CHAPTER 1 GOVERNANCE, RISK & COMPLIANCE: ESTABLISHING THE FRAMEWORK FOR CORPORATE COMPLIANCE PROGRAMS

Jurisdiction: United States
Strategic Risk Management for Natural Resources Companies
(May 2008)


Peter L. Webster 1
Rio Tinto
Salt Lake City, Utah

I. Introduction

"Comply or explain"2

All corporations face risk. Risks evolve and corporations attempt to keep pace by developing new risk management strategies and tools. The earliest corporations, formed in ancient Rome during the reign of Numa Pompilius (715 to 672 B.C.), were themselves a form of risk management; they resolved the risk of civil unrest between two warring factions by dividing the factions into smaller groups, including separate societies for trades and professions.3 The seventeenth century saw the rise of international trading corporations, such as the East India Company and the Hudson Bay Company.4 These corporations faced the risks inherent in expanding sea trade. They managed these risks through probability-based business forecasting and insurance, two risk-management tools that were new to that age.5 More recently, corporations managed the risks related to the commercial application of large-scale industrial technologies, such as rail and telegraph systems, by increasing their corporate size and capital-generation abilities.6

In the 21st Century, corporations face a new form of risk: governance risk. Governance risk is created by the convergence of three forces: growing pressure on corporations to implement structured compliance programs; patterns of escalating regulatory enforcement and penalties; and heightened scrutiny of corporate behavior by increasingly influential non-governmental organizations (NGOs), amplified by globally-distributed media coverage.

Over 60 countries now have some form of regulatory compliance requirement.7 Globalization requires smaller and medium-sized companies - which a decade ago were regional enterprises facing regional issues - to confront international regulatory and compliance risks.8


Global operations often extend from regions where regulations are lax, or lightly-enforced, to regions where the opposite holds. In the European Union, total antitrust fines escalated from $604.6 million in 2000 to nearly $5 billion in 2007, with an increase to $7.5 billion projected for 2008.9 U.S. prosecutors take the view that their jurisdictional reach under the Foreign Corrupt Practices Act (FCPA) is "virtually unlimited".10 At the same time, the growing rate of global internet penetration has increased the leverage of NGOs and small groups that wish to promote or publicize a single incident or issue.11 Negative media coverage - universally accessible and stored in virtual perpetuity on the internet - continues to reverberate for many years and at unexpected or inconvenient times.12

The risk management strategy termed "Governance, Risk and Compliance" (GRC) developed as a response to governance risk. GRC does not have a precise definition, and the term is increasingly being used in the context of technology-based information system compliance tools. However, it is generally taken to mean an enterprise-wide compliance effort implicating corporate culture, technology, management processes, communication and organizational structure.13

This paper focuses on one tool within the GRC toolbox - implementation of a compliance program. A compliance program is a structured and documented approach to compliance with external laws, internal policies and voluntary commitments.

Compliance programs allow corporations to manage the three elements of governance risk. They satisfy specific jurisdictional requirements mandating or promoting a structured approach to compliance, they assist corporations in avoiding or minimizing regulatory violations, and they aid corporations in managing the challenges of transparency.

The scope of a compliance program should be defined by the laws, regulations, exchange rules, judicial decisions, political considerations, market forces, public perceptions and other risk factors which collectively require or influence a corporation to implement the program. Program development often starts with bright-line rules which, in turn, reference less-than bright-line principles. Arriving at a reasonable synthesis between the two requires interpretation and reference to external factors, such as industry practice and enforcement trends.

The overall objective of this paper is to provide the reader with sufficient information to begin designing a compliance program. Specific company regulatory risks and transparency demands must be addressed on a case-by-case basis. However, the risk factors which mandate or recommend the existence, scope and content of a compliance program can be analyzed on a country or regional basis, and the first section of this paper provides that analysis for the United States, the United Kingdom, and Australia. Some of these jurisdictions may be germane to the reader's circumstances, while others may not. However, the underlying principles of compliance program design described in this paper reflect current global best practices, and the underlying methodology and approach may be universally applied. Moreover, as will be seen, while regulatory incentives for compliance programs vary between these jurisdictions, strong compliance incentives exist in all three and there is a high degree of consensus between them with respect to compliance program content.

The multi-jurisdictional compliance program elements described in the first section of this paper are incorporated in a template compliance program in the second section. This compliance program architecture meets the common requirements of the United States, the United Kingdom and Australia and, with appropriate jurisdictional revision, could be employed in other countries as well.

The days when a prudent corporation could avoid governance risk and circumvent the need to implement a compliance program are past. Some jurisdictions take a prescriptive approach to compliance, while others do not. Regardless, escalating demands for corporate transparency tend to blur the nuances between required and recommended compliance measures. Corporations are increasingly required to meet a series of prescribed compliance benchmarks or to publicly report they have not done so. They must "comply or explain."14

II. Compliance Program Design: Country Requirements & International Standards

A. The United States
1. Federal Sentencing Guidelines

Contemporary U.S. compliance programs are the progeny of the United States Federal Sentencing Guidelines (the "Guidelines"). The Guidelines are promulgated by the United States Sentencing Commission (the "Commission"), an independent agency within the federal judiciary created by the Sentencing Reform Act of 1984.15 Congress charged the Commission with creating the Guidelines to address "unwanted disparity among offenders with similar characteristics convicted of similar conduct,"16 and to "provide certainty and fairness in . . . sentencing."17

In 1987 the Commission created the Guidelines to govern the sentencing of individual defendants.18 The Commission expanded the Guidelines in 1991 to include the sentencing of organizations.19 In 2004 the Commission amended the Guidelines to address both the 2003 recommendations of the Commission's Ad Hoc Advisory Group, and directions from Congress to review and amend the Guidelines in light of the Sarbanes-Oxley Act.20

The importance of the Guidelines with respect to compliance is several-fold. First, and most importantly, they define the core requirements for an effective compliance and ethics program. Second, the existence, or absence, of an effective compliance and ethics program meeting the Guidelines standard can be a factor in determining whether or not the Department of Justice (DOJ) elects to prosecute a corporation. Third, although under U.S. v. Booker21 the Guidelines are no longer mandatory, federal courts are still required to take them into account in sentencing22 and probation.23 Consequently, a compliance and ethics program which is deemed "effective" under the Guidelines can assist a corporation in avoiding prosecution and, if that is not successful, potentially reduce the fine assessed against a corporation found guilty of violating federal law.

Compliance programs arise under the Guidelines in the context of "culpability" scoring. The Guidelines create a five-step process for calculating punishment.24 The first step establishes an offense level for the crime.25 The second step establishes a base fine linked to the offense level.26 The third step calculates a culpability score. Culpability scores start at five, and can be adjusted upwards or downwards for aggravating or mitigating factors.27 The fourth step is the determination of applicable minimum and maximum fine multipliers.28 The fifth and final step occurs when the court sets the fine within the fine range.29

The third step - the culpability score calculation - is the step that most closely implicates compliance.30 In this step of the process, three of the five points which are automatically applied to a corporation's culpability score may be subtracted "[i]f the offense occurred even though the organization had in place at the time of the offense an effective compliance and ethics program."31

The Guidelines' overarching requirement for an effective compliance and ethics program is for an organization to "exercise due diligence to prevent criminal conduct . . . and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law."32 A corporation can meet this requirement through its compliance program, provided the program is "reasonably designed, implemented, and enforced" and "generally effective in preventing and detecting criminal conduct."33 In the case of a centrally-managed group...
