An Effective Risk Assessment Process Underlies A Culture Of Compliance

Editor: Mr. Myers, would you tell us something about your professional experience?

Myers: I have been in private practice since 1984. Before that, I was an Assistant United States Attorney in the District of Columbia for five years. I have been a partner in the Washington, DC and Northern Virginia offices of Holland & Knight since 1994.

I have a broad range of civil and criminal litigation experience, but for the past 12 years, my practice has focused on white collar defense, corporate compliance and governance advice. I am currently the co-chair of Holland & Knight's Global Compliance and Governance Team. I spend a significant amount of time working with companies in heavily regulated industries on developing, implementing and operating compliance and ethics programs. I also represent companies in internal compliance and enforcement investigations.

Editor: I am sure your corporate compliance practice has changed considerably since the corporate scandals and Sarbanes-Oxley. Please tell us about this evolution.

Myers: It has been an interesting process. When I first started helping companies with compliance programs, well before the Sarbanes-Oxley Act, there were only a few industries - healthcare and the defense industry among them - that clearly recognized the need for and benefits of compliance programs. Both the healthcare and defense industries had been the targets of government investigations in the late 80s and early 90s.

The corporate scandals - Enron, WorldCom, MCI, and others - brought compliance and governance issues into the spotlight. It quickly became apparent that the previous system of checks and balances on certain kinds of bad corporate and individual behavior was not working. Investors began to conclude that they could not trust management and boards of directors to protect their interests. A number of things came together very quickly, on parallel but related tracks: the Sarbanes-Oxley legislation required significant corporate governance changes and internal controls procedures; the U.S. Sentencing Commission promulgated revisions to its guidance on "effective" compliance and ethics programs; the Department of Justice worked closely with the SEC on numerous enforcement actions and issued a policy statement requiring prosecutors to take compliance programs into account before charging a corporation with criminal violations; and the SEC and the accounting board issued further guidance on compliance. Together, these developments have caused a recognition of the very significant advantages that come to companies with strong compliance and governance systems.

Editor: Risk management used to mean the cost of insurance. Today it means much more.

Myers: Risk management has taken on entirely new meaning. In part, this has come from Sarbanes-Oxley and the strengthened regulatory framework that the SEC and the securities exchanges have pursued in recent years. In addition, the Sentencing Commission's guidance on compliance and ethics programs has identified with more specificity the requirement that an effective compliance program must have a formal risk assessment process. Risk management, in many companies, has been brought under the compliance and ethics program umbrella. It is much more rigorous than having a few people sit around outlining the risks facing a company. Under the new systems, risk assessment requires a mapping of potential risks across the entire company, identifying procedures to address the risks, quantifying the likelihood of adverse events occurring, charting the potential impact of violations, and prioritizing compliance program activities related to the risks identified.

Editor: What is the role of senior management - and general counsel in particular - in examining and addressing risks to the corporation?

Myers: The risk assessment process cannot work unless senior management, including general counsel, is involved. Senior management must set the standard for the company and its workforce. They must demonstrate through their words and actions that the identification of risks and the prioritization of responses is a responsibility that extends across the company and down through the ranks. In order for the process to be taken seriously, the workforce must believe that the company has an ethical culture that is exemplified by senior management.

With respect to the general counsel, there are a number of privilege and confidentiality issues that affect the risk assessment process. A number of the risks to be evaluated and quantified are legal and regulatory risks. In some situations, the risk analysis should be conducted through counsel and under the attorney-client privilege. This could come into play, for example, if a company is doing a risk assessment for the first time and is looking into the possibility of a large potential exposure on a regulatory risk.

Editor: How does an effective risk assessment process help in determining whether the company is compliance ready?

Myers: An effective risk assessment process can identify a company's major compliance risk exposures and help set the priorities for the compliance and ethics program. The risk assessment should also evaluate the effectiveness of whatever systems the company has in place to mitigate its risks. This part of the process will tell the company how close it is to being "compliance ready," as well as what it needs to get there.

Editor: Does outside counsel have a role to play in this process?

Myers: We recommend that outside counsel be involved in certain aspects of the risk assessment process to protect the attorney-client privilege and the confidentiality of the information gathered. If the parts of the process involving significant legal and regulatory exposure are conducted with the assistance of outside counsel, it will be a confidential process.

If compliance failures are identified, the company would be in a position to assess in a careful and deliberate manner whether there is a reportable violation. Using outside counsel is not intended to keep information permanently under wraps, but rather to give the company time to do a proper evaluation of what needs to be done. Also, experienced outside counsel can often conduct the process more quickly and with more accurate results.

Editor: You have spoken and written about the government's six-year investigation of the Boeing Company as a cautionary lesson for companies to pay attention to corporate compliance and ethics. For starters, what went wrong at Boeing?

Myers: We have not represented Boeing in any of these issues. According to an article reporting statements by Boeing's general counsel concerning the compliance failures at the company, one investigation had to do with new employees who, upon being employed by Boeing, allegedly brought confidential information of a competitor with them. A second investigation related to an employment offer made to a Defense Department official who was involved, at the time of the offer, in overseeing Boeing's work on contracts with the Defense Department. According to the article, part of the problem was that employees were afraid to report problems. There was a culture of silence which prevented the problems from being discovered and corrected before they caused irreparable harm.

Editor: What systems should have been in place?

Myers: Boeing apparently had a compliance program in place. The problem seemed to be that the employees did not believe that senior management took it seriously. They were afraid of retaliation if they reported problems, so the program failed at the moment it was most needed.

Editor: And the consequences to Boeing - both tangible and intangible - of failing to have strong corporate compliance and ethics programs?

Myers: I don't want to limit these comments just to Boeing. For any company hit with a public investigation into a potential compliance failure, the failure to have an effective compliance and ethics program can have a multitude of negative effects. Obviously, there are large fines and penalties, very high costs for defense counsel and experts, as well as potential suspension, debarment or exclusion from government programs. For public companies, enforcement actions and compliance problems typically cause decreases in stock value, which, in turn, often lead to shareholder suits against the board and management. Intangible costs can also include the loss of good people. Studies have shown that people like to work for companies with a commitment to ethical behavior, and that they will leave if that commitment is perceived to be lacking.

Another intangible cost is the time that the company's senior executives must devote to the investigation, disrupting the company's business.

There is also the cost of capital. Empirical studies have shown that companies with strong compliance and governance systems have a lower cost of capital. Their stock prices are generally higher because of the premium the market places on good governance and compliance systems. Competitive advantage also weighs in. A company in a heavily regulated industry, e.g., government contracting or healthcare, that can demonstrate a strong compliance program invariably achieves a comfort level with government officials that can enhance business opportunities. Government officials like to do business with companies they are confident they can trust to do the right thing.

Editor: Today everyone is talking about having a strong compliance and ethics culture. Almost by definition, however, this kind of thing cannot be legislated. If a company takes all reasonable steps to implement the right programs, what is necessary to make them actually stick?

Myers: There must be a true commitment from the board and senior management down throughout the company. Although an ethical culture cannot be forcibly imposed from the top, the board and management can have a significant impact on culture. Employees must see that the commitment is real. They must see behavior by the board and management that demonstrates that there is meaning behind the words. For example, the compliance and ethics program cannot be isolated from the business operations of the company. The compliance and ethics officer should be involved when important decisions are made. The hiring, promotion and review process should include a component based on compliance and ethical behavior. The company must enforce its compliance program across the entire employee and management base. The CEO should regularly communicate to employees the importance of the compliance program and "doing the right thing." Sufficient resources must be provided to the compliance and ethics program to allow it to be effective. Employees must see that if a potential violation is reported, it will be investigated and resolved, and there will be no retaliation against the reporter. These things together help establish the kind of culture that employees believe in and will follow.

Editor: You have also written about the Merck-Medco Managed Care case as a wake-up call for any corporation lacking an effective compliance program. What has this decision done to move the discussion forward?

Myers: Accepted wisdom has been that having a good compliance program can help persuade the government that the company did not intend to violate the law. Merck-Medco is the first case that points to the opposite corollary: that the failure to have an effective compliance program is affirmative evidence of an intent to defraud the government.

Editor: Today our economy is part of the global economy, and American corporations are in competition with enterprises that may not pay much attention to the ethical concerns that increasingly impact how decision-making proceeds in the American corporate context. Are we going to be at a disadvantage here?

Myers: The commitment to formal, well-supported compliance and ethics programs is further along in the U.S. than in many other countries. Sometimes, other countries think that the U.S. has gone overboard and is over-regulating industries. In the EU and in several other developed countries, however, change is underway. There are issues, such as money laundering, where regulatory efforts are international in scope and compliance programs are mandatory. Increasingly, the markets are demonstrating a preference for companies with strong compliance and governance systems. I think that, over time, this preference will drive corporate behavior both here and overseas. Ultimately, people like to do business with companies that they think will treat them fairly and behave with integrity. I don't think there is anything uniquely American about that.

Published October 1, 2006.