Categories
Blog

Reprioritizing Your Third-Party Risk Management Program -Reporting

Today’s business landscape is becoming increasingly complex and globally interconnected, with the average business now working with over 100 third-party vendors. While this presents a wealth of opportunities, it also brings a range of challenges for boards and GRC professionals alike when it comes to third-party risk management. I recently visited with Diligent’s Senior Vice President of Products, Adam Bailey on how to tackle these challenges and leverage third-party risk management to identify opportunities and equip boards to take risks, innovate and drive things forward. Here are the steps you need to follow to also get clarity, insight, innovation.:

  1. Understand the role of the board in oversight and provide clarity on third-party risk management.
  2. Board review Codes of Conduct.
  3. Continuous improvement view of risk management.
  4. Utilize real-time data to react to changing times.
  5. Ensure commitment to shared values and ethical cultures.

 1.Understand the role of the Board in oversight

Understanding the role of the Board in oversight and providing clarity on third-party risk management is an essential step in any risk management strategy. Obviously, the Caremark Doctrine is the leading authority which Boards must follow. But more than simply oversight to  meet a legal requirement, businesses should see the business opportunity by creating a business process which connects employees, compliance professionals, executives, and boards together in a seamless process. This connection enables a culture of continuous improvement that starts at board level and cascades down through the structures of the business. This allows two-way communication between boards and compliance professionals, so that boards can clearly communicate their risk management strategy and expectations. 

  1. Board review of Codes of Conduct

A key role for any Board is to review and refresh if needed your organization’s Code of Conduct on a regular basis. When it comes to third-party risk management this is needed to  ensure that the third parties are following the company’s established guidelines. A Board should understand the importance of third-party risk management and how to fulfill their role of oversight. There should be an enterprise-wide single source of data for every Board to ensure effective governance, risk and compliance. Boards should also be provided with dashboards to allow for continuous monitoring of third-party relationships and to provide real-time information and data to enable businesses to react to changing times. Ultimately, companies need to show that their Board is making a good faith effort to address risks by having due diligence processes in place and effective plans to monitor those processes.

  1. Continuous improvement view of risk management

A key role for any Board is to implement a continual improvement view of risk management. This shifts an organization’s focus from a one-time due diligence approach to ongoing, rigorous due diligence designed to identify risk areas and set benchmarks for improvement. This allows a Board to have a clear view of the risks involved and make informed decisions. A two-way dialogue is also important, with data flowing up to the board and actions cascading back down to the compliance team. 

  1. Utilize real-time data to react to changing times

There is probably no more important task for a Board in 2023 than responding to changing times. Obviously Covid-19 is still in front of mind, but the change political, geographic, economic and even climate changes are moving much more quickly now. For a Board to provide effective oversight, it must have access to real-time data to react to changing times. This is both from a regulatory perspective and a business/reputational perspective. All internal stakeholders should be connected with enterprise-wide single source of all nonfinancial data required for effective governance, risk, and compliance. The platform also provides real-time information and data so Boards can quickly react to changing times. Furthermore, the platform adds relevancy and context to the risk data which helps Boards make informed decisions based on the potential upside and downside of taking on certain risks.

  1. Ensure commitment to ethical values and ethical cultures

It really all does start at the top and Boards must ensure commitment to ethical values and ethical cultures. Boards should mandate that companies adopt a continual improvement view and embrace not just one and done due diligence, but ongoing monitoring and continuous improvement. Boards should mandate that organization enforce their commitment to ethical values, ethical cultures, and honest business practices. When it comes to third parties, Boards must understand the risk each third-party poses and to consider the business in question and the sort of inherent nature of the dealings with that third-party. Having a robust platform also provides real-time information and data throughout the relationship with the third-party, dashboards to monitor third-party information, and a single source of truth for all nonfinancial data. This allows for a two-way dialogue between GRC professionals and the board to ensure that the board has the clearest, most relevant, and most targeted information to inform better decisions.

For more information, on Diligent’s Third-party Risk Management solution, click here.

Listen to Adam Bailey on the podcast series here.

Categories
Daily Compliance News

January 30, 2023 – The Robbing Ohio Blind Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • Is corruption robbing Ohio blind? (Ohio Capital-Journal)
  • Shareholders can sue execs for ‘failure of oversight.’ (Reuters)
  • Is SBF contacting witnesses edition? (WSJ)
  • The court hearing on a monitor for Boeing. (Law360)
Categories
Blog

Expanding Compliance Obligations of the Board – Part 3: Hughes v. Hu

The next case on the Board’s obligations regarding compliance oversight is Hughes v. Hu. In this case, the plaintiffs’ claimed that the director defendants consciously failed to establish a system of oversight for financial statements and related-party transactions, “choosing instead to rely blindly on management while devoting patently inadequate time to the necessary tasks.” According to the plaintiffs’ assertions the defendants “breached their fiduciary duties by willfully failing to maintain an adequate system of oversight, disclosure controls and procedures, and internal controls over financial reporting.” Additionally, “The board of a Delaware corporation has a fiduciary obligation to adopt internal information and reporting systems that are ‘reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance’.”
The audit committee failed to meet often as required and when they met, the meetings were short and failed to devote adequate time and attention to the issues, especially in light of the known internal control issues. In addition, the audit committee frequently acted through written consent as opposed to addressing issues during in-person meetings. The outside auditor failed to report on key issues and when it did so, the audit committee failed to respond or follow up.
The court noted, “directors face a substantial threat of liability under Caremark if “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” For both potential sources, “a showing of bad faith conduct . . . is essential to establish director oversight liability.” A plaintiff establishes bad faith by “showing that the directors knew that they were not discharging their fiduciary obligations. Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation . . . only a sustained or systemic failure of the board to exercise oversight . . . will establish the lack of good faith that is a necessary condition to liability.” [citations omitted]
Moreover, “a director may be held liable if she acts in bad faith in the sense that she made no good faith effort to ensure that the company had in place any ‘system of controls.’” Significantly directors must “design context- and industry-specific approaches tailored to their companies’ businesses and resources.” Caremark also mandates “a bottom-line requirement that is important: the board must make a good faith effort—i.e., try—to put in place a reasonable board-level system of monitoring and reporting.” Finally, a Caremark claim can be stated by alleging that “an audit committee that met only sporadically and devoted patently inadequate time to its work, or that the audit committee had clear notice of serious accounting irregularities and simply chose to ignore them or, even worse, to encourage their continuation.”
What the court found was that the Company’s Audit Committee met sporadically, devoted inadequate time to its work, “had clear notice of irregularities, and consciously turned a blind eye to their continuation. As detailed in the Factual Background, the Company suffered from pervasive problems with its internal controls, which the Company acknowledged in March 2014 and pledged to correct. Yet after making that commitment, the Audit Committee continued to meet only when prompted by the requirements of the federal securities laws. When it did meet, its meetings were short and regularly overlooked important issues.”
For example, in May 2014, the Audit Committee convened for the first time after disclosing two months earlier that its “disclosure controls and procedures were not effective as of December 31, 2013, due to a material weakness.” The meeting lasted just forty-five minutes. During that time, the Audit Committee purportedly reviewed new agreements governing the Company’s related-party transactions with Kandi USA. Neither the agreements nor the review procedures were produced in response to the plaintiff’s demand for books and records, supporting a reasonable inference that they either did not exist or did not impose meaningful restrictions on the Company’s insiders. Three weeks later, the Audit Committee purportedly reviewed and approved a new policy that management had prepared governing related-party transactions. The Company also did not produce this policy in response to the plaintiff’s demand for books and records, supporting a reasonable inference that it too either did not exist or did not impose meaningful restrictions on the Company’s insiders.
After 2014, the Audit Committee did not meet again for almost an entire year. The committee next convened in March 2015, “spurred by the need to review the Company’s financial results for purposes of the 2014 10-K. The meeting lasted only fifty minutes. During this time, the Audit Committee ostensibly discussed the financial results and purportedly approved a new policy that management had prepared to govern related-party transactions involving the Joint Venture. It is reasonable to infer that the policy did not place meaningful restrictions on management and that the Audit Committee failed to establish its own monitoring system for related-party transactions. It is also reasonable to infer that during this fifty-minute meeting, the Audit Committee could not have fulfilled its responsibilities under the Audit Committee Charter for purposes of nearly a year’s worth of transactions.” The Audit Committee again did not meet for almost an entire year, not meeting until March 2016, again spurred by the need to review the Company’s financial results for purposes of the 2015 10-K. This meeting lasted just thirty minutes.
These chronic deficiencies support a reasonable inference that the Company’s Board of Directors, acting through its Audit Committee, failed to provide meaningful oversight over the Company’s financial statements and system of financial controls. Despite identifying Yu and Lewin as Audit Committee Financial Experts in 2015, the Company later disclosed in the 2016 10-K that it lacked personnel with sufficient expertise on US GAAP and SEC disclosure requirements for equity investments and related-party transactions. The directors charged with implementing a system to oversee the Company’s financial reporting thus lacked the expertise necessary to do so all along. Instead, the Audit Committee deferred to management, which dictated the policies and procedures for reviewing related-party transactions and hired and fired the Company’s auditor, even though management’s actions suggested that it was either incapable of accurately reporting on related-party transactions or actively evading board-level oversight.
The defendants alleged that the Company had the trappings of oversight, “including an Audit Committee, a Chief Financial Officer, an internal audit department, a code of ethics, and an independent auditor.” A plaintiff cannot meet its Caremark burden by pleading that board-level monitoring systems existed but that they should have been more effective. The Court found the plaintiffs’ allegations supported inferences that the Board members did not make a good faith effort to do their jobs. The Court stated, “The Audit Committee only met when spurred by the requirements of the federal securities laws. Their abbreviated meetings suggest that they devoted patently inadequate time to their work. Their pattern of behavior indicates that they followed management blindly, even after management had demonstrated an inability to report accurately.”
An Audit Committee can rely in good faith upon reports by management and other experts. In doing its job, the members of an Audit Committee will necessarily rely on management. But Caremark envisions some degree of board-level monitoring system, not blind deference to and complete dependence on management. The board is obligated to establish information and reporting systems that “allow management and the board, each within its own scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”
Finally, the Board never established its own reasonable system of monitoring and reporting, choosing instead to rely entirely on management. There were no Board meeting minutes to support the company’s rebuttals. As the Court noted, “The absence of those documents is telling because “[i]t is more reasonable to infer that exculpatory documents would be provided than to believe the opposite: that such documents existed and yet were inexplicably withheld.”” The documents that the Company produced indicated that the Audit Committee never met for longer than one hour and typically only once per year. Each time they purported to cover multiple agenda items that included a review of the Company’s financial performance in addition to reviewing its related-party transactions. On at least two occasions, they missed important issues that they then had to address through action by written consent. Clearly, the Board was not fulfilling its oversight duties.
The Hughes Court further delineated a Board’s obligations under Caremark. It cannot simply have the trappings of oversight, it must do the serious work required and have evidence of that work (Document, Document, and Document). Marchand required Boards to manage the risks their organizations face. Clovis Oncology requires ongoing monitoring by the Board. Hughes stands for the proposition that have the structures, policies and procedures in place is not enough. The Board must fully engage in oversight of a compliance program.

Categories
Blog

Day 21 of 30 Days to a Better Compliance Program, the Compliance Oversight Committee

Key Takeaways 

  1. Determine an appropriate committee membership.
  2. The committee is there to act as an extra set of eyes for the CCO, not to substitute its judgment.
  3. Determine the scope of items and issues to be reviewed by the committee.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here. The Compliance Oversight Committee provides a second set of eyes for the CCO and compliance department.    ]]>