When peeling back the onion on many corporate ethics scandals, a common theme is the Board of Directors not having proper and timely information. While board members are typically well-intentioned, a passive management approach to ethics can result in unenforced policies that create employee confusion about what their obligations are, and compliance violations that can result in enforcement actions.
The consequences for inaction can be significant, both for the company and for individuals suspected of involvement in a crime. Large corporate settlements, deferred prosecutions, and fines have been the preferred approach of federal prosecutors in recent years, but that trend could change—after all, a presidential candidate who made her name by publicly calling for CEO accountability is gaining in the polls.
Boards approve policy and procedure documents that require the company to follow the rules and foster a “tone at the top.” The real test, however, and the key to avoiding those worst possible outcomes mentioned above, is the “tone in the middle.”
In many instances where there is unethical behavior, there is a clear gap between “what we say” versus “what we do.”
Board members are responsible for helping define and document core beliefs and the foundation for an ethical culture of compliance. Further, they must ensure that these beliefs are understood clearly throughout the organization and that management has implemented controls to measure and monitor compliance. A passive board can be caught off guard when company management unknowingly or intentionally hides bad activity.
How can a board better prepare itself? Directors should begin by asking one simple question: Do they know the name of the company’s compliance director?
If so, that’s a good start. If not, they should learn it.
The board should then play a significant role in empowering that director, who is ultimately responsible for guiding middle management where issues often emerge. Compliance cannot catch every bad actor, but if a large layer of managers perceives that bad behavior is rewarded rather than punished, human nature suggests that they may follow suit. Well-intentioned employees must be encouraged to raise their hands when they see unethical behavior.
Good compliance does not simply keep you out of hot water with regulators; it helps avoid dangerous business practices. An effective compliance department is one that can not only request information but is also empowered to get a timely response and has a clear escalation path for issues of noncompliance.
For example, in a financial institution, there may not be consequences for a relationship manager who fails to respond to compliance department requests for information about a client or a transaction. If there are no consequences, there may not be an incentive for the relationship manager to take time out of their day, bother their client and get the information. Before you know it, the institution’s due diligence is so lax that it creates real risk.
For their part, compliance directors can help the board be more effective by presenting issues in a manner that directly correlates compliance metrics with actual risk to the firm, rather than merely dumping context-less metrics on them. The compliance professionals need to tell the board why those metrics are important. For example, are regulatory exams showing systemic issues or are they localized? Forward-looking compliance departments provide context around compliance issues—interpreting numbers, identifying patterns, assessing the level of firm risk and communicating how they are addressing these issues.
The relationship between compliance directors and the board is crucial; staying out of the headlines and clear of regulator crosshairs requires superb cooperation and communication. Step one is making sure that relationship exists in the first place.