Greenberg Traurig Alert
Corporate Compliance: A Guide to Protecting Your Company from Liability
By Karen Y. Bitar
You have just been named General Counsel of a new public company. Perhaps you got the
job because you are a corporate lawyer who worked on the offering, a litigator who
successfully handled a case that made the offering possible, or maybe a friend of the CEO.
In any event, you probably didn't get the job because of your experience in dealing
with criminal wrongdoing within a corporation. Your lack of experience in this area can be
a disaster for your company, its management and you, and your instincts alone may
not be enough to steer you right.
Let's take a case in point. After a year of steadily increasing revenues, you hear
through the grapevine that some of those revenues may be tied to illegal payments made
abroad in violation of the Foreign Corrupt Practices Act. You file the information away,
hoping nothing comes of it. Nothing does, until federal marshals show up at your office
with a subpoena or a search warrant, at which time you learn that the government received
the same information you did by way of a tip, and has been secretly investigating the
Company's activities abroad ever since. The government wants to know when you first
learned of the possible wrongdoing, whether you investigated it, and whether your company
had a compliance program in place to detect and deter criminal activity. Your
company's board of directors now wants answers to the same questions. So do the
plaintiffs in the securities fraud class action filed immediately after news of the
investigation hit the newswire, causing the company's stock to drop significantly.
It's too late now to do what you should have done then. Proper planning,
including the creation of an effective corporate compliance program, could have
avoided much, if not all, of the ensuing nightmare. Here's why:
A compliance program sets forth a corporate code of conduct that defines proper
business ethics within the company, and the process of creating the program forces a
company to assess risk areas within its organization, minimizing the likelihood of any
misconduct that could result in civil or criminal liability. Ideally then, the program
would have prevented the wrongdoing or at least detected it early on. Even if the program
failed to prevent the wrongdoing, however, there are additional benefits. The government
places great weight on self-policing by companies and expects that companies will have a
compliance program in place. If the company learns of any possible criminal wrongdoing, it
will investigate it and, if it confirms that there was criminal activity, report to the
government the results of the investigation. Since a company's self-policing
activities are regularly considered by the government in deciding whether to prosecute a
company, had you taken your company's self-policing obligations seriously, the
company might have been able to avoid a criminal prosecution altogether. At the very
least, your company would have faced a lighter sentence because, under the Federal
Sentencing Guidelines, which apply to any "organization," public or private,
creation of an effective program will permit a "reduced culpability score"
(which translates to a lesser fine) should there be a criminal prosecution. For the
compliance program to be viewed as "effective" it should "prevent and
detect violations of law." If a company does not have a compliance program it will
not be entitled to mitigation under the Guidelines. In addition, the government will
likely require the creation of a program after any finding of wrongdoing. Thus, in
addition to a larger fine, the company can also expect significant government intervention
in the corporation's affairs. For example, a recent corporate defendant stepped up
its compliance efforts once it learned that it was under criminal investigation.
Notwithstanding this effort, as part of its plea with the government, it had to enter into
a detailed "corporate integrity agreement," in essence a more expansive
compliance program than it had originally intended.
In light of the recent case, In Re Caremark International Inc. Derivative Litigation,
698 A.2d 959 (Del. Ch. 1996), there is yet another extremely important reason to tend to
corporate compliance: to protect the company's board of directors in the event
of a challenge in the nature of a shareholder derivative claim or class action. The
Delaware Chancery Court held that "A director's obligation includes a duty to
attempt in good faith to assure that a corporation's information and reporting
system, which the board concludes is adequate, exists, and the failure to do so . . . may
. . . render a director liable for losses caused by non-compliance with applicable legal
standards." Caremark left unchanged the circumstances under which a corporation may be
held criminally liable for the acts of its employees: the employee must be acting within
the scope of his employment with the intent to benefit the corporation. It is irrelevant
that the employee might also derive a benefit from his criminal act. Thus, directors now
have an affirmative duty to ensure that the corporation they serve has put in place an
effective compliance program to detect and prevent fraud and criminal conduct by its
employees, and the failure to do so can be used as a basis for director liability in the
event the corporation is sued by its shareholders.
Indeed, a recent KPMG Peat Marwick study concluded that approximately 80% of
respondents to its survey had a formal code of conduct or an ethics compliance program.
However, while compliance programs are fairly standard in large corporations, far fewer
respondents had an ethics or compliance officer, or were satisfied with their internal due
diligence in assessing fraud. Even post-Caremark, only one-third of the respondents
had engaged in routine audits intended to measure the continued effectiveness of their
If your board of directors wants protection from civil liability, Caremark
dictates that they should be active participants in the compliance function and the
compliance officer must periodically advise the board on compliance efforts and issues.
Simply put, if your company does not have a compliance program, it should.
The Seven Steps Toward An Effective Compliance Program
To create an effective compliance program, a company must follow certain steps
specified in the Federal Sentencing Guidelines. See, Guidelines Chapter 8
Section 8 A1.2 Commentary 3(k). These steps set forth those criteria which, at a
minimum, need to be followed for the government to consider the program to be
"effective" for mitigation purposes. They are:
- The organization must have established compliance standards and procedures to be
followed by employees and other agents that are reasonably capable of reducing the
prospect of criminal conduct.
- High-level individual(s) within the organization must have been assigned overall
responsibility to oversee compliance with standards and procedures.
- The organization must have used due care not to delegate substantial discretionary
authority to individuals who have a propensity to engage in illegal activities.
- The organization must have effectively communicated its standards and procedures to all
employees and other agents (i.e., trained the employees about the program).
- The organization must have taken reasonable steps to achieve compliance with its
standards (monitored and audited the program).
- The standards must have been consistently enforced.
- After detection of offense, the organization must have taken reasonable steps to respond
appropriately and to prevent further similar offenses.
If under Caremark failure to follow these compliance criteria can create
potential director liability in civil suits, then demonstrating effective compliance by
adherence to the seven steps might be used as a basis to shield a director from potential
In interpreting the seven steps, here are some practical considerations:
Assessing the Risk of Criminality
Don't pull together existing corporate policies and call it a "compliance
program." Your program should be created only after the company and its counsel have
assessed the risks specific to the corporation and designed a program so as to deter
criminal conduct in those areas. The program creators must solicit the opinions of
management, as well as lower level employees, to determine those areas where the
corporation may be vulnerable. If the company's business should change in any
substantial way, by virtue of a merger or otherwise, the company must reflect
those changes to the business by amending its compliance program. Those creating the
program should document their efforts at risk assessment, including maintaining minutes of
compliance-related meetings and notes of interviews of company personnel.
Management Must Make the Employees Accountable for Program Failure
Management must make clear to employees that they take the code of conduct seriously.
Those in charge of each department should be held accountable for ensuring code compliance
by their employees. Code compliance should be factored into incentive compensation. Where
there is a lack of appreciation of, or inattention to, the compliance function, a manager
should be sanctioned, financially or otherwise.
Due Care in Delegating Authority
A company must use "due care" to not delegate substantial discretionary
authority to anyone that it knows, based on its due diligence, has engaged in improper
conduct. At the very least, the corporation should engage in a background check of any
person it intends to bring on board who will engage in business for the corporation. Such
a check should not be limited only to candidates for senior or executive positions.
Due care should not be generic. Each corporation should determine what constitutes due
care in light of the nature of its particular business.
Training Employees about the Program
Employees need to understand the purpose and scope of the compliance program. To
fulfill these objectives, sufficient training is required. Training is effective when done
in an interactive manner that requires an action or response from the trainee. An example
of interactive training is requiring employees to certify in writing that they understand
and will follow the program. Compliance training, using examples specific to a
company's business, will make the program training more relevant to employees. To
keep the trainees as active participants in the training process, tape the training, or
give the trainees routine pop quizzes.
The compliance manual itself should be included in any employee materials given to new
hires. All training that employees receive should be reflected in their personnel files,
as should any refresher courses given to them.
Program trainers can come from "in-house." These individuals will probably be
most knowledgeable about the company's business. Alternatively, the company can use
professional trainers who use their well-honed teaching skills to educate employees. The
benefit of using professional trainers is that they can properly train managers from the
company's human resource or legal departments with an eye toward having the company
personnel become better teachers who can then assume the training function. The in-house
instructors can revise the training program to correspond to any changes to the compliance
program that are driven by changes in the company's business. The "train the
trainer" approach, therefore, can be extremely useful and cost-effective.
In addition to the comprehensive training given to all employees, a company can provide
targeted training, given only to those personnel whose activities create a specific legal
exposure. Using our example, only those doing business abroad need to be advised about the
Foreign Corrupt Practices Act.
Who Should Monitor the Compliance Process
The Sentencing Guidelines require involvement of high-level personnel in the compliance
effort. The Guidelines define high-level personnel as "individuals who have
substantial control over the organization or who have a substantial role in the making of
policy within the organization." "The term includes a
director and executive officer . . . or an individual with a substantial ownership
interest." (Guidelines Chapter 8 Section 8 A1.2 Commentary 3(b).) The
appointment of a high-level compliance officer sends a strong message to the employees
that the company is serious about compliance and that they should be as well.
The company has various options as to who the compliance officer can be. The General
Counsel, the CFO, or the chief auditor are likely candidates. The compliance
officer's responsibility is to ensure that the business practices do not violate
compliance procedures, that the procedures and training in place are appropriate, and to
review and investigate any compliance issues that arise. The compliance officer should
report directly to the board and must have legitimate investigatory authority. He cannot
be a mere figurehead.
The compliance officer needs to be independent and dedicated to the compliance
function. Sufficient time, leadership skills and experience are also prerequisites.
Knowledge of the company's employees and operations, and access to resources, are
also critical factors to be considered when making the selection.
The company can opt for a compliance officer new to the organization. If this is his
only responsibility, he will likely develop greater familiarity with compliance issues and
investigatory techniques. However, while independent, a person brought in from the outside
may not have sufficient familiarity with the corporate culture. Viewed as an outsider, he
will find it harder to do the job.
Maintaining the Integrity of the Program
Management must also ensure that everyone complies with the code. If the program is
viewed as unfair, employees will not follow it. There should be equal punishment for a
violation, regardless of who is the alleged violator.
Prevention of Similar Offenses
Once on notice of a violation, the program must be reevaluated and, if necessary,
amended so as to take all reasonable steps to prevent re-occurrence. While it is
understood that no program can be foolproof, you will undermine the legitimacy of the
program if you fail to take affirmative action to improve the program if it is found to be
Now more than ever, organizations are expected to self-police to detect and deter
criminal conduct. This responsibility will fall largely to you as the General Counsel.
Fortunately, the creation and successful implementation of an effective compliance program
will fulfill this objective. It will also provide an extremely useful mechanism to manage
risk, and can shield the corporation and its directors from both criminal and civil
liability. In the arsenal to protect your company and its directors and officers from
liability, it is one tool you cannot do without.
© 2000 Greenberg Traurig