
Managing the High Risk of Regulatory Noncompliance

Publication | 04.05.04

This article is for those readers interested in establishing a regulatory compliance program or evaluating an existing one in their mining industry company. Readers in larger organizations likely will have a compliance program in place, yet may find in this article some ideas of how to make an existing program even better.

The reality is a growing practice under federal law to use the criminal justice process to leverage company compliance with external regulatory requirements, such as those involving the environment, financial reporting, employee and product safety, and health. In November 1991, the United States Sentencing Commission promulgated Organizational Sentencing Guidelines which establish a uniform sentencing structure with penalties that at least equal and often greatly exceed those previously imposed on business organizations (the Guidelines and supporting commentary may be found at www.ussc.gov). The underlying legal principle is that the organization itself, by imputation, is criminally liable for the criminal acts of its employees, done in connection with their work. In our context here, this means the company may be punished for the criminal regulatory violations of its employees, even violations by a rogue employee in contravention of company practices. The Guidelines also identify the components of what is regarded as an effective compliance program, which, if implemented, (i) may preclude a noncompliance; (ii) in the event of a regulatory violation, may justify a government decision not to prosecute the company; and (iii) in the event of prosecution, is likely to result in a lesser sentence.

The underlying philosophy of the Guidelines is that there are gradations of organizational culpability for the wrongdoings of employees and agents. This philosophy has been characterized as embracing a "carrot and stick" approach. Hence, the Sentencing Guidelines reward responsible organizational behavior as evidenced in an effective compliance program, and come down with harsher penalties on those without such a program. Said another way, for organizations convicted of an environmental, health or safety-related crime, the penalty will be less for those that have tried to do the right thing by having a program that the prosecutors and judges consider to be effective to prevent and detect criminal misconduct. But, the whole story does not turn on sentencing. From our experience we know that organizations with robust compliance programs are less likely even to be charged in the event of criminal misconduct by their employees and agents. In fact, this proposition is expressed in the Deputy U.S. Attorney General's January 20, 2003 memorandum, "Principles of Federal Prosecution of Business Organizations." Similarly, when there is a cause for debarring the organization from government contracting, the decisionmaker is far less likely to debar the organization with a genuinely effective compliance program. See, e.g., 48 C.F.R. Subpart 9.4; 48 C.F.R. § 203.7001 (procurement regulations of the Department of Defense); 48 C.F.R. § 1503.500-71 (EPA procurement regulations).

Minimum Elements Required by Guidelines

The steps identified in the Guidelines for organizations as "minimum" to the establishment of an effective compliance program are:

  1. Establish compliance standards and procedures that are reasonably capable of reducing the prospect of criminal conduct.
  2. Designate high-level personnel with responsibility to oversee compliance with the standards and procedures.
  3. Avoid giving substantial discretionary authority to persons with a propensity to engage in illegal activities.
  4. Communicate the standards and procedures to all employees and agents.
  5. Monitor and audit compliance to detect criminal conduct; establish a reporting system for employees and agents to report criminal conduct within the organization without fear of retribution.
  6. Enforce the standards through appropriate discipline.
  7. After detecting an offense, take reasonable corrective action to prevent recurrence.

The Guideline steps present what some companies may mistakenly see as too burdensome and too costly a program to put in place. These may instead hunker down and hope that all goes alright. They do not establish an effective regulatory compliance program. They mistakenly believe that creating an effective program means adding to headcount (which may be avoided in most organizations by "dual-hatting" good people) and large recurring costs (which also may be avoided by focused organization and careful management). Even without such a program, there already exists the unavoidable daily burden on the bottom line of routine, "ad hoc" compliance with the federal, state, and local regulations and permits that govern the mining industry's work. We know that the cost is real; the cost is significant; the cost does not add value to the product of the business. It is a thesis of this paper that the incremental cost of having a program rather than an ad hoc approach to regulatory compliance is modest, and the rewards are high. A program approach is that contemplated by the Sentencing Guidelines. The business benefits are the highly improved chances of avoiding the cost of dealing with an allegation of a significant noncompliance, avoiding potentially hefty sanctions and penalties, and the additional reputational reward of being regarded as a "go-to ethical company."

Five Steps Towards an Effective Compliance Program

Companies in the mining industry that seek to have an effective compliance program or to fortify an existing program should generally follow this path:

  1. Perform a compliance risk assessment to identify the key risks of noncompliance for the particular business. (Often, an experienced outsider's perspective will be more objective than a "do-it-yourself" project.) Because mining is highly regulated, it is a high-risk industry. Compliance risks hang on many factors, especially the nature of the business, the quality and experience of its personnel, the "tone from the top," the compliance history of the company, and the current focus of attention by the regulators who enforce the law. A good risk assessment will reveal the important compliance risks that need to be addressed, and also will reveal the groupings of employees associated with each compliance risk who need to know of the company's compliance risks, and of the company's rules, and know to follow those rules.

  2. Establish a company compliance rule for each significant risk, which is to be strictly enforced by those employees and supervisors whose duties touch the risk area. Companies use different terms and techniques for rules. These include policies, procedures, practices, SOPs, checklists, technical manuals, and the like. What is important is that the rules match the risks. No "off-the-shelf" or borrowed standards are likely to fit. Additionally, once the rule is established, the owner/manager must monitor the situation to assure that the rule is known and is being followed. This is not a matter of "fire and forget." A high-level person in the organization must be made responsible for continuous monitoring.

  3. Provide instruction/training/coaching of those employees and supervisors identified with each compliance risk. This is vital. Merely having a rule is of no consequence unless those affected by the rule know and understand it. What is important to most employees is what is perceived as important to the boss. The employees must believe that the rule is genuinely what the boss wants, and that the rule is not merely for show. If employees believe the rule is hollow they will tend to ignore it. Training can take many forms, ranging from classroom instruction, to videos, to staff meetings, to "tailgate" and "table-top" discussions.

  4. Discipline those who fail to comply. The compliance program will not be regarded as real unless the company disciplines those who break the rules and those who allow conditions to exist which produced the violation. Not punishing a knowing breach of the rules sends the wrong message to the others who respect the rules.

  5. Correct the conditions which caused the noncompliance. Compliance failures will come to every organization, and, statistically, the larger the organization the more likely the failures. What is most important to the regulators — and to prosecutors — is that the noncompliance has been disclosed and promptly corrected.

The Next Step...

This process will bring the company far down the road to having an effective program; however, there is another important ingredient. That additional element is fostering a culture of compliance. The central theme of the various governmental responses to the recent accounting and financial reporting scandals — the rip-off by a few stewards of many investors' monies and employees' livelihoods — is to encourage organizations to promote ethical business conduct. The Sarbanes-Oxley Act of 2002 encourages companies to adopt codes of ethics which include "standards that are reasonably necessary to promote honest and ethical conduct." The Securities and Exchange Commission regulations now recognize that codes of ethics should include written standards which are reasonably designed to deter wrongdoing and to promote honest and ethical conduct. Similarly, the New York Stock Exchange emphasizes the importance of an ethical culture as a means of improving compliance. As far back as 1986, the defense industry, then in the midst of widespread fraud and abuse, established the Defense Industry Initiative on Business Ethics and Conduct (see www.dii.org) which binds that industry together with a common aspiration to the highest level of ethical conduct. In 1991, the Environmental Protection Agency published "Policies Regarding the Role of Corporate Attitude, Policies, Practices and Procedures, in Determining Whether to Remove a Facility From the EPA List of Violating Facilities Following a Criminal Conviction," which characterizes the right "corporate attitude" as a significant factor for justifying removal from "The List." More recently, in the Deputy U.S. Attorney General's January 20, 2003 Memorandum, "Principles of Federal Prosecution of Business Organizations," the role of management is singled out as an important factor in determining whether to prosecute the organization: "... management is responsible for a corporate culture in which criminal conduct is either discouraged or tacitly encouraged."

Based on this established consensus of the imperative of a company culture of ethics, the United States Sentencing Commission Advisory Group, in its October 7, 2003 report, recommends adding to the Sentencing Guidelines a specific requirement that companies seek to develop a culture of compliance with the law. Given the momentum since the recommendations were made public, this recommendation is very likely to be adopted during 2004. The point of this recommendation is to harmonize the Sentencing Guidelines with what already is the expectation in the law, as evidenced by such legislative, regulatory, and industry measures referred to above.

The Need for a Culture of Ethical Conduct

Without an undergirding of ethical values, a regulatory compliance program is little more than a litany of "shall nots." Even then, the decisions made in the ordinary course of running a mining operation do not always lend themselves to "shall nots." What if there is no rule? How then should tough decisions presented in the context of competing interests or pressures be reached? The answer, I believe, is that the company must have registered a clear and consistent message that a culture of ethical conduct is the expected condition within the company: values such as integrity, truth-telling, and moral courage. With the right "tone from the top," supervisors and employees will feel comfortable making the right decision, even when there is no rule, and even when the right decision is the harder or the more time-consuming or more costly decision. With the added component of an ethical culture, widely accepted within the organization, the likelihood of a serious regulatory noncompliance is substantially reduced.

In the next issue of the C&M MINING LAW MONITOR, we will discuss how to tell if your regulatory compliance program is working or is broken.


[Editors' note: Dick Bednar, Senior Counsel, Crowell & Moring LLP, concentrates his practice in compliance, ethics, internal investigations, suspension and debarment. He is the National Coordinator of the Defense Industry Initiative on Business Ethics and Conduct, the defense industry's organization for ethics and compliance. He also is a member of the U.S. Sentencing Commission Advisory Group on Organizational Sentencing Guidelines.]