If there has been any doubt about the importance of ethics and integrity in conducting business in the United States, that doubt should have been laid to rest by two recent government actions. In November 2012, the Obama administration temporarily blocked BP PLC from entering new contracts with the U.S. government citing BP's "lack of business integrity" in the 2010 Gulf of Mexico oil spill--a significant issue for an oil company operating in the Gulf of Mexico.
And a federal court in the Southern District of New York in 201 2 allowed a shareholder lawsuit against Goldman Sachs & Co. to proceed based on allegations that Goldman Sachs misrepresented to investors that it was an honest and ethical company. In rejecting Goldman's assertion that its statements about its honesty and integrity were simply opinion or puffery, the court stated:
"Goldman's arguments in this respect are Orwellian. Words such as 'honesty,' 'integrity' and 'fair dealing' apparently do not mean what they say; they do not set standards; they are mere shibboleths. If Goldman's claim of 'honesty' and 'integrity' are simply puffery, the world of finance may .be in more trouble than we recognize."
In 1991, corporate America began to develop codes of ethics and related ethics and compliance programs to comply with the newly enacted Federal Sentencing Guidelines for Organizations (FSGO). Most major corporations today have both a published code of ethics and an ethics and compliance program frequently modeled on the FSGO.
But corporate scandals and misconduct continue to make headlines, and there have been many examples of corporate misdeeds in companies that were perceived to have model programs--at least on paper. So do these programs have teeth and are they effective at preventing or detecting misconduct? The answer is not simple and varies from business to business. But the need for continuing efforts to improve and implement effective ethics and compliance programs is self-evident.
Expectations and Requirements
The FSGO are widely recognized in the U.S. as setting out the framework for an effective ethics and compliance program in the private sector. By offering organizations reduced federal sentences in criminal prosecutions for setting up and implementing "effective" programs (among other factors), the FSGO started a movement in corporate America to improve self-policing to prevent wrongdoing.
Although the U.S. Department of Justice (DOJ) investigations of large companies today rarely end up in trials where the FSGO actually come into play in sentencing corporate defendants, FSGO standards for effective ethics and compliance programs have become a principal reference point in setting up and implementing such programs.
The FSGO are principles-based and provide for flexibility in establishing and implementing an ethics and compliance program--there is no one-size-fits-all. However, two overarching principles govern the establishment of an effective program. First, the organization must "exercise due diligence to prevent and detect criminal conduct;" and second, the organization must "promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law." (See U.S. Sentencing Guidelines USSG [section]8B2.1 (a).)
A company must meet several requirements to have a 'minimally" effective ethics and compliance program under the FSGO. These include:
* Standards and procedures to prevent and detect criminal conduct.
* Communication of these standards and procedures to the board, all employees and agents, as appropriate, and effective training programs.
* A knowledgeable board, which exercises "reasonable oversight" over the ethics and compliance program.
* A "high-level" person with overall responsibility for the program and an individual with day-to-day responsibility who periodically reports to high-level management and, as appropriate, to the board or an appropriate committee of the board on the program's effectiveness. This individual must have adequate resources, appropriate authority and direct access to the board or board committee.
* Monitoring and auditing of the ethics and compliance program to detect criminal conduct.
* Periodic evaluation of the effectiveness of [he program.
* A system where employees and agents may report or seek guidance regarding criminal conduct without fear of retaliation, which may include mechanisms that allow for anonymity or confidentiality.
* Enforcement of the program through incentives and disciplinary measures.
* After criminal conduct has been detected, appropriate steps to prevent similar conduct, including modifying the program.
* Periodic assessment of the risk of criminal conduct and steps to reduce the identified risk of criminal conduct.
Several other sources set out guidelines or mandatory requirements, which offer insight into additional procedures for design and implementation of ethics and compliance programs. For example, audit committee members and chief financial officers are quite familiar with the Sarbanes-Oxley Act of 2002 and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) requirements and expectations for compliance programs, which call for codes of conduct, whistleblower hotlines, disciplinary mechanisms and reporting on the adequacy of internal controls for financial statement purposes.
DOJ guidelines and deferred prosecution agreements with major companies also offer insight into additional ethics and compliance matters that the DO) considers important, such as establishment of internal management compliance committees and chief compliance officer direct access to the board.
New York Stock Exchange (NYSE) and Nasdaq listing requirements promulgated post-Enron also offer guidance. NYSE Rule 303A.10 requires that listed companies must have a code of ethics available on the company website to "focus the board and management on areas of ethical risk, provide guidance to personnel to help them recognize and deal with ethical issues, provide mechanisms to report unethical conduct and help to foster a culture of honesty and accountability." The code must also contain procedures to ensure prompt and consistent action against violations.
While recognizing that a company may address responsibilities differently, commentary to the rule sets out specific, important topics that should be covered in the codes of listed companies. These include conflicts of interest; corporate opportunities; maintaining confidentiality of company and customer information; fair dealing with customers, suppliers, competitors and employees; protection and proper use of company assets; compliance with laws, rules and regulations, including insider trading requirements; and encouraging the reporting of illegal or unethical behavior.
Codes and Compliance Programs Come In All Shapes and Sizes
Consistent with the intent of the NYSE rules and FSGO to provide flexibility to individual companies in designing and implementing codes of ethics and ethics and compliance programs, codes and related programs come in many shapes and sizes. Some are short and principles-based, frequently tracking NYSE listing requirements, while others are longer and are designed to address not just principles, but actual ethical decision-making situations employees may face. Some companies have one code for directors and a separate code for employees.
ExxonMobil Corp., for example, has a short set of guiding principles applicable to directors, officers and employees, supplemented by foundation policies. This code makes it clear that ethics polity does not stop with compliance. "Even where the 'law is permissive, the corporation chooses the course of highest integrity ... The corporation cares how results are obtained, not just that they are obtained."
Unlike many company codes, the chairman's introductory letter provides that no one in the organization has the authority to grant waivers to the company's foundation policies, and the company's corporate governance guidelines expressly provide that the board does not envision that any waivers will be granted.
The website of The Boeing Co. hosts its 37-page Ethical Business Conduct Guidelines, which addresses ethical questions employees may face. The guidelines include a checklist for ethical decision-making that covers common sense questions for employees to ask themselves, such as "Am I being fair and honest?" "Would I be uncomfortable describing my decision at an all-hands meeting?" "What would I tell my child to do?"
In many companies, the board's corporate governance committee is responsible for reviewing its code of ethics annually and recommending revisions to the. board. Often the board's audit committee has responsibility for code administration and interpretation and has oversight responsibility for compliance issues regardless of whether the issues relate to financial statement matters. This can include reporting to the board on the implementation and effectiveness of the ethics and compliance program. Sometimes, however, codes provide for questions regarding interpretation to be addressed to the legal department or specific ethics contacts, who report to the general counsel or to the chief financial officer.
Reporting of complaints and subsequent handling of investigations differs. Employees are frequently encouraged to report complaints to managers, human resources, corporate compliance, legal or to hotlines, which may be staffed by third parties. Complaints relating to accounting or auditing may have separate reporting and investigation requirements consistent with Sarbanes-Oxley and other rules. Directors--and sometimes executive officers--may have different complaint reporting procedures, which call for reporting to the board or a committee chairman or to the general counsel or compliance officer.
The role of chief ethics and compliance officer (CECO) also differs from company to company. CECOs frequently report to the general counsel, though there is increasing pressure through the FSGO and DOJ to have the CECO as part of the executive team with direct reporting responsibilities to the board or hoard committee.
With increasing Foreign Corrupt Practices Act (FCPA) enforcement and the globalization of business as well as recognition of the critical role of midlevel managers in the ethics culture of the organization, some organizations are putting ethics officers and resources in every business unit rather than centralizing the function at the corporate level.
Do Codes and Enforcement Programs Work?
Most major corporations have both a published code of ethics and an ethics and compliance program frequently modeled on the FSGO. Yet corporate scandals persist, and there are many who believe that the 2008 financial crisis was, among other things, a failure of ethics. The author's firm's own experience in providing analysis and expert testimony in litigation shows that allegations of ethics violations and failures are being raised more frequently in litigation.
So the question must be asked: Do ethics and compliance programs work? The answer is a qualified yes--as long as the program is not just a check-the-box exercise. Though quantifying the business case for a strong ethics and compliance program and a culture of ethics may be difficult, it seems obvious in today's increasingly global environment that a strong program is necessary not just to comply with government expectations and requirements, but also to protect the company's reputation and brand.
There is also evidence that having a strong and well-implemented program drives a strong ethics culture in a company, which reduces ethics risk. The Ethics Resource Center (ERC), a nonprofit funded at least in part by major corporations in the U.S., has conducted a National Business Ethics Survey since 1994 to assess trends in workplace ethics and to identify drivers that improve ethical workplace behavior.
Results of its 2011 survey specifically found that "[B]y every measure, strong ethics programs and strong ethics cultures produce substantially better outcomes--less pressure, less misconduct, higher reporting and less retaliation--than in weaker ethical environments."
Observed misconduct in the strongest ethics programs in the 2011 survey was 30 percent--in the weakest programs 89 percent. Only 6 percent of those surveyed who observed misconduct in the strongest programs failed to report it, while 48 percent did not report the observed misconduct in the weaker ethics programs and cultures.
And though the degree to which a strong ethics and compliance program and a strong ethics culture affect government enforcement actions is hard to quantify because of a lack of public information, a 2012 ERC Independent Advisory Group Report on the 20th anniversary of the FSGO concluded that the FSGO had had a positive effect on ethics in the business community.
Ethics failures and violations produce real-world consequences for companies in the form of government investigations and enforcement actions, civil litigation and potential damage to reputation. To avoid these consequences, it is important that ethics and compliance programs not be just check-the-box exercises, which lull a company into believing it has done what it should. Codes of ethics and ethics and compliance programs do work--but only if supported by strong systems, which not only encourage compliance but deter misconduct through enforcement.
Sheryl L. Hopkins, J.D., MBA (shop. email@example.com), is a member of the board of advisors of Grace & Co. Consultancy Inc. in Houston and a former practicing attorney with more than 30 years' experience in all aspects of class action and complex commercial litigation.