by Jack Quinn and Suzanne Rich Folsom – NACD Directorship
It is still the rare and sensational case when CEOs, let alone board members, are accused by the government of failing to supervise employees adequately in ways that would have prevented them from committing criminal acts. That, of course, is the gravamen of the civil complaint against Steven Cohen, founder of SAC Capital. Less well-publicized, but perhaps more significant in this regard are the hundreds of directors and officers being pursued by the FDIC for poor judgment or oversight in the making of loans by financial institutions that failed during the financial crisis.
Even in today’s world of intensified regulatory aggressiveness, not a great many actions involving directors are brought. But, given the increased attention to corporate compliance in recent years—on multiple fronts by multiple stakeholders—it is not at all unlikely that inadequate attention to corporate legal and regulatory compliance and oversight will put any public company’s reputation, share price, and prospects for continued success at serious risk. The trend is not favorable for directors: the FDIC cases, as an example, appear to embrace situations of negligent failure to manage risk, a lower bar than the complaints of recklessness that often characterized cases against directors of failed S&Ls in the 1980s.
Chances are there have been many, many directors who were sure that this kind of legal exposure “can’t happen here” because “we have a good track record” or “a great general counsel” or “a lengthy Code of Conduct (which must be enough to protect us)” or “that’s the kind of trouble our competition has, not us.” That was the song they sang before they experienced the shock of learning that their companies gushed oil into the Gulf of Mexico or had a London Whale on the payroll or engaged in anticompetitive practices, age or gender discrimination, suspect accounting practices, or all of the other wrongs “that can’t happen here.”
Compliance—especially a truly robust compliance program—can be inconvenient at best and costly at worst. But, it is a crucial form of insurance: non-compliance can take its toll in many multiples of the costs of compliance and the company and its people can be exposed to painful non-monetary dangers including the tarnishing of reputations and brands.
Over the past decade, largely in response to the accounting scandals of the early 2000s and the legislative response contained in the Sarbanes-Oxley Act of 2002 (SOX), corporate compliance has grown into a fundamental, “organic” area for director consideration, with many corporations having formalized the role of corporate compliance. To be sure, corporate compliance now has a permanent place in the executive suite.
In this environment, all corporate directors should know the answer to at least 10 basic questions about compliance at the corporations they help to govern. So here’s an admission exam that virtually every director ought to be able to pass with flying colors. Good luck!
What is meant by the term “compliance”?
We use the term compliance to refer to a corporation’s ongoing effort to comply with all domestic and foreign laws, regulations, and rules to which it is subject, including a corporation’s own internal policies and procedures. For many years, compliance has been emphasized in industries that were traditionally heavily-regulated, such as healthcare and financial services firms. Following the enactment of SOX, however, every industry became heavily regulated, and the need emerged for a specific person (or department) to monitor a corporation’s compliance with the myriad of laws, rules, and regulations in place. Ultimately, the point of a vigorous compliance program is not only to head off investigations but, more generally, to foster an ethical environment in which business will prosper.
Who is in charge of compliance?
Over the past 10 years, the position of chief compliance officer (CCO) has emerged in many executive suites. Some corporations, on the other hand, assign compliance tasks to the general counsel (GC) or the chief financial officer (CFO), the two positions that have traditionally undertaken corporate compliance work.
There are many factors guiding the business decision of how to assign the task of and responsibility for compliance. Every director needs to know who is the person most responsible for running the corporation’s compliance program, including name, title, and experience. Directors should also take the opportunity to meet with the CCO just as they would meet the chief executive officer (CEO) or CFO or any other member of the executive suite to discuss their roles, vision, and concerns, if any.
To whom does the person in charge of compliance report?
The reporting structure for the person charged with compliance is critical; it can make or break the effectiveness of any compliance program. Does the compliance officer report to the CEO, the GC, the CFO, or directly to the Board of Directors? The CCO must keep top management apprised of any compliance issues and, when a failure is detected, the Board needs to hear the bad news in real time. Whatever the structure, directors must make sure that compliance failures are detected and acted upon immediately. The compliance officer therefore needs direct access to the executive suite and the Board of Directors, and vice versa.
What corporate standards and procedures are in place to promote compliance?
At the center of any effective compliance program is a set of written policies and procedures. These might include, among others, a code of business ethics and conduct, an anti-corruption compliance policy, specific policies related to each regulated area of the business, training procedures to educate employees about applicable laws and regulations, policies and procedures for promptly responding to allegations of misconduct, and policies and procedures detailing the company’s oversight monitoring program. An appropriately designed and well-documented compliance program is the first step towards robust compliance.
What resources are devoted to compliance?
“Whatever is worth doing at all, is worth doing well,” the Earl of Chesterfield admonished his son in 1746. To do their job well, CCOs need resources to execute their mandate. They need a trained and properly supported staff. As SEC Commissioner Cynthia Glassman observed in 2002, the corporate officer responsible for compliance “should have sufficient time and adequate resources to implement the company’s corporate responsibility program in an effective manner. The best written code of ethics will be worthless if the company starves the budget of the officer who has to implement it.”
What are the main laws and regulations with which the corporation must comply?
Directors should have at least a general understanding of the main laws and regulations with which a corporation must comply. Ultimately it is up to the CEO to communicate throughout the organization that a company must comply with all laws and regulations and that lapses and breaches will not be tolerated. Boards of Directors should also consider board communications to the company at-large that echo and support the tone being set by the CEO. Such messages set the “tone at the top” in their insistence that compliance with laws and regulations is imperative.
What monitoring systems are in place to ensure that the company complies with them?
The U.S. Sentencing Guidelines state, “[t]he organization shall take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.” Examples of monitoring processes include risk assessments, audits, quality checks, and internal and external compliance reviews. Monitoring helps disclose program deviations and define ways to address and correct them in a timely fashion, thus improving the overall efficiency of the business, as well as providing an effective tool for risk management.
If the company does business overseas, do its existing monitoring systems alert headquarters to issues in those countries?
Multinational companies need to implement effective ethics and anticorruption compliance programs throughout the world in order to prevent violations of anticorruption laws such as the Foreign Corrupt Practices Act and the UK Bribery Act 2010. A company that has strong controls in place can often prevent misconduct. If a violation does occur, the company can then demonstrate that the misconduct is the result of circumvention by a rogue employee and not due to a culture of corruption or systemic weaknesses. As such, a robust compliance program is the best available insurance against government prosecution for alleged criminal activity in any country where the company may operate.
If compliance personnel see a red flag, what do they do?
No compliance program can completely eliminate the possibility of employee misconduct, and directors should assume that compliance personnel will encounter red flags within the company at some point. The question then becomes: “How are those problems addressed?” Companies need to be ready to take immediate and effective action to resolve a problem and not permit it to languish or fester. The CCO should have such an action plan, the Board should be aware of it, and it should be systematically followed when and if the need arises.
How are complaints received from within and outside the company?
Is there a company-wide reporting system in place in case any company personnel have compliance concerns? Are there safeguards in place, such as anonymity, to ensure against workplace retaliation?
It is often said that compliance is everyone’s responsibility. That means everyone must be able to report potential breaches without fear of reprisal. While directors and senior management set the “tone at the top” of a robust compliance program, it is also important that this tone resonates and is embraced throughout the company. Everyone needs to work together in order for a company to be the gold standard for governance in its industry.
A strong compliance environment is one in which misconduct is less likely to take place and will be more easily detected. It is an environment that makes for a much more efficient and cost-effective business operation. And, as the 2012 Ethics Resource Center report stated, workplaces with strong compliance programs “are better places to work. Our economy and our society are better off when corporations and their employees obey the law and operate within ethical frameworks that direct them to ‘do the right thing.’”
Most children are taught that a good person does the right thing when no one is watching. If everyone in the world were to dutifully internalize that lesson, it would be quite a different world indeed. A robust compliance program provides the “belts and suspenders” to cover any learning gaps within an organization. Directors are good directors when they take pains to make sure that we do not leave to chance that which we strive to do every day—“the right thing.”