FSGO Series: Part 2
Federal Sentencing Guidelines: Enterprise Risk Management
2004
Kenneth W. Johnson
Background
Last month, we introduced a series of articles promising to discuss in detail the recently amended Federal Sentencing Guidelines for Organizations ("Amended Guidelines"). That introductory article noted that the U.S. Sentencing Commission ("Commission") had provided new terms pregnant with meaning, such as compliance and ethics program; governing authority and organizational leadership; and "certain individual(s) hav[ing] day-to-day responsibility for the compliance and ethics program." We emphasized that with new terms came new or expanded responsibilities.
Series Topics
- Introduction
- Explore the significance of the new requirements for risk assessment and program evaluation
- Lay out, in detail, the seven required elements of an effective program
- Explore how an organization might approach evaluating its ethics and compliance program
- Examine how the Commission addressed the issues of what is coming to be known as the "litigation dilemma"
- Integrate the FSGO provisions relating to small organizations
- Conclude with thoughts about how organizational leaders might take the notion of an effective program farther than the Commission's charter allowed it to go.
The article also noted that the Amended Guidelines embrace four profound changes: (1) a broadened purpose for an effective compliance and ethics program to promote an ethical organizational culture, (2) specific requirements to design a program around identified risks and periodic program evaluation, (3) recognition of a practical disincentive to having an effective program, often called the "litigation dilemma," and (4) attention to the challenges of compliance for the small organization.
In this article, we discuss the new requirements of "risk assessment" and "program evaluation." We will put these requirements into the broader context of other current management initiatives, such as "enterprise risk management," "managing for results," and "outcomes-based program evaluation." These various initiatives suggest that, to be effective, a compliance and ethics program must manage identified risks and uncertainties through a carefully tailored program that is designed, implemented, enforced, and evaluated to achieve carefully chosen program outcomes.
Specific provisions.
The sentencing of organizations is treated in Chapter Eight of the Guidelines.(2) In that chapter, the Commission provides for mitigation in sentencing if the organization can demonstrate that it had an "effective compliance and ethics program." The minimum requirements for such a program are listed in §8B2.1: (1) the purpose of a compliance and ethics program (§8B2.1(a)); (2) the minimum requirements of an effective program (§8B2.1(b)); and (3) a requirement for periodic risk assessment (§8B2.1(c)).
The stated purpose of an effective program is to "exercise due diligence to prevent and detect criminal conduct" and "otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law." However, the purpose is somewhat broader, since the Commission declares in §8C2.5(f)(2) that the benefits of having such a program "shall not apply if, after becoming aware of an offense, the organization unreasonably delayed reporting the offense to appropriate governmental authorities" (emphasis added). Broadening the purpose even further, the Commission observes in the introductory materials to the Amended Guidelines that such a program "also should facilitate compliance with all applicable laws" (emphasis added).
If we take these into account, a restated purpose of an effective compliance and ethics program is "to exercise due diligence to prevent, detect, and report criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with all applicable law." Next, in subsection (b), the Commission declares that there are seven minimum requirements, which serve as the "hallmarks" of an effective compliance and ethics program. These serve as "indicators of program performance":
(1) Standards and procedures to prevent and detect criminal conduct;
(2) Responsibility at all levels of the program, together with adequate program resources and authority for its managers;
(3) Due diligence in hiring and assigning personnel to positions with substantial authority;
(4) Communicating standards and procedures, including a specific requirement for training at all levels;
(5) Monitoring, auditing, and non-retaliatory internal guidance/reporting systems, including periodic evaluation of program effectiveness;
(6) Promotion and enforcement of compliance and ethical conduct; and
(7) Taking reasonable steps to respond appropriately and prevent further misconduct upon detecting a violation.
In the original guidelines, these indicators formed the core of an effective program. Hundreds, if not thousands, of conferences were devoted to the best practices of complying with what the Commission then described as "seven types of steps" to an effective program. Most of the changes in these seven requirements reflect those "best practices," emerging regulatory requirements such as Sarbanes-Oxley, and experience over a scandal-filled decade. One change that does not reflect a widely practiced best practice, and one of the two subjects of this article, is the §8B2.1(b)(5)(A) requirement that an organization "evaluate periodically the effectiveness of the organization's compliance and ethics program."
Placing these "best practices" into perspective, however, the Commission now requires in subsection (c) that "an organization must periodically assess the risk of the occurrence of criminal conduct." In practice, this provision changes the emphasis of compliance and ethics program design, implementation and enforcement from program best practices to effectively managing identified risks and uncertainties. A profound change.
Risk Assessment and Program Evaluation.
The effectiveness of a compliance and ethics program under the Amended Guidelines formally comes into play only after an organization has been convicted of federal criminal conduct.(3) Once convicted, the burden of proof shifts to the organization to make the case that it had an effective program, as the Commission defines one, when it argues for a lighter sentence and seeks to avoid probation.
In our view, the underlying logic for the Commission's compliance and ethics program requirements can be better understood by reading the new requirements for risk assessment and program evaluation together, even though they are in different subsections. Such a reading addresses not only the Commission's specific requirements, but also the larger context of program effectiveness, since over the last decade or so, three concepts have come to the fore in the esoteric area of evaluating program effectiveness.
Enterprise Risk Management. The latest development is a new "integrated framework for enterprise risk management," offered by COSO, the Committee of Sponsoring Organizations of the Treadway Commission. This framework, which has only been available in hardcopy since 25 October 2004, will probably lay the foundation for compliance and ethics programs in the future, much as a predecessor framework provided the foundation for program requirements in its earlier "integrated foundation for internal controls."
The similarity to the Commission's requirements for an effective compliance and ethics program is striking. For example, COSO defines enterprise risk management as:
[A] process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.(4)
The literature on enterprise risk management recognizes three broad areas of risk management: credit risk, market risk and operational risk. The Commission's requirement for risk assessment falls into the broad category of "operational risk."
Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events.(5)
Though the definition is common, author James Lam notes, "there is still considerable debate on how it should be applied." Lam argues that an organization has a number of tools available to it "to assess, measure, and manage operational risks":
- Loss-incident database: the loss-incident database should be used to support root-cause analysis and risk mitigation strategies, as well as to facilitate the sharing of lessons learned.
- Control self-assessment: an internal analysis of key risks, controls, and management implications. Tools that support self-assessments include surveys, issue-specific interviews, focus groups, team meetings, and facilitated workshops.
- Risk mapping: Building on the work from control self-assessment, the organization's key risk exposures can be ranked with respect to their "probability" and "severity."
- Risk indicators and performance triggers: Risk indicators are quantitative measures that represent operational risk performance for a specific process. Program managers would deal with specific requests and reports, of course, but trigger levels can be established in terms of goals and minimum accepted performance levels (MAPI) to guide systemic problem solving.

All of these tools can be used by the responsible managers of a compliance and ethics program to conduct its enterprise-wide risk assessment and design, implement, and enforce an effective program to meet the identified risks and uncertainties. Examples might include tracking issues employees seek guidance on, misconduct reported, or employee satisfaction by business unit or staff function; reviewing internal and outside audit reports, regulatory investigations/complaints; and conducting exit interviews and stakeholder satisfaction surveys. Industry leaders are often subjects of media reports and advocacy groups, which may raise operational risk issues, not to mention reputation risks.
Managing for Results. Second, federal and state governments alike now require that programs be evaluated by their results or outcomes rather than simply by their activities or immediate outputs. For example, a purpose of the federal "Government Performance and Results Act of 1993" (GPRA) is to "improve Federal program effectiveness and public accountability by promoting a new focus on results, service quality, and customer satisfaction." This is to be accomplished, in part, through "performance plans," which are to "establish performance indicators to be used in measuring or assessing the relevant outputs, service levels, and outcomes of each program activity."

The State of Maryland's Managing for Results program, defined in the text box, emphasizes that programs are responsible for achieving results, not simply for engaging in processes and activities. Moreover, the results desired are based upon internal and external assessments, planning for results, and performance evaluation.(6)
Outcomes-based Program Evaluation. Finally, in the program evaluation community, the approach known as "outcomes-based program evaluation" is expanding to address issues in other areas, such as Total Quality Management. The logic for this parallels the GPRA focus on results. Responsible managers realize that the significance of a program lies not in the structures it has or what program staff do so much as in what changes actually occur in the target population. These changes are much more difficult to identify and measure, but they are, after all, the whole point of a program.
Outcomes-based program evaluation requires that the organization be able to document its situation; the resources dedicated to the program; the program structures and systems; the activities or processes planned and undertaken; the outputs, such as the number of people trained; and, more important, the outcomes and the actual impacts/benefits/changes for the targeted employees and agents.(7)
Training required under the compliance and ethics program, §8B2.1(b)(4), provides a good example of how this applies to the Commission's requirements. When an organization argues to a federal judge that its program is effective, he or she will be only mildly interested that the organization has a state-of-the-art online training program if the organization is unable to demonstrate that its training program was geared to dealing with a specific body of risks and actually contributed to an explicit program outcome: reducing misconduct or encouraging reporting of misconduct, for example.
Restated Logic of the Amended Guidelines.
With these external developments in mind, and given that the purpose of a program is to prevent, detect and report criminal conduct and otherwise promote a culture of ethical conduct and a commitment to compliance with the applicable law, the logic of the Amended Guidelines would take the following course. The organization must:
1. Surface its core beliefs, which need to include a commitment to compliance with the letter and spirit of the law and ethical conduct, as it defines it;(8)
2. Understand the strengths and weaknesses of its own culture and organizational capacities;
3. Scan its business environment, presumably on an enterprise-wide basis, to determine what pressures the organization faces, especially the risk of criminal conduct and violating other applicable laws, and, more broadly, benchmarking data of industry standards and best practices;
4. Determine, relative to its goals and objectives and baseline data of its prior performance, what outcomes should be expected of the program;
5. Identify targets and measurable indicators of expected program outcomes;
6. Design, implement, and enforce its program to meet all seven of the hallmark minimum requirements; and
7. Regularly evaluate its program to determine if it was effective and capture what the organization learned along the way.
Conclusion.
The Amended Guidelines reflect what has been learned in the compliance and ethics field since 1991 and in other, related fields, such as enterprise risk management, managing for results, and outcomes-based program evaluation. The purpose of this article has been to put the Amended Guidelines into a broader context to enhance practitioner understanding of the Commission's requirements for designing, implementing, enforcing and evaluating an effective compliance and ethics program as an integral part of the way the organization pursues its vision for the future, while working to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with all applicable laws.
1. The Commission proposals were made to Congress on 30 April 2004 and took effect automatically on 1 November 2004, when Congress did not pass legislation rejecting them. At the time of this writing, the Commission's description of its intent can be found at http://www.ussc.gov/2004guid/RFMay04_Corp.pdf.
2. The earlier seven chapters describe the effect of the provisions as a whole and deal with specific punishments for specific crimes by individuals.
3. It is beyond the scope of this article, but the Department of Justice has given its prosecutors guidance on when to prosecute an organization for the acts of its employees, which references, but does not mandate considering whether it had an effective program under the guidelines.
4. Executive Summary, "Enterprise Risk Management - Integrated Framework", p. 2. It is important to note that the "risk appetite" for violation of criminal laws, all applicable laws and regulations, and standards of ethical conduct needs to be set at zero.
5. James Lam, Enterprise Risk Management: From Incentives to Controls (Hoboken, NJ: John Wiley & Sons, 2003), p. 210 quoting the British Bankers' Association, International Swaps and Derivatives Association, PriceWaterhouseCoopers, and RMA, "Operational Risk: The Next Frontier," 1999.
6. See the State of Maryland resources for its "Managing for Results" program: available at http://www.dhr.state.md.us/mfr/.
7. As one online source notes, outcomes are usually expressed in terms of short-term (knowledge and skills); intermediate or medium-term (conduct or behaviors); and long-term outcomes (values, conditions, and development). See Carter McNamara, Basic Guide to Outcomes-Based Evaluation for Nonprofit Organizations with Very Limited Resources: available at http://www.mapnp.org/library/evaluatn/outcomes.htm. For detailed discussion of expected program outcomes see Chapters 4 and 10 of Managing the Responsible Business Enterprise in Emerging Market Economies: available at http://www.responsible-business.com/manual.html/. See also Treviño, Linda K. et al., "Managing Ethics and Legal Compliance: What Works and What Hurts," California Management Review vol. 41 (Winter 1999), pp. 131-51.
8. See, e.g., Collins, James C. and Jerry I. Porras. Built to Last: Successful Habits of Visionary Companies. New York: HarperBusiness, 1994, 1997, 2002.