As fiduciaries, board members have a responsibility to shareholders to oversee many aspects of a company’s business, including compliance with laws and regulations. Board oversight of compliance is also an expectation of federal and state regulators. As a corporate governance advisor and a current Chief Compliance Officer, I have seen first-hand the struggles some boards have with the often complex topic of compliance and their oversight role.
If it isn’t already, compliance should be a regular agenda item for board meetings. Some boards delegate compliance to a committee, such as a compliance committee or risk management committee. If that is the case, the relevant committee chair should present a summary to the full board of the subjects discussed at each committee meeting. Otherwise, the full board agenda should include a compliance report. Consider including:
- regulatory developments and enforcement actions that impact the company’s business
- the status of regulatory examinations and any special inquiries or investigations
- customer complaint trends
- high-risk compliance issues
- results of risk assessments and compliance testing
- the status of the compliance training program and completion rates
- issues relating to third-party vendor oversight
- privacy trends and security incidents
As business and regulatory environments are ever changing, the board should also review the overall state of the compliance program and consider areas for enhancement, at least once a year.
Ideally, compliance presentations to the board should be made directly by the highest-ranking compliance professional in the company, whether that is a chief compliance officer, a compliance manager, or the general counsel if he or she also serves as the chief compliance officer. If the chief compliance officer does not report directly to the board or a board committee, the board should consider meeting with the chief compliance officer in executive session (without other management attendees) at the end of each board or committee meeting. This allows for the free flow of information between the chief compliance officer and the board and supports the independence of the compliance function.
So once the board has the right topics on the agenda and the right people in the room, the board can help to fulfill its fiduciary duties and oversight role by asking the chief compliance officer these key questions.
- What are your biggest concerns about the company’s compliance program?
This is the “what keeps you up at night” question. Chief compliance officers have a huge responsibility and learn of many issues on a daily basis, some big, some small. Boards should expect the chief compliance officer to sift through these issues and present the areas of greatest risk to the company and how they are being addressed. Consider these follow-up questions:
- Are remediation plans in place and on schedule?
- Are these issues being raised by the regulatory agencies in enforcement actions?
- Do you and the business have sufficient resources to address these issues?
- Are you getting support from business leaders, middle managers and rank-and-file employees for compliance initiatives?
- Overall, does the company have sufficient resources to adequately address its compliance needs on an enterprise basis?
- How would you assess our compliance culture?
This question will alert the board to the level of emphasis compliance receives within the organization and the attitude of leaders and employees about the importance of compliance. Generally, a compliance culture is one in which:
- compliance is embedded into business processes, systems and products
- compliance is viewed as a business imperative
- resources are dedicated to compliance
- all employees have a healthy respect for legal and compliance requirements and the regulatory process
- compliance is recognized as everyone’s job
- employees are held accountable for compliant behavior.
Follow-up questions might include:
- What is the company doing to engender a compliance culture?
- Does the company have the right tone from the top and, just as importantly, tone from the middle?
- Are employees taking their required compliance training?
- What can board members do to help support and develop a compliance culture?
- Is our state of compliance in line with industry peers?
Benchmarking is important in many facets of business, including compliance. The board should know if the compliance program is lagging, commensurate with, or exceeding industry norms. The board can then determine whether additional resources are needed and, if so, where they should be applied. It will also help ensure that the company’s compliance program is keeping pace with regulatory expectations. As follow-up questions, the board might consider:
- If the company is lagging industry peers, which areas are weak and what is being done to uplift the compliance program?
- Is the company satisfied with meeting industry norms, or is the intent to be a leader in compliance proficiency?
- How would you describe the company’s relationship with federal and state regulators?
An honest assessment of this relationship will give the board a sense of whether unsatisfactory examination reports or enforcement actions could be looming on the horizon. A constructive working relationship with regulators should be the goal of the organization. Friction or antagonism toward regulators is not productive and can lead to negative examination outcomes. On occasion, regulators, especially at the federal level, may want to meet with the board. This can also be a sign that the relationship with management is not positive and, in such cases, the board may be required to intercede and recommit the organization to improving the relationship and its compliance program. Consider also asking:
- What were the findings on the last examination report and are they being addressed in a satisfactory manner?
- What was the tone of the regulators during the examination and in the examination report?
- Are there repeat findings from one examination to the next?
- Are the regulators raising the possibility of an enforcement action and, if so, what is the plan to address or mitigate this risk?
- Do employees feel comfortable raising compliance issues with their managers or directly to the compliance department?
Information flow within an organization, both up and down the chain, is a sign of a healthy compliance culture. The board should ensure that the company has mechanisms in place, such as escalation procedures or whistleblower hotlines, to identify and report compliance gaps. Employees should be well aware of these mechanisms, encouraged to use them, and actually use them. A “safe to speak up” culture gives the board assurance that it is receiving the right information in a timely manner, so that it is not surprised later by an incident that could cause financial or reputational damage. Asking these follow-up questions might help:
- What are the escalation channels within the company?
- What types of issues are being reported and how often?
- What is management doing to improve communication and information sharing within the organization?
- Has the company conducted employee surveys to gauge employee satisfaction and morale?
Board oversight is a critical component of any compliance management system. If board members ask questions along these lines on a regular basis, and probe even deeper when warranted, the board will be able to properly oversee the company’s compliance program and assess its effectiveness. In so doing, the board will be serving the best interests of the company’s shareholders and its other key stakeholders, including employees, customers and regulators.
Linda Iannone is the Chief Compliance Officer of Toyota Financial Services.