As regulatory compliance increases in complexity, many companies are assembling committees to coordinate and oversee such efforts.

COMMITTEE EXAMPLES

Below are examples of several compliance committees at public companies, including their structure, membership and function:

Altria Corporation

Committee Structure: The parent company committee has about 30 members, including the CCO of each operating company, the CCO of the parent company, and representatives of other corporate functions, including audit, corporate communications, HR, security, and finance. The committee also draws on outside advisors as necessary.

Each operating company also has its own compliance committee chaired by the operating company CCO and with representatives from each functional group. The parent company CCO participates in at least one meeting a year with each operating company committee.

Both committees use smaller working groups to focus on specific projects, such as compliance training, developing factory-level compliance standards in multiple languages, and deciding whether to appoint compliance officers at the country level.

Year formed: 2001

Meeting frequency: Parent committee meets as needed, usually three times a year. The operating company committees meet quarterly.

Membership: Most members of the parent company committee are at the vice president level in their functional areas and the members of the operating company committees are usually the heads of the functional areas.

What it does: The parent company committee sets enterprise standards for all compliance committees, including compliance goals and activities, standards and codes of conduct, and a compliance training strategy. The operating company committees focus on meeting enterprise compliance standards, developing risk assessments and a compliance integrity plan, developing compliance training, and overseeing disciplinary actions.

Sealed Air Corporation

Membership: 12 members, including the CEO, CFO, general counsel, and members of the corporate financial and legal staff.

Year formed: 2002

Meeting frequency: Quarterly before the release of quarterly financial reports. Additional meetings as needed to discuss new regulations and to change existing policies.

What it does: The committee provides a formal quarterly process to ensure that individuals with key roles in compliance and the implementation of internal controls and the presentation of financial data have the necessary visibility with the CEO and CFO to discuss any issues involving quarterly reporting.

The committee also provides guidelines for dealing with reporting issues as part of the certification process.

The committee members must acknowledge that they have complied with the guidelines in a way that mirrors what the CEO and CFO must certify in the company's SEC filings. This is also a forum for raising issues and asking questions about specific points of reporting and controls, such as how to report and handle new types of transaction.

Baxter Healthcare

Committee Structure: A five-member committee, known as the corporate responsibility office, is appointed annually by the public policy committee of the board of directors. This group, in turn, appoints the members of five regional business practice committees and one country committee.

Year formed: 1993

Meeting frequency: Quarterly or more frequently as needed.

Membership: The permanent members of the office are the vice president of business practices, the general counsel or a senior member of the legal department, and the vice president of audit. The other two seats in the office are held by senior management staff for two-year terms (one year as office vice chair and one year as chair) to ensure that all members of the senior management team rotate through the business practices office, including the leaders of business units, R&D, and manufacturing. These appointments begin with the CEO's direct reports, then move down to direct reports of the CEO's direct reports.

What it does: The corporate responsibility office develops and communicates business practice policies, identifies methods for employees to raise business practice issues anonymously, and handles the annual certification of integrity and compliance through which 13,000 employees in certain job levels certify that they have read and understand the company's accepted business practices, promise to conduct business according to those practices, will communicate practice standards to peers, direct reports, and customers, and will give those individuals the opportunity to comment and raise issues about business practices.

Genzyme Corporation

Year formed: 1999

Meeting frequency: Quarterly or as needed

Membership: About 25 people, including all of the sales and marketing leaders of each product line, compliance officers of each business unit, and representatives from important functional areas, such as clinical trials, finance, internal audit and HR. Additional peripheral members might be added to help deal with specific emerging issues, such as technology issues, international operations, and finance. Overall, the committee tries to recruit people with substantive knowledge, interpersonal skills, the ability to be advocates of the compliance program, and the respect and visibility in the organization to help implement committee recommendations.

What it does: The committee is structured based on the compliance program guidance for pharmaceutical manufacturers issued by the U.S. Department of Health and Human Services' Office of the Inspector General. The committee's initial focus is managing the company's sales and marketing practices for the various product sales forces, as well as developing a company-wide code of conduct.

Oracle Corporation

Year formed: 2002

Meeting frequency: Three times a year or as needed

Membership: CCO, general counsel, and the business compliance officers from each of the company's geographic regions.

What it does: The committee manages the company's compliance risk profile, ensures there is a consistent definition and perception of risk throughout global operations, and ensures consistent investigations and handling of complaints and issues. The company also plans to convene an annual meeting of the compliance committee and all heads of business units and functional groups to discuss compliance issues.

Wachovia Corporation

Year formed: 2001

Meeting frequency: Quarterly with the ability to call special meetings to discuss urgent issues.

Membership: About 30 people, including the senior compliance leaders from the company's four lines of business and representatives from staff areas, including HR, technology, audit, legal, and corporate communications.

What it does: The compliance committee was created when Wachovia merged with First Union to monitor emerging regulatory risks and how those risks might affect the franchise, to make policies with an understanding of the impact those policies will have on the company, and to identify training opportunities.

But these compliance committees can have vastly different compositions and functions, depending on the company's business, industry and compliance requirements. That's not the case with most board committees, where responsibilities are generally identical across industries—the audit and nominating committees at Ford and Intel basically serve the same function.

Not so with compliance committees.

$81.8 billion Altria Group, for example, has compliance committees at each operating company, and a "parent" compliance committee that sets standards, codes and training strategies across the enterprise.

At $1.7 billion Genzyme, on the other hand, a single compliance committee focuses heavily on providing guidelines for the sales and marketing practices of the company's different product sales forces, a key issue in the pharmaceutical industry. In addition, the group also works on ethical issues that are common to most companies; for example, the committee has developed a 16-page code of conduct with extensive input from senior management and the compliance functions within each business unit.

In some cases, business complexities require companies to maintain several unique compliance committees. Baxter International has a corporate responsibility office to oversee the enforcement of business practices and codes of conduct, but also has regional business practice committees. The $8.9 billion health care company also has committees to manage financial disclosure, to handle privacy issues, and to manage product-related compliance.

Risk and compliance consultancy Jefferson Wells International, a subsidiary of $12.2 billion staffing firm Manpower Inc., recently conducted a survey of 165 senior executives that outlined this phenomenon. According to the survey, companies are indeed using compliance committees to tackle a variety of issues, including development of ethics codes and investigation of whistleblower complaints, as well as oversight of compliance with exchange rules, securities regulations, and the U.S. Sentencing Commission's organizational sentencing guidelines.

Although the SEC has recommended that companies create a committee "with responsibility for considering the materiality of information and determining disclosure obligations on a timely basis," it does not take a position on the use of compliance committees that have a broader mandate. "Our mission is to ensure compliance with U.S. securities laws," says an SEC spokesman. "In general, we have not specified a one-size-fits-all means to accomplish that. We are leaving it to companies to devise the best way for each to fulfill its legal responsibilities."

That's part of the reason for the diversity of committee composition, role and reporting structure at U.S. public companies. Most experts recommend that compliance committees report to the audit committee of the board of directors, which helps ensure that findings are reported—and issues are raised—to the appropriate level. However, that's not always the case. "There is a mix of reporting relationships for these committees," notes Daniel B. Langer, North American practice director of the internal control services practice of Jefferson Wells. According to Langer, such committees report "primarily to the board audit committee or the full board, but alternatively to the CEO, CFO, or CLO."

Working Across Functions

In most cases, companies use compliance committees to bridge operations and functions, maximizing the flow of information across the enterprise on critical issues. Doing so enables the company to make decisions and solve problems with greater speed and accuracy, thereby minimizing risk.

"Compliance needs some kind of ad hoc committee that cuts across functional lines and breaks down barriers to ensure the company can achieve its compliance objectives," says Jim DeLoach, national corporate governance leader with Protiviti Inc, an internal audit and risk consulting firm based in Menlo Park, Calif.

Bill Langley, executive vice president and chief compliance officer of $24.5 billion Wachovia Corporation, in Charlotte, N.C., agrees that bringing people together is a key aspect of the compliance committee. "The major benefit of a committee is pulling together the intellectual heavyweights throughout the company," he says. "It sounds trite but by focusing on the issues, the committee can cut through any problems to come up with simple solutions. This is one of the most powerful things we've done in the compliance area."

Carolyn Miller, a former SEC staffer who now serves as senior vice president in the financial communications practice of Fleishman-Hillard, agrees. "The most valuable aspect of a compliance committee is having representatives from most areas of the company, including operating divisions, not just the general counsel and the CFO." According to Miller, "Companies with a broad-based compliance committee will be way ahead of those still working in their silos."

Another key benefit to having a cross-functional compliance committee is the ability to develop a consensus around specific issues and to encourage functional areas to work together. This is particularly true for companies with many separate business units or operating companies. "We really have a dialogue with businesses, so that at the end of the process people do not feel that something has just been handed down from the parent," says David Greenberg, executive vice president and CCO of Altria Corporation in New York. "We try to be as inclusive as possible by involving other functions when they have shown an interest in an issue."

That sense of inclusion can be especially critical when it comes to implementation of committee findings and policies across units, divisions and locations. An ethics policy, for example, could be utilized in different ways by operating companies. "The code of conduct is a broad document, almost like a constitution, that can guide behavior," says Roger Louis, Genzyme's chief compliance officer. One business unit compliance officer might use the code of conduct to guide the development of program manuals for clinical testing labs, while another might use it for guidance on how to handle product sampling.

Baxter International ensures broad participation in its corporate responsibility office by rotating senior executives through a two-year term on the committee. The company reserves two of its five committee seats for these executives, each of whom—according to Vice President of Business Practices Gretchen Winter—serves as committee vice chair during the first year of his or her rotation, and chair during the second year.

To generate more input from a cross-section of the company, $9.5 billion Oracle plans to convene a meeting this fall between the compliance committee and the heads of all of its business units and functional groups to review the results of compliance investigations and to discuss ways to make the process better and more efficient. If that meeting is a success, Dan Cooperman, Oracle's general counsel, hopes to continue the meetings annually.

This type of cross-functional cooperation will become even more essential in the future for companies that want to manage compliance on an enterprise-wide basis. "Companies will need to integrate compliance with the activities of the business, not just treat it like an appendage," says Protiviti's DeLoach.

Too Many Committees?

At the same time, companies need to be aware of the danger of having too many committees. "Many people feel that they are committee'd to death," says Trent Gazzaway, national director of corporate governance advisory services for Grant Thornton in Charlotte, N.C.

The challenge, therefore, is to structure the compliance committee carefully to maintain focus and engagement among members. That's what Oracle Corporation has tried to do by purposely limiting compliance committee membership, and keeping the committee structure somewhat informal.

Cooperman considers a formal committee structure too bureaucratic and too demanding of members' energy. "Once the machinery is in place, the enthusiasm wanes over time and people find it difficult to contribute constructively," says Cooperman. "The routine can suck the life out of a committee. We want more than just people in a room contributing their views of what might work."

To those ends, Oracle has limited membership to its compliance committee to the general counsel, the CCO, and the regional business conduct officers in each of the company's geographic regions. The group meets three times a year or as frequently as needed to deal with specific issues related to managing the company's compliance risk profile and the company's code of conduct. "We need to make sure everyone is perceiving risk the same way throughout our global operation," says Cooperman.

Oracle's compliance committee routinely supplements its membership with representatives from functional areas to help deal with specific issues or investigations, rather than having those individuals participate in the full committee. "We think this is a more efficient use of resources," says Cooperman. Depending on the situation, this might include representatives from corporate security, internal audit, legal, or human resources.

Limiting involvement of designated executives to specific matters or issues also helps to control the dissemination of privileged and sensitive information on a need-to-know basis. Because many matters handled by the group involve individual employee misconduct allegations, the group must be aware of, and adhere to, different privacy rules and expectations around the world. "Different parts of the world deal with privacy in different ways," says Cooperman. "If we had a large committee, there would be a greater chance that we could find ourselves in violation of a specific country's privacy rules if people are not aware of those rules."

Daniel Langer at Jefferson Wells agrees that the committee should be small, selective, and focused on privacy. "Because of the sensitive nature of [many compliance committee] matters, it is important that related information be disseminated only to those working on the matter," says Langer. "You don't want that sort of information going out to the wrong people."

But no matter who is on the committee, the committee must have the appropriate expertise and authority to deal with compliance in all the areas it covers.

Maintaining Interest & Flexibility

According to many compliance committee chairmen and members, a key challenge to success is maintaining interest and enthusiasm.

Although David Kelsey, CFO of $3.5 billion Sealed Air Corporation, recognizes that the compliance committee must maintain some consistency in its agenda from quarter to quarter, "We don't want people to be partially engaged so we make an effort to ask participants to think about specific issues and be prepared to discuss them."

For example, Sealed Air's compliance committee is working through issues associated with an upgrade in the company's enterprise resource planning software, including maintaining data integrity throughout the move to a new system. The committee is discussing the steps division management is taking to ensure data accuracy and whether there are problems with extracting data for management reporting.

Appropriate preparation is also important, not only to make the best use of the committee's time, but to set the tone for professionalism and to provide a record of issues discussed. Wachovia's Langley develops an agenda with input from the company's compliance leaders, and also invites committee members to offer suggestions. "We need to get a share of members' mind before the meeting, so we have to make sure we have the right things on the agenda and that we send out information in advance of the meeting so members come prepped for discussion and prepared to weigh in on the issues," says Langley.

Langley also ensures that the most appropriate individuals are making related presentations, and works hard to make sure the committee stays on agenda and accomplishes what it set out to do. "When you have so many people involved, it is important to have a strict agenda," he says. "Otherwise, you could get overwhelmed."

That being said, flexibility is critical. Because compliance may mean different things to different companies and at different times of the year, committees should take a broad view of their oversight responsibilities and remain acutely aware of changes that might impact their roles.

"Good compliance committees have an unlimited charter because there are always developments taking place on the regulatory side of the business," notes Protiviti's DeLoach. "Internal and external monitoring of compliance will always be part of that charter."

In addition, the mandate for compliance committees is likely to expand as companies recognize the importance of managing enterprise-wide compliance activities. Notes Trent Gazzaway of Grant Thornton: "The cost of not complying is almost always more expensive than compliance."