an effective corporate compliance program to be much more than a company’s policies, procedures, and internal controls. We expect companies to implement compliance programs that: (1) are well designed, (2) are adequately resourced and empowered to function effectively, and (3) work in practice.”[6]
Let’s look more closely into these three criteria:
Is the corporation’s compliance program well designed?
Does the program address the specific risks faced by the organization? Are there adequate policies and procedures? Are training and communication efforts tailored to the unique requirements and needs of the organization?
Is the program adequately resourced and empowered to function effectively?
In other words, is the program being implemented effectively? “The company’s top leaders—the board of directors and executives—set the tone for the rest of the company. Prosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.”[7]
Does the corporation’s compliance program work in practice?
“To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks. Prosecutors should also consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.”[8]
While this guidance is not law, best practices in the ethics field have always been to meet and exceed standards and guidance laid out by DOJ or the U.S. Securities and Exchange Commission (SEC). All companies should seek to be at a normative baseline compared to other companies in their industry.
So now the bar has been raised. How should organizations work toward ensuring these guidelines are met? As a first step, we need to have working definitions of compliance, ethics, and culture.