Boards of directors (or their delegated committees) typically allocate very little time to oversight of an organization’s ethics and compliance program during their packed board agendas. It is not at all unusual for the top compliance officer to get just 15 minutes to provide an update on their E&C programs at quarterly board meetings. As a board member myself, I know this challenge well.
Given the limited amount of time realistically available, board members need to come to the table with the basic knowledge and skills required to provide sufficient and effective oversight of the ethics and compliance program, as is expected by various regulatory bodies.
Without this knowledge and competency, board interactions can be frustrating and time wasting for both the compliance officer and the board members.
Following are five key areas where board members have a responsibility to be knowledgeable and informed in order to make the most effective use of everyone’s time and to meet their oversight duties as outlined in various regulatory guidance directives.
1) Risk Assessments: The Difference Between an Enterprise Risk Management Assessment and an Ethics and Compliance Risk Assessment (and Why It Matters)
A strong compliance program is built on the foundation of a solid ethics and compliance risk assessment. This is different from an ERM (Enterprise Risk Management) assessment (which looks at operational risks) but can be a subset of the ERM process.
Regulatory guidance expects strong programs to be built on the foundation of an ethics and compliance risk assessment. The purpose of the compliance assessment is to examine the specific regulatory risk areas applicable to the organization.
Board members need to know the difference between the two types of assessments and expect that both are addressed.
2) Specific Ethics & Compliance Risks and Oversight Requirements
Many directors lack the experience or knowledge to confidently oversee the intricacies of corporate compliance and risk management. Boards need to make time to receive training on effective programs and oversight.
As noted in our 2016 Ethics & Compliance Training Benchmark Report, only 58% of the organizations surveyed train their boards on ethics and compliance issues. Of those who do train, only 20% offer training to new directors.
Just like new employees, new directors should be introduced early on to the organization, its culture and values and the ethics and compliance program. Boards may also want to consider adding members with specific ethics and compliance expertise.
3) How Organizational Culture Impacts Compliance
Board members need to know and believe that when it comes to compliance, corporate culture matters. Unfortunately, many still do not realize that they have a direct role to play in defining that culture.
For example, decisions made by the board when reviewing and adopting financial and compensation plans could directly impact the culture if there is excessive pressure to deliver expected financial results. If the only way to achieve financial targets is by bypassing policies, looking the other way or even potentially breaking the law, then employees feel they have only bad choices available to them.
4) What Notification and Escalation Policies are in Place
Boards need to have processes and assurances that when there are serious issues or allegations that could impact the finances or reputation of the organization, they will be notified about them in a timely way.
Escalation policies should provide for notification to key directors (such as the chair of the audit committee) no more than 48 hours after a serious issue is raised.
In the age of social media and 24-hour news cycles, without clear requirements for notifications, board members could be the last to know.
5) Personal Liability Risks for Boards and Executives
Executives and board members are being subjected to new levels of personal responsibility and liability. Regulatory authorities have made it clear they intend to focus on individual accountability for corporate malfeasance.
This issue alone should provide enough motivation for boards to pay more attention to compliance oversight—and perhaps spend more than 15 minutes a quarter with the CCO.
The Yates memo has created some contentious debate and is impacting how organizations conduct and manage their investigation processes. We have yet to see how this focus will play out, but it should serve as notice that the government means business when it comes to oversight and accountability.
Earlier this year, NAVEX Global’s chief compliance officer and head of Advisory Services, Carrie Penman wrote a guest column for Directors & Boards magazine outlining what directors need to do to get out in front of compliance issues. You can read the full article here, but the core of her advice—and mine—to boards is this: Get to know your chief compliance officer, understand your oversight responsibilities and ask the right questions.