Does Your Board Know How to Conduct Oversight and Monitor Your Compliance Program?
There is nothing training cannot do. Nothing is above its reach. It can turn bad morals to good; it can destroy bad principles and recreate good ones; it can lift men to angelship. – Mark Twain
I am always struck by how much is written about tone-at-the-top, board commitment to compliance and specific benchmarking of chief compliance officer access and reporting to a corporate board and/or audit/compliance committee without asking a fundamental question — does the Board even know how to conduct oversight and monitoring of a company’s ethics and compliance program? To put it bluntly, most corporate boards do not know specifically how to effectively monitor the company’s compliance program.
The challenge for the chief compliance officer is two-fold – first, to get access to the board for a “training” session; and second, to deliver a message (which is continually reinforced) that the board has to learn how to monitor and assume oversight responsibility for the company compliance program. A CCO has to use his/her diplomatic and inter-personal skills to communicate to the board this important message.
The CCO has to cover a number of important topics, including:
- Board responsibility for independent review of a company’s compliance program;
- What information should the board require and how often should such information be provided to the board?
- Elements of an effective ethics and compliance program;
- Requirement that company has “devoted adequate staffing and resources to the compliance program.” Management, resources and operation of compliance program;
- Company culture, assessment, trends and measurement;
- Budget, resources and planning in relation to business, growth, development and planning;
- Trending issues and priorities for addressing gaps;
- What are the company’s legal and compliance risks, who are the stakeholders, and what is the process for risk evaluation and analysis (as well as continuous monitoring)?
- Familiarity with Code of Conduct;
- Complaint, Reporting and Detection of Issues; and
- Internal investigation program performance: significant investigations, trends and data.
This list is not exhaustive and has many subparts that can be added. But as a starting point, the board should understand each of the above-listed topics and be able to articulate the importance of each topic and how they relate to each other.
Also, a board has to understand how to communicate with the CCO and develop a robust communication framework. In particular, the board has to inquire about the CCO’s position and function within the company. These issues include:
- Is anyone or any operational function preventing you/CCO from implementing any of the elements of an effective ethics and compliance program?
- Does the ethics and compliance function have adequate independence, authority and resources?
- Are there any issues that have been reported to you/CCO or that you learned of that are not being addressed?
- Are we aware of and staying current on trends in enforcement and effective compliance programs? If there are gaps in our program, how are we addressing these areas?
- What is the current assessment of our culture? What specific metrics are supporting your assessment?
- What steps can the board and/or senior management take to support the compliance program?
- Do you/CCO feel that leadership and employees are comfortable reporting potential issues, and are these issues being appropriately addressed?
- Have we had any allegations of retaliation? What steps are we taking to identify subtle attempts to retaliate?
- Are we identifying and prioritizing the company’s ethics and compliance risks? Is our program tailored properly to our current and short-term risk profile?
- Are we appropriately holding senior management and employees accountable for ethics and compliance responsibilities?
- What steps and controls have we implemented to monitor and audit our program, potential misconduct, and detect wrongdoing? How is this program working?
These are just a sample of basic questions for discussion between the CCO and the board. There are many other issues that can develop depending on the company’s circumstances.
The board has a fundamental responsibility – to learn about compliance, to require basic information needed to ask the right questions and evaluate the answers, and to ensure a healthy relationship between the board and the CCO.