While the chief compliance and ethics officer (CCO) and corporate compliance committee (CCC) may be tasked with the daily management of their company’s compliance program, the tone and leadership of the corporate board of directors play a key role in determining the effectiveness and success of the program itself. The courts and the U.S. government recognize this practical reality and have crafted clear and unmistakable rules that a board must follow to avoid civil and even criminal liability for themselves and their company in the event the compliance program is determined to be ineffective.
Boards, in their oversight role, must ensure that management has a firm grasp on internal controls and risks through a robust governance, risk and compliance (GRC) program that provides a strategic approach to integrating risk management, controls, assurance structures and processes. Getting GRC right has become critical, because it can offer a level of oversight that may weigh in a board’s favor should litigation challenge their resolve in their duties.
The stakes are high, both in terms of professional and personal liability for board members. Several leading cases from the Delaware courts have found that board oversight of a company’s compliance program is rooted in the board’s fiduciary duties of loyalty and care. In Stone v. Ritter, the Delaware Supreme Court held that, pursuant to its fiduciary duty of loyalty, a corporate board must ensure the existence of adequate controls and a reporting system designed to provide it with important compliance information on a timely basis. Under Stone, a conscious failure to monitor or oversee such a system could lead to personal liability for individual board members, since the company cannot indemnify its directors for breaches of their duty of loyalty. In addition to a judicially imposed “duty of oversight,” the U.S. Sentencing Guidelines make clear that a company’s “governing authority” (i.e., the board) must exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program. These guidelines clearly require periodic reporting to the board and the CCO and others in management, and that such a program must work to prevent and detect criminal conduct.
Given the potential liability for boards and their companies from a “compliance failure,” whether following a government investigation or shareholder’s lawsuit, it is critical that the board and senior management develop effective strategies for building a strong compliance team. Facing a broad landscape of new regulatory challenges, from Sarbanes-Oxley to Dodd-Frank, a GRC program and the right team to implement it can provide a common approach to eradicating duplicated effort, complexity and cost, leading to improved performance in alignment with the corporate mission and strategy.
Boards have ultimate responsibility for overseeing the compliance team. Many also are seeking additional insights from outside advisers to help complement their internal compliance resources, especially where small teams are in place to meet new precedents on responsibility set by the courts and the government. Having the “best thinking” – both from the internal team and external advisers – is critical to mitigating liability issues and getting to the unvarnished truth.
Structuring A Team That Is Right For The Company
Although there is some latitude at each company to do things a little differently, several government pronouncements make clear that all effective compliance programs must include a formal CCO and CCC. While many CCOs are attorneys and report directly to the company’s general counsel, the government has made no secret that it views the stronger, more effective and preferable structure as one where the CCO reports directly to the CEO and/or board. Such a reporting structure not only enhances the compliance program’s stature within the company, but allows the CCO to 1) audit activities and programs that the company’s legal department often approves without creating a real or apparent conflict of interests; and 2) more readily assist the board in meeting its legal and fiduciary compliance oversight obligations.
Regardless of what department the CCO sits, he or she should chair the CCC and/or various “sub-CCCs” focused on (i) the development and revision of the code of conduct, policies and critical procedures; (ii) compliance and ethics training; (iii) corrective action and employee discipline; (iv) risk assessment; and (v) the implementation of the annual compliance audit plan. Mid- and senior-level members from human resources, legal affairs, finance and other departments will need to be included on these committees to get their department’s “buy-in” and to assist in implementing compliance initiatives across the company.
Given the degree of complexity and uniqueness of certain issues companies can face, leading practices dictate that it may be necessary for organizations to retain outside advisers – lawyers, accountants, consultants, etc. – to provide their broad market experience and independent third-party view to an unadulterated, frank discussion. Having the input or opinions of outside, independent advisors can also raise a comfort level for compliance officers and the board. Some of the more difficult and yet increasingly more important compliance initiatives from the government’s perspective require the development of effective, compliance-focused cross-functional teams within an organization. For example, according to government officials, management should create financial “disincentives” for non-compliant behavior and should institute programs that require monitoring of high risk activities to deter and detect inappropriate behavior in “real time.” The success of these or any other compliance initiative requires departmental collaboration and a shared commitment to developing a compliant and ethical culture that begins and ends with the board and senior management.
Measuring a Team’s Success
The most difficult aspect of building a strong compliance team is measuring its own success. While the CCO can certainly provide the audit committee or the entire board with quarterly and “as needed” reports, the question arises whether such reports are enough to assure the board that the company’s compliance team and program are best in class. In order to ensure that its compliance team and program are effective and providing it with information adequate to discharge its fiduciary oversight obligations, a board should require the CCO to provide it with objective and subjective “metrics” of success.
To that end, implementing GRC requires a management vision that sets the tone for the organization’s culture and strategy and that provides the discipline needed to implement a sustainable process and a flexible technology solution that interfaces with existing systems and processes. It also requires having the right information—including governance, risk and compliance components—to support business decision making and contribute to the success of business transformation initiatives. The use of IT offers a strategic dimension that can provide enterprise decision and assurance support through executive monitoring capabilities in the form of dashboards and macro-level analysis based on the organization’s strategic business objectives and the development of the risk profiles.
Key performance indicators (KPIs) and key risk indicators (KRIs) are established as part of the risk profile analysis and help to drive GRC analytics and reporting.
Delivering Information and Value Holistically
Given the current state of regulatory enforcement and the clear lines set by regulators and lawmakers, alike, technology can be a key enabler in the implementation of an integrated framework that unifies the governance, risk, compliance, and assurance functions across an organization. It provides support for a holistic approach to GRC, which seeks to protect and enhance business value, enhance operational efficiency, support strategic objectives and provide an added dimension.
In this day and age, all of this discussion also needs to have critical input from the organization’s IT professionals, who can help select and move the right data to help boards and management make swifter, more informed decisions. Boards should ensure their compliance officers are delivering key information for oversight of the organization, and the company’s IT professionals must deliver that information in a distilled way that makes it easy to analyze in order to grow the business, manage risk and compete in an increasingly tough marketplace.
Republished with permission from Corporate Compliance Insights. For more, visit CorporateComplianceInsights.com.