The Board of Directors and Compliance

Tuesday, August 02, 2011

Thomas Fox


What is the role of a company’s Board when it comes to Foreign Corrupt Practices Act (FCPA) compliance?

The Board should not engage in management but should engage in oversight of the Chief Executive Officer (CEO) and senior management, which it does by asking hard questions and through risk assessment and identification.

These questions were brought to the fore in an article in the Tuesday edition of the Wall Street Journal (WSJ) entitled, “News Corp. Board Challenged” by reporters Russell Adams and Joann S. Lublin.

In this article they discussed the Board of Directors of News Corp and its response to the current scandal engulfing the company. While focusing on the independence of the Board from the influence of the Murdochs, the article also discussed whether the structure of the Board will allow it to “properly police the company.”

While generally the role of a Board should be to keep really bad things from happening to a Company, once really bad things have occurred the Board needs to take charge and lead the effort to rectify the situation or perhaps even save the company.

While giving oversight to risk management through an Audit Committee or a Compliance Committee is a good first step, such a committee needs to have sufficient independence from the management which got the company into such hot water to begin with.

To this end the WSJ reporters quoted corporate governance expert Neil Minow as saying, “The probe cannot be conducted effectively while Mr. Murdoch is in charge.”

In a White Paper entitled “Risk Intelligence Governance – A Practical Guide for Boards”, the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

  • Define the Board’s role – there must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities.
  • Foster a culture of risk management – all stakeholders should understand the risks involved and manage such risks accordingly.
  • Incorporate risk management directly into a strategy – oversee the design and implementation of risk evaluation and analysis.
  • Help define the company’s appetite for risk – all stakeholders need to understand the company’s appetite or lack thereof for risk.
  • How to execute the risk management process – the risk management process should maintain an approach that is continually monitored and has continuing accountability.
  • How to benchmark and evaluate the process – systems need to be installed which allow for evaluating and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially, it is important that the Board receive direct access to information on a company’s policies on this issue.

The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer (CCO) to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as an Audit Committee may more appropriately deal with financial audit issues.

A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the Securities and Exchange Commission (SEC) desires Boards to take a more active role in overseeing the management of risk within a company.

The SEC has promulgated Reg SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.”

If this disclosure is not made, it could be a securities law violation and subject the company that fails to make it to fines, penalties or profit disgorgement.

At this point it is not clear what, if any, of these factors or guidance the Board of News Corp has implemented. The WSJ reports that News Corp. has created a management and standards committee “tasked with cooperating on investigations into voicemail interceptions and alleged improper police payments at its U.K. newspaper unit.”

Furthermore, this committee will be “conducting its own enquiries” and proposing new standards. So perhaps it may all work out in the end. Or perhaps this committee will continue to receive the rating given to the News Corp Board by Mr. Minow since 2003 for its governance and effectiveness; that being an “F”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

Cross-posted from Tom Fox Law
