Law.com reported this week the results of a survey conducted by the Society of Corporate Compliance & Ethics (SCCE). The group asked a random sample of compliance professionals about their use of codes of conduct with third parties, such as suppliers, and received back 400 responses.
The findings: Fifty-three percent of companies don’t disseminate their internal codes of conduct to third parties; only 26% require third parties to certify to their own codes; and just 17% of the respondents have any third-party codes of conduct to begin with.
Those results are consistent with KPMG’s 2008 Anti-Bribery and Anti-Corruption Survey that we talked about here. It revealed that around three quarters of the bosses surveyed think their companies aren’t able to handle the compliance risks that come from third parties — including overseas acquisition targets, joint venture partners, distributors and agents. The execs responding to KPMG’s survey complained about difficulties doing effective due diligence and auditing third parties for compliance.
This is serious. Third parties, after all, cause most Foreign Corrupt Practices Act offenses. They deserve lots of compliance attention but aren’t getting it. Why not?
Most foreign third parties push back hard against compliance pressures from outside. A lot of them don’t want to risk being in breach of contract if they don’t comply. They view U.S.-style compliance regimes as highly technical, which only increases their contract risks. Some overseas suppliers have an irrational fear of being dragged into the jurisdiction of the Justice Department if they agree to FCPA compliance language. Others resist on the reasonable grounds that they don’t understand exactly what’s intended by the compliance language — and no one from the other side can give them a clear explanation.
The survey results published by the above-mentioned Society of Corporate Compliance & Ethics are part of an article written by attorney Rebecca Walker of Kaplan & Walker LLP. She’s smart — Georgetown undergrad, Harvard Law School, author of the book Conflicts of Interest in Business and the Professions: Law and Compliance.
We haven’t read her book or other articles yet. But a couple of her comments in this article got our attention. She said organizations should be “cautious” about extending codes of conduct to third parties. “Companies,” she said, “should be careful not to create compliance and ethics standards that are difficult to monitor or enforce and that could potentially create their own risks of ‘associative liability.’ Extending compliance and ethics obligations to third parties could lead to reputational harm when a company holds itself out as requiring others’ compliance, when in fact the company’s ability to ensure compliance by third parties may be limited, a problem which could be compounded if the third-party compliance requirements more closely link the company to the third party in the minds of the public (and press). There is also a risk that unsatisfied standards could be used against a company in the context of litigation or a government investigation.”
Her words remind us of executives and even some company lawyers who used to talk that way about their own FCPA compliance. They reasoned that if they adopted a program but something went wrong, they might be held accountable against whatever measuring stick they’d created. So it was better, they thought, not to have any program at all.
That argument, of course, was wrong. The Federal Sentencing Guidelines make it clear that an effective compliance program — with written guidelines — is always to everyone’s advantage. The only time that’s not true, we suppose, is when an organization intentionally adopts a program as pure window dressing, knowing from the outset it won’t comply. But anyone in that category is already well down the road to disaster.
Ms. Walker isn’t suggesting that companies shouldn’t have compliance programs. She’s just cautioning against possibly futile attempts to extend codes of conduct beyond an organization’s actual range of influence. Her advice sounds practical, but it’s a controversial idea. We’d like to hear from others on this question, pro and con. Should companies even try to impose codes of conduct on suppliers and other third parties? Are there risks that outweigh the rewards? Let us know what you think.
The SCCE’s survey is available for download by registration here.