When the Board Comes Calling About Compliance: A Risk-Intelligent Approach
By: Donna Epps – Deloitte & Touche
When it comes to compliance risk, Board members know the drill all too well. Every six months or so, they receive a new report indicating that everything is mostly under control. So it’s no wonder they’re surprised when a compliance issue blows up – and it’s no wonder they’re asking tougher questions of compliance executives with every passing quarter.
As regulatory oversight continues to grow, the challenge of dealing with compliance risk will only become more pressing. It’s not just an item on the agenda – compliance is its own agenda these days. Given the pace and scale of change, both compliance executives and Boards are increasingly concerned that old, reactive ways of managing compliance may cause them to fall behind the competition — or leave them exposed to new regulatory and reputational risks.
If your organization is looking to increase its Risk Intelligence quotient through full-spectrum compliance, three broad areas will command your attention: Environment, execution, and evaluation.
Bring out the magnifying glass. In general, industry, geography and emerging issues are the most important areas for assessment when it comes to compliance risk.
Industry: Companies in the same industry, of roughly the same size, may be facing very similar compliance challenges at any given moment. But when you’re looking to lead the pack, sharing the same strategies as your competitors won’t do.
How can business leaders and Board members establish a compliance strategy rooted in industry, without taking the exact same approach as close competitors? Start with a measuring stick: What are our peers doing? How do we match up across key benchmarks? Then zero in on what the organization is doing differently (good or bad) today and what it should be doing differently tomorrow.
Geography: Compliance issues extend as far as your products or services are offered and throughout the entire supply chain. Adding to the challenge, different cultures have different ideas about what constitutes adherence and corruption. Also remember that this complexity does not stop at the country level. In the U.S., for example, different states enforce different regulatory guidelines, and cities and counties will often add more layers to suit their own requirements.
Emerging issues: It’s often those issues that no one anticipated which present the biggest challenges. But just because no one saw it coming doesn’t mean someone couldn’t have. Too often, compliance efforts are focused on the steady state of the business. Board members have a special responsibility to make sure their organizations are preparing for emerging issues as well.
Without it, nothing else matters.
Roles: Ownership of compliance tends to disappear only a few layers deep into the organizational chart. As a result, employees in business and functional operating units may be performing compliance-related activities every day without knowing the potential consequences of not executing them properly.
Integration: The benefits of a consistent framework and tight integration with the business can be significant in compliance risk management. But it’s not just about a smoother, less expensive approach. It’s about delivering more value to the business. Establishing enterprise-level management and communications standards can go a long way toward driving efficiency, control, and knowledge.
Growth: Compliance fears should never override the pursuit of growth. But they must inform that pursuit at every turn: when developing the business case, driving risk analysis, conducting due diligence, managing expectations, and contributing to decisions and strategies along the way.
Education: Compliance executives and Boards must understand how leadership is communicating expectations and values when it comes to compliance. It often takes a wide range of activities for communications to break through to the front lines.
Transparency: Increased transparency about compliance — even about failures — can improve the trust that stakeholders have in the organization and its leadership. And it’s not just about avoiding fines and penalties. If everyone understands and shares the Board’s vision for compliance, they’ll be more likely to make it happen.
Board oversight: The rules of engagement must be clear, drawing a bright line between the roles of Board members in providing oversight and those of the executives responsible for driving compliance activities. To monitor compliance effectively, the Board should have open access to the Chief Compliance Officer.
Remediation: Many regulators (not to mention the Federal Sentencing Guidelines) recommend or require proactive measures. It’s the right thing to do – and it’s often the law.
What gets measured gets done.
Risk assessments, ROI analysis, and monitoring are the three primary levers executives can use to help determine that the right level of effort is going into evaluation initiatives. Each covers a different dimension of evaluation. Taken together, they provide a full-spectrum view of program effectiveness.
Risk assessment: How can Board members be confident they’re getting reliable answers to tough questions about compliance risk assessments? Ask to see your company’s risk register. This catalog of existing and potential compliance risks specific to the organization can ultimately serve as a framework for prioritizing risk at every level.
ROI analysis: To determine ROI, Boards must first understand how much has been invested and what is being gained. While it may not be realistic to achieve a perfect view of your organization’s compliance activities, establishing the scope of compliance is a good place to start. Next, gain agreement on the KPIs and KRIs you should have in place.
Monitoring: Monitoring can help uncover instances where compliance has gone awry. But just as important, it can be used to examine compliance processes as part of a continuous improvement effort. It’s also the smart way to stay ahead of emerging issues.
What should you do? It may be tempting to focus on individual elements presented here, but don’t lose sight of the big picture. Having that “full spectrum” view of compliance is the most effective way to serve as a catalyst for cultural change.
Another thing you can do is underscore the competitive power of excellence in compliance. Companies that master compliance risk management are often better positioned to break away from the pack. And in the final analysis, that’s what every compliance executive should be focused on.
Board Oversight and Reporting Structures
By: Rebecca Walker – Kaplan & Walker LLP
Ethics and Compliance (E&C) programs occupy a moment of great opportunity. No longer viewed as merely an adjunct to the law department or internal audit or as merely a hedge against the possibility of a future prosecution, some E&C programs have gained the gravitas and credibility to enable them to have a significant impact on the culture and level of misconduct at organizations.
As the standing of E&C programs grows, the enormous potential of this nascent profession comes closer to being realized. Perhaps no two factors are more important to ensuring the standing of E&C programs within organizations than (1) the level of Board oversight of and engagement regarding the E&C program and (2) the positioning of the Chief Ethics and Compliance Officer (CECO) and the compliance program.
In order to explore these issues, we will begin by reviewing those characteristics that are most critical to effective E&C programs. We will then explore the importance of Board oversight and engagement to a robust program, the ways in which the Board’s interaction with the E&C department has evolved in recent years and practical strategies for enhancing Board engagement. And lastly, we will explore the topic of CECO and broader program positioning.
Critical Program Characteristics
While the purpose of E&C programs has typically been described as prevention and detection of misconduct, E&C has in recent years evolved to include the greater—and complementary—purpose of fostering an ethical corporate culture in organizations. Indeed, in LRN’s 2013 Ethics and Compliance Leadership Survey Report, E&C professionals indicated that three of their top five priorities concern culture, including promoting alignment between core values and day-to-day operations, strengthening ethical culture and strengthening ethical leadership. Also in the top five was increasing employee levels of speaking up, which is another component of corporate culture. “This continued emphasis on driving culture and values over the past three years suggests that E&C leaders are stretching beyond compliance to drive important performance outcomes.”
In order to achieve the parallel and complementary goals of preventing misconduct and promoting a healthy corporate culture, E&C programs must possess certain critical traits, none of which is more important than independence and authority.
Without adequate independence from the business and other functions and sufficient authority, it would be impossible for E&C to assess compliance risks accurately, to investigate and respond to allegations of misconduct, to conduct auditing and monitoring or to impact promotion and hiring decisions.
Of course, other program characteristics are also important, such as program reach, collaboration and integration with other functions and the business; but for purposes of this discussion, we will focus on the key traits of independence and authority and how Board oversight and E&C positioning impact them.
Board Oversight of E&C Programs
Board oversight and engagement in an E&C program are critically important factors in ensuring that a program has the levels of authority and independence that are needed for misconduct prevention and culture promotion. Because the Board of Directors is the only corporate entity that has authority over the Chief Executive Officer, without active Board-level oversight, the E&C program will lack the level of authority and independence that are necessary for E&C to have any chance of oversight of the C-Suite, which is in some ways where the job of E&C is at its most critical.
Board oversight—and the added independence from management and authority that it affords E&C—also creates the authority and independence necessary to conduct other critical program activities, such as investigations and auditing. In order for Board-level oversight to create the right level of independence for an E&C program, the appropriate person within the function should be providing information to the Board—in an unfiltered manner. If, for example, the person with operational responsibility for the E&C program reports to the general counsel, who in turn provides reports to the Board, then the ability of these reports to enhance the level of independence and authority of the program is diminished—at least as a general matter.
The same is true if the general counsel (or another member of high-level management) censors the written or verbal reports provided by the person with operational responsibility. Conversely, one of the benefits of having the person with operational responsibility provide reports to the Board is that such a structure enhances the independence of the Board’s oversight. In other words, the Board cannot exercise independent oversight of the function if its information source is management of a different function. This is just one of the reasons that it is critical that the Board have a healthy relationship with the person charged with implementing the program.
The Sentencing Guidelines emphasize the importance of having the person with operational responsibility for the program provide reports to the Board. Other government guidance likewise discusses the importance of this reporting relationship, including the Resource Guide to the U.S. Foreign Corrupt Practices Act, released in 2012 by the Department of Justice and the Securities and Exchange Commission, which declared that “adequate autonomy [for an E&C program] generally includes direct access to an organization’s governing authority, such as the Board of Directors and committees of the Board of Directors (e.g., the audit committee).”
Topics Addressed to the Board
Whether Boards are able to exercise sufficient oversight depends on the Board’s receipt of the right types of information about the E&C program. Boards should be receiving helpline and investigations data (which is a common practice), but they also should receive information about the program more generally and about E&C’s efforts to impact culture and ensure compliance. According to LRN’s 2013 Ethics and Compliance Leadership Survey Report, the types of information conveyed to Boards tend to be principally lagging indicators, such as helpline data (80 percent) and code violations (70 percent). However, some (though fewer) companies also provide the Board with more proactive information, such as culture survey results (42 percent) and risk assessment and mitigation plans (61 percent).
General program information is necessary for the Board to oversee the program in a comprehensive manner. Organizations should therefore consider whether it would be useful to expand the range of information they currently provide to their Boards regarding the E&C program. In addition to general program information, E&C personnel should consider providing the Board with risk area-specific information for appropriate risk areas. This is the type of information discussed extensively by Delaware’s Supreme Court in the Stone v. Ritter case.
The risk areas the Board should hear about are: (1) those that provide the greatest overall risk to the company (which will obviously vary by industry and company) and (2) those in which the interests of senior managers and the company are not well aligned, as in those areas of “moral hazard” where Board oversight can be extremely valuable. In addition to information regarding the E&C program generally, the Board of Directors plays a critical role in oversight of the company’s handling of investigations of misconduct. It is this area with which much of the case law considering Board oversight is concerned.
In the case of Caremark and its progeny, the Delaware courts discussed Directors’ obligations to ensure the existence of a corporate information and reporting system to alert the Board to red flags, or other evidence of serious misconduct.
As a matter of good practice, companies should establish systems to ensure that the audit (or other appropriate) committee of the Board is notified promptly of allegations of violations by very senior management, allegations of serious fraud or any circumstances suggesting the need for an independent investigation.
It may also be helpful to include these procedures in program governance documentation, such as E&C charters and reporting procedures. Indeed, formal, documented procedures regarding escalation of reports are important to ensuring that practices are implemented in a consistent fashion in this area. Formal requirements for the person with operational responsibility for the E&C program to meet in executive session with an appropriate Board committee are also helpful in enhancing both program independence and authority.
The profession has shown some very helpful trends in this area. In LRN’s 2013 Ethics and Compliance Leadership Survey Report, nearly half (49 percent) of responding organizations indicated that their E&C leaders meet with the Board on a quarterly basis, and another 12 percent said that they meet more frequently than four times per year.
This is positive news, although there is still room for improvement. Boards should be meeting with E&C leaders frequently and receiving ample, appropriate information to enable them to exercise the oversight that is necessary for a program to have adequate independence and authority.
Position of CECO and Program
While Board oversight and engagement are critical, the position of the CECO within the organization is also extremely important. It ensures that a program has the appropriate level of authority and autonomy to achieve the twin goals of misconduct prevention and culture promotion. LRN’s 2013 Ethics and Compliance Leadership Survey Report indicates that the percentage of CECOs “who report directly to the general counsel (GC) is declining. In our 2012/2013 results, 46 percent of E&C Officers respond that they report directly to GC, down from 57 percent in 2011/2012, and 56 percent in 2010/2011.” The survey further found that 18 percent of CECOs now report directly to the Chief Executive Officer, and another 16 percent report to the Board of Directors.
Whether E&C is self-standing or whether it exists within the law department, internal audit or another function, it has become crystal clear that E&C has its own raison d’être, which is separate and apart from other functions. Only if E&C’s purpose and goals are recognized and realized within the context of the corporate structure will the program prevail.
The appropriate positioning of the E&C function is a decision that should not be about convenience, but about effectiveness. In particular, its positioning must be such that the program has the independence and authority necessary to achieve the goals of misconduct prevention and culture promotion. Of course, in addition to the E&C department, many programs rely extensively not only on leveraging other functions (such as legal, internal audit and human resources), but also on individuals in the businesses and other functions who have been assigned part-time responsibility for E&C.
Giving these individuals reporting responsibilities to E&C can strengthen the independence of the E&C program (including at the local level) and the authority of the function more generally. It also helps ensure that E&C responsibilities are taken seriously. This was recognized in certain recent deferred prosecution and corporate integrity agreements, which specify that local or function-specific compliance designees must have reporting obligations to the CECO.
The potential of E&C programs has been clearly demonstrated. Effective programs decrease the incidence of misconduct, increase reporting and foster a culture of compliance and business ethics. Now the profession must focus on ensuring independence and authority—through CECO positioning, Board oversight and otherwise—in order to assist E&C in achieving its promise.
III. The Board & Compliance: How to Improve Effectiveness & Reduce Risk
By: Stuart Altman – Hogan Lovells US LLP
A number of high-profile corporate scandals at some large and supposedly sophisticated companies have, if nothing else, driven home the fact that no matter how strong you think your corporate compliance and ethics program is, the risk of failure is still there.
Right now, there are a number of very concerned directors asking themselves whether they have done all they could, or should, to prevent this — and what are the ongoing risks, not only to the company, but to them personally.
True, directors should always be thinking about the institutional risk to the company, but nothing motivates effectiveness like the risk of personal liability. Ordinarily, directors are protected by the business judgment rule, which provides that well-informed decisions of directors taken after due consideration and in good faith will not be attacked by a court because the decisions turned out wrong.
In cases of compliance failures – whether issues of foreign bribery, cartel activity or environmental hazards, to name a few – the issue for a Board is usually one of omission. Rarely has a board approved such activity. Rather, the issue is whether it has done everything possible to avoid such conduct.
Here are four ideas that can help strengthen the effectiveness of the Board in these situations and thus, limit risk.
Interestingly, in many companies directors do not necessarily receive the same compliance training that employees do. Directors may claim they are too constrained by time, or that they, of course, know this material already. Perhaps they do, but even if the directors are compliance experts, shouldn’t they know how the employees are trained?
How do you measure the effectiveness of a program you have opted out of? In short, directors should go through, at a minimum, the same training employees receive. But that is not enough. Directors need specialized training, not just in the nuts and bolts that line employees receive but also in the issues at the center of compliance and ethics.
Directors need to be focused on the big picture of why a company has a compliance program. They need to know what questions their compliance professionals should be asking, and if directors don’t see this happening, they need to act quickly. Moreover, at least some of this training should be external to the company. Even if management is well intentioned, it is vital that directors get an occasional different perspective on compliance from that which prevails in the company.
There is an active professional debate out there as to whether or not the chief compliance officer should be separate from the general counsel. Should both ethics and compliance roles be rolled into one position? Where does internal audit fit in? I won’t attempt to evaluate these debates here. Indeed, there may be no one right answer. But the way in which your company structures these roles is vital to your governance and your ability to address compliance and ethics.
Boards of Directors should be intimately involved in planning for these issues. Directors should regularly review the existing structure and make sure they are comfortable with it and that it is serving the company’s interests.
Whatever the specific structure chosen, those primarily responsible for compliance must have direct access to the Board or a compliance committee. Given this dictate, you can decide what works for your company. Is your organization hierarchical in nature? Are managers expected to closely follow superiors with little questioning? If so, asking a GC who reports directly to the CEO to also serve as CCO and report to the Board may place him or her in an unworkable position. If the CFO uses internal audit as a personal resource, how comfortable can the Board be that the head of IA would bypass that CFO if the situation called for it?
On the other hand, where a company operates in a matrix environment with multiple reporting lines standard, such dual roles and reporting may come naturally.
3. Seek Advice
Most Boards of directors do not have separate counsel from the entity they serve. Directors typically rely on the general counsel and regular outside counsel to do their job except in the rare situation such as the need for a special committee and counsel thereto.
In general, most Boards do not need regular and continuing counsel involved in every decision they make. But that does not mean such outside advice may not be useful some of the time.
Every Board should have a relationship with counsel independent of the company and its management; someone who can be called upon in those rare times when the directors feel that they need a truly independent voice.
Directors need to avoid making this counsel into a crutch to which they turn for validation any time they have a tough decision to make. But at the same time, they need to be willing to seek outside advice when the situation demands.
Setting up this relationship in advance makes that all the easier.
Evaluation of the efficiency of a compliance program is commonplace. The CCO does it. Internal Audit plays a role. Board members weigh in regularly. But who evaluates whether the Board is doing its job when it comes to compliance?
Company officers are unlikely to risk angering the Board by criticizing their work in this area. Often, the only judgment comes when there has been a compliance failure and the inevitable derivative action. Instead of waiting for disaster and trial by fire, boards should consider bringing in a consultant to work with them in evaluating how they fulfill their compliance and oversight role.
This should be something the Board does for itself and can be combined with the training discussed above. Whether the evaluator be an outside law firm or one of the many consultants available in the compliance field, an outside voice can be a great check on the natural tendency to overestimate our own effectiveness.
The Board of Directors has a difficult role in this area. They need to protect the company and themselves. These four steps will make that job easier and make them more effective in their role with less risk.