Certainly recognizing that inane training is simply that - inane training, Anderson missed the larger picture of what constitutes a best practices compliance program. Training is one part of a larger component of how companies manage their compliance with laws, regulations and, most importantly, the ultimate barometer of their value - their corporate reputation through compliance. The role of compliance in corporations was born in 1992 with the enactment of the US Sentencing Guidelines, which laid out the initial standards for corporate compliance and ethics programs, of which training is one part. It was only after these Sentencing Guidelines were put into effect that corporations moved to create Codes of Conduct to publicly state their values.
These Sentencing Guidelines provide a very general outline of what would constitute an effective compliance program. In the latest amendments to the Sentencing Guidelines, in 2010, the stated purpose of training is to "(6) Training - Conduct effective training programs and otherwise disseminate information to ensure that the board of directors, high level personnel and other employees with substantial authority receive information about the standards, procedures, and other aspects of the compliance program".
One of the most significant areas of the law, where the government has provided specific guidance on compliance programs including training, is the 2012 publication entitled "FCPA - A Resource Guide to the U.S. Foreign Corrupt Practices Act", which was issued jointly by the Criminal Division of the Department of Justice (DOJ) and the Enforcement Division of the Securities and Exchange Commission (SEC). This FCPA Resource Guide provided the government's views on what constituted an effective compliance program under the Foreign Corrupt Practices Act of 1977 (FCPA) in the form of the Ten Hallmarks of an Effective Compliance Program.
Hallmark No. 5, Training and Continuous Advice, which says, in part, "DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners." This Hallmark goes on to state that training should be appropriate for the risk of the persons being trained and tailored to the situations they might find themselves at risk in for their company.
Whether you consider the language of the Sentencing Guidelines or the much more specific FCPA Resource Guide, the proper context to review ethics and compliance training is as a part of an overall holistic approach to compliance and ethics, compliance can be seen in its proper role as a communication tools. The reason a company puts on compliance training is not to solely stop unethical or non-compliant conduct. The role of training is to communicate the standard of values the company wants to set forth.
The training itself should be tailored to risks involved with those employees receiving the training. My wife works at a major oilfield service company in Houston, as an SAP integration specialist in the IT department. The risk that she could engage in non-compliant, unethical behavior, that could put her company at legal risk, is relatively low. So basic training for her on the company's ethical values is an appropriate reminder.
However, in the same company there are thousands of employees who are in positions oversees which are at much higher risk for non-compliant behavior, particularly under the FCPA. For those employees more focused, specific and in person training is the preferred method. So more than simply asking is something illegal, such training would focus on the specific requirements under the law, what an employee should do if a foreign government official demands a bribe and how to seek help or report such conduct through the company hotline.
Training is not and never has been the all-encompassing way to stop illegal or even non-compliant, unethical conduct. It should be seen as a part of the overall corporate compliance program. Enron is the prime example that simply having one part, the Enron gold standard Code of Conduct and even training on that Code of Conduct, is not enough. It all starts at the top with the tone from the top. If your top management are crooks, in the case of all the former Enron senior managers who are now convicted felons, that speaks to the tone management creates. No rule, regulation, company policy or certainly compliance training should get in the way of the next deal.
Yet even after management sets an appropriate tone, that tone must be communicated to the employees. A corporate Code of Conduct sets out the general values and the policies and procedures lay the specifics of how employees can comply with laws, regulations and ethical concepts. After this communication, a company must set out appropriate incentives and discipline (carrots and sticks) to reinforce these behaviors. Finally, there should be internal controls baked into to all of this, which not only reinforces these concepts but also allows a corporate compliance department to monitor compliance to hopefully prevent any incidents before they become violations and detect them if they occur.
Anderson does get one thing right. If a company is putting on training simply as "just a form of legal ass-covering" then it is probably the type of company which does not put a high value on doing business either (1) ethically or (2) in compliance with existing laws. That alone puts a company in the Enron zone for compliance. Next, I will take a look at her claims about the dumbing down of compliance training.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016