What are metrics for a Board of Directors around compliance? Former Assistant Attorney General Leslie Caldwell laid out some that the Department of Justice (DOJ) would consider in a review of compliance programs. These metrics are:
- Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
- Does the Board maintain a material role in overseeing a company’s overall compliance framework?
These requirements move beyond simply having the correct tone at the top, which every Board should articulate. The 2020 Update to the Evaluation of Corporate Compliance Programs added the following, under Oversight by posing the following questions: What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
Based on the foregoing, when determining the Board’s role, begin with two questions. First, does the Board of Directors exercise independent review of a company’s compliance program? Second, is the Board of Directors provided information sufficient to enable the exercise of independent judgment?
A Board of Directors should take a more active role in overseeing the management of risk within a company. Now this includes having a compliance program in place and actively overseeing that function. This means if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place; the Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. Some of the areas for hard questions include:
Corporate compliance policy and Code of Conduct. Is there an overall governance document that will inform the company, its employees, stakeholders, and third parties of the conduct the company expects from an employee, translated into appropriate local languages? Is there documentation regarding delivery and training on this or these documents? What information is there on training effectiveness?
Risk assessment. Has the Board assessed the compliance risks associated with its business? Have the highest risk areas received sufficient attention in the risk management process? Has the Risk Assessment been used as a road map to manage the risk determined? What is the status of this risk management road map?
Implementing procedures. The Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy. Once again, have these implementing procedures been translated as appropriate and do employees understand these procedures? Are all of the above documented?
Training. Has the Board been trained to understand its role in an effective compliance program?
Monitor compliance. Has the Board independently tested, assessed and audited to determine if its compliance policies and procedures are a living and breathing program, and not just a paper tiger? What expertise is available either on the Board or to the Board?
There are several paths a Board can take to fulfill this duty. Obviously, the full Board can be apprised of compliance issues and handle them appropriately. However, this may be unwieldy or not workable if there is a large Board and the compliance function only has limited time to present a quarterly and annual report. The Board Compliance Committee is usually considered a natural venue for the compliance function to report to at the Board level.
It is time for companies to create a committee separate and apart from the Audit Committee. This Board-level compliance committee should be charged with oversight of compliance and ethics but could also be the reporting venue for anti-money laundering (AML) compliance, export control compliance and all other such disciplines within an organization. Further, after the numerous corporate scandals over the past few years (Wells Fargo, Boeing, Uber, Facebook, only to name a few); not only has a robust compliance program become a must but direct and transparent Board oversight may be the only thing stopping injury to your reputation from a competitor’s illegal or unethical conduct.
Three key takeaways:
- The DOJ expects active engagement by a Board around compliance.
- Does the Board exercise independent review of the compliance program?
- The convergence of the Yates Memo, Caldwell’s metrics, the Evaluation and FCPA Corporate Enforcement Policy mandate Board metrics around compliance.