Business Crime: What To Do When the Law Pursues You

U.S. prosecutors are imposing giant fines and imprisoning managers when regulatory compliance problems arise. Know how to protect your company and yourself when a legal crisis hits.

In 1997, U.S. federal agents launched a series of no-warning searches at the offices of Columbia/HCA, the largest forprofit health care provider in the United States, looking for evidence of improper charges billed to the federal government’s Medicare program. The chairman’s public comment that “government investigations are matter-of-fact in health care” sat poorly with the company’s directors, and the chairman was soon gone. Years later, the investigation continues. Most of senior management has been replaced. Several executives have been indicted; two are appealing jail sentences. Other investigations and suits have been launched against the company. Institutional investors are suing the board. The company’s stock has been as low as 40% of its previous high.

In 1996, food-processing giant Archer Daniels Midland (ADM) pled guilty to price-fixing charges. Key evidence had been gathered through an ADM manager who secretly recorded business meetings for the government. ADM was fined $100 million and promised to cooperate in the prosecution of its executives. Subsequent convictions included the vice chairman, who is now appealing a two-year jail sentence.

After several waves of bank failures in the U.S. savings and loan industry during the 1980’s, Congress funded the Office of the Special Counsel for Financial Institution Fraud, which coordinated a massive prosecutorial effort. Criminal convictions were obtained against 5,506 defendants; jail sentences were meted out in 3,793 cases. Among those convicted were 1,588 bankers, including 411 bank CEOs, chairmen of the board, or presidents.1

In the United States, cases such as those mentioned above are becoming more common. Every senior manager should expect to confront, at some time, a serious allegation that his or her company and some of its managers have committed a crime—not a crime like stealing, which could arise in a nonbusiness setting, but a violation of the criminal provisions by which the complex regulations governing U.S. business are sometimes enforced. Few companies can avoid these regulations, which deal with securities, antitrust, the environment, government procurement, international trade, financial services, health care, and other aspects of business. The criminal provisions are invoked more often than the public record suggests, because many disputes with government that are officially noncriminal involve threatened criminal proceedings.

A serious allegation of criminality is a crisis for the corporation and often also for the managers who direct the corporation’s response. It is hard to look good in the shadow of the criminal law, and a manager who appears to be muddling through is likely to suffer the eroded confidence of his or her superiors. However, even otherwise skilled managers are often ill prepared. Such crises are too infrequent for the development of needed judgment. Sometimes a manager’s response puts the company in deeper trouble than the initial illegality. The criminal law raises difficult emotional issues; few responsibilities are as unsettling as passing judgment on once-trusted colleagues. And the criminal overlay to business regulation is a mine-field. Unlike the general criminal law—which builds upon simple, well-understood, enduring prohibitions, and is violated only by conduct that strays far from the acceptable—business regulation is dauntingly complex and shifting, and the distinction between routine business practices and criminal activity can be blurry.

The demands on managers and directors are rising. The law now requires that compliance be well managed, in regard to preventing violations and responding to them. Individuals whose judgment is challenged by the government cannot count on support from their companies. The law pressures a company to distance itself from individuals who may have committed crimes and also those who have mismanaged compliance.

The law pressures a company to distance itself from individuals who have mismanaged compliance.

Punishment is becoming more severe. For corporations, the ceiling on fines is rising fast. Many statutes once fixed fines at levels unlikely to daunt large companies. New elastic standards are tied to harm, benefit, and culpability. ADM’s $100 million was a sevenfold increase over the previous antitrust record; the current record is now $500 million. Enforcement agencies have become entrepreneurial. All criminal fines once went to the U.S. Treasury, but under “forfeiture” provisions first appearing in drug statutes, agencies were allowed to keep some enforcement proceeds. This practice is filtering into corporate regulation.

Managers are also facing tougher sanctions. Although U.S. antitrust laws date back to 1890, no businessman was jailed—except in violent crimes and labor disputes—until 1959. Only since the mid-1970s have jail sentences become routine. In the last 10 years, the length of a typical antitrust sentence has tripled to 18 months. Environmental enforcement ramped up more quickly. During 1984, all jail sentences for environmental offenses added up to 6 months; by 1997, that figure had risen to 2,400 months. The widespread S&L jail sentences were unprecedented. And for every manager who goes to jail, there are many who suffer lesser sanctions.

This article is not a substitute for legal advice, but it will help managers and directors meet their expanding challenges. It first explains the key arenas of legal accountability, and then offers guidance for managing a legal crisis, and for staying out of trouble in the first place.

Corporate Accountability—The Three Key Legal Arenas

In years past, a company faced with an allegation of criminal activity often had a one-dimensional strategy—avoid any finding of guilt. A typical response involved “circling the wagons” around the company and its managers, and opposing the government at every turn. Today, that strategy is rarely used, because companies are responding to more complex considerations. These cluster around three key arenas, and the manager’s task starts with understanding each.

The Corporation: Criminal, Good Citizen, or Both?
The first arena is that of corporate criminal liability. When does a company commit a crime, and how is the seriousness of the offense gauged?

In an earlier era, the criminal law did not apply to corporations, which had “no body to kick and no soul to damn.” Many nations still limit the application of the criminal law to corporations, but in the United States today, a corporation commits a crime whenever one of its employees commits that crime, if the employee acts within the scope of employment and, in part, for the corporation’s benefit. It is irrelevant that the employee acts contrary to instructions or corporate policy, is motivated by personal benefit, has little authority, or that any benefit to the corporation from the crime is tenuous. A corporation can also commit a crime if the activities and knowledge of various employees, when added together, comprise that crime, even though no individual employee has committed it. Defenders of these expansive modern rules on corporate criminal liability argue that narrower rules could be too easily evaded. However, under the modern rules, even a company that is managed in the spirit of respect for the law will often find that it cannot police all employees carefully enough to avoid any criminal activity. If such a company is in a regulation-sensitive line of business, it may commit crimes quite often.

Salomon Brothers: The High Cost of a Hesitant Response »

U.S. law has special rules for evaluating the seriousness of a corporation’s crime. For an individual’s crime, the law gives great weight to his state of mind. Did the perpetrator mean to break the law? Did he purposely harm another? But how culpable is a corporation, and how severely should it be punished? The current federal approach is reflected in the 1991 Organizational Sentencing Guidelines (OSG), under which a corporation’s fine for a crime largely reflects two calculations. The first is a “base fine” tied to the seriousness of the discrete offense. The second is a “culpability score” which gauges whether, as to the particular offense and more generally, the company is a “good citizen corporation.” A checklist measures whether the company has an effective compliance program, responds early to problems, disciplines employees, notifies regulators of problems, and cooperates in investigations. The culpability score can make an enormous difference in the final fine, in the most extreme cases varying the base fine by a factor of as much as 80. The OSG applies only to sentencing, but the same approach is taken at other stages in the criminal process, including the decision to prosecute.2

Crimes are punished. The general criminal law uses prison and stigma, but, for corporations, jail is impossible and stigma ambiguous. Corporations can be subject to monetary fines, and fines are going up. Corporations have become more vulnerable to large fines as the distinction between civil and criminal enforcement has blurred. Many modern regulations permit multiple civil damages, or “civil money penalties,” enabling government to impose punitive financial sanctions without meeting the burdens of a criminal conviction.

When prosecutors confront serious corporate misfeasance, they almost always target individual managers for harsh treatment.

Nevertheless, those who enforce the law question the effectiveness of corporate fines as deterrence, especially when noncompliance is profitable and the likelihood of being caught small. How much did ADM’s fine hurt, given its $1.3 billion in liquid assets and profits the previous year of $700 million? Yet making fines even bigger raises other problems. Fines fall first on shareholders (although they may have profited from misfeasance), and impairing a company hurts employees, creditors, and those seeking compensation for the same harm.

The Manager: Where the Blame Rests Most Heavily
The second key legal arena is the liability of individual managers for their personal criminal conduct.

The growing use of severe sanctions against individual managers is driven by several considerations. Prosecutors concerned about the effectiveness of punishing corporations take comfort in the undisputed effectiveness of punishing managers—no manager views jail time as a cost of doing business, and even lesser sanctions—or just the threat of lesser sanctions— can be devastating to a manager’s career and family. Accepting corporate fines as satisfaction in full is often viewed as allowing managers to purchase leniency with corporate assets. The federal Sentencing Guidelines for Individuals toughened punishment, especially for white-collar crime, and usually require jail time upon conviction for most major offenses. Thus, when today’s prosecutors confront serious corporate misfeasance, they almost always target individual managers for harsh treatment, even if the company is treated leniently—often because it cooperates in the prosecution of its managers.

Are managers being held to higher standards than other people? In some respects, probably yes. Even though ignorance of the law is generally not an excuse for breaking the law, prosecutors are usually reluctant to pursue those who unknowingly do wrong. Yet managers are often required to cultivate whatever expertise is needed under today’s complex regulatory regimes. Some modern statutes assign compliance responsibilities to specific managers, and these persons are at high risk—environmental compliance officers are referred to only half-jokingly as “designated jail birds.” Other statutes have broad requirements of adequate supervision within an organization generally. Managers far from a problem can be legally entangled by these provisions—as knowledge of a specific compliance problem passes up the management ladder, so does supervisory responsibility for that problem.

There are good reasons for making it easy to convict managers, whose inattentiveness or lapses of judgment can cause grave harm. Sophisticated managers can meet standards that are higher than those routinely imposed by the law. And prosecutors say they rarely seek convictions on the basis of the loosest legal standards unless culpability in a stricter sense is present. But threatening managers with criminal liability is widely used to gain leverage.

The Board: A Sharper Eye on Compliance
The third key arena is corporate governance. Directors can commit regulatory crimes like any other corporate agent, but the central concern for boards is not criminal liability, but a still-emerging body of doctrine that is increasing the threat of civil liability for directors who are not sufficiently attentive to compliance concerns.

One key development was the Private Securities Litigation Reform Act of 1995 (PSLRA), which requires auditors to examine a company’s compliance procedures and to report apparent illegalities to the board. This brings compliance within the established orbit of audits and securities law disclosures. The PSLRA’s impact is being reinforced by a 1997 Statement on Auditing Standards, which strengthens auditors’ obligations to probe for and report fraud.3

Another landmark was the 1996 Delaware court ruling in Caremark. In this civil lawsuit evaluating director responsibility for one company’s losses due to criminal infractions under the Medicare program, the court underscored a board’s responsibility to adopt systems that keep it adequately informed of compliance problems.4 This contrasted to an earlier Delaware court opinion that had written approvingly of directors who assumed that managers were honest until given reason to think otherwise.

How worried should directors be? The ramifications of the PSLRA and Caremark are still unfolding. Director liability is still almost exclusively a civil, not criminal, matter. Outside directors are much less likely to have the close involvement that would expose them to more severe sanctions. A broad body of state law protects directors—the “business judgment rule” limits second-guessing of boards, and indemnification and liability insurance for directors is encouraged. When merger litigation in the 1980s threatened to increase director liability, many states strengthened legal protection for board members.

However, the newer demands for accountability may prove stronger. They are grounded in federal law, which can override state laws that protect directors. For example, the U.S. Securities and Exchange Commission (SEC), a federal agency, has imposed limits on corporate indemnification of directors who violate federal securities laws, even when such indemnification would be permitted under state law.

Perhaps more importantly, state laws protecting directors emerged in the context of private disputes over corporate assets. Today’s demands for increased director accountability will often arise in the context of compromised public interests relating to bank or insurance company failures, pollution, price fixing, and health care overcharges. Often, the company involved will have admitted to criminal conduct. In these circumstances, directors may enjoy less deference to their judgment.

The Department of Justice suggests harsher treatment for corporations that are too generous in advancing defense funds to individuals.

Moreover, directors seeking to avoid civil liability will be pressed to become more informed about concrete compliance problems. After they have such knowledge and act—or fail to—they are vulnerable to the more serious allegations that can be made against those with specific knowledge and a supervisory role. As a director’s conduct becomes more culpable, the protection of indemnification and insurance recedes. The U.S. Department of Justice (DOJ) suggests harsher treatment for corporations that are too generous in advancing defense funds to individuals who need legal representation. 5

The Corporation in Trouble

Crises are unpredictable. The company may be put off balance repeatedly as matters unfold. There are no rules adequate for every contingency. But certain issues must almost always be addressed when criminal prosecution becomes a possibility.6

Targeted!
A company’s first reaction is often blunted by uncertainty and defensiveness, but managers should quickly come to grips with some new and harsh realities.

No matter how the crisis comes to light—through other managers, auditors, counsel, a private lawsuit, or a public event—a government investigation is a likely outcome. The regulators with whom a company routinely deals are often lax, and complex corporate practices are often opaque to their oversight. The investigative and enforcement personnel within regulatory agencies are more focused and persistent. The prosecutorial agencies to which serious matters are referred—for federal offenses, the DOJ and U.S. Attorney’s Offices, supported by the FBI—are an even harsher breed. Prosecutors have exclusive power to initiate criminal proceedings and extraordinary discretion. Sentencing guidelines have increased their clout—judicial discretion over sentencing gives judges a final say, but with guidelines a prosecutor’s framing of charges takes on additional importance. Unlike regulators, who are uncomfortable with disparate treatment of similarly situated companies, prosecutors see their role as serving up examples, treating them harshly to deter others who might not be caught.

Expect to see confidential information made public. Government investigative tools are powerful, and corporations have little privacy under the law. Barriers that assure confidentiality in other circumstances are easily pierced. A company’s internal records can be reached. Managers questioned by government and warned about the penalties for evasion often disclose all they know. A company should assume its internal deliberations— except for certain discussions with counsel—will come to light. Government investigations of business crime are increasingly using tools like wiretaps and no-warning searches that until recently were reserved for criminal enterprises.

The criminal process is a drama in vilification. Do not expect a sympathetic public ear.

The public often displays great interest in accusations against companies. Prosecutors are publicity-minded and regularly ride high-profile cases to elective office. You may think this is unbusinesslike, or that a complex problem is being viewed simplistically. However, the criminal process is a drama in vilification. Do not expect a sympathetic public ear.

Avoiding a Second Wave of Legal Problems
Management must act promptly to avoid the secondary legal problems that can arise from investigations. Lying and tampering with evidence are serious offenses—often more serious than the offenses that triggered an investigation. Prosecutors are good at spotting cover-ups and they respond harshly—both to buttress their powers and the integrity of the process, and because it is fair to punish obstruction severely when underlying offenses may have been obscured.

Who Takes Charge?
Responsibility for guiding the company through the crisis should be vested above the highest level of management whose judgment will be scrutinized for direct misfeasance or lapses of supervision. If that includes senior management, responsibility should be placed with outside directors.

Such crises require special skills, and may indicate a management failure. Is there need for technical expertise, better communication with regulators, assistance with the media, or fresh leadership?

The lawyers will have a central role. They will assess the case against the company, and coordinate a defense to what may involve criminal, administrative, and civil threats from a variety of parties. The lawyers will act to protect the confidentiality of deliberations on legal strategy, and position the company with respect to managers whose conduct will be questioned. The use of outside rather than in-house counsel will add cost and portentousness which may or may not be appropriate. Outside counsel often brings more expertise, and also independence, which can constrain the company but comfort the board and outside constituencies. Outside counsel offers better protection of confidentiality because in-house counsel often blurs its legal and managerial roles. Managers sometimes complain that the lawyers assume control over management decisions as well as legal ones, but there is no clear line between the two, and often only the lawyers have experience with such crises.

Figuring Out the Problem
The company will probably want a formal internal investigation. The investigation needs to be done right, since the results may get a hard look from within and outside the company. The principle of placing responsibility above the highest level of management that may be scrutinized applies here too. Managers offended by this should consider that the alternative to a credible internal investigation may be a hostile external one.

The company needs to determine what went wrong, not just legally, but operationally. Was the problem in the central office or the field? Was it a failure to adapt to shifting public policy? Did management not follow legal advice or get poor advice? Was the weakness due to temporary circumstances such as personnel turnovers, or more structural factors?

The most important question the company must ask is whether it “owns” the challenged conduct, or attributes it to rogue employees for whom it is not morally responsible, though it may be legally so. That is, does the company consider itself an appropriate target or a victim?

Once the company has made its assessment of what went wrong, it will try to convince the regulators. This can have a substantial impact even if not completely successful. The company may share its goodfaith evaluation of individual managers. This can range from fully backing some managers to encouraging the prosecution of others, or a broad range of middle positions, such as disciplining some managers but helping them defend against criminal liability.

In the Exxon Valdez $5 billion civil trial, the CEO’s change of view was used to discredit him.

An assessment takes time, but time can be costly. Regulators are more open-minded early in their involvement, before their views have solidified. The good citizen corporation accepts responsibility, but doing so without knowing what went wrong creates new problems. Shortly after the Exxon Valdez oil spill in 1989, Exxon’s CEO acknowledged the possible role of the captain’s drinking. Later, he and many others concluded that the causes of the accident lay elsewhere. In the civil trial that resulted in a $5 billion verdict, mostly for punitive damages, the CEO’s change of view was used to discredit him.

Shielding the Public from Harm
Management should ask whether steps are needed to protect the public from continuing risk, since preventable harm inflicted after a company is alerted to a problem will be viewed harshly. A tendency to delay is common. If an internal investigation is under way, interim measures such as revised procedures may seem unfair to employees and a premature acknowledgment of guilt. The company may fear that failure to notify regulators will appear more derelict if internal action is taken. However, interim measures to protect the public are often the only responsible reaction to a problem not yet fully understood. In its action against the Salomon executives, the SEC placed special emphasis on the fact that the errant trader continued to break the rules after top management knew about an earlier offense.

Disclosure to the Public
If a company is under investigation, should the company declare this publicly? Investigative agencies often proceed discreetly. This can benefit the targeted company—an agency can more easily relent if public scrutiny is absent. But secrecy may violate securities law requirements on disclosure and insider trading.

Disclosure to Regulators—A Better Idea than You Think
If regulators are unaware of a legal problem, should the company tell? Serious crimes must be disclosed, although for some kinds of crimes the facts are rarely clear. Some laws specifically require disclosure, as for certain environmental spills.

Other legal requirements may have the same effect. Reports filed with the government by regulated industries and contractors must be accurate. Nondisclosure may actively mislead an agency, or render other disclosures misleading. Public protection may require agency involvement.

When notifying regulators of a legal problem is not legally required, this course may have little appeal at first glance. Perhaps the problem can be hidden, or dealt with responsibly within the company. There is not yet a clear moral consensus on confession or snitching. Nevertheless, disclosure often makes sense:

  • Failure to disclose is a “slippery slope.” The failure is likely to inhibit an effective internal response not just to the current infraction, but to future infractions. Dealing forthrightly with any future problem will also call attention to past offenses which have been buried, and employees implicated in later incidents will rightfully complain that they are being treated unfairly compared to those involved in earlier incidents which were covered up. Maintaining secrecy may require increasingly culpable conduct, such as pressuring others to lie.
  • The attempt at secrecy may fail. Companies are scrutinized by regulators, media, lawsuits, and audits. An employee—past or current—may “blow the whistle.” The company will have missed the chance to be forthcoming, and judgment will be harsher when facts become known by other means, especially for managers involved in the cover-up.
  • Often voluntary disclosure is made after a period of equivocation. This can be the worst of both worlds. The delay, and those responsible for it, must be disclosed. The rewards for self-reporting diminish over time, and little credit is given if other events are in motion that would have brought the matter to light.
  • The more serious the problem, the more tempting secrecy. But a company is on firmer ground arguing it can manage a minor problem. Covering up a major infraction is likely to become another major infraction.

Thus, while secrecy may be appealing initially, especially to managers closest to a problem, those taking a broader view may conclude otherwise. Disclosure should be given full and prompt consideration.

Avoiding a Repeat Performance
The most important reason to figure out what went wrong is to avoid repeating it. Most excuses— misunderstanding the law, an innocent’s vulnerability to the machinations of others—ring false the second time. Agencies often decide after preliminary review to dispose of a matter leniently, but not when a company has been in trouble before. Expect harsher treatment the second time around.

Staying Out of Trouble

How Much Should a Company Worry?
More now than a few years ago, but otherwise the answer varies. The law is generally stricter for businesses with a direct impact on public health or safety. Big companies attract attention. Some companies are weak on compliance. Certain industries are “hot spots”—finance usually gets a hard look during economic contractions, and health care is drawing attention because of rising health care costs, public concerns about profiteering, and the government’s role as a purchaser.

The Manager as Target »

Keeping Bad Company
The most important rule for avoiding trouble is being careful of the company you keep. Expansive rules on accomplice liability reach those on the periphery of offenses. Many harshly scrutinized companies and managers did not engage in wrongdoing serious enough to attract attention, but became entangled in an investigation of a primary target with whom they had dealings. Some schemers aggressively recruit others, validating an “everyone does it” ethic. Even an arm’s-length deal with a party that has lax standards can be a problem. If the deal spreads the profits of noncompliance, regulators may scrutinize all who benefit. A company claiming ignorance of wrongdoing can be surprised to learn how much some of its own employees know, and the law deems the company to have all such knowledge.

Board Leadership
The arguments for board leadership in keeping a company attentive to potential legal problems have become stronger. The Caremark decision and the PSLRA sent a strong message to directors. The management systems endorsed by the OSG require board support. The board must protect its members and its ability to attract candidates. Yet focus on compliance is difficult to cultivate. Serious compliance problems are infrequent. Most relevant decisions are made outside the boardroom, and many are technical. Recent legal changes have raised the risks of passivity but not eliminated its attractiveness. What should a busy board do?

It should, with counsel, assess the company’s vulnerabilities. What lines of business are compliancesensitive? Is there a history of compliance problems? Are there organizational weak-points, such as employees with autonomy and incentives to cut corners? Has the company outgrown oversight systems that worked when it was smaller?

While some concerns can be addressed ad hoc, a company with sensitive lines of business is likely to conclude that a formal compliance program is appropriate. With appropriate management systems in place, the board should have a limited hands-on role. Procedures for bringing problems before the board should screen out those not warranting board attention. The board and its auditors should have a common understanding of how compliance issues will be raised in that context. The board will want a record of responsible consideration of matters that do come before it, including in every case documented assurances of an appropriate management response. Board policies about indemnification and the advancement of legal expenses should be carefully balanced; for example, should a company support a manager who is not cooperating with a company’s own investigation?

In compliance matters, the board will rely on counsel and auditors, but these advisors may be uncomfortable policing the managers who retain them for much of their services. The board is owed an overriding loyalty, which it can usually command by making its expectations clear and creating channels of communication running directly to it or, when appropriate, the outside directors.

Boards must remember that systems and experts can’t completely supplant the board’s independent judgment. Recently, the SEC issued a report critical of some W.R. Grace directors for failing to press the company to disclose details about the CEO’s retirement package. The directors argued that expert counsel had approved the sufficiency of the disclosures, and one SEC commissioner agreed.7 The SEC may have been concerned with board independence in a public company with a strong family presence. Uncritical reliance on routine procedures may be insufficient if there is reason to fear they may be out-of-plumb.

Compliance Programs
The OSG make effective compliance programs a key factor in corporate culpability and contain guidance on written standards and procedures, the designation of high-level personnel with compliance responsibility, education and training, and active self-policing. Some agencies have added further guidance. The absence of a compliance program might be the “sustained or systematic” failure that, under Caremark, is the basis of director civil liability.8

Setting up compliance programs with the help of lawyers and consultants has become routine. Running an effective program is more difficult:

  • A program’s written standards can’t be clearer than the often ambiguous regulations they mirror, or incorporate the balance and context necessary to the interpretation of prohibitions.
  • Compliance programs face cynicism, even from those who run them. Is the company committed or pretending? Given the OSG, even elaborate systems may be nothing but posturing for government.
  • Compliance is about punishment, and commitment is difficult to cultivate when punishment looms larger than rewards. Compliance records can be obtained by regulators and adverse private parties, providing them a map to the company’s lapses.

Regulators have an answer to cynicism and weak commitment. Compliance is taken seriously, they say, if a company punishes noncompliance and conduct that undermines compliance programs. Programs without a track record of internal discipline are likely to be window-dressing, especially since companies can impose sanctions without meeting the burdens of a criminal proceeding. The regulators are, I think, right. A company should sometimes emphasize guidance over punishment, but a compliance program must have teeth. This is especially difficult but important for lapses by higher management, as to which the board will have to make its own commitment clear.

Corporate Culture
Commentators emphasize the importance of “corporate culture” in ethics and compliance.9 This is platitudinous but correct. Integrity is elusive, but anyone who has sat through meetings of boards or senior management knows that sometimes it is clear that ethical expectations are high and sometimes this clarity is lacking or worse.

Leadership sets the tone. On the board, the chair and others who enjoy special influence should be individuals of integrity. Clear expectations from the board to top management can diffuse far down the company. No circumstance puts a company at greater hazard than direct involvement of a senior manager in a crime: Under the OSG, it sharply increases corporate culpability and precludes credit for an otherwise effective compliance program.

The Regulation-Savvy Company
A company needs to be savvy about its regulatory environment. Legal standards are often so unsettled as to leave no practical course completely safe. Given ambiguous regulations and agency discretion, de facto standards can shift without notice. Agencies sometimes use enforcement actions to develop new standards.

A savvy company anticipates shifting standards to the extent possible, because backpedaling from strategies and relationships can be costly. Agencies sometimes provide informal notice of enforcement shifts with public comments, redeployment of resources, and civil actions as preludes to later prosecutions. When a company practice falls under a shadow, it must be reevaluated. Senior management may need to prod, since managers closest to the practice may be too defensive. Even when agencies provide no warning, initial targets are often companies that have pursued a questionable practice most aggressively and crossed lines the rest of the industry has respected—being a frontrunner can be risky.

Government and business see the world differently, but a company must understand the regulatory perspective. For example, there is often no clear answer to the question of whether an innovation is legal. Is it likely to be viewed by regulators as an evasion of rules too narrowly drawn, to be hit hard as soon as a means can be found? Or will the innovation be seen as providing public benefit, and calling for a new regulatory response but not a hostile one? Good lawyers bring this understanding, but some are disinclined towards the conjecturing that long-term planning requires. They feel it undermines their credibility and risks endorsing conduct that later proves problematic. In an earlier day, companies could turn to attorneys on the board for strategic advice, but many law firms, concerned about liability, discourage board service. Some otherwise astute managers are boneheaded about government in general; no one with that impairment should be driving sensitive corporate decisions.

Reading the Risks: Some Common Miscues
Some patterns of enforcement regularly blind-side business:

  • Deregulation. In traditionally heavily regulated industries, innovation is stifled, but regulators are rarely nasty—they mainly say no. With deregulation, public concerns about abusive tendencies can become more pointed. The law often responds by redefining abuses broadly enough to apply to shifting business practices and by using criminal sanctions severe enough to inculcate restraint even while the law permits private initiative wide range. Antitrust law and securities law fit this pattern: innovationfriendly, but with sharp-edged prohibitions against collusion and dishonesty. Regulation of the financial services industry is moving in this direction. Business should not misinterpret deregulation as “anything goes.”
  • Doing business with government. When government enters commercial relationships, it does so under some unique disabilities. It often can’t walk away from untrustworthy business partners; for example, Medicare can bar a health care provider only upon proof of egregious misconduct. It often relinquishes initiative and judgment to private parties; for exam ple, pricing is often determined through bidding, most-favored-nation clauses, or cost-based reimbursement. And government bureaucracies, lacking the spur of proprietary interest, often don’t watch their money carefully day-to-day. All this creates opportunities for those who would overreach. Nevertheless, government does care about its money, although in an episodic and politicized fashion. And government has one unique strength—the police power—which it uses in place of the managerial devices by which the private sector protects its interests. Its commercial dealings typically show a pattern of broad passivity, with narrow and shifting nasty spikes of policing generating a steady stream of criminal prosecutions of those with whom it does business.
  • Crooks, betrayals of trust, and deep pockets. One priority for prosecutors is companies that flagrantly violate the law. These are often marginal businesses hoping to fly under the enforcement radar. Occasionally, prosecutors target larger companies for complex and novel business arrangements that exploit the fuzzy edges of regulatory principles. Such companies can be surprised and incensed—shouldn’t prosecutors be chasing blatant criminals? Yes, but not all the time. The law must evolve in the face of business innovation, and big companies should be held to high standards. The criminal law protects society against hard-core crooks from whom little is expected, and betrayals of trust by those in positions of high responsibility from whom much is expected. Targeting large companies for ambiguous offenses may become more attractive. “Good citizen corporations” that forego defensive tactics are easier targets. The standards for an eye-catching fine are rising. Entrepreneurial enforcement can create agency dependency upon recoveries, and large companies can provide substantial settlements, even in weak cases.
U.S. Regulators: The World's Rogue Policeman or Role Model? »

Criminalizing—and Professionalizing— Management Accountability

Recent legal trends represent a massive infusion of individual responsibility into business regulation. The law could have taken other paths—for example, in products liability, corporations face expansive accountability but individual managers or directors are rarely called to account no matter how egregious their lapses. However, the trend towards greater individual accountability has been dominant; even today’s corporate self-policing is, in practice, largely a matter of disciplining individuals.

The expansion of individual legal accountability does not appear to have run its course. Recent high-water marks such as the S&L imprisonments are viewed by the public and regulators as appropriate models for the future. Increasingly harsh punishment is a broad trend in U.S. criminal justice, not limited to regulatory crimes. The general U.S. incarceration rate is 600 adults per hundred thousand, compared to 85 for Germany, 100 for England, and 37 for Japan. The U.S. incarceration rate has doubled in 10 years, and public support for punitiveness remains strong. In this climate, the question isn’t “Why send managers to jail?” but “Why not?”

Business leaders are accustomed to responsibility, but the free-wheeling style they bring to many tasks will not serve them well in meeting their expanding legal accountability. A different frame of mind is required. I believe that the new business accountability is best viewed as the professionalization of the role of managers and directors in assuring the public accountability of our business institutions. This view is not offered as an academic assessment of no practical value, but rather because I think business leaders will find it helpful to keep in mind parallels between their new responsibilities and the way the traditional professions—such as doctors, lawyers, and accountants— approach difficult judgments.

Like the standards that have long applied in the professions, the new business accountability has little tolerance for inattention to risks. It is quick to impose a responsibility to dig deeper at the hint of a problem, and demands an expert’s grasp of complex technical issues.

Accountability in the professions has always emphasized the individual, with an overlay of collegial responsibility, as among the partners of a professional services firm, who are typically jointly liable as individuals for any of the firm’s lapses. They are not allowed to hide behind a corporate entity. The new business accountability shadows this pattern; directors and managers are held to high standards individually and as to the conduct of others on the team.

Some Final Pointers for Staying Out of Trouble »

Professionals are “fiduciaries,” holding positions of trust. Directors have long been considered fiduciaries for shareholders, and boards have become more professional under the prodding of federal securities laws. The new business accountability imposes on managers and directors similar duties to other constituencies: in health care, to patients and payers; in financial services, to those whose funds are held; for businesses with an environmental impact, to the communities affected. I believe that forceful sanctions for holding business to high standards are essential to public confidence in business institutions. Even the business community harbors a grudging respect for hard-edged regulation: the tough antitrust and securities laws are broadly viewed by business as essential to the United States’ robust system of competition and capital markets.

However, I doubt if business leaders will ever be as comfortable with their individual accountability as traditional professionals are with theirs. In the business world, standards are less stable or thoughtful, and new legal initiatives often involve years of groping before sound principles take clear shape. Education, training, and the job environment provide little preparation or support for meeting these responsibilities. The penalties are more severe, with greater use of criminal sanctions.

Moreover, compliance concerns are typically only a small part of a business leader’s job. Managers and directors are not expected to act like cautious professionals most of the time—in fact, society encourages a more entrepreneurial, innovative, and risk-tolerant mind-set. Yet from time to time they must “shift gears” and accept the priority of certain exacting public responsibilities, even when this conflicts with other demands of running a business. Shifting in and out of the appropriate orientation is not easy, but, in today’s legal environment, a manager who fails to do so puts the company at risk and himself or herself at extreme peril.

References

1. U.S. Department of Justice Special Counsel for Financial Institution Fraud, “Financial Institution Fraud—Special Report” (1995). See table at p. 20 (“Major Financial Institution Fraud Cases”).

2. For a current statement of prosecutorial policy, see:

“Federal Prosecution of Corporations,” internal U.S. Department of Justice document circulated under a memorandum from Eric Holder dated 16 June 1999 (www.bna.com/prodhome/leg/guidance.html).

3. SAS No. 82 on “Consideration of Fraud in a Financial Statement Audit,” promulgated by the American Institute of Certified Public Accountants, effective for audit periods ending on or after 15 December 1997 (reproduced in Journal of Accountancy, April 1997, pp. 88–99).

4. See: In re Caremark International Derivative Litigation, 698 A.2d 959 (Court of Chancery of Delaware, 1996).

5. See reference 2.

6. For crisis management with a legal bent, see: H. Pitt and K. Groskaufmanis, “When Bad Things Happen to Good Companies: A Crisis Management Primer,” Cardozo Law Review, volume 15, January 1994, pp. 951–969.

7. U.S. Securities and Exchange Commission Release Nos. 34-39156 (dealing with the company and ordering it to cease and desist from violating the securities laws) and 34-39157 (dealing with individual officers and directors and taking no formal action) (both dated 30 September 1997), reproduced at Federal Securities Law Reports (CCH), para. 85,963.

8. In re Caremark, p. 971 (see reference 4).

9. For a discussion of the limits of a legalistic approach, see:

L.S. Paine, “Managing for Organizational Integrity,” Harvard Business Review, volume 72, March/April 1994, pp. 106–117.