The Office of Inspector General (OIG) white paper, “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (OIG Guidance), provides an excellent road map for thinking about how to structure a Compliance Committee for your Board and about a Board’s obligations.

As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be a corporate information and reporting system and that such reporting mechanisms must provide appropriate information to a Board. It states:

The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.

The OIG Guidance sets out four areas of Board oversight and review of a compliance function:

  1. Roles of, and relationships between, the organization’s audit, compliance, and legal departments;
  2. Mechanism and process for issue-reporting within an organization;
  3. Approach to identifying regulatory risk; and
  4. Methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.

While noting that a corporate compliance function should promote the prevention, detection and remediation of compliance violations, the OIG Guidance goes on to state that an organization’s Chief Compliance Officer (CCO) “should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.” Rather, the Board must ensure the CCO and compliance function have the resources to fulfill their assigned role within an organization and access to the Board. The Board should evaluate and discuss how management works together to address risk, including the role of each in:

  1. Identifying compliance risks,
  2. Investigating compliance risks and avoiding duplication of effort,
  3. Identifying and implementing appropriate corrective actions and decision-making, and
  4. Communicating between the various functions throughout the process.

A key component of Board oversight is the flow of information. According to the OIG Guidance, the Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts. These reports can come to the Board via a variety of reporting mechanisms: regular Board meetings, special Executive Sessions where the Board meets with the CCO or compliance leadership outside the presence of senior management, and ad hoc communications from the CCO. All of these reports help to create a “continuous expectation of open dialogue,” which is paramount for proper Board oversight. Of course, if a serious compliance issue arises, it needs to be communicated directly, and in a timely manner, to the Board.

But in addition to setting the expectations for the flow of information, a Board must also set expectations for holding senior management accountable for areas such as compliance. This can be done through the assessment of “individual, department, or facility-level performance or consistency in executing the compliance program” and using this information to pay out or withhold discretionary bonuses “based upon compliance and quality outcomes.” The OIG Guidance notes, “Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals. Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met.” The key component, however, is that the organization delivers the message that everyone is responsible for compliance.

A Board also needs to have regular reports on the risks that any organization may face. This means keeping abreast of “relevant and emerging regulatory risks, the role and functioning of an organization’s compliance program in the face of those risks and the flow and elevation of reporting of potential issues and problems to senior management.” The OIG Guidance speaks to technological solutions on this:

Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care.

Moreover, a Board should also mandate that the company’s compliance function have the proper tools in place to facilitate compliance reporting internally, especially tools that can track and identify trends in performance that may be red flags and call for corrective action.

Ultimately, a Board should drive home the message of compliance as a way of life so that it permeates the DNA of an organization. If a Board can help drive compliance into the fabric of an organization, it will have done more than simply fulfill its legal obligations beginning with the Caremark decision and going forward. The Board will have helped to make the entire organization more compliance-centric, and when a Board can help to facilitate such a change in attitudes, it will have moved the organization several steps down the road of doing business in compliance with relevant laws.

The OIG Guidance is an excellent review not only for compliance professionals and others in the healthcare industry but also a good primer for Boards on their own duties under a best practices compliance program. The US Sentencing Guidelines, the Hallmarks of an Effective Compliance Program, the OIG Guidance, and OIG Corporate Integrity Agreements can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2020

What are the obligations of a Board member regarding the FCPA? Are the obligations of the Compliance Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? The case of Stone v. Ritter stands for the proposition that there is “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists.” From the case of In re Walt Disney Company Derivative Litigation, she drew the principle that directors should follow best practices in the area of ethics and compliance. The Board has the role of monitoring the performance of the compliance function, including monitoring its performance using customary economic metrics, and of overseeing compliance with applicable laws and regulations. While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem that it believes management is not properly handling.

There is no reference to prudent discharge in the FCPA itself. However, a Board member might well think more than twice about the prudent discharge of duties to the shareholders, as both the DOJ and SEC may now wish to look into a Board’s prudent discharge of duties under the FCPA.

Three key takeaways:

  1. What is prudent discharge?
  2. What is your process for doing compliance at the Board level?
  3. A Board must have active rather than passive engagement around compliance.

This month’s sponsor is Affiliated Monitors, Inc.

This week, we return to Sherlock Holmes-themed blog posts. We finished the review of The Adventures of Sherlock Holmes and now move on to The Memoirs of Sherlock Holmes. Today we consider The Adventure of the Stock-Broker’s Clerk. Leslie Klinger, in “The New Annotated Sherlock Holmes Volume 1”, said, “The world of money has changed little in 100 years, and ‘The Stock-Broker’s Clerk’ tells a thrilling tale of ‘identity theft’ that might be drawn from today’s headlines.”

In a case which sounds suspiciously close to The Red-Headed League and The Three Garridebs, a stockbroker’s clerk is lured away from his place of employment so that imposters can try to rob it. The clerk, Hall Pycroft, consults Holmes with his suspicions concerning a company that has offered him a very well-paying job. He was approached by one Arthur Pinner, who offered him a managership with a newly established hardware distribution company, to be based in France.

Pycroft is sent to Birmingham to meet Pinner’s brother and company co-founder, Harry Pinner. He is offered a very well-paid post with £100 in advance and is asked to sign a document accepting the post and is also asked not to send a letter of resignation to his would-be employers. He immediately commences his duties, but he is concerned about the unprofessional aspects of the business and their sparse offices. (Sounding resoundingly like The Red-Headed League?)

Holmes deduces that the whole point of the exercise was to obtain an example of Pycroft’s handwriting so that a ‘fake’ Pycroft could be employed at his stock brokerage firm, which keeps a vast stock of valuable securities, and act as the safebreaker. Holmes and Watson subsequently learn that the stock brokerage has sustained an attempted robbery, but that the criminal had been captured, although the weekend watchman had been murdered. Beddington, the forger and cracksman, was the miscreant, masquerading as Pycroft. American railway bonds worth nearly £100,000 were taken, together with a large amount of scrip in mines and other companies, but the police recovered them from the would-be thief.

I thought about this story as an introduction to the topic of the foundational nature of a Code of Conduct and why it is so important to a compliance program in general. A Code of Conduct should be used as a way to capture the risks and the issues that the organization faces. These are the major concerns that the organization has in terms of the type of business it is in, where it is operating and other factors of that nature. Obviously, this can be a wide variety of things such as anti-corruption, anti-money laundering (AML), trade sanctions, anti-trust, anti-discrimination and harassment and a myriad of others.

Moreover, by capturing these major issues within a training experience that is delivered across the organization and to all employees, it helps to level set everybody within the company in terms of what those issues are. It literally puts them at the top of mind for the company, as employees understand the highest risk areas they need to be focused on. Additionally, the Code of Conduct is a source of that information and also of where to go for more help. In many cases, a Code of Conduct will point to other policies, procedures or other resources that serve to provide the support that employees might need as they go about their day-to-day business. It can also help the speak-up culture of an organization by providing information on internal reporting, a commitment to non-harassment going forward and a recitation of the company’s values.

One of the key themes of the 2020 Update was the importance of a risk assessment for all aspects of your compliance program. Additionally, the 2020 Update made clear the relationship between risk assessment and Code of Conduct training going forward. A risk assessment informs the content of the company’s Code of Conduct itself by identifying the topics and the issues that relate to the risks that the organization faces.

When you consider Code of Conduct training as the foundation of all of the compliance training to be delivered within the organization, it becomes clear that everybody in the company needs to be familiar, even if only at a high level, with the risks that the company faces on a day-to-day basis. By aligning Code of Conduct training with the results of the risk assessment, you can ensure that the right content and messaging is being presented as part of that foundational Code of Conduct training. Moreover, by using your risk assessment to pinpoint key areas for training, you can have both a more focused and a more effective Code of Conduct training.

I hope you will join me tomorrow where I consider The Adventure of the Gloria Scott.


In today’s edition of 31 Days to a More Effective Compliance Program, I am joined by Vin DiCianni, founder of Affiliated Monitors. Vin provides insights into how the use of data can facilitate the management of third parties after the contract is signed.

3 Key Takeaways:

  1. The process of collecting data cleans up much risk and provides cost savings.
  2. More reliable data about third parties will facilitate their more effective management.
  3. Using data to manage third parties will further operationalize your compliance program.