Due Diligence: The Sentencing Guidelines and the Lawyer's Role in Corporate Compliance and Ethics Programs
by Steven Carr
North Carolina Bar Foundation Continuing Legal Education
December 9, 2005

A recent amendment to Federal Sentencing Guidelines imposes new, tougher requirements and mandates a cultural imperative for ethical behavior and compliance with law by all corporations and business organizations, large and small -- even nonprofit organizations. All business organizations must now devote high-level attention, leadership and sufficient resources to assure that their ethics and compliance programs establish an effective, ongoing process that makes ethical conduct an essential element of a successful business plan.

This recent change in the federal law means that your client organizations should assess whether their current compliance and ethics programs meet new and tougher requirements for such programs. Making sure that the client's program meets the standards to be considered effective could prevent violations of law before they occur, and will help your client organization mitigate or reduce the punishment for a criminal offense, if the organization is accused or found guilty of a criminal offense.

The lawyer representing the client organization plays an important role in the effort to design or to re-design and to improve, implement and promote effective compliance and ethics programs. The important question for the client organization, in light of the amendment to Sentencing Guidelines requirements, is whether the compliance and ethics program should be evaluated to appropriately assess the risks of criminal misconduct and to incorporate new processes to address those risks and to prevent and detect violations of law.

Background: The 2004 Amendment to 1991 Minimum Requirements

The criteria a corporation and other business organizations must follow in order to create an effective compliance and ethics program are now more rigorous.
An amendment ("the Amendment") to the Federal Sentencing Guidelines for Organizations, first adopted by the U.S. Sentencing Commission in 1991, articulates seven minimum requirements that an organization must meet in order to demonstrate that its compliance and ethics program is effective. The Amendment, and the new criteria, became effective November 1, 2004. Establishing and maintaining an effective program is essential for an organization seeking to mitigate its punishment (including fines and terms of probation), and to reduce its culpability score under the Sentencing Guidelines, for a criminal offense.

The Sentencing Guidelines may be viewed and downloaded at the U.S. Sentencing Commission Web site, www.ussc.gov. The Sentencing Guidelines for Organizations are at Chapter 8 of the Sentencing Commission's 2004 Guidelines Manual ("Guidelines Manual"). This manuscript summarizes the provisions of Section 8B2.1 of the Guidelines Manual and highlights the changes in the 1991 version of the Guidelines effected by the 2004 Amendment.

The key change in the Sentencing Guidelines is a simple mandate: the organization's leaders must instill and promote a culture of ethical behavior and knowledgeable compliance with the law. The fundamental purposes of the Amendment are to sharpen the focus on ethical conduct, to improve corporate compliance programs, and to prevent and detect criminal conduct within organizations. The Amendment also fulfills the Sentencing Commission's duty to review and amend the Sentencing Guidelines, as directed by Congress under the Sarbanes-Oxley Act of 2002, to ensure that the Sentencing Guidelines that apply to organizations are sufficient to deter and punish organizational criminal misconduct. Guidelines Manual, §8B2.1, Background.

Summary of the Amendment

The major features of the Amendment include the following changes to the Sentencing Guidelines:

- Organizations must promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
- The Amendment requires boards of directors (the "governing authority") and executives to assume specific responsibility (formerly assigned to "high-level personnel") for the oversight and management of compliance and ethics programs.
- Effective oversight and management presumes active leadership in defining the content and operation of the compliance and ethics program ("the Program").
- At a minimum, the Amendment explicitly requires organizations:
    o To identify areas of risk where criminal violations may occur;
    o To train high-level officers and employees in relevant legal standards and obligations; and
    o To give compliance and ethics officers sufficient authority and resources to carry out their responsibilities.

Due Diligence: The Seven Minimum Requirements

The Amendment updates and makes more rigorous the seven minimum requirements originally contained in the 1991 version of the Sentencing Guidelines that an organization must follow to exercise its due diligence in the design and implementation of an effective corporate compliance program. These seven requirements served as the framework for the creation of an effective program to prevent and detect violations of law that many corporations followed when the 1991 Sentencing Guidelines were adopted. In addition to industry benchmarks ("applicable industry practice") and standards called for by applicable government regulations, the Amendment's elaboration on these criteria should serve as guidance by which a corporation's existing compliance and ethics program should be re-designed or improved.

In abbreviated form, the seven minimum requirements are as follows:

1. Standards and Procedures. The organization shall establish standards and procedures to prevent and detect criminal conduct. These standards and procedures are standards of conduct and internal controls reasonably capable of reducing the likelihood of criminal conduct. Each organization's standards should be tailored to fit its own business. The standards should be based on a risk analysis of potential criminal activity and non-compliance, and the organization should implement procedures designed to enforce the standards and reduce the identified risks.[1]

2. Board of Directors Oversight/Operational Effectiveness. The organization's governing authority shall be knowledgeable about the content and operation of the Program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the Program.
   a. Specific individual(s) within high-level personnel (individuals who exercise substantial supervisory authority and substantial discretion) shall be assigned overall responsibility for the Program.
   b. Specific individual(s) shall be delegated day-to-day operational responsibility and shall report periodically (not less than annually) to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the Program.
   c. These individuals shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

[1] The Sarbanes-Oxley Act of 2002, affecting public companies regulated by the Securities and Exchange Commission under the Securities and Exchange Act of 1934, also imposes new requirements for codes of ethics for senior financial officers. See Section 406 of the Act, 15 U.S.C.A. § 7264. The statute defines the code of ethics to mean and include such standards as are reasonably necessary to promote (1) honest and ethical conduct... (2) full, fair, accurate, timely and understandable disclosure in the periodic reports required to be filed by the issuer; and (3) compliance with applicable governmental rules and regulations. The SEC's implementing rules add the word "laws" to "governmental rules and regulations." See 17 CFR 229.406(b)(3).

3. Screening and Excluding Unethical Individuals. The organization shall use reasonable efforts not to include within the substantial authority personnel (people who exercise a substantial measure of discretion in acting on behalf of the organization) any individual whom the organization knew or should have known has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program. (The key point here is that the Program should include not only pre-employment background checks but also an emphasis on ethical conduct at all stages of the employment, including performance reviews.)

4. Effective Training Programs. The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures (see Step 1) by conducting effective training programs and otherwise disseminating information appropriate to individuals' roles and responsibilities at all levels of the organization (including executives and the Board of Directors), and as appropriate, the organization's agents. This means that the organization's compliance Program is really an ongoing process, and must be designed to provide legal updates, periodic training and refresher courses.

5. Periodically Evaluate Effectiveness. The organization shall take reasonable steps to ensure the Program is followed, including:
   a. Monitoring and auditing to detect criminal conduct;
   b. Evaluating periodically the effectiveness of the Program;
   c. Providing and publicizing a system and mechanisms for anonymity or confidentiality, whereby employees and agents may report or seek guidance regarding potential or actual criminal conduct, without fear of retaliation.
   Notably, a new feature included with the Amendment also mandates that the organization periodically assess the risk of criminal conduct... and take appropriate steps to design, implement or modify each requirement [of the Program, following the seven minimum requirements] to reduce the risk of criminal conduct through this [risk assessment] process.

6. Promote and Enforce the Program. The organization's Program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent and detect criminal conduct. The 1991 version of the Sentencing Guidelines focused on disciplinary measures. What's new with the 2004 Amendment is the addition of the requirement that organizations promote an ethical culture and compliance program with appropriate incentives. The Sentencing Commission notes that this addition articulates both a duty to promote proper conduct in whatever manner an organization deems appropriate, as well as a duty to sanction improper conduct.

7. Respond Appropriately When Criminal Conduct is Detected. The organization shall respond appropriately to the criminal conduct and to prevent further similar conduct, including making any necessary modifications to the Program.

Timely and Fully Cooperating with Criminal Investigations: The Attorney-Client Privilege

The Amendment also addresses concerns about the relationship between obtaining credit under the Sentencing Guidelines for timely and thorough cooperation with law enforcement authorities and criminal investigations and waiver of the attorney-client privilege and the work product protection doctrine. The Sentencing Commission notes that waiver of the attorney-client privilege and of work product protection is not a prerequisite to a reduction in culpability score... unless such waiver is necessary in order to provide timely and thorough disclosure of all pertinent information known to the organization. The Commission expects that such waivers will be required on a limited basis. Synopsis of Amendment, submitted to Congress May 1, 2004, at www.ussc.gov/2004guid/rfmay04-corp.pdf.

Guidance from the United States Department of Justice addresses the waiver issue also, in a memorandum titled Principles of Federal Prosecution of Business Organizations issued January 20, 2003 by former Deputy Attorney General Larry D. Thompson (sometimes referred to as the "Thompson Memo").
The Thompson Memo states:

One factor the prosecutor may weigh in assessing the adequacy of a corporation's cooperation is the completeness of its disclosure including, if necessary, a waiver of the attorney-client and work product protections, both with respect to its internal investigation and with respect to communications between specific officers, directors, and employees and counsel. Such waivers permit the government to obtain statements of possible witnesses, subjects and targets, without having to negotiate individual cooperation or immunity agreements. In addition, they are often critical in enabling the government to evaluate the completeness of a corporation's voluntary disclosure and cooperation.

The Thompson Memo further states, in a footnote, that the waiver should ordinarily be limited to the factual internal investigation and any contemporaneous advice given to the corporation concerning the conduct. Except in unusual circumstances, prosecutors should not seek a waiver with respect to communications and work product related to advice concerning the government's criminal investigation. See the Thompson Memo at www.usdoj.gov/dag/cftf/corporate_guidelines.htm.

The changes in the securities laws affecting publicly-traded companies under the Sarbanes-Oxley Act also impose new rules of conduct for lawyers who provide legal advice relating to securities law matters and who appear and practice before the SEC. See 15 U.S.C.A. § 7245, titled Rules of professional responsibility for attorneys. The SEC has imposed rules prescribing minimum standards of conduct, including the so-called up-the-ladder reporting mechanism for securities law violations, to report evidence of a material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof, to the chief legal officer or the chief executive officer. If the CLO or the CEO does not respond appropriately to the evidence (adopting, as necessary, appropriate remedial measures or sanctions with respect to the violation) then the statute and the SEC's rules require that the lawyer report the evidence up-the-ladder to the audit committee of the board of directors, or to another committee of the board comprised of directors not employed by the company, directly or indirectly, or to report directly to the board of directors itself. See 17 CFR Part 205 and Section 205.3 (17 CFR 205.3).

Rule 1.13, titled Organization as Client, of the North Carolina Rules of Professional Conduct, adopted by the North Carolina State Bar, imposes similar duties on the lawyer representing an organizational client.
Rule 1.13(b) states that if the lawyer for an organization knows that an officer, employee or other person associated with the organization is engaged in action, intends to act or refuses to act in a matter related to the representation that is a violation of a legal obligation to the organization, or a violation of law which reasonably might be imputed to the organization, and is likely to result in substantial injury to the organization, the lawyer shall proceed as is reasonably necessary in the best interest of the organization. The lawyer's next steps may include referring the matter to higher authority in the organization, including, if warranted by the seriousness of the matter, referral to the highest authority that can act on behalf of the organization as determined by applicable law.

Practical Implications for Your Client Organization's Ethics Program

Many organizations improved and strengthened their ethics codes and compliance programs after the 1991 Sentencing Guidelines were adopted, and many have anticipated and already address a number of the changes in the due diligence requirements effected by the 2004 Amendment. For example, the designation of a Chief Compliance Officer ("CCO") and the creation of a compliance specialist staff position to assist the CCO in fulfilling the day-to-day operations of the Program would be positive steps forward to achieving what the Amendment and the new Sentencing Guidelines criteria now require.

To assure that your client organization's Program is meeting all of the new due diligence requirements, the CCO and the compliance specialist, with appropriate assistance from the organization's lawyers, should focus their attention on potential Program design changes and other operational changes, including:

- Providing regular and appropriately detailed reports about the Program to the Board of Directors or the Board's Audit or Governance Committees, and making recommendations for the Board or the appropriate subgroup of the Board to assure operational effectiveness and periodic assessments of risks and effectiveness measures.
- Working with legal counsel and auditors to design and implement process changes to evaluate Program effectiveness, to conduct periodic risk assessments, to provide training updates.
- Reviewing the organization's standards, procedures and controls across the enterprise and business units to address and reduce risks of criminal activity and noncompliance and to assure consistent and appropriate discipline and a response plan for any misconduct detected within any of the business units.
- Identifying new ways to promote the Ethics and Compliance Program, to instill an ethical organizational culture, and to offer appropriate incentives to promote and encourage ethical behavior.

Next Steps

All business organizations now must devote high-level attention, leadership and sufficient resources to assure that their ethics and compliance programs establish a dynamic, ongoing process that makes ethical conduct an essential element of an effective business plan. The Chief Compliance Officer and other leaders of your client organization should consult with legal counsel to assess whether the organization's ethics and compliance program is effective and meeting the new requirements mandated by the 2004 Amendment.

Steven Carr is a partner with the Raleigh office of Nelson Mullins Riley & Scarborough LLP. He served as an associate general counsel for Progress Energy and in other corporate counsel positions, and has counseled corporate clients, written and served as a speaker on corporate compliance and ethics programs since the 1991 Guidelines were adopted.

Highlights of the Key Changes in the Guidelines

Emphasis: Cultural Imperative
  1991: An effective program to prevent and detect violations of law
  2004: An effective compliance and ethics program designed (a) to prevent and detect criminal conduct and (b) to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Emphasis: Compliance Responsibility ... at the Highest Level
  1991: High-level personnel oversee compliance with standards and procedures
  2004: The governing authority must exercise reasonable oversight and compliance to implement and measure effectiveness. Specific high-level individual(s) must have day-to-day responsibility, and must report periodically to the governing authority or subgroup of the governing authority, equipped with adequate resources and appropriate authority and access to the governing authority or subgroup

Emphasis: Training Requirements (1991); Training at All Levels (2004)
  1991: Employees and agents
  2004: Individuals at all levels of the organization, and agents

Emphasis: Measuring Effectiveness ... and Assessing Risk
  1991: Monitoring and auditing systems (controls); Reporting system
  2004: Evaluate effectiveness periodically; Periodically assess risk of criminal conduct and make appropriate changes

Emphasis: Consistently Enforce (1991); Promote and Enforce (2004)
  1991: Appropriate disciplinary mechanisms
  2004: Appropriate incentives; and Appropriate disciplinary measures for misconduct, failures to detect