It’s long been axiomatic that an effective compliance program cannot exist without a strong ethics and compliance culture, which in turn requires the proper “tone from the top.” Yet, when most companies think “top,” they think C-suite. After all, tone starts with the CEO, right? And the C-suite is where you find many CCOs, or the executive to whom the CCO directly reports. Also, that’s where decisions are made about staffing the compliance function, allocating funds to implement the program and the host of other operational matters that determine whether the program is robust, minimalistic or non-existent. Often overlooked, however, is the crucial role of the board of directors.
Most directors have a general understanding that their fiduciary duties include compliance oversight. After all, it’s been more than 20 years since the Delaware Court of Chancery held in its famous Caremark decision that directors could, in certain circumstances, be determined to have breached their fiduciary duty and, therefore, be liable for company losses due to compliance program failures. Later, the Delaware Supreme Court in Stone v. Ritter held that a director’s failure to implement and oversee aspects of a compliance program could constitute an unindemnifiable breach of the duty of loyalty.
But how well do boards really understand their compliance program obligations? And to what extent do many boards devote time and effort to ensuring that their performance would pass muster under the microscope of hindsight when (not if) a compliance breach occurs? Is it enough for them to know that someone in the company has been given the title of CCO? Is it enough to allocate 30 minutes each year to listening to a compliance report from the CCO? How about 15 minutes per quarter? If asked, could each director describe how the company’s compliance program is structured and how it operates? Could they provide convincing assurances to a third party that it operates effectively?
The U.S. Sentencing Guidelines were promulgated by the U.S. Sentencing Commission in 1991 so that sanctions imposed on entities and individuals “will provide just punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct.” While there are many important reasons to establish and maintain an effective compliance program beyond simply seeking to minimize criminal penalties, the Sentencing Guidelines are a key consideration in that effort. It is interesting, therefore, to note that Chapter 8 of the Sentencing Guidelines Manual states in plain English that:
“The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”
Admittedly, words like “knowledgeable,” “reasonable” and “oversight” provide some interpretive wiggle room. Nevertheless, the scope of this language is not the kind of thing you want to be arguing about with a government investigator (or a plaintiff’s attorney, in other contexts) following a compliance breach, particularly with the current emphasis on risk management and compliance. Much better would be to have a robust compliance program in which the board clearly has been, and remains, actively involved so that questions of duty of care and loyalty are never seriously at issue.
With compliance working its way toward the top of things that keep general counsels and other executives awake at night, one wonders to what extent directors should likewise be pondering whether they are truly fulfilling their fiduciary duty to oversee the activities necessary for ensuring proper compliance. Put another way, would your directors be highly confident that they can pass the standard articulated, for example, by the Sentencing Guidelines? Would you be reluctant to ask them?
All the best,