Project: Corporate Counsel - Legal Service Providers Why Compliance And Ethics Training Is Now Mandatory

Editor: Susan, tell us about your professional background.

Cutright: Our Compliance Services Group provides Internet-based ethics and compliance training services to major companies, working with clients on the strategic aspects of their online training initiatives in order to:

• Identify the varying compliance risks faced by different segments of the employee population;
• Develop a managed training program to address those risks;
• Support client-driven customization of course content as appropriate; and
• Coordinate with the Integrity Account Management group to deliver program tracking and reporting in support of the compliance oversight function required of the Board and senior management.

Before joining Integrity, I was a staff attorney in a large NYSE conglomerate, and later served as general counsel to a privately held telecom company based in Manhattan, and then to a Nasdaq tech company based outside Boston.

Editor: In a nutshell, what does the Sarbanes-Oxley Act have to do with ethics training?

Cutright: Sarbanes-Oxley is basically the Congressional response to Enron et al., and has the effect of driving companies to establish ethics codes, explain them to employees, position the reporting mechanism as an effective tool, ensure free flow of information to support an effective disclosure process, and position the compliance program as an integral element of the company's internal controls.

Editor: What specific Sarbanes provisions relate to training?

Cutright: I should categorize them under the following headings:

• Sarbanes-Oxley §301 (preventing listing of a company's securities unless the company's Audit Committee has established procedures for (a) receipt, retention and treatment of complaints regarding accounting, internal accounting controls, or auditing matters; and (b) confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters).
• Sarbanes-Oxley §302 (requiring quarterly CEO and CFO certifications regarding effectiveness of disclosure controls and procedures).
• Sarbanes-Oxley §406 (requiring public companies to disclose whether they have adopted a code of conduct for senior financial officers).
• Sarbanes-Oxley §906 (requiring CEO & CFO certifications of periodic SEC reports confirming that the reports comply with requirements and fairly present the company's financial condition and results of operation).
• And of course, the Big Unit of Sarbanes: Sarbanes-Oxley §404 (requiring annual management assessment of internal controls over financial reporting).

Editor: What do internal controls have to do with compliance training?

Cutright:Compliance and ethics policies, communication programs and training can be seen as part of the corporate control infrastructure.We see this in the Public Company Accounting Oversight Board's Audit Standard No. 2, based on the COSO definition of internal control.Under this standard, auditors have to test and evaluate the design effectiveness of company-level controls, such as the control environment, as reflected in the company's integrity and ethical values, the tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units.

As a practical matter, this means the auditors will be randomly checking employees' familiarity with the company's Code and ethics resources, and employees' perceptions of the depth of their company's commitment to doing business with integrity.¹

Editor: How do these Sarbanes standards intersect with the Organizational Sentencing Guidelines?

Cutright: The Organizational Guidelines were developed in 1991 to establish consistency and to make sure fines were high enough to discourage violations.The goal was to replace speed trap enforcement and circle the wagons corporate response with a carrot and stick approach that would discourage employees from committing offenses.²

An Ad Hoc Committee was appointed for an 18-month term on February 21, 2002 for the purpose of conducting a ten-year review of the Organizational Sentencing Guidelines to review the general effectiveness of the Guidelines, and especially to examine the criteria for an effective program to ensure an organization's compliance with the law.In developing its recommendations, the Committee considered emerging legal standards and education and progress in the compliance field in the preceding ten years.The Committee concluded that the Guidelines should be amended to give greater guidance regarding the factors that are likely to result in truly effective programs.The goal was to emphasize the role of organizational leadership in light of:

• Enron, Arthur Andersen, Adelphia, Tyco, WorldCom, Quest, Xerox, Kmart, McKesson, HealthSouth, ImClone & Martha Stewart
• The responses of Sarbanes-Oxley, SEC regulations, NYSE listing standards, and developing anti-money laundering program standards
• Best practices reflected in guidelines established at Justice, H&HS, EPA, SEC, OSHA and Treasury

Editor: What are the objectives of the amendments as adopted by the Sentencing Commission?

Cutright: As it relates to compliance programs, the objectives are to: (1) promote an organizational culture that encourages a commitment to compliance with the law; and (2) to incentivize companies to create programs designed to prevent and detect violations of law (including regulatory violations).

Editor: What are the key aspects of the amended Organizational Sentencing Guidelines?

Cutright: The Guidelines now call for risk-based training and reporting.

Training is an essential component - not just one possible way of communicating standards.This point was emphasized in testimony presented to the Committee.

Companies must educate employees about compliance requirements.The training program must motivate all employees to comply.Simply sending out policy documents and related materials will not be sufficient.

As to reporting, the company's "governing authority" (i.e., the Board of Directors) must be actively involved in compliance review; exercise reasonable oversight of the program; be knowledgeable about the content and operation of the program.Organizational leadership (high-level management personnel) must be knowledgeable about the program and get information about the program on a regular basis.And operational management must periodically report to the Board about the program, including any apparent misconduct by senior management.

Editor: Where are you seeing the most interest in ethics and compliance programs?

Cutright:The interest in these programs is truly across the board. For example, finance folks are looking for an efficient solution to Sarbanes §404 internal control requirements.They want to contain risk, and protect revenue potential associated with corporate and brand reputation. Directors obviously are concerned about their obligations under the Sentencing Guidelines and Caremark to exercise informed oversight of the compliance program. Corporate lawyers want to make sure the training content is legally solid.They also are interested in an effective way to get outside the Law Department, and get their message out to employees.This helps surface legal issues early, for more effective resolution.

Human Resources personnel often see training as a vehicle for strengthening two-way communications with employees by

• Promoting the primary mission of resolving employee issues in-house;
• Containing discrimination complaints and damages; and
• Supporting recruitment and retention goals.

IT professionals are interested in online training specifically as a way to leverage existing Learning Management System investments, without burdening the network or introducing security risks.It can also focus attention (and resources) on rationalizing corporate e-mail and data systems.

Most importantly, I see online programs developing into a critical two-way communications channel.The Board and CEO can communicate their values to employees in a way that is credible, consistent, and informative.And employees have an open channel to raise questions, report concerns, and offer feedback on issues within the company, within the compliance program as a whole, and with respect to the training in particular.The net effect is that the desired tone at the top is delivered and reinforced throughout the organization, and there is a free flow of information up to decision-makers.

Editor: Do you train boards of directors specifically, particularly in the matter of employee compensation?

Cutright: Yes, both as clients and as recipients of training. The message with respect to compensation at the board level is that the board has the duty to be informed and to exercise due care as well as make reasonable judgments that benefit the organization. We reach that goal by making sure the program as a whole keeps the board informed as to what is happening at the operational level. We are also developing training geared specifically to the board to make sure it is aware of its obligations and duty of care, which cuts across any number of issues.

Editor: How do you go about identifying risks in an organization?

Cutright: Our group works with organizations at a strategic level to identify what risks employees may face, such as the legal implications of some of the business activities they engage in, the training available in response to those risks and what gaps exist that we can address. We use a process of risk-assessment to identify the risks. We use training to mitigate, manage and control it. We use comprehensive testing as well as an online vehicle for soliciting employee feedback, getting responses to surveys on the efficacy of the program in general and training specifically. We have a proprietary tracking and administrative system that enables our clients to document their procedures and thus sail through an audit.

Editor: How do you measure success in uncovering existing problems?

Cutright:Of course, the ideal is prevention, and the second line of defense is early detection. Given the inherent conflict between those goals, it is very hard to know if you have really prevented a disaster, or simply failed to discover it.We work with clients in measuring the efficacy of their programs, looking at internal metrics and benchmarking against third parties. We talk with clients about looking at their historic rates of employee complaints, investigations initiated, lawsuits filed, settlements paid. The same type of approach is used to look at feedback from employee hotlines. We can demonstrate the effectiveness of our communications by testing employees' comprehension and retention of course material, and tracking course completion rates.And we can measure our own efficacy by the fact that we have a growing business with a rapidly growing roster of clients.

Editor: Do you also counsel clients about potential risks they may not be aware of but which is part of your cumulative knowledge from working with many clients?

Cutright:Absolutely. We work with leading companies in multiple industries and have a continuous feedback process so that risks and issues that emerge in one organization help us in seeing potential risks in other organizations. We are all experienced lawyers who spend a lot of time working with our research group and within the compliance services group to monitor legal developments and maintain our legal edge so that we are a conduit of best practices information to our clients.

Editor: Does your organization have specialists working in specialized risk areas?

Cutright: We do not segregate issues, because our clients cannot do so. Our goal is to support clients by maintaining a high level of support in the form of an account team. We cover all issues facing a client, bringing in subject matter experts in the form of an advisory panel, but also maintaining a free flow of information and professional education so that we can provide clients with a full service product. There is differentiation in our course curricula, with different courses for different risk buckets. Ethics and compliance programs represent a golden opportunity to establish a robust communications channel among employees. The ethics training program is a way for the CEO to get before his employees with a consistent, sustained and meaningful message, allowing employees to know what matters and whom he or she can approach if a problem arises. This goes a long way to ensuring that critical information goes to those who can act upon it, as well as making the employee feel he matters.

¹ The Committee of Sponsoring Organizations of the Treadway Commission is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.It was formed in 1985 and chaired by James Treadway, General Counsel of Paine Webber and a former SEC Commissioner.It is currently chaired by Dr. Larry Rittenberg.

² As described subsequently in the Ad Hoc Advisory Group Report:

"The former [speed trap] involved a reactive policy to corporate lawbreaking.The government seemed to concentrate on nabbing those offenders who came within readily available radar, but little effort was made to create incentives for corporations to prevent the lawbreaking in the first instance.The "circle the wagons" response of corporations to government enforcement efforts grew out of the fact that corporations had little reason to respond in a more constructive fashion.The unpredictability and variation in the sanctions imposed upon convicted corporations meant that there was no obvious incentive to galvanize resources to avoid such sanctions.Indeed, in many cases, the sanctions were less expensive than avoiding liability in the first instance.Further, there was no guarantee that corporate cooperation or compliance efforts would be rewarded in a concrete way, either in charging decisions or at sentencing."