An increase in regulatory enforcement actions and more focus on corporate governance issues by shareholders is requiring corporate board members to interact more regularly with the company's general counsel.
During a panel discussion at the Association of Corporate Counsel's annual conference in Denver last week, legal executives led a conversation on how general counsels and board members can work together to keep up with the fast-changing developments.
“Pressure is coming from both directions. It's important to focus the board's attention on this new dynamic,” said Amy Hutchens, general counsel, vice president of compliance and ethics services for Watermark Risk Management International, a risk-management services provider.
Hutchens offered four core compliance areas that directors should focus their attention: structure, culture, areas of risk, and forecasts.
Jennifer MacDougall, senior counsel and assistant secretary of restaurant chain Jack in the Box said it can be challenging to convey those core areas to the board in an engaging manner “in what is probably a very short amount of time.”
It's also important that each board member is familiar with the compliance program and how it works and that they can communicate its main elements. They should be able to answer the following questions, says Hutchens:
Who oversees the operations of the program?
What is in the Code? Is each board member aware of corporate standards and procedures?
How are complaints being received?
Who conducts investigations and acts on results?
What corporate resources are being devoted to the compliance & ethics program?
How much money is allocated to the program?
What types of training is being required?
Think about what metrics are most meaningful to your company, advised MacDougall. A hotline, while it can provide helpful statistics, is not always the most effective source of metrics. “Make sure you're counting all the reports, not just helpline reports,” she said. Some good metrics for general counsels to communicate to directors are:
How many compliance failures were detected internally and externally?
How much of a financial loss was averted because of misconduct detection?
How many compliance failures have been detected (by audits, help line calls)?
Directors should also be versed in the company's compliance and ethics training program and they should know what vendor the company is using for online training, said Hutchens. For example, how does the company train employees who don't have Internet access? What is the structure to that? “Get the board's assistance for assigning the resources and a plan for getting that accomplished,” said Hutchens.
“I want to emphasize not to describe the program at a high level, not too give too much description and summary. Focus on your company's risks.”
—Jennifer MacDougall,
Senior Counsel,
Jack in the Box
The overall objective between less mature and more mature compliance and ethics programs is very different. For less mature programs, major structural improvements need to be put into place. For example, are charter documents in place to formally establish a program? Do the documents formally assign compliance duties to an individual? How are job descriptions and performance evaluations updated to reflect responsibility?
“A mere paper program is not sufficient, but it takes a lot of paper to show that you don't have a paper program,” stressed Hutchens. Additionally, major structural changes mean the board should review the company's Code of Conduct and benchmark against competitors on quality and best practices.
Compliance programs with a greater level of maturity should focus on making minor refinements to structural elements:
Is it time for an independent chief ethics, compliance officer? If so, where will the chief ethics and compliance officer sit in the organization?
What is the reporting structure for the CECO?
How effective is training? Is it time to reexamine the company's approach?
Is it time to grow the company's corporate social responsibility or sustainability efforts? If so, how will that fit into the structure of the existing program?
Culture
Another area that boards and general counsels are spending more time on is the culture and how it is communicated across the organization. Board members should know from employees at the lowest level of the company what message is being perceived on ethics and compliance. Additionally, what message would the board like to send on ethics and compliance?
Surveys are an effective way to measure corporate culture. When was the last time the company measured its ethical culture? Is it time to survey or re-survey?
KEY QUESTIONS
The excerpt below is from the ACC's presentation, “Best Practices for Compliance Reporting to the Board of Directors,” regarding questions board members may ask:
How does the board know (how does company measure) the cultural integrity of the organization?
How does the company's helpline calls compare to industry benchmarks?
Where there any ethical violations involving fraud or financial integrity, or officers, or others with significant responsibility?
How did detected violations surface?
What did management do in response to the violation?
What is management doing to address company's biggest risks in the compliance and ethics area?
Why should I care about this?
Source: ACC Presentation: “Best Practices for Compliance Reporting to the Board of Directors.”
The board must be informed of survey results and be involved in approving action plans to improve or maintain an ethical corporate culture. This is also a perfect time to discuss any major investigations and whether they arose from a cultural problem, said Hutchens.
Anytime a change or disruption in the workforce, or in business operations, occurs is a good time to gauge culture. In the event of a merger and acquisition, for example, that influx of new people has a different culture. “When and how are you going to send the message to unify that culture?” asked Hutchens.
Areas of Risk
Board members need to know what process is being used to identify emerging risks. This risk analysis should consider not just legal compliance risks, but also matters such as business continuity planning and crisis response plans. Hutchens raised several questions that directors should consider.
What is the current risk assessment process?
How effective is the risk assessment process? Is it stale?
Who is involved in that process?
Are you taking new legislation into consideration for that risk assessment?
Are there any new operations that pose substantive compliance risks?
Is the company tracking enforcement trends? Are other companies getting hit with enforcement actions that the board needs to be aware of?
“I want to emphasize not to describe the program at a high level, don't give too much description and summary,” said MacDougall. “Focus on your company's risks.” At Jack in the Box, for example, the core area the company focuses on is food safety, she added.
Talking about a specific risk, violation, or incident says a lot about process and culture more than a mere paper process. “The board of directors needs to use their expertise and ask the right questions,” said MacDougall.
Forecast
A truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow. “Set maturity goals for the program and seek board approval and buy-in for the resources you need to accomplish the goals,” advised Hutchens.
Maybe the company recently underwent an investigation, a merger and acquisition, a divesture, or something else. “All those things can change the dynamic of a company,” said Hutchens, “and you want to get your board's attention on the changes that might need to happen with the program.”
No comments yet