Strong oversight by boards of directors—meaning typically by authorized board committees—of compliance-and-ethics (“C&E”) programs can be essential to promoting legal and ethical conduct within companies. In a variety of ways, board oversight should help to ensure that a program is effective and that directors and companies are otherwise meeting applicable C&E-related legal standards. Nonetheless, this is an area of uncertainty for many boards and managers, and can even be a struggle for some.
In Reporting to the Board on the Compliance and Ethics Program, published in the June issue of Compliance & Ethics Professional, we examine various aspects of such oversight from a law and good-practices perspective.
First, we consider who should provide reports to the board on the C&E program. Generally, this is assumed to be the “C&E officer,” but that term is used to describe a wide variety of roles. In our article, it refers to the person who has operational responsibility for the C&E program, which some individuals with the C&E officer title do not have.
Not all companies have the C&E officer personally provide reports to the board, but doing so promotes the independence of the program and can be helpful in terms of assuring the sufficiency of program resources. Such reporting is also consistent with key legal standards, such as those found in the Federal Sentencing Guidelines for Organizations (the “Guidelines”), the Department of Justice and Securities and Exchange Commission’s Resource Guide to the U.S. Foreign Corrupt Practices Act, and others, as discussed in the article.
Identifying who in fact has operational responsibility for a given company’s C&E program is not always an easy task, and may require assessment of a number of factors, including:
- The amount of time that the person spends on C&E program responsibilities;
- The range of the person’s program responsibilities (i.e., the greater the range of program responsibilities, the greater likelihood that the person has operational responsibility for the program);
- Whether the person is involved in setting strategic goals and plans for the C&E program; and
- The perception of employees at the organization as to the person’s role (i.e., is he/she primarily perceived as the general counsel, or the C&E officer?)
We also explore in the article the desirable and fairly common practice of C&E officers’ meeting with board committees in executive session. Additionally, we note that a truly independent approach to program oversight may require a board to receive information regarding the program from other senior managers beyond the C&E officer.
Our article next considers the type of information that boards should receive about C&E programs. The Guidelines contemplate the board’s receipt of two types of program information: information regarding the implementation and effectiveness of the C&E program generally and information regarding allegations of misconduct—with the former of these itself consisting of three different sub-categories of information (information regarding program elements, program attributes, and higher-risk areas).
Boards should receive some information about each of the program elements—e.g., C&E training, the operation of the hotline, and C&E monitoring—but the focus of board reports should be those areas where director oversight can have the greatest impact on effectiveness, such as incentives, discipline, and senior management’s involvement in the program. Indeed, knowledge that the board is receiving information about certain program elements can itself help underscore the importance of those elements. In the area of C&E training, for example, knowing that the board receives information regarding completion rates in different parts of a company (e.g., different business units or different geographies) may help senior managers to ensure training completions within their respective areas.
C&E personnel should also consider providing information to the board about important attributes of the C&E program. These are characteristics that are applicable to more than one program element, such as authority, reach, resources, independence, management’s knowledge and support of the program, organizational culture, and having a true ethics component to one’s program, as opposed to a purely compliance-based one. Information regarding program attributes can be critical to a thorough understanding of program effectiveness, and directors can make a significant difference with respect to many of these.
In addition to information regarding program elements and attributes, C&E personnel should consider providing the board with appropriate risk area-specific information, such as concerning anti-corruption or competition law—a type of information that was discussed extensively by Delaware’s Supreme Court in Stone v. Ritter, 911 A.2d 362 (Del. 2006). Which risk areas the board should hear about is a function of two considerations: (1) which risk areas provide the greatest overall risk to the company (which will obviously vary by industry/line of business and geography); and (2) in which risk areas, if any, senior managers’ and the company’s interests are not well-aligned, i.e., in effect a “moral hazard” analysis (albeit in a different context than that in which boards typically consider moral hazard).
Further, the C&E officer should also provide the board with information regarding allegations of criminal or other misconduct and the company’s responses to those allegations. As a legal matter, this is a function of the Caremark case (In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996)) and its progeny; the Guidelines; and section 301 of the Sarbanes-Oxley Act. As a matter of good practice, companies should consider establishing systems to ensure that the appropriate board committee is notified promptly of certain types of allegations beyond those contemplated by the Sarbanes-Oxley Act, such as allegations (1) of any violations by senior management, (2) where there is the potential for significant adverse financial impact (including reputational harm), or (3) of any other circumstance suggesting a need for an independent investigation.
Finally, our article considers the appropriate level of frequency for reporting to the board about a C&E program. The Guidelines provide that the C&E officer should report to the board or a board committee “no less than annually,” but deferred prosecution agreements and corporate integrity agreements—which are often consulted by companies looking to develop strong C&E programs—tend to require quarterly reporting to the board. And 62% of respondents to the 2013 survey by the Society of Corporate Compliance and Ethics on board reporting indicated that there are four or more meetings per year between the board and the C&E officer, so frequent regular meetings seem to be fairly common. With respect to reporting regarding allegations of misconduct, the Guidelines indicate that the C&E officer should have the authority to report “promptly” to the board—although that discretion would presumably only need to be exercised infrequently when, for example, an allegation is made against a high-level member of management. In addition, boards or board committees typically receive information regarding allegations of misconduct in summary form several times during the year (e.g., at each meeting of the audit committee).