Categories
Compliance Tip of the Day

Compliance Tip of the Day – Compliance Expertise on Board

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Just as ever corporate Board of Directors should have a Compliance Committee and a compliance expert on the Board.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the entire 3-book series, The Compliance Kids, on Amazon.com.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Board Compliance Committee

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Every corporate Board of Directors should have a Compliance Committee.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Compliance Obligation for Boards

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we begin considering Board obligations around compliance.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Board Questions and Metrics for 3rd Party Risk Management

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider what questions a Board of Directors should ask a CCO and the types of metrics they should ask for in their role of overseeing the compliance program.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Blog

Board Oversight of Third-Party Risk Management: Key Questions and Metrics for Effective Governance

The Telephonica Venezuela FCPA enforcement action reminds us that third-party risk management is one of the most critical components of a corporate compliance program. From suppliers and distributors to agents and joint venture partners, third parties can expose a company to significant compliance risks, including bribery, data security breaches, and regulatory violations. For a Board of Directors, effective oversight of third-party risk management is essential to fulfill its fiduciary duties and ensure that the organization mitigates these potential threats.

For boards, the responsibility involves more than just reviewing policies or compliance assessments. It requires a proactive approach, regularly engaging with the Chief Compliance Officer (CCO) and demanding specific information to confirm that third-party risks are effectively managed. Today, we will consider some key questions a board should ask and key metrics that boards should track to ensure their oversight of third-party risk management.

Key Questions a Board Should Ask About Third-Party Risk Management

To provide effective oversight, board members should ask the CCO a series of targeted questions that illuminate the strengths and weaknesses of the organization’s third-party compliance efforts. These questions can guide discussions around key areas such as due diligence, monitoring, training, and incident response.

  • What is our Third-Party Risk Profile?

This foundational question helps the Board understand the scope of the organization’s third-party network and the inherent risks involved. The CCO should be able to explain how third-party risk is assessed, classified, and prioritized. This includes geographic, industry, and transactional risks that may be more prevalent in high-risk regions or industries such as defense, oil and gas, and healthcare.

  • What Due Diligence Processes are in Place?

The Board should ask about the specific due diligence processes for third parties. This includes initial onboarding assessments, background checks, and ongoing monitoring. Understanding the due diligence process, including who is responsible, the standards used, and whether enhanced due diligence is conducted for high-risk third parties, is critical for oversight.

  • How Do We Ensure Continuous Monitoring of Third Parties?

It is not enough to perform due diligence only once. Continuous monitoring is essential to detect a third party’s risk profile changes. The Board should ask about the tools and technologies used for monitoring, the frequency of updates, and how compliance continuously evaluates third parties for new risks, such as changes in ownership, regulatory status, or financial stability.

  • How Do We Address Identified Risks?

A key component of third-party risk management is having procedures to address identified risks. The Board should inquire about the company’s approach to risk mitigation, including risk-adjusted measures for different risk levels. Are high-risk third parties subject to contract clauses or specific compliance obligations? Does the organization maintain a system to monitor the ongoing effectiveness of risk mitigation efforts?

  • What Training and Awareness Programs Do We Have in Place?

The Board should ask how compliance trains third parties on relevant laws, policies, and expectations, especially concerning anti-corruption, data protection, and ethics. Additionally, internal stakeholders involved in third-party management, such as procurement and finance, should receive specialized training to help them recognize red flags.

  • What is Our Process for Reporting and Escalating Third-Party Compliance Issues?

Knowing that issues will inevitably arise, the Board should ask how the organization reports and escalates third-party compliance concerns. Does the CCO have direct access to the Board in case of serious compliance violations? Is there a protocol for handling third-party incidents that could affect the company’s regulatory standing or reputation?

  • How Do We Measure the Effectiveness of Our Third-Party Risk Management?

The effectiveness of the third-party compliance program is a priority for the Board. Asking for metrics and other objective measures helps ensure that the program is well-designed and functioning as intended. The Board should proactively seek quantitative and qualitative evidence of effectiveness.

Key Metrics for Third-Party Risk Management Oversight

Metrics are invaluable for Board members seeking to monitor the compliance program’s health. The CCO should be able to provide regular updates on the following metrics, each offering insight into specific aspects of third-party risk management.

  • Number of Third Parties by Risk Category

This metric breaks down the organization’s third parties by risk level (e.g., low, medium, high). This provides the Board with a snapshot of the company’s risk exposure and helps them assess whether the program is appropriately resourced to manage the volume of high-risk third parties.

  • Percentage of Third Parties with Completed Due Diligence

Tracking this metric shows whether the company is adhering to its compliance policies. Ideally, 100% of third parties should undergo due diligence before onboarding, and any gaps here could signal significant compliance weaknesses.

  • Average Time to Complete Due Diligence

This metric reveals the efficiency of the due diligence process. Long turnaround times can delay critical partnerships and increase risk exposure, while excessively fast times may suggest that due diligence needs to be sufficiently thorough. Boards should look for a balanced metric that reflects both efficiency and comprehensiveness.

  • Incidents of Non-Compliance Among Third Parties

The Board should be regularly informed of compliance incidents involving third parties. This metric could be broken down by type of violation (e.g., anti-bribery, data privacy, labor practices) and severity. Tracking these incidents over time helps the Board evaluate the program’s effectiveness and whether additional resources are needed.

  • Percentage of High-Risk Third Parties Monitored Regularly

Continuous monitoring is vital to effective risk management, particularly for high-risk third parties. This metric provides insight into how often high-risk third parties are reassessed, which can inform the Board about the level of vigilance being applied to higher-risk partners.

  • Training Completion Rates for Third Parties and Internal Teams

Effective third-party risk management requires third parties and the internal teams who work with them to understand the compliance risks and policies. This metric tracks how many third-party representatives and relevant employees have completed compliance training, an essential factor in reducing risk.

  • Average Time to Resolve Third-Party Compliance Issues

This metric measures the organization’s responsiveness to third-party compliance concerns. Quick resolution times may indicate an efficient and effective response system, while delays might suggest resource constraints or procedural bottlenecks. Boards should look for a metric that balances speed and thoroughness.

  • Costs of Third-Party Compliance Program

The Board should also monitor the financial investment in third-party compliance to assess if the program is adequately funded. This includes costs for due diligence, continuous monitoring, training, and compliance technology. Comparing these costs against third-party risk levels can help determine if the program is appropriately resourced.

Leveraging Metrics for Continuous Improvement

By tracking these metrics, Boards ensure that third-party risks are being effectively managed and can drive continuous improvement in the compliance function. Over time, trends will emerge, highlighting areas where the program may need reinforcement. For instance:

  • Increasing compliance incidents among third parties could indicate a need for enhanced due diligence or more stringent onboarding criteria.
  • Declining training completion rates suggest a lack of engagement from third parties, potentially due to ineffective communication or training methods that must be revisited.
  • Prolonged resolution times for compliance issues might signal the need for process optimization or additional staff in the compliance team.

The Board should encourage the CCO to use these insights to fine-tune the program and prioritize high-impact initiatives. Additionally, boards should expect the CCO to present metrics and narrative insights, offering a holistic view of the third-party compliance landscape and how specific metrics relate to broader compliance goals.

Fostering a Culture of Accountability and Compliance

Board oversight of third-party risk management is no longer a mere checkbox—it’s a crucial part of protecting the organization’s reputation, ensuring regulatory compliance, and building a resilient corporate structure. By asking the right questions and tracking key metrics, Boards can proactively ensure that third-party risks are managed effectively.

An engaged Board that emphasizes the importance of third-party compliance sends a powerful message across the organization and beyond. When Boards hold the compliance function accountable and demand robust third-party oversight, they not only mitigate potential risks but also foster a culture of integrity and accountability that resonates with employees, partners, and stakeholders alike. This, in turn, strengthens the entire organization, building a foundation of trust and resilience that will serve it well in any compliance landscape.

Categories
Blog

What Should a Chief Compliance Officer Report to the Board of Directors?

The Chief Compliance Officer (CCO) role is essential in building an organization that meets regulatory standards and upholds a robust ethical culture. But what should the CCO be reporting to the Board of Directors to ensure they understand the full scope of the company’s compliance landscape? This post will consider the essential elements of an effective Board report from the CCO. These elements will help foster transparency, trust, and accountability between the compliance function and the highest levels of corporate oversight.

  • Overview of Compliance Program Structure and Key Updates

An essential part of a CCO’s responsibility to the Board is to ensure they understand how the compliance function is structured and resourced. This includes an overview of the compliance team, its reporting lines, and any recent structural changes. The CCO should also emphasize that the compliance function has the independence, resources, and support to operate effectively.

For example, it is useful to discuss whether additional resources are needed—such as an increased budget, training for compliance staff, or investments in new technology to improve monitoring. Even more crucial is regularly informing the Board about fundamental personnel changes in the compliance team, including new hires or departures. This assures the Board that the compliance team is fully staffed and led by individuals with the experience and knowledge necessary to accomplish the organization’s compliance goals.

  • Risk Assessment and Emerging Compliance Risks

One of the CCO’s primary duties is to ensure that the Board is aware of the organization’s compliance risks. An annual or quarterly update on the status of these risks—mainly if there are high-priority or emerging risks—is critical. The CCO should discuss the results of any recent risk assessments, including:

  1. The top risks currently facing the organization.
  2. Risks associated with new business ventures or geographic expansion.
  3. Changes in geo-political or regulatory landscapes that may impact risk exposure.

For instance, if the company is expanding operations in a high-risk country for bribery or data privacy, this development should be highlighted, along with any steps the compliance team is taking to mitigate the risk. The goal here is not to overwhelm the Board with excessive detail but rather to provide a clear view of where the most significant vulnerabilities lie and what strategies are in place to address them.

The Board should leave these discussions to understand the nature and scope of the company’s compliance risks and the level of oversight being applied to manage those risks. This will reassure them that the company is not only aware of potential threats but is proactively addressing them.

  • Status of Key Compliance Initiatives and Program Enhancements

Board members must see that the compliance program is not static but a dynamic, continuously improving function. The CCO should regularly report on ongoing compliance initiatives and any recent improvements to the program. This can include initiatives such as:

  1. Enhancing third-party risk processes.
  2. Implementing new training programs.
  3. Developing better monitoring and auditing capabilities.

These initiatives should align with the company’s strategic goals, and the CCO can emphasize how compliance supports and reinforces these objectives. For example, if the company has adopted a new code of conduct or revised anti-corruption policies, the CCO should detail how these updates are being rolled out, communicated, and embedded into the organization’s culture.

Additionally, metrics that measure the success of these initiatives are invaluable. For example, sharing compliance training completion rates, results from employee feedback surveys on compliance topics, or the reduction of hotline reports in specific areas can help the Board understand the program’s impact and areas that may need further attention.

  • Compliance Investigations and Response to Issues

Transparency about compliance investigations and their outcomes is fundamental to the Board’s oversight responsibilities. The CCO should provide a high-level overview of significant compliance incidents, particularly those that pose a financial, operational, or reputational risk to the company. This discussion should include:

  1. The nature of the issue or alleged violation.
  2. The investigative steps taken.
  3. Any corrective actions or disciplinary measures implemented.

The CCO should also clearly explain how these issues were detected—whether through internal audits, whistleblower reports, or monitoring activities—demonstrating that the compliance function effectively catches and addresses problems early. It’s important to note that the Board does not need the names of individuals involved or granular details. Instead, they should receive summaries on patterns, issues encountered, and root causes.

Discussions on trends emerging from investigations—such as recurring issues in specific geographies or business units—can provide the Board with valuable insights into potential vulnerabilities. This information also equips the Board to ask strategic questions about how the company’s compliance efforts address these trends, thus bolstering their understanding and oversight of the compliance program.

  • Compliance Program Metrics and KPIs

Measurable data points—such as Key Performance Indicators (KPIs)—are crucial to effective board reporting. Metrics help the Board understand how well the compliance program is performing and identify areas for potential improvement. Examples of relevant compliance metrics include:

  1. Training effectiveness rates across the organization.
  2. Number of hotline calls and resolution time.
  3. Frequency and outcomes of internal audits.
  4. Employee survey results on compliance culture and awareness.

It is helpful to present these metrics in a clear, accessible format, perhaps in the form of dashboards or visual aids, so the Board can quickly grasp the current state of the compliance program. By monitoring trends in these metrics over time, the Board can see the program’s evolution and any areas where additional focus or resources may be needed.

  • Status of the Compliance Culture and “Tone from the Top”

Building a culture of compliance starts at the top, and the Board plays a critical role in establishing this tone. The CCO should regularly report on the company’s compliance culture, noting any shifts or improvements. This could include:

  1. Results from employee surveys on attitudes towards compliance.
  2. Observations from site visits or engagement with various departments.
  3. Feedback from middle management on employee engagement with compliance.

If the company’s compliance culture has gaps, this is the ideal time to discuss closing steps. The CCO can use this section of the report to highlight the role of senior leaders and managers in reinforcing compliance messages. For instance, showcasing how top executives have engaged in recent compliance campaigns or have visibly supported compliance initiatives demonstrates a commitment to ethical conduct and can serve as a model for others.

  • Resources and Budget: Ensuring Adequate Support

One of the most significant concerns the Board should be aware of is whether the compliance function is adequately resourced. The CCO should use this portion of the report to discuss additional needs, such as funding for new technology, more staff to support compliance efforts in high-risk regions or enhanced training programs.

If budget constraints have affected the compliance program, this is also the time to discuss those challenges with the Board. Clear communication about resource needs can help the Board advocate for the compliance function, ensuring it has the tools to mitigate risks effectively. Adequate funding and resources were mandated in the 2024 Evaluation of Corporate Compliance Programs, and CCOs need to explain to the Board their responsibility to ensure this mandate is met.

  • Regulatory Updates and External Trends

Keeping the Board informed of the latest regulatory developments is also crucial. This includes new or evolving laws that could impact the business, industry trends in compliance and enforcement actions against companies in similar sectors. For example, if a new data protection law exists in a region where the company operates, the CCO should outline how the compliance team is preparing to address it.

This part of the report ensures the Board is aware of potential compliance-related challenges on the horizon and provides context for any new initiatives or policy updates the compliance team may propose in response to regulatory changes.

  • The CCO’s Essential Role in Equipping the Board

The relationship between the CCO and the Board is one of the cornerstones of an effective compliance program. By providing a comprehensive, transparent, and strategic report, the CCO empowers the Board to fulfill its oversight responsibilities, making informed decisions that support and enhance the company’s commitment to compliance and ethical conduct.

An effective board report is about more than compliance updates; it is an opportunity to reinforce the importance of compliance, highlight the program’s successes, and communicate any challenges that lie ahead. By keeping these eight core elements in mind, CCOs can ensure their reports inform and engage the Board, fostering a culture of accountability that permeates the entire organization.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: TD Bank Lessons Learned: The Board and It’s Duty of Oversight

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Under the Caremark Doctrine, the Board of Directors has clear duties not to put their head in the sand and engage in conscious indifference.

Categories
Blog

Bank of America’s Corporate Culture Crisis: Part 4 – A Tale of Metrics and Misalignment: Lessons for Compliance Professionals

Compliance professionals constantly seek to understand how systemic issues within corporate hierarchies can lead to severe consequences. The recent revelations about Bank of America’s (BoA) persistent workplace culture problems are a powerful reminder of compliance’s critical role in safeguarding employees and the organization.

This week, I will explore the BoA failure around workplace culture from various perspectives articulated by the Everything Compliance gang, including Karen Woody, Jonathan Armstrong, Matt Kelly, Karen Moore, and Jonathan Marks. This exploration will include the failure of internal controls, failures by the Board and senior management, culture failures around highly driven, self-selecting employees, and the cultural miasma that is BoA from a perspective from across the pond. In Part 4, we consider a misconnection of metrics. This issue is not merely a question of productivity but a fundamental concern about corporate culture, ethics, and long-term sustainability.

In corporate governance and compliance, aligning business metrics and ethical obligations often defines a company’s culture’s success or failure. The recent Wall Street Journal (WSJ) article about BoA and its investment banking metrics sheds light on a crucial disconnect that compliance professionals must address: the disparity between business performance indicators and employee well-being.

At the heart of the issue is the nature of the metrics used to evaluate success in different industries. In investment banking, the primary focus is often on closing deals. The logic is straightforward: deals drive revenue, and revenue drives the bottom line. This singular focus on deal-making creates an environment where the end justifies the means, potentially overlooking the toll it takes on employees.

Conversely, in law firms, the metric of success is often billable hours. Lawyers are compensated and promoted based on the number of hours they bill, which can lead to a different, yet equally problematic, set of behaviors. Over-inflating hours or working excessive hours becomes the norm because that is the path to career advancement.

Both systems create perverse incentives: investment bankers might underreport hours to avoid raising HR flags, while lawyers might overreport hours to enhance their career prospects. These behaviors highlight a crucial point for compliance professionals: the metrics set at the top of an organization inevitably shape the behavior throughout the company.

One of the first steps in addressing these issues is understanding the available data and how it is used. Compliance professionals must ask themselves, “What data do we have, and how can it be used to monitor and manage risks effectively?” By focusing solely on deal closure, companies are potentially neglecting data related to employee well-being, such as hours worked or stress levels.

In contrast, law firms have systems that track the minutiae of an employee’s workday, from time spent on tasks to keystrokes made during document review. This data is invaluable for billing clients and identifying patterns that may indicate overwork or burnout. Compliance professionals in investment banking could learn from this approach, using technology to track hours worked or monitor workload distribution, ensuring that employees are kept within reasonable limits.

The core issue is more alignment between business metrics and corporate culture risks. Compliance professionals must ensure senior management acknowledges overwork as a significant risk and takes proactive steps to monitor and mitigate it. This involves tracking the traditional success metrics and implementing metrics that reflect the company’s values and culture.

For example, if overwork is recognized as a risk, metrics such as average hours worked, employee turnover rates, and employee satisfaction surveys should be regularly monitored and reported. This dual approach allows a company to pursue business success while ensuring its corporate culture remains healthy and sustainable.

The responsibility of aligning these metrics rests not solely with middle management, compliance officers, or senior management; it extends to the board of directors. The board’s oversight role is crucial in ensuring that the company’s culture is preserved in pursuing financial success. For boards everywhere, the recent scrutiny BoA received in the WSJ article serves as a lesson.

Board members must go beyond the surface level of management reports and delve into the realities of the workplace culture. This requires more than attending board meetings in luxurious settings and listening to pre-prepared presentations. It involves engaging directly with employees at all levels, understanding their challenges, and prioritizing their well-being.

A practical approach could involve the board requiring regular reports on employee well-being metrics, mandating internal audits focused on workplace culture, or even conducting anonymous employee surveys to get an unfiltered view of the corporate environment.

An effective compliance program also hinges on creating a culture where employees feel safe to voice their concerns. A speak-up culture is essential in identifying issues before they escalate into major risks. Management and the board should encourage employees to report inconsistencies between policy and practice and take these reports seriously.

For instance, if employees consistently report working beyond reasonable hours, this should trigger an investigation and subsequent action from the board. Such feedback mechanisms help identify risks and reinforce the company’s commitment to ethical practices.

Lastly, when issues do arise—such as the tragic death of a young employee in the Bank of America case—the board should conduct a root cause analysis. This analysis should not be limited to the immediate cause but should explore deeper systemic issues that may have contributed to the incident.

A comprehensive root cause analysis might reveal that the focus on deal closure at the expense of employee well-being is not an isolated issue but indicative of a broader cultural problem. The board could use this analysis to implement changes across the organization, ensuring that similar incidents do not occur in the future.

The lessons are clear: the metrics that companies use to measure success are powerful drivers of behavior. The challenge for compliance professionals is ensuring that these metrics align with business goals, ethical standards, and employee well-being. This requires a proactive approach, leveraging data to monitor business performance and corporate culture. It also requires a board that is engaged, informed, and committed to understanding the realities of the workplace.

In the end, compliance is not just about preventing legal and compliance risks but about fostering a corporate culture that values integrity, transparency, and the well-being of all employees. By aligning metrics with these values, companies can achieve sustainable success that benefits their bottom line and people.

Categories
Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Cindy Moehring on Rising Up in the Compliance Ranks

In this episode of the Compliance Week 2024 Speaker Preview Podcasts series, Compliance Week 2024 Speaker Preview Podcasts – Cindy Moehring on Rising Up in the Compliance Ranks discusses her panel presentation at Compliance Week 2024, “Rising the Ranks – All the Way to the Boardroom.” Some of the issues she will discuss in this podcast and her presentation are:

  • Preparing yourself to move up the corporate latter
  • What does a Board look for in candidates?
  • Learning about new best practices and new technologies at Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at the Westin Washington, DC, Downtown. The line-up is first-rate, with some top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, join 500+ compliance, ethics, legal, and audit professionals who gather to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs, among many others, to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners, including CEOs, CCOs, regulators, federal officials, and practitioners, to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, to your program for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Podcast Network produces the Compliance Week 2024 Preview Podcast series. Compliance Week sponsors this series.

Categories
Blog

Boards of Directors in the Era of Sanctions Enforcement

In a recent episode of the podcast ‘All Things Investigations, the discussion centered around directors’ critical role in ensuring legal compliance, particularly in sanctions and export controls. I was joined in this exploration by Mike Huneke, partner at HughesHubbardReed, and Brent Carlson, Director at BRG. Our discussion was based on their blog post on directors’ duty of oversight, which can be found here:  Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement.

Our discussion highlighted McDonald’s case from the Delaware Court of Chancery, where the company officers faced lawsuits for neglecting their duties, emphasizing the importance of a dynamic approach from boards and compliance officers to evaluate and enhance compliance programs in response to the evolving geopolitical landscape and increased regulatory enforcement.

While many compliance professionals reviewed McDonald’s for the new duty of oversight created for corporate officers, including Chief Compliance Officers, Huneke and Carlson focused on the duties owed by Directors. For companies engaged in international trade, these actions engage directors’ fiduciary duties. Looking to bellwether Delaware corporate law, Delaware’s Chancery Court recently reiterated in the McDonald’s shareholder litigation that directors’ Caremark duty of oversight is a function of their duty of loyalty.

According to Huneke and Carlson’s article, this case “reinforced the limits of the protections directors would otherwise have if it were instead a function of the duty of care—under both the business judgment rule and “exculpation,” which is the option corporations have to excuse in their articles of incorporation directors’ liability for breaches of their duty of care (but not of loyalty).” Directors’ duty of oversight further requires ensuring that they receive information regarding any “central compliance risks,” not just “mission critical” risks, and that there is an appropriate response to red flags.”

The decision in McDonald’s case underscored the significance of information systems and controls for compliance. It stressed the need for companies to adopt a broader, qualitative view in monitoring export control compliance, with the Department of Justice’s heightened involvement signaling a shift towards a more proactive approach. Key aspects such as oversight, duty of care, and the business judgment rule were highlighted as essential components of board responsibilities and liability.

Board directors were urged to engage with compliance issues actively, ask critical questions, and conduct thorough investigations to fulfill their fiduciary duties. It was emphasized that boards should exercise caution when relying on management reports, proactively address risks, and take necessary actions to prevent potential legal and reputational damage.

From the Board’s perspective, we emphasized the importance of being cautiously skeptical of management’s information, seeking external advice, and taking preventive measures to avoid compliance issues. We also discussed the significance of the duty of oversight, which stems from the duty of loyalty and requires directors to ensure the presence of information systems and controls for informed decision-making and an effective response to red flags.

There is a clear need for board directors, corporate officers, and compliance professionals to stay abreast of the changing landscape of sanctions and export controls. With the Department of Justice’s increased focus on enforcement in this area, organizations must prioritize compliance efforts, seek external guidance, and take proactive steps to mitigate risks and ensure legal adherence.

Huneke and Carlson noted that the court ultimately dismissed plaintiffs’ claims against the directors because, after learning of the red flags, the directors:

  • Obtained detailed oral and written reports from management throughout several meetings dedicated to the red flag identified;
  • Made enhancements to the compliance program, including training and communication;
  • Retained external advisors;
  • Ensured that affiliates (here, franchisees) were included in the enhancements made;
  • Assessed and improved corporate culture and
  • Management involved in the conduct was eventually terminated.

These serve as a road map for the sanctions and export control boards.

Huneke and Carlson concluded their article with the following suggestions:

1) Understand how the world is changing and how those changes impact your business 

Geopolitical risks impact companies in different ways. Analyze potential impact scenarios to arrive at effective oversight approaches. Seek input from a variety of experts. Challenge commonly held assumptions, especially concerning the sufficiency of traditional screening.

2) Continuously ensure that the compliance program identifies and addresses evolving risks

Effective compliance programs evolve as risks change. Make sure management considers the changed enforcement environment when assessing risk. Do not just ask questions—ensure you receive good answers. Avoid solutions that are too clever by half, which can ultimately expose the company to greater risks.

3) Don’t sit on any red flags, and don’t let the management team sit on them either

All kinds of red flags can indeed come out of the blue. Our prior posts provide suggestions for responding to potential evasion effectively and efficiently. Politics (global and domestic) drive regulatory enforcement, and 2024 will be no exception. Now is the time to get ahead of what’s coming. An ounce of prevention is worth a pound of cure.

We concluded the podcast by noting that directors’ duties in sanctions and export controls are paramount in today’s regulatory environment. The pressure will only increase. Boards must be vigilant, proactive, and thorough in their oversight of compliance programs to uphold their fiduciary responsibilities and safeguard their organizations from potential legal and reputational harm. By staying informed, engaging with compliance issues, and taking decisive actions, directors can navigate the complexities of sanctions and export controls effectively.