The Fundamental Foundation – Board Oversight of Corporate Ethics and Compliance Programs
Jonathan Marks, Partner, Baker Tilly, joins us for a posting on the importance of corporate board oversight of ethics and compliance programs. Jonathan’s profile is here and his email contact is firstname.lastname@example.org.
Under the U.S. Federal Sentencing Guidelines, in order to receive credit for having an effective compliance program, and thereby reduce the fines imposed on the organization, a Board of Directors must be “knowledgeable about the content and operation of the compliance and ethics program,” and must “exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” In addition, in criminal actions against a business organization, including the FCPA, the DOJ’s Justice Manual instructs prosecutors to ask and answer several questions, including:
1) Do the Directors exercise independent review of the company’s compliance program? and
2) Are Directors provided timely and accurate information sufficient to enable the exercise of independent judgment?
The SEC’s and DOJ’s November 2012 Resource Guide provides, “Compliance begins with the board of directors.” Directors’ obligations were expanded in the DOJ’s 2019 guidance, Evaluation of Corporate Compliance Programs, which mandated Board oversight by posing the following questions:
What compliance expertise has been available on the board of directors?
Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?
What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
Unpacking each one of these reveals the basic Board requirements in any best-practices compliance program. It all starts with expertise on the Board. Does the Board have a compliance subject matter expert on the Board or as chair of the Compliance Committee or sitting on the Audit Committee? If not, why not? Does the Board have a former CCO or other person with significant experience in the nuts and bolts of compliance sitting on it? Is there someone on the Board who can cut through the numbers presented to the Board to ask tough, probing questions of the CCO?
If there is not such a person sitting on the Board, is there a subject matter expert available to the Board who is separate and apart from the compliance expert resources the company uses to assist the compliance function? Is that person a resource to the Audit Committee or other Board sub-group or subcommittee, and does he or she report only to the Board so that there is no conflict of interest with any other corporate function?
The next inquiry involves whether the Board provides access to the CCO for executive sessions. In other words, does the Board receive information in an unfiltered manner? This is regardless of to whom the CCO may directly report, such as a General Counsel or even CEO. Here, the DOJ recognized the corporate reality that unless the CCO can have unfettered access, the CCO could be cut off or shut down by a CEO, simply through minimizing the face time in front of the Board to as little as 15 minutes per year. In short, to fulfill its oversight obligations, and to ensure that it is receiving timely and accurate information, the Board must provide the CCO with regular, unfettered access, without fear of repercussion.
The third and final question goes towards the Board’s obligation to actively participate in the compliance function. One might view this as the flip side of the CCO access; because this inquiry focuses on the Board’s affirmative examination of the compliance program. What information has the Board received from the CCO that it tested or took a deep dive into so that it could examine if a compliance program was fully operationalized in an organization? The “fundamental” questions that a prosecutor will ask are: 1) “Is the corporation’s compliance program well designed?” 2) “Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?” and 3) “Does the corporation’s compliance program work in practice?” If a prosecutor will be asking these questions of a corporation, then any responsible Board member better be asking those questions of the CCO and management. In light of available pronouncements regarding the Board’s obligations, a director may breach his or her duty to a corporation and its shareholders by failing to establish and examine the compliance program.
A Board must not only have a corporate compliance program in place, but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions and independently assess the answers. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.
Taken collectively, these points drive home the absolute requirement for Board participation in any best-practices or even effective compliance program. Separately, in a series of rule-making pronouncements, the SEC has also made clear that it believes a Board should take a more active role in overseeing the management of risk within a company. Moreover, under the FCPA and other criminal statutes, a director may be personally fined and jailed for an FCPA violation.
Notably, foreign regulators and prosecutors agree. For example in the UK, it is best practice for a Board to “provide active oversight of the implementation of the anti-bribery policy and programme,” and the Board “should inform themselves of the risks and appropriate policies and procedures required,” because the “board is accountable to shareholders and other stakeholders on how well the company is meeting its commitments to doing business ethically (including being free from bribery).” See Transparency International UK, “Global Anti-Bribery Guidance: Best practice for companies in the UK and overseas,” Governance section, available here.
A Board’s oversight is part of effective compliance controls, the failure to do so may result in something far worse than bad governance. Such inattention could directly lead to a FCPA violation and could even form the basis of an independent SOX violation. The bottom line is that there are significant legal, regulatory and risk management reasons for the Board to be actively involved in any compliance program. Oversight is the Board’s primary role, but it must from time-to-time take a deep dive into a compliance program component to test the design, implementation and effectiveness of the compliance program.
Minimum Best Practices
The specific deficiencies noted in the recent case, Marchand v. Barnhill, No. 533, 2018 (Del. June 18, 2019), which involved the directors and officers of Blue Bell Creameries’ serve as a helpful guide to the minimum best practices under Delaware law a board should consider
- Dedicating a committee to its main compliance risks;
- Establishing protocols requiring management to keep it apprised of compliance practices, risks, and reports;
- Setting a schedule to assess its main compliance risks on a regular basis;
- Formulating procedures for the communication of red or yellow flags to the board and memorializing the associated discussions in board minutes; and,
- Arranging for and documenting regular discussions of compliance risks at board meetings.
Directors cannot take an ostrich-like approach to their fiduciary obligations, and so they must take active steps to oversee the operations of the corporation and become informed about the risks confronting the company along with the focus and effectiveness of the compliance program.