Corporate Crime in America
Strengthening the "Good Citizen" Corporation

Day One

Table of Contents

How the Organizational Guidelines Work: An Overview

The Organizational Guidelines' "Carrot and Stick" Philosophy, and Their Focus on "Effective" Compliance

Where Theory and Reality Converge: Three Corporate Experiences in Developing "Effective" Compliance Programs

Sharing "Best Practices" Information

Keynote Address

A Presentation of Empirical Research on Compliance Practices: What Companies Say They are Doing - What Employees Hear

Evolving Compliance Standards: New Models and Proposals

Bringing Carrots and Sticks in House: The Role of Ethics, Incentives, and Private "Inspectors General" in Achieving "Effective" Compliance


COMMISSIONER BUDD: Now, let's move to the formal part of our program and get things rolling. We thought it was important to offer you a quick grounding on how the guidelines actually work so that you have something of a context for thinking about the presentations that will follow. We are very fortunate to have two excellent presenters. I am going to keep with my own words and make their biographies very brief. Again, you have them before you.

Russell "Rusty" Burress is the first of our presenters this morning. He has been with the Commission for ten years, and during that time he has trained thousands of people in the federal court family, as well as in the legal community. Indeed, he is considered to be a national figure in the criminal justice system.

The other presenter, and she will be starting with Rusty in just a moment, is Julie O'Sullivan. Ms. O'Sullivan is an associate professor at Georgetown Law School where she has been for about a year. Prior to that she held several very important positions, not the least of which was serving as a law clerk for Associate Justice Sandra Day O'Connor of the United States Supreme Court.

With that, I'm going to turn the program over to Rusty and I think you're going to very much enjoy this presentation. Rusty Burress.

MR. BURRESS: The Sentencing Commission believes that an organization that has developed and has maintained an effective compliance program, that is a program that will detect and hopefully prevent violations of law, that a corporation that has done that is a good corporate citizen. Because of being a good corporate citizen, you are going to find out over the next couple of days, I believe, that there are a number of benefits to being a good corporate citizen.

One is that if this program prevented the violation of law, then, of course, your organization will not face a criminal conviction and will not face the penalties that go along with a criminal conviction. But even if there has been a criminal conviction, the guidelines still recognize and the Sentencing Commission still recognizes the good corporate citizen and the efforts the good corporate citizen has made in establishing and maintaining this effective compliance program. The way they recognize that is in lesser fines being called for under the guidelines for the organization.

So what Julie and I are going to do is to talk with you about how the guidelines are applied and how the guidelines recognize in their application this effective compliance program and call for lesser guideline fines because of this effective compliance program.

Now also, as we're looking at guideline application, we will point out other areas that are mitigating areas or factors that, if they're present in your organization, can result in lesser guideline fines. While we're looking at these mitigating factors that will reduce the guideline fines, we will also point out to you some aggravating factors, some factors that will increase the guideline fines if those factors are present.

We don't anticipate anyone being a guideline application expert in 30 minutes of discussion of guideline application, but hopefully, if you do leave here, if you ever look at our guidelines in any detail, you will at least have some insight as to what is going on in the guidelines.

Now, I have been talking about guideline fines, how we will calculate a guideline fine, and I have mentioned these aggravating and mitigating characteristics under guideline application. But there is really sort of a distinction between, say, the organization's culpability and the organization's responsibility under the guidelines and under the statute, and, Julie, what is that distinction and exactly what is the applicability of the organizational guidelines to an organization?

MS. O'SULLIVAN: Let me start with the basics. The organizational guidelines can be found in Chapter Eight of your Guidelines Manuals. The Commission has xeroxed it for you. Chapter Eight is in the last section of your booklet, so the entirety of the organizational guidelines is available for you. What we're going to do is just go through and generally sketch out the high points.

Now, Chapter Eight applies to organizations, and organizations are defined as persons who are not individuals. That means they're not living, breathing human beings. Chapter Eight will apply to corporations, unincorporated associations, partnerships, pension funds, and unions. It will apply to basically every organization you can think of.

Say you have an organizational defendant. If there is an individual employee who is also convicted, what will apply to that individual are Chapters One through Seven, which are the individual guidelines. They will be dealt with separately.

Now, just to be very basic so everybody's on the same page, the organizational guidelines do not change the standard for the imposition of criminal liability. Generally speaking, corporations can be vicariously liable for the actions of their agents or employees within the scope of their employment and for the benefit of the corporation. The guidelines don't change that.

What the guidelines do do is structure the judge's discretion in assessing sentence after the organization has been convicted. Congress, by statute, set forth the maximum penalty that can be imposed on an organization for a particular count. What the guidelines do is tell the judges what narrow fine range within that larger statutory maximum they must choose, and in most cases, the judge is required under the guidelines to impose the fine on the corporation within the range mandated by the guidelines, absent extraordinary circumstances.

And if the individual guidelines are any precedent, then what will happen is in most cases, the fine imposed on an organization will be within the range dictated by the guidelines. We are going to tell you how it is that you arrive at the guidelines range. Rusty, do you want to start that off?

MR. BURRESS: Okay. I want to introduce you to some of the general principles of the organizational guidelines in Chapter Eight. We are going to be using some overheads here, but in your Section One tab you have all these materials that we're using as overheads, so these are in your materials.

We're looking at the one that has the typewritten page number one at the bottom, the general principles that the Commission has in these organizational guidelines back in Chapter Eight of the guidelines manual. The first general principle is to remedy the harm. The Commission says if the offense has resulted in some harm, let's remedy that harm. Generally, that is going to occur by an order of restitution. There's going to be a victim in the offense. There's going to be a monetary loss, perhaps, and there's going to be an order of restitution to make the victim whole once again. Generally, that's how remedying the harm will occur.

You may also have remedying the harm occur through, say, a remedial order, to go in and remedy the harm that has occurred, have the organization do something that will remedy the harm or to lessen the likelihood of future harm or risk of harm from this offense that has occurred.

You also can have a community service order, ordering the organization to do some type of community service that will remedy the harm. So there are a variety of ways including an order of notice to victims that can be achieved under a guideline sentence that will try to remedy the harm in an offense.

MS. O'SULLIVAN: You may want to note that it may be called remedying the harm, but a restitution order of, say, $10 million, is going to seem awfully punitive to some organizations. So it is in theory remedying the harm, but it may hurt.

MR. BURRESS: Now, we see where the Commission goes in to penalize the organization - where the punishment occurs in guideline sentencing - is under the second general principle here: the second general principle being "penalize the organization through fines." That's where the penalty occurs. And we say fines based on the seriousness of the offense and the culpability of the organization, and we're going to come back to that in a little bit and see exactly how those fines are calculated. That's where we intend to spend most of our time up here with you over the next few minutes.

I will make the note that in those instances, and I dare say that none of your organizations that are represented here today would be one of these instances, but in those instances where the organization is determined to be a criminal purpose organization, that is, an organization that's operating primarily through criminal means or primarily for a criminal purpose, then the guidelines say that the fine imposed on such an organization should be sufficient to divest this organization of their net assets.

In other words, try and put them out of business if, indeed, it's a criminal purpose organization, but I don't think we're going to be dealing with that and that's why we're going to focus with you people on how fine range calculations will occur for your types of organizations.

The third principle is the use of probation to implement another sanction or to prevent future criminal conduct. Again, probation is not given as the punishment as such, but oftentimes probation will be given in order to carry out some other aspect of a sentence. If the court orders restitution or the court orders a remedial order or a fine has been ordered and those things haven't been immediately done, then quite likely there will be an order of probation so the organization will be under the jurisdiction of the court in carrying out these requirements of the court's order. So we have probation that is done primarily for that.

Now, one note to you, because we are going to try to encourage you, if you do not have an effective compliance program, to come up with one: if an organization comes into federal court having been convicted of an offense and that organization does not have an effective compliance program at the time of sentencing and the organization has 50 or more employees, then the guidelines require that the organization be placed on probation to come up with an effective compliance program. So it's a sure ticket to get placed on probation if you do not have an effective compliance program when coming into court.

Now, what we would like to do is go back here and focus on this second general principle, which is penalizing the organization through fines, and we say fines based on the seriousness of the offense and the culpability of the organization. Julie has come up with what I think is a very descriptive overhead here that shows exactly what this fine calculation is all about. Julie, do you want to explain to us how this fine will be established?

MS. O'SULLIVAN: I should note that some sections of Chapter Eight apply to every federal felony and Class A misdemeanor. The restitution provisions and the probation provisions apply to every federal felony and Class A misdemeanor. The fine provisions, however, apply only to certain federal offenses, and those offenses are specified in your Guidelines Manual.

Basically speaking, the fine calculation provisions do cover about 85 percent of federal cases. Notable exceptions to the application of the fine provisions are environmental offenses, national defense export violations, and food and drug violations. You need to make sure that the criminal violation that you're dealing with is covered by the fine calculation provisions.

Let's proceed to how you figure out the fine range within which a judge, absent extraordinary circumstances, must sentence the criminal defendant to a fine. Conceptually, the fine range is the product of the seriousness of the offense and the culpability of the organization. Now, the seriousness of the offense is represented by a base fine. The base fine can be computed in a number of different ways, but in most cases, the base fine is the loss caused by the offense.

Assume you have a federal contracting fraud and the government is out $10 million as a result of that violation. That's going to be your base fine. The Sentencing Commission has determined that that, in their view, represents the seriousness of the offense. So you've got a base fine, say, of $10 million.

You want to end up with a range, so you're going to multiply the base fine by a minimum multiplier to end up with the bottom of the range and a maximum multiplier to give you the top of the range. For example, your range could be $20 to $40 million at the end. How do you know what multipliers to apply?

The Commission has isolated certain factual circumstances that it believes are relevant to determining the culpability of a corporation. It has assessed points that relate to those factors. One goes through the factors, figures out whether they're applicable in the organization's case, adds up the points - say five points for this, three points for that. You end up with what's called a culpability score, for example ten points.

You look on a chart which we've given you on page nine of your handout. We won't go through it independently, but there's a chart that basically tells you for a culpability score of ten, you're going to have a minimum multiplier of two and a maximum multiplier of four. You apply the multipliers to your base fine. Conceptually you are multiplying culpability by seriousness.

In our example, you have a base fine of $10 million times a minimum multiplier of two and a maximum multiplier of four, and you end up with a fine range of $20 to $40 million, within which the judge, absent extraordinary circumstances, must sentence the defendant.

Now, there are certain grounds upon which a court can depart from that range, but again, given the individual guidelines experience, that's not going to happen very often.

You should also be aware that in certain circumstances, the judge can sentence outside the range if the fine range would essentially jeopardize the continuing viability of the corporation, that is, if the fine is too large. But in most cases the organization is going to end up paying a fine within the fine range yielded by the formula.

We are going to be concentrating on the culpability score because it is in this area that the organization can do the most right now to affect any future liability it may have, most notably by instituting an effective program for detection and prevention of criminal conduct. An effective program will give you credits that are going to make a very large difference in this culpability equation. Rusty, do you want to go on?

MR. BURRESS: Because Julie has a good example as to the dollar impact that these culpability points will have on an organization, let's just quickly look at these culpability factors, and we are going to come back and look at a couple of them in detail that are somewhat difficult, perhaps.

But for culpability calculations, just the mathematics of it, everyone starts with five culpability points. That's the starting point. Then there are factors, aggravating factors that may increase this culpability score from five points going up, and it potentially can go up as high as 17 points. And the mitigating factors that are subtracted from these five points that could run the culpability score down. It could potentially take you down to like a minus three. So these factors are going to decide what the multipliers are going to be.

Now, you start with five points and then these following are aggravating characteristics, that if they're present in the offense, the Commission says, this organization is more blameworthy than an organization that didn't have these characteristics. The first is the level of authority and the size of the organization. Basically, the Commission says, if you have someone who is in the hierarchy of an organization and that person was involved in the offense or somehow tolerated this offense occurring, then that organization is more culpable. And then if you have an individual in the hierarchy, depending on where they are in the hierarchy and the size of this organization, these two things in conjunction will increase the culpability points anywhere from one up to five additional culpability points. In other words, you could go from five up to a ten in some instances based on that factor alone.

The next factor is the prior history, prior history meaning did this organization have a previous criminal adjudication, civil or administrative adjudication for similar conduct, because if they did, this organization is more culpable than an organization that didn't have this prior record. And so that will increase the culpability points by one or two, primarily based on the recency of this prior adjudication.

This federal offense that the organization is coming into federal court for - is that somehow a violation of a court order or an injunction, or were they on probation and they violated a condition of probation by committing this offense? If so, it's a more culpable organization and that organization will pick up one or two additional culpability points.

And then obstruction of justice. Did somehow this organization obstruct the investigation or the prosecution of this offense? And if that's the case, three culpability points are picked up for that characteristic. I'm sure that it will be mentioned further on in the program, but this is sort of what they refer to as the "stick." In other words, this is where you are going to get punished, the organization gets punished for these characteristics.

But there's also the "carrot," and that's what these next couple of characteristics are, the mitigating characteristics, one being the effective program to prevent and detect violations of law that we've been mentioning already. That subtracts three culpability points, and we're going to talk a lot more about that over the next couple of days.

And then the final characteristic, the organization reporting the offense, cooperating with the authorities in the investigation and accepting responsibility, which often translates into a plea of guilty. Those things can reduce it by five additional culpability points.

So I mentioned you could get the culpability points high and you could get them low, depending on these aggravating or mitigating characteristics. Now Julie, do you want to give us an example, a dollars-and-cents example as to where this culpability may lead?

MS. O'SULLIVAN: This overhead is intended to give you a fairly graphic example of how much these factors can matter to an organization. This is my case of a $10 million contracting fraud. The base fine is $10 million because that's the loss that the government incurred here.

These represent three different assumptions. Assumption one, is ten or more points. Let's say you start, again, with your base of five. Say this particular organization also obstructed justice and acted in violation of a prior order. So they have another three points for obstruction, and two points for violation of an order. That's an additional five points. They end up with ten points for their culpability score.

That translates into multipliers that are going to give you a fine range of $20 to $40 million. Now, you have to recognize that this is in addition to restitution. This is just the punitive aspect. The organization would have been subject to a $10 million restitution order on top of this.

Case two: assume you start off with a base of five and there are no mitigating or aggravating factors. This organization in this circumstance is going to pay a fine of between $10 and $20 million.

Case three: you start off with a base of five points. Say you've got an effective compliance program. That's going to give you a credit of three points. Say, too, you cooperate and accept responsibility. Your culpability score will be zero. The organization's fine is going to be between $0.5 and $2 million. You can see what an enormous difference ten points makes.

What I want to also emphasize is that a culpability score of zero is possible. A score of zero is attainable, especially if one has in place, at this point in time, an effective program to prevent and detect criminal violations, because that will give you an automatic three point credit.

MR. BURRESS: Time is growing short, but we do want to just go back and look at a couple of these culpability factors in just a little bit of detail here over just the next couple of minutes so you're aware as to what these overheads in your materials actually mean. Going back to the first one we're looking at, the level of authority and size of an organization. Again, the level of organization is going to drive, to some degree, what this culpability point assessment will be.

This is assuming in this scenario here, that you have 10,000 employees in the company. If the person who committed the offense or tolerated this offense is, say, the CEO of this company, that's going to be five additional culpability points.

But in the same organization, if the person who is involved in the offense or tolerated the offense was, say, a sales manager, someone who wasn't in a policy making position or in control of the organization but had substantial discretionary authority in this position, then you're going to get two culpability points for that individual.

But now if you have an individual who's not involved, say, in the hierarchy of the organization, say just a sales representative, there will be no culpability point increase in that situation. So the effect on the culpability score by the level of authority is quite significant.

The size of the organization is significant, too. Assuming we have the CEO in each of these scenarios but the size of the organization varies, and we have, say, 10,000 employees. We just saw how that would give us five additional culpability points. But if the organization is smaller, say 200 employees, that would give three additional culpability points. Or a very small organization, say with 25 employees, that would get one additional culpability point. So those two things work in conjunction, both the level of authority and the size of the organization.

MS. O'SULLIVAN: When you're focusing on this factor, you should be aware that the guidelines do not only examine the level of authority of persons actually involved in the offense. They're also examining the level of authority of those persons who tolerated, condoned, or turned a blind eye to the offense, and the pervasiveness of that willful blindness within the organization.

So if a sales representative is the person that actually committed the offense, but persons at higher levels of authority basically condoned it or tolerated it, the organization is going to be assessed more points.

MR. BURRESS: On page seven of your materials we list for you the minimum requirements for having an effective compliance program. In other words, if you want these three culpability points removed, you have to meet the minimum requirements for an effective compliance program.

That means that's what you have to do to get the three culpability points removed. However, you may find that your organization will benefit more by having more than the minimum requirements. Maybe going beyond the minimum requirements is what you need to prevent the violations from occurring. It is certainly better to have no fine than to have a reduced fine.

The final characteristic that we want to look at, and I'll let Julie speak to, is the self-reporting, cooperation, and acceptance of responsibility where you can get a lot of culpability points removed.

MS. O'SULLIVAN: This is another area where the organization can get a lot of credit. You can get five points for self-reporting, but self-reporting is a fairly onerous requirement. You need to act prior to an imminent threat of disclosure of the violation or to a governmental investigation. So before you get the subpoena, and within a reasonable time of finding out about the violation, you must report it to the government. You must also cooperate with the investigation, and there's a lot of discussion as to exactly what cooperation entails, and you must accept responsibility, which usually translates into pleading guilty.

You have to do all those things to get five points. To get two points, you just need to cooperate and to accept responsibility, meaning plead guilty. To get one point, you need to accept responsibility.

You should be aware that there is a certain dove-tailing between these credits. For example, you are more likely to be in a position to claim these points for self-reporting if you have an effective program in place. If you have an effective program in place, presumably the organization will have detected the offense in advance of a governmental investigation and will be in a position to remedy and report it at that point.

MR. BURRESS: We are going to be with you all for today and tomorrow, so if you have any questions in particular, please feel free to talk to us. We look forward to spending time with you during the course of the symposium and thank you all for coming.

The Organizational Guidelines' "Carrot and Stick" Philosophy, and Their Focus on "Effective" Compliance

Win Swenson, Deputy General Counsel/Legislative Counsel, U.S. Sentencing Commission

COMMISSIONER GOLDSMITH: Good morning. My name is Michael Goldsmith. I am a member of the U.S. Sentencing Commission. The next panel is concerned with "The Organizational Guidelines' 'Carrot and Stick' Philosophy, and Their Focus on 'Effective' Compliance." The panel moderator is Win Swenson, who is Deputy General Counsel at the Commission.

Win was responsible for the staff group that developed the basis for the organizational guidelines. He has written several works on the guidelines, including a treatise on organizational sentencing and a series of law review articles on guidelines and guidelines implementation. He continues to oversee our staff group charged with studying organizational sentencing. Win?



A. The previous presentation (Burress and O'Sullivan) summarized key features of the organizational guidelines. Implicit in these guideline features is a "carrot and stick" structure: companies that 1) fail to take certain actions (e.g., establish strong compliance programs, voluntarily disclose misconduct, fully cooperate in the investigation of the misconduct) and 2) have attributes indicating greater institutional culpability for misconduct (e.g., had senior corporate officials involved in the offense, or had employees obstruct justice) face stiff penalties in the event of a violation. Companies that take the prescribed steps, and do not evince attributes of greater institutional culpability, will avoid onerous penalties should a violation happen to occur.

B. In this presentation, I will attempt to set the stage for those that follow by examining three questions:

1) What is the origin of the Commission's "carrot and stick" corporate sentencing philosophy - and, relatedly, how does this philosophy contrast with prior practice?

2) What were the Sentencing Commission's objectives in establishing the carrot and stick approach?

3) How does an understanding of these Sentencing Commission objectives help one understand the definition of a guideline-qualifying compliance program - i.e., "an effective program to prevent and detect violations of law?"

II. Question One: What Is the Origin of the Commission's "Carrot and Stick" Corporate Sentencing Philosophy, and How Does this Philosophy Contrast with Prior Practice?

A. Prior to the guidelines the practice of sentencing corporations lacked a coherent, consistent rationale.

1) Court decisions demonstrated that judges truly were struggling to find meaningful ways to sanction corporations. See, e.g., United States v. Allegheny Bottling Co., 695 F. Supp. 856 (E.D. Va. 1988) (corporation sentenced to a three-year, suspended term of "imprisonment"), rev'd in relevant part, 870 F.2d 656 (4th Cir. 1989) (tbl.). See also United States v. Missouri Valley Constr. Co., 741 F.2d 1542 (8th Cir. 1984) (vacating a condition of probation that required corporate defendants to contribute money to a charitable organization); United States v. John Scher Presents, Inc., 746 F.2d 959 (3d Cir. 1984 ) (vacating condition of probation that corporate defendants use promotional business to raise money for charities designated by the probation office); United States v. Wright Contracting Co., 728 F.2d 648 (4th Cir. 1984) (vacating sentence of probation that imposed charitable contributions); United States v. Mitsubishi Int'l Corp., 677 F.2d 785 (9th Cir. 1982) (upholding a sentence requiring three companies to lend high-level executives' service to charity for one year without compensation and to pay contributions to the same charity); United States v. Arthur, 602 F.2d 660 (4th Cir.) (upholding requirement that white collar defendant accept full-time employment without salary in a charitable organization as part of probation), cert. denied, 444 U.S. 992 (1979); United States v. Clovis Retail Liquor Dealers Trade Ass'n, 540 F.2d 1389 (10th Cir. 1976) (vacating sentence of probation that included financial contribution to county alcoholism council); United States v. Nu-Triumph, Inc., 500 F.2d 594 (9th Cir. 1974) (upholding condition of probation requiring company not to engage in the distribution of pornographic material); United States v. Danilow Pastry Co., 563 F. Supp. 1159 (S.D.N.Y. 1983) (requiring bakery companies to donate fresh baked goods to specified charitable organizations).

2) Scholars also disagreed about how best to respond to corporate violations. See, e.g., Kip Schlegel, Just Deserts For Corporate Criminals (1990) (endorsing the application of the"just deserts" theory, which mandates that the punishment reflect the seriousness of the offense, to corporate crime); Michael K. Block & Joseph G. Sidak, The Cost of Antitrust Deterrence: Why Not Hang a Price Fixer Now and Then?, 68 Geo. L.J. 1131 (1980) (arguing that threatening antitrust violators "with exorbitant economic penalties that have only a minimal probability of being enforced" is not the optimal solution); John C. Coffee, Jr., Corporate Crime and Punishment: A Non-Chicago View of the Economics of Criminal Sanctions, 17 Am. Crim. L. Rev. 419 (1980) (arguing that "fines are an inefficient means by which to deter organizational crimes"); Brent Fisse, Reconstructing Corporate Criminal Law: Deterrence, Retribution, Fault, and Sanctions, 56 S. Cal. L. Rev. 1141 (1983) (arguing that the punishment for corporate criminals should not be limited to fines); Richard A. Posner, Optimal Sentences for White-Collar Criminals, 17 Am. Crim. L. Rev. 409 (1980) (arguing that a sufficiently large fine for white-collar crime is socially preferable to imprisonment); Andrew von Hirsch, Desert and White-Collar Criminality: A Response to Dr. Braithwaite, 73 J. Crim. L. & Criminology 1164 (1982) (arguing that "white-collar crimes should have a pyramidal structure of seriousness similar to that of ordinary crimes").

3) Empirical research of corporate sentencing practices conducted by the Sentencing Commission showed that corporate sentencing was in disarray. First, the Commission found that nearly identical cases were treated differently. Thus, there was evidence of disparity in corporate sentencing. Second, while some fines appeared quite high, the average fines were meaninglessly low. By that I mean that fines appeared to be, on average, less than the cost corporations had to pay to obey the law. See Mark A. Cohen et al., Report on Sentencing of Organizations in the Federal Courts, 1984-1987, in U.S. Sentencing Commission Discussion Materials on Organizational Sanctions at 7-11, 21 (tbl. 9). See also Ilene H. Nagel & Winthrop M. Swenson, The Federal Sentencing Guidelines For Corporations: Their Development, Theoretical Underpinnings, and Some thoughts About Their Future, 71 Wash. U. L.Q. 205, 215 (1993). This seemed to raise the specter that corporate crime did in fact "pay," as some had historically claimed.

B. Because the government's approach to corporate crime enforcement was managed by so many distinct entities and personalities, See generally Marshall B. Clinard et al., U.S. Dep't of Justice, Illegal Corporate Behavior 37 (1979) (stating that the regulatory agencies responsible for enforcement do not adequately coordinate their activities). it was difficult to make out what the government's policy was in all this. One thing clear was that the government's corporate crime enforcement policy often got mired in litigation. In very simple terms, you might say that the prevailing system was characterized by "speed trap enforcement" and a "circle the wagons" corporate response.

1) By "speed trap enforcement" I mean that the government's policy toward corporate crime often seemed reducible to that of the many state police forces out on the national highways. State police departments accept the fact that in all of the millions of miles of national highway there are only so many trees, grassy knolls, and dips in the road in which they can hide the limited number of patrol cars they have. So, they pick the best spots, turn on the best radar equipment they can requisition, and wait for unwary lawbreakers that happen by those spots. One can argue that the government engaged in a similar policy toward corporate lawbreakers - substantial resources were put into catching corporate lawbreakers, but little effort was put into providing a meaningful response to these violators. And, just as with speed traps, the enforcement community simply accepted the fact that for every one they nabbed, many more went sailing by somewhere else. See id. at 35-36 (discussing limitations of enforcement efforts).

2) This rather bare-bones enforcement policy toward corporate crime, in turn, fostered a "circle the wagons" response by many transgressing corporations. This was because companies often perceived little incentive to respond any other way.

(a) First, corporate decisionmakers could not know what penalties they would be facing because corporate penalties - just like fines from speeding tickets among the many jurisdictions around the country - were not imposed in any predictable way; they depended mostly on where the transgression occurred and the unpredictable proclivities of individual prosecutors and judges.

(b) Second, there was no guarantee that a company's cooperation with the authorities or its demonstration of extenuating facts - such as significant compliance efforts - would better the company's predicament. It was easy for companies to rationalize in this environment that the safest response was: "circle the wagons" and fight back - that is, litigate - for all your worth.

C. Meanwhile - and surprisingly given the state of things - many representatives of the business community argued that the Commission should ignore corporate sentencing altogether and leave the prevailing system as it was. They cited evidence that Congress's creation of the Sentencing Commission was motivated more by concerns over the sentencing of individuals than of corporations.

D. Given the lack of coherence in prevailing corporate sentencing practices and what most commissioners concluded was a broad, but definite, mandate from Congress to improve sentencing practices where they could, See Nagel & Swenson, supra note 3, at 214. the Commission decided to plow forward.

E. However, concluding that current corporate sentencing was in need of improvement begged an even more important question: could the Commission fashion a corporate sentencing policy that was any better? The Commission ultimately concluded that the answer was yes, but it is critical to recognize that this was not a foregone conclusion. For detailed discussions of the history of how the organizational guidelines were developed, see Nolan Ezra Clark, Corporate Sentencing Guidelines: Drafting History, in Compliance Programs and the Corporate Sentencing Guidelines: Preventing Criminal and Civil Liability 2:01-2:06 (Jeffrey M. Kaplan et al. eds., 1994). See also Nagel & Swenson, supra note 3, at 217-51.

1) The Commission's early forays into the development of organizational guidelines reflected little of the carrot and stick philosophy the Commission ultimately came to adopt.

2) For example, the first model the Commission considered - a so-called "optimal penalties" approach - relied on a formula to produce what theory said should be perfectly calibrated fines. The theory was that these perfectly calibrated fines would, in turn, bring about perfectly efficient crime-avoiding responses by corporations. Under the approach, fines were to be set according to this formula: the optimal fine = monetized harm (i.e., loss) probability of conviction.

3) This approach was really an idealized version of the pre-existing, "speed trap" approach to corporate crime enforcement. It assumed that government policy need be little more than a commitment to catch some corporate wrongdoers and fine them. Fines for the unlucky corporations that were caught would then be set in inverse relationship to the likelihood of being caught, and corporate managers - carefully, coldly scrutinizing these perfectly calibrated fines and concluding that crime could not pay - would rationally choose, instead, to spend resources obeying the law.

4) As it did with a variety of approaches over the next few years, the Commission rejected this approach and moved on. Overall, the process of developing organizational guidelines spanned five years, produced numerous official and informal drafts and generated mountains of public comment.

F. Ultimately the "carrot and stick" approach seemed to emerge from the Commission's acceptance of three facts:

1) Fact One: Vicarious liability means not all corporate defendants are alike - The Commission came to recognize that the doctrine of vicarious criminal liability for corporations operates in such a way that very different kinds of corporations can be convicted of crimes; from companies whose managers did everything reasonably possible to prevent and uncover wrongdoing, but whose employees broke the law anyway, to companies whose managers encouraged or directed the wrongdoing.

2) Fact Two: Responsible corporate actions can foster crime control - The second key fact the Commission came to embrace was that actions by corporate managers can significantly reduce the likelihood and impact of corporate crime. Voluntary disclosure and cooperation by a company mean, for example, that harms caused by the company will be rectified and individuals within the company will be identified and held accountable. Similarly, strong corporate compliance efforts hold out the promise of fewer violations in the first instance and greater detection and remediation of offenses when they occur.

3) Fact Three: Mandatory guidelines can create incentives - Finally, the Commission recognized that because guideline penalties are essentially mandatory and therefore predictable, penalties tied to how well a corporate defendant had undertaken specified crime-controlling actions would create incentives for companies to take those actions. With a guideline system, corporate managers would know - unlike the situation in the pre-guideline era - that their "good citizen" actions would make a difference in terms of the company's exposure to penalties. Good citizen actions, low penalties. Failure to take such actions, high penalties - "carrot and stick."

III. Question Two: What Were the Sentencing Commission's Objectives in Establishing the Carrot and Stick Approach?

A. The Commission had three principal and related objectives in structuring the organizational guidelines as it did.

1) Objective One: Define a model for good corporate citizenship - The first objective was to define a model for corporate action that would exemplify "good corporate citizenship" with respect to the narrow issue of law abidance. The Commission, for example, did not try to draft a broad model for corporate social responsibility. Cf. Edward Petry, Should the Government Create a Corporate Model for Social Responsibility?, 4 Center for Bus. Ethics News (Bentley C., Waltham, Mass.), Summer 1995, at 3.

2) Objective Two: Use the model to make corporate sentencing fair - The second objective was to incorporate this model into the guidelines so that corporate sentencing would be more fair. Penalties would go up and down depending on objective, defined criteria that would reflect a corporation's true culpability for criminal conduct.

3) Objective Three: Use the model to create incentives for companies to take crime controlling actions - The third objective was to create the incentives for good corporate citizenship that I mentioned before - incentives for corporations to undertake crime-controlling measures that, in turn, satisfy the Commission's model of good corporate citizenship.

4) This final objective marks a significant departure from the "speed trap" enforcement policy of the past. Under the new approach, the enforcement policy is something more than just "lie and wait" and impose a fine. The new policy is interactive. Companies take actions to join the fight against corporate crime and government responds by significantly limiting potential penalties for the companies that do. Limited government enforcement resources are augmented by the potentially highly effective efforts of companies themselves.

IV. Question Three: How Does Understanding this Last Objective - i.e., the Goal to Have Companies Themselves Undertake Effective, Crime - Controlling Actions - Help One Understand the Definition of Qualifying Compliance Program under the Guidelines?

A. An understanding of this objective makes clear what the Commission had in mind in defining an "effective" compliance program under the guidelines: the Commission wanted companies to use some reasonable degree of diligence and ingenuity to devise compliance programs that actually work. Put another way, the often-cited seven steps in the definition of an "effective" compliance program should not be viewed as a superficial check-list requiring little analysis or thought.

B. The actual guidelines definition of an "effective program to prevent and detect violations of law" support this interpretation. To begin with the "seven steps" are only one part of a four-part definition. For further discussion of the definition, see Winthrop M. Swenson, An Effective Program to Prevent and Detect Violations of Law, in Compliance Programs and the Corporate Sentencing Guidelines: Preventing Criminal and Civil Liability 4:06-4:08 (Jeffrey M. Kaplan et al. eds., 1994).

1) The definition begins with a paragraph of general criteria that includes what might be called the definition's baseline requirement: a qualifying compliance program is one that has been "designed, implemented, and enforced so that it generally will be effective." U.S.S.G. 8A1.2, comment. (n.(3)(k)) (emphasis added). To establish such a program, the introductory commentary continues, the company must exercise "diligence."

2) The seven steps constitute the second part of the definition. What is especially important to recognize is that the seven steps are drafted somewhat generally. Each step can be satisfied by a range of possible approaches. Finally, the definitional commentary stresses that the seven steps are the "minimum" steps required . Id. Thus, by their own terms the seven steps are drafted to imply a framework, not a highly specific course of action that companies can simply "adopt."

3) The third part of the definition stresses that the particular features of the company - its size, its areas of risk (due to the kinds of business in which it is engaged), and its prior history all must be given close attention in determining the "precise actions necessary" for an effective program. Id.

4) Finally, the definition concludes with a sentence instructing that a company must look to its external environment - to compliance standards met by others in the company's industry and to any relevant regulatory requirements - to ensure that its program measures up.

V. Conclusion

A. The definition of an "effective" compliance program does not envision that the process of developing a creditworthy program will be a passive one. You might say that - within reasonable and appropriate limits - the Commission wanted companies to "struggle" a bit to learn what works, tailor what are found to be generally effective approaches to their own particular circumstances, and continuously evaluate their unique compliance experiences to refine their approaches to compliance.

B. This is all part of the shift in enforcement policy that I described before. At its heart the new policy contemplates a kind of compact between government and the private sector so that our collective response to corporate crime can be made more effective.

C. Thus, over the next two days, we will look at how companies are engaging in this "struggle" to make compliance work, and what mechanisms they are creating to share "best practices" information.

This afternoon's concurrent sessions recognize the inherent flexibility in the guidelines' definition of an "effective" compliance program. In Session A, we will look at new external standards for effective compliance approaches that are being proposed to provide additional guidance to practitioners in this area.

In Session B, we will examine how the guidelines should be read to embrace a variety of approaches that prove effective, even when those approaches are not explicitly mentioned by the guidelines. This session is particularly relevant to those who have questioned whether good corporate conduct is better supported through a values or ethics-based approach than a "law-centered" one.

Finally, during the course of symposium, we will examine whether and how the government's role in this new enforcement approach to corporate crime can be improved.

D. When the Commission drafted the organizational guidelines, it basically took the title of this symposium and divided it into a question and an answer. The question was, "How should we respond to corporate crime in America?" The answer the Commission arrived at was, "Strengthen the 'good citizen' corporation." The implications of this answer are what this conference is about.

Where Theory and Reality Converge: Three Corporate Experiences in Developing "Effective" Compliance Programs

Kenneth D. Martin, Senior Corporate Counsel, Sundstrand Corp.

Herbert L. Thornhill, Jr., Deputy Counsel, Bank of Tokyo

John A. Meyers, Senior Vice President and Associate General Counsel, Tenet Healthcare Corp.

Moderator: Jeffrey M. Kaplan, Arkin Schaffer & Supino

Corporate Crime in America: Strengthening the "Good Citizen" Corporation

MR. SWENSON: I'm going to let our panel moderator introduce our next panel, but let me introduce our panel moderator very briefly.

Jeff Kaplan may be known to many of you. By background and training, he's a criminal defense attorney, but you may know him as one of the most prolific, energetic, and I would say creative writers on compliance issues who is out writing on these issues at all. He has written on compliance issues in just a vast range of arenas, everything from banking, insurance, environmental. He is also a co-editor of a book called Compliance Programs and the Corporate Sentencing Guidelines.

We are particularly glad to have him here as a panel moderator, but I should also tell you that he was useful to us not simply to be here to moderate this panel but also in helping us think about how we ought to approach it. So without further adieu, let me turn it over to Jeff Kaplan. Thank you.

MR. KAPLAN: Judge Wilkins, the former Chairman of the Sentencing Commission Commission, has described the organizational guidelines' carrot and stick approach as developmental, an invitation to shield against potential liability with well-designed and rigorously-implemented compliance systems. This panel will explore the compliance system design and implementation experiences of companies from three industries: defense contracting, in the case of Sundstrand Corporation; financial services, in the case of Bank of Tokyo, Limited; and for health care, Tenet Healthcare Corporation.

More than for their business areas, however, these three companies were chosen for this panel because each one's experience suggests in compelling but very different ways the importance of accepting the invitation that Judge Wilkins described.

By the time the organizational guidelines went into effect in 1991, Sundstrand Corporation, due in part to an earlier prosecution and in part to reforms in the defense contracting industry generally, had already implemented a significant compliance program. Nonetheless, using the guidelines' articulation of an effective program to prevent and detect violations of law, the company expanded and improved its program in many respects. One such reform, the "Responsible Executive" feature, became a model for various other companies' compliance programs.

Sundstrand's experience thus illustrates that even for compliance-sophisticated corporations, accepting the Commission's invitation by revising a program based upon the guidelines' articulation of an effective compliance program, what Joe Murphy of Bell Atlantic has called the new standard of accountability, can be most useful.

Although the Bank of Tokyo had instituted compliance policies and procedures before the advent of the organizational guidelines, it had had no traumatic experience to cause it to create a comprehensive program. It did, however, face a wide variety of compliance-related needs arising from various legal and regulatory mandates.

For the bank, the guidelines' articulation of an effective program to prevent and detect violations of law offered what Herb Thornhill calls a road map to coordinate its many compliance efforts. The bank has, indeed, found that using this articulation to structure its overall program provides significant efficiencies and cost savings.

A second lesson, then, is that for those creating as well as those modifying an overall program, the guidelines are a sound place to start. The experience of Tenet Healthcare Corporation offers a very different lesson, a "Ghost of Christmas Yet to Come," if you will, for those who might decline the invitation of the guidelines. Tenet, previously known as National Medical Enterprises, was the subject of the costliest prosecution ever for health care-related fraud.

Although the company's General Hospitals Group had developed a significant compliance program, its separately-managed Specialty Hospitals Group had not; and, as part of its settlement of the government's investigations, the company as a whole was compelled to adopt compliance measures more onerous than those typically found in a truly voluntary program.

Because the guidelines may require organizations to adopt a compliance program as a condition of probation, as was described in our first session today, Tenet's experience with what might be called "forced compliance" suggests just how unhappy living with a compliance program instituted under probation might be.

In sum, then, organizations that fail to develop and implement programs in the spirit of the first two companies featured in today's panel and in the spirit of Judge Wilkins's invitation may someday share the fate of the third.

Tenet's experience, however, may carry lessons for the government as well as the business community. Just as Judge Wilkins cautioned that the guidelines approach is developmental, so John Meyers of Tenet notes that the science of compliance is still very much in its infancy. John's frank criticisms of some of the obligations imposed on Tenet, a quarrel with the means, not the ends, will, I hope, be a part of a process of continuously analyzing what actually works in this new science of compliance.

Finally, a necessary disclaimer. In no way was the selection of these companies meant to serve anything other than an illustrative purpose. No Sentencing Commission approval, condemnation, or anything in between obviously should be assumed from their selection.


MR. KAPLAN: Our first speaker is Ken Martin. Ken received his law degree from Duquesne University School of Law. Prior to working at Sundstrand, he worked at Morton Thiokol with the U.S. Navy's Office of General Counsel, the U.S. Army Communications Electronics Command, and the U.S. Army Judge Advocate General Corps.

He joined Sundstrand in 1985, where he is currently responsible for providing legal advice in support to Sundstrand's business operations, particularly in the field of government contracts, compliance program activities, and intellectual property. He is a National Contract Management Association fellow, currently holding the NCMA position of Functional Director, Legal. Ken?

MR. MARTIN: Good morning, everyone. I have some overheads, if we can start with the first one, please.

Thanks very much for the opportunity to be here today, particularly for the invitation from the Sentencing Commission and Win Swenson and Jeff Kaplan, although I have to say I think it might not be a good idea to be here when the title of the conference is "Corporate Crime in America." What I thought I'd try to do in the time that we have allotted is first give you a little bit of an idea of the backdrop of Sundstrand's compliance program as it existed before the sentencing guidelines came into effect and then what the sentencing guidelines meant or what our reaction to the guidelines was. May I have the next overhead, please?

This first chart gives you a rough organizational idea of what our top-level compliance and ethics structure is. We have consciously chosen compliance and ethics in the sense that we try to cover both compliance with law as well as values and ethical standards.

To try to put a little context into the Sundstrand discussion, Sundstrand is a Fortune 500 corporation. We do about $1.4 billion a year in sales. We have about 10,000 employees. Most of them are in the United States, but we do have a significant number in some overseas locations and some plants and facilities in overseas locations.

We have two segments of the company, an aerospace segment and an industrial segment. Virtually all of the government business is on the aerospace side. The dollars are roughly split 50-50 between the two parts of the company. So one of the things, even though the focus of the discussion is government contracts, from a Sundstrand point of view, in today's environment, we are definitely a lot more than just a government contractor in terms of worrying about compliance issues.

We have a focus on trying to develop international business, which we believe has some obvious compliance implications, and our products range from construction compressors that you may see by the side of the road to the little pumps in your ice machines in the hotel here all the way up to aircraft electric power systems and torpedo motors. So we have a pretty wide range of different types of products and different types of markets that we have to contend with.

Our program, the Sundstrand Business Conduct and Ethics program, originated as a formal program in the late 1980s time frame, and it was principally in the context of a major fraud investigation relating to government contracts. The results of that investigation led to a payback of about $200 million, a three-year probation period, primarily under the auspices of the Department of Defense, and essentially many changes in terms of the senior management of the company and many other managers and employees at lower levels. So a fairly traumatic circumstance led to the establishment of the formal program that we started with.

At the time, nobody exactly knew what a compliance program was all about. The Defense Industry Initiative (DII) began around that time with Alan Yuspeh and some other industry leaders coming up with what industry, at least the defense industry, thought might be some guidelines. And until the sentencing guidelines came out, we principally operated under guidelines that were sort of developed by industry for themselves, to a certain extent supplemented by Department of Defense criteria or standards as to what they thought some relevant factors for a compliance program were; and that's where we went from the late 1980s until 1991 or 1992.

As an overview comment, how compliance is perceived within the company is, I think, a gut reaction. Sundstrand is a good old solid Midwest company. Most of the people are good solid Midwest people who believe in ethics and believe in values, so I think, overall, compliance and ethics are viewed as a business strength in the sense that if you don't have that kind of a program or that kind of a workforce, you're just not going to be viewed as a reputable supplier or a worthy business partner. So in an overall sense, that's the general attitude.

But then, of course, you get into the carrot and stick discussion and how the sentencing guidelines specifically are viewed, which I'll address a little bit later.

This chart shows that we have some high-level support and commitment from within the company, starting with the board of directors and the CEO of the company. The next chart, please?

The next few charts are just kind of a "gee whiz" listing of some of the key features of our program. For those of you who have programs, I would be surprised if there are any big surprises on this list. We think we have top-management commitment. We do have a code of conduct. We try to iterate that code about every three years, just to keep it fresh, put it in a different format. The basic message doesn't change unless there are some startling new laws or regulations that have come out on the books.

And, we also have gone through a lot of effort to try to internationalize the code and have it printed in various foreign languages to make it fit not only a domestic U.S. environment but overseas environments, as well.

We have a full-time Director of Business Conduct and Ethics. The person selected for that job has always been selected on the basis of being a fairly long-term employee, well known, well respected by the employees, someone that a lot of people would just know off the top of their head as a good person, a good role model. We have a specific government audit group in our internal audit department that has an expertise in looking at government contracts and government regulatory issues.

We have, in addition to the corporate ethics committee, other committees located at every one of our plants and facilities, a total of about 26 committees, and most of those committees include line worker and union representation where we have unionized plants, because we have also found that, at least for our environment, a key to success is to try to win the hearts and minds of all levels of employees and give all levels of employees an opportunity to participate and feel that they are a part of this process and this program.

As I mentioned, we are also a signatory to DII, the Defense Industry Initiative, and we think that that has been a particularly good forum to talk about and discuss best practices in terms of a compliance and ethics program.

Our corporate ethics committee has some responsibilities which are pretty broad ranging. Its job is to really set the pace for what the compliance and ethics program and policies will be. I don't think we need to repeat anything here. I think the critical factor is developing corporate-wide policies and that's how the committee views itself.

Our ethics director runs an ethics department and this is a short list of what the mission, at least what our ethics director perceives his mission to be. I think the short way of saying this is that his principal job is to continuously improve the program and to continuously assess its health in the best way that you can. Obviously, a lot of this is subjective, but you try to look at some indicators that give you some idea of whether the thing is working or not working and where you need to improve it.

You will also notice, if you look down a lot of those bullets, certainly the second bullet and the last two bullets, a lot of focus on how the employees feel about the program or how they regard the program, and I would put all of those bullets in the category of working on gaining employee trust and confidence, that the company is serious about this, that we mean what we say.

And I think for a lot of people in the room, the rubber really hits the road when you get a live allegation and all people involved in that process need to feel that it's going to be handled in a very confidential business-like manner and that everybody is not going to be roasted and fried just because your name happened to come up in the context of an ethics allegation.

These next two charts are just to try to give you a feel for some of the statistics that we keep or metrics that try to give us some indicators of what's going on in the program. This chart is just a list of the total number of contacts that our ethics director got for the second quarter of 1995. The total number of contacts is somewhere in the neighborhood of 100, 110 or 120, and I believe that these rough breakdowns are probably not too dissimilar from the experience of a lot of other companies.

We have our ethics director and our hotline available for any and all questions. We don't try to tell employees, only call if you have a compliance or a legal concern, so that's why you see a lot of human resources type of contacts. We get the calls where somebody says, "I thought I should have gotten a higher pay raise," and we funnel those off into the HR department. But the object of the program is to take every and all calls, any and all concerns, and this is a place you can call if you don't want to talk to your boss about it or you don't think that your supervisor is the right channel. It tries to take the sting out of asking questions.

Percent of anonymous contacts - we happen to think that this is a relevant indicator of the health of the program, only in the sense that this is some sort of measure of employees' trust and confidence; that is, when they call to ask a question or to question something that they have seen going on, how hesitant are they to identify who they are and where they work?

Our experience has been the trend that you see, and just to satisfy you that we're not playing games with numbers, the total number of contacts has remained constant over that time frame, so that trend is not just a function of reductions in force or selling divisions or any radical changes in the structure of the company. It's a true trend, and we may be kidding ourselves, but again, we think that that's one factor that may indicate how comfortable your people feel with the confidence and the treatment they're going to get under the program.

And now to move into what happened when the sentencing guidelines came into force, or life after the sentencing guidelines, I guess you could say when the sentencing guidelines became effective, I would be less than candid if I stood up here and told you that everybody in the executive office said, "Wow, this is really a great idea. Why didn't we do this sooner?"

That was not the prevailing reaction because the executive office grasped real fast the carrot and stick concept. So I think in the category of how do companies like these guidelines, things are either necessary, a necessary evil, or just evil, and my guess is the sentencing guidelines are perceived as somewhere in the necessary evil category, but it's also something that you have to recognize. You can't just do nothing and stand there naked.

So the decision that was made was we would incorporate sentencing guidelines considerations into our program. We did not view the guidelines as a program all by themselves. They were a guide as to factors that we should add to our program.

And I think the reception to this carrot and stick thing is, I don't know whether you ever noticed, but sometimes a carrot can sure look like a stick, but I don't think a stick ever looks like a carrot. There's a healthy slug of that, that this thing is to be viewed with a little trepidation because, again, senior managers read the newspapers, too, and they realize that this whole thing is maybe just another invention of all these lawyers that represents another blow to the safety of their species.

So we try to caveat it, and what are the benefits that come out of the sentencing guidelines, and we think there are some benefits. We thought that the principal benefits of the sentencing guidelines were that they clearly illustrate that compliance for a company like Sundstrand is not just government contracts, because one of the big albatrosses that we had around our neck after the situation we went through is that most employees thought that all this "compliance stuff" was just government contracts. It was you guys in government contracts that got us into this mess and all of us people out here in the rest of the company, we don't have anything to do with government contracts so we don't have to worry about compliance.

So obviously, one of the real messages in the guidelines is that it's a violation of any federal law, and certainly, a company the size of Sundstrand runs across virtually every wicket there is in terms of the alphabet soup of regulatory agencies.

We also thought it was a plus that the standards clearly set forth some due diligence standards, and that's how we refer to them in Sundstrand, the seven criteria. They are due diligence standards, and they are defined by the government, so they are at least some sort of an official starting point that says, to managers particularly, if you do these kinds of things and if we do these kinds of things as a company, if all is right in the world, we should be okay or at least relatively okay, even in the face of a maverick employee or a bad apple or whatever you want to call it that has gone against what we perceive as important standards to be followed.

Being an attorney in the company, I don't know how many people I've had come to me and ask me, what does due diligence mean? And when you sit down and try to go through a discussion of defining due diligence, sometimes it's pretty hard. We think the sentencing guidelines help that process because at least there's some starting point that says, well, the Sentencing Commission has said if our program has these things and if you do these things, again, all else being equal, that should be deemed as due diligence.

The other perspective we had on the guidelines is that we view the guidelines as principally a matter of proof and evidence, in the sense that if we are reading the guidelines the right way, if something happens in 1995 that represents a violation of law, it's not exactly like Win was talking about with a speed trap. When you get a ticket, you get ticketed right on the spot. You're apprehended at the time the offense is committed.

Well, in the environment that we're in with white collar crime, it doesn't happen that way. It's usually three, four, five years later down the road, and so to us, the problem statement was, if something happens in 1995 and we're in front of a judge in the year 2000, how do we prove what our program was in 1995 that says we had an effective compliance program at the time and that this thing happened in spite of good efforts?

I'll get into a little description of how we addressed that situation, but we saw that as a real issue with the sentencing guidelines, just from a pure statement of how do you prove how good you were in 1995 when the prosecution or the investigation doesn't happen until years later.

I'll slip through these next couple of charts and give you an overview. That first overhead was some of the key features of our program. We went down the sentencing guidelines checklist, and again, this is what Sundstrand thinks are the significant compliance risk areas that we have addressed with our program. That's not all the risk areas from a business point of view. That's what we believe are all the risk areas that could involve some possible likelihood of criminal violations or criminal activity. So we didn't try to cover the whole waterfront of every single issue. And again, that's just our list. That list obviously has to be tailored for a particular company. The next overhead, please?

This is a real eye chart, and I know it's also in your materials. The approach that we came up with to address sentencing guidelines is what we call our "Responsible Executive" program, and for each of those risk areas that was on the previous overhead, we selected one individual in the company, in some cases two individuals, and we selected them to be our responsible executive with principal oversight responsibility for compliance and ethics in that risk area.

And we selected the highest-level person we could find in the company who had policy-level responsibility for that area, not necessarily operational responsibility but policy-level responsibility, and to that person we said, "You are the responsible executive for this area and it's your job to continuously be sure that our compliance program meets the sentencing guidelines requirements."

What this chart shows is just an example of the government contracts risk area and how we move across this matrix to say that we identify the area of risk. We try to identify what the company policies are that apply in this area. And then the next column is statutes and rules that are the federal statutes or regulations you can trip across in that area, to make sure we've got them covered.

The next column lists the identity of the Responsible Executive. Then the next column lists the functional experts who are the principal supporters of the Responsible Executive in doing a lot of the day-in, day-out compliance function. As you can see, we just try to cover the areas.

We'll just go through the next two charts quickly, under the area of statutes and rules and violations. This just happens to be the list of statutes and rules that we believe could come into play in the government contracts area, and we have a similar list for each of other risk areas, again, just to try to define for ourselves where the traps are for the unwary in terms of laws.

The next one is just another example of how we identified the Responsible Executive and the statutes and rules for the area of securities law compliance. If we could go to the next overhead, please?

For each one of our risk areas, we decided that we needed to have some method of monitoring each of those risk areas and so we came up with this list. The way we use this list is that our internal procedures say that if a risk area is worthy enough to be identified as a risk area, then every one of these monitoring methods should be used in that risk area.

This is not a pick-and-choose list. Again, the standard that we have is every one of these methods should be brought to bear in the risk area if it's important enough to be identified as a risk area, so we try to check ourselves to be sure that we are doing some or all of these things for every risk area. The next overhead, please?

To bring this all together, we ask each Responsible Executive to do an annual review of their particular risk area and make a report on that risk area to the corporate ethics committee. The report is actually made in the form of a volume, a binder, a book, and the report that the Responsible Executive makes is keyed to the seven due diligence standards in the sentencing guidelines, and we have a book for each year.

The idea is we will have retained somewhere back in the files of the law department the books for 1994, the books for 1995, and the books for 1996. So again, if this issue ever comes up - what did you have in place in any particular year to address this particular risk area - the idea would be that we would have something available so we wouldn't have to go back scrambling through files and records and trying to reconstruct what happened three or four or five years earlier.

The form that we ask each Responsible Executive to sign is nothing more than a listing ofthe seven due diligence standards with a check block for yes or no. The idea is that in addition to this form, for each of the questions that are asked, there are backup materials and supplementary materials, examples, training lists, whatever the particular subject happens to be.

So this checklist or assessment form becomes the top cover for the 1995 compliance assessment book, and then underneath this form are the particular materials that the Responsible Executive has pulled together that offer some proof or evidence of what we did to answer this question, which we hope makes the program more than just a paper program, so there's actually some action behind the words.

That summarizes and describes the Sundstrand program. I was glad Win corrected one thing, too. I know when Julie was speaking, I guess I misheard her, because I thought she said that companies today are "nefariously liable" for the acts of their employees. I'm glad Win corrected that it's still "vicariously liable," because I thought there was some new standard that was being put out. Thank you very much.


MR. KAPLAN: Thank you, Ken. Our second presenter is Herb Thornhill. Herb is Deputy Counsel of the Bank of Tokyo, Limited, where he has played a central role in drafting and developing the bank's overall compliance program. Herb has also published and lectured widely on the subject of banking compliance. He's a graduate of Harvard Law School, a former clerk for a federal trial court judge, and worked at Winthrop, Stemson, Putnam, and Roberts before joining the bank. Herb?

MR. THORNHILL: Thanks for the introduction, Mr. Kaplan. As Jeffrey Kaplan just said, my name is Herbert Thornhill, and I work for The Bank of Tokyo, Ltd. in New York in the North American Legal and Public Affairs Office. I have been involved in establishing the overall structure for compliance at The Bank of Tokyo, Ltd.

I have also been involved in putting together compliance statements in specific areas including criminal liability, environmental liability, insider trading, confidentiality, and ethics. I also consult the Bank's Compliance Committee, which is a group of executives at the Bank that manages and oversees our compliance efforts.

What I would like to share with you today is the Bank's experience in the compliance area and how we approached the goal of assembling a compliance program under the federal sentencing guidelines. However, the basic theme that you will hear me repeat from time to time is this: If you start with the federal sentencing guidelines' definition of an effective compliance program, and use it as the guiding force behind your compliance program, you will put together an overall effort that will efficiently and reliably reduce the prospect of civil and criminal liability at your institution.

The Bank of Tokyo, Ltd. has made the federal sentencing guidelines the focal point of its overall compliance effort, and we have gained three basic advantages by doing so. First, as Jeffrey suggested, the federal sentencing guidelines gave us a "road map" for compliance. It was the only source that gave us an overall view of what a compliance program should look like once it is completed.

Second, to the extent that the definition gave us a sense of what a system of compliance should look like, it gave us a means of managing a series of complicated laws and regulations affecting The Bank of Tokyo, Ltd.'s business activities.

And third, the sentencing guidelines gave us a reference point for measuring the success of our compliance program once it was implemented.

Let me tell you something about The Bank of Tokyo, Ltd. and its activities. In terms of assets, The Bank of Tokyo, Ltd. currently has the largest presence of any foreign bank doing business in the United States. That status will continue after we merge with The Mitsubishi Bank, Limited and become the largest bank in the world. At that point, the size of our asset base will be three times that of Citicorp and roughly two-and-one-half times that of The Chase Manhattan Bank after it merges with Chemical Bank.

We have offices and branches throughout the United States in all of the key money centers, including New York, Chicago, San Francisco, Atlanta and Boston. In the greater New York area alone, we have approximately 1,000 employees.

We are a full-service bank, and we offer a range of financial services. Through our California-based affiliate, Union Bank, we are engaged in retail as well as commercial banking. However, our primary focus in the United States is commercial banking. Our activities include corporate banking, trust and fiduciary services, foreign exchange services, capital markets and securities activities.

Let me tell you why compliance has always been important at the Bank. The Bank of Tokyo, Ltd. operates in a highly-regulated industry: the banking industry. In 1990, we did a survey of the regulations and laws that apply to our banking activities. We came up with a list of more than 400 regulations and laws. Everything from lending and taking deposits to the location of our branches to the issues that our board of directors must consider on a regular basis is regulated to one degree or another.

But, many of the regulations we comply with go far beyond banking. Many of them are the same regulations that the organizations represented in the room today have to comply with.

For example, when it comes to export controls and OFAC regulations, the Bank has to be concerned because it is involved in international trade finance. When it comes to environmental liability, we have to be concerned because we are involved in financing real estate development and power projects. We also have to be concerned about insider trading because we receive confidential information about our customers, but, at the same time, we provide securities trading services.

And, finally, because we are a significant employer in the United States, we have to be concerned about EEOC-related regulations.

But, my purpose is not to merely list the laws and regulations that apply to The Bank of Tokyo, Ltd. My point is this. The Bank of Tokyo, Ltd. is concerned with regulations that apply to banking. However, many of the regulations we comply with are not directly related to the banking business. Yet, we have found that the federal sentencing guidelines definition of an effective compliance program is flexible enough to accommodate all of the regulations we face - regardless of whether they are banking-related. Therefore, the sentencing guidelines can act as a focal point for any compliance program for virtually any corporation, regardless of the industry and regardless of the relevant regulations.

In addition to the regulations that I just mentioned, starting in l990, The Bank of Tokyo, Ltd. had to confront a new compliance environment. During the recession of 1989-1992, as you will recall, many savings and loan institutions and banks failed. The response on the regulatory and legislative level was to develop stricter laws and regulations.

But, along with the change on the legislative and regulatory level, we saw a change in the attitudes of prosecutors, examiners, and regulators. As you all know, they became more rigid.

The Bank of Tokyo, Ltd. also had to consider the fact that the Comprehensive Crime Control Act of 1990 and the Financial Institutions Reform, Recovery, and Enforcement Act increased the fines and penalties associated with banking-related offenses. Currently, if you are involved in bank fraud, embezzlement, or bribery, you will face possible fines of up to $1 million and possible imprisonment of up to 30 years.

Under the FDIC Improvement Act of 1991, regulations were promulgated that required banks like The Bank of Tokyo, Ltd. to put in place internal controls for compliance and to establish overall compliance mechanisms to meet federal standards. Moreover, on an annual basis, banks like ours must test their compliance programs and report the results to federal regulators.

We also became subject to a new regulatory system for examining and evaluating the safety and soundness of banks. Under the current system, assessing compliance is a key aspect of the examination process. And, in fact, if a bank has a compliance program that doesn't meet federal standards, its examination rating can be affected adversely.

We also received a flurry of specific pronouncements aimed at a number of issues including money laundering, environmental liability, derivatives trading activities, and real estate appraisals. And finally, on November 1, 1991, the federal sentencing guidelines were adopted.

In response to this new compliance environment, the Bank used the federal sentencing guidelines to guide its compliance efforts for several reasons.

First, the federal sentencing guidelines gave us a clear picture of what a compliance program should look like. We received many directives from several agencies and legislatures. The directives required us, for example, to enhance our anti-money laundering compliance, to make sure that insider trading was addressed, and to ensure that environmental liability was properly managed. But no agency told us how to coordinate all of these directives through an overall compliance program. No one told us how everything should work together.

However, the federal sentencing guidelines gave us a clear picture of what a compliance program should look like and a set of instructions on how to construct a program. Another reason we used the federal sentencing guidelines is that they suggest a flexible structure for managing compliance. We found that virtually every directive we got, whether it was from the U.S. Congress or a regulatory agency or otherwise, could easily fit within the structure that is suggested by the seven elements for compliance under the federal sentencing guidelines. Let me try to illustrate this point.

As you all know, the sentencing guidelines stress several key concepts that should be parts of a compliance program. Number one, clear standards must be effectively communicated to employees. Second, you must establish auditing and monitoring mechanisms that are reliable. Third, you must ensure that discipline is properly enforced. Fourth, you must ensure that your employees are trained properly in the legal and regulatory areas affecting your institution. And, fifth, you must ensure that your effort is properly supervised by senior personnel.

We found that virtually every compliance directive we received, regardless of the source, fit comfortably within the structure that is suggested by the foregoing elements and the other elements contained in the federal sentencing guidelines definition.

An example is the Annunzio-Wiley Anti-Money Laundering Act, which required us to adopt stricter standards on money laundering. In that particular situation, we found that the Act emphasized, number one, proper supervision; number two, training; number three, written policies and statements; and number four, auditing mechanisms.

All of those requirements are already in the federal sentencing guidelines. And, if you put together a structure for compliance based on the guidelines, you will be able to easily introduce any new directive you get into your structure. It's almost like a computer. When you introduce new software to the computer system, you will give your overall computer system greater capability.

The same thing is true for compliance. If you use the federal sentencing guidelines as your overall structure, you will be able to introduce the new directives to your structure to give your compliance program greater capability. This is true because all the terms, all of the seven elements, are universal and generic.

Also, to the extent that the federal sentencing guidelines gave us a sense of an overall structure for coordinating compliance, they put us in a position where we could manage our compliance program effectively, and, therefore, save money. Clearly, saving money is a key concern in managing an effort of this magnitude.

Let me illustrate this point by giving you two basic approaches to compliance. One approach would be to respond to each compliance mandate that your institution faces on an individual basis. Of course, there is a good reason to do this because as soon as a company receives a directive, its first impulse will be to respond to the directive and ensure that the organization is protected.

On the other hand, if this approach is taken, an organization eventually will be left with a series of unconnected compliance objectives. They will not be coordinated. There will be a haphazard quality to the organization's overall compliance effort. However, if you use the structure for compliance suggested by the sentencing guidelines, you will have a well-managed coordinating structure, and you will be in a position to save money.

Finally, the reality of sustaining huge fines and perhaps a loss of reputation was important for The Bank of Tokyo, Ltd., as it would be for any institution. However, because we deal in large-dollar transactions, and the fines associated with large-dollar transactions are higher than others imposed under the federal sentencing guidelines, we realized that we had to take the guidelines very seriously. Also, many of the offenses associated with banking-related activities carry higher penalties under the federal sentencing guidelines than do other types of offenses.

The Bank of Tokyo, Ltd. has used the approach suggested by the guidelines. We believe in it. But, other banks have used the approach, and they believe in it also. On an annual basis, I work with Mr. Thomas Santiago of the International Bank Study Center, "IBSC," in New York to assemble a presentation for foreign banks on banking compliance.

At the first seminar, Jeffrey Kaplan was a key speaker, and he underscored the importance of using the federal sentencing guidelines as a starting point for assembling your compliance program. That message was well-received by the audience when Jeffrey delivered it originally, and continued to be well-received at each presentation that followed.

Moreover, one of the corporations that attended the original program, the Canadian Imperial Bank of Commerce, "CIBC," adopted a federal sentencing guidelines approach, put it into practice, and received such favorable results that I asked Mr. Eric Young of CIBC to join the panel to illustrate CIBC's experience. But it is not only CIBC. Several other New York-area banks have begun to use the guidelines as a foundation for their overall compliance efforts.

Further, state and federal banking agencies that attended the IBSC presentations remarked that starting your compliance program based on the federal sentencing guidelines represents a sound approach to compliance.

Finally, I would like to leave you with a sense of some of the other advantages that you can gain if you use the federal sentencing guidelines as the basis for your overall compliance effort. As you go through the process of constructing and managing a compliance program, you will have to focus on particular areas of your program at particular times. At one point, it will be important to write policy statements. At another time, it will be necessary to strengthen your auditing and monitoring mechanisms. An unfortunate result is that you may lose sight of your fundamental goals.

We found that the federal sentencing guidelines gave us a reference point that we could always refer back to and which allowed us to see the forest for all the trees. As a result, you can use the federal sentencing guidelines definition to evaluate your progress. The guidelines also provide a measuring stick for evaluating where a program is strong and where it is weak; where more resources are necessary and where efforts are sufficient. Another valuable aspect of the federal sentencing guidelines is that they provide an idea of how to prioritize your approach to dealing with a myriad of regulations and laws.

The Bank of Tokyo, Ltd., as I told you, has more than 400 areas of law and regulation that it has to comply with on a regular basis. When we started our compliance effort, the guidelines gave us a sense of how to prioritize our efforts. We focused efforts where our primary business activities were. We focused on where we were likely to run into problems. And, we focused on those laws and regulations that were likely to carry high penalties.

Also, the federal sentencing guidelines' definition allowed us to visualize how various departments would participate in our compliance effort. For example, by looking at the definition, we identified the need to put together written compliance statements. That task seemed to be a project well-suited for our Legal Office.

Similarly, auditing and monitoring mechanism requirements were easy to delegate because we already have internal auditors, and we simply added a new dimension to what they already do. We found that the federal sentencing guidelines' definition was valuable for another reason. It allowed us to keep the attention of employees when it comes to compliance efforts. The mere fact that you can sustain fines that have been estimated to be $290 million and more helps to keep priorities focused on compliance.

If you come away from my speech with one thought, I would hope that it is this one. The federal sentencing guidelines are the key place to start in constructing your program. They give you a clear picture of where you should be once you have established a compliance program. The definition is flexible enough to accommodate virtually any law or regulation you may face. The guidelines worked for The Bank of Tokyo, Ltd., they worked for the Canadian Imperial Bank Commerce, and I think they will work for many of the other corporations that are represented here today. Thank you very much.


MR. KAPLAN: Our final presenter in this panel is John Meyers. John has practiced domestically and internationally in the health care field for over 20 years. He is now a partner in the Los Angeles office of Katten, Muchin, Zavis, where he's a member of the health care department. Prior to this and until recently, John was Senior Vice President, Associate General Counsel, and Special Counsel to the CEO of Tenet Healthcare Corporation, which was formerly known as National Medical Enterprises.

He received his law degree from UCLA, is a member of various bar associations, and has spoken and published widely on health care issues. John?

MR. MEYERS: Tenet Healthcare Corporation is a $5.6 billion revenue enterprise and is the result of a March 1995 combination of the former American Medical Holdings and National Medical Enterprises. It is now the second largest publicly-traded hospital owner and operator.

Prior to the combination, a three-year trauma commenced in 1991 for NME as its psychiatric hospitals were the target of one of the most thorough-going federal investigations in health care history. NME had been founded in 1968 and owned and operated or managed diverse activities within the health care industry, including acute hospitals, rehabilitation hospitals, nursing homes, other specialty hospitals, as well as clinics, physician practices, and HMO and other provider-related activities.

NME operated in six states and in four countries and had over 30,000 employees. The psychiatric and substance abuse facilities were separately operated through the NME specialty group under the name Psychiatric Institutes of America, headquartered here in Washington, D.C.

In August of 1993, the federal investigators searched a number of NME facilities, including its California headquarters. Certain NME affiliates were charged under information filed by the United States with a series of acts which essentially amounted to the following kinds of violations. First, billing fraud. Second, improper payments to induce referrals. Third, improper waiver of copayments and deductibles.

As a result of the information and investigations, payments in civil settlements to 19 insurers amounted to about $215 million. The corporation suspended dividends in December of 1993 to conserve cash to pay over an additional $360 million to conclude federal investigations and to settle additional claims, and lest one think that these fines were severe, whether denominated as restitution or as fines, the judgment of the markets was even harsher. NME stock fell from a high of about 26 to under seven in trading on 180 million shares outstanding.

The three founders of the corporation departed, its board composition was changed so as to be thoroughly dominated by outside directors, and most of NME's 80 or so psychiatric facilities have now been sold or closed, along with more than 40 physical rehabilitation hospitals and outpatient clinics not on acute care hospital campuses.

Certain NME affiliates also entered into plea agreements and a civil and administrative settlement with the United States, which included, among other matters, the corporate integrity program, a program designed to be an effective program to prevent and detect future violations of law. The CIP agreement, I would like to have included in the materials, but its length of some 20 pages prohibited that. It is available through my offices, or if you would like to give me your card, I can give it to you.

It will be, according to Gerald Stern, who is the Special Counsel to Janet Reno on health care matters, the model of imposed corporate programs in the health care industry. So if you are from a health care company, this may give you some insight to what the future bodes for you if you do not come up with a voluntary program that works.

Prior to the emerging crisis in the specialty group, I served as the Chief Operations Counsel for the General Acute Care Hospital Division, which was a separately operated division of NME and headquartered in Los Angeles. As the difficulties in the psychiatric hospitals grew, I was appointed to oversee the legal functions of the Specialty Hospital Group after the removal of that group's chief executive officer.

One of the reasons for this appointment, I think, was that in about 1986, I had begun a number of legal compliance programs within the General Hospital Group and I have to admit that I was completely oblivious of the Sentencing Commission's struggle, as detailed by Mr. Swenson, in its efforts to come to standards.

My own efforts arose from my experience as counsel to the International Division of the company and in attempting to create a program of compliance with the Foreign Corrupt Practices Act. My concern in this regard and in this sort of embryonic compliance program was the following: I was concerned that the advice given by lawyers to the various facilities be performed according to its terms, that contracts that were approved by the legal department to be performed under the terms and conditions as approved, and this arose from the fact that the Foreign Corrupt Practices Act required that documents reflect the underlying transactions accurately.

The then-evolving safe harbors in the health care industry included a provision that agreements of certain types be in writing, and obviously for an agreement to meet the criteria of the federal government, the writing must reflect the underlying arrangement. It couldn't be some kind of a cover-up.

And that was sort of what started my view of this. I know that business people often depart from written agreements just in the ordinary course of business, but I was concerned that a departure might fail a federal test in another area and it reminded me of the strictures imposed under the Foreign Corrupt Practices Act.

What happened in 1991 under the duress of these events was that NME adopted an expanded version of my program, which amounted to a corrective action plan for its psychiatric and substance abuse facilities. Ultimately, these voluntary efforts were the basis for distinguishing a good corporation from its bad sister. NME essentially made the case that there were two companies, one of which had exercised substantial and pioneering efforts to assure general legal compliance, and that company deserved to survive.

And lest any of you doubt that your very corporate existence is at stake, the sentencing guidelines provide under section 8C1.1 that an organization found to operate primarily for a criminal purpose or primarily by criminal means shall have the fine set in an amount "sufficient to divest the organization of all of its assets."

I believe this early history is important for you because I think it places me and my management at the time squarely in the camp of those who support compliance programs, not simply because of their effect on sentence mitigation but because compliance with law is sound business in the long run and because it's basic morality. This belief gives context, I hope, to my remarks concerning how burdensome and counterproductive some elements of a forced compliance program can be. My concern is with the means and not the ends.

The present requirements of the corporate integrity program should provide, I hope, some valuable lessons for businesses which have the present opportunity to voluntarily discover and correct their problems before federal marshals appear and to ameliorate the burdens of a negotiated but still imposed solution.

If you act now, I think that you will prevent the imposition of programs designed to provide a skeptical government with assurances of both good faith and effectiveness at much greater cost and with less flexibility, and here I would like to talk to you about some of the issues raised under the corporate integrity program.

The first is a mandated series of audits which require outside auditing by accounting, law, professional organizations with respect to certain identified billing procedures, provision of certain services, certain payments to physicians, and certain accounting practices. The agreement requires contracting for reports in these subject areas, and under the duress of the agreement, it has been difficult to develop specifically targeted issues and standardized methodology. In fact, the audits begin to be a four-cornered document review.

I think all of you can feel from your own experience that it really is uncommon to find smoking guns which outline consciously criminal action in the form of documents lying around, although there are occasionally unwise documents, I think, within any large corporation. But this audit program and the expense of it to find this little kernel, I think is not an effective approach, and what I believe is a more effective approach is the combination of outside and internal functions working together.

The problem with the CIP program is that it requires numerous reviews by third parties, and not only are these expensive, but what happens is they pit the third party against internal constituencies within the corporation. The mandatory reporting requirement of, for example, material billing violations to Health and Human Services creates some unease both among the third party reviewers and among employees. It causes the third parties to worry about whether employees' participation in these reviews may compromise their own sense of integrity. It causes responsible employees to worry about the fairness of the conclusion drawn.

This is especially true in the health care area, where billing practices and procedures are undergoing continuous change and where their administration by government-contracted, private, third-party intermediaries sometimes results in what might be called a difference of opinion, which intermediaries sometimes characterize as a violation of law, and where, I might add, there can arise actual conflicts of interest as these intermediaries increasingly operate their own provider networks and operate as private payers.

This tension and this notion that some of your advisers can be advising some of your competitors and can be using your experience to advance their own interests creates a tension within the corporation. If you don't take the internal constituencies of the corporation and join with this outside system, what you have is two things.

You have a sort of group of enforcers that sit outside the corporation and a group of people who feel that they are somehow being looked at as potential sources of trouble and expendable people to the corporation, instead of tying the two together and saying the objective that we have here is to assure that the corporation complies with law.

But the government's position on this issue is quite simple. The government's position was the corporation had violated a number of laws. They didn't trust anybody in the corporation, and they weren't about to listen to the corporation's views of its own efforts.

So I say this to you while you have a period of calm that in the halcyon days, you really ought to look at this problem to be sure that your internal and external functions are well integrated so that there isn't this juxtaposition of two sort of opposing forces.

The CIP also required review of decisions to admit, for example, psychiatric patients by an NME officer who was not an employee of the admitting physician and an independent quarterly review by third parties of admission practices. This would have been prohibitively expensive and it would have alienated most physicians who believe that the decision to admit a patient to a hospital ought to be theirs, had the agreement not required the divestiture of most facilities to which the requirements were applicable. That's a pretty expensive way to resolve an operating tension.

Additionally, for certain classes of payments to physicians, outside legal review was required. Not only was this review expensive but it created pressure and tension between the inside and outside lawyers, and in effect, a kind of forum shopping occurs. Your inside business people seek the least restrictive alternative and they seek to consult lawyers who will effect their transactions, and I think this is an experience that all of us are quite familiar with.

What happens under such a circumstance is that, first, you go to the inside lawyers, and if they can approve your transaction, you are satisfied. If they can't, then you can go to the outside lawyers and see if they can approve your transaction, or you can go to the outside lawyers first and then to the inside lawyers. What happens is, just as happens among litigators, there is a kind of search for those who will expeditiously implement the objectives of the business principle in the ordinary course of his business, and I think this is contrary to the objectives of the Sentencing Commission, which ought to be to foster a considered review, not a review subject to another kind of law called Gresham's law.

Prior to these various mandated reviews, various employees in the Acute Care Group used to revisit certain transactions and programs to see the degree to which the transactions were performed according to their approved terms, and this had a practical effect. I would take legal teams out into the field. We would review certain of the facilities.

Both the lawyers and the operators educated each other as to the strengths and weaknesses of agreements previously entered into, and this, what I'll call post-op review by the corporation's managers reminded the business people that they were fallible, that conforming actual conduct to the entity's standards and procedures was and is more than just signing a paper that your attorney says is okay, and it reminded the lawyers that they weren't engaged in Euclidian geometry and they had to deal with the reality of the fact that contracts approved according to certain premises might be subject to factual change in the underlying circumstances.

Some employees, I believe, have also expressed fear that previously-taken actions, which now, after their education, they look at and they say, "Gosh, I wonder if that was the right thing or if I reached the highest moral ground or whether I was in compliance with all law in those areas." And they fear that they may be sanctioned by reason of the provisions which make adherence to the corporate integrity program part of each manager's performance standards.

Indeed, the very detail of the compliance report required to be filed with the government and the affirmative duty to report credible evidence of misconduct and the government's right thereunder to subsequently investigate reported matters has an intimidating effect on those who might otherwise report.

And here, I say this in the spirit of Win Swenson's talking about the struggle to implement common objectives. I believe that the government needs to be cognizant of the fact that in the real world, it's not just a fear of corporate reprisal but also a fear of government reprisal which can deter coming forth.

There is an independent corporate ethics and policy compliance body, and I think conceptually, no one disagrees with this notion. Our agreement requires this group to be staffed by certain identified executives, in particular, the president and various high-ranking executives. In a period of calm, I think this is a good idea. It shows that the corporation has got a high-level commitment to preventing problems, and it infuses the moral value of the corporation's leadership throughout the corporation.

But there is a little bit of a counter element here or a counterproductive trend and I wanted to just touch on it for a second. To the extent that high levels of management are involved in this body, while its credibility can be enhanced, there may also be a perception that the body is not truly independent and sometimes that it is created to conceal the sins of higher up.

An imposed program causes a more formalized and removed discussion of some issues and may add some trepidation to those who would like to bring exceptions to the attention of an ethics body. If you are a line employee, you have some difficulty with the very augustness of this body in voluntarily coming to it, and I suggest this to those of you who have a chance to do some voluntary thing, that you adopt a little bit of what Ken had talked about. I like the idea of having the 25 or so subcommittees that moved about in that enterprise because I think that they enable people a level of access and a level of ability to express their problems and their concerns that are not quite so intimidating.

A second issue is the issue of bad actors. NME was required to cease the following: employing all headquarters, regional, and facility executives involved as of a date certain in the operation of over 90 identified psychiatric and substance abuse facilities and not to employ or contract with such formerly-employed individuals for a period of five years.

We were allowed to retain certain specifically identifiable individuals, but this blanket prohibition cast, I believe, unfair aspersions upon a number of individuals, impacting their livelihood and causing some fear among remaining employees that the corporation would not stand by them in any difficulty. This undercut the loyalty and comfort necessary to make voluntary disclosure work, and there is something, I suggest, Orwellian about such a broadly based provision.

I wanted to suggest that in this developing business of trying to eliminate known bad actors that there are some areas where you can take some comfort. In the health care area, there is something called the Fraud Abuse Control Information System now sold by Strategic Management Services located here in Alexandria, Virginia which provides a valuable service in collating information about people with known violations of law. The CIP agreement itself had a stricture dealing with people actually convicted, and I think that this more narrowly drawn stricture is the preferable approach in a voluntary program.

Under our agreement, there are a series of notification provisions. We have to actually notify all employees and contractors of the fact and substance of the CIP agreement, and I think there's a one-page handout that all of you have. This rather detailed notice we actually hand out to those that we contract with. It was drafted by my former colleague, David Layne in TENET's legal department, as a result of our review of the documents.

The notice has a couple of effects. Given the history of the corporation, it had, actually, I think, an initial salutary effect in dealing with some third parties who might have been troubled in dealing with the corporation. It was a demonstration that the corporation had, so to speak, has reformed and gotten its act together.

But it does also discourage some third parties from proceeding with arrangements which might involve manageable legal risk for fear of the cost of involvement in an expensive compliance program, even, or perhaps especially, innocent third parties who have a fear of their activities being specially reported to the federal government concerning the necessity of their services. The requirement that the corporation report "credible evidence of misconduct," even by outside third parties, disturbed them even more.

Some of our contractors have explicitly stated to me an unease at doing business with what they call a government informant in an area of the law where the government acknowledges various meanings for departures, for example, from its own safe harbors promulgated as regulations under the anti-kickback statute.

Another complication that arises from the government-imposed program, and it is an odd one and I try to touch on these things, I hope, with some subtlety, is that the process of educating your employees about legal compliance is quite a difficult one. We are not sending all of our employees to law school. We are trying to get them to understand basic constraints that operate on the business and basic principles of law that apply to their distinct areas.

But business has become so complex, and I'll give you an example in the health care area. As you try to make employees aware of laws, there are areas in which the laws actually conflict. Take, for example, the changing health care regulations in every state dealing with who is allowed to employ physicians and to bill and collect for physicians' services.

Jurisdictions vary in their regulation of the corporate practice of medicine, and employees now sometimes fail to proceed with perfectly legitimate undertakings in their new locale because they have been educated by rules applicable only in a different jurisdiction. This happens because newly educated employees now know enough not to consult their lawyers about the law in the jurisdiction where they have gone. I don't know that this is a major problem but I was just trying to give you a sense of tension that happens.

Finally, there were a couple of things that were touched upon by the previous speakers. One was prioritizing. Here is what will happen to you under an imposed agreement. The agreement will lay out various areas and you will focus on those areas because you must and because you are required under the agreement to do so. Here, it's medical fraud; it's billing; it's the medical necessity of services and certain physician payments and bad debt accounting.

Out of necessity in corporate America and because of the limitations of resources, a deemphasis in some other areas occurs, for example, in antitrust, perhaps, or insider trading or in some of the other areas that are more generally applicable.

Finally, I wanted to just touch on this. It's the most difficult area. It's the disclosure requirements under the imposed program. As an in-house lawyer, I found it became ever more necessary to Mirandize employees, to tell them, "I am not your lawyer; I am the corporation's lawyer. Things that you tell me that indicate that we have violated law, I must report to our management, and our management must make a decision about what to do with that, given the constraints of the corporate integrity program."

This has a tendency to make your employees less willing to talk to their lawyers. They formerly thought of you as their lawyer and now they wonder whether they need a lawyer to talk with their ex-lawyer. We tried to solve this problem a number of ways, but I don't really believe that there is a good solution to this problem. I think there is an inherent tension, and I tell you this from personal experience; it played no small role in my decision to leave the corporation because I believe that in some circumstances I could more effectively represent it from the outside.

And this segues into another notion, which is the role of the attorney. For those of you who are lawyers out there, when you have an imposed program, it will raise issues that will surprise you in their complexity. These issues will make you search for who your client is within the organization; wonder about your function; wonder whether or not your duty is to disclose or to defend under client-attorney privilege; and whether or not to resign. I think it adds a great deal of complexity to operating inside.

If I have any specific thing that I would like to raise with the government it is this conflict between inside and outside attorneys. I believe that the struggle here should be to implement effective legal review and not be so concerned with the source of it. To the extent that corporate compliance programs can strengthen internal legal departments, that should be a legitimate objective. And while you have the chance to do so, you really ought to do so because I think it's much more cost effective than the hourly charge I now impose upon my former clients.

So this concludes my general remarks. I think if there was one last thought I would leave you with, it is that as a practical matter, if you are in business, it is a much better idea to implement and experiment with these compliance programs in a flexible environment where you have voluntary corporate compliance than under the strictures, tensions, and rigidity which accompany an imposed, albeit negotiated, program.

To those of you in the government, I know you are aware of the infant science of creating and implementing these programs and I hope you continue to consider the pressures, the fears, the organizational tensions operating on ordinary individuals who struggle to keep an organization lawful and economically viable.


MR. KAPLAN: Thank you very much, John. Let me just pose the first question to Ken, which is, "How do you deal with privilege issues in regard to your various auditing and monitoring mechanisms?"

MR. MARTIN: By and large, most of our auditing and monitoring that goes on is done without any particular regard for trying to establish privileges. Under our general rules of doing business with government officials, our audit reports are open for review. We routinely give access to work papers. Our defense auditors routinely see our board of directors' minutes.

We made one of those conscious decisions a few years back that a lot of this stuff is just not nearly as fascinating as the government people think it is, and after the first few times going through it, they realized that there aren't all these smoking guns and bad things going on. So with the exception of specific investigations of specific allegations of misconduct, those we do under privilege and try to keep under privilege at least until we have done the review. Except for those relatively rare situations, generally, our books are open.

MR. KAPLAN: Thank you, Ken. Here is a question for Herb. Did the discussion and consideration of Bank of Tokyo's commitment to an effective compliance program include the directors' fiduciary duties to its stakeholders to implement such an effective program and what were those discussions?

MR. THORNHILL: I can answer the question broadly, in that the directors were concerned about compliance at Bank of Tokyo, that the executive management of Bank of Tokyo was very concerned about compliance. They have really been a source of momentum for our compliance program.


Jeff Kaplan

Q. Do you see a need for an objective or independent assessment or "audit" of a company's ethical compliance systems? If yes, who should perform this audit or assessment?

A. While an independent audit of a company's ethics/systems is not always necessary, it is frequently advisable. Typically such an audit should be conducted by an individual having significant experience with compliance systems but not involved in designing the program under consideration. Utilizing a lawyer (with the appropriate expertise) may promote greater candor in the audit process since the results of his or her effort would be privileged.

Q. You are retained by a corporation that is under investigation (for an environmental crime) and discover that your client does not yet have a compliance program. Is it too late? What can you do? What advice do you give the General Counsel? The Chairman?

A. Even an after-the-fact program is better than none at all. The comments of several of the DOJ representatives at the symposium confirmed that prosecutors will give some credit in charging decisions to companies taking compliance-remedial steps after an investigation has started. Even a convicted corporation should develop and implement a compliance program prior to sentencing so as to avoid having to do so as a condition of probation. See USSG 8D1.1(a)(3).

Q. Most programs on corporate compliance programs and the sentencing guidelines feature speakers and written materials that are slanted to large organizations. The reality is that most investigations and fines have been imposed on small/medium organizations. What practical advice do you have for small/medium organizations (that do not have the financial/personnel resources of Sundstrand or Bank of Tokyo) for developing an effective compliance program, especially with regard to ongoing monitoring and auditing?

A. The components of an effective compliance program, as articulated by the sentencing guidelines, can readily be adapted to small/medium organizations, as I have found in working with a number of companies. What often works best in organizations that are too small to have a full-time compliance officer is to develop a compliance committee - composed typically of the CFO, head of human resources, in-house counsel (if there is one), and chief quality assurance officer - to meet periodically and review areas identified in a committee charter or "standard operating procedure" (which is drafted by the program designer) that serves as an auditing/monitoring road map.

Jeff Kaplan and John Meyers

Q. If the Tenet Corporate Integrity Program ("CIP") has been adopted as the model for CIPs for the health-care industry, have CIPs been developed in cases in other industries that will be models for future cases in those industries?

A. (Jeff Kaplan) A number of these are identified in Kirk Jordan's materials.

Kenneth Martin

Q. How can a large company with a minimum of government sales (= 15 percent), and having an ethical program primarily driven by the Defense Department, extend the ethics program across the entire company?

A. Compliance and ethics standards and procedures must be developed to address those common values and rules applicable to all business activities. As an example, the permissible extent of gratuities from vendors and to customers is an issue which should be faced across the business, even though the Defense Department certainly has unique rules supported by regulations and civil and criminal statutes.

Q. At Sundstrand, what is the role of the corporate committee in dealing with live allegations or major investigations?

A. The Corporate Committee does not generally become directly involved in or deal with specific allegations, investigations, or discipline. The principal role of the Corporate Committee is to monitor and improve the Business Conduct and Ethics Program and report on the statutes and health of the Program to the Executive Office and the Board of Directors.

Q. Should the corporation not only develop its own compliance program but also develop the programs of each of its subsidiaries? Is there a prohibition against such an eventuality?

A. Sundstrand's approach was to develop and implement a single Business Conduct and Ethics Program applicable to all subsidiaries and affiliates owned or controlled by the Company. There are no prohibitions against subsidiaries developing their own programs and this is an area where each company should choose the approach which best suits its structure, culture, and business activities.

Q. In what sense is the "responsible corporate officer" responsible? Is this the same as "the Vice President in charge of going to jail?"

A. Sundstrand's "Responsible Executives" are responsible for using due diligence to review each compliance risk area on an annual basis against the Code of Business Conduct and Ethics, the Company policies that implement the code and the seven standards for an "effective program" found in the organizational sentencing guidelines. Since the "Responsible Executives" are generally in policy-making staff positions with respect to the Business Conduct and Ethics Program, they are not responsible for operational compliance on a day-to-day basis and their role is not intended to be a substitute for the compliance responsibilities of individual employees and managers.

Sharing "Best Practices" Information

Alan R. Yuspeh, Howrey & Simon

Anne L. Gill, General Attorney, Sprint

W. Michael Hoffman, Executive Director, Ethics Officers Association

Thomas Furtado, Corporate Ombudsman, United Technologies Corp.

Moderator: Donald A. Purdy, Jr., Chief Deputy General Counsel, U.S. Sentencing Commission


MR. PURDY: This is the panel on "Sharing 'Best Practices' Information." My name is Andy Purdy. I am the Chief Deputy General Counsel at the Commission. Our first speaker is Alan Yuspeh. He is a partner with the law firm of Howrey & Simon. He concentrates on government contract law. Perhaps most notably, Mr. Yuspeh is the coordinator of the Defense Industry Initiative on Business Ethics and Conduct. Mr. Yuspeh.

MR. YUSPEH: Andy, thank you very much. The Defense Industry Initiative on Business Ethics and Conduct is an outgrowth of the work of the Packard Commission in 1986. The Packard Commission was a blue ribbon commission on defense management chaired by a founder of the Hewlett Packard Corporation, David Packard, who was also a Deputy Secretary of Defense. This effort predated the sentencing guidelines for organizations by about five years.

The recommendations of David Packard and his commission were, essentially, that among other changes that were needed in the defense industry, there needed to be more corporate self-governance in the industry. Particularly, he called upon the industry to universally adopt codes of conduct, ethics training programs, hotlines, ombudsmen, and the like.

The industry decided to have a concrete reaction to those recommendations and the reaction was one that was basically led by Jack Welch, then and now the Chairman and Chief Executive Officer of General Electric. In response to these preliminary recommendations, Jack Welch convened a meeting of 17 CEOs of large defense contractors, and within a period of two days a document was drafted called the Defense Industry Initiative on Business Ethics and Conduct, to which the 17 companies became signatories.

This presentation is on the lessons learned from this industry initiative. It was initially decided that this effort should not be housed in some existing association, and I think the reason was two-fold.

One was that the way the defense industry is organized is basically by line of business, so you have the shipbuilders in one association, and the aviation or aeronautical companies in another, and so on. So one problem was how if you want something that's truly defense industry-wide, where do you put it?

The other thing was that this effort was supposed to be, and would become, so important and so significant that people did not want it to be subsidiary to other functions of an existing association. The concern was that if you have a trade association whose primary purpose is one perhaps of lobbying or affecting public policy, would self-governance be subsidiary to that? So the feeling was that the initiative should be a free-standing effort.

The Defense Industry Initiative (DII) principles require these things. They require that the signatories have a written code of conduct, that the code of conduct be distributed to all employees who are involved with government contracting, that there be some type of orientation for new employees with respect to the code, and that there also be training for all employees with respect to the code and other ethics and compliance-related principles.

The DII principles require that there be an internal reporting mechanism, hotline, ombudsman, help line, or concern line, that there be a system for making voluntary disclosures to the government. I might note here that the Department of Defense facilitated this requirement substantially, because shortly after the DII was off the ground, the Department of Defense Inspector General started a formal voluntary disclosure program in the Department of Defense, and the Department of Defense Inspector General, Eleanor Hill, will speak later in this program as will the head of that program, Bruce Drucker. So I will leave it to them to explain the details of the voluntary disclosure program.

The principles also required that the signatories attend best practices forums each year, and finally, that they participate in a public accountability process, and the public accountability process was very straightforward. There was a questionnaire of 20 questions which basically sought to determine that the signatories had met their obligations. The questions were questions like: "Do you have a code of conduct," "Do you have an internal reporting system," and the like. You would have those questions audited by your independent auditors and then submitted to an external internal body which would compile the results. That then became part of an annual report.

I might mention that the annual report has grown substantially. It is now about a 150-page document because it includes, among other things, about a 50-page description of the types of programs that DII signatories have implemented, and it also includes a listing of materials and an information clearinghouse.

In terms of the DII progress since 1986, today there are 55 signatories. Last year, there actually were 60 signatories, but as people know, one of the trends in the defense industry is toward merger. So Northrop and Grumman have merged. Lockheed and Martin have merged. Raytheon and E-Systems are merging, as are General Dynamics and Bath Iron Works. So the consequence of that is that the number has dropped from 60 to 55, really reflecting the merger trend of the industry.

This represents about 55 percent of all the prime contracts with the Department of Defense. It includes all of the ten largest defense contractors and 22 of the largest 25, so it really is the core of the defense industry.

The DII has had a modest governance structure since its inception. There is a steering committee, which is a CEO group of 12 companies. It was chaired initially by Ed Hood, who was a Vice Chairman of General Electric at the time. It has been chaired for the last five years by Joe Gorman, who is the CEO of TRW.

There is a working group which consists of representatives from the same companies. The interesting thing about the working group is it started out virtually as an all-lawyer group in 1986. It has evolved to where the majority of the representatives are no longer general counsels of their companies but are ethics directors of their companies.

The original chairman of the working group was the general counsel of Martin Marietta. The second chairman was the general counsel of Boeing. The current chairman is Carl Skooglund, who is the Vice President for Ethics at Texas Instruments and is also a Vice President of the Ethics Officers Organization.

The other part of this modest governance structure is that the decision was made early on that if we are going to have conferences, issue reports, do a public accountability process, and the like, we needed somebody on a day-to-day basis to do that, and so the position of DII Coordinator was created. The decision was also made that we wanted this to be a low-cost, non-bureaucratic organization, so they went to someone who was actually practicing in a law firm and would do this on a part-time basis, and I have had the privilege of serving in that role basically since the inception of the DII effort. The role is one, in effect, of serving as the executive director of an association, though the association is one with the very limited purposes I have described.

In terms of the DII activities, they consist of maintaining an information clearinghouse which now amounts to more than 700 items of policies, procedures, codes of conduct, ethics training materials, video tapes, and the like that are maintained in our offices. The annual report of the DII will show a full listing of those and these are all publicly available materials and we regard the clearinghouse as being publicly available. It consists of materials that have been voluntarily submitted by each of the 55 DII signatories.

We do have annual best practices forums which are meetings of a day and a half duration in June in Washington. Typical kinds of things that are done at these forums is that there may be demonstrations of new training materials or tools. Last year we had an interesting film festival for a morning in which four company training video tapes, segments of them, and four commercial training video tapes were shown and discussed.

We always have small group discussions, which people enjoy. We have roundtable discussions where we may bring in three or four CEOs or three or four ethics directors or three or four general counsels and put a lavaliere mike on them and put them around a coffee table and have a sort of informal discussion about things that are posed by a moderator.

We certainly look at different functions, such as the human resources function or labor relations or internal audit and how those tie in with the ethics and compliance effort. These companies have in common the fact that they have really one domestic customer, for the most part, the Defense Department, other than the fact that they are one another's customers because of prime and subcontractor relationships. So we obviously ask the customer (DOD), how are we doing, and we will ask the suspension and debarment authorities for the various military departments, perhaps the head of the Defense Contract Audit Agency or the head of the Defense Contract Management Command to come and be part of the panel and to say what's going well and where can improvements be made.

And finally, one of the important aspects of these best practices forums is that we have sought and obtained very conscientious participation from the Department of Defense, the Department of Justice, and the Sentencing Commission, not just as speakers but as participants. So last year, out of 200 attendees, we had about 25 government attendees who were very senior-level government officials who could participate in this and make a very significant kind of contribution.

The other programmatic efforts are that we have an ethics director workshop for one day each year. We have quarterly meetings of the ethics directors in the Southern California area because there's a large concentration there. We issue the annual report, which I mentioned, which describes these programs in some detail and reports the results of the public accountability process. We meet from time to time with senior officials of the Department of Defense to update them on what's happening in terms of self-governance in the defense industry. Occasionally, we will prepare some training materials and occasionally do some mail outs which will address various kinds of focus issues.

In terms of the accomplishments, I think the accomplishments are primarily that we take pride in the fact that there are robust, energetic, and particularly imaginative programs in these 55 companies. I think that you would be incredibly impressed to look through the clearinghouse at the enormous imagination that has been shown and what these companies have done.

I think another accomplishment is that we certainly have gotten positive feedback from the Department of Defense that they have seen dramatic improvements in the attitude and the quality of the relationship and particularly in the compliance of contractors that have participated in this. We have, as a practical matter, a much higher level of compliance than there may have been ten years ago.

The other thing we find is that there has been broad-based acceptance and excitement in companies, that there is increased morale in many companies as a result of these kinds of programs and I think there's a broad-based recognition that these are sound management practices.

I conclude with a quick list of the lessons learned from the DII experience, and I think there are primarily four. One lesson learned is that setting industry standards, at least in the case of the defense industry, has certainly, I think, raised where the industry would otherwise be. The record shows pretty conclusively, I believe, that as an industry group, the defense industry has the most energetic programs of industry in the United States.

That is not to say that there aren't many companies represented in this room and in other industries that don't have wonderful compliance programs or effective programs to prevent and detect violations or law or ethics programs or the like, but it is to say, I think fairly, that in terms of an overall industry effort where the core of the industry has pulled together and said, "We want to establish our standards at this level," that I think this is the only industry effort of this type and I think I can say fairly that the standards are higher than they would have been without this kind of collaborative effort.

The second lesson learned is that coming together in meetings like our best practices forum is enormously valuable and perhaps valuable beyond expectation. That is, as the defense budgets have fallen and as travel budgets in companies fall, I have thought for each of the last few years, well, we can probably take fewer hotel rooms and get a smaller room.

But the reality has been that we fill the room each year, that there is no sort of languishing of attention to this, and I think the reason is that people joining together for a day and a half each June have found that this is a time to sort of reaffirm the commitment to these basic kinds of principles and also to start to network again with people who have become very important professional colleagues.

A third lesson learned is that exchanging ideas is critically important and can be very, very helpful. And what we have found, interestingly, is that even though these companies may be intense competitors in the business world, that in terms of their ethics and compliance and commitments under this initiative, they have been as open as possible in sharing ideas with one another and in borrowing from one another in the most constructive and proper kinds of ways.

I think the fourth thing is we have learned lots of lessons about how these programs can be most effectively operated. I did prepare for you some materials that describe key requirements for success of these kinds of ethics and compliance programs, which really fall under the DII principles but are very similar to the kinds of programs contemplated in the sentencing guidelines. I think that you will find those to be sort of interesting kinds of things and a whole additional set of lessons learned about individual company efforts.

I would just say in conclusion that the defense industry very properly takes great pride in the accomplishments over the last ten years from the DII effort, and I think certainly believes that it could be a very effective model for other industries. Thank you.


MR. PURDY: Anne Gill administers Sprint Corporation's ethics and compliance program. She has been active with a telecommunications industry group that meets to share compliance practices, so she can give you another perspective. Anne.

MS. GILL: All of you over 43 or so will appreciate the need for reading glasses. As Andy said, my name is Anne Gill and the reason I have been asked to speak with you today is that I was involved in creating Sprint's ethics and compliance program and for the last three years have regularly participated in a telecommunications industry group that meets regularly to benchmark compliance practice information. I hope knowledge of our forum is useful to you as you try to put what you learn here into effect in your own compliance programs.

Of course, the opinions I will share with you today are my own and not those of Sprint, of the Telecommunications Forum, or of the U.S. Sentencing Commission.

How do you discover that your company requires employees to personally report misconduct to their supervisors when most of the companies in your industry have established anonymous hotlines? How would you know that your company keeps no formal compliance statistics while most companies your size not only keep such statistics but report them annually and sometimes even quarterly to a board of directors committee?

As you heard this morning, failure to know those kinds of things can result in a much larger penalty if you ever find yourself in the misfortune of a criminal problem. One way is to spend your entire work life on the telephone with your colleagues, asking them how they are handling things that are important to you. Other ways include attending seminars that have industry practice breakout groups, sponsored compliance roundtables, or meetings of the ethics officers or ombudsmen associations.

Although all of these methods would be helpful, I have found personally that the most consistently reliable way to gather this type of information over time is to meet regularly with members of my industry for frank, open, and honest discussions about compliance issues that we all regularly face. I also believe that being aware of and able to adapt the best compliance practices of my industry and avoid the costly mistakes of others helped Sprint create a much better, a much more efficient and much less costly compliance program.

We all understand that industry meetings have inherent legal risk, and my group has handled these risks by including antitrust lawyers as member participants, requiring that compliance issues remain the sole focus of our business communications, and by maintaining minutes of all of our meetings.

Additionally, we are very careful, and you are hearing a lot about this lately and I find it personally very upsetting, but we are very careful to make sure that we share information about our respective compliance programs but never concertedly attempt to set industry practice. We accomplish this by reporting to each other what each company is doing in various compliance areas but never deciding as a group what we believe the answer should be to any particular compliance issue.

Assuming that you agree that your company could benefit from being part of an industry forum, let's look for a moment at the practical considerations surrounding forming such an organization. How big should the group be? The size of any group is an important factor in both its group dynamics and its success. My goal would be to reach a good balance between being small enough to build trust, and to be able to facilitate informal honest dialogue, and large enough to reasonably reflect industry practice.

My industry group includes a dozen or so major players in the local wire line communications industry and the representatives of each are committed to attending on a consistent basis. Who should participate in such a group? In my opinion, individuals responsible for the day-to-day hands-on administration of a company's compliance program are the best participants for this kind of group. This would include the organization's chief compliance lawyer, not its general counsel, and if there is one, the compliance program manager, not necessarily the chief ethics officer or the company ombudsman, unless in your particular company these are hands-on positions.

The intent would be two-fold. First, to have a working group composed of those people who most intimately are familiar with both the federal sentencing guidelines and with their company's program on a detailed level. Second, you would want them to have access to the highest policy-making executives in the company.

Our telecommunications group also decides whether or not to allow additional participants at any of these meetings, which would include compliance investigators, hotline administrators, conflict of interest auditors, human resources lawyers, and we generally do allow companies to bring these personnel and occasionally hold specific meetings for the chief compliance officer in the company. Those are separately-held meetings, not in the Telecommunications Forum itself.

What does it take to plan an industry practice meeting and how do you set the agenda? I would recommend establishing three primary goals to such a meeting. One, that the meeting be interesting, valuable enough to guarantee regular attendance, that all members actively participate, and that the meeting be easy to prepare for, to host, and to attend.

The Telecommunications Industry Forum rotates the responsibility for planning meetings, which usually last a day and a half and are held quarterly at the headquarters' city of the hosting organization. The hosting company is responsible for providing meeting rooms and enough coffee to keep us motivated, for taking suggestions from participants of topics, and for setting the agenda. The host company then assigns responsibility for each agenda topic to one of the member companies.

What do the meetings actually look like? Well, our meetings are very informal. There are no lectures, although occasionally we will bring someone in to talk on a particular topic, and at a typical meeting, the participant assigned an agenda topic will discuss what his or her company is doing in that agenda area, including any problems they have encountered, suggestions, warnings, tips, and words of wisdom.

We then go around the room and each company will note if it applies a different approach, has encountered a unique challenge, or has developed any specific tools that might benefit the group, such as database formats, check lists, surveys, and matrices, as well as video or computer training programs. Each company may then adapt these materials to their own company's individual needs, given its risks and its size and its politics and its structure and its corporate culture. As I mentioned earlier, in a concerted effort to avoid any appearance of setting industry practice, we never discuss how this topic should be handled.

I have now explained what my industry forum looks like and how it functions and the reasons that I think Sprint has benefitted from being part of one. At this point, I'd like to take a quick opportunity to tell you why you personally might benefit from belonging to such a group.

In my experience with legal compliance programs, I find that most executives feel much more comfortable, especially if the program is a new one, if they understand what other companies are doing in similar areas. Executives will often choose to take an innovative step and lead the industry, but they always want to know if they're hanging out there alone.

No decision maker wants to discover that they just approved a program that appeared to them to be reasonable and innocuous, only to find out that not only was it extremely controversial but that no one in the industry had been willing to take such a step. No compliance manager with any sanity wants to be the person who neglected to mention those issues.

Belonging to an industry group provides a source of statistics and data and comfort. It's very helpful to be able to respond to questions regarding the cost and feasibility of a particular compliance approach by relating the specific experiences of your competitors. Moreover, collectively, members of your forum will have fielded almost every question and concern you're likely to encounter, and access to their successes and failures will allow you to be more knowledgeable, better prepared, and more confident than you could ever be otherwise.

In conclusion, I'd like to share with you three facts about compliance programs, and by facts, I have to tell you that's my definition for a fantastically accurate compliance truth.

Number one, you will never achieve a program which actually deters undesired employee behavior without the driving force coming from the highest levels of your organization, and if you don't have that, you will be somewhat akin to the internal affairs department of the LAPD.

The more aware you become of the prerequisites for a truly effective compliance program, the more you will focus your attention on issues you know you haven't yet addressed, and the harder it will be not to appear idealistic, and not to become frustrated and discouraged and the more stressful your job will become as a result.

Number three, the lower the understanding, demand, and commitment of senior management for an organization's compliance program, the more likely employees responsible for that program will be seen as lacking in good judgment and lacking in executive temperament and the higher, therefore, your personal level of risk within the organization.

With these facts in mind, the very best reason I can offer you for joining an industry practice forum is to provide yourself with a group of peers who share your understanding of the matrix in which you perform, who have good suggestions for handling political situations that arise, and who will bail you out with a prototype when the general counsel calls and says that he or she needs an insider trading compliance program or an environmental compliance program in time for next Monday's board meeting. Most important, such forums will focus your attention regularly on what you have accomplished and not on what you haven't accomplished.


MR. PURDY: Let me just follow up one point that Anne Gill made. Alan, you said that your organization attempts to set industry standards. Alan, to what extent do you think there are serious antitrust concerns here and how do you deal with them?

MR. YUSPEH: The industry standards that I was speaking about are essentially process standards, which frankly are very similar to your sentencing guidelines. They are processes such as having codes of conduct, training programs, new employee orientation, hotlines and ombudsmen and the like.

What we have not done, and thought it a bad idea to do, is to try to establish any kind of models. In fact, even on something like a code of conduct, we have left it to each of the signatories to develop their own codes and they all look quite different. In fact, I just got a new code from Rockwell the other day which I think is a superb 45-page book, but every one else's would look different than Rockwell's.

So the bottom line is that we have not established substantive standards nor substantive responses to problems. For example, some companies have more restrictive rules on gifts to government employees than federal law requires. But we would never push all signatories to do that and would think it improper to do so.

So that, essentially, is how I think the antitrust concerns have been observed so that we haven't crossed the line of improper areas.


MR. PURDY: Our next speaker will be Michael Hoffman. He is founding Executive Director of the Center for Business Ethics at Bentley College, and he is formerly Executive Director of the Ethics Officer Association, now on its Board of Directors. Mr. Hoffman.

MR. HOFFMAN: Thank you, Andy. The Ethics Officer Association (EOA) started in the summer of 1991. At least, the seeds of it were planted then, when about 40 to 45 ethics officers came to the Center for Business Ethics at Bentley College and began to meet each other, some of them for the first time. The day-and-a-half's very unstructured workshop was so successful that the ethics officers that were there said, "Let's keep this going."

So we had a planning committee meeting at Raytheon a couple of months later and then another planning committee meeting at Honeywell about six months after that. We became a chartered 501(c)(3) non-profit organization about a year after we started the planning. So the EOA is now about three years old. Could I have the first overhead, please?

The mission of the Ethics Officer Association is dedicated to promoting ethical business practices and serving as a forum for the exchange of information and strategies among individuals responsible for ethics programs. To be a member of the Ethics Officers Association - I will call it EOA for short - you have to be involved in some managerial responsibility for an ethics/compliance program in your organization. I will talk about membership in just a minute; the growth of the EOA has been quite dramatic.

Here is a list of services and projects. We have Sponsoring Partner Forums. There is a category in the Ethics Officer Association for a company to become a Sponsoring Partner Organization, and for just the Sponsoring Partner Organizations, there are special forums which are smaller than our general conferences.

We have had four Sponsoring Partner Forums. The first in 1992 and the second in 1993, both held at Raytheon outside of Boston. The third in 1994 held at Levi Strauss in San Francisco, and the fourth this past April at Sears in Chicago. We try to spread our forums around.

We also have conferences. We have had two general conferences so far. The first one in 1993 at the Center for Business Ethics at Bentley College, and the second one in 1994 in Dallas, hosted by Texas Instruments. Our next conference is going to be in Toronto in October, hosted by NORTEL. In 1994 in Dallas, we had about 165 registrants. We anticipate that the Toronto conference will be at close to 200.

Professional development courses (PDC) have just started within the Ethics Officer Association. Our first PDC course, jointly sponsored by the EOA and the Center for Business Ethics, is being held September 17 through September 22 at the Center for Business Ethics at Bentley College. We wanted to have 35 participants in this first executive development course. We have as of now 37. It is closed for September, but we will be offering another one in May of 1996. We already have a waiting list for the May PDC course.

The PDC course is called "Managing Ethics in Organizations," and has more than 25 faculty members. Seventeen or 18 of those faculty are experienced ethics officers from different companies, talking about different areas in that course.

These ethics officers are flying in from all over the country at their own expense because they feel that this executive development initiative for present and future ethics officers is extremely important. So we have people coming from all kinds of different corporations to participate, giving their time freely, to make this professional development program a success.

The EOA also plans to work with the Center for Business Ethics in a strategic alliance to continue to offer such professional development courses. This week-long intensive course will continue, but we will also have one-day intensive courses that will focus on a specific subject matter, exploring in more depth a particular area that the week-long course touched upon but couldn't deal with thoroughly.

The Ethics Officer Association hopes, within the next year or so, to be offering credentials for ethics officers. For example, if a person takes the week-long intensive course, and perhaps three one-day intensive courses, he or she would receive credentials for being an ethics officer from the EOA. The EOA intends to provide some professional credentialing for this very new profession.

The EOA is really very similar to the DII, which started in 1986. We started in 1991/92. One of the main differences is the fact that the EOA is open to corporations from all industries instead of just the defense industry, even though we have as many defense companies as members of the EOA.

In fact, just as a change of pace, I wonder if all the members of the EOA who are here today would stand up or those people who know that their corporations have a representative in the EOA. Would you stand up just for a couple of seconds?

That's a good representation of the EOA at this symposium. I'm pleased to see that all our panelists stood, too. So if you saw people stand and would like to know more about the EOA, please go up to them and ask them what they think of it. I think you will find that they are pleased with what they have been receiving from the services of the EOA.

There are some other EOA services, and I'll go quickly. There is resource assistance with the Ethics Officer Association. The Center for Business Ethics and the EOA maintain a very extensive research library at Bentley College. It is very similar, I suspect, to the DII's research library. We have both EOA company materials, approximately 1,500 to 2,000 books on business ethics, the best journals on business ethics are there, and many videos on business ethics.

We have networking assistance. Quite often, members will call EOA headquarters at the Center for Business Ethics to find out who to benchmark with in regard to a safe reporting system? Who can we benchmark with in terms of our training programs? And in addition to being able to come to the Center and look over the materials that are there, we can put people in touch with companies that have some of the best ethics programs in a particular area.

The growth of the EOA has been excellent. These numbers may not jump out at you right away, but for us, they're very exciting. As of today, we have 84 Sponsoring Partner corporations and 119 individual members. You can be an individual member (IM) even if your organization chooses not to become a Sponsoring Partner (SP), at least not initially. We have 119 in this category. So that puts us over 200 members, including SPs and IMs, in the EOA.

The EOA has numerous plans for future development. We now have a full-time Executive Director. I was more of a part-time Executive Director. Now I have been invited to join the Board of Directors. I think they didn't know what else to do with me, but I am honored.

I would like to introduce you to our new Executive Director, Ed Petry, who you will be hearing from after lunch. And the Chairman of our Board who has been the EOA President, Bill Redgate. Bill is Vice President of Business Practices at Dun & Bradstreet. Ed Petry is still a tenured faculty member at Bentley College and works with the Center for Business Ethics, but he will be the full-time Executive Director at the Center. A full-time Executive Director of the EOA is now needed because of its growth in membership and services.

The future development of the EOA certainly involves improving benefits and services for its members. It has now struck up a strategic alliance with the Center for Business Ethics. The Center is no longer just the administrative headquarters of the EOA, but it is also a strategic partner, an example of which is the professional development course being offered in September, which is jointly sponsored by EOA and CBE.

We are certainly going to continue the progress with the executive education program. We are also going to start carving inroads into the international arena. The EOA has already scheduled conference panels in Tokyo, Germany, and Great Britain, so that we can spread the EOA mission of building best-practice ethics and compliance programs abroad.

The final comment I will make is this. If anything distinguishes the EOA from other organizations it is stressing the importance of ethics/compliance programs not being just compliance driven. We feel that a truly successful compliance program must be value driven, integrity driven. There is too much to lose in an ethics/compliance program not stressing the good things that come about in raising the level of ethical awareness of all members of the company and in providing all employees with the tools to make intelligent ethical business decisions.

If anything could characterize the efforts of the EOA, it would be that out of that effort to raise the level of ethical awareness and to provide the educational tools for making intelligent ethical business decisions, a good compliance program will follow. Thank you.


MR. PURDY: Our next speaker is Thomas Furtado. He is the Corporate Ombudsman for United Technologies Corporation, and he is President of The Ombudsman Association.

MR. FURTADO: Thank you, Andy. This is sort of a blip in the schedule here because the ombudsman in many organizations doesn't exist and in some is a relatively new fixture. I represent The Ombudsman Association, which has about 230 members. What I would like to do today is give you a brief overview of why I think the ombudsman function has grown because of the sentencing guidelines, and why I think the ombudsman function helps greatly in meeting the requirements of the sentencing guidelines.

I have taken just a small portion of the sentencing guidelines text that relates to, in my opinion, why so many organizations in the last three or four years have appointed ombudsmen. In the last three or four years, there have been approximately 400 or 500 ombudspersons created in the United States, some of them in academic institutions, some in health care institutions, and a great many in corporations.

The underlined portion of this second slide is really the critical part of the sentence that relates to the value of the ombudsman, especially the words "within the organization without fear of retribution."

This text actually is one of the drivers in the minds of CEOs for thinking about an organizational ombudsman. Let me just explain briefly that word "organizational," because there are classical ombudspersons, and we have a number of them in the United States, who are generally appointed by a state or community legislature, and who have subpoena powers, investigative powers. They write formal reports and they actually represent the citizenry on behalf of those issues that they feel warrant investigation of the government.

An organizational ombudsman is totally different. We work within an organization or we contract with an organization to represent them. We are neutral. We stand between employees/employees and employees/management in dealing with issues that need to be resolved by both parties. We are also confidential, and I think that confidentiality is one of the major values that we bring to the sentencing guideline requirements.

The internal formal complaint handling system represents those people who have been charted by the organization to represent the company. It might be the legal department, it might be a compliance officer, it might be an EEO officer, other parts of the personnel department, security people.

The formal complaint organization has a charter to protect the company, and, in almost every instance that I have known, cannot and does not guarantee confidentiality, especially if someone brings to them a violation of many of the Title VII human resource issues, or government contractual issues, they cannot guarantee confidentiality. The result is that the company is put on notice when somebody comes to them and they must go forward. That is proper and it should be done that way.

However, people using the formal systems oftentimes have problems relating to the protection that they might have. In my experience, there have been three different groups that I can identify who relate to the formal system, either in terms of being comfortable with it and willing to use it, or being uncomfortable.

The first group consists of the people in the organization who have high trust and confidence. These are people who get up in the morning, get down on their knees and say, "Thank God I work for this company. It's such a wonderful place to work and there isn't anything I wouldn't bring to them in total confidence." I can count those people on the fingers of one or two hands because they are rare and most of their fellow employees would call them naive.

The second group consists of the people at the bottom of the spectrum who have no trust and no confidence in the organization and in the formal complaint handling system. These are people that generally are bitter. They are disillusioned. They have plateaued. They have worked for the company for many, many years without advancing. They see younger people coming in and getting ahead. They really don't like the company anymore, but they're vested, they've got a lot of time in, and so they stay.

These people don't trust anybody, and when they need to come forward or want to come forward, it's not always feasible or in their best interests to do so using the formal complaint handling system. So they look for another place to go, and even when they find that other place, they often report anonymously.

The third group represents most people in an organization and it's a swing group that can be as high as 80 percent. These people are ambivalent about whether they're going to use the formal complaint system, a compliance officer, a lawyer, an EEO officer, and they're ambivalent on the basis of two things.

Number one, what is the issue? I might go to my EEO officer and talk about diversity as a concept and ask for an explanation of what the company is doing to further diversify. I might not go to that same person to discuss sexual harassment that I have undergone. I might feel uncomfortable doing that. I might go to the benefits department to complain about a misreading of my statement that I received in the mail, but I might not go to the personnel department to complain that my manager is retaliating against me.

So people make judgments about whether they are going to use the formal system or not on the basis of how serious is the complaint. Secondly, they make judgments about the integrity of the system. I might go to the personnel department in plant A and feel very comfortable because the manager of that department has utmost integrity, has a staff that reflects that, and has a reputation over the past five years of never breaching confidence unless absolutely necessary, and I may feel very comfortable going to them.

In plant B, I could go to my personnel manager and talk in confidence about an issue and when I get back to my department my manager could call me in and say, I want to talk to you about what you just discussed with the personnel department.

So there is a reputation that precedes all of the departments that are in the formal system. That reputation covers the legal department, the compliance department, the security department, the EEO department, and people feel comfortable about using them on the basis of whether they have a reputation for integrity.

So we have these three groups. The value of the ombudsman, it seems to me, is that it is an additional service available to the organization that reaches those people who don't feel comfortable on certain issues, because the ombudsman can sometimes reach that low trust or ambivalent employee who doesn't want to come forward to the complaint handling system because they are afraid that the issue may go beyond their control.

Secondly, we get a low percentage of cases but we get a higher percentage of sticky issues, because the very nature of the confidentiality of the ombudsman means that people are more apt to bring serious issues forward. So although all systems get serious complaints, we get a higher percentage of them and therefore are able to surface to management complaints that don't show up any other way.

Thirdly, I think we meet the requirement in the sentencing guidelines of no retribution, because we keep no records beyond a certain amount of time. Mine is six months. Some ombudsmen keep no records at all. We do not release records and we are willing to go to court to fight against the release of those records and have done so.

How secure is the confidentiality of the ombudsman? First of all, it applies to the office and not the employee. It does not apply to the employee, because I cannot guarantee that an employee who comes to see me will not go out and talk about our conversation, but I can guarantee that I will not. So the confidentiality applies to the function.

Secondly, when can we break it? We will break confidentiality when there is a threat to life or a serious threat to property - no other time.

We have gone to court on this issue. United Technologies has gone to court to protect the confidentiality and privilege of our ombudsman office and we won. McDonnell Douglas has done the same. Upjohn has done the same. In fact, Upjohn is on a roll because they have won five cases in a row.

The ones that have been won, which are predominately the organizations that I mentioned, are cases where the judge saw in the spelling out of the program to the employees clear-cut language that said, this function is confidential. Where you spell it out, where employees come to the office knowing that confidentiality is an attribute of the function, they have upheld the privilege.

When they have not upheld the privilege is when the company never spelled out clearly that when you visited the function, the ombudsman office, there was confidentiality. So we have learned our lesson from that, and in the organization, The Ombudsman Association, we clearly tell our membership to be sure everybody in the company from the CEO on down understands the charter of confidentiality and neutrality.

I will just end by talking a bit about the relationship between the ombudsman office and the formal complaint system. It shouldn't be that we are an alternative, but in many companies we are portrayed that way. The big problem is often the way the program is launched - as a "perk" for employees and an alternative to the formal system. It's not an alternative. It is an addition. It is an attempt to catch those people who won't use the formal system.

The way to make it work is to build solid relationships with the people in the formal system that you have to deal with. I meet regularly with our Senior Vice President of Human Resources. I meet regularly and work closely with Pat Gnazzo, who is in this room today and who is our Vice President of Business Practices and Compliance. I think that when you do that, you make it work.

I will close by saying that the ombudsman function can also be a signal to employees of a value system. I was struck by Judge Conaboy's remarks this morning about values and Michael's reaffirmation of them a few minutes ago. Groucho Marx once said, "I have principles. If you don't like them, I have others."

Well, I think that often we find ourselves building compliance programs and business practice programs and ethics practice programs on the basis of threats, on the basis of government coddling or not coddling, on the basis of the fear that we have that we might find ourselves behind the eight-ball in the courts. We don't build those programs necessarily on value systems, and that's really where we have to start. Compliance programs do not work when we don't have a value system behind them.

One of the things the ombudsman function does show employees is that we are willing to go after those issues that don't come out in any other system because people are concerned or afraid. Thank you.


MR. PURDY: We have a question from Andy Apel with the Minnesota Association of Applied Corporate Ethics about the benefits of effective compliance programs compared to the potential harms of having information used against you, and it's in that general context that I wanted to direct the first question to Anne Gill: what are the political dangers of doing this work within a corporation and how you sell the top corporate officials on the importance of what you're trying to do?

MS. GILL: I'd say that, at least in my company, executives have ears and eyes. They read the newspaper. They watch the television. They are aware of what happens when there is a major meltdown in a company and they are very, very concerned about that. They also will have a staff of people who will be telling them to protect themselves and to keep everything confidential and not to write everything down, and it's always going to be a balancing act.

One of the things the sentencing guidelines have done is to really add a push towards a little more openness and a little less benefit in that kind of protection. I frankly am not sure exactly where that is going to go in that we don't have the kind of privileges in place now that would allow us to comfortably go forward and place your soul and all your documents in advance of being subpoenaed or in advance of any discovery, to do that safely.

I think the corporate community wants to be less concerned about protection and more concerned about really detecting and deterring - and I would have to add civil. We are primarily talking about criminal offenses here, but most of the companies I'm involved with have applied all of this to their civil issues, as well.

If I could do anything, it would be to get a little bit more privilege, which would allow you to make your case for the government but in a safer way.

MR. PURDY: Let me ask the question to Alan Yuspeh in this way. How important is it to have the top-level executives on board with the compliance plans, and what do you find through your organization are some of the more effective ways that top-level corporate officers can convey that support?

MR. YUSPEH: I think, as others have said, that it may be the single most important thing to the success of these programs, and I want to associate myself with Michael's comments, too, about values and integrity-based programs being sort of critical. But you can just think that if that message is to be conveyed, the message, in effect, that if there is ever a conflict between business pressures and standards, values, integrity, and often the requirements of law, that the company unequivocally expects the matter to be resolved in favor of complying with law and with corporate policy and with the values of the corporation and not giving in to whatever the business pressures may be.

I think it is only the most senior people in the corporation that can effectively send the message, and I think the way to do that, Andy, is to be willing to talk about it, that in some of our signatories, I have sometimes talked to chief executive officers where others in the company have said, you know, we never find that so-and-so ever talks about this and so we infer that it's not important to him.

So I think that people need to be not self-conscious about this, need to realize that it is a leadership message, just like you may have leadership messages about the need to stretch your goals, or things like that. You need to have leadership messages about ethics and about values and about the kind of things we're talking about today.

MR. PURDY: Michael Hoffman. To what extent do you feel that it's important that you have a high-level full-time official to direct the compliance efforts?

MR. HOFFMAN: That's very important. In fact, it seems to me that that has been part of the problem that corporations have faced over the last several years, in not having an ethics officer or a compliance officer that really, truly, had a kind of gadfly function within the organization, to make sure that they put into place appropriate training programs for employees, and an appropriate ethics office with proper staff and proper functioning to handle help lines and hotlines.

And I want to make a distinction there, because a safe reporting system is not just a hotline system where all of a sudden somebody calls in with a problem. By the way, down in such-and-such there is somebody doing something wrong. These reporting systems are for employees to get help in trying to understand how to make a decision about an ethically-sensitive situation.

The ethics officer serves as a kind of inspiration for keeping that ethics flame, and that flame of the corporate values, alive in the variety of functions that he or she does, but in overseeing training programs, handling the safe reporting system, making sure that the code of ethics is up to date and properly communicated, and making sure constantly that those values of the company are constantly communicated and that the employees have the proper tools to make important ethical business decisions in a variety of circumstances.

When you talk about a compliance program, it sounds like you are all of a sudden talking about some omniscient policeman who is sort of going to take care of all of the things that a corporation or individuals in a corporation might do wrong. Individuals make individual discretionary decisions every single day of their lives, and no policeman, no compliance program can make that go away. You have to give those people the proper tools and the proper awareness to make those individual decisions autonomously.

MR. PURDY: We have a question from the floor concerning confidentiality and your ability to sustain your confidentiality. One of our audience members says that he or she doesn't believe that this confidentiality is legally recognized, and they say, for example, if there is an environmental problem that's significant that comes through the ombudsman's office that the subpoena can reach that information.

I know we'll talk about this in greater length in the law enforcement panel later, but I wonder if you might, in 30 seconds or so, comment on that.

MR. FURTADO: Thirty seconds? Well, actually, the test of that has been made. I mean, there have been at least two dozen law cases in the last five years where sexual harassment issues, racial discrimination issues, environmental issues have been challenged in the courts as far as seeking information from the ombudsman's office.

In most of those cases, the privilege of the ombudsman has been upheld. It is very similar to the privilege that mediators have in the courts through shield laws. One of the things that we're looking for now is a shield law, to stop going through this process every time we have a case and to go after the same protection that the mediator has in mediation law.

If you take an environmental issue to a mediator who enjoys privilege through shield laws, that person is also not going to violate confidentiality unless given permission. Thank you.


Thomas Furtado

Q. What specific precedent (case law and statute) exists to support the ombudsman privilege?

A. The effectiveness of organizational ombuds is attributed to their confidentiality and their neutrality. Ombuds practice strictly to the Code of Ethics and Standards of Practice adopted by The Ombudsman Association. The Ombuds practice assures organizations and their members of the promise of confidentiality. In fact, Ombuds believe that if it were known that confidential communications could be compelled in public arenas, then the Ombuds' ability to mediate disputes and help uncover problems concerning safety, health and environmental issues would be greatly diminished and the primary reasons for the existence of Ombuds would be eliminated.

Ombuds rely on a number of legal theories in their efforts to preserve and protect communications including, the Common Law privilege of confidential communications, state statues protecting confidential communications of labor mediators and other related neutrals, state constitutional provisions relating to rights of privacy, and the Administrative Dispute Resolution Act.

The Common Law privilege of confidential communication is recognized pursuant to Federal Rules of Evidence 501. In order to assert a privilege at common law, the courts have looked to the following: (1) the communication must be made in the belief that it will not be disclosed; (2) confidentiality must be essential to the maintenance of the relationship between the parties; (3) the relationship should be one that society considers worthy of being fostered; and (4) the injury to the relationship incurred by disclosure must be greater than the benefit gained in the correct disposal of litigation. See In re Doe, 711 F2d 1187, 1193, (2d Cir. 1983); Mattson v. Cuyuna Ore Co., 178 F Supp. 653, 654 n2 (D. Minn 1959).

The Administrative Dispute Resolution Act, enacted in 1989, was designed to streamline resolution proceedings through the use of alternative dispute resolution techniques instead of litigation. Congress provided a privilege of confidentiality for the neutral serving government agencies. Organizational Ombuds analogize to this legislation.

On September 8, 1995, Senator Grassley and Senator Levin introduce a Bill to reauthorize the expiring legislation. The Bill contemplates a modification designed to further enhance and preserve confidentiality to participating neutrals. Senator Grassley stated, "[T]he Bill addresses agency confidentiality concerns by exempting all dispute resolutions communications from Freedom of Information Act disclosure. Although these communications have always been confidential by implication, this amendment to the 1989 Act makes that confidentiality express and clear." (Congressional Record-Senate; September 8, 1995; S1224).

In two recently decided cases, trial courts directly addressed the issue of ombudsman privilege. In Jones v. McDonnell Douglas Corporation, Case No. 4:94-CV-355 (CEJ) (memorandum and order of 5/22/95 attached), the Court found pursuant to Rule 501 of the Federal Rules of Evidence that the four factors to support a privilege were present and that communication between the ombudsman and the parties was privileged and not subject to discovery. In Koslowksi v. The Upjohn Company, File No. 94-5431-NZ (opinion and order of 8/16/95 attached), the Court granted a protective order and found that "[t]o successfully assist employees and employers in the settlement of workplace differences, Ombuds must maintain a reputation for impartiality and the parties must feel free to talk without fear that the Ombuds may later disclose what transpired. If Ombuds were allowed or required to testify, not even the strictest adherence to purely factual matters would prevent evidence from seeming to favor one side or the other. The inevitable result would be that the usefulness of the Ombuds in settling future disputes would be seriously impaired, if not completely destroyed."

Further, in Kientzy v. McDonnell Douglas Corporation, 133 FRD 570 (E.D. Mo. 1991), the court found that "[t]he utility of the program and the office, in resolving disputes in this workplace and thus diminishing the need for more formal resolution procedures, is founded on the confidentiality of its communications to and from company officials and employees." Also, more recently, on March 14, 1995, in McMillan v. The Upjohn Company, Case 1:92:CV:826, the U.S. District Court, W. Dist. Michigan (order of 3/14/95 attached) found ". . . privilege of confidential communications under Federal Rule of Evidence 501 . . ." and also found that "policy interests favoring consideration of matters submitted to corporate ombudsman in confidence as privileged communications . . . ."

Although all the foregoing are non-binding decisions and none has been appealed, members of the Ombudsman Association and the Association itself would welcome the opportunity to bring the issues of ombudsman privilege before an appellate court.

On October 23, 1995, the California Court of Appeals granted a qualified privilege of confidentiality to ombuds on the basis of California's constitutional right to privacy. In the case of Garstang v. California Technical Institute, (Second Appellate District, Division Two, Case No: B088019), plaintiff Garstang sued the private educational institution for slander and intentional infliction of emotional distress. Plaintiff claims she was treated unfairly when certain rumors were circulated about her in the institution. Caltech's ombud, Helen Hasenfeld, conducted meetings to assist the parties to resolve the situation. However, the ombud was unable to satisfactorily resolve it and Garstand filed suit. During discovery, plaintiff sought to compel Hasenfeld to testify about the substance of the meetings.

In deciding the case, the court weighed competing public values ". . . there must be a careful balancing of the compelling public need for discovery against the fundamental right of privacy." The court also found that, "where the communications were tendered under a guaranty of confidentiality, they are thus manifestly within the Constitution's protected area of privacy."

California does not recognize a privilege unless codified by statute. However, after finding the right to privacy applicable, the Appellate Court also examined the facts in light of the four-prong common law analysis for privileges, set forth in Federal Rules of Evidence 501 and relied on Kientzy v. McDonnell Douglas, (1991) 133 F.R.D. 570. Garstang is the first appellate court in the country to recognize a privilege of confidentiality for organizational ombuds. The appellate court certified its opinion for publication.

Q. What is the typical background of individuals who serve as ombudsmen?

A. Organizational ombudspersons come from a number of backgrounds. A large number come from functions in the organization that deal with people issues, such as human resources, communications, and legal departments. Degrees and educational backgrounds come from all areas, mainly because the most important factors in choosing ombudspersons tend to be the personal qualities of the individual. A great deal of emphasis is put on the integrity and interpersonal skills of the prospective ombuds, since without these two qualities it is hard to imagine how one could be effective in the role. The choice, therefore, focuses less on academic background (this is not always true on campus) and more on the person. Some of the most effective ombudspersons have come from such departments as marketing, engineering, and manufacturing. Their success comes from their ability to deal with people and the reputation they enjoy in their organization for integrity and approachability. Today a number of clergy and psychologists serve as ombudspersons to both corporate and academic institutions.

Q. If the sentencing guidelines and DII disappeared, would your company's management continue to maintain an ombudsman function? To what extent does this reporting option diminish trust in the organization? To what extent does it build trust?

A. Since these are hypotheticals, one can only conjecture the answers. The first issue to be faced is whether a company's ethics program is value-based or compliance-based. Did the company put the ethics program in place because it wanted to do the right thing and to encourage its employees to help it be an ethical company? Or did it establish its program because it was concerned about it legal liabilities and potential fines and public embarrassment. If the program was started for the first reason, then it likely that the company would retain its compliance and ombudsman functions, regardless of the disappearance of DIE and the Sentencing Guidelines. If the program was started for the second reason, then it seems likely that ethics officers, compliance officers and ombudspersons alike would be hastily dispatched. The continuing growth of the ombuds function at United Technologies, and the support we enjoy from our Chief Executive Officer, not based on fear of liabilities but rooted in our values, leads me to feel comfortable with our situation.

The ombudsman function is not an alternative to the formal compliant-handling system. It is an additional place to go when people, for one reason or another, do not choose to use the system in place. Because it is an option, and because we encourage our people to use the formal system first, it is hard to see how it would diminish trust in the organization. One would be naive to believe that organizations do not have problems that at times inhibit people from coming forward with concerns. The record where ombuds exist says just the opposite. Management will to put in place a function that is neutral, confidential and independent to deal with these issues will be seen by most employees as open-minded, trusting, and willing to seek out the truth about how the company is run.

Michael Hoffman

Q. Do you believe that there is a need to audit the ethics and compliance efforts of business organizations? If so, who should provide this audit?

A. Yes, I think audits of ethics and compliance efforts are important - if appropriate processes and instruments can be developed for such audits, and if information provided by such audits is properly communicated. I also think audits should be done both by the ethics office and audit departments and by an independent, objective body outside the organization. Without the independent audit the results may appear self-serving and also may be tainted by an insider perspective. Efforts have already been instituted internally and are being developed externally for such audits. But this is an area where much more important work needs to be done.

Q. How serious a problem is corporate crime among the Sponsoring Members of the Ethics Officer Association?

A. Many Sponsoring Partner members have had problems and others may be experiencing problems. But this should not be misinterpreted to imply that companies joined the EOA for window dressing. Nor should we think that just because a company has an excellent ethics/compliance program that nothing will go wrong. I am convinced that most, if not all, EOA member companies join to try to prevent wrongdoing from occurring in their organizations. This is no guarantee that it won't happen. Nor does preventive medicine - proper check-ups, habits - guarantee that a person won't become ill. But preventive ethical medicine does help prevent problems and is a responsible course of action to maintain ethical well-being. This is the reason companies and individuals join the EOA, and I, for one, am convinced that it is laudable and beneficial. It is also in keeping with the spirit of the U.S. Sentencing Commission's efforts to promote good corporate citizenship.

Keynote Address

Senator Edward M. Kennedy, Keynote Speaker

Introduction: Judge A. David Mazzone, Vice Chairman, U.S. Sentencing Commission

JUDGE MAZZONE: It is my pleasure and honor to introduce Senator Edward Kennedy from Massachusetts. He has served continuously in the United States Senate since 1962, a long time, I think he feels now. He was formerly Chairman of the Senate Labor and Human Resources Committee and is now the Ranking Minority Member of that committee. He was formerly the senior majority member of the Senate Judiciary Committee and is now the senior minority member of the Senate Judiciary Committee. He was formerly the Chair of the Judiciary Committee Subcommittee on Immigration and Refugee Affairs and is now the Ranking Minority Member of that committee. He was formerly the senior majority member of the Armed Forces Subcommittee on Defense and Contingency Forces and is now the senior minority member of that committee. He was formerly the senior majority member of the Joint Economic Subcommittee on Monetary and Fiscal Policy and is now the senior minority member of that committee. Formerly, he was a Democrat.... Today, he comes before you to make a very important and historic announcement.

Two years ago, at the Sentencing Commission's initial symposium on drugs and violence, I also introduced Senator Kennedy. That was an easy introduction. He had co-sponsored the Sentencing Reform Act and had worked for its passage with Senator Thurmond of South Carolina. His involvement with the criminal justice system was long, going back to his days when I first heard of him as a young assistant district attorney in Boston prosecuting felony cases.

In the Senate, his leadership with criminal justice, health care, education, and civil rights issues is well-known and his record for improving the quality of life for millions of American people has been widely recognized. Today, I could make the same introduction because the bottom line with Senator Kennedy always has been and always will be - what's good for the American people is where he will stand.

Today, I introduce him to a group of people which represents corporate America at its best. I listened this morning and was impressed with what I heard from the speakers about making important business ethical decisions and setting out company values. I sat here and thought that this is a great symposium, where we begin to understand and promote the notions of a good corporate citizen.

Today, when government talks about downsizing, budget complaints, and withdrawing, it's even more important to understand and to promote the role that the "good citizen" corporation will play in the United States. That's a role that's been long-recognized by Senator Kennedy in Massachusetts. I recall the support that he received from the Massachusetts Business Council and the Massachusetts business community generally during his last and successful re-election campaign. The support he received, ranging from the Massachusetts Bankers Association, the high-tech industry, and the Massachusetts Biotechnology Institute, for which he obtained the initial funding which, in turn, launched new firms and new jobs. I recall his support for the North American Free Trade Agreement, creating new jobs and opening new markets, and his work with environmental technology to reduce barriers, to speed up the EPA review, and to encourage research and development for alternative technologies in partnership with universities and private businesses.

So, you see, while the mandate of the Sentencing Reform Act gave the Sentencing Commission the opportunity to run these kinds of conferences - whether they are to deal with problems of crime on the streets or deal with problems of crime in the boardroom - Senator Kennedy has been an integral part of that program and those concerns.

It is my pleasure to introduce to you Senator Edward Kennedy from Massachusetts.

SENATOR KENNEDY: Thank you very much, Dave, for that introduction and for your outstanding service on the Sentencing Commission. Thank you. Let me just say a wonderful word about Dave Mazzone because he's been so nice to me today.

Dave and I both started off in Boston a number of years ago when he was an Assistant United States Attorney and I was in the district attorney's office. He went on to become a distinguished member of the bar of Massachusetts, one of our leading state judges, served as one of our outstanding district judges, and then went on to the Sentencing Commission. His career has been a continuing, ongoing, and upward one.

I got out as an assistant district attorney in 1962. I got my job. I came to Washington and I haven't moved since. I've always admired and looked to David for career guidance in whatever way I could. He has been a good friend, a distinguished jurist, and an outstanding member of the Sentencing Commission.

I thank Judge Conaboy and the other members of the Sentencing Commission for their constant pursuit of the mission of the Sentencing Commission and their help in working with us, Republicans and Democrats alike, in the Congress and the Senate, and for always being available to review with us the concerns that have been raised with the Commission. I think all of us in the Senate Judiciary Committee and all of us generally have been enormously impressed with their commitment and their dedication to achieving the objectives of the Commission and extending, really, the envelope to try to make our federal justice system a fairer and more equitable system.

I am glad to see Wayne Budd here. You don't know what a sigh of relief I gave two years ago in 1994 when Wayne decided not to run for the United States Senate from Massachusetts. I am glad he is delighted to be in the private sector and want to keep him doing well, very well, for a long period of time.

When Strom Thurmond and I sponsored the Sentencing Reform Act of 1984, we sought to create an agency that would do more than just write sentencing guidelines for the federal courts. We established an independent, non-political organization to serve as a catalyst for wide-ranging improvements in the criminal justice system. Sessions like this are one of the most important ways in which the Commission educates itself, the public, and fulfills its statutory mission. We in the Senate regard very highly the recommendations, the nature of the discussions, and the suggestions that are made as a result of this conference.

We knew that the Commission would attract controversy over the years, and indeed it has. Unfortunately that's what can happen when an agency does its job effectively. Earlier this year, for example, the Commission took on the sensitive issue of race discrimination in drug sentencing. Under the guidance of Commissioner Wayne Budd, yet another leader of the Massachusetts bar, the Commission issued a landmark study and has proposed changes to remedy the unwarranted disparity caused by the current laws on sentencing for crack cocaine offenses.

This proposal faces an uphill battle in Congress. But, I for one, am proud to see the Commission fighting for fair, rational sentencing laws. If doing the right thing turns out to be controversial, so be it. That is precisely why Congress created the Commission in the first place; to enable sentencing to be guided as much as possible by the rule of law and not the prevailing winds of partisan politics.

In many ways, this symposium is a mirror image of the Sentencing Commission conference I addressed two years ago. That gathering concerned crime in the streets. We discussed the complex interplay of drugs and violence, and explored ways in which community policing, gun control, and drug treatment could help prevent street crime before it occurred.

Today, we turn our attention from preventing crime in the street to preventing crime in the boardroom. One important goal of the 1984 Act was to eliminate the two-tier system of justice in which white collar criminals received lenient treatment for acts of theft and fraud that would merit lengthy prison terms if committed on the street. There is a long and impressive tradition of the business community working with Congress to tackle the problem of corporate crime. I remember very well, for example, the important contribution made by Irving Shapiro, Chairman of the DuPont Corporation, when we attempted to recodify the criminal laws in the late 1970s. Thus, the attendance of so many members of the business community at this conference is certainly in that tradition.

The same principles of deterrence and fair punishment that apply to street crime apply to white collar crime, even when the defendant is a corporation instead of a human being. In the field of corporate sentencing, as elsewhere, the Commission has brought greater rationality to a subject best characterized as "law without order." The corporate sentencing guidelines established by the Commission four years ago replaced a system in which penalties were largely dependent on the views of individual judges. Now, there is a set of principles to guide judges throughout the nation and a set of rules to guide good corporate citizens seeking to comply with the law and minimize their criminal liability. True to its statutory duties, however, the Commission did not simply announce this new corporate penalty policy and then assume that its work was done.

Instead, as with all the sentencing guidelines, the Commission is monitoring this policy to understand how it is working and to identify areas where it should be improved. The Commission is doing this by undertaking the kind of empirical research that will be presented immediately after this luncheon and by convening this symposium, which has brought together hundreds of leading experts and practitioners - all of you - to share ideas on these key issues.

At a time when some are trying to gain political advantage by sowing seeds of cynicism towards government, the Commission reminds us that some government functions are important and can be performed in a deliberative, inclusive, and highly competent manner.

These guidelines are designed to address corporate crime, a significant problem that justifies this kind of serious consideration. Some have suggested that corporate crime is just an overblown, anti-business invention of career-hungry prosecutors, regulators, and politicians. Statistics gathered over the past decade and a half demonstrate, however, that these crimes are both serious and distressingly common.

One early study on the incidence of corporate crime was conducted in 1979 by the Justice Department. This study found that in a one-year period, more than 60 percent of the corporations examined had undergone at least one enforcement action and that the average number of enforcement actions among those companies was four.

In 1980, Fortune magazine launched a study that tried to distinguish minor offenses from serious offenses. The magazine wanted to see whether prominent companies engaged in what all would agree are significant acts of impropriety. The study examined the track record of the 800 largest companies in America during a ten-year period and looked exclusively for major instances of what Fortune classified as "corporate corruption" - that is, five serious categories of crimes involving such things as bid rigging, major fraud, and high-level bribery. A number of serious crime categories, such as foreign corrupt practices, environmental, and food and drug were not even considered by this study.

Even so, the study found that 11 percent of these highly respected companies had been caught committing what Fortune called "blatant illegalities." Several companies were multiple offenders during the same ten-year period. We have no idea how many offenses went undetected.

That was in the 1970s, and things seemed to go from bad to worse during the 1980s. This was the decade of the "Ill Wind" prosecutions, where major defense contractors were involved in bribing the procurement offices. As a member of the Armed Services Committee, I can remember the hearings that we had on "Ill Wind" and how offensive it was in terms of, most importantly, our national security, and secondly, the taxpayers' investments. Major frauds which had been committed under other circumstances were those at highly-regarded brokerage firms, and savings-and-loan institutions, and even the sale of adulterated juice by a trusted purveyor of baby food.

The 1990s have yet to demonstrate much of a turnaround. We have already seen record penalties imposed for massive violations in the health-care and securities industries. Medicaid and Medicare fraud amounts to anywhere from $30 billion to $45 billion a year. It is something that in just that area alone undermines both the effectiveness of health care delivery systems and also of cost. Last month, a Texas company agreed to pay the largest criminal antitrust penalty ever for bid-rigging. In 1994, the Justice Department recovered over $1 billion in fraudulent government contract billings under the False Claims Act.

But the heart of the matter is people, not statistics. Corporate crime robs the nation. It robs children of clean air and clean water. It robs senior citizens of their security and peace of mind by luring them into unsound investments. It impairs the government's ability to buy the technology we need to maintain our national defense. It puts dangerous and ineffective medicines in the hands of people whose very lives depend on having medicines that work.

Perhaps its most pervasive effect, however, is something Judge Conaboy has spoken of: the way in which corporate crime undermines public confidence in our free enterprise system. Consumers become cynical about buying when they discover that they were lied to about the juice, the life insurance policy, or the automobile they just bought. They become cynical about the prices they pay when they learn that an antitrust conspiracy, not competition, has set those prices.

Finally, there is the effect on a company's own workforce. As executives, you know how demoralizing it is when the majority of employees who have played by the rules get tarred by the conduct of a few who did not. This kind of blow to a company's reputation and morale has rippling effects that can go on for years.

That is why I believe that the corporate sentencing guidelines - and a number of complementary policies pioneered recently at the Justice Department, EPA, and some of the other agencies - are so significant. As Win Swenson of the Commission said this morning, the guidelines recognize a fundamentally important fact about corporate crime: the culture and policies of a company make all the difference. The sentencing guidelines reflect this fact by setting penalties that depend on how well a company has taken steps to prevent, detect, and disclose corporate offenses. When companies take these steps, corporate crime is deterred.

The significance of this new policy is recognized by the experts. Leading criminal defense lawyers have written that the guidelines constitute a "revolution in organizational sentencing philosophy." Two prominent compliance experts recently praised the guidelines as an example of what they call "smart regulation." A professor at one of the country's leading business schools put it simply: "[T]he Sentencing Commission did a masterful job in assessing [corporate] culpability."

The corporate guidelines have attracted international attention as well. For many years, America was the only western nation to impose criminal penalties on corporations. Now, countries such as France are emulating the United States, and the Commission's work has helped inform these efforts.

All this attention is deserved, but the accolades are somewhat premature. The guidelines are still largely untested. In a very real sense, the success of this new policy rests with you - those of you in the audience today and many others like you across the country. That's why I'm hopeful that the lessons, ideas, and suggestions that come from the conference be available to the various business and graduate schools, law firms, and law and medical schools of this country. A number of them are in different stages of addressing these kinds of issues and I think it would be useful to be able to have the kinds of observations, recommendations, and comments available to the academic institutions that are working with the young people in this nature in the future.

In a very real sense, the success of the new policy rests with you and with many like you across the country. Members of the business community and those who counsel corporate clients must recognize that there will always be skepticism about a policy that gives any break to corporations that have committed crimes, as the guidelines will sometimes do when a corporation demonstrates a solid compliance program. That skepticism will grow if the public comes to believe that companies are approaching the guidelines with a "window dressing" compliance effort and a clever law firm waiting in the wings at the first sign of trouble.

As this symposium shows, commendable efforts are underway to help ensure that companies doing business in this country are, in fact, good corporate citizens. The impressive attendance by the business community at this symposium is a very positive sign. But some companies are taking the "window dressing" approach to compliance. Management's support for compliance at some companies is half-hearted, at best. Compliance and ethics officers are being told to scale back and spend less. The amount of resources a company should devote to compliance is a legitimate issue, and it is impressive that many of the companies represented here today are demonstrating a serious commitment to compliance, despite going through difficult economic times and downsizing.

Judge Conaboy was talking about the nature of the discussion of business ethics and the high nature of those comments and debate earlier today in morning sessions. But neither the public nor Congress will be fooled if the business community as a whole approaches compliance with superficial efforts. To make this new policy work, businesses must embrace compliance wholeheartedly. Many of you here today are trying to accomplish just that, and I commend you for your leadership.

The government also has a role in ensuring the success of this new policy. If companies are going to do their part and commit to more than "window dressing" compliance, those who are responsible for enforcing the law must be able to tell the difference between sincere and cosmetic compliance efforts. Unless prosecutors, debarment officials, judges, and others have the expertise to assess compliance program effectiveness, there is a risk that companies without substantial compliance programs will get a free ride, and those with strong programs will not receive the credit that they deserve. Either outcome is a threat to the new corporate crime policy.

Government officials also have a duty to reduce red tape and coordinate multiple overlapping enforcement tools. Companies face a wide range of criminal and non-criminal sanctions. While the notion of coordinating these sanctions is not new, the guidelines make coordination all the more imperative. In effect, the guidelines make a basic promise to companies: "Act as good citizens and your penalty exposure will be reduced." But that promise is false if companies face non-guideline penalties that take no account of these "good citizenship" efforts. I'm pleased that tomorrow's proceedings will consider these important coordination issues.

Finally, enforcement authorities must weigh the special issues involved when small businesses are the target of prosecution. We must make sure that mom and pop businesses have an opportunity to develop effective compliance efforts so they, too, can prevent crime and minimize their criminal liability.

Let me close by again commending you for being here. Your presence is a welcome endorsement of the goals of the corporate sentencing guidelines. Working together, we can combat corporate crime with the same strength and commitment that we use to combat violent crime. These deliberations, discussions, comments, and debates at these sessions are of enormous importance to all of us in the Congress and on the judiciary committees. We take seriously the work that is being done in the morning and afternoon sessions of these two days. They are extremely important. I don't think that we have had in this nation the kind of thoughtful consideration of these matters that we have had as the result of the leadership of the Sentencing Commission. We want your recommendations, comments, and suggestions. That is a goal that we are fighting for - a goal that can be achieved. I look forward to working with you to achieve it, and I thank you very much.

JUDGE MAZZONE: That concludes our lunch program. Well, I'll send you on your way with a little story, then. I closed the last symposium with this same story. It has to do with how much we all have to learn and how much we all have to know as a result of what we're learning today. I'll tell you about a particularly humbling experience I had in my own family. I was at home alone one night when the phone rang. It was one of our daughters who was away at school. She said, "Dad, is Mom home?" I said, "No, she's not." She said, "Well, that's too bad because I want to ask her a question." I said, "Well, why don't you ask me?" And she said, "Dad, I don't want to know that much about it."

That doesn't apply to us here. We have a lot to know and a lot to learn. Thank you very much.

A Presentation of Empirical Research on Compliance Practices: What Companies Say They Are Doing - What Employees Hear

Andrew R. Apel, Executive Director, Minnesota Association for Applied Corporate Ethics

William S. Laufer, Associate Professor, The Wharton School

Edward S. Petry, Senior Research Associate, Center for Business Ethics

Rebecca Goodell, Howrey & Simon

Mark Pastin, President, Council of Ethical Organizations

Moderator: Cameron Counters, Senior Research Associate, U.S. Sentencing Commission

DR. COUNTERS: Good afternoon and welcome to "A Presentation of Empirical Research on Compliance Practices: What Companies Say They Are Doing and What Employees Hear." I am Cameron Counters, a senior research associate in the Office of Policy Analysis at the U.S. Sentencing Commission and I have the privilege of serving as the moderator for this panel.

In previous sessions, it has been noted that the Commission is mandated to serve as a clearinghouse for federal criminal justice research. Given the importance of compliance programs under the organizational sentencing guidelines and increasingly other enforcement settings, the Commission concluded that research that contributes to our understanding of compliance practices among U.S. businesses would benefit both the business and the enforcement communities.

To help develop an appropriate survey instrument for compliance practice research, the Commission convened a diverse panel of practitioners with expertise in this area.

The goal of the survey instrument was to provide an initial but comprehensive inventory of the compliance policies and practices being used by businesses, both the common and innovative. Interview questions were grouped by the organizational sentencing guidelines' seven steps that serve as a minimum indication of a company's due diligence in seeking to prevent and detect criminal conduct by employees.

The Commission contracted with representatives of the Minnesota Association for Applied Corporate Ethics, Bentley College's Center for Business Ethics, and the Wharton School of Business to conduct telephone interviews of company representatives in small, medium, and large firms in a variety of businesses.

Using the Commission's basic interview instrument, the interviewers asked company representatives about their company policies and practices regarding: the company's standards of conduct; who has formal responsibility for compliance; sanctions for employee non-compliance; communication of company standards of conduct; internal reporting of non-compliance; prevention of retaliation against employees who report violations; responsibility for compliance oversight; company efforts to assess compliance; investigations of reported non-compliance; and company efforts to assess the effectiveness of compliance efforts.

The Minnesota Association for Applied Corporate Ethics interviewed representatives from over 300 U.S. companies. Each company was randomly selected from a pool of companies in the same industry and size category. The Wharton School targeted 200 randomly-selected small U.S. companies, also stratified by industry category. The Center for Business Ethics targeted 200 U.S. companies that are members of an ethics or compliance-related organization. This latter group of companies was thought to be especially aware of alternative organizational compliance policies and practices.

All three of the surveys asked the same set of basic questions. The instrument for interviewing small and compliance aware companies went beyond the set of basic questions by having more follow-up questions. The follow-up questions allowed the interview to move to a deeper level of detail.

The Commission spread its research effort over these three distinct yet integrated projects in order to provide a more comprehensive picture of organizational compliance efforts at the national level.

The empirical research of the Ethics Resource Center and the Council of Ethical Organizations provided a different perspective on compliance policies and practices, a perspective that complements the approach taken by the Commission-sponsored interviews of company representatives. The Ethics Resource Center and Council of Ethical Organizations have collected and analyzed data from employee questionnaires. Both of these studies provide insight on how employees perceive organizational compliance efforts, a factor often cited as a critical aspect of an effective compliance program.

I need to add a few words of caution. While the Commission established methodological criteria and funded three of the research studies, the Commission neither endorses nor criticizes the findings presented by the panelists. Furthermore, the Commission cautions the audience that the studies presented on this panel represent initial efforts to bring empirical data to bear on important issues about compliance policies and practices. Until replicated in other studies, the findings presented here should be viewed as tentative and may not be generalizable to all companies or industries.


DR. COUNTERS: Our first presentation is by Mr. Andrew Apel, Executive Director and principal founder of the Minnesota Association of Applied Corporate Ethics, an association of corporations that have or are working to implement compliance programs. He is also the editor of Benchmarks, a publication of MAACE.

He holds a J.D. from the University of Iowa, a master's degree from the University of Minnesota, and a bachelor's degree from the University of Northern Iowa, both in philosophy. He has been involved in the design, implementation, and interpretation of numerous telephone research projects, some involving as many as 10,000 contacts, and he is well acquainted with the compliance issues facing companies. We are fortunate to be able to draw upon his experience.

He will discuss the highlights of interviews of over 300 U.S. company representatives. As I noted before, the MAACE project is the most general of the three Commission-sponsored surveys.

MR APEL: My name is Andy Apel and I worked with Lorman Lundsten and Jack Militello at the University of St. Thomas to complete a survey of compliance practices in organizations with 50 or more employees in virtually every industry in the United States. Of the three surveys commissioned by the USSC, ours was the most general.

Some of you out there may have participated in this survey, and I would like to express my appreciation for your help. I only have a few minutes for this presentation and a lot of data to cover. Since you have copies of my abstract already, I would like to take this opportunity to add to what has already been written.

First off, I would like to caution everyone on the use of this data. It is not benchmarking. Benchmarking is an effort to find what policies and practices work the best and the average or most prevalent practices might neither be ideal nor even good enough for anyone's operations, which also means, don't use these numbers to help establish per the guidelines what the industry practice is. That's a far too dangerous game for everyone involved, and insisting on average policies and behavior would only stifle the creativity and ingenuity displayed by the many corporations I had the pleasure of interviewing. I think the patterns behind the numbers will bear this out.

Here you can see the patterns of leadership in charge of compliance efforts. You can see there is a tendency to make compliance the job of one person, which is preferred two to one over putting a committee in charge. Some companies reported that having an individual in charge made it difficult to make compliance part of everyone's job. On the opposite end of the spectrum, one company in five has nobody in charge of compliance. This does not imply that they have fully integrated compliance into the corporate culture.

When a committee is in charge of compliance, senior managers make up over half of the committee. Executives make up most of the remainder, with only a few companies involving line managers and hourly workers. That is all fine and good since the guidelines require the involvement of high-level personnel. The guidelines don't imply that companies should exclude line managers and hourly workers, but that seems to be what has happened.

Roughly three out of four compliance committees report to the executive level and virtually all of the rest report to senior managers. There is virtually no reporting back to line management, which seems to complete a pattern. In compliance efforts, accountability and reporting is almost uniformly in an upward direction, starting at the senior management level with little or no input from below.

Four out of five companies tell employees that compliance has an impact on their performance reviews. It is more likely that poor compliance will weigh against an employee than that exemplary compliance will be rewarded. I had it often explained to me that compliance was not something you reward, it's just the minimum you expect.

But you need to take these numbers with a grain of salt. The question asked about compliance with company standards. So what needs explaining, perhaps, is why requiring employees to live up to expectations is less than universal.

Not all companies make overt efforts to communicate standards of conduct to employees. Of those that do, you can see a written code of conduct is the most popular means, followed closely by written materials of similar import. Live training comes in at third place - more on that later. Half of all companies report using posters. But keep in mind that the law requires posters on a number of different and popular compliance topics. That means that posters should be in number one position, except that most respondents forgot they were there. This should tell you something about the effectiveness of posters in communicating standards of conduct.

Compare the most popular means of communicating standards of conduct with what people think works the best. We saw earlier that a code of conduct is used by 84 percent of companies responding. Here we see it is considered effective by 7.2 percent. Live presentations get the highest marks here as the favored method by nearly two out of five companies, closely followed by video.

Management is the most popular target audience for the code of conduct, but you can see that companies with a code are pretty good about getting a copy to virtually everyone in the organization, from 93 percent of management to a low of 81 percent for hourly workers.

Agents and customers don't get much. Only 15 percent of companies with a code of conduct circulated it to those "outside" the organization. Those familiar with the guidelines know the requirements regarding agents. Those familiar with the Internal Revenue Code know the tax consequences of governing the conduct of agents. People are still trying to sort this one out.

Training in compliance matters is most intensive at the top of the organization, with managers leading the list. Executives and other salaried workers follow. At the level of hourly workers, only six out of ten companies give them training. A number of companies said they had given up trying to train hourly workers because the turnover was simply too high. And again, agents are near the bottom of the list.

For detection of wrongdoing, most companies rely primarily on the willingness of employees to report what they see, most often to a supervisor. In almost all cases, this procedure is announced in the company's code. More proactive efforts are less common, such as spot audits, and more on that later.

With a little imagination, you can see a bell curve in the frequency of internal investigations, with over half of all companies doing between six and 24 investigations in the last five years. Almost nobody gets away with doing none at all. Considering that we sampled all the way down to companies with as few as 50 employees, this is pretty strong evidence that there is a lot of misbehavior being investigated.

When non-compliance is detected, companies respond in interesting ways. Broad-based employee involvement in a compliance program is minimal, but after a violation, their input suddenly becomes more important. Meanwhile, the relative importance of auditing and reporting by employees trade places. Nearly half of the companies with significant violations modify their auditing practices after something goes wrong, but fewer than one in five modify their reporting mechanisms.

One in three brought significant violations to the attention of law enforcement, which shows how little trust many managers place in involvement with the legal system. This also means that two times out of three, there will be no public record of the employee's infraction. Couple that with the standard employee policies on giving references and you can see how hard it is, or can be, to avoid hiring those with the wrong propensities.

Companies with compliance efforts reported a wide variety of motives. The most prevalent is the intent to maintain an ethical reputation. This is both laudatory and sound business. General legal concerns and responding to the guidelines tie for second place, followed closely by fear of litigation. Whether or not this is the ideal state of affairs would make a good topic for a conference all by itself.

But certainly, the guidelines are having a significant impact on what organizations are doing to prevent and detect violations of law. Nearly half of their compliance efforts were made more vigorous and one out of five added new programs, that is, among companies that are aware of the guidelines. Most aren't.

Here, a pattern repeats itself. The individuals involved in creating a compliance program are roughly the same as those who staff the committees which run them. Again, line managers have little involvement, but then, neither does outside counsel.

People who work in compliance generally feel positive about their efforts but find it hard to compare their efforts to others in their industry. They may compare their legal troubles to those of their competitors. Sometimes they compare notes with others they meet at conferences or establish small informal groups for sharing information on compliance programs.

Some of these latter efforts are boycotted by those who fear that the Antitrust Division of the Department of Justice will prosecute them for sharing information on industry compliance practices, although one stalwart soul confessed he would be proud to defend against such an action by Justice.

Here is the compliance history of respondents. Those who feel their efforts are effective or better nonetheless have suffered many legal consequences for the wrongs of their employees. Six percent of organizations have been convicted of a criminal offense. One in six has reported adverse adjudications as a result of employee misconduct, and this actually under-reports companies' experiences. This does not count the numerous out-of-court settlements. One company in four has seen an employee convicted of an employment-related criminal offense.

Finally, most organizations try to play their internal documents close to the vest. If they involve personnel records, this is often a legal requirement. In spite of the large numbers, there are actually few organizations which attempt to take advantage of any legal privilege. Those who do try to cover their documents with a privilege often doubt that their efforts will make a real difference.


DR. COUNTERS: Our next presentation is by Dr. William Laufer, Associate Professor in the Department of Legal Studies at the Wharton School. He holds a Ph.D. from the School of Criminal Justice at Rutgers, a J.D. from Northeastern University, and a bachelor's degree from Johns Hopkins.

Bill has written extensively on corporate compliance issues in a variety of literatures, including legal ethics and criminology literatures. We are glad to have him with us today. Bill will discuss the results of interviews of small businesses.

DR. LAUFER: Last year, when staff members of the Commission first started discussing the possibility of drafting a survey of corporate compliance efforts, I suggested a consideration of small business practices. After all, Commission data from 1984 onward revealed that over 90 percent of all corporations convicted in federal courts each year are small businesses. This remarkable finding, along with the fact that 99 percent of all non-farm businesses in the United States have fewer than 500 employees argues in favor of studying standards of conduct in small firms.

Commission data suggest a very strong association between firm size, ownership structure, and successful corporate prosecution. The median number of employees remains below 60 throughout the Commission data, with the percentage of privately-held firms convicted ranges from 90 to about 97 percent. So it's remarkable. If you look at successful prosecutions in relation to convictions, we are talking about small privately-held firms.

Scholarly research on small businesses identifies three distinguishing characteristics. Generally, small firms differ from their larger counterparts in the informality of their structure, culture, and communication, their available resources, and their orientation toward governmental regulation.

These differences fueled a number of hypotheses regarding the proposed study of small business practices. Due to time limitations, I will only mention some of them.

First, we thought that only a small percentage of firms surveyed would have clearly articulated and/or codified standards of conduct and we also hypothesized that only a small percentage of firms surveyed would have designated a person and/or committee with oversight responsibility.

Two-hundred-and-twelve organizations completed a similar survey as administered in the national study. All organizations had between 50 and 500 employees. The average number of employees was 155 with mean revenues of about $17 million. It may be helpful to summarize these findings before I take some time going through the survey results, and the highlights are as follows.

Seventy-five percent of survey respondents acknowledge having standards of conduct with oversight by high-level personnel. Twelve percent credit the sentencing guidelines as influencing a reassessment or modification of such standards. Small firms use a combination of written codes, legal memoranda, posters, and personnel meetings to communicate standards of conduct. Compliance with standards is often considered in both employee performance appraisals and promotion decisions. And finally, 71 percent of all firms conclude that their compliance programs are effective or very effective.

It is worth noting here that we were generally surprised to see such a high percentage of small firms with identifiable standards of conduct and compliance procedures. The data support the view that in spite of the conventional academic wisdom that small businesses are informal customer-oriented organizations, most small firms have codes, programs, and compliance procedures that in many respects resemble their larger counterparts.

With the balance of my time here today, I would like to quickly review some of the most interesting findings. All of the results, of course, relate to the guidelines criteria for what constitute an effective compliance program. As has been noted, the guidelines criteria for an effective program turn on the notion of organizational due diligence.

The first criteria for due diligence is the presence of an established compliance standard, procedures to be followed by employees and agents. Seventy-five percent of the survey respondents acknowledge such standards. This is less than the reported percentages of large firms with ethics codes but is nevertheless impressive. At the very least, it strongly suggests that the majority of small businesses have taken the time and committed the necessary resources to identify standards of conduct, whether written or unwritten.

Due diligence, according to the Commission, also requires a showing that organizations have delegated responsibility to oversee compliance with such standards. Of the firms that have standards of conduct, 47 percent have assigned corporate-wide responsibility to a person, 19 percent to a committee, and three percent to a person and a committee. Once again, this is quite impressive. Close to three-quarters of all small firms with standards of conduct engage in oversight.

There is additional evidence that compliance oversight in small firms is taken quite seriously. Nearly 50 percent of all designated persons are high-level employees. Most have a background in human resources and report directly to the owner, CEO, or president of the firm.

Employee accountability to standards of conduct is an integral part of organizational due diligence. A modest number of small firms actively use compliance information. For example, one-third of the small firm respondents with standards of conduct consider compliance and performance appraisals. Nearly one-third consider a poor track record of compliance in promotion decisions, as well. Notably, this is considerably less than that observed with compliance aware organizations and with the national study that was just described.

Due diligence requires effective communication of standards. As in the national study, a majority of small firms distribute ethics codes to officers, managers, salaried, and hourly employees. As you can see, and I hope you can, training topics include workplace safety, labor, product quality, environmental issues, tax issues, gifts, gratuities, all the way down to false advertising, which is listed at 17 percent of the firms sampled.

Under the guidelines, organizations must take reasonable steps to achieve compliance, including the implementation of monitoring, auditing, and reporting systems that detect non-compliance. Sixty-seven percent of the firms indicate that employees report non-compliance to immediate supervisors and/or personnel departments. This compares favorably with the national study, which noted that 79 percent of companies have employees reporting non-compliance.

Sixty-one percent of the small firms with standards of conduct publicize the ways in which non-compliance may be reported. Nearly three-quarters treat reports of non-compliance as confidential.

Motivations to implement compliance programs are similar to that found in the national study. They include establishing a better culture, reaction to industry trends, fear of litigation, and prompting by corporate officers. Surprisingly, only 12 percent of the small firms with standards of conduct said that they were influenced by the sentencing guidelines for organizations. This is considerably less than that found by my colleagues in their surveys.

Finally, 75 percent of small firms reported that compliance measures helped ensure that employees comply with standards of conduct, a distribution similar to that found in the national study.

A plea for future research. In the future, additional research should be conducted that employs objective measures of compliance effectiveness. Unfortunately, that wasn't done here. We need research that focuses on the role of corporate culture - that was omitted - considers informal compliance efforts, and that contrasts the effectiveness of compliance initiatives that are prompted by and not prompted by the passage of governmental regulation. Thank you.


DR. COUNTERS: Our next presentation is by Dr. Edward Petry, Executive Director, Ethics Officers Association, and Associate Professor at Bentley College's Center for Business Ethics. Ed received his Ph.D. in philosophy from Penn State University and has degrees in philosophy from the University of Toronto and Trinity College. He has also written extensively in the area of business ethics.

Ed has served as a consultant and provided business ethics workshops to numerous companies and has a working familiarity with companies that are aware of the importance of compliance issues. Ed is here today to discuss the results of his interviews with what we're calling compliance aware companies.

DR. PETRY: First of all, I would like to thank John Desmond, who is with us in the back of the room. John, as some of you know, was formerly the general counsel and ethics officer at Boston Edison. He helped me considerably with this study, and in particular with the interpretation of the data. Thank you, John.

Our main goal in this part of the study was to look at organizations that have been at this for a while and that have made a concerted effort to develop effective ethics and compliance programs. What has their experience been and what exactly have they been doing?

We chose our sample of 200 organizations primarily based on the organization's participation in associations that encourage awareness of ethics and compliance programs. This included the Ethics Officers Association and the DII. We also included organizations that have regularly attended conferences that feature best practices, conferences such as the EOA conferences, the DII conferences, and also the Conference Board Business Ethics Conferences.

Consideration was also given to geographic and industry diversity. As you might expect, large companies, over 10,000 employees, made up a significant portion of the sample. Defense and highly-regulated industries, including telecommunications and public utilities, were also well represented. Most industries were included in the sample, and also, we had some large non-profits and some governmental organizations.

The most striking feature is the overall similarity of the formal initiatives. I will talk about each in more detail, but we find that written standards, oversight at high level, multiple means of communicating standards, training, and internal reporting systems were all common throughout the entire sample.

Beyond this, there was also consistent efforts to conduct in-house investigations and protect confidentiality and inform only on a need-to-know basis. For example, in one question, interviewees were asked who receives reports on investigations, and the overwhelming response was that this information was limited to the employee under investigation, their immediate supervisor, the ethics officer or ethics committee, and that's about it, limited on a need-to-know basis unless it was an extraordinary situation.

There was also evidence across the board that compliance audits, monitoring and reviewing processes, were all well integrated into the organizations.

Now let's look at several of the questions in more detail. As you would expect, all 200 of the organizations had standards of conduct for their employees.

When asked if the organization had a person or committee with corporate-wide oversight of compliance with standards, 84.5 percent had either a person, a committee, or both. Only five percent of these had just a committee, so of our sample, 79.5 percent had a person with corporate-wide oversight responsibilities for compliance.

Who are these people, what is their background, and where are they located in the organization? First, their expertise. The three most common areas of expertise are, one, general business management background, about 31 percent of those who have such a position. Next was a legal background, about 26 percent of those who have such a position. Third, audit and finance, and then a distant fourth, human resource.

An indication of their position in the organization is shown by the fact that they tend to report directly to the CEO and to the board or to a board committee. The most common reporting line was to the board or board committee. One-hundred-and-eight of those who had such a person, 68 percent, report to the board or board committee; 102, or 63 percent, to the CEO; and one of the more common answers is that they report to both a board committee and the CEO.

On the topic of communication of standards, over 90 percent of the sample used written codes, additional written materials, training, and memos or letters from a supervisor or from the CEO. In addition to that, over 50 percent also used formal scheduled personal meetings with employees and their supervisors or senior management, a newsletter or articles in an existing newsletter, training videos, and posters. High-tech methods are not yet common.

In addition, there were several interesting additional methods that were used for communicating standards. These included table tents on the lunchroom tables to remind employees of, or to highlight, certain values or issues; messages in their paycheck envelopes, either on the checks themselves or included in the checks; and it was pointed out by a few respondents that these were the two places they were sure to have people's attention, at lunch and on payday.

Other companies use in-house closed-circuit TV. And as Alan Yuspeh said earlier, there were some interesting additional examples, particularly in the defense industry, where there were many creative ways to communicate standards and to keep the message fresh. These included having theme days, paperweights, and memo pads. Some of this may sound corny but it, in fact, keeps the message fresh, renews interest, and keeps ethics and compliance as its priority.

On the topic of training, here, I believe we see the influence of other factors beyond the sentencing guidelines. Training on 14 of these 15 topics was provided at 70 percent or more of the organizations.

On the issue of reporting non-compliance, it's clear from the data that multiple avenues are being used. The most common, literally in all of the surveyed corporations, is that the reports are directed to supervisors. Eighty-two percent of the sample reported also having a hotline or a help line, and some of those who said they didn't have a help line quickly added that they were in the process of putting one in place. So today, that figure would probably be a bit higher. Given the difficulties of having a hotline, the fact that so many organizations do have them clearly indicates the influence of the guidelines.

Now I would like to turn to some questions and problems raised by the data. First, on the issue of a high-level person, 79.5 percent reported having a high-level person, either an owner, director, or other executive officer assigned corporate-wide responsibility in this area.

A few questions: how many of these are figureheads? Second, what percentage of their time is devoted to overseeing compliance? And I might add that in many of these organizations, the person who I was talking to was the ethics or compliance officer. However, the person who they said was designated with corporate-wide responsibility was someone higher up in the organization to whom they reported to, but they, nevertheless, had the day-to-day responsibilities. Third, given their high level, how hands-on can they be, and does that limit their effectiveness?

And a fourth question we might add, should an emphasis be placed on the individual being high level if, in some cases, this means having a figurehead in that position? Instead, should more emphasis be placed on the individual's direct reporting line rather than his or her level in the organization?

Next, as far as the legal background of some of these ethics officers, 26 percent of the organizations with a high-level person and 21 percent overall reported that the person's general background was in law. Will a chief legal officer in this position emphasize a legalistic approach? Will he or she have neither the time nor the expertise to address managerial issues and other responsibilities as they relate to compliance? And, does having the chief legal officer in this position further complicate attorney-client issues? As John Meyers said this morning, this may further complicate issues of trust and confidentiality.

Regarding broad-based representation on the ethics committees, only 20 percent of the organizations with a corporate-wide compliance committee, or only nine percent overall, reported having mid-level managers or below on the committee. As Andy pointed out, the question is, "Does this relative absence of operating personnel on compliance committees limit the committee's effectiveness?" It is important for a successful program to have a buy-in. Also, diversity brings alternate points of view. This may be lost if the committee is made up entirely of senior executives, as is mostly the case. This was also a point mentioned this morning by Ken Martin from Sunstrand.

Next, the place of compliance in performance appraisals. Seventy-eight percent of the organizations in my sample reported having a requirement that an employee's track record be considered in performance appraisals and 27 percent also reported requiring that an employee's exemplary track record of complying with standards of conduct be considered in recommending the employee for promotion.

Questions: One, how do you measure "exemplary compliance"? And two, should compliance be considered exemplary performance? And third, we didn't ask how compliance is weighed against other performance criteria. When push comes to shove, is it the first thing to go?

Distribution of written materials and training to non-employees, again, a similarity with Andy Apel's material. Seventy-five percent of the organizations in this sample do not distribute copies of the standards of conduct to non-employees and 78 percent do not provide training to non-employees on any aspect of the organization's standards of conduct. This may not be cost effective, given that problems often emerge at employee/non-employee points of contact. Are communication and training resources therefore being used effectively?

The high percentage of Human Resource (HR) calls also raises questions. We have seen in some of the data from earlier and here, as well, 74 to 80 percent of the calls to help lines involve HR issues. Now, this may indicate a disconnect between the organization and the employees' priorities. Employees might perceive ethics and compliance primarily in terms of fairness and personnel issues while the organization is stressing regulatory compliance.

Lastly, one interviewee commented that as far as he knew, the only way to receive any kind of validation of a program is to be on probation under the guidelines. He suggested that this seemed an unfortunate arrangement and hoped that there might be some other method of getting a program validated, suggesting either some third party or governmental agency. Thank you.


DR. COUNTERS: Our next two presentations constitute what the employees hear component of this panel. Our first employee perspective is by Ms. Rebecca Goodell with Howrey & Simon. She has a J.D. from the University of Virginia and a bachelor's from Notre Dame. Rebecca is well-versed in employee perceptions of company ethics practices and how perceptions may vary by employees' role within the company and the industry in which the company operates. Prior to joining Howrey & Simon, she was a senior consultant at the Ethics Resource Center. While at ERC, she authored Ethics in American Business: Policies, Programs, and Perceptions. Today, she will be discussing some of the highlights of that study.

MS. GOODELL: This survey that I am going to present on is mostly about ethics programs. We didn't really delve into the compliance areas.

This survey was a mailed questionnaire. It was done approximately a year and a half ago and included 48 questions. We had 4,035 responses, which was a 53 percent response rate. We worked with a group called NFO, based in Greenwich, Connecticut, which is a market research firm, to survey a cross-section of U.S. employees. We excluded certain groups, such as non-profit and government workers, so that it was representative of business. So at least in that way, it's not cross-sectional.

ERC performs a significant amount of consulting work for major corporations and there is a standard survey instrument that they typically develop from interviews and focus groups with client companies. In creating this questionnaire, we simply adapted and expanded the client survey instrument.

The data in the survey report is broken out by chapter into several different categories. We looked at the data by industry classifications. We grouped different SIC, (standard industrial classifications) together by job function to see which job functions had different responses, as well as level of responsibility in the organization to see how senior management differed from middle management differed from hourly workers.

The final way that we cut the data was by presence of a comprehensive ethics program and that is really what I am here to talk about today. We defined a comprehensive program much like some of the other studies have done. It was the presence of a code of conduct, training on the standards of conduct, and an ethics office or ethics ombudsman to whom people could report violations or seek advice about proper business conduct.

This survey differs from the three that you've already heard. First of all, it surveyed individuals and not corporations, and it wasn't specific individuals within corporations; it was simply individuals across America who are employed in companies.

It was also different from some previous studies that have been conducted in that it surveyed employees in companies of all sizes. We don't have data on the size of companies that our respondents were in, which is unfortunate. I don't think most respondents could accurately say, whether theirs is a $10 billion company or a $2.5 billion. So, we did not include that question. It would have been useful, had it been reliable.

The third and most significant way that this survey is different is that it looks at the effect of ethics programs. We didn't really go into great detail about how you trained your employees or who you distributed your code of conduct to. We simply asked people basic questions. Does your company have a code? Does your company provide you training on proper business conduct? Does your company have an ethics office? The rest of the survey focused on whether these elements worked and what their effect was.

Unfortunately, we weren't able to evaluate the quality of the programs. It would have been nice to distinguish a good program from a bad program, an elaborate program from a simple program, and how the answers differed, but I think we would have had about a 300-question questionnaire if we had combined all the work of the Commission and all the work that we did.

In our employee survey, 33 percent of employees said that they have some sort of ethics office where they can report suspected violations or seek advice. This was surprisingly high, since it is a cross-section of U.S. employees, with small companies and big companies. As Bill Laufer said earlier, 99 percent of companies are small, which may not necessarily correlate that 99 percent of employees work in small companies.

We asked employees whether they feel pressure to engage in misconduct to meet business goals, pressure from their management, and nearly a third of respondents overall reported that they do feel this pressure, and half of that 29 percent reported, when you asked them the frequency of feeling pressure, they said they feel it pretty regularly.

That doesn't necessarily mean that management is asking them to do things that are wrong. They may be setting stretch goals and employees interpret that as, they're asking me to do something wrong. The only way I can achieve this sales figure is to break the law or cut corners. So that doesn't mean that all of management is evil.

We asked them, "What were the causes of these pressures? Where is it coming from?" And as I think most of you in the compliance community are not surprised - neither was I - it comes from aggressive goals. This is where the pressure comes from. Meeting financial goals, and schedules are the two principal causes of the pressure. Helping the company survive was also a factor, as well as advancing the boss's career interests.

We asked how that pressure translates into misconduct. We asked, "In the last year, have you witnessed misconduct that either violated the law or company standards?" You can see that one in three employees surveyed said that they had witnessed this misconduct.

And lest you think this is smoking in the bathroom or bad manners; it's not. I would hardly call falsifying records and lying to supervisors minor infractions. Some companies would like to think they're just witnessing small breaches.

We asked them, "Did you report this misconduct? Did your company find out? Did you tell them?" We compared employees with comprehensive programs with those with no program, and no program is defined as not having a code of conduct, not having training, and not having an ethics office. And each group, comprehensive programs and no program, represented at least 20 percent of respondents, so it was a fairly large number that we were dealing with.

In terms of reporting, there is an eight percentage point difference between the two. People with comprehensive programs were eight percentage points more likely to report misconduct.

That may seem small, and I think some of us may be disappointed that the differences aren't bigger, but if you think about it, there is a societal bias that is very difficult to overcome to get people to blow the whistle. No one wants to blow the whistle. But I think eight percentage points is noteworthy and in some ways we should take heart from that. If you can detect misconduct earlier, the earlier the better, you are more able to protect your company.

We said, "Okay, so you reported your misconduct - what happened - what did your company do?" The variation in percentage points is between 13 and 18 percentage points. Now, these were just a variety of answers and these are three of the more positive ones, and you can see that employees in companies with comprehensive programs were much more likely to have had a positive experience.

Going from the specific to the general, we asked them, "How satisfied were you with your company's response?" The employees with comprehensive programs - no surprise - were more likely to be satisfied with their company's response to their report of misconduct, and hopefully that will translate into increased reporting, or at least that's what we all hope. In the "very satisfied category" there was an even greater difference in the numbers.

We went back and we asked those employees who hadn't reported, who had observed misconduct but hadn't reported the misconduct, why they didn't report their misconduct. And again, these are only a few of the responses. Those with ethics programs were less likely to say that they feared retribution from management and also that they didn't believe corrective action was taken.

One anomaly in this data which isn't on a slide is that those with comprehensive programs actually had greater concerns about confidentiality and also were more likely to cite as a reason for not reporting that they didn't want to be known as a whistleblower. If we had more data on the quality of the programs, I think this would be useful to see what were the factors that caused people to not want to be known as a whistleblower and to be concerned about confidentiality. But I think for all of you out there with ethics programs, those are good factors to know because those may be lurking in employees' minds.

Regarding some of the added and perhaps even unintended benefits of ethics programs - employees with ethics programs were much more likely to say that the ethical commitment of various groups, CEOs, senior management, direct supervisor, was about right. For anyone who's having trouble convincing senior management of the value of an ethics or compliance program, this may be one of the things you can do. It will make them look better. But it clearly does work.

Another benefit of an ethics program is how well your company fulfills its obligation to the following stakeholder groups, and one of the answers was "exceptionally." You can see the effect of an ethics program is noteworthy. There is a significant difference between those with a comprehensive ethics programs and those without ethics programs. And customers - that is a big difference. That's something, you want employees to think that they treat their customers right because they probably do.

In conclusion, having spent literally thousands of hours looking through thousands and thousands of pages of data on the effectiveness of ethics programs, trying to determine, do they work, do they not, I would say very cautiously that while there are several anomalies in the data which various theories can explain, I think the overall trend in the data does say that ethics programs in whatever form do have some positive effect on corporate conduct.


DR. COUNTERS: Our next presentation is by Dr. Mark Pastin, President of the Council of Ethical Organizations. Mark has a Ph.D. in philosophy from Harvard and a bachelor's degree from the University of Pittsburgh. Mark has been working in the area of business ethics since the early 1970s. As a faculty member, he has been instrumental in establishing academic programs on business ethics. He has also been an ethics adviser to corporations, federal, local, and foreign governments, and is an author of numerous articles and books.

The Council of Ethical Organizations has been collecting information on employee perceptions of company ethics policies and practices since the mid-1980s. Mark's presentation adds an interesting perspective to this panel and his analysis looks at how organizational factors affect employee perceptions of a company's commitment to ethical behavior, which he refers to as the ethics compliance environment.

DR. PASTIN: It's hard for me to believe that you are hungry for still more statistical data at this point, so I will take a somewhat different approach.

The purpose of the Council of Ethical Organization's study was simply to learn what works and what does not work in ethics-compliance programs. By now, you are familiar with the sorts of things people do in these programs - codes, hotlines, training programs, compliance officers and so on. The question is: Do these things work?

As we originally conceived the study, the question to which we sought an answer was: "why is it that there are companies, doing all the 'right things' according to the accepted compliance wisdom, who are still sitting in our lobby with a settlement agreement - or worse - in hand? What would keep them out of our lobby?" It is not that we do not welcome clients, but we prefer them without handcuffs.

Study issues included what are the factors that influence the corporate ethics compliance environment? What are the key factors? How effective or ineffective are such compliance tools, now much employed, as codes of conduct, hotlines, and training programs? What are the main compliance risk factors? What is likely to create an environment where violations of law or other standards will occur? And as the study proceeded - it started in 1988, we were urged by our constituents to look at the impact of the sentencing guidelines (for organizational crime).

Our premises included: 1) that there is very little empirical data on factors influencing the ethics compliance environment of companies, 2) that compliance programs had settled into a recipe form with little evidence as to the effectiveness of this form, and 3) that the study should be conducted according to sound research standards.

To be clear about the recipe issue, we do not mean the seven steps or building blocks associated with the sentencing guidelines. We do not see the guidelines as offering or intending to offer a recipe for how to build a compliance program. The guidelines are more like an order for a cake than a list of ingredients for the perfect cake.

Finally, we felt that the study should be conducted according to sound empirical research standards. We did a validation study preliminary to the full study to ensure that the items used in the study survey meant what we thought they meant when read by employees. The preliminary study encompassed 200,000 employees in 47 companies. Why bother with this preliminary step? Consider an example. If someone asked you, "Are you a truly great lover," would they be likely to get the truth? No, because that's a very personal subject and most of us would rather not bare our souls on a survey.

Ethics is much the same. We are not likely to assess our own ethics candidly on a survey. So items had to be carefully constructed and tested to ensure that they produced useful and reliable information. We did not conduct this study as an opinion poll.

Companies were resurveyed beginning in 1992 after enactment of the sentencing guidelines. Eventually, approximately 750,000 employees in 203 large companies, roughly Fortune 650 companies, responded to the survey over five years ending December of 1994. A lot of the surveys were rejected as unscorable - as usual in such a study. We ended up with about 660,000 scorable surveys, an average of about 3,500 employees per company.

What factors indicated a good compliance environment?

This is a very difficult question. You will see there's a list of items here. A positive response indicated a good compliance environment, by our standards agreed to for the purposes of the study, and a negative response indicated a poor environment:

Employees will/will not report apparent violations of law or ethics

Employees see ethical/lawful conduct as contributing to/diminishing employment success

Employees perceive that discipline is/is not fair and consistent across rank and position

Employees believe that their organization will/will not accept short-term losses to maintain standards

Employees believe that tolerated illegal/unethical conduct is unusual/common.

Our general results showed the following: common compliance practices may actually contribute to or at least fail to influence a poor ethics compliance environment, whereas variations on these practices improve the ethics compliance environment.

The two factors that most significantly correlated with a poor ethics compliance environment are, first, performance measures or reward systems that employees see attaching financial incentives to behavior inconsistent with ethical conduct. In other words, the company is paying for something that isn't consistent with ethical conduct. The second factor significantly correlated with a poor ethics compliance environment is employee indicated fear of retribution and reprisal by supervisors or managers for reporting apparently unethical or illegal conduct.

Fewer than ten percent of the surveyed companies reported addressing reward and management systems as part of their ethics compliance efforts. Just a comment on that. We asked companies a question: Has there been at least one supervisor or manager denied a raise or promotion for an internally-detected compliance problem? That was one of the criteria we applied in determining whether a company's reward system was sensitive to compliance issues.

A major goal of the study was assessing the effectiveness of different compliance tools. The companies participating in our study were a representative sample. They were not "compliance aware" or "compliance unaware." They were companies. We did divide companies in the sample by industry type, size, and other factors. (Differences by industry, company-size, form of organization and other factors are not reported in this presentation.) We found that 88 percent of the companies had codes of conduct; 67 percent had ethics or compliance hotlines; and 58 percent had ethics compliance training programs.

By the way, some of the companies reported that they had certain elements of a compliance program, but we were unable to verify that they did. For example, some companies reported that they had a code of conduct, but we were unable to find any employees or managers who were aware of it. So we did verify each factor before reporting it.

Codes of conduct were generally ineffective as compliance tools. They had a negative correlation of 0.55 out of 1.0 with a good compliance environment, but they were somewhat effective under certain conditions. Codes of conduct viewed by employees as legalistic and one-sided, i.e., in favor of the company, increased the likelihood that employees would exhibit behavior that they identified as unethical or illegal. Codes of conduct viewed by employees as straightforward, informative, and even-handed decreased the likelihood that employees would exhibit behavior they viewed as unethical or illegal.

When you look at the numbers, 86 percent of the codes in effect in those companies were viewed as not effective; eight percent as effective and six percent were in the category of "effectiveness not determined."

Hotlines were more effective in improving the ethics compliance environment. Employees observing infractions had little confidence in hotlines that they identified as answered by the legal department, outside lawyers, or by an outside answering service. However, employees had confidence in hotlines that were answered in-house by a named representative, that were backed by a non-retaliation policy, and that had more than two years of continuous operation. Employees had the least confidence in other reporting mechanisms, such as write-in reports and use of an off-site ombudsperson, that is, a rental ombudsperson.

If you look at the pie chart, you see that 69 percent of the hotlines were in the category "defensive or not effective." Eleven percent were effective; 20 percent had a non-hotline reporting mechanism - the least effective option.

These findings indicate that employees will use hotlines to report compliance problems provided they feel the hotline representative will give them a fair hearing, they feel protected against retaliation and perceive the hotline as an established mechanism.

Training programs of certain types proved effective while other types of training programs proved ineffective or harmful to the ethics compliance environment. This following result brought the wrath of the compliance gods down on us, so I offer it with a caveat:

Training programs delivered - and here's the caveat - primarily by means of video, interactive technology, or in game format were ineffective or harmful to a company's compliance environment. Training programs that were interactive, over one contact hour in length, delivered in person and periodically repeated were effective.

Our interpretation is that employees are skeptical of training programs in general. They all agree to the statement, "Please, God, don't let the boss read another management book." And they are especially skeptical of ethics compliance training programs, assuming the programs are not in their best interest. This assumption can be overcome when the manner in which the program is delivered evidences genuine commitment to the program.

On this chart, 22 percent of the training programs were effective; 51 percent were ineffective; and 27 percent were indeterminate as to effectiveness.

The compliance risk factors that stood out quite significantly are:

Employees who felt that they had been punished for reporting a concern (a fairly large population in many companies) indicated that they were likely to notify outside authorities.

Employees who reported awareness of observed unpunished violations of ethics or compliance policies by a supervisor or manager indicated they were more likely to have violated policies or laws themselves.

Employees in many companies participating in the survey were surveyed again 12 or more months after enactment of the sentencing guidelines. Employees of companies that had implemented or fortified comprehensive ethics compliance programs in response to the guidelines, as per verified company self-characterization, reported that they were less likely to violate laws and policies. Employees of companies reporting that no changes or only minor changes were needed in response to the guidelines reported that they were more likely to violate laws or policies.

Our summary reading of the results of this study is that many compliance measures being taken by companies have no effect of a negative effect on the compliance environment of the company. Secondly, companies that enact these same measures as part of a comprehensive program significantly improve their ethics compliance environments.

The impact of the guidelines on a company's ethics compliance environment depends on the thoroughness and employee-perceived sincerity of a company's response to the guidelines. In other words, they're watching closely and they're going to look for more than a pro forma effort on the part of the company. Our results indicated that 38 percent of the companies significantly improved their ethics compliance environments post-guidelines. It's not just what you do, but how you do it.

I guess what we learned about this, and we are continuing research, currently focusing on the health care industry, is that sometimes copying or sharing what other people do is not a good idea if you don't have an independent reason to think that what they're doing actually works. By "actually works," we mean keeping the company out of trouble and convincing employees to help a company keep its compliance environment clean.

DR. COUNTERS: Due to the time constraints, the panel members were limited in the information they could present today. The information presented by the panel members was only the tip of the data iceberg and probably generated as many questions as it does answers. With this in mind, the Commission encourages others to utilize the information collected by the three Commission-sponsored projects. It will make that data available to the public.


DR. COUNTERS: Let me move on to some of the questions that we have received. This question is directed to Dr. Laufer but I think it also applies to Andy and Ed. Bill might want to take the first shot at it. Did you find that companies were training in the area of corporate ethics and ethical decision making?

DR. LAUFER: We found a conspicuous absence of active training taking place.

MR. APEL: Yes. In our sample, we didn't ask that question specifically on point, or at least sufficiently pointedly to generate a quantifiable response.

DR. PETRY: Same here. That wasn't one of the questions we asked. However, there are other indications that that is becoming increasingly common in training programs, but it wasn't on the survey.

DR. COUNTERS: Here is another question directed to Bill. What objective measure of effectiveness of compliance programs do you propose?

DR. LAUFER: This one, I would be delighted to take. Even though I think it's a very difficult question, it's a great question.

We'd use a scale of subjective self-perceptions. At the very least, we would like a study of the aggregate subjective perceptions of employees and would much prefer to try to do something culture-based.

We would also like to examine more than just self-reports of violations. We relied exclusively on the companies' reports of either criminal law violations or civil violations. It would be nice to have some independent external evidence of law violations. Of course, that is a tricky issue because you can have a company that has a very effective program with many law violations and you can have a company that has a very effective program and has very few, so it's difficult. The bottom line is we would like to see more culture-based questions given to a larger number of employees.

DR. COUNTERS: Does anybody else want to step in on this question?

DR. PASTIN: That is what we tried to do. We tried to define effectiveness in terms that were real, and we did do a lot of things to establish the validity of the items, such as measuring them against items otherwise independently tested and validated, some of them for a very long period of time in studies of organizational culture and otherwise.

And the conclusion we came to is really that people are liars when it comes to ethics and compliance unless you do darn good research in writing to find out what they are going to be saying. I think any of you who have ever conducted an investigation, for example, are not going to be surprised that people do not, at first blush, tell you their worst sins or their worst imagined sin, although they may be extremely aggressive in reporting those of their brothers and sisters at the next work station.

DR. COUNTERS: This question is directed to Rebecca. How did the study determine whether a company has a comprehensive ethics program and - the second part - what percentage of the employers fell into this definition?

MS. GOODELL: That's a very simple question. We determined whether someone had a comprehensive ethics program simply by three questions. Does your company have a code of conduct, yes or no? Does your company have training on its standards of conduct, yes or no, and do you have an ethics office, yes or no. And then in terms of the exact percentages, I know that it's over 20 and whoever that person is, I have it in this booklet, the exact number, and if they want to see me afterwards, I'll be happy to look it up for them.

DR. COUNTERS: Mark, on what basis did your survey determine that certain types of training were ineffective or harmful, in other words, personal opinion or active behavior?

DR. PASTIN: Active behavior is an interesting thing. If you look at the criteria we used, did employees participating in it say that they were more or less likely on a valid item to report an infraction of law or ethics, and in many cases, they reported that they were less likely to report. Did they feel that acting ethically would improve their chances of employment success, and so on?

This is the only way you can do it. You try to validate the items so that you know that these employees are responding in a truthful manner, not in a manner that enables them to position or negotiate with you.

I would add that we believe, but this is not an empirically-supportable belief, we believe these indicators have been very predictive of companies that have had significant compliance problems over the past two or three years at a time in which poor compliance environment could evidence that, but that still must be viewed as episodic and it will not be corrected from a research viewpoint since large companies settle, and they may settle because they're guilty or they may settle because it's cost effective to settle rather than to fight, so it's very hard to get a clear external validator for that kind of information.

DR. COUNTERS: This next question is actually a combination for Ed and Mark. In light of Ed Petry's concerns about the effectiveness of a legalistic approach and Mark Pastin's findings regarding legalistic codes of conduct, are lawyers best placed to develop compliance programs?

DR. PASTIN: I have a little different view in this, in that I don't think employees really want to hear a lot of baloney. They don't want to be sold truth, justice, and the American way, and they don't want you playing with their soul.

They want you tell them what's important and why and what the rules are for doing it and how they will be treated when it happens. When I say plain language, I don't mean soft-side puffery. It may be the general counsel is the best person to lead that effort, but the actual task of writing and doing part of it must be a team effort. I think it depends very, very much upon the inclinations and particularly the common sense and influence of corporate general counsel in being the person to take on that task.

DR. PETRY: Certainly someone from the law department or the general counsel needs to be involved in the process, but I think the most important things in developing a code is to have, first of all, candor, why it's being done, why it needs to be done, and second, cooperation at all levels throughout the organization.

Rarely do you see this. Too often, the codes or the revisions of the codes are handed down from on high, and this is a missed opportunity. In, I think, the best situations, the code revisions or the original code is done as a cooperative effort involving focus groups and other task forces throughout the organization. It takes longer but the end result is much more effective.

DR. COUNTERS: This question is directed to Bill but I think Andy might be able to contribute something. The Wall Street Journal reported last week that last year, most of the companies sentenced under the guidelines were less than ten years old, had fewer than 50 workers, or a pre-tax profit of less than $1 million annually. Senator Kennedy said today that we must make sure that mom and pop businesses have opportunities to develop effective compliance programs. In view of your findings, what do you recommend?

DR. LAUFER: Courts and prosecutors are often hesitant to proceed with a criminal indictment against a large decentralized entity under a standard of vicarious liability. I think because of that, we should just focus our attention on those companies that end up as defendants in federal court - small businesses. And we certainly need additional resources to develop compliance programs for small businesses. A few suggestions. It is important to seriously consider the role of leadership - especially in small firms. Compliance programs must be developed to match corporate culture. And, perhaps most importantly, all compliance efforts must never lose sight of the informality of structure and communication in small businesses.

MR. APEL: One luxury that we have when we are dealing amongst ourselves as larger organizations at this particular level is that we share fundamentally the same model of business and the same model of management and compliance. We tend to be very familiar with the seven steps, many of which would be difficult to adapt to a small business environment.

If a model for small business compliance were developed and readily available, I think it would be very easy to roll this out to the small business community and actually have some rather substantive results emerge.


Rebecca Gooddell

Q. The Ethics Resource Center's study appears to show that a comprehensive ethics program makes only a minor difference in whether or not an employee reports misconduct but makes a big difference in how the company responds to a report of misconduct. Therefore, shouldn't one place a higher priority on response mechanisms rather than line employee ethics education and reporting?

A. Unfortunately the ERC study does not analyze the quality of the comprehensive programs included in the survey. There is an eight percentage point difference in reporting of observed misconduct in companies with comprehensive ethics programs compared to companies with no program elements. While this difference is small, it is not insignificant. I believe that companies need to do more to improve the likelihood that employees report misconduct through training, discipline and by trying to create a culture where reporting misconduct is expected and accepted.

Clearly, employees in companies with comprehensive programs do have better experiences when they report misconduct. Companies should keep up the good work in this area. The more important thing is finding ways to increase employee willingness to report misconduct which should include satisfying employees who have gone out on a limb and reported misconduct in the first place. If employees do not report misconduct, companies are exposed.

Q. Does your study involve private law firms? The legal community is often criticized for recommending to clients ethics or non-discrimination requirements that are stricter than the law firms themselves follow.

A. The study does include private law firms but the numbers are too small to have broken the data down into this sub-category. There is a certain irony that many law firms do not have policies and internal reporting mechanisms that are as rigorous as they recommend to their clients. Law firms may believe that trained lawyers know and understand the law and therefore that firms do not need to provide training, policies, and reporting mechanisms. However, the track record of law firms indicates that they are not immune from legal problems and would do well to take the advice they give to their clients.

Mark Pastin

Q. Your studies correlated compliance techniques with "ethical behavior." Can you say anything about correlations with criminal behavior?

A. Actually, the Council of Ethical Organization's study did not focus on "ethical behavior" per se, but on a set of behaviors widely viewed as correlated with both unethical and criminal organizational conduct. In fact, we focused on many of the same factors addressed in the sentencing guidelines for organizational crime. For example, we focused on the likelihood that perceived acts of misconduct would be reported internally, whether employees perceived that unethical and illegal conduct were rewarded by the organization, and the perception that wrongful conduct is or is not routinely tolerated. So, the results of our study should relate to criminal conduct in rough proportion the extent that the guidelines themselves relate to criminal conduct.

At the level of empirically indicated but not empirically proven results, we see a clear correlation between our results and criminal corporate conduct. None of the companies in the top quartile of our study in terms of overall ethics-compliance climate has been convicted of or entered into a settlement concerning a significant corporate crime subsequent to participation in the study (1988-1994) - at least in so far as we can determine from public records. Several of the companies in the bottom quartile have been charged with serious organizational crimes and rough calculations show that they have collectively paid well over half a billion dollars in fines since participating in the study. It was a condition of participation in our study that we not name individual companies, so that is the best we can do to substantiate this point.

At another level, we doubt that it is possible to achieve the level of empirical significance needed for a study of this kind if criminal behavior is defined in terms of charges brought or convictions won against individuals or organizations. Large companies may commit great resources to forestall the bringing of charges against or conviction of key employees and the company itself. The justice system must often choose between inflicting great harm on innocent employees, communities or, in some cases, the country itself, and the abstract interests of justice. This is not a criticism of the justice system, but a simple fact of prudence. Thus, any correlations obtained tend to be based on records of petty infractions committed by large companies or a combination of serious and petty infractions by smaller companies. We would like to see more empirical study of organizational factors and actual crime, but the inherent limits must be recognized as well.

All Panel Members

Q. Wouldn't it be useful to ask exactly the same questions in the two kinds of surveys presented here to find out if employees are aware of the programs that management thinks are in place? For example, Mr. Petry's study found that about 85 percent of the companies say they have assigned someone oversight responsibility, but employees said that only 33 percent of their companies have an ethics office or ombudsman.

A. (Andrew Apel) Yes, it would be useful, but I think we can guess the outcome in advance. Consistently, the most difficult part of doing our survey was finding out who to talk to. Even within organizations with mature, well-developed compliance programs with aggressive training and communication, most employees did not know if there was an ethics or compliance program, or a code of conduct, or someone assigned to talk to or take calls about ethical and legal problems at work. This same sort of difficulty was sometimes encountered within corporate legal departments.

The difference in the numbers does not mean that there are fewer compliance programs out there than were reported to us. Rather, it is simply that the methods many organizations use to communicate their compliance standards do not make their compliance programs very visible. Whether the visibility of a compliance program has anything to do with the "effectiveness" of its communication component is best left for others to decide. However, I would recommend that those involved in compliance efforts call their own switchboards and try to discover who's in charge of compliance. The experience would be enlightening, and in most cases, will suggest a need for bolstering communication efforts with the use of more memorable media and messages.

A. (Mark Pastin) In the Council's study, we had to compare what companies said they were doing with what employees were aware of in order to obtain results. In other words, to determine if the measures a company was taking were achieving the intended results, we had to know both what measures the company was taking and whether or not employees had any awareness of the measures. For example, we had to verify the company's representation that it did promulgate a code of conduct, training program, or reporting program.

Our data did show that in some cases companies represented that they had implemented some aspect of a compliance program while employees had little or no awareness thereof. Indeed, a program element could be effective in the sense we defined only if employees were aware of it. However, the data show that it is quite easy to broaden awareness of compliance measures, but not at all easy to convince employees that the measures were seriously intended.

In summary, our response to this question is, "Asked and answered." The problem is not whether employees have awareness, but why that awareness is accompanied oftenby so much employee skepticism.

Evolving Compliance Standards: New Models and Proposals

Edward A. Dauer, President, National Center for Preventive Law

James T. Banks, Director of Government and Environmental Affairs, WMX Technologies

Christopher L. Bell, Sidley & Austin

Moderator: Marguerite A. Driessen, Senior Staff Attorney, U.S. Sentencing Commission


MS. DRIESSEN: Good afternoon, ladies and gentlemen. In this session we are going to be discussing "Evolving Compliance Standards" and some new models and proposals.

All day today, you have heard about the sentencing guidelines. You have heard about compliance efforts. You have heard what people have been doing, and we just heard a panel that discussed some empirical information on how well the existing practices are working. In this panel, we are going to talk a little bit about where we're going in the future. What are some ideas people are trying? Where are they aiming? What are their goals?

I want to introduce our speakers. First up, we have Edward Dauer. He is President of the National Center for Preventive Law. He authored the first law school textbook on preventive law. I think that makes him the foremost expert in these matters. That's what we're talking about today, developing compliance plans for preventive law. Without further adieu, I will turn the mike over to Ed.

MR. DAUER: I want to cover very quickly four points this afternoon and to go through the first couple of them very rapidly. One of them is to tell you who we are, because the National Center for Preventive Law may deserve to be a household name, but it isn't one yet. The second point is what it is we're doing that is connected to the topic of this particular conference.

Third, and most important is the question of why we are doing it. In fact, that may be the only point of any real significance. And then, if we have some time at the end of this, I'll try to come back and see if we can tease out some implications from what we are doing for the larger question of the corporate compliance enterprise in general.

The word "we" in each of those sentences, again, is the National Center for Preventive Law, which is a loose confederation of a large number of private lawyers, general counsel of corporations, some legal educators, public interest organizations, and a variety of other people, including some non-lawyers, brought together only by a common interest in developing ways of reducing the dis-economies and adverse effects of avoidable legal risk in both the public and the private domains.

We operate at the present time on the basis of gifts and grants and an occasional seminar and some contracts here and there, but essentially we are completely independent of any industry or group.

We have been offering seminars in corporate compliance systems since 1985, maybe even earlier. But it was in 1991 that, if we had had listed stock, they probably would have halted trading, because when the U.S. Sentencing Commission had its guidelines authorized in the fall of 1991, suddenly, people who were just casually acquainted with what we were doing became very interested in knowing what we knew about how to build compliance systems within corporations.

Since that time, we have emphasized in our own work, developing skill and knowledge about how to build compliance systems. It is not the only area of our activity, but it is a central one. We offer seminars and publications and act as a switchboard for information and resource sharing for corporations and other organizations in the area of the development of these systems.

We have, in the course of that work, met literally hundreds and probably thousands of lawyers and compliance officers, who call us from time to time or come to our programs, and we have some sense, though it is anecdotal to be sure, of the needs and interests that the constituency out there has.

Two years ago it occurred to us to start a project to respond to those needs, which is the one that I want to talk to you about today. It is a project to develop guidelines for building compliance systems within organizations; it includes guidelines, suggestions, and examples illustrating how these systems are assembled and designed and implemented and how they are operated. It is of greater specificity than the seven or ten admonitions that are in the official sentencing guidelines themselves.

We assembled for this venture a group of about 30 people, mostly, but again not entirely, lawyers who are divided into four working groups and who are now producing, in effect, a private restatement. I'm not going to walk you through it; I don't have nearly enough time. But this product, when it's done within the year - my target, at least, is within the year, probably early 1996 - will be a book of compliance guidelines and recommendations and suggestions that will operate in three layers.

What we tried to do was to take the federal sentencing guidelines and the whole world of ideas about compliance systems and boil it down into 20 principles. We start off with a layer of black-letter text, called "principles." Two layers are completed so far. One is these 20 black-letter principles. Underneath them is a series of what we call considerations, or factors to consider in putting these principles into place.

Very much like the restatements, it starts with a black-letter text that says something rather general. The theme is some commentary, which in our case is the "factors to consider." That's a little more precise. The theme is something under that called "examples." One third layer is also concrete examples.

The black-letter text, again, is pretty general. To take an example, the first one says that "an effective compliance program is designed to prevent, detect, and respond to legal risks and to promote compliance with the law." That's a fairly high level of abstraction.

A typical "factor to consider" under that is "Identifying liability-causing conduct, such as questionable acts and behaviors, as well as the occasions for such risks." That is a factor to think about when putting this principle into effect. And then we offer some examples.

Here, we start getting fairly concrete. One of them, for example, says, here is how you identify the areas of greatest risk. "To conduct a comprehensive review of existing files for documents that demonstrate the risk of violations, companies can review litigation records, civil complaints, SEC disclosure documents, board of directors minutes, prior investigative records, insurance policies, risk management documents, accountants' and auditors' work papers, employee questionnaires, and so on. The inventory should be documented so that a company can establish how it achieved compliance but should never be fully completed because compliance itself is dynamic."

We are now collecting these models and examples, to try to build concrete ideas about how each of these more general principles is put into place when designing a compliance system.

The question of why we are doing this is, I think, the more important. We have heard today from a number of large corporations, probably many of them in the Fortune 500, who have described the federal sentencing guidelines as road maps for the construction of compliance efforts by corporations.

But to steal a phrase used by some of my law students, there is also the bottom 90 percent of the class. The Fortune 500 represents one category of companies, but there is a whole world of others who are experiencing far more difficulty in the implementation of the Commission's recommendations because they lack the resources, skill, or whatever it may be, to deal with something that's as broad and flexible as those official recommendations are.

We're responding to a disquiet we found among our seminar participants, particularly in that second level of company - not the very small company, since they don't come to our seminars, but among the level below the very top. That disquiet, I think, has a cause about which I'd like to speculate.

The existing guidelines as issued by the Commission, regarding compliance systems, mix together two very strong themes in our legal tradition. The tension between those two themes, I think, may be causing a problem, or at least a problem with expectations. You who are lawyers will remember that our Constitution requires due process and equal protection with respect to criminal matters. That is, government in its behavior is restrained by, among other things, the requisites of giving prior notice.

A government is permitted to have only limited discretion. It is supposed to hold people liable for acts only when it warns them, with specificity, in advance. You may remember the phrase, a statute can be "void for vagueness." That is, it doesn't pass constitutional muster if it's not quite specific enough to tell you what it is you're supposed to do or refrain from doing.

On the other hand, we have in the civil liability side a more passive role for government. Civil liability rules, and the common law, cover an infinity of possible behaviors and so they grow out of broad principles, like "negligence," like "due care," and phrases of that kind. Here, the tradition is the very absence of specificity rather than its presence. It is tolerated because it is not punitive.

I think that what's happened. The U.S. Sentencing Commission's guidelines have taken the style of the common law of negligence and engrafted it on top of the liability of the criminal process. In fact, it's the misfit. The tension between those two may be what is creating the difficulty.

In effect, what they have said is that this organization has a duty to exercise reasonable care to avoid committing a crime. It's a negligence standard for criminal liability. I think that the problem may arise right there.

It may be that the Commission was trying to be that broad and open textured to effect a culture shift, rather than to create pat kinds of programs, and so that's the way they did it. But the bottom 90 percent of the class doesn't see it quite that way. I think that a substantial number of the bottom 90 percent of the class see this as a regulatory effort issued without the customary regulation, and so feel themselves somewhat in jeopardy.

There are three problems. First, what's flexible is of necessity vague and non-directive. Second, we have very little real data, about what works and what doesn't work. Third, unlike the common law of negligence, there aren't ever going to be enough cases from which an organization can derive predictable principles about when something is going to pass muster and when it isn't. There simply won't be enough reported appellate convictions in which there are discussions of the meaning of compliance programs to be able to provide sufficient guidance.

And so the Commission has created both the incentives and the jeopardy of a common law system without providing the common law body of case law from which people can derive what it is that really matters and what's going to count. They find out only retrospectively whether something passes muster or not.

And that, I think, is the reason for the disquiet that we are beginning to see. It was the reason for our trying to step in and provide some additional specificity, some assistance to the bottom 90 percent of the class.

If I can take just a minute and speculate a bit about what it may mean in terms of where we might go with this, I think it's fair to say that what the Preventive Law Center is doing really isn't important, at least not in the grand scheme of things. But the appetite to which we are responding may be.

I remember a physics professor once saying to me that "systems always equilibrate." Ultimately, any unstable situation reaches equilibrium, even if you don't like the equilibrium that gets reached. Somehow, somewhere, even in the absence of very good data about what works and what doesn't work, standards will emerge.

The situation with the vagueness, or the flexibility, of the existing guidelines is, from the point of view of a part of the world that we think we know something about, an unstable circumstance. Standards are going to emerge whether we like it or not.

They might emerge from the few judicial opinions that we can read every year. They will emerge from some consent decrees that we can read about. They will emerge from stories, apocryphal or not, about the enforcement behavior of particular agencies or even about particular prosecutors and what those people want. They may even begin to emerge from the activities of industry groups, such as those we heard about today, or maybe even from private groups such as ours.

I think the question is, should we allow them to emerge willy-nilly, or should they be guided with some kind of a plan in mind. Or to go back in recalling negligence, which is both accurate, I think, and a metaphor, I would ask whether we should let the reasonable man evolve naturally or whether we ought to engineer him. That, I think, is one of the more significant questions facing the house and all of those who are interested in this area.

We hope that the product we are generating will never be taken as a standard. We don't mean it to be a standard. We mean it to be guidelines and suggestions. But as we are doing it, we are mindful of the fact that it inevitably will be a standard in some more or less limited way. It won't be taken as a standard by prosecutors and it won't be taken as a standard by courts, but it probably will be taken as a standard, whether we like it or not, by companies, probably smaller rather than larger, whose hunger has no other place from which to be satisfied.

I would suggest that this is too much responsibility for an organization like NDCPL to bear, but I would also suggest that to provide common law liability without a common law body of data to support it is too much responsibility for individual small businesses to bear. Thanks very much for your attention.


MS. DRIESSEN: Our next panelist is Jim Banks, seated here to my left. He is Director of Governmental and Environmental Affairs for WMX Technologies. I have been acquainted with Jim for a number of years because he, quite cordially and perhaps unknowingly, agreed to participate in a U.S. Sentencing Commission advisory group on environmental sanctions that you all may have heard about. The group started work in May of 1992, I believe, and they worked for nearly two solid years to come up with a proposal to the Commission where they focused exclusively on organizations and environmental offenses and how to develop appropriate sanctions for organizations that are convicted of environmental crime. I believe that's going to be the substance of his remarks today, and without wasting any more of your time, I'll turn the time over to Jim.

I was fortunate, also, to be a part of the advisory group that developed proposed sentencing guidelines for environmental crimes. I must say, when the group released its proposal about two years ago, the standing ovation we received from our colleagues in industry was a little shorter than what Cal Ripken got last night. The work was controversial, to say the least, but I think it was important work. I think it moved the discussion along, certainly heightened the debate, and created some controversy. And I think that's good.

There were 16 members of the committee, which, as Marguerite said, worked for nearly two years on that product. There were representatives of environmental groups, government, academia, the private bar, and business, including the general counsels of three major corporations. The proposal was issued in November of 1993, styled as a new proposed Chapter Nine to the sentencing guidelines.

I think the reason that the Commission decided to convene such an advisory group was to explore whether Chapter Eight, Chapter Two, or some combination of them would be suitable for environmental crimes. When Chapter Eight was issued, the Commission omitted coverage of environmental crimes. This was an exercise in trying to figure out whether environmental crimes are sufficiently different to justify a different approach.

The perceptions at that time, I think, were that environmental regulation and control is far more complex in many ways than other fields, and that compliance with environmental requirements is unusually difficult. In addition, that the mens rea provisions of federal environmental statutes are such that convictions of environmental crime are a good deal easier to obtain than many other types. With that background, the group decided to explore whether existing provisions of the guidelines fit or did not.

It is not my purpose to review the entire proposed guideline, nor, more importantly, to defend it. As I mentioned, it was criticized widely. It has many defects. But nonetheless, it has some important innovations, and my focus here today is on that portion of the proposed Chapter Nine that spelled out the elements of a compliance program. I think it is worth examining, and I mean to be provocative, which should not be difficult. I know a number of my colleagues found it overly prescriptive and detailed, and indeed, in many ways, it was. But it includes some important new directions worth laying out here.

In order to understand the result of that effort, I think you need to begin by appreciating the starting point that the advisory group adopted, and I think it's fair to say that there was consensus among the group on three essential things.

The first is that the goal of the effort should be to use sentencing policy to increase compliance with environmental law, and therefore to facilitate an increase in environmental protection. It was not an exercise just in crafting something that would deter or punish environmental crime. It was not even just an exercise in creating equitable sentencing guidelines for environmental crime. I think the objective was much broader, as I have said. And as a result of that, I think the agenda was much more activist than perhaps many of us thought it would be going in.

Secondly, I think there was consensus that a high rate of environmental compliance is achievable only if the organizations, the corporations and other entities, take on that responsibility for themselves. Government inspection, investigation, and enforcement catches only a very small tip of the iceberg in environmental violations, and changing corporate behavior toward compliance was, therefore, considered to be a central key to success.

Third and finally, there was consensus that a very substantial incentive is needed to bring about that result. There are many incentives at play. You will hear Chris, for example, describe business relationships as an incentive toward managing environmental liabilities, and there are certainly sanctions on the civil side that can be mitigated in order to provide incentives.

But the advisory group had only one, and that was the opportunity to mitigate criminal penalties. The group believed that a very substantial offer of penalty mitigation in the criminal arena could be effective in changing corporate behavior.

With these basic agreements in mind, I think we led ourselves then to the central question. If substantial criminal penalty mitigation is to be offered, what kind of corporate behavior is expected? What would merit that kind of favorable treatment? In other words, is the Chapter Eight compliance program description, the so-called seven steps, good enough?

I think the answer of the group was two-fold. First, there should be some kind of expectation of compliance management efforts as the norm in corporate America, and that led to a feature of the proposed guideline which would aggravate criminal penalties in the absence of some sort of organized effort at managing compliance.

And the second part of the answer was, no, Chapter Eight is not good enough to merit substantial criminal penalty mitigation. So the group set about defining what is good enough, and when they were finished they proposed that criminal penalties could be mitigated up to a maximum of 45 percent for companies that had made a substantial commitment to environmental compliance. That's not counting the so-called "collar provision," which would put a limit on overall penalty mitigation. The compliance program element itself could merit up to a 45-percent reduction in criminal penalties.

My purpose, then, is to outline how and why the proposed Chapter Nine compliance program differs from Chapter Eight, the so-called seven steps, and from other federal government policies that were built around it. It's not completely different, of course, but it does go beyond Chapter Eight, I think, in three important ways.

The first is that its orientation is not just toward criminal violations. It is not just a program to detect and prevent crimes, unlike Chapter Eight. The second is that it calls for the integration of compliance efforts into the management of operations in the entity. Unlike Chapter Eight and many existing corporate compliance programs, it does not envision a separate compliance department or effort within the entity.

And finally, it is very deliberately preventive in nature. It is not reactive. Unlike EPA's policy, the Department of Justice's policy, Chapter Eight, and all 14 of the state audit privilege laws that have been passed so far, it is not built around the notion of auditing, correcting, reporting, and learning from those lessons to improve compliance in the future.

So let me walk you very briefly through each of these. I will try to keep it short so that we have plenty of time for discussion. The first is that the Chapter Nine proposed program is comprehensive. It is not aimed at preventing crimes. As I mentioned, the objective of the group was to try to do something that would make a real difference in compliance across the board.

A very large percentage of environmental violations never involve criminal conduct. Therefore, the Chapter Eight program was considered at the outset too narrow because of its exclusive focus on preventing criminal conduct. It starts, for example, with prescribing that there be standards and procedures capable of reducing the prospect of criminal conduct. Everything else in the seven steps, then, is designed to ensure implementation of those standards.

In contrast, the proposed Chapter Nine starts by requiring policies, standards, and procedures necessary to achieve environmental compliance, a very different approach, very, very different kinds of standards, and a much more comprehensive look at compliance. Proposed Chapter Nine then goes on to say how these standards should be implemented. It does that by aiming at the principal causes of violations today: management inattention, sloppy production practices, an ignorant workforce, and lack of motivation. So it makes great demands on organizations that want to truly exhibit a commitment to environmental compliance. This is no easy thing to do. But the judgment of the advisory group was that if a very large break on criminal penalties was sought, then a very large effort by the corporation was what was needed.

The second main distinction between this proposal and Chapter Eight is that it calls for the integration of compliance management within the management of the operations of the organization, not for a separate program. Chapter Eight, in my view, encourages programs like those that were prevalent in corporate America in the 1970s and the 1980s. Typically, they involved separate departments. You had an environmental vice president in a corner office. He or she had a cadre of environmental experts, and their job was to set standards for compliance, to audit against those standards, and then, one way or another, to try to enforce those standards and those audit findings on the operating functions of the entity. It became an internal game of cops and robbers, an internal police force, if you will.

What that led to in many companies, mine especially, was that the operating entities tried to hide the ball from the auditors. You had operations folks with the authority and the resources to do something about compliance but without the ownership or the understanding of what was needed.

The proposed Chapter Nine turns that completely on its head. It starts with the judgment that the responsibility for environmental compliance belongs in the hands of those who control the functions that can lead to violations. So it begins by assigning compliance responsibility to line management of the entity, not the usual "high-level personnel" that are mentioned in Chapter Eight and in other policies.

Then it requires, or at least suggests, that those managers use the same management systems and techniques to manage compliance that they use in running the other facets of their business. The theory is: these are good businessmen who know how to achieve results; let them apply those same techniques and tools for achieving compliance.

And finally, it calls for incentives for compliance to balance other existing incentives in the corporate setting, and for accountability to achieve it. These are all the points that I think integrate compliance with operations, and that motivate operations managers to achieve it.

Finally, the proposed Chapter Nine focuses on prevention of violations rather than simply detecting existing ones and overcoming them. Chapter Nine stresses those measures that are, I think, most effective in preventing violations in the first instance. Chapter Eight's emphasis, as I mentioned, is on auditing, correcting problems that are detected, and then applying those lessons learned to prevent future violations.

Chapter Nine is very much like total quality management. It resembles the functions that Chris is going to describe in a moment in connection with ISO 14000. It is designed to systematically prevent defects, just the way manufacturing operations work to prevent defects in products. The most important aspect of that is to integrate the standards into the operating function to get the work done properly because it is designed properly. There are many other management techniques mentioned in Chapter Nine to do that as well. These all go well beyond Chapter Eight and, I think, give line managers the tools to achieve compliance in the environmental arena.

So these are pretty important distinctions. Some are fairly subtle; some are not. They opened up a new line of discussion in this arena. I think they make the difference in achieving a high rate of compliance. And the bottom line for the advisory group was that if substantial penalty mitigation is to be warranted in the criminal arena, then this program goes far enough to justify it. Thank you.

ISO 14000

MS. DRIESSEN: Chris Bell is a partner at Sidley & Austin, and he has an extensive environmental background, which I imagine is why he is now one of the lead players in the U.S. delegation to what you heard alluded to as ISO 14000. That acronym stands for the Organization for International Standardization, International Environmental Standards Initiative. Did you get that?

ISO 14000 is obviously beyond just the United States. It is beyond just Chapter Eight and the corporate guidelines, and Chris is going to take some time now to bring you up to speed on what that effort is about and what we can learn to go forward from here. Chris?

MR. BELL: Good afternoon. What I'm going to be talking about today I think meshes well with what both Ed and Jim were talking about, because what I have been involved in for the last three years is this international effort to develop a consensus standard on good management practices in the environmental area.

One way that I usually like to start thinking about this, and this is getting back to a point that Ed was talking about, is to ask where do you go for information on this issue? Some companies, big companies, might have large programs and they've got it all figured out and they've got a lot of internal head counts to figure all this out, but for the most part, if somebody walks into your office and says, "Okay, how do we do an environmental management program and I want one on-line in the next six weeks," or something like that, to whom do you turn, where do you turn, and so on and so forth.

What you've been hearing about today is a lot of guidance from the United States government, particularly on what I would call the end-of-pipe section of the United States government, i.e., the enforcement side, on what a good management program is. Sentencing guidelines, I'm sure you've heard some discussion of and you will hear some more tomorrow about the U.S. Department of Justice prosecutorial guidelines, the EPA audit policy, and the revisions to the U.S. EPA auditing policy.

These are all programs which are grounded in the classic American command and control approach. Which, by the way, when I went out internationally, people found sort of interesting. The most formal U.S. government statements on what preventative programs should look like have come from the people who deal with people who go to jail. They found that rather ironic, that some of the most creative thinking in the U.S. government on compliance programs was coming from the rear end of the program, not the front end of the program.

Now, of course, that's been changing through EPA's Common Sense Initiative, the Environmental Leadership Program, and other initiatives. In fact, in ELP and CSI, you've seen a variety of environmental management systems, initiatives, and pilots being suggested. EPA's Project XL is another piece out there.

There are also state initiatives. For those of you who are familiar with the U.S. Department of Justice prosecutorial guidelines, the New Jersey prosecutors have their own guidelines which actually are far more detailed than the U.S. DOJ's.

Then there are a variety of voluntary initiatives at the industry level. The International Chamber of Commerce has its principles for sustainable development, there is the Global Environmental Management Initiative, and you've got the Chemical Manufacturers Association's Responsible Care effort. You've got a variety of U.S. domestic standards organizations that are working on environmental management and systems standards. I mention here only NSF International, Inc., which is based in Ann Arbor, but ASTM has also been working on them, as well as others.

Then you get outside the United States and there has also been quite a bit of work going on in this area. I mention only one here, BS 7750, which is a U.K. standard written by the British Standards Institute. It is probably the one that has gotten the most press around the world up to now. There are companies around the world, including in the United States, Asia, and Europe, that have actually gotten registered third party verification to that British standard, but there are lots of others. The Irish have IS 310. The Spanish have one. South Africa has one. New Zealand, Australia all have one.

The European Union has one. They have something called EMAS, the Environmental Management and Auditing Scheme. Though it is a regulation, it is actually a voluntary standard that has environmental management systems and auditing components. That became effective in the European Union in the spring of this year. I think the U.K. and Germany are just about on-line to actually be able to start having companies go to work on it. There have been a few pilots.

And finally I get to what I was supposed to be talking about this afternoon, which is ISO 14000. The point of all this is to indicate that really there is an awful lot going on out there. There are a lot of sources. And, in fact, my experience has been it's not so much the absence of information but just a little bit too much.

One of the concepts of ISO as an international standards writing organization was to try to simplify the process, bring experts from all around the world together, and to do a little bit more one-stop shopping. One problem, particularly for U.S. multinationals, is that if you've got facilities all around the world, which environmental management system am I going to pick?

Am I going to do BS 7750 in the U.K. and EMAS for my German location? And I've got to worry about the sentencing guidelines in the states. And I want to control all of this in some rational way from corporate headquarters. This is a mess. One of the aspects of ISO is to try to harmonize these kinds of activities.

Now, who are these people that are following us in ISO? The International Organization for Standardization was invented in 1946. It's a non-governmental organization based in Geneva. It has about 113 country members now but it's a non-governmental organization, so the representatives to ISO are standards bodies. For example, the U.S. vote in ISO is held by the American National Standards Institute, or ANSI. It's not held by the State Department.

Anybody can play in the U.S. delegation. ANSI holds our vote in ISO, but ANSI doesn't have all the resources to develop U.S. positions so they develop what are known as technical advisory groups or TAGs, and that's what the U.S. delegation is. And, in fact, the U.S. delegation on ISO 14000 is having three days of meetings at the end of next week in Philadelphia.

Within ISO, they create a whole series of technical committees. You can tell they're all the way up into the 200s. They've been writing a lot of standards. Historically, they've been technical standards, things like the light sensitivity of film. You look on a box of Kodak film, it'll say ISO 400 on it. It doesn't say DIN 400 and ASA 400 on it. It says, ISO 400.

ISO put itself on the map with general management, though, with the development of the ISO 9000 quality management series that maybe some of you are aware of. That came out in the 1980s and it's basically a TQM standard or a Deming standard or a "plan, do, check, act" standard. Much to everybody's surprise, getting third party registration to this standard has actually become a condition of doing business in a lot of parts of the world and in a lot of industrial sectors. There are about 100,000 ISO 9000 registrations worldwide, a little over 10,000 in the United States, and it's growing.

Coming out of the work of ISO 9000 came Technical Committee 207, which is the technical committee that's working on the ISO 14000 series of environmental standards. It was formed in 1993 and has been working away feverishly ever since then.

In this last set of boxes down here are the basic sets of standards that ISO is working on in the environmental management area. I think the key one of interest to us here is the environmental management system standard, EMS, headed up by the U.K. There are also standards being written on auditing, labeling, environmental performance evaluation, life cycle assessment, and so on and so forth. So there's a lot of work going on there.

Let me focus here for a minute on the key components of the environmental management system specifications document. It's called the specifications document and it will have the number ISO 14001. This is the document that, if people are going to get third party registration, they will be audited against. By third party registration I mean an accredited auditor coming in and verifying that you actually meet the standard and that you can document that you meet this standard. If you are going to get third party registration, this is what you would get third party registration to: ISO 14001.

It will be a final standard sometime in 1996 but it's essentially in a complete form right now. There's just some lengthy international balloting going on. It's about 15-16 pages long with about another ten or so pages of informative guidance.

And most of these things are very similar to the kinds of things Jim was talking about. In establishing communicative top management policy, this policy has to include commitments to comply with the law, commitments to continually improve your system, (TQM again), and a commitment to pollution prevention.

Once you've got this policy, you have to go out and identify your significant environmental obligations and set measurable objectives and targets based upon those obligations. You can split the obligations into two halves. One set are your legal obligations and the other set go to actually going out into the environment and determining the significant environmental issues that are associated with not only your factories, your facilities, but also your products and any services that you might deliver. So it's a fairly comprehensive concept.

Then once you've set these objectives and targets, you have to actually have plans and procedures and identified personnel and trained personnel to actually meet them. This is sort of the hole in the doughnut that I think Jim was talking about. A lot of people have a great policy and they've got a great auditing program, but they don't have a whole lot in the middle to make sure everything gets done.

Then you measure your performance. You verify your performance through auditing. Then you correct problems that you find. Then you have senior management review on a periodic basis to check this whole thing. Once you've got the program in place, you're not supposed to just go to sleep and let the dust collect on the shrink-wrap on the nice binders. You're actually supposed to keep an eye on it.

Now, in the few minutes I have remaining, I just want to toss out a few thoughts on how all this might relate to compliance programs and the sentencing guidelines, and we might be able to generate some discussion on this.

First of all, a few thoughts on the sentencing guidelines, and on this, I was sympathetic with some of the thoughts that Ed was suggesting as to whether or not the sentencing guidelines and the whole criminal context is really the right place to be thinking about overall comprehensive environmental management systems. The focus of the sentencing guidelines is that you're dealing with criminal situations. You're essentially dealing with situations where you are trying to avoid or deal with potential or actual criminal violations of the law.

And so a lot of what the sentencing guidelines are about, and essentially what the prosecutorial guidelines are about that DOJ has, is that we are trying to figure out at what point in time are we going to say that an organization is actually culpable for criminal conduct, because as we know, an organization by itself doesn't really have a state of mind.

What we're really trying to do is figure out at what point are we going to assign responsibility for the actions of individuals to the organization as whole and say that this organization is criminally culpable. That is what we're about in the criminal context, and that, I think, is the focus of the sentencing guidelines.

ISO 14001 is a little bit different. It has both a narrower and a broader set of issues than the sentencing guidelines. On the one hand, it is narrower than the sentencing guidelines, because standards such as ISO 14001, BS 7750, or EMAS are only worried about the environment. The sentencing guidelines, on the other hand, have a general approach to compliance programs.

On the other hand, ISO is much broader than the sentencing guidelines because it is not worried just about crime. ISO 14001 is a management systems standards that has a much broader scope. It addresses issues such as pollution prevention, talking to your suppliers, communicating with the public, setting measurable objectives and targets. These are all issues very, very important in the environmental arena to do a good job.

But it could be seriously questioned whether the presence or absence of, for example, a really nifty pollution prevention program or the presence or absence of a system to communicate with your suppliers is really relevant to determining criminal culpability of organizations. It might be highly relevant to doing a good job. But I think it might be useful to distinguish between doing a really good job and the issues that we should be worrying about in the criminal context.

I think that the existing compliance assurance provisions in the organizational sentencing guidelines are adequate to their task, which is to focus on preventing criminal violations. I don't think that special compliance assurance program provisions are needed just to focus on environmental issues, because I think we can make the same argument for antitrust or Medicare fraud or anything else, and we would have all kinds of different compliance programs out there.

I think that the existing provisions are flexible enough to allow different parts of organizations to do what they need to do in their particular areas to get a good compliance program going. And then to close, I would say that compliance, or conformance - you don't comply with a voluntary standard - conformance to something like ISO 14001 or some other appropriate environmental management system standard that you might choose - it might be BS 7750, it might be something else - should be considered a viable option for demonstrating conformance to the sentencing guidelines. If I conform to ISO 14001 or a similar standard, I should be deemed in conformance with the sentencing guidelines.

It is also important to note that there is no one way to implement a program, and my experience has been in these three years of international negotiations, as soon as you get down to detail, there's always somebody else who says, I've done it differently and it works, and there's a real danger in the U.S. government starting to get into hardly any detail at all into these issues.

And so finally, my last concluding point would be apart from the basic concept that conformance with accepted standards like ISO 14001 should be considered appropriate for demonstrating conformance to the sentencing guidelines, that standards like ISO 14001 should not actually be incorporated into things like the sentencing guidelines or Federal Register notices by EPA or so on and so forth. Thank you very much.


MS. DRIESSEN: I have a number of questions here, and since you're walking up to your seat, Chris, I guess we'll start with you. I have a couple of questions here relating to ISO 9000, so I thought I'd start with that.

The first one is coming from your esteemed colleague, Ed Dauer, on the panel. He said that ISO 9000 certification can be applied for apart from any criminal or even civil liability. He wants to know if the experiences there have shown whether prevalidation of a federal sentencing guideline program might be possible.

MR. BELL: Prevalidation?

MR. DAUER: Right. The question of whether you're ISO 9000 certified is done apart from any risk of liability.

MR. BELL: Yes.

MR. DAUER: The question is whether a solution to some of the difficulties of retroactivity under the federal sentencing guidelines could be resolved by allowing companies to have their programs validated and approved prior to the time that any criminal liability is an issue. I wondered if the experience with ISO gives us any reason to believe that prevalidation would work under the U.S. Sentencing Commission's own standards.

MR. BELL: I guess the only concern there that I think might be expressed amongst at least the industry people that I've worked with is they are concerned about getting into detailed third party validation systems as a condition for demonstrating conformance with the sentencing guidelines.

I think they would want to see a lot more flexibility because there are a lot of elements in the voluntary standards that I think go beyond what most people would think are necessary for a good compliance assurance system. I mean, the concept of third party verification might be useful, but transferring it directly over from the voluntary standards program might be a little bit dangerous.

MS. DRIESSEN: I have another question that follows up on that. In an area where you might get prevalidation, you mentioned that ISO is not a governmental entity. Do you have any indication that if people voluntarily comply with ISO, that will be considered as some sort of an exemption from criminal liability in the event of some sort of a violation?

MR. BELL: There is increasing interest in various elements of the U.S. government about the potential uses of ISO. Some of those areas of interest are in the area of regulatory flexibility. So, for example, the Office of Clean Water has launched an initiative to write new permit guidance to give more permit flexibility for companies that have a third party validated environmental management system plus good performance.

In the area of enforcement discretion and penalty mitigation, EPA's Office of Enforcement has expressed serious interest in the presence/absence of a good environmental management system in determining how they would proceed. But this is all really in the preliminary stages, though I do think that there are some real fruitful discussions that can be had in that direction.

MS. DRIESSEN: Thanks. We've got a number of questions here and I want to move on. We've got some questions here for Jim Banks. There are several that are sort of related. First, is the Sentencing Commission the best or even the second-best forum to be establishing the elements of a comprehensive environmental compliance program?

And a sub-question of that relates to whether or not the Sentencing Commission's guidelines for punishing criminal conduct are the appropriate place for bringing in standards that go beyond just criminal activity to total compliance, or even beyond compliance. That's really what your emphasis is. You're talking about a gold standard. You're talking about changing corporate behavior, and the questions relate to whether or not it's appropriate to pool those standards into a system of criminal penalties.

MR. BANKS: Well, I'll give you my own personal opinion. I think the advisory working group that I was a part of answered that in the affirmative by proposing that a fairly comprehensive program be prescribed by the Commission as one of the things that would warrant serious penalty mitigation.

In environmental law enforcement, for decades, there has been the concept of "good faith efforts to comply." Most of the major environmental statutes include it. EPA and Justice Department policies have it. And the notion is that the severity of sanctions can be mitigated, depending on whether the corporation or the entity was making an effort to get it right, and whether the instant violation occurred despite their doing all you could ask them to do.

I think in the criminal sentencing area, it is just as logical to consider good faith efforts to comply as it is in the civil arena or in debarment and blacklisting, which has been done for many, many years, and is equally appropriate and effective as a way of encouraging appropriate compliance behavior by entities.

If it is deemed to be too far afield from the narrow purpose of criminal sentencing and the objective of deterring crimes per se, so be it. Maybe it is not yet time for the federal government to reach that far. As a matter of policy, my view is that it is time, it is appropriate, and it probably will be highly effective.

MS. DRIESSEN: Thanks. We also have a couple of questions for Ed here. The first one asks you to perhaps think about some examples or some mechanisms a company can use to demonstrate that it has exercised due diligence to ensure that persons with a propensity to commit criminal illegal acts are not placed in positions where they exercise substantial discretionary authority. Do you have some ideas on that?

MR. DAUER: Yes. It's dangerous, because there is probably not a very wide gap between the duty to investigate under the federal sentencing guidelines and violations of privacy under civil liability.

I don't have an answer for that that I can give you now. We have been collecting examples of how companies actually do this. When we come out with a final draft later this year, those will all be available. We have seen examples that run all the way from running fingerprint checks in one report that we got from a fairly substantial corporation, to another which says that what you ought to be doing is looking at police investigations in the county of record as well as in the county of residence; and then there are a lot of people who aren't doing anything at all.

I don't have any magic answers for this, but I can tell you that one of the areas we are concerned about is that this is one of the few parts of the federal sentencing guidelines that we have not wanted to tinker with because it's so strange and the language is so precise, and yet the danger is there if one goes into areas of protected confidentiality. It's a narrow path. So the bottom line answer is, no, I don't have any magic words, but we're working on it.

MS. DRIESSEN: I have a follow-up question to that. You spoke of some tension between Chapter Eight and traditional ideas of negligence liability and criminal liability, and that the guidelines themselves therefore produce vague directions and vague guidelines. I was wondering if you could speak to things the guidelines could do or could incorporate that could eliminate a little bit of that vagueness or perhaps you could suggest changes.

MR. DAUER: Yes. I'm glad you asked. There are two or three, and again, I don't have any magic bullets, and certainly not all of the ideas there are, but two or three that I can think of.

One obviously is the encouragement of the development of industry-wide collaborative groups. There is, I understand, some question raised about whether industry groups that get together are not also getting together about other matters and whether they ought to be encouraged or not.

My own feeling is that any source of information that can be provided, so long as we don't have violation of other rules, ought to be encouraged and maybe even facilitated, if not by the Commission, then by some other agency.

A second possibility would be the development of model programs. This, for example, has been done by other agencies. As I recall, it was done under regulations B and Z in the banking industry. When they came out, the agencies even generated sample forms. Some people thought that was probably cookie cutter, but it sure helped achieve their objectives and at the same time not create any disincentives by setting new traps.

The third is the question that I put to Chris. I think there is a disincentive to invest in creating a compliance program on the part of a business that will not find out whether it's up to snuff until it's too late. There might, however, be an incentive to invest in a compliance program and therefore to change behavior in a pro-compliance direction if that corporation could have validation or approval of this program outside of the context of any serious risk of criminal liability.

So suppose that someone were to create a program and ask that it be inspected at the time and approval given then, in advance. It would be a kind of presumptive validity which could later be inquired into if it turned out it was only on paper or it wasn't in good faith being followed.

I think what we might find is a reduction in the uncertainty, and therefore a reduction in the disincentive effect; and, consequently, an increase in compliance. That's what I meant by asking whether some of the private programs which certify people to do business under certain regimes, like ISO 9000 - not that they themselves would be the deemed triggers to show that one satisfies the federal sentencing guidelines - whether the experience under that kind of investigation and approval gives us any reason to believe that there is feasibility to the suggestion that a compliance program designed to meet the federal sentencing guidelines might be approved in advance.

MS. DRIESSEN: I guess we'll be addressing some of those issues a little bit more tomorrow with the law enforcement panels. I see by the clock on my desk that our time is past. I did want to ask one more question briefly because I think it kind of sums up where we are going. It was a question for Jim, and perhaps all of you can think about this, too. It was regarding the story of your guilty plea. The question here is, should the CEOs make that plea and get that lecture from Judge Conaboy or whomever rather than the general counsel, and do you think there is an additional deterrent effect if the CEO has to stand up and account, as opposed to an attorney?

I wanted to ask this question to get everybody thinking about it, because really, what we are talking about here is changing corporate culture. It's the theme of the conference. We're talking about corporate crime in the context of strengthening the good citizen corporation, and a lot of what we're doing and saying are things we hope will change the sort of corporate culture where these things are allowed to happen.

Jim, would you speak to that?

MR. BANKS: I think corporate managers need to understand and appreciate how third parties, including federal judges, view their conduct or their employees' conduct, and be made to recognize that and report it to the board and explain how they're going to prevent it in the future. But standing up in front of a judge isn't the only way to get that done, and certainly, in our case, the pain of paying a large penalty, of having a permit put at jeopardy, and of running the risk of debarment from doing business with the federal government, was enough pain to get their attention.


Jim Banks

Q. You said that proposed Chapter Nine goes beyond Chapter Eight to seek to prevent all non-compliant activities, not just criminal ones. What justification did your advisory group have to conclude that sanctions in the criminal system should be based on a failure to prevent civil or administrative violations?

A. The Advisory group did not propose to base criminal sanctions on a failure to prevent civil or administrative violations. Indeed, the proposed aggravator for "prior civil compliance history" would apply, not to mere failures to prevent violations, but only to a pattern of violations so severe and extensive that it "reveals a disregard by the organization of its environmental regulatory responsibilities."

Instead, the group proposed to modify criminal sanctions depending on the rigor with which organizations make the attempt to manage their compliance responsibilities in a comprehensive fashion - even if those attempts ultimately failed. In this sense, the proposal differs a little from the existing Chapter Eight program description. The key difference, as the question properly notes, is that the proposal's compliance program is directed to compliance in general, while Chapter Eight's is specific to criminal conduct. The justification for this is simple and straight forward: if the eight-style program is thought to justify substantial penalty mitigation, then its proponents should pursue that goal. The advisory group didn't buy it, and I doubt the Commission will either.

Q. Chapter Eight was considered too narrow because it focuses solely on preventing criminal conduct. Presumably, this is because only a small portion of inappropriate behavior is criminal. One could argue that a system of criminal penalties should focus solely on criminal conduct. Is proposed Chapter Nine's ambitious approach more appropriate to ethical standards instead of criminal practices?

A. I don't think this is a question of appropriateness or legal symmetry. I think it is just the opposite. It is a very practical, bottom-line question: are corporations that invest vast resources in compliance management programs going to get tangible credit for it when an employee flouts company policy, ignores his training and procedures, and jeopardizes his employer's well-being by committing a criminal act? If we expect companies to continue doing those things, and for the sake of the environment I think we should, then the answer has to be a resounding "YES!" We only have systems for imposing civil and criminal sanctions within which that credit can be offered; ethical standards are great, but they don't lead the CFO to approve resources for this kind of effort.

Chris Bell

Q. ISO-9000 is widely accepted as a "model/standard" for a quality management system. Why continue to develop "program guidelines" for compliance, ethics, environmental, etc.? Simple application of an ISO-9000 management system to the management objectives of compliance as well as product quality should be sufficient (ISO-9000 contains 20 elements for a program to achieve management objectives). Comment?

A. ISO decided to establish environmental management systems as a separate standards writing activity because the member countries concluded that managing environmental issues is sufficiently different from quality management in that distinct standards, written by environmental experts, were necessary. In particular, the deep public interest in environmental issues, as well as the heavily-regulated status of environmental matters, create some unique systems issues. However, many of the components of ISO 14001 are consistent with the ISO 9000 quality systems standards, and organizations with ISO 9000 systems in place are likely well along the way to conforming to ISO 14001. Such facilities might choose to integrate their ISO 9000 and ISO 14001 systems.

Q. Given all the work going into ISO 14001, what will the practical effect be? If your program is accredited, does that mean you will be exempt from criminal prosecution in ISO's member countries?

A. ISO 14001 is a voluntary, non-governmental standard. Therefore, by itself, it has no legal effect and does not provide immunity from civil or criminal enforcement. However, regulators may choose to exercise enforcement discretion or penalty mitigation to organizations that conform to ISO 14001. The practical efforts of conforming to ISO 14001 will differ from organization to organization. For some companies, it might be necessary as a commercial matter: customer demand. Others might use it as a foundation to improve their environmental management system, which may result in improved compliance performance, pollution prevention gains, enhanced environmental risk management, etc. The important point to understand is that compliance assurance is only one element of ISO 14001, and it has a broader, overall environmental management systems approach.

Q. ISO 9000 certification can be applied for apart from any criminal or even civil liability. Have the experiences there shown whether pre-validation of a "FSG" (federal sentencing guidelines) program might be possible?

A. Experience with third-party registration to the ISO 9000 quality systems standard and to existing environmental management systems standards such as BS 7750, indicates that it would be possible to create a "pre-validation" program for the U.S. sentencing guidelines. The more important question is whether such a program would be a good idea. Pre-validation would likely require a more detailed approach to compliance assurance programs than is currently in the organizational sentencing guidelines. Organizations should have the option to choose the systems approach most appropriate to their operations, and not have to conform to a specific approach mandated by the government.

Some of the interest in pre-validation is the perception that organizations do not have sufficient guidance on what constitutes an adequate compliance assurance system. This perception appears to be based on the absence of case law or formal government statements on these issues. However, the narrow focus on traditional legal sources of information ignores the fact that there are a wide variety of approaches to establishing and implementing compliance assurance systems, many of which are already reflected in extant documents such as ISO 14001. Therefore, pre-validation is not necessary for purposes of having some confidence in the robustness of a compliance management systems.

Lastly, there is some concern regarding the value of third-party registration, or pre-validation, in the ISO 9000 and ISO 14001 contexts. After several years of experience, there has been criticism about the value-added of the third party registration process and increasing interest in less cumbersome, less intrusive and less expensive approaches to determining conformance to the standards. In the context of the U.S. sentencing guidelines, we should be wary of creating an administrative structure and bureaucracy for pre-validation purposes. Accordingly, federal policies, including the guidelines, should be flexibly applied to allow determinations that organizations conform to those policies if they have implemented compliance assurance programs that are consistent with generally accepted practices. For example, since the scope of ISO 14001 is far broader than simply compliance assurance, registration to ISO 14001 should not be a condition of "qualifying" for the "benefits" of federal enforcement and penalty mitigation policies.

Ed Dauer

Q. On the NCPL guidelines for corporate compliance, have you considered developing these guidelines as an ISO chapter - similar to the ISO 14000 chapter for environmental management systems?

A. No, we have not. One of the advantages our work enjoys is its independence - our members speak as practicing efforts in compliance. Yet we too are having our internal discussions about how our guidelines will be shaped. I would guess that an affiliation with ISO at this time would distract us from our own work. Perhaps we can consider this idea when our product is complete.

Q. You spoke of tension arising out of Chapter Eight of the guidelines, perhaps because of vague standards. What could the sentencing guidelines do to reduce that vagueness?

A. This is the central challenge. One possibility is to publish non-binding "models" for several of the key areas. A second is to encourage and nurture industry groups that are attempting to create information exchanges. Third - and my personal choice - would be to create a pre-incident approval procedure. Doing so could lead to a number of useful results.

Bringing Carrots and Sticks In House: The Role of Ethics, Incentives, and Private "Inspectors General" in Achieving "Effective" Compliance

Ronald Goldstock, Director of Monitoring Services, Kroll Associates, Inc.

Gary Edwards, President, Ethics Resource Center

Moderator: Mary E. Didier, Staff Assistant for Legal and Legislative Affairs, U.S. Sentencing Commission


MS. DIDIER: Good afternoon and welcome to the afternoon session of the symposium. My name is Mary Didier, and I am a staff assistant for legal and legislative affairs at the United States Sentencing Commission. I will be moderating this afternoon's panel discussion.

Before introducing the panel, I would like to expand on a theme Win Swenson touched on this morning because it has particular relevance to what the next two speakers are going to talk about. For the reasons Mr. Swenson discussed, the guidelines' seven steps of "an effective program to prevent and detect violations of law" are not intended to be a checklist. Rather, the definition of an effective compliance program should be viewed as somewhat "elastic" - in other words, able to accommodate a range of compliance approaches with the ultimate focus of the definition being to encourage companies to devise programs that actually work.

This interpretation of the guideline definition has an important implication. It means that as certain compliance practices become recognized for their effectiveness, companies should, in a sense, "read them into" the guideline requirements even if the guidelines do not explicitly require these practices. How do we draw the conclusion that the guidelines should be interpreted in this manner? An initial indication is evident in the introductory commentary to the organizational guidelines, which states that one of the Commission's purposes in drafting the organizational guidelines was to provide "incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct." It is unlikely that the Commission wanted to encourage the development of such internal compliance mechanisms but did not care whether they worked.

More concretely, though, the guideline definition of an effective program itself strongly implies that companies should read effective compliance approaches into the guidelines definition. As Mr. Swenson noted this morning, the introductory text of the definition establishes the definition's baseline requirement: an effective program to prevent and detect violations of law is one "that has been reasonably designed, implemented, and enforced" - and here is the key language - "so that it generally will be effective in preventing and detecting criminal conduct." The definition continues by explaining that the hallmark of a qualifying program is that the program provides evidence of the organization's "due diligence" in seeking to prevent and detect violations by employees and agents. Finally, the definition stresses that the often-cited "seven steps" that an organization must take in order to meet the due diligence standard are, in fact, the "minimum steps" companies must take. Moreover, they are referred to in the definition as "types of steps," meaning they are more in the nature of general principles than highly detailed rules.

All of these considerations together - the emphasis on effectiveness, the requirement that companies use diligence in developing their program, and the fact that the seven steps are somewhat broadly worded and are called "minimum" steps - suggest that companies should approach compliance with more than a cookie-cutter attitude. They must be prepared to learn what works and incorporate that learning into their program whether the guidelines explicitly say so or not.

These considerations are relevant to a debate recently spurred by an article published in the Harvard Business Review by Lynn Sharp Paine. Professor Paine describes two contrasting models by which organizations might seek to foster desirable employee conduct: a "legal compliance" approach and an "integrity-based" system.

Professor Paine describes the legal compliance model as being lawyer-driven, unduly focused on the narrow objective of avoiding criminal violations, and too reliant on threats and punishments to achieve its law-related objective. This model contrasts with an integrity-based approach to ethics management which, she states, combines a concern for the law with an emphasis on managerial responsibility for ethical behavior. I refer you to Professor Paine's article for a further description of these two models. The point I want to make here is that if, as Professor Paine argues, the integrity-based approach is more effective in bringing about lawful conduct, there is every reason to believe that the guidelines would embrace such an approach.

All the foregoing is not to suggest that the guideline definition of an effective compliance program cannot be improved. Indeed, the Commission hopes to gain some insight from this symposium on areas for possible improvement. In the meantime, the guidelines seem to encourage companies to experiment with and evaluate their compliance efforts with a goal toward finding out what works best. With those thoughts in mind, I would like to turn now to our two speakers who have compelling but somewhat different ideas about how companies can develop effective compliance environments.


MS. DIDIER: Our first speaker is Ronald Goldstock. He joined Kroll Associates as a managing director and director of Kroll Monitoring Services in January of 1995 after 13 years as director of the New York State Organized Crime Task Force. The Task Force played critical roles in the Mafia Commission, the Lucchese and Gambino family prosecutions, and the Cali Cartel drug and money-laundering cases. As director of the task force, Mr. Goldstock designed and developed the Independent Private Sector Inspector General Program, which has become a significant force in promoting organizational integrity worldwide. Mr. Goldstock has served as Inspector General of the U.S. Department of Labor, Director of the Cornell Institute on Organized Crime, and Chief of the Rackets Bureau in the New York District Attorney's office. He has also written extensively on subjects related to organized and white-collar crime, money-laundering, and labor racketeering. I present to you Mr. Goldstock.

MR. GOLDSTOCK: Thank you, Mary. I guess after Senator Kennedy's talk, it is fashionable to quote Win Swenson. He's clearly the most quoted person here today; as he said at the outset, the sentencing guidelines provide an outline, but not a model for the development of compliance programs - programs which control through prevention and detection illegal behavior and which, presumably promote the work of the organization, whatever it happens to be, the delivery of goods and services or other operational objectives.

Actually, at the time that the guidelines were developed, there existed a potential model for the program envisioned in the guidelines - the Federal Inspector General Act of 1978 - effective in all of the major departments and agencies within the federal government. The IG program mandated that those departments and agencies have an inspector general to reduce waste, abuse, and fraud and to promote economy, efficiency, and effectiveness within the department and the departmental programs. It also provided for the assignment of auditors and investigators to the IG's office and created the positions of Assistant IGs for both investigations and audits.

Designed to be independent of the head of the department - although it would report to that head - it also reported to the Congress of the United States. The program was certainly not perfect; there were a number of flaws within it.

First, an entity designed to reduce waste, abuse, and fraud and promote economy, efficiency, and effectiveness, should be utilizing individuals with more than audit and investigative skills. Second, depending on where a case was assigned - to the Assistant IG for Audit or to the Assistant IG for Investigations, there was an audit response or an investigative response. The audit response generally was to disallow costs and increase internal controls. The investigative response was to indict, convict, and incarcerate. Auditors looked at investigators as Nazis, and investigators looked at auditors as wimpy without credentials or guns. But in either case what was missing was an Inspector General response.

Let me give you an example. Let's assume that somebody came up with a brilliant idea to deal with ineligibles in a particular entitlement program. A computer match would be run of Social Security Numbers of the people on the program and some other list which would be inconsistent with being eligible. Assume also that the computer match is an amazing success. One thousand people, 1,000 ineligibles, are found to be on the rolls of the entitlement program. There are arrests and newspaper headlines and everybody thinks that the IG did a wonderful job - so wonderful, in fact, that the following year, the same thing is done. The computer match is run, and then - it worked again! Another 1,000 people were found to have been involved in obtaining benefits illegally. While it was a wonderful investigative success, as an IG matter, it was a complete failure. Nothing was done to stop those 1,000 people from getting on the list in the intervening year.

That was understood, I think, by the best IGs, who included a loss prevention component in their programs. They also recognized several other concerns. It is, in fact, possible for an IG to eliminate waste, abuse, and fraud from the department and the departmental programs. I'm not saying control it; I'm saying you can eliminate it. The only problem is that as a result, no goods and services are delivered.

Two is something called IG toleration. People who are involved in the programs, who have to implement the controls that are designed, have a natural tendency not to do so; I think this is so for two reasons. By accepting internal controls, they are admitting that what they were doing before was wrong or ineffective. Moreover, it is not something that they have a stake in. IG toleration is dramatically increased by bringing the people who are involved in the program into the process of reform.

But even with all of those flaws and even with the governmental environment, the IG programs are successful. They work. Imagine the possibilities in the private sector, especially when modified. And such a program does exist: Private Inspectors General. The problem with the term Private Inspectors General is that the acronym doesn't work all that well, hence Independent Private Sector Inspectors General, or "IPSIG." What is an IPSIG? An IPSIG is an inspector general with the additional skills and disciplines that are necessary to look at problems of waste, abuse, and fraud along with the promotion of economy, efficiency, and effectiveness. In addition to investigative and audit skills, it adds legal, loss prevention, opportunity blocking, research, analytic, business, computer, and industry specialization.

Rather than separating into separate skill areas, individuals work together as a team to address problems. They design and implement internal controls, codes of conduct, and codes of ethics; they work with the management and staff to determine where vulnerabilities to fraud and corruption exist, and help create cost-effective countermeasures; then, they implement the controls and codes and monitor the systems through investigations, forensic audits, integrity tests, hotlines or anything else that is appropriate to ensure that they are working well. Then, after reviewing the results of investigations and audits, and the controls that were put into place, and after analyzing the results, they make whatever modifications are needed so that either people do not get too used to the systems and tend to ignore them or that they are not obsolete due to changes in the economy or changes in regulations.

The IPSIG has to have independence - independence guaranteed by dual reporting responsibility - to a high executive officer within the corporation and to some external body. In the case where there is a probationary status because a company has been in trouble and the IPSIG is implemented as part of a deal with law enforcement, reporting is probably to a law enforcement agency. But reporting can also be to an external body that is independent of the company as an outside board of directors.

What are the advantages of having IPSIGs within a corporation? Because they are independent and are not corporate employees with a corporate career path, there is no confusion as to their mission. That is important. Remember the scene in one Barney Miller episode where Captain Barney Miller was speaking to the obsequious Police Officer Levitt, who always wanted to please his superior, Barney Miller. Barney Miller said that one of the detectives had a personal problem and was going to be in late that day. Levitt, who was taking the role, said: "Right. I'll dummy up the records."

Barney Miller said, "No, I don't want you to dummy up the records."


"No, I really mean it. I do not want you to dummy up the records."

"You don't have to say anything more."

It was clear that no matter what Barney Miller really wanted him to do, Levitt would always believe that Miller wanted him to change the records.

That's what happens inside any bureaucratic organization with success in the career paths dependent on the hierarchy. People will act in the way they believe they're expected to act regardless of the words or particular codes that are in place.

But an IPSIG not dependent upon the corporation culture and management is not constrained by that problem. Employees speak more freely to IPSIGs generally than they do to their own corporate colleagues. The IPSIG acts as a type of ombudsman. Credibility is enhanced with the IPSIG making a finding rather than an internal compliance program, once that credibility exists within the corporation, within the marketplace, with regulatory bodies, and with law enforcement. It is probably also true with federal judges when it comes to implementing the sentencing guidelines.

Since the IPSIG's job is not only to look at dishonesty, illegality, and unethical behavior, but to reduce waste and abuse, and to promote economy, efficiency, and effectiveness, the IPSIG's acceptance and IG tolerance is enhanced. The IPSIG is seen as being part of the process for the delivery of goods and services in an effective manner, not as an obstruction.

IPSIGs can be used to prevent the company from being victimized, not only from internal employees but from outside companies and corrupt governmental officials. It is very handy for somebody in the company to have an excuse for extortionists - "Look, I would be happy to pay you the money, and I would do so, only I have this IPSIG sitting on my shoulder, and anything we do they catch and report." It's like having The Club in the car; the thief just goes to another car.

It works internationally when companies having to do business overseas must deal with unknown corporations and governments. Indeed, companies can use IPSIGs in any high-risk areas to deal with contractors and suppliers, by requiring that the vendor hire an IPSIG which reports to that company and to the corporation in question. For example, how can a company who hires the contractor ensure that a contractor is not going to be selling goods that are made by prisoners or children? The use of an IPSIG - the contractual use of an IPSIG can deal with that problem.

Let me end with a true story. The NYC School Construction Authority ("SCA") exists because the government of the City of New York was incapable of building schools. The SCA has an IG's office which prequalifies contractors who want to do business with them.

One company had a problem and the SCA required it to hire an IPSIG. The company objected because they thought it would put them on an uneven playing field. The School Construction Authority IG insisted, and the company eventually had no choice but to do so.

The contract called for the company to have the IPSIG for a period of 18 months. At the end of 18 months, the company found that the internal controls, the reduction in waste, abuse, and fraud, and the promotion of economy, efficiency, and effectiveness had made them much more effective and profitable. And because they were then able to market themselves as a company that had an IPSIG, demonstrating their integrity, they decided after the 18-month period to keep the IPSIG on.

It is a win-win-win-win situation; society benefits, the Sentencing Commission benefits, the IPSIG benefits, and the company does as well. It is, in effect, the compliance program which doesn't cost. More dollars are saved than is spent on the program. Thank you.


MS. DIDIER: Our next speaker is Mr. Gary Edwards. He has been with the Ethics Resource Center for 15 years and has served as its Executive Director for 10 of those years before his promotion to President in 1991. Mr. Edwards has designed and conducted ethics training for companies in numerous industries including manufacturing, financial services, and defense technology. He has led the Ethics Resource Center's production of a series of award-winning videos designed to help businesses and managers promote greater awareness of ethics issues in the workplace.

Mr. Edwards has also aided more than 130 companies and government agencies in developing and implementing codes of conduct and internal support mechanisms. His clients have included major corporations such as General Dynamics and Martin Marietta. He has testified on the defense industry self-governance initiatives before the House of Representatives Armed Services Committee, and he has also consulted on behalf of ERC for the Internal Revenue Service, the U.S. Postal Service, and the cities of Chicago and Milwaukee. I present Gary Edwards.

MR. EDWARDS: I want to take a few minutes this afternoon to talk about how failures in corporate values, strategic planning, and incentive and reward systems drive organizational misconduct. That's the title of my remarks.

What I want to do, in a certain sense, is to cut against the grain of the presentations that have been made today and, indeed, to a certain extent against the grain of the work that we do at the Ethics Resource Center, because I want to talk about the inherent limitations of the efforts that are being undertaken.

A word or two about the Center and its role in corporate self-governance. I know many of you are familiar with us, but I know also that many of you are not, and I want to provide that information as briefly as I can as background for the conclusions that I draw.

The Center is an 18-year-old, not-for-profit educational corporation. We were founded with a mission to strengthen public trust and confidence in our institutions, public and private, and to try to do that by raising ethical standards and practices. We were essentially in a business that had no market, at least if you mean by market demand, as opposed to need. We were set up as a non-profit so that we could be supported by contributions from well-meaning individuals and organizations and begin to try to do work that we thought was necessary.

Many of you are familiar with the research that the Center has done since 1979, including the studies that we published in 1979, 1980, 1985, 1988, and the research project for 1994-1995 which was the National Business Ethics Survey (NBES) that Rebecca Goodell just presented in the morning session.

Our work is direct and "hands-on" with corporations. Unfortunately, of the nearly 150 clients that we have had, about 100 of them have come to us too late; they are the headliners that got it wrong, and they want to know why. More importantly, they want to know how to stay out of trouble in the future.

We interview their senior executives; we talk to their people in focus groups; we administer a standardized survey instrument to get baseline data to gather information along four parameters: knowledge, attitudes, values, and behavior. After we complete our work, which includes extensive education from the top down in organizations, we then readminister the survey to measure change. That provides some assurance that the company's efforts made a difference, but it also helps them localize where change has not been sufficiently effective. They then can direct scarce resources for ethics in the future to the most important, continuing issues.

One of our better-known clients, mentioned in my introduction, General Dynamics, gave us an opportunity to create what we believe was the first corporate ethics office in any company back in 1985. (There had been an ethics office by name at Dow-Corning, but it was, at the time, a Foreign Corrupt Practices Act audit team.) An ethics office, as conceived for General Dynamics and numerous clients since, is a place to get advice and counsel when you don't know the right thing to do and, when necessary, to blow the whistle internally on misconduct. To our knowledge, an ethics office at a high level within a corporation reporting to the board and to the CEO began in 1985 with General Dynamics. As other statistics have shown you today, they have spread and spread widely.

It was our work with General Dynamics and Martin Marietta that led to our invitation by the Packard Commission to draft the recommendations on self-governance for their report to President Reagan. Those recommendations became the backbone for the Defense Industry Initiative on Business Ethics and Conduct about which Alan Yuspeh provided you information earlier today.

Since 1985, we have worked with about 150 major U.S. and multinational corporations. As I said, most of those are in trouble and come to us too late. But in the last three years, something has happened in our client engagements. Even though the earlier clients were largely international corporations, until three years ago, none of them sent us outside the United States. In the last three years, only one multi-national corporate client has failed to send us all over the globe. Something has changed the opinion of top management in major corporations about the need for a globalization of ethics, along with the globalization of the marketplace. Indeed, what we are learning internationally is causing us to look very hard and very critically at how we can best serve the needs of our clients.

Among the critical lessons that we have learned from our client work, I want to give you just one visual this afternoon. I'm going to talk about the principal causes of serious misconduct in organizations - and I offer this slide as a simple typology of misconduct.

Starting in the upper right-hand corner, there is, of course, the intentional misconduct that benefits the self. That's people who have their hand in the till. They're people who are embezzling from you, stealing corporate resources.

Then, in the upper-left quadrant, there is the unintentional misconduct that benefits the individual. Think for a minute about how smart suppliers have become. They know that in a good corporation, they can't easily corrupt a buyer. Buyers are subject to professional standards of ethics, special training, and intensive oversight and auditing.

So what do they do? Forget the buyer. They go around the buyer to the design engineer, and they wine and dine that engineer. The next thing you know, the engineer has written specs that can only be met by one supplier. Well, that poor design engineer didn't realize what was happening, perhaps.

Maybe he doesn't deal with buyers very often; didn't get the code of conduct that the buying people got; didn't get the training that the buying people got; and now, he has managed to compromise the process, benefit personally, and is still ignorant of his misconduct until somebody brings him up short.

Down in the bottom right quadrant, we find the unintentional misconduct whose principal beneficiary is the organization itself rather than the individual. That's the familiar tale about the sales or marketing person going to the trade association's annual convention and exposition, and coming back on the plane, finding the competitor's five-year strategic business plan hanging out of a seat pocket ahead as they deplane. They didn't know they were doing anything wrong when they made 50 copies and distributed it around the corporation. They thought everybody was going to win.

It is the fourth, remaining quadrant that I want to talk about. It refers to corporate misconduct which is intentional, witting, and intended to benefit the organization, rather than the individual. Misconduct in this quadrant characterizes many of the problems that bring our clients to us for help. It is the area where we provide the greatest value for our clients, and it is the area which is the most difficult to manage effectively. And it is perhaps the least positively affected by any programmatic attempt to improve ethics and business conduct.

This quadrant includes such things as bribery because, "In this part of the world, how else are you going to do business?" The last several years, as I've mentioned, I've spent a lot of time overseas, particularly in Asia/Pacific. I've talked to over 300 foreign national country managers for U.S. and other western multinational corporations. And I have spoken with numerous expatriate executives in charge of Asia/Pacific for their vast corporations. Most of these folks, indeed virtually all of them, say that the best thing they can do in that part of the world is hire an agent and try not to know what they do with their commission. Of course, they admit that they do know. They just don't want to have any incriminating knowledge.

Bribery is an example of intentional misconduct intended to benefit the corporation. Mischarging, fraud, cutting costs by cutting corners often are intended to help the corporation achieve cost-cutting goals or profit and performance objectives that otherwise are beyond reach.

The first three quadrants in this diagram are addressed quite directly, and can be addressed quite effectively, by ethics and compliance programs. For instance the two unintentional quadrants: if you have good codes of ethics and well-drawn corporate policies and procedures and you train people to them and you provide an ethics office for advice and interpretation, you ought to be able to deal with most uncertainties and ambiguities and prevent most unintentional misconduct. You've got people informed; any misconduct, then, should at least not be unintentional.

In the third quadrant, ethics and compliance programs can also be helpful to reduce the intentional misconduct that benefits one's self. Companies have their audit and security departments, and in addition, line management to deter and detect such misconduct. Additionally, by the creation of an environment where employees are less willing to tolerate the misconduct of others and where they can easily and even anonymously report it, the ethics and compliance office can also have an impact here.

But in the fourth quadrant, we have found conduct that is most likely to result in serious damage to an organization and its reputation and to expose it to serious legal sanctions. Stated differently, the paradigm of unethical conduct in large organizations today is decent people who come to believe that to do their jobs or keep their jobs, they have to do something they absolutely know to be wrong.

These are not people who need a compliance training course; they've had it. They know what the law is; they know what corporate policy is; they've memorized the code of conduct. They know that what they are doing is forbidden. The problem that they have is that they really do come to believe that their misconduct is expected by their management and will be rewarded.

In our experience, these employees are almost always wrong. Now, they are not always wrong. Occasionally bad actors make it very high in some companies. But, generally speaking, employees who draw those inferences are almost always wrong.

We talk to these employees if they're still in the company after they made the decision that put them in the wrong section of the newspaper. If they're gone, we talk to their peers. We ask them how those decisions could have been made and why. They tell a common tale. They woke up one day and couldn't get to the numbers - again. They looked around for signals. They saw that people who hit the quarterly profit and performance objectives succeeded. They went up the ladder; they were promoted. People who didn't were plateaued, shoved off into staff positions, or gone. They understood that message.

They looked around a little more, and they saw Joe, Pete, and Sally, people who cut corners to get ahead, and the system didn't pick it up. Look where they are today. They wondered if there was a message there as well.

They looked straight ahead into the mirror, and they saw somebody 35 years old, smart enough to run the company someday if they could just get the chance. They would not come up short again. Or they saw somebody 55 years of age, with three kids in college and two mortgages. They could not come up short again. Who would need them?

These men and women did what they knew to be wrong, and they rationalized their misconduct because it was expected, and because it was necessary in order to achieve objectives that had been set for them. They became what we describe as morally schizophrenic: people who regard themselves as decent human beings, who take care of their families, volunteer in the community, and care about all the right things. When they go to work, they park their character and their conscience with their car, because "in business you do what it takes." For such people, there is such a thing as business ethics, and it is not as good as their own personal ethics. For them, business ethics permits, even requires, what is "necessary."

Examples abound: the Sears automotive centers. In the face of increased competition and declining revenues, management increased performance objectives for sales and service personnel and created incentives for the sales of particular products and services. The result? Widespread consumer complaints and allegations of fraud and the sale of unnecessary parts and services. Did management intend the result? Surely not.

Giant telephone companies were facing increased competition in their primary markets from competitors, competitors who were spared the cost of maintaining aging infrastructure. They tried to increase their own efficiency and expand their sales simultaneously. The strategy? Introduce aggressive quotas for service calls answered per hour and transform service reps into sales reps to sell additional services to residential and business customers when they call for help. The result? Unhappy customers whose service complaints were not properly recognized and met; customers who were billed for additional services that they did not authorize; and the false reporting of time for restoration of interrupted services.

In another example, a large financial services organization called me to address their 150 top executives. They knew about the National Business Ethics Survey; in fact, their CEO wanted that report presented to their people, and they decided it would be interesting if they themselves took the survey during the meeting, storing their responses, and then comparing them to the national data. There wasn't time to administer and discuss all 48 questions. So we gave them ten. Consider now the first two of the questions that we asked, and the answers that they provided.

The first question was, which you will recall from Rebecca's report in the morning session: "Do you ever feel pressured by other employees or managers to compromise your company's standards of ethical business conduct in order to achieve business objectives?" Among the national sample, 29 percent say that they feel those pressures; half of them say that they feel such pressures regularly. Among the 150 top executives in this financial services firm, 52 percent said they felt those pressures.

Next, we asked them if they had witnessed misconduct in the last year that violated the law or their company's standards of conduct. Nationally, 31 percent say they have. Among these 150 top executives in the financial services firm, half of them reported that they had seen such misconduct.

The group became basically unglued at that point. We took a break. We were scheduled to come back and discuss a hypothetical case study. They decided their time could be better spent by talking about what they had just learned about themselves and the culture of their organization. We put a clear transparency on an overhead projector, and we elicited from those executives the reasons why they felt such tremendous pressure to engage in misconduct to achieve business objectives, and the reasons why they witnessed so much misconduct in their own organization.

And the number one reason? The strategic planning process. It wasn't the lack of a code of ethics; it wasn't the lack of ethics training; it wasn't the need for an ethics office or a hotline. It was the strategic planning process itself. It seems, in that firm, as in too many other of our clients, data is sent up to the top for strategic planning purposes and then, in effect, placed on the shelf. And the real strategic planning begins. And the goals and objectives are set. And, as we learned with this particular client, and as we have heard from others, objectives are too often determined by such things as the desired earnings-per-share outcome. Let's figure out what we've got to make, and then we'll back into what we've got to do, and never mind the information that we requested and got from our field sales organization, our marketing executives, and the external market research that we did.

The second most important reason for the pressures felt by these executives? The incentive and reward system that they had created that rewarded the achievement of those objectives and appeared to be indifferent to, or at best uninformed about, the methods by which those objective were achieved.

What concerns me about that client's experience and what concerns me about the limitations of what the Ethics Resource Center and other good organizations have attempted to do programmatically with standards of conduct, training and ethics and compliance offices, is that we run up against a wall, a limit to program effectiveness. I found the National Business Ethics Survey information when it came into us initially both exciting and disheartening. It's exciting because it seems to demonstrate that investing the time and the effort in the standards and in the training and in the ethics office has a positive and measurable impact across a whole array of variables.

But it's also disheartening because you see not only how much change has occurred, but also what the limits to change are, no matter how high the confidence in the integrity of management. You see that even with a comprehensive ethics program, still nearly half of the people are unwilling to report misconduct. One cannot help but be discouraged. And I guess my message for the audience here today is that we have not done enough, and we may not be doing the right things. This is not to say that we should not have standards, training and ethics offices; I think all those are essential. But I feel that while they are necessary, they still are not sufficient to preserve the integrity of good people in aggressive, competitive environments.

In an era of downsizing and restructuring, reengineering, delayering, and taking the cost out (you know all of the euphemisms), spans of control for many managers have increased beyond their ability to provide the guidance and the oversight necessary for their people. Heightened anxiety about job security combined with increased pressures to reach more aggressive objectives with fewer resources have created in many companies an internal environment that overwhelms and discredits corporate messages about ethics and compliance. What is needed is not more policy; what is needed is not more training, oversight, or sources of advice. What is needed is certainly not another program to prevent misconduct.

What is desperately called for is honest and serious attention to the most basic tools and systems for management. That attention has to come from the very top. It is not enough for ethics officers, for general counsel, for external experts to care. What is needed is for top management to examine the tools they have, to use them honestly, to recognize that not intending the consequences does not provide them an excuse for them for the consequences. Indeed, serious misconduct may be inevitable when senior management denies the reality of a competitive environment, when planning is driven by the financial markets instead of the marketplace, and management tries to grow the business faster than the market will allow.

The failure of senior management to provide effective leadership on ethics is not a failure of intent. It's not a failure to give enough speeches about ethics and compliance, and it's not an unwillingness to spend money on compliance programs, on corporate values, credos, and codes of ethics. It's simply a failure to recognize and own their own complicity in inadvertently and unintentionally creating internal environments that undermine the best intentions of their good people and cause them to believe that the price of success is their integrity.

Make no mistake. I'm very proud of the work of the Ethics Resource Center, and I'm encouraged that the sentencing guidelines are causing more companies to address ethics and compliance in more formal and more programmatic ways. But all such efforts are, if not flawed, then severely limited by their inability to penetrate some of the most important drivers of misconduct, the very tools of management itself.


MS. DIDIER: Thank you. I have a couple of questions. Mr. Goldstock, what will prevent IPSIG personnel from filing qui tam suits based on the results of their audits?

MR. GOLDSTOCK: It's an issue that we have looked at. There is, in fact, an IPSIG association, and it meets regularly and addresses the kinds of issues like that, which are of concern to IPSIGs and corporations that would use them. We believe the best way of doing it now would be to have contractual provisions when the IPSIG deals with the corporation. It would state that the IPSIG has a responsibility to report any wrongdoing to the corporation, or, if it's inappropriate, to some outside body, and that they may not file a qui tam action, and the employees would have to sign onto that contract.

The only question I see is whether or not that would be void for public policy. If it is void for public policy, then, of course, it's problematic, but no more problematic than the issue of any employee of the corporation filing a qui tam, even if that person isn't part of the compliance program process.

MS. DIDIER: This question is for Mr. Edwards. Do the limitations on ethics imposed by the strategic planning process in turn point outside the organization to the nature of financial markets and other external factors?

MR. EDWARDS: Oh, you know they do. There are reasons why executives worry about earnings per share, and they are myriad. They need help; they need help at the board level. They need some assurances that serious strategic planning for the future, the long-term future and profitability of the organization will be rewarded. And they need courage.

We had a client a couple of years ago who had a stranglehold on certain parts of its market and was very successful. But they were in a business whose demand was very predictable. It increased, but it increased on a straight line over time. If you looked at their financials, what you would see was not a straight line but a series of "hockey sticks" every quarter. And we found that curious, and asked about it. And what we found out was that in trying to achieve short-term financial objectives that were increasingly aggressive, the salespeople were consistently pulling forward sales from the future into that quarter from both their direct customers and their distributors. They would use significant price discounts to talk their distributors into warehousing products not yet needed. And that, of course, meant that in the next quarter, sales were nonexistent until you got near the end, and they were suddenly in a panic again, and they had to keep pulling sales forward, and discounts kept creeping upwards.

Well, the company was concerned. They didn't necessarily think it was unethical to discount their products to get sales at the end of the cycle. It probably wasn't meeting the shareholders' best interest, but they didn't think it was deeply dishonest. They were concerned, though, their people were telling them that they were reaching the limits of their ability to persuade distributors to put additional products in their warehouses. And they were afraid that they were going to come to a quarter when they couldn't get to the numbers by pushing more out the door, pulling sales forward, and, then, people were going to get truly creative and do things that were not only dishonorable but criminal.

They decided they had to change what they were doing. They had to quit cold-turkey, basically, and get back to trying to match their sales to the real market demand.

Well, the immediate concern was what this was going to do to the short-term performance of the company. What's the impact going to be in the financial markets? Their strategy was to sit down with the analysts and explain the reason why their performance was going to suddenly be flat, giving assurances that, in the future, it would not only be back up, but that sustainable growth would be achieved by meeting their market demand, instead of trying to outrun it. I believe the company is making the right decision and that the market will not punish them for it.

Yes, the external forces are tremendous. But if we cannot run our organizations in a way that benefits our customers and our employees without over-reacting to short-term pressures from analysts, we're going to have a corrupt society of people who believe they have to lie, cheat and steal just to do their jobs and to keep their jobs.

We have watched corporate profits take off in recent years. We have watched the stock market reward those profit surges. Some of those profits have been achieved by extraordinary cost-cutting, the removal of people from their jobs, and increased sales and performance pressures that are put on those who remain. Some of that corporate performance is hollow and cannot be sustained into the future. So we're going to hear from the market on some of our top corporate performers, and, I think, quite soon. They can't just keep getting more with less.

MS. DIDIER: This question is for Mr. Goldstock. Because IGs are essentially internal affairs cops, how does an IPSIG avoid the fear and apprehension that is associated with most dealings with internal affairs? Isn't their apprehension a poor and ineffective way of achieving employee compliance?

MR. GOLDSTOCK: I mean, I think that, in fact, they are not at all like internal affairs cops. I would describe them as - I don't know what the opposite of an internal affairs cop is, but I think they have very little to do with that. They are made up of people with a variety of backgrounds and skills looking at the processes within the company, the corporation, the union or whatever organization happens to be involved, including, for example, a police department, to see how things are done in order to make them less likely that criminal activity, unethical activity, illegalities will occur.

I mean, I agree wholeheartedly with Gary Edwards. I thought we were going to have a bit of a distinction in what we said, and I must say that I believe that what he was saying is precisely the issue. An IPSIG ought to be taking a look at what the corporation does, how it does it, what the bonus plan is, what contractual provisions there are, how they rate individuals, what the quality of the work is, how the decision making process occurs, in order to put into place incentives to do the right thing and disincentives to do the wrong thing.

The idea is not to catch people committing crimes; it is to stop people from committing crimes. The emphasis ought to be on prevention and to encourage people within the company to value integrity and let the company benefit from that.

MS. DIDIER: This question is for Mr. Edwards. In light of your remarks about top management responsibility for pressures on employees to engage in unethical conduct, can you recommend three specific actions that top management might take that differ substantially from current practice? As an aside to that, what can be done to reduce short-term pressures on corporations and CEOs.

MR. EDWARDS: First, some actions for top management that might be different than their most recent past. With respect to the strategic planning process first - and if this shoe doesn't fit, if you've got yours right, fine. But if you don't have it right, and you're your driving your strategic plan by earnings-per-share or some other externally driven factor other than what your products, services, and market match, try backing away from that and building your strategic plan based on the information that comes up, supplemented and tempered by the external market research that you do.

I know that if you bring the planning information up in an organization, there's a natural tendency for everybody to say they can do less than they know they can. If they tell you exactly what they can do, and then you task on top of that, they fear they will fail. So they'll tell you they can do less than they can do, expecting you to add onto that, and then, maybe, they can succeed. That is a problem of dishonesty in the flow of information upwards that is fed by a history of dishonest actions at the top of the organization in disregarding the information that is provided.

So start by doing a strategic plan from the bottom up; listen to your people; try to get the most honest information you can; and temper it with external market research, that reflects what the customer market will bear, not what the financial market its analysts wish.

Second, look at the incentive and reward systems. I'm not suggesting you ought to have a bonus for being good, but we do get what we create rewards for. So let us think about the specific responsibilities of management and the specific activities of management that will help to create and reinforce an internal environment where decent people will challenge misconduct, will challenge pressures to do the impossible, will challenge dishonest objective setting. Create incentives and rewards for the kinds of behaviors you want to see in your management, behaviors that will create and re-enforce an environment of integrity. Look at your performance management system. What are you identifying, measuring and rewarding? Are those the actions that are going to create the right kind of environment internally?

MS. DIDIER: The next question is addressed to both of you. If aggressive goals and rewards systems can create incentives for misconduct, how do you provide incentives for employees to stretch themselves without such systems?

MR. EDWARDS: That's a reasonable question. You don't want everybody walking around like it's Monday morning all week long. You do want, in the words of the Army, to help people be all they can be, and the stretching is a good idea.

Stretching is one thing; ripping people apart is another. If you start with good information, and you rely on the good information you have, then you know what it is to stretch people's performance. But if you disregard the information, both from your people and from your external market research, and drive it by the financial markets, you're not going to wind up stretching people; you're going to wind up pulling people over the edge.

You want to inspire people; you inspire them with your rewards and incentives systems, but you also inspire them with other kinds of recognition, and the best companies know how to do that. But to get stretch without getting rip, you have to build on honest information.

MR. GOLDSTOCK: I sort of have the same kind of problem answering, but let me sort of attack it from a different approach, and it's based on the question that was asked before about internal controls in police departments.

I mentioned that a private inspector general could do well within a police department, because I think what they do is different from internal affairs. Internal affairs generally looks at police who are engaging in misconduct and tries to catch them doing that. It seems to me that an IPSIG in a police department would look at how the police department operates, how it enforces certain corruption-type crimes - bookmaking, narcotics, what the spans of control are, and what kinds of policies and procedures are followed in filling out reports and in testifying in court.

The systems are critically important to an inspector general. It seems to me that one role that the inspector general can play is in thinking about stretching the employees' capabilities, which is important to the programmatic side, and building in the kinds of controls that are appropriate to the stretch. If you are going to ask, for example in that same analogy, for police officers to do more and do the kinds of things where they might cross the line, then the span of control has to drop from an arbitrary 6-to-1 to 4-to-1.

The same thing is true within corporations. To the extent that you encourage employees to do things that approach the line, then internal controls have to increase. To the extent that they are low-risk, non-stretching areas, then they can be relaxed.

MR. EDWARDS: Ron's concrete illustration of the police reminds me that specifics are better than generalities. In the financial services industry, as an example, there is a huge problem of sales force management. It is a problem in other industries too, but I have had clients struggle with it in financial services. If you take your best salespeople and you make them field office managers, you've got one big problem and two responses, both of which are wrong.

The big problem is that you can't pay them enough. You can't pay them as much as they can make selling. Yet, you want them to manage the sales force because they understand selling. So what do you do? Well, too often, you give them a book of business to keep so they can sell while they're managing, and you know what that does for where their attention goes. Second, you give them a rake on the sales of everyone else in the unit. You know what that does to the intensity of their oversight of the practices of those other people. If others are churning accounts, and it's not too egregious, you don't want to be too harsh on them; you'll lose what you're getting from that, and you may lose them. They'll fly to a less critical environment and take their accounts with them.

Well, what can you do about that? E.F. Hutton, before the check-kiting scandal, years ago, tried to address that and tried to develop a cadre of professional, salaried sales force managers. Unfortunately, Hutton didn't survive long enough for it to work.

My point is that you should look at the very specific drivers of particular risks in given functions within your organization and see if you can't deal with the unintended incentives toward misconduct and pull them back and restructure and reorganize the function and re-incent the behavior.


Gary Edwards

Q. Have you identified any causes of variation in the personal ethics and integrity of CEO's (e.g., age/generation)?

A. I have not noticed differences among CEOs that correlate to age, nor in terms of personal ethics or integrity, nor have I seen any remarkable differences from one industry to another. I have a concern, however, for the rising managers of today who aspire to be the chief executives of tomorrow, they, like most young Americans today, are products of a culture and an educational system that have largely abandoned responsibility for the inculcation of moral virtues. Great executives will need first to be great people, and a lack of moral preparation may leave them ill-suited for the leadership required in a globally competitive economy.

Q. Can you cite specific examples of reward system solutions that work?

A. If your objective is to create and maintain an ethical business environment where decent people make good decisions, make them for the right reasons, and never come to believe that they are expected to violate conscience or company standards, the keys for achieving that objective are leadership, communication, and proper incentive/reward programs.

The requirements of leadership are not only of the CEO but also of every manager. And the requisite leadership is more than speeches. It goes, again, to strategic planning and proper management systems.

Communications about ethics require that managers talk about company values and standards at the beginning of each year when they go over the year's goal and objectives for each of their employees. When they sit down with their employees to review performance on a quarterly or other regular basis, they should again speak of the company values, its standards, and the necessity of achieving its business objectives consistent with them. And on those exceptional occasions when performance has gone off the rails and management must intervene, it is critical to communicate that the now more difficult to achieve objectives may only be reached ethically. This practical linking of a subject most managers never talk about, ethics, to the subject they constantly communicate about, performance, can help maintain the proper balance in the attitude and performance of employees.

The incentives reward system is a major driver of behavior; therefore, managers' own compensation ought to be significantly linked to their leadership on ethics. Practically speaking, this means that the linking of communication about ethics and performance objectives that I just described must itself now become an explicit responsibility of each manager, with contingent compensation tied to its accomplishment. Additionally, managers should be required on a regular basis, perhaps monthly, to discuss the ethic issues facing their part of the business. Those meetings must be regularly scheduled and their content documented. Again, significant compensation should be contingent upon meeting such obligations. Furthermore some part of compensation could be tied to the upward evaluations of managers with respect to their ethical leadership, their openness to ethics questions, and to the timeliness and objectivity of their investigation and discipline of misconduct.

Q. You hit the nail on head: Profit is a necessary condition of the corporation but not the reason for the corporation; goods and services are. This is a deep-seated issue of culture in the corporate sector and society. Corporations reflect social values. Where do we begin? Are we diminishing our social capital as Francis Fukuyama contends in his book Trust?

A. The modern corporation is a creature of the state. It provides a means for capital formation with limited risk and limited liability in order to produce goods and services. Whether the production of those goods and services will yield a profit is what business management is about. Poor products or excellent products without a market are already ethical failures on the part of management, for it has failed on its responsibility to shareholders or owners. When managers attempt to overcome poor planning, market research, design, manufacturing or distribution problems through dishonesty, cutting corners, failure to test or inspect, they undermine the trust of their own employees and, ultimately, their customers and the larger society. Trust in the goodwill and honesty of business people must be earned, and where it is absent the state intervenes to protect and to regulate. So the cost of a failure of trustworthiness is both inefficiency and loss of autonomy in making business decisions. These are costs which increasingly affect competitiveness in a global economy.

Q. The federal False Claims Act provides a financial incentive for employees not to report misconduct but accumulate evidence, file a secret lawsuit (qui tam), and make money. How can a corporation foster the climate and culture you describe in the face of this powerful incentive?

A. It was the collective wisdom of Congress that substantial financial incentives were necessary for employees to disclose misconduct within their corporation to federal officials. I do not share the congressional wisdom. I believe a corporation, properly managed, can encourage employees to disclose their own mistakes and the misconduct of others, although even the best management will be unlikely to fully overcome the strong cultural resistance to report on the misdeeds of others. I believe that the False Claims Act's bounty system is more virulent and destructive than fraud itself. A law that encourages the deception of a company's management, and the withholding of information about serious misconduct from the management, and indeed creates financial incentives to all the misconduct to continue while the damages to the government and to the public accumulate, should, in my opinion, be found to be against the public interest and overturned as a matter of public policy.

To answer your question more directly, how can a corporation foster an ethical climate and culture in the face of the False Claims Act, I can only restate management's obligations for leadership, communications, and proper planning and performance management systems. In other words you can only do those things you already must do, recognizing that the job has been made more difficult for you.

Q. Do the limits on ethics imposed by the strategic planning process in turn point outside the organization to the nature of financial markets and other external factors?

A. Yes; therefore, executives need to educate analysts and investors - especially large institutional investors - about their company's clear vision and long term strategy, and they need steadfastly to implement that vision and strategy. Changes occur in technology, in the market place and ultimately in the vision and strategy. It is the job of management to anticipate these and other changes that affect the future of the business and to communicate these changes in a timely manner internally and externally. The markets will not punish long term success.

Q. What can be done to reduce "short term" pressures on corporations and CEO's?

A. It is senior management's responsibility to reduce short term pressures on the company and its people. Again, that can be done if the planning is well informed and realistic. Additionally, some of the short term pressures that CEOs feel personally may have to do with how their own compensation has been structured. If their current and longer term future compensation is tied to the short term performance of their company's stock, they are going to be focused on the same short term objectives for which they criticize the financial markets. Boards of Directors have a critical role here in structuring compensation that rewards the executives for long term profitability and the achievement of the corporate vision and strategy.

Q. How does senior management draw the line between "stretch goals and unrealistic expectations"?

A. With honest information brought up from the field and tempered by external market research. Companies can create a much more honest flow of information simply by rewarding it and punishing the self-serving misinformation when it is put into the system. For many companies, this will require an utter transformation but, however daunting, it is both achievable and absolutely necessary to have honesty in the planning, budgeting, and reporting process in order to build and sustain an ethical culture within a company.

Q. Do you believe that the guidelines emphasize techniques that are inherently limited? If so, how can the guidelines be improved?

A. My principal concern about the guidelines lies not in their techniques but in their focus on compliance as the objectives and compliance training as an important means for achieving the objective. I recognize that the guidelines are richer than this characterization, and that they fully expect that mitigation will require an "effective" program. Although I believe that the Commission is wiser than this, I find that too many of my clients understand the task to be the provision of lectures on legal and regulatory compliance. Such training may be necessary, but it is not sufficient and, in the experience of our clients, it is only minimally relevant to achieving compliance. Again, in our clients' experience, most serious misconduct is not the result of ignorance of the law or its penalties. It is, too frequently, intentional misconduct undertaken on behalf of the corporation in order to achieve aggressive business goals. Those who engage in such conduct know that it is wrong and believe that it is expected of them and necessary for success. Compliance training misses the mark by not addressing the systemic nature of the pressures and incentives that drive misconduct. It is not ignorance. I am not certain how to improve the guidelines other than to encourage management and, finally, judges to attend the management systems and leadership that ultimately drive behavior within the organization.

Q. In light of your remarks about top management responsibility for pressures on employees to engage in unethical conduct, can you recommend three specific actions that top management might take that differ substantially from current practice?

A. First, honest strategic planning informed by customer need and market demand. Communicate honestly, internally and externally, and quit trying to drive planning by desired earnings per share. Second, share responsibility for failure. Don't necessarily punish the employee who fails to reach objectives. The fault may lie with what his or her manager said could be done with the resources available. If so, take the measure of that manager and of that manager's manager who failed properly to review the plan and its assumptions. If goals were unrealistic and poorly informed, then, just as the rewards for success cumulate to the top, so should the penalties for failure. If the company fails to meet the plan because the plan was fundamentally dishonest, every higher level of management that approved that plan is increasingly responsible. Third, compensation plans for senior management should be reviewed and restructured, as necessary, to reward honest planning and communication and their contribution to the long term success of the company.

Ronald Goldstock and Gary Edwards

Q. If aggressive goals and reward systems can create incentives for misconduct, how do you incent employees to stretch themselves without such systems?

A. (Ron Goldstock) Internal controls are designed to stop bad people from doing bad things; they invariably present hurdles when good people want to do good things. The IPSIG is invaluable for the corporation which seeks to save its honest employees from seeing those controls as obstructions; it can serve as an independent and objective mechanism for waiving certain constraints and monitoring the activity of the corporate activity operating under such waiver. Appropriate sole source contracting under IPSIG oversight in one such example.

A. (Gary Edwards) In an advanced service economy the key to productivity and to quality lies in the ability of employees to identify their own values and aspirations with those of their company - in effect, to bond to the company, to so care about its performance that they will make every effort to ensure its success. Incentives and reward systems are still of importance but let them be tied well to behavior that advances and secures those values deemed critical for success.

Ronald Goldstock

Q. What will prevent IPSIG personnel from filing qui tam suits, based on results of their audits?

A. The issue of qui tam suits is, of course, problematic for any company which provides its employees or contractors access to internal documents and procedures. It may, however, be possible to contractually provide that while the IPSIG has an obligation to notify the government of its losses through fraud, it may not itself profit from doing so.

Q. Because IG's are essentially "internal affairs" cops, how does an IPSIG avoid the fear and apprehension that is associated with most dealings with "internal affairs"?

A. IPSIG's are not "internal affairs cops" as that term is commonly understood, i.e., to have as its primary function the investigation of employee wrongdoing with an eye towards criminal prosecution. The IPSIG's goal is to work with the host organization and its employees to develop and implement internal controls which will prevent the commission of criminal activity and to promote efficiency and effectiveness. Given its emphasis on IG toleration and its independence of the traditional corporate culture, the IPSIG tends to promote trust and win employee confidence.

Q. I can see why a company would welcome an IPSIG if it is in trouble and needs to convince the government it can be trusted. Can you briefly summarize the advantages for a company that is not in trouble?

A. The advantages to the host corporation are numerous, but the specifics frequently depend on the specific issues that confront that organization and the economic and regulatory environment in which it operates. In general, the IPSIG can be used to protect the host from dishonest employees and unethical vendors and to maintain or regain both the fact and image of organizational integrity and corporate citizenship. It clearly serves as a model compliance program for sentencing guideline purposes, and, because the properly utilized IPSIG promotes economy and efficiency and controls waste and abuse, it provides substantial financial savings.

[Note: This completes Day One of the Symposium. ]

United States Sentencing Commission