Next-generation compliance: are you covered?
by Steve Hill

So many times health-care leadership, in dealing with their compliance obligations, have asked me, "How do we know when we have met our obligations?" Since 1991, federal enforcement authorities have expected corporate leaders to have an effective program in place to prevent violations of law. Critics of this policy have complained that the enforcement community has not always adequately defined what companies must do to satisfy this obligation. A recent set of recommendations by an ad hoc committee of the U.S. Sentencing Commission may go a long way toward answering that question. More importantly, the recommendations will also increase the requisite level of corporate leadership on the issue.
On October 7, 2003, the Commission's Ad Hoc Advisory Group on Organizational Sentencing Guidelines issued recommendations for organizational compliance with federal laws. The committee reviewed what constituted an effective compliance program in the aftermath of various high-profile incidents involving allegations of corporate wrongdoing. The Commission's report highlights that while all of these corporations had compliance plans in place, they still failed to detect or prevent violations of law. Echoing many of the same policy arguments used to justify the Sarbanes-Oxley Act of 2002, the Ad Hoc Committee turned its attention to corporate leadership and their commitments to compliance.
If the recommendations are adopted, and my judgment is that they will be, they will provide new criteria for what now is officially an "effective compliance program." The practical impact of this new approach will be much broader than it appears at first glance. If history is any guide, the recommendations will also create a series of policy guidelines for prosecutors and agents in their preliminary assessments of criminal culpability for business organizations.
A common misconception is that Sentencing Guidelines are only applicable to defendants that have been investigated, charged and convicted. In practice, the Department of Justice uses these same concepts when determining whether to criminally prosecute an organization. The October report acknowledges that federal prosecutors have declined prosecutions based on the existence of an effective compliance program. Given this practice, and the fact that organizations are made up of people that sometimes make mistakes, qualifying for a chance to avoid a criminal investigation and prosecution makes a great deal of sense.
The Commission's previous standard focused on seven requirements that outlined the requisite organizational compliance components. Some include: Do you have compliance standards and procedures for your employees designed to prevent criminal conduct? Do you have a compliance officer? Do you enforce policies and take reasonable measures for the detection and prevention of improper conduct? These measures were familiar to anyone addressing corporate compliance prior to Enron, WorldCom and other high-profile cases.
The new approach will incorporate the previous conditions but also introduce a greater emphasis on an organization's compliance culture and whether its "organization leadership" and "governing authority" are aware of and directly involved in the compliance effort. Organization leadership will be defined as "high-level personnel" while "governing authority" is presently being defined as the organization's board of directors or its equivalent. As a result of the new guidelines, corporate leadership cannot defer compliance issues to others or simply offer its Code of Ethics in convincing the enforcement community that their organization should get the government seal of approval. In evaluating their effort to meet the new standard, corporate leadership should ask themselves a series of straightforward questions:
- What would my employees say about my commitment to complying with the law?
- How do my responsibilities compare with other leadership or the board of directors?
- Who should take the lead on the issue within our organization now that the top level officers and directors are responsible?
- Can I personally describe the efforts my organization takes to comply with the law?
- How do I know our compliance efforts are working?
- What is the best course of action if we find a problem?
Business organizations operating within heavily regulated fields like healthcare, particularly those that regularly experience federal oversight, will probably want to ask those questions of themselves sooner rather than later. Self-evaluation now will prepare you to respond to the media, law enforcement or investors in the future. With preparation, your response can be, "I'm glad you asked."
Steve Hill is a partner with the law firm Blackwell Sanders Peper Martin. He may be reached at 816.983.8162 or by e-mail at shill@blackwellsanders.com.