Chris Bauer, among others, gently chides me from time-to-time that I do not put enough emphasis on ethics in a FCPA compliance program. Probably part of the reason is that, with my legal training, I tend to think of rules, regulations and laws as the guideposts for corporate conduct. Chris, once again among others, reminds us that corporations are made up of people and that there can never be enough rules and regulations to cover every situation. So if employees have the right ethical compass they would tend to do the right things in business going forward.
Yesterday, at the Hanson Wade Pharmaceutical Anti-Corruption Compliance Conference, I heard a talk by Jay Mumford of Ethisphere on the Health Care Industry Executive and Company Conduct Compact. Jay’s talk focused largely on the ethics component of compliance and ethics and he talked about an Ethisphere initiative which helps company’s in the health care industry to add an ‘ethics’ component to compliance and ethics. Jay began his talk by pointing out the loss of trust that Americans have in various industries and corporations. When most Americans, generally, have such a lack of trust, as after the 2008 financial meltdown, they turn to more regulations. The financial meltdown and the perception that the financial industry caused it led to the passage of the Dodd-Frank legislation. Jay pointed out that the 848 page long Dodd-Frank bill now has over 8000 pages of regulations interpreting this law. He said that the law firm of Davis Polk has estimated that this is only 1/3 of the total page number of regulations to come to implement Dodd-Frank. His point was stark and clear, there is absolutely, positively no way that any corporation or person could know all the regulations.
One of the things that Ethisphere tries to bring to the compliance and ethics debate is a manner to rise above the rules-only approach. They recently initiated a new program in the Life Sciences Industry called the Company Conduct Compact “Compact”. This Compact is designed to reduce the probability of corporate misconduct and to help to set up an affirmative defense if an individual prosecution action is in the offing. The Compact itself offers companies and individuals a method to proactively commit to a set of heightened ethical principles and specific behaviors, based upon the elements found in the US Federal Sentencing Guidelines.
The Compact is designed to be executed by both the Chief Executive Officer (CEO) and top Senior Management in a company. It is set up to align with the company’s overall compliance efforts. The commitments made in the Compact are subjected to external verification and testing. Each commitment is set out in writing for each signatory and the CEO commits his or her organization to the seven principles set out in the Compact. The seven principles are as follows:
- Written Policy and Procedures. The organization will have a comprehensive written set of policies and procedures that establish a best in class compliance program, including a Code of Conduct, company-wide policies and procedures and specific internal controls for each department. The leader commits to proactively identifying, preventing and correcting behaviors that are not consistent with the company’s values. If the leader has a disagreement with the standards, he or she will work within the system to address them.
- Program Oversight. The company will ensure that the compliance function has vigorous support from management and the Board of Directors, is well-resourced and financed and has appropriately elevated status within the company. The leader commits to full, consistent and active implementation of the company’s compliance regime and will give the time, attention and resources to support his or her area of responsibility within the overall compliance structure.
- Education and Awareness. The company commits to periodically and in a practical manner educate employees on its standards and procedures, through effective training. The leader commits that all of his direct reports will complete all required compliance and ethics training in a timely manner and that if these direct reports do not do so, the leader’s compensation may be effected. The leader will also attend a number of live compliance and ethics training sessions for employees to emphasize the importance of it throughout the company.
- Monitoring and auditing; reporting channels for concern. The company shall embrace both ongoing monitoring and auditing as techniques to help ensure that its compliance program is followed. The company shall periodically assess the effectiveness of its compliance program and maintain a dedicated reporting channel which can be used anonymously. The leader commits that at least once per quarter he or she will sit down individually with the Executive Leadership Team (ELT) and ask them what specific steps they are taking to help the company do business in a compliant manner. There shall also be a strong commitment to the creation of a culture of no retaliation for reporting of compliance violations.
- Enforcement and discipline incentives. The company will enforce its compliance program through both incentives and discipline. There should be a portion of compensation based upon doing business ethically. The leader commits to enforcing the company’s ethical standards, through both positive and negative incentives, including him or herself, through an agreement for claw backs if a FCPA violation occurs on his or her shift. The leader believes that senior management should be held to a higher standard and embraces that obligation.
- Response and prevention. This commitment means that after misconduct has been discovered, the organization shall take reasonable steps to respond appropriately and prevent further similar misconduct. The leader commits to learn what has happened, why it happened and how to prevent it from occurring again. He or she will not shift the blame to ‘the system’ but will work to prevent it from occurring again.
- Risk management. Here there is a commitment to periodically assess the risk of misconduct and the signatory shall take appropriate steps to aid in the design, implementation or modification of the company’s compliance program to reduce the risk of misconduct. The leader commits to actively manage the compliance risks that an organization faces no ‘out of sight, out of mind’ mentality for thee. The risk assessment process must be embraced.
While sitting through Jay’s presentation I initially thought that no CEO would agree to such obligations, but as they are largely based on obligations which already exist, legally I do not see much downside to a CEO and senior management agreeing to such obligations. As Jay pointed out, one of the very large reasons for signing this Compact and performing its obligations is to present a viable defense if the DOJ comes knocking. But more than simply another defense, the Compact really does help a company to demonstrate to its employees, its shareholders and its business relations a commitment to doing business ethically. As I told Jay after his talk, primarily I thought this initiative was so far out in left field it had no chance of success. However, what may be today’s initiative from left field may be tomorrow’s ‘Enhanced Compliance Obligations’ and next year’s new best practices in compliance. The Ethisphere Compact certainly is something that companies can and should consider.
This article originally appeared on tfoxlaw.wordpress