The Amended Organizational Sentencing Guidelines: Top Ten Things Attorneys Should Know
By PAUL E. McGREAL
In 1991, the United States Sentencing Commission promulgated the first guidelines for the sentencing of organizational defendants. Like their counterpart for individual defendants, the organizational guidelines promised to bring coherence and consistency to the sentencing of corporations, partnerships, and other business organizations. The guidelines did so by calculating a corporate defendant’s penalty based on the seriousness of the offense and the existence of specified aggravating and mitigating factors.
Over the last 14 years, much practice and commentary has focused on one of the guidelines’ mitigating factors: whether a company has an effective corporate compliance program.1 Compliance programs are corporate procedures and standards designed to prevent illegal conduct by educating and motivating employees to comply with the law and to deter and detect legal violations. The guidelines’ commentary sets forth seven criteria for evaluating a compliance program’s effectiveness, including whether the company has designated compliance personnel, drafted compliance standards and procedures, communicated the standards and procedures to its employees, and monitored and audited employee adherence to compliance obligations.2 These criteria immediately became the gold standard for designing and implementing an effective compliance program.
In early 2002, the Sentencing Commission appointed an Ad Hoc Advisory Group to review the organizational sentencing guidelines and propose needed changes. The Advisory Group learned that in the ten years since the guidelines were introduced, companies had implemented and adopted best practices that refined and built on the original seven criteria. The Advisory Group sought to codify many of these best practices in the amendments it recommended to the Commission. The Commission proposed most of these amendments to Congress, whose inaction rendered the amendments effective on November 1, 2004. What follows are the top ten things attorneys and organizations should know about these amendments.
10. No Matter What the Supreme Court Says, It Counts
The first entry in our countdown is a legal development unrelated to the amended guidelines themselves: the United States Supreme Court’s recent decision on the constitutionality of the federal sentencing guidelines. In United States v. Booker,3 the Court held that the federal sentencing guidelines violate an individual criminal defendant’s Sixth Amendment right to a jury trial. The case relied heavily on last term’s decision in Blakely v. Washington,4 where the Court struck down similar state sentencing guidelines. Blakely involved a criminal defendant who pleaded guilty to kidnapping his estranged wife, which carried a 53-month jail sentence. During the sentencing phase, the trial court increased the defendant’s jail term to 90 months based on the judge’s finding that the defendant had acted with “deliberate cruelty.” According to Blakely, however, the Sixth Amendment requires that a jury find any facts used to increase a defendant’s sentence, and the sentence enhancement based on the judge’s finding of “deliberate cruelty” was unconstitutional.
Booker held that the federal sentencing guidelines suffer from the same fatal flaw in requiring federal judges to increase criminal sentences based on facts that were not found by a jury or admitted by the defendant.5 After holding the guidelines unconstitutional as written, the Court had two choices — require that a jury find all sentencing facts necessary to apply the guidelines, or make the guidelines mere suggestions that judges may consider when exercising sentencing discretion. By a five-to-four vote, the Court kept federal sentencing in judges’ hands, making the guidelines merely advisory.6
Booker should not affect the organizational guidelines for several reasons. First, there is serious doubt whether the Sixth Amendment right to a jury trial extends to organizational defendants,7 and the Booker holding is dicta for such defendants.
Second, even if the organizational guidelines are unconstitutional, practically speaking, they will continue to influence charging and sentencing decisions. A Department of Justice Memorandum on the “Principles of Federal Prosecution of Business Organizations” directs United States Attorneys to consider whether an organization had an effective compliance program in deciding whether to investigate, charge, or negotiate a plea with the organization.8 Further, the Memorandum specifically refers to the organizational sentencing guidelines for specific criteria in evaluating the effectiveness of such a program.9 On the sentencing side, whether an organization has an effective compliance program will surely influence judicial sentencing discretion. As a reflection of current best practices, the amended guidelines are a logical standard for measuring such programs’ effectiveness.
Third, the sentencing guidelines have had influence far beyond the sentencing arena. Several federal agencies, including the Department of Health and Human Services, Department of the Treasury, and the Securities and Exchange Commission, have issued compliance regulations or guidance that either incorporate or specifically reference the sentencing guidelines. As a result, even if the guidelines are found unconstitutional, they will continue in other regulatory guises.
9. The Privilege Problem: To Waive or Not To Waive?
The Advisory Group devoted almost a third of its report to the attorney-client and work product privileges. They had heard from lawyers and clients that a major obstacle to implementing and operating an effective compliance program is fear that compliance documents will someday provide a detailed roadmap for litigation against or prosecution of the organization. The Advisory Group offered little comfort, observing that current privileges were unlikely to protect compliance materials. This left a cruel irony: those companies most successful at implementing an effective compliance program, having identified relevant risks as well as weaknesses in the organization’s internal controls, will be most vulnerable to the litigation dilemma. The Advisory Group recommended that the Commission study the issue and propose reform. Further, the Advisory Group recommended, and the Commission adopted, guideline commentary clarifying that an organization need not waive the attorney-client privilege to receive sentencing credit for cooperating with the government.10 Absent action by Congress or the states, however, the litigation dilemma remains.
8. Adding the Carrot to the Stick
When it comes to motivating employees, the original sentencing guidelines spoke only in the negative: “The [company’s compliance] standards must have been consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense.”11 The amended guidelines add the carrot to this stick:
The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.12
The Commission explained that this amendment imposes “a duty to promote proper conduct in whatever manner an organization deems appropriate.” For example, instead of simply evaluating employees on whether their job performance meets certain tangible measures, the organization might also ask how the employee went about achieving those measures. Did the employee act in a manner that promotes the organization’s ethical values? If so, the employee should be rewarded appropriately.
7. From Carnac to Kojak
The original guidelines included the following maddeningly vague directive on assigning personnel:
The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities.13
This provision charged employers with making a speculative, predictive judgment about their employees’ “propensities.” According to the Advisory Group, such unguided, subjective prognostication led some to believe that “they were being asked to ‘become either “Big Brother, Inc.” or mind readers.’”14 The amended guidelines switch to a retrospective approach:
The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.15
The focus is now on what the employee has done, not what she might do. This brings the task for new hires within the background checking an employer might ordinarily perform. For existing employees, an organization should be able to capture work-related conduct in its evaluation process and compliance audits.
6. Size Matters, Sort Of
Small organizations, which the guidelines define as any organization with fewer than 200 employees, had two complaints about the original sentencing guidelines. First, a small organization could not feasibly implement a compliance program that met the guidelines’ seven criteria. For example, the original guidelines required that “high-level personnel of the organization [be] assigned overall responsibility to oversee” the compliance program. Yet, in some small organizations, it would be unrealistic for a single person to undertake the compliance function. And while the guidelines provided that the “requisite degree of formality of a program to prevent and detect violations of law will vary with the size of the organization,” they offered no specific guidance regarding what informal compliance measures small organizations might adopt.
The amended guidelines offer the following concrete examples of how small organizations might feasibly implement an effective program:
(I) the governing authority’s discharge of its responsibility for oversight of the compliance and ethics program by directly managing the organization’s compliance and ethics efforts; (II) training employees through informal staff meetings, and monitoring through regular “walk-arounds” or continuous observation while managing the organization; (III) using available personnel, rather than employing separate staff, to carry out the compliance and ethics program; and (IV) modeling its own compliance and ethics program on existing, well-regarded compliance and ethics programs and best practices of other similar organizations.16
Informal, however, does not equal lax: “small organizations shall demonstrate the same degree of commitment to ethical conduct and compliance with the law as large organizations.”17 Thus, small organizations must be committed to compliance, but can achieve compliance differently.
While these examples are certainly helpful, they highlight the fact that small organizations have little guidance in designing, implementing, and operating a compliance program. The available best practices material and practice commentary focus on larger organizations that have the resources to support such work. To fill this gap, the Commission and private, non-profit organizations should devote resources to the question of how small organizations can best implement the various compliance functions.
A second complaint was that the original guidelines conclusively deemed a small organization’s compliance program to be ineffective if so-called “high-level personnel” broke the law. The guidelines define “high-level personnel” to mean:
[I]ndividuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization. The term includes: a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.18
The problem for small organizations is that they will have a much higher concentration of high-level personnel in their overall staff, which makes it much more likely that such personnel will be involved in wrongdoing, automatically disqualifying the organization from credit for an effective compliance program. The amended guidelines eliminate this disadvantage. Now, if high-level personnel of a small organization participate in wrongdoing, the organization may still prove that its compliance program was effective.
5. Training — Gotta Do It
The original guidelines waffled on the issue of training employees:
The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, e.g., by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.19
This allowed a company to rationalize that it had effectively communicated its compliance standards even though it had not conducted employee training. After all, the guidelines merely listed training as one example, along with “disseminating publications” that explain those standards. When confronted with the choice between costly training or simply handing out a code of conduct and accompanying policies (along with the remarkably disingenuous demand that, immediately upon receipt, employees sign a statement that they had read and understood those documents), guess which option many companies chose?
Companies that genuinely struggled to design and implement a compliance program learned that there was no substitute for training. Otherwise, employees never get the compliance message, and some might even infer that the company is not serious about compliance because it will not spend the resources required for adequate training. Recognizing this reality, the amended guidelines make clear that employee training is a must:
The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, . . . by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.20
Note also that training must occur “periodically.” The company must provide timely training to new employees, as well as refresher training, when needed, to existing employees.
4. Training — It’s Not Just for Employees Anymore
Not only do the new guidelines add training as a required compliance element, they also define quite broadly who must be trained. Specifically, the company must train its board and senior management on matters “appropriate to such individuals’ respective roles and responsibilities.”21 A company must ask what legal and other risks those persons pose to the organization, and then educate those constituencies about their legal responsibilities. For example, an organization might educate its board about the conflicts of interest posed by outside business interests and service on other boards. The training challenge facing entities will be twofold — first, identify proper subjects for board training, and second, conduct training that provides useful information but does not overburden board members already stretched thin by new corporate governance responsibilities.
3. Board Oversight
For some time now, state corporate law has recognized that corporate boards must oversee the company’s compliance efforts. Under the notoriously forgiving standard that is the business judgment rule, however, board members are protected from state law liability if they act in good faith, which merely forbids systematic neglect or an utter failure to address compliance.22 While there have been some signals that the good faith standard is rising,23 board members still face a low hurdle under state corporate law.
The amended guidelines contemplate a greater compliance role for board members. First, board members must “be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” with respect to its implementation and effectiveness.24 This requirement has an education prong and an oversight prong. On the education side, the company must educate the board about its compliance program. This likely requires a report to the board that both identifies the company’s major risks (see the discussion of risk assessment in the next section) and describes the compliance measures implemented to cover those risks. For the oversight prong, the board, or its audit committee, should evaluate whether the compliance program is working. The guidelines facilitate this evaluation by requiring that “[i]ndividual(s) with operational responsibility shall report . . . as appropriate . . . to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.”25 The education undertaken under the first prong should provide board members with the background to effectively exercise their responsibilities under the oversight prong.
2. Assess Your Risks, Then Do It Again
Remarkably, the original guidelines never mentioned conducting a risk assessment. Surely, the fact that the guidelines require an organization to tailor its compliance program to the nature of its business and its past history strongly suggested that the organization must do something to examine that business and history. For those taking a check-the-box approach to compliance, however, silence on risk assessment was often enough to keep that step off the check list.
The amended guidelines correct that omission with a vengeance, requiring that risk assessment occur not only at the outset, but also on an ongoing basis:
[T]he organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each [element of its compliance program] to reduce the risk of criminal conduct identified through this process.26
Quite sensibly, a risk assessment must precede design and implementation of a compliance program, for how else can an organization know what laws it must comply with? By requiring a risk assessment, the guidelines push companies from a reactive approach, where compliance concerns are addressed as questions or violations arise, to a proactive approach, where resources are deployed to prevention. Also, the guidelines make clear that risk assessment must not be a one-time start-up task. The company must “periodically assess” its risks, looking for changes in the legal or business environment that affect its risk profile.
1. It’s Culture, Stupid!
While the amended guidelines do not require it, companies might consider having their compliance personnel tattoo this topic heading on their foreheads, or perhaps a less noticeable part of their bodies. Indeed, culture tops this list for a reason — without a healthy, ethical corporate culture, an organization cannot maintain an effective compliance program. Dr. Ed Petry, former Executive Director of the Ethics Officers Association, put it this way: “Culture trumps compliance.” No compliance program, no matter how well designed and funded, can operate successfully in a corporate culture poisoned by cynicism and distrust. Employees will discount all statements regarding ethics and values as mere words and corporate hypocrisy.
The amended guidelines reflect this focus on an ethical corporate culture. Where the original guidelines referred to a compliance program as an “effective program to prevent and detect violations of law,”27 the amended guidelines refer to “an effective compliance and ethics program.”28 While the old label focuses narrowly on legal violations, the new label widens the view to include ethics. Further, the new guidelines add that compliance programs should “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” The culture should not be legalistic, where employees focus on what they can get away with. Rather, the company should sincerely articulate core values that employees believe define the organization’s culture. Then, legal compliance and ethics will be woven into the corporate fabric, and not awkwardly appended in case the government comes knocking.
Of course the big question, and one on which the guidelines are silent, is how a company creates a healthy, ethical culture. My suggestion is to judge every action or decision by a simple, childhood maxim: Actions speak louder than words. Stephen Cutler, Director of the Securities and Exchange Commission’s Division of Enforcement, recently gave similar advice to people running public companies: “You’ve got to talk the talk; and you’ve got to walk the walk.”29 Cutler emphasized that while it is important for the board and management to verbalize the compliance message, “[a]ll the words in the world mean nothing without deeds to support them. You have to pay more than lip service to values. You have to live them.” No employee will believe that a company values honesty and fair dealing if promotions and raises go to those who “meet the numbers” by cutting corners, sharp dealing, or worse.
Practically speaking, a company must ensure that its incentives and rewards are aligned with its compliance message. Cutler offers a series of suggestions that illustrate how a company can put its values into practice:
“[M]anagers themselves have to comply with the letter and the spirit of the rules.”
“[M]ake character a part of the firm’s set of key hiring criteria.”
“[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well.”
“[M]ake it clear that you won’t tolerate compliance risks - even if that means losing a lucrative piece of business or a client or a transaction.”
“[H]old all of your managers accountable for setting the right tone[,] . . . disciplining or even firing them when they have failed to create a culture of compliance.”
The fact that some of these suggestions might seem unrealistic or even Pollyanna-ish only emphasizes that creating an ethical compliance culture will be hard work. Building a sound culture may require management to break with long-accepted practices, and in some cases, even exercise corporate courage. The intangible benefits of such efforts may have even more of an impact on corporate well-being than credit that may result in a sentencing situation.
Endnotes
1. U.S. Sentencing Guidelines Manual § 8C2.5(f) (2002). An effective compliance program allows a defendant to reduce its culpability score, which is used to calculate the applicable fine range.
2. Id. § 8A1.2, Application Note 3(k).
3. ___ U.S. ___, 125 S. Ct. 738, 160 L. Ed. 2d 621 (2005). The opinion reviewed two lower court decisions on the constitutionality of the federal sentencing guidelines. See United States v. Booker, 375 F.3d 508 (7th Cir. 2004), cert. granted, 125 S. Ct. 11 (U.S. Aug. 2, 2004) (No. 04-104); United States v. Fanfan, 2004 WL 1723114 (D. Me. 2004), cert. granted, 125 S. Ct. 12 (U.S. Aug. 2, 2004) (No. 04-105).
4. ___ U.S. ___, 124 S. Ct. 2531, 159 L. Ed. 2d 403 (2004).
5. Booker, 125 S. Ct. at 756 (opinion for the Court in part of Stevens, J.).
6. The Court did this by simply striking the statutory provisions that made the guidelines binding on federal judges. See id. at 764 (opinion for the court in part of Breyer, J.).
7. See generally Alan L. Adlestein, A Corporation’s Right to a Jury Trial Under the Sixth Amendment, 27 U.C. Davis L. Rev. 375 (1994).
8. Memorandum from Larry D. Thompson, Deputy Attorney General, to Heads of Department Components and United States Attorneys 3 (Jan. 20, 2003) (available at http://www.usdoj.gov/dag/cftf/business_organizations.pdf).
9. Id. at 7, n.2.
10. U.S. Sentencing Guidelines Manual § 8C2.5, Application Note 12 (2004).
11. U.S. Sentencing Guidelines Manual § 8A1.2, Application Note 3(k)(6) (2002).
12. U.S. Sentencing Guidelines Manual § 8B2.1(b)(6) (2004) (emphasis added).
13. U.S. Sentencing Guidelines Manual § 8A1.2, Application Note 3(k)(3) (2002) (emphasis added).
14. Ad Hoc Advisory Group on the Organizational Sentencing Guidelines, Report at 64 (2003).
15. U.S. Sentencing Guidelines Manual § 8B2.1(b)(3) (2004) (emphasis added). The guidelines make clear that due diligence does not require acts prohibited by other law. Id., Application Note 4(A).
16. Id. § 8B2.1, Application Note 2(C)(iii).
17. Id.
18. U.S. Sentencing Guidelines Manual § 8A1.2, Application Note 3(b) (2002).
19. Id. § 8A1.2, Application Note 3(k)(4).
20. U.S. Sentencing Guidelines Manual § 8B2.1(b)(4)(A) (2004).
21. Id. § 8B2.1(b)(4)(A).
22. In re Caremark Int’l Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
23. See In re The Walt Disney Company Derivative Litigation, 825 A.2d 275 (Del. Ch. 2003).
24. U.S. Sentencing Guidelines Manual § 8B2.1(b)(2)(A) (2004).
25. Id. § 8B2.1(b)(2)(C).
26. Id. § 8B2.1(c).
27. U.S. Sentencing Guidelines Manual § 8C2.5(f) (2002).
28. U.S. Sentencing Guidelines Manual § 8C2.5(f) (2004) (emphasis added).
29. Stephen M. Cutler, Tone at the Top: Getting it Right, Speech at Second Annual General Counsel Roundtable, (Director, Division of Enforcement, Securities and Exchange Commission) (Washington, D.C.) (Dec. 3, 2004), available at http://www.sec.gov/news/speech/spch120304smc.htm.
Professor Paul McGreal is Director of the Corporate Compliance Center and serves as the Harry and Helen Hutchens Research Professor at the South Texas College of Law, where he teaches a seminar on corporate legal compliance. He is also on the faculty of the Executive MBA Program of the Mays Business School at Texas A&M University, where he teaches business ethics, social responsibility, and corporate compliance. For more information on the Corporate Compliance Center, please visit http://www.stcl.edu/ccc/index.html.