By Thomas R. Fox and Ryan Morgan
The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of the New York Times (NYT) for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart on Sunday, April 22, 2012, when on the front page of the Sunday Times, in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, the Times alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations. These allegations, if true, would have violated the US Foreign Corrupt Practices Act (FCPA) which prohibits US companies from engaging in bribery and corruption of foreign governmental officials, to obtain or retain any business benefit.
Although the FCPA was enacted in 1977, it was rarely enforced. This changed beginning in 2004, though the reasons are not entirely clear as to why there has been such an increase in enforcement. The below chart tracks the number of corporate and individual enforcement actions since 2002.
1. Legal Standard
What are the obligations of a Board member regarding the FCPA? Are the obligations of the Audit Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? “Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program.” The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?
As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of Stone v. Ritter holds for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, there is the principle that directors should follow the best practices in the area of ethics and compliance.
Unfortunately, many companies either do not have the incentive to spend the resources or take the rigorous approach to their anti-compliance programs. Albert Vondra, a partner with PricewaterhouseCoopers, has said that their attitude is “‘We’ve got it covered,’ but they don’t”. There must be written records demonstrating that the audit committee and that the board members asked questions and received answers regarding FCPA compliance issues. Such documentation demonstrates the Board members have “fulfilled their fiduciary obligations,” Cassin, author of the FCPA Blog, has written.
Board failure to heed this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath Swaine & Moore, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”.
2. When Things Get Bad
While generally the role of a Board should be to keep really bad things from happening to a Company, once really bad things have occurred the Board needs to take charge and lead the effort to rectify the situation or perhaps even save the company. While giving oversight to risk management through an Audit Committee or a Compliance Committee is a good first step, such a committee needs to have sufficient independence from the management which got the company into such hot water to begin with. For instance, regarding the News Corp internal investigation, a Wall Street Journal (WSJ) report quoted corporate governance expert Neil Minow for the following, “The probe cannot be conducted effectively while Mr. Murdoch is in charge.”
In a recent White Paper entitled “Risk Intelligence Governance – A Practical Guide for Boards” the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:
• Define the Board’s Role – There must be a mutual understanding between the Board, Chief Executive Officer (CEO) and senior management of the Board’s responsibilities.
• Foster a culture of risk management – All stakeholders should understand the risks involved and manage such risks accordingly.
• Incorporate risk management directly into a strategy – Oversee the design and implementation of risk evaluation and analysis.
• Help define the company’s appetite for risk – All stakeholders need to understand the company’s appetite, or lack thereof, for risk.
• How to execute the risk management process – The risk management process must maintain an approach that is continually monitored and had continuing accountability.
• How to benchmark and evaluate the process – Systems need to be installed which allow for evaluation and modifying the risk management process as more information becomes available or facts or assumptions change.
All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially, it must be important that the Board receives direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer (CCO) to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as an Audit Committee may more appropriate to deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information “…the Board can give oversight to any modifications to managing FCPA risk that should be implemented.”
There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.
3. Four Areas of Inquiry
In an article in the December 2011 issue of Compliance Week Magazine, entitled “Board Checklist: What Every Director Should Know”, author Jaclyn Jaeger reported on a panel discussion at the Association of Corporate Counsel’s 2011 Annual Meeting. The discussion was centered on four core areas upon which Directors should focus their attention: (1) structure, (2) culture, (3) areas of risk and (4) forecasts. The article focuses on each of these areas together with some questions proposed by panel participant Amy Hutchens, General Counsel and Vice President of Compliance and Ethics at Watermark Risk Management International, which she suggested a Board should ask of the company’s CCO or General Counsel (GC).
A. Structure Questions
This area consists of questions which will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program through to how the program operates in action. Hutchens believes that such inquiries should allow each Board member to communicate the main elements of a compliance program. With those concepts in mind, Hutchens suggests that Board members ask some of the following structure questions.
• Who oversees the operation of the program?
• What is in the Code of Conduct? Is each Board member aware of corporate standards and procedures?
• How are complaints being received?
• Who conducts investigations and acts on the results?
• What corporate resources are being devoted to the compliance and ethics program?
• How much money is allocated to the program?
• What types of training is required? How effective is it?
• Have any compliance failures been detected? If so, how was such detection made?
• If a company’s compliance program is less mature, what are the charter compliance documents?
• If a company’s compliance program is more mature, there should be queries regarding the roles of the General Counsel vs. a Chief Compliance Officer. If a CCO is required, where would such person sit in the organization and what is the CCO reporting structure?
B. Culture Questions
This area of inquiry should focus on the culture of the organization regarding compliance. “Board members should have an understanding of what message is being communicated not only from senior management but also middle management.” “…Equally important, the Board needs to understand what message is being heard at the lowest levels within the company.” Hutchens suggests that Board members ask some of the following culture questions.
• When did the company last conduct a survey to measure the corporate culture of compliance?
• Is it time for the company to resurvey to measure the corporate culture of compliance?
• If a survey is performed, what are the results? Have any deficiencies been demonstrated? If so, what is the action plan going forward to remedy such deficiencies?
• Did any compliance investigations arise from a cultural problem?
• Regardless of any survey results, what can be done to improve the culture of compliance within the company?
• If there were any acquisitions, were they analyzed from a compliance culture perspective?
• Are there any M&A deals on the horizon, have they been reviewed from the compliance perspective?
C. Areas of Risk
Here Hutchens recommends that Board members “need to know what process is being used to identify emerging risks.” Such risk analysis would be broader than simply a legal/compliance risk assessment and should be tied to other matters, such as “business continuity planning and crisis response plans”.
Another panel participant Jennifer MacDougal, Senior Counsel and Assistance Secretary of Jack-in-the-Box, noted that “the board of directors need to use their expertise and ask the right questions”. Hutchens suggested that in the areas of risk, questions which a Board should ask are some of the following.
• What is the risk assessment process?
• How effective is this risk assessment process? Is it stale?
• Who is involved in the risk assessment process?
• Does the risk assessment process take into account any new legal or compliance best practices developments?
• Are there any new operations that pose substantial compliance risks for the company?
• Is the company tracking enforcement trends? Are any competitors facing enforcement actions?
• Has the company moved into any new markets which impose new or additional compliance risks?
•Has the company developed any new product or service lines which change the company’s risk profile?
D. Forecast
Hutchens believes that “a truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow.” My colleague Stephen Martin suggests that such knowledge is encapsulated in a 1-3-5 year compliance game plan. However, a compliance program should be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.” Hutchens believes that such agility is best accomplished by obtaining buy-in from the Board through it understanding the role of forecasting the compliance program going forward.
The four-part approach suggested by Hutchens lays out a clear and logical program for a Board of Directors not only to understand its role in the compliance function but to play an active role. Any best practices compliance program has several moving parts, a CCO to lead the compliance program, a Compliance Department to execute the strategy and an engaged Board of Directors who oversee and participate. We applaud Hutchens approach and commend it for use by a company’s Board of Directors.
IV. Twenty Questions
What are some of the questions that the Board of Directors should be asking? We posit that a large public company should have Compliance Sub-Committee of Board members. We list 20 questions below which reflect the oversight role of directors which includes asking senior management and themselves. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper, as necessary.
The comments summarize current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.
Part A: Understanding the Role and Value of the Compliance Committee
1. What are the Compliance Committee’s responsibilities and what value does it bring to the board?
2. How can the Compliance Committee help the board enhance its relationship with management?
3. What is the role of the Compliance Committee?
Part B: Building an Effective Compliance Committee
4. What skill sets does the Compliance Committee require?
5. Who should sit on the Compliance Committee?
6. Who should chair the Compliance Committee?
Part C: Directed to the Board
7. What is the Compliance Committee’s role in building an effective compliance program within the company?
8. How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?
9. How long should directors serve on the Compliance Committee?
10. How can the Compliance Committee assist directors in retiring from the board?
Part D: Enhancing the Board’s Performance Effectiveness
11. How can the Compliance Committee assist in director development?
12. How can the Compliance Committee help the board chair sharpen the board’s overall performance focus?
13. What is the Compliance Committee’s role in board evaluation and feedback?
14. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?
15. Should the Compliance Committee have a role in chair succession?
16. How can the Compliance Committee help the board keep its mandates, policies and practices up-to-date?
Part E: Merging Roles of the Compliance Committees
17. How can the Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?
18. What is the Compliance Committee’s role in CCO succession?
19. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?
20. How can the Compliance Committee help the board in deciding CCO pay and bonus?
“The Wal-Mart case has driven home the need for focused Board of Directors oversight of a company’s compliance program.” With fines and penalties reaching into the $100 million range a company simply cannot afford to be without a best practices compliance program. However, having such a program in place is clearly not enough. There must be senior level management commitment to the company’s compliance program. One of the key drivers of this senior level management is Board oversight. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. If the Wal-Mart Board had fulfilled its legal obligations regarding compliance, the company might not have found itself on the front page of the New York Times.
About the Authors
Thomas R. Fox, General Counsel/Chief Compliance Officer. Thomas is a client-focused, innovative attorney, with expertise in contracts, corporate law, international law, compliance, and small business affairs for major Fortune 500 corporations, such as Halliburton, Smith and Wesson, Exxon, Tesoro, and Texaco, as well as small and solo business owners. Thomas built an international reputation as the “Nuts and Bolts” compliance expert. He is a resourceful negotiator, with high integrity and good judgment who can provide direction and credible legal expertise. (tfox@tfoxlaw.com; www.tfoxlaw.com; tel: +1 832.744.0264)
Ryan Morgan, AML/CA, CCEP – Anti Corruption Specialist. Ryan is the Anti-Corruption Specialist for WorldCompliance, offering his clients insight on risk evaluation, implementing effective due diligence policies, as well as best practices in protecting their company’s reputation. In this position, Ryan works with some of the world’s largest financial institutions, Fortune 500 companies, and governments to develop effective FCPA policies and procedures and help battle corruption and money laundering around the globe. (ryanm@worldcompliance.com; tel: +1 305.815.0809)
About WorldCompliance
WorldCompliance has created World-NEO to provide companies the ability to vet their third party vendors, suppliers, distributors and agents; directing them to register and complete a questionnaire with the NEO Network, a web-based portal. World-NEO automatically assigns a risk score to every agent and distributor, performing initial and on-going due diligence.
Suppliers who register are provided a risk score that determines whether they represent a risk to your organization. Their score is proof that they are compliant with the FCPA and UK Bribery Act.
To learn more go to www.worldcompliance.com