13. Certifications of Ethics: Are They Worth It?
Good product design can incorporate within a product knowledge of the world, incentivise appropriate use and help to generate intended results, even without users’ full knowledge of the product’s mechanics. Likewise, a good risk management system and compliance programme can promote appropriate conduct through well-designed management systems. Ethics certifications therefore need to be based on appropriate design rather than merely intent or moral behaviour.
In this chapter, we analyse theoretical concepts behind these certifications and provide examples of best practices for inducing expected corporate behaviour in (1) employee relationships, (2) business practices and due diligence in mergers and acquisitions (M&A), and (3) corporate fraud and corporate crimes. For a certification to be effective, we argue that it must account for accepted principles, provide in-depth analysis and maintain rigorous standards. This approach can signal effectively to contractual partners and authorities that appropriate risk management techniques have been established rather than simply creating an expectation of future moral behaviour. In any case, these practices need to be continuous within an organisation to achieve the desired effect.
Origins of ethics certifications
The rapid transmission and availability of information (and disinformation) has put corporate accountability in the spotlight. Organisational behaviour is often widely questioned, and the need to manage, evaluate and regulate acceptable conduct has increased greatly in an effort to curb behaviour outside the boundaries of what is legal and socially acceptable. On the other hand, many disciplines that study human behaviour have converged. For example, behavioural economics, philosophy, moral psychology, sociology and neurology, among others, have joined in the study of human incentives, morality, cooperation and motivation, including happiness and mortality.
This discussion requires a more in-depth look at shifting perceptions of acceptable conduct in different societies, which is worth considering at greater length elsewhere. Nevertheless, we can safely say that, for individuals, many beliefs that were perhaps supported by moral principles, such as sanctity, have been challenged in recent times by other principles, such as fairness and reciprocity. Similar shifts have distressed corporate cultures driven largely by the availability of information and the right to free speech that foster scrutiny of corporate behaviour, which yields a deeper discussion about liberty, and the right and importance of holding different opinions.
In essence, these shifting perceptions have yielded tougher scrutiny of organisations, especially of a rapidly growing number of organisations that, through foreign investments, foreign financing and trading operations, are subject to different laws and related scrutiny, and are more exposed to the risk of not conforming to expected behaviour in different countries.
Because of this, organisational behaviour has been bound by a widening concept of risk. Companies, which are expected to continually review their policies in an effort to remain compliant, have introduced separate ‘compliance’ departments and audit functions at different levels. A major challenge arises when doing business with organisations in less developed markets, where regulations are often equivocal and formalistic, leading to corruption incentives that can present enhanced risks.
Many of these expected behaviours fall under the realm of accepted principles and conduct. These principles sometimes adapt slowly to changing factual situations and social norms, eventually making their way into standards, guidelines and recommended principles. This process strives to strike a balance between freedom of enterprise and choice, profit generation and individual rights, on one side, and more aspirational forms of conduct, such as social responsibility and observance of what has been grouped as environmental, social and governance (ESG) criteria, on the other. This is certainly a developing process, caught in a system under deep scrutiny.
Within this balancing act, the need to convey both assurance against fallibility and commitment to observing particular conduct creates an acceptable balance that has flourished. These efforts have come with many challenges and shortcomings, but also with rewards. Efforts to create credible verification systems therefore have emerged with their distinct challenges and limitations.
Organisations are subject to scrutiny beyond contractual and non-contractual legal liability, and to new standards. In a way, agency problems arising from the many relationships within an organisation or between an organisation and third-party stakeholders have been revisited. The concept of the firm and its nexus of contracts as originally conceived by Ronald Coase and described by Jensen and Meckling in their famous 1976 paper perhaps needs to be expanded to include implicit contracts held with indirect stakeholders.
In practice, new sources of organisational risks have sprung from what has been grouped as ESG concerns, as organisations are held accountable for the consequences of their actions. Numerous efforts have surfaced in the areas of consulting, training and certifications.
Although dealing with these matters has given rise to new areas of expertise within organisations, in practice these matters are still within the scope of general organisational risk management and it is likely they will blend in eventually within the natural organisational processes. But for now, the need to provide appropriate signalling that an organisation operates within acceptable boundaries of behaviour has given rise to different types of certifications or recognitions that present distinct challenges.
Ethics certifications have been based on products and production systems (raw materials sourced, methods, environmental effects, etc.), individuals (data protection, diversity, etc.), industry standards (management, suppliers, distribution channels, etc.), processes or combinations of these. Certifications are made available for individual training and expertise, as well as at an organisational level and for third-party contractors or suppliers. In one way or another, organisations are seeking to facilitate business, persuade consumers, reduce the perception of risk to lenders and more generally enhance how third parties perceive them.
Within the governance classification, anti-corruption and, more fully, integrity and ethical behaviour, have been key drivers in certification efforts, since corruption and bribery constitute a primary, distinct and incremental risk factor.
Boundaries to certifications
Compliance programmes have been evolving into generally accepted parameters. Foreign anti-corruption laws in many countries, the approval of the international standards (ISO 37001:2016) and guidelines for compliance programmes issued by the US Department of Justice (US DOJ), and other milestones, have helped in creating structural designs that have been accepted at their core, and present similar arrangements and content.
This standardisation benefits certification processes that facilitate the review of common criteria, including processes that are considered standard parts of a compliance programme, even though organisations may be subject to different legislation and scrutiny. On the other hand, as processes mature, organisations seek efficiencies to fulfil the objective criteria for observing conformity to meet certification requirements. Two recent examples are the automation of anti-corruption training, and compliance hotlines (also known as whistle-blower lines).
Numerous online tools for compliance training have sprung up; many contain automated examples and generic events whose value in providing effective training represents a challenge for certifications that wish to be more than just a checklist review. It is clear that the objective behind training is to create an effective mechanism that deters employees from transgressing ethical boundaries. Many of these automated training programmes contain illustrations of stereotypical business situations (relating to permitted gift policies, insinuations from officials, etc.). In practice, corruption quickly migrates into more subtle schemes that may involve more elaborate contractual situations, vague conflicts of interest or reciprocal contracting; these situations require a deeper understanding, and training on them is difficult to assess with a simplified evaluation. The challenge here is that, to remain credible, certifications will need to assess, for example, not only the frequency but also the effectiveness of training.
Hotlines or whistle-blower lines likewise present special challenges. ‘Whistle-blower’ is a term that creates discomfort in some jurisdictions outside the United States because it is perceived to have negative connotations that may discourage use of the line. Although these types of reporting lines have been automated in operations and design, their effectiveness depends both on internal perceptions regarding the ability to raise concerns without retaliation and, ultimately, on how the reports are handled. In this respect, reliable certifications will need to assess the reach and helpfulness of a hotline rather than merely its existence and the infrequency of its use. Responsive actions need to be implemented from the reports if such a system is to maintain credibility within an organisation.
In addition, the target audience for certifications may eventually lead to different measurements and approaches. The need to assess third-party compliance may require a different evaluation than the one required, for example, by a government organisation from public contractors, which would probably be more focused on anti-bribery financial controls. Nevertheless, the risk of setting up divergent certification systems may generate uncertainty regarding the scope of what is eventually covered and the reassurances it may provide. As a result, it is essential that anyone relying on any type of certification reviews the scope of what it may or may not provide in order to understand what could reasonably be assumed from it.
Furthermore, as more sophisticated cases emerge, a more comprehensive approach will be needed. The 2020 deferred prosecution agreement reached with Airbus shows that even close examination of contractors and internal scepticism were insufficient to overcome a blemished reliance on third-party intermediaries, an area that will increasingly fall under enhanced scrutiny.
It is impossible to certify and guarantee conduct; certifications can only verify that systems, policies and controls are in place that either induce expected behaviour or discourage undesirable conduct.
Certifications vary in scope and depth. Consistent with what has been discussed so far, most certifications are based on evaluating criteria that enable an objective view of whether specific requirements have been met rather than declarations on moral behaviour. Some branded certifications use proprietary online platforms to perform quick assessments within a few weeks, requiring evidence of compliance programmes, business registrations, audited financial statements and similar documentation. These certifications often impose recertification periods of one year.
More comprehensive certifications, such as that on anti-bribery management systems from the International Organization for Standardization (ISO 37001:2016), require more extensive on-site audits of senior management and board commitments, codes of conduct and compliance programmes, employee training and awareness, third-party due diligence and monitoring, response mechanisms, financial controls and anti-corruption fund allocations. These certifications require an audit review every three years that takes into account how shortcomings have been dealt with and improvements made to the compliance system.
Although branded certifications are easier to obtain, they have a limited reach unless accompanied by complementary validation processes. These certifications present a higher risk to the certifiers as they are more prone to the possibility that a certified company may commit a transgression that may put unintended pressure on the certification brand. The same risk exists for standard certifications, such as ISO, even though emphasis is more on the standard itself than on the certifier.
Additionally, many certifications offer the possibility of additional items, such as incorporating organisations on compliance lists, cross-referencing suppliers on international corruption watch lists, or providing benchmarks against indices or compliance metrics, among other things.
The process of choosing a certification, more than anything, must be led by the reasons why the certification is sought. Many underlying reasons may exist, such as adopting a risk management tool, monitoring mechanisms for stakeholders, persuading the public that the company has addressed prior mishaps, satisfying a requirement from an important client, facilitating a public bidding process or even seeking favourable publicity. Certifications also may pose enhanced reputational risk if the certification proves unreliable, both for the company that obtained the certification and for the certifier. Many of the potential benefits of obtaining a cosmetic evaluation may be deeply upset by the risk exposure it may create under the wrong circumstances. So rather than beginning with an evaluation of the quality of different certifications, we recommend first evaluating the reasons why one is being pursued, and that evaluation needs to be accompanied by a thorough risk assessment.
Additionally, this analysis should take into account the costs to the organisation. Comprehensive certifications require significant effort by an organisation, including the resources and time from an internal team for the pre-assessment and certification audit.
Perhaps what is more important is the process of determining in which areas an organisation needs to strengthen its practices, align efforts and control its risks and then focusing on a certification that will be consistent with those efforts so that a certification, if needed, can become an effortless reflection of business practices and objectives.
The certification process
In essence, the certification process requires an initial assessment to identify deficiencies or limitations that determine any non-conformity with the criteria under review. Organisations often engage external counsel or consultants to work with an internal team to perform assessments and to suggest actions in preparation for certification audits. These initial assessments are typically followed by a consultation programme, organised in phases designed to address the issues identified as missing or incomplete in a gap analysis.
Preparing for a certification will depend on the type and complexity of the certification and the state of readiness of the organisation. The complexity of the organisation also will be a determining factor, as well as the size and quality of the internal and external team assigned to deal with issues determined not to conform to the criteria under review. Accordingly, the time needed for initial assessments and addressing incomplete issues will vary considerably, from four or five weeks to several months. For more comprehensive certifications, such as ISO 37001, organisations starting from a very basic level can expect it to take more than six months to be ready for a certification audit.
The process of obtaining a certification will depend mainly on how well the organisation has made itself ready and facilitates a fast-moving certification review. For more comprehensive certifications, the process may take four to eight weeks (or more), depending again on the organisation’s state of readiness.
As compliance programmes become more standardised, certification times may decrease, though we can expect that measuring the effectiveness of compliance programmes will become a priority and form an essential part of the certification process.
Future of certifications
As has been discussed, ethics certifications are challenging in that organisations need to disclose credible measures to curb unethical behaviour, something that certifiers need to assess objectively in a manner that is relatively easy to verify and report.
On the other hand, organisations can go only so far in establishing and encouraging the types of behaviour that are considered acceptable for stakeholders such as employees, officers and third parties. As certain measures become expected, organisations will need to evidence the rules, systems and controls to motivate and incentivise such expected behaviour in a way that can be considered adequate by a third party.
From a risk management perspective, organisations need to carry out a thorough risk assessment to determine their more vulnerable areas and to establish rules, systems and controls within a compliance programme that directly and effectively address these risk factors. Measurement of the effectiveness of such a compliance programme will probably require the use of benchmarks and metrics in the future.
We discuss below how the proclivity for certain forms of corporate conduct conducive to non-conformity may be systemised and restrained in ways that can be measured and certified so as to better communicate the organisation’s preparedness.
Certifiable processes in selective business practices
No certification process can provide assurances as to the outcomes of individual behaviour in specific situations. Nevertheless, corporations can create systems and policies that may provide the appropriate controls, and signal that sufficient efforts are being made to mitigate certain corporate risks that represent a potential liability.
Employee relationships and labour processes
An organisation’s programmes, policies and processes should have an effect on employee conduct and should mirror the organisation’s values, principles, ethics and compliance standards. As has already been mentioned, individual behaviour in specific situations cannot be ascertained through ethics certifications; therefore, organisations seeking to demonstrate compliance can implement programmes, policies and processes that provide the right incentives to encourage acceptable behaviour, as well as training and controls that are subject to certification. Although this will not replace employee monitoring, a well-implemented programme should result in an effective tool to reduce assessed risks.
Employee training should be more than an automated video or questionnaire. It should be consistent and effective in transferring knowledge of regulation, values, principles, culture, standards, and business and other expected behaviour.
The completion of these induction and training programmes, and a commitment by each employee to comply with the content and associated regulations, should be documented for future reference and compliance requirements. But more importantly, the effectiveness of the induction and training process should be measured and evidenced; this should accompany any future certification process.
The employment agreement, with any accompanying mandatory rules and regulations, is an essential document to launch a formal and enforceable obligation on an employee to comply with and respect all internal policies and regulations of the company. Any breach of that obligation should trigger disciplinary measures, including termination with justified cause. In some Latin American labour legislation, a single breach of the obligation agreed as part of an employment agreement is considered just cause for termination. The agreement should also bind the employee to stay up to date and review all future policies and regulations, including by all means and channels that the employer uses (website, internal network, noticeboards, etc.).
Once a company has in place all the necessary policies and regulations, in accordance with their own culture, values and visions, and the necessary documentation to make the obligations enforceable, the human resources (HR) department and others in key positions should also be trained to handle and apply the active processes. Further, employees’ compliance with those processes should be monitored so that, in the event of non-compliance, the corresponding disciplinary action can be taken, and in an appropriate manner.
Having the necessary policies and regulations regarding ethics and good practices is just the start. Companies have to take action and apply the necessary disciplinary measures when employees do not comply with them. This will also have the effect of making employees aware of, and demonstrating the importance of, complying with expected types of behaviour and avoiding unwanted behaviour. Companies should periodically update the content of those policies and regulations, since risks, new technology, trends and topics arise every day. Accordingly, not having policies updated to current expectations could, in certain cases, be as serious as not having any at all.
Ethics certifications are not by any means an assurance that employees will behave and act in a certain way. But without the training, rules and processes subject to certification, no organisation can technically strive to maintain employee behaviour within acceptable limits and mitigate the assessed risks. Therefore, policies, internal regulations and employment agreements should promote acceptable types of behaviour and discipline unacceptable behaviour.
Some companies have ethics and compliance departments that have the responsibility to monitor, investigate and handle all employment situations relating to the breach of internal policies and regulations. If a company does not have sufficient headcount or resources to create such a department, it is recommended that the HR department or an internal committee receive the proper training and designate trained teams to handle these matters to avoid mishandling events that could lead to bigger crises or additional risks.
Having risk-based policies and regulations applied at all times within the workplace, organising regular awareness campaigns and providing clear information about unwanted situations to incentivise desired behaviour can help to create and maintain a culture of ethics and compliance within a company. This in turn can be measured and eventually be subject to certification. Considering the broader array of risks that digital communications and social media represent, HR departments encounter new challenges every day in creating and maintaining a positive and healthy work environment for employees. At the same time, employees must take on board and apply the company’s values, principles and regulations.
In recent years, whistle-blowing and hotlines for complaints within the workplace have become more relevant and important for employers, making them vital elements and mechanisms for initiating investigations and preventing future or greater risks and crises arising from unethical or prohibited behaviour.
Companies should create systems, protocols and procedures for investigating claims and complaints. But the first step is to create mechanisms – such as confidential email, web page, browser, internal network, hotline or other similar channels – and make them accessible to employees so that they are able to report claims and complaints.
Since ethics certifications are based on objective criteria, they cannot be an assurance of individual behaviour in specific situations; therefore, companies should focus and document their efforts to implement best practices, principles, values and ethical behaviour within the workplace. These efforts are critical factors in choosing the right ethics and compliance certification within the workplace. The following are some of the necessary and recommended tools and practices for a company to adopt and apply:
- written ethics code and policy, including references to good conduct, conflicts of interest, standards and company values;
- easy access to all internal policies and regulations (via intranet, handbooks, email, hard copies, etc.);
- effective induction, training and seminars for employees, which have been tested for effectiveness;
- effective monitoring mechanisms that are consistent with company values, to provide early indications of non-compliant behaviour by employees to detect possible risks;
- hotlines or channels for confidential claims and complaints, and the protocols, systems and procedures to take action that provides an effective response mechanism and may be measured for effectiveness;
- transparent and effective forms of disciplinary action when employees violate internal policies; and
- a team of trained and certified experts within the organisation who are responsible for managing internal complaints.
Although individual actions and behaviour by employees cannot be fully controlled or assured by having an ethics certification, certifications can substantiate that an organisation has implemented appropriate mechanisms to effectively address anticipated behaviour. An organisation that has invested the necessary time and effort to promote ethical and good behaviour by its employees should also be able to evidence those efforts and demonstrate an increasing level of control over these types of situation, thus effectively reducing organisational risks and potential liability arising from an individual’s misconduct. As organisations view these alignment processes more as part of their operations and risk management efforts than as a separate and costly certification effort, certifications may develop, in time, into a comprehensive monitoring tool.
Compliance certifications in mergers and acquisitions
In the past, ethics reviews and certifications have not been an item on the checklist for an M&A due diligence request. M&A lawyers will usually prioritise reviewing balance sheets, company loans and related covenants, employee benefits, regulatory infractions and other areas of risk. In the discussion that follows, we aim to make the case that although a well-designed ethics certification is a useful risk-detecting tool, it cannot provide any guarantee when assessing risks in an M&A context.
We begin by considering what purposes an ethics certification may serve in a merger or acquisition process, and refer to general guidelines that any pre-M&A due diligence should consider before the final decision makers deliberate on the matter. We then use an example of an acquisition that illustrates the far-reaching consequences that can be avoided (but by no means always will be) through an ethics certification.
How is an ethics certification useful in mergers and acquisitions?
Although once an unconventional practice, M&A lawyers are becoming more used to, and even prone to, implementing compliance metrics and requirements before assessing the legal risks of a target company. Compliance analysis is now more commonly integrated into M&A processes. As always, key risk factors are closely related to the target’s specific operations, but M&A lawyers generally should pay close attention to a target’s efforts in areas such as anti-corruption, harassment prevention, non-discrimination, data protection, antitrust and best practices relating to human rights.
There are various reasons, outlined below, why an ethics certification might prove useful. We intentionally chose the word ‘useful’ rather than ‘necessary’, because a certification can provide valuable information or signals to a potential buyer, but should not be obtained for the sole purpose of a due diligence process.
- An ethics certification sends an important signal. It may be sought for different reasons and defined in different ways but, above all, certification can potentially send a loud and clear message to a company’s interlocutors. It is an effective way of seeking to convince third parties that an organisation understands the importance of investing in and implementing compliance systems, and how the failure to do so can heavily impede the company’s success. It also conveys a message that the organisation’s members are already familiar with compliance systems, and that maintaining or improving those systems will not be as burdensome as fully implementing a system from scratch. Again, this is just a message, which can be truthful or less than truthful.
- Certification saves time and costs. When a buyer is honestly interested in reviewing a target company’s compliance metrics, it will have to invest a significant amount of time in understanding the company’s operational risks, and the way its compliance system is designed to assess whether it can effectively detect, mitigate or reduce those risks. If the target has gone through a certification process, the buyer can rely on some, or many, of the certifier’s assessments and can possibly save time and the costs of a review.
- It can have an effect on the purchase price. A comprehensive and duly implemented compliance system with demonstrable results is an asset to any organisation. According to the Criminal Division of the US DOJ: ‘Pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target.’ Even if the certified compliance system fails to increase the purchase price, it may nevertheless be valuable in demonstrating the presence of particular controls that a buyer would expect to have been implemented.
- Certain buyers will be drawn to targets with certification. Undertakings that are subject to heightened regulatory standards, such as the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act or analogous frameworks, may be attracted to completing deals with targets that have such systems in place.
Important pre-M&A guidelines
As mentioned before, and discussed in other chapters, pre-M&A due diligence is useful for determining a target’s accurate value and the costs of any potential or actual misconduct for which it may be responsible. The US DOJ’s Criminal Division recently updated guidelines in this matter through a document titled ‘Evaluation of Corporate Compliance Programs’, which provides relevant insights regarding pre-M&A due diligence:
- Due diligence process: Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?
- Integration in the M&A process: How has the compliance function been integrated into the merger, acquisition and integration process?
- Process connecting due diligence to implementation: What has been the company’s process for tracking and remediating misconduct or risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?
The Goodyear Tire & Rubber Co case
We turn to a practical case depicting shortcomings in anti-corruption compliance in the context of an acquisition to consider whether a certification could have avoided, or in any way reduced, the costs for the acquiring company: the Goodyear matter before the US Securities and Exchange Commission (SEC).
Goodyear Tires is one of the biggest tyre manufacturers in the world, with headquarters in Ohio, United States, and subsidiaries in 22 other countries. In 2015, after an investigation by the SEC, it was found that employees of two of Goodyear’s subsidiaries, located in Kenya and Angola, had committed bribery to successfully complete tyre sales, both in public and private bidding processes. The company ultimately paid disgorgement and prejudgment interests of US$16 million. The SEC found that Goodyear’s subsidiaries – Treadsetters, in Kenya, and Trentyre, in Angola – had committed bribery between 2007 and 2011. Goodyear held a controlling interest in both companies through a subsidiary headquartered in South Africa. The bribes amounted to roughly US$3.2 million.
Goodyear first acquired a minority interest in Treadsetters and held a majority by 2006, but day-to-day operations remained in the hands of the company’s founders. During the relevant period the local general manager and finance director were found to have authorised the bribes directly, recording them as ‘expenses for promotional products’. There was enough evidence to suspect that the practice predated Goodyear’s investment. By 2013 Goodyear had sold its interest in the company, but the SEC nonetheless sanctioned it, citing its failure to conduct proper due diligence when it acquired that interest.
Trentyre was a wholly owned subsidiary in Angola. The SEC found that, during the relevant period, the company had made improper payments of up to US$1.6 million. The scheme was run by the former general manager, who concealed the payments by adding phony freight and customs clearing costs to the invoice price of the products. By the time of the settlement, Goodyear was seeking to sell its interest in the company. The SEC found that Goodyear had failed to implement FCPA-compliant training and controls at its subsidiaries worldwide, in violation of Section 13(b)(2)(B) of the Securities Exchange Act of 1934, the internal controls provision of the FCPA.
Goodyear has since improved its compliance programme globally, including training for its officers and employees and continuous auditing with a focus on corruption risks. It also created compliance, accounting and auditing positions, and a senior position of vice president of compliance and ethics in the parent company. Further, between 2015 (the year of the settlement) and 2018, Goodyear had to report periodically to the SEC on enhancements to its compliance programme.
How might an ethics certification help?
An ethics certification could not have prevented the bribery at Treadsetters and Trentyre. However, a certification might have had the following effects:
- Had Treadsetters and Trentyre been certified, the SEC might not have concluded that Goodyear failed to provide adequate training and controls, which was the main basis for the sanction it had to pay.
- An ethics certification, even if implemented after the acquisition, might have allowed Goodyear to detect the improper payments and take corrective action that could have avoided a sanction altogether or significantly reduced it.
- An ethics certification obtained by Goodyear (and not the targets) might have ensured that Goodyear performed high-level anti-corruption due diligence of its targets, which in turn might have enabled Goodyear to detect any risks or flagrant bribes that could have (1) deterred Goodyear from acquiring the targets or (2) significantly lowered the price of the targets.
Of course, ethics certifications would not have been a firm guarantee for Goodyear, but they would probably have made it possible to detect the risks beforehand or to reduce their effects.
Certifying processes that thwart criminal behaviour
Corporate lawyers and directors sometimes wrongly assume that implementing a compliance programme and certifying it will somehow avoid corporate criminal liability. Nevertheless, there are processes through which future compliance certifications could become more helpful in minimising the risk of criminal liability.
Which processes should be in the scope of a compliance certification?
In criminal matters, a compliance certification should focus on a company’s processes and organisational tools for ensuring that its managers, employees and related third parties conduct business within the legal framework and avoid wrongdoing that carries punishable legal consequences. These processes vary from one country to another and should be tailored to the particularities and needs of each organisation. There is no ‘one size fits all’ recipe for preventing or detecting criminal actions, since these are constantly evolving, not least in light of new technologies.
Nevertheless, for the purposes of this guide, we recommend the following as the processes on which a certification should focus:
- Financial and accounting processes: Possibly the biggest risk or area of weakness any organisation faces lies in its financial and accounting processes. There are endless examples of tax fraud, bribery and corruption, among other things; in recent years, tax fraud and irregular electoral campaign financing have been among the most common offences involving companies and their directors. Organisations must develop processes that build an anti-bribery and anti-corruption culture embraced by their managers, employees and third parties. Among those processes, organisations should implement financial and commercial controls, review the sources of funds provided by shareholders and third-party partners, and establish reporting mechanisms together with procedures to investigate the reports received. ISO 37001:2016 on anti-bribery management systems already focuses on financial controls for the detection and prevention of bribery. In the future, a system that monitors deviations from budgeted amounts, payments to parties outside the approved third-party list and non-standard units of payment could serve as an early detection system.
- Shareholders and decision-making processes: In developing countries, where the vast majority of businesses are family owned, the shareholders and partners have complete control. Hence, there are special risks that could lead to punishable legal consequences for the company: partners may instruct (with little resistance) the company’s executives to redirect funds to special non-corporate accounts, incur non-budgeted expenses or make excessive payments to sham contractors. The organisation must therefore demonstrate that it maintains adequate controls that impede deviations from its structured financial policies and processes. Red flag indicators should be in place, joint authorisation should be required for large or cumulative amounts, and hotlines should enable anonymous reporting of financial transgressions that triggers an automatic investigation into suspicious payments or transfers, regardless of who gave the instruction, including partners, shareholders or other high-level executives.
- Production or delivery of goods and services: Product fraud is as old as trade and takes every form, including consumer goods, online fraud, prescription drugs and assembly parts for vehicles and aircraft. Examples range from medicines with no active ingredients to replacement aircraft parts that fail. In August 2019, farmer Randy Constant was sentenced to more than 10 years in prison for selling approximately US$142 million in supposedly organic grain to livestock farmers, the largest organic fraud case in the history of the United States. An organisation therefore has to identify the risks of product and service fraud, whether within the organisation itself or in the products supplied by its third-party partners, and then establish its own processes to prevent or reduce the possibility of fraud. A common reference for this goal is ISO 22380:2018 on product fraud risk and countermeasures.
- Risk management process: Every organisation has its own risks, depending on its activities, the number of employees and its third-party relationships, among other factors. A company must have a methodology or process to identify, analyse and address the particular risks it faces, and it must collect the right information and the necessary metrics to detect those risks and determine how to avoid them.
- Enhanced third-party management: Organisations should ensure they have a complete understanding of their third-party partners, including agents, consultants and distributors, which requires systems for continuous monitoring. Organisations must conduct complete due diligence to understand the policies, procedures and reputation of their third-party partners, and those partners’ relationships with foreign officials and decision-makers, all of which is particularly important given that third parties are frequently used to commit crimes. A common example is the payment of bribes to foreign government officials through service providers, such as consultants and attorneys. In the Walmart case brought by the SEC and the US DOJ in 2019, according to the SEC, Walmart failed to sufficiently investigate certain anti-corruption risks and allowed subsidiaries in Brazil, China, India and Mexico to employ third-party intermediaries who made payments to foreign government officials, which ultimately cost the company more than US$282 million to settle both the SEC’s charges and the criminal charges brought by the US DOJ. As certifications become more widespread, the decision to hire a third-party intermediary should weigh the task being outsourced against the supplier’s certified quality and the reputational risk involved.
All these processes should be integrated into an enhanced compliance programme and assigned to a team that is fully accountable for its implementation. The compliance programme itself may also seek certification, which provides guidance for building an effective, organisation-wide compliance management system and enables the organisation to demonstrate its commitment to compliance with the relevant laws and best practices.
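The early-detection controls described under the financial, shareholder and third-party processes above lend themselves to a concrete check. The following is an added example written for this chapter, not code from any certification body, standard or case discussed here. It screens a constructed payments ledger for payees outside the approved third-party list, cumulative deviations from a budget line, non-standard currencies or payment methods, and single or cumulative payments that require joint authorisation by two people other than whoever gave the instruction. The policy thresholds, names and ledger rows are all assumed for illustration.

```python
"""Early-warning screening of a payments ledger (illustrative example, not from the chapter).

Implements the red flags the text lists: unapproved third parties, budget-line overruns,
non-standard units of payment, and missing joint authorisation for large or cumulative
amounts. Every name, threshold and ledger row below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    pid: str
    when: date
    payee: str
    budget_line: str
    amount: float
    currency: str
    method: str          # e.g. "wire" or "cash"
    approvers: tuple     # people who signed off the payment
    instructed_by: str   # person who gave the instruction (may be a shareholder)


@dataclass(frozen=True)
class Policy:
    approved_payees: frozenset
    budget: dict                  # budget line -> amount approved for the period
    budget_tolerance: float       # fraction a line may exceed its budget before flagging
    standard_currencies: frozenset
    standard_methods: frozenset
    single_dual_auth: float       # a single payment at or above this needs joint authorisation
    cumulative_dual_auth: float   # cumulative amount per payee at or above this needs it too


def screen_ledger(payments, policy):
    """Return {payment id: [(flag code, detail), ...]} in chronological order.

    An empty list means no red flag. Cumulative checks run over the ledger in date order,
    so a payee that stays under every single-payment threshold is still caught once the
    running total crosses the joint-authorisation limit.
    """
    spent_per_line = defaultdict(float)
    spent_per_payee = defaultdict(float)
    findings = {}
    for p in sorted(payments, key=lambda x: (x.when, x.pid)):
        flags = []
        if p.payee not in policy.approved_payees:
            flags.append(("UNAPPROVED_PAYEE", f"{p.payee!r} is not on the approved third-party list"))
        if p.currency not in policy.standard_currencies:
            flags.append(("NONSTANDARD_UNIT", f"currency {p.currency!r} is not a standard unit of payment"))
        if p.method not in policy.standard_methods:
            flags.append(("NONSTANDARD_UNIT", f"payment method {p.method!r} is not standard"))
        spent_per_line[p.budget_line] += p.amount
        if p.budget_line not in policy.budget:
            flags.append(("NO_BUDGET_LINE", f"{p.budget_line!r} has no approved budget"))
        else:
            ceiling = policy.budget[p.budget_line] * (1 + policy.budget_tolerance)
            if spent_per_line[p.budget_line] > ceiling:
                flags.append(("BUDGET_OVERRUN",
                              f"{p.budget_line!r} at {spent_per_line[p.budget_line]:.2f} "
                              f"exceeds {ceiling:.2f} (budget plus tolerance)"))
        spent_per_payee[p.payee] += p.amount
        reasons = []
        if p.amount >= policy.single_dual_auth:
            reasons.append(f"single payment {p.amount:.2f} >= {policy.single_dual_auth:.2f}")
        if spent_per_payee[p.payee] >= policy.cumulative_dual_auth:
            reasons.append(f"cumulative {spent_per_payee[p.payee]:.2f} to {p.payee!r} "
                           f">= {policy.cumulative_dual_auth:.2f}")
        if reasons:
            # Joint authorisation: two distinct approvers, neither being the person who gave
            # the instruction, whatever that person's rank (assumed rule for this example).
            independent = set(p.approvers) - {p.instructed_by}
            if len(independent) < 2:
                flags.append(("MISSING_JOINT_AUTH",
                              "; ".join(reasons) + f" but only {len(independent)} independent approver(s)"))
        findings[p.pid] = flags
    return findings


# Constructed policy and ledger for the example.
SAMPLE_POLICY = Policy(
    approved_payees=frozenset({"Acme Logistics", "Harbour Customs Agents"}),
    budget={"freight": 15_000.0, "marketing": 20_000.0, "customs": 5_000.0},
    budget_tolerance=0.10,
    standard_currencies=frozenset({"USD"}),
    standard_methods=frozenset({"wire"}),
    single_dual_auth=10_000.0,
    cumulative_dual_auth=15_000.0,
)

SAMPLE_LEDGER = [
    Payment("P1", date(2021, 3, 1), "Acme Logistics", "freight", 8_000.0, "USD", "wire", ("cfo", "controller"), "ops_manager"),
    Payment("P2", date(2021, 3, 8), "Acme Logistics", "freight", 9_000.0, "USD", "wire", ("cfo", "controller"), "ops_manager"),
    Payment("P3", date(2021, 3, 10), "Sunrise Promotions", "marketing", 4_500.0, "USD", "cash", ("gm",), "gm"),
    Payment("P4", date(2021, 3, 15), "Sunrise Promotions", "marketing", 12_000.0, "USD", "wire", ("gm", "gm"), "gm"),
    Payment("P5", date(2021, 3, 20), "Harbour Customs Agents", "customs", 3_000.0, "EUR", "wire", ("cfo", "controller"), "ops_manager"),
    Payment("P6", date(2021, 3, 22), "Harbour Customs Agents", "entertainment", 700.0, "USD", "wire", ("cfo", "controller"), "shareholder_x"),
]


def run_sample():
    """Screen the constructed ledger and return only the flag codes per payment."""
    return {pid: [code for code, _ in flags] for pid, flags in screen_ledger(SAMPLE_LEDGER, SAMPLE_POLICY).items()}


if __name__ == "__main__":
    for pid, flags in screen_ledger(SAMPLE_LEDGER, SAMPLE_POLICY).items():
        print(pid, "OK" if not flags else "; ".join(f"{c}: {d}" for c, d in flags))
```

Every flagged payment is a candidate for the automatic investigation the text describes; note that P6 is flagged purely on the missing budget line, irrespective of the shareholder who instructed it, and that P4 trips joint authorisation because the general manager both instructed and approved the payment.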
How is a compliance certification potentially useful in a criminal process?
Although prosecutors and courts in a variety of jurisdictions consider an organisation’s compliance programme before establishing the company’s responsibility, the existence of a compliance programme does not automatically exonerate an organisation.
Investigators have consistently focused on the effectiveness of compliance measures rather than on their mere form. Recently, an Assistant Attorney General of the United States remarked, while announcing the publication of the ‘Evaluation of Corporate Compliance Programs’ by the US DOJ’s Criminal Division, that prosecutors take three decisions that require an analysis of the company’s compliance programme:
First, pursuant to the Justice Manual, prosecutors assess the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision. This helps guide the prosecutors in determining whether they should decline to bring a case, or, if a resolution is appropriate, what that resolution should be.
. . .
Second, prosecutors assess a company’s compliance program at the time of the misconduct to determine the company’s culpability score under the US Sentencing Guidelines, which determines the company’s ultimate fine range.
. . .
Third, prosecutors look at the company’s compliance program at the time of the resolution to determine whether an independent compliance monitor is necessary to prevent the reoccurrence of misconduct, or whether the compliance program is sufficiently effective to permit the company to self-monitor.
In Spain, on 22 January 2016, the Office of the State Attorney General published Circular 1/2016, offering an interpretation of Article 31 bis of the Criminal Code. The circular and the article provide prosecutors with guidance on how to evaluate compliance programmes when deciding whether an organisation should be exonerated.
According to the US DOJ, the characteristics of a compliance programme that matter most for an organisation seeking a benefit in a criminal case are its ‘adequacy and effectiveness’. The company must test its compliance programme and constantly develop and improve it. A third-party compliance certification is a helpful tool for this: it serves as evidence that the company has been improving, testing and evolving its programme, and thus signals to the prosecutor or the court that the organisation has sought to comply with the legal framework and that the offence was an act of a rogue employee (or employees) rather than of the company.
However, a third-party compliance certification is not necessarily a bullet-proof measure. Companies with compliance certifications may still be involved in criminal actions or accused of wrongdoing. Such is the case of the corruption allegations against the Monaco-based energy services company Unaoil. According to the allegations, between 2002 and 2012, Unaoil and its executives bribed officials in Africa, the Middle East and Central Asia to help secure contracts for international oil companies. The alleged crimes were committed despite Unaoil being brand-certified as anti-corruption compliant.
Compliance certifications do not automatically exonerate an organisation that is facing criminal liability. Although not a guarantee, a certification should be an indication that an independent third party has done the necessary research to reach certain conclusions about the organisation being certified.
Nor is it necessarily the best way to demonstrate that the corporation took every step necessary to avoid, detect and control all its risks. As Trace International’s president, Alexandra Wrage, said in an interview with Just Anti-Corruption about Trace’s certifications: ‘It’s due diligence; it’s certainly not a guarantee.’
Is a compliance certification necessary to thwart criminal behaviour?
The short answer is no. However, compliance certifications are currently useful tools for demonstrating that a company has an adequate and effective compliance programme and has taken the necessary steps to thwart criminal behaviour or wrongdoing within its organisation and among its third-party partners. A compliance certification therefore helps an organisation to build, improve and evolve its compliance programme.
In developing countries, where compliance programmes are still being implemented by larger enterprises and core compliance certifications are not yet widely used, the main effect of compliance management systems is not the benefit the corporation may obtain in a criminal case but the change in culture they can bring about. In April 2018, a Guatemalan judge resolved a corruption case involving notable businessmen and government officials by sentencing them to five years in prison and, for the first time in the country, ordering the implementation of compliance programmes within their respective business organisations.
Hence, for developing countries, the main benefit of certifications that effectively screen for a well-designed compliance programme is most probably the change of culture in an organisation and eventually, if the certifications are widely respected, in the business climate itself. As Spain’s State Attorney General has stated, the aim of a corporate compliance programme is not to avoid criminal penalties but to promote and encourage a tradition of professional ethics. A compliance certification should ultimately have as its core objective to provide reassurance that this culture is rooted in the organisation, allowing a culture of trust to facilitate dealings both internally and externally.
As reputational and compliance risks become more pervasive, certifications have prospered as risk mitigators. Certifications come in different shapes and sizes, and organisations should assess their risk profile and needs before determining which certification provides the required signalling. Certifications cannot and should not verify behaviour; they verify the processes, policies and controls under which an organisation operates. Transgressions remain possible despite certification, but evidence that a company has taken thoughtful precautions and maintained best practices, as attested in a certification process, can be a valuable risk mitigator. When a transgression is instead perceived as a sign of a lax or tarnished certification process, the result for the organisation is reputational damage and heightened risk.
We have stressed that certain business practices are more vulnerable to ethical transgressions. A thorough risk assessment can help to determine these vulnerabilities, and companies should seek to generate practices that can be measured and controlled, regardless of the interest in or the advantage of a particular certification. Just as passing a health check-up is not an essential goal for a person’s well-being, certifications should remain as mere guides for an organisation whose business conduct is aligned with its values and purpose, and for whom a certification process, when needed, should simply provide reassurance.
 José Quiñones and Evelyn Rebuli are partners, Ignacio Grazioso and Javier Castellan are associates and Luis Pedro Martínez is a trial lawyer at QIL+4 Abogados.
 ISO 37001:2016 – Anti-bribery management systems – Requirements with guidance for use, see International Organization for Standardization < https://www.iso.org/iso-37001-anti-bribery-management.html>.
 Meaning those associated with a specific organisation that provides the certification rather than a certification based on a general norm or standard in common use that allows for multiple certifiers.
 US Department of Justice [US DOJ], Criminal Division, ‘Evaluation of Corporate Compliance Programs’, Guidance Document, updated April 2019, p. 8 < https://www.justice.gov/criminal-fraud/page/file/937501/download>.
US Securities and Exchange Commission, Order Instituting Cease-and-Desist Proceedings, Release No. 34-74356, 24 February 2015 <https://www.sec.gov/litigation/admin/2015/34-74356.pdf>.
 See International Organization for Standardization < https://www.iso.org/iso-37001-anti-bribery-management.html>.
See ISO 22380:2018 <https://www.iso.org/obp/ui/#iso:std:iso:22380:ed-1:v1:en>.
 See ‘Evaluation of Corporate Compliance Programs’, Guidance Document, updated April 2019, page 3 < https://www.justice.gov/criminal-fraud/page/file/937501/download>.
 id., at p. 7.
See ISO 22380:2018 <https://www.iso.org/obp/ui/#iso:std:iso:22380:ed-1:v1:en>.
 Excerpts from Assistant Attorney General Brian A Benczkowski’s keynote address at the Ethics and Compliance Initiative 2019 Annual Impact Conference < https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-keynote-address-ethics-and>.
 US DOJ, Principles of Federal Prosecution of Business Organizations: Justice Manual 9-28.300 – Factors to Be Considered < https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.300>.
See Just Anti-Corruption interview with Trace International’s president, Alexandra Wrage <https://globalinvestigationsreview.com/article/jac/1025507/trace-president-defends-record-in-wake-of-unaoil-corruption-scandal>.
 See Circular 1/2016, p. 39 < https://www.pactomundial.org/wp-content/uploads/2016/09/Circular-sobre-la-Responsabilidad-Penal-de-las-Empresas.pdf>.