Excerpted from The Complete Compliance and Ethics Manual, 2nd Edition; Copyright 2010, Society of Corporate Compliance and Ethics. Reprinted with permission.

Board Engagement, Training and Reporting: Strategies for the Chief Ethics and Compliance Officer

By Donna C. Boehme[1]

“There is too much information. We spend too much time looking at things that are okay. We need to figure out how to concentrate on what is really important.”
– 2009 National Association of Corporate Directors Blue Ribbon Report[2]

Overview

Board engagement, training and reporting is a critical but often overlooked area of practice for the chief ethics and compliance officer (CECO). In 20+ years of practicing in the field, both as in-house CECO and outside advisor, I’ve encountered countless programs that have, on paper, all the elements of an effective program, as envisioned by the US Federal Sentencing Guidelines (FSG) and other standards. Many of these programs are implemented with the best of intentions and feature most, if not all, the FSG bells and whistles. Yet so many lack the key foundational components necessary to make those programs actually work as intended: active, knowledgeable Board engagement and a visible mandate from the top of the organization.

Little practical advice has been offered about engaging, training and reporting to the Board, for the likely reason that most CECOs are struggling just to get some face time on the Board (or Audit Committee) agenda, and the profession is in a learning curve with rapidly evolving practice in this space. At the same time, a number of high-profile settlements and important policy developments have bolstered the case for heightened Board oversight through direct, unfiltered reporting by CECOs to the governing authority.
A recent RAND Symposium, Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know[3] (RAND Directors Symposium), explored the role of director oversight of compliance and ethics, with some important takeaways on the state of Board readiness and education. Notably, a 2009 Report of the NACD Blue Ribbon Commission, Risk Governance: Balancing Risk and Reward, finds that 51.6% of directors surveyed named “[D]irectors’ understanding of how to execute risk oversight” to be their top challenge.[4] However, despite the increased expectations on Board oversight for compliance and ethics, a 2009 survey of 1,600 Association of Corporate Counsel[5] members found that:

● Only half of the survey respondents reported that their organizations assess in any way whether they operate ethically — and more broadly — just over a third reported that they have a mechanism for assessing whether their organizations operate responsibly.
● Only half of the respondents reported providing their boards with compliance or ethics training.
● 78% reported that their organizations never or only rarely undertake ethics risk assessments.[6]

A Conference Board benchmarking survey of 225 companies in a broad spectrum of industries similarly raised questions about “the degree to which boards are sufficiently informed on compliance concepts and issues to chart the program’s future course,” finding that 58% of the surveyed organizations did not train the board consistent with Federal Sentencing Guidelines training criteria and, of those that did train, 31% did so for less than one hour annually.[7]

A careful analysis of these developments, guidance and practical experience suggests that CECOs need to develop a much more robust approach to Board engagement, and Boards need to assess the state of their understanding, training and reporting mechanisms on compliance and ethics matters. This chapter offers CECOs some practical suggestions and guidance on crafting a successful strategy for Board engagement, training and reporting, with a view to supporting effective oversight by a “compliance-savvy” Board and encouraging a vigorous, best practice approach to this critical CECO activity.

I. Board Oversight of Compliance and Ethics – A Rapidly Evolving Role

The CECO’s relationship with the Board should always begin with a shared working knowledge of the evolving role of the Board to oversee compliance and ethics of their firms. Not only is this an important opening conversation during any basic Board training (because any effective learning needs to start with the “why”), but also the CECO should always structure communications with the Board in a manner that is fully responsive to their accountability for compliance and ethics governance. The mistake many CECOs make is providing the Board with too much information (all at one time), irrelevant information, or information without sufficient context.
The art and science of Board engagement, training and reporting is to develop a finely tuned sense of what kind of information, statistics and other data the Board really needs to see, and provide it in digestible, memorable, concise, easy to understand portions that are all part of a continuing conversation about compliance and ethics in the firm. Discussion on the “what” and “how” of Board communication is set out below under item IV: “Practical Considerations in Engagement, Training and Reporting.”

Any effective communication begins with understanding the point of view of the audience. (When considering the Board audience, CECOs would do well to remember the opening quote above.) Outside of compliance and ethics, today’s Boards already have a duty of care to oversee a Sisyphean array of enterprise issues including risk management (financial and non-financial), CEO and senior management succession, executive compensation, corporate strategy, major transactions, and corporate responsibility. In a 2009 report on the role of the Board for enterprise risk management, the Committee of Sponsoring Organizations of the Treadway Commission noted that “The role of the board of directors in enterprise-wide oversight has become increasingly challenging as expectations for board engagement are at all time highs… But, the complexity of business transactions, technology advances, globalization, speed of product cycles, and the overall pace of change have increased the volume and complexities of risks facing organizations over the last decade.”[8] Meanwhile, Boards have limited time and resources and multiple constituencies with often divergent interests, and receive an increasing volume of information and data with growing complexity and uncertainty.[9] Viewed within this context, the CECO is entering a crowded field of information flow to the Board and therefore must make every word (and minute of Board agenda time) relevant, valuable, and directly supportive of the Board oversight role.

To their already daunting set of responsibilities, enter the relatively new Board role for oversight of compliance and ethics. Though there is little discussion or guidance on this oversight role, one governance expert calls it “potentially one of the principal areas in which corporate directors face significant personal exposure.”[10] In a recent RAND invited white paper, “Evolving Role and Liability of the Board of Directors for Ethics and Compliance Oversight,” Gary Brown of Baker, Donelson, Bearman, Caldwell & Berkowitz P.C., further observes that: “[D]irectors must remain constantly attentive to the compliance programs that they oversee, as new agency pronouncements and high-profile settlement agreements provide new insights on “effective” compliance practice, and by extension, on the directors’ oversight role.”[11]

Legal experts trace the definition of the Board’s responsibility for compliance and ethics to the Delaware Caremark decision (1996), as augmented by Stone v. Ritter (2006) et al.[12] In the aggregate, these state court decisions establish the parameters of Board duty of care for corporate compliance activities. But while Caremark and its progeny set the foundation for director oversight of compliance and ethics, these cases are only part of the story.
Judiciary pronouncements on director duty of care must be read against the further guidance contained in the FSG setting out the elements of an effective program to be overseen by the Board.[13] The FSG further establish the Board obligation to be “knowledgeable” about the content and operation of the company program and exercise “reasonable oversight” over its implementation and effectiveness.[14] Still more detail on Board oversight is contained in the 2010 FSG amendments, which stress the significance of a “direct reporting obligation” by the CECO to the Board to avoid filtering of information by senior management.[15] Other relevant developments include the Sarbanes-Oxley Act; the OECD Good Practice Guidance for Internal Controls, Ethics and Compliance (for anti-bribery efforts by companies in 38 nations); judicial and regulatory action; agency pronouncements; and an evolving body of high-profile settlement agreements.[16] All of these factors should be considered when considering Board oversight of compliance and ethics.

A sampling of standards and other developments informing Boards on their oversight obligations for compliance and ethics follows:

● Delaware State Law Decisions (Caremark, Stone v Ritter et al.)
As noted, the Delaware cases establish the basic parameters for directors’ duty of care for corporate compliance activities. Key holding of Caremark, as validated by Stone et al.: board members may be subject to personal liability if they (a) fail to implement any reporting or information system or controls, or (b) having implemented such a system, fail to monitor or oversee its operations (e.g., ignore red flags).[17] These cases take on additional meaning when read against the more detailed standards of the FSG and other evolving guidance.
● US Federal Sentencing Guidelines (including 2004 and 2010 Amendments)
In addition to defining the elements of an effective compliance and ethics program to prevent and detect organizational misconduct, the 2004 amendments expressly set out directors’ duty to be “knowledgeable about the content and operation of the program” and to exercise “reasonable oversight” over its implementation and effectiveness. The expectation for the Board to have direct accountability for oversight (i.e., not filtered by management) is further underscored by the 2010 FSG amendments, which cite a personal, “direct reporting obligation” of the CECO to the Board as required criteria for companies seeking credit under FSG where “high-level personnel” were involved in misconduct.[18]

● Sarbanes-Oxley Act
The 2002 Sarbanes-Oxley Act established, among other things, new levels of accountability for directors of public companies, including the direct duty to establish a confidential means for employees to raise concerns about fraud to the Board.[19]

● OECD Good Practice Guidance on Internal Controls, Ethics and Compliance
This annex to the 2009 OECD Recommendation for Further Combating Bribery of Foreign Public Officials in International Business Transactions sets out guidance for anti-bribery compliance programs to be implemented by 38 signatory nations, including expectation for oversight by “senior corporate officers, with an adequate level of autonomy from management, resources, and authority.”[20] More CECO autonomy translates into direct, unfiltered oversight by the Board.

● Relevant Industry Standards
Some regulated industries such as health care have additional standards and guidance
for Board oversight, such as the OIG/AHL Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors.[21]

● Tenet
As part of its $900 million settlement with the Office of Inspector General for Health and Human Services for kickbacks, fraud and other misconduct, the company agreed to unprecedented commitments regarding Board oversight, including a quarterly review and certification by the Board.[22]

● Pfizer Settlement
In addition to criminal and civil fines of $2.3 billion for marketing abuses (the largest corporate criminal fine in corporate history), the company agreed on specific structures to ensure director oversight of the compliance program, including quarterly director certification of the program, a new reporting structure for the CECO that stipulates a direct reporting line to the CEO with direct access to the Board, and formation of a Compliance Committee chaired by the CECO.[23]

● Mellon Bank
In 2006, the US Attorney for Western District of Pennsylvania entered into a settlement agreement with Mellon Bank after employees at its Pittsburgh office systematically destroyed tax returns rather than miss a deadline to process them on behalf of the IRS. The settlement agreement sets out clear undertakings by the Board to improve oversight of the compliance and ethics program including training and issuance of a strong Board resolution on Board role, and direct reporting line and direct access for CECO to the Board.[24]

● Siemens Settlements with Executive Board Members
As part of the fallout from the $1.3 billion U.S. penalty against the German industrial giant for corruption and bribery, the company pursued individually eleven former members of its managing and supervisory boards for failing to properly oversee the firm’s business practices, resulting in nine settlements between $1m and $5m per director.[25] The company is continuing to pursue two other directors for damages.
● Department of Justice — McNulty Charging Memorandum
The adequacy of Board oversight was expressly noted as a key factor to be considered by prosecutors in deciding whether to charge corporations. In a 2006 memorandum setting out internal guidance for prosecutors to use in deciding whether to charge corporations and in plea agreements, the Department of Justice (through the then-Deputy Attorney General, Paul McNulty) noted that in considering “the adequacy of a pre-existing compliance program,” prosecutors should ask, inter alia, whether the board ...