Directors & Boards
By Carrie Penman
In 2016, corporate boards should be focused on jump-starting their engagement in ethics and compliance oversight. As regulatory agencies ratchet up their own oversight, boards need to take proactive steps, ask the right questions, and set the right expectations if they are to meet their oversight responsibilities.
They should also have a sense of urgency, given recent regulatory developments. The U.S. Department of Health and Human Services, Office of Inspector General (OIG), recently released new guidelines about health care boards’ compliance responsibilities, and the Bank of England Prudential Regulation Authority took similar action, perhaps signaling a global trend. Because regulatory agencies share best practices on enforcement actions, and because much of the direction provided for health care boards is broadly applicable in any business, boards of companies in all industries should review the OIG guidance and take appropriate action.
The OIG specifically defines what it means to have “reasonable oversight” for the implementation and effectiveness of corporate compliance programs. And, if the OIG’s direction contains one supreme universal oversight guideline, it is this: “A critical element of effective oversight is the process of asking [the compliance officer] the right questions,” to determine the adequacy and effectiveness of the organization’s compliance program. These questions could include:
- What standards are the foundation for the compliance program and do they address our highest risks?
- Is there a confidential reporting system in place to take reports of misconduct and legal violations, and is it adequate and appropriately resourced to respond to the concerns raised?
- What assurance does the board have regarding timely escalation of appropriate matters — those that involve allegations against executive leadership, have serious financial consequences, or could cause significant harm to the organization’s reputation?
- What compliance education is expected of the board?
- How do you know the program is effective?
To ensure a focus on the right questions, the OIG also says that “a board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the board, or periodically consulting with, an experienced regulatory, compliance, or legal professional.”
For a checklist of additional questions to ask, based on the OIG Guidance, visit our blog post, “Real Guidance (Finally) On the Compliance Oversight Role of Boards.”
The next step
The next step is to reassess current board training. Using the new guidance as a framework for a board retreat or training is one option, but it might be more practical to take small steps to improve existing training. It’s not enough for a board to be briefed on the company’s ethics and compliance activities, and directors likely shouldn’t receive the same training as employees. Board training should include discussion of risk areas specific to board members, such as conflicts of interest (both personal and organizational), insider trading, government and media relations, gifts and entertainment, and the consequences of unintended influence (such as when a board member forwards an acquaintance’s resume to a hiring manager, who may then feel compelled to give that person a job whether they want to or not).
Directors also should be guided in training to discuss their unique ethics and compliance responsibilities. Those include setting the tone at the top, oversight of senior leadership, and managing board-related ethics and compliance violations, as well as how to interpret ethics and compliance data and trends and what questions they should ask the compliance officer and senior leadership about the organization’s commitment to ethics.
Making the most of board reporting on compliance matters is a critical piece of the puzzle. Whether ethics and compliance gets its own section, a page or just a paragraph in the legal or audit tab of the board report, the report can be the board’s best chance to get a clear read on what’s being done. It is up to the board to define what they want to know and how much time they will allot to the discussion. And it is incumbent upon board members to become as educated about how to read and evaluate compliance reports as they are about how to read the balance sheet. As part of the reporting process, the board (or its assigned committee) should meet in executive session with the compliance officer just as they do with audit and legal. A strong and well-positioned compliance officer will have the best insights into what is working and what is not.
For more resources on board engagement, see our blog post, “Top Ten Resources for Engaging Your Board in Your Ethics & Compliance Program.”
Whatever space and time are allotted, it will always be limited and should be used wisely. Guard against the impulse to focus too much attention on data. Functions such as finance, sales and marketing often present data-rich reports to boards, and the temptation is to try to make the ethics and compliance report match them. This impulse is especially strong with respect to helpline data, which is readily available and provides much information if used properly. But while helplines are a crucial element of effective programs, the data represents only a fraction of all reports raised, and helpline calls are not illustrative of overall employee concerns or behavior.
Data should instead be used to tee up or support the “why” and “how” of the overall effectiveness of compliance programs. Compliance officers should tell the board what the data means to them and how leadership is using it to move toward strategic goals. Beware compliance reports that amount to downloads of every possible data point as they often contain few meaningful insights. The appendix is the best place for sharing big data sets. Board reporting should also address how the program is managing and reducing compliance-related risks and whether the organizational culture supports employees who want to do the right thing.
The ‘why’ and the ‘how’
The OIG guidance might be the first in a series of guidelines for different industries and countries — or it could be the start of a trend toward the creation of one set of industry-neutral and globally applicable guidance. We also could see a movement for holding compliance programs — and boards — to more standardized and comprehensive criteria in future government investigations. Regardless of the direction this trend might take us, boards can and should use this latest OIG guidance to their advantage. Now is the time for boards to get ahead of the regulators.
Carrie Penman is NAVEX Global’s chief compliance officer and senior vice president of the Advisory Services team. She has been with the firm, which is a leading supplier of ethics and compliance software, content and services, since 2003. She was the first chief ethics officer at Westinghouse Electric Corp., where she developed one of the first corporate-wide global ethics policies.