Why board directors need compliance reporting, and how CCOs can deliver it

The position of chief compliance officer has moved well beyond its part-time, "side-job" image. As laws regulating corporate conduct become stricter and more complex, as penalties for non-compliance grow more costly, and as ethics expectations from shareholders and the public rise, the role of compliance chief has acquired an importance and level of autonomy in regulated firms that many never envisioned. 

The unique skills of compliance chiefs, and their unique perspective on a firm's compliance strengths and weaknesses, make it vital that they be given an independent voice in the boardroom, which is itself under greater scrutiny from regulators. An independent CCO provides a comprehensive view of the firm's ability to meet its regulatory demands as the business evolves, and ensures that processes and safeguards are functioning as they should.

Typically, directors are protected by the business judgment rule, a case-law derived principle that says well-informed decisions of directors, taken after due consideration and in good faith, will not be second-guessed by a court merely because the decisions turned out to be wrong.

With that said, regulators and others have recently pointed out the failings of executive and non-executive board members, typically in instances in which these persons failed to act despite knowing of highly risky business practices.

Last year, a prominent proxy advisory firm urged the ouster of most of the Target Corporation directors because of the perceived “failure…to ensure appropriate management of [the] risks” as to Target’s December 2013 cyber-attack. 

On October 23, in a suit filed by Bio-Rad Lab’s former general counsel, a U.S. district court held that corporate directors may be held personally liable for failing to protect a whistleblower from illegal retaliation under both the Sarbanes-Oxley Act (SOX) and the Dodd-Frank Act.

A board's activities are determined by the duties and responsibilities delegated to it and are typically detailed in the organization's bylaws. The duties of boards of directors generally include overseeing corporate accounting and compliance issues at their firms, selecting and reviewing the performance of the CEO, and accounting to shareholders for the company’s performance.

Companies covered by SOX hire internal auditors to ensure that the company adheres to required standards of accounting and financial management. It is where those types of recordkeeping meet compliance policies and procedures (and the testing and updating of those policies) that boards can and should use the input of compliance professionals.

In short, directors should get regular compliance awareness training specific to the business's risks so they can monitor its overall profitability and any potential damaging impacts to it.

Fostering board awareness

There are several ways in which compliance professionals can supply this awareness without doing so in a cumbersome and overly time-consuming way, including regular reports, committee-specific briefings, and succinct feedback on the annual compliance program review.

Compliance training. Directors could use specialized training on the issues at the center of the firm's major compliance challenges. Even if they have compliance backgrounds -- and many likely do not -- they should have some understanding of the types of training their employees are receiving. 

If directors examined the key training courses in the areas of greatest risk to the firm and underwent at least some of the training the employees themselves receive, the directors could get a better understanding of the strength of the firm's compliance program.

Since nothing motivates people like the fear of being held personally liable, directors can be reminded that undergoing up-to-date compliance training (and documenting it) might help to show regulators how seriously they take their risk-monitoring duties.

Compliance reports. The compliance department should regularly, such as quarterly, send a concise report to the board or appropriate board committee that details the compliance issues it has resolved; whistleblower and other reports from employees that are being investigated; how the firm is meeting its evolving regulatory imperatives from monitoring its communications to taking all necessary cyber security protections; how it is choosing and overseeing its business suppliers; and any conflicts of interest that have been identified and resolved.

These reports enable the compliance team to make its case for how the compliance program is equipped to identify and prevent any damage from its business dealings, employees or business partners.

The objective is not to overwhelm the board, so the "how" is as important as the "what" to deliver here. More detailed reports are best given to the appropriate committee, such as the audit committee, and more general ones to the board as a whole. 

Both versions should be as succinct and easy to read as possible, with an invitation to ask the chief compliance officer any questions for greater detail.

The goal is to help the directors complete their main task: evaluating all of the material information that an investor would deem important in deciding whether to invest in the business.

Mock audit results. According to the 2016 budget of the Securities and Exchange Commission, only about one in seven firms will be examined each year by the agency. This does not mean they won’t walk through your firm's door, especially if they have never done so. 

An internal mock-SEC exam of the firm's policies, procedures and controls could be a useful exercise to prepare for the possibility of an exam, and is worth running twice a year. To maximize the lessons learned from such a fire drill, directors should be involved in how the testing will be played out, and informed of the results. The mock-SEC visit should include testing the back-up data center, the functionality of the whistleblower hotline, and a review of all communications, including social media.

The board’s compliance committee must be apprised of any and all testing of the compliance program and any other systems, and those spearheading the mock exercise must be ready to show well-documented evidence of the investigations and all action items stemming from it. 

If the CCO has not been able to meet with the board or a board committee, having the results of a recent mock exam as a point of discussion might help open doors, particularly if those results point to any possibility of needing to change the board’s risk appetite in any area.

Creating a culture of compliance. A recent report by the Group of 30 international financial leaders calling for the reform of banking culture is an important read for board directors across the financial sector.

The report notes that a corporate culture that highly regards compliance as a critical area of business and a value to be embraced has developed this ethos through action and by example. This culture is not gleaned from mere adherence to regulatory obligations and providing the bare minimum of disclosure and reporting needed to satisfy the regulators. 

Compliance officers must remind board directors that they can and should embody this ideal as leaders of the firm. 

Employees will pick up cues from such business leaders -- noticing how their company acts when it has discovered a possible violation of regulations and laws and how truly the firm invites and handles the disclosure of anonymous tips. 

The board's posture helps position the firm to prevent potential breaches before they occur by creating an environment that values taking the extra step to spot and mitigate risk and to test and further strengthen compliance policies and processes.

Each of these steps helps board members better appreciate the strengths and weaknesses of a firm's compliance program and how they can help fill in any gaps. These interactions with the board also help the compliance team build credibility and gain support for compliance initiatives, which are rarely inexpensive or easy.
 
Julie DiMauro is a regulatory intelligence and e-learning expert in the GRC division of Thomson Reuters Regulatory Intelligence. Follow Julie on Twitter @Julie_DiMauro. Email Julie at julie.dimauro@thomsonreuters.com