The last wordby Joe Murphy, CCEP, CCEP-IDiscipline for “failure to takereasonable steps”: Could youfind even one example inyour company?<strong>Compliance</strong> & <strong>Ethics</strong> Pr<strong>of</strong>essional May/June 2013MurphyThere are certain parts <strong>of</strong> the FederalSentencing Guidelines st<strong>and</strong>ards mostfolks seem comfortable with (e.g., codes<strong>of</strong> conduct, training, helplines). And then thereare topics that it seems almost no one is comfortablewith. One example is discipline—notmany articles or presentations on that.So here is an issue I just don’tsee discussed. The Guidelines veryclearly call for:“(B) appropriate disciplinary measuresfor… failing to take reasonable stepsto prevent or detect criminal conduct.”(emphasis added)It is right there, in black <strong>and</strong>white, clear as day. Our Canadian friends, intheir Competition Bureau’s guidance on complianceprograms, also say:“Proper disciplinary actions should alsobe taken against managers who fail to takereasonable steps to prevent or detect misconduct.”(emphasis added)Does your discipline meet this st<strong>and</strong>ard?If your company’s coverage <strong>of</strong> disciplineconsists <strong>of</strong> nothing more than routine codelanguage (“violations will result in discipline,up to <strong>and</strong> including termination”), <strong>and</strong> a record<strong>of</strong> firing junior employees for petty theft fromthe company, then can you really argue thatyou have met the language <strong>of</strong> the guidelines?What is the message <strong>of</strong> this language?Think about it. Government believescompanies routinely engage in scapegoating.Punish the little guys so the big guys get away.The language quoted above means you can’thave an <strong>of</strong>ficer with subordinates runningamuck, <strong>and</strong> have that <strong>of</strong>ficer get <strong>of</strong>f by saying“Gee, I didn’t know.” If that <strong>of</strong>ficer had nottaken real steps to address the risk, then the<strong>of</strong>ficer must be disciplined. Taking preventivesteps is every supervisor’s job.But have you ever, in the entire life <strong>of</strong> yourprogram, done that? Do you have any example<strong>of</strong> a manager or <strong>of</strong>ficer, not directly involvedin a violation, who was nevertheless subjectto “on your watch” discipline? I suspect theseare very, very rare. And when you conductinvestigations <strong>of</strong> alleged misconduct, are yourinvestigators also looking at this issue? Do theyalways include the question, “What did theboss do to prevent this violation from happening?”Or do you routinely notify <strong>and</strong> bring intothe inner circle the boss <strong>of</strong> the person beinginvestigated, even though that person might besubject to discipline under this st<strong>and</strong>ard? Doesyour code warn managers <strong>and</strong> <strong>of</strong>ficers that thisst<strong>and</strong>ard applies to them? Do line <strong>and</strong> staffmanagers know that their jobs include taking“reasonable steps to prevent or detect criminalconduct”? Perhaps we need a bit more disciplinedapproach to this topic <strong>of</strong> discipline. ✵Joe Murphy (jemurphy5730 @ gmail.com) is Of Counsel to <strong>Compliance</strong>Systems Legal Group <strong>and</strong> Editor-in-Chief <strong>of</strong> <strong>Compliance</strong> & <strong>Ethics</strong>Pr<strong>of</strong>essional Magazine.76 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
sTakeawaysMay/June 2013<strong>Compliance</strong> & <strong>Ethics</strong>Pr<strong>of</strong>essionalTear out this page <strong>and</strong> keep for reference, or share with a colleague. Visit www.corporatecompliance.org for more information.Seven strategies for preventingusers from hoarding documentsMark Diamond (page 25)»»Employee hoarding <strong>of</strong> electronic documents isan information governance change managementproblem.»»Aggressive deletion <strong>of</strong>ten drives undergroundarchiving, making the problem worse.»»Addressing underground archiving requires across-functional approach engaging policies,processes, tools, <strong>and</strong> technologies.»»Effective approaches create a “win” for employeesby underst<strong>and</strong>ing the reasons for their behaviors.»»Ongoing auditing is critical to assess programeffectiveness.You’ve identified a corporate risk—what next?C. J. Rathbun (page 33)»»The company’s choices in response to anidentified risk will depend on its risk tolerance.»»The CCO’s considerations should include howmitigating the risk will affect everyone from theboard room to the mailroom.»»The CCO’s report should be carefully designed forits target audience.»»Internal procedures may need to be changed toprevent future risks.»»Proactive monitoring <strong>and</strong>/or auditing will help youcatch problems before they become issues.Mind the gap! Where corporatepolicy <strong>and</strong> social media meetSteve Carr (page 41)»»Social media <strong>of</strong>fers opportunities for broader,timely communication in a fashion peopleappreciate more than static PDF or email formats.»»The gap between liability concerns <strong>and</strong> potentialbenefits <strong>of</strong> adopting social media can <strong>of</strong>ten bebridged with policy <strong>and</strong> company-wide planning.»»New online tools to manage <strong>and</strong> archivesocial media, emails, <strong>and</strong> other electroniccommunications are widely available <strong>and</strong>inexpensive.»»Each organization should view social mediain its regulatory context, including Reg FD forpublicly held US companies, the Dodd-Frank Act,Sarbanes Oxley, Solvency II, <strong>and</strong> Basel III.»»Properly adopted, social media <strong>of</strong>fers theopportunity to improve compliance <strong>and</strong> corporategovernance practices <strong>and</strong> even maintain or reducecosts.Political activity compliance:A complex but necessary subjectfor compliance pr<strong>of</strong>essionalsScott Stetson (page 47)»»Corporations have substantial politicalinvolvement, which may entangle gift <strong>and</strong> conflict<strong>of</strong> interest policies.»»<strong>Compliance</strong> requirements are continually changingwith the passage <strong>of</strong> new legislation at local, state,<strong>and</strong> federal levels.»»The Government Affairs department <strong>and</strong> generalcounsel cannot do it alone.»»Non-compliance has serious organizationalimplications.»»Political compliance should be included in anorganization’s compliance plan.Powerful witness preparation:Don’t volunteerDan Small <strong>and</strong> Robert F. Roach (page 52)»»Free-flowing conversations move through a series<strong>of</strong> connections to seemingly unrelated topics.»»Testimony should stick to the question at h<strong>and</strong><strong>and</strong> stay on a narrow path.»»The questioner’s job is to ask clear questions, notlead the witness into volunteering information thatis inadmissible, irrelevant, or just <strong>of</strong>f track.»»Don’t fill the silence—use it to prepare for whatlies ahead.»»Volunteer information only if it will clear up amisunderst<strong>and</strong>ing or emphasize a key theme.You can’t cure symptomsFrank J. Navran (page 55)»»Finding the underlying problem first may avert acatastrophe later.»»Diagnostic interviews, focus groups, <strong>and</strong>surveys will help you uncover the root cause <strong>of</strong>organizational problems.»»Build a rapport <strong>and</strong> an atmosphere <strong>of</strong> trust beforeyou start asking the tough questions.»»A document review will give you insights intowhat employees learn about the formally statedst<strong>and</strong>ards for employee conduct.»»Skills, knowledge, <strong>and</strong> conceptual models canonly take us so far in solving the organizationalproblems we face.<strong>Ethics</strong> in the workplace: TheDominican Republic perspectiveLaura Serra Nova (page 66)»»In addition to the concerns <strong>and</strong> conflicts thatarise during the hiring process, companies mayoverlook compliance management.»»Current laws in the Dominican Republic allowcompanies to establish internal manuals <strong>and</strong>procedures, as well as codes <strong>of</strong> ethics.»»Procedural justice has played an important rolein establishing ethical st<strong>and</strong>ards, however, theperception required to implement such st<strong>and</strong>ardsneeds to be shifted in the right direction.»»State must set an example in order to mitigate the“produce-at-all-cost” mentality in the country.»»Great efforts have been made by the public <strong>and</strong> privatesector to have an ethical business environment.An invitation to connect: The FFIECembraces social media regulationCris Mattoon (page 69)»»Social media usage requires corporategovernance.»»Enterprise risk management must encompasssocial media risks.»»Federal regulators will expect organizations toactively manage social media risks.»»<strong>Compliance</strong> <strong>of</strong>ficers can leverage current federalaction to enhance governance.»»Failure to proactively address social media mayimpact future safety <strong>and</strong> soundness ratings.Conflict <strong>of</strong> interest: It’s not so badif I don’t get any benefit out <strong>of</strong> it.Right?Peter Fazio (page 71)»»Familial relationships among employees cancreate real conflicts <strong>of</strong> interest.»»Conflicts <strong>of</strong> interest related to employeeinteractions have a tangible cost to theorganization.»»Conflict <strong>of</strong> interest risk management should beaddressed as a component <strong>of</strong> the organization’soverall anti-fraud program.»»Disclosure <strong>of</strong> conflicts <strong>of</strong> interest to a higher leveltends to increase the trust <strong>of</strong> the discloser withoutthe intended increase in the level <strong>of</strong> pr<strong>of</strong>essionalskepticism for the integrity <strong>of</strong> the transaction.»»The real challenge with conflicts <strong>of</strong> interest is themanner in which we react to them or ignore theirimpact on the integrity <strong>of</strong> our work.Gray areas: When ethics problemsare not exactly black or whiteFrank C. Bucaro (page 74)»»Not all ethics problems fit neatly into a black-orwhitecategory; some problems fall into a “grayarea.”»»Gray area issues can provide an opportunity todeal proactively, before issues becomes a fullblownethics problems.»»Gray area issues can help point the way to gaps inethics education or training.»»<strong>Ethics</strong> resources for employees must be known,accessible, <strong>and</strong> consistently communicated to beeffective.»»Gray area issues may not be right vs. wrongsituations, but could possibly be a right vs. rightsituation, or even right vs. “more” right.<strong>Compliance</strong> & <strong>Ethics</strong> Pr<strong>of</strong>essional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 77