Real Corporate Lawyer

The Convergence of Principle and Rule-Based Ethics Programs - An Emerging Global Trend?
Part 2 of 2
By Ronald E. Berenbeim & Jeffrey M. Kaplan

Promoting a Culture of Compliance in Australia

In 1998, six years before the U.S. Revised Sentencing Guidelines mandate to promote compliance within the organization, Australia’s AS 3806 promulgated compliance standards established an ethical culture as a core element of an effective compliance program. As with the Sentencing Guidelines, AS 3806 focuses on essential components and leaves it to individual companies to determine how best to implement effective compliance programs given the nature and requirements of their respective organizations. Specifically, AS 3806 states that a compliance program is an important element in the corporate governance and due diligence of an organization, and should:

aim to prevent, and where necessary, identify and respond to, breaches of laws, regulations, and codes of organizational standards occurring in the organization;
promote a culture of compliance within the organization; and
assist the organization in remaining or becoming a good corporate citizen.¹

This Australian standard also provides a definition of corporate culture: “…an attitude, policy, rule, course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities take place.”²

And, it sets forth the structural and procedural elements of a compliance program:

high level commitment
compliance policy and operating procedures
management responsibility and supervision
resource commitment (including policy manuals with specific examples and possible hotlines)
record keeping about the program
reporting of compliance failures
education and training utilizing teaching methods that involve staff participation
visibility and communication
program monitoring and assessment
reviewing operations and assessing failure
accountability
continuous improvement

The uncertainty as to how these program elements promote a culture of compliance may explain in part why,
despite this level of detail, Australian courts were unwilling to order defendants to implement AS 3806 systems because in their view a judicial determination of compliance with the directive the application would be “likely to involve vague evaluative judgments or significant debates over their interpretation,” and “[it] imposes standards in their expression and not readily measured in application.”³

One critic of AS 3806 notes that: “AS 3806 is a confusing document that contains a multitude of detail for elements of compliance system processes, but no clear over-riding substantive principles and objectives. The three main organizing principles—structure, operation and maintenance—are purely process-oriented. It provides little in the way of emphatic guidance on the substantive principles (emphasis supplied) that make compliance work…” ⁴

At least one of the purposes of the 2006 AS 3806 revisions appears to be an effort to respond to these concerns. It articulates the 12 underlying principles of the compliance project and it provides guidance in relationship to achieving the intended purpose of each principle.

These principles can be grouped into four action categories:

commitment (senior management support and policy requirements);
implementation (responsibilities of senior management, compliance management, line managers and
employees);
monitoring and measuring compliance program performance; and
continual improvement ⁵

As the 2006 version of AS 3806 explains how certain fundamental compliance principles can be achieved through specific steps, four common themes emerge:

The importance of culture – an ethical culture will make it more likely that compliance can become truly
integral to day-to-day business practice.
Tone from the top – Without senior management support, it is unlikely that an effective and efficient
compliance framework can be achieved.
Training and competence – Without appropriate and regular training both in how to fulfill the functional
requirements of their role and in how to recognize and meet their compliance requirements, individuals at all
levels cannot be expected to perform to the required standards.
Embedding compliance into working practice – Is the outcome of a strong culture that is reinforced by a supportive tone form the top and effective ethics and compliance training and competence?6

Italy—Focusing on Organizational Culpability

Until recently, criminal prosecution — particularly outside of countries governed by Anglo-American and Japanese law— was largely limited to individuals because corporations were not “legal persons.” ⁷

In Italy, legislative efforts to criminalize certain kinds of corporate behavior encountered an additional impediment
in the Italian constitution which provides that “criminal liability is personal.” The drafters sought to avoid a conflict
with the constitution by including in Legislative Degree 231 (2001) elements of corporate culpability. In so doing, they borrowed heavily from the U.S. Sentencing Guidelines and its articulation of mitigating factors. The legal testing of LD 231 involved the courts in a further elaboration through judicial precedent of what constituted mitigating factors. As such, Italy’s experience contrasts with Australia’s. Whereas Australian judges found AS 3806 too vague for concrete application, Italian jurists developed case law that effectively serves as an LD 231 guidance document.

For example, early decisions in Italian cases stressed the importance of tailoring programs to company needs.
Credible programs needed to “come out of a realistic and economic vision of the business activities, not just a formal juridical one.” Ultimately, the decisions say that the specific focus requires some kind of risk analysis or as one decision
puts it:

“The effectiveness of a model depends on its concrete fitness to create decision mechanisms able to eliminate
or at lest diminish significantly the risky areas, to punish offenses, but also to identify the risk areas and
the wrongdoing areas.”⁸

Italian companies responded fairly quickly to LD 231. A 2004 survey of 97 companies conducted by the “Auditing e Controllo Interno” Master of Pisa University together with the “231 Area Committee” of the Associazone Italiana
Internal Auditor found that:

59% had adopted a compliance program;
25% were currently adopting one;
16% had no plans to develop a compliance system.

Regardless of whether the company spokesman said the organization had a compliance system, 95% of the survey participants followed certain risk analysis procedures:

identifying the business activities potentially exposed to the “231 Risk”;
surveying and analyzing existing controls in risk areas;
identifying possible gaps; and
defining the actions necessary to fill the identified gaps.⁹

In April 2006, the 231 Area Committee of the Italian Internal Auditors Association conducted a follow-up survey
(this time in collaboration with Ernst & Young) showing that compliance program prevalence among responding
companies had risen from 59 to 91 percent.¹⁰ Of course, the company compliance program trend is
greeted in Italy with skepticism similar to that encountered elsewhere. Like most industrial countries, Italy has been beset by scandals and the proliferation of ethics codes, compliance programs, and corporate social responsibility initiatives “is sometimes viewed by the public and investors simply as corporate advertising.”¹¹ Despite this cautionary note, by identifying ethics programs at the outset with risk analysis and avoidance, the Italian approach has given companies practical motives and methods for developing effective ethics programs.

Compliance by Another Name

For many legal systems, the criminal liability of corporations is a comparatively recent development. Therefore,
compliance incentives and guidance are not the same as they are in the United States, i.e., sentence mitigation schemes. However, there are a limited number of examples of governments using other approaches to encourage compliance program implementation.

In some cases, these efforts focus on specific areas of legal risk such as fair competition:

United Kingdom — A different sort of compliance incentive is that provided by the United Kingdom’s Office
of Fair Trading, which has issued a highly detailed guidance document concerning competition law compliance programs that has many of the same elements of the recommended compliance system structures found in other legal systems.

The publication states:

“…you should bear in mind that if you do commit an infringement, any financial penalty may be reduced
where you can show that you have taken adequate steps (emphasis supplied) to achieve compliance. The larger
the business and the greater the risk of infringement, the more likely it is that adequate steps will include
the introduction of a compliance program (emphasis supplied).¹²

As with the U.S. Guidelines, this admonition sounds like less of an “incentive” and more of a warning. Put succinctly, the larger the company and the risk of infringement, the greater the expectation of the enforcement authorities that
the company will have a compliance program.

Canada — As in the UK, Canada links compliance to the need to prevent and detect competition law offense.
Whether the company has an effective compliance program“may better situate” it “to receive favourable consideration or alternative case resolution” or other benefits, according to a publication of the government’s Competition Bureau. Other types of compliance-related defenses arise in the bribery law context—the focus of the OECD country reports on the implementation of the 1997 anti-corruption convention—or with respect to corporate criminal liability
generally.

Norway — In Norway, prosecution of corporations and other legal entities—not only for bribery, but other
offenses as well—is discretionary, and one of the elements to be considered in determining whether to bring charges is“whether the enterprise could have prevented the offence by guidelines, instructions, training, control or other measures….” According to a prosecutor interviewed for the OECD Country Report on the Implementation of the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions of the Organization for Economic Cooperation and Development, internal rules at a company could prevent the organization itself from being prosecuted, “provided that management applied and monitored such rules.”¹³

Switzerland — Corporations are subject to prosecution for bribery if they did not take “all reasonable and necessary organizational measures to prevent such an offense.” While these steps are not further defined by law, Swiss authorities say that proof of this element would entail assessing “whether employees have been sufficiently informed, supervised and controlled” with respect to a company’s anti-bribery standards.

South Korea — Under South Korean law, companies are not subject to sanctions for bribing a foreign public
official if they have “paid due attention or exercised proper supervision to prevent the offense.” There is a difference of opinion as to what constitutes compliance with this directive. An explanatory manual published by the Ministry of Justice suggests that merely having a policy against bribery would suffice, which the OECD Working Group indicates may be an unduly lenient test.

The confluence of three developments has resulted in a global trend that encourages and increasingly mandates the development and implementation of company systems for the prevention, detection, and, if necessary, cooperation in
the prosecution, of wrongful corporate conduct:

legislative change in some countries that permits the prosecution of companies for behavior for which heretofore only individuals could be held criminally liable;
national law (1977 Foreign Corrupt Practices Act) and international conventions and working groups
(e.g. 1997 OECD Convention on Combating Bribery of Foreign Public Officials in International Business
Transactions) that criminalize business conduct outside the company’s home country; and
the more efficient outcomes resulting from a significant transfer of the compliance burden from the governmental
officials to the institutions subject to the laws and regulations.

At the same time, the experience in the United States with what had started as a pure “compliance” regime may be leading to the development of a “third way” in which companies are encouraged to use strong compliance structures in the service of a broader ethical mandates.

Notes

1. Australian Standard AS3806 – 1998, Compliance Programs, Standards Australia, p. 4. See also, remarks of Gayle Hill, 9th International Anti-corruption Conference, Durban, South Africa, (1999).

2. Ibid.

3.ACCC v. Real Estate Institute of Western Australia (1999), ACCC v. Rural Press (2001); Although the Australian Courts have expressed reservations about 3806, the Australian equivalent of the SEC has told regulated companies to use it.

4. Christine Parker, “Section 8: Is There a Reliable Way to Evaluation Organizational Compliance Programs?” Regulation: Enforcement and Compliance, Australia Institute of Criminology, 2004.

5. “Is Your Organisation Complying?” Litigation & Dispute Resolution, Thompson Playford (August 2006) www.thompsonplayford.com.au.

6. “AS3806 – Practical Implications of the 12 Principles – What Does it Mean for You?” Deloitte Regulatory Review, May 2006, p. 2. www.deloitte.com.au.

7. Jean-Francois Arvis and Ronald E. Berenbeim, Fighting Corruption in East Asia – Solutions from the Private Sector, (the World Bank, 2003), p. 37.

8. Trib. Milano, sez XI Giud. Riesame, Pres. Rel. Mannocci, ord. 10- 28-2004, Siemans, AG, as quoted in Francesa Chiara Bevilacqua, “Corporate Compliance Programs under Italian Law,” Ethikos and Corporate Conduct Quarterly, November/December 2006, Case Citations are from Ms. Bevilacqua’s article.

9.Francesa Chiara Bevilacqua, “Corporate Compliance Programs under Italian Law,” Ethikos and Corporate Conduct Quarterly, November/December 2006. http://ethikosjournal.com/html/italy. html.

10. Ibid. Unlike the first poll, the later survey has a participant industry breakdown. Twenty-five were lending institutions or financial intermediaries, 11 were insurance companies, 16 were industrial companies, 16 were utilities and four were in the media/telecommunications sector. Possibly owing to this sample distribution, the participants identified “public administration” (meaning anti-corruption issues) as the key risk and tailored their programs accordingly.

11. Ibid.

12. “How Your Business Can Achieve Compliance – A Guide to Achieving Compliance with Competition Law”, Office of Fair Trading, 2005. p. 10.

13. The OECD Anti-Corruption Convention (1997) provides for country review by other convention signatories. The Norway country report and that of the 35 other country signatories including non-OECD countries (e.g. Bulgaria, Chile) can be found on the OECD’s website at www.oecd.org.

About the Authors

Ronald E. Berenbeim is the principal researcher and director for The Conference Board Research Working Group on Ethics and Compliance Criteria in Government Enforcement Decisions. He also teaches Market Ethics and
Law at the New York University’s Stern School of Business. Mr. Berenbeim is an authority on business ethics and corporate governance issues, and has written 44 studies for The Conference Board. Jeffrey M. Kaplan is a partner
at Kaplan & Walker, and is also chair of the Legal Advisory Board of Midi, Inc., a compliance training provider. This is the first of a two-part article; it will conclude in our June issue. Contact: Ronald.Berenbeim@conference-board.
org or jkaplan@kaplanwalker.com