When it comes to a corporate board’s oversight of compliance programs, it’s no longer business as usual.
In 2019, a Delaware court shifted the board oversight standard from “sustained or systemic failure of the board to exercise oversight” to a proactive requirement that directors “must make a good faith effort to implement an oversight system and the monitor it” – a requirement that dovetails with the Department of Justice’s (DOJ’s) compliance update this past June, whereby leadership’s oversight of compliance will be judged by their ability to focus on risks unique to their company, use data to test programs and track effectiveness, and demonstrate evolution of said programs, among other criteria.
“In the past, the courts had adopted a very heavy presumption against finding board members to have breached their fiduciary duties in exercising their compliance oversight function,” said Beth I. Z. Boland, Chair of Foley’s Securities Enforcement & Litigation practice, at a panel held as part of the firm’s annual New Directors Institute (NDI) conference. Boland co-hosted the panel with fellow Foley partner and former federal prosecutor Rohan A. Virginkar; Mary Huser, Vice President, Deputy General Counsel at Airbnb, joined as a special guest.
“Yet in the last year or so,” Boland continued, “that has changed. Boards must proactively ask the right questions, or risk heightened DOJ scrutiny, shareholder class action suits, or shareholder derivative suits.”
A series of flash polls conducted during the panel, drawing on responses from nearly 40 attendees – including GCs, CEOs, senior executives, and board members – suggest that some corporations may have work to do on this front. For instance, only 31% said they were very confident in the strength of their organization’s enterprise risk assessment, and less than half said as much about their firm’s internal compliance programs.
Fortunately, Boland, Virginkar, and Huser offered useful guidance for business leaders and boards. Here are five key takeaways.
There is no “one and done” in today’s landscape when it comes to compliance programs. Instead, the DOJ is increasingly looking for senior leadership to demonstrate (and document) how a given company is continually revising its program based on risk assessments, audits, internal allegations of misconduct, external factors, and/or industry-related concerns.
This means using data to track effectiveness; updating training, policies, and risk disclosures when necessary; monitoring periodic changes in both domestic and foreign requirements; and, crucially, focusing on the “why” behind any changes made to compliance programs.
Moreover, this evolution must be driven from the top, based on the importance of metrics that were specifically tied to leadership’s role in improvement towards internal compliance goals. Aside from audits/risk assessments/monitoring practices (65%), other metrics garnering selections by a majority of attendees included “Leadership team’s response to complaints and investigations” and “Tone at the top by leadership”, at 60% and 53% respectively.
Other significant metrics included compliance trainings and completion rates (38%), and compliance policy updates/revisions (23%).
Only 20% of attendees said their board was involved in defining their organization’s risk assessment and monitoring processes “to a large extent.”
Under today’s standards, that may need to change. To that end, panelists suggest looking at the top 100 or so enterprise-level risk areas – then deciding which will be prioritized at the board level, and which areas can be assigned to other executives throughout the company (for each, there should be both an executive and an operational risk owner). These risk owners will be accountable for providing metrics and reporting to the board and its appointed risk committee on a regular quarterly cadence to ensure continual monitoring of progress.
Such a process not only establishes a solid “tone at the top” but distributes risk ownership throughout the company, so that numerous individuals have a stake in the success of the program.
The fast-paced, unpredictable nature of today’s business world makes it impossible to prevent every compliance issue. This is especially true given widespread #MeToo allegations and renewed calls for racial justice. There’s a reason why PwC’s CEO Success study found that ethical lapses accounted for more forced CEO departures (38%) than financial- or board-related shakeups for the first time in the study’s nearly 20 year history.
Knowing this, the key factor is whether a company can respond swiftly and effectively when something does go awry – and this means board-level involvement. For instance, leadership should be asking questions like: When and how is the board informed of sexual/racial harassment complaints? Does the board have access to information about previous complaints and outcomes? Are they notified immediately if an accusation is made against the CEO or a member of the senior management team?
And on the broader, company culture front, is there a hotline that people actually know how to find and use? Is it effective (i.e., are complaints assessed quickly and reasonably)? Would people actually call it?
Fortunately, when asked if their board would act quickly and decisively if our CEO were accused of ethical improprieties, over two-thirds (76%) agreed they would do so; only 5% said they would not.
In the current enforcement climate, it’s not enough that boards be actively involved in compliance – they must also
have the requisite knowledge and experience to ask the right questions of management and effectively evaluate responses. Regular access to the company’s general counsel, compliance officer, internal auditors, and others are crucial in this respect.
To ensure both adequate independence and necessary institutional knowledge, it’s also important to have a mix of newer and longer-tenured board members at any given time.
It can be human nature to close ranks when a lapse occurs, be it around a CEO or another senior executive. But boards need to be able to take a step back – and fairly and legitimately say, “We’re going to take an independent review of
In this regard, the quality and independence of these third parties – be it outside counsel or auditors or others – is critical in having the government view the evaluation as credible.
These are just a few of the many insights proffered in Foley’s recent panel discussion. Other practical considerations when it comes to compliance include, for example:
- Reviewing employment contracts and employment practices liability insurance,
- M&A implications for a potential buyer’s due diligence review, and
- the need for an increased focus on succession planning.
Despite the ever-changing terrain and the myriad complexities at play, panelists agreed on two guiding principles: keep it simple, so you can actually execute the program throughout your organization; and, above all, do the right thing.