
434 episodes

31 Days to a More Effective Compliance Program Thomas Fox
Tom Fox is the Compliance Evangelist and is universally recognized as one of the top experts in corruption compliance, literally across the globe. In this daily podcast series, he explains how to design, create and implement a best practices compliance program. Each month, he tackles a different area of compliance. From Internal Controls, to the Role of the Board of Directors, to Communication, to the Role of HR in Compliance, Investigations, 3rd Parties and Business Ventures. Listen in each day and get one tip you can implement at little or no cost to enhance your compliance program.
-
The Board Compliance Committee
Under the U.S. Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: 1) Do the directors exercise independent review of a company’s compliance program? and 2) Are directors provided information sufficient to enable the exercise of independent judgment? Moreover, the FCPA Resource Guide, 2nd edition required a CCO to have direct access to the Board or an appropriate sub-committee and requires a tangible commitment from the top levels of an organization, starting with the Board of Directors, that the company creates an ethical culture.
This requirement was brought forward in 2017 in the FCPA Corporate Enforcement Policy. Finally, in the 2020 Update to the Evaluation of Corporate Compliance Programs, under the section entitled Oversight, it posed the following questions: What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?
Today’s regulatory climate and hyper-transparency in social media make a Board Compliance Committee’s task seem Herculean. But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Boards of Directors. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage. A Board Compliance Committee is a good place to start.
Three key takeaways:
The Board Compliance Committee exists to provide oversight and assist the CCO, not to substitute its judgment for that of the CCO.
The Board Compliance Committee should work to hold the CCO accountable to hit appropriate metrics.
The Board Compliance Committee is ideal for leading the efforts around strategic planning.
For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here.
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Prudent Discharge of Board Obligations
What are the obligations of a Board member regarding the FCPA? Are the obligations of the Compliance Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? In the case of Stone v. Ritter, the proposition is found that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists.” From the case of In re Walt Disney Company Derivative Litigation, she drew the principle that directors should follow the best practices in ethics and compliance. The Board has the role of monitoring the performance of the compliance function, including monitoring the performance of it using customary economic metrics and overseeing compliance with applicable laws and regulations.
While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling.
There is no reference to prudent discharge in the FCPA itself. However, a Board member might think more than twice about the prudent discharge of duties to the shareholders as both the DOJ and SEC now might wish to look into a Board’s prudent discharge of duties under the FCPA.
Three key takeaways:
What is prudent discharge?
What is your process for doing compliance at the Board level?
A Board must have active rather than passive engagement around compliance.
-
Legal Requirements of the Board Regarding Compliance
As to the specific role of best practices in general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc., 698 A.2d 959 (Del. S. Ct. 1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”
In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties concerning corporate compliance issues. Second, the Court found that no duty of good faith forms a basis for director liability, independent of the duties of care and loyalty. Rather, Stone v. Ritter 911 A.2d 362 (Del. S. Ct. 2006) holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.”
The Board has the role of monitoring the performance of the compliance function, including monitoring the performance of it using standard economic metrics and overseeing compliance with applicable laws and regulations. While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling. The Delaware Supreme Court has expanded this obligation in the cases of Marchand v. Barnhill (the “Blue Bell” case), Clovis Oncology, Hughes, and Boeing.
From the Delaware cases, a Board must have a corporate compliance program in place and actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, additional oversight should exist. In other words, there is an affirmative duty to ask tough questions. However, there has been a significant expansion of the Board’s Caremark obligation. Delaware courts will be much more scrutinizing of Caremark claims going forward. The evolution of decisions from Marchand to Boeing shows that a company must have robust compliance and risk management oversight but, more importantly, engage in oversight for the company’s signature risk(s). Boards must do so aggressively, not passively.
As Mike Volkov has noted, “At the bottom, the Chancery Court is raising the stakes on board member accountability.”
Three key takeaways:
The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
Boards must have compliance expertise and exercise it.
In a series of recent decisions, the Delaware courts are expanding the Caremark obligations, most recently.
-
Compliance training from the movies
If there is one truism from the practice of law which translates to the practice of compliance, it is that you are limited only by your imagination. Marc Havener, founder and CEO of Resonate Pictures, Inc., created a series of video shorts for a consulting company on compliance and ethics. Rather than the traditional legal approach of telling employees about the corporate policy on compliance, they wanted to tell a story about compliance through the art of movie-based storytelling that wove messaging into characters to tell a story.
I have urged compliance practitioners to bring more storytelling into their compliance messaging. If you put the employee in the shoes of the person they’re watching, they will remember it because they will see how it applies to their lives. Havener noted that the training experience would last “exponentially longer than if you just go over a written policy or show a PowerPoint.” He called it “expanding your classroom.” “The next time they see George Clooney, they’re going to remember the training, the next time they watch that movie that you showed a clip from, they’re going to be reminded of the training, and so it becomes a great drift method of training.”
Three key takeaways:
Storytelling is another form of communication.
Movie clips in compliance training can provide useful touchstones that employees can relate to for compliance lessons.
The Morgan Stanley declination gave credit for annual compliance reminders.
-
Measuring Compliance Training Effectiveness
Since at least 2017, the DOJ has emphasized the need to determine compliance training effectiveness. In the 2020 Update, it stated under the section entitled “Form/Content/Effectiveness of Training” the following questions: How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing? Has the company evaluated how much the training impacts employee behavior or operations?
The DOJ enshrined the importance of determining the effectiveness of your compliance program in its 2020 Evaluation. The 2020 Evaluation demonstrates that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still need help to determine. Both the simple guidelines suggested herein, the more robust assessment, and the results provide you with a start to fulfill the precepts set out in the 2020 Evaluation, but you will eventually need to demonstrate the effectiveness of your compliance training in the future.
Three key takeaways:
You must demonstrate that you have measured the effectiveness of your compliance training.
The DOJ is moving into requiring a demonstration of the effectiveness of compliance training.
You should be moving towards a model of demonstrating compliance training ROI to validate the full operationalization of your compliance training.
-
Compliance Training Frequency
What should be your organization’s compliance training frequency? How can the amount of training positively or negatively impact an overall training strategy? Unfortunately, these questions were not answered by the 2020 Update or the 2020 FCPA Resource Guide. Still, every company should remember that a hallmark of a “well-designed compliance program is appropriately tailored training and communications.”
Often compliance professionals think that compliance training needs to be conducted very frequently, even if it means repeating the same training courses every year. Compliance training expert Shawn Rogers analogizes compliance training to an automobile’s windshield wiper system in a discussion of how frequently compliance training should be administered. He went on to explain that “it would not make any sense to run your wipers constantly, even when it is not raining. First, it would be extremely annoying to the passengers. And second, eventually it would wear out both the wiper blades and the wiper motor. It would simply be nonsensical.” Requiring overly repetitive training is like running your windshield wipers in clear weather. The learners are going to be annoyed, the training will be viewed as a waste of time and energy, and finally, your employees will not take training as seriously when it is really needed to address a specific situation, as the compliance training will be viewed literally and figuratively as a “check-the-box” exercise.
Three key takeaways:
Have a well-reasoned approach to training frequency.
Lengthier, more full-bodied training can be given once every three years or so.
Shorter, more frequent compliance refreshers or reminders can be used to keep the risk top-of-mind.