PLI: So should companies go full speed ahead on these compliance extending initiatives? Are there risks?

REBECCA WALKER: Despite the intuitive appeal of extending an organization's compliance policies to third parties, thereby spreading the gospel of compliance and business ethics, companies should nonetheless be cautious in the promises that they make regarding this endeavor. In particular, companies should be exceedingly wary of creating compliance standards that are difficult to monitor or enforce.

PLI: So should companies go full speed ahead on these compliance extending initiatives? Are there risks?

REBECCA WALKER: Despite the intuitive appeal of extending an organization's compliance policies to third parties, thereby spreading the gospel of compliance and business ethics, companies should nonetheless be cautious in the promises that they make regarding this endeavor. In particular, companies should be exceedingly wary of creating compliance standards that are difficult to monitor or enforce. The creation of such standards may subject a company to various forms of "associative liability," including potential reputational harm and legal liability.

The extension of a company's compliance policies and procedures to third parties leaves the company vulnerable to potential reputational risk if the company is not able to guarantee that its policies are being followed. Greater compliance obligations applied to third parties may create expectations that lead to reputational harm when a company holds itself out as requiring others' compliance, when in fact the company's ability to ensure compliance by third parties may be limited. A company's application of compliance policies to third parties could also more closely link the company with the third party in the minds of the public (and press), thereby increasing the risk of reputational harm.

There is also a risk that unsatisfied standards will be used against a company in the context of litigation or a government investigation. The risks created by extending components of a company's compliance program to third parties is well-illustrated by a complaint filed against Wal-Mart in the California state courts in September 2005.²⁶ The International Labor Rights Fund (the same organization that reached a settlement agreement with Unocal in 2004 for purported violations of the Alien Torts Claims Act) brought suit against Wal-Mart on behalf of a purported class of Bangladeshi, Chinese, Indonesian, Nicaraguan, Swazilander and U.S. workers for alleged violations of Wal-Mart's code of conduct for suppliers. The core of the allegations is that: (i) Wal-Mart published a code setting forth its standards for foreign suppliers; (ii) Wal-Mart required suppliers to follow the code by way of clauses in supplier contracts; (iii) Wal-Mart had a contractual right to audit for compliance; (iv) the plaintiffs, who are workers at the supplier factories, are third-party beneficiaries of Wal-Mart's contracts with its suppliers; and (v) Wal-Mart's failure to audit and adequately monitor the suppliers violates Wal-Mart's contractual obligations.

The complaint against Wal-Mart was dismissed earlier this year and is currently on appeal.  Regardless of the ultimate fate of the specific legal claims against Wal-Mart, however, the lesson is clear: companies must be cautious in setting standards for third parties.

The Wal-Mart complaint highlights some important issues for organizations to consider as they formulate policies to be applicable to third parties. First, the less control an organization has over a third party, the less lofty their promises should be with respect to that party's compliance. Companies should not assume responsibilities and duties that they are incapable of satisfying (or unwilling to satisfy). Doing so creates potential liability concerns. It also can diminish the credibility of the organization's policies governing third parties, the organization's compliance program more broadly, and even the compliance and corporate social responsibility movements.

Second, companies should carefully articulate any rights to monitor the third party's compliance. The more broadly the right is articulated, the more likely that the right will be perceived as a duty, which may make Wal-Mart-style lawsuits more likely. Companies may also wish to consider the inclusion of language in supplier codes and other relevant documents disclaiming the creation of rights in third parties.

There are definite legal incentives and tangible benefits to extending a company's compliance program to suppliers and third parties, and [I do not seek] to discourage this trend. However, companies are well advised to exercise caution when formulating such policies and to consider the finer points of such programs carefully, so as to avoid the risks of associative liability. In the best-case scenario, a company's compliance policies and assertions should be capable of being monitored and enforced. In this way, corporations can assist in improving the business practices of their brothers, while avoiding creating liability concerns for themselves.

DownloadFootnotes.