By Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE, NACD Board Fellow
Establishing and supporting a corporate compliance and ethics program is widely recognized as one of the fundamental responsibilities of a corporate board of directors. But merely seeing that there is a compliance program in place is by no means an adequate effort. The Board must also actively oversee that function.
Active oversight is essential if a company’s business plan includes strategies, practices, or other elements that could be considered high-risk. Such situations call for even more involvement and active engagement by the Board.
To put it another way, board members have an affirmative duty to ask tough questions, be skeptical, and independently assess the answers they are given. Serving as a director on a board requires professionalism, which includes applying the right amount of skepticism – trust can often be a professional hazard, so verify. This approach applies not only to the compliance function in general but also to the specifics of the compliance program.
In addition to evaluating the company’s compliance strategy’s overall sufficiency, board members must also see that the strategy is fully and competently executed. Finally, the Board must also ensure that the strategy and implementation are ultimately effective and successful.
Regulatory and Legal Perspectives
Active board involvement in overseeing compliance is more than a best-practice standard – it is also a critical regulatory expectation. A Board’s failure to exercise active oversight could lead directly to a U.S. Foreign Corrupt Practices Act (FCPA) violation. It could even form the basis of an independent Sarbanes-Oxley Act (SOX) violation. In a series of rule-making pronouncements, the U.S. Securities and Exchange Commission (SEC), the Department of Justice (DOJ), and other regulatory bodies have made it clear that they expect boards to take an active role in overseeing the management of risk within their companies.
For example, in November 2012, the DOJ’s Criminal Division staff and the SEC’s Enforcement Division staff jointly published A Resource Guide to the FCPA to guide businesses and individuals regarding FCPA compliance. In describing the characteristics of an effective compliance program, the authors unequivocally declare, “Compliance begins with the board of directors,” later adding that “compliance with the FCPA and ethical rules must start at the top.”
Several years later, the DOJ offered more specific comments on directors’ obligations in its 2019 guidance, Evaluation of Corporate Compliance Programs (updated in June 2020). This guidance directed federal prosecutors to evaluate the effectiveness of board oversight by posing the following questions:
- What compliance expertise has been available on the Board of directors?
- Have the Board of directors and/or external auditors held executive or private sessions with the compliance and control functions?
- What types of information have the Board of directors and senior management examined in their exercise of oversight in the area in which misconduct occurred?
By digging deeper into these questions, we can begin to see how federal regulators envision the Board’s role and requirements regarding compliance. For example, when considering the first of the three questions, the guidance clearly suggests that an effective board should arrange to have a compliance subject matter expert as a member, most likely as chair of the compliance committee or to sit on the audit committee. It also would suggest that the Board include a former chief compliance officer (CCO) or another person with significant comparable experience in the nuts and bolts of compliance.
In short, there should be someone on the Board who can cut through the numbers that are presented and ask tough, probing questions of the CCO. If no such person is sitting as a board member, the Board should have access to a subject matter expert who is separate and apart from the company’s expert resources to assist in the compliance function. Such an expert would be a resource to the audit committee or other board subgroup or subcommittee. It should report only to the Board so that there is no conflict of interest with any other corporate function.
The second of the three questions probes whether the Board provides executive session access to the CCO. This is necessary so that the Board receives compliance information in an unfiltered manner, regardless of to whom the CCO reports on the organization chart, such as a general counsel or CEO. The DOJ recognizes that without unfettered board access, the CCO could easily be cut off or shut down by a CEO by merely minimizing their face time in front of the Board. To fulfill its oversight obligations and ensure that it receives timely and accurate information, the Board must provide the CCO with regular, unfettered access without fear of repercussion.
The third question posed in the DOJ guidance addresses the Board’s obligation to actively participate in the compliance function. One might view this as the flip side of the CCO access because this inquiry focuses on the Board’s affirmative examination of the compliance program.
The fundamental questions a prosecutor would ask in this area are: 1) “Is the corporation’s compliance program well designed?” 2) “Is the program being implemented earnestly and in good faith as intended?” and 3) “Does the corporation’s compliance program work in practice?” If a prosecutor would be asking these questions during the course of an investigation, then any responsible board member should be asking those same questions of the CCO and management to preempt the need for an investigation in the first place.
Beyond their fiduciary obligations, board members’ compliance oversight responsibilities are also a matter of legal concern – including potential criminal sanctions. Under the FCPA and other criminal statutes, a director may be personally fined and jailed for a violation.
For example, the DOJ’s Justice Manual, the official guidance that is provided to U.S. Attorneys, notes that “the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal misconduct undertaken by its officers, directors, employees, or agents.” The manual instructs prosecutors to ask and answer several pertinent questions when considering whether to file criminal actions against a business organization. These questions are designed to determine whether the corporation’s directors exercise genuinely independent review of the company’s compliance program and whether the directors are provided with timely and accurate information sufficient to enable the exercise of independent judgment.
Furthermore, under federal sentencing guidelines, to receive credit for having an effective compliance program and thereby reduce the fines imposed on the organization, a board of directors must be “knowledgeable about the content and operation of the compliance and ethics program,” and must “exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”
It is worth noting that foreign regulators and prosecutors generally take similar positions. For example, in the United Kingdom, it is considered best practice for a board to “provide active oversight of the implementation of the anti-bribery policy and programme.” A leading compliance organization’s flagship guidance on compliance with the U.K. Bribery Act also says board members should “inform themselves of the risks and appropriate policies and procedures required,” because the “board is accountable to shareholders and other stakeholders on how well the company is meeting its commitments to doing business ethically (including being free from bribery).”
In the past 25 years, boards’ roles and responsibilities in the areas of compliance and corporate ethics have drawn increasing scrutiny. This is due in no small measure to several important rulings by the Delaware Court of Chancery and the Delaware Supreme Court. Because of the thousands of corporations and other business entities domiciled in the state, Delaware courts are widely recognized as pre-eminent forums for determining disputes involving businesses’ internal affairs.
One of the most significant cases involving board oversight responsibilities was decided by the Chancery Court in 1996.
The landmark decision In re Caremark International Inc., 698 A.2d 959 (Del. Ch. 1996), involved a lawsuit brought by shareholders of Caremark International, who alleged that its directors breached their duty of care by failing to put in place adequate internal control systems. The Chancery Court’s decision clarified boards’ duties regarding oversight activities and outlined what plaintiffs must prove when claiming that directors breached their duties.
The court said that to prosecute a claim against a Board successfully, shareholders must prove three things:
- The directors either knew or should have known that violations of the law were occurring;
- The directors took no steps in good faith to prevent or remedy that situation; and
- The Board’s failure to act resulted in the losses alleged in the complaint.
While it provided clarity and direction for all concerned in such cases, the Caremark decision built a relatively high wall for plaintiffs to scale in asserting a board’s failure to comply with duty of care and loyalty standards. A more recent decision, Marchand v. Barnhill, No. 533, 2018 (Del. June 18, 2019), provides some guidance into how plaintiffs might scale that wall.
In this closely watched case, the Delaware Supreme Court’s opinion also provided additional guidance to directors on the proper role of the Board in overseeing risk management and compliance programs. Given this, it can also help guide the minimum best practices a board should consider.
For example, the 1996 Caremark ruling had limited directors’ liability for an oversight failure to instances in which plaintiffs could show an “utter failure to attempt to assure a reasonable information and reporting system exists.” On the other hand, the 2019 Marchand ruling said that to “satisfy their duty of loyalty,” “directors must make a good faith effort to implement an oversight system and then monitor it” themselves. In other words, the Marchand court said the mere existence of management-level compliance programs is not enough for directors to avoid Caremark exposure.
The Marchand case involved the directors and officers of Blue Bell Creameries, a company that manufactured and distributed ice cream, sherbet, and other frozen snacks to supermarkets and food stores. In April 2015, Blue Bell voluntarily recalled all of its products and shut down production operations at all of its facilities after the Centers for Disease Control and Prevention, the U.S. Food and Drug Administration, and several state health agencies found evidence that linked the company’s products to an outbreak of listeria that resulted in the reported deaths of three people.
In addition to substantial fines for poor safety policies and practices, the company suffered serious financial losses from the operational shutdown, which eventually forced it to accept a dilutive private equity investment. The plaintiffs in the case alleged that Blue Bell’s CEO and vice president of operations breached their duties of care and loyalty by knowingly disregarding contamination risks and failing to oversee the safety of Blue Bell’s food-making operations. Moreover, they also claimed that the company’s directors breached their duty of loyalty under Caremark.
The Delaware Supreme Court decided in the plaintiffs’ favor, citing a lack of Board oversight over food safety issues and the absence of protocols by which the Board expected to be advised of developments in this obvious area of industry-specific risk. In particular, the court said it was concerned that when “yellow and red flags about food safety were presented to management, there was no equivalent reporting to the board and the board was not presented with any material information about food safety” during the critical period leading up to the three deaths.
In the court’s view, these circumstances created “a reasonable inference that the directors consciously failed to attempt to assure a reasonable information and reporting system exist(ed),” which was sufficient to satisfy the high Caremark standard for establishing that the Board breached its duty of loyalty by failing to make a good faith effort to oversee a material risk area.
The settlement of the shareholder action amounted to $60MM, along with $9MM of attorneys’ fees, which is a costly monetary lesson and one that negatively impacted Blue Bell’s reputation.
“A reputation is more valuable than money.” – Publilius Syrus, 1st Century BC
Is there anything that really needs to be said here?
Guidance for Directors
While the Blue Bell case dealt with board oversight of compliance issues specific to food safety, the court’s decision is widely regarded as a warning “shot across the bow” that applies to other areas of compliance as well, potentially including ethics, financial reporting, and investor relations issues. Boards should take care that their risk oversight processes meet or exceed fiduciary standards and consider the unique regulatory demands of their particular industry.
To this end, the specific deficiencies that the court found at Blue Bell can serve as a helpful guide to the minimum best practices a board should consider. At a high level, such best practices would include:
- Dedicating a committee to oversee a company’s main compliance risks.
- Establishing protocols that require management to keep the Board apprised of compliance practices, risks, and reports.
- Setting a schedule to assess the company’s main compliance risks regularly.
- Formulating procedures for communicating red or yellow flags to the Board and memorializing the associated discussions in board minutes.
- Arranging for and documenting regular discussions of compliance risks at board meetings.
To implement and expand on these basic principles, board members should pursue a structured and methodical process that encompasses, at a minimum, the following steps:
- Review public filings. Given that the risk factors listed in a public company’s Form 10-K generally represent the core areas of concern, directors should review their company’s recent public filings and evaluate whether the company has adequate board-level oversight mechanisms in place to address relevant risk factors.
- Upgrade monitoring and reporting systems. There needs to be a board-level compliance system directed at the company’s core compliance risks – that is, the threats posed to an organization’s financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice. The compliance system must be implemented in good faith, governed by appropriate procedures, and tailored to the company’s business. Many organizations probably need to improve their risk assessment process to incorporate compliance risk exposure fully.
- Go beyond mere listings of risks. Boards should never truncate the oversight process by merely listing the company’s risks from time to time and doing nothing else. Such practices fall short of effective oversight. Instead, boards need to align their oversight with the company’s most significant risks in view of its strategy and business model and then prioritize the most critical risks and focus on them.
- Allow time on the board agenda for risk oversight. Risk management issues should be discussed regularly at board meetings. Directors should ask questions to satisfy themselves that mission-critical compliance matters are escalated to their attention in a timely manner.
- Establish and enforce risk escalation and monitoring protocols. Executives responsible for managing risk should be positioned to succeed with policies, processes, reporting, and systems appropriate to the industry.
- Pay attention to company culture. Organizational culture and performance incentives were highlighted in the case against Blue Bell because it seemed inexplicable to stakeholders that management did not inform the Board of the matters in question. Setting specific and clear expectations of management and mission-critical risk owners can help develop a culture of trust and open, timely communication.
- Delineate full board and standing committee roles. When delegating responsibilities to its committees, the full Board should ensure the appropriate committee covers the key risks—whether it currently exists or has to be created and newly chartered—and that information flows are sufficient to apprise the full Board.
- Maintain minutes concerning critical risk matters. The Marchand court found it particularly troubling that minutes from Blue Bell’s board meetings were “bereft of reports on the listeria issues” and “revealed no evidence that these were disclosed to the board.” The court also questioned why the Board left the company’s response to the listeria outbreak to management instead of holding frequent emergency board meetings.
There are significant legal, regulatory, and risk management reasons for board members to become more actively involved in overseeing operations and understanding the compliance risks confronting their companies. This means that, beyond oversight alone, from time to time directors must take a deeper dive into specific risk management program components to test the design, implementation, and overall effectiveness of their companies’ compliance efforts.
Lastly, being an active Board member requires ongoing and appropriate training, which is often overlooked – board members simply don’t know what they don’t know. Training helps ensure that Board members are current on leading board practices and understand emerging issues, which can enhance overall board member decision-making by helping calibrate a board member’s degree of skepticism when evaluating the reasonableness of the answers received to the questions asked. No one is too smart for training!
I welcome your thoughts and comments.
Jonathan T. Marks, CPA, CFF, CFE, PI
Notes
1. A Resource Guide to the FCPA, U.S. Department of Justice Criminal Division and Securities and Exchange Commission Enforcement Division, Nov. 14, 2012, https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf, p. 57
2. Evaluation of Corporate Compliance Programs, U.S. Department of Justice Criminal Division (June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download, pp. 10-11
3. Principles of Federal Prosecution of Business Organizations, Title 9-28.800, Corporate Compliance Programs, July 2019, https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations
4. United States Sentencing Commission Guidelines, Annotated 2018, §8B2.1, Effective Compliance and Ethics Program, https://www.ussc.gov/guidelines/2018-guidelines-manual/annotated-2018-chapter-8#NaN
5. Global Anti-Bribery Guidance, Governance Best Practice Guidelines, Transparency International UK online publication, https://www.antibriberyguidance.org/guidance/2-governance/best-practice#body
6. In re Caremark International Inc., 698 A.2d 959 (Del. Ch. 1996), Section III. Analysis of Third Amended Complaint and Settlement, https://law.justia.com/cases/delaware/court-of-chancery/1996/13670-3.html
7. Marchand v. Barnhill, No. 533, 2018 (Del. June 18, 2019), https://courts.delaware.gov/Opinions/Download.aspx?id=291200, p. 30
8. Ibid., p. 32
9. Ibid., p. 12
10. Board Member Composition: Participants, Passengers, and Prisoners?, Jonathan T. Marks, BoardandFraud.com, https://boardandfraud.com/2018/11/02/board-member-composition-are-you-a-participant-passenger-or-prisoner/