The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of a national newspaper for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times (NYT), in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.
I. Legal Standard
What are the obligations of a Board member regarding the US Foreign Corrupt Practices Act (FCPA)? Are the obligations of the Audit Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program?; and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?
As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of Stone v. Ritter holds for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, there is the principle that directors should follow the best practices in the area of ethics and compliance.
Board failure to heed this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”.
II. When Things Get Bad
While generally the role of a Board should be to keep really bad things from happening to a Company, once really bad things have occurred the Board needs to take charge and lead the effort to rectify the situation or perhaps even save the company. While giving oversight to risk management through an Audit Committee or a Compliance Committee is a good first step, such a committee needs to have sufficient independence from the management which got the company into such hot water.
In a recent White Paper entitled “Risk Intelligence Governance – A Practical Guide for Boards” the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:
-
Define the Board’s Role – There must be a mutual understanding between the Board, Chief Executive Officer (CEO) and senior management of the Board’s responsibilities.
-
Foster a culture of risk management – All stakeholders should understand the risks involved and manage such risks accordingly.
-
Incorporate risk management directly into a strategy – Oversee the design and implementation of risk evaluation and analysis.
-
Help define the company’s appetite for risk – All stakeholders need to understand the company’s appetite, or lack thereof, for risk.
-
How to execute the risk management process – The risk management process must maintain an approach that is continually monitored and had continuing accountability.
-
How to benchmark and evaluate the process – Systems need to be installed which allow for evaluation and modifying the risk management process as more information becomes available or facts or assumptions change.
All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially, it must be important that the Board receives direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer (CCO) to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as an Audit Committee may be more appropriate to deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.
There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.
III. What the Board wants to know from compliance
In an article in the May issue of Compliance Week Magazine, entitled “What the Board Wants to Know from Compliance”, author Joe Mont explored some of the issues he believes that a Board will want to know about their company’s compliance program. Mont quoted Michael Bramnick, senior knowledge leader for LRN, who said, “Boards really only want an answer to the question: ‘How do we know it is working?’ In other words, is a company’s compliance program living “up to the hallmarks of an effective compliance program in the eyes of the government.”
A. Questions About Process
Mont believes that Boards should “want more information on the processes to carry out the compliance function, rather than details on specific compliance issues”. He quotes Dennis Beresford, professor of accounting at the University of Georgia’s Terry College of Business, for the following “Boards want to know that there is a single individual or project management office keeping track of all this stuff and making sure that it is being handled properly. They want the comfort of knowing that there is a system in place that keeps track of compliance requirements.”
B. Questions About Internal Reporting
Another area of Board interest is compliance hotlines. In this area, Mont believes that Boards desire “to know details about who answers the calls or e-mails that come in, how they are trained, if the process is outsourced, and assurances that the hotline is truly anonymous, with no use of caller-ID or GPS tracking. Other common questions from the board include: How are calls classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions?” If the company hotline is used, this may show that “employees are comfortable enough to speak up and that, when they do, about good things or bad, they are listened to, there is follow-up, and trends are evaluated and reported back to them.”
C. Questions About Accountability
Responsibility is yet another topic that Mont believes Boards need to stay abreast on as “directors want more details on who’s responsible for what. Boards want assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management so it can assess accountability.” He quotes Bramnick who stated that “Effective boards let management do their job running the business on a day-to-day basis, and they understand that their job is to set long-term strategy,” he says. “It is not for them to be looking at every contract.”
D. Questions About Strategic Planning
Jaclyn Jaeger, writing in the December 2011 issue of Compliance Week Magazine, in an article entitled “Board Checklist: What Every Director Should Know”, wrote about a panel discussion at the Association of Corporate Counsel’s 2011 Annual Meeting. In the article she quoted panel participant Amy Hutchens, General Counsel and Vice President of Compliance and Ethics at Watermark Risk Management International, on the need for strategic planning by the Board. Hutchens believes that “a truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow.” Similarly, Stephen Martin, a partner at Baker and McKenzie, suggests that such knowledge is encapsulated in a 1-3-5 year compliance game plan. However, a compliance program should be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.” Hutchens believes that such agility is best accomplished by obtaining buy-in from the Board through it understanding the role of forecasting the compliance program going forward.
Mont quoted Bramnick that “Boards have really a Herculean task in today’s regulatory climate.” But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Board members. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage.
