To Disclose, or Not to Disclose? That is Often a Tough Question
Given the rising expectations for organizations to show both self-governance and transparency, every compliance professional (in tandem with their legal departments) needs to be familiar with some practical considerations that often arise surrounding whether various instances of misconduct need to be properly disclosed to governmental authorities. This issue is thoroughly embedded in a variety of governmental policies.
Setting the Stage
So what’s the big deal with disclosures? After significant violations or instances of misconduct are discovered internally by the company, the first step is to take immediate investigative and corrective measures. However, once the “bleeding” stops and the root cause of the problem is adequately understood, the next logical question is whether to alert the regulators. Because the government loves disclosures, and often claims to be willing to reward them to certain degrees, some observers might wonder why companies would choose not to completely disclose everything—just be an open book. In reality, sometimes the benefits of such disclosures do pan out, and everyone walks away contented. However, an equally plausible outcome is that the disclosures are met with punishments that are harsher than expected or rewards that are trivial. Under these scenarios, the corporate decision-makers cynically claim that “No good deed goes unpunished,” and regretfully scream out, “Never again.”
In the midst of such uncertainty and unpredictability, company leaders may begin to pick a philosophy and stick with it. The two extreme choices might be to either disclose everything (to avoid any corporate secrets) or don’t disclose anything . . . ever (“because we already have enough problems on our plate!”). In reality, when resolving disclosure options, most corporations come out somewhere in the middle. This decision depends upon the facts of each incident, as well as the unique culture and risk-tolerance of each organization.
Despite these case-specific variables, there are some common issues that arise that can help companies balance the risks and benefits of making such disclosures. Every company in every industry has to carefully evaluate the specific legal and ethical landscape that applies to them, but at the risk of over-generalization, this article presents some factors that often influence the critical decisions surrounding such disclosures.
Like many other issues in the Compliance arena, whether to disclose misconduct also draws an important distinction between law and ethics. What a company is required to do in the face of violations, and what it should do as a matter of ethics, are often different questions. Thus, the “correct” answer often depends upon a variety of factors that need to be carefully and collectively addressed. The following questions will help identify some important issues that need to be carefully evaluated.
Are the Violations Now Historical or Ongoing?
One threshold question that needs to be addressed before wrestling with the disclosure options is whether the misconduct or violations have stopped, or whether they are on-going. Drawing the analogy to my legal training, if I am engaged to counsel a client who has previously committed a crime, my duty is to defend his/her interests and to preserve all privileges. However, if that client comes to me and requests my assistance to perpetuate a continuing crime, that sounds like my role shifts from lawyer to a co-conspirator. Therefore, similar to the medics on the battlefield triage unit, the first order of business must be to “stop the bleeding.” Once those steps are in place, the subsequent issues can be properly addressed.
Are Disclosures Mandatory?
When corporate officials become aware of “material” misconduct and/or regulatory violations, they need to craft appropriate responsive actions. These might include:
- Initiating an internal investigation, which would include gathering relevant documents/emails and conducting interviews.
- Taking corrective measures to prevent recurrences, such as improved training or improved monitoring.
- Exploring possible remedial action, if applicable and necessary. In addition to these laudable initial responses, another issue that needs to be kept “front and center” is whether the misconduct in question is one that must be disclosed (e.g., mandatory reporting that is triggered in response to certain significant environmental releases, or instances of over-billing, or violations of federal law in government contracting).
Apart from the calculus and balancing that is triggered in voluntary disclosure settings, it must be emphasized that if the law requires disclosure, that is the end of the inquiry. Mandatory disclosure means just that—it is mandatory.
If Voluntary, What Factors Need to Be Considered?
Assuming that the misconduct and/or regulatory violation in question is not one that must be disclosed, the next question that corporate leaders must assess is whether such voluntary disclosures should be made. A small percentage of companies have adopted a “full disclosure” policy, whereby they commit to immediate disclosure “any and all material instances of misconduct.” Although such a policy may be easier to understand and implement, it does pose potential risks if the disclosed information is so significant that it gives regulators the leverage, legal basis, and discretion to impose penalties that would drive the company out of business.
For these reasons, the vast majority of companies appear to follow a more flexible approach, where the decision to disclose is based upon a variety of facts and circumstances. Some of the practical considerations that often arise in these scenarios include:
- The likelihood of eventual detection (if not disclosed).
- The seriousness of the violations/ misconduct.
- The consequences that would arise if “caught” without disclosure.
- The benefits accompanying the voluntary disclosure.
The Likelihood of Detection
When evaluating the risks and benefits surrounding the disclosure issue, one practical question that often arises is: “If we don’t disclose, what are the chances that the regulators will find out anyway?” Not only is that question logical, but it is also important because the likely punishment to be imposed after being “caught” is far greater than that which would have accompanied a self-disclosure scenario. Obviously, in this era of whistleblowing, I often counsel clients that their default assumption should be that there are no “corporate secrets” anymore. With regard to employees who may disclose violations to the authorities, they often fall into one of three categories:
- The “incentivized” (i.e., whistleblowers).
- The “disenfranchised” (i.e., disgruntled, fired, not promoted).
- The “moralized” (i.e., those who are outraged or have a guilty conscience).
Apart from “insiders,” there are a number of means by which the government can detect undisclosed violations, including:
- Regulatory inspections.
- Annual or periodic reporting.
- Employee interviews.
- Media scrutiny.
All of these potential sources need to be carefully considered in estimating the likelihood of eventual disclosure or discovery by the government agencies.
The Seriousness of the Violations in Question
This criterion is the most difficult because it can pull the decision-making in opposite directions. For example, some violations are fairly minor, where the likely consequences would be a “slap on the wrist.” If you don’t disclose, no one on the inside is likely to feel strongly about reporting them. Moreover, if these minor violations do “come to light” later, even the heightened punishments will be proportional and tolerable.
However, if the violations are extremely serious, this is where the most difficult decisions arise with competing tensions. On the one hand, disclosing serious violations can result in overly harsh penalties that may jeopardize the company’s ability to survive. Under this scenario, some company leaders may feel forced to take their chances to avoid that certain risk and fate. On the other hand, a failure to disclose such major misconduct is often met with moral outrage and a “sharpening of the knives.”
The Consequences if Caught without Disclosing
Like any form of risk assessment, the two practical parts of the relevant equation for evaluating options components are:
- The likelihood of detection.
- The consequences arising if caught. In other words, suppose you are a risk-neutral decision-maker.
If the chance of detection was 15%, and the cost of punishment imposed if caught would be $1,000,000, it would be rational for the company to spend up to $150,000 to correct and/or avoid the problem. The bottom line is that decision-makers need to carefully evaluate both of these important criteria before making a disclosure decision.
The Benefits that Accompany Voluntary Disclosure
Sometimes the desire to avoid an overly harsh penalty can motivate a company to self-disclose. Other times, such disclosure is driven by the hope of obtaining some kind of meaningful benefit, or credit, or penalty discount. This can include a fixed reduced percentage in the civil penalties or the promise of foregoing criminal prosecution. In addition, sometimes the potential benefits depend upon whether the violations were detected as the result of a systematic and regular audit (as opposed to just dumb luck). In evaluating this “upside,” it is critical to gather as much data as possible relating to the outcomes of similarly situated cases to properly manage expectations and to prevent subsequent “finger-pointing” or “second-guessing."
If We Do Disclose, What Are the Most Important Factors?
Once the decision is reached to make a disclosure, there are some other important factors to carefully consider to maximize the benefits, as well as to prevent some substantial risks. These include:
- The accuracy of the information being disclosed.
- The completeness of the disclosure.
- The timeliness of the disclosure.
One of the worst options is for a company to make a disclosure that turns out to be wrong because it was false, incomplete, or untimely. Under those circumstances, you were the source of bringing the problems out in the open. Not only would you get no benefit, but you may face additional punishment. In short, if you are going in, remember to do it right.
If We Do Not Disclose, What Else Should We Do or Prepare For?
After carefully assessing the various voluntary disclosure factors, the corporate leadership may conclude that the risks and/or costs of such disclosure outweigh the benefits. However, even when no such disclosure is made, the process is far from over. Don’t conflate the issue of voluntary disclosure with whether to take separate corrective measures. They are separate and distinct questions. Accordingly, even when disclosures are not made, there are a few more steps that companies should take to reduce the consequences or punishments that may arise if the violations are inevitably discovered by the regulators.
More specifically, regardless of whether they make a voluntary disclosure, companies still have an opportunity to earn some credibility by taking corrective measures “behind the scenes” that center around the root cause of the problem. These include:
- Making improvements to prevent recurrence.
- Improving the training.
- Tailoring the monitoring and/or auditing programs.
- Remedying any harm that may have been caused.
- Planning for immediate cooperation in response to governmental discovery and requests.
One reason why this approach helps the company is that it provides a partial rebuttal to the inevitable finger-pointing that will accompany the discovery of the undisclosed violations. Although companies that take this path will have to readily acknowledge that they chose not to disclose the violations or misconduct for various reasons (which are case-specific), post-incident corrections are important “half-measures” that are both laudable and worthy of recognition and rewards.
Corporate self-disclosures are an important part of the enforcement landscape. They give the violating company an opportunity to build credibility and goodwill with regulators, and to reduce the amount of punishment imposed. However, assuming the disclosure is not mandatory (and therefore obligatory), companies need to carefully evaluate their decisions based upon the facts of each case. Unfortunately, this decision resembles more of an “art” than an exact “science.” Such decisions are often fraught with uncertainty and incomplete information. Hopefully, the checklist presented above will assist in-house compliance staff (and their outside counselors) to properly evaluate the relevant considerations and to make fully informed decisions.
©2016. Published in Compliance & Ethics Professional, April 2016, by the Society of Corporate Compliance and Ethics. Reproduced with permission. All rights reserved.