Lessons Learned About Lessons Learned

“Those who do not remember the past are condemned to repeat it,” famously wrote philosopher George Santayana. But what exactly – of the past – should be recalled? The need to explore violations of law and policy in an effort to prevent future, similar violations is an important aspect of a robust compliance and ethics (C&E) program. C&E professionals have long sought to utilize violations to enhance programs. The Department of Justice’s (DOJ) recently revised Evaluation of Corporate Compliance Programs (the Evaluation Guidance) provides some important guidance regarding remedial efforts.

First, the Evaluation Guidance provides, in relevant part: “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction. Prosecutors should therefore consider, as an indicator of risk-tailoring, ‘revisions to corporate compliance programs in light of lessons learned…’” (quoting the DOJ’s Justice Manual).

This is a potentially powerful “carrot” for those companies that undergo such a lessons-learned analysis. And it is likely to be a powerful “stick” for those that do not. Indeed, the failure to apply a lessons-learned approach to an act of wrongdoing followed by a subsequent similar act may make the original transgression appear to be more purposeful than it otherwise would have appeared.

Second, the Evaluation Guidance instructs prosecutors to ask the following question (among others) in evaluating the risk assessment component of compliance programs: “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”

Particularly important in this part of the Evaluation Guidance is the notion of having a true process (as opposed to an informal practice) for gathering, tracking and utilizing lessons-learned information. For many companies, there is room to improve here.

Third, the Evaluation Guidance also provides, in pertinent part, that prosecutors should ask the following about training: “Has the training addressed lessons learned from prior compliance incidents?” The challenge here is that in some companies, this sort of information may be considered bad for employee morale. But the same concern would be applied to many aspects of a compliance program. Moreover, training is perhaps the best way to reach the greatest number of employees with the substance of a lesson learned. Note that this is not easy to do over the long haul, but we can think of at least one company that managed to keep their lessons-learned communications robust for more than 20 years after a significant criminal offense.

Fourth, in the section on Continuous Improvement, Periodic Testing and Review, the Evaluation Guidance further provides that “[i]n evaluating whether a particular compliance program works in practice, prosecutors should consider ‘revisions to corporate compliance programs in light of lessons learned…’” (again citing the Justice Manual.) This section also provides that they should ask: “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”

Here, too, the challenge for some companies is less a matter of what they are actually doing in practice and more one of creating and documenting appropriate procedures. This includes incorporating the importance of considering remedial measures into investigations guidelines and training, considering how remedial measures are documented and followed up on and reviewing periodically to ensure that remedial measures are appropriate and have, in fact, been implemented.

Looking beyond the specific expectations set forth in the Evaluation Guidance is the issue of what might be called the “culture of lessons learned.” Whether a company has such a culture depends partly in some instances upon what industry it is in, often for reasons having little or nothing to do with C&E. For instance, it is part of the culture of the civil engineering industry for companies to undergo detailed lesson-learned inquiries in the wake of significant problems in their work.

More importantly, however, the culture of lessons learned is dependent on the particular senior managers at an organization. It is they who must establish an understanding that lessons learned should be seen as valuable company assets that must be nurtured over the long term.

Perhaps most important, the lessons learned from senior management should go beyond the mechanics of the offense in question and explore potential underlying cultural causes. These include behavioral ethics knowledge that “we are not as ethical as we think we are,” the dangers of undue business pressure and the need for sufficient accountability. In particular, focusing on how extreme business pressure has contributed to otherwise ethical employees engaging in wrongdoing can be a particularly effective form of lessons learned.