Government appointed monitors in corporate crime cases are increasingly rare these days.
One reason? The rise of the voluntary monitor. In the wake of serious misconduct, corporations are appointing voluntary monitors to avoid one imposed and selected by the government.
StoneTurn is perhaps the only firm in the country focusing on monitorships. Jonny Frank is a partner at StoneTurn in New York.
He has been a government appointed or approved monitor by the Department of Justice, or the Securities and Exchange Commission or the New York Department of Financial Services five times. And there have been six assignments where he served as the chief forensic adviser to the monitor.
When would a major corporation appoint a voluntary monitor?
“If a company has a significant issue – take the cases of Airbus and Rolls Royce for example,” Frank told Corporate Crime Reporter in an interview last month. “These are not my clients. They knew they had a significant issue and said – rather than have a government monitor, we will have an independent monitor so that people know we are taking this seriously.”
What’s the difference between a voluntary monitor and a corporate compliance office?
“A compliance counsel is an advocate for the company. A voluntary monitor is reporting to the board and senior management. They are not working under the attorney client privilege. And the company is saying – we want somebody who is independent.”
But they are being paid by the company and controlled by the company?
“They are paid by the company. But a government appointed monitor is paid by the company as well. And there is a similar level of independence.”
We have interviewed Columbia Law Professor John Coffee. He’s critical of the Boeing deferred prosecution agreement where he thought that in the Boeing case, there should have been a monitor.
What is your take on the Justice Department and SEC’s monitorship practice and whether they are underplaying their hand?
“The Justice Department has a policy they use in determining whether a corporate monitor is needed. A monitor is not supposed to be a form of punishment. The one thing that a company can control is the amount of remediation that it has undergone and whether it has shown itself to be a company that is trustworthy.”
“Has the company made efforts to remediate? And secondly, has the company proven to be trustworthy? There are other factors that the Department considers, including how pervasive the misconduct was, whether the wrongdoing involved senior management.”
Historically, trends in monitorships – are they up or down, better or worse?
“The number of monitorships is not a good indicator of what’s happening. The Department has given guidance on how to avoid a monitor and companies are following that guidance. That’s one reason why you are seeing fewer monitorships.”
When we started this publication almost 40 years ago, the practice was much different. Prosecutors would investigate a case and if there was a case, they would bring a charge, go to trial or get a plea.
If there wasn’t a case, they wouldn’t bring a prosecution. Now that’s rare and instead, there are these deferred and non prosecution agreements of all shapes and sizes. Also back then, if there was a criminal plea, a judge might appoint a probation officer for the corporate criminal.
Now, we have these monitors, which are sort of probation officers lite.
Should we go back to that probation officer model?
“It comes down to the level of expertise. The level of expertise needed for corporate compliance auditing involves a deep understanding of risk and controls and a knowledge of auditing rules and a knowledge of how you prevent and detect corporate misconduct.”
“It’s not a question of whether the government does it or whether a private individual does it. It comes down to who has the expertise. In France, for example, the government serves as a monitor.”
There have been proposals, if you are going to follow the French model, of building a corporate probation office with a deep understanding of corporate culture and how to change it.
“Well, the Justice Department itself has now developed an expertise in this area. The Department has lawyers and professionals with compliance, risk and controls, data analytics expertise. They are able to assess what the company has done and whether or not they need a monitor. When a company comes and says – we don’t need a monitor because we have done all of this remediation, at least within the Justice Department, they are able to assess whether or not that’s a correct statement.”
A company comes across serious wrongdoing within the company. How does remediation kick in?
“An effective compliance program would already have a remediation policy in place.”
A company says – if things go wrong, we have a plan in place?
“Yes. And things do go wrong. A major corporation is going to have issues. They have in-house investigative groups. They could also have in-house remediation groups. And a few companies have in-house remediation offices. Rather than learning the process in a crisis, they have policies in place to be able to, in a consistent fashion, execute.”
“And they will have a policy on remediation. When they do an investigation, for example, they risk rank the investigation, just like they rank other risks. In a compliance risk assessment, you have various risks. And you rank some critical, some significant, some important.”
“Companies will use the same rating system when an allegation comes in. And the risk rating will be based upon the potential impact of the investigation – the size of the fine, will people go to jail, might they lose their license, reputation impact – those kinds of factors.”
“And if you hit a certain threshold for a particular incident or a number of similar incidents combined, then you would have to go into a remediation or a lessons learned process.”
“Then the next step would be a root cause analysis. That needs to be done by people who are objective – they are not reviewing their own work. In a perfect world, you would have business people, compliance people, legal people and risk control people. That would be the team. And you would use a recognized framework such as the COSO framework to figure out what are the root causes that led to this problem.”
“What are the cultural issues that caused people to engage in misconduct? What are the financial incentives and pressures that motivated them to engage in misconduct? What was missing from the controls? Were the controls defective from a design perspective? Were there no controls? Or were the controls not operating effectively? Did the company identify the risk ahead of time? If not, why not? What was the nature of the risk assessment? If the company did identify it as a risk, how come they didn’t put in sufficient controls to mitigate the risk? Was internal audit involved? If so, how come internal audit didn’t pick up the problem? And how come the company didn’t detect the problem?”
“After this root cause analysis, you would understand not just the specific very technical wrongdoing, but the bigger picture as to why the misconduct arose.”
That’s an analysis of what went wrong and why it went wrong. But remediation implies changing things so that they don’t go wrong again.
“Yes. Then you have to remediate the root causes. I’ll give you the elements of an effective remediation plan. The first thing you need to do is look at the root causes. The second thing you have to do is think about where else in the company might this have occurred. If I have a Foreign Corrupt Practices Act problem in Brazil, what caused it and if I have any issues like that in Germany or India. That’s called read across.”
“Then you develop a corrective action plan. The corrective action plan is – now I need to fix whatever went wrong. What can I put in place to prevent and detect the wrongdoing? In today’s world, with technology, you can do a lot about detection. It’s like a smoke detector and detecting misconduct is often more efficient than preventing misconduct.”
[For the complete q/a format Interview with Jonny Frank, 38 Corporate Crime Reporter 16(12), April 15, 2024, print edition only.]