FSGO Series: Part 3

Federal Sentencing Guidelines: Seven Minimum Requirements

By Kenneth W. Johnson
Ethics Resource Center 2004

Background. Last month, we introduced a series of articles promising to discuss in detail the recently amended Federal Sentencing Guidelines for Organizations ("Amended Organizational Guidelines").(1) That introductory article noted that U.S. Sentencing Commission ("Commission") had provided new terms pregnant with meaning, such as "compliance and ethics program"; "governing authority" and "organizational leadership"; and "certain individual(s) hav[ing] day-to-day responsibility for the compliance and ethics program." We emphasized that with these new terms came role recognition and new or expanded responsibilities.

The article also noted that the 2004 Organizational Guidelines embrace four profound changes: (1) a broadened purpose for an effective compliance and ethics program to promote an ethical organizational culture, (2) specific requirements to design a program around identified risks and periodic program evaluation, (3) recognition of a practical disincentive to having an effective program, often called the "litigation dilemma," and (4) attention to the challenges of compliance for the small organization.

In the last article, we discussed the new requirements of "risk assessment" and "program evaluation." We put these requirements into the broader context of other current management initiatives, such as "enterprise risk management," "managing for results," and "outcomes-based program evaluation." These various initiatives suggest that, to be effective, a compliance and ethics program must manage identified risks and uncertainties through a carefully tailored program that is designed, implemented, enforced, and evaluated to achieve carefully chosen program outcomes.

In this discussion of the 2004 Organizational Guidelines, we proceed by treating each provision separately, putting the actual language of the 2004 Organizational Guidelines in a frame at the beginning of its treatment. This language will be followed by the comments the Commission made in the document forwarding the proposed amendments to Congress. These comments will be edited only to clarify cross-references, to break its treatment into separate paragraphs, or to include a text box containing definitions of terms used by the Commission that are contained in Application Notes following a provision.

With this background information readily available, we will comment on what our research and experience suggest might be helpful in either understanding or applying the 2004 Organizational Guidelines. We will often refer to the proposals or rationales of the Ad Hoc Advisory Group that worked with Commission staff to develop the 2004 Organizational Guidelines to provide either background research or help the reader understand the intent of the Commission.(2)

Introductory Guideline Section 8B2.1(b)

Commission Comments

Section 8B2.1(b) provides that due diligence and the promotion of desired organizational culture are indicated by the fulfilment of seven minimum requirements, which are the hallmarks of an effective program that encourages compliance with the law and ethical conduct. While the framework of requirements is derived from the existing criteria for an effective compliance program [in the original 1991 Organizational Guidelines], significant additional guidance is provided. [emphasis added]

ERC Observations

With these introductory comments, the Commission signaled that these "seven minimum requirements" are not so much the "elements" of an effective program as they are "indicators" that due diligence and promotion of the desired culture occurred. Serving as indicators, as we will soon see, the Commission is "guiding" sentencing judges to look for much more activity on the part of management that is consistent with the purpose(s) of its compliance and ethics program. This concept is generally referred to in management literature as "alignment."

The Advisory Group report described a number of emerging standards it felt had gone beyond the 1991 Organizational Guidelines, which guided its thinking and recommended changes. These emerging standards:

reflect three major departures from the organizational sentencing guidelines compliance paradigm in that they:

(1) Extend conduct codes and related compliance efforts beyond mere law compliance to the development of an organizational culture that encourages a more effective commitment to compliance with the law, including ethics-based standards and procedures;

(2) Recognize the responsibilities and accountability of organizational leadership for compliance efforts; and

(3) Explicitly require organizations to focus their compliance efforts by conducting careful risk assessments of probable types and sources of misconduct in company operations and then using the results of these assessments to target compliance efforts and tailor compliance program features. [emphasis added]

Note that in point (3) above, the Advisory Group used the phrase "to target compliance efforts and tailor compliance program features." Though it did not specifically refer to expected program outcomes and program evaluation, presumably it would agree that products of "conducting careful risk assessments" include (1) determining what specific outcomes the organizational leadership intends to achieve and (2) an outcomes-based program evaluation.

Guideline Section 8B2.1(b)(1)

Commission's Comments

First, §8B2.1(b)(1) provides that organizations must establish "standards and procedures to prevent and detect criminal conduct." Application Note 1 establishes that "standards and procedures" encompass "standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct."

ERC Observations

The Advisory Group to the Commission noted that commentators suggested that it require very specific standards and procedures. Instead, the advisory Group recommended a general provision, observing that:

Experience has shown that different standards and procedures are utilized by different industries and are influenced by the size of the organization, its complexity, and the nature of its business function.

Research and experience that standards and procedures in an effective compliance and ethics program go beyond these minimum requirements and take into account the core beliefs, culture, and context of the organization. They must be designed to meet the risks and uncertainties the organization actually expects to face, while taking into account the culture of the organization in terms of their content and tone. They must be consistent with the core beliefs of the organization. For example, a vision statement, including core purpose, core values, and an envisioned future, have been found to provide the essential foundation for preserving the core of the organization while stimulating progress.(3) In short, an effective compliance and ethics program provides significantly more guidance to employees and agents than "standards and procedures to prevent criminal conduct."

Context and culture also matter. Where an organization operates in a highly regulated industry and has an organizational culture that is comfortable with detailed, even bureaucratic guidance, a detailed, rules-based approach to setting standards and procedures may be effective. For a more values-oriented organization that prides itself on innovation and flexibility, a rules-based, bureaucratic approach might be disastrous. Even a values-based organization must often guide its employees and agents through required rules. Often, for example, however values-based an organization might want to be, government regulation or industry practice may require specific standards and procedures, such the requirements for publicly listed companies in the Sarbanes-Oxley Act of 2002.

Though not specifically required, organizations should be alert to including certain standards and procedures regarding the operation of the program itself. For example, policies addressing specific requirements of an effective compliance and ethics program should be included in a code of conduct or other supporting documents. Do employees and agents have an obligation to seek advice and report observed or suspected offenses? Some organizations require employees to report their concerns. Most do not. What is the policy regarding abuse of the helpline? Some will punish an employee who abuses a helpline by filing a false concern in order to hurt a fellow employee, though this risks giving the appearance of retaliation.

Finally, and perhaps must important, what is the policy of the organization on reporting employee or agent misconduct to governmental authorities? As we will discuss in our treatment of §8B2.1(b)(7), self-reporting is an often-neglected program requirement. Some organizations, especially those heavily involved in government contracting declare a policy of self-reporting. Most do not.

Guideline Section 8B2.1(b)(2)(A)

Commission's Comments

Second, the new guideline replaces the requirement that "specific individual(s) within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance" with more specific and exacting requirements.

Section 8B2.1(b)(2) defines the specific roles and reporting relationships of particular categories of personnel with respect to compliance and ethics program responsibilities. Specifically, the Commission has determined that the organization's governing authority must "be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program." Application Note 1 defines "governing authority" as the "(A) Board of Directors, or (B) if the organization does not have a Board of Directors, the highest-level governing body of the organization."

ERC Observations

This may be one of the most significant amendments. Even where access to the board or an audit committee was authorized under a compliance and ethics program, the board itself was generally not involved in its design, implementation, or effectiveness. This had been the case even though the influential Chancery Court of Delaware had referred to the 1991 Organizational Guidelines, when it announced that:

A director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system . . . exists and that failure to do so under some circumstances may . . . render a director liable for losses caused by noncompliance with applicable legal standards." 698 A.2d 959 (Del. Ch. 1996).

The Advisory Group felt strongly that board responsibilities should be set since "ultimately the governing authority is responsible for the activities of the organization." This largely tracks the more narrow, financial requirements of the Sarbanes-Oxley Act of 2002, though it places much responsibility directly in and independent audit committee.

Guideline Section 8B2.1(b)(2)(B)

Commission's Comments

Section 8B2.1(b)(2) provides that it is the organizational leadership, defined in the guidelines as "high-level personnel," who must ensure that the organization's program is effective. The accompanying commentary at Application Note 1 retains existing definitions for the terms "high-level personnel" and "substantial authority personnel"(4)

of the organization.

Section 8B2.1(b)(2)(B) provides that the organization must assign someone in high-level personnel "overall responsibility" for the program. This prescription makes explicit that, while another individual or individuals may be assigned operational responsibility for the program, someone within high-level personnel must be assigned the ultimate responsibility for the program's effectiveness. (emphasis added)

ERC Observations

The Advisory Group considered "greater specification of the roles of organizational leadership [to be] essential," and the Commission embraced that recommendation and extended it.

Section 8B2.1(b)(2)(B) expands responsibility for effectiveness of a compliance and ethics program to include the entire organizational leadership. Where the Advisory Group recommended that "The organizational leadership shall be knowledgeable about the content and operation" of its compliance and ethics program, the Commission makes it clear that organizational leadership is responsible for the effectiveness of the program itself.

The compliance and ethics program, then, is an essential leadership function and, though lesser-ranked personnel might be assigned day-to-day responsibilities, specific responsibility for the program has to reside among the organizational leadership.

This provision retains the important proviso that at least one high-level person be assigned overall responsibility. However, the Commission was ambiguous when it commented that "someone within high-level personnel" had to be appointed. The actual guideline permits multiple individuals to have ultimate responsibility for separate areas of risk and uncertainty.

Multiple "responsible officers" will be appropriate where there are major compliance issues identified during the risk assessment process. This is often the case where an organizational function is so significant or specialized as to require its own compliance and ethics program. Examples include, designing and implementing separate compliance and ethics programs for Medicare billing in a hospital, procurement for a government contractor, or anti-money laundering for the growing list of types of entities that are covered by such legislation or regulation.

Guideline Section 8B2.1(b)(2)(C)

Commission's Comments

Section 8B2.1(b)(2)(C) requires that certain individual(s) have day-to-day responsibility for the compliance and ethics program and adequate resources to carry out the associated tasks. Specifically, §8B2.1 requires that the individual assigned day-to-day operational responsibility for the program, whether it be a high-level person or an employee to whom this task is assigned, report to organizational leadership and the governing authority on the program. If authority is delegated, the governing authority must receive reports from such individuals at least annually, according to the commentary in Application Note 3. In order to carry out such responsibility, the new guideline mandates that such individual or individuals, no matter the level, must "be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority."

ERC Observations

This is the "ethics officer-authority-to-contact-the-board" provision. It also reflects the research that suggests that ethics officers often have neither the authority nor the voice to directly influence organizational policy. A frequently heard desire is for the ethics officer to have "a seat at the table" where policy is made.

Here, the Commission elevated language to subsection (C that the Advisory Group had recommended be included as commentary. The language reflects the reality that, in current practice, an ethics officer or compliance officer might have day-to-day responsibility or "operational responsibility" for compliance and ethics program operations, but not meet the definition of "high-level personnel."

Guideline Section 8B2.1(b)(3)

Commission's Comments

Third, §8B2.1(b)(3) replaces the previous requirement that substantial authority personnel be screened for their "propensity to engage in violations of law" with the requirement that the organization "use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program."

Application Note 4(A) makes explicit that this provision does not require any "conduct inconsistent with any Federal, State, or local law, including any law governing employment or hiring practices." Application Note 4(B) provides that the organization shall hire and promote individuals so as to ensure that all individuals within the organizational leadership will perform their assigned duties in a manner consistent with the exercise of due diligence and the promotion of an organizational culture that encourages a commitment to compliance with ethics and the law. If an individual has engaged in illegal activities, the organization has an obligation to consider the relatedness of the individual's illegal activities and other misconduct to the specific responsibilities such individual is expected to be assigned. The recency of the individual's illegal activities and other misconduct also should be considered.

ERC Observations

The Advisory Group had recommended more specificity in this provision, since it had found that the provision was widely considered unduly vague and industry standards had not developed, as had the other program elements. Our experience suggests that a practice of ensuring that the organization has the right employees in the right places performing the right tasks will also go a long way toward its having an effective compliance and ethics program. Often employees break laws or standards less because they are not essentially law-abiding than because they have been given impossibly demanding job requirements for their individual capacities or inadequate resources.

Guideline Section 8B2.1(b)(4)

Commission's Comments

Fourth, §8B2.1(b)(4) makes compliance and ethics training a requirement, and specifically extends the training requirement to the upper levels of an organization, including the governing authority and high-level personnel, in addition to all of the organization's employees and agents, as appropriate. Furthermore, subsection (b)(4) establishes that this communication and training obligation is ongoing, requiring "periodic" updates.

ERC Observations

This provision reinforces the expanded board and organizational leadership responsibilities of §8B2.1(b) (2) by specifically requiring appropriate training from the board to the "organization's [other] employees, and, as appropriate, the organization's agents." In then-current practice, compliance and ethics programs were generally seen as primarily the concern of the compliance or ethics officer, until something went wrong. The board, and frequently even executives and middle managers, did not participate in compliance and ethics program training.

The reasons for excluding board members were many. They varied from board members "not needing training" to their being "too busy for training." The events surrounding the performance of the Board of Directors for Enron Corporation is as good an example as any for why compliance and ethics training needs to be at all levels of the organization. First, the mere act of attending the training communicates governing board and organizational leadership commitment to the compliance and ethics program. Second, board-and executive-level training can include essential items of information that contribute to more effective board oversight and organizational leadership program management.

However, while the ERC agrees that training is an essential element of an overall communications program, this emphasis is, in one sense, overstated. Whereas in the 1991 Organizational Guidelines, training was given as an example of effective communications, highlighting one form of communication in the 2004 Organizational Guidelines risks devaluing other, equally or even more important, forms, such as a program of manager and supervisor communications.

In our view, requiring compliance and ethics training is fine so long as it is understood that training is but one form of communication--and not necessarily the best one. For example, in recommending that the Commission require that a compliance and ethics program include training about its program, the Advisory Group observed that "effective training has two component: (1) educating all employees about compliance requirements, and (2) motivating all employees to comply." (emphasis in the original) However, in our view, the best form of compliance and ethics program communication is not specified in the 2004 Organizational Guidelines: the talk and actions of managers and supervisors. Indeed, research in the ERC National Business Ethics Survey 2003 suggests that employees who perceive that their managers and supervisors talk about ethics at work, keep promises and commitments, keep employees informed (managers), support employees who followed ethics standards (supervisors) and set a good example observed significantly less misconduct at work.(5)

The importance of compliance and ethics modeling by organizational leadership is reinforced by §8C2.5(f)(2), a significant proviso that is not a part of the Commission's definition of an effective compliance and ethics program. This subsection provides that the benefits of having a compliance and ethics program(6) shall not apply for large organizations or units, if a certain specified type of personnel, including high-level personnel, "participated in, condoned, or was willfully ignorant of the offense." It is not enough, therefore, that a high-level person be punished by the organization. If a high-level person participated, condoned or willfully ignored the offense, the organization none of the mitigation benefits of having a program.

That being said, the Commission followed the Advisory Group's recommendation by referring to "conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities" instead of "requiring participation in training programs" to discourage the notion that compliance and ethics training necessarily required formal instruction.

The Advisory Group concluded that:

The larger the organization, the more appropriate it may be to have a more formal training program with appropriate documentation and dedicated resources and tools to measure the training program's impact. The burden would thereby remain on the organization to explain what training occurred and why the organization considered it effective. (emphasis added)

Guideline Section 8B2.1(b)(5)

Commission Comments to §8B2.1(b)(5)(A) and (B)

Fifth, §8B2.1(b)(5) expands the existing requirement regarding reasonable steps to achieve compliance. Specifically, the amendment mandates that organizations use auditing and monitoring systems designed to detect criminal conduct.

It also adds the specific requirement that the organization periodically evaluate the effectiveness of its compliance and ethics program.

ERC Observations

Similar to its treatment of training, the Commission accepted the recommendation of the Advisory Group to require monitoring and auditing rather than give them as examples of how an organization might take reasonable steps to achieve compliance with its standards and procedures. In support, it pointed to several recently enacted statutory and regulatory requirements for compliance monitoring and auditing, including the USA PATRIOT Act anti-money laundering requirement for independent audit functions to test programs, Environmental Protection Agency program requirements, and Office of the Inspector General, Department of Health and Human Services, compliance program standards.(7)

As to what criteria might apply in developing effective monitoring and auditing mechanisms, the Advisory Group quoted the Health Care Compliance Association, noting that:

high quality compliance programs incorporate the following monitoring and auditing features:

(1) The organization conducts a regular compliance auditing and monitoring program consistent with the organization's size, complexity and frequency of audits;

(2) The organization has auditors that are independent, to the extent possible, from the areas of the organizations they are auditing;

(3) A written compliance auditing and monitoring plan addresses the subject, method and frequency of audits;

(4) The organization gives notice to senior management and/or the board of directors of major audit findings;

(5) Corrective action plans are produced and followed in response to adverse findings;

(6) Features of audit plans respond to the organization's history of misconduct; and

(7) Audit results are disseminated to appropriate groups for corrective actions.

Finally, in our view, as we noted in last month's issue, compliance and ethics program evaluation is best understood when read together with risk assessment and establishing expected program outcomes. Monitoring and auditing are program functions concentrating on day-to-day operations. Compliance and ethics program evaluation is taking an overview of the compliance and ethics program itself. It steps outside of program operations to determine whether the program itself actually works. What is most important, however, is that there is now an explicit requirement that management be able to make the case that its program is effective because it has periodically evaluated it for effectiveness.

This is a new and significant requirement since, in our experience, program evaluation efforts have been truly comprehensive only where the evaluation was required by some regulatory agency, such as for reinstatement as a government contractor, or by a judicial body as a condition of probation. We will discuss in much more detail what a truly comprehensive compliance and ethics program evaluation might entail in next months article.

Commission Comments to §8B2.1(b)(5)(C)

Significantly, the new guideline expands the focus of internal reporting from simply reporting "the criminal conduct . . . of others" to using internal systems to either "report or seek guidance regarding potential or actual criminal conduct." The addition of "seeking guidance" is consistent with the increased focus of this guideline on the prevention and deterrence of wrongdoing within organizations.

This section also replaces the existing reference to "reporting systems without fear of retribution" with the more specific requirement that the organization must have "a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation."

The Commission is aware that both anonymous and confidential mechanisms have inherent value and limitations. For example, anonymous mechanisms may hinder an organization from engaging in an effective dialogue with the potential whistleblower to discover additional information that might lead to a more efficient detection of the wrongdoing. Confidential mechanisms may permit the dialogue and development of maximum information, but the ability of organizations to ensure total confidentiality may be limited by legal obligations relating to self-disclosure, law enforcement subpoenas, and civil discovery requests. The Commission intends for an organization to have maximum flexibility in implementing a system that is best suited to its culture and conforms to applicable law. A responsible organization is expected, as appropriate, to communicate to its employees any applicable limitations of its internal reporting mechanisms.

ERC Observations

This provision largely reflects the best practices developed since the 1991 Organizational Guidelines. Again, the Advisory Group recommended that what had previously been an example of an element of an effective compliance and ethics program be a requirement in the 2004 Organizational Guidelines.

There are three primary ways managers can find out what is going on in the organization: they can monitor, that is, to literally or figuratively look over employee shoulders; they can audit, that is, require that certain operations stop while it determines what happened and why; or they can receive reports from employees who have concerns. Section 8B2.1(b)(5) recognizes these three methods.

In many ways, the requirement "to have and publicize a system . . . whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation" is the most difficult of the three to achieve in practice.

As the Advisory Group noted:

The 2003 National Business Ethics Survey by the Ethics Resource Center found that while there had been an overall increase in employee reporting of misconduct (compared to earlier surveys), "nearly half of all non-management employees (44%) still do not report the misconduct they observe." Fifty-seven percent of those not reporting misconduct indicated that they feared that their report would not be kept confidential (up from 38% found in the 1994 survey); 41 percent feared retaliation from their manager (the same percentage reported in 1994); and 30 percent feared retaliation by their coworkers

(up from 24% reported in 1994).(8)

Referring to other studies as well, the Advisory Group concluded that: "There is thus powerful evidence that lack of confidentiality and fear of retribution are major inhibitors to reporting."

To understand this provision it is import to distinguish between promises of anonymity in a program and promises of confidentiality.

The essential difference is that anonymously received data does not include the identity of the source. If someone in authority knows the name of the source, it is not, by definition, anonymous. Providing for anonymity has the benefit of encouraging sources to come forward because no one will know who the source is. It has the substantial disadvantage of making it more difficult to contact the source to request clarification or more information. And, when management has acted, it is more difficult to report how management responded except through some form of call-back number or general public announcement.

Confidentiality as to the source's identity requires that someone in authority knows the identity of the source, but has been authorized to withhold it from others. From the organizational perspective, this requires a policy statement empowering an individual to withhold information he or she would otherwise have to disclose. From the public perspective, it requires a "privilege" at law: a law, regulation, or precedent that empowers the organization to resist legislative, regulatory, or judicial process to compel disclosure to others.

Successfully asserting a privilege to withhold information from interested others is a matter of balancing the public's right to know against the social value of the relationship protected. Some privileges are provided through legislation: attorney-client, husband-wife, and priest-penitent. Others are developed case-by-case, as we will discuss in more detail when we address the "litigation dilemma" in following months. Examples of judicially developed privileges include the psychotherapist-patient privilege, United Technologies Corporation's Ombudsman program privilege, and a mediation materials privilege.

A privilege allows one party needing information to promise another that he or she will keep the information or identity of the source in confidence. But, for a promise of confidentiality to provide the confidence required for potential sources to come forward with their concerns, the promise must be enforceable. That is, there must be a public commitment to protecting the relationship in the form of a privilege the parties can assert against discovery--and rely upon. Indeed, as the Supreme Court of the United States has declared:

An uncertain privilege, or one which purports to be certain but results in widely varying applications by the courts, is little better than no privilege at all.(9)

This being said, both government prosecutors and the plaintiff's bar generally oppose a privilege that would allow an organization to make an enforceable promise of confidentiality to potential sources. In testimony before both the Advisory Group and the Commission, the Department of Justice opposed the Commission's incorporating "any provisions which would encourage employees or organizations to think internal self assessment and correction would be subject to a privilege, since such a privilege may not exist in law."(10) In fact, in still other testimony, it opposed such a privilege or believed that "its time has not yet come." We will discuss this in much more detail, when we discuss how the Commission addressed the "litigation dilemma" in following months.

For the time being, it must suffice to say that the Advisory Group recommended that the Commission specifically require that the compliance and ethics program provide for "mechanisms to allow for anonymous reporting." This was done in a context where the Sarbanes-Oxley Act of 2002 requires that publicly traded companies adopt procedures for the "confidential, anonymous submissions by employees of issues or concerns regarding questionable accounting or auditing practices." This provision is ambiguous, since it is not clear whether it means submissions should be confidential or anonymous or that a mechanism should provide for both anonymous and confidential submissions. What is clear is that a submission cannot be both anonymous and confidential, as far as the organization is concerned, absent a formal ombudsman program that will survive judicial scrutiny.

In the event, the Commission required neither anonymity nor confidentiality, but merely noted that the required mechanism was one "which may include mechanisms that allow for anonymity or confidentiality." And, this was probably the appropriate stance, at least so far as requiring a confidential mechanism is concerned, since it is beyond the charter of the Commission to establish a privilege. As the Commission noted, it is incumbent upon the organization to avoid promising any more confidentiality in its mechanisms than it is empowered to deliver: which requires a privilege.

Finally, we believe this language should not be read so narrowly as to only support reporting or seeking advice regarding criminal conduct. In our view, if the compliance and ethics program has set appropriate standards and procedures and adequately communicated them to employees and agents, the subject of the mechanism should not be criminal conduct per se, but issues and concerns regarding the standards and procedures established in §8B2.1(b)(1). A related issue is whether personnel issues, not involving compliance and ethics issues, should be accepted through the help line mechanism. In our view, an effective compliance and ethics program accepts all calls, except organized labor grievances, for fear of developing an undeserved reputation for rejecting callers to the help line.

Guideline Section 8B2.1(b)(6)

Commission's Comments

Sixth, §8B2.1(b)(6) broadens the existing criterion that the compliance standards be enforced through disciplinary measures by adding that such standards also be encouraged through "appropriate incentives to perform in accordance with the compliance and ethics program." This addition articulates both a duty to promote proper conduct in whatever manner an organization deems appropriate, as well as a duty to sanction improper conduct.

ERC Observations

The Advisory Group recommended no substantive changes to this provision beyond conforming its language to earlier provisions. It is curious, however, that the provision does not specifically require that "reasonable steps to respond appropriately" include reporting the offense to appropriate governmental authorities, without unreasonable delay.

Section 8C2.5(f)(2) specifically provides that the mitigation provision that makes having an arguably effective compliance and ethics program worthwhile, so far as sentencing is concerned, (8C2.5(f) (1)), "shall not apply if, after becoming aware of an offense, the organization unreasonably delayed reporting the offense to appropriate governmental authorities."

It is our experience that this requirement is often either unknown or forgotten, since it is not an express requirement of an effective compliance and ethics program, as the Commission defines one. Nonetheless, §8C2.5(f)(2) should be read together with §8B2.1(b)(7) to define an appropriate response as one including reporting an offense to governmental authorities without unreasonable delay.

Conclusion

The 2004 Organizational Guidelines reflect what has been learned in the compliance and ethics field since 1991, including legislative and judicial developments. The purpose of this article has been to provide background information and discuss the seven "minimum requirements" of an effective compliance and ethics program, as the Commission defines one. Next month, we will discuss the Commission's new requirement for periodic program evaluation in detail, applying the ERC's years of research and experience in compliance and ethics program evaluation.

1. At the time of this writing, the Commission's description of its intent can be found at http://www.ussc.gov/2004guid/RFMay04_Corp.pdf. Chapter Eight, itself, can be found at http://www.ussc.gov/2004guid/tabconchapt8.htm.

2. The Ad Hoc Advisory Group has a Web page on the Sentencing Commission Web site, which includes its report to the Commission and testimony it considered. Available at: http://www.ussc.gov/corp/advgrp.htm, accessed 29 November 2004.

3. See, e.g., James C. Collins and Jerry I. Porras. Built to Last: Successful Habits of Visionary Companies. New York: HarperBusiness, 1994, 1997, 2002.

4. ERC Note: For definition of "Substantial Authority, see text box in discussion of Section 8B2.1(b)(3) below.

5. ERC National Business Ethics Survey 2003, Chapter 4.

6. §8C2.5(f) (1)

7. In a sense, this is boot-strapping, since these programs clearly profited from, and often referred to, experience under the 1991 Organizational Guidelines.

8. Ethics Resource Center, National Business Ethics Survey - 2003: How Employees View Ethics in Their Organization (2003), p. iii. Executive Summary available at: <http://www.ethics.org/nbes2003/2003_summary.html>.

9. Upjohn Co. v. United States, 449 U.S. 383, 393 (1981). See also Jaffee v. Edmond, 518 U.S. 1 (1986).

10. See, e.g., The U.S. Department of Justice's written testimony to the Advisory Group, p. 18, available at <http://www.ussc.gov/corp/ph11_02/t_comey.pdf>.

View Part 4 of the FSGO Series