Board needs help monitoring ethics and compliance program
There is no question that the expectations placed on board members have changed in recent years. Serving on a board today is analogous to competing on American Idol. There is a multitude of people watching what you do and a few – mainly enforcement officials and a variety of activists – ready to throw you out if you don’t measure up. Clearly, board service requires greater preparation, greater engagement and greater diligence than ever before; at least for those board members who want to reduce their personal exposure.
As more companies are faced with accounting, options backdating, bribery and other kinds of scandals, more attention has also been focused on the board’s role in overseeing an ethics and compliance program. While many directors have a basic understanding of compliance, few have the expertise and experience necessary to effectively monitor management’s performance in building, implementing and maintaining an effective ethics and compliance program. The checklist on the final page of this article is intended to help quickly assess how your organization’s compliance and ethics program measures up. I suggest you fill out the checklist now. Then, if you are comfortable with the score, skip the rest of the article. If you are uncomfortable with the score, perhaps you should read on.
Obviously, there is more to an effective compliance and ethics program than answering the simple questions on this checklist. However, the benchmarks articulated in the checklist reflect current best practices in ethics and compliance programs and can serve as a mechanism by which board members can ensure that they are setting the right tone and that management is delivering. Meeting these benchmarks will not guarantee that your organization will never have trouble, but it will significantly decrease the risk and your organization’s exposure when misconduct occurs. The following paragraphs correspond to the checklist questions.
The basis for any program
The organizational sentencing guidelines (OSG) are the foundation for any effective compliance program, at least in the US. The OSG require a company’s governing authority to be ‘knowledgeable about the content and operation of the compliance and ethics program and … exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.’ The OSG also require the appointment by the organization of ‘high level personnel’ to oversee the program. While this role may be adjunct to another role in a small organization, larger organizations generally have a dedicated ethics and compliance officer (ECO). Please note that the ECO is not responsible for compliance; management is. However, it is the ECO’s role to give management the tools necessary to promote ethics and compliance, and to report to the board and management about the progress they are making in implementing the program. The ECO should report directly to the audit committee, preferably with a dotted line to the CEO.
Two important roles of the ECO include bringing bad news to the attention of management and the board, and occasionally advising senior management that what they have done – or haven’t done – is inconsistent with company policy, the law or accepted ethical standards. Unfortunately, there are countless examples of people whose employment was terminated when they rocked the boat. Even the most conscientious ECO may have a difficult time telling a CEO that his or her conduct was flawed. You are much more likely to get candid conversation from an ECO who feels secure in their position. Moreover, the presence of a severance agreement should make management think a little harder before they act inappropriately.
We would all prefer that employees raise concerns through the management chain. However, too often that approach doesn’t get results. An anonymous hotline, coupled with prompt and thorough investigation and regular reporting to the board, is an important tool for ensuring that employees can effectively raise concerns. Moreover, both Sarbanes-Oxley and the OSG effectively require hotlines.
A board (or appropriate committee) cannot effectively oversee the compliance program if it doesn’t know what is going on. Unfiltered board reporting is essential, as are occasional executive sessions with the ECO. If you or senior management don’t trust the ECO to have direct access to the board, chances are high you have the wrong person in this role.
Relevant and consistent education is a necessary element of an effective program. All employees should be oriented to the organization’s code of conduct and compliance and ethics program. Employees who materially impact high-risk areas or have significant authority should receive regular, job-specific education.
SOX requires the audit committee to have a financial expert. Adding an experienced compliance professional to the committee overseeing ethics and compliance applies the same logic. Moreover, enforcement authorities, settlement agreements and deferred prosecution agreements have all endorsed and/or imposed this requirement. It is quickly becoming a best practice, particularly in highly regulated sectors.
Playing the best defense
Compliance and ethics programs should include a range of specific and measurable objectives that address both the structural and the substantive aspects of your organization’s programs. These objectives serve three important purposes. First, they communicate to business unit leaders what they need to do to effectively implement the program. The reality is that compliance and ethics cannot be management’s principal focus. Consequently, both the board and management should work with the ECO and business unit leaders to develop relevant, specific and measurable objectives that will promote the efficient implementation of the program and enable management to focus on delivering results.
Second, specific and measurable objectives afford protection to the business leaders and management. If an issue of non-compliance occurs, the managers and directors unaware of or not involved in the non-compliant activity should reasonably be able to say they followed the compliance and ethics program and, therefore, cannot be held liable. In the absence of direct evidence to the contrary, this is usually the case. Such metrics should consequently be welcomed by competent and thoughtful operators.
Clearly, the development of specific, measurable objectives serves a defensive role for the organization. It should be more difficult for a state or federal prosecutor to make the case that the organization was indifferent to corruption or sought profits at the expense of compliance when there is a plethora of evidence that the organization was committed to compliance and corrected problems brought to its attention. This tactic also helps boards and management defend the organization against the misbehavior of rogue employees.
Finally, if properly developed, these objectives form the basis upon which the board and management evaluate program effectiveness.