Knowledge of Good and Evil: A Brief History of Compliance
Adam’s bite of forbidden fruit marked the first recorded compliance violation, but not the last. Corporations perpetually struggle to stay compliant with the ever-increasing complexity of laws, rules, and regulations. A board of directors that fails to oversee a system of compliance may not only call into question its fiduciary duty standards, but may give rise to claims of tort liability or even criminal liability. Effective management of compliance risk and reputational risk requires a firm to link ethical business behavior to its culture: to establish ethics as an integral part of a company’s continued business success.
But the line between compliant actions and unethical business behavior has become increasingly difficult to draw. Enron and WorldCom marked the beginning of escalating prosecutions of corporations and individuals for acts that were interpreted as unethical and illegal only after the fact, with the benefit of hindsight. Such prosecutions include the New York State Attorney General’s pursuit of New York Stock Exchange chief executive Dick Grasso for excessive compensation, and the Enron-related prosecution of bankers for their personal involvement in the off-balance-sheet Nigerian barge deal transactions.
WHAT IS COMPLIANCE?
Today compliance is defined as “being in accordance with established guidelines, specifications, or legislation, or the process of becoming so” (SearchDataManagement.com 2008). Compliance (and its organizational structure) is viewed as the relationship that is established by senior management’s control of the company’s business activities and by the orientation of company employees to this power of senior management.
The growth of the United States in the 1950s and 1960s prompted the development of modern management culture and organizational structures. In the 1960s, organizational sociologists such as Amitai Etzioni began to study and identify management structures and sources of power for compliance controls.
Etzioni identified normative or identitive power, whereby an organization creates compliance by using symbolic images and intrinsic rewards to build loyalty. Although firms with powerful cultures and brand names may employ identitive power to a limited degree, it is more commonly linked with universities, not-for-profit corporations, and professional organizations. He also discussed coercive power, in which compliance is established by the use or threat of physical force. Coercive power pertains to prisons and military units rather than the business environment.
Finally, Etzioni studied remunerative or utilitarian power, which relates directly to business and is rooted in an organization’s control over material resources and extrinsic rewards such as salaries, bonuses, and benefits. Today’s firms commonly link their performance management processes with incentive-based performance measurements that in turn establish minimal compliance thresholds for year-end bonus eligibility (Marshall 1998).
THE ROOTS OF COMPLIANCE SYSTEMS
Modern compliance programs can be traced back to the turn of the 20th century, when public safety agencies began to emerge. The Food and Drug Administration, for example, was created in 1906. Spurred on by novels such as Upton Sinclair’s The Jungle, the new public safety movement increased friction between private business and the federal government as it began oversight of industries as diverse as meatpacking and financial services.
This model of centralized governmental oversight was constrained by governmental resources, by political willpower, and by compliance objectives that were limited to public safety initiatives. It’s still used today, as demonstrated by the recent expansion of the power of the Consumer Product Safety Authority in response to numerous safety issues related to the importing of children’s toys, pet food, and other products from China.
Although the growth of organized labor reduced the role of centralized oversight, the public model for compliance enforcement was predominant until the 1970s. Several events during this period, such as the Watergate scandal and foreign corruption investigations, transferred the responsibility for compliance to private industry. Corporations recognized the need to become increasingly knowledgeable about their sales practices, manufacturing processes, and the overall business conduct of their industries.
In December 1977, the Foreign Corrupt Practices Act was signed into law after an investigation by the Securities and Exchange Commission revealed that several hundred US companies engaged in bribing foreign officials to obtain foreign government contracts or bidding advantages. This law, along with the creation of enforcement agencies such as the Environmental Protection Agency and the Drug Enforcement Agency, prompted companies to develop internal resources that would actively monitor compliance with the laws, rules, and regulations of their industries.
The defense industry procurement scandal of the 1980s was the impetus for the creation of managerial positions to oversee a firm’s adherence to proper and ethical business practices, known today as compliance and ethics officers. The procurement scandal—emblematized in the media by reported Department of Defense purchases of $400 hammers and $600 toilet seats—led to the voluntary creation, by 32 defense contractors, of the DII (Defense Industry Initiative) in 1986. The DII was a revolutionary industry-led initiative that preempted governmental action with the creation, adoption, and implementation of a set of principles endorsing ethical business practices and conduct. It acknowledges the contractors’ corporate responsibilities to the Department of Defense.
In response to the increase in corporate scandals and the perceived inconsistency of criminal sentencing, the US Sentencing Commission created the first federal sentencing guidelines for organizations in November 1991. In addition to serving as standards to govern the sentencing a judge may apply, these guidelines also articulated the specific elements of an effective compliance and ethics program. Companies that embarked on such programs would be eligible for more lenient sentences. To qualify as “effective,” a company’s compliance program would not only have to establish standards and procedures to prevent and detect criminal conduct, but would have to actively promote a culture encouraging ethical conduct and compliance with the law. The emendation of those guidelines in 2004 reflected the need for corporate boards to demonstrate knowledge of compliance programs and fulfillment of oversight responsibilities as part of monitoring the effectiveness of companies’ compliance and ethics programs.
The criminal trial of Arthur Andersen, LLP, during the Enron scandal and the collateral consequences stemming from the firm’s conviction highlighted the challenge facing prosecutors in rooting out corporate fraud. The increased sensitivity to the role of the organizational defendant in business, regional, or political environments began a grassroots shift in law enforcement strategy. The focus was now on reforming corrupt corporate cultures, rather than indicting, prosecuting, and punishing corporations.
Federal and state prosecutors’ increasing utilization of pretrial agreements such as nonprosecution agreements and deferred prosecution agreements in corporate criminal investigations has created a de facto regulator for corporate business behavior, an area of increasing friction. As a result, compliance and ethics programs are now being integrated into risk management and general counsel oversight. This increased attention requires that corporate boards be assured that compliance issues are being addressed and that material problems and risk discussions are being brought to the boards’ attention.
COMPLIANCE AND CORPORATE RISK MANAGEMENT
Compliance risk has only recently been recognized as a distinct risk class requiring dedicated resources, program design, and oversight by senior management. The Basel Committee on Banking Supervision (2005) defines compliance risk as “the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities.” Since 2005, global banking regulators have held that financial organizations should design effective compliance risk management programs that embrace risk-based approaches incorporating controls designed to maintain compliance with risk-assessed rules and standards.
Critical events in today’s financial system are evidence of the complexity and challenges of modern risk management. The downfall of Bear Stearns and Lehman Brothers has demonstrated the degree to which external risk events can create a loss of confidence resulting in permanent reputational damage and impaired shareholder value. Disclosure of fraudulent activity or improper business practices may permanently damage a firm’s reputation, driving away customers, shareholders, and counterparties.
Recent studies have demonstrated that reputational risk events can erode a firm’s expected future cash flows—either because of the loss of current or future customers, or because of the loss of current or future business partners—thereby increasing the market’s required rate of return (Perry and de Fontnouvelle 2005). Compliance risk management can mitigate the effects of these events, either by eliminating improper business practices or by enhancing a company’s external reputation with regulators, governmental entities, customers, counterparties, and business partners. (It is important to note that neither market nor consumer behavior is responsible for compliance risk. This risk depends entirely on the firm’s interpretation of business standards and its implementation of controls.)
THE INVESTOR’S PERSPECTIVE
Investment professionals should have a comprehensive view of target firms’ risk management programs, including compliance and ethics program oversight, and should be aware of compliance risk red flags such as the following:
- The firm occupies a leading position in a highly regulated industry such as financial services, telecom, or health care.
- The firm has recently increased the complexity of its product offerings, customer base, or geographic locations.
- Historically negative market reactions (e.g., loss of market valuation, market share, or key customers) to internal events that impair the firm’s reputation.
- The “tone at the top” of the firm: the leadership reputation of senior management and the board of directors is perceived unfavorably.
- Organizational memory: the firm tends to forget historical errors and routinely jumps into the latest industry trends without proper risk reflection and planning.
- Compensation management: the firm incentivizes excessive risk taking and is intolerant of managerial failure.
A 2005 benchmarking survey conducted by the nonprofit Open Compliance and Ethics Group demonstrated that 54% of all existing compliance and ethics programs had been created in the years 2000–2005. The immaturity of compliance programs, then, gives rise to various opportunities for consulting and technology services (Aguilar 2006). Already, publicly traded professional service corporations that provide business advisory and risk management services have moved in rapidly. Information technology will also be a key driver of sustainable and productive compliance programs, especially in the areas of training execution, risk measurement, and program reporting.
A final factor is the role of compliance and ethics programs in driving business strategy and initiatives. In many companies, environmental protection laws and corporate responsibility reports were once the province of compliance and ethics programs. As compliance officers struggled to create corporate motivation to adhere to emerging environmental and business practice standards, some firms recognized the changing consumer and political environment. These firms are today’s leading “green” businesses. They’ve enhanced their reputations with products that profit from the societal movement toward an organic, carbon-free lifestyle. Compliance and ethics programs are often viewed as an impediment to conducting business, but as the green companies demonstrate, those programs can provide multiple rewards—from risk mitigation, to reputational enhancement, to business strategy development.
Aguilar, Melissa Klein. March 28, 2006. “Setting the Benchmark for Compliance Programs.” Compliance Week.
Basel Committee on Banking Supervision. April 2005. “Compliance and the Compliance Function in Banks.” Bank for International Settlements.
Marshall, Gordon. 1998. A Dictionary of Sociology. Retrieved December 3, 2008, from Encyclopedia.com.
Perry, Jason, and Patrick de Fontnouvelle. October 2005. “Measuring Reputational Risk: The Market Reaction to Operational Risk Announcements.” Federal Reserve Bank of Boston.
Open Compliance and Ethics Group. 2005. “OCEG 2005 Benchmarking Study.”
SearchDataManagement.com. September 23, 2008. TechTarget.
John MacKessy is the founder of Prism Risk Advisors, in which capacity he draws on a breadth of regulatory and investigative experiences, including participation in global compliance investigations and government-appointed monitorship teams, as well as perspectives gained as a compliance and risk officer for several financial institutions.