
The Importance of Being Compliant

I frequently read these days that boards are spending too much time on oversight (which is typically described as a “check-the-boxes exercise”) and not enough on the future. While I agree that boards need to allow enough time for robust discussions of strategy, that doesn’t mean that the responsibility for oversight can be ignored.

Overseeing corporate compliance may not be a topic that garners much attention, but it remains a key governance responsibility. Savvy Directors need to understand what it means to exercise oversight of compliance, and how to do so effectively in the face of a constantly evolving regulatory environment.

Oversight of compliance is what DirectorPrep calls a “nuts-and-bolts” governance topic – it’s not exciting, but directors can’t afford to ignore it.

 

What Is Oversight Anyway?

Oversight is a critical governance function performed by the board of directors. The word refers to the actions the board takes to review and monitor the organization and its policies, plans, programs, and projects. In their oversight role, board directors monitor the organization from above, but refrain from getting involved in day-to-day management.

Think of the breadth of oversight as a safety net meant to ensure that:

  • Expected results are achieved.
  • Value for money is obtained.
  • Policies, laws, regulations, and ethical standards are complied with.
  • Assets are safeguarded.
  • Key risks are identified, monitored, and mitigated.
  • Due diligence is performed before key decisions are made.
  • Policies and strategies are implemented as intended.
  • Business processes and systems work well.
  • Areas of concern are dealt with.
  • Continuous improvement takes place.

That’s a lot of oversight. Maybe that explains why boards spend so much time on the oversight function, even if it’s not the most engaging part of the job.

In today’s blog, we’re zeroing in on one specific aspect of oversight – compliance. The board of directors plays a critical role in ensuring compliance. It’s the board’s job to ensure the organization conforms to all relevant laws, regulations, standards, and policies. With that in mind, it’s critical that directors understand their responsibilities with respect to compliance.

 

First, a Caveat

All companies are subject to various types of regulatory and statutory requirements, whether they’re publicly traded or privately held, for-profit or non-profit. The requirements vary by jurisdiction – where the company is domiciled, and where and how it conducts business.

The requirements also vary by industry. Some sectors – such as financial institutions, healthcare and pharmaceutical companies, and extraction industries – are highly regulated, others not so much. But even less regulated industries are subject to a plethora of laws, regulations, and standards that range from licensing requirements to employment standards, from health and safety to taxation, from privacy to human rights, and so on.

These regulatory frameworks change constantly. As a company expands into new markets or acquires new businesses, it may become subject to unfamiliar regulatory schemes.  

All of that means The Savvy Director won’t even try to address the specifics of any particular laws or regulations. Besides, at DirectorPrep we’re not legal experts and don’t want to be construed as offering legal advice.

Suffice it to say – when in doubt, seek legal advice in your own jurisdiction.

 

The Board’s Fiduciary Duty

One of the board’s fiduciary duties is oversight of the organization’s compliance with all relevant laws and regulations. This means that directors are obliged to conduct inquiries to confirm that the organization’s systems are reasonably designed to detect and prevent compliance failures. This obligation includes:

  • establishing that management has an effective corporate compliance program in place.
  • exercising oversight of the program.
  • staying informed as to the program’s content and operation.
  • being aware of new regulations and changes to existing regulations.

Directors must ensure that adequate internal controls are established and functioning properly. Doing their job right helps protect the board, the organization, and its stakeholders, safeguards reputations, and reduces the risk of noncompliance penalties.

Noncompliance can cause severe disruptions in a company’s business activities, create material costs in terms of investigations and penalties, damage a company’s reputation, impact relationships with stakeholders, and depress employee morale. A breach of fiduciary duty can also result in litigation, and in some cases may even subject board members to personal liability.

When evidence of noncompliance arises, boards must decide whether to launch an internal investigation, whether it must be reported to a regulatory agency or law enforcement, and whether it should be communicated to stakeholders. Being prepared in advance for this eventuality can result in a quicker and more effective response, which in turn can favorably influence the severity of any penalties as well as reduce the damage to the organization’s reputation and relationships.

 

The Board’s Role in Compliance

Regulators, stakeholders, and courts don’t expect the board’s oversight of compliance to be infallible. Instead, the focus is on whether the content and operation of management’s compliance programs, and the board’s oversight of those programs, are reasonable. Compliance oversight is not a “set it and forget it” matter. The topic doesn’t have to be addressed at every meeting, but the board needs to remain vigilant and revisit the topic reasonably often.

The board can engage outside advisors to assist in monitoring compliance risks, assess whether existing practices are appropriate, and recommend how they might be enhanced.

Board oversight includes assessing the following:

  • Adequacy of resources devoted to compliance.
  • Scope of the compliance assessment process.
  • Effectiveness of internal controls.
  • Reliability of verification activities.
  • Whether the compliance program is scalable and sustainable.
  • Whether compliance activities evolve as needed.
  • Whether executive compensation is aligned with compliance.
  • Whether the leadership team responds appropriately to compliance failures.

Perhaps most importantly, the board of directors sets the tone at the top. Having an active and involved board helps create a culture of integrity, where transparency and accountability are encouraged throughout the organization.

 

A Reasonable Approach to Compliance Oversight

How can the board ensure that compliance risks are mitigated and corrective steps taken when failures occur?

At this point, you’re probably wondering just how the board can maintain a proper pulse on the organization’s compliance programs. Or whether a compliance program even exists. Smaller, less-regulated organizations may not have anything resembling a “program” at all. Instead, compliance-related activities might be scattered around the organization. Internal audit often plays an important role.

The articles listed in the Resources section offer some practical suggestions for your board to consider:

  • Ask management to provide a checklist of the laws, regulations, standards, policies, licenses, certifications, and accreditations to which the organization is subject, along with who’s responsible for each.
  • At least annually, obtain a report from management that confirms compliance with relevant laws and regulations.
  • Assess the structure and resources of the compliance function, including internal audit.
  • Consider whether responsibility for compliance oversight should be delegated to one or more board committees.
  • Assess whether the board has the required expertise. If not, recruit a knowledgeable director or retain a qualified external advisor.
  • Arrange for educational sessions to help directors understand the regulatory environment that your organization operates in.
  • Review and approve the code of conduct and other compliance- and ethics-related policies.
  • Plan a mitigation strategy for compliance breaches.
  • Consider whether the organization needs a Chief Compliance Officer (CCO), and if so, what the role would entail and who might fill the job.
  • Protect the autonomy and independence of the compliance function through regular in camera sessions for the board (or board committee) and the CCO, head of internal audit, or others responsible for compliance.
  • Periodically review and assess the organization's ethics and compliance training efforts.
  • Assess mechanisms for receiving compliance-related complaints and for investigating and remediating alleged misconduct, including the whistleblower program if there is one.
  • Address significant compliance issues that present risks to the organization. Retain independent counsel when necessary.
  • Consider having an independent third party conduct a compliance audit.

 

Questions for Savvy Directors

The best way for directors to fulfill their oversight duties is with “tough questions”. Here are a few questions for your board, the management team, and those responsible for compliance in your organization.

  • Does our board culture support the values of compliance, or do we treat it as just another check-the-box item?
  • Does management demonstrate the right “tone at the top” where compliance is concerned?
  • Do we have a comprehensive and modern code of conduct?
  • Do we have the necessary policies, procedures, and internal controls surrounding compliance?
  • Does our compliance program satisfy legal and regulatory requirements?
  • How do we keep the program current in the face of constantly evolving requirements?
  • How do we monitor the effectiveness of our compliance programs?
  • How do we ascertain that the compliance program is consistently enforced?
  • How do we ensure that our compliance efforts are appropriately prioritized and focused?
  • Who in the organization is responsible for monitoring and enforcing compliance?
  • Are our compliance functions adequately resourced?
  • How do we ensure that those in charge of compliance have unfettered access to the board?
  • How can employees raise ethical concerns?
  • How do we publicize our compliance program so that employees are aware of it?
  • How are we driving compliance with suppliers and vendors?

 

Your takeaways:

  • Oversight refers to the actions the board takes to review and monitor the organization and its policies, plans, programs, and projects.
  • In their oversight role, board directors monitor the organization from above, but refrain from getting involved in day-to-day management.
  • One of the board’s fiduciary duties is oversight of compliance with all relevant laws and regulations.
  • Don’t expect the board’s oversight of compliance to be infallible. Instead, focus on whether management’s compliance programs, and the board’s oversight of those programs, are reasonable in the circumstances.
  • The board of directors and the senior management team set the tone at the top.
  • The best way for an individual director to determine whether the compliance program is reasonable is to ask tough questions.

 

Resources:

 

Thank you.

Scott

Scott Baldwin is a certified corporate director (ICD.D) and co-founder of DirectorPrep.com – an online membership with practical tools for board directors who choose a growth mindset.

 
