Program supervision and oversight info for senior management and the board:
Under contemporary compliance program standards (e.g. the US Sentencing Guidelines and the draft ISO 37001 “Anti-bribery management systems”) the corporate governance structures are based on board oversight and management implementation and supervision of the corporate compliance program.
The information required to appropriately exercise the respective duties associated with each role consists of two parts: (1) the program management data needed by the Chief Compliance Officer (CCO) covered above; and (2) contextual data that gives perspective and insight as to how the company’s program both compares with others similarly situated and addresses certain “big picture” questions.
From management’s perspective, consider:
- What are the right metrics to be using to compare our program against others?
- What are other metrics that may positively demonstrate how our program is appropriately aligned to its assessed and documented risks?
- Are these metrics being appropriately tracked and recorded?
- Given certain regulators’ emphasis on “adequate resources”, how does one reasonably and objectively gauge what level of committed resources meets that standard, and do we pass that test?
- Given the renewed emphasis by certain regulators on personal accountability in general, and specific possible liability if a member of management is found to have knowingly engaged in non-compliant and illegal behavior, does our company have the “culture of compliance” and does our program have the necessary policies, processes and controls that will help prevent and detect inappropriate activities?
From the board’s perspective, consider:
- If there were a regulatory investigation involving allegations of a serious compliance policy breach and illegal acts, would the company’s compliance program be viewed as “effective” at the end of the day – where notwithstanding the result of the investigation, the company would still be viewed as a “good corporate citizen”?
- Given the seemingly ambiguous nature of some of the concepts and terms that apply to “effective” compliance programs, such as “adequate resources” and “culture of compliance”, and the risks associated with not having such a program in place, how do I know, as a board member, that the CCO and management have a good grasp of, and are appropriately applying, these concepts to our program?
The smart CEO will anticipate and have detailed answers for these questions from the outset, and will calibrate his or her reports to these groups to periodically update them on these and other matters that they consider important.