Vince Farhat is a Partner in the Los Angeles office
David Schneider is an Associate in the Northern Virginia office

  • Compliance-related investigations, suspensions, and debarments are on the rise.
  • The government looks favorably on a strong corporate compliance program.
  • Independent monitors oversee a sanctioned business's compliance activities.
  • When qualifying a monitor, objectivity and merit are essential factors.
  • Successful monitorships are built on detailed agreement, communication, and collaboration.

The past few years have seen significant increases in compliance-related government investigations, suspensions, debarments, and other actions by government agencies, regulators, and law enforcement. A Government Accountability Office study in 2011 concluded that Suspension and Debarment officers were not being as aggressive as they should be,1 sparking Congressional hearings and then more aggressive sanctioning of government contractors by state and federal regulators, agency Inspectors General, and the Department of Justice (DOJ). This increased government scrutiny covers a range of issues, including False Claims Act (FCA) violations; Procurement Integrity Act violations; Federal Acquisition Regulations (FAR) violations; regulatory infractions; quality control; Foreign Corrupt Practices Act (FCPA) violations; health, safety, and welfare violations; bribery; and kickbacks.

Many government enforcement actions focus on corporate compliance and corporate ethical culture. In this landscape, creating a culture of compliance has become a maxim of good corporate governance. But how does an entity determine whether it has established such a culture? This article discusses key elements of an ethics assessment and the role independent monitors can play in collecting unbiased information, reducing risk, and mitigating potential sanctions.

Creating a culture of compliance

A strong and well-documented culture of compliance burnishes a company's reputation and helps it identify problems when they are still at a small and manageable stage. It also helps a company defend itself if it becomes the target of a government ethics investigation. The DOJ publishes the United States Attorneys' Manual (USAM), which identifies factors for U.S. Attorneys to consider when deciding whether to prosecute companies.2 Two of the factors listed involve corporate compliance programs:

  1. The existence and effectiveness of the corporation's pre-existing compliance program; and
  2. The corporation's remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one.

A strong compliance program may encourage an enforcement agency to consider accepting a remediation plan rather than seeking costly and punitive sanctions. In cases in which a matter goes to prosecution, an effective compliance program may help limit the damages.

The USAM commentary states that the DOJ "encourages" corporate compliance programs; however, "the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal misconduct undertaken by its officers, directors, employees, or agents." That is, the mere existence of a compliance program does not give a company a free pass from liability. The USAM indicates important elements of a real and effective compliance program,3 including whether:

  • the company can effectively detect and prevent misconduct;
  • the corporation's directors exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers' recommendations;
  • the company's internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy; and
  • the directors established an information and reporting system in the organization reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization's compliance with the law.

Further guidance regarding the elements of an effective corporate ethics and compliance program is set forth in the advisory Federal Sentencing Guidelines (FSG).4 In addition to the U.S. Sentencing Commission (USSC), other agencies such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Department of Health and Human Services (HHS) have compliance guidelines that can affect corporate liability. Companies should also look at the applicable agency guidance when developing a compliance program.5

As with the factors listed in the USAM, the FSG requirements for an effective compliance program can help position a company to advocate for a non-prosecution or deferred prosecution agreement and/or to curb the financial damage sustained (e.g., in the form of fines) if an agreement is negotiated. The U.S. Sentencing Commission modified the sentencing calculation relative to compliance and ethics programs in 2010 in order to incentivize self-reporting and creation of direct reporting lines between compliance officers and the corporate governing authority. In addition, it delineated some limited situations in which an organization could receive credit for an effective ethics and compliance program, even if high-level personnel were involved in the misconduct.6

Although the FSG lists seven factors of a strong compliance program,7 its overarching principles are that an organization must exercise due diligence to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. The FSG recognizes that even the best compliance programs cannot detect or prevent every possible crime; however, the compliance program must be reasonably designed, implemented, and enforced so that it is generally effective in preventing and detecting criminal conduct. In light of these considerations, it is wise for companies to train employees on how to make ethical decisions and how to respond appropriately to complaints and allegations of misconduct.

Both the USAM and the FSG give guidance about the factors important in determining whether an ethics and compliance program is real or pro forma (i.e., for the sake of form, a "paper" program), but they also allow for variability based on the size of the company and other characteristics. In general, larger companies are expected to have more formal ethics and compliance programs and more extensive mechanisms for measuring their implementation; many large companies appoint a chief ethics/compliance officer (CECO). The FSG states:

(2) (A) The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

From a practical perspective, experience has shown it is helpful if this individual has strong communication and training skills, is respected by the employees, has adequate staff and funding for the job, and understands and respects the obligations of the role. The key to success for this position, however, is ensuring that the CECO has the necessary independence, authority, and placement within the company; usually this means direct reporting responsibilities to the decision-making authorities of the company: the CEO, COO, and the board of directors. Best practices include a quarterly report from the CECO to the board, which has a fiduciary responsibility in a public company to know the ethical posture of the company.

Although a CECO can build or implement an adequate program, a true culture of compliance requires commitment from a company's leadership. The "tone at the top" of such an organization is one in which all levels of staff are encouraged to do the right thing and managers are expected to be role models of ethical and compliant behavior. The tools that support this type of culture include:

  • An up-to-date and useable code of conduct that states the company's and the employees' responsibilities and focuses on the unique vulnerabilities of the company;
  • Values-based and compliance-focused ethics and compliance training;
    • Effective education in this area comprises a mix of live and computer-based initiatives, with examples based on scenarios likely to be encountered in the field.
    • Tests of comprehension reinforce the message and identify areas in which the organization needs to improve its messaging.
  • A mechanism for providing advice to employees who have ethics or compliance questions;
  • Written acknowledgement by all employees of their duty to report observed ethical violations;
  • A mechanism for collecting reports of violations, such as an anonymous reporting hotline that allows employees to convey information without fear of retribution;
  • A fair process for dealing with reports, complaints, allegations, and investigations. In instances in which violations are found, disciplinary action should be both progressive (e.g., proportionate to the seriousness of the violation) and consistent across the organization (i.e., not based on a person's rank in the company or how much business he/she brings in). Ideally, the program should function as both a carrot and a stick, incentivizing employees to act properly while disciplining improper actions;
  • Internal auditing to determine whether the ethics and compliance program is being followed and to look for possible misconduct or criminal activity; and
  • Periodic reassessment of the overall effectiveness of the company's ethics and compliance efforts, as well as updating of its program and processes.

The FSG encourages periodic independent assessments as a means of determining this overall effectiveness from an objective standpoint and identifying areas of risk. Commentary to the FSG states:

6. Application of Subsection (b)(7).— Subsection (b)(7) has two aspects.

First, the organization should respond appropriately to the criminal conduct...

Second, the organization should act appropriately to prevent further similar criminal conduct, including assessing the compliance and ethics program and making modifications necessary to ensure the program is effective. The steps taken should be consistent with subsections (b)(5) and (c) and may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications.

Independent monitors: Reducing risk and managing potential sanctions

An organization can benefit from the services of an independent monitor in several situations.

As noted above, companies are encouraged to not only conduct internal assessments of their ethics and compliance programs, but periodically to have them independently evaluated. A large organization with well-established rules and processes can benefit from the viewpoint of an outsider who is not wedded to the current system or influenced by the politics within the company. A smaller organization with a less formal ethics and compliance program can benefit from the focus of an independent monitor and from the monitor's knowledge of best practices in the field. Engaging this type of outside professional advisor will help a company identify its evolving areas of risk and improve its systems for preventing unwanted behavior, thereby further demonstrating its commitment to compliant and ethical behavior, if it is subject to investigation by a regulatory authority or enforcement agency.

For many companies, however, the idea of using an independent monitor is first raised in discussions of deferred prosecution or non-prosecution agreements, plea agreements in criminal matters, debarment proceedings, settlement agreements, probation or corrective actions, or corporate integrity agreements. In a typical scenario, a company might self-report an ethics violation to the agency for which it is providing contracted services. The self-report, along with a demonstrated ethics and compliance program, might indicate that the company was a suitable prospect for a non-prosecution agreement, rather than prosecution or sanction. The non-prosecution agreement would require correction of the reported problem plus ongoing independent monitoring for an agreed-upon period to support its continued compliance.

An independent monitor who will take on the role of overseeing the compliance activities of businesses or professionals who have been sanctioned for violating laws or regulations should be a person (or organization of people) with in-depth knowledge of and experience with regulatory schemes. Selecting an independent monitor is simultaneously one of the most important and most difficult decisions regarding the use of a monitor. In 2008, Acting Deputy Attorney General Craig S. Morford wrote a memorandum (the Morford Memo) for U.S. attorneys, regarding the "Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations."8 The Morford Memo provides principles for drafting independent monitor-related provisions, and these were updated in 2010 by Acting Deputy Attorney General Gary Grindler.9 Collectively, these documents describe the monitoring process overall and the selection of a monitor in particular. The Suspension and Debarment officials of several federal government agencies have since adopted these principles in their selection of monitors.

The most important factor in qualifying a monitor is the monitor's objectivity/lack of conflict of interest. The monitor should not have a personal or business relationship with the company, and should not be a stockholder, a former employee of the business, or someone looking for a permanent position there. In addition, the monitor should be selected on the basis of merit. A company which has been subject to a Medicare/Medicaid fraud investigation, for example, would look for a monitor well-versed in forensic accountancy as well as Medicare/Medicaid billing and coding practices.

Other criteria for an effective monitor can be inferred from the Morford Memo. Where the Memo indicates that monitoring should focus on addressing and reducing the risk of a recurrence of the established misconduct, one can assume that a monitor who understands establishing clear parameters for the project would be preferable to one who goes into an assignment ready to look at anything and everything. Where the Memo indicates that it may be appropriate for the monitor to submit periodic reports to the company, the government, or both, it can be inferred that the monitor should be an able communicator. Where the Memo indicates that the company will be expected to implement or respond to recommendations made by the monitor, one can assume that the monitor should be of a practical mindset—able to give advice about how to correct a problem, rather than one with a "gotcha" mentality who simply relishes finding violations. And, because the monitor is neither an investigator for the government nor an advocate for the company, and yet needs to be trusted by both, the monitor must be of high integrity.

Usually a monitor put in place as a result of a settlement agreement is paid by the monitored company and issues reports to both the government and the company. The agreement between the company and government directs the monitor's course of action, the scope and frequency of the oversight, as well as its duration. Newer agreements have incorporated the 2010 Grindler recommendation and address what to do if there is a dispute between the monitor and the company. Most agreements require the monitor to report on the good faith efforts of the company (or lack thereof) to comply with their terms, the extent of its cooperation with the monitor, identified areas of concern, improvements recommended and changes implemented, areas in need of additional attention, and adherence to ethics and compliance programs. It is usual practice for the government to allow the company to receive a copy of the monitor's report.

A successful relationship between an independent monitor and the client company is built on (1) a detailed agreement, (2) communication, and (3) collaboration. It is natural for a company to be concerned about opening its business to an outsider, but open dialogue between the monitor and the company makes the monitorship more efficient and effective, resulting in more pertinent and individually tailored recommendations. The thoroughness of the monitor's work and the level of company cooperation will also build the trust of the government.

It bears repeating that an independent monitor is not an investigator. The assumptions behind a settlement agreement include (1) the company acknowledges shortcomings in its systems, and (2) the government accepts its proposal to correct these problems. The monitor, therefore, is reporting on the process of identifying and correcting weaknesses, not on all compliance matters within an organization. Analyses of company weaknesses—especially of systems failures—vary tremendously, according to the underlying issues. As mentioned above, a billing fraud issue might trigger a forensic accounting assessment. A FAR ethics violation, on the other hand, might warrant a review of the company's ethics policies and its ethical culture. The tools of such information gathering include document and policy reviews, interviews, participation in staff training, conducting focus groups, and surveys.

No matter what the underlying issue is, the monitor should provide an assessment of the company's internal controls. This is important for several reasons:

  • Typically, the failure of the company's internal controls led to the acknowledged problem;
  • The company's ability to consistently identify and correct its own problems will prevent future lapses; and
  • Strong internal controls signify to the government that the company can be trusted.

All risk cannot be eliminated, but the assessment should help a company determine how its programs, policies, pay, and promotion structures may be contributing to its risk of unethical or noncompliant activity. And, as noted above, the monitor should offer practical recommendations for improvement which can be measured and tracked. An effective monitor is one who can convey these recommendations while maintaining the neutrality to report on their implementation in an objective and truthful manner.

Conclusion

The current compliance environment is a high-stakes game for companies doing business with, or under the regulatory eye of, government agencies. The use of independent monitors is one more tool that companies and their counsel have available to demonstrate commitment to remediation and a willingness to work with the government—a tool which may help them avoid the more punitive approaches to compliance that government agencies are taking with ever greater frequency.

Originally published in Compliance & Ethics Professional, September/October 2013.

Footnotes

1. U.S. Government Accountability Office: Suspension and Debarment: Some Agency Programs Need Greater Attention, and Governmentwide Oversight Could Be Improved. GAO-11-739, Aug 31, 2011. Available at http://1.usa.gov/13337GH

2. United States Attorneys Manual. Available at http://1.usa.gov/19xBEo2

3. Ibid, at 28.800.

4. USSC, Federal Sentencing Guidelines. Available at http://bit.ly/17TWrOy

5. See e.g., SEC 17 CFR Parts 270, 275, and 279, Compliance Programs of Investment Companies and Investment Advisors; Final Rule, December 24, 2003. http://1.usa.gov/14iH2dp; See also, FINRA Rule 3130 Annual Certification of Compliance and Supervisory Processes. Available at http://bit.ly/16Enf3W; See e.g., HHS Compliance Guidance http://1.usa.gov/1aWWxa4

6. USSC Guidelines Manual, Supplement to Appendix C, Amendment 744, pp. 361-363, November 1, 2010. Available at http://bit.ly/13ZOJlL

7. 2012 USSC Guidelines Manual, §8B2.1. Available at http://bit.ly/1ebrG9g

8. Craig S. Morford, Department of Justice Memorandum, March 7, 2008. Available at http://1.usa.gov/1bKqPR2

9. Gary G. Grindler: Additional Guidance on the Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations, Department of Justice Memorandum, May 25, 2010. Available at http://1.usa.gov/1aWWTNI
