It’s been a year since I wrote about The Board’s Overlooked Role in Compliance. At the time, it seemed that momentum was building for more proactive board engagement in establishing and overseeing compliance programs. After all, regulators and courts have been increasingly outspoken about the importance of effective compliance programs and pointed about the essential role of boards of directors. Deputy Attorney General Rod Rosenstein recently addressed that very topic at Compliance Week’s 2018 Annual Conference for Risk Professionals in Washington, D.C. During his remarks, Mr. Rosenstein emphasized the need for companies to design, implement, and maintain effective enterprise-wide compliance programs, highlighting both the positives of success and negatives of failure.
Yet many companies still are not taking the necessary steps, and boards of directors may be partly to blame. For example, although the director panelists at Compliance Week 2018 consistently and emphatically supported the concept of effective ethics and compliance programs, they generally fell short of acknowledging the board’s affirmative duty to proactively oversee the process. The focus was instead on the now venerable (and perhaps overused) “tone from the top” concept, with some speakers seeming to take the view that proper board oversight consists of ensuring that the company hires capable personnel and then receiving periodic reports about any known compliance glitches.
But while that might once have been the accepted standard for board compliance oversight, those days are gone. It’s been more than 20 years since the Delaware Court of Chancery held in Caremark that directors could, in certain circumstances, be determined to have breached their fiduciary duty and, therefore, be liable for company losses due to compliance program failures. That was followed by the Delaware Supreme Court’s holding in Stone v. Ritter that a director’s failure to implement and oversee aspects of a compliance program could constitute an unindemnifiable breach of the duty of loyalty.
More recently, the U.S. Sentencing Guidelines refined that standard by articulating the Department of Justice’s board engagement expectations:
“The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”
Various other best practice and industry standards (OECD, health care, financial services, etc.) and judicial opinions followed suit, highlighting expectations for the board’s proactive and direct involvement.
It is now clear that “knowledgeable about the content and operation of the compliance and ethics program” does not equate to “confirm that the company has hired good people and then let them do their jobs.” Nor does “exercise reasonable oversight with respect to … implementation and effectiveness” mean listening to 15-minute quarterly reports from management regarding the number of hotline complaints, any new compliance developments at the company (usually none), and a couple of recent news stories about compliance breaches elsewhere.
So, what’s the solution? Directors need to be better educated and trained in the scope and nature of their compliance and ethics duty and the specific workings of the company’s compliance and ethics program. Armed with that knowledge, they must implement a process for actively and regularly overseeing the assessment, maintenance, and updating of that program.
Expect some pushback from some directors and senior management, who may think the board already grasps these issues and is already stretched too thin on more important issues. But chances are that the board’s understanding is dated or incomplete, particularly given the rapid evolution of compliance oversight standards, expectations, and best practices. And a strong case can be made that there are very few, if any, issues more important than ensuring effective company-wide ethics and compliance. Remember that, at the end of the day, the board must be “knowledgeable about the content and operation” of the company’s compliance program and must properly oversee its “implementation and effectiveness.”
Here are some key discussion points:
- Reconsider the role of the Chief Ethics and Compliance Officer. Do you have one? Does he or she have regular and meaningful access to the board, and vice versa? Consider the nature and frequency of that access, the lines of reporting, the method of communicating, and other structural and logistical issues, recognizing that these will vary from company to company. Are the lines of communication between the CECO and the board open and effective, without editing or redacting by a go-between?
- Discuss the standards impacting board oversight, including state fiduciary duties, regulatory agency rules and guidelines, judicial opinions, peer programs, and best practice expectations of investors and other stakeholders.
- Explore the interplay of risk management (which most boards readily accept as a primary duty) and an effective compliance program.
- Note the well-established positive correlation between a company’s financial and strategic performance and an effective compliance program, rather than dwelling exclusively on regulatory enforcement actions and litigation risk. This correlation will be of special interest to the boards of companies with significant geographic, line of business or acquisition growth strategies.
- Describe how the company’s compliance program currently operates, including staffing, lines of reporting, allocation of responsibilities, and budget. Note any immediate and long-term goals for improvement. Don’t be afraid to quantify your resource needs/shortfalls or to provide empirical metrics for evaluating the return on investment.
- Highlight what other companies are doing and industry standards that have developed. Directors never want to think they have fallen behind their peers.
- Discuss how the board prefers to receive compliance program updates, including content, quantity, and frequency.
- Consider whether the board prefers to consolidate compliance oversight into a single board committee (perhaps a new compliance and risk oversight committee?). If compliance oversight is currently housed in the audit committee, discuss whether that remains appropriate in light of the breadth of an effective compliance program and the corresponding time commitment for proper oversight.
- Determine whether the board itself needs additional resources, including more extensive training or access to consultants or legal counsel, to ensure fulfillment of its responsibilities.
Once you get the dialogue started, the directors will, no doubt, have discussion topics of their own. The point is to be sure everyone is on the same page regarding the board’s oversight role and how that oversight meshes with its strategic and risk management goals for the company.
Failing to properly bridge the compliance divide between management and the board is, at best, a lost opportunity to enhance company performance. At worst, it’s a recipe for disaster.