By Michael Volkov – Principal at The Volkov Law Group & John Fons – Former Director of Global Compliance & Ethics Programs
Corporate boards face expanding risks and increasing responsibilities. No longer is board service a ‘comfortable resting place’ for former executives forced to retire from a company because of age restrictions. Board members are subject to increasing scrutiny by prosecutors, regulators, shareholders, creditors and other stakeholders.
Shareholder securities class-action lawsuits filed against board directors are increasing year on year. Last year, approximately one in 12 public companies was the target of a securities class-action lawsuit.
Board members serve as fiduciaries and are responsible for oversight of complex challenges, from traditional acquisitions, financial statements and IPOs to climate change, cybersecurity, safety and environmental harms, anti-corruption, fraud, sexual harassment and privacy risks. An important part of this oversight responsibility is the company’s corporate culture, as secured by its ethics and compliance programme. Poor oversight of this important aspect of company performance can have a disastrous impact on several key interdependent functions: sustainable financial performance, government regulatory and enforcement actions, and shareholder value, as well as avoiding collateral litigation.
While the range of issues under the oversight umbrella is rapidly expanding, too often corporate boards remain entrenched, resistant to change and to the techniques needed to properly monitor corporate management and overall corporate activities. Seismic changes are needed in board oversight and responsibility for a company’s programme.
There is no question that the current system is anachronistic and a significant contributor to corporate malfeasance. The current system has evolved over the years with favourable corporate laws and regulations designed to protect board members from accountability. With the support of legal doctrines that insulated board members from personal responsibility, a defensive approach to board governance and performance evolved.
If corporate boards continue down the current path, they will face increasing risk of individual criminal prosecution, civil enforcement actions and, ultimately, individual liability in shareholder suits. For years, corporate governance law has been fixed for the benefit of corporate boards. But the legal doctrines designed to protect corporate boards from liability are slowly eroding in response to demands for accountability and indefensible corporate governance failures.
The day of board member accountability is near. Proactive boards that institute reforms in their oversight and monitoring efforts will survive and their companies will thrive under this growing trend. Those that stand pat with current programmes and controls will be overwhelmed by the myriad of risks, threats to the company and themselves and, ultimately, potential liability.
Over the past two years, company boards have lost significant cases in which the board’s performance was challenged under the Caremark doctrine for poor oversight and adherence to compliance standards governing safety and financial controls and operations. This is only the beginning of holding boards accountable for poor oversight leading to disastrous corporate malfeasance.
Increasing the US government’s expectations
The Department of Justice (DOJ) and other federal agencies, such as the Office of Foreign Assets Control (OFAC), have been clear in their expectations that corporate boards assert greater oversight of a company’s programme and of its adherence to applicable legal and regulatory requirements.
Over the past two years, these agencies have released extensive guidance on such programmes. Among the many important issues discussed, prosecutors and regulators have outlined a number of important requirements for corporate boards. This guidance has evolved over the years, starting with the United States Sentencing Guidelines and growing through enforcement activity, reliance on corporate monitorships and other compliance tools, and compliance professional input.
The DOJ’s Evaluation of Corporate Compliance Programmes (guidance) mandates that a company ‘create and foster a culture of ethics and compliance with the law at all levels of the company’. Building an effective programme requires a high level of commitment from the company’s board of directors and executives. See USSG § 8B2.1(b)(2)(A)-(C) (the company’s ‘governing authority shall be knowledgeable about the content and operation of the compliance and ethics programme and shall exercise reasonable oversight’ of it; ‘high-level personnel… shall ensure that the organisation has an effective compliance and ethics programme’ (emphasis added)). ‘The company’s top leaders – the board of directors and executives – set the tone for the rest of the company’.
DOJ prosecutors are directed to examine the extent to which the board and senior management ‘have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms and demonstrated rigorous adherence by example’. With respect to corporate boards, the guidance asks several key questions under the heading ‘oversight’ that reflect the government’s expectations for board performance:
- What compliance expertise has been available on the board of directors?
- Has the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?
- What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
Prior guidance in the healthcare sector on the board’s role in oversight of compliance and ethics stated:
It is the process the board follows in establishing that it had access to sufficient information and that it has asked appropriate questions that is most critical to meeting its duty of care.
With respect to individual board director obligations, this same guidance stated:
In exercising his/her duty of care, the director is obligated to exercise general supervision and control with respect to corporate officers. However, once presented (through the compliance programme or otherwise) with information that causes (or should cause) concerns to be aroused, the director is then obligated to make further inquiry until such time as his/her concerns are satisfactorily addressed and favourably resolved. Thus, while the corporate director is not expected to serve as a compliance officer, he/she is expected to oversee senior management’s operation of the compliance programme.
Proper board oversight of a company’s ethics and compliance programme
As a starting point, corporate boards need to implement a modest set of measures from which to build effective oversight and monitoring functions. When we note ‘modest,’ we are applying realistic expectations to what should have been implemented years before. These measures will require ‘modest’ adjustments.
Disclosure of whether or not the board of directors has at least one ethics and compliance expert: It’s been 18 years since Sarbanes-Oxley (SOX) became law. ‘One of the most important aspects of the legislation was that it added additional requirements for the audit committee – the board’s financial-oversight lynchpin – in an effort to strengthen it. SOX required an annual disclosure of whether or not the board of directors had at least one audit committee financial expert (ACFE) on its audit committee… Part of the reasoning underlying this new disclosure requirement was that someone who possessed the skills and experience to be qualified as an ACFE, would ask more challenging questions and, as a result, more effective financial oversight would occur’.
This reasoning applies equally to ethics and compliance. It is past time for boards to have someone who possesses the skill and experience to be qualified as an ethics and compliance expert, one who can ask more challenging questions that would then result in more effective ethics and compliance oversight.
In addition to more effective oversight of the programme, such a board member, who understands the value of compliance and how to promote compliance and ethics, will also understand how such programmes are a critical, bedrock strategy for the company’s achievement of sustainable growth and performance objectives. An ethics and compliance expert on the board is an important first step in this direction.
Creation of a separate ethics and compliance committee: In the wake of SOX, we have seen the rise of internal auditors and the importance of audit committee oversight. Because an effective programme includes internal controls, boards added oversight of such programmes to the charters of their audit committees. And because most boards have no ethics and compliance expert and because ethics and compliance is more than just internal controls – ethics and compliance fuels sustainable growth and protects the company’s culture, employee performance, and achievement of financial goals over the long term – asking the audit committee to oversee the programme often results in ethics and compliance getting little time and attention from the committee. Finance expertise is a perfect fit with internal auditors and preparation and filing of financial reports. Financial focus, however, is only a small part of a company’s programme.
To address this issue, corporate boards need to expand their committee structure to include a specific ethics and compliance committee or even a broader risk management committee. Either solution would work and bring risk management and compliance expertise to the board oversight process. A board member who has compliance expertise should chair an ethics and compliance committee. A three-member committee would be an effective oversight mechanism and help promote the implementation of an effective ethics and compliance programme.
As millennials increase their role and control over corporate cultures, they are demanding new and innovative approaches to corporate governance and objectives. A company’s culture is vital to this wave that’s seeking change. A separate board committee that is dedicated to ethics and compliance is an important second step in this direction.
Chief compliance officer: A new framework for the chief compliance officer (CCO) is needed, as well. As the guidance points out, CCOs must have three attributes: ‘(1) sufficient seniority within the organisation; (2) sufficient resources, namely staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management…’. 
With the addition of an ethics and compliance expert and creation of a separate ethics and compliance committee, the CCO should have sufficient seniority. To satisfy the resources requirement, the compliance committee needs to set the ethics and compliance function’s annual budget, including the CCO’s compensation.
To satisfy the autonomy requirement, the CCO should be hired and fired solely by the ethics and compliance committee. Likewise, the ethics and compliance committee also needs to be where the performance of the CCO is reviewed. The ethics and compliance committee is responsible for the company’s programme, and the CCO is its agent. Providing these three attributes to the CCO is a critical third step in this direction.
Regular chief compliance officer reporting and meetings: Assuming the first three steps have been accomplished, the CCO will quickly experience an increase in focus and responsibility. The board’s focus on ethics and compliance will elevate the stature, authority and responsibilities of the CCO to that of the internal auditor before the board’s audit committee.
For the board to meet its compliance oversight obligations, the CCO will report each quarter to the ethics and compliance committee and conduct an annual session with the full board. Each meeting should include an executive session between the CCO and the committee or full board. Between quarterly and annual meetings, the ethics and compliance committee chair and the CCO should maintain regular communications to keep the committee informally informed of ethics and compliance programme issues. By delegating this important responsibility to an ethics and compliance committee, the overall board will meet its oversight obligations on a regular basis.
Board oversight training: While the addition of an ethics and compliance expert to the board will greatly help, boards have to improve oversight and monitoring functions but generally lack basic skills in this area. The CCO needs to train boards to conduct meaningful oversight and monitoring of the programme (as well as emerging compliance risks). As responsibilities and information increase, boards have to allocate time efficiently to address all outstanding responsibilities.
In this new environment, risk management has become a more complex and difficult challenge. Board members have to demand robust information from management generally, and the CCO specifically, on risks, including enterprise risks, legal and compliance risks and other disruptions. In this area, boards cannot rely only on CEOs and CFOs to identify these risks; instead, boards need to hear from independent voices within the company, such as internal audit and ethics and compliance.
In the area of ethics and compliance, too many corporate board members believe they have an ‘ethical’ culture and a ‘speak-up’ culture without any information or data to confirm these conclusions. Further, board members continue to ignore the importance of third-party risk management, mostly because they do not understand the issue and the significance to the company’s operational risk.
Through these modest adjustments, boards will be able to demonstrate that they have met their duty of care, have promoted a high-trust culture, and positioned their companies for success.
About The Authors:
Michael Volkov is a recognized expert in anti-corruption enforcement and defense, internal investigations, ethics and compliance, and white collar defense issues. Michael is the Chief Executive Officer of The Volkov Law Group LLC. He has over 30 years’ experience in practicing law. Mr. Volkov served for 17 years as an Assistant U.S. Attorney in the District of Columbia. He also served on the Senate and House Judiciary Committees as the chief crime and terrorism counsel to then-Chairman Senator Orrin Hatch and then-Chairman James F. Sensenbrenner, respectively. In addition, Mr. Volkov served as a deputy assistant attorney general in the Office of Legislative Affairs of the U.S. Department of Justice and as a trial attorney in the DOJ’s Antitrust Division. Mr. Volkov maintains the popular legal blog: Corruption, Crime & Compliance. He is a regular speaker at anti-corruption, internal investigations, and other conferences and events around the globe. On November 30, 2010, Mr. Volkov testified before the Senate Judiciary Committee at a hearing on “FCPA Enforcement.”
For more than 30 years, John J Fons has been an in-house lawyer, including 15 years as a general counsel. Most recently, he was Director, Global Compliance & Ethics Programs for Modine Manufacturing Company, the leading global supplier of thermal management equipment. Prior to that he was Executive Vice President & General Counsel for Joy Global Inc., the world’s leading provider of mining equipment & services. He had also been the Vice President, Secretary & General Counsel for the North American operations of Metso Minerals Industries, Inc., the leading global supplier of equipment, service and process solutions to industries including quarrying and aggregates production, mining and minerals processing, construction and civil engineering and recycling and waste management. In addition to providing corporate legal services, John is a consultant to organizations seeking to build effective corporate ethics and compliance programs. From 2007–2012 he was an adjunct faculty member of Marquette University’s College of Business Administration, where he taught business ethics, including corporate citizenship strategies.
1. From Nuisance to Menace: The Rising Tide of Securities Class Action Lawsuits (June 2019), available at https://news.chubb.com/sca-spotlight (October 3, 2020).
2. In re Caremark Int’l Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996); and Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 372 (Del. 2006).
3. Marchand v. Barnhill, 212 A.3d 805 (Del. 2019); In re Clovis Oncology, Inc. Derivative Litigation, C.A. No. 2017-0222 (Oct. 1, 2019) (Slights, V.C.); see Hughes v. Hu, 2020 WL 1987029 (Del. Ch. Apr. 27, 2020).
4. See, e.g., (1) DOJ Evaluation of Corporate Compliance Programs (April 2019 and revised June 2020); (2) DOJ Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019); and (3) A Framework for OFAC Compliance Commitments (May 2019). HHS OIG Compliance Program Guidance for Pharmaceutical Manufacturers which includes Elements for an Effective Compliance Program, available at https://oig.hhs.gov/compliance/compliance-guidance/index.asp; see also Measuring Compliance Program Effectiveness: A Resource Guide HCCA & HHS OIG, March 27, 2017, available at https://assets.hcca-info.org/Portals/0/PDFs/Resources/Conference_Handouts/Regional_Conference/2017/new-york/Taitsmanhandout.pdf.
5. Practical Guidance for Health Care Governing Boards on Compliance Oversight (2015) by The Office Of Inspector General Of The U.S. Department Of Health And Human Services And The American Health Lawyers Association, available at https://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf
7. SOX’s Financial Expert Requirement 15 Years Later By Ann C. Mulé, directorsandboards.com
8. See, e.g., DOJ Evaluation of Corporate Compliance Programs (April 2019 and revised June 2020)