“A compliance program should apply from the board room to the supply room—no one should be beyond its reach” (A Resource Guide to the U.S. Foreign Corrupt Practices Act, p.57). The board has a critical role in helping a company achieve compliance with laws such as the US Foreign Corrupt Practices Act (FCPA) – a role that is under-appreciated by many, including board members.
If you are on a corporate or non-profit board, ask yourself the following questions:
- What more could we do to set an appropriate tone at the top of our organization?
US enforcement authorities have explained, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company” (A Resource Guide, p.57). Board members do this by setting expectations regarding compliance at the top of the organizational structure. For example, a board that includes compliance as an agenda item at every board meeting (and expects management to report on the topic at each meeting) will quickly send the message that compliance matters. Board members can also help set the tone by (a) having periodic executive sessions with the chief compliance officer (CCO) and (b) incorporating compliance performance components into senior officers’ performance and compensation plans.
- What are we doing as directors to understand and respond to our organization’s compliance risks?
The de facto standard for US companies’ compliance programs, the US Sentencing Guidelines, provides that the board must “be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program” (USSG §8B2.1(b)(2)(A)).
Accordingly, an informed board will ask for and review (a) compliance-related risk assessments; (b) monitoring, audit, and incident reports; (c) communication and training plans; and (d) budgets to understand compliance activities and needs and how they are being resourced (in terms of both budget and personnel). An operationally oriented software-based compliance management platform can be invaluable in providing the speed, reporting capabilities, and audit trail that CCOs need to operate – and board members need to oversee – an effective compliance program.
Board members also may wish to engage in discussions with both managers and line employees about how the compliance function is working. These discussions not only help the board appropriately oversee the compliance component of company risk, but they also help company personnel feel that the board supports them in their compliance efforts.
Company boards should leverage their own unique resources to fulfill their oversight responsibilities. Most company boards consist of individuals with diverse experiences and competencies. Board members increasingly have compliance experience from other companies that is applicable to dealing with challenging compliance situations that may arise. If you are a board member, share compliance experiences (as well as experiences in related areas, such as cyber security) to build your board’s knowledge base from the inside out. If your company’s board lacks compliance experience or expertise, consider recruiting directors who bring this perspective. To supplement the compliance expertise that may exist on the board, and for the benefit of the board and management alike, have an outside compliance expert periodically speak on current compliance developments and trends.
Finally, as recommended by US enforcement authorities, provide the CCO with direct and easy access to the board (A Resource Guide, p.58). Encourage informal as well as formal communication. Both the CCO and the board will benefit from a relationship that is built on normal course of business (rather than “time of crisis”) contacts and interactions.
- What is our incident response plan?
In spite of a company’s reasonable efforts – and a board’s conscientious oversight – problems sometimes still arise. When a material event happens, stakeholders (including government regulators, law enforcement, and shareholders) may ask tough questions: How did this happen? What processes broke down? Who is at fault (and what disciplinary measures have been taken)? What is the company doing to prevent this from happening again? Is the problem an isolated instance, or indicative of more serious systemic issues?
To help prepare the company to deal with such questions, management (led by the CCO) should draft and present to the board a high-level plan for responding to material incidents of misconduct. Although the unpredictable nature of such events precludes treating each component or phase in advance with specificity, certain aspects are foreseeable (e.g., communication strategy options, retention of outside counsel, records preservation) and should be identified. Having these overall plan pieces already in place will help reduce the excessive time, stress, and financial expenditures typically involved in crisis response.
With respect to specific board involvement in the mitigation and resolution of any such situation, this plan might include, for example, action items involved with overseeing any corresponding reassessment of the company’s risk and its compliance program and/or any disciplinary measures against individuals (if it is discovered that senior management was involved in the event).
The board has an important role in supporting compliance, but it is one of many interrelated programmatic parts. In our next post, we will consider specific ways the CCO can work with the board to help members increase their effectiveness in overseeing compliance.