15. Certification of Ethics: Are They Worth It?
Just as good product design makes a product easy to use and aids the user in achieving its desired effect, even where the user does not understand the mechanics of said product, so too does a good risk management system and compliance programme promote appropriate conduct through well-designed management systems. Ethics certifications must be based on this principle of appropriate design rather than intent or moral behaviour.
In this chapter, we will analyse the theory behind certifications and provide examples of best practices for getting the best results in the fields of employee relationships, business practices, M&A due diligence, and corporate fraud and white-collar crime. We will make the case that, for certification to be effective, accepted principles need to be taken into consideration, in-depth analysis must be provided, and the highest standards must be maintained to appropriately signal to contractual partners and authorities that appropriate risk management techniques have been established.
Origins of ethics certifications
The rapid transmission and availability of information (and disinformation) has put corporate accountability in the spotlight. Organisational behaviour is being widely questioned, and the need to manage, evaluate and regulate acceptable conduct has undergone enhanced scrutiny in an effort to curb professional misdemeanour.
Further, many disciplines regarding the study of human behaviour have converged on this topic, including behavioural economics, philosophy, psychology, sociology and neurology, to help better understand human incentives, morality, cooperation and motivation.
This discussion requires a more in-depth look at the shifting perceptions of what is considered as accepted conduct in different societies. We can safely say that, for individuals, many beliefs that were perhaps supported by moral principles such as sanctity have been greatly challenged by other accepted principles, such as fairness and reciprocity. Similar shifting has distressed expected corporate culture, driven in larger part by the availability of information and the right to free speech, which has led to the scrutiny of corporate behaviour, in itself presenting another challenge and yielding to a deeper discussion on liberty and the right and importance of holding contradicting opinions.
In essence, these shifting perceptions have yielded tougher scrutiny on organisations, especially on a rapidly growing number of organisations that, through foreign investments, financing and trading operations, are subject to different legislations and scrutiny, and are more vulnerable to not conforming to expected behaviours in different countries.
Because of this, organisational behaviour has been bound by a widening concept of risk, developed markets are expected to continually review their policies in an effort to remain compliant with market scrutiny, and these markets have added separate compliance departments with audit functions. A major challenge is presented while doing business with organisations in less developed markets, as regulations are often equivocal and formalistic, leading to corruption incentives that can present an enhanced risk for the foreign counterpart.
Many of these expected behaviours fall under the realm of accepted principles and conduct. These principles are always undergoing gradual change in response to changing social norms, and eventually make their way into standards, guidelines and recommended principles. This process strives to create a balance between freedom of enterprise and choice, profit generation, and individual rights, on the one hand, and more aspirational conducts such as social responsibility and observance of what has been grouped as environmental, social and governance (ESG) criteria, on the other. This is certainly a developing process, caught in a system under deep scrutiny.
Under this balancing act, the need to convey both an assurance against fallibility and a commitment to the observance of conduct that creates an acceptable balance has flourished. Such efforts present both challenges and rewards. Efforts to create credible verification systems have emerged with their distinct challenges and limitations.
Organisations are subject to scrutiny beyond contractual and non-contractual legal liability, and are subject to new standards. In a way, agency problems arising from the many relationships within the organisation and between the organisation and third-party stakeholders have been revisited. The concept of the firm and its nexus of contracts as originally conceived by Ronald Coase and described by Jensen and Meckling in their famous 1976 paper perhaps needs to be expanded to include implicit contracts held with indirect stakeholders.
In practice, new sources of organisational risks have arisen from ESG concerns, as organisations are held accountable for the effects of their actions and behaviour that may give rise to such concerns. Numerous efforts have surfaced in the areas of consulting, training and certifications.
Although dealing with these matters has given rise to new areas of expertise within organisations, in practice, these matters are still within the scope of general organisational risk management and will perhaps blend in eventually within the natural organisational processes. However, for now, the need to provide appropriate signalling that an organisation operates within acceptable boundaries of behaviour has given rise to different types of certifications or recognitions that present distinct challenges.
Ethics certifications have spawned based on products and production systems (raw materials sourced, methods, environmental effects, etc.), individuals (data protection, diversity, etc.), industry standards (management standards, suppliers, distribution channels), processes, or combinations of these. Certifications are made available for individual training and expertise as well as at an organisational level and also for third-party contractors or suppliers. In one way or another, organisations are seeking to facilitate business, persuade consumers, reduce the perception of risk to lenders or in general enhance their perception for third parties.
Within the governance classification, anti-corruption and, more fully, integrity and ethical behaviour, have been key drivers in certification efforts, since corruption and bribery constitute a primary, distinct and incremental risk factor.
Boundaries to certifications
Compliance programmes have been evolving into generally accepted parameters. Foreign anti-corruption laws in many countries, the approval of the international standards (ISO 37001:2016) and Guidelines for Compliance Programs issued by the US Department of Justice, among other milestones, have helped in creating structural designs that have been accepted in their core and present similar arrangements and content.
Such standardisation benefits certification processes in that it facilitates the review of common criteria and of processes that are considered standard parts of a compliance programme, even though organisations may be subject to different legislations and scrutiny.
On the other hand, as processes mature, organisations seek efficiencies in order to fulfil objective criteria for observance of conformity to a certification requirement. Two recent examples are the automation of anti-corruption training, and hotlines or so-called whistle-blower lines.
Numerous online tools for compliance training have sprung up; many contain automated examples and generic events, whose value in providing effective training represents a challenge for certifications that wish to be more than just a checklist review. It is clear that the objective behind training is to create an effective mechanism that deters employees from transgressing ethical boundaries. Many such automated training programmes contain illustrations of typecast business situations (related to the permitted gift policies, insinuations from officials, etc.). In practice, corruption quickly migrates into more subtle schemes that may involve more elaborate contractual situations, vague conflicts of interest, or reciprocal contracting; situations that require a more profound base whose training may be difficult to assess with a simplified evaluation. The challenge here is that certifications, in order to remain credible, will need to assess not only the frequency but also the effectiveness of such training.
Hotlines or whistle-blower channels present special challenges. Whistle-blower is a term that creates discomfort in some jurisdictions outside the United States owing to negative connotations that may discourage its use. Although these types of reporting channels have been fully automated in their operations and design, effectiveness depends both on the reaction that a report may elicit and the simplicity with which a report may be made without anxiety surrounding repercussions. In this respect, reliable certifications will need to assess the reach and helpfulness of a hotline more than its existence and the infrequency of use. Responsive actions need to be implemented from the reports for the system to maintain credibility within the organisation.
In addition, the target audience for certifications may eventually lead to different measurements and approaches. The need to assess third-party compliance may require a different evaluation to the one required, for example, by a government organisation from public contractors, which would probably be focused on anti-bribery financial controls. Nevertheless, the risk of setting up divergent certification systems may generate uncertainty on the scope of what is eventually covered and the reassurances it may provide. As a result, it is essential that anyone relying on any type of certification reviews the scope of what it may or may not provide to understand what could reasonably be assumed from it.
As more sophisticated cases emerge, the need for a more comprehensive approach will manifest. As evidenced by the 2020 DPA reached with Airbus, despite close examination of contractors and manifested internal scepticism, it was insufficient to overcome the blemished reliance on third-party intermediaries, which will increasingly fall under enhanced scrutiny.
It is impossible to certify and guarantee conduct; certifications can only verify that systems, policies and controls are in place that either induce expected behaviours or discourage misconduct.
Certifications vary in scope and depth. Consistent with what has been discussed above, most certifications are based on evaluating objective criteria that allow an objective review that a specific requirement has been met without making declarations on moral behaviour.
Some branded certifications use proprietary online platforms to perform quick assessments in just a few weeks, requiring evidence of having in place compliance programmes, accomplished business registrations, audited financial statements and similar documentation. These certifications often require re-certification periods of one year.
More comprehensive certifications, such as the ISO 37001:2016, require more inclusive on-site audits of senior management and board commitments, a code of conduct and compliance programme, employee training and awareness, third-party due diligence and monitoring, response mechanisms, financial controls and anti-corruption fund allocation. These certifications require an audit review every three years that takes into account how shortcomings have been dealt with and improvements made to the compliance system.
Although branded certifications are easier to obtain, they have a limited reach unless accompanied by other complementary validation processes. These certifications present a higher risk to the certifiers as they are more prone to the possibility that a certified company may commit a transgression that may produce unintended pressure for the certification brand. The same risk exists for standard certifications such as ISO, even though emphasis is more on the standard itself than on the certifier.
Additionally, many certifications offer the possibility of additional items such as incorporating organisations on compliance special lists, cross-referencing suppliers on international corruption watch lists, or providing benchmarks against indices or compliance metrics, among other things.
The process of choosing a certification has more to do with the reasons why a certification is sought. Many underlying reasons may exist, such as a risk management tool, monitoring mechanisms for stakeholders, the need to persuade that the risk of previous mishaps has been dealt with, a requirement for an important client, as facilitation for a public bidding process or even publicity. Nevertheless, certifications may also represent enhanced reputational risk upon a major shortcoming if it evidences that the certification was intentionally unreliable; as stated before, under some circumstances this may represent a risk to the certifier as well. Many of the benefits of obtaining a cosmetic evaluation may be deeply upset by the risk exposure it may create under the wrong circumstances. So, rather than beginning with an evaluation of the quality of the certification, we suggest the process begin with evaluating the reasons why one is pursued, an evaluation that needs to be accompanied by a thorough risk assessment.
Additionally, such root source analysis should take into account the opportunity cost to the organisation. Comprehensive certifications require a significant effort be made internally by the organisation and a significant amount of resources and time from an internal team will be required to be allocated during the time of the pre-assessment and certification audit.
Perhaps what is more important is the process of ascertaining where an organisation needs to strengthen its practices, align efforts and control its risks, and focus on a certification that will be consistent with such efforts so that a certification, if needed, can become an effortless reflection of its business practices.
The certification process
In essence, the certification process requires an initial assessment to identify deficiencies or limitations that determine ‘non-conformity’ to the criteria under review. Organisations often engage outside counsel or consultants to work with an internal team to perform such assessment and suggest actions to be prepared for a certification audit. These initial assessments are followed by a consulting programme divided into phases designed to address all issues determined as missing or incomplete in a gap analysis. Preparing for a certification will depend on the type and complexity of the certification and the readiness of the organisation. Additionally, the complexity of the organisation will also be a determining factor, as well as the size and quality of the internal and external team assigned to dealing with issues determined not to conform to the criteria under review. Accordingly, initial assessments and addressing incomplete issues will vary considerably in time, from four to five weeks to several months. For more comprehensive certifications, such as ISO 37001, organisations, starting from a very basic entry level, can expect more than six months to be ready for a certification audit.
The process of certification itself will depend mainly on how the organisation has made itself ready and facilitates a fast-moving certification review. For more comprehensive certification, the process may take four to eight weeks (or more) depending on how ready the organisation has made itself.
As compliance programmes become more standardised, certification times will likely be reduced, but we can expect that measuring the effectiveness of the compliance programme will become a priority and will most probably be expected to form part of the certification process.
Future of certifications
As discussed, ethics certifications are challenging in that organisations need to disclose credible measures to curb unethical behaviour, something that certifiers need to objectively determine in a manner that is easy enough to verify and report.
On the other hand, organisations can go so far as establishing and encouraging the expected behaviours that are considered acceptable for stakeholders such as employees, officers and third parties. As certain measures become expected, organisations will need to evidence the rules, systems and controls in place to motivate and incentivise such expected behaviours in such a way that they can be considered as adequate by a third party.
The migration to online platforms in 2020 has facilitated most certification processes and has made online verification mostly acceptable. Nevertheless, personal interviews have become a challenge: although online meetings have been substantially improved, the information that is obtained from personal encounters is limited on such online platforms and many times complementary procedures are recommended. Additionally, it is foreseeable that certifications will adapt to evolving compliance requirements and regulation; reporting mechanisms will undoubtedly evolve as a result.
From a risk management perspective, organisations need to perform a profound risk assessment to determine their more vulnerable areas and establish rules, systems and controls within a compliance programme that effectively address these risk factors directly. The measurement of the effectiveness of such a compliance programme will most probably require in the future the use of benchmarks and metrics.
We discuss below how the proclivity to certain corporate conducts conducive to non-conformity may be systemised and restrained in ways that can be measured and certified so as to better communicate the organisation’s preparedness.
Certifiable processes in selective business practices
Ethics certification processes show that no certification can provide assurances as to the outcomes of individual behaviours in specific situations; nevertheless, corporations can create systems and policies that may provide the appropriate controls and signals that sufficient efforts are being made to mitigate certain corporate risks that represent a potential liability.
Employee relations and labour processes
Organisation programmes, policies and processes should impact employee conduct and should eventually mirror an organisation’s values, principles, ethics and compliance standards, including all the necessary protocols, measures, metrics and standards to prevent the spread of covid-19 within the workplace. As mentioned, individual behaviour in specific situations cannot be ascertained through ethics certifications; therefore, organisations seeking to convey a message of compliance can implement programmes, policies and processes that provide the right incentives to encourage acceptable and responsible behaviours, training and controls susceptible of certification. Although this will not replace employee monitoring, a well implemented programme should result in an effective tool to reduce assessed risks.
Employee training should be more than an automated video or questionnaire. It should be consistent and effective in transferring knowledge of regulation, values, principles, culture, standards, safety, health measures and any other business and expected behaviours.
The attendance at and completion of these orientations and trainings, and the commitment of each employee to comply with the content and regulations, should be documented for future compliance use and reference. But, more importantly, the effectiveness of these orientations should be measured and evidenced; this should accompany any future certification process.
The employment agreement, along with accompanying mandatory rules and regulations, is an essential document to launch a formal and enforceable obligation of the employee to comply and respect all internal policies and regulations of the company. The breach of that obligation should have as a consequence disciplinary measures including termination with justified cause. In some Latin American labour legislation, the sole breach of an obligation agreed on an employment agreement is considered just cause for termination. The agreement should also bind the employee to stay up to date and review all future policies and regulations by all means and channels that the employer uses (website, internal network, boards, etc.).
Once a company has all the necessary policies, metrics and regulations according to their culture, values and vision, and the necessary documentation to make the obligations enforceable, human resources and key positions in the company should also be trained to handle, apply and monitor that the employees are complying with them, and in case they are not, be aware of the correct way to take the corresponding disciplinary action.
Having the necessary policies and regulations regarding ethics and good practice is just the start; companies have to take action and apply the necessary disciplinary measures when employees do not comply with them. This will also have a positive impact on employees, increasing their awareness of compliance and showing the importance of complying with expected behaviour. Companies should update the content in those policies and regulations periodically since risks, new technology, trends and topics arise every day, and therefore not having updated policies with actual expectations could be as serious as not having them.
Ethics certifications are not by any means an assurance that employees will behave and act in a certain way, but without training, rules and processes subject to certification, no organisation can effectively strive to maintain employee behaviour within acceptable limits and mitigate its assessed risks. Therefore, policies, internal regulations and employment agreements should promote acceptable behaviour and discipline unwanted behaviour.
Some companies have ethics and compliance departments that have the responsibility to monitor, investigate and handle all employment situations related to breach of internal policies and regulations. It is important to consider these types of departments, but if the company is limited in headcount or resources to create such departments, it is recommended that human resources or an internal committee should receive the proper training and designate trained teams to handle these matters to avoid mishandling events that could lead to a bigger crisis or additional risk.
Owing to the covid-19 pandemic and the necessity to apply home-office or remote working conditions, human resources or internal committees have a more complex task when seeking to monitor, investigate and handle employment situations; therefore, technological platforms and software are gaining ground as tools to handle these matters.
Having policies and regulations and applying them daily within the workplace, from home or remotely; organising regular awareness campaigns; providing clear information surrounding unwanted situations; and incentivising desirable workplace behaviour can help create and maintain a culture of ethics and compliance of a company that can be measured and eventually be subject to certification. Considering the broader array of risk that digital communication and social media represent, human resources departments have more challenges on their hands than ever in creating and maintaining a good, positive and healthy work environment for employees, but employees need to grasp and apply their company’s values, principles and regulations independently.
In recent years, whistle-blowing and hotlines for complaints within the workplace have become more relevant and important for employers, making them vital elements and mechanisms to initiate investigations and prevent future or greater risks and crises due to unethical or prohibited behaviours of employees.
Companies should create systems, protocols, and procedures of investigation for claims and complaints, but the first step is creating or giving access to the employees to mechanisms for them to be able to make those claims and complaints, such as confidential emails, a webpage, browser, internal network, hotline, etc.
Since ethics certifications are based on objective criteria, they cannot provide an assurance with regard to individual behaviour in specific situations; therefore, companies should focus and document their efforts for the implementation of best practices, principles, values and ethical behaviour within the workplace. These efforts are discerning criteria in choosing the right ethics and compliance certification within the workplace, making the following necessary and recommended tools and practices for a company to have and apply:
- written code of ethics and policies;
- written policies related to good conduct, values, conflict of interests, standards and company values;
- written policies, metrics and standards of good practice in home-office or remote work;
- easy access to policies and regulations (internal web, handbooks, emails, hard copies, etc.);
- effective training and seminars for employees;
- effective monitoring mechanisms consistent with company values to provide an early warning sign of non-compliant behaviour by employees to detect possible risks;
- hotlines or channels for confidential claims and complaints, namely protocols, systems and procedures to take action that provide an effective response mechanism and that may be measured for effectiveness;
- transparent and effective disciplinary actions when the employee does not comply; and
- a team of experts in the organisation trained and certified who are responsible for managing internal complaints.
Although the individual actions and behaviour of employees cannot be fully controlled or assured by having an ethics certification, such certifications can evaluate that an organisation has implemented consistent mechanisms to effectively align expected behaviour. An organisation taking all the necessary efforts to promote good ethics and behaviour should be able to evidence such efforts and demonstrate control of the situation, thus effectively reducing organisational risks and potential liability due to individual misconduct.
As organisations view these alignment processes more as part of their operations and risk management efforts than a separate and costly certification effort, certifications may transform into a comprehensive monitoring tool.
Compliance certifications in M&A
Ethics reviews and certifications have not been a historical checkbox item in an M&A due diligence request list. M&A lawyers will usually prioritise reviewing balance sheets, company loans and related covenants, employee benefits, regulatory infractions and other areas of risk. In this section, as stated above, we will make the case that a well-designed ethics certification is both of the following: a useful risk-detecting tool, as well as a tool that provides no guarantee when assessing risks in an M&A context.
We will begin by discussing what purposes an ethics certification may serve in a merger or acquisition process, and refer to general guidelines that any pre-M&A due diligence should take into consideration before the final decision-makers deliberate on the matter. We will then use an example of an acquisition that is appropriate to understand the far-reaching consequences that can be (but by no means always will be) avoided through an ethics certification.
How is an ethics certification useful in M&A?
Although once an unorthodox practice, M&A lawyers are becoming more used to and even prone to implementing compliance metrics and requirements before assessing the legal risks of a target company. Compliance analysis is now more commonly integrated into the M&A processes. As always, key risk factors are closely related to the target’s specific operations, but in general M&A lawyers should pay close attention to the target’s efforts in areas such as anti-corruption, harassment prevention, non-discrimination, data protection, antitrust and best practices in connection with human rights.
There are various reasons why an ethics certification might prove useful:
- It sends the correct signal. An ethics certification may be sought for different reasons and defined in different ways, but more than anything else, such certification is a loud and clear message to a company’s interlocutors. It is a highly effective way to convince third parties that an organisation understands the importance of investing in and implementing compliance systems, and how the failure to do so can heavily impede the company’s success. It also conveys a message about how the organisation's members are already familiar with compliance systems, and that maintaining or improving such systems will not be as burdensome as fully implementing a system from scratch. Again, this is just a message. It can always be a truthful or not so truthful message.
- It saves a lot of time and costs. When a buyer is honestly interested in reviewing the target’s compliance metrics, it will have to invest a significant amount of time in understanding the company’s operational risks, and the way its compliance system is designed to assess whether it can effectively detect, mitigate or reduce such risks. If the target has gone through a certification process, the buyer can rely on some or many of the certifier’s assessments and can save time and costs on such review.
- It can have an effect on the purchase price. A comprehensive and duly implemented compliance system with demonstrable results is an asset to any organisation. According to the Criminal Division of the US Department of Justice, ‘Pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target.’ Even if the certified compliance system fails to increase the purchase price, it will definitely ensure that it will not decrease in those cases in which the buyer already expects such systems implemented.
- It attracts buyers subject to heightened regulatory standards. Buyers subject to FCPA, the Securities Exchange Act of 1934, the UK Bribery Act, or analogous frameworks will definitely be attracted to completing the deal with a target that has such systems in place.
Important pre-M&A guidelines
A pre-M&A due diligence is useful when determining a target’s accurate value and the costs of any potential or actual misconduct it may be responsible for. In June 2020, the DOJ’s Criminal Division updated its guidelines in this matter through its document ‘The Evaluation of Corporate Compliance Programs’, which establishes relevant insights regarding a pre-M&A due diligence. This updated version of the guidelines clearly emphasises considering the particular circumstances of each company to assess the effectiveness of a compliance programme, and taking into consideration if a pre-acquisition due diligence is possible at all. Nonetheless, relevant aspects to evaluate a programme essentially remain the same:
- Due diligence process: was the company able to complete pre-acquisition due diligence, and if not, why not? Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired or merged entities and how was it done? What is the M&A due diligence process generally?
- Integration in the M&A process: how has the compliance function been integrated into the merger, acquisition and integration process?
- Process connecting due diligence to implementation: what has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities?
Goodyear Tire & Rubber Co.
We will now turn to a practical case depicting an anti-corruption compliance shortcoming in the context of an acquisition to see whether a certification could have avoided or in any way reduced the costs for the acquiring company: the Goodyear matter before the Securities and Exchange Commission.
Goodyear Tires is one of the biggest tire manufacturers in the world, headquartered in Ohio, United States, with subsidiaries in 22 other countries. In 2015, after an investigation conducted by the SEC, it was found that officials of two of its subsidiaries, located in Kenya and Angola, had routinely committed bribery to be awarded tire sales, both in public and private bidding processes. After a settlement offer presented by Goodyear to the SEC, the company had to pay disgorgement and prejudgment interest plus US$16 million. The SEC found that Goodyear’s subsidiaries Treadsetters, in Kenya, and Trentyre, in Angola, had committed bribery from 2007 to 2011. Goodyear held a controlling interest in both companies through a subsidiary headquartered in South Africa. The bribes amounted to up to US$3.2 million.
Goodyear acquired a minority ownership in its Kenyan subsidiary Treadsetters, and, by 2006, it had a majority ownership. However, the daily operations were still being controlled and handled by the founders of the company. It was found that, during the relevant period, the local general manager and the financial director were directly involved and had authorised the bribes, recording them as ‘expenses for promotional products’. There was enough evidence to suspect that these practices had started even before Goodyear had acquired an interest in the company. By 2013, Goodyear had sold its interest in the company, but the SEC sanctioned them because of failure to conduct the proper due diligence during the acquisition of interest in the company.
In Angola, Trentyre was a wholly owned subsidiary. It was found by the SEC that during the relevant period, the company had made improper payments of up to US$1.6 million. This corruption scheme was conducted by the former general manager of the company, who hid the payments by adding phony freight and customs clearing costs to the invoice price of the products. By the time of the settlement, Goodyear was looking to sell its interest in the company. For both subsidiaries, the SEC found that Goodyear had failed to implement FCPA compliant training and controls within its subsidiaries worldwide, which was in violation of the Securities Exchange Act of 1934, Section 13(b)(2)(B) and the Foreign Corrupt Practices Act of 1977.
Goodyear has since improved its compliance programme globally, including training its officers and workers, and carrying out continuous auditing with a focus on corruption risks. It has also opened different compliance, accounting and auditing positions, as well as the senior position of vice president of compliance and ethics in its parent company and, from 2015 (when the settlement was reached) to 2018, had to report periodically to the SEC on the advances made within the company on its compliance practices.
How does an ethics certification help?
An ethics certification could not alone have prevented Treadsetters and Trentyre from bribing. However, a certification could likely have had the following effects:
- Having Treadsetters and Trentyre certified might have prevented the SEC from concluding that Goodyear failed to perform adequate training and controls, which was the main reason for the fine it had to pay.
- An ethics certification, even though implemented after the acquisition, might have allowed Goodyear to detect the improper payments and take corrective actions that could have avoided a fine altogether or significantly lowered it.
- An ethics certification obtained by Goodyear (and not its targets) might have also ensured that Goodyear performed high-level anti-corruption due diligence on its targets, which might have in turn allowed it to detect risks or flagrant bribes that would have either deterred Goodyear from acquiring the targets and then having to sell, or at least significantly lowered the target’s price.
- Finally, ethics certifications would not have been any guarantee for Goodyear, but they would likely have allowed detecting the risks or reducing them beforehand.
Certifying processes that thwart criminal behaviour
Corporation lawyers or directors wrongfully assume that implementing a compliance programme and certifying it will somehow shield the corporation from criminal liability. In this section, we explore some processes that illustrate how future compliance certifications could become more helpful in minimising the risk of criminal liability.
Which processes should be in the scope of a compliance certification?
Regarding criminal matters, a compliance certification should focus on all the processes or organisational tools carried out by a company to ensure that its managers, employees and related third parties are carrying out its business within the legal framework and avoiding any wrongdoing with punishable legal consequences. These processes vary from one country to another and they should be tailored exclusively to the needs of each organisation. There is no ‘one size fits all’ approach or perfect recipe to prevent or detect criminal actions, since these are constantly evolving and adapting to new technologies.
However, for the purpose of this guide, we have outlined below what we think are recommended processes that a certification should focus on:
- Financial and accounting processes: possibly the biggest risk or area of weakness any organisation faces is in its financial and accounting processes. There are endless examples of cases regarding tax fraud, bribery and corruption, among others. In recent years, tax fraud and electoral campaign financing have been rife among companies and their directors. Organisations must develop processes to create an anti-bribery and anti-corruption culture for their management, employees and third parties. Among the processes an organisation could implement are financial and commercial controls, reviewing the sources of the funds provided by shareholders and third-party partners, and generating reporting mechanisms and their respective procedures to investigate such reports. Currently, ISO Standard 37001:2016 does focus on financial controls for the detection and prevention of bribery. Nevertheless, in the future, a system that monitors deviations from budgeted amounts, approved third parties and standard units of payments may serve as an early detection system.
- Shareholders and the decision-making process: in developing countries where the vast majority of businesses are family-owned, the shareholders and partners have complete control. Hence, there are special risks that could lead to punishable legal consequences for the company. For example, partners may instruct (with little resistance) the company’s executives to redirect funding to special non-corporate accounts, to make non-budgeted expenses or to make excessive payments to sham contractors. Therefore, the organisation must demonstrate that it maintains adequate controls that impede deviation from structured financial policies and processes. Red-flag indicators should be in place requiring joint authorisations for larger or cumulative amounts, and companies should enhance hotlines to enable anonymous reporting on financial transgressions that require an automatic investigation into suspect payments or transfers, regardless of who has given the instructions, including partners, shareholders or any other high-level executives.
- Production or delivery of goods and services process: product fraud has been committed since remote times in every type and manner, including consumer goods, online fraud, prescription drugs and ensemble parts for vehicles and aircraft, among others. Examples vary from medicines with no active ingredients to aircraft replacement parts that fail. In August 2019, Randy Constant was sentenced to more than 10 years in prison for selling approximately US$142 million in supposedly organic animal feed to livestock farmers, committing the largest case of organic fraud in the history of the United States. Hence, an organisation has to identify the risks related to product and services fraud, whether within the organisation itself or in the products provided by its third-party partners. Afterwards, it has to generate its own processes to prevent or reduce the possibility of fraud. A common certification to help an organisation achieve that goal is ISO 22380.
- Risk management process: every organisation has its own risks depending on its activities, number of employees or third-party relations, among other factors. A company has to have a methodology or process to identify, analyse and address the particular risks it faces. It has to collect the right information and the necessary metrics to help detect the type of risk it faces and avoid it.
- Enhanced third-party management: an organisation must assess whether it has a complete understanding of its third-party partners, including the agents, consultants and distributors. This will require continuous monitoring systems. An organisation must undertake complete due diligence to understand the policies, procedures, reputation and relationships with foreign officials and the decision-makers of its third-party partners. The latter is especially important since such third parties are frequently used to commit crimes. A common example is the payment of bribes to foreign government officials through service providers such as consultants or attorneys. In the Walmart case brought by the Securities and Exchange Commission (SEC) and the US Department of Justice (DOJ) in 2019, according to the SEC, Walmart failed to sufficiently investigate certain anti-corruption risks and allowed subsidiaries in Brazil, China, India and Mexico to employ third-party intermediaries who made payments to foreign government officials, which ultimately cost the company more than US$282 million to settle both the SEC’s charges and the criminal charges brought by the DOJ. As the reach of certifications grows, hiring third-party intermediaries will require that the task being outsourced be proportional to the certified quality of the supplier and its proportional reputational risk.
All of these processes should be integrated in an enhanced compliance programme and a team should be assigned that is fully accountable for its observance. That compliance programme may also seek a certification. The latter provides guidance to obtain an effective, organisation-wide compliance management system that enables an organisation to demonstrate its commitment to compliance with relevant laws and best practices.
How is a compliance certification useful in a criminal process?
Although prosecutors and courts from a variety of jurisdictions are considering an organisation’s compliance programme before establishing the responsibility of the company, the existence of a compliance programme does not automatically exonerate an organisation from criminal liability.
It has been continually evidenced that investigators will focus more on the effectiveness of a compliance programme than on its mere form. Recently, an Assistant Attorney General of the United States remarked, while announcing the publication of ‘The Evaluation of Corporate Compliance Programs’ by the DOJ’s Criminal Division, that there are three decisions prosecutors take that require an analysis of the company’s compliance programme:
First, pursuant to the Justice Manual, prosecutors assess the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision. This helps guide the prosecutors in determining whether they should decline to bring a case, or, if a resolution is appropriate, what that resolution should be.
Second, prosecutors assess a company’s compliance program at the time of the misconduct to determine the company’s culpability score under the U.S. Sentencing Guidelines, which determines the company’s ultimate fine range.
Third, prosecutors look at the company’s compliance program at the time of the resolution to determine whether an independent compliance monitor is necessary to prevent the reoccurrence of misconduct, or whether the compliance program is sufficiently effective to permit the company to self-monitor.
This is pursuant to the regulations in Spain, where recently, on 22 January 2016, the Office of the Attorney General of the State published Circular 1/2016, in which it offered an interpretation of the provisions of statute 31 bis of the Criminal Code. Said Circular and statute provide prosecutors with guidance on how to weigh compliance programmes when deciding whether to exonerate an organisation from criminal liability.
The most important characteristics of compliance programmes for organisations to obtain a benefit in a criminal case are their ‘adequacy and effectiveness’. The company must test its compliance programme, constantly evolve it and improve it. A helpful tool for that is a compliance certification by a third party. A compliance certification would serve as evidence that a company has been improving, testing and evolving its compliance programme. Therefore, a compliance certification signals to the prosecutor or the court that the organisation complied with the legal framework and that the felony was not a company act but a one-man show instead.
However, a third-party compliance certification is not necessarily a bulletproof measure. Companies with compliance certifications may be involved in criminal actions or accused of wrongdoing. Such is the case of the corruption allegations against the Monaco-based energy services company Unaoil. According to the allegations, between 2002 and 2012 Unaoil and its executives bribed officials in Africa, Middle East and Central Asia to help secure contracts for international oil companies. The alleged crimes were committed despite Unaoil being brand certified as anti-corruption compliant.
Compliance certifications do not automatically exonerate an organisation from criminal liability. A certification may not be a guarantee, but it should establish that an independent third party has done the necessary research to reach certain conclusions about the organisation being certified. It may also not be the best method to demonstrate that the corporation took every step necessary in order to avoid, detect and control all of its risks. As Trace International’s president Alexandra Wrage said in an interview with Just Anti-Corruption regarding Trace’s certifications: ‘It’s due diligence; it’s certainly not a guarantee.’
Is a compliance certification necessary in order to thwart criminal behaviour?
The short answer is no. Compliance certifications are not necessary to thwart criminal behaviour. However, compliance certifications are currently the best tools to demonstrate that a company has an adequate and effective compliance programme and it has taken necessary steps to thwart criminal behaviour or wrongdoing within its organisation and its third-party partners. Hence, a compliance certification demands that an organisation generates, improves and constantly evolves its compliance programme.
In developing countries where such programmes are still in the process of being implemented by larger enterprises and core compliance certifications are not widely used, the impact of compliance management systems is not the benefits that the corporation may obtain in a criminal case but the change of culture they may bring about. In April 2018, a Guatemalan judge resolved a corruption case involving notable businessmen and government officials by sentencing them to five years in prison and, for the first time in the country, ordering the implementation of compliance programmes within their respective business organisations.
Hence, for developing countries, the impact of certifications that effectively screen for a well-designed compliance programme is most probably the change of culture in the organisation and, eventually, if widely respected, in the business climate itself. As Spain’s State Attorney General stated, the aim of a corporate compliance programme is not to avoid criminal penalties but to promote and encourage a true culture of professional ethics. A compliance certification should ultimately have as its core supplementary objective to provide the reassurance that an organisation has that culture within its roots, allowing for trust structures to facilitate dealing internally and externally with an organisation.
As reputational risk and compliance risk become more pervasive, certifications have prospered as risk mitigators. Certifications come in different shapes and sizes; it is best for organisations to assess their risk profile and needs prior to determining which certification provides the required signalling. Certifications cannot and should not verify behaviour but rather processes, policies and controls. Nevertheless, transgressions are possible despite certifications; evidence that companies have taken thoughtful precautions and have maintained best practices as evidenced in a certification process can become a valuable risk mitigator. However, when such transgressions are perceived as a signal of a lax or tarnished certification process, reputational damage can occur to any certified organisation.
We have also stressed that certain business practices are more vulnerable to ethics transgressions. A thorough risk assessment can determine vulnerabilities, and companies should seek to generate practices that are susceptible to measurement and control, regardless of their interest in, or the advantage of, a certification. Just as passing the health checkup might not be anybody’s essential well-being goal, certifications should remain only as guidelines for an organisation whose business conduct is aligned with its values and purpose, and for whom a certification process, when needed, should become simply reassuring.
 José Quiñones and Evelyn Rebuli are partners, Ignacio Grazioso and Javier Castellan are associates and Luis Pedro Martínez is a trial lawyer at QIL+4 Abogados.
 We refer to branded certifications as those associated with a specific organisation that provides the certification, rather than a certification based on a general norm or standard in common use that allows for multiple certifiers.
 See Chapter 13, ‘Assessing and Mitigating Compliance Risks in the Transactional Context’.
 US Department of Justice Criminal Division Evaluation of Corporate Compliance Programs Guidance Document Updated: June 2020. P. 8.
 ibid., p. 9.
 Securities and Exchange Commission; Order Instituting Cease and Desist Proceedings; Release No. 74356 / February 24, 2015. Available at: https://www.sec.gov/litigation/admin/2015/34-74356.pdf.
 https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.300 Principles of Federal Prosecution of Business Organizations JM 9-28.300.