Competition Bureau
competitionbureau.gc.ca
Common menu bar links
Institutional links
Important Message
- Amendments to the Competition Act
By Topic
- Ensuring Truth in Advertising
- Investigating Cartels
- Preventing Abuse of Market Power
- Reviewing Mergers
About Us
- Job Opportunities
- Our Legislation
- Our Organization
Resources
- Fraud Prevention
- Health Portal
- Legal Actions and Opinions
- Media Centre
- Publications
- Public Consultations
Tools
- CA Identification Number
- Online Forms
- Labelling Corner
- Multi-Media Tools
- Site Map
- FAQs
Comments on the Competition Bureau Canada’s Corporate Compliance Programs Bulletin
May 22, 2008
Comments by Joseph E. Murphy, CCEP Director of Public Policy, Society of Corporate Compliance and Ethics
1. Introduction
The following comments are submitted by Joseph E. Murphy, as Director of Public Policy, Society of Corporate Compliance and Ethics (SCCE), in response to the Competition Bureau Canada’s draft Corporate Compliance Programs Bulletin. The SCCE is a membership organization dedicated to the field of compliance and ethics. I am also an attorney in the compliance and ethics field, an editor of ethikos (www.ethikosjournal.com), and a certified compliance and ethics professional (CCEP). Although I have included references to other organizations in this paper, he comments do not necessarily represent the views of any other person or organization. The Bureau is to be commended for opening up this commentary process to all interested persons. These comments are based on a review of the draft Bulletin and the existing Bulletin. They are also based on my experience working in the compliance and ethics field for companies, law firms and governments on a global basis for the past 30 years. I have separately participated in the drafting of comments by the Antitrust Section of the American Bar Association, but this paper represents only my own views as SCCE’s Director of Public Policy.
2. The Bureau’s leadership
The leadership shown by the Bureau in this Bulletin is commendable, reflecting an understanding of the importance of compliance programs and their potential for promoting compliance. The Bureau also takes a useful position in saying that compliance programs count in enforcement decisions. The Bureau’s approach in this regard is considerably more practical than that taken by the Antitrust Division of the US Department of Justice, whose focus appears to be almost entirely on enforcement rather than prevention. Because the field of compliance and ethics is a global one, where actions in one country or in one risk area can affect all aspects of compliance and ethics programs, all those who devote their efforts to preventing and detecting organizational misconduct stand to benefit from the work of the Bureau.
3. Codes and programs in general
The Bulletin addresses only compliance programs in areas enforced by the Bureau, but it would be more useful for the Bureau to acknowledge the existence of company compliance programs in general covering ethics and the full range of compliance risks. The Bureau would then recognize the prior existence in many companies of codes of conduct, helplines, etc., and discuss the competition program as being set in that context. For example, given Canada’s strong commitment to protecting privacy Canadian companies should be expected to have privacy compliance efforts, and given that Canada is an OECD member nation, Canadian companies with overseas activity should have anti-corruption compliance programs. If all of the programs in the long list of risk areas companies typically face operate in isolation, none of them can be fully effective, and they may even conflict with each other. If it takes a more integrated approach the Bulletin could refer to the fact that at least most large companies will have codes of conduct, and recommend that these codes include coverage of competition law elements.
4. Infrastructure
The Bulletin wisely calls for the designation of a compliance officer, but effective programs need more than just one solitary compliance officer sitting in headquarters. There should also be compliance people supporting the officer, and designated in all the business units (typically not full-time except in larger units). Programs generally, particularly in larger companies, also include interdepartmental compliance committees. While the Bureau should not try to dictate detail to companies, it might be advisable to speak of an adequate compliance infrastructure, and to add examples that would clarify this for companies. Just as one indication of the scope of modern compliance programs and the types of functions involved, in the book Working for Integrity 63-88(SCCE; 2006), my co-author and I listed over 800 different job titles related to aspects of compliance and ethics.
5. Responsibility for compliance
The Bulletin says managers may delegate their compliance responsibility to a compliance officer (see page 9). There is a serious risk that this will be misinterpreted. The compliance officer is not responsible for compliance in the organization. It is the role of the compliance officer to help management understand what it needs to do, to develop the programs, policies and procedures that promote compliance and help employees understand their responsibilities. The compliance officer is the champion of the program who develops processes to monitor and audit for compliance, and who ultimately reports to the board of directors and to management on the organization’s progress in effectively implementing and operating the compliance program. It needs to be clear that while the compliance officer operates the program, managers are always personally responsible for actual compliance.
6. The board
The board of directors is omitted from the Bulletin, but should be included as a key player in ensuring the strength and integrity of the compliance program through such steps as appointing the compliance officer, endorsing the program, receiving periodic reports about the program’s progress, etc. Indeed, in competition law the board may take on special importance, given that senior executives have been perpetrators in some of the major cartel cases
7. The compliance officer
The Bulletin should make it clear that the compliance officer
needs to be effective. This officer needs independence, empowerment,
connection to what is going on, and professionalism. Merely pinning
that title on someone without adding the elements needed for success
will not have the necessary impact. An excellent resource on this point
is the white paper produced by several compliance and ethics organizations,
“Defining the Role of the Chief Ethics & Compliance Officer,”
http://www.corporatecompliance.org/Content/NavigationMenu/Resources/
Surveys/CECO_Definition_8-13-072.pdf. While for most purposes
I believe the Bulletin should be general and principles based,
the issue of empowerment of the chief ethics and compliance
officer is so fundamental that the specific guidance of the
Bureau is crucial. It is this area, more than training,
policies, or any other program element, where the government
has the most important role to play. Cartel behavior often
occurs at a high level in the business; if the compliance and
ethics officer is to have a good chance of preventing or detecting
such misconduct, the person needs empowerment, professional status,
and sufficient budget. Within the corporate world, however, it is
typically not viewed approvingly to insist that one’s own position
be raised above that of others; people in organizations do not
willing cede power without outside motivation. The ability to
provide that motivation is a role uniquely held by government,
to lead companies to appropriately position and empower their
compliance and ethics officer.
8. Controls
Item 2 in the list of compliance program Basic Requirements refers to “Policies and Procedures,” (emphasis added) but in general there is too much emphasis on policies, which, by themselves, are merely paper. The Bulletin’s message, considering the understanding that “procedures” is not just a synonym for “policies”, would be strengthened if there were specific reference to compliance controls (see the US Sentencing Guidelines’ commentary on the meaning of “policies and procedures” as including controls, and the coverage of controls in Australia’s standard on compliance programs, AS 3806). There are a number of good, competition-law procedural controls that should be in programs. While the Bureau should not specify what controls companies must use, it should be very careful not to lead companies into thinking that merely issuing reams of paper will do much to prevent violations. Carefully crafted control mechanisms have an essential role in good compliance and ethics programs, and should not be overlooked.
9. Training and communications
There is a disproportionate coverage of training and education in the Bulletin, but almost nothing on other types of communications (the term “communications” is, unfortunately, omitted from the list of Basic Requirements). Moreover, the Bulletin appears to endorse one specific method of training (small group classes), to the detriment of all the varied means of conducting training. There are many important ways to convey the compliance message besides traditional classroom approaches, e.g., web sites, manuals, videos, email messages, online training, etc. And while the author of these comments personally believes in using small group training when appropriate, that can also be one of the worst ways to communicate if the trainer does not know the subject well, and/or does not know how adult learning works. The Bulletin, on page 13, states categorically that “Effective training is best delivered by experts (i.e. by legal counsel or a compliance officer);” if only this were always true. In reality, some lawyers are simply not effective trainers, and while good compliance officers will have many skills, competition law expertise is not necessarily one of those common skills. Any doubt on this score can be settled simply by talking with a company employee who has had to endure a boring lecture from an uninspiring presenter. Moreover, even if all the trainers were lively and knowledgeable, it is likely that no large company could adequately train all of its at risk employees on all the compliance risks (e.g., competition law, overseas bribery, privacy, consumer protection, financial fraud, employment discrimination, etc.) on a recurring basis, by relying on small group sessions.
10. The role of senior managers in training
The training and education discussion at page 13 says “Senior management should also play an active role in delivering compliance messages to employees . . .” This is true insofar as these managers need to show support for the program, e.g., by being first to take the training, sending emails to employees supporting the program, referring to the code of conduct in their presentations, etc. But the Bulletin should not indicate that senior managers can substitute for experts in the area. Even more important, this language may mislead readers into thinking that these managers’ role is only as trainers. However, at least in international cartels, the lesson from the cases is that the senior manager group is the most important target audience of the compliance program. Rather than standing at the podium, giving a lecture and leaving, these managers arguably need training the most and should be sitting in the classes taking notes.
11. Auditing and measuring
There is almost no specific guidance in the Bulletin on the important topic of auditing and measuring. The Bulletin at page 14 states that “the Bureau does not endorse any particular procedure or combination of procedures.” When contrasted to the detailed coverage of training this may send the message that the Bureau has much less interest in this tool; the brevity of the topic gives the impression it is merely a check the box exercise. Ironically, training, which is often overestimated in its importance, is covered in detail. Auditing, which companies tend to avoid and where they need much guidance, is given scant notice. Yet cartel activities are typically deliberate violations; perpetrators often appear to know they are breaking the law, since they usually act in secrecy. One could fairly conclude that more training, telling them what they already know – that their conduct is illegal – will not suffice. Instead, the Bureau might be better advised to provide increased guidance in those areas where companies appear more reluctant to take action, such as auditing. For example, representatives of the US Justice Department have advised companies that they should conduct audits that “include a review of both the paper and computer files (especially e-mails) of employees with competitive decision-making authority or sales and marketing responsibilities. ” See Kolasky, “Antitrust Compliance: The Government’s Perspective,” 16 ethikos 6, 8 (Sept./Oct. 2002). The Office of Fair Trading in the UK, in its guidance document, “How Your Business Can Achieve Compliance,” page 15, advises companies to have “formal audits of sales and procurement processes, by appointment or unannounced, to check for actual or potential infringements” http://www.corporatecompliance.org/Content/NavigationMenu/International/ UnitedKingdom/achieveCompliance.pdf. Moreover, there are a number of important measurement tools, e.g., surveys, focus groups, exit interviews, deep dives, computer modeling, etc., that are ignored in the discussion. It is understandable that the Bureau would not require any specific technique, but more guidance from the Bureau could help drive companies to implement better, more aggressive compliance programs.
12. Incentives
The Basic Requirements listed in the Bulletin include discipline, not incentives, but the discipline discussion on page 16 includes an important sentence at the very end about incentives. It would be better to add incentives to the list of Basic Requirements, to reflect the importance of this point. The reference should be broad enough to cover a range of incentive-related activities, since incentives are such an important driver in corporate behavior. For reference on this point, the Society of Corporate Compliance and Ethics has published a white paper detailing ways that incentives can play a useful role in compliance and ethics programs. See Murphy, Building Incentives In Your Compliance & Ethics Program, http://www.corporatecompliance.org/Content/NavigationMenu/Resources/ IssuesAnswers/DRAFTwhitepaper-BuildingIncentivesCompliance_WOappdx.pdf
13. Holding bosses accountable
The US Sentencing Guidelines’ requirement, in item 6 of the 7 elements , for discipline for failure to take reasonable steps to prevent and detect misconduct is an important element that should be considered for the Bulletin. This helps to avoid scapegoating, and to remind supervisors that their jobs include preventing violations.
14. Risk assessment
While the Bulletin focuses on only a few risk areas associated with competition law and consumer protection, there is nevertheless a need to do risk assessment, even in those areas. The Bureau should consider adding this as a Basic Requirement, to remind companies to conduct a diligent assessment of their compliance risks, considering both the likelihood of specific violations, and the potential impact of each. The risk assessment would then play a role in determining compliance priorities and allocating resources.
15. Investigations and response
There is no requirement in the Bulletin for responding to problems, including investigations and taking steps to prevent recurrence of violations. A good compliance and ethics program will include conducting investigations of issues raised and taking steps to prevent recurrence of violations. This is an important feedback loop that helps ensure that the program continues to develop and improve.
16. Making a commitment
The Bulletin in Part V says the Bureau “may” consider compliance efforts. If the program is genuine, the Bureau needs to make more of a commitment. For example, the Bulletin should say the Bureau “will” take real programs into account. As long as a program meets the rigorous standards set by the Bulletin, there is no reason not to make a meaningful commitment. If government wants a commitment from industry, it must be wiling to make an equally meaningful commitment.
17. A senior manager’s misconduct
The Bureau is to be commended for moving away from the somewhat anachronistic language of the earlier Bulletin which referred to the “directing minds” of the corporation to describe involvement by senior managers in violations. The new draft, however, still retains the notion that such involvement negates the value of the compliance program. Yet in today’s corporation (unlike the “directing minds” days of the old English common law), there are often senior level decision makers throughout the organization, and their individual decisions do not, in any real sense, represent the judgment of the other managers, the board or the shareholders. Whether a company is a good corporate citizen cannot fairly be determined by the errant acts of any one or few employees, no matter what their level. In the world of large, multinational organizations, the most realistic test of corporate good faith is whether management and the board have committed enough energy and resources to preventing and detecting misconduct. While the Bureau should certainly have a healthy skepticism about companies whose senior managers engage in serious misconduct, this should not be done in a straightjacket that ignores the facts of each company and each violation. The company should still be allowed to explain what happened and why its program represents corporate good faith.
18. Compliance with law
The Bulletin now speaks only of compliance with law. Studies and experience indicate that a single-minded focus on law compliance does not work as well to prevent violations as does an approach including values. This increased awareness of the value of ethics is reflected, for example, in the development in Canada of the membership organization, the Ethics Practitioners Association of Canada, see Boehme & Murphy, “A Canadian Association’s Big Tent Approach to C&E,” 21 ethikos 14 (Mar./Apr. 2008), and in the US in the Sentencing Commission’s inclusion of “ethics” in the Sentencing Guidelines’ reference to “compliance and ethics” programs. The prior edition of the Bulletin, in the Conclusion, stated that the procedures put in place as the result of a compliance program also serve “to promote awareness that will result in ethical standards of conduct.” (emphasis added); this is missing in the new proposal. The Bulletin should have at least this much, if not more, focus on values and ethics, and should recommend programs be “compliance and ethics” programs, or at least include coverage of values and integrity.
19. Immunity program
The Bulletin, page 19, says having a compliance program is not a prerequisite for admission to the immunity program, and this approach may help avoid creating barriers to participation. But having such a compliance program should certainly be a condition subsequent. If, as the Bulletin is saying, an effective compliance and ethics program is a sign of corporate responsibility, why accept a company into the immunity program unless it has made such a commitment going forward? The World Bank’s anti-corruption voluntary disclosure program is a model for this. Companies that are admitted into that program must institute compliance programs; this commitment should be part of the Bureau’s immunity program as well.
20. Certification letters
Page 28 contains a very legalistic certification letter (including a requirement for a witness, suggesting the company does not even trust its employees to sign the certificate). Lawyers sometimes believe this step will cause employees not to violate the law. More often, employees believe these are just “gotcha” devices written by lawyers. If the Bureau wants to promote substance over form it may want to reconsider holding this step out as a model. Employee certification may have some value, but probably not enough to merit it being singled out in the Bulletin. Moreover, the Bureau should recognize the number of compliance issues the typical company faces; requiring separate certifications for all such areas can be a major diversion of corporate resources and attention. Indeed, overly legalistic certifications can backfire, increasing employee cynicism about the company and the compliance effort. One certification covering an entire code of conduct (which includes competition law) may be more practical, particularly if written in language the employee can understand and without bureaucratic steps like requiring a witness.
21. Typographical errors and drafting points
The following are minor points noted in the Bulletin:
- a. Pages 8-9, the “and” at the end of page 8 should appear at
the top of page 9, after the penultimate paragraph.
- b. Page 18, third bullet point. Instead of looking at whether
conduct was against “corporate policy,” which is only paper, the
review should assess whether “the conduct occurred despite the
existence of an effective compliance and ethics program”.
- c. Page 20, conclusion. This summary appears to reduce compliance programs to nothing more than education efforts. Compliance programs are not simply educational programs; rather, they are management programs using a full range of management steps to prevent and detect misconduct.
Respectfully submitted,
Joseph E. Murphy, CCEP
Director of Public Policy
Society of Corporate Compliance and Ethics
30 Tanner Street
Haddonfield, NJ 08033 USA
jemurphy@voicenet.com
May 22, 2008
