Board Oversight of Corporate Compliance: Is it Time for a Refresh?

Posted by Robert Biskup, Krista Parsons, and Robert Lamm, Deloitte LLP, on
Tuesday, October 15, 2019
Comments Off on Board Oversight of Corporate Compliance: Is it Time for a Refresh? print this page Print
, , , , , , , , ,
More from: , , ,

Robert Biskup is a managing director at Deloitte Risk & Financial Advisory, Krista Parsons is a managing director at Deloitte & Touche LLP, and Robert Lamm is Independent Senior Advisor at the Center for Board Effectiveness at Deloitte LLP. This post is based on their Deloitte memorandum.

Introduction—Compliance oversight as a board responsibility

Nearly 25 years have passed since a landmark decision of the Delaware Chancery Court involving the board’s role in compliance oversight. The case was based upon claims that the board in question had breached its fiduciary duty regarding compliance with legal requirements applicable to health care providers, leading to an extensive federal investigation, an indictment charging multiple federal felonies, and fines, penalties, and damages approximating $250 million. Among its other findings, the Chancery Court concluded that:

“a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and . . . failure to do so under some circumstances may . . . render a director liable for losses caused by non-compliance with applicable legal standards.” [1]

As a result of this decision and its progeny, it is now settled doctrine that a board of director’s fiduciary duties include establishing that management has an effective corporate compliance program in place, exercising oversight of that program, and taking regular steps to stay informed of the program’s content and operation. Aside from the many adverse consequences of an inadequate compliance program, a breach of these duties can result in shareholder derivative litigation, and may even subject board members to personal liability under some circumstances (though that did not happen in the case cited above). Of equal or greater importance, a compliance failure can lead to critical operational, reputational, and other business challenges that can haunt a company for years—or even destroy it.

A disconnect?

Despite this long-standing guidance, there are indications that some boards may not fully understand or appreciate the importance of their fiduciary obligations with respect to compliance. In the 11th edition of the Board Practices Report—a collaborative effort between Deloitte LLP’s Center for Board Effectiveness and the Society for Corporate Governance—almost 40 percent of the public company boards surveyed reported that their company’s chief compliance officer does not regularly attend audit committee meetings, and 70 percent reported that the chief compliance officer does not regularly attend board meetings. Only 17 percent of those surveyed reported that the chief compliance officer is responsible for managing culture risk, and only 50 percent reported that their board training includes content on ethics and compliance.

Some recent reminders on board oversight of compliance

At a minimum, these statistics are troubling. After all, the case referred to above remains the definitive statement of board responsibilities in this area. Moreover, the importance of board oversight of compliance has been reinforced—and arguably strengthened—time and time again in court rulings and otherwise.

For example, in June 2019, the Delaware Supreme Court issued an opinion in Marchand v. Barnhill, [2] allowing a lawsuit to proceed challenging the directors’ alleged failure to oversee properly a company’s compliance program and related efforts. Marchand involved an ice cream company that suffered a listeria outbreak, causing the company to recall all of its products, shut down production at all of its plants, and lay off over a third of its workforce. The outbreak caused three deaths, and stockholders suffered losses when the company suffered a liquidity crisis that forced it to accept a dilutive private equity investment.

The Marchand opinion has some particularly trenchant comments about the need for board oversight:

“As a . . . company that makes a single product—ice cream— [the company] can only thrive if its consumers enjoyed its products and were confident that its products were safe to eat. That is, one of [the company’s] central compliance issues is food safety. Despite this fact, the complaint alleges that . . . the board had no committee overseeing food safety, no full board-level process to address food safety issues, and no protocol by which the board was expected to be advised of food safety reports and developments. Consistent with this dearth of any board-level effort at monitoring, the complaint pleads particular facts supporting an inference that during a crucial period when yellow and red flags about food safety were presented to management, there was no equivalent reporting to the board and the board was not presented with any material information about food safety.”

The only matter addressed by the court was whether the lawsuit could proceed; accordingly, the opinion was based solely upon the allegations in the complaint, and not established facts. However, while the ultimate responsibility of the board has yet to be determined, the opinion makes it clear that the board has oversight responsibility for food safety that it may have executed improperly, if at all.

Another recent development is the April 2019 publication of a “Guidance Document” on corporate compliance programs by the Criminal Division of the US Department of Justice (DOJ). The Guidance Document covers much territory, outlining factors the DOJ will consider in determining whether to investigate and/or prosecute companies for compliance failures. However, one theme that flows throughout is the critical role of the board in overseeing corporate ethics and compliance programs, as demonstrated by the following statements:

  • “The company’s top leaders—the board of directors and executives—set the tone for the rest of the company.”
  • “What compliance expertise has been available on the board of directors?”
  • “[Has] the board of directors . . . held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?”
  • “[P]rosecutors should address . . . whether those responsible for compliance have . . . sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.”

These and other statements make it clear that, in the eyes of the DOJ, a board’s effective oversight of compliance will include regular personal interaction with the compliance function and its personnel, and appropriate safeguards (e.g., executive sessions) to protect the autonomy and independence of the compliance function.

The board’s role

It seems axiomatic that the board is responsible for risk oversight. In fact, risk oversight is one of the board’s most critical roles.

The cases and DOJ Guidance Document discussed above, as well as many other court rulings and government pronouncements, make it clear that monitoring compliance is a critical component of risk oversight. Whether and how a board executes that oversight responsibility can have profound impacts on the company, including its very survival, and on the board and its members.

Accordingly, every board needs to be satisfied that the company has a program to assess and monitor compliance. Neither the program nor the board’s oversight needs to be infallible; what is required is that the program and the board’s oversight are reasonable.

For example, a company that has experienced compliance weaknesses or breakdowns may require more oversight, at least in the short- and medium-terms, than a company with a clean, long-term record of compliance. It’s also noteworthy that compliance oversight, like other board responsibilities, is not a “set it and forget it” matter; the board needs to remain vigilant when it comes to monitoring compliance. This does not mean that the topic must be addressed at every meeting or that the board’s other responsibilities can be ignored. Again, consider what is reasonable in the circumstances.

Moreover, compliance oversight is not something that the board needs to address entirely on its own. Boards can and, in some cases should, engage outside advisers to assist them in monitoring compliance risks, including assessing whether existing compliance procedures and practices are appropriate or, if not, how they might be enhanced. And when a problem arises, boards need to consider engaging outside, independent investigators to ascertain key facts.

Time for a refresh?

Against this backdrop, and in view of the responses to the survey used in preparing the Board Practices Report, corporate boards may benefit from taking—and in some cases may need to take—a fresh look at the way they exercise their duty of diligent oversight around compliance.

In undertaking such a review, boards should seek to ask the “tough questions”—the areas where recent history has shown that corporate compliance programs have experienced breakdowns. The following are suggestions (not all-inclusive) of the types of topics that can be productively explored:

  1. Do we have a comprehensive code of conduct, and policies, procedures, and internal controls surrounding compliance?
  2. Does our compliance program satisfy legal and regulatory requirements? How do we keep the program current in response to changing requirements and circumstances?
  3. Who is responsible for monitoring and enforcing compliance with the program? Do they have adequate resources and unfettered access to senior management and the board? to compliance?
  4. Do we have centralized “help lines” and employee reporting systems with multiple channels for employees to raise concerns?
  5. Are we doing enough to publicize our compliance program to employees so that they are aware of it and of the resources available to them?
  6. How do we monitor the effectiveness of our compliance program?
  7. How do we ascertain that the program is effectively enforced consistently across our business?
  8. Is management demonstrating an appropriate “tone at the top” where compliance is concerned?
  9. Do we conduct regular risk assessments to help ensure that our compliance efforts are appropriately prioritized and focused?
  10. How are we driving compliance with suppliers and vendors in our extended enterprise environment??

In considering these and other questions, boards need to engage in self-examination. Does the board itself demonstrate the right tone? Does the culture in the boardroom support the values of compliance, or do directors treat it as just another check-the-box item?

Conclusion

Regulatory and other guidance on “effective” corporate compliance programs has evolved to the point that the necessary content and operation of those programs can be well understood. Equally, the board’s fiduciary duties surrounding compliance oversight are clear and important. Recent events suggest that boards may be well served by re-examining how they address these duties so that, as with many other responsibilities, they are fulfilled in an appropriate manner.

Endnotes

1The opinion in this matter can be found here.(go back)

2https://courts.delaware.gov/Opinions/Download.aspx?id=291200(go back)

Both comments and trackbacks are currently closed.