Under the US Sentencing Guidelines, the Board must exercise reasonable oversight over the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Moreover, the FCPA Guidance requires a CCO to have direct access to the Board or an appropriate sub-committee. The Guidance also requires a tangible commitment from the top levels of an organization, starting with the Board of Directors, that the company create an ethical culture.
At the Board of Directors level, a Board Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. While many companies have fulfilled these obligations through an Audit Committee, clearly the better practice is to have a separate Compliance Committee. The reason is clear: compliance has become not only central to any well-run business but also critical to overseeing a wider variety of risks than the typical Audit Committee, which is usually aimed only at financial risks, has experience with.
The Board Compliance Committee should begin its inquiry with a basic question: ‘How do we know it is working?’ In other words, is a company’s compliance program living up to the hallmarks of an effective compliance program in the eyes of the government? Here I lay out four areas of more specific inquiry.
The Board Compliance Committee should obtain information on the processes to carry out the compliance function, rather than details on specific compliance issues. They need to understand that there is a single individual or internal corporate discipline keeping track of the compliance function and making sure that it is being handled properly. They need to understand that there is a system in place that keeps track of compliance requirements.
Another area of interest for the Board Compliance Committee should be hotlines or other internal reporting mechanisms. Here, the Board Compliance Committee needs to know details about both inbound issues and the responses thereto. On the inbound side, this means details about who answers the reports that come in via either email or phone, how this information is triaged and in what time frame. It also requires an understanding of whether the reporting system is truly anonymous, with no use of caller-ID or GPS tracking.
The next series of questions deals with the responses to any information which comes to the attention of the company, including such basic inquiries as: How are the reports classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions, or is it outsourced? Finally, what is the response rate and response time?
The Board Compliance Committee must know who is accountable and responsible for each segment of a compliance program. They should obtain assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management so it can assess accountability. While it is true an effective Board Compliance Committee will allow management to do their job running the business on a day-to-day basis, and they understand that their job is to set long-term strategy.
Strategic planning is another area well suited for oversight by a Board Compliance Committee. For such a committee to be both effective and informed, it must have an appreciation not only of where the corporate compliance function stands at the present moment, but also of a strategic plan for how the compliance and ethics program can continue to grow. Similarly, Stephen Martin, a partner at Arnold and Porter, has long advocated a 1-3-5-year compliance game plan. However, a Board Compliance Committee should demand the compliance function be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, you want to get your board’s attention on the changes which may need to happen with the [compliance] program.
Today’s regulatory climate and hyper-transparency in social media make a Board Compliance Committee’s task seem Herculean. But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Boards of Directors. It is incumbent on Boards to seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage. A Board Compliance Committee is a good place to start.
- This committee exists to provide oversight and assist the CCO, not to substitute its judgment for that of the CCO.
- This committee should work to hold the CCO accountable to hit appropriate metrics.
- This committee is ideal for leading the efforts around strategic planning.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.