A number of high profile corporate scandals at some large and supposedly sophisticated companies have, if nothing else, driven home the fact that no matter how strong you think your corporate compliance and ethics program is, the risk of failure is still there. This month I want to look at this issue from the standpoint of the board of directors.
Right now, there are a number of very concerned directors asking themselves whether they have done all they could, or should, have to prevent this and what are the ongoing risks, not only to the company, but to them personally. True, directors should always be thinking about the institutional risk to the company, but nothing motivates effectiveness like the risk of personal liability.
Ordinarily directors are protected by the business judgment rule which provides that well informed decisions of directors taken after due consideration and in good faith will not be attacked by a court because the decisions turned out wrong. In cases of compliance failures – whether issues of foreign bribery, cartel activity or environmental hazards, to name a few – the issue for a board is usually one of omission. Rarely has a board approved such activity. Rather, the issue is whether it has done everything possible to avoid such conduct. Here are four ideas that can help strengthen the effectiveness of the board in these situations and thus, limit risk.
Interestingly, in many companies directors do not necessarily receive the same compliance training that employees do. Directors may claim they are too constrained by time, or that they, of course, know this material already. Perhaps they do, but even if the directors are compliance experts shouldn’t they know how the employees are trained? How do you measure the effectiveness of a program you have opted out of? In short, directors should go through, at a minimum, the same training employees receive.
But that is not enough. Directors need specialized training, not just in the nuts and bolts that line employees receive but also in the issues at the center of compliance and ethics. Directors need to be focused on the big picture of why a company has a compliance program. They need to know what questions their compliance professionals should be asking, and if directors don’t see this happening, they need to act quickly.
Moreover, at least some of this training should be external to the company. Even if management is well intentioned, it is vital that directors get an occasional different perspective on compliance from that which prevails in the company.
A long discourse of the various pros and cons of possible compliance structures would fill several of these columns. There is an active professional debate out there as to whether or not the chief compliance officer should be separate from the general counsel? Should both ethics and compliance roles be rolled into one position? Where does internal audit fit in? I won’t attempt to evaluate these debates here. Indeed, there may be no one right answer. But the way in which your company structures these roles is vital to your governance and your ability to address compliance and ethics.
Boards of directors should be intimately involved in planning for these issues. Directors should regularly review the existing structure and make sure they are comfortable with it and it is serving the company’s interests. Whatever the specific structure chosen, those primarily responsible for compliance must have direct access to the board or a compliance committee. Given this dictate, you can decide what works for your company. Is your organization hierarchical in nature? Are managers expected to closely follow superiors with little questioning? If so, asking a GC who reports directly to the CEO to also serve as CCO and report to the board may place him or her in an unworkable position. If the CFO uses internal audit as a personal resource how comfortable can the board be that the head of IA would bypass that CFO if the situation called for it? On the other hand, where a company operates in a matrix environment with multiple reporting lines standard, such dual roles and reporting may come naturally.
Most boards of directors do not have separate counsel from the entity they serve. Directors typically rely on the general counsel and regular outside counsel to do their job except in the rare situation such as the need for a special committee and counsel thereto. In general, most boards do not need regular and continuing counsel involved in every decision they make. But that does not mean such outside advice may not be useful some of the time.
Every board should have a relationship with counsel independent of the company and its management; someone who can be called upon in those rare times when the directors feel that they need a truly independent voice. Directors need to avoid making this counsel into a crutch to which they turn for validation any time they have a tough decision to make. But at the same time, they need to be willing to seek outside advice when the situation demands. Setting up this relationship in advance makes that all the easier.
Evaluation of the efficiency of a compliance program is commonplace. The CCO does it. IA plays a role. Board members weigh in regularly. But who evaluates whether the board is doing its job when it comes to compliance? Company officers are unlikely to risk angering the board by criticizing their work in this area. Often, the only judgment comes when there has been a compliance failure and the inevitable derivative action.
Instead of waiting for disaster and trial by fire, boards should consider bringing in a consultant to work with them in evaluating how they fulfill their compliance and oversight role. This should be something the board does for itself and can be combined with the training discussed above. Whether the evaluator be an outside law firm or one of the many consultants available in the compliance field, an outside voice can be a great check on the natural tendency to overestimate are own effectiveness.
The board of directors has a difficult role in this area. They need to protect the company and themselves. These four steps will make that job easier and make them more effective in their role with less risk.
Republished with permission from Corporate Compliance Insights. For more, visit CorporateComplianceInsights.com.