“Criminal liability can attach to an organization whenever an employee of the organization commits an act within the apparent scope of his or her employment…Consequently, when the [US Sentencing] Commission promulgated the Organizational Guidelines, it attempted to alleviate the harshest aspects of this institutional vulnerability by incorporating into the sentencing structure the preventive and deterrent aspects of systematic compliance [and ethics] programs. The [US Sentencing] Commission did this by mitigating the potential fine range – in some cases up to 95% – if an organization can demonstrate that it had put in place an effective compliance [and ethics] program.” – Paula Desio, Deputy General Counsel, United States Sentencing Commission
“Organizations can act only through agents and, under federal criminal law, generally are vicariously liable for offenses committed by their agents…The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility.” – Introductory Commentary, Chapter Eight/Sentencing of Organizations, Guidelines Manual (November 1, 2007)
Sentencing Guidelines, Subsection 8B2.1 – Effective Compliance and Ethics Program
(a) To have an effective compliance and ethics program, “an organization shall: (1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
(b) This “minimally require[s] the following:
(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.[Ethics Code]
(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
(2) (B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline.
(2) (C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority.
(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in
(4)(B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities. [Ethics Awareness and Ethics Training]
(4) (B) The individuals referred to in (4)(A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
(5) The organization shall take reasonable steps—
(5) (A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
(5) (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
(5) (C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation. [Ethics Hotline]
(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through
(A) appropriate incentives to perform in accordance with the compliance and ethics program; and
(B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
(7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.”
(c) To implement this, “the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [above] to reduce the risk of criminal conduct identified through this process.”