Five Questions for Corporate Boards on Oversight of Compliance
Let’s face it – corporate boards are not adept at overseeing a company’s compliance program. In the absence of a board member who has prior compliance expertise, corporate boards either ignore or struggle to fulfill their compliance oversight responsibilities.
Corporate governance performance is suffering from this serious gap between compliance responsibilities and compliance capabilities. Corporate boards are under increasing pressure to improve their performance, including in the area of compliance. The Federal Reserve’s recent action against the Wells Fargo board set an important precedent – a board has to maintain an effective system for risk oversight and management, including its compliance program.
As a first step, every board should have a former compliance professional as a member. In today’s risk and activist environment, corporate boards need to address this deficiency as quickly as possible and enlist compliance expertise on the board itself.
As a second step, chief compliance officers, with the backing of the CEO and senior management, should “train” the board for at least two hours each year (and preferably more). When I use the term “train,” I really mean “educate” the board on risks, the law, and the company’s compliance program, and most importantly, how to oversee and monitor the company’s compliance program.
In this new era of corporate governance excellence, board members have to become familiar with the key compliance issues facing the company and ensure that there are effective controls to identify, elevate and resolve issues as appropriate. In carrying out this oversight function, there are five important issues that the board should address:
1. Risk Profile: The board needs to understand exactly the company’s risk profile. This inquiry should not be based just on an annual review of risks but should be a forward-looking perspective on risks for the year and projected risks based on expected business plans and developments.
To exercise proper oversight and monitoring, the board should direct management to provide information and data on the identification of risk, monitoring and management of risk and procedures in place to ensure that risk activities are properly addressed at each level. On a quarterly basis, the CCO should update the company’s risk profile based on compliance monitoring activities.
2. Culture and Compliance Controls: The board has to assist in defining the company’s culture, its values and principles, and take responsibility for the management and oversight of the company’s culture. To that end, the board itself should develop a two-prong strategy: communication and conduct. The board has to commit itself to communicating and conducting itself in furtherance of the company’s defined culture.
As part of its oversight and monitoring responsibilities, the board has to hold the CEO, senior management and the CCO to the same standard – what communications activities and conduct they plan to perform to further the company’s culture and its values.
On the more granular, but equally important, level, the board has to ensure that the CCO has put into place appropriate mechanisms to measure, monitor and evaluate the company’s culture. The board’s expectations should be clear – our culture is our most important asset, so what specifically is the CCO doing to preserve and promote it? It is critical for the board to make clear to the CCO that it expects quarterly reports on issues relating to the company’s culture, whether company-wide, focused on specific high-risk areas or operations, or covering other appropriate inquiries.
3. Measurement and Performance: With the input of the CEO, senior management and the CCO, the board should develop accurate and appropriate metrics for the compliance program, focusing on the company’s culture and its compliance controls. The board has to demand a new compliance dashboard that includes relevant measurements, not just data that reports on completion of specific compliance tasks (e.g. training sessions held, attendance, certifications). In this area, the board has to demand measurements that answer the questions of whether management and employees understand the requirements of the code of conduct and the law, whether their behavior conforms to these requirements, and if not, why not, and whether they understand the company’s culture and the expectation that its value principles apply to their day-to-day responsibilities.
4. Gap Analysis and Remediation: The board needs to understand exactly the gap between the company’s risk profile and its compliance program. To the extent these gaps are analyzed, the board has to demand plans, and a timetable, from the CEO and the CCO to remediate them. In prioritizing this gap analysis, the board should focus on each gap and the risks it creates, and prioritize the remediation based on this analysis. The CCO has to be held accountable in this area for the specific analysis and for the timetable for remediation.
5. Continuous Functions: As the board understands its oversight and monitoring responsibilities, it has to ask a continuing question – based on the company’s operations, to what extent are the company’s culture and compliance program generating the information and data needed to adjust and improve its compliance program? The board has to ensure that the CCO and the CEO are implementing sufficient controls, generating relevant data, analyzing such data, and presenting the board with insights, opportunities and recommendations to improve and revise the company’s compliance program.