Key questions regarding the role of the board of directors in developing and overseeing an effective compliance program
October 18, 2016
When companies run afoul of laws and regulations the publicity can be intense and the adverse reputational and financial consequences to the company are generally quite significant. The post-mortem brings the board of directors to “center stage” and judges, regulators, investors and pundits in the financial press will all be asking whether the directors were paying attention, asking the right questions, adopting and enforcing appropriate policies and procedures, and making it clear that “compliance matters” when setting goals and allocating rewards. Simply put, while directors are not expected to fend off every act of misconduct by executives, employees and agents of their companies, they are responsible for effectively discharging their own duties and responsibilities relating to compliance and ethics programs.
The core elements of directors’ compliance-related duties and responsibilities come from several sources:
- The Federal Sentencing Guidelines for Organizations require that the governing authority of the organization (e.g., the board of directors of a corporation) be knowledgeable about the content and operation of the compliance and ethics program; exercise reasonable oversight with respect to the implementation and effectiveness of the program; exercise due diligence to prevent and detect criminal conduct, and promote an organizational culture which encourages compliance with the law.
- Courts have recognized that directors have a fiduciary obligation to make a good faith effort to assure that an adequate compliance program exists and to take affirmative steps to ensure that appropriate information regarding compliance with applicable laws reaches the board in a regular and timely manner.
- The listing requirements of the major securities exchanges include compliance-related elements such as mandating implementation of reporting procedures, adoption of codes of conduct and business ethics and independence of board and audit committee members.
- Regulators focusing on a range of industries have articulated their preferences regarding the role of the board of directors in compliance activities by conditioning settlement agreements on undertakings by the company that its board will retain independent individuals or entities with compliance expertise and regulatory guidelines consistently mention that directors must be knowledgeable about, and involved with, the compliance programs of their companies.
While attention to compliance problems is generally most intense for larger publicly-owned companies, directors of firms of all sizes, including privately-owned companies, should consider “compliance” to be a
significant part of their jobs. All directors have a fiduciary duty to their corporations and to the stockholders who are actual owners of the corporation and that duty will almost certainly be breached if directors fail to act with care in developing and implementing compliance and ethics programs and as a result the corporation and/or its agents are found to be culpable of misconduct and/or unlawful activity. In order to be sure that the board and its members understand their role in developing and overseeing an effective compliance and ethics program the following questions should be carefully considered:
- Is each prospective member of the board advised prior to appointment that he or she will be expected to achieve and maintain an adequate level of knowledge and skills relating to their duties with respect to overseeing the company’s compliance and ethics program and is prior compliance experience a factor in vetting new board members?
- Has each new member of the board completed an orientation program that includes information on the sources of a director’s duties and obligations with respect to oversight of the company’s compliance and ethics program and illustrative case studies of how courts and regulators have interpreted and enforced such duties and obligations?
- Are the members of the board sufficiently knowledgeable about the operations and structure of the company to understand internal reporting procedures and lines of authority and identify the activities that present the highest level of compliance risk?
- Are the members of the board sufficiently knowledgeable about the legal environment for the company’s specific business activities so that they can readily understand the statutes and regulatory guidelines that are most relevant to decisions about how to design the compliance and ethics program?
- Has the board ensured the compliance and ethics program is appropriate for the specific activities of the company by undertaking a detailed risk assessment that identifies and ranks risk areas and issues that have raised compliance problems in the past and must be specifically addressed in the program?
- Has the board conducted a “cost-benefit” analysis regarding the scope of the company’s compliance and ethics program to ensure that the company’s limited resources for compliance infrastructure have been efficiently allocated to the areas that present the most significant potential risks and liabilities for the company?
- Has the board fulfilled its overriding obligation to be knowledgeable about the content and operation of the company’s compliance and ethics program by overseeing the development of the program and formally reviewing and approving the overall program and specific policies and procedures within the program (e.g., code of conduct, policies regarding conflicts of interest, “hot line” or other policies for reporting misconduct and policies that address the company’s highest risk areas such as employment laws, antitrust laws and/or products liability laws) before implementation?
- Has the board formally approved the creation of an independent team with compliance expertise within the company’s organizational structure that includes (1) a chief compliance officer (“CCO”) who reports directly to the board (or audit or compliance committee of the board), (2) a compliance department overseen by the CCO, (3) a corporate compliance committee (“CCC”) with members from all the company’s functional departments charged with implementing compliance policies and procedures, and (4) an internal controls/security department charged with implementing internal controls and detecting and reporting actual misconduct and suspicious activities?
- Has the board formally given the CCO and the compliance department the authority to audit the activities of the company’s legal department and provide direct guidance and assistance to members of the board regarding fulfillment of their oversight responsibilities relating to compliance activities?
- Has the board formally reviewed and approved the charter of the CCC to ensure that it addresses key activities such as the development and implementation of codes of conduct and other compliance policies and procedures, development and administration of compliance and ethics training programs, risk assessments, annual audits of compliance and internal controls programs and remedial actions and employee discipline in the case of compliance issues or other misconduct?
- Does the board (or the audit or compliance committee of the board) receive regular reports from the CCO regarding the involvement of managerial leaders from other departments (e.g., human resources, legal, finance, business development etc.) in the activities of the CCC and the actions they have taken to implement relevant aspects of the compliance and ethics program within their departments?
- Has the board required that the CCO develop objective performance metrics for the compliance and ethics program that have been formally approved by the board and set aside time at each meeting of the board (or audit or compliance committee of the board) to receive reports on the operations of the compliance department and progress toward satisfying the program’s goals and objectives and ask compliance-related questions of the CCO and members of the senior management team?
- Has the board allocated sufficient human, financial and technological resources to the compliance and ethics program (including funding for the CCC and retention of outside advisors (e.g., lawyers, accountants and consultants)) and invested the board’s own time in continuously considering compliance-related issues?
- Has the board provided for the “express authority” and “direct reporting obligation” for those persons with day-to-day responsibility for compliance activities (e.g., the CCO) to have direct access to members of the board and/or the committee of the board to which compliance matters have been delegated (i.e., audit or compliance committee) without having to report to the CEO, other members of the senior management team or the legal department?
- Has the board acted in a manner that sets the appropriate “tone at the top” with respect to promotion of an organizational culture of ethical conduct throughout the company and encouraging compliance through the use of appropriate incentives and disciplinary measures and proactive involvement in the development and approval of the compliance and ethics program in the manner described above?
- Has the board properly aligned the incentives for members of the management team and employees by ensuring that the company’s performance evaluation and incentive compensation processes take into account not only traditional financial metrics but also compliance and ethics-related objectives such as product/services quality, safety and customer satisfaction?
- Have all of the members of the board, as well as officers and employees of the company, completed adequate training to ensure that they are aware of the content and purposes of the company’s compliance and ethics program and how issues are identified and remediated?
- Has the board provided for continuous training of board members and senior management on the impact of changes in the legal and regulatory environment of the company that will impact the company’s compliance requirements?
- Have all of the members of the board been provided with suggestions on how they can educate themselves about how to carry out their compliance oversight activities such as by accessing information, guidelines and educational programs available through government websites (e.g., Office of Inspector General)?
- Does the board oversee regular reviews of the compliance and ethics program, no less than annually, to determine if changes are necessary in light of objective metrics of the efficacy of the procedures included in the program and changes in applicable laws and regulatory enforcement initiatives?
- Does the board oversee regular reviews of the company’s internal controls and risk management policies and procedures, no less than annually?
- Does the board ensure that reports or findings of compliance problems or other acts of misconduct are promptly reviewed and that responses are made in a timely fashion?
While several of the questions posed above strongly imply that managerial responsibility for compliance issues be vested in a CCO, as opposed to the general counsel, it is obvious that the development and implementation of an effective compliance and ethics programs should be driven by the legal team supporting the company, both in-house attorneys and outside law firms. Your role as an attorney relative to “compliance” will vary depending on where and how you practice law. All attorneys wishing to provide value to their clients in the compliance area should be familiar with the questions above and why each of them is important. This will allow them to converse openly and knowledgeably with directors and members of the senior management team. All attorneys should also be aware of the basic elements of a comprehensive compliance program: surveying the legal environment; compliance audits and risk assessments; “buy in” from the board of directors; written compliance materials; organizational culture; education and training; program monitoring and implementation; program audits; internal investigations and document retention programs. Beyond that, a specific attorney might find that the following fits his or her particular situation in the compliance arena:
- You are the general counsel of a large organization that is involved in a range of business activities that expose it to multiple areas of law and regulation. You may even be the actual or de facto “chief compliance officer” of the organization. In this position you need to have a thorough understanding of the essential elements of any compliance program and you need to recruit and oversee qualified and experienced subject matter experts in various legal areas who can develop and administer focused compliance programs and provide support to the organization’s non-legal compliance infrastructure.
- You are the senior partner acting as outside general counsel to an organization. Your role should be to act as the principal advisor to the directors of the organization with respect to educating them on their compliance duties and obligations, a task that can be eased by going through the questions above. You should be prepared to guide the organization through the preliminary steps on the road to creating a compliance infrastructure and make available subject matter experts from your firm to assist in developing and implementing compliance programs in key areas such as employment, antitrust, intellectual property and products liability law.
- You are a senior attorney providing substantive advice on issues in a particular area of law (e.g., an employment law expert who regularly answers questions from clients on their current human resources problems such as a claim of harassment or discrimination or handling a sticky termination scenario). While helping your clients “put out fires” is certainly valued, you can also help them become more efficient users of legal services and avoid potentially costly problems by building the expertise necessary to assist clients in developing compliance programs and related tools.
- You are the head of a one person law department. Your role with respect to counseling the directors and members of the senior management team is essentially the same as your counterpart at the large organization discussed above; however, your world is likely quite different because you do not have the luxury of hiring additional in-house lawyers to provide compliance program support. In this situation you need to understand the basic elements of compliance programs and select experts from outside law firms to assist in developing a customized compliance program in a cost-efficient manner. Your own skills and understanding of compliance programs will help you strike the right balance and manage the costs of relying on an outside law firm.
- You are a solo practitioner with an active portfolio of business clients. Again, the questions above can provide you a starting point for the “compliance discussion” with those clients; however, you won’t be able to offer support from other attorneys in your firm and you will need to develop a network of subject matter experts that you can call upon to provide assistance for your clients. Fortunately, there are many small boutique firms that specialize in one area and can be relied upon to provide compliance-related support. You’ll need to know the essential elements of compliance programs and be able to interview attorneys from these firms to ascertain whether or not they can provide the support that your clients will need.
- You are a new associate or law department attorney. You didn’t take “compliance” in law school and it wasn’t something that was covered in bar exam review courses. In fact, compliance may not be well understood by your supervisors at the law firm or in the law department. Nonetheless, you can and should study the questions above and make “compliance” part of your own skill set. Ask your supervisor about compliance and seek out opportunities to help with developing compliance programs. Work on drafts of compliance policies and management briefings for clients. Better yet, volunteer to help with training programs. It’s the best way to learn the basic requirements in a particular area and practice explaining them to clients.
Law firms, bar associations and law schools tend to organize around substantive areas of law—business organizations, antitrust, contracts, real property, labor law. As such, key skills that cut across areas of law, such as deal making and compliance counseling, often get lost. It is true that “compliance” cannot stand alone without reference to particular laws and regulations; however, effective compliance counseling is invaluable to clients and can only be done when the business counselor understands the principles and ideas discussed above.
Chapter 223 (§§ 223:1 et seq.) of Business Transaction Solutions on WESTLAW provides business counselors with the guidance and tools needed to provide value to their client during the process of designing, implementing and maintaining effective compliance programs. Recently added practice tools include a checklist of legal areas and business activities to be covered by compliance program (§223:108); a checklist of the elements of an effective compliance program (§223:109); a questionnaire for analyzing and assessing compliance procedures and attitudes (§223:110); an executive summary for clients regarding compliance programs (§223:111) and a Slide Deck presentation on Compliance Programs that can be used for law firm and department training purposes (§223:112).
Titles by Alan Gutterman
- Understanding Legal Needs of Technology Companies: Leading Lawyers on Performing a Legal Audit, Managing Financial Risk, and Prioritizing Legal Needs (Inside the Minds)
- Legal Compliance Checkups: Business Clients
- Business Entities (California Transactions Forms)
- Business Transactions (California Transactions Forms)
- Buying a Business: What You Need to Know (Quick Prep)
- Business Transactions Solution (WestlawNext PRO)
- Business Counselor’s Law & Compliance Practice Manual, 2014 ed.
- Corporate Counsel’s Guide to Strategic Alliances, 2014 ed.
- Corporate Counsel’s Guide to Strategic Alliances with Forms on CD, 2014 ed.
- Corporate Counsel’s Guide to Technology Management and Transactions, 2014 ed.
- Corporate Counsel’s Guide to Technology Management and Transactions with Forms on CD, 2014 ed.
- Hildebrandt Handbook of Law Firm Management, 2015 ed.
- Going Global: A Guide to Building an International Business, 2015 ed.
- Going Global: A Guide to Building an International Business with Forms on CD, 2015 ed.
- Business Counselor’s Guide to Organizational Management, 2012 ed.