This week has evolved into an exploration of different types of compliance committees a company might employ to make their compliance function more effective. On Monday, together with Baker Hughes Incorporated (BHI) Chief Compliance Officer (CCO) Jay Martin, we considered the BHI GeoMarket Compliance Committee. Yesterday, I advocated that Boards of Directors should now have a Compliance Committee separate and apart from their traditional Audit Committee, to focus more directly on compliance and risk issues an organization might face. Today, I want to consider another type of compliance committee which I call the Compliance Oversight Review Committee.
The Compliance Oversight Review Committee sits between the CCO and the Board’s compliance committee. The role of this Compliance Oversight Review Committee is to provide oversight and review of items such as third party approvals and renewals, requests for payments from third parties and significant gift, travel and entertainment requests from employees. There should be some type of oversight which can be reviewed on a monthly or quarterly basis as part of a company’s management of risk.
As far back as January, 2005, the Deferred Prosecution Agreement (DPA) entered into between the Department of Justice (DOJ) and the Monsanto Company provided for “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or an Oversight Committee. The scope of this Oversight Committee is not fleshed out in the DPA. While many have focused on the Oversight Committee to monitor agents and other third party business representatives, the role of the Oversight Committee can be broader than simply agents and representatives. A major purpose of an Oversight Committee is to act as redundant backup to the books and records internal controls systems which are designed to detect violations of a company’s compliance program.
It should be clear the role of the Compliance Oversight Review Committee is not to substitute its judgment for that of the CCO but rather to provide another level of review to make sure nothing slips through the cracks which might expose the company to unwanted risk. This can begin with a clear, written charter that sets out the functionality, goals, and parameters of the group. Moreover, the Compliance Oversight Review Committee should be reviewed on a periodic basis to determine usefulness and effectiveness.
To this end, the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual (2016 ed.) suggests the following language in its proposed form of Compliance Committee Charter:
The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.
Who should be on an Oversight Committee?
The Monsanto DPA provides guidance on this point by stating, “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Oversight Committee. It would also indicate that more than one department should be represented on the Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations. The bottom line is that the CCO should chair a committee of her peers/senior level officers in a position to make decisions and marshal resources.
What Should the Oversight Committee Review?
There are a variety of approaches that an Oversight Committee can assume. It can dive down deeply ‘into the weeds’ for transactions which the company has identified as high risk. This can be the review of agents or other representatives in high risk areas or transactions in high risk countries. The Oversight Committee can use techniques such as continuous controls monitoring to identify any outliers of payments or other indicia of financial information which would warrant additional investigations. In addition to the above remedial review, the Oversight Committee should review all payments requested by agents and representatives to assure such payment is within the company guidelines and is warranted by the contractual relationship with the company. Lastly, the Oversight Committee should review company sales or business development requests to provide compensation and, as appropriate, reimbursement for gifts, travel and entertainment of foreign governmental officials.
The oversight of Foreign Business Partners is one of the key mechanisms that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the Foreign Corrupt Practices Act (FCPA). The proper structure of the Oversight Committee and its full engagement with all aspects of a company’s relationship with a Foreign Business Partner is one of the areas that the DOJ will look for in a successful FCPA compliance program.
However, it is incumbent that each Compliance Oversight Review Committee should be designed to review the highest risks to your organization. If your company’s highest compliance risk is third party relationships, you should focus your compliance committee resources on that issue. The scope of this was not fleshed out in the Monsanto DPA. However, it suggested that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would most necessarily focus on FCPA compliance, there should also be a commercial component to this function. The Compliance Oversight Review Committee should therefore review all documents relevant to the five-step lifecycle management of third parties.
In addition to the above remedial review, the Compliance Oversight Review Committee should review all payments requested by the third party to assure such payments are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the Committee should review any request to provide the third party with any type of non-monetary compensation and, as appropriate, approve or decline such requests.
The Compliance Oversight Review Committee is a key tool which can be utilized by a company to manage its risks. The books and records component of internal controls is one level of prevention and detection. The review by a Compliance Department for requests for travel for and gifts and entertainment to foreign governmental officials and the lifecycle management of third parties is also an important step in the prevention process. However, the Compliance Oversight Review Committee is another step which I believe can also act as a detect prong and should be employed by companies as an additional protection against any type of compliance and ethics violation slipping through the cracks to become a much larger problem down the road. Companies should implement a Compliance Oversight Review Committee and review the systems they have in place to detect risky conduct.
The Compliance Oversight Review Committee is critical in a best practices compliance program.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016