United States: High-Stakes Corporate Compliance: Reducing Risk And Managing Potential Sanctions

Vince Farhat is a Partner in the Los Angeles office
David Schneider is an Associate in the Northern Virginia office

  • Compliance-related investigations, suspensions, and debarments are on the rise.
  • The government looks favorably on a strong corporate compliance program.
  • Independent monitors oversee a sanctioned business's compliance activities.
  • When qualifying a monitor, objectivity and merit are essential factors.
  • Successful monitorships are built on detailed agreement, communication, and collaboration.

The past few years have seen significant increases in compliance-related government investigations, suspensions, debarments, and other actions by government agencies, regulators, and law enforcement. A Government Accountability Office study in 2011 concluded that Suspension and Debarment officers were not being as aggressive as they should,1 sparking Congressional hearings and then more aggressive sanctioning of government contractors by state and federal regulators, agency Inspectors General, and the Department of Justice (DOJ). This increased government scrutiny covers a range of issues, including False Claims Act (FCA) violations; Procurement Integrity Act violations; Federal Acquisition Regulations (FAR) violations; regulatory infractions; quality control; Foreign Corrupt Practices Act (FCPA) violations; health, safety, and welfare violations; bribery; and kickbacks.

Many government enforcement actions focus on corporate compliance and corporate ethical culture. In this landscape, creating a culture of compliance has become a maxim of good corporate governance. But how does an entity determine whether it has established such a culture? This article discusses key elements of an ethics assessment and the role independent monitors can play in collecting unbiased information, reducing risk, and mitigating potential sanctions.

Creating a culture of compliance

A strong and well-documented culture of compliance burnishes a company's reputation and helps it identify problems when they are still at a small and manageable stage. It also helps a company defend itself if it becomes the target of a government ethics investigation. The DOJ publishes the United States Attorney Manual (USAM), which identifies factors for U.S. Attorneys to consider when deciding whether to prosecute companies.2 Two of the factors listed involve corporate compliance programs:

  1. The existence and effectiveness of the corporation's pre-existing compliance program; and
  2. The corporation's remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one.

A strong compliance program may encourage an enforcement agency to consider accepting a remediation plan rather than seeking costly and punitive sanctions. In cases in which a matter goes to prosecution, an effective compliance program may help limit the damages.

The USAM commentary states that the DOJ "encourages" corporate compliance programs; however, "the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal misconduct undertaken by its officers, directors, employees, or agents." That is, the mere existence of a compliance program does not give a company a free pass from liability. The USAM indicates important elements of a real and effective compliance program,3 including whether:

  • the company can effectively detect and prevent misconduct;
  • the corporation's directors exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers' recommendations;
  • the company's internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy; and
  • the directors established an information and reporting system in the organization reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization's compliance with the law.

Further guidance regarding the elements of an effective corporate ethics and compliance program is set forth in the advisory Federal Sentencing Guidelines (FSG).4 In addition to the U.S. Sentencing Commission (USSC), other agencies such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Department of Health and Human Services (HHS) have compliance guidelines that can affect corporate liability. Companies should also look at the applicable agency guidance when developing a compliance program.5

As with the factors listed in the USAM, the FSG requirements for an effective compliance program can help position a company to advocate for a non-prosecution or deferred prosecution agreement and/or to curb the financial damage sustained (e.g., in the form of fines) if an agreement is negotiated. The U.S. Sentencing Commission modified the sentencing calculation relative to compliance and ethics programs in 2010 in order to incentivize self-reporting and creation of direct reporting lines between compliance officers and the corporate governing authority. In addition, it delineated some limited situations in which an organization could receive credit for an effective ethics and compliance program, even if high-level personnel were involved in the misconduct.6

Although the FSG lists seven factors of a strong compliance program,7 its overarching principles are that an organization must exercise due diligence to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. The FSG recognizes that even the best compliance programs cannot detect or prevent every possible crime; however, the compliance program must be reasonably designed, implemented, and enforced so that it is generally effective in preventing and detecting criminal conduct. In light of these considerations, it is wise for companies to train employees on how to make ethical decisions and how to respond appropriately to complaints and allegations of misconduct.

Both the USAM and the FSG give guidance about the factors important in determining whether an ethics and compliance program is real or pro forma (i.e., for the sake of form, a "paper" program), but they also allow for variability based on the size of the company and other characteristics. In general, larger companies are expected to have more formal ethics and compliance programs and more extensive mechanisms for measuring their implementation; many large companies appoint a chief ethics/compliance officer (CECO). The FSG states:

(2) (A) The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

From a practical perspective, experience has shown it is helpful if this individual has strong communication and training skills, is respected by the employees, has adequate staff and funding for the job, and understands and respects the obligations of the role. The key to success for this position, however, is ensuring that the CECO has the necessary independence, authority, and placement within the company; usually this means direct reporting responsibilities to the decision-making authorities of the company: the CEO, COO, and the board of directors. Best practices include a quarterly report from the CECO to the board, which has a fiduciary responsibility in a public company to know the ethical posture of the company.

Although a CECO can build or implement an adequate program, a true culture of compliance requires commitment from a company's leadership. The "tone at the top" of such an organization is one in which all levels of staff are encouraged to do the right thing and managers are expected to be role models of ethical and compliant behavior. The tools that support this type of culture include:

  • An up-to-date and useable code of conduct that states the company's and the employees' responsibilities and focuses on the unique vulnerabilities of the company;
  • Values-based and compliance-focused ethics and compliance training;
    • Effective education in this area comprises a mix of live and computer-based initiatives, with examples based on scenarios likely to be encountered in the field.
    • Tests of comprehension reinforce the message and identify areas in which the organization needs to improve its messaging.
  • A mechanism for providing advice to employees who have ethics or compliance questions;
  • Written acknowledgement by all employees of their duty to report observed ethical violations;
  • A mechanism for collecting reports of violations, such as an anonymous reporting hotline that allows employees to convey information without fear of retribution;
  • A fair process for dealing with reports, complaints, allegations, and investigations. In instances in which violations are found, disciplinary action should be both progressive (e.g., proportionate to the seriousness of the violation) and consistent across the organization (i.e., not based on a person's rank in the company or how much business he/she brings in). Ideally, the program should function as both a carrot and a stick, incentivizing employees to act properly while disciplining improper actions;
  • Internal auditing to determine whether the ethics and compliance program is being followed and to look for possible misconduct or criminal activity; and
  • Periodic reassessment of the overall effectiveness of the company's ethics and compliance efforts, as well as updating of its program and processes.

The FSG encourages periodic independent assessments as a means of determining this overall effectiveness from an objective standpoint, and identifying areas of risk. Commentary to FSG states:

6. Application of Subsection (b)(7).— Subsection (b)(7) has two aspects.

First, the organization should respond appropriately to the criminal conduct...

Second, the organization should act appropriately to prevent further similar criminal conduct, including assessing the compliance and ethics program and making modifications necessary to ensure the program is effective. The steps taken should be consistent with subsections (b)(5) and (c) and may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications.

Independent monitors: Reducing risk and managing potential sanctions

An organization can benefit from the services of an independent monitor in several situations.

As noted above, companies are encouraged not only to conduct internal assessments of their ethics and compliance programs, but also to have them independently evaluated periodically. A large organization with well-established rules and processes can benefit from the viewpoint of an outsider who is not wedded to the current system or influenced by the politics within the company. A smaller organization with a less formal ethics and compliance program can benefit from the focus of an independent monitor and from the monitor's knowledge of best practices in the field. Engaging this type of outside professional advisor will help a company identify its evolving areas of risk and improve its systems for preventing unwanted behavior, thereby further demonstrating its commitment to compliant and ethical behavior if it is subject to investigation by a regulatory authority or enforcement agency.

For many companies, however, the idea of using an independent monitor is first raised in discussions of deferred prosecution or non-prosecution agreements, plea agreements in criminal matters, debarment proceedings, settlement agreements, probation or corrective actions, or corporate integrity agreements. In a typical scenario, a company might self-report an ethics violation to the agency for which it is providing contracted services. The self-report, along with a demonstrated ethics and compliance program, might indicate that the company was a suitable prospect for a non-prosecution agreement, rather than prosecution or sanction. The non-prosecution agreement would require correction of the reported problem plus ongoing independent monitoring for an agreed-upon period to support its continued compliance.

An independent monitor who will take on the role of overseeing the compliance activities of businesses or professionals who have been sanctioned for violating laws or regulations should be a person (or organization of people) with in-depth knowledge of and experience with regulatory schemes. Selecting an independent monitor is simultaneously one of the most important and most difficult decisions regarding the use of a monitor. In 2008, Acting Deputy Attorney General Craig S. Morford wrote a memorandum (the Morford Memo) for U.S. attorneys, regarding the "Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations."8 The Morford Memo provides principles for drafting independent monitor-related provisions, and these were updated in 2010 by Acting Deputy Attorney General Gary Grindler.9 Collectively, these documents describe the monitoring process overall and the selection of a monitor in particular. The Suspension and Debarment officials of several federal government agencies have since adopted these principles in their selection of monitors.

The most important factor in qualifying a monitor is the monitor's objectivity/lack of conflict of interest. The monitor should not have a personal or business relationship with the company, and should not be a stockholder, a former employee of the business, or someone looking for a permanent position there. In addition, the monitor should be selected on the basis of merit. A company which has been subject to a Medicare/Medicaid fraud investigation, for example, would look for a monitor well-versed in forensic accountancy as well as Medicare/Medicaid billing and coding practices.

Other criteria for an effective monitor can be inferred from the Morford Memo. Where the Memo indicates that monitoring should focus on addressing and reducing the risk of a recurrence of the established misconduct, one can assume that a monitor who understands establishing clear parameters for the project would be preferable to one who goes into an assignment ready to look at anything and everything. Where the Memo indicates that it may be appropriate for the monitor to submit periodic reports to the company, the government, or both, it can be inferred that the monitor should be an able communicator. Where the Memo indicates that the company will be expected to implement or respond to recommendations made by the monitor, one can assume that the monitor should be of a practical mindset—able to give advice about how to correct a problem, rather than one with a "gotcha" mentality who simply relishes finding violations. And, because the monitor is neither an investigator for the government nor an advocate for the company, and yet needs to be trusted by both, the monitor must be of high integrity.

Usually a monitor put in place as a result of a settlement agreement is paid by the monitored company and issues reports to both the government and the company. The agreement between the company and government directs the monitor's course of action, the scope and frequency of the oversight, as well as its duration. Newer agreements have incorporated the 2010 Grindler recommendation and address what to do if there is a dispute between the monitor and the company. Most agreements require the monitor to report on the good faith efforts of the company (or lack thereof) to comply with their terms, the extent of its cooperation with the monitor, identified areas of concern, improvements recommended and changes implemented, areas in need of additional attention, and adherence to ethics and compliance programs. It is usual practice for the government to allow the company to receive a copy of the monitor's report.

A successful relationship between an independent monitor and the client company is built on (1) a detailed agreement, (2) communication, and (3) collaboration. It is natural for a company to be concerned about opening its business to an outsider, but open dialogue between the monitor and the company makes the monitorship more efficient and effective, resulting in more pertinent and individually tailored recommendations. The thoroughness of the monitor's work and the level of company cooperation will also build the trust of the government.

It bears repeating that an independent monitor is not an investigator. The assumptions behind a settlement agreement include (1) the company acknowledges shortcomings in its systems, and (2) the government accepts its proposal to correct these problems. The monitor, therefore, is reporting on the process of identifying and correcting weaknesses, not on all compliance matters within an organization. Analyses of company weaknesses—especially of systems failures—vary tremendously, according to the underlying issues. As mentioned above, a billing fraud issue might trigger a forensic accounting assessment. A FAR ethics violation, on the other hand, might warrant a review of the company's ethics policies and its ethical culture. The tools of such information gathering include document and policy reviews, interviews, participation in staff training, conducting focus groups, and surveys.

No matter what the underlying issue is, the monitor should provide an assessment of the company's internal controls. This is important for several reasons:

  • Typically, the failure of the company's internal controls led to the acknowledged problem;
  • The company's ability to consistently identify and correct its own problems will prevent future lapses; and
  • Strong internal controls signify to the government that the company can be trusted.

All risk cannot be eliminated, but the assessment should help a company determine how its programs, policies, pay, and promotion structures may be contributing to its risk of unethical or noncompliant activity. And, as noted above, the monitor should offer practical recommendations for improvement which can be measured and tracked. An effective monitor is one who can convey these recommendations while maintaining the neutrality to report on their implementation in an objective and truthful manner.


The current compliance environment is a high-stakes game for companies doing business with, or under the regulatory eye of, government agencies. The use of independent monitors is one more tool that companies and their counsel have available to demonstrate commitment to remediation and a willingness to work with the government—a tool which may help them avoid the more punitive approaches to compliance that government agencies are taking with ever greater frequency.

Originally published in Compliance & Ethics Professional, September/October 2013.


1. U.S. Government Accountability Office: Suspension and Debarment: Some Agency Programs Need Greater Attention, and Governmentwide Oversight Could Be Improved. GAO-11-739, Aug 31, 2011. Available at http://1.usa.gov/13337GH

2. United States Attorneys Manual. Available at http://1.usa.gov/19xBEo2

3. Ibid, at 28.800.

4. USSC, Federal Sentencing Guidelines. Available at http://bit.ly/17TWrOy

5. See e.g., SEC 17 CFR Parts 270, 275, and 279, Compliance Programs of Investment Companies and Investment Advisors; Final Rule, December 24, 2003. http://1.usa.gov/14iH2dp; See also, FINRA Rule 3130 Annual Certification of Compliance and Supervisory Processes. Available at http://bit.ly/16Enf3W; See e.g., HHS Compliance Guidance http://1.usa.gov/1aWWxa4

6. USSC Guidelines Manual, Supplement to Appendix C, Amendment 744, pp. 361-363, November 1, 2010. Available at http://bit.ly/13ZOJlL

7. 2012 USSC Guidelines Manual, §8B2.1. Available at http://bit.ly/1ebrG9g

8. Craig S. Morford, Department of Justice Memorandum, March 7, 2008. Available at http://1.usa.gov/1bKqPR2

9. Gary G. Grindler: Additional Guidance on the Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations, Department of Justice Memorandum, May 25, 2010. Available at http://1.usa.gov/1aWWTNI
