The Board’s Overlooked Role in Compliance

How Involved is Your Board?

It’s long been said that an effective compliance program can’t exist without a strong culture of ethics and compliance. Also critical is tone from the top, without which there’s no clear directive for the organization and employees on the importance of compliance. The board of directors plays a critical role in setting the right tone. Is your board prepared to serve in this capacity?

As companies have come to accept – and sometimes even embrace – the importance of effective compliance programs, two axioms have taken hold: An effective compliance program cannot exist without a strong ethics and compliance culture; and the corollary: A strong ethics and compliance culture requires the proper “tone from the top.”

Yet, when most companies think “top,” they think C-suite, or more specifically, the chief executive officer. After all, nothing happens without the CEO’s buy-in, right? And the C-suite is where you find many chief compliance officers, or the executive to whom the CCO directly reports. The C-suite is also where decisions are made that determine whether the compliance function is robust, minimalistic or nonexistent, including:

• The CCO’s line of reporting and job description;
• The size and sophistication of the CCO’s staff;
• The funds available to implement and monitor the program and engage outside experts; and
• Whether employee incentives link seamlessly to company compliance goals.

Often overlooked, however, is the essential role of the board of directors.

Most directors generally understand that their fiduciary duties of care and loyalty include compliance oversight. After all, it has been more than 20 years since the Delaware Court of Chancery held in its famous Caremark decision that directors could, in certain circumstances, be determined to have breached their fiduciary duty and, therefore, be liable for compliance program failures if they knew or should have known about violations and did nothing to prevent – or did not make sure that the company’s systems were reasonably designed to prevent – compliance breaches. The Delaware Supreme Court later held in Stone v. Ritter that a director’s failure to implement and oversee aspects of a compliance program could constitute an indemnifiable breach of the duty of loyalty.

But boards often do not fully grasp how these abstract fiduciary duties translate into concrete compliance program oversight obligations. For example, many boards might be surprised to read this language in Chapter 8 of the Sentencing Guidelines Manual of the U.S. Sentencing Commission:

“The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”

Similarly, the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs guidance issued this past February asks:

“What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight…”

Here’s another quote from Section 9-28.800 of the U.S. Attorneys’ Manual, which addresses the role of corporate compliance programs when considering whether to charge company officers, directors and employees for criminal misconduct:

“[D]o the corporation’s directors exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers’ recommendations; …and have the directors established an information and reporting system in the organization reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law. See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 968-70 (Del. Ch. 1996).”

The point is that enforcement and regulatory agencies, as well as plaintiff’s attorneys, expect boards to be more than just generally aware of the company’s compliance program. While passive words like “knowledgeable,” “reasonable” and “oversight” provide some interpretive wiggle room, there are also plenty of active words and phrases: “exercise…oversight,” “examined,” “held…sessions,” “established,” “reach [a]…decision.”

In any event, most boards do not want to engage in a word-parsing exercise with a zealous government investigator or plaintiff’s attorney following an inevitable compliance breach. (Yes, compliance breaches are inevitable, much like death and taxes, no matter how careful you are.) Much better would be the unequivocal presence of a robust compliance program and a clear track record of active board involvement.

Don’t be lulled into a false sense of security if the board regularly participates in the company’s risk assessment and risk appetite initiatives. Certainly, board-level risk assessments are a fundamental precursor to an effective compliance program, because they help match risk-taking behavior to the board’s strategic vision for the company. Nevertheless, participation in risk assessments, even if active and ongoing, is not sufficient to meet a board’s broader compliance program oversight obligations.

Remembering that effectiveness determinations must endure the penetrating glare of 20-20 hindsight, consider both the quantity and quality of time the board actually spends in compliance oversight:

• Could each of your directors name the company’s CCO? Do you have a CCO?
• Does the CCO have direct access to the board and utilize that access regularly?
• Does the board understand how the compliance function is structured and operates?
• Is the board satisfied that the company’s compliance function matches up with the company’s strategic plan and risk appetite?
• Is it enough that the board receives an annual 15-minute, multicolored PowerPoint presentation summarily proclaiming that the company’s compliance house is in order? How about once per quarter?
• Should the board have a separate risk oversight committee, rather than delegating compliance to its overworked audit committee?
• Does the board understand its responsibilities in the event of a compliance breach?
• Does the board periodically review the company’s compliance training program and itself participate in regular compliance training?

So, circling back to our original point, shouldn’t the board, rather than the C-suite, be responsible in the first instance for the company’s “tone from the top?” If it is indeed true that tone is critical to an effective compliance program and that the board has a fiduciary duty to ensure effectiveness, then the answer must be an emphatic “yes.” It is not enough for the board to simply assume without knowing that management has established a proper compliance culture that permeates the entire company. Rather, the board must affirmatively confirm and reconfirm that to be the case.

With compliance nearing the top of C-suite and legal department concerns, directors must consider whether they are providing proper oversight. Would your directors be highly confident that they satisfy the standards articulated above?

Would you be reluctant to ask them?