Certifications are not the sexiest feature of compliance programs. However, they can and should play an important role in every program. This post will briefly review some of the key aspects of compliance certifications, including the related topic of honesty pledges.
At the outset, note that our subject is certifications executed by employees and other applicable individuals. The other major type of compliance certification – in which a third-party expert certifies a company’s program’s efficacy – is beyond our scope.
Why certify? The main purposes of a certification are, of course, preventing and detecting wrongdoing. Among other things, certifications can be an invaluable way of focusing the minds of employees on the need to avoid personal involvement in misconduct and to be alert to the risks of wrongdoing by others.
The efficacy of certifications presumably comes – at least in part – from their formality. In this connection, certifications will sometimes surface conflicts of interest (COIs) that have not otherwise arisen through other compliance and ethics processes.
Perhaps the best-known case involving employee certifications was the 2012 decision of the Department of Justice declining to prosecute Morgan Stanley for FCPA violations. The declination was due, in part, to the fact that the culpable employee involved had executed numerous certifications falsely representing to the firm that he had agreed to comply with the firm’s code of conduct, which included an FCPA policy.
Moreover, Justice’s recently revised Evaluation of Corporate Compliance Programs provides, in relevant part: “Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners” (emphasis added).
Finally, under the Sarbanes-Oxley Act, key company personnel must execute certifications with certain compliance components. However, those certifications are handled differently than are the more general ones referred to above.
Who. Generally, all employees at an organization are required to execute compliance certifications. But under some circumstances, it may be acceptable to exclude low-risk employees. However, presumably, all managers and control personnel should be included in all cases. If a company does not require certifications for all employees, it should explain its decision in a risk assessment or program governance document.
When. Certifications are typically an annual event. However, some companies require them only once every two years. Depending on various risk and mitigation factors, this may be appropriate – assuming the company communicates that employees must disclose on a timely basis any meaningful changes since the most recent prior certification.
What. The certifications that I see typically attest to the employee’s promise to follow the code of conduct and applicable rules and laws. They also include a representation that she has already reported any violation to an appropriate company resource, unless the employee knows the matter has already been reported. Frequently the certification includes an acknowledgment and agreement to abide by the company’s anti-retaliation policy too.
Beyond this, the certifications typically ask about the employee’s compliance with certain high-risk areas – particularly conflicts of interest and corruption. These questions are sometimes asked in a “broad brush” way, but other times are posed more specifically. For instance, in the COI area, the certification may list the main types – typically, hiring/supervising relatives; having an ownership interest/otherwise deriving income from a supplier, customer, or competitor; and giving/accepting gifts, entertainment, and other things of value where prohibited by applicable law or company policy. Based on the risk assessment, there may be other types of COIs that should be singled out in this way.
Where. Certifications are often presented to employees on a standalone basis. But a better practice – in my view – is to have them embedded in code of conduct e-learning, as that context may make the certification more meaningful for some employees.
In Honesty Pledges for the Behaviorally-based Regulation of Dishonesty, Eyal Pe’er (School of Public Policy, Hebrew University of Jerusalem) and Yuval Feldman (Faculty of Law, Bar-Ilan University) take up the topic of honesty pledges. A study they conducted found, among other things, that a “pledge can reduce dishonesty significantly,…” Note: an honesty pledge – as used in this literature – is a mechanism that makes an ethical standard more likely to be communicated before the risk event than it would otherwise be. For instance, a reminder about the need to act ethically placed on the top instead of the bottom of a form on which there is an opportunity to cheat should be more effective in deterring cheating.
Certifications can be seen as a form of honesty pledge. The proven efficacy of honesty pledges is another reason to pursue a robust certification strategy.
Finally, pledges can be used in other compliance-related ways, too. For instance, one company requires all employees to annually come up with an ethics pledge relevant to their particular job – a true best practice, in my view.