A few weeks ago, the United States Sentencing Commission (USSC) issued a report titled The Organizational Sentencing Guidelines: Thirty Years of Innovation and Influence. The publication summarizes the history of Chapter Eight’s development and discusses the two substantive changes made to the elements of an effective compliance and ethics program. So, what does this mean for compliance professionals? In this episode of the Principled Podcast, host Jen Uner, Strategic Communications Director at LRN, talks about the guidelines with Eric Morehead, Director of Advisory Services at LRN. Listen in as the two discuss how these updates—and the wider USSC—impact corporate governance.
The purpose of the U.S. Sentencing Commission is to study and develop sentencing policies for the federal courts. The Commission serves as an information resource for Congress, the executive, the courts, and the public on matters relating to federal crime and sentencing. Our episode today focuses on Chapter 8, which addresses organizational sentencing guidelines, not individual sentencing guidelines which is also a significant focus for the USSC.
Be sure to subscribe to the Principled Podcast wherever you get your podcasts.
Eric Morehead is a member of LRN’s Advisory Services team and has over 20 years of experience working with organizations seeking to address compliance issues and build effective compliance and ethics programs. Eric conducts program assessments and examines specific compliance risks, he drafts compliance policies and codes of conduct, works with organizations to build and improve their compliance processes and tools, and provides live training for Boards of Directors, executives, managers, and employees.
Eric ran his own consultancy for six years where he advised clients on compliance program enhancements and assisted in creating effective compliance solutions.
Eric was formally the Head of Advisory Services for NYSE Governance Services, a leading compliance training organization, where he was responsible for all aspects of NYSE Governance Services’ compliance consulting arm.
Prior to joining NYSE, Eric was an Assistant General Counsel of the United States Sentencing Commission in Washington, DC. Eric served as the chair of the policy team that amended the Organizational Sentencing Guidelines in 2010.
Eric also spent nearly a decade as a litigation attorney in Houston, Texas where he focused on white-collar and regulatory cases and represented clients at trial and before various agencies including SEC, OSHA and CFTC.
Jen Üner is the Strategic Communications Director for LRN, where she captains programs for both internal and external audiences. She has an insatiable curiosity and an overdeveloped sense of right and wrong which she challenges each day through her study of ethics, compliance, and the value of values-based behavior in corporate governance. Prior to joining LRN, Jen led marketing communications for innovative technology companies operating in Europe and the US, and for media and marketplaces in California. She has won recognition for her work in brand development and experiential design, earned placements in leading news publications, and hosted a closing bell ceremony of the NASDAQ in honor of the California fashion industry as founder of the LA Fashion Awards. Jen holds a B.A. degree from Claremont McKenna College.
Intro: Welcome to the Principled Podcast brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership, and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change makers.
Jen Uner: A few weeks ago, the United States Sentencing Commission issued a report titled The Organizational Sentencing Guidelines: 30 Years of Innovation and Influence. The publication summarizes the history of Chapter Eight's development and discusses the two substantive changes made to the elements of an effective compliance and ethics program. Hello, and welcome to another episode of LRN's Principled Podcast. I'm your host, Jen Uner, strategic communications director at LRN, and today, I'm joined by my colleague, Eric Morehead, director of advisory services solutions at LRN. We're going to be talking about the guidelines, and how it impacts corporate governance and what compliance professionals need to know. Eric Morehead is a real expert in the space as he once worked on these guidelines in a prior role at the US Sentencing Commission. He advises LRN clients now on these topics. Eric, thank you for coming on the Principled Podcast.
Eric Morehead: Thanks, Jen. It's good to be here.
Jen Uner: So hot off the press is this new publication from the US Sentencing Commission. Tell us about what it is, why it matters, and especially to owners of compliance programs at their organizations.
Eric Morehead: Well, it's sort of a look back over the last 30 years. The Sentencing Guidelines for organizations were first promulgated and came into effect in 1991, so technically the 30th anniversary was last year, but the report has just come out now, and over those 30 years, there's been about 5,000 organizations that have been sentenced under the US Sentencing Guidelines. The Sentencing Commission and the Sentencing Guidelines have to do with federal sentencing, so either individuals or organizations who have been charged with a federal offense and find themselves in a federal district court, somewhere in the United States, and they either have pled guilty, or been found guilty by a jury, or found guilty by a judge after a bench trial, and now they're being sentenced. So when you sentence an individual, obviously, that can include a fine in restitution, but also time in a federal penitentiary.
You can't jail an organization, but the Organizational Guidelines have put together over the last 30 years standards by which the judge can assess fines, restitution, and also order when necessary compliance reforms and implementation. Since you can't put the organization behind bars, you can however, put the organization on probation and require the organization to make some necessary reforms, if you will. So that's a kind of quick background of what the guidelines are for those of you who weren't sure, and why they matter to us, because the implementation of compliance standards is baked into any kind of probationary sentence or sentence that's handed down to an organization, or can be baked into, I should say.
Jen Uner: And you have personal experience at the USSC.
Eric Morehead: Yes, I worked at the Sentencing Commission from about 2007 to 2011, and during that period, there have been two amendments to the original guidelines that were first put out in 1991 for organizations. The first was in 2004, partly in response to Sarbanes-Oxley and the legislation that came out at that point around implementing reforms for organizations and their governance, but also there was back at the time in the early 2000s, a task force put together that the Sentencing Commission took some advice from. And so they made some amendments in 2004. The primary thing that happened in 2004 is that these compliance standards that are in the Sentencing Guidelines were put more front and center.
They had been what are called application notes before, and they were actually promoted, if you will, to an actual textual listing in the guidelines. Just making them more prominent is really what it boiled down to. Also, putting a little further definition around the components of an effective program, training, governance and oversight, written standards, and procedures in place, reporting mechanisms, that we all know most organizations have an anonymous reporting mechanism, a hotline or helpline out there. That comes out of these standards that were first put together by the US Sentencing Commission. They were the first national standard in the United States anyway that suggested having a reporting mechanism, including with an anonymous option.
Enforcement, discipline, and incentives often overlooked, but the Sentencing Guidelines have been talking about incentives for the past couple decades as well. And then in 2010 while I was there, the second amendment to the Organizational Sentencing Guidelines was undertaken, and that also strengthened that relationship between the governing authority of the organization, the board of directors, or whatever the oversight of a particular organization might be, because these guidelines affect not just public companies, but any kind of organization, so nonprofits, governmental agencies. Any kind of organizational structure is contemplated by the guidelines, and the 2010 amendments strengthened that relationship between the people actually responsible for the program and the governing authority of the organization, and also provided some incentives for organizations to come forward and to reform their programs. So those things have all happened over the years.
Given the length of time that the Sentencing Guidelines have been in effect, now 30 years plus, to only have gone back and revisited them twice is not that significant. So they've been kind of bedrock standards that have existed and been well known. We often talk about them as the hallmarks of an effective program for this entire time, and the commission gathers data, and so the other big piece of this report that's very interesting is there's 30 years worth of data. And in fact, the majority of the report goes through in much detail about the demographic characteristics of organizations that have been sentenced over the years, how many organizations have received credit for having an effective program. Spoiler alert, not very many out of the 5,000, less than a dozen. So that's the other great thing about this report for those of us who are interested in compliance is you have a great wealth of data to see what the characteristics are, and how organizations have gotten into real serious trouble in the past.
Jen Uner: So you were saying there have only been two amendments since inception?
Eric Morehead: Yes.
Jen Uner: That's pretty interesting, because it kind of speaks to how enduring.
Eric Morehead: Yeah, they got it right, and the primary takeaway in this report in the executive summary in the beginning is that the biggest impact that the commission sees for its work is that these standards have become so universally accepted, and that's not just in the United States. That's across the world. These standards are seen to be when you're talking about effective compliance programs, they're seen to be sort of the bedrock, if you will. There are obviously other international standards out there in Europe, and Asia, and other places where government agencies and international agencies like the OECD Good Guidance that came out well over two decades ago itself.
They all kind of trend and follow the same path, if you will, that the Sentencing Guidelines started 30 years ago. So it really has been the guiding light for not just individual organizations that want to build a better program, but also other regulators out there, whether that's the Department of Justice, or other agencies here in the United States, or international organizations that are adopting compliance standards.
Jen Uner: So the most recent publication, it provides great historical context about the commission and its impact. Can you outline some of those highlights? I remember that the report is chock full of charts, data, as you were saying, which is great if you're needing to report about program effectiveness, for example. What do you think is most salient for leaders in that report?
Eric Morehead: Yeah, as far as those particular pieces of data, nothing here if you've been paying attention to the sentencing guideline data over the years, and every year, I should mention that the Sentencing Commission puts out what they call the Sentencing Source Book, and that has a lot of data about not only individual's sentencing, which is the primary thing that the Sentencing Commission collects data on is the actual, real living human beings that are being sentenced year in, year out in federal courts around the nation, but it also includes data on the organizations that have been sentenced in that prior year. So if you've been paying attention over the years and looking at these source books, you will have noted that pretty much year in, year out, the vast majority of organizations that are sentenced, 70% of them have less than 50 employees, and 12.1% have 99 to 400 employees.
And just a very small percentage, 8%, have more than 500 employees. So the vast majority of organizations that get sentenced are very small, but if you think about it, that makes logical sense, because smaller organizations tend to have less governance structure, probably have less resources, probably don't have a compliance program, and that's certainly the finding that courts when they review these cases 89.6% of the time, so almost 90% of the time organizations have been found not to have a program in place, or what was in place was not significant enough to be considered a compliance program. So those two figures seem to correlate well, right?
The organizations that face the most serious repercussions are small and also don't have a program, so probably hadn't even contemplated having a program before misconduct occurred. The other real striking piece of information that comes out of this report and is also something that's been consistent through the years is the number of actual living human beings that are being sentenced along with the organizations in these cases. When we look at these cases, often we're talking about the demographics of the company, how many employees they have, what sort of crimes they have been found guilty of, how big the fines are, et cetera, but sometimes what gets lost in that discussion is the fact that if there's misconduct that's occurred, very often, there are individuals who are charged right along with the company for violations of the law. And in fact, over time, 53% of these cases include at least one other individual, and sometimes multiple individuals, who've also been charged with crime.
The other really striking piece of data out of this that I think a lot of people don't realize is the vast majority of individuals who are charged are not considered "high level", so these are folks that have some authority to engage in whatever behavior underlies the conduct that led to a criminal offense. So they probably are not at the very lowest level of the organization most of the time, but they are not necessarily in the C-suite. Only 25.7% of the individuals charged with an offense along with an organization were considered high level. So almost three quarters of those individuals who find themselves facing criminal sanction, potentially going off to the federal penitentiary are folks that are not considered high level in their organization, and I think that is perhaps counterintuitive, because we oftentimes hear the headlines of executives and other senior folks in organizations getting in trouble and facing criminal sanction, but the reality is the opposite of that.
Jen Uner: That's kind of scary, I got to say. I mean, it makes me as an individual in the company really want to pay attention to my compliance training.
Eric Morehead: Certainly. Anytime an organization... And granted these cases are not as numerous as situations where organizations may have an investigation and might settle with either the Department of Justice or an agency, like have a civil settlement, something short of a criminal conviction, and there are a lot of situations where organizations might receive a subpoena or have some sort of investigation that occurs, that just ends without any kind of charges or settlements being attained. So there's a lot of data that we don't have, right? Where things may not go perfectly, but don't go quite as bad as ending up with a criminal conviction, but it is scary to consider that there are individuals that are being charged right along with these organizations for this misconduct.
Jen Uner: It's really interesting, because so often inside organizations, you've got pressure on one side to perform or deliver in a certain way, and then you can find maybe shortcuts. I mean, I don't know how else to describe it, but a quicker way to get there that maybe is potentially outside the law. So it's true that there are real repercussions for taking those shortcuts, and also for not speaking up, if you see something.
Eric Morehead: Yeah, and the real repercussions here for organizations, again, you can't jail a company. You can only fine them. You can order restitution. A federal judge can order them to implement compliance reforms, put together a program if they don't have a program. Those are all things they can do, but the other thing to consider here too is if you take a federal felony conviction, and you are an organization that does any amount of work with the federal government, you can be debarred from future federal contracting, so that can very often... Taking a federal conviction beyond the fines and the costs associated with having to defend the organization against those charges, if it actually ends up with a conviction, and your organization relies heavily or primarily on government contracting, that's the end of the organization. I mean that's the death penalty.
The best example of that that we all can probably remember is Arthur Andersen. When they took the federal conviction in Houston for conduct involving Enron, that was the end of Arthur Andersen. They could no longer audit public companies, and they were debarred from government contracting, obviously, after that point too, and that was just the death sentence. Oftentimes when we're looking at these cases, when we look at the data, those are organizations that just had no options, because if there were any options before that to settle the case, to make reforms, to have some sort of civil settlement, those on-ramps just weren't available to them.
Jen Uner: I do remember that whole upheaval. My father was in accounting at I think Ernst & Young at the time. I can't even remember, but I do remember that massive upheaval for Arthur Andersen, and how they had to completely pivot the entire business.
Eric Morehead: Yeah. The consequences reputational and lost opportunity, real bottom line business costs involved in having misconduct, even if it doesn't rise to the level where we're talking about Sentencing Guidelines or having to implement Sentencing Guidelines for the organization, just an investigation can really derail an organization in a significant way.
Jen Uner: I'm going to ask kind of a uninformed question now. It's because I'm not a lawyer. This is going to be maybe really obvious for others, but in case you're like me, can you describe what the Sentencing Commission's relationship is with the DOJ and the SEC, and how do these organizations sort of interrelate? We so often hear about DOJ guidance, for example. How is that different from Sentencing Commission?
Eric Morehead: Over the years, we've seen more and more guidance both here in the United States and abroad from prosecuting entities like the DOJ, but also other regulatory agencies like SEC, and many of these regulatory organizations have compliance standards they put together. As far as I'm aware, they're pretty universally based on the same basic standards that we talk about in the Sentencing Guidelines. The DOJ guidance, and primarily we're talking about the memoranda that the criminal division has put out periodically since I think 2017 with the most recent iteration being the 2020 summer one, I believe, that guidance is based and explicitly cites the Sentencing Guidelines as its fundamental basis. Now, obviously there's a lot more detail and specificity within the DOJ guidance.
The difference between guidance from the Department of Justice, other guidance that you might see in other agencies, but particularly the memoranda that we're talking about from the DOJ, is that can be withdrawn at any time, and as we've seen over the past few years, it can be amended at any time. It's only a few years old, and it's been amended twice. The DOJ, if there's a change of administration or a change within the hierarchy of the criminal division, those new officials that come in may want to make a change. The former deputy attorney general in the prior administration had talked about doing away with memoranda from the department altogether and codifying everything in as much as you can codify it in the US Attorney's Manual. So there are various things that could potentially happen at any time.
Because the US Sentencing Commission is a rule making organization, there's a whole process that the commission has to go through before there are changes made to the Sentencing Guidelines. That's one of the reasons why there have been very few amendments to the Organizational Sentencing Guidelines over the years is because there's a whole process involved. The commission first has to publicly publish its intention to make any changes. It'll often, if there are proposals to make changes, it will seek public comment, often have a public hearing, and then it votes. And once a commission votes, if a new amendment is promulgated, then it's sent to Congress to both the House and the Senate, and they have a period of time to either make changes or not allow those guideline amendments to come into effect, but if they don't do anything, they automatically come into effect and basically have the force of law as the Sentencing Guidelines.
Now, granted the Sentencing Guidelines don't officially apply to your organization except when you're in front of a federal judge being sentenced, right? So if there's no sentence, there's no criminal offense where the sentence is being determined, the guidelines don't have any official capacity, but we've all taken them as the standards by which we measure the effectiveness of a program. So I guess what I'm saying here is I think any guidance is helpful guidance. Certainly the DOJ guidance has been very helpful and added more detail into what regulators are looking for when they peer into an organization, but just the sort of bread and butter basic pieces of a compliance program are always going to reflect back to those seven hallmarks of an effective program within the Sentencing Guidelines, because they're pretty immutable.
Jen Uner: So if you're building an E&C program, what are the steps that organizations should be taking to lower their risk? Can you go into a little bit more detail on that? How do you unearth all the rules that apply, and how can you effectively transmit them to the people in your organization?
Eric Morehead: Yeah. Whether you're using the Sentencing Guidelines, looking at the guidance from the Department of Justice, or guidance from international organizations like the OECD or others, I feel like, and this is backed up by the specific guidance that the department has given over the past few years of what they look for, every organization is unique. It's its own unique snowflake, right? And so you're going to have your own unique risk profile, and you're going to have to develop your own unique compliance program to be an effective control for those risks. So you evaluate all of these standards, but you put together a program, and you put together standards that really address what your program needs.
One of the key provisions of the Sentencing Guidelines, by the way, is what I would call the not one size fits all provision. The guidelines from the very beginning stages of when they were developed had this notion that not every program is going to look the same, not every program is going to be as extensive as other programs. Smaller organizations that are purely domestic here in the United States, for example, and maybe are smaller probably don't have the same exposure to anti-corruption concerns, for example, foreign bribery anti-corruption concerns that international organizations might have for just as an example. So really the best advice is to make sure that your program meets your needs, and so the first step along that process is evaluating and figuring out what your needs are.
What are compliance risks that your organization faces, and how are you addressing those risks, and do you need to reform those controls, put more resources behind training or monitoring and auditing, or whatever it might be to address those particular risks? So it's really an investigation of what you face as an organization, what are the risks you face, looking at all these standards, reading the guidance from the department, reading specific guidance that might apply to your organizations, for example, if there are particular compliance requirements. If you're a government contractor, you have to have a written code of conduct. You have to post certain reporting materials if you're a government contractor.
So there are some particularized compliance requirements, depending on who you are, and how your business is operating, and you have to be aware of all those standards, but you develop a program that fits your organization, that is very specific and customized to the risks you face, the resources you have to use, because not everybody has the same resources. So you have to make some tough calls sometimes as a compliance officer or the person responsible for compliance at an organization, because you may not be able to do all the things you really want to do, but you have to figure out and prioritize the things you need to do.
Jen Uner: Which makes me think about corporate culture, right? Because every company's culture is also unique and completely attuned to its own size and position of the marketplace, and where it trades, and who it does business with, and all of those pieces.
Eric Morehead: Yeah, the ethics side of compliance and ethics is the determining factor very often, right? The culture of the organization really tell the tale as to how effective or ineffective ultimately you're going to be. You may need more controls. You may have some potential risks that need to be addressed. Even if you have a super strong culture, you can't just get by on culture alone, because organizations are made up of a lot of individuals, and some of those individuals may have bad intent, but it's hard to imagine how you could properly resource an organization that had a poisonous culture, right? If you don't have values, if you don't have an effective ethical framework that everybody is primarily operating under, you can pour money onto systems, controls, tools, and it may not make any difference whatsoever. You can have a compliance budget that is the top budget out there, but if the culture is ruined or ruinous, then it's going to be really hard to have an effective program.
Jen Uner: Yeah. I think they famously have said, "Culture eats strategy for breakfast."
Eric Morehead: Yeah, and that's really true. I've seen different ends of the spectrum, right? I've seen organizations where the culture was hard to know how you would start to climb back up that hill and reform the culture, and how you would be able to have an effective program without having a positive, ethical culture, but I've also seen the other end too, which is less frequent, but also potentially problematic, where organizations... And sometimes I see this, for example, a good example of this would be a nonprofit where mission is really important, and everybody has a very ethical outlook, and they wouldn't be working at a nonprofit and particularly in difficult circumstances unless they really were all about the mission and had a very positive, ethical attitude, but they don't have a lot of structure. They don't have a lot of resources. And so there's always the potential that there could be failures and misconduct, because for instance, they might be a good target for an outside data privacy issue, right? Because they don't have strong data security systems.
Jen Uner: I was just going to say data privacy.
Eric Morehead: So you can be at both ends of the spectrum as far as that culture piece goes, and still have some serious compliance risks.
Jen Uner: So there's definitely always a need for E&C training for sure.
Eric Morehead: Yeah, training in Sentencing Guidelines, and the guidance from the Department of Justice, both are really clear about we are not interested in one size fits all. We are not interested in how big your budget is. We just want to make sure your budget is right, that the governing authority and the organization has addressed this properly and is serious about compliance, but if you're a smaller organization or an organization where the risks are being properly addressed without spending a lot of money, that can be perfectly fine. Again, depends on the individual organization, and what is their risk profile, how are they addressing those risks, and are they meeting the other big picture criteria of having some standards that everybody knows about, training where appropriate, having proper governance and oversight, and monitoring and auditing, having a reporting process, where people can ask questions and report concerns, properly enforcing the rules, and disciplining people, and having incentives. And that's the one that often gets missed. That's been in the Sentencing Guidelines for years now, and has is mentioned in the guidance. How do you incentivize proper behavior at your organization? That's really important too.
Jen Uner: There is so much that goes into building an effective E&C program. I'm sure we could be talking about this all day, but we are running out of time. I am so glad you could join me today to talk about this report and why it matters to every organization. I know we'll be including a link to that report in our show notes at LRN.com. My name is Jen Uner. I want to thank you, Eric, for joining me today.
Eric Morehead: Thanks, Jen. It was my pleasure to be here.
Jen Uner: And I want to thank everyone for listening to the Principled Podcast by LRN.
Outro: We hope you enjoyed this episode. The Principled Podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at LRN.com to learn more, and if you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcasts, or wherever you listen, and don't forget to leave us a review.
Be sure to subscribe to the Principled Podcast wherever you get your podcasts.