Corporate harassment scandals across a wide range of industries have dominated recent news. These problems are not new, but their effects have taken on a new permanency, resulting in destructive damage to the people and companies that have faced them. Previously viewed by many as unavoidable litigation risks, boards of directors have begun to appreciate these problems as potentially seismic events, understanding that they are not limited by time and pose a host of fundamental risks, including risks to the company’s brand and market reputation, its operations, and its shareholder value.
Addressing these risks as an independent board director who is necessarily removed from day-to-day operations is not an easy task, but it is required by the director’s duty to the corporation. Detecting the problem is the first real challenge, especially when senior management is implicated. One solution is creating or further empowering the role of a Chief Human Resources Officer (CHRO) that reports to the board. Another is asking tougher questions about the corporation’s Human Resource (HR) systems and compliance structure.
This article is intended to help independent directors define the right questions. Fortunately, there is no need to reinvent the wheel. Directors may already be asking the right questions when assessing typical compliance risks previously considered more destructive than harassment, such as foreign corruption and fraud.
At its core, any good compliance program educates employees about the value of doing the right thing and encourages thoughtful, proactive behavior. Certainly a familiar concept to experienced board directors, establishing the right “tone at the top” is a first step to solving endemic problems of corruption and fraud because it shapes the broader corporate culture and sets an example that other employees strive to follow. Most relevant here, it is also a crucial step to mitigating harassment. The board, Chief Executive Officer, and other c-suite executives play critical roles in setting and communicating the tone at the top. The “tone” cannot be limited to static or sporadic training, but must instead be consistently communicated, and show employees that harassment will not tolerated.
The importance of “tone at the top” is only the beginning of the shared lessons between corruption, fraud, and harassment. The term “echo from the bottom” is also critically important and must match the tone at the top. Every employee should know the importance of speaking up and know that they have a pivotal role in ensuring compliance. Employees must believe that senior and middle management are held accountable, and management must lead by example. “People learn what to do and how to do it by observing their colleagues and especially their leaders—emulating successful behaviors and avoiding unsuccessful ones.”
Of course, boards of directors should not just stop with ensuring their companies have the right tone.
“[A]t all levels, across all positions, an organization must have systems in place that hold employees accountable for this expectation. Accountability systems must ensure that those who engage in harassment are held responsible in a meaningful, appropriate, and proportional manner, and that those whose job it is to prevent or respond to harassment should be rewarded for doing that job well (or penalized for failing to do so).”
A code of conduct that reflects the company’s values, creates a zero-tolerance policy for misconduct, and explicitly applies to everyone in the organization can help the company set the right tone. Compliance policies should address the consequences for misconduct as well as retaliation. Companies should also implement risk-based trainings tailored to high-risk employees, such as employees in supervisor roles, and employees in control roles, including human resources and compliance.
These considerations are paramount, but directors still may need to dig further. There are several assessment tools in the compliance field that can be used for that purpose. Among them is the Department of Justice’s Evaluation of Corporate Compliance Programs (herein “the Guidance”). Probably known best to board directors focused on corruption and fraud, the Guidance is not specific to any particular industry, provides common sense benchmarks that can be referred to throughout an organization, and “is of particular relevance to the board of directors  in the exercise of its compliance oversight duties.” The principles that underlie the Guidance are a collection of accepted industry best practices for developing a compliance program to address general concerns, and can be readily applied to sexual harassment.
Below, we take a several excerpts from the Guidance and show how board directors can use them to address challenges raised by sexual harassment.
|Excerpts from DOJ Evaluation of Corporate Compliance Programs||Additional Questions Tailored to Prevent, Detect, and Respond to Sexual Harassment|
|· “What methodology has the company used to identify, analyze, and address the particular risks it faced?”
· “What information or metrics has the company collected and used to help detect the type of misconduct in question? How has that information informed the company’s compliance program?”
|· Has the company identified and analyzed the specific harassment risks that it faces? What methodology has the company used to address harassment risks?
· What metrics specific to harassment does the company use? How have those metrics influenced the company’s harassment program? Are those metrics reported to the company’s board of directors?
|Training and Communications|
|· “What training have employees in relevant control functions received?”
· “Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred?”
· “What analysis has the company undertaken to determine who should be trained and on what subjects?”
· “How has the company measured the effectiveness of the training?”
· “What has senior management done to let employees know the company’s position on the misconduct that occurred?”
· “What communications have there been generally when an employee is terminated for failure to comply with the company’s policies, procedures, and controls?”
|· What type of training were supervisors and higher management provided?
· Does the company provide additional training for officers and key employees?
· Has the company determined which parts of its business experience the highest rate of sexual harassment claims, and have additional measures been taken to train employees in those parts of the business?
· How frequently, and in what manner, do company leaders speak about the company’s anti-harassment policy?
· What “lessons learned” have been communicated throughout the company when a key employee or company officer is terminated for violating the company’s anti-harassment policy?
|Effectiveness of Reporting|
|· “How has the company collected, analyzed, and used information from its reporting mechanism?”
· “How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?”
|· After a harassment complaint is received, how does the company determine who should review and investigate the complaint to ensure that the investigation is fair and conflicts of interest are avoided?
· Who has access to harassment reporting and investigative information? How does the company handle allegations of sexual harassment by employees in the control functions, such as compliance or HR?
· Has the company audited its reporting mechanisms by placing a complaint through the hotline and determined whether the correct protocols are followed?
|Management’s Awareness and Commitment|
|· “How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question?”
· “What concrete actions have the leaders and other stakeholders have taken to demonstrate leadership in the company’s compliance and remediation efforts?”
· “How does the company monitor its senior leadership’s behavior?”
|· Are leaders at all levels helping to instill a clear and consistent message of compliance with the law? How are leaders communicating this message to the rest of the company?
|Autonomy and Resources|
|· “Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? . . . Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence?”
· “Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation[,] bonuses[,] raises[,] hiring[,] termination of compliance officers?”
· “How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions . . . ?”
· “Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns?”
|· Does the company have a CHRO or an equivalent who reports to the board?
· Is the company’s compliance function properly staffed and trained to handle harassment complaints?
· Does the board of directors periodically review selected responses by the compliance or HR team to ensure adequacy and consistency?
· Who has the authority to agree or disagree with investigative findings by the HR team? Who is the final decision-maker?
|Analysis and Remediation of Underlying Misconduct|
|· “How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?”
· “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? How has the effectiveness of the outsourced process been assessed?”
· “What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified?”
· “Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?”
· “What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis?”
|· The independence of investigations are important in every case, but particularly key where harassment allegations are against a high ranking or performing employee who may receive significant protection from inside the company. What steps does the company take to protect the integrity of its investigative process? Are external investigators consulted for sensitive investigations?
· In harassment investigations, does the company assess the full scope of the problem, i.e., whether it is solely caused by one person, or whether it is accepted practice in the business unit at issue?
· If there were systemic issues that led to a culture where harassment was not prevented or detected earlier, why were those opportunities missed?
· Have the disciplinary actions been consistently applied across the organization? Have new protocols been implemented to improve training and reporting protocols?
 See, e.g., Brooks Barnes & William Neuman, Weinstein Company Sale Delayed by N.Y. Attorney General Lawsuit, N.Y. Times, Feb. 11, 2018, https://www.nytimes.com/2018/02/11/business/media/harvey-weinstein-company-sale.html.
 Rosemary Lally and Brandon Whitehill, How Corporate Boards Can Combat Sexual Harassment: Recommendations and Resources for Directors and Investors at 3, Council of Institutional Investors (Mar. 2018), https://www.cii.org/files/publications/misc/03_01_18_corporate_boards_sexual_harassment.pdf (“High-profile allegations of sexual harassment have beset the venture capital community, affecting both VC firm members and executives at the private companies in which they invest (VC firms have also been criticized for lacking diversity). Recently, however, VC firms have sought to get in front of the issue. Boardlist found that since September 2017, 83% of venture capital-backed companies discussed the climate of sexual harassment and 43% diagnosed their company’s culture. In addition, 50% are developing a new plan to respond to sexual harassment reports and 45% are reevaluating the plans they have in place.”).
 See Ram Charan, Dominic Barton, and Dennis Carey, People Before Strategy: A New Role for the CHRO, Harvard Business Review (July-Aug. 2015), https://hbr.org/2015/07/people-before-strategy-a-new-role-for-the-chro (explaining the role of a CHRO as someone who “should be searching for people who could be future value creators and then thinking imaginatively about how to release their talent. Judging people must be a special skill of the CHRO, just as the CFO has a knack for making inferences from numbers.”).
 Criminal Division of the U.S. Dep’t of Justice and the Enforcement Division of the U.S. Secs. and Exchange Comm’, FCPA A Resource Guide to the U.S. Foreign Corrupt Practices Act at 57 (Nov. 14, 2012), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf (“[C]ompliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders.”).
 See Stephanie Chaly, James Hennessy, Lev Menard, Kevin Stiroh, and Joseph Tracy, Misconduct Risk, Culture, and Supervision, Federal Reserve Bank of New York at 5 (Dec. 2017), https://www.newyorkfed.org/medialibrary/media/governance-and-culture-reform/2017-whitepaper.pdf.
 Chai R. Feldblum & Victoria A. Lipnic, Select Task Force on the Study of Harassment in the Workplace, Equal Emp’t Opportunity Comm’n (June 2016), https://www.eeoc.gov/eeoc/task_force/harassment/report_summary.cfm.
 Criminal Division of the U.S. Dep’t of Justice Fraud Sec., Evaluation of Corporate Compliance Programs, https://www.justice.gov/criminal-fraud/page/file/937501/download.
 Michael W. Peregrine, Important New Compliance Program Guidance from DOJ, N.Y. Univ. School of Law (Mar. 3, 2017), https://wp.nyu.edu/compliance_enforcement/2017/03/03/important-new-compliance-program-guidance-from-doj/.
 Quoted material in the left column is from the Department of Justice’s Evaluation of Corporate Compliance Programs at 4.
 Quoted material in the left column is from the Department of Justice’s Evaluation of Corporate Compliance Programs at 5.
 Quoted material in the left column is from the Department of Justice’s Evaluation of Corporate Compliance Programs at 5.
 Quoted material in the left column is from the Department of Justice’s Evaluation of Corporate Compliance Programs at 2.
 Quoted material in the left column is from the Department of Justice’s Evaluation of Corporate Compliance Programs at 3.
 Quoted material in the left column is from the Department of Justice’s Evaluation of Corporate Compliance Programs at 5, 3, 1, and 2.