Board oversight of corporate compliance: Is it time for a refresh? has been saved
Board oversight of corporate compliance: Is it time for a refresh?
On the board’s agenda – September 2019
Compliance oversight as a board responsibility
Nearly 25 years have passed since a landmark decision of the Delaware Chancery Court involving the board’s role in compliance oversight. The case was based upon claims that the board in question had breached its fiduciary duty regarding compliance with legal requirements applicable to health care providers, leading to an extensive federal investigation, an indictment charging multiple federal felonies, and fines, penalties, and damages approximating $250 million. Among its other findings, the Chancery Court concluded that:
“a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and . . . failure to do so under some circumstances may . . . render a director liable for losses caused by non-compliance with applicable legal standards.”
As a result of this decision and its progeny, it is now settled doctrine that a board of director’s fiduciary duties include establishing that management has an effective corporate compliance program in place, exercising oversight of that program, and taking regular steps to stay informed of the program’s content and operation. Aside from the many adverse consequences of an inadequate compliance program, a breach of these duties can result in shareholder derivative litigation, and may even subject board members to personal liability under some circumstances (though that did not happen in the case cited above). Of equal or greater importance, a compliance failure can lead to critical operational, reputational, and other business challenges that can haunt a company for years—or even destroy it.
The board's role
It seems axiomatic that the board is responsible for risk oversight. In fact, risk oversight is one of the board’s most critical roles. The cases and DOJ Guidance Document discussed, as well as many other court rulings and government pronouncements, make it clear that monitoring compliance is a critical component of risk oversight. Whether and how a board executes that oversight responsibility can have profound impacts on the company, including its very survival, and on the board and its members.
Accordingly, every board needs to be satisfied that the company has a program to assess and monitor compliance. Neither the program nor the board’s oversight needs to be infallible; what is required is that the program and the board’s oversight are reasonable. For example, a company that has experienced compliance weaknesses or breakdowns may require more oversight, at least in the short- and medium-terms, than a company with a clean, long-term record of compliance. It’s also noteworthy that compliance oversight, like other board responsibilities, is not a “set it and forget it” matter; the board needs to remain vigilant when it comes to monitoring compliance. This does not mean that the topic must be addressed at every meeting or that the board’s other responsibilities can be ignored. Again, consider what is reasonable in the circumstances.
Moreover, compliance oversight is not something that the board needs to address entirely on its own. Boards can and, in some cases should, engage outside advisers to assist them in monitoring compliance risks, including assessing whether existing compliance procedures and practices are appropriate or, if not, how they might be enhanced. And when a problem arises, boards need to consider engaging outside, independent investigators to ascertain key facts.
Time for a refresh?
Against this backdrop, and in view of the responses to the survey used in preparing the Board Practices Report, corporate boards may benefit from taking—and in some cases may need to take—a fresh look at the way they exercise their duty of diligent oversight around compliance.
In undertaking such a review, boards should seek to ask the “tough questions”—the areas where recent history has shown that corporate compliance programs have experienced breakdowns. The following are suggestions (not all-inclusive) of the types of topics that can be productively explored:
- Do we have a comprehensive code of conduct, and policies, procedures, and internal controls surrounding compliance?
- Does our compliance program satisfy legal and regulatory requirements? How do we keep the program current in response to changing requirements and circumstances?
- Who is responsible for monitoring and enforcing compliance with the program? Do they have adequate resources and unfettered access to senior management and the board? to compliance?
- Do we have centralized “help lines” and employee reporting systems with multiple channels for employees to raise concerns?
- Are we doing enough to publicize our compliance program to employees so that they are aware of it and of the resources available to them?
- How do we monitor the effectiveness of our compliance program?
- How do we ascertain that the program is effectively enforced consistently across our business?
- Is management demonstrating an appropriate “tone at the top” where compliance is concerned?
- Do we conduct regular risk assessments to help ensure that our compliance efforts are appropriately prioritized and focused?
- How are we driving compliance with suppliers and vendors in our extended enterprise environment?
In considering these and other questions, boards need to engage in self-examination. Does the board itself demonstrate the right tone? Does the culture in the boardroom support the values of compliance, or do directors treat it as just another check-the-box item?