Evaluating compliance programme effectiveness


Ethical Boardroom

By Steven W. Ortquist, Managing Director of Aegis-Compliance & Ethics Center LLP



Will your organisation’s ethics and compliance programme withstand scrutiny? This question has become a very real one for many organisations based or operating in the US in recent months as the US Department of Justice has increasingly focussed on whether a programme should earn a reduction or elimination in the charges that are contemplated against organisations targeted by DOJ investigations.

Since the DOJ’s Principles of Federal Prosecution of Business Organisations¹ were revised in August 2008 and incorporated in the DOJ Manual, US Attorneys have had a set of questions and factors to consider when evaluating whether a compliance programme should be a mitigating factor in criminal charging decisions.

But several recently published comments by Criminal Division prosecutors suggest that the focus of the Department on the effectiveness of ethics and compliance programmes is becoming increasingly important. Former Principal Deputy Assistant Attorney General Marshall L. Miller, for example, said: “In fact, one is hard-pressed to find a corporate resolution with the Justice Department that does not contain a prominent reference – whether positive or negative – to the company’s compliance programme.”²

The DOJ’s press release in a matter involving Morgan Stanley and Gordon Peterson, its former managing director for real estate in China, tells the story of success that can result when a compliance programme is deemed effective by the DOJ. After Morgan Stanley disclosed to DOJ that Peterson had violated the Foreign Corrupt Practices Act by transferring ownership in a building to a shell corporation owned by Peterson and a Chinese public official, and Peterson pleaded guilty to violating the FCPA, the DOJ announced that it had declined to bring charges against Morgan Stanley in part because of the strength of its compliance programme.

An extract from the DOJ press statement reads: “Morgan Stanley trained Peterson on the FCPA seven times and reminded him to comply with the FCPA at least 35 times. Morgan Stanley’s compliance personnel regularly monitored transactions, randomly audited… and tested to identify illicit payments. Moreover, Morgan Stanley conducted extensive due diligence on all new business partners and imposed stringent controls on payments made to business personnel… After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct.”³

The recent announcement of the DOJ’s hire of a compliance programme expert to assist in its evaluation of compliance programmes is a further indication of the DOJ’s increasing focus in this area. In a comment to the newspapers, Andrew Weissmann, chief of the DOJ’s Criminal Division Fraud Section, said: “We are seeking to assure that companies have tough but realistic compliance programmes that detect and deter individual wrongdoing by executives. Importantly, our compliance counsel will be instrumental in ferreting out whether a corporate compliance programme is truly effective or a mere paper tiger.”⁴

Independent evaluation

As a board member, how do you know whether your organisation’s compliance programme will fare as well as Morgan Stanley’s if the DOJ or another regulatory or enforcement body turns its focus on your organisation? You might consider taking the same step that the DOJ has recently taken: hire an expert to conduct an evaluation of the effectiveness of your compliance programme. There are several good reasons to consider this.

Primary compliance programme guidance documents from regulatory and enforcement agencies call for periodic evaluation of a compliance programme. For most organisations the structure and operation of the compliance programme is not dictated by law or regulation, but instead is based on guidance that has been provided by one or more agencies of government. Consistently, these guidance documents call for periodic review of a compliance programme to ensure that the programme is operating effectively. From a review of these guidance documents one can reasonably conclude that, to operate an effective compliance programme, an organisation must periodically evaluate the programme to assure itself that it is keeping pace with the organisation’s risk environment and is achieving desired ends. Two important examples of guidance include:

United States Federal Sentencing Guidelines, Chapter Eight: Sentencing of Organisations – the seminal guidance for US-based organisations provides in part that to operate an effective compliance programme, an “organisation shall take reasonable steps … to evaluate periodically the effectiveness of the organisation’s compliance and ethics programme…”⁵

United Kingdom, Ministry of Justice, Bribery Act of 2010 Guidance – this similarly provides that an organisation “might wish to consider seeking some form of external verification or assurance of the effectiveness of the anti-bribery procedures…”⁶

Several additional examples exist – each suggesting that periodic external evaluation of a compliance programme is itself important to ensuring that the compliance programme will be deemed effective if it is ever scrutinised by regulatory or enforcement officials.

A board can rely on the opinion of experts in meeting its fiduciary obligation to oversee a compliance programme. Under most relevant statutory schemes and judicial precedent, directors are able to rely on the opinions, reports and statements of experts in meeting their fiduciary duties, including the duty to provide oversight to an organisation’s compliance programme efforts. The Delaware General Corporation Law⁷ states that: “A member of the board of directors… shall, in the performance of such member’s duties, be fully protected in relying in good faith upon the… opinions, reports or statements presented to the corporation by any… person as to matters the member reasonably believes are within such other person’s professional or expert competence and who has been selected with reasonable care by or on behalf of the corporation.”⁸
The American Bar Association’s Model Business Corporation Act similarly provides that directors are entitled to rely “on persons retained by the corporation as to matters involving skills or expertise the director reasonably believes are… within the particular person’s professional or expert competence”.⁹

And, in both In Re Caremark and Stone v. Ritter, the leading opinions on directors’ duty to oversee compliance programmes, the Delaware Chancery Court found external evaluations of compliance programmes persuasive in reaching decisions not to hold directors personally liable for compliance-related losses: “The Ethics Committee of Caremark’s Board received and reviewed an outside auditor’s report …which concluded that there were no material weaknesses in Caremark’s control structure.” “The [compliance programme evaluation] Report reflects that the directors not only discharged their oversight responsibility to establish an information and reporting system, but also proved that the system was designed to permit the directors to periodically monitor AmSouth’s compliance…”

Factors to consider

Scope of the evaluation. Be certain that the scope of the evaluation is broad enough – and that resources are adequate – to fully test and confirm that the compliance programme is designed, implemented and is operating effectively. If you are using an expert to conduct the evaluation, allow the expert to assist you in defining the scope. Get involved as a director in assuring that the scope of the review will give you and your fellow directors a complete assessment of the compliance programme. While it is important to ensure an adequate scope, don’t expect a compliance programme evaluation to confirm for you that the organisation is ‘in compliance’ with legal requirements. Instead, a compliance programme evaluation should be directed at testing whether the compliance programme is well-designed, properly resourced and is operating effectively.

The evaluation should focus on the structure and operation of the programme itself, not on whether the organisation is meeting regulatory requirements. Be certain that your engagement letter clearly addresses the scope of the evaluation. Think, too, about what evaluators should do if, in the course of evaluating the compliance programme, they stumble across substantive questions about actual compliance (or non-compliance) with legal and regulatory requirements. These questions certainly need to be investigated and resolved, but an evaluation of the compliance programme may not be the appropriate forum for addressing such questions. Be certain that your engagement letter addresses how such questions will be resolved in the course of a compliance programme evaluation.

To privilege or not to privilege? This question often seems to be in play when questions of compliance are being addressed. Should the compliance programme evaluation be conducted at the direction of counsel, in anticipation of litigation, so that any resulting report about the effectiveness of the compliance programme will be subject to the attorney-client and work product privileges? The answer to this question will be fact specific and will be answered differently by different organisations (e.g. if you are currently under investigation by the DOJ on compliance-related matters, the answer is probably an easy one). But be certain to consider whether the evaluation and resulting report should be conducted and treated as an attorney-directed, privileged review.

Hire an independent expert to evaluate your compliance programme. The ‘compliance profession’ is a fairly new one – but I am often amazed by ‘compliance experts’ who have never had any hands-on experience building or operating a compliance programme. Ask questions and understand why the evaluator you are hiring is an expert. Has your expert designed, built and operated compliance programmes? Have they been a compliance officer? Do they have other significant experience evaluating compliance programmes (e.g. as a former prosecutor)? Understanding the nuance of what it takes to operate a compliance programme effectively is not a simple audit task that can be accomplished by following static audit guidelines. Consider carefully whom you hire to conduct this important review. Consider, too, the reviewer’s independence and objectivity. Have they or their firm been regularly engaged by your organisation, regularly involved in the compliance efforts, or will they be able to offer a truly independent, objective evaluation of the strengths and weaknesses of your compliance programme?

Will an external, independent evaluation of your compliance programme buy your organisation credit if regulators or law enforcement officials subsequently focus on your compliance programme’s effectiveness? In the current environment I believe that an evaluation by a credible expert, properly scoped and executed, for which the organisation is fully transparent, with a goal of better understanding strengths and weaknesses, will serve as strong evidence that the organisation is, in fact, striving to operate an effective compliance programme.

About the Author:

Steven W. Ortquist is a Managing Director of Aegis-Compliance & Ethics Center, LLP, in Chicago, Illinois. He has been working with organisations on their compliance programme efforts since 1997. During that time he has designed, implemented and operated compliance programmes and served as chief compliance officer for several organisations. He currently offers consulting, interim compliance officer, compliance programme effectiveness evaluation and board-level compliance expert services. He can be reached at sortquist@aegis-compliance.com.


1 U.S. Attorney’s Manual, Title 9: Criminal, 9-28.000- Principles of Federal Prosecution of Business Organisations, 9-28.800 Corporate Compliance Programmes (The Principles list a number of factors that prosecutors are required to consider in answering two questions that are posed by the Principles as fundamental: Is the programme well designed? And does the programme work?).
2 See Comments of Assistant Attorney General Leslie R. Caldwell at Compliance Week’s 10th Annual Conference, May 19, 2015; Remarks of Principal Deputy Assistant Attorney General for the Criminal Division, Marshall L. Miller at the Advanced Compliance and Ethics Workshop, October 7, 2014. Id. at Remarks by Principal Deputy Assistant Attorney General Marshall L. Miller.
U.S. DOJ Press Release titled Former Morgan Stanley Managing Director Pleads Guilty for Role in Evading Internal Controls Required by FCPA, dated April 25, 2012.
4 Comments of Andrew Weissmann, Chief of the DOJ’s Criminal Division Fraud Section to NPR Correspondent, Carrie Johnson, Justice Dept. Hires Compliance Expert in Fight Against Corporate Crime, Tweet dated July 30, 2015.
5 United States Federal Sentencing Guidelines, Chapter Eight, Sentencing of Organisations, §8B2.1.(b)
6 United Kingdom Ministry of Justice, The Bribery Act of 2010 – Guidance, Principle 6.4.
7 The State of Delaware’s Corporation Law scheme and judicial opinions are commonly seen and cited as one of the
9 Del. Code Ann. Title 8, § 141(e).
8 ABA Model Business Corporation Act, §8.30(f)(2).
9 In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), fn. 3.