Overseeing the board’s compliance programme

By Michael Volkov – CEO and owner of The Volkov Law Group

Recent corporate scandals have revealed a weakness in many compliance programmes – board oversight. We have seen time and again the detrimental results of a board that is not trained to manage compliance issues.

The VW emissions scandal and last year’s VimpelCom enforcement action are great examples of what can go wrong. When a company’s board does not fully understand
its duty of oversight and is not providing effective leadership on corporate culture, it is doomed to fail in its fiduciary responsibilities to detect and prevent misconduct.

The VimpelCom enforcement action from last year was a shocking example of a board that had nearly abdicated its compliance oversight responsibilities. When VimpelCom executives were seeking approval to acquire two companies, the board simply never asked a very basic question – who are the beneficial owners of the target companies to be acquired? If they had obtained the answer to this basic question, VimpelCom could have possibly avoided the FCPA disaster resulting in more than $700million in fines and penalties. So, how do you ensure that your board is fully aware of its compliance oversight responsibilities? With training.

The training deficit

Unfortunately, the numbers show that board members and senior management are chronically under-trained. Based on a recent survey by Navex Global, more than 40 per cent of organisations do not train board members and only 20 per cent train new board members. For example, only 12 per cent of companies trained board members on workplace harassment; 33 per cent trained on conflict of interest; and only 22 per cent trained on cybersecurity. With corporate boards and senior leadership ultimately responsible for a company’s ethics and compliance programme, the lack of education and training stands as a significant risk to a company’s compliance programme.

It is no secret that training a board is not an easy task – experienced and busy people who believe they already have the knowledge they need are not the most attentive or committed audience.  In reality, board members often do not know as much as they claim and need a refresher to remind them of both their responsibilities of programme oversight and how to set the tone for an organisation to develop a culture of compliance.

Corporate boards are increasing their focus on compliance issues. Unless a board member has prior experience in the field, the board must be trained on compliance and has to learn how to oversee and monitor compliance issues. A compliance professional adds significant value to the board by ensuring that the board exercises appropriate oversight of the compliance functions, monitors senior management compliance activities and devotes significant time and resources to the compliance and ethics function.

Training board members is not about explaining the basics – they know that already. Instead, board training should focus on the role of a board in a compliance programme and how members can contribute to building a culture of compliance. A CCO should spend at least 30 minutes each quarter with his or her reporting board or committee. The report has to include an executive session during which honest and candid questions and discussions can occur. Frankly, a CCO who reports for longer than that – up to an hour – is better practice, especially in today’s multi-risk environment.

Any board and executive training programme should include some or all of these components:

Legal responsibility for compliance oversight

Board members often are familiar with their fiduciary duties, legal obligations imposed upon board members to act in the best interests of the company. When it comes to a compliance programme, a board should be informed of the ‘duty of oversight.’ This requires the board to make sure the company acts lawfully. In the United States, the law largely draws from two Delaware Court of Chancery decisions – a 1996 decision, In re Caremark International Inc. Derivative Litigation, and a 2006 decision, Stone v. Ritter. These cases provide that a board that ‘utterly fails to implement any reporting or information system or controls’ or, having implemented controls, ‘consciously fails to monitor or oversee its operations’ may face liability for breach of its fiduciary duties.

Without digging too deeply into legal nuances, suffice it to say that directors who fail to oversee an adequate compliance programme could face personal liability for losses due to compliance programme failures. When training directors, this is a critical element to communicate.  Not only does it encourage directors to pay attention to remaining training topics, it also is a fundamental part of a board’s duty overall.

Company risk sources

A board member should be able to tick off the largest risk sources facing the company, including anti-corruption risks. Often this requires an understanding of nuances of anti-corruption law, such as the risks third parties pose. It might be easy to tell a board that the company doesn’t make sales to public entities, suggesting a low risk of bribery. But what about your third parties; do they make sales to government entities? Do you use third parties to assist with export compliance? These are the type of risk nuances that a board should be familiar with and know enough to dig deeper.

Make sure your board has enough awareness of risk sources to do so. A great example is the VimpelCom action described above. In that case, the board was aware it had some duty to review the proposed transaction, but did not have enough information to know to ask about beneficial ownership of the shell companies involved in the transactions. A well-trained board will have an understanding of the risk landscape, both risks the company currently faces and may in the future.

A board should be aware of the largest corruption risk sources and it is the compliance programme’s job to make sure they know. When training the board on this area, it is important to keep the content high-level.

The importance of corporate culture: While training for managers and employees may focus on a speak-up culture, training for board members should also focus on how the board can build a strong culture of compliance from top down. Offering specific, actionable options to board members will help them to lead. For example, you might suggest that a board member provides a message of compliance to top executives via email or at an annual meeting. Or, you may invite board members to sign a statement of support for the code of conduct or anti-corruption policy.

A best-practice is to enlist the support of the board in training senior managers on the importance of the compliance programme. The message then is very powerful – the board takes compliance seriously and will actively participate by talking directly to senior management. Offering specific ideas to board members will allow them to focus on the ones that make the most sense for the company.

Internal investigation procedures and outcomes

Board training should provide high-level information on a company’s internal investigation programme. One effective way to inform the board about the state of company culture is to develop a robust internal reporting and investigation system that tracks outcomes in a standardised, comparable way. This will allow a company to track violation sources over time to identify trends and remediate weaknesses. By taking complex, individualised situations and standardising the tracking of them, you are creating quantitative metrics that provide immense value to a board in evaluating how the company’s culture is doing. This also allows the compliance department to inform the board about what steps have been taken to remediate areas identified as concerns.

Many of my clients have anonymous hotlines in place but haven’t put in the support function to leverage the information you learn from these anonymous reports. While it is commonly accepted that 70 per cent of hotline reports will relate to human resource and workplace concerns, the rest can provide valuable information about potential risks. A company that encourages and fosters a speak-up culture is building a valuable governance resource. A company that retaliates, such as Wells Fargo, which fired numerous whistleblowers who attempted to raise concerns about the bank’s sales programme, will suffer serious harm to its culture and foster an environment in which employees are more apt to engage in misconduct.

The ability to track those reports and outcomes is invaluable, specific information that cannot be obtained elsewhere. Board training should include details on the importance of tracking hotline reports and the trends over time.

Compliance as a marketing advantage: Finally, board training should emphasise the value of an ethical culture. Compliance programmes should be win-win for the business. In almost every significant business transaction – a bank loan, convertible debt, acquisition of equity or assets – company lawyers are demanding that each participant demonstrates and provides proof of their respective compliance programmes. My translation of this requirement is simple – compliance has become an important currency in the business transactions.

This demand for ethics and compliance reaches into the global marketplace. Companies want to do business with other companies that are committed to ethics and compliance. Companies do not want to deal with shady companies that may be suffering from a range of unethical conduct or legal risks. Recognising this context, compliance officers have the opportunity to ‘sell’ the board on the value of a compliance programme, the elements of an effective compliance programme, documents they can use to promote compliance, and an overall message about their company – the company is committed to trust and integrity throughout all of its operations.

Turning compliance into a sales advantage is a win-win because it provides tangible and substantive advantage to the sales and compliance missions for both compliance officers and sales staff. For customers, the company’s message is powerful: you never have to worry about misconduct, bad headlines or publicity when conducting business with us. Moreover, the message of trust and integrity provides an important reassurance on overall business trust – a company committed to trust and integrity is less likely to engage in fraud, delay in invoice payments, or unscrupulous business dealings. In other words, the trust factor is an important competitive benefit. In a close competitive match, a government agency or a company may award significant credit to a company that has a robust and/or mature ethics and compliance programme.

The risks of not training are too great

Board training is not an easy task to tackle but is vital to the long-term success of a company’s compliance programme. The first step is to get in front of the board – put it on the board’s calendar and then make the time you have as productive as possible. Charts and graphs, along with numbers and metrics, are all important parts of the oversight and monitoring process. There are many third-party vendors who can provide assistance on this issue and have training programmes designed specifically for senior executives and board members.

If the car maker VW’s board had understood the importance of tone at the top, it may have chosen to clarify VW’s priorities and acted to obey the law rather than increase profits by violating the law. Instead, VW faced publicity, such as The New York Times 25 September 2015 article Problems at Volkswagen Start in the Boardroom. The article cites a former executive as describing the scandal as ‘all but inevitable’ due to ‘the company’s isolation, its clannish board and a deep-rooted hostility to environmental regulation among its engineers’. It is easy to imagine but hard to accept that VW would have chosen the same path had the board and its executive team been trained and understood the implications of its misguided strategy to avoid environmental regulatory requirements.

About the Author:

Mike Volkov has over 30 years of experience in practicing law. A former federal prosecutor and veteran white-collar defense attorney, Mike is an expert in compliance, internal investigations and enforcement matters. Mike was a federal prosecutor for over 25 years, and has extensive trial experience in federal court. He also served as chief crime and terrorism counsel for the Senate and House Judiciary Committees. Mike maintains a highly popular FCPA blog – Corruption, Crime & Compliance. He is a regular speaker at events around the globe, and is frequently cited in the media for his knowledge on criminal issues, enforcement matters, compliance and corporate governance.