Where does “Tone at the Top” start? For any public and most private US companies, it starts at the Board of Directors. But what is the role of a company’s Board in FCPA compliance? We start with several general statements about the role of a Board in US companies. First, a Board should not engage in management; it should engage in oversight of the CEO and senior management. The Board does this by asking hard questions and by assessing and identifying risk.
In a recent White Paper entitled “Risk Intelligence Governance: A Practical Guide for Boards”, the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of compliance risk governance. I have adapted them for the Board’s role around compliance.
- Define the Board’s role: there must be a mutual understanding between the Board, the CEO and senior management of the Board’s responsibilities.
- Foster a culture of compliance risk management: all stakeholders should understand the compliance risks involved and manage such risks accordingly.
- Incorporate compliance risk management directly into strategy: oversee the design and implementation of compliance risk evaluation and analysis.
- Help define the company’s appetite for compliance risk: all stakeholders need to understand the company’s appetite, or lack thereof, for compliance risk.
- Execute the compliance risk management process: the compliance risk management process should be continually monitored and have continuing accountability.
- Benchmark and evaluate the compliance process: systems need to be in place that allow the compliance risk management process to be evaluated and modified as more information becomes available or as facts or assumptions change.
All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. First, the Board must have direct access to information on the company’s policies in this area. The Board must receive quarterly or semi-annual reports from the company’s Chief Compliance Officer, delivered to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee, since the Audit Committee is more appropriately occupied with financial audit issues; a Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role is to receive such regular reports on the structure of the company’s compliance program, its actions and its self-evaluations. From this information the Board can provide oversight of any modifications to the management of FCPA risk that should be implemented.
There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the Securities and Exchange Commission (SEC) desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Reg SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company which fails to make it to fines, penalties or profit disgorgement.
Three Key Takeaways
- The Board’s role is to keep really bad things from happening to a Company.
- There are six general areas the Board can inquire into and lead from.
- SEC Reg SK 407 may put greater scrutiny on Boards.
What are 6 fast and efficient areas of inquiry for a Board around compliance?