Compliance officers are spending a lot more time in the boardroom these days.

Regulators are putting more pressure—and in some cases liability—on directors to keep up with regulatory demands, which means directors are increasingly leaning on compliance officers to keep them informed.

“Boards have really a Herculean task in today's regulatory climate,” says Michael Bramnick, senior knowledge leader for LRN, an advisory firm that specializes in compliance, ethics, and governance. It falls upon chief compliance officers to find the best way to help directors fulfill their oversight obligations.

The dilemma for compliance officers, however, is striking a balance between too much and too little information. A high-level report, issued only at infrequent intervals, may not be detailed enough to get the job done. Granular reporting runs the risk of data overload or of taking too much time for directors to wade through.

Amendments to Federal Sentencing Guidelines, for example, demand that boards be “knowledgeable about the content and operation of the [compliance] program to prevent and detect violations of the law and exercise reasonable oversight.” In November, joint guidance issued by the Department of Justice and the Securities and Exchange Commission on the Foreign Corrupt Practices Act further detailed the board's role in promoting due diligence and board oversight of anti-corruption policies, codes of conduct, and a “culture of compliance.”

What boards want to know is how their own programs live up to the hallmarks of an effective program in the eyes of the government, Bramnick says.

“Boards really only want an answer to the question: ‘How do we know it is working?' For a board, keeping its finger on the pulse of compliance across the organization is critical,” Bramnick says. “One way to get to this is for compliance officers to institute employee surveys or other metrics that give board members assurance of an effective program.”

Boards also want assurances that the company doesn't merely have “paper programs” that are not adequately tracked or analyzed. They want the code of conduct to be useful and engaging, “not just sitting on a shelf gathering dust,” he says.

A compliance officer should also be prepared to update the board, outside of the normal reporting period, as serious issues arise, Bramnick says. Compliance should have a process for notifying them, or one of their committees, of any allegations that emerge from a helpline, e-mail, telephone call, or even hallway conversation.

More About Processes

Directors say that generally boards want more information on the processes to carry out the compliance function, rather than details on specific compliance issues. “Boards want to know that there is a single individual or project management office keeping track of all this stuff and making sure that it is being handled properly,” says Dennis Beresford, professor of accounting at the University of Georgia's Terry College of Business. “They want the comfort of knowing that there is a system in place that keeps track of compliance requirements.”

Internal compliance hotlines are a hot topic for boards these days, for example. Directors want to know details about who answers the calls or e-mails that come in, how they are trained, and whether the process is outsourced, and they want assurances that the hotline is truly anonymous, with no use of caller-ID or GPS tracking. Other common questions from the board include: How are calls classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions?

Directors want to know that employees are comfortable enough to speak up and that, when they do, about good things or bad, they are listened to, there is follow-up, and trends are evaluated and reported back to them, Bramnick says.

Another topic directors want more details on is who's responsible for what. Boards want assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management so it can assess accountability, Bramnick says. “Effective boards let management do their job running the business on a day-to-day basis, and they understand that their job is to set long-term strategy,” he says. “It is not for them to be looking at every contract.”

Even though boards need to think “big picture,” the compliance function can assist that effort by providing specific data points, says Beresford, a director for Legg Mason who has also served on the boards of Fannie Mae, Kimberly-Clark, and MCI.

“Directors just assume that the company is complying with all the routine regulation,” he says. “We don't expect them to tell us that they filed tax returns or comply with employment regulations in every state they do business. But if there are compliance matters that rise to a level of importance, the board does expect to be updated.”

While compliance officers should not overload directors with information, or bore them by reading through all of their PowerPoint slides, they should feel free to request additional time at board meetings when warranted, Beresford says. At Fannie Mae, his board set aside extra time at each meeting, usually about 15 minutes, for a “deep dive” on a specific compliance risk. “Over a period of time, we would have a better understanding of the different types of compliance risk that we face,” he says.

Beresford sees value in working with compliance officers outside the confines of scheduled meetings too. He encouraged one particular CCO, for example, to let him know if their allotted time before directors was not enough. “They don't want to bother you, but having enough time, whether it is an audit committee meeting or full board meeting, is always a concern,” he says. “They want to know how to use the time they have efficiently and effectively and really get into all the details you need to fully understand.”

DIRECTOR QUESTIONS

The following, from a resource guide for healthcare boards of directors published by the Office of the Inspector General for the Department of Health and Human Services, offers suggested questions directors should ask to better understand the scope of an organization's compliance program and identify operational issues.

How is the compliance program structured, and who are the key employees responsible for its implementation and operation? How is the board structured to oversee compliance issues?

How frequently does the board receive reports about compliance issues?

What are the goals of the organization's compliance program? What are the inherent limitations in the compliance program? How does the organization address these limitations?

What will be the level of resources necessary to implement the compliance program as envisioned by the board? How has management determined the adequacy of the resources dedicated to implementing and sustaining the compliance program?

Does the compliance officer have sufficient authority to implement the compliance program? Has management provided the compliance officer with the autonomy and sufficient resources necessary to perform assessments and respond appropriately to misconduct?

Are employees held accountable for meeting compliance-related objectives during performance reviews?

What is the scope of compliance-related education and training across the organization? Has the effectiveness of such training been assessed?

How is the board apprised of significant regulatory and industry developments affecting the organization's risk?

Does the organization periodically evaluate the effectiveness of the compliance program?

How are reporting systems, such as the compliance hotline, monitored to verify appropriate resolution of reported matters? Does the organization have policies that address the appropriate protection of “whistleblowers” and those accused of misconduct?

What guidelines have been established for reporting compliance violations to the board?

What policies govern the reporting to government authorities of probable violations of law?

Source: Office of the Inspector General.

Boards and compliance officers can learn from how small-cap companies deal with their obligations, says Adam Epstein, founding principal at Third Creek Advisors, lead director at OCZ Technology Group, and author of “The Perfect Corporate Board: A Handbook for Mastering the Unique Challenges of Small-Cap Companies.”

Boards at small companies, for example, may treat operational risks with greater urgency. “Small-cap companies are, in some ways, immunity-suppressed versions of larger companies,” he says. “Their directors realize that even seemingly innocuous decisions can have business-ending consequences.”

Out of necessity, small companies have stripped away needless bureaucracy so that boards can “focus more on substance than form,” Epstein says. Boards should be encouraged to rely more on internal expertise than on third parties and consultants; otherwise, “they can end up with a culture of box checkers.”

Each year, PwC surveys directors to gauge their changing needs and concerns. The 2012 edition shows that it remains difficult for board members to “get their head around culture and tone” because the people they interact with are typically the same executives who attend board meetings, says Don Keller, a partner in PwC's Center for Board Governance.

He suggests that, to help give boards the company-wide perspective they seek, compliance officers should analyze the feedback from exit interviews conducted when employees and managers leave the company.

“Are there any overtones that would suggest maybe the culture could be improved upon and give the board a more thorough understanding? Obviously, a board member is not going to go through them all, but they should set an expectation with the compliance officer that they are going to have a robust dialog about the overtones,” Keller says.

A challenge for directors, and one they need compliance officers to help them with, is ensuring that corporate culture reaches into the broader universe of third-party vendors and supply chain partners. “Compliance risk now extends beyond the borders of your own employee workforce,” Keller says. “You had your own backyard to worry about, and now you have all these other backyards.”

Boards want to focus on the protocols in place for third-party relationships and should be apprised of how ethical behavior is achieved contractually, such as through the right to audit.

“It's a fast train they are chasing,” Keller says of boards struggling to keep pace with increased demands on the limited time and resources at their disposal. “But at least they are asking questions about what's really going on with their culture and whether they have the right processes and protocols. Even just inquiring can cause a ripple effect, and the compliance function does a better job because the board is focused on them.”