Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Key Board Metrics for Compliance

What are metrics for a Board of Directors around compliance? Former Assistant Attorney General Leslie Caldwell laid out some that the Department of Justice (DOJ) would consider in a review of compliance programs. These metrics are:

  • Does the institution ensure that its directors and senior managers provide strong, explicit, and visible support for its corporate compliance policies?
  • Does the Board maintain a material role in overseeing a company’s overall compliance framework?

These requirements move beyond simply having the correct tone at the top, which every Board should articulate. The 2020 Update to the Evaluation of Corporate Compliance Programs added, under Oversight, the following questions: What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?

Based on the foregoing, when determining the Board’s role, begin with two questions. First, does the Board of Directors exercise independent review of a company’s compliance program? Second, is the Board of Directors provided information sufficient to enable the exercise of independent judgment?

Three key takeaways:

  1. The DOJ expects active engagement by a Board around compliance.
  2. Does the Board exercise independent review of the compliance program?
  3. The convergence of the Yates Memo, Caldwell’s metrics, the Evaluation, and the FCPA Corporate Enforcement Policy mandates Board metrics around compliance.

For more information, check out The Compliance Handbook, 4th edition.


What Leads to a Successful Board Investigation?

Many companies have an investigation protocol in place for when a potential Foreign Corrupt Practices Act (FCPA) or other legal issue arises. However, many Boards of Directors do not apply the same rigor to an investigation that should be conducted or led by the Board itself. This lack of foresight can be problematic: if a Board does not get right an investigation it is handling, the consequences to the company, its reputation, and its value can all be quite severe.

In an article in Corporate Board magazine entitled “Successful Board Investigations,” David Bayless and Tammy Albarrán set out a number of practical considerations for any investigation led by a Board of Directors. They include:

  • Consider whether you need independent outside counsel.
  • Consider hiring an experienced investigator to lead the internal investigation.
  • Consider the need to retain outside experts.
  • Analyze potential conflicts of interest at the outset and during the investigation.
  • Carefully evaluate whistleblower allegations.
  • Request regular updates from outside counsel, without limiting the investigation.
  • Consider whether an oral report at the conclusion of the investigation is sufficient.

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the Board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the Board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.”

Three key takeaways:

  1. Retain the right counsel. Consider conflicts and appearance.
  2. Carefully evaluate all whistleblower allegations and reject retaliation.
  3. Consider receiving oral reports on an ongoing basis and one lengthy oral report at the end of the investigation.

For more information, check out The Compliance Handbook, 4th edition.


One Month to a More Effective Compliance Program with Boards – What Is Your Board’s Investigation Protocol

Many companies have an investigation protocol in place for when a potential Foreign Corrupt Practices Act (FCPA) or other legal issue arises. However, many Boards of Directors do not apply the same rigor to an investigation that should be conducted or led by the Board itself. This lack of foresight can be problematic: if a Board does not get right an investigation it is handling, the consequences to the company, its reputation, and its value can all be quite severe.

In an article in Corporate Board magazine entitled “Successful Board Investigations,” David Bayless and Tammy Albarrán wrote about five key goals that any investigation led by a Board of Directors must meet.

They are:

  • Thoroughness – The authors believe that one of the key, and most critical, questions any regulator will pose is just how thorough the investigation was, to test whether they can rely on the facts discovered without having to repeat the investigation themselves. Regulators tend to be skeptical of investigations where limits are placed (expressly or otherwise) on the investigators, in terms of what is investigated or how the investigation is conducted. This can be an initial deal-killer: if the regulator views an investigation as insufficiently thorough, its credibility is undermined, and it can lead to the dreaded ‘Where else?’ question.
  • Objectivity – Here the authors write that any “investigation must follow the facts wherever they lead, regardless of the consequences. This includes how the findings may impact senior management or other company employees. An investigation seen as lacking objectivity will be viewed by outsiders as inadequate or deficient.” I would add that the same objectivity is required of the investigators themselves. If a company uses its regular outside counsel, the investigation may be viewed askance, particularly if the company is a high-volume client of the law firm involved, whether in dollar amounts or in the number of matters handled by the firm.
  • Accuracy – As in every part of a best practices anti-corruption compliance program, the three most important things are Document, Document, and Document. This means that the factual findings of an investigation must be well supported. If the developed facts are not well supported, the authors believe the investigation is “open to collateral attack by skeptical prosecutors and regulators. If that happens, the time and money spent on the internal investigation will have been wasted, because the government will end up conducting its investigation of the same issues.” This is never good, and your company may well lose what little credibility and goodwill it may have engendered by self-reporting or self-investigating.
  • Timeliness – Certainly in the world of FCPA enforcement, an internal investigation should be done quickly. This has become even more necessary with the tight deadlines set under the Dodd-Frank Act whistleblower provisions. But there are other considerations for a public company, such as an impending Securities and Exchange Commission (SEC) quarterly or annual report that may need to be deferred absent a timely resolution of the matter. Lastly, the Department of Justice (DOJ) or SEC may view delay in an investigation as a form of document spoliation. So timeliness is crucial.
  • Credibility – One of the realities of any FCPA investigation is that a Board of Directors-led investigation is reviewed after the fact by skeptical third parties, sometimes years after the initial events and the investigation itself. So there is not only the opportunity for Monday-morning quarterbacking but quite a bit of post-event analysis. The authors therefore believe that any Board-led investigation “must be (and must be perceived as) credible as to what was done, how it was done, and who did it. Otherwise, the board’s work will have been for naught.”

Three Key Takeaways:

  1. The Board should have a written protocol for investigations prepared in advance.
  2. This gives cover to a Board when regulators come knocking or other third parties seek review.
  3. Remember the five goals of any Board-led investigation.


One Month to a More Effective Compliance Program with Boards – Board Governance and Risk Oversight

One of the ongoing questions from members of a Board of Directors is how to resolve the tension between oversight and management. I recently had the opportunity to visit with Joe Howell, former Executive Vice President (EVP) of Workiva, Inc., on this subject. Howell has worked on and with Boards of Directors at various companies, and I wanted to get his view of the respective roles of a Board, senior management, and a Chief Compliance Officer (CCO). Howell’s short response was an excellent starting point for understanding the role: put sand in management’s shoes.

The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong,” can “help get management out of its comfort zone by and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer is putting a little bit of sand in the shoe to make sure you’re thinking about things carefully can cause you to step back and focus your resources where they’re needed.”

Howell noted that the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “One perfect example is the reputation of those stakeholders involved in the company, and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell stated, “It’s essential as we go through some ways the Board can help management in that role. I think the things that make a difference to management is when the Board can be an effective devil’s advocate. Not managing management but helping them in their governing role by helping management to step back and think critically of their underlying assumptions and biases.”

A Board is more than just there to be a rubber stamp for senior management. It must exercise independent judgment, action, and oversight. Further, it is the Board’s role to ask hard, difficult, and probing questions to ensure management is doing its job and has considered other risk possibilities.

Three Key Takeaways:

  1. Boards should force management to open up the company to itself.
  2. Boards should be a grain of sand in the shoe of management.
  3. Boards should ensure senior management is aware of and planning for known and unknown risks.

One Month to a More Effective Compliance Program with Boards – Board Oversight Role over Internal Controls

The FCPA Resource Guide’s Hallmarks of an Effective Compliance Program contain two specific references to the obligations of a Board in a best practices compliance program. The first, in Hallmark No. 1, states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources,” which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards pose the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided sufficient information to enable independent judgment?

Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask tough questions. But it is more than simply having a compliance program in place: the Board must exercise appropriate oversight of the compliance program and the compliance function, ask hard questions, and be fully informed of the company’s overall compliance strategy. Lawyers often speak to and advise Boards on their legal obligations and duties. Board oversight is part of effective financial controls under Sarbanes-Oxley (SOX), and it includes effective compliance controls as well. Failure on either front may result in something far worse than bad governance. It may directly lead to an FCPA violation, and a Board’s failure to perform its allotted tasks in an effective compliance program may even form the basis of independent liability for the Board. A company must have a corporate compliance program in place and actively oversee that function. Internal controls work together with compliance policies and procedures and are interrelated control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance internal controls can be both detective and preventive controls.
  3. Good compliance internal controls are good for business.

One Month to a More Effective Compliance Program with Boards – Boards Inquiring Up and Down

Where does “tone at the top” start? For public and most private U.S. companies, it starts with the Board of Directors. But what is the role of a company’s Board in compliance? First, a Board should not engage in management but should oversee the CEO and senior management. The Board’s role is to ask hard questions and to oversee risk assessment and risk identification.

These factors can be easily adapted to oversight of compliance and ethics risk management. First, the Board must have direct access to information on the company’s compliance policies. The Board should receive quarterly or semi-annual reports from the company’s CCO, delivered to either the Audit Committee or a Compliance Committee. Every Board should create a Compliance Committee to deal with compliance issues, since an Audit Committee is more appropriately focused on financial audit issues; a Board Compliance Committee can devote itself exclusively to non-financial compliance. The Board’s oversight role is to receive regular reports on the structure, actions, and self-evaluations of the company’s compliance program. From this information, the Board can oversee any modifications to the management of FCPA risk that should be implemented.

Three key takeaways:

  1. A Board Compliance Committee should provide oversight, not management.
  2. A CCO should use multiple reports to communicate with the Board Compliance Committee.
  3. Board Compliance Committee oversight makes companies more efficient and profitable.
Categories
FCPA Compliance Report

Incorporating EHS and Safety in an ESG Program

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Are you interested in learning about the overlooked importance of safety in ESG? Host Tom Fox and his guests from Traliant, Andrea Foster Mack and Maria D’Avanzo, delve into this topic in the latest episode of the FCPA Compliance Report. Learn how prioritizing safety can lead to cost savings and become a major differentiator for corporations in talent acquisition and retention. The trio also discusses how EHS professionals can reduce risk by implementing hazard awareness training and preventing discrimination. Furthermore, they emphasize the value that safety can add to organizations in terms of corporate governance and brand recognition. Tune in to hear the experts share their insights on how ESG and EHS align under the sustainability cause and how innovative business and management decisions can lead to environmental sustainability.

Key Highlights

  • ESG and Safety Culture within Organizations
  • The Importance of Safety in Talent Retention
  • Corporate Governance and Safety in Organizations
  • The Importance of “E” in ESG Reporting
  • ESG and its Role in Elevating Brands
  • Managing Chemical Hazards and ESG Standards

Here are three tips to consider when incorporating safety into your ESG strategy:

  1. Communicate safety policies and performance to stakeholders, such as investors and customers, to build trust and enhance reputation.
  2. Use safety data to identify improvement opportunities, mitigate risks, and promote continuous learning and innovation.
  3. Develop partnerships and collaborations with other organizations and industries to address safety challenges and share best practices.

Resources

Andrea Foster Mack on LinkedIn

Maria D’Avanzo on LinkedIn

Traliant


Categories
Innovation in Compliance

Third-Party Management: A risk-based approach – Part 4: Adam Bailey on Reporting

Welcome to a special five-part podcast series sponsored by Diligent. Over this series, we consider a risk-based approach to third-party risk management. I visit with Michael Parker, Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia of the Volkov Law Group. In this Part 4, I visit with Adam Bailey to look at the role of the Board in risk, audit, compliance, and ESG, and at the reporting from executive teams and GRC practitioners that enables a Board to take risks and seize opportunities.

Bailey has worked to help organizations better manage their risk by providing insight and clarity to boards of directors. He has strived to enable executive teams and GRC practitioners to assess and manage strategic risks, ultimately connecting boards, practitioners, and executives to innovate and drive growth. With the complexity of third-party relationships continuing to grow, companies need to adopt a continuous improvement approach to contend with unforeseen risks. A corporate compliance function is not just nice to have but a must, and a Board needs clear and relevant data to make the best decisions. Organizations need the right tools to ensure that Boards have the visibility to manage their third parties and make informed decisions.

Key Highlights

1. A compliance function must support leaders through its reporting work.
2. Companies can effectively manage third-party risk with a risk-based approach and robust processes.
3. Connecting Board, senior executives, and practitioners together to enable organizations to take risks and innovate is critical.

Notable Quotes

  1. “The key to this effective risk management is truly the follow-up, the ongoing follow-up to ensure that all the controls are in place and, if needed, are changed.”
  2. “Continuous blanket monitoring of all third parties with every risk asset you can think of is just not feasible and probably wouldn’t deliver the outcomes that we need.”
  3. “We know that change is constant, regulators are looking for risk management policies and practices which continually improve and evolve over time.”
  4. “We need robust processes and systems in place to make sure that when you create your third-party profile, it’s screened against sanctions lists, embargo watch lists, et cetera, to provide the rich data that’s there.”

Resources

Adam Bailey on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 1

What happens when two top compliance commentators get together? They talk compliance, of course. Join Kristy Grant-Hart and Tom Fox for their new podcast, 2 Gurus Talk Compliance! But it is not simply Kristy and Tom talking about compliance. In this podcast series, Kristy and Tom also review other top commentators in compliance. In this podcast, we will consider all things compliance, corporate ethics, ESG, governance, and whatever else is on our minds and the minds of other experts in the field. Kristy and Tom explore all of these topics with expertise and wit.

In this inaugural episode, they discuss the latest compliance trends and news, including two Supreme Court cases that have implications for the compliance profession. They also cover Department of Justice and whistleblower trends, taking a look at Miranda and Upjohn warnings and the increasing number of whistleblower reports to the SEC. They also dive into an article from the Harvard Law School Forum on corporate governance and discuss the Illinois biometric privacy law. Join the conversation and discover the latest on compliance and regulations with 2 Gurus Talk Compliance.

Highlights Include

The Role of In-House Attorneys in Communication Between Outside Counsel and Businesses [00:05:17]

Supreme Court Decision on the Future of the CFPB [00:09:11]

Impact of the Colorado Draft Regulation on Artificial Intelligence Compliance Programs [00:13:23]

The Benefits of Automated Data Deletion [00:17:23]

A Miranda component to corporate Upjohn Warnings [00:21:25]

The Obligation of Society to Address Climate Change [00:25:33]

The Benefits of Self-Disclosure in the DOJ Justice System [00:29:18]

The Role of the Board in Overseeing Third Parties in High-Risk Countries [00:33:14]

The Impact of Whistleblowers on the SEC [00:40:54]

White Castle’s Violation of Illinois Biometric Law [00:45:05]

Notable Quotes

  1. “The DOJ is urging a federal judge to sanction Google’s parent, Alphabet, for its practice of setting employee chats to auto delete despite promising to preserve records.”
  2. “It goes beyond the specifics of this law, something you and I have talked about for several years now, that the compliance function and the CCO is well perhaps the most well-suited corporate discipline to deal with these new initiatives because it’s the basic framework of compliance that you and I have worked with for 15 years.”
  3. “Most compliance programs just don’t have good frameworks for things like AI or for big data even though we’ve been using that word for a long time.”

Resources

  1. Boards and 3rd Party Risk Oversight
  2. CO Draft AI Rules for Insurance
  3. Miranda Warnings in Corp Investigation
  4. Current whistleblowing landscape
  5. Has the stature of the CCO changed?
  6. Analysis of the DOJ’s update to the self-disclosure program
  7. Supreme Court considering defunding the CFPB
  8. Trends in state privacy law
  9. Litigation holds and records retention/Google/DOJ
  10. Individuals charged – first enforcement action 2023

Connect with Kristy Grant-Hart on LinkedIn

Spark Consulting

Connect with Tom Fox on Linkedin


One Month to More Effective Internal Controls – Board of Directors as an Internal Control

Is a Board of Directors a compliance internal control? The clear answer is yes. In the 2020 FCPA Resource Guide, Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. One states, “Within a business organization, compliance begins with the Board of Directors and senior executives setting the proper tone for the rest of the company.” The second is found under the Hallmark entitled “Oversight, Autonomy and Resources,” which says the CCO should have “direct access to an organization’s governing authority, such as the Board of Directors and committees of the Board of Directors (e.g., the audit committee).”

Further, under the U.S. Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards pose the following queries: Do the directors exercise independent review of a company’s compliance program, and are directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices, or even merely effective, anti-corruption compliance program.

Three key takeaways:

  1. Board oversight over the compliance function is a separate internal control, so document it and use it.
  2. The board must perform oversight over your company’s internal controls.
  3. Does your Board use the five principles for involvement in compliance internal controls?

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.