“It’s not complicated – more is better,” concludes a wonderful AT&T commercial. But for many C&E officers, it’s not that simple.
In the wake of Enron/S-Ox/the Sentencing Guidelines revisions a great many companies seemingly had bottomless appetites for implementing compliance measures. That’s no longer the case. With the exception of those employed by companies that are under investigation, playing catch-up with FCPA compliance expectations or in highly regulated industries, C&E officers seem increasingly under pressure to be not only effective but also highly efficient in their work, and to steer clear of “compliance overkill.”
Note that this focus on efficiency should not be misinterpreted to mean that the need for effective C&E programs is any less powerful now than it was during the formative age of compliance. Indeed, the costs of non-compliance have, I believe, gone up since then – as reflected in (among other things) the fact that of the ten all-time highest corporate criminal fines in the U.S. five were imposed in 2012 alone. But perhaps precisely because harsh penalties have become the new normal, C&E programs in many companies seem to command a smaller portion of senior management mindshare than they did just a few years ago – and hence the growing imperative to avoid what are seen as unnecessary efforts in this area and to achieve “Goldilocks compliance.”
There are various settings in which C&E officers should be attentive to the possibility of going overboard, including but by no means limited to the following.
Note that C&E overkill is not only about doing too much – it can also be about saying too much. For instance, C&E officers need to be careful in discussing the relevance of C&E provisions in settlement agreements to their own companies. To use a medical analogy, what’s essential for a patient who has had a heart attack is not necessarily indicated for those who merely have somewhat elevated cholesterol levels.
So how do you know when you’re going from enough to too much? In some instances it is like the famous saying about obscenity, you know it when you see it. But that won’t do in all cases, and for many reasons the better approach is to base determinations of this sort on your risk assessment.
Indeed, by identifying in a risk assessment anything that’s not needed, a program can gain greater credibility among key decision makers in a company. This, in turn, can help the program focus what is essential – and implement C&E measures that are “just right.”
Jeffrey Kaplan, a partner in the Princeton, New Jersey office of Kaplan & Walker LLP, has practiced law in the compliance and ethics field since the early 1990’s.
Mr. Kaplan is also former adjunct professor of business ethics at NYU’s Stern School of Business, co-editor (with Joseph Murphy) of Compliance Programs and the Corporate Sentencing Guidelines (West Thomson), former counsel to the Ethics and Compliance Officer Association and co-author of a study by the Conference Board on the use of compliance and ethics program criteria in government enforcement decisions.