Rebecca Walker (firstname.lastname@example.org) is a partner in the law firm of Kaplan & Walker LLP, located in Santa Monica, California, and Princeton, New Jersey. She is a member of the Advisory Board of CEP Magazine.
Robust board oversight of a compliance program is critically important to creating adequate program independence and authority. With the recent Delaware court decisions in Boeing, Marchand v. Barnhill, and other cases, the importance of board oversight has been further underscored. These decisions create an important opportunity for organizations to review and update both their documentation and their practices regarding board oversight of compliance programs, including audit committee charters, compliance and ethics (C&E) program charters, and escalation protocols. This article provides a brief recap of two important recent cases, then discusses board oversight documentation and practices.
Delaware case law
In the seminal decision of In re Caremark International, the Delaware Chancery Court established that directors have a duty to oversee a corporation’s compliance program. The court in Caremark also made clear, however, that the standard for liability in Caremark cases is high. Despite this high bar, in several recent cases, Delaware courts have denied motions to dismiss Caremark claims and thereby created important guidance to companies seeking to ensure effective board oversight practices.
In 2019, the Delaware Supreme Court decided Marchand v. Barnhill, in which the court addressed the importance of board oversight of “compliance issues intrinsically critical to the company,” and pointed to the board’s failure to implement and oversee a compliance system related to that company’s most critical risk area: food safety. The court in Marchand stated that there is “a bottom-line requirement that is important: the board must make a good faith effort—i.e., try—to put in place a reasonable board-level system of monitoring and reporting.”
In 2021, the Delaware Chancery Court decided In re Boeing Company Derivative Litigation, a derivative suit stemming from the 2018 and 2019 crashes of the Boeing 737 MAX airplane. The Boeing court discussed the audit committee’s oversight of Boeing’s compliance program in some detail. Boeing’s audit committee charter assigned that committee responsibility for (among other duties) meeting with the chief compliance officer to review the ethics and business conduct programs and compliance with related laws and regulations. The audit committee also received annual updates regarding the compliance risk management processes, although those updates did not address airplane safety. The court ruled that the board’s failure to oversee compliance in the mission-critical risk area of airplane safety gave rise to a reasonable inference that the directors breached their duty of oversight.
The court in Boeing also addressed the board’s failure to “have a means of receiving internal complaints about airplane safety.” The court stated that, “without a Board-level reporting mechanism, safety issues and whistleblower complaints reported to the [management-level safety review board] did not come to the Board’s attention. Neither the Audit Committee, nor any other Board committee, reviewed whistleblower complaints related to product safety.” In addition, the court discussed the audit committee’s failure to assume oversight of the company’s response to the very serious concerns at issue in that case in a timely manner.
Practical implications of the case law
The recent Delaware cases provide important guidance for the ways in which boards can effectively oversee a compliance program. Recent U.S. Department of Justice (DOJ) guidance provides additional insights in this area.
What follows is a (fairly long—apologies!) list of oversight activities for companies to consider including in the documentation related to board oversight of C&E programs. (While the following refers to the audit committee as the relevant committee assisting the board’s oversight of compliance, note that some companies have delegated oversight of compliance programs to another committee or committees of the board.)
Board oversight practices can be articulated in various compliance program documents, including the audit committee charter, C&E program charter, chief compliance officer (CCO) job description, and escalation protocols. Indeed, it may be appropriate for some of the following activities to appear in more than one program document.
The CCO’s relationship with the audit committee
While Delaware case law does not directly address the CCO’s reporting relationship with the audit committee (although the importance of a strong relationship is implicit in those cases), the DOJ memorandum on Evaluation of Corporate Compliance Programs contains helpful guidance on board oversight of a program, including asking whether compliance has a direct reporting line to the audit committee. The DOJ guidance recognizes what compliance practitioners have long known to be true: that the reporting relationship between the CCO and the audit committee can be one of the most important factors in ensuring that the CCO has the level of independence necessary to implement a program effectively.
Documentation of the CCO’s relationship with the audit committee might provide, for example, that the CCO shall report to and have direct access to the audit committee. This type of language, which could be included in the audit committee charter, the C&E program charter, and other relevant program documents, both helps protect the independence and authority of the CCO and fosters the critically important relationship between the audit committee and the CCO.
In-person presentations a given number of times per year
The Federal Sentencing Guidelines address board oversight of compliance programs, providing that an organization’s governing authority “shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness” of the program. To enable boards to exercise oversight of the content and operation of a program—as discussed in the guidelines and contemplated by the Caremark line of cases—companies should consider providing for a set number of in-person presentations to the audit committee each year. Relevant documentation might provide, for example, that the CCO shall present a report to the audit committee regarding the C&E program and regarding the receipt of and response to allegations of misconduct [at least X times per year] or [at every scheduled meeting].
Meetings in executive session with audit committee
The DOJ guidance includes a question regarding whether the board holds executive sessions with compliance, which is important to allowing the CCO unfettered access to the board oversight committee. Here, the relevant documentation could specify, for example, that the CCO shall meet in executive session with the audit committee [at least X times per year] or [at every scheduled meeting].
Many companies provide for meetings in executive session with the audit committee at the request of the committee or the CCO. In my experience, it is preferable to require and schedule executive sessions at set times without requiring a request, which further protects the independence of the function.
Written reports regarding the program
In addition to in-person presentations, the audit committee should likely also receive more frequent, written reports regarding the C&E program. In this area, the relevant documentation may provide, e.g., that the CCO shall provide written reports regarding the design and implementation of the C&E program to the audit committee [at least X times per year].
Reporting systems and reports received
Since the Caremark decision in 1996, it has been well established that an audit committee has a fiduciary responsibility to oversee an organization’s reporting procedures and its systems to respond to reports received. This role was highlighted by section 301 of the Sarbanes–Oxley Act, which requires audit committees of issuers to establish reporting procedures related to accounting and auditing matters. Many audit committee charters thus contain a specific provision that the committee shall oversee the establishment and maintenance of procedures for the receipt, retention, and treatment of complaints or concerns received by the company regarding accounting, internal accounting controls, or auditing matters, including enabling employees to submit concerns confidentially and anonymously (per the Sarbanes–Oxley requirements). Companies should also consider including language in program documentation that requires the CCO to present information to the audit committee regarding the helpline and the company’s systems for responding to helpline calls at least X times per year and regarding the receipt of and response to allegations of misconduct at least X times per year.
Escalation of certain significant issues to the board
In both Marchand and Boeing, the court considered the failure of red and yellow flags to reach the board as evidence of the board’s failure to establish reporting systems that would require escalation. Indeed, the DOJ guidance and other legal guidance contain an expectation that the CCO will have immediate access to report the most serious issues to the audit committee as necessary. For example, the DOJ and Securities and Exchange Commission’s A Resource Guide to the U.S. Foreign Corrupt Practices Act provides that adequate autonomy for a chief compliance officer “generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” This is important to a program’s independence and to ensure that investigations are conducted appropriately—an issue highlighted by the Boeing decision. It could be quite difficult to conduct an investigation that potentially implicates a very high-level executive if the audit committee was not involved in oversight. Documentation in this area could provide, for example, that the CCO will notify the chair of the audit committee of any significant matters (which can be defined in an escalation protocol or C&E program charter) promptly (a term that can also be defined).
While the above responsibilities can be documented in audit and C&E program charters, organizations should also consider developing specific escalation protocols, if they have not already done so. Escalation protocols articulate those matters that must be raised to the audit committee and how promptly. The most serious matters should possibly be escalated immediately, whereas less significant but still serious issues may not require an immediate call to the committee chair. Considering which types of matters should be escalated, to whom, and how promptly is an important exercise. It can protect senior leaders, board members, and compliance professionals at the company’s most vulnerable moments.
Oversight of compliance risk assessment
The importance of board oversight of a company’s compliance risk assessment process can be inferred from the decisions in Boeing and Marchand, which focused on the audit committee’s lack of oversight of compliance systems devoted to mission-critical risk areas. The court in Boeing noted that the audit committee received yearly updates regarding the company’s compliance risk management process, but that those updates did not address the mission-critical area of airplane safety. Documentation of this oversight could provide, e.g., that the committee will review (or oversee) the C&E program’s periodic assessment of legal and compliance risks.
Compliance controls in significant risk areas
In light of the decisions in Boeing and Marchand, companies should consider adding provisions to their audit committee and C&E program charters regarding the audit committee’s oversight of the compliance systems related to the company’s mission-critical risk areas, which will obviously vary by company. Such a provision could state, for example, that the audit committee will receive a report regarding the company’s compliance systems [in those areas] at least X times per year.
CCO’s appointment, termination, or significant diminution in duties
This type of provision—which underscores the reporting relationship between the CCO and audit committee—presents an important opportunity to protect the independence of the C&E program. Documentation could provide, e.g., that the audit committee shall concur in the appointment of the CCO and shall be notified prior to and concur in the termination of the CCO or any significant diminution in the CCO’s duties.
Evaluation of performance of CCO
Articulating the audit committee’s participation in the CCO’s performance evaluation reinforces the reporting relationship between the CCO and the committee. Documentation could state, e.g., that the audit committee will review the performance of the CCO annually.
Oversight of budget and staffing
It is helpful—and another means of protecting the independence and resourcing of the C&E program—if relevant documentation specifies the audit committee’s oversight role in the areas of budget and staffing. Relevant documentation could provide, e.g., that the audit committee will annually review and approve the C&E program’s budget and staffing and must concur in significant diminution in program resourcing.
Oversight of code of conduct
Many organizations provide for the audit committee’s review and approval of the code of business conduct and sometimes other important program documentation, such as the C&E program charter. Documentation in this area could provide, e.g., that the audit committee will review and approve any significant revisions to the company’s code of conduct.
Audit committee oversight in practice
While the previous points focus on how program responsibilities are documented, they also contemplate that audit committees and CCOs will execute those responsibilities, of course. We note that many audit committees exercise robust oversight of programs (including many or all of the activities noted earlier) without specific documentation in committee and program charters. However, documentation is important to protecting and sustaining the practices and—as illustrated well in the Boeing decision—can be helpful to evidence the board’s oversight.
The Boeing case also makes clear the importance of documenting implementation of oversight activities in audit committee meeting minutes, reports from the CCO, and otherwise.
Not every audit committee or program charter needs to include all of the earlier provisions in order to pass muster, of course. Still, documenting good board oversight practices strengthens the independence and authority of a program. Where feasible, compliance professionals should thus work with audit committees to review and revise relevant charters, procedures, and protocols. Strong documentation facilitates strong board oversight, which facilitates effective programs.
Boeing, Marchand v. Barnhill, and other recent cases create an important opportunity for organizations to review and update board oversight practices and documentation.
The reporting relationship between the CCO and audit committee is critical to ensuring CCO independence.
Escalation protocols can protect senior leaders, board members, and compliance professionals at the company’s most vulnerable moments.
Documentation of board oversight is important to protecting and sustaining strong oversight practices.
Strong documentation facilitates strong board oversight, which facilitates effective programs.