Reflections on the Impact of the “Seven Elements of an Effective Compliance and Ethics Program”

Cheat Sheet

  • US Sentencing Commission. US Congress created the US Sentencing Commission in the 1980s to develop sentencing standards for the federal court system.
  • Chapter 8. In 1991, the US Sentencing Commission published Chapter 8 “Sentencing of Organizations” of its guidelines, which included the “Seven Elements of an Effective Compliance Program.”
  • Seven elements. The Seven Elements of an effective compliance program include Standards and Procedures; Governance and Oversight; Education and Training; Monitoring and Auditing; Reporting; Internal Enforcement and Discipline; and Response and Prevention.
  • Change is needed. Despite significant investments in corporate compliance and ethics programs modeled on the Seven Elements, over the last 30 years, there has been little reduction in the corporate corruption rate. Governance changes in the boardroom are needed to improve performance.

As we approach the 30th anniversary of the publication of Chapter 8 of the US Federal Sentencing Guidelines (FSG) and their groundbreaking Seven Elements of an Effective Compliance Program, I thought it an appropriate occasion to take stock of their impact on corporate compliance.

Sentencing of organizations

On Nov. 1, 1991, the US Sentencing Commission — an entity created by the US Congress in the 1980s to develop and publish uniform sentencing standards for the federal court system — published Chapter 8 of the guidelines entitled “Sentencing of Organizations.”

These guidelines provided detailed factors federal judges should consider in sentencing organizations (including corporations) convicted of crimes. Nestled in its pages were the Seven Elements of an Effective Compliance Program (Seven Elements) detailing factors relating to corporate governance structures and practices courts could consider in determining whether an organization had taken reasonable steps to prevent and detect criminal conduct.

If an organization convicted of a crime could demonstrate to the court that it had an effective compliance program and met several other criteria, the FSG permitted judges to provide up to a 95 percent reduction in fines and penalties. The potential for such a substantial penalty reduction was specifically designed to induce organizations to examine and, if necessary, bolster their internal controls.

The Seven Elements of an effective compliance program

  1. Standards and Procedures,
  2. Governance and Oversight,
  3. Education and Training,
  4. Monitoring and Auditing,
  5. Reporting,
  6. Internal Enforcement and Discipline, and
  7. Response and Prevention

In 2004, the Sentencing Commission published amendments to Chapter 8 that were dubbed “Seven Elements of an Effective Compliance and Ethics Program,” integrating into these standards mandates regarding the promotion of an “ethical culture” and providing substantially more detail regarding expectations associated with organizational governance and internal controls.

Over the years, the Department of Justice (DOJ) bolstered incentives for organizations to implement compliance and ethics programs by publishing a number of memoranda and guidance documents further detailing their expectations regarding such programs.

According to these DOJ publications, if organizations under investigation for crimes committed by their employees or agents can demonstrate they had an effective compliance and ethics program and meet several other criteria, the DOJ may significantly reduce the penalties it seeks or decline prosecution altogether.

In many instances, including two I have been personally involved in, the DOJ has been true to its word.

Compliance and ethics professionals

In response to the Seven Elements and the DOJ policies mentioned above, thousands of corporations invested in dedicated compliance and ethics offices and charged them with the responsibility of developing and implementing “effective” compliance and ethics programs to prevent and detect criminal conduct. I count myself among the many other compliance and ethics professionals (CEPs) whose careers have been shaped by these developments.

For the last three decades, through a zeal for our mission seldom found in other professions, and a willingness to share best practices, we CEPs have implemented compliance and ethics programs modeled on the Seven Elements. In so doing, we greatly strengthened various internal controls that had been long neglected and carved out a niche in the corporate hierarchy that is now considered indispensable by most sizable firms. Long gone are the days when no one knew what CEPs did for a living.

This is especially true in industries that have experienced a significant volume of enforcement actions like banking, medical devices, pharmaceuticals, and healthcare. Some companies in these and other industries have been compelled to install compliance and ethics officers by the terms of corporate integrity agreements or deferred prosecution agreements. But many others have done so voluntarily in anticipation of the benefits that might flow from the creation of a dedicated compliance and ethics office.

Today, we CEPs number in the thousands and enjoy the support of multiple trade associations and a cottage industry comprising dozens of companies that supply global 24/7 helplines, case management systems, online training programs, third-party due diligence services, consulting, and program evaluations.

Many corporations that have invested in compliance and ethics programs now have sophisticated organizational justice systems, a well-educated employee population, internal compliance monitoring and auditing programs, and superior third-party management systems designed to minimize legal risks associated with company distributors and agents. Most CEPs also have direct access to company senior management and the board of directors to apprise them of compliance and ethics program status and solicit their support for various program initiatives.

But have these investments made a difference? Specifically, have compliance and ethics programs modeled on the Seven Elements and DOJ guidance reduced the corporate crime rate? As a practicing CEP, I wish I could answer this question in the affirmative, but I’m hard pressed to find support for such a conclusion. The evidence is to the contrary.

Corporate corruption

Recall for a moment the spate of breathtaking corporate scandals at the beginning of this century when marquee companies like Enron, WorldCom, Countrywide, Tyco, and others were caught systematically defrauding shareholders. Then, in 2008, there was a global financial meltdown precipitated by the malfeasance of thousands of organizations including many of the world’s most respected banks and financial institutions.

Since then, Wells Fargo was caught defrauding millions of customers; Volkswagen and its leadership were prosecuted for the emissions scandal; Goldman Sachs was caught paying staggering sums to win business in Asia; GSK, Johnson & Johnson, Pfizer, Novartis, and many other life-sciences firms were caught paying bribes to healthcare providers or promoting their products off-label; and Airbus was prosecuted for paying bribes to government officials in over a dozen countries.

Fast forward to 2020, when the DOJ collected a record US$9.8 billion in monetary recoveries related to non-prosecution and deferred prosecution agreements in enforcement actions against corporations. That same year, enforcement activity for Foreign Corrupt Practices Act (FCPA) violations was on par with prior years with record fines of over US$6 billion paid to enforcement agencies in the US and other countries.

For decades, the scourge of corporate financial fraud has raged on with no sign of abating, notwithstanding the Sarbanes Oxley Act of 2001 regulations mandating codes of conduct for boards and senior executives coupled with strict internal controls. The 2020 fiscal year saw 715 securities enforcement actions by the SEC culminating in record financial remedies of US$4.68 billion — an increase of approximately eight percent over the amount collected in 2019.

These corrupt business practices were not the doing of just a few rogue employees. In most cases, they were deliberately and systematically perpetrated by cohorts of business executives to seek advantage in the marketplace or to boost their company’s share price. And, most disturbingly, a significant fraction of these schemes were committed in companies with compliance and ethics departments that were powerless to prevent these calamities.

The Seven Elements and CEPs are not to blame

By making these observations, I do not mean to suggest that the Seven Elements and the associated DOJ guidance are flawed. They are not. To the contrary, together they provide a sensible framework that organizations can and should rely upon to structure their internal controls. Nor do I think CEPs have failed in carrying out their responsibilities.

Instead, I believe we CEPs have done and continue to do important work that contributes to the collective efforts of all the other corporate functions to support the business and operate in compliance with the law.

But one has to ask what good is a compliance and ethics program grounded in the Seven Elements that implements world-class helplines, investigation protocols, codes, policies, training programs, internal controls, and the rest if it is incapable of preventing senior corporate executives from engaging in wanton criminal conduct that causes significant harm to the enterprise and its stakeholders?

It appears that as currently configured, corporate compliance programs may be doing a good job regulating the crew “below deck” but, despite their best efforts, are incapable of preventing those at the “helm” from steering firms into the rocks.

That said, it would be grossly unfair to blame compliance and ethics departments for their firm’s corrupt business practices. We CEPs and the programs we run are not the cause of corrupt business practices. We have done and continue to do our level best to prevent them.

But to help the companies we serve find a realistic means of improving performance, we must have a clear-eyed view of our role in the corporate governance structure and our limitations in achieving this objective. It was never realistic to expect that the addition of a compliance and ethics office alone would be sufficient to prevent and detect systemic corporate corruption — especially when corrupt acts are committed, authorized, or tolerated by those on the “bridge.” Moreover, we CEPs never have been and likely never will be in a position to provide effective oversight of senior corporate officers or many of a corporation’s most significant legal and ethical risks.

CEPs have virtually no role in the design or operation of the internal controls required to comply with financial reporting rules, SEC regulations, stock exchange listing rules, safety health and environmental laws, product quality control regulations, good manufacturing practices, labor laws, antitrust laws, patent and trademark laws, product licensing and registration laws, product labeling laws, product packaging laws, product safety laws, international trade laws, debt covenants, commercial agreements, building codes, information technology security requirements, tax laws, and myriad others that collectively comprise the lion’s share of enterprise legal and ethical risks for many companies. Nor should we.

To manage the legal and ethical risks associated with these requirements, companies wisely invest in armies of experts in each of these fields and group them together in the various corporate functions and charge business professionals at every level of the corporation to play by the rules.

Further, in most firms, CEPs have little to no visibility into actions taken and decisions made by their board of directors and senior management team that can present significant corruption risks. Very few, if any, CEPs are involved in senior management or board deliberations relating to staffing, budgeting, acquisitions, divestitures, financial statements, quality controls, financial controls, capital investments, or investor relations — all of which carry enormous legal and ethical implications. My guess is that no CEP was in the room when the Wells Fargo board of directors approved the disastrous employee incentive program that induced a toxic work environment and widespread criminal conduct in their consumer banking business.

Although CEPs occupy a wide variety of positions in corporate hierarchies, only a small fraction of CEPs are peers with their firm’s general counsel, chief financial officer, or the heads of other corporate functions like information technology or human resources. Instead, most CEPs are relegated to posts in middle management and report to executives who are a rung or two down on the corporate ladder from the CEO. Many other CEPs are lower-level functionaries with little to no contact with top management.

The relatively low position most CEPs occupy in the corporate hierarchy is no accident. Senior executives who occupy positions of power are generally not inclined to cede their authority to anyone — let alone to a corporate officer charged with monitoring and possibly regulating their behavior.

Absent a corporate integrity or deferred prosecution agreement compelling companies to elevate CEPs to the C-suite on the heels of a major corporate scandal, most firms deliberately limit CEPs’ authority and their access to senior management meetings.

Consequently, very few, if any, CEPs are given the authority and global reach to be the single individual “delegated day-to-day operational responsibility for the compliance and ethics program,” as per the Seven Elements. Instead, these responsibilities are diffused among many individuals across the corporation. But this is hardly the only challenge we CEPs face in achieving the goal of detecting and preventing systemic corporate corruption.

Even those CEPs who earn a coveted C-suite office — where I believe they should be — and are “in the room” during some senior management meetings can’t be in every room in which decisions are made. Business professionals throughout a corporation can and must make key decisions that carry with them significant legal and ethical risks every day without first asking a CEP “Mother, may I?”

The fact that CEPs are not in charge of managing all enterprise legal and ethical risks is not a flaw in compliance and ethics program design. Instead, diffusion of this responsibility is necessitated by the vast complexity of legal and ethical mandates that corporations confront on a daily basis. Charging a CEP or compliance department with this responsibility is neither realistic nor desirable. Thousands of decisions must be made and acted upon continuously without a CEP’s knowledge or approval for a business to function properly. 

Dispelling myths

I make these observations not to diminish the importance of the work CEPs perform but, instead, to dispel the myth that they “own” their firms’ compliance and ethics programs. They do not. Compliance and ethics functions are responsible for performing duties that comprise an important but narrow sliver of the work that is done every day to manage corporate legal and ethical risks. They are just one of a large cohort of business professionals charged with developing and implementing internal controls designed to manage legal and ethical risks and building a strong ethical culture.

I must also take a moment to dispel the myth that CEPs serve as the “conscience of the company.” We certainly may try our best to play this role, but there is little evidence that CEPs possess an “ethical expertise” that is superior to other corporate executives. We may have an enhanced understanding of laws and ethical standards in areas in which we have specialized knowledge, like data privacy and anti-bribery laws. But few CEPs, if any, have had any formal education that would make them better suited than their executive counterparts to make even garden-variety business decisions that have significant legal and ethical dimensions.

When deciding how much to invest in research and development — whether to create, purchase, or sell derivative financial instruments, close a plant, initiate a stock buyback, lay off workers, manage pollution levels, off-shore manufacturing operations, draft an SEC filing, pay a dividend, or finalize an advertising budget — it’s hard to see how a CEP would necessarily make better, more ethical calls than other business leaders who have greater expertise in such fields and better knowledge of the relevant facts.

Regardless of how much expertise, authority, or moral courage a chief CEP has, others in a corporation ultimately have the responsibility to run the business. Many of the most important and difficult business decisions corporations must make are based upon incomplete data, assumptions about future market conditions, and hundreds of other variables. In such circumstances, there are many ethical and lawful options.

It is the CEO and their team, not the chief CEP alone, that shareholders and directors expect to make these decisions. This is as it should be. In a well-designed compliance and ethics program, it is the business management team, corporate functions — including the compliance and ethics department — and the employees, rather than the compliance and ethics department alone, that comprise the company’s ethics and compliance program.

A way forward

I suspect most would agree that the status quo with its continuous parade of corporate scandals and the enormous harm they cause to all stakeholders is intolerable. Thirty years on we still have considerable work to do to realize the primary goal of the Seven Elements by developing and implementing corporate governance practices that are more successful at regulating individual behavior at all levels of the corporation.

Although I believe CEP effectiveness is optimized when they are members of the executive management team, the answer is not the creation of larger and more potent compliance and ethics offices.

Instead, I believe the key to eradicating the scourge of systemic corporate corruption remains where it has always been and always will be: in the boardroom. As a practical matter, directors, not CEPs, are the only ones in a position to hold senior management accountable for implementing sound internal controls and building a strong ethical culture.

This sentiment is reflected directly in the language of the Seven Elements that provides:

(2) (A) The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

It is also a cornerstone principle in the recently published ISO 37000 Guidance for the Governance of Organizations that charges directors, among other things, with the responsibility of holding management accountable for designing and implementing adequate internal control systems, “including an effective compliance management system and an effective risk management system.” At the root of every major corporate scandal is a failure of boards to carry out this fundamental responsibility notwithstanding what I believe to be directors’ sincere intentions to avoid such calamities.

In my experience, the overwhelming majority of corporate directors are highly intelligent, conscientious business professionals dedicated to helping the companies they serve conform to legal requirements and thrive over the long term. Their jobs are exceedingly demanding and have been made more so by the torrent of regulations passed in response to past corporate transgressions. But to be more effective at governing corporate behavior directors must seek and find a practical means to measure compliance and ethics performance and hold management accountable for meeting performance goals.

One means of achieving this objective that I have advocated for years is for boards to ask and demand that corporate senior management (not CEPs) provide answers to two fundamental questions coupled with objective, verifiable evidence and hold them accountable for meeting defined performance goals:

  1. How effective are the company’s internal controls in managing its most significant legal and ethical risks?
  2. What is the company’s ethical culture strength benchmarked against our peers?

I characterize data gathered to answer these questions as the “Prime Integrity Metrics” and have detailed methodologies to collect and respond to them in several past ACC Docket articles.

In addition to being a sensible and cost-effective means of satisfying the Seven Elements and ISO 37000 mandates, this prescription for improved governance is in keeping with other key aspects of board oversight. Boards don’t take management’s word for a company’s financial performance and leave the firm’s future prosperity to chance. Instead, they scrutinize financial statements and commission routine internal and independent audits. CEOs and senior managers who fail to meet performance targets at well-run firms are dismissed.

This same level of oversight is not happening with respect to compliance and ethics performance in most corporations. Absent a compliance calamity, I’m unaware of any instances in which a board has fired a CEO for a failure to maintain robust internal controls or a strong ethical culture. And even in the wake of massive corporate scandals, there have been many instances where boards made no management changes or only reluctantly did so in response to withering pressure from shareholders, regulators, or legislators. This culture of tolerance for poor compliance and ethics performance must change.

Directors who do not know their firm’s Prime Integrity Metrics, and who do not hold management accountable for achieving defined performance goals, are failing at a fundamental level to provide effective oversight of their companies’ compliance and ethics programs. As a consequence, they are often as shocked and surprised as the rest of us when news of a massive scandal at their firms becomes public. Until directors remedy this deep shortcoming in corporate governance practices, I suspect another 30 years will pass with little reduction in the corporate corruption rate. This is a fate we should all work to avoid.

Parting thoughts

If you agree with these observations, do your part to help drive the governance changes in the boardroom necessary to realize the true promise of the Seven Elements and materially reduce your firms’ compliance and ethics risk profile. Develop practical methodologies to gather the Prime Integrity Metrics and help your directors understand and act upon them by setting performance goals and holding management accountable for achieving them.