Adapted from Corporate Practice Portfolio Series No. 103A, Corporate Compliance: Practice Tools for Your Program, by Suzanne Rich Folsom, Senior Vice President and General Counsel, Philip Morris International Inc., et al.
One hallmark of an effective ethics and compliance program is a clear delineation of responsibility for overseeing and implementing the program. Failure to clearly and specifically designate appropriate corporate bodies and personnel as responsible for aspects of the program may result in a program that lacks key components or fails to effectively address compliance risks. Recognizing the importance of assigning responsibility for ethics and compliance and ensuring that sufficient resources are dedicated, the U.S. Sentencing Guidelines call for a three-tiered approach that consists of
(1) robust oversight of the ethics and compliance program by the company's board of directors;
(2) assigning a senior employee overall responsibility for implementing the program; and
(3) delegating day-to-day operational responsibility for the program to a specific individual with sufficient resources, experience, independence and authority to effectively implement the program.
Broadly speaking, a company's board of directors is ultimately responsible for overseeing and managing the company's business activities, including efforts to manage risk and ensure compliance with applicable laws and regulations. Robust board oversight can help ensure that the ethics and compliance program is effectively designed and set a strong “tone at the top,” signaling to employees and external stakeholders that the company is committed to doing business ethically and in compliance with applicable laws, which can foster a strong ethical culture. On the other hand, a lack of effective oversight may expose the company to legal risk and constitute a breach of the directors’ fiduciary duties to act in the best interests of the company.
Tone at the top is a familiar phrase at this point, but a company can't gloss over the concept as cliché—conduct by senior leaders and demonstrated leadership in compliance efforts are key factors federal enforcers consider when investigating misconduct.
The activities that any board (or an appropriate committee of the board) should consider undertaking to fulfill its oversight role include the following:
• obtaining and reviewing ethics and compliance program updates from management at least annually and, ideally, on a quarterly or more frequent basis;
• reviewing and approving the company's code of ethical business conduct, as well as any other significant compliance-related policies;
• assessing the structure and resources of the compliance function, including the competence of those responsible for administering it and the financial resources made available;
• assessing and planning a mitigation strategy for significant risks faced by the company, including natural disasters and pandemics (such as the novel coronavirus Covid-19 pandemic), safety incidents, cybersecurity and data breaches and economic downturns;
• oversight of the company's business continuity planning;
• retaining ultimate responsibility for hiring and firing the chief compliance officer (CCO) and for helping define the role and goals of the CCO;
• participating in and periodically reviewing the company's ethics and compliance training efforts;
• assessing the effectiveness of the company's various mechanisms (e.g., hotlines) for receiving compliance-related complaints and investigating and remediating alleged misconduct;
• addressing significant compliance issues that present serious risks to the company (e.g., issues where senior management is potentially implicated/interested, there is significant reputational or financial risk or there is a regulatory investigation), including by retaining independent counsel when necessary; and
• reviewing the results of periodic compliance risk assessments, program evaluations, audits, employee surveys and other ongoing monitoring activities intended to measure ethical culture and compliance program effectiveness.
Like the board of directors, senior management plays a significant role in ensuring effective implementation of the ethics and compliance program. As an initial matter, senior management must allocate sufficient human and financial resources to the ethics and compliance program.
Perhaps more importantly, senior management also can foster a robust ethical culture by setting a strong “tone from the top.” For example, senior management should model ethical behavior for other employees in order to communicate to all employees that the company expects them to behave consistently with the company's values; integrate ethics and compliance into business decision-making processes; complete assigned ethics and compliance training and actively encourage subordinates to do the same; distribute periodic compliance-related communications reaffirming the company's values; discuss compliance issues during meetings; encourage colleagues to make ethical decisions; and participate in addressing compliance-related issues, when appropriate.
As the employee with primary responsibility for the ethics and compliance program, the CCO typically has the greatest influence on the program's success. Among the CCO's responsibilities are the following:
• setting and enforcing the company's standards of ethical conduct;
• establishing company-wide objectives for ethics and compliance;
• conducting company-wide risk assessments to identify compliance-related risks and other risks;
• developing plans, policies and procedures for mitigating significant risks, including natural disasters and pandemics (such as the Covid-19 outbreak), safety incidents, cybersecurity and data breaches and economic downturns;
• coordinating with senior management and other constituencies within the company, including legal, human resources, information technology, investor relations and facilities, to develop a business continuity plan;
• overseeing the creation, periodic revision and distribution of the code of ethical business conduct, as well as other compliance policies and procedures;
• managing ethics and compliance training and communication programs and initiatives;
• overseeing operation of reporting mechanisms, including in-house or third-party ethics hotlines;
• investigating and remediating misconduct, including by disciplining employees who violate the company's standards;
• monitoring implementation of the compliance program and reviewing its effectiveness periodically;
• advising employees on compliance with applicable laws, regulations and company policies;
• sponsoring incentive and reward programs to encourage ethical behavior and foster a strong culture of compliance;
• periodically reporting to senior management and the board of directors regarding the compliance program;
• serving as a trusted ethics and compliance advisor to senior management; and
• supervising subordinate personnel who work in the compliance function.
Given the breadth of these responsibilities, a CCO should have a wide range of attributes, skills, experience and knowledge, including personal integrity and a strong will; current knowledge of applicable laws, regulations and leading compliance practices; risk management; strong communication and problem-solving skills; management experience; and in-depth familiarity with the company's operations. In addition, in light of the substantial time commitment often required to implement an effective program, companies—particularly larger companies and those with a significant risk profile—should seriously consider making the CCO a full-time position with no other assigned duties or responsibilities. Regardless, the CCO must be afforded sufficient independence, authority and resources to successfully implement an effective ethics and compliance program.
Independence empowers the CCO to raise and address potential ethics and compliance issues free from the influence of those who have an interest in the outcome, such as, for example, the business line implicated in an issue or members of senior management whose primary focus is the company's financial success. Independence also ensures that the CCO provides unfiltered reports to those with ultimate responsibility for managing risk, including the board of directors.
Similarly, the CCO must have sufficient stature and authority within the company, such that he or she is able to give advice and have all personnel, including members of senior management, take that guidance seriously. Generally speaking, the CCO should be a member of senior management and given a title that appropriately reflects that position. Because many strategic and operational business decisions implicate ethics and raise compliance issues, it is important that the CCO be integrated and accepted as a full member of the senior management team from whom guidance is sought when making decisions. Likewise, the CCO's reporting lines bear on his or her authority and stature within the company. Although there is no one-size-fits-all approach, one increasingly common practice is to have the CCO lead a standalone compliance function and report directly to the CEO, with a dotted reporting line to the board of directors (or an appropriate committee). This approach raises the profile of the compliance function, thereby demonstrating the company's commitment to ethics and compliance, ensures the CCO's independence, makes the CCO a full member of senior management and satisfies the Guidelines’ requirements with respect to independent reporting lines. Of course, there are a variety of other potential reporting structures that each have their own pros and cons, including having the general counsel serve as the CCO or having the CCO report to the general counsel, both of which are relatively common arrangements.
Ultimately, the structure adopted by any particular company will be dictated by its particular resources, needs and culture.