Categories
Blog

Risk Management and the Board: Why Oversight is Now a Strategic Imperative

In today’s business landscape, boards of directors are navigating a storm of risks that would test even the most resilient organizations. This topic was explored in a recent article titled “Risk Management and the Board of Directors.” Geopolitical uncertainty, economic volatility, cybersecurity threats, climate change, and the uncharted waters of generative AI are no longer background noise. They have moved to the front and center in boardrooms. Against this backdrop, risk management has emerged not just as an operational necessity but as a governance and strategic imperative. For compliance professionals, this raises a critical question: what role should the board play in risk management, and how can compliance officers support them in fulfilling that role effectively?

Oversight, Not Management

A crucial distinction must be made: boards are not responsible for managing risk on a day-to-day basis. That responsibility belongs to management. But boards do carry the weight of oversight. This oversight includes monitoring the most significant corporate risk factors, ensuring that appropriate risk systems are in place, and verifying that those systems function in practice.

Think about the Boeing case. Regulators and auditors identified multiple failures in Boeing’s manufacturing controls and safety processes, resulting in devastating reputational and financial consequences that continue to unfold. The lesson is clear. It is not enough for a board to approve a risk framework and then step away. Boards must oversee, probe, and confirm that those frameworks are embedded in operations across the enterprise.

Compliance officers can support this by providing boards with accurate, timely, and actionable reporting. Minutes, board packets, and oversight documentation are not administrative afterthoughts. They are evidence of diligence that courts, regulators, and investors increasingly scrutinize.

Tone at the Top: Culture as the Foundation

If oversight is the board’s mandate, then culture is the foundation that determines whether risk management succeeds or fails. Boards set the “tone at the top,” and that tone resonates throughout the organization.

Transparency, consistency, and communication are essential. A board that prioritizes ethics, compliance, and stakeholder safety sends a clear message: compliance failures and corner-cutting will not be tolerated. Conversely, when boards tolerate delay or indecision in addressing risks, such as safety lapses, misconduct, or harassment, they erode employee trust, tarnish their reputation, and invite regulatory scrutiny.

Board Readiness in a Dynamic Environment

Boards must prepare not only for the risks they know but for those that are emerging. This means ongoing director training, scenario planning, and recruitment strategies that close knowledge gaps. While no board can house every kind of subject-matter expertise, directors must know when to bring in advisors, leverage external resources, and engage with stakeholders directly.

A readiness mindset also means anticipating the unexpected. Crisis response plans, covering a range of scenarios from cyberattacks to workplace misconduct, should be in place and regularly tested to ensure their effectiveness. Compliance leaders should be part of these conversations, ensuring that prevention, detection, and remediation are embedded into strategy, not bolted on as afterthoughts.

Investors, regulators, and even the courts of Delaware are sharpening their focus on board-level risk oversight. The Caremark line of cases continues to set a high bar, but boards that fail to engage in good faith with core risks run the risk of liability. Compliance officers can help directors demonstrate that their oversight is active, engaged, and documented.

Practical Recommendations for Compliance Professionals

What does this mean for compliance officers working with boards? Here are four takeaways:

1. Provide Clear, Actionable Risk Reporting

Boards cannot oversee what they cannot see, and too often, directors are presented with overwhelming data that obscures the real risks. Compliance should deliver reporting that distills information into clear, concise insights, showing not just what happened but why it matters. The most effective reports highlight trends, identify root causes, and directly connect risks to business strategy, enabling the board to act with confidence.

2. Integrate Oversight into Strategy

Compliance risk management should never be treated as an afterthought, bolted onto the business after decisions are made. Instead, compliance officers must help boards see how compliance oversight is deeply intertwined with growth, innovation, and operational resilience. By linking compliance considerations to strategy, compliance becomes a driver of sustainable success rather than a box-checking obligation.

3. Focus on Emerging Risks

Generative AI, biodiversity loss, and geopolitical fragmentation are no longer distant or theoretical; instead, they are reshaping risk landscapes as we speak. Boards need compliance officers to translate these complex issues into practical implications before they escalate into crises that erode value and reputation. A forward-looking compliance function enables directors to anticipate threats, allocate resources effectively, and avoid being blindsided.

4. Reinforce Culture and Ethics

Tone at the top must resonate throughout the organization, and compliance is the bridge that connects board-level values to everyday business practices. Compliance officers can help embed cultural expectations by weaving red flags, lessons learned, and behavioral standards into training, communications, and accountability structures. When done well, this alignment ensures that ethical behavior is not aspirational but operational, lived out across all levels of the enterprise.

Why It Matters Now

The expectations for board-level risk oversight are higher than ever. Regulators want evidence that boards are engaged. Courts are scrutinizing oversight failures with fresh vigor. Investors are pressing for transparency on ESG, cyber, and DEI risks. And employees, your most important stakeholders, expect boards to prioritize safety, inclusion, and integrity.

For compliance professionals, this creates both a challenge and an opportunity. The challenge is to help boards stay ahead of complex risks in an environment of constant change. The opportunity is to elevate the compliance function as a strategic partner in governance, resilience, and corporate integrity.

Final Thoughts

Risk management is no longer just an operational function; it has become a strategic imperative. It is a governance issue that sits squarely in the boardroom. Boards do not need to manage risk, but they must actively oversee it, document their oversight, and ensure that culture and strategy align with risk management systems.

As compliance professionals, we are uniquely positioned to support this mandate. We provide the frameworks, reporting, and insights that help boards meet their obligations and protect the enterprise. In doing so, we not only maintain compliance but also enhance resilience, protect reputation, and foster trust with stakeholders.

The message is clear: oversight is not optional, culture is not cosmetic, and preparation is not a luxury. For today’s boards and for the compliance professionals who advise them, risk management is a strategic imperative that can no longer be ignored.

Dagger of the Mind: Ethics, Oversight, and the Dangers of Mindless Compliance

Show Summary

Today, we journey to Tantalus V, home to a facility for the criminally insane, where a celebrated doctor, a controversial device, and a desperate escapee converge into a chilling tale of manipulation, unethical experimentation, and failed oversight. Dagger of the Mind is more than a story about a rogue psychiatrist. It serves as a cautionary tale for every compliance professional navigating the complexities of ethics, whistleblower protections, and corporate accountability.

We unpack six key lessons for today’s compliance landscape, using this Star Trek episode to explore the human rights implications of innovation, the importance of informed consent, and the non-negotiable need for robust oversight mechanisms.

Key Highlights and Compliance Case Illustrations

1. Whistleblower Protection—Listen When Someone Escapes the Box

Illustrated by: Simon van Gelder, smuggling himself aboard the Enterprise to escape the abuse at Tantalus V.

Van Gelder risks everything to report misconduct, yet he’s initially treated as a threat—not a truth-teller. His trauma and desperation illustrate what happens when whistleblowers are ignored or presumed unstable. Compliance officers must establish safe and credible pathways for internal reporting, and leaders must be trained to respond with empathy, not disbelief.

2. Oversight and Accountability—Who Guards the Guardians?

Illustrated by: Dr. Tristan Adams using the neural neutralizer to control and silence dissent.

Adams is a textbook example of what happens when powerful individuals operate without meaningful oversight. His esteemed reputation masks his abuse of power. Every organization must implement regular audits, anonymous feedback loops, and third-party evaluations to ensure that even the “untouchables” remain accountable.

3. Human Rights and Ethical Treatment—Compliance Begins with Humanity

Illustrated by: The neural neutralizer erasing minds and reducing patients to emotional voids.

The weaponization of mental health treatment in this episode is a stark warning about technology used without ethical restraint. Whether it’s surveillance, AI, or employee monitoring tools, companies must evaluate the human impact of every system. Dignity and consent are the foundation of all ethical compliance frameworks.

4. Informed Consent—Misuse of Technology Without Disclosure

Illustrated by: Kirk unknowingly subjected to memory manipulation through the neural neutralizer.

Kirk’s experience under the device demonstrates the risk of deploying tools without informed consent. In modern terms, this equates to unethical data collection, misleading contractual clauses, or hidden surveillance programs. Compliance programs must ensure transparency and fairness in every tech-enabled interaction.

5. Due Process and Fair Trials—Don’t Assume Guilt Without Review 

Illustrated by: Van Gelder’s deteriorated condition and absence of any formal grievance process.

Once van Gelder begins to unravel, no formal process is in place to evaluate his claims or provide medical advocacy. In today’s corporate environment, this underscores the importance of adhering to due process during internal investigations, including access to counsel, neutral adjudication, and accommodations for mental health when necessary.

6. Corporate Social Responsibility—Reputation is No Substitute for Integrity 

Illustrated by: Dr. Adams’ public image as a reformer, masking his private abuses.

Adams is held up as a pioneer, but beneath the surface lies a profound history of misconduct. This serves as a reminder that a shiny ESG report or CSR campaign cannot substitute for real operational integrity. Compliance officers must look beyond external branding and delve into actual practices and their impact.

Final ComplianceLog Reflections

Dagger of the Mind is more than a metaphor for the dangers of unethical control; it is a manual for why compliance must protect the vulnerable, investigate the credible, and challenge authority when necessary. Dr. Adams built a system that silenced his critics. Compliance must create systems that amplify them.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Reprioritizing Your Third-Party Risk Management Program – Reporting

Today’s business landscape is becoming increasingly complex and globally interconnected, with the average business now working with over 100 third-party vendors. While this presents a wealth of opportunities, it also brings a range of challenges for boards and GRC professionals alike when it comes to third-party risk management. I recently visited with Diligent’s Senior Vice President of Products, Adam Bailey, on how to tackle these challenges and leverage third-party risk management to identify opportunities and equip boards to take risks, innovate and drive things forward. Here are the steps you need to follow to gain that same clarity, insight and innovation:

  1. Understand the role of the board in oversight and provide clarity on third-party risk management.
  2. Board review of Codes of Conduct.
  3. Continuous improvement view of risk management.
  4. Utilize real-time data to react to changing times.
  5. Ensure commitment to shared values and ethical cultures.

1. Understand the role of the Board in oversight

Understanding the role of the Board in oversight and providing clarity on third-party risk management is an essential step in any risk management strategy. Obviously, the Caremark Doctrine is the leading authority which Boards must follow. But beyond providing oversight simply to meet a legal requirement, businesses should see the business opportunity in creating a business process which connects employees, compliance professionals, executives, and boards together in a seamless process. This connection enables a culture of continuous improvement that starts at board level and cascades down through the structures of the business. It also allows two-way communication between boards and compliance professionals, so that boards can clearly communicate their risk management strategy and expectations.

2. Board review of Codes of Conduct

A key role for any Board is to review and, if needed, refresh your organization’s Code of Conduct on a regular basis. When it comes to third-party risk management, this is needed to ensure that third parties are following the company’s established guidelines. A Board should understand the importance of third-party risk management and how to fulfill its role of oversight. There should be an enterprise-wide single source of data for every Board to ensure effective governance, risk and compliance. Boards should also be provided with dashboards to allow for continuous monitoring of third-party relationships and to provide real-time information and data that enable businesses to react to changing times. Ultimately, companies need to show that their Board is making a good faith effort to address risks by having due diligence processes in place and effective plans to monitor those processes.

3. Continuous improvement view of risk management

A key role for any Board is to implement a continual improvement view of risk management. This shifts an organization’s focus from a one-time due diligence approach to ongoing, rigorous due diligence designed to identify risk areas and set benchmarks for improvement. This allows a Board to have a clear view of the risks involved and make informed decisions. A two-way dialogue is also important, with data flowing up to the board and actions cascading back down to the compliance team. 

4. Utilize real-time data to react to changing times

There is probably no more important task for a Board in 2023 than responding to changing times. Obviously Covid-19 is still front of mind, but political, geographic, economic and even climate changes are moving much more quickly now. For a Board to provide effective oversight, it must have access to real-time data to react to changing times. This is both from a regulatory perspective and a business/reputational perspective. All internal stakeholders should be connected with an enterprise-wide single source of all nonfinancial data required for effective governance, risk, and compliance. The platform also provides real-time information and data so Boards can quickly react to changing times. Furthermore, the platform adds relevancy and context to the risk data, which helps Boards make informed decisions based on the potential upside and downside of taking on certain risks.

5. Ensure commitment to ethical values and ethical cultures

It really all does start at the top, and Boards must ensure commitment to ethical values and ethical cultures. Boards should mandate that companies adopt a continual improvement view and embrace not just one-and-done due diligence, but ongoing monitoring and continuous improvement. Boards should mandate that organizations enforce their commitment to ethical values, ethical cultures, and honest business practices. When it comes to third parties, Boards must understand the risk each third party poses and consider the business in question and the inherent nature of the dealings with that third party. Having a robust platform also provides real-time information and data throughout the relationship with the third party, dashboards to monitor third-party information, and a single source of truth for all nonfinancial data. This allows for a two-way dialogue between GRC professionals and the board to ensure that the board has the clearest, most relevant, and most targeted information to inform better decisions.

For more information on Diligent’s Third-party Risk Management solution, click here.

Listen to Adam Bailey on the podcast series here.

January 30, 2023 – The Robbing Ohio Blind Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • Is corruption robbing Ohio blind? (Ohio Capital-Journal)
  • Shareholders can sue execs for ‘failure of oversight.’ (Reuters)
  • Is SBF contacting witnesses edition? (WSJ)
  • The court hearing on a monitor for Boeing. (Law360)

Expanding Compliance Obligations of the Board – Part 3: Hughes v. Hu

The next case on the Board’s obligations regarding compliance oversight is Hughes v. Hu. In this case, the plaintiffs claimed that the director defendants consciously failed to establish a system of oversight for financial statements and related-party transactions, “choosing instead to rely blindly on management while devoting patently inadequate time to the necessary tasks.” According to the plaintiffs’ assertions, the defendants “breached their fiduciary duties by willfully failing to maintain an adequate system of oversight, disclosure controls and procedures, and internal controls over financial reporting.” Additionally, “The board of a Delaware corporation has a fiduciary obligation to adopt internal information and reporting systems that are ‘reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance’.”

The audit committee failed to meet as often as required, and when it met, the meetings were short and failed to devote adequate time and attention to the issues, especially in light of the known internal control issues. In addition, the audit committee frequently acted through written consent as opposed to addressing issues during in-person meetings. The outside auditor failed to report on key issues, and when it did so, the audit committee failed to respond or follow up.

The court noted, “directors face a substantial threat of liability under Caremark if ‘(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.’” For both potential sources, “a showing of bad faith conduct . . . is essential to establish director oversight liability.” A plaintiff establishes bad faith by “showing that the directors knew that they were not discharging their fiduciary obligations. Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation . . . only a sustained or systemic failure of the board to exercise oversight . . . will establish the lack of good faith that is a necessary condition to liability.” [citations omitted]

Moreover, “a director may be held liable if she acts in bad faith in the sense that she made no good faith effort to ensure that the company had in place any ‘system of controls.’” Significantly, directors must “design context- and industry-specific approaches tailored to their companies’ businesses and resources.” Caremark also mandates “a bottom-line requirement that is important: the board must make a good faith effort—i.e., try—to put in place a reasonable board-level system of monitoring and reporting.” Finally, a Caremark claim can be stated by alleging that “an audit committee that met only sporadically and devoted patently inadequate time to its work, or that the audit committee had clear notice of serious accounting irregularities and simply chose to ignore them or, even worse, to encourage their continuation.”

What the court found was that the Company’s Audit Committee met sporadically, devoted inadequate time to its work, “had clear notice of irregularities, and consciously turned a blind eye to their continuation. As detailed in the Factual Background, the Company suffered from pervasive problems with its internal controls, which the Company acknowledged in March 2014 and pledged to correct. Yet after making that commitment, the Audit Committee continued to meet only when prompted by the requirements of the federal securities laws. When it did meet, its meetings were short and regularly overlooked important issues.”

For example, in May 2014, the Audit Committee convened for the first time after disclosing two months earlier that its “disclosure controls and procedures were not effective as of December 31, 2013, due to a material weakness.” The meeting lasted just forty-five minutes. During that time, the Audit Committee purportedly reviewed new agreements governing the Company’s related-party transactions with Kandi USA. Neither the agreements nor the review procedures were produced in response to the plaintiff’s demand for books and records, supporting a reasonable inference that they either did not exist or did not impose meaningful restrictions on the Company’s insiders. Three weeks later, the Audit Committee purportedly reviewed and approved a new policy that management had prepared governing related-party transactions. The Company also did not produce this policy in response to the plaintiff’s demand for books and records, supporting a reasonable inference that it too either did not exist or did not impose meaningful restrictions on the Company’s insiders.

After 2014, the Audit Committee did not meet again for almost an entire year. The committee next convened in March 2015, “spurred by the need to review the Company’s financial results for purposes of the 2014 10-K. The meeting lasted only fifty minutes. During this time, the Audit Committee ostensibly discussed the financial results and purportedly approved a new policy that management had prepared to govern related-party transactions involving the Joint Venture. It is reasonable to infer that the policy did not place meaningful restrictions on management and that the Audit Committee failed to establish its own monitoring system for related-party transactions. It is also reasonable to infer that during this fifty-minute meeting, the Audit Committee could not have fulfilled its responsibilities under the Audit Committee Charter for purposes of nearly a year’s worth of transactions.” The Audit Committee again did not meet for almost an entire year, not meeting until March 2016, again spurred by the need to review the Company’s financial results for purposes of the 2015 10-K. This meeting lasted just thirty minutes.

These chronic deficiencies support a reasonable inference that the Company’s Board of Directors, acting through its Audit Committee, failed to provide meaningful oversight over the Company’s financial statements and system of financial controls. Despite identifying Yu and Lewin as Audit Committee Financial Experts in 2015, the Company later disclosed in the 2016 10-K that it lacked personnel with sufficient expertise on US GAAP and SEC disclosure requirements for equity investments and related-party transactions. The directors charged with implementing a system to oversee the Company’s financial reporting thus lacked the expertise necessary to do so all along. Instead, the Audit Committee deferred to management, which dictated the policies and procedures for reviewing related-party transactions and hired and fired the Company’s auditor, even though management’s actions suggested that it was either incapable of accurately reporting on related-party transactions or actively evading board-level oversight.

The defendants alleged that the Company had the trappings of oversight, “including an Audit Committee, a Chief Financial Officer, an internal audit department, a code of ethics, and an independent auditor.” A plaintiff cannot meet its Caremark burden by pleading that board-level monitoring systems existed but that they should have been more effective. The Court found the plaintiffs’ allegations supported inferences that the Board members did not make a good faith effort to do their jobs. The Court stated, “The Audit Committee only met when spurred by the requirements of the federal securities laws. Their abbreviated meetings suggest that they devoted patently inadequate time to their work. Their pattern of behavior indicates that they followed management blindly, even after management had demonstrated an inability to report accurately.”

An Audit Committee can rely in good faith upon reports by management and other experts. In doing its job, the members of an Audit Committee will necessarily rely on management. But Caremark envisions some degree of board-level monitoring system, not blind deference to and complete dependence on management. The board is obligated to establish information and reporting systems that “allow management and the board, each within its own scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”

Finally, the Board never established its own reasonable system of monitoring and reporting, choosing instead to rely entirely on management. There were no Board meeting minutes to support the company’s rebuttals. As the Court noted, “The absence of those documents is telling because ‘[i]t is more reasonable to infer that exculpatory documents would be provided than to believe the opposite: that such documents existed and yet were inexplicably withheld.’” The documents that the Company produced indicated that the Audit Committee never met for longer than one hour and typically only once per year. Each time they purported to cover multiple agenda items that included a review of the Company’s financial performance in addition to reviewing its related-party transactions. On at least two occasions, they missed important issues that they then had to address through action by written consent. Clearly, the Board was not fulfilling its oversight duties.

The Hughes Court further delineated a Board’s obligations under Caremark. It cannot simply have the trappings of oversight; it must do the serious work required and have evidence of that work (Document, Document, and Document). Marchand required Boards to manage the risks their organizations face. Clovis Oncology requires ongoing monitoring by the Board. Hughes stands for the proposition that having the structures, policies and procedures in place is not enough. The Board must fully engage in oversight of a compliance program.

Day 21 of 30 Days to a Better Compliance Program, the Compliance Oversight Committee

Key Takeaways 

  1. Determine an appropriate committee membership.
  2. The committee is there to act as an extra set of eyes for the CCO, not to substitute its judgment.
  3. Determine the scope of items and issues to be reviewed by the committee.

The Compliance Oversight Committee provides a second set of eyes for the CCO and compliance department. For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.