We are back to consider the next five stories from The Casebook of Sherlock Holmes, mining each story for themes and lessons related to the compliance professional, leadership and business ethics. In this week’s third offering, I consider The Adventure of the Creeping Man. From this story we take the Holmes utterance to Watson “Come at once if convenient—if inconvenient come all the same”. This informs today’s discussion how Boards of Directors can be more involved in compliance through more effective oversight of risk management.
In this story, a man named Trevor Bennett comes to Holmes with a most unusual problem. He is personal secretary to Professor Presbury’s and is engaged to his only daughter, Edith. Professor Presbury, 61, is engaged to Alice Morphy, a colleague’s daughter. Bennett reports to Holmes that the Professor is receiving strange packages from the Continent; his behavior is even stranger and most significantly, he has been attached more than once by his faithful wolfhound who is now chained in the barn.
The Professor’s odd behavior occurs at regular intervals and becomes stranger after Bennett’s visit to Baker Street. The Professor is seen bounding along on all fours; Holmes quickly concludes the Professor is taking an animal extract that is causing the bizarre behavior.
When, on a final rampage, the Professor is nearly killed by his formerly faithful dog, Holmes and Watson are able to find the extract, from langurs, that is causing the odd behavior. Although it has apparently given the Professor renewed energy, it has also given him some langurs traits.
I thought of this story as a good way to introduce risk management and compliance at the very top of an organization. With any public and most private US companies, it starts at the Board of Directors. But what is the role of a company’s Board in a compliance program? First, a Board should not engage in management but should engage in oversight of the Chief Compliance Officer (CCO). The Board does this through asking hard questions, particularly around risk assessment, risk identification and risk management.
In a white paper entitled “Risk Intelligence Governance – A Practical Guide for Boards”, it laid out six general principles to help guide Boards in the area of risk governance. I have adapted them for the compliance function.
- Define the Board’s role.There must be a mutual understanding between the Board, Chief Executive Officer (CEO) and senior management of the Board’s responsibilities.
- Foster a culture of compliance risk management. All stakeholders should understand the organization’s compliance risks involved and manage such risks accordingly.
- Incorporate risk management directly into a compliance strategy. Oversee the design and implementation of risk evaluation and analysis.
- Define the company’s appetite for risk around compliance. All stakeholders need to understand the company’s appetite or lack thereof for risk.
- Execute the compliance risk management process. Maintain an approach that is continually monitored and has continuing accountability.
- Benchmark and evaluate the compliance process. Systems need to be installed which allow for evaluation and modifying the compliance process as more information becomes available or facts or assumptions change.
All of these factors can be easily adapted to Board-level Compliance Risk Management oversight. Initially, it must be important that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s CCO to either the Audit Committee or the Compliance Committee. Every Board should create a Compliance Committee to deal with compliance issues, as an Audit Committee may more appropriately deal with financial audit issues. A Board Compliance Committee can devote itself exclusively to non-financial compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information, the Board can give oversight to any modifications to managing Foreign Corrupt Practices Act (FCPA) risk that should be implemented.
CCO reporting to the Audit/Compliance Committee must be structured carefully to promote ethics and compliance. Here are five best practices to help guide the reporting.
Quarterly reports. The CCO should report in person to the committee every quarter. If the CCO submits a written report and does not appear before the committee, the failure to appear before the committee reflects a defective relationship. The quarterly report is critical for both the CCO and the committee to hear about compliance performance and challenges.
Executive session. Every quarterly report should be concluded with an executive session where the CCO and committee can have a frank discussion on any potential issues. It is a valuable opportunity to raise important issues. An executive session demonstrates that the CCO is independent and empowered within the organization and reinforces the CCO’s direct access to the Board.
Sitting in on other reports. The CCO should sit in the committee meeting when other important officers report to the committee. For example, the CCO should attend presentations by internal audit, General Counsel (GC) and Chief Financial Officer (CFO). The CCO has a macro-view of the company and needs to be informed as to issues in other areas that may be significant and have compliance implications.
Informal relationship. A CCO should actively maintain an ongoing informal relationship with the chair of the committee. A CCO has to have the ability to pick up the phone and call to chair to discuss issues that may arise. A weekly meeting for coffee or a meal is important to develop and maintain the relationship.
Annual report to full board. A CCO should report to the full Board once a year. The compliance committee quarterly reports are important, but the full Board needs to hear about the challenges and risks facing the company, as well as improvements needed for the ethics and compliance program.
Join us tomorrow as we mine the story of The Lion’s Mane for its compliance lessons.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2019