Board Confidence in Compliance Programs Is Dwindling

© AdobeStock
Increasing complexity of the rules and regulations, emerging risk and a lack of formal metrics for measuring the effectiveness of compliance programs are all contributing to rising director anxiety.

Editor’s note: The study referenced below was conducted prior to the COVID-19 outbreak, but with the challenge of managing risk only increasing for boards, we believe the survey results are even more relevant today. 

Directors of public companies are having to oversee a much broader scope of risks today than they did even just a decade ago. The rapid pace of societal change, the increasing scrutiny into the inner workings of corporations and the advancement of technology are all adding new layers of complexity to the role. Against that backdrop and as part of our 19th annual “Law in the Boardroom” study, we surveyed more than 300 directors of publicly traded companies to discuss their compliance with these modern issues. Here’s what they had to say.

Ethics Exposure

Our findings indicate that directors may be losing confidence in the effectiveness of their internal ethics and compliance programs. This year, only 35 percent of respondents reported feeling “very confident” compared to 46 percent just a year prior. Similarly, 11 percent said they are “not entirely confident” compared to 1 percent in 2018.

Ron Tillett, chairman of Atlantic Union Bankshares and former Virginia State Treasurer, says he is confident in his own program, but dwindling confidence among some directors may be related to the increasing complexity of the rules and regulations. “The rules are very difficult and have become not only more complex but also more voluminous,” he says. “Can you really have complete confidence [that you’re compliant] with the number of increasing rules and regulations that are occurring on a regular basis?”

Emerging risk may also be affecting confidence, says Scott Letier, Xerox director and member of the finance and audit committees at spin-off Conduent. “Companies are moving very, very quickly, and the ability to have absolute control over every person on what they might be doing at any point in time, regardless of where on the globe it is…creates uncertainty,” he says, adding that the automation journey companies are embarking on to slim down is another factor. “There’s uncertainty as to how that [automation] works, how fast that happens, what transpires to get there and how some of your people may react in those situations, as they’re potentially getting replaced by bots and things like that. Those things create exposure in the short run.”

The lack of formal metrics for measuring the effectiveness of compliance programs may be another factor. While one of the published hallmarks of an effective compliance program is ongoing monitoring, six directors out of 10 say their board does not have measurable guidelines in place.

To Tillett, that number is shocking. “If I had anybody on our board say that, they shouldn’t be on our board. Bottom line.”

And for good reason. Companies that experience a compliance breakdown and cannot demonstrate that the board and its management team had conducted ongoing monitoring could suffer additional punitive penalties from regulatory agencies.

Tillett has been on both sides of the aisle on this issue, having spent 25 years in government occupying senior level positions with the House Appropriations Committee and Joint Legislative Audit and Review Commission of the Virginia General Assembly. As he sees it, the regulatory burden in the United States offers directors a level of comfort.

“Our company is in a continuous audit process, and the assurances that we get through our internal audit function and the external audits that are done by not only the feds but also the state regulators are helping our confidence along,” he says, adding that as a result he can understand why some boards may not feel as concerned with having to formally log or track their monitoring process outside of all the regulatory controls in place.

Yet, all publicly traded companies are subject to regulators’ scrutiny, obliged to monitor and audit their practices to ensure the business remains compliant with the laws and regulations—even those without a global footprint. Compliance-related issues involving ethics and fraudulent activity, such as travel and entertainment fraud, improper flow of funds, KYC or money laundering, can occur domestically just as easily as internationally.

“The risks of waste and abuse of corporate assets exist irrespective of the various laws that may be contravened by improper or illegal activity,” says Brian Ong, senior managing director at FTI Consulting, a partner in this study. “Wasting of corporate assets for bribery purposes is really a risk that exists for all companies, whether or not they are subject to particular antibribery legislation.”

Unfortunately, according to William Lerner, a former branch chief of the enforcement division at the SEC and a career board member with many financial services organizations, in his decades-long experience—and as our survey shows—anti-bribery and anticorruption are not generally the focus of discussions for most U.S. boards.

“In the 21st century, we entered into a new era that requires greater diligence and a better understanding [of] what FCPA, anti-bribery and anticorruption laws mean to a public corporation, and to the risk that such activity presents,” he says. “Board education as to rules and regulations including the subject laws is, however, not generally a focus of most public or private company boards, and this is unfortunate.”

While there may be missed opportunities for directors and their management teams to review and enhance their company’s ethics and compliance programs, the reported lack of confidence may also stem from the fact that the number of internal investigations that revealed a potential issue is on the rise. According to our survey, 36 percent of directors say their whistleblower or hotline reports have revealed a potential or existing compliance problem or fraud, compared to 28 percent just a year ago.

For Letier, the increasing number of investigations is most likely due to the fact that the congressional hearings of the past 18 to 24 months have created more public awareness of the potential for ethical breaches, and, as a result, more people now report what they see, whether or not they represent real violations.

“The bigger and more sophisticated a company, the more its people will report what they see, whether it is an ethical violation or not,” he says. “If at Joe’s Bar n’ Grill on the corner, the salesperson gives a side letter to cut a deal, nobody’s calling the hotline, but you do the same at Oracle and somebody in contracts administration is likely trained [to raise a flag]. We’re in a world where we have to investigate because if you don’t, it’s going to be seen as burying your head in the sand. You can’t put the genie back in the bottle. But do I think it’s overkill? Yes.”

 Cultural Concerns

Headlines decrying corporate acts of misconduct, along with heightened social awareness in the wake of movements such as #MeToo, suggest a greater need for boards to ensure they are not only aware of, but also able to influence a company’s culture.

Tillett says his board and management spend a significant amount of time looking at the corporate culture, especially in client-facing roles. While culture is the hardest thing to evaluate, it’s also the hardest thing to change, he notes, which may explain why nearly half (47 percent) of directors said they would steer clear of acquiring a company that had recently experienced a high-profile, culture-related scandal, compared to only a third (36 percent) who felt the same about a cyber breach. Considering cyber risk has been continuously ranking as directors’ top concern in our surveys, this finding is a testament to the lasting reputational damage caused by corporate misconduct.

Bill Hayes, chairman of global mining company Royal Gold, says the reason for this fear of a defective culture is that directors probably know how to deal with a data breach a lot better than they know how to address—and fix—a cultural breach, adding that until recently, the issue of culture as a corporate risk had not been getting the attention it deserves in boardrooms and among management teams.

“In previous years, many didn’t perceive culture to be as big a problem or, inherently, they just didn’t know how to deal with it or didn’t want to deal with it, rather than think seriously and get to the bottom of what was going on,” he says. “We’ve all got to take a step back and think more than we’ve been thinking in the past.”

According to our study, directors are, indeed, thinking about culture more these days, as half (48 percent) say the frequency and depth of ethics and culture discussions in the boardroom has increased, with 54 percent reporting that they discuss the issue every quarter.

Yet, despite the concerns, fully half the directors in our study report not having a response plan in place in the event of such a crisis. According to Letier, this may be because a cultural crisis is often easier to manage and deal with within the confines of the company—unless it is tied to an individual who singlehandedly represents the organization. “If your culture breach deals with Facebook’s Mark Zuckerberg or somebody like that, it’s going to be devastating,” he says.

So, how do directors ensure adequate oversight of an ethical culture?

“Only by example and by leadership,” says Hayes. “The supervisors, the managers and the senior executives in any organization have to set the right tone of what’s acceptable behavior and what’s not acceptable behavior. If you don’t weed that out when you see it, it’s going to grow, and people will assume you don’t care.”

He says that the leadership of organizations that have people spread all over the world can’t possibly know what employees are doing every day and who they’re doing it with, so “you have to make it very clear to them that if they do something they shouldn’t do, there are going to be consequences.”

From his perspective, it all comes down to hiring people who are ethical and have a good track record, and then making sure they understand the rules of the game. “There’s no gamesmanship here,” he says. “If/when that happens,if it’s not dealt with and carry serious consequences, nobody’s going to believe it.”  CBM

Enhancing Compliance Through Advanced Technologies

Advanced technologies are generating significant opportunities for growth and new efficiencies, and when we asked directors whether their company was leveraging them to support compliance monitoring, more than two-thirds (68 percent) said they were using them.

New technologies have the ability to support compliance teams so that they can focus on high-risk activities and protect the business from the reputational damage and hefty fines we’ve seen in recent history. As an example, David Turner, senior managing director at FTI Consulting, says that by leveraging the capabilities of machine learning to analyze historic events and identify typical red flags, compliance teams can proactively assess and prevent potential adverse events from occurring in the future. He says others have developed key KPIs and bespoke analytical dashboards to monitor transaction activities that may be indicia of such transactional red flags.

While the upfront investment to develop these monitoring tools are not inconsequential, the ability to routinely and innocuously monitor compliance risks in this fashion have proven to be extremely valuable. Web-based tracking tools can help companies log, approve, track and report previously untracked events, such as non-routine meetings with government officials, the giving and receiving of gifts, and the giving of donations. More complex asset tracing algorithms work to identify relationships and enable companies to answer crucial questions, such as “Where did the money in account X go? What are the sources of funds in account Y? Which intermediary accounts are involved in moving the money from X to Y?” Using technology in this manner can help companies avoid downstream reactive costs and potential regulatory-driven investigations.

When looking at new technologies, companies shouldn’t just look at the innovation potential in product or service delivery, but also at the opportunities to enhance their compliance and oversight, says Atlantic Union Bankshares’s Ron Tillett. “The technology is the creative force that’s going to be required for probably any large corporation to be successful going forward,” he says. “And if your board isn’t out there on the edge of where they need to be, if you’re not moving ahead, you’re going to be left behind.”

  • Get the Corporate Board Member Newsletter

    Sign up today to get weekly access to exclusive analysis, insights and expert commentary from leading board practitioners.



    20th Annual Boardroom Summit

    New York, NY



    Board Committee Peer Exchange

    Chicago, IL