Originally published September 27, 2004

Codes of conduct have become the norm for public companies. Stock exchanges mandate them as a corporate governance requirement. Pursuant to the Sarbanes-Oxley Act, public companies must disclose whether or not they have a code of ethics for their principal executive, financial and accounting officers and must disclose amendments and waivers to this code of ethics on a Form 8-K or on their websites. Similarly, the NYSE and Nasdaq listing standards require prompt disclosure of waivers of the code of conduct for any director or executive officer. Organizations that rate corporate governance inquire as to the existence of a code of conduct. Some companies view the code of conduct as an important component of the internal control system. The codes of conduct are readily available for the public to view — they can be found on websites and/or as exhibits to Securities and Exchange Commission filings. So, now everyone has a code of conduct. However, simply having a code of conduct is not enough for the purposes of the Sentencing Guidelines. Acode of conduct is an integral part of an effective compliance and ethics program, but it is not the only part of one.

Last spring, the United States Sentencing Commission sent to Congress significant changes to the federal Sentencing Guidelines for organizations. The amended Sentencing Guidelines will become effective on November 1, 2004, unless Congress disapproves them. The amended Sentencing Guidelines are available in full at http://www.ussc.gov/FEDREG/ 05_04_notice.pdf. (The portion of the amended Sentencing Guidelines addressing organizations is Chapter Eight, which begins on page 148 of this document.)

Ideally, a company will never find itself in the position of facing sentencing for corporate wrongdoing, but if it does, an effective compliance and ethics program is a mitigating factor that could reduce the ultimate penalty a company has to pay with respect to specific governmental fines and sanctions. (The absence of an effective program may lead a court to place a company on probation and the implementation of an effective program may be a condition of probation.) Also, an effective compliance program may limit the risk of aiding and abetting liability in private litigation by uncovering, correcting and preventing misconduct. With the effective date for the amended Sentencing Guidelines approaching, companies should consider whether they need to make any changes in their compliance programs.

The amended Sentencing Guidelines strengthen the existing criteria that a company must follow to establish that it has an effective compliance program and introduce new concepts into the definition of an effective compliance program. To emphasize its importance, the criteria for an effective compliance and ethics program has been elevated into its own, separate guideline (as opposed to its prior appearance as commentary). The amended Sentencing Guidelines require high-level responsibility for compliance. The Board must be knowledgeable about the content and operations of the program and members of senior management must administer the program. Training, which had been one way of communicating standards under the existing Sentencing Guidelines, will become a mandatory element of a compliance program once the amended Sentencing Guidelines become effective. And, this training obligation extends to directors and high-level personnel. The amended Sentencing Guidelines focus on incentives for compliance as well as discipline. The amended Sentencing Guidelines also introduce the concept of periodic assessment of potential risk of criminal conduct as a component of an effective compliance program for each company. Companies must provide sufficient resources for their compliance programs. Companies are specifically charged with promoting an organizational culture that encourages ethical conduct and compliance with law.

Under the amended Sentencing Guidelines, a company’s culpability is generally determined by six factors. Two of these are factors that mitigate the ultimate sentence:

  • the existence of an effective compliance and ethics program; and
  • self-reporting, cooperation or acceptance of responsibility.

In addition, the amended Sentencing Guidelines list four factors which increase punishment. These are:

  • involvement in or tolerance of criminal activity;
  • the company’s prior history;
  • a violation of an order; and
  • obstruction of justice.

An effective compliance program, which by itself serves as a mitigating factor in sentencing decisions, should reduce negative factors that courts are to consider such as tolerance of criminal activity.

Requirements of an Effective Compliance and Ethics Program

The amended Sentencing Guidelines establish two major requirements for an effective compliance and ethics program. First, the organization must exercise due diligence to prevent and detect criminal conduct. Second, the organization must promote an organizational culture that encourages ethical conduct and a commitment to compliance with law. The amended Sentencing Guidelines set forth seven minimum requirements for an effective compliance and ethics program, each of which must be met.

  1. Standards and Procedures. The first minimum requirement is the establishment of standards and procedures to prevent and detect criminal conduct. This is where a code of conduct addressing compliance with law fits in. In addition, a company may have detailed policies and procedures, not formally part of the code of conduct, that supplement the code of conduct.
  2. Board and Senior Management Oversight. According to the amended Sentencing Guidelines, for a compliance and ethics program to be effective, the organization’s governing authority (i.e., its board of directors, or if the organization does not have a board of directors, its highest- level governing body) must be knowledgeable about both the content and operation of the compliance and ethics program. The governing body must exercise reasonable oversight of the program’s implementation. This can be done through a board committee, such as the audit committee (which for a NYSE listed company is specifically charged with responsibility for legal compliance), with the board committee reporting periodically to the board. The amended Sentencing Guidelines also require that high-level personnel of the organization (i.e., persons with substantial control or who have a substantial policy making role, such as directors and executive officers) ensure that the organization has an effective compliance and ethics program. The amended Sentencing Guidelines use the word "ensure" in this requirement, setting a high standard of responsibility for the individuals in the top levels of authority who are charged with compliance responsibility. Specific, highlevel individual(s) within each organization must be assigned overall responsibility for the compliance and ethics program. In addition, specific individual(s) must be given day-to-day operational responsibility for the program. These operational individuals must report periodically to high-level personnel and, as appropriate, at least annually, to the board of directors. The individuals who are given operational authority for the compliance program must be given adequate resources, appropriate authority and direct access to the board or a board committee. The individuals with responsibility for the compliance program must perform their duties with due diligence and must promote an organizational culture that encourages ethical conduct and a commitment to compliance with law.
  3. Screening. A company must use reasonable efforts so that it does not permit individuals who have engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program to exercise a substantial measure of discretion in acting on behalf of the organization. The amended Sentencing Guidelines impose a due diligence obligation as part of this requirement. In applying this requirement, a company may consider the relatedness of the misconduct to the specific responsibilities to be performed, the recency of the misconduct and whether the individual in question has engaged in other misconduct.
  4. Training and Dissemination of Information. The fourth component of an effective compliance and ethics program consists of training programs and the dissemination of information appropriate to an individual’s roles and responsibilities. This obligation applies to directors, high-level personnel and personnel who exercise substantial discretion on the part of the company, as well as to employees in general and, in appropriate circumstances, to a company’s agents.
  5. Monitoring and Auditing. The amended Sentencing Guidelines require a company to take reasonable steps to ensure that the program is followed, such as monitoring and auditing to detect criminal conduct. The company must periodically evaluate the effectiveness of its compliance and ethics program. The company must also establish and publicize a system to report or seek guidance regarding potential or actual criminal conduct.
  6. Promotion and Enforcement. The sixth minimum element of an effective compliance program is the promotion and consistent enforcement of the program throughout the organization. There should be appropriate incentives to perform in accordance with the program and appropriate disciplinary action, both for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct. While adequate discipline is a necessary component of an effective compliance program, the amended Sentencing Guidelines do not mandate the form of discipline other than to require that it be appropriate to the specific case.
  7. Responding to Violations. Finally, if criminal conduct is detected, the amended Sentencing Guidelines require that the organization take reasonable steps to respond appropriately and to prevent further similar criminal conduct. This may require modifying the company’s compliance and ethics program.

Satisfying the Compliance Program Guidelines

Each of the above-described minimum requirements must be met in order for a company to have an effective compliance and ethics program for the purposes of the amended Sentencing Guidelines, but the amended Sentencing Guidelines explicitly recognize that the specific actions necessary to satisfy a requirement may vary based on applicable industry practice or government regulation, the size of an organization or similar misconduct. As a result there is no "one size fits all" approach to a compliance program.

Conformance to Industry Practice and Comply with Governmental Regulation. It is critical to follow applicable industry practice and standards required by any governmental regulation. The amended Sentencing Guidelines expressly provide that failure to do so will weigh against a finding that an effective compliance and ethics program exists. Therefore, codes of conduct and company policies should be drafted so that they promote compliance with applicable standards set by the industry as well as governmental regulations.

Size of Organization Considerations. Larger companies will be expected to have more formal compliance operations — and to devote greater resources to compliance activities — than smaller companies. The amended Sentencing Guidelines also suggest that larger companies should be encouraging smaller companies to implement effective compliance and ethics programs, particularly if they seek to do business with the larger company.

While smaller companies may meet compliance requirements with less formality and fewer resources than larger companies, they must nevertheless demonstrate the same degree of commitment to ethical conduct and legal compliance as larger companies. Smaller companies may, for example, use available personnel rather than hiring separate compliance staff. Training may occur through informal staff meetings and monitoring may occur through "walkarounds" or continuous monitoring. The Board may directly monitor the program. Compliance programs may be modeled on well-regarded programs of similarly situated companies.

Similar Misconduct. Recurring misconduct will cast doubt upon the effectiveness of a compliance and ethics program. For this reason it is very important to respond firmly to problems that may arise and to modify the program as necessary to avoid repeated violations by anyone within the organization.

Risk Analysis. The amended Sentencing Guidelines require a risk analysis to be performed in connection with the implementation of the required elements of an effective compliance and ethics program. That is, companies must periodically assess the risk of criminal conduct in their organizations, which may vary depending on the businesses engaged in and the methods of conducting business. This analysis should take into account the nature and the seriousness of the potential criminal conduct. Based on this risk analysis, they must take appropriate steps to design, implement or modify the actions that they are taking to satisfy each requirement of an effective program in order to reduce the risk of criminal conduct that they identify. Companies are expected to prioritize their resources to target potential criminal activities that pose the greatest risk. This is not only an ongoing process, it is one that must be specifically tailored for each company.

Practical Considerations

  • Benefits of an Effective Compliance Program. Mitigation of penalties after something has gone wrong is not the only benefit of a compliance and ethics program that will satisfy the requirements of the amended Sentencing Guidelines. The principles of an effective compliance and ethics program outlined in the amended Sentencing Guidelines represent a governmentally sanctioned statement of what is expected from a corporate governance perspective. It will be looked upon as a measure of good corporate citizenship. The requirements of the amended Sentencing Guidelines in this area may be used as a measuring stick by institutional investors and organizations that rate corporate governance. Evidence of an effective compliance program may also lessen the threat of a governmental investigation. The minimum requirements of the amended Sentencing Guidelines may have been developed by a review of best practices, but they may now become more than a set of best practice goals. Because the amended Sentencing Guidelines are promulgated by the government, they may actually take on a heightened sensibility. Organizations may find that these standards become viewed as obligatory requirements rather than as a tool to reduce penalties that hopefully will never have the occasion to be imposed.
  • Ongoing Evaluation and Revision. A code of conduct should be an evolving, rather than a static document. A great deal of attention was focused on codes of conduct during the last year and a half as companies sought to comply with new listing requirements and SEC rules, and to generally respond to the corporate scandals that led to the adoption of Sarbanes-Oxley. This work is not completed, however. Unlike stock exchange listing standards or the SEC’s rules on disclosure of codes of ethics, the amended Sentencing Guidelines do not dictate mandatory elements that must be part of an organization’s code of conduct. Best practices are evolving. Therefore, there is no set of amendments that needs to be made to bring a code of conduct into compliance with the amended Sentencing Guidelines. What the amended Sentencing Guidelines do require, however, is that the compliance program of which the code of conduct is a part be evaluated on a regular basis, together with procedures for compliance.
  • Identification of Responsible Individuals. Companies should clearly identify the high-level individuals who have supervisory responsibility for the compliance and ethics program and the individuals who have the day-today responsibility for the compliance program. The amended Sentencing Guidelines do not promulgate a single approach, recognizing that a larger organization may have a greater need for formality than a smaller organization. Therefore, it is not necessary for there to be an individual in every organization with the title of compliance officer. That being said, it is important for all companies to have someone who is charged with compliance responsibilities, even if that person also performs other functions within the organization.
  • Responsibility to Ensure Compliance. The high-level individuals given responsibility for the compliance and ethics program must recognize that the amended Sentencing Guidelines expect them to "ensure" that the program is effective. Compliance responsibility must be taken seriously so that the tone is set from the top.
  • Board Monitoring. It is important for reports to be given to the board or a board committee with respect to compliance and ethics issues on a regular basis. The amended Sentencing Guidelines explicitly state that the board must be knowledgeable both about the content and the operation of the compliance and the ethics program. The audit committee may take the lead role in fulfilling this responsibility, but it should report to the full board both as to content and operations. Compliance, of course, should be raised at the board or committee level whenever there is a specific issue that needs to be addressed. In addition, however, companies should consider adding compliance review to the regular schedule of board or committee activities. This requirement of the amended Sentencing Guidelines dovetails with requirements, such as that of the New York Stock Exchange, that the audit committee assist the board with oversight of the company’s legal and regulatory requirements.
  • Adequate Reporting Mechanisms. The Sarbanes- Oxley Act required public companies to implement procedures whereby accounting and auditing concerns could be confidentially and anonymously reported. To get the mitigating benefits of the amended Sentencing Guidelines should a criminal action arise, as well as to generally enhance their corporate governance profile in the eyes of investors, rating agencies and potential investigators, companies should determine that they have adequate systems in place to permit employees to anonymously report other categories of violations of laws without fear of retaliation. One way to accomplish this is through the use of a third-party, toll-free hotline, but that is not a requirement.
  • Importance of Training. Companies must recognize that under the amended Sentencing Guidelines, training is an integral part of a compliance and ethics program. This includes training at high levels, such as training programs for directors and senior management. It is not sufficient to assign duties to individuals without giving them the tools to understand and effectively implement their legal compliance duties.
  • Compliance by Agents. Companies should consider how actions of "outsiders," such as agents, suppliers and distributors, reflect upon their own compliance and ethics programs. In some circumstances, it may be appropriate to insist that these other parties adhere to the company’s compliance program or demonstrate that they have implemented their own program. The amended Sentencing Guidelines explicitly acknowledge the possibility that training of agents might be appropriate. Therefore, it is important to assess the role agents play for a company. To the extent they play a significant role in a company’s business, the company must take steps to clearly communicate its compliance and ethics programs to agents and train them as necessary.
  • Ethical Issues. The scope of the amended Sentencing Guidelines is not limited to compliance with law. The key phrase used in the amended Sentencing Guidelines is a compliance and ethics program. Companies should focus on ethical issues, as well as legal compliance, when designing their programs. This constitutes another aspect of setting the proper compliance tone from the top of the organization.
  • Compliance-Based Incentives. The amended Sentencing Guidelines explicitly mention incentives, as well as disciplinary actions. Companies should consider how to incorporate this concept in a way that is appropriate for their organizations. Including compliance as a component of employee performance evaluations may be one form of incentive. For some companies, an explicit tying of compliance performance to compensation, at least for individuals who are charged with responsibilities for oversight or operations of the compliance and ethics program, may be appropriate. No specific approach is mandated. However, companies should assess how they address incentives as well as disciplinary action.
  • Follow-Through. Establishing compliance procedures is not sufficient. There must be follow-through. For example, keep records to demonstrate how employees are made aware of the program. If employees are given hard copies of the code of conduct, be sure all employees get them, including new hires. If employees are expected to access the code of conduct and related policies electronically, be sure they are given adequate information to locate the materials — and access to a computer on which to do so. And, maintain an electronic log to document that employees are accessing those materials. If annual certifications are requested of all or a designated group of employees, be sure that all required certifications are returned.
  • Sufficient Budget. Companies should assess whether they are providing a sufficient budget for compliance activities.
  • Background Screenings. Companies should review their procedures for screening the background of senior management to be sure that they can demonstrate that they are not giving substantial authority to persons with a history of illegal or unethical conduct.

Copyright © 2007, Mayer, Brown, Rowe & Maw LLP. and/or Mayer Brown International LLP. This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Mayer Brown is a combination of two limited liability partnerships: one named Mayer Brown LLP, established in Illinois, USA; and one named Mayer Brown International LLP, incorporated in England.