Business Law Today

Volume 12, Number 3 - January/February 2003

Can The Scandals Teach Us Anything?
Enron, Ethics and Lessons for Lawyers
By Joseph E. Murphy

The business world had leaped from the financial section to Page One. The alleged accounting fraud at Enron was so massive that it brought down one of the nation's largest companies. Then the story expanded to include allegations of obstruction of justice at Arthur Andersen.

Suddenly, there seemed to be an endless succession of corporate scandals: Adelphia, Tyco, ImClone, Xerox, Rite-Aid, WorldCom.

The trend has been so extensive that it may be undermining the entire capital market. Instead of a single storm sinking a few ships and passing on out to sea, it appears the impact is closer to a corporate Watergate — an event that causes fundamental rethinking of society's assumptions.

Although the cases involve a variety of industries, circumstances and laws, one striking similarity is the level of the individuals involved. These cases do not appear to involve the "rogue" employee off on an individual frolic. They are not about a remote office acting outside of headquarters control, or misguided employees who went astray because they did not know the rules. Instead, we see high-profile corporate executives and even corporate lawyers at the center of these cases.

In this dramatic context, what has been the role of lawyers? Has our profession been battling misconduct, and taking heroic steps to protect companies and their investors? For the most part, our profession has not distinguished itself. Even in the cases where internal voices were raised in protest, usually those voices have not been lawyers. Indeed, in some of the highest profile cases lawyers have themselves either been accused of aiding misconduct, or have been the direct targets of the allegations.

Ironically, this rush of bad news comes in the context of a shift in the expected role of corporations. Increasingly, corporations and other forms of organization are being called on to police their own operations to prevent and detect misconduct. These efforts, called compliance and ethics programs, are becoming part of organizational life today.

This push for corporate self-policing derives much of its force from government initiatives. The foremost example is the Organizational Sentencing Guidelines — a watershed event in 1991 that provided tangible incentives and established standards for compliance programs. But, in an important sense, there is no real alternative to this development; society simply must have organizations police themselves.

No matter how high the penalties for violations may become, they do no good if the company does not get the word out and take steps to bring the law to life. Every form of criminal and civil penalty has the same fatal flaw: They only come into play after an offense has occurred and been detected. But modern organizations are in positions too critical to the well being of society to accept a reactive approach.

What we see in the headlines are not just the failings of individual executives. These cases show organizational failures: failures to assess compliance risks; failures to reach employees with the compliance message; failures to impose checks and balances on the exercise of corporate power. In other words, these disasters could have and should have been prevented, or at least interdicted at a much earlier stage.

One other common element attaches to all these cases: All of these organizations had lawyers — both in-house and outside counsel. Within this context, we examine this question: What ethical standards should guide lawyers who counsel organizations?

Our starting point for this examination is the context of corporate self- policing. If compliance programs are to be society's first line of defense against corporate crime, what must be in these programs? This is no longer a mystery for today's compliance professional — there are well- established standards to guide these programs, starting with the Sentencing Guidelines and extending to such sources as regulatory pronouncements, judicial interpretations (under the Supreme Court's Kolstad and Ellerth decisions), as well as actual practice in companies.

Not surprisingly, there is also a growing group of people who identify with these standards and who have adopted organizational compliance as their mission. These include compliance and ethics officers and their subordinates, auditors, compliance lawyers, HR managers and others with compliance-related functions.

Given the enormity and sensitivity of this task, it was only a matter of time before ethical standards for those in the field of organizational compliance began to emerge. The most comprehensive example was promulgated in 1999 by the Health Care Compliance Association, an organization of 3,000 members in the health-care compliance field.

These standards, the Code of Ethics for Health Care Compliance Professionals (HCCA code), were developed after a review of other professions' standards, including those of the legal profession, and adopted by HCCA's board in 1999.

The standards adopt three principles: Obligations to the public, obligations to the employing organization, and obligations to the profession. Within this framework, the HCCA code provides rules implementing each principle, and commentary giving guidance on the rules. Although these standards were developed in the health-care field, they were, in fact, written broadly enough to apply to any type of compliance work.

We will look at more of the detail in the next section. A broader explanation of the code is provided in Heller, Murphy and Meaney, Guide to Professional Development in Compliance (Aspen Pub; 2001).

It is likely that other parts of the compliance world will ultimately follow this approach. Indeed, in Australia, which has also taken a very sophisticated approach to compliance, see Dee, "Australia Sets New Standards For Compliance Programs," 12 ethikos 11 (Marchl/April 1999), their nationwide compliance professionals group has already published for comment a draft code of ethics.

But even the HCCA standards are still at an early stage. And, unlike lawyers' ethics, the state provides no enforcement power behind these standards. Nevertheless, they provide an important perspective on what standards for those doing compliance work should encompass.

What guidance might these standards and a compliance-oriented approach offer the legal profession in the current surfeit of organizational misconduct? We consider here some of the key ethical questions raised by recent cases, and what difference the HCCA code might have made.

Who is the client? — In the corporate context, for both lawyers and compliance professionals, the theoretical answer to the question, "who is the client" is straightforward: It is the organization. But in the real world, those who work with corporations deal with the individual managers and naturally tend to form relationships and loyalties. The HCCA code recognized that the compliance role is more than that of counselor and assistant. The compliance role also contains an unavoidable "policing" element that calls for a more aggressive role than that of the traditional legal counselor.

In the Enron case and perhaps in other earnings management cases, one could fairly question whether counsel were called on to assist managers to conceal the actual performance of the corporation from the corporation's owners, the shareholders. Did the lawyers for these companies represent the organization, or were they acting in reality for the individual executives? Of course, we should not judge such important matters from press reports, but these cases do spotlight this ethical issue.

The HCCA code directly addresses this concern, requiring that compliance professionals "not permit loyalty to individuals in the employing organization . . . to interfere with or supersede the duty of loyalty to the employing organization" or the duty to uphold the law. They must also "take such steps as are necessary to prevent misconduct by their employing organization."

Unlike lawyers' ethical codes, which draw from a history of defending individuals against the state, compliance standards start with a recognition that large organizations can be a source of serious harm, and that compliance professionals are a key line of defense against such misconduct. Managers who engage in misconduct threaten harm to the organization — and the public.

What standards apply? — While the answer to the question "who is the client" varies primarily in emphasis between lawyers and compliance professionals, the answer to the next question, "what standards apply" may mark a major departure from lawyers' traditional standards.

Compliance professionals deal not just with the letter of the law, but also with a broader concept of misconduct that includes company codes of conduct. Having a code is one of the elements of the Sentencing Guidelines standards for compliance programs, and is one of the most common elements in company programs. Codes are included in:

the proposed revisions to the NYSE listing rules and similar revisions for NASDAQ,
the recent Preliminary Report of the ABA Task Force on Corporate Responsibility,
and even, to a limited extent, in the Sarbanes-Oxley Act (required for senior financial officers).

Yet, for these codes to be effective, they need to be respected and binding throughout the company — in effect, they need to be treated as the "law of the company." Should not lawyers who advise a company also respect the client's direction that these standards bind all employees, including officers? Can a lawyer act professionally giving advice to an officer that, while technically legal, violates the company's code of conduct? Or should the code be considered the highest expression of the client's wishes?

The allegations in Enron highlight this issue. When Enron's outside counsel examined the special purpose entities that were challenged by the August 2001 Sherron Watkins letter, counsel concluded that the arrangements would look bad if covered in a Wall Street Journal expose. Yet the advice provided was that no further investigation was appropriate. If the code of conduct required that the company act ethically, how could counsel accept conduct that so blatantly failed the "newspaper test," which is a standard measure for ethical conduct?

Should there be a duty of compliance diligence? — In general, a lawyer's ethical duty is reactive. A client asks for legal assistance and the lawyer responds. The compliance professional, however, must be proactive. Under the HCCA code, this person has a duty of compliance diligence. The person must know the applicable compliance program standards and apply them to prevent and detect misconduct. This duty includes an obligation to report on the status of these efforts to the highest governing authority in the organization.

One example illustrates the significance of this standard. Compliance programs require continuing risk assessment — looking out for potential compliance, ethical and reputational risks. A compliance professional must be diligent in this, looking for trends and listening to the voice of the enforcement community.

Anyone who had been reading the Wall Street Journal well before Enron imploded would have seen the repeated warnings from the SEC that accounting fraud was a top priority. Yet there is no indication in such cases as Enron or Xerox of an aggressive anti-earnings management compliance initiative. A compliance professional acting under the HCCA standards would have been obligated to advise senior management and the board of the need to address this risk.

What if senior management wants to do something wrong? — A central question in the recent spate of cases is how to deal with senior executives who want to engage in illegal or unethical conduct. Of course, a lawyer may not assist in illegal conduct, or advise a client on how to violate the law.

For the compliance professional operating under the HCCA standards, there is a significant difference in emphasis. They must do much more than not assist wrongdoing. They must clearly state their objection, and then do everything in their power to prevent the misconduct. This is, in effect, a duty to resist the misconduct. And this duty applies not just to criminal conduct, but to unethical activities as well. It is also a categorical duty, not one allowing room for interpretation.

What happens if, despite this effort, management persists in an improper course of action? For a lawyer, there is a duty to "proceed as is reasonably necessary in the best interest of the organization," and the lawyer "may" escalate the matter. But even this duty is generally qualified and leaves a fair amount of room for interpretation (See ABA Model Rule 1.13(b)). For example, lawyers may take into consideration the scope of their representation, whether it is likely there will be substantial injury to the organization, and the motivation of the persons involved in the proposed activity. Any measures must "minimize disruption of the organization."

The HCCA standards, in contrast, require escalation, and emphasize the importance of acting to prevent the misconduct. If management persists in wrongdoing, the compliance professional "shall" escalate the matter to the highest governing body, as appropriate. Moreover, for more junior staff members, the issue does not end when one's boss disagrees with the wisdom of "raising a fuss."

Fear that the communication to the board may someday see the light of day is not allowed to deter the communication to the board. It is, ultimately, for the board to decide what to do — and the board can only do this when fully informed.

Why should legal counsel, who are in position to learn of misconduct, not also be part of this process, since the information is going to the highest representative of the client, the board? In the Sarbanes-Oxley Act, it appears that Congress has endorsed this view, charging the SEC with a duty to impose through professional standards such an escalation requirement on a company's securities lawyers.

In the reports on Enron, it appears that one lawyer did take a stand, rejecting efforts to have him discipline a staff lawyer for resisting management pressure in a conflict of interest context. That same lawyer even went so far as to retain separate outside counsel to review the propriety of some of the questionable transactions. This is the type of principled conduct that could change the outcome in these cases, if it is also required that information about such events be communicated up the organizational ladder to the very top.

What are the obligations in conducting an investigation? — In Enron, the outside law firm that was asked to conduct an investigation of the Sherron Watkins allegations was told not to second- guess the accounting, even though the whistleblower's allegations related to accounting, and was limited in the transactions the firm could review. The firm did as instructed.

By contrast, the HCCA standards recognize that management is not the organization itself and does not call all the shots. Under Rule 2.3, the compliance professional must investigate where there is an issue. Most striking is that compliance professionals may not accept unprofessional limits on their investigations. Certainly the investigator must use reasonable judgment, and must accept the resource constraints of the client. But under HCCA Rule 3.1, anyone requested to conduct an investigation on the terms imposed on Enron's outside counsel would be required to decline the assignment and then explain to the board of directors why it was handled that way.

Does the duty of confidentiality limit compliance communication? — When the HCCA code was adopted, one lawyer raised an alarm that the standards allowed the compliance professional to break the attorney-client confidentiality requirement, because the HCCA standards require compliance professionals to "report the decision [by management to violate the law] to public officials when required by law." Aside from simply misreading the provision (it requires disclosure only when the law requires it — no ethical code can override a legal requirement. See ABA Model Rule 1.6(b)(4) (permitting disclosure by lawyers "to comply with other law or a court order")), the person also misunderstood ethical requirements for lawyers.

It simply is not correct that all discussions between lawyers and clients are confidential. If a client asks counsel's advice on how to break the law, that is not protected communications. Depending on the state jurisdiction and the gravity of the client's proposed misconduct, various states either permit or require disclosure by lawyers. If the client proposes a fraud on the court, a similar review of state ethical standards is required.

The HCCA code respects client confidentiality, but also makes it clear that compliance professionals cannot be muzzled internally. If the compliance professional believes management intends to engage in misconduct, and the professional deems it necessary to resign, the professional must advise the board of "the precise conditions" that necessitate such drastic action. At that point, protecting the client (or more accurately, the individual managers) by not hitting the nail on the head is no longer a consideration; this is the last chance to get the client to act to prevent misconduct, and that is the highest duty of the compliance professional.

Yet even at this stage, the professional does not go outside with this message; the communication is solely internal (unless the law requires otherwise). Communications up the line need to be clear, they need to cover the bad news, and the requirement for such communications needs to be free of any ambiguity.

Congress and regulatory agencies will act. There will be increased fines, with little thought for the consequences — the shareholders, already victimized by management misconduct, will now have their investments further decreased by the payment of enormous fines, followed by the inevitable class actions. And, as history informs us — despite all the political theater — there will certainly be new organizational scandals down the road.

There are no easy answers, but I believe we should expect more of ourselves and our profession. Most important, we need to recognize the emergence of compliance, or organizational control, as a field of study and practice that needs to inform our professional standards.

As lawyers, one of our most important contributions would be to reconsider our professional ethical standards in light of this development. The HCCA standards offer some insight on a different way of viewing the organizational client. We, as lawyers, should take the lead in this change, and not wait until we are forced into changes that miss the mark.

Murphy is vice-chairman of Integrity Interactive Corp. in Haddonfield, N.J., and co-editor of ethikos. He was one of the drafters of the Health Care Compliance Association's Code of Ethics for Health Care Compliance Professionals. His e-mail is jemurphy@cslg.com.

ABA Section of Business Law