“There is too much information. We spend too much time looking at things that are okay. We need to figure out how to concentrate on what is really important.”
—2009 National Association of Corporate Directors Blue Ribbon Report
Board engagement, training and reporting form a critical but often overlooked area of practice for the chief ethics and compliance officer (CECO). In 20+ years of practicing in the field, both as an in-house CECO and as an outside advisor, I have encountered countless programs that have, on paper, all the elements of an effective program as envisioned by the US Federal Sentencing Guidelines (FSG) and other standards. Many of these programs are implemented with the best of intentions and feature most, if not all, of the FSG bells and whistles. Yet so many lack the foundational components necessary to make those programs actually work as intended: active, knowledgeable Board engagement and a visible mandate from the top of the organization.

Little practical advice has been offered about engaging, training and reporting to the Board, likely because most CECOs are struggling just to get some face time on the Board (or Audit Committee) agenda, and because the profession is still on a learning curve in a rapidly evolving area of practice. At the same time, a number of high-profile settlements and important policy developments have bolstered the case for heightened Board oversight through direct, unfiltered reporting by CECOs to the governing authority. A recent RAND Symposium, Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know (RAND Directors Symposium), explored the role of director oversight of compliance and ethics, with some important takeaways on the state of Board readiness and education. Notably, the 2009 Report of the NACD Blue Ribbon Commission, Risk Governance: Balancing Risk and Reward, finds that 51.6 percent of directors surveyed named “[D]irectors’ understanding of how to execute risk oversight” as their top challenge. Yet despite the increased expectations on Board oversight of compliance and ethics, a 2009 survey of 1,600 Association of Corporate Counsel members found that:
Only half of the survey respondents reported that their organizations assess in any way whether they operate ethically; more broadly, just over a third reported having a mechanism for assessing whether their organizations operate responsibly.
Only half of the respondents reported providing their boards with compliance or ethics training.
78 percent reported that their organizations never or only rarely undertake ethics risk assessments.
A Conference Board benchmarking survey of 225 companies in a broad spectrum of industries similarly raised questions about “the degree to which boards are sufficiently informed on compliance concepts and issues to chart the program’s future course,” finding that 58 percent of the surveyed organizations did not train the board consistent with Federal Sentencing Guidelines training criteria and, of those that did train, 31 percent did so for less than one hour annually.
A careful analysis of these developments, the available guidance and practical experience suggests that CECOs need to develop a much more robust approach to Board engagement, and that Boards need to assess the state of their understanding, training and reporting mechanisms on compliance and ethics matters. This chapter offers CECOs practical suggestions and guidance on crafting a successful strategy for Board engagement, training and reporting, with a view to supporting effective oversight by a “compliance-savvy” Board and encouraging a vigorous, best-practice approach to this critical CECO activity.
I. Board Oversight of Compliance and Ethics—A Rapidly Evolving Role
The CECO’s relationship with the Board should always begin with a shared working knowledge of the Board’s evolving role in overseeing compliance and ethics at the firm. This is an important opening conversation during any basic Board training (because effective learning needs to start with the “why”), and the CECO should also structure all communications with the Board in a manner that is fully responsive to the Board’s accountability for compliance and ethics governance. The mistake many CECOs make is providing the Board with too much information (all at one time), irrelevant information, or information without sufficient context. The art and science of Board engagement, training and reporting lies in developing a finely tuned sense of what kind of information, statistics and other data the Board really needs to see, and providing it in digestible, memorable, concise, easy-to-understand portions that form part of a continuing conversation about compliance and ethics in the firm. Discussion of the “what” and “how” of Board communication is set out below under item IV: “Practical Considerations in Engagement, Training and Reporting.”
Any effective communication begins with understanding the point of view of the audience. (When considering the Board audience, CECOs would do well to remember the opening quote above.) Outside of compliance and ethics, today’s Boards already have a duty of care to oversee a Sisyphean array of enterprise issues including risk management (financial and non-financial), CEO and senior management succession, executive compensation, corporate strategy, major transactions, and corporate responsibility. In a 2009 report on the role of the Board for enterprise risk management, the Committee of Sponsoring Organizations of the Treadway Commission noted that “The role of the board of directors in enterprise-wide oversight has become increasingly challenging as expectations for board engagement are at all time highs… But, the complexity of business transactions, technology advances, globalization, speed of product cycles, and the overall pace of change have increased the volume and complexities of risks facing organizations over the last decade.” Meanwhile, Boards have limited time and resources and multiple constituencies with often divergent interests, and receive an increasing volume of information and data with growing complexity and uncertainty. Viewed within this context, the CECO is entering a crowded field of information flow to the Board and therefore must make every word (and minute of Board agenda time) relevant, valuable, and directly supportive of the Board oversight role.
Add to this already daunting set of responsibilities the relatively new Board role of overseeing compliance and ethics. Though there is little discussion or guidance on this oversight role, one governance expert calls it “potentially one of the principal areas in which corporate directors face significant personal exposure.” In a recent RAND invited white paper, “Evolving Role and Liability of the Board of Directors for Ethics and Compliance Oversight,” Gary Brown of Baker, Donelson, Bearman, Caldwell & Berkowitz P.C., further observes that: “[D]irectors must remain constantly attentive to the compliance programs that they oversee, as new agency pronouncements and high-profile settlement agreements provide new insights on ‘effective’ compliance practice, and by extension, on the directors’ oversight role.”
Legal experts trace the definition of the Board’s responsibility for compliance and ethics to the Delaware Caremark decision (1996), as augmented by Stone v. Ritter (2006) and later cases. In the aggregate, these state court decisions establish the parameters of the Board’s duty of care for corporate compliance activities. But while Caremark and its progeny set the foundation for director oversight of compliance and ethics, these cases are only part of the story. Judicial pronouncements on the director duty of care must be read against the further guidance contained in the FSG, which set out the elements of an effective program to be overseen by the Board. The FSG further establish the Board’s obligation to be “knowledgeable” about the content and operation of the company program and to exercise “reasonable oversight” over its implementation and effectiveness. Still more detail on Board oversight is contained in the 2010 FSG amendments, which stress the significance of a “direct reporting obligation” by the CECO to the Board to avoid filtering of information by senior management. Other relevant developments include the Sarbanes-Oxley Act; the OECD Good Practice Guidance for Internal Controls, Ethics and Compliance (for anti-bribery efforts by companies in 38 nations); judicial and regulatory action; agency pronouncements; and an evolving body of high-profile settlement agreements. All of these sources bear on the Board’s oversight of compliance and ethics. A sampling of the standards and other developments informing Boards on their oversight obligations for compliance and ethics follows:
Delaware State Law Decisions (Caremark, Stone v. Ritter et al.)
As noted, the Delaware cases establish the basic parameters for the directors’ duty of care for corporate compliance activities. The key holding of Caremark, as affirmed in Stone v. Ritter: board members may be subject to personal liability if they (a) utterly fail to implement any reporting or information system or controls, or (b) having implemented such a system, consciously fail to monitor or oversee its operations (e.g., ignore red flags). Personal liability thus turns on a sustained or conscious failure of oversight, not on the mere occurrence of misconduct under a functioning program. These cases take on additional meaning when read against the more detailed standards of the FSG and other evolving guidance.
US Federal Sentencing Guidelines (including 2004 and 2010 Amendments)
In addition to defining the elements of an effective compliance and ethics program to prevent and detect organizational misconduct, the 2004 amendments expressly set out the directors’ duty to be “knowledgeable about the content and operation of the program” and to exercise “reasonable oversight” over its implementation and effectiveness. The expectation that the Board have direct accountability for oversight (i.e., not filtered by management) is further underscored by the 2010 FSG amendments, which make a personal, “direct reporting obligation” of the CECO to the Board one of the required criteria for a company seeking credit under the FSG where “high-level personnel” were involved in the misconduct.
Sarbanes-Oxley Act (2002)
The Sarbanes-Oxley Act established, among other things, new levels of accountability for directors of public companies, including the duty of the audit committee to establish procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters, so that such concerns reach the Board directly.
OECD Good Practice Guidance on Internal Controls, Ethics and Compliance
This annex to the 2009 OECD Recommendation for Further Combating Bribery of Foreign Public Officials in International Business Transactions sets out guidance on the anti-bribery compliance programs expected of companies in the 38 signatory nations, including the expectation of oversight by “senior corporate officers, with an adequate level of autonomy from management, resources, and authority.” Greater CECO autonomy from management translates, in turn, into direct, unfiltered reporting to and oversight by the Board.
Relevant Industry Standards
Some regulated industries such as health care have additional standards and guidance for Board oversight, such as the OIG/AHLA publication Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors.
In one $900 million settlement with the Office of Inspector General for Health and Human Services for kickbacks, fraud and other misconduct, the settling company agreed to unprecedented commitments regarding Board oversight, including a quarterly review and certification of the compliance program by the Board.
In another matter, in addition to criminal and civil fines of $2.3 billion for marketing abuses (then the largest criminal fine in corporate history), the settling company agreed to specific structures to ensure director oversight of the compliance program, including quarterly director certification of the program, a new reporting structure for the CECO that stipulates a direct reporting line to the CEO with direct access to the Board, and formation of a Compliance Committee chaired by the CECO.
In 2006, the US Attorney for the Western District of Pennsylvania entered into a settlement agreement with Mellon Bank after employees at its Pittsburgh office systematically destroyed tax returns rather than miss a deadline to process them on behalf of the IRS. The settlement agreement sets out clear undertakings by the Board to improve oversight of the compliance and ethics program, including Board training, issuance of a strong Board resolution on the Board’s role, and a direct reporting line and direct access for the CECO to the Board.
Siemens Settlements with Executive Board Members
As part of the fallout from the more than $1 billion in corruption and bribery penalties paid by the German industrial giant in the United States and Germany, the company individually pursued eleven former members of its managing and supervisory boards for failing to properly oversee the firm’s business practices, resulting in nine settlements of between $1 million and $5 million per director. The company is continuing to pursue the two remaining directors for damages.
Department of Justice—McNulty Charging Memorandum
The adequacy of Board oversight was expressly noted as a key factor to be considered by prosecutors in deciding whether to charge corporations. In a 2006 memorandum setting out internal guidance for prosecutors to use in deciding whether to charge corporations and in plea agreements, the Department of Justice (through the then-Deputy Attorney General, Paul McNulty) noted that in considering “the adequacy of a pre-existing compliance program,” prosecutors should ask, inter alia, whether the board of directors performed independent oversight instead of simply “unquestioningly ratifying officers’ recommendations.”
Agency speeches and pronouncements
Further guidance can be found in the speeches of various agency officials specifically addressing their expectations for the Board oversight role for compliance and ethics.
When communicating with the Board, the CECO should be able to articulate how oversight of compliance and ethics fits into the Board’s overall duty of care for enterprise risk management, and how the CECO can directly support this expanded Board responsibility through focused reporting. In fact, this discussion should be part of any initial Board training, to set the context for all subsequent engagement. Of course, there is sometimes a “chicken-and-egg” phenomenon in the CECO-Board relationship: a Board must understand its duties and the landscape of compliance and ethics before it can fully appreciate the CECO’s role in supporting it, while the CECO needs face time before the Board to articulate the context for the reports and to gain the Board’s confidence and support for the program and for continued engagement. For some Boards and CECOs, this initial stage may require the assistance of other influencers in the company, such as the General Counsel, the Corporate Secretary, a champion within the ranks of the Board, or an independent assessment of the program, to create engagement opportunities.