[Return To Selected Articles]
January/February 2000 - by Joseph E. Murphy
Examining The Legal And Business Risks Of Compliance Programs
There can be little question that compliance programs are a requirement for prudent management in any organization today. The risks that drive this decision are enormous—criminal enforcement, regulatory enforcement, civil claims and punitive damages.
Organizations face enforcement initiatives at multiple levels—federal, state and local—and on a multinational basis if they operate overseas. If a violation occurs, there is likely to be not only an investigating agency, but also skeptical employees, questioning customers, and intense media and public scrutiny. The risks are extraordinary, making compliance programs a corporate necessity.
But the story of risk does not end there. The very act of instituting and managing a compliance
program can itself create risks that must be addressed.
Dealing with these risks calls for careful work. This article will inventory a variety of these risks, and suggest some ways to address them. But this is only a summary. Ultimately, those responsible for compliance programs will find it essential to obtain sound legal advice in their work.
Adverse use in litigation. One of the most disturbing risks in compliance programs is the potential for adversaries to exploit program
material in litigation. Audits, investigations, hotline logs and similar materials may become litigation roadmaps. Adversaries may try to use them as a substitute for doing their own case work in litigation. In the Lucky Stores case, an adversary even used notes taken in a compliance seminar as a basis for claiming punitive damages. Indeed, a compliance office can become a lightning rod for litigation and discovery. An adversary may find that the program has arranged all of the company’s
embarrassing materials in one place, and designated one officer, the compliance officer, who knows everything bad that has happened.
In addition to providing such a tactical advantage for adversaries in litigation, the documentation generated by audits, investigations and other internal assessments may also contain negative statements that can be taken as admissions against interest. In the litigation context such admissions may blunt or eliminate the ability to contest an adversary’s
allegations. Moreover, even if the documents do not admit legal violations, they still may invite an adversary to claim to a jury that the company did not live up to its own standards. The subtlety of the distinction between binding legal standards and self-imposed compliance standards may well be lost on a jury looking for a basis to impose liability on a giant company.
Several points apply for addressing this area of risk. The first, and most fundamental, is to be sure that all those
associated with the compliance program are conditioned to think before writing, and to consult freely with the legal department about how to document compliance matters. At least in the most sensitive areas, and in any preparation for litigation, the company may take steps to permit it to assert attorney-client and other privileges.
If the compliance program is to conduct self-assessments of any sort, there are certain fundamental points to remember. First, follow the advice applied by
trial lawyers—never ask a question if you are not prepared for the answer. In the compliance context, do not conduct audits or other self-assessments unless you are sure that management will take whatever action is necessary to remedy any findings. Once an audit or similar step is taken, and there are findings (if there are no findings, go back and re-do your audit), remember these three most important principles: 1) follow-up; 2) follow-up; and 3) follow-up. Conducting an audit and then not
fixing the problems found is an open invitation to adversaries in litigation.
Making unintended contracts. Codes, employee manuals, disciplinary manuals, and other such documents can be interpreted as binding obligations against the company. Any promise of continued employment, or statements that discharges will only be for cause, or that anyone accused of a violation will receive "due process" may be read by a court as a legally binding commitment by the company.
writing codes and other compliance policies, only promise what you know management can and will deliver. Special care must be used in committing to "due process," "fairness," a "hearing," or similar procedural protections in connection with disciplinary steps. Such open-ended statements may cause a court to require courtroom-like formalities, including cross-examination, the right to appeal, and even the right to have one’s own lawyer participate. This can
quickly mire a company’s compliance program in procedural wrangling and prevent the imposition of effective discipline. While it is good advice to treat employees fairly, it is problematic to appear to make commitments if you cannot be sure they will always be carried out.
Defamation and privacy. Those working in compliance must be especially careful in what they say and write, and how they conduct investigations. Negative statements about an employee under investigation can result in
defamation claims being brought, as happened to Griffin Bell in the E.F. Hutton internal investigation. Compliance office personnel conducting investigations should know not to make accusatory statements about the targets of investigations, and to make sure that any conclusions reached at the end of an investigation are fully supported and documented. Overzealous investigation techniques can also create risks and lead to infringements of employees’ privacy protections.
investigations it is necessary to take steps to protect the identity and reputation of those under investigation. It is also necessary to know the limits of legitimate investigations, and what privacy protections exist in states where investigations are conducted. For example, the company needs to comply with applicable wiretap laws, which can vary from state to state.
On the positive side, there are state statutes providing a privilege for employers to communicate about wrongdoing by
employees. Each state’s laws should be reviewed. Even with such a protection, it is still important to use care to bring the investigation within the standards of the state’s laws.
Wrongful discharge claims. Employees who are terminated for compliance violations may bring wrongful discharge claims against the company. It is important to remember that even bad guys can sue. A company may decide to discharge an employee based on the results of an investigation, but there is no guarantee
that a jury, looking at the findings with the benefit of hindsight, will agree with the company’s conclusions. If a jury believes the employee did not get fair treatment, it may hold that against the company.
It is important, therefore, to be fair in the investigation and disciplinary processes. It may be highly risky to make open-ended promises of procedural protections, but it is wise to make a point of providing some such procedure in practice. In that way the process will strike an
outside observer as demonstrating that the company was serious about finding the truth and was not using the disciplined employee as a scapegoat. Such procedures are also likely to improve the quality of the fact-finding process.
Whistleblower protection. One function of a compliance program is to bring to light instances of internal wrongdoing. This is done by encouraging employees to raise questions and report potential problems. Whether or not explicitly promised, employees rightly
expect that they will not be punished for making such calls. The existence of a reporting system raises their expectations.
Failure to protect anonymity and confidentiality for whistleblowers and failure to protect them from retaliation constitute significant risks for the company. There is serious danger in raising employees’ expectations and then disappointing them. A wronged whistleblower will have powerful appeal to a jury.
To address this risk, there should be strong
policies against retaliation. It may also be wise to follow up with whistleblowers periodically to ensure that they are not being mistreated.
Discrimination and disparate impact. An effective compliance program will result in serious disciplinary steps being taken against those who break the rules. Great care must be taken, however, that the discipline is consistent with respect to protected groups of employees.
This can be a particular problem when the program is first being
energized, and discipline is imposed in cases where it had not been before. Differences in treatment of employees invite allegations of discrimination. There is also the risk that the sanctions applied to particular types of violations could have a disparate impact on the workforce and add to the appearance of discrimination.
Conducting background checks and screening new hires are also functions that require care to avoid allegations of discrimination. For example, if a company were
to check arrest records, it could quickly find its practices being challenged as having a disparate impact in the hiring process, and thus being illegally discriminatory. Good legal advice would explain the difference between permissible checks of conviction records, and the dangers of using arrest records.
The Fair Credit Reporting Act. A diligent compliance program will likely include at least some background checks before hiring key people. It will also certainly include conducting
investigations when there are allegations of misconduct. Where the background checks involve difficult cases or large numbers of employees, and in cases where internal investigations require resources not available in-house, companies will go to outside, qualified firms to perform these functions.
If outside firms are used for background checks in the hiring process, then that process is covered by the Fair Credit Reporting Act. The prospect’s permission needs to be obtained, and other
requirements need to be met to comply with the law. Companies need to be alert to these requirements, since the title of the act with its reference to "credit" reporting could cause some to overlook the fact that it also applies to hiring practices.
There is, however, an even greater surprise lurking in this statute. According to an opinion of the Federal Trade Commission’s staff, even the conducting of an internal investigation, if the company uses outside firms, triggers
the requirements of this law. Thus, according to the FTC staff, in order to have an outside law firm conduct an internal investigation, the target of the investigation would have to give consent, and the report would have to be made available to the employee investigated. It is difficult to believe that Congress had anything like this in mind when it wrote the law, but it now appears to be a trap lying in wait for the otherwise diligent, but unsuspecting, compliance manager. The FTC’s staff
had offered some limited advice on dealing with the absurdity that this interpretation produces, but application of the law in this context is still likely to lead to nonsense and wasteful legal claims.
Dealing with agents and subsidiaries. The federal Sentencing Guidelines for Organizations contain several references to agents, and indicate that companies have some responsibility for addressing the risk of misconduct by third parties acting on their behalf. It is expected that, to
some extent, company programs will extend their reach to agents. This may be a commendable act, but if a company exercises too much control there are potential legal consequences.
If there are sufficient controls over an agent, that person may be considered an employee, with all the legal consequences that follow—such things as responsibility for withholding taxes and eligibility for the company’s employment benefits. There is also the risk of extended liability for the company if it
exercises so much control over the agent that it ends up having the agents’ acts attributed to it.
This is not to say that merely having an agent subject to aspects of a company’s compliance program will result in the agent being held to be an employee. But the determination of employee status is an incremental analysis, and the more control a company exercises over an agent, the greater the risk of such a finding.
Similar types of concerns can surface in the relationship
between a parent and its subsidiaries when the parent implements a systemic compliance program. At the extreme end, if the parent ignores corporate form (and this would certainly involve more than just a compliance program), there could be a piercing of the corporate veil. (For more on the ‘corporate veil,’ see ethikos, November/December 1999.) Short of this, however, a high degree of parent participation in the subsidiary’s functions could subject the parent to jurisdictional claims based on
its activity in implementing the compliance program.
These risks should not suggest that a company ignore its agents, or leave its subsidiaries on their own. However, they do require that companies pay attention to this issue, and use caution in what they do. For example, it would be wise both from a legal and a compliance perspective to ensure that substantial subsidiaries have their own compliance functions, such as a compliance director, even though the overall compliance program is
guided by the parent company. This can secure greater buy-in at the local level.
Disillusioning the compliance staff. When a company initiates a compliance program and installs its compliance staff, it may make a public pledge to conduct itself with the highest integrity. While this may sound like a fine and worthy step, it is important not to pledge more than the company is sure to deliver.
The compliance staff will be required to bring these commitments to life. If company
management is not serious, however, it can sharply disillusion the compliance staff. These employees, moreover, are positioned in a most sensitive part of the company, and if they become sufficiently upset at the company, they can become whistleblowers. If the company is a government contractor, they could be qui tam plaintiffs against the company as well. In such an event, they will likely have enormous credibility; their accusations will have a strong impact on the company.
soundest advice for managers creating a compliance program is to be honest and realistic about the program. Avoid leading anyone—and especially the compliance staff—into thinking the program is something that it is not.
Labor law risks. Managers responsible for a company’s compliance program need to pay special attention to their labor lawyers, particularly if bargaining units are represented in the work force. If there is a union contract, then implementation of a code of conduct, and
perhaps other parts of a compliance program, may require union bargaining. Failure to do so could be attacked as an unfair labor practice, as American Electric Power discovered in proceedings before the National Labor Relations Board.
It is necessary to be familiar with the bargaining unit’s contract and to make sure that compliance program procedures do not clash with the contract. For example, employees subject to a compliance office investigation may have the right to protections
under their contract, such as the presence of a union representative during any interviews.
Obstruction of justice. Responding to allegations of misconduct or notice of government proceedings requires great skill to avoid making a bad situation much worse. If improper or careless methods are used in an internal investigation it can appear, after the fact, as if the company was trying to cover up violations or distort witnesses’ potential testimony. The important advice here involves
fundamental points about conducting investigations: Companies should not let amateurs conduct investigations, and they should not let those with an interest in the matter under examination participate in the investigation, or have access to information that is being developed in the investigation.
It is also essential that all documents relevant to an investigation or government proceeding be faithfully preserved. If the compliance program has addressed records management issues
adequately, then procedures should be in place to interdict destruction of relevant documents and electronic records.
Dealing with voluntary disclosures. The government now expects companies that uncover violations to disclose their findings to the government and to cooperate in the government’s own investigation. This appears to be a sine qua non for government recognition of a company’s good faith. Yet this act of good faith is heavy with risk.
Often there is an absence of
commitment from government. Although some agencies, such as the Antitrust Division of the U.S. Department of Justice, will guarantee favored treatment after a voluntary disclosure, the more usual approach is a vague, unnervingly noncommittal statement of intent.
Thus, a voluntary disclosure can still lead to vigorous criminal enforcement. Moreover, for practical purposes, disclosure to one agency is disclosure to all. Even if one agency promises to treat the disclosure favorably, other
government agencies may take a different approach. To compound this risk, it is likely that any such voluntary disclosure would seriously undermine, if not eviscerate, any claim to privilege protection for whatever is disclosed.
If disclosure is made to the government in a matter where there is also civil exposure, then the company will face the prospect of private claims, including punitive damages claims and treble damages claims in antitrust and RICO cases. Here the company has
probably waived privilege protection, and, having neatly tied the case together with a ribbon, given everything to the government.
There are steps a company can take in making a voluntary disclosure that will maximize the chances of preserving privilege protection, but this is a difficult argument to win. It would include obtaining the agency’s agreement not to assert waiver and to treat the information disclosed as confidential.
Impact of the compliance program on the
workforce. When a compliance program is well designed and well executed, it can add positively to the culture of a company and have a strong positive effect on employee morale. But if it is not well thought out, it can have the opposite effect.
If a program is implemented without proper forethought and explanation to employees, the employee body may speculate: What recent management wrongdoing has triggered this sudden concern about ethics? It can also cause resentment among employees
who are suddenly being given the message that management does not trust them, and considers them perhaps little more than rogues and criminals. In one instance, in a General Motors plant in Canada, workers called a walk-out after the company announced it was starting a hotline—labeled by employees a "snitchline."
Investigations can be another source of employee discontent. If a work unit is subject to the intrusion of an investigation, this can substantially damage the morale
of the unit. An alert management can ameliorate this impact if it addresses the issue in a careful way. (See ethikos, January/February 1998, "Investigation, Termination–and the Aftermath.")
To minimize these risks, it is important to obtain employee input as part of the compliance program. Employee focus groups, and other regular participation by employees should give compliance program managers a sense of the company’s culture and which initiatives will be well received by
Reducing the risks. Many of the risks cited here can be ameliorated as long as management is sensitive to them and addresses them in advance. One of the keys in this process is to be sure that all those involved in the compliance process think before they act, and think before committing anything to writing.
It is also important to be fully aware of the potential role of privilege protection in compliance activities. The attorney-client privilege can have great value
in this respect, although even then documents should always be written with the assumption that they will not be protected. If there is a litigation context, it is also possible to assert work-product protection.
A number of other privileges are possible sources of protection, although none can be fully relied on. These include the self-evaluative privilege, state statutory protections for compliance activities such as environmental audits, the ombuds privilege, and state statutory
accountant-client privilege protection. Legal advice should be obtained from a lawyer familiar with these protections to determine which ones might be available.
Conclusion. In creating an effective program, it is certainly true that compliance is a management function, but the degree of risk and the close connection with litigation requires a high degree of care. Compliance managers need to be thorough, fair, prompt and professional. It is always critical to follow-up and follow
through, to be sure that the work done by the compliance program helps the company in abiding by the rules.
Compliance programs do not need to be run by lawyers. There are good arguments, in fact, that compliance programs should be management programs, not legal ones. But it is always crucial to get legal advice and assistance in all aspects of the compliance program.
Finally, compliance managers need to avoid being corporately insular. If they only tend their own gardens, they
set themselves and their companies up for serious abuse by the legal system.
Companies and all those committed to voluntary compliance need to be quick to challenge any attempt by the government and the legal system to hamstring their compliance efforts or impose perverse burdens on compliance activities. They should champion reform in the courts, the agencies, and the legislatures. There is no reason to be passive in the face of legal doctrines and enforcement activities that punish
those who try to do the right thing. Such distortions serve no public interest and should be corrected promptly before they can inflict serious harm.
Joseph E. Murphy is Co-Editor of Ethikos
Reprinted from the January/February 2000 issue of ethikos
© 2004 Ethikos, Inc. All rights reserved.
[Return To Selected Articles]