Categories
Corruption, Crime and Compliance

Board Oversight and Monitoring of AI Risks

As companies rapidly adopt artificial intelligence (AI), it becomes paramount to have robust governance frameworks in place. Not only can AI bring about vast business benefits, but it also carries significant risks—such as spreading disinformation, racial discrimination, and potential privacy invasions. In this episode of Corruption, Crime and Compliance, Michael Volkov dives deep into the urgent need for corporate boards to monitor, address, and incorporate AI into their compliance programs, and the many facets that this entails.

You’ll hear Michael talk about:

  • AI is spreading like wildfire across industries, and with it comes a whole new set of risks. Many boards don’t fully understand these risks. It’s important to make sure that boards are educated about the potential and pitfalls of AI, and that they actively oversee the risks. This includes understanding their obligations under Caremark, which requires them to exercise diligent oversight and monitoring.
  • AI is a tantalizing prospect for businesses: faster, more accurate processes that can revolutionize operations. But with great power comes great responsibility. AI also comes with risks, like disinformation, bias, privacy invasion, and even mass layoffs. It’s a delicate balancing act that businesses need to get right.
  • Companies can’t just use AI, they have to be ready for it. That means adjusting their compliance policies and procedures to their specific AI risk profile, actively identifying and assessing those risks, and staying up-to-date on potential regulatory changes related to AI. As AI grows, the need for strong risk mitigation strategies before implementation becomes even more important.
  • The Caremark framework requires corporate boards to ensure that their companies comply with AI regulations. Recent cases, such as the Boeing safety oversight, demonstrate the severity of the consequences when boards fail to fulfill their responsibilities. As a result, boards must be proactive: ensure that board members have the technical expertise necessary, brief them on AI deployments, designate senior executives to be responsible for AI compliance, and ensure that there are clear channels for individuals to report issues.

 

KEY QUOTES

“Board members usually ask the Chief Information Security Officer or whoever is responsible for technology [at board meetings], ‘Are we doing okay?’ They don’t want to hear or get into all of the details, and then they move on. That model has got to change.”

 

“In this uncertain environment, stakeholders are quickly discovering the real and significant risks generated by artificial intelligence, and companies have to develop risk mitigation strategies before implementing artificial intelligence tools and solutions.”

 

“Board members should be briefed on existing and planned artificial intelligence deployments to support the company’s business and or support functions. In other words, they’ve got to be notified, brought along that this is going to be a new tool that we’re using, ‘Here are the risks, here are the mitigation techniques.’”

 

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Categories
31 Days to More Effective Compliance Programs Uncategorized

One Month to More Effective Reporting and Investigations – Board Investigations

In their article, “Successful Board Investigations”, David Bayless and Tammy Albarrán offered seven considerations to facilitate a successful Board investigation.

  • Consider whether you need independent outside counsel.
  • Consider hiring an experienced investigator to lead the internal investigation.
  • Consider the need to retain outside experts.
  • Analyze potential conflicts of interest at the outset and during the investigation.
  • Carefully evaluate whistleblower allegations.
  • Request regular updates from outside counsel, without limiting the investigation.
  • Consider whether an oral report at the conclusion of the investigation is sufficient.

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the Board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the Board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.”

Three key takeaways:

  1. Retain the right counsel. Consider conflicts and appearance.
  2. Carefully evaluate all whistleblower allegations and reject retaliation.
  3. Consider receiving oral reports on an ongoing basis and one lengthy oral report at the end of the investigation.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Board Investigation Protocols

Many companies have an investigation protocol in place when a potential compliance violation or other legal issue arises. However, many Boards of Directors do not have the same rigor when it comes to an investigation, which should be conducted or led by the Board itself. The consequences of this lack of foresight can be problematic, because if a Board does not handle an investigation right, the consequences to the company, its reputation and value can be quite severe. The SEC considers a variety of factors around corporate investigations, including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company?

Dan Chapman has said this is the time for a very frank conversation with your Board about what such an investigation will entail. Costs must be adequately discussed to set proper expectations. These include both direct costs and, what Chapman believes may be even more important, a discussion of indirect costs to the company. He noted, “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time to the investigation, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

Finally, Jonathan Marks has noted that, after notification of serious allegations, Boards should take the following steps:

• Consider creating a Special Committee to conduct the investigation;

• Establish a committee charter;

• Preserve the electronic and hardcopy documentation environment;

• Communicate with external auditors; and

• Plan potential communication with the SEC, DOJ, and the relevant stock exchange.

Marks also notes that while a special committee might be necessary in certain rare circumstances, the Board should try to avoid forming a special investigative committee to oversee the investigation if the Audit Committee is composed of independent and disinterested directors that are suited for the task. A special committee must be disbanded at some point (usually once the investigation is completed and before the restatement process begins), and the disbanding could become a complicated news item. Conversely, if the Audit Committee oversees the investigation, then, once the investigation is complete, they can pivot back to their normal role, which would include overseeing the actual restatement process. Investigations overseen by the Audit Committee also benefit from the positive relationship that the committee chair usually has with the audit partner of the company’s external auditor.

Three key takeaways:

1. The Board should have a written protocol for investigations prepared in advance.

2. Any Board-led investigation must be both credible and objective.

3. The investigation must be thorough but the Board can be cost effective.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Board – Vin DiCianni on Board Inquiries into Compliance

Where does “tone at the top” start? With any public and most private U.S. companies, it is at the Board of Directors. But what is the role of a company’s Board in compliance? We start with several general statements about the role of a Board in U.S. companies. First, a Board should not engage in management but should engage in oversight of a CEO and senior management. The Board does this by asking hard questions, risk assessment, and identification.

A white paper by Deloitte & Touche LLP, entitled, Risk Intelligence Governance—A Practical Guide for Boards, laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

• Define the Board’s role. There must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities.

• Foster a culture of risk management. All stakeholders should understand the risks involved and manage such risks accordingly.

• Incorporate risk management directly into a strategy. Oversee the design and implementation of risk evaluation and analysis.

• Help define the company’s appetite for risk. All stakeholders need to understand the company’s appetite or lack thereof for risk.

• How to execute the risk management process. Maintain an approach that is continually monitored and has continuing accountability.

• How to benchmark and evaluate the process. Systems need to be installed which allow for evaluation and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to compliance and ethics risk management oversight. Initially, it is important that the Board receive direct access to information on a company’s policies on this issue.

Three key takeaways:

1. The Board’s role is to keep really bad things from happening to a company.

2. There are six general areas the Board can inquire into and lead from.

3. A Board should have direct access to information on the company’s compliance program.

Categories
Compliance Into the Weeds

Compliance into the Weeds: What is Driving Compliance Engagement at the Board?

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

In this episode, co-hosts Tom Fox and Matt Kelly dissect the Navex 2023 State of Risk and Compliance Report. Tom and Matt delve into Navex’s annual benchmarking report, which surveyed 1,300 compliance professionals. The report revealed that 53% of respondents described their compliance programs as mature. Matt and Tom question whether the board is driving the conversation or if compliance officers request updates due to potential liability. The report’s findings on cybersecurity and privacy concerns, survey results on where compliance should reside in a company, and the importance of having a mature anti-bribery anti-corruption compliance program are all discussed. Tune in to hear more about how compliance officers can address pressing concerns such as cybersecurity breaches and attacks.

Key Highlights:

  • Navex’s benchmark report on compliance programs
  • Board-Compliance Officer Relationship & Cybersecurity in Compliance
  • The necessity of Dedicated Compliance Committees
  • Survey Finds Diverse Views on Compliance Placement in Companies
  • The Importance of Anti-Bribery Compliance for Cybersecurity
  • Compliance Officer Reporting to CISO Dynamics

Resources:

Matt on LinkedIn | Blog Post in Radical Compliance

Tom on Instagram | Facebook | YouTube | Twitter | LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Three Areas of Board Inquiry

Directors should focus on three core areas to help establish and maintain an effective compliance program: structure, culture, and risk management.

Structural questions. This area consists of questions that will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program through to how the program operates in action.

Cultural questions. This area of inquiry should focus on the organization’s culture regarding compliance. Board members should understand what message senior management and middle management communicate. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company.

Risk management questions. Board members need to understand the company’s process being used to identify emerging risks, their evaluation, and management. Such risk analysis would be broader than simply a compliance risk assessment and should be tied to other broader corporate matters.

Three key takeaways:

  1. A Board of Directors should inquire into the structural component of the compliance program as it will aid in determining the fundamental sense of a company’s overall compliance program.
  2. Cultural questions should be asked to understand what message is being communicated by senior and middle management.
  3. Risk management questions should be asked to understand the company’s process being used to identify emerging risks, their evaluation, and management.

Categories
Innovation in Compliance

Building a Stronger Culture of Compliance Through Targeted and Effective Training: Part 5 – The Role of the Board

Welcome to a special five-part podcast series on building a stronger culture of compliance through targeted and effective training, sponsored by Diligent. Over this series, I will visit with Kunal Agrawal, Director of Customer Success at Diligent; Kevin McCoy, Customer Success Manager at Diligent; Jessica Czeczuga, Director, Compliance and Ethics at Diligent; Andrew Rincón, Client Director at Diligent; and David Greenberg, former CEO and Special Advisor at LRN and Director at International Seaways. Over this series, we will consider the importance of ongoing communications, the value of targeted training, training third parties, and the role of the Board of Directors. In this concluding Part 5, we consider the role of the Board of Directors in a compliance program with David Greenberg.

In this episode, Greenberg discusses the board’s legal obligations, emphasizing their duty to exercise reasonable oversight over potential misconduct and failures of compliance with law and policy. The podcast also delves into the importance of integrating compliance programs into a company’s overall strategy and developing strong relationships with senior management, such as the chief legal officer or chief compliance officer. Listeners will learn the importance of finding the right committee to oversee compliance obligations and utilizing outside experts for insight and guidance. This conversation is essential for board members and executives who want to ensure accountability, initiate change, and drive organizational success. Don’t miss out on this informative and engaging episode, “The Role of the Board”.

Key Highlights:

  • Legal obligations and oversight for corporate boards
  • Importance of integrating compliance into the company culture
  • Board Oversight and Relationship Building with CCO
  • The Significance of Outside Perspectives for Boards

Notable Quotes:

“There is a strong obligation on boards to exercise reasonable oversight over all potential misconduct and failures of compliance law and policy should a reasonable board has known and taken steps…should that body have known and should it have done more than it did.”

“Boards principally should be asking tough questions and following up on those questions.”

“Anything that is not integrated into the real levers and machinery of the business will not be successful.”

“That chief compliance officer who knows the head of the audit committee or compliance committee or governance committee is much more able and comfortable picking up the phone and saying to the chair, Houston, we’ve got a problem.”

For more information go to Diligent.com

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – The Board Role in Hiring

What is the role of a Board of Directors in hiring senior executives, CCOs, and even other board members? I explored this issue with Candice Tal, who began by noting that bad senior executive hires can cost a company much more than simply dollars. She related, the “financial costs in day-to-day operations easily can quadruple that of a regular employee, but it can also impact the company’s corporate governance and board of directors if that executive hire was found to be involved with unethical and illegal activities. Not even a signed contract can protect a company if an executive hire’s unethical actions come to the attention of the national media. Fiduciary risk and exposure for the board of directors cannot be overlooked.”

She pointed to the example of Yahoo! and its hire of Scott Thompson. It turned out that Thompson had incorrect information in his online biography regarding his academic credentials. The “implications went beyond the activist shareholder accusations to reflect on the Board of Directors for not vetting his background more carefully. The company may have been exposed to claims of providing false information to the SEC and potential stockholder lawsuits. Thompson’s 120-day tenure at Yahoo! cost the company over $7 million and seriously tarnished the company’s reputation in the business community.”

The key is that a company engages in an executive due diligence investigation rather than simply a routine or even executive-level background investigation. Tal explained that an executive background search is “typically limited to a five-component review of criminal records, employment verification, degree or education verification, social security validation, address verification and sometimes credit history.” Such searches are “very limited searches.”

Conversely, executive due diligence, “looks in-depth at all available public records sources: criminal history, civil litigation issues, financial and legal issues, relationships with other companies and board advisory positions, reputation, misrepresented education and overstated work history, behavioral history (for example litigiousness), and, in particular, undisclosed or adverse issues.” While it is generally “more costly than executive background checks and takes more time, the information gathered is extremely valuable and can save a company substantially more. A high-quality due diligence review can find important information which would not be returned in a routine executive background check.”

Infortal has found that up to 20% of executive search candidates fail a deep-level due diligence investigation. Now consider how many senior executive slots your company has and add to that Board of Directors seats and you can quickly see the risk of failure to consider an executive due diligence search when promoting or hiring. Moreover, you need executive-level due diligence in other business situations as well, including the senior management of new business acquisitions brought into your organization through a merger or other acquisition, selecting new Board members, screening the corporate Board of Directors, and of course, for third party business partners and other agents in the sales and supply chain channels. 

Three key takeaways:

  1. The costs of a bad executive hire can far exceed the dollar loss.
  2. Do not forget the differences between an executive background check and executive level due diligence.
  3. 20% of all senior executives fail an executive level due diligence check.

For more information, check out The Compliance Handbook, 4th edition, available here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Boards and Doing Business in China

The Administration’s trade war with China has highlighted the risks of both doing business in China and investing in the Chinese companies which come to America to raise capital. Yet this has been a long-known and outstanding problem in the anti-corruption enforcement world. The 2014 bribery and corruption case of GlaxoSmithKline PLC (GSK), which resulted in a $490 million fine for the firm, resonated across the corporate globe. While many questions are still unanswered, one that seems to be at the forefront of the inquiry is: where was the GSK Board of Directors? This matter demonstrates that the role of a Board of Directors is becoming more important and more of a critical part of any effective compliance program.

In an NACD Directorship article, entitled “Corruption in China and Elsewhere Demands Board Oversight”, Eric V. Zwisler and Dean A. Yoost note that “Boards are ultimately responsible for risk oversight” and that any Board of a company with operations in China “needs to have a clear understanding of its duties and responsibilities under the FCPA and other international laws, such as the U.K. Bribery Act”. Why should China be on the radar of Boards? From 2010 to 2019, over 25% of all FCPA enforcement actions derived from China, that’s why.

FCPA enforcement actions have made clear that numerous Chinese businesses have proven adept at appearing compliant while hiding unacceptable business practices. A Board should be aware that a well-crafted compliance program must be complemented with a thorough understanding of frontline business practices and constant auditing of actual practices, not just a paper compliance program. This means that both monitoring and auditing should be visible to the Board.

Three key takeaways:

  1. China presents the highest FCPA risk and, after GSK, domestic law corruption risk as well.
  2. Chinese companies have been adept at hiding corrupt business practices from their western owners.
  3. A Board must be cognizant of these risks and enhance their risk management process in China and other high-risk jurisdictions.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Board Failures

Next, consider a couple of landmark failures at the Board level around bribery and corruption.

VimpelCom Ltd. (now Veon Ltd.). In 2015, the DOJ alleged that Dutch telecom VimpelCom sought to enter the telecom market through the acquisition of a local player, Unitel, as an entrée into the Uzbekistan market. Unitel made clear to VimpelCom that to have access to, obtain, and retain business in the Uzbeki telecom space, VimpelCom would have to, according to the DPA, “regularly pay Foreign Officials millions of dollars” to Gulnara Karimova, the daughter of the then President of the country. VimpelCom also acquired another entity, Buztel, that was at least partially owned by an Uzbeki government official, who hid their interest through a shell company, which was known to VimpelCom. VimpelCom did not articulate a legitimate business reason for the deal and paid $60 million for Buztel.

Ultimately, VimpelCom agreed to pay approximately $800 million in fines for these activities in 2016. 

BizJet. Another FCPA enforcement action involved the Tulsa-based company BizJet International Sales and Support Inc. (BizJet), which had four senior executives convicted for their participation in a bribery scheme. But this case also involved the Board of Directors. The Criminal Information stated that in November 2005:

…at a Board of Directors meeting of the BizJet Board, Executive A, and Executive B discussed with the Board that the decision of where an aircraft is sent for maintenance work is generally made by the potential customer’s director of maintenance or chief pilot, that these individuals are demanding $30,000 to $40,000 in commissions, and that BizJet would pay referral fees in order to gain market share.

In both cases, this is where the rubber hits the road. If a company is willing to commit bribery and engage in corruption to secure business, no amount of doing compliance is going to help. If senior management is ready, willing, and able to lie, cheat and steal, the Board is the final backstop to prevent such conduct. Both the VimpelCom and BizJet Boards sorely failed in their compliance duties.  

Three key takeaways:

  1. Board liability will be severe based upon similar conduct going forward.
  2. Board members must critically challenge management on its conduct.
  3. The Board is the ultimate backstop against bribery and corruption.
