Kalorama Partners :: Compliance Week Column


Enhanced D&O Responsibilities For Compliance, Ethics

Effective Nov. 1, as a direct result of Sarbanes-Oxley’s mandate to the U.S. Sentencing Commission, public company directors and senior executives will assume significantly greater responsibilities to ensure the existence of effective corporate compliance and ethics programs.

ABOUT THE AUTHOR
Compliance Week columnist Harvey Pitt is a former Chairman of the Securities and Exchange Commission and founder of Kalorama Partners.

As the twenty-sixth Chairman of the SEC, Pitt led Commission adoption of dozens of rules responding to corporate and accounting crises, created an SEC "real time enforcement" program, and responded to market disruptions from the Sept. 11 terrorist attack.

Before becoming SEC Chairman, Pitt was senior corporate partner at Fried, Frank, Harris, Shriver & Jacobson, an international law firm, for nearly 25 years.

He served previously with the SEC from 1968-1978, including three years as Commission General Counsel.

In 2003, Pitt founded Kalorama Partners with former SEC Chief Accountant Robert K. Herdman.

Contact Information

Pitt can be reached at hpitt@complianceweek.com or (202) 349-4170.

Subscribers can also access previous columns by Pitt.

The amended guidelines essentially set forth two overarching requirements: first, that corporate officers and directors exercise due diligence to prevent and detect criminal conduct; and second, that corporations promote “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

This latter ‘tone at the top’ requirement begets both new and refined obligations corporate directors and officers will want to consider in advance of Nov. 1, including the following:

  1. Treat the sentencing guidelines as if they are formal regulatory requirements.

    As a technical matter, of course, there’s no “requirement” that corporate officers and directors do anything to implement the new federal sentencing guidelines. The revisions do talk about “requirements,” but the Sentencing Commission has no authority to prescribe a course of conduct for corporate officers and directors.

    The standards by which directors and officers will be judged in the performance of their responsibilities, however, emanate from a multiplicity of sources. Thus, a failure to ensure existing corporate ethics and compliance programs satisfy the sentencing guidelines could subject officers and directors to potential liability if criminal wrongdoing occurs at their companies but reduced criminal liability is unavailable under the new sentencing guidelines.

    As a practical matter, corporations are well-advised to take appropriate measures to come within the sentencing guidelines’ prescriptions for compliance and ethics programs.

  2. The starting point for an effective corporate compliance and ethics program is with the directors and senior corporate managers themselves.

    Those who govern a corporation must be knowledgeable about their company’s compliance and ethics programs, and exercise reasonable oversight of them. This means that the board must play a role in developing the programs, monitoring them, assessing their effectiveness and revising them, all on a regular, periodic basis.

    It also means that members of the board and senior managers must themselves receive ethics and compliance training to educate and sensitize them to the importance of these requirements. It is hard to set a tone at the top, unless those at the top of the company demonstrate their familiarity and facility with these programs.

  3. Create a formal senior officer position to administer the company’s ethics and compliance programs.

    There is a plethora of new regulatory requirements imposed by SOX; most companies are reeling from the strains these create, but cannot allow necessary actions to fall through the cracks.

    The best way to avoid this is to assign specific responsibility to a senior corporate officer who will have, as his or her mandate, the creation, administration, assessment and revision of the company’s compliance and ethics program. The person should be knowledgeable both as to regulatory and ethical requirements and, as the guidelines themselves caution, adequate resources must be devoted to the day-to-day performance of these functions.

  4. Assign formal responsibility at the board level for overseeing the company’s ethics and compliance programs.

    Because of the need for board oversight, the responsibility for receiving periodic reports from the officer assigned to administer the compliance and ethics program should be delegated to a specific board committee.

    There is a tendency to load all requirements of this ilk on audit committees. While that’s logical, and may even be appropriate in many cases, it certainly isn’t the only venue for this board function. Quality Legal Compliance Committees provide many benefits to corporations, and such a committee could easily take on this function.

    One caveat, however, is in order: If the job is not assigned to the audit committee, at least one member of the audit committee should sit on whatever committee is assigned this responsibility. Although the guidelines contemplate annual reviews, board committees would be well-advised to review compliance and ethics programs on a quarterly basis.

    While oversight can be exercised through a committee with access to all the facts about the content and operation of the program, it’s critical to keep in mind that all directors should have familiarity, and be conversant, with the program.

  5. Develop a proactive mindset and methodology toward compliance and ethics.

    The operative framework for the new sentencing guidelines is that companies must not just be able to detect, and take action with respect to, improper conduct that’s already occurred, but also must create an environment and sufficient internal controls “reasonably capable of reducing the likelihood of criminal conduct.”

    In years gone by, the standard wisdom was not to go looking for problems. But today, companies must have in place sufficient mechanisms to allow them to detect problems before they arise, and to have reasonable internal controls in place that serve as an effective deterrent to violative conduct.

    Among other things that should be considered are:

    1. Corporate ombudsmen;

    2. Anonymous reporting channels to permit employees and others to complain about things they’ve observed without fear of retribution;

    3. Systems that permit companies to ascertain that compliance standards are being followed as a matter of routine;

    4. Monitoring devices to detect suspicious activities;

    5. Logging and pursuit of all complaints, not just to resolve individual suggestions of wrongdoing, but to determine whether there are patterns evolving;

    6. Periodic review of compensation systems to ensure that employees are not incentivized to violate compliance and ethical standards to maximize their income;

    7. Surprise legal and other “audits” by independent external service providers designed to find problems that might not otherwise be evident (surprise audits keep people on their toes, especially if they know they’ll be audited, but simply don’t know when, or how frequently);

    8. A review of industry trends and problems to ascertain whether it is possible that problems others have experienced could also be present at the company;

    9. A periodic employee evaluation and review process that specifically targets ethics and compliance concerns;

    10. Vetting potential hires for prior conduct inconsistent with the company’s current compliance and ethical standards;

    11. Providing regular periodic programs to educate and sensitize employees to the company’s compliance and ethical standards.

  6. Discard the notion of de minimis ethical and compliance violations.

    While every breach of corporate standards is not a capital offense, breaches of corporate standards must be treated as serious and significant. The surest way to impair the tone at the top is to ignore misconduct.

    The “punishments” should fit the misconduct, but all violations of company policies should result in some type of sanction. Part and parcel of this is the need to keep adequate records that demonstrate how the officials who administer the program have dealt with instances of misconduct.

  7. Evaluate violations of compliance and ethical standards to determine whether a violation is an isolated occurrence, or reflects a systemic problem.

    When problems are uncovered, companies must be able to respond satisfactorily to four questions:

    1. How did we learn of this?

    2. How was the conduct able to occur?

    3. Have we repaired any adverse consequences of the misconduct? and

    4. What assurances do we have that this kind of misconduct will not recur?

    By answering these questions, those who administer the program will be able to recommend changes to the company’s internal controls where warranted, or deal with problems as isolated occurrences if that is appropriate.

  8. Periodically evaluate and assess the company’s risk profile to ensure that the company is being proactive in its administration of its compliance and ethics programs.

    The company should have mechanisms in place to satisfy itself that the risks inherent in the company’s business operations are fully understood, and untoward contingencies are the subject of ample preparation and planning.

    It is definitely possible to anticipate a company’s next crisis, and the failure to do so can have devastating consequences.

  9. Require annual external audits of the company’s compliance and ethics programs.

    It is sensible for companies to bring in independent external experts to evaluate the effectiveness of their programs and internal controls. To the extent that companies fail to do so, their analyses and conclusions are bound to be viewed as insular and a company’s otherwise exemplary efforts may be for naught.

  10. It’s important not only to do the right thing, but also to be able to prove that you did the right thing.

    Many companies spend a great deal of time perfecting their systems and approaches, but then forget to keep complete and accurate records of their efforts.

    The sentencing guidelines assume that, despite a company’s hard work, someone somewhere may have committed a corporate crime. If that occurs, it’s critical for the company to show not only that it had good systems in place, but that the systems were effectively administered, overseen and evaluated.

 
Copyright © 2010 Kalorama Partners, LLC.