Recently, NAVEX Global released its 2020 Definitive Risk & Compliance Benchmark Report, an in-depth analysis of the latest industry trends and best practices, based on the survey responses of over 1,400 risk and compliance professionals. Key to this year’s findings are the 7 Drivers of Program Performance – key factors shown to have a substantive, measurable impact on critical compliance areas and activities.
READ: The 2020 Definitive Risk & Compliance Benchmark Report
This week, we are taking a look at board engagement, specifically how compliance officers can leverage reports to their boards of directors to increase the impact of – and investment in – their risk and compliance (R&C) programs.
Board reporting critical to an effective compliance program
Boards of directors have a fiduciary duty to ensure their compliance programs are effective. This responsibility, which can be traced back to the In Re Caremark decision of 1996, has steadily expanded over the past quarter century. Today, directors can be held personally liable for losses caused by non-compliance, giving them compelling motivation to engage in regular and rigorous oversight.
Regulators have also long been invested in increasing board oversight of corporate compliance. The Federal Sentencing Guidelines makes clear that boards must be knowledgeable about the content and operation of their compliance programs, and exercise “reasonable oversight” of them. It defines periodic reporting to high-level personnel and direct access to the governing authority as critical components of an effective compliance program.[1] It further states that direct board reporting can lower an organization’s culpability score, even if high-level personnel participated in, condoned, or were willfully ignorant of the offense in question.[2]
In its Evaluation of Corporate Compliance Programs, the Department of Justice instructs prosecutors investigating compliance failures to ask a series of questions to assess the level of board oversight, including:
- What compliance expertise has been available on the board of directors?
- Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?
- What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
- Did those responsible for compliance have direct access to the board of directors or the board’s audit committee?
- What types of relevant audit findings and remediation progress have been reported to the board on a regular basis? How has the board followed up?
LEARN: How to Address the DOJ Guidance on Corporate Compliance
As these legal precedents, statutes, and regulatory guidance all indicate, periodic reporting by compliance officers to the board of directors – and appropriate action taken by the board in response to this reporting – should be a part of every effective compliance program.
Report shows link between board reporting and better program performance
This year’s survey found several encouraging trends regarding board engagement. Chief among those is program performance. Compliance officers who periodically report to their board of directors were 2.2 times as likely as their peers to indicate a high degree of satisfaction in their compliance programs overall. Their hotline and incident management (HIM) systems were particularly strong; respondents from these programs were almost 3 times as likely to report “good” to “excellent” HIM performance.
The study also saw significant increases in board reporting. Over half (56%) of programs said they report regularly to a board that has direct oversight of them, an increase of 20% relative to 2019. The number of respondents who say they have a written escalation policy requiring the direct reporting of material issues to the board has also increased to 45%.
Board members are also getting more involved in their compliance programs. Two thirds (63%) of respondents described their board involvement as “good” or “excellent,” a significant improvement over last year. This is closely associated with how mature programs are. Nine out of ten (91%) of Advanced programs rated their board involvement as good or excellent, versus just 31% of Reactive programs.
Most R&C programs now provide training to their board of directors. Sixty-one percent (61%) of respondents say they provide one or more hours of board training on R&C topics (Figure 5.34). Roughly a third (34%) reported their boards receive two hours or more each year.
Using hotline data in board reports is key
It is not surprising that the Benchmark Report found an especially strong link between periodic board reporting and HIM performance. Information surrounding hotline reports — specifically, their number, type, distribution and outcomes — can provide boards with critical insight into their organization’s culture and compliance program effectiveness. Unfortunately, compliance officers (and board members) often eschew such data, believing there to be a correlation between the number of reports received and the size of problems within the company.
Recent research, however, suggests just the opposite. In his 2018 study “Evidence on the Use and Efficacy of Internal Whistleblowing Systems,” George Washington University Professor Kyle Welch found that firms with higher hotline usage experienced 6.9% fewer material lawsuits and 20.4% lower litigation costs over a three-year period relative to similar companies with lower hotline use.
READ: Hotlines & Headlines: The Relationship Between Hotline Reporting and Corporate Reputation
Active hotlines were also shown to lower regulatory fines by up to $8 million and reduce negative media coverage by up to 46%. As NAVEX Global CRCO Carrie Penman noted in her 2019 article Using Hotline Data to Build Better Board Reports, “These results are the clearest evidence yet of a link between increased hotline use, better business performance and good governance.” Compliance officers should not shy away from high report activity. Just the opposite; they should use such data as the backbone of their reporting. Remember: active hotline use is an indication of a healthy organizational culture.
5 steps your program can take
How, then, can compliance practitioners use hotline information within their board reporting?
First, train your board of directors. According to previous board studies, directors typically spend only 4 workdays a year on issues of core governance and compliance, so it is critical that they understand how to interpret the data presented them, especially hotline data.
LEARN: How to Build Effective Compliance Program Board Reports
Unfortunately, while a majority of organizations provide at least 1 hour of training per year, only a third offer 2 or more. Of course, these results are tied to maturity, with a plurality of Advanced programs offering 4+ hours of training. Bottom line: effective programs take the time to train their boards.
Second, provide context. Viewing data in isolation can be disorienting, even for those trained to know what they are looking at. Begin by benchmarking your program. Benchmarking allows boards to place this information in context, answering key questions like whether or not the organization is receiving enough hotline reports, or if your firm has sufficient response capacity. Use reporting as an opportunity to explain how KPIs are being reflected in the data.
Third, create reports with a consistent look, feel and format. Again, directors have limited time; consistent presentation will help them more easily identify changes.
Make sure your report is strategic and outcome driven. The report should support or explain gaps in the compliance program’s and the company’s strategy. It should also tie program goals and outcomes.
READ: How to Build Leadership Support
Finally, elevate board engagement. As we discussed in our previous performance driver segment, the latest benchmark data shows that successful programs make cultivating leadership support a deliberate priority. Board reporting is a powerful opportunity for compliance officers to build and solidify those relationships.
While board engagement is critical, it is not the only way for compliance officers to improve their programs. In the next installment of our Performance Drivers series, we will look at why and how your program can build reports that increase investment from your Board of Directors.
[1] U.S.S.G. §8B2.1(b)(2)(A)-(C)
[2] U.S.S.G. §8C2.5.(f)(3)(C)
