This article is an Ethikos Classic. It originally appeared in Ethikos, March/April 2004 – vol. 17., No. 5
As children we learn the story of the cobbler’s children. The person who makes the shoes for the village is the one whose children lack shoes. It is an ironic picture—those whose job is to provide a product in fact do without the product themselves. And yet, in the compliance and ethics field, where we spend our days telling corporate clients how to act legally and ethically, and we routinely push them to adopt and apply codes of conduct, do we follow this advice ourselves?
In 2002, the Australian Compliance Institute adopted a relatively brief set of generalized ethics standards. But in 1999 one organization in this field, Health Care Compliance Association (HCCA), took the rather bold step of adopting a strong, detailed set of standards in the Code of Ethics for Health Care Compliance Professionals. The author had the opportunity to participate in this process as one of the draftspersons. Although the standards are addressed to compliance and ethics practitioners in the healthcare field, there is little in the standards that is limited to healthcare; in fact, the initial draft drew from work that was part of an earlier study done for the EOA. The final product was designed to be generally applicable to anyone working on organizational compliance and ethics.
Drawing from multiple sources
The Code was not created from whole cloth; it drew from a number of sources. One of these is the excellent analytical work of Professor Christine Parker of the University of Melbourne (Australia). In her insightful essay, “A Model for the Compliance Professional: Consulting, Policing and Managing,” in Heller, Murphy & Meaney, Guide To Professional Development in Compliance, she discerns that the practice of compliance and business ethics consists of three roles: counseling, managing, and policing. While most practitioners welcome the role of counseling and advising clients, and they recognize the need to manage the compliance program to achieve results, there remains much controversy and resistance to the actual policing role. Of course, after the recent spate of corporate scandals there may be increased recognition of the reality of human nature that makes such policing necessary. In any case, the Code recognizes all these roles in its standards.
The Code’s drafters also were aware of the many ethics codes that exist in other fields and professions. These were used as models, and in some cases as examples of mistakes to avoid. For example, the drafters viewed the ethical standards for lawyers as not encouraging the type of aggressively preventive role required in compliance. They specifically disagreed with the American Bar Association (ABA) model standards’ weak escalation provisions that applied to lawyers representing organizations.
The Code was intended to set high ethical standards for practitioners and to encourage them to aspire to those high standards. But it was also designed to empower compliance people and to recognize their unique role in organizations. The standards were intended as a bulwark against organizational pressure to “go along” and to be a team player. They recognized that organizational misconduct flourishes in an environment where powerful actors can silence those who would otherwise resist their schemes. Before the era of Enron and WorldCom the drafters were concerned with how a compliance practitioner might deal with the domineering corporate executive intent on pursuing some improper scheme. Much of the Code, in fact, reads as if it had been written in response to the recent spate of corporate scandals. But those cases were predictable results of misused corporate power; the Code was drafted with just such scenarios in mind.
The Code consists of a preamble, 3 principles, and 17 rules, supplemented and explained by official commentary. We will review here some of its highlights. The Code begins with the preamble explaining that the document is divided into three general principles that guide compliance and ethics professionals. Within each principle are the rules and the commentary that helps explain in practical terms how the rules should be applied. The drafters of the Code knew from experience that a code that merely lists values and provides no guidance on how to balance them does not really serve a useful purpose. Soft standards invite manipulation. When the issue is how to control the use and abuse of power, the standards need to be strong and unequivocal. Thus the commentary is quite specific. The preamble also defines key terms. For example, the Code defines “misconduct” comprehensively to include violations of any laws, as well as unethical conduct.
Obligations to the public
Principle 1 of the Code covers obligations to the public. The profession is to contribute to the public good.
Rule 1.2 states that professionals “shall take such steps as are necessary to prevent misconduct by their employing organizations.” Note that this is an activist approach. Compliance professionals need to be persistent and to be constant advocates of compliance and ethics. They cannot just give advice and hope for the best; they must be forceful players in the corporate game.
Rule 1.4 is the escalation provision. This rule has been perhaps the most controversial of the Code’s rules.
It reminds professionals that they represent the organization and not management. If the professional becomes aware of misconduct he or she must: a) refuse to consent; b) escalate to the highest governing body as appropriate; c) if things are still not resolved consider resignation, and, d) if required by law, report the decision to public officials (which would be a very rare occasion).
Resignation is a disfavored recourse because the compliance professional may be the last obstacle standing in the way of management misconduct. The commentary explains that if resignation is necessary the reasons must be spelled out in detail to the board. The commentary also states that the compliance professional should “exhaust all internal means available” to deter the misconduct. Again, the emphasis is on action, not just giving advice. One could picture this principle in action in some of the recent cases, where in-house people objected to proposed conduct, but ultimately went along or were brushed aside. Had the compliance people been there, required to resist such schemes and to escalate the matters to the boards, there might have been different outcomes, or at least misconduct may have come to the surface at an earlier stage. Rule 1.4 anticipated the standard that Sarbanes- Oxley and the subsequently adopted SEC rules required for securities lawyers. The ABA, in its model rules, has also stepped up to the need to push escalation as a duty. The previous ABA standard had been so ambiguous as to invite avoidance.
Obligations to the organization
Principle II sets out the obligations to the employing organization. One key aspect of this is the duty to promote effective compliance programs.
Rule 2.1 requires that the professional act in a timely, competent and professional manner. The professional must get the necessary education and stay current in the field. This could address such issues as the need to keep current on the legal standards on obstruction of justice prior to advising employees on what document disposal was or was not appropriate at the institution of an SEC inquiry.
Rule 2.2 requires professionals to “ensure to the best of their abilities that employing organizations comply with all relevant laws”—enforcing the duty to society in Rule 1.2. The commentary here is crucial, however. It explains that this role calls for leadership, while reminding practitioners that “all employees have the responsibility to ensure compliance.” Corporate management may need to be reminded of this key distinction; compliance professionals cannot guarantee results and must depend on employee and management buy-in.
Rule 2.4 addresses a point that should have been obvious to everyone in the field, but for many required the hammer of Sarbanes-Oxley to drive the point home. The compliance professional must keep senior management and the highest governing body informed of the status of the compliance program, both as to implementation and as to the areas of compliance risk. This rule follows the standards set in the Caremark case, and the commentary quotes that case. One has to wonder exactly what the boards of directors in WorldCom and Enron, as well as the leaders of Arthur Andersen, were asking about compliance programs in their companies. The duty imposed by this rule fits well in the world of Sarbanes-Oxley.
Rule 2.5 addresses one of the most troublesome aspects of compliance, the risk of retaliation against whistleblowers. Carrying forward the activist approach of the Code, it is not enough for the compliance professional to avoid participating in retaliation; the professional must “strive to implement procedures that ensure the protection from retaliation” of any whistleblowers. The tough whistleblower protection provisions in Sarbanes-Oxley make this approach the only safe one today.
Rule 2.7 speaks to the concern about conflicts of interest, but in a somewhat unusual way. Of course, it requires the avoidance of conflicts and reporting those that occur. But it goes on to recognize the reality of the corporate world, where a compliance person may have some connection with a matter that raises compliance issues. It recognizes that involvement in a matter subject to investigation will not necessarily prejudice the professional’s ability to participate, and should not necessarily remove that person from a role in the matter. In a world of scarce resources, the compliance professional’s experience may provide valuable insight into misconduct, and that professional may be the one person best positioned to prevent or detect the misconduct. The crucial element is that everyone knows of the possible conflicts. This observation is drawn in part from the reported experience of the compliance officer in the Dow Corning breast implant matter, as explained in John Byrne’s book, Informed Consent. There an ethics officer played a lesser role in the defining moment of his company’s ethics program because he felt he was too close to the matter. Arguably the person who knew enough to take action instead put himself on the shelf. Apparent conflicts must be examined thoughtfully in the compliance world so that they do not remove from the picture people who have the insight and motivation necessary to prevent harm to the public.
Obligations toward the profession
Principle III discusses the professional’s duty to the profession. This includes a duty to promote professionalism in the compliance field.
Rule 3.1 could easily be called the Enron investigation rule, except that it was promulgated in 1999, two years before Enron became a national scandal. The rule requires professionals to act with “honesty, fairness and diligence.” Nothing really remarkable there. But in the commentary the standards reach an extraordinary level of specificity, requiring that compliance professionals:
“[S]hall not agree to unreasonable limits that would interfere with their professional ethical and legal responsibilities. Reasonable limits include those that are imposed by the employing organization’s resources. If management of the employing organization requests an investigation but limits access to relevant information, [compliance professionals] shall decline the assignment and provide an explanation to the highest governing authority of the employing organization.”
Had outside counsel in Enron been subject to this standard, the firm would have avoided the horrendous publicity surrounding its unduly limited investigation of the company’s ‘special purposes’ enterprises.
Rule 3.5 requires professionals to maintain their competence and to be familiar with industry practices. The commentary calls for “participation in open professional dialogues and exchanges,” reflecting the historically open nature of this field, and the Sentencing Guidelines direction that compliance programs need to be at least as good as industry practice. This stands in marked contrast to a report given at one Ethics Officer Association meeting that the compliance person at Enron would only share the company’s code of conduct under a non-disclosure agreement, and required return of the document. Of course, that was before that same code became an object of derision.
A strong ethics code has enormous potential to aid in the compliance practitioner’s efforts to implement and enforce effective compliance programs. It can answer difficult questions and provide direction that balances loyalty to the employing organization with the need for compliance and ethics professionals to be diligent in preventing misconduct. But such codes are only a tool. For them to be effective there is more that needs to be done. Besides the HCCA and the Australian Compliance Institute, such codes need broader acceptance. EOA needs to step into a leadership role, and compliance practitioners need to push for the professionalization of their as yet under-powered field. Make no mistake about this—it is not an easy or especially painless course. But if we were seeking an easy, get-along approach we would not have entered this field in the first place. Compliance and ethics people believe in values and in taking a stand for what is right. How can we not insist on the same standards for ourselves, even if this means a difficult trail to travel?
Importance of enforcement
Beyond this struggle for rigorous ethics standards, however, the single ingredient that is missing from any of these codes is an enforcement mechanism. The Australians have stated publicly that they intend to enforce their code. In the U.S. this is a highly risky proposition; any enforcement effort by a voluntary organization is likely to be followed swiftly by court action. American judges, historically jealous of their roles as arbiters of society’s values, are likely to show little sympathy for any extra-judicial efforts to police conduct. Defamation, tortious interference with contract, antitrust conspiracy, and other exotic legal theories are likely to be used by the legal system to thwart such professional enforcement efforts.
Considering that compliance with law is a prime mission of government, it is fair to ask what government is prepared to do to aid in this effort. One approach is to provide a strong immunity for those who enforce such ethics codes. This is a step that is certainly needed, but it should be noted that even strong immunity statutes are often undermined by judges who seek to control all such adjudication. Still, it is a course worth pursuing. Failing this, government enforcement of ethics standards is another option, but this is a genie that is likely to range beyond anyone’s control and perhaps is best left in its bottle. The best model may well be that established for the legal profession, in which one’s peers handle the matter, but with judicial oversight and the necessary immunity.
Obtaining legal cover is likely to take time and political capital. One immediate step that requires much less effort is for government to take note of such ethics standards, and to recognize their importance in enhancing the role of compliance programs and practitioners in the effort against organizational misconduct. Prosecutors and regulators could do this easily by making it clear that they consider a commitment to such strong standards as a factor in evaluating compliance programs.
Were regulators to ask whether companies have compliance officers committed to such standards, this could have a highly salutary effect on the acceptability of these ethics standards.
What will happen next? Will compliance and ethics practitioners subscribe to a strong and specific code of ethics? Or will they opt for the easy, cosmetic route, swearing a mighty oath to “always be ethical and do right,” but with no specifics and no enforcement mechanism? Will they adopt a list of pious sounding virtues, but with no guidance on how to make difficult decisions? The answer to these questions may tell us whether the ethics and compliance field will continue to play the invisible role that gave us Enron, Andersen and WorldCom, or whether this is truly a profession marked by practitioners with the courage to act boldly on their beliefs.