Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – The Board as an Internal Control

James Doty, former Commissioner of the Public Company Accounting Oversight Board (PCAOB), was once asked whether the Board, or its sub-committee which handles audits, was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control, but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer or compliance practitioner, as it also applies to compliance internal controls.
In the FCPA Resource Guide, 2nd edition, in the Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.

If a Board’s oversight is part of effective compliance controls, then the failure to exercise it may result in something far worse than bad governance. Such inattention could directly lead to an FCPA violation and could even form the basis of an independent SOX violation as to the Board.
Three Key Takeaways

  1. A Board must engage in active oversight.
  2. A Board should review the design of internal controls on a regular basis.
  3. Failure to do so could form the basis for an independent legal violation under SOX.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Legal Requirements of the Board Regarding Compliance

As to the specific role of best practices in general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc., 698 A.2d 959 (Del. S. Ct. 1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”

In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties concerning corporate compliance issues. Second, the Court found that no duty of good faith forms a basis for director liability, independent of the duties of care and loyalty. Rather, Stone v. Ritter 911 A.2d 362 (Del. S. Ct. 2006) holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

The Board has the role of monitoring the performance of the compliance function, including measuring its performance using standard economic metrics and overseeing compliance with applicable laws and regulations. While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling. The Delaware Supreme Court has expanded this obligation in the cases of Marchand v. Barnhill (the “Blue Bell” case), Clovis Oncology, Hughes, and Boeing.

From the Delaware cases, a Board must have a corporate compliance program in place and actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, additional oversight should exist. In other words, there is an affirmative duty to ask tough questions. However, there has been a significant expansion of the Board’s Caremark obligation, and Delaware courts will scrutinize Caremark claims much more closely going forward. The evolution of decisions from Marchand to Boeing shows that a company must have robust compliance and risk management oversight and, more importantly, must engage in oversight of the company’s signature risk(s). Boards must do so aggressively, not passively.

As Mike Volkov has noted, “At the bottom, the Chancery Court is raising the stakes on board member accountability.”

Three key takeaways:

  1. The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
  2. Boards must have compliance expertise and exercise it.
  3. In a series of recent decisions, the Delaware courts are expanding the Caremark obligations, most recently.

For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

Categories
FCPA Compliance Report

Incorporating EHS and Safety in an ESG Program

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Are you interested in learning about the overlooked importance of safety in ESG? Host Tom Fox and his guests from Traliant, Andrea Foster Mack and Maria D’Avanzo delve into this topic in the latest episode of the FCPA Compliance Report. Learn how prioritizing safety can lead to cost savings and become a major differentiator for corporations in talent acquisition and retention. The trio also discusses how EHS professionals can reduce risk by implementing hazard awareness training and preventing discrimination. Furthermore, they emphasize the value-add that safety can offer to organizations in terms of corporate governance and brand recognition. Tune in to hear the experts share their insights on how ESG and EHS align under the sustainability cause and how innovative business and management decisions can lead to environmental sustainability.

Key Highlights

  • ESG and Safety Culture within Organizations
  • The Importance of Safety in Talent Retention
  • Corporate Governance and Safety in Organizations
  • The Importance of “E” in ESG Reporting
  • ESG and its Role in Elevating Brands
  • Managing Chemical Hazards and ESG Standards

Here are three tips to consider when incorporating safety into your ESG strategy:

1. Communicate safety policies and performance to stakeholders, such as investors and customers, to build trust and enhance reputation.

2. Use safety data to identify improvement opportunities, mitigate risks, and promote continuous learning and innovation.

3. Develop partnerships and collaborations with other organizations and industries to address safety challenges and share best practices.

Resources

Andrea Foster Mack on LinkedIn

Maria D’Avanzo on LinkedIn

Traliant


Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Board of Directors as an Internal Control

Is a Board of Directors a compliance internal control? The clear answer is yes. In the 2020 FCPA Resource Guide, Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. One states, “Within a business organization, compliance begins with the Board of Directors and senior executives setting the proper tone for the rest of the company.” The second is found under the Hallmark entitled “Oversight, Autonomy and Resources,” which says the CCO should have “direct access to an organization’s governing authority, such as the Board of Directors and committees of the Board of Directors (e.g., the audit committee).”

Further, under the U.S. Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: Do the directors exercise independent review of a company’s compliance program and are directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.

Three key takeaways:

  1. Board oversight over the compliance function is a separate internal control, so document it and use it.
  2. The board must perform oversight over your company’s internal controls.
  3. Does your Board use the five principles for involvement in compliance with internal controls?

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers – Part 1

There is a reason that lawyer truisms are just that: they are based in fact. One of those truisms is that bad facts make bad law. I saw that in the first year I started practicing law, in a case in Texas which forever changed the definition of gross negligence: Burke Royalty. In that case, a company allowed a roughneck to burn to death while hanging on a chain off an oil rig. The company, Burke Royalty, claimed it had subcontracted its safety function to another company. The Texas Supreme Court decreed that safety was a non-delegable duty and that failure to provide a safe workplace could form the basis of a claim for gross negligence.

We now see this same truism playing out in the Chancery Court of Delaware in the case involving McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer, David Fairhurst, and the creation of an absolutely toxic atmosphere of sexual harassment at the very highest levels of the organization. It included the now-disgraced former Chief Executive Officer (CEO) Steven Easterbrook, but he was dismissed from this litigation.

I will not go into the sordid facts of this matter, as they are well known from other litigation. Suffice it to say that Fairhurst and Easterbrook engaged in multiple instances of sexual harassment and inappropriate behavior with other McDonald’s employees, and such conduct was not only well known within the organization but also known by the McDonald’s Board. But this case dealt not with Easterbrook or the Board but with Fairhurst. As you might guess from his corporate title, Fairhurst had a human resources role, which he apparently took as license to get drunk at company events and grope, fondle and generally harass as many women as possible. It appears that the rest of McDonald’s senior management and Board stood by while he engaged in all of this.

Fairhurst’s attitude towards sexual harassment seemed to have permeated the entire corporate culture at McDonald’s. One class action lawsuit by employees claimed that 75% of all female employees had been sexually harassed while working at the company. Another allegation said that “over 70% of those who reported sexual harassment they witnessed or experienced faced some form of retaliation, with 42% reporting loss of income as a result.” A class action lawsuit by employees of McDonald’s franchisees claimed that “almost two-thirds of restaurant employees worked at locations that did not provide any sexual harassment training.”

As I started out this post, bad facts make bad law.

What the Court of Chancery found was that there has long been a duty of oversight in Delaware law, not only for Boards, since at least the 1960s, but for officers as well. On the Board side of the equation, there is of course the Caremark decision from 1996, which established an affirmative duty of Board oversight, with its progeny up to this day. However, in 1963, the Delaware Supreme Court established a Board duty when red flags are brought to its attention in the case of Graham v. Allis-Chalmers Manufacturing Co., which held that directors have an obligation to respond if information reached them, but created no affirmative duty to set up an information system to learn about issues within the company. A limited duty of oversight arose only if the directors had already learned enough to suspect that there were issues that needed overseeing. Caremark created that affirmative duty.

Taking a deep dive into the legalese, in this case the court noted, “Using more functional terminology, that species of claim can be called an “Information-Systems Claim” or an “Information-Systems Theory.” A plaintiff typically pleads a prong-two Caremark claim by alleging that the board’s information systems generated red flags indicating wrongdoing and that the directors failed to respond. From a functional perspective, the second type of claim can be called a “Red-Flags Claim” or a “Red-Flags Theory.”

But Boards do not govern in a vacuum. They depend on senior management. Here the court said, “Indeed, from that perspective, the Caremark oversight role “is more suited to corporate officers who are responsible for managing the day-to-day affairs of the corporate enterprise.” This “first reason for recognizing oversight duties for directors—the seriousness with which the law takes the role—thus applies equally to officers.”

Indeed, “relevant and timely information is an essential predicate for satisfaction of the board’s supervisory and monitoring role under Section 141.” Finally, the “board’s need for information leads ineluctably to an imperative for officers to generate and provide that information: Whereas a corporate board meets periodically—roughly six to ten times a year—senior officer engagement with the corporation is continuous. From a practical perspective, a board’s ability to effectively monitor is contingent upon adequate information flow, usually from senior officers functioning in a non-directorial capacity.”

Join me tomorrow where I take a dive into the Court’s legal reasoning.

Categories
31 Days to More Effective Compliance Programs

Day 5 – The Board and Operationalizing Compliance

The most significant development for Boards and compliance continues to come from the Delaware courts, which have been expanding the civil law obligations of Boards through a series of court decisions involving the expansion of the Caremark Doctrine for the past several years. These developments began with the Marchand (Blue Bell Ice Cream) decision which required Boards to manage the risks their organizations face. Next was Clovis Oncology which required ongoing monitoring by the Board. Finally, the Boeing case stands for the continuing proposition that a Board cannot simply have the trappings of oversight, it must do the serious work required and have evidence of that work (Document, Document, and Document).

The decision in Boeing is yet a further expansion of the Caremark Doctrine, once again beginning with Marchand. Boeing also states that a company must assess its risks and then manage them right up through the Board level. Finally, a Board must be aggressive in its approach and not passively take in what management has presented to it.

The DOJ has also made clear its thoughts on the role of the Board of Directors. The role of the Board is different from that of senior management. The 2020 Update and the DOJ Antitrust Division’s 2019 Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations were even more explicit in announcing their expectation of robust Board oversight of a corporate compliance function.

Name any of the most recent corporate scandals: Wells Fargo, Theranos, Volkswagen, Boeing, FTX, etc. In each, there was no compliance expertise on the Board. It is now enshrined as a best practice for companies to have a seasoned compliance professional on the Board. I would also add that the DOJ may soon expect a Compliance Committee separate from the Audit Committee.

The DOJ continually speaks about the need for companies to operationalize their compliance programs. Businesses must work to integrate compliance into the DNA of their organization. Having a Board member with specific compliance expertise, or one heading a Compliance Committee, can provide a level of oversight and commitment to achieving this goal. The DOJ enshrined this requirement in the FCPA Corporate Enforcement Policy. This means that when your company is evaluated by the DOJ, under the factors set out in the 2020 Update and the FCPA Corporate Enforcement Policy, to retrospectively determine whether your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of a Board-level Compliance Committee but also the specific subject matter expertise on the Board and on that committee.

This means that every Board of Directors needs a true compliance expert. Almost every Board has a former Chief Financial Officer, former head of Internal Audit, or persons with a similar background. Often, these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training, and SME that can help all companies with their financial reporting and other finance-based issues. So why is there no such SME at the Board level from the compliance profession?

Three key takeaways:

1. The 2020 Update required active Board of Director engagement and oversight around compliance.
2. Board communication on compliance is two-way, both inbound and outbound.
3. The Delaware courts have been expanding Boards’ roles through the expansion of the Caremark Doctrine.

Categories
The ESG Report

Attributes of ESG Reporting with Doug Hileman

Tom Fox welcomes Doug Hileman to this episode of the ESG Report. Doug is the founder of Doug Hileman Consultancy and part of the Volkswagen Monitor Team. In this conversation, he and Tom talk about his experience in the environmental and compliance industries, highlighting the increasing complexity of the environment and legal landscape. He also discusses how corporate compliance officers can play an important role in ensuring that companies are compliant with their environmental and safety obligations.

The Evolution of Environmental Regulations

Tom asks Doug how the environmental field has changed over the years. “I would say that it’s gotten a lot more complex,” Doug responds. Regulation in the past was about cleaning up and disposing of waste, whereas now regulation is broader, covering areas such as product design, biodiversity, and the circular economy. In addition, stakeholders are now imposing requirements: they no longer want to do business with companies that don’t comply with US and global regulations.


The Compliance Professional in Corporate ESG

ESG is a great opportunity for compliance professionals. Compliance obligations are now widespread in the business world, so compliance professionals must learn what the requirements are of any organization that they’re working with. Once they learn the requirements, they can then take up a leadership role. “If they’re not at the table the way they think they should be at the table, then just pull up a chair and sit down,” Doug stresses. “Make your own case for why the compliance function has such an important role in ESG. It’s not about marketing; it’s compliance.”


The Board in Corporate ESG

The board needs to be involved in the company ESG program. It needs to be an ‘all hands on deck’ initiative. This will make the company’s entire operations more competent. Doug remarks on the importance of internal auditing and how it impacts ESG. The board’s focus should be on how to be in line with ESG practices and requirements, Doug tells Tom.


Resources

Doug Hileman | LinkedIn

Doug Hileman Consultancy

Categories
FCPA Compliance Report

The EC Gang on the Monaco Doctrine

In this special 5-part podcast series, I am taking a deep dive into the Monaco Memo and analyzing it from various angles. In this episode of the FCPA Compliance Report, we have the award-winning Everything Compliance quartet of Jonathan Marks, Jonathan Armstrong, Karen Woody, and Tom Fox on the Monaco Memo.

1. Tom Fox looks at the Monaco Memo through the monitorship language and answers a listener’s questions about compliance programs under the Monaco Memo.

2. Karen Woody reviews the Monaco Memo, the self-disclosure angle, and investigatory considerations and ponders the role of defense counsel going forward.

3. Jonathan Marks also looks at investigatory issues under the Monaco Memo, the role of the Board of Directors, and the role of the forensic auditor under the Monaco Memo.

4. Jonathan Armstrong looks at self-disclosure from a UK angle and joins Karen Woody in questioning how defense counsel should move forward.

Resources

Tom’s 5-part blog post series in the FCPA Compliance and Ethics Blog:

1. A Jolt for Compliance

2. Timely Self-Disclosure

3. Corporate Compliance Programs

4. Monitors

5. The Heat is On

Monaco Memo

Categories
Compliance Into the Weeds

Compliance into the Weeds: Mudge and Whistleblower Allegations Against Twitter

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we explore the recently publicly released whistleblower allegations by Peiter Zatko, AKA “Mudge,” made against his former employer Twitter. Highlights include:

  • The allegations made by Mudge.
  • What possible enforcement actions and legal ramifications could develop?
  • What does this mean for the Twitter/Elon Musk litigation?
  • Where was the Board, and who was the Board?
  • Is there more to come?

Resources

Matt in Radical Compliance

Categories
Blog

A Caremark Retrospective: Part II – Holdings and Rationale

Today, I continue my exploration of two of the most significant cases regarding Boards of Directors and corporate compliance: the Caremark and Stone v. Ritter decisions. The former decision was released in 1996 and the latter some ten years later, in 2006. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in the oversight of compliance in general and of a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision. Yesterday, in Part I, we reviewed the underlying facts of the Caremark decision. Today, in Part II, we consider the holdings and the legal reasoning. Perhaps the most interesting thing about both cases is that even though the Court in Caremark delineated the doctrine and the Court in Stone v. Ritter confirmed it, both Courts ruled against the moving parties and for the defendant corporate Boards.

Caremark

In Caremark, the Court began by noting that director liability for a breach of the duty to exercise appropriate attention can come up in two distinct contexts. In the first, liability can occur from a board decision that results “in a loss because that decision was ill advised or “negligent””. In the second, board liability for a loss “may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”

However, any such decision is tempered by the following: what “may not widely be understood by courts or commentators who are not often required to face such questions, is that compliance with a director’s duty of care can never appropriately be judicially determined by reference to the content of the board decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the process employed.” In other words, if there is a process or protocol in place, a board cannot be said to have violated its duty, even with “degrees of wrong extending through “stupid” to “egregious” or “irrational”.” To hold otherwise would abrogate the Business Judgment Rule.

The Caremark court went so far as to cite Learned Hand for the following, “They are the general advisors of the business and if they faithfully give such ability as they have to their charge, it would not be lawful to hold them liable. Must a director guarantee that his judgment is good? Can a shareholder call him to account for deficiencies that their votes assured him did not disqualify him for his office? While he may not have been the Cromwell for that Civil War, Andrews did not engage to play any such role.”

However, there is a second type of liability which boards can run afoul of under Caremark, and it is the one under which most boards are found wanting in successful Caremark claims. It is when “director liability for inattention is theoretically possible entail circumstances in which a loss eventuates not from a decision but, from unconsidered inaction.” This was a departure from prior Delaware case law, which said that a board did not have to look for wrongdoing but only had to investigate if informed about it. That came from an old 1963 decision, and the Court relied on the 1992 US Sentencing Guidelines to note that such views were no longer accepted. By 1996, Board obligations had changed to include the following: an “obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”

Stone v. Ritter

This case involved money laundering and a bank’s failure to report suspicious activity, which led to an employee running a Ponzi scheme. The bank in question was fined over $40 million. Once again, the plaintiffs were not successful in their claims. The Stone v. Ritter court approved the Caremark Doctrine and went on to further specify that Caremark required a “lack of good faith as a “necessary condition to liability”.” This is because the Court was not focusing simply on the results but on the board’s overall conduct “of the fundamental duty of loyalty.” It follows that because a showing of bad faith conduct “is essential to establish director oversight liability, the fiduciary duty violated by that conduct is the duty of loyalty.”

Interestingly, the Court added what it termed as “two additional doctrinal consequences.” First, although good faith is a “part of a “triad” of fiduciary duties that includes the duties of care and loyalty, the obligation to act in good faith does not establish an independent fiduciary duty that stands on the same footing as the duties of care and loyalty.” Violations of the duties of care and loyalty may result in direct liability, whereas a failure to act in good faith may do so, but it would only result in indirect liability. The second consequence is that the “duty of loyalty is not limited to cases involving a financial or other cognizable fiduciary conflict of interest. It also encompasses cases where the fiduciary fails to act in good faith. As the Court of Chancery aptly put it in Guttman, “[a] director cannot act loyally towards the corporation unless she acts in the good faith belief that her actions are in the corporation’s best interest.””

The Stone v. Ritter court ended by further refining the Caremark Doctrine to define the necessary conditions for director liability under Caremark. They are:

  1. Directors utterly failed to implement any reporting or information system or controls;
  2. If they have implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.

In either situation, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.

As usual, once I get started, I often cannot stop so in my next blog post (or two) I will consider how this has evolved.