By: Bruce A. Ortwine
Reasons for the Occurrence of Compliance Framework Deficiencies: Compliance framework deficiencies can occur for many different reasons, including in extreme situations because an organization is fundamentally “rogue” in nature (examples include Enron Corporation, and Bernie Madoff’s and Alan Stanford’s organizations) or, more typically, that an organization is legitimate in its business operations but has fundamental failures in its corporate governance and oversight functions. Failure by the organization’s board of directors or other governing body and its senior management in ensuring that the organization develop and maintain an effective compliance framework has all-too-often been the primary reason for an organization’s compliance failures and resulting enforcement action.
Failure “at the top” generally results in a failure in the organizational compliance framework. But failure at the top can be the result of many different causes, from indifference or ignorance of the organization’s compliance responsibilities to an inability to oversee and manage the development of an effective organizational compliance framework. The latter type of failure is one that is consistent with the failure of legal and compliance to develop and maintain the Three C’s. Practicing the Three C’s between legal and compliance is more difficult to develop and maintain in the wake of indifference, ignorance or inability in the organization’s leadership.
Separate from a failure at the top, a compliance failure deficiency can all-too-easily occur because legal has not adequately been involved in the development by compliance of the organizational compliance framework. Legal may think that it should not be responsible for compliance, that compliance is a separate function, especially if compliance has a separate reporting line, or that focusing on compliance issues somehow diminishes legal’s stature within an organization. Of course, nothing could be further from the truth. An effective compliance framework requires legal’s active and effective participation and support, and the failure by legal to provide such participation or support is a prescription for potential organizational compliance failure and resulting disaster.
A Compliance Failure Quickly Becomes a Legal Problem: When a compliance failure occurs, often resulting in litigation, governmental investigations and ensuing enforcement actions, or all of the above, legal becomes immediately involved. Legal is—or at least should be—the organization’s recipient of a summons and complaint that commences a civil litigation or criminal prosecution brought against the organization, or notice that a governmental agency intends to initiate an investigation against the organization, in each case due to an alleged violation of a regulatory compliance requirement. At that moment, the organization’s compliance failure becomes legal’s problem, and legal takes effective—and immediate— “ownership” over that problem.
At that same moment, whatever other projects or initiatives legal may be involved in must now give way and become subordinated to the specific requirements of the litigation/prosecution or investigation. The requirements of each, including responding to the complaint or investigation notice, preserving relevant documents, interviewing relevant employees who participated in the events giving rise to the litigation/prosecution or investigation, regular reporting to senior management and devising strategies, quickly become all-consuming. And all of these issues need to be addressed in a timeframe that is largely beyond the organization’s control. A complaint or notice of governmental investigation requires a response within a specified number of days. Although reasonable extensions of time in which to answer can usually be obtained, legal still finds itself racing against the clock in attempting to do all of the above in an effective manner, in many cases unsure of what the actual facts are and whether the organization is, in fact, liable for the actions that have been alleged.
Typically, legal will be required to hire outside counsel for its expertise in the particular subject matter of the litigation or investigation. Also typically, that subject matter will be highly specific, in which the allegations involve potential violations of highly complex financial, securities, anti-trust, anti-bribery or other laws, and the expertise of which is beyond the scope of legal. That means that the outside counsel that is hired must itself have significant and specific expertise in the relevant area, which expertise comes at a very steep price.
Attorneys who are expert in the prosecution or investigation of highly complex matters, and how to defend against such prosecution or investigation, charge extremely high fees, based on hourly rates. And those hours quickly add up, especially when the attorney with the specific expertise determines that he or she requires a group of supporting attorneys and supporting staff to assist in the review and analysis of the complaint or notice of investigation, research of other relevant cases and successful and unsuccessful defense strategies in those cases, review of relevant documents that the organization has produced in connection with the particular litigation/prosecution or investigation, and internal meetings with the assembled attorneys and staff to discuss with those supporting attorneys all of the above.
On top of that, outside counsel may require that expert subject-matter consultants who have factual expertise of the allegations raised in the complaint or notice of investigation, must also be retained. Ongoing meetings with those outside consultants are also required. Add to that the required regular and ongoing update and strategy sessions with legal, required travel to various domestic or international offices of the organization whose activities form the basis of the litigation/prosecution or investigation, the hourly charges of time spent in travel and other associated expenses, and the costs of defense will quickly escalate well into the six figures, even before enough information can be ascertained to permit even a preliminary defense strategy to be determined.
Legal, therefore, has several management issues. First, it must make sure that the organization responds to the complaint or notice of investigation in a timely and effective manner. Second, it must manage the preservation and production of documents relevant to the litigation or investigation. Third, it must hire appropriate outside counsel and then effectively manage outside counsel, specifically to balance the requirement that outside counsel provide the most effective defense against the need to prevent runaway expenses in achieving that result.
Litigations, prosecutions and governmental investigations can become long-term problems to legal. Each can stretch into many years before an outcome is determined. And the specific outcome is often uncertain. A complex litigation or prosecution can last for years of numerous document discoveries, depositions and various pretrial motions, before ending in a settlement that neither side may particularly be happy about but which the organization settles on the basis of simple economics and also wanting closure to the matter. A governmental investigation may also drag on for years and can be especially frustrating to the organization because in certain cases, if the governmental agency decides not to pursue the matter any further it may not even so notify the organization of that fact, which is then left in effective limbo and unable to bring closure to the matter.
When a compliance failure occurs, legal is quickly brought in to help “clean up the mess.” However, depending on the findings of the internal investigation conducted jointly by legal and outside counsel, the scope of the mess can rapidly expand to areas that were not thought of or considered at the moment when legal first received the complaint or notice of investigation and was put on notice that a compliance failure had occurred. When an internal investigation determines that a compliance failure went beyond the scope initially alleged in the litigation, prosecution or investigation that has occurred, legal and outside counsel must determine whether the facts relating to these newly discovered areas of failure are subject to an attorney/client privilege or, especially in the case of a criminal prosecution or governmental investigation, will need to be shared with the prosecuting or investigating governmental agency with potentially adverse consequences to the organization.
A Compliance Failure Cannot Always be Avoided: As discussed herein, the potential for failure in an organizational compliance framework can be mitigated in a number of ways, including an ongoing Three C’s between legal and compliance. It cannot, however, in all cases be avoided. Despite the best intentions of all parties concerned, and notwithstanding an effective and ongoing Three C’s between legal and compliance, a compliance failure can still result. Even the most rigorous and comprehensive compliance framework will not prevent the willful violation of a particular law or regulation by an employee who is bent on engaging in unlawful activity. The most stringent internal controls and training programs will not prevent an employee, for example, from accepting a bribe from a customer or other third party or offering a bribe to a foreign governmental official in order to obtain business opportunities for the organization, or from agreeing with employees of other organizations to fix a particular interest or foreign exchange rate, in each case believing that the illegal activity will result to their receiving a higher level of bonus or other form of compensation.
In those cases, when a complaint or investigation is brought concerning the illegal activities of one or more particular employees, the best (and only) defense that the organization has is that it has in effect a comprehensive organizational compliance framework that both clearly prohibits the activities of which the employee(s) is accused of violating, that the organization conducts ongoing mandatory training of all of its employees concerning those activities, that all employees are required periodically to take tests and sign certifications that they understand that those activities are both illegal and prohibited by the organization and that they are in compliance with those prohibitions.
In those situations, the organization has to fully separate itself from the employee(s) in question and, effectively, “cut them loose.” In those cases, although a compliance failure could not be avoided, the resulting economic and reputational harm to the organization can be minimized. The reality is that at the end of the day, an effective organizational compliance framework is for the benefit of the organization itself, and not for the benefit of the employee.
Conclusion: Current realities dictate that no matter what its size and geographic scope may be, an organization must develop and sustain an effective organizational compliance framework. That framework must be specific and tailored to both the activities of the organization and the geographic jurisdictions in which the organization conducts its activities. An effective organizational compliance framework requires an ongoing Three C’s relationship between legal and compliance in order to mitigate to the extent practicable a compliance failure. Once a compliance failure occurs, legal must become actively involved in helping to minimize its scope and cost to the organization, although all-too-often those intended results are beyond legal’s control. If a compliance failure does occur, an effective organizational compliance framework can separate the organization from the illegal activities of its offending employees and reduce the organization’s ultimate liability.