Corporate Compliance Insights

Program Management: Board Oversight and Reporting Structures

by Rebecca Walker
June 30, 2014
in Governance

Ethics and Compliance (E&C) programs occupy a moment of great opportunity. No longer viewed as merely an adjunct to the law department or internal audit or as merely a hedge against the possibility of a future prosecution, some E&C programs have gained the gravitas and credibility to enable them to have a significant impact on the culture and level of misconduct at organizations.

As the standing of E&C programs grows, the enormous potential of this nascent profession comes closer to being realized. Perhaps no two factors are more important to ensuring the standing of E&C programs within organizations than (1) the level of Board oversight of and engagement regarding the E&C program and (2) the positioning of the Chief Ethics and Compliance Officer (CECO) and the compliance program.

In order to explore these issues, we will begin by reviewing those characteristics that are most critical to effective E&C programs. We will then explore the importance of Board oversight and engagement to a robust program, the ways in which the Board’s interaction with the E&C department has evolved in recent years and practical strategies for enhancing Board engagement. And lastly, we will explore the topic of CECO and broader program positioning.

Critical Program Characteristics

While the purpose of E&C programs has typically been described as prevention and detection of misconduct, E&C has in recent years evolved to include the greater—and complementary—purpose of fostering an ethical corporate culture in organizations. Indeed, in LRN’s 2013 Ethics and Compliance Leadership Survey Report, E&C professionals indicated that three of their top five priorities concern culture, including promoting alignment between core values and day-to-day operations, strengthening ethical culture and strengthening ethical leadership. Also in the top five was increasing employee levels of speaking up, which is another component of corporate culture. “This continued emphasis on driving culture and values over the past three years suggests that E&C leaders are stretching beyond compliance to drive important performance outcomes.”1

In order to achieve the parallel and complementary goals of preventing misconduct and promoting a healthy corporate culture, E&C programs must possess certain critical traits, none of which is more important than independence and authority. Without adequate independence from the business and other functions and sufficient authority, it would be impossible for E&C to assess compliance risks accurately, to investigate and respond to allegations of misconduct, to conduct auditing and monitoring or to impact promotion and hiring decisions. Of course, other program characteristics are also important, such as program reach, collaboration and integration with other functions and the business; but for purposes of this discussion, we will focus on the key traits of independence and authority and how Board oversight and E&C positioning impact them.

Board Oversight of E&C Programs

Board oversight and engagement in an E&C program are critically important factors in ensuring that a program has the levels of authority and independence that are needed for misconduct prevention and culture promotion. Because the Board of Directors is the only corporate entity that has authority over the Chief Executive Officer, without active Board-level oversight, the E&C program will lack the levels of authority and independence that are necessary for E&C to have any chance of oversight of the C-Suite, which is in some ways where the job of E&C is at its most critical. Board oversight—and the added independence from management and authority that it affords E&C—also creates the authority and independence necessary to conduct other critical program activities, such as investigations and auditing.

In order for Board-level oversight to create the right level of independence for an E&C program, the appropriate person within the function should be providing information to the Board—in an unfiltered manner. If, for example, the person with operational responsibility for the E&C program reports to the general counsel, who in turn provides reports to the Board, then the ability of these reports to enhance the level of independence and authority of the program is diminished—at least as a general matter. The same is true if the general counsel (or another member of high-level management) censors the written or verbal reports provided by the person with operational responsibility.

Conversely, one of the benefits of having the person with operational responsibility provide reports to the Board is that such a structure enhances the independence of the Board’s oversight.2 In other words, the Board cannot exercise independent oversight of the function if its information source is management of a different function. This is just one of the reasons that it is critical that the Board have a healthy relationship with the person charged with implementing the program.

The Sentencing Guidelines emphasize the importance of having the person with operational responsibility for the program provide reports to the Board.3 Other government guidance likewise discusses the importance of this reporting relationship, including the Resource Guide to the U.S. Foreign Corrupt Practices Act, released in 2012 by the Department of Justice and the Securities and Exchange Commission, which declared that “adequate autonomy [for an E&C program] generally includes direct access to an organization’s governing authority, such as the Board of Directors and committees of the Board of Directors (e.g., the audit committee).”4

Topics Addressed to the Board

Whether Boards are able to exercise sufficient oversight depends on the Board’s receipt of the right types of information about the E&C program. Boards should be receiving helpline and investigations data (which is a common practice), but they also should receive information about the program more generally and about E&C’s efforts to impact culture and ensure compliance. According to LRN’s 2013 Ethics and Compliance Leadership Survey Report, the types of information conveyed to Boards tend to be principally lagging indicators, such as helpline data (80 percent) and code violations (70 percent). However, some (though fewer) companies also provide the Board with more proactive information, such as culture survey results (42 percent) and risk assessment and mitigation plans (61 percent).5 General program information is necessary for the Board to oversee the program in a comprehensive manner. Organizations should therefore consider whether it would be useful to expand the range of information they currently provide to their Boards regarding the E&C program.

In addition to general program information, E&C personnel should consider providing the Board with risk area-specific information for appropriate risk areas. This is the type of information discussed extensively by Delaware’s Supreme Court in the Stone v. Ritter case.6 The risk areas the Board should hear about are: (1) those that provide the greatest overall risk to the company (which will obviously vary by industry and company) and (2) those in which the interests of senior managers and the company are not well aligned, as in those areas of “moral hazard” where Board oversight can be extremely valuable.

In addition to information regarding the E&C program generally, the Board of Directors plays a critical role in oversight of the company’s handling of investigations of misconduct. It is this area with which much of the case law considering Board oversight is concerned.7 In the case of Caremark and its progeny, the Delaware courts discussed Directors’ obligations to ensure the existence of a corporate information and reporting system to alert the Board to red flags, or other evidence of serious misconduct.8

As a matter of good practice, companies should establish systems to ensure that the audit (or other appropriate) committee of the Board is notified promptly of allegations of violations by very senior management, allegations of serious fraud or any circumstances suggesting the need for an independent investigation. It may also be helpful to include these procedures in program governance documentation, such as E&C charters and reporting procedures. Indeed, formal, documented procedures regarding escalation of reports are important to ensuring that practices are implemented in a consistent fashion in this area. Formal requirements for the person with operational responsibility for the E&C program to meet in executive session with an appropriate Board committee are also helpful in enhancing both program independence and authority.

The profession has shown some very helpful trends in this area. In LRN’s 2013 Ethics and Compliance Leadership Survey Report, nearly half (49 percent) of responding organizations indicated that their E&C leaders meet with the Board on a quarterly basis, and another 12 percent said that they meet more frequently than four times per year.9 This is positive news, although there is still room for improvement. Boards should be meeting with E&C leaders frequently and receiving ample, appropriate information to enable them to exercise the oversight that is necessary for a program to have adequate independence and authority.

Position of CECO and Program

While Board oversight and engagement are critical, the position of the CECO within the organization is also extremely important. It ensures that a program has the appropriate level of authority and autonomy to achieve the twin goals of misconduct prevention and culture promotion. LRN’s 2013 Ethics and Compliance Leadership Survey Report indicates that the percentage of CECOs “who report directly to the general counsel (GC) is declining. In our 2012/2013 results, 46 percent of E&C Officers respond that they report directly to GC, down from 57 percent in 2011/2012, and 56 percent in 2010/2011.”10 The survey further found that 18 percent of CECOs now report directly to the Chief Executive Officer, and another 16 percent report to the Board of Directors.

Whether E&C is self-standing or whether it exists within the law department, internal audit or another function, it has become crystal clear that E&C has its own raison d’être, which is separate and apart from other functions. Only if E&C’s purpose and goals are recognized and realized within the context of the corporate structure will the program prevail. The appropriate positioning of the E&C function is a decision that should not be about convenience, but about effectiveness. In particular, its positioning must be such that the program has the independence and authority necessary to achieve the goals of misconduct prevention and culture promotion.

Of course, in addition to the E&C department, many programs rely extensively not only on leveraging other functions (such as legal, internal audit and human resources), but also on individuals in the businesses and other functions who have been assigned part-time responsibility for E&C. Giving these individuals reporting responsibilities to E&C can strengthen the independence of the E&C program (including at the local level) and the authority of the function more generally. It also helps ensure that E&C responsibilities are taken seriously. This was recognized in certain recent deferred prosecution and corporate integrity agreements, which specify that local or function-specific compliance designees must have reporting obligations to the CECO.11

Conclusion

The potential of E&C programs has been clearly demonstrated. Effective programs decrease the incidence of misconduct, increase reporting and foster a culture of compliance and business ethics. Now the profession must focus on ensuring independence and authority—through CECO positioning, Board oversight and otherwise—in order to assist E&C in achieving its promise.

The full LRN Risk Forecast Report can be accessed at: http://pages.lrn.com/risk-forecast-report-2014

Footnotes

1 LRN, 2013 Ethics and Compliance Leadership Survey Report at 21.

2 The importance of independent Board oversight is highlighted in the Department of Justice’s prosecution standards, which ask prosecutors to consider whether directors exercise independent review and whether they are provided with information sufficient to enable the exercise of independent judgment. United States Attorneys’ Manual, Principles of Federal Prosecution of Business Organizations, § 9-28.800.

3 U.S. Sentencing Guidelines Manual § 8B2.1(b)(2)(C).

4 Department of Justice and Securities and Exchange Commission, A Resource Guide to the U.S. Foreign Corrupt Practices Act at 58 (November 14, 2012).

5 LRN, 2013 Ethics and Compliance Leadership Survey Report at 27.

6 Stone v. Ritter, 911 A.2d 362 (Del. 2006).

7 In re Caremark Int’l Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996); Stone v. Ritter, 911 A.2d 362 (Del. 2006).

8 Caremark, 698 A.2d at 970.

9 LRN, 2013 Ethics and Compliance Leadership Survey Report at 53.

10 LRN, 2013 Ethics and Compliance Leadership Survey Report at 24.

11 See, e.g., the Deferred Prosecution Agreement between the Department of Justice and Johnson & Johnson (2011) and between the Department of Justice and HSBC Holdings plc (2012).



Rebecca Walker

Rebecca Walker is a partner in the law firm of Kaplan & Walker LLP, a firm that specializes in corporate compliance and governance located in Santa Monica, California, and Princeton, New Jersey. For over 20 years, Rebecca has specialized in advising clients on the development and implementation of compliance programs. She has also served as a monitor for the Department of the Air Force and as an independent consultant, reviewing programs for the U.S. Securities and Exchange Commission. Rebecca is the author of "Conflicts of Interest in Business and the Professions: Law and Compliance," published by Thomson West, as well as numerous articles and studies. She chairs the Practising Law Institute's Compliance and Ethics Essentials Institute in New York and the Advanced Compliance and Ethics Workshop in San Francisco and serves on the Advisory Board of "Compliance and Ethics Professional" magazine. Rebecca received her B.A. from Georgetown University and her J.D. from Harvard Law School.
