Key Elements for Effective Compliance Program Board Reporting
By Randy Stephens, JD, CCEP, VP of NAVEX Global’s Advisory Services Team
“Know your audience.” It’s a cardinal rule of business communications—and it certainly holds true when determining the most effective ways to communicate ethics and compliance programme updates to your board of directors.
Board members are generally highly sophisticated, business-focused professionals who are accustomed to being provided with customised, high-level data and information. Their expectation is that the data they receive in board reports has been vetted and analysed for them, and that they can convert that information into specific business plans.
Excellence in board reporting helps create opportunities for deepening board engagement, improving the company’s culture and helping to further cement the trust and respect the board has for the accomplishments of the company’s compliance programme.
Optimising Board Reporting
In our work with companies across the world, we see a wide range of approaches to board reporting. Our surveys of critical compliance employees have yielded insights on which approaches typically work well, and which fall flat.
The following best practices for board reporting create a strong, mutually-beneficial relationship between compliance officers and the board:
1. Create a Compelling, Professional Format & Structure for Board Reports
Following an executive summary (delivered either in writing or verbally), reports should be delivered in a well-organised, professional looking format and address some combination of:
- Ethics Hotline/Helpline Data
- Risk Assessment
- Yearly Initiatives (for the annual report only)
Recommendations: Open with a short executive summary section which provides a high level summary of the focus areas identified above. The executive summary should also highlight any resource challenges the compliance department may have which would need board support.
Consistent: The look, feel, format and data used for reports should be consistent from quarter to quarter and year to year.
Strategic: The report should support or explain gaps in the compliance programme’s and company’s strategy.
Provides Context: Avoid supplying data with no context supporting its inclusion. Seize the opportunity to explain how KPIs are being reflected in the data.
Use of Benchmark Data: Benchmark data can give the board comfort and context about how the company performance compares to peers. There is often safety in numbers and executives and boards are often on the lookout for benchmarking statistics which show consistency with peers. By way of illustration, it might be interesting to the board to know how the number of training hours per 100 employees compares to peers. If it differs from the peer benchmark, “Why?” They will want to know that the CCO is using company resources in ways that are meaningful to bringing the company in line with industry standards or why the company has chosen to deviate from that benchmark.
Outcome Driven: It is helpful to the board’s understanding of your compliance programme to tie program goals and outcomes.
SUGGESTED CONTENT (FOR ILLUSTRATION PURPOSES ONLY): Consider, for example, in the ethics hotline/helpline section including a statement such as: “While our current percentage of anonymous calls is 33%, the goal is to reduce the percentage to less than 25%, which represents the industry median for our peer group. Anonymous calls are more difficult to properly and completely investigate. By using more awareness and anti-retaliation training, we hope to empower employees to be more comfortable identifying themselves when they call. Note: Certain countries in the EU limit our ability to collect identifying information. Those calls have been removed from the overall percentage calculations for the purpose of this report.”
2. Deliver Reports at the Right Frequency
Reports should be delivered at least quarterly along with an annual report at the end of the year. This frequency meets or exceeds the standards of most companies. This might vary depending on the size and sophistication of the compliance programme. Ensure you are meeting the board’s expectations on timing by asking the board for feedback.
Improve board reporting further by seeking opportunities for the CCO to interact with the board outside of quarterly meetings and directly interact with the board in cases of predetermined priorities.
Recommendations: In addition to regular reporting, to the extent possible, consider off-cycle deep dives into important risk issues, such as reputational crisis preparedness or anti-corruption programme elements.This separates the risk discussions from the overall routine report. However, if this is not available, consider deeper dive risk discussions embedded in the quarterly and annual reports.
3. Include (Only!) the Most Crucial, Relevant Content
Mature ethics and compliance programmes never lack for content. However, the sheer amount of material and data may desensitise the board to the accomplishments and challenges a program has faced and overcome.
The following basic elements should be covered in some form or another:
- Communication and Training: Unless the board has specifically requested an exhaustive level of detail, they only need to know basic information: that the programme and standards have been communicated, and that employee or third party training has been completed satisfactorily in accordance with the CCO’s learning and curriculum goals.
- Compliance Programme Elements: A good way to structure a board report is to follow the general categories for an effective compliance programme outlined in guidelines such as the United States Federal Sentencing Guidelines for Organizations (FSG) or OECD. At least on an annual basis, a board report on the compliance programme should address in some way the status and effectiveness of:
This provides the board with an information reporting structure closely aligned with their oversight obligations.
The board should be concerned with any investigations of high-level employees and the outcomes, whether reported by whistleblowers or otherwise. This is an excellent opportunity for the CCO to demonstrate the effectiveness of programme elements, which hopefully detected the issue, prompted a timely investigation, and resulted in swift action to address the issue, such as policy changes or terminations.
It is also critical to address the state of the company’s risk assessment and risk readiness. This should be more than just addressing the risk that criminal conduct will occur as called for in the FSG. (More on this in the next section.)
Structure and Leadership
Standards and Procedures
Training and Communication
Integration with HR Practices
Auditing and Monitoring
Culture and Support for Compliance: This is an area often overlooked or ignored in most board reports. This is usually the result of board members’ reluctance to step outside of their comfort zones. Board members read the bottom line, not between the lines. However, this is one of the most critical elements of discussion for board members, who really help set and drive tone at the top.
When a rule, policy or a code conflicts with organisation’s culture, the culture trumps—and prevails— most of the time. In order to have an effective ethics and compliance programme, a company needs to pay as much attention to culture as to policies, training, auditing, etc.
Beyond merely approving the code of ethical business conduct, the board and the CCO should engage in a conversation about:
Responsibility or rules: Will employees, including executives and senior leadership, take personal responsibility to address issues, or is that somebody else’s job?
Candor or quiet: Will people speak up if they see questionable business conduct?
Accountability or acquiescence: What happens to great performers who violate the code?
Employee perceptions: Surveys, focus groups, message boards
Customer and supplier perceptions: Surveys, social media
Reports of concern: Hotline/Helpline data
Recommendations: Balancing content with engaging substance and context will offer the board an even greater likelihood of engaging with the CCO during the presentation. With all of the demands on board members' time, reports should have the greatest impact with the least amount of information possible, while still providing the board with relevant and timely information.
SUGGESTED CONTENT (FOR ILLUSTRATION PURPOSES ONLY): An example of how to address this issue could be: “Our Compliance Culture: Survey Says…” A recent employee engagement survey was submitted to 2,000 randomly selected employees. They were asked questions which helped the compliance department determine how employees perceived our organisational culture. Out of 2,000 employees, we achieved a completion rate of 67%, which is extraordinarily high and above the average survey return rate of 34%. This high completion rate suggests that our employees are engaged. It could also indicate that they are particularly interested in sending a message to senior leadership about a particular issue such as a reduction in force, union activity or the recent restructuring of division responsibilities. However, since this compares favorably to a 68% completion rate the last time the survey was administered, it suggests an unusually engaged employee population. When asked if they felt comfortable reporting issues of misconduct, more than 65% responded “Yes.” This is an indicator of a healthy culture.”
4. Risk Assessment, Emerging Trends & Current Events Of Interest
A risk assessment is one of the foundational elements of an effective compliance programme. It provides critical information affecting the company’s risk recognition, planning and mitigation process. This is one area that board members know well—particularly for public companies or issuers which must file a Form 10-K or an annual report. A heavily scrutinised element of these filings is always the risk factors.
Failing to address the risk assessment process in board reports may leave the board with the impression that compliance does not drive or participate in the risk assessment process.
Recommendations: Consider addressing some or all of the following in all or some of your board reports:
- High-level summary of the top risks for the enterprise as a whole and individual operating units
- Summary of exceptions to management’s established policies or limits for key risks
- Summary of significant gaps in capabilities for managing key risks and status of initiatives to address those gaps
- Summary of emerging risks that warrant board attention
- Periodic overview of management’s methodologies used to assess, prioritise and measure risk
- Risk reports, such as trends in key risk indicators
- Report on effectiveness of responses for mitigating the most significant risks
- Case law updates
- Summaries of articles of interest
5. Elevate Board Engagement
The best compliance programmes are often coupled with a very engaged board and a healthy relationship between the board and the CCO. In the best case, the CCO has regular, formal contact with board members and provides information on topics of interest between regularly scheduled board meetings.
This engagement is usually a sign that the board values the role of the CCO and the compliance programme overall. A board that is genuinely interested in the compliance process and its outcomes is often due in equal measures to the dedication and professionalism of the board as well as the excellent job done by the CCO and the compliance team members.
Recommendations: Engage in regular dialogue with the board to explain and refine the information presented in board reports. This will help the information resonate to the greatest degree possible with the board members, and further cement the trust and respect the board has for the accomplishments of the company’s compliance programme.
Leverage an engaged and knowledgeable board to help you develop a more meaningful board reporting process, and underscore the board’s ownership stake in your compliance program. Engaged boards can help extend and expand the compliance programme while also enhancing both top-down support and bottom-up buy-in for continuing to move the compliance programme from a reactive to a predictive model.
The board should be comfortable that they have the information and understanding of the programme they need to carry out the fiduciary responsibilities required of them. This not only protects the board from potential liability but will also tap the considerable experience and professionalism of the board.
Additionally, we recommend a regular schedule of board training. This should be developed with the board’s buy-in, implemented promptly, and refreshed every 24 months or as new board member classes are elected.
This training should cover:
- Frameworks for ethics and compliance programmes (USSG, OECD, global requirements, risk based)
- Board’s oversight responsibilities
- Specific compliance and ethics environment and risks to the organisation and to the board
- Creating a culture of integrity—challenges and building blocks, board observations and potential areas of impact
- Cases relevant to their roles and responsibilities
Many CCOs assume that boards know their risks and responsibilities already and are afraid to discuss board-specific risks. This is not always the case. Boards need and want to talk about things like:
- Issues that have occurred with other companies and boards
- Recognieing their unintended influence
- Gifts, gratuities and influences
- Insider trading
- Conflicts of interest—both personal and organisational
- Executive accountability
In the final analysis, the story being presented to the board should focus on:
- Benchmarking—internal and external
- Status of the company’s relationships with regulators
- Full ethics, compliance and reputational risk universe and any anticipated changes
- Audit and monitoring coverage
- KPIs against your plan
- Issues and trends
- Emerging risks or other insight to what’s coming in the future
Use your board reports to provide the board with a high-level report card on your programme. Provide context and strategy instead of overwhelming the board with raw data. The board report is a regular opportunity for the CCO to engage the board and gain buy-in for the compliance programme. Treat the board report as a starting point for the conversation, not the end game.
ABOUT THE AUTHOR
Randy Stephens, J.D., CCEP, vice president of NAVEX Global’s advisory services division, is a lawyer and compliance specialist who has worked in roles with legal and compliance responsibility for over 30 years, including operations in Mexico, China and Canada. Randy has significant in-house experience leading compliance programs and working for some of the largest and most diverse public and private corporations in the United States, including Home Depot, Family Dollar and US Foods.