Categories
Blog

Caremark as a Strategic Framework: Compliance Strategy for Business Executives

In a surprise to no one who has been watching, a group of institutional investors has filed suit against Boeing for another set of Caremark violations. I wrote about this eventuality back last summer around the court case the (then) Department of Justice (DOJ) brought against Boeing for violating its DPA around the 737Max crashes. I was therefore intrigued to see a new article looking at the Caremark Doctrine, entitled Caremark’s Fractured State by Itai Fiegenbaum.

The Caremark Doctrine has long been the bedrock of board-level oversight in corporate compliance, yet its application remains a subject of intense debate. Originally framed as a duty of care, Caremark obligations have since developed into a duty of loyalty, placing an increased burden on directors to monitor corporate compliance proactively. Through the 2018 ruling in Marchand v. Barnhill, the Delaware courts have reinforced that directors can be liable for failures in “mission-critical” areas. However, as this Fiegenbaum explores, the Caremark standard is far from universally applied across U.S. jurisdictions, leaving compliance officers and business executives with an uneven playing field.

Understanding the Caremark framework and its implications for corporate oversight is critical for compliance professionals. This article unpacked the evolution of Caremark, its inconsistent application outside Delaware, and how compliance strategies must adapt to varying levels of director accountability.

I. The Strategic Compliance Takeaways from Caremark’s Evolution

1. Compliance as a Board-Level Obligation

At its core, Caremark establishes that directors must ensure robust compliance systems are in place and actively monitored. This proactive duty means that corporate compliance is not just a legal safeguard but a strategic necessity. Boards that fail to implement adequate monitoring systems—or ignore known compliance risks—face potential liability. In today’s regulatory climate, companies cannot afford a passive approach to compliance oversight.

2. The Expanding Definition of Oversight Risk

Delaware courts have broadened their view of what constitutes a director’s duty under Caremark. The March decision, for example, held that directors overseeing “mission-critical” aspects of a business (such as food safety for an ice cream manufacturer) are presumed to have higher oversight obligations. This shift suggests that compliance programs must be tailored to each company’s core risks. Compliance officers should prioritize risk assessments that align with the company’s industry and regulatory landscape, ensuring that high-risk areas receive enhanced scrutiny.

3. Lessons from the Jurisdictional Divide

While Delaware leads in developing oversight liability, nearly half of U.S. jurisdictions provide directors with broader legal protection, making Caremark-based claims difficult to sustain. In many states, exculpation provisions shield directors from oversight liability unless they act intentionally. This discrepancy underscores the need for compliance teams to be well-versed in jurisdiction-specific director liability standards. Companies incorporated outside of Delaware should not assume they are insulated from oversight risk—regulators and investors are increasingly scrutinizing board-level compliance failures, regardless of legal precedent.

II. Strengthening Compliance Programs in Light of Caremark

1. Building a Proactive Compliance Framework.

Given the heightened expectations of board oversight, companies must establish rigorous compliance frameworks that extend beyond minimum regulatory requirements. A robust compliance strategy should include:

Board-Level Training. Directors must be educated on their Caremark duties and understand their personal liability risks. Compliance officers should facilitate ongoing training on emerging regulatory risks and enforcement trends.

Risk-Based Monitoring. Compliance should not be a one-size-fits-all approach. Companies must identify mission-critical areas and allocate resources accordingly.

Whistleblower and Incident Reporting Systems. Companies must ensure that directors receive timely, credible information on compliance failures. This means strengthening internal reporting mechanisms and providing whistleblower protections are in place.

2. Data-Driven Compliance Monitoring.

The Caremark Doctrine has also emphasized the importance of data-driven oversight. Boards cannot exercise proper oversight without access to meaningful compliance data. Companies must:

  • Leverage analytics to detect anomalies in high-risk areas, such as supply chain transactions, financial reporting, and regulatory disclosures.
  • Implement dashboards that provide directors with real-time compliance insights.
  • Internal audits should be conducted to assess compliance program effectiveness and identify gaps before they escalate into enforcement actions.

III. The Compliance-Board Partnership: Closing the Oversight Gap 

1. Integrating Compliance into Corporate Strategy

One of the most significant lessons from Caremark is that compliance must be embedded into overall business strategy. Boards and executives should move beyond viewing compliance as a reactive function and instead treat it as a key driver of business sustainability. Compliance teams should work closely with legal and operational leadership to ensure that:

  • Compliance is integrated into strategic decision-making, particularly in areas with heightened regulatory risk.
  • Board members actively engage in compliance discussions rather than relying solely on quarterly reports.
  • Directors have direct access to compliance officers and internal audit teams to stay informed about emerging risks.

IV. Mitigating Personal and Corporate Risk

For boards, compliance failures are not just a corporate risk but a personal liability risk. Directors and executives should take steps to protect both the company and themselves by:

  • Ensuring robust documentation of compliance efforts. Regulators and courts expect clear evidence of proactive compliance oversight.
  • Regularly reviewing and updating governance policies. Compliance obligations evolve with regulatory shifts, and boards must stay ahead of these changes.
  • Engaging external compliance experts when necessary. Outside counsel or compliance specialists can provide critical insights, particularly in highly regulated industries.

V. The Future of Caremark: Compliance in an Evolving Legal Landscape 

The Caremark standard will continue to evolve as courts and regulators refine expectations for board oversight. Companies should prepare for:

Stronger enforcement actions against directors for compliance failures in mission-critical areas. This trend is relevant to the healthcare, finance, and technology industries, where regulatory expectations are intensifying.

More aggressive shareholder litigation. Investors increasingly use Caremark claims to hold directors accountable for compliance missteps, particularly in ESG-related areas.

Greater emphasis on cybersecurity and data governance. As regulators focus on data privacy and cybersecurity breaches, boards must ensure they are actively monitoring these risks.

VI. Turning Compliance into a Strategic Asset

For business executives, Caremark should not be viewed solely as a legal doctrine but as a strategic framework for strengthening corporate oversight and resilience. Companies that proactively embrace compliance as a board-level priority will reduce regulatory risk and enhance investor confidence, corporate reputation, and long-term business sustainability.

The key takeaway? Compliance is no longer optional. It is a fundamental component of responsible corporate governance, and boards that fail to adapt face increasing legal, financial, and reputational consequences. Compliance professionals must take the lead in bridging the oversight gap, ensuring that directors are equipped to meet their evolving fiduciary responsibilities in a complex regulatory landscape.

Categories
Blog

A Road Trip on the Crypto Regulatory Landscape: A Guide for Compliance and the Board of Directors

Securities and Exchange Commission (SEC) Commissioner Hester Peirce recently announced a ‘crypto road trip’ for the SEC and crypto industry. This trip includes a newly announced Crypto Task Force at the SEC, and she said it will “be more enjoyable and less risky than the crypto road trip the Commission has taken the industry on for the last decade.” She said, “On that last trip, the Commission refused to use regulatory tools at its disposal and incessantly slammed on the enforcement brakes as it lurched along a meandering route with a destination not discernible to anyone.”

Much like past road trips, the journey of crypto regulation has been unpredictable and challenging. In previous years, the SEC has navigated the crypto industry hesitantly, relying heavily on enforcement rather than clear regulatory guidance. However, with the introduction of the SEC’s Crypto Task Force, there is now an opportunity to develop a more structured, transparent, and effective regulatory framework.

Imagine you are a Chief Compliance Officer and get a call from the head of the Board of Directors’ Compliance Committee. They ask you what the company should do to prepare for this new ‘road trip.’ This blog post will provide an overview of the key regulatory challenges, risks, and strategic considerations that a Board of Directors should know as they oversee their organizations’ engagement with the evolving crypto landscape.

Where Did the Journey Start?

Since 2013, the first bitcoin exchange-traded product application was filed, and the SEC has approached crypto with a mix of enforcement actions, limited no-action letters, and ambiguous guidance. This has left many market participants uncertain about compliance requirements and legal risks. Key regulatory concerns include:

  • Legal Uncertainty: Ambiguities in applying securities laws, particularly through the Howey test, have created confusion regarding classifying crypto assets.
  • Enforcement-Driven Approach: Many regulatory decisions have been reactive, leading to litigation, stalled rulemaking, and business operational uncertainty.
  • Market Integrity and Fraud Prevention: The SEC remains committed to protecting investors by cracking down on fraudsters while balancing innovation.
  • Jurisdictional Overlap: The interplay between various regulatory agencies, such as the SEC, CFTC, and global regulators, adds complexity to compliance efforts.

The Crypto Task Force’s Objectives

The newly established Crypto Task Force is focused on developing a framework that:

  1. Defines the Security Status of Crypto Assets – Clarifying when digital assets fall under securities regulations.
  2. Creates a More Predictable Regulatory Environment – Establishing structured compliance requirements to guide businesses.
  3. Facilitates Responsible Market Innovation – Allowing for industry growth while protecting investors from fraud and abuse.
  4. Enhances Inter-Agency and Global Coordination – Ensuring crypto regulation is consistent across jurisdictions.
  5. Supports Transparent and Efficient Markets – Addressing market manipulation, custody solutions, and exchange-traded products.

Key Considerations for Boards

Corporate boards must take a proactive approach to navigating this changing landscape. Some critical areas of focus include:

  • Regulatory Compliance Readiness: Ensuring the organization has the necessary policies and procedures to comply with evolving crypto regulations.
  • Risk Management Strategies: Identifying crypto investments and transactions’ legal, financial, and reputational risks.
  • Engagement with Regulators: Encouraging dialogue with regulatory bodies to stay ahead of compliance expectations and contribute to policy discussions.
  • Governance and Oversight: Establishing clear accountability for crypto-related initiatives within the organization.
  • Investor and Stakeholder Communications: Being transparent with investors about how regulatory developments may impact business strategy.

Preparing for the Road Ahead

As regulatory clarity emerges, organizations should take the following steps:

  1. Monitor Regulatory Developments – Stay informed about SEC, CFTC, and international regulatory body updates.
  2. Develop a Compliance Framework – Implement internal controls that align with anticipated regulatory requirements.
  3. Assess Crypto Engagement Strategies – Determine how the organization should engage with crypto markets while balancing innovation and compliance.
  4. Educate Leadership and Stakeholders – Ensure board members, executives, and investors understand the regulatory landscape.
  5. Stay Agile – Be prepared to adjust business models as new rules and enforcement priorities take shape.

What about Compliance?

For good measure, you should add your thoughts about the role of compliance in this road trip for the new crypto regulatory paradigm. With greater regulatory scrutiny and the increasing use of technology in compliance, companies have an opportunity to bring structure and clarity to their compliance programs. But like any journey, knowing the destination is crucial, and so is staying aware of the risks and opportunities along the way.

Setting the GPS: The Role of a Strong Compliance Program

An effective compliance program is like a well-planned road trip; it ensures the organization stays on the right path while avoiding unnecessary detours. A well-designed compliance framework should focus on:

  1. Clear Regulatory Understanding – Organizations must stay informed about evolving laws and regulations that impact their industry. Regular monitoring and interpretation of compliance requirements are critical.
  2. Proactive Risk Management It is key to identify and mitigate risks before they become major issues. Companies should implement risk assessments and compliance audits to maintain regulatory integrity.
  3. Robust Internal Controls – Just as road safety measures protect travelers, strong internal controls help businesses prevent fraud, misconduct, and regulatory violations.
  4. Employee Training and Awareness – Employees are the front line of compliance. Regular training ensures they understand policies and procedures and recognize compliance risks.
  5. Collaboration with Regulators and Industry Groups – Engaging with regulatory bodies and participating in industry discussions can help shape best practices and ensure a more transparent regulatory environment.

Pit Stops and Road Hazards: Compliance Challenges

For corporate leaders and compliance professionals, regulatory changes present opportunities and challenges. Some key takeaways include:

  • Different Compliance Requirements – Companies should expect increasing oversight and enforcement, requiring them to enhance their compliance efforts.
  • No Blanket Approval from the SEC – Just because an organization adheres to compliance regulations does not mean it is immune to scrutiny. Continuous improvement and adaptation are necessary.
  • A Shift Toward Proactive Compliance – Businesses should focus on building compliance into their operations from the start rather than waiting for enforcement actions.
  • Industry Engagement is Essential – Businesses that engage with regulators and industry peers can better anticipate regulatory trends and shape policy.

The SEC’s approach to crypto regulation is shifting from reactive enforcement to proactive rulemaking. While uncertainty remains, establishing the Crypto Task Force is a step toward greater clarity. Board members must stay informed and strategically align their organizations to navigate regulatory challenges while capitalizing on crypto innovation opportunities.

The road ahead requires vigilance, adaptability, and strong governance. Businesses can thrive in the evolving crypto regulatory environment by taking a proactive stance.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Compliance Expertise on Board

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Just as ever corporate Board of Directors should have a Compliance Committee and a compliance expert on the Board.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the entire 3-book series, The Compliance Kids, on Amazon.com.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Board Compliance Committee

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Every corporate Board of Directors should have a Compliance Committee.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Compliance Obligation for Boards

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we begin considering Board obligations around compliance.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Board Questions and Metrics for 3rd Party Risk Management

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider what questions a Board of Directors should ask a CCO and the types of metrics they should ask for in their role of overseeing the compliance program.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Blog

Board Oversight of Third-Party Risk Management: Key Questions and Metrics for Effective Governance

The Telephonica Venezuela FCPA enforcement action reminds us that third-party risk management is one of the most critical components of a corporate compliance program. From suppliers and distributors to agents and joint venture partners, third parties can expose a company to significant compliance risks, including bribery, data security breaches, and regulatory violations. For a Board of Directors, effective oversight of third-party risk management is essential to fulfill its fiduciary duties and ensure that the organization mitigates these potential threats.

For boards, the responsibility involves more than just reviewing policies or compliance assessments. It requires a proactive approach, regularly engaging with the Chief Compliance Officer (CCO) and demanding specific information to confirm that third-party risks are effectively managed. Today, we will consider some key questions a board should ask and key metrics that boards should track to ensure their oversight of third-party risk management.

Key Questions a Board Should Ask About Third-Party Risk Management

To provide effective oversight, board members should ask the CCO a series of targeted questions that illuminate the strengths and weaknesses of the organization’s third-party compliance efforts. These questions can guide discussions around key areas such as due diligence, monitoring, training, and incident response.

  • What is our Third-Party Risk Profile?

This foundational question helps the Board understand the scope of the organization’s third-party network and the inherent risks involved. The CCO should be able to explain how third-party risk is assessed, classified, and prioritized. This includes geographic, industry, and transactional risks that may be more prevalent in high-risk regions or industries such as defense, oil and gas, and healthcare.

  • What Due Diligence Processes are in Place?

The Board should ask about the specific due diligence processes for third parties. This includes initial onboarding assessments, background checks, and ongoing monitoring. Understanding the due diligence process, including who is responsible, the standards used, and whether enhanced due diligence is conducted for high-risk third parties, is critical for oversight.

  • How Do We Ensure Continuous Monitoring of Third Parties?

It is not enough to perform due diligence only once. Continuous monitoring is essential to detect a third party’s risk profile changes. The Board should ask about the tools and technologies used for monitoring, the frequency of updates, and how compliance continuously evaluates third parties for new risks, such as changes in ownership, regulatory status, or financial stability.

  • How Do We Address Identified Risks?

A key component of third-party risk management is having procedures to address identified risks. The Board should inquire about the company’s approach to risk mitigation, including risk-adjusted measures for different risk levels. Are high-risk third parties subject to contract clauses or specific compliance obligations? Does the organization maintain a system to monitor the ongoing effectiveness of risk mitigation efforts?

  • What Training and Awareness Programs Do We Have in Place?

The Board should ask how compliance trains third parties on relevant laws, policies, and expectations, especially concerning anti-corruption, data protection, and ethics. Additionally, internal stakeholders involved in third-party management, such as procurement and finance, should receive specialized training to help them recognize red flags.

  • What is Our Process for Reporting and Escalating Third-Party Compliance Issues?

Knowing that issues will inevitably arise, the Board should ask how the organization reports and escalates third-party compliance concerns. Does the CCO have direct access to the Board in case of serious compliance violations? Is there a protocol for handling third-party incidents that could affect the company’s regulatory standing or reputation?

  • How Do We Measure the Effectiveness of Our Third-Party Risk Management?

The effectiveness of the third-party compliance program is a priority for the Board. Asking for metrics and other objective measures helps ensure that the program is well-designed and functioning as intended. The Board should proactively seek quantitative and qualitative evidence of effectiveness.

Key Metrics for Third-Party Risk Management Oversight

Metrics are invaluable for Board members seeking to monitor the compliance program’s health. The CCO should be able to provide regular updates on the following metrics, each offering insight into specific aspects of third-party risk management.

  • Number of Third Parties by Risk Category

This metric breaks down the organization’s third parties by risk level (e.g., low, medium, high). This provides the Board with a snapshot of the company’s risk exposure and helps them assess whether the program is appropriately resourced to manage the volume of high-risk third parties.

  • Percentage of Third Parties with Completed Due Diligence

Tracking this metric shows whether the company is adhering to its compliance policies. Ideally, 100% of third parties should undergo due diligence before onboarding, and any gaps here could signal significant compliance weaknesses.

  • Average Time to Complete Due Diligence

This metric reveals the efficiency of the due diligence process. Long turnaround times can delay critical partnerships and increase risk exposure, while excessively fast times may suggest that due diligence needs to be sufficiently thorough. Boards should look for a balanced metric that reflects both efficiency and comprehensiveness.

  • Incidents of Non-Compliance Among Third Parties

The Board should be regularly informed of compliance incidents involving third parties. This metric could be broken down by type of violation (e.g., anti-bribery, data privacy, labor practices) and severity. Tracking these incidents over time helps the Board evaluate the program’s effectiveness and whether additional resources are needed.

  • Percentage of High-Risk Third Parties Monitored Regularly

Continuous monitoring is vital to effective risk management, particularly for high-risk third parties. This metric provides insight into how often high-risk third parties are reassessed, which can inform the Board about the level of vigilance being applied to higher-risk partners.

  • Training Completion Rates for Third Parties and Internal Teams

Effective third-party risk management requires third parties and the internal teams who work with them to understand the compliance risks and policies. This metric tracks how many third-party representatives and relevant employees have completed compliance training, an essential factor in reducing risk.

  • Average Time to Resolve Third-Party Compliance Issues

This metric measures the organization’s responsiveness to third-party compliance concerns. Quick resolution times may indicate an efficient and effective response system, while delays might suggest resource constraints or procedural bottlenecks. Boards should look for a metric that balances speed and thoroughness.

  • Costs of Third-Party Compliance Program

The Board should also monitor the financial investment in third-party compliance to assess if the program is adequately funded. This includes costs for due diligence, continuous monitoring, training, and compliance technology. Comparing these costs against third-party risk levels can help determine if the program is appropriately resourced.

Leveraging Metrics for Continuous Improvement

By tracking these metrics, Boards ensure that third-party risks are being effectively managed and can drive continuous improvement in the compliance function. Over time, trends will emerge, highlighting areas where the program may need reinforcement. For instance:

  • Increasing compliance incidents among third parties could indicate a need for enhanced due diligence or more stringent onboarding criteria.
  • Declining training completion rates suggest a lack of engagement from third parties, potentially due to ineffective communication or training methods that must be revisited.
  • Prolonged resolution times for compliance issues might signal the need for process optimization or additional staff in the compliance team.

The Board should encourage the CCO to use these insights to fine-tune the program and prioritize high-impact initiatives. Additionally, boards should expect the CCO to present metrics and narrative insights, offering a holistic view of the third-party compliance landscape and how specific metrics relate to broader compliance goals.

Fostering a Culture of Accountability and Compliance

Board oversight of third-party risk management is no longer a mere checkbox—it’s a crucial part of protecting the organization’s reputation, ensuring regulatory compliance, and building a resilient corporate structure. By asking the right questions and tracking key metrics, Boards can proactively ensure that third-party risks are managed effectively.

An engaged Board that emphasizes the importance of third-party compliance sends a powerful message across the organization and beyond. When Boards hold the compliance function accountable and demand robust third-party oversight, they not only mitigate potential risks but also foster a culture of integrity and accountability that resonates with employees, partners, and stakeholders alike. This, in turn, strengthens the entire organization, building a foundation of trust and resilience that will serve it well in any compliance landscape.

Categories
Blog

What Should a Chief Compliance Officer Report to the Board of Directors?

The Chief Compliance Officer (CCO) role is essential in building an organization that meets regulatory standards and upholds a robust ethical culture. But what should the CCO be reporting to the Board of Directors to ensure they understand the full scope of the company’s compliance landscape? This post will consider the essential elements of an effective Board report from the CCO. These elements will help foster transparency, trust, and accountability between the compliance function and the highest levels of corporate oversight.

  • Overview of Compliance Program Structure and Key Updates

An essential part of a CCO’s responsibility to the Board is to ensure they understand how the compliance function is structured and resourced. This includes an overview of the compliance team, its reporting lines, and any recent structural changes. The CCO should also emphasize that the compliance function has the independence, resources, and support to operate effectively.

For example, it is useful to discuss whether additional resources are needed—such as an increased budget, training for compliance staff, or investments in new technology to improve monitoring. Even more crucial is regularly informing the Board about fundamental personnel changes in the compliance team, including new hires or departures. This assures the Board that the compliance team is fully staffed and led by individuals with the experience and knowledge necessary to accomplish the organization’s compliance goals.

  • Risk Assessment and Emerging Compliance Risks

One of the CCO’s primary duties is to ensure that the Board is aware of the organization’s compliance risks. An annual or quarterly update on the status of these risks—mainly if there are high-priority or emerging risks—is critical. The CCO should discuss the results of any recent risk assessments, including:

  1. The top risks currently facing the organization.
  2. Risks associated with new business ventures or geographic expansion.
  3. Changes in geo-political or regulatory landscapes that may impact risk exposure.

For instance, if the company is expanding operations in a high-risk country for bribery or data privacy, this development should be highlighted, along with any steps the compliance team is taking to mitigate the risk. The goal here is not to overwhelm the Board with excessive detail but rather to provide a clear view of where the most significant vulnerabilities lie and what strategies are in place to address them.

The Board should leave these discussions to understand the nature and scope of the company’s compliance risks and the level of oversight being applied to manage those risks. This will reassure them that the company is not only aware of potential threats but is proactively addressing them.

  • Status of Key Compliance Initiatives and Program Enhancements

Board members must see that the compliance program is not static but a dynamic, continuously improving function. The CCO should regularly report on ongoing compliance initiatives and any recent improvements to the program. This can include initiatives such as:

  1. Enhancing third-party risk processes.
  2. Implementing new training programs.
  3. Developing better monitoring and auditing capabilities.

These initiatives should align with the company’s strategic goals, and the CCO can emphasize how compliance supports and reinforces these objectives. For example, if the company has adopted a new code of conduct or revised anti-corruption policies, the CCO should detail how these updates are being rolled out, communicated, and embedded into the organization’s culture.

Additionally, metrics that measure the success of these initiatives are invaluable. For example, sharing compliance training completion rates, results from employee feedback surveys on compliance topics, or the reduction of hotline reports in specific areas can help the Board understand the program’s impact and areas that may need further attention.

  • Compliance Investigations and Response to Issues

Transparency about compliance investigations and their outcomes is fundamental to the Board’s oversight responsibilities. The CCO should provide a high-level overview of significant compliance incidents, particularly those that pose a financial, operational, or reputational risk to the company. This discussion should include:

  1. The nature of the issue or alleged violation.
  2. The investigative steps taken.
  3. Any corrective actions or disciplinary measures implemented.

The CCO should also clearly explain how these issues were detected—whether through internal audits, whistleblower reports, or monitoring activities—demonstrating that the compliance function effectively catches and addresses problems early. It’s important to note that the Board does not need the names of individuals involved or granular details. Instead, they should receive summaries on patterns, issues encountered, and root causes.

Discussions on trends emerging from investigations—such as recurring issues in specific geographies or business units—can provide the Board with valuable insights into potential vulnerabilities. This information also equips the Board to ask strategic questions about how the company’s compliance efforts address these trends, thus bolstering their understanding and oversight of the compliance program.

  • Compliance Program Metrics and KPIs

Measurable data points—such as Key Performance Indicators (KPIs)—are crucial to effective board reporting. Metrics help the Board understand how well the compliance program is performing and identify areas for potential improvement. Examples of relevant compliance metrics include:

  1. Training effectiveness rates across the organization.
  2. Number of hotline calls and resolution time.
  3. Frequency and outcomes of internal audits.
  4. Employee survey results on compliance culture and awareness.

It is helpful to present these metrics in a clear, accessible format, perhaps in the form of dashboards or visual aids, so the Board can quickly grasp the current state of the compliance program. By monitoring trends in these metrics over time, the Board can see the program’s evolution and any areas where additional focus or resources may be needed.

  • Status of the Compliance Culture and “Tone from the Top”

Building a culture of compliance starts at the top, and the Board plays a critical role in establishing this tone. The CCO should regularly report on the company’s compliance culture, noting any shifts or improvements. This could include:

  1. Results from employee surveys on attitudes towards compliance.
  2. Observations from site visits or engagement with various departments.
  3. Feedback from middle management on employee engagement with compliance.

If the company’s compliance culture has gaps, this is the ideal time to discuss closing steps. The CCO can use this section of the report to highlight the role of senior leaders and managers in reinforcing compliance messages. For instance, showcasing how top executives have engaged in recent compliance campaigns or have visibly supported compliance initiatives demonstrates a commitment to ethical conduct and can serve as a model for others.

  • Resources and Budget: Ensuring Adequate Support

One of the most significant concerns the Board should be aware of is whether the compliance function is adequately resourced. The CCO should use this portion of the report to discuss additional needs, such as funding for new technology, more staff to support compliance efforts in high-risk regions or enhanced training programs.

If budget constraints have affected the compliance program, this is also the time to discuss those challenges with the Board. Clear communication about resource needs can help the Board advocate for the compliance function, ensuring it has the tools to mitigate risks effectively. Adequate funding and resources were mandated in the 2024 Evaluation of Corporate Compliance Programs, and CCOs need to explain to the Board their responsibility to ensure this mandate is met.

  • Regulatory Updates and External Trends

Keeping the Board informed of the latest regulatory developments is also crucial. This includes new or evolving laws that could impact the business, industry trends in compliance and enforcement actions against companies in similar sectors. For example, if a new data protection law exists in a region where the company operates, the CCO should outline how the compliance team is preparing to address it.

This part of the report ensures the Board is aware of potential compliance-related challenges on the horizon and provides context for any new initiatives or policy updates the compliance team may propose in response to regulatory changes.

  • The CCO’s Essential Role in Equipping the Board

The relationship between the CCO and the Board is one of the cornerstones of an effective compliance program. By providing a comprehensive, transparent, and strategic report, the CCO empowers the Board to fulfill its oversight responsibilities, making informed decisions that support and enhance the company’s commitment to compliance and ethical conduct.

An effective board report is about more than compliance updates; it is an opportunity to reinforce the importance of compliance, highlight the program’s successes, and communicate any challenges that lie ahead. By keeping these eight core elements in mind, CCOs can ensure their reports inform and engage the Board, fostering a culture of accountability that permeates the entire organization.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: TD Bank Lessons Learned: The Board and It’s Duty of Oversight

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Under the Caremark Doctrine, the Board of Directors has clear duties not to put their head in the sand and engage in conscious indifference.

Categories
Blog

Bank of America’s Corporate Culture Crisis: Part 4 – A Tale of Metrics and Misalignment: Lessons for Compliance Professionals

Compliance professionals constantly seek to understand how systemic issues within corporate hierarchies can lead to severe consequences. The recent revelations about Bank of America’s (BoA) persistent workplace culture problems are a powerful reminder of compliance’s critical role in safeguarding employees and the organization.

This week, I will explore the BoA failure around workplace culture from various perspectives articulated by the Everything Compliance gang, including Karen Woody, Jonathan Armstrong, Matt Kelly, Karen Moore, and Jonathan Marks. This exploration will include the failure of internal controls, failures by the Board and senior management, culture failures around highly driven, self-selecting employees, and the cultural miasma that is BoA from a perspective from across the pond. In Part 4, we consider a misconnection of metrics. This issue is not merely a question of productivity but a fundamental concern about corporate culture, ethics, and long-term sustainability.

In corporate governance and compliance, aligning business metrics and ethical obligations often defines a company’s culture’s success or failure. The recent Wall Street Journal (WSJ) article about BoA and its investment banking metrics sheds light on a crucial disconnect that compliance professionals must address: the disparity between business performance indicators and employee well-being.

At the heart of the issue is the nature of the metrics used to evaluate success in different industries. In investment banking, the primary focus is often on closing deals. The logic is straightforward: deals drive revenue, and revenue drives the bottom line. This singular focus on deal-making creates an environment where the end justifies the means, potentially overlooking the toll it takes on employees.

Conversely, in law firms, the metric of success is often billable hours. Lawyers are compensated and promoted based on the number of hours they bill, which can lead to a different, yet equally problematic, set of behaviors. Over-inflating hours or working excessive hours becomes the norm because that is the path to career advancement.

Both systems create perverse incentives: investment bankers might underreport hours to avoid raising HR flags, while lawyers might overreport hours to enhance their career prospects. These behaviors highlight a crucial point for compliance professionals: the metrics set at the top of an organization inevitably shape the behavior throughout the company.

One of the first steps in addressing these issues is understanding the available data and how it is used. Compliance professionals must ask themselves, “What data do we have, and how can it be used to monitor and manage risks effectively?” By focusing solely on deal closure, companies are potentially neglecting data related to employee well-being, such as hours worked or stress levels.

In contrast, law firms have systems that track the minutiae of an employee’s workday, from time spent on tasks to keystrokes made during document review. This data is invaluable for billing clients and identifying patterns that may indicate overwork or burnout. Compliance professionals in investment banking could learn from this approach, using technology to track hours worked or monitor workload distribution, ensuring that employees are kept within reasonable limits.

The core issue is more alignment between business metrics and corporate culture risks. Compliance professionals must ensure senior management acknowledges overwork as a significant risk and takes proactive steps to monitor and mitigate it. This involves tracking the traditional success metrics and implementing metrics that reflect the company’s values and culture.

For example, if overwork is recognized as a risk, metrics such as average hours worked, employee turnover rates, and employee satisfaction surveys should be regularly monitored and reported. This dual approach allows a company to pursue business success while ensuring its corporate culture remains healthy and sustainable.

The responsibility of aligning these metrics rests not solely with middle management, compliance officers, or senior management; it extends to the board of directors. The board’s oversight role is crucial in ensuring that the company’s culture is preserved in pursuing financial success. For boards everywhere, the recent scrutiny BoA received in the WSJ article serves as a lesson.

Board members must go beyond the surface level of management reports and delve into the realities of the workplace culture. This requires more than attending board meetings in luxurious settings and listening to pre-prepared presentations. It involves engaging directly with employees at all levels, understanding their challenges, and prioritizing their well-being.

A practical approach could involve the board requiring regular reports on employee well-being metrics, mandating internal audits focused on workplace culture, or even conducting anonymous employee surveys to get an unfiltered view of the corporate environment.

An effective compliance program also hinges on creating a culture where employees feel safe to voice their concerns. A speak-up culture is essential in identifying issues before they escalate into major risks. Management and the board should encourage employees to report inconsistencies between policy and practice and take these reports seriously.

For instance, if employees consistently report working beyond reasonable hours, this should trigger an investigation and subsequent action from the board. Such feedback mechanisms help identify risks and reinforce the company’s commitment to ethical practices.

Lastly, when issues do arise—such as the tragic death of a young employee in the Bank of America case—the board should conduct a root cause analysis. This analysis should not be limited to the immediate cause but should explore deeper systemic issues that may have contributed to the incident.

A comprehensive root cause analysis might reveal that the focus on deal closure at the expense of employee well-being is not an isolated issue but indicative of a broader cultural problem. The board could use this analysis to implement changes across the organization, ensuring that similar incidents do not occur in the future.

The lessons are clear: the metrics that companies use to measure success are powerful drivers of behavior. The challenge for compliance professionals is ensuring that these metrics align with business goals, ethical standards, and employee well-being. This requires a proactive approach, leveraging data to monitor business performance and corporate culture. It also requires a board that is engaged, informed, and committed to understanding the realities of the workplace.

In the end, compliance is not just about preventing legal and compliance risks but about fostering a corporate culture that values integrity, transparency, and the well-being of all employees. By aligning metrics with these values, companies can achieve sustainable success that benefits their bottom line and people.