Board oversight of corporate compliance: Is it time for a refresh?

The board's role

It seems axiomatic that the board is responsible for risk oversight. In fact, risk oversight is one of the board’s most critical roles. The cases and DOJ Guidance Document discussed, as well as many other court rulings and government pronouncements, make it clear that monitoring compliance is a critical component of risk oversight. Whether and how a board executes that oversight responsibility can have profound impacts on the company, including its very survival, and on the board and its members.

Accordingly, every board needs to be satisfied that the company has a program to assess and monitor compliance. Neither the program nor the board’s oversight needs to be infallible; what is required is that the program and the board’s oversight are reasonable. For example, a company that has experienced compliance weaknesses or breakdowns may require more oversight, at least in the short- and medium-terms, than a company with a clean, long-term record of compliance. It’s also noteworthy that compliance oversight, like other board responsibilities, is not a “set it and forget it” matter; the board needs to remain vigilant when it comes to monitoring compliance. This does not mean that the topic must be addressed at every meeting or that the board’s other responsibilities can be ignored. Again, consider what is reasonable in the circumstances.

Moreover, compliance oversight is not something that the board needs to address entirely on its own. Boards can and, in some cases should, engage outside advisers to assist them in monitoring compliance risks, including assessing whether existing compliance procedures and practices are appropriate or, if not, how they might be enhanced. And when a problem arises, boards need to consider engaging outside, independent investigators to ascertain key facts.

Time for a refresh?

Against this backdrop, and in view of the responses to the survey used in preparing the Board Practices Report, corporate boards may benefit from taking—and in some cases may need to take—a fresh look at the way they exercise their duty of diligent oversight around compliance.

In undertaking such a review, boards should seek to ask the “tough questions”—the areas where recent history has shown that corporate compliance programs have experienced breakdowns. The following are suggestions (not all-inclusive) of the types of topics that can be productively explored:

1. Do we have a comprehensive code of conduct, and policies, procedures, and internal controls surrounding compliance?
2. Does our compliance program satisfy legal and regulatory requirements? How do we keep the program current in response to changing requirements and circumstances?
3. Who is responsible for monitoring and enforcing compliance with the program? Do they have adequate resources and unfettered access to senior management and the board? to compliance?
4. Do we have centralized “help lines” and employee reporting systems with multiple channels for employees to raise concerns?
5. Are we doing enough to publicize our compliance program to employees so that they are aware of it and of the resources available to them?
6. How do we monitor the effectiveness of our compliance program?
7. How do we ascertain that the program is effectively enforced consistently across our business?
8. Is management demonstrating an appropriate “tone at the top” where compliance is concerned?
9. Do we conduct regular risk assessments to help ensure that our compliance efforts are appropriately prioritized and focused?
10. How are we driving compliance with suppliers and vendors in our extended enterprise environment?

In considering these and other questions, boards need to engage in self-examination. Does the board itself demonstrate the right tone? Does the culture in the boardroom support the values of compliance, or do directors treat it as just another check-the-box item?