Ethics and Compliance (E&C) programs occupy a moment of great opportunity. No longer viewed as merely an adjunct to the law department or internal audit or as merely a hedge against the possibility of a future prosecution, some E&C programs have gained the gravitas and credibility to enable them to have a significant impact on the culture and level of misconduct at organizations.
As the standing of E&C programs grows, the enormous potential of this nascent profession comes closer to being realized. Perhaps no two factors are more important to ensuring the standing of E&C programs within organizations than (1) the level of Board oversight of and engagement regarding the E&C program and (2) the positioning of the Chief Ethics and Compliance Officer (CECO) and the compliance program.
In order to explore these issues, we will begin by reviewing those characteristics that are most critical to effective E&C programs. We will then explore the importance of Board oversight and engagement to a robust program, the ways in which the Board’s interaction with the E&C department has evolved in recent years and practical strategies for enhancing Board engagement. And lastly, we will explore the topic of CECO and broader program positioning.
Critical Program Characteristics
While the purpose of E&C programs has typically been described as prevention and detection of misconduct, E&C has in recent years evolved to include the greater—and complementary—purpose of fostering an ethical corporate culture in organizations. Indeed, in LRN’s 2013 Ethics and Compliance Leadership Survey Report, E&C professionals indicated that three of their top five priorities concern culture, including promoting alignment between core values and day-to-day operations, strengthening ethical culture and strengthening ethical leadership. Also in the top five was increasing employee levels of speaking up, which is another component of corporate culture. “This continued emphasis on driving culture and values over the past three years suggests that E&C leaders are stretching beyond compliance to drive important performance outcomes.”1
In order to achieve the parallel and complementary goals of preventing misconduct and promoting a healthy corporate culture, E&C programs must possess certain critical traits, none of which is more important than independence and authority. Without adequate independence from the business and other functions and sufficient authority, it would be impossible for E&C to assess compliance risks accurately, to investigate and respond to allegations of misconduct, to conduct auditing and monitoring or to impact promotion and hiring decisions. Of course, other program characteristics are also important, such as program reach, collaboration and integration with other functions and the business; but for purposes of this discussion, we will focus on the key traits of independence and authority and how Board oversight and E&C positioning impact them.
Board Oversight of E&C Programs
Board oversight and engagement in an E&C program are critically important factors in ensuring that a program has the levels of authority and independence that are needed for misconduct prevention and culture promotion. Because the Board of Directors is the only corporate entity that has authority over the Chief Executive Officer, without active Board-level oversight, the E&C program will lack the level of authority and independence that is necessary for E&C to have any chance of oversight of the C-Suite, which is in some ways where the job of E&C is at its most critical. Board oversight—and the added independence from management and authority that it affords E&C—also creates the authority and independence necessary to conduct other critical program activities, such as investigations and auditing.
In order for Board-level oversight to create the right level of independence for an E&C program, the appropriate person within the function should be providing information to the Board—in an unfiltered manner. If, for example, the person with operational responsibility for the E&C program reports to the general counsel, who in turn provides reports to the Board, then the ability of these reports to enhance the level of independence and authority of the program is diminished—at least as a general matter. The same is true if the general counsel (or another member of high-level management) censors the written or verbal reports provided by the person with operational responsibility.
Conversely, one of the benefits of having the person with operational responsibility provide reports to the Board is that such a structure enhances the independence of the Board’s oversight.2 In other words, the Board cannot exercise independent oversight of the function if its information source is management of a different function. This is just one of the reasons that it is critical that the Board have a healthy relationship with the person charged with implementing the program.
The Sentencing Guidelines emphasize the importance of having the person with operational responsibility for the program provide reports to the Board.3 Other government guidance likewise discusses the importance of this reporting relationship, including the Resource Guide to the U.S. Foreign Corrupt Practices Act, released in 2012 by the Department of Justice and the Securities and Exchange Commission, which declared that “adequate autonomy [for an E&C program] generally includes direct access to an organization’s governing authority, such as the Board of Directors and committees of the Board of Directors (e.g., the audit committee).”4
Topics Addressed to the Board
Whether Boards are able to exercise sufficient oversight depends on the Board’s receipt of the right types of information about the E&C program. Boards should be receiving helpline and investigations data (which is a common practice), but they also should receive information about the program more generally and about E&C’s efforts to impact culture and ensure compliance. According to LRN’s 2013 Ethics and Compliance Leadership Survey Report, the types of information conveyed to Boards tend to be principally lagging indicators, such as helpline data (80 percent) and code violations (70 percent). However, some (though fewer) companies also provide the Board with more proactive information, such as culture survey results (42 percent) and risk assessment and mitigation plans (61 percent).5 General program information is necessary for the Board to oversee the program in a comprehensive manner. Organizations should therefore consider whether it would be useful to expand the range of information they currently provide to their Boards regarding the E&C program.
In addition to general program information, E&C personnel should consider providing the Board with risk area-specific information for appropriate risk areas. This is the type of information discussed extensively by Delaware’s Supreme Court in the Stone v. Ritter case.6 The risk areas the Board should hear about are: (1) those that provide the greatest overall risk to the company (which will obviously vary by industry and company) and (2) those in which the interests of senior managers and the company are not well aligned, as in those areas of “moral hazard” where Board oversight can be extremely valuable.
In addition to information regarding the E&C program generally, the Board of Directors plays a critical role in oversight of the company’s handling of investigations of misconduct. It is this area with which much of the case law considering Board oversight is concerned.7 In the case of Caremark and its progeny, the Delaware courts discussed Directors’ obligations to ensure the existence of a corporate information and reporting system to alert the Board to red flags, or other evidence of serious misconduct.8
As a matter of good practice, companies should establish systems to ensure that the audit (or other appropriate) committee of the Board is notified promptly of allegations of violations by very senior management, allegations of serious fraud or any circumstances suggesting the need for an independent investigation. It may also be helpful to include these procedures in program governance documentation, such as E&C charters and reporting procedures. Indeed, formal, documented procedures regarding escalation of reports are important to ensuring that practices are implemented in a consistent fashion in this area. Formal requirements for the person with operational responsibility for the E&C program to meet in executive session with an appropriate Board committee are also helpful in enhancing both program independence and authority.
The profession has shown some very helpful trends in this area. In LRN’s 2013 Ethics and Compliance Leadership Survey Report, nearly half (49 percent) of responding organizations indicated that their E&C leaders meet with the Board on a quarterly basis, and another 12 percent said that they meet more frequently than four times per year.9 This is positive news, although there is still room for improvement. Boards should be meeting with E&C leaders frequently and receiving ample, appropriate information to enable them to exercise the oversight that is necessary for a program to have adequate independence and authority.
Position of CECO and Program
While Board oversight and engagement are critical, the position of the CECO within the organization is also extremely important. It ensures that a program has the appropriate level of authority and autonomy to achieve the twin goals of misconduct prevention and culture promotion. LRN’s 2013 Ethics and Compliance Leadership Survey Report indicates that the percentage of CECOs “who report directly to the general counsel (GC) is declining. In our 2012/2013 results, 46 percent of E&C Officers respond that they report directly to GC, down from 57 percent in 2011/2012, and 56 percent in 2010/2011.”10 The survey further found that 18 percent of CECOs now report directly to the Chief Executive Officer, and another 16 percent report to the Board of Directors.
Whether E&C is self-standing or whether it exists within the law department, internal audit or another function, it has become crystal clear that E&C has its own raison d’être, which is separate and apart from other functions. Only if E&C’s purpose and goals are recognized and realized within the context of the corporate structure will the program prevail. The appropriate positioning of the E&C function is a decision that should not be about convenience, but about effectiveness. In particular, its positioning must be such that the program has the independence and authority necessary to achieve the goals of misconduct prevention and culture promotion.
Of course, in addition to the E&C department, many programs rely extensively not only on leveraging other functions (such as legal, internal audit and human resources), but also on individuals in the businesses and other functions who have been assigned part-time responsibility for E&C. Giving these individuals reporting responsibilities to E&C can strengthen the independence of the E&C program (including at the local level) and the authority of the function more generally. It also helps ensure that E&C responsibilities are taken seriously. This was recognized in certain recent deferred prosecution and corporate integrity agreements, which specify that local or function-specific compliance designees must have reporting obligations to the CECO.11
The potential of E&C programs has been clearly demonstrated. Effective programs decrease the incidence of misconduct, increase reporting and foster a culture of compliance and business ethics. Now the profession must focus on ensuring independence and authority—through CECO positioning, Board oversight and otherwise—in order to assist E&C in achieving its promise.
The full LRN Risk Forecast Report can be accessed at: https://pages.lrn.com/risk-forecast-report-2014
1 LRN, 2013 Ethics and Compliance Leadership Survey Report at 21.
2 The importance of independent Board oversight is highlighted in the Department of Justice’s prosecution standards, which ask prosecutors to consider whether directors exercise independent review and whether they are provided with information sufficient to enable the exercise of independent judgment. United States Attorneys’ Manual, Principles of Federal Prosecution of Business Organizations, § 9-28.800.
3 U.S. Sentencing Guidelines Manual § 8B2.1(b)(2)(C).
4 Department of Justice and Securities and Exchange Commission, A Resource Guide to the U.S. Foreign Corrupt Practices Act at 58 (November 14, 2012).
5 LRN, 2013 Ethics and Compliance Leadership Survey Report at 27.
6 Stone v. Ritter, 911 A.2d 362 (Del. 2006).
7 In re Caremark Int’l Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996); Stone v. Ritter, 911 A.2d 362 (Del. 2006).
8 Caremark, 698 A.2d at 970.
9 LRN, 2013 Ethics and Compliance Leadership Survey Report at 53.
10 LRN, 2013 Ethics and Compliance Leadership Survey Report at 24.
11 See, e.g., the Deferred Prosecution Agreement between the Department of Justice and Johnson & Johnson (2011) and between the Department of Justice and HSBC Holdings plc (2012).