By Adam Turteltaub
Although the idea of board oversight of compliance programs is nothing new, up until recently there was very little guidance as to what, in practice, that means from the government’s perspective. Is meeting a few times a year enough? Does compliance have to report to the board directly? How well do boards have to understand compliance as a discipline?
Those questions and many others were answered, ironically, by a series of questions from the Fraud Section in the Criminal Division of the US Department of Justice. “Evaluation of Compliance Programs”, a document released in February, lays out a series of questions prosecutors are likely to ask in evaluating the effectiveness of compliance programs. Included in the document are the following questions about the board’s role in overseeing compliance. Below each question are some implications for organizations and their boards to consider.
- What compliance expertise has been available on the board of directors?
Note that the question asks about expertise “on the board of directors” not “available to the board of directors.” Few boards have present or former compliance professionals on them. Now may be the time to look at including compliance expertise as part of the “balance” that makes up a good board. Likewise, organizations should seek out training to help board members understand their role in compliance oversight.
- Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors?
The message here is clear: filters are bad. Whether it’s having someone keep compliance from getting to the board, having the GC or someone else do the compliance report, or having management in the room listening in and vetting every word, it’s not a good thing in the DOJ’s eyes. Frank and direct conversations are necessary.
- What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis?
As noted elsewhere in the document, the DOJ is eager to see root causes addressed, not just band-aids. They are looking for comprehensive, not quick, fixes. Boards will need to ensure that management delivers.
- How often do they meet with the board of directors?
The days of the annual compliance update are dead. Regular interactions are now expected, and likely very regular interactions at times when the organization is managing a compliance failure.
- Are members of the senior management present for these meetings?
This can be read a couple of ways. On the one hand, having management present can demonstrate support. However, there are times when compliance will need to speak frankly about management’s support of the compliance program, and potentially investigations of management. In those cases, having management in the room is likely not a good sign.
- Who reviewed the performance of the compliance function and what was the review process?
This question underscores that the compliance team has to be evaluated fairly and can’t count on its future being dependent on people whom it may be investigating or holding to account. Boards should probably also start asking why a compliance officer quit or was fired.
- How have management and the board followed up?
This question is, perhaps, the most profound. It underscores the fact that the compliance officer is not responsible for the organization acting in a compliant manner. It’s the responsibility of the business unit. By making it clear that management and the board need to follow up when a breach occurs, it underscores that the business’s leadership owns responsibility for making sure organizations operate lawfully and ethically.
In addition to the areas outlined specifically for board members, it would also be prudent for the board to review the rest of the DOJ document to identify other areas to focus on. For example, there is an entire section dedicated to incentives. Members of the compensation committee would be wise to read through it and consider the implications. A couple of questions in particular stand out: “How has the company considered the potential negative compliance implications of its incentives and rewards?” and “What incentives has the company adopted to promote adherence to the company’s compliance and ethics program?”
While all of this may seem daunting and new, it’s not. As the DOJ notes, this document synthesizes many individual elements of direction that are available elsewhere. But, by putting everything together in one place, they are providing compliance officers, management, and boards a clear roadmap of expectations. That’s a lot better than trying to guess what the prosecutor may someday want. And that can help board members, and those they oversee, sleep a lot better at night.