When a corporate scandal hits the news, it sheds a powerful light on compliance issues. Corporate compliance is essential to good corporate governance, which is why it's a strategic priority for most corporations. A host of issues creates pressure to balance business fundamentals with compliance, including the economy, regulations, stakeholder expectations, technological advances and shifts in the global political landscape. The current social and ethical climates add other facets to the mix.
Boards are keenly aware of increasing competition and the need to take risks to promote growth. Often the lines between risk and compliance get blurred significantly, making it difficult for corporations to keep stringent controls on compliance while striving to take the lead over competitors. How do corporations keep a focus on compliance without letting it dominate everything?
What Constitutes Compliance?
Corporate compliance means making sure corporations follow state, federal and global laws, as well as their own internal policies. Corporations must also meet their contractual obligations and public commitments. Everyone in the corporation, from the top to the bottom, must follow laws, regulations and standards, and act ethically in relation to business matters.
It's impossible to address corporate compliance without looking at the corporation's entire infrastructure, including its programs, people, controls and processes. It's necessary for corporations to consider how to embed compliance into their business and decision-making processes, with a dual focus on prevention and detection.
Proactivity Reduces the Need for Reactivity
When a corporation gets caught being out of compliance, it's fairly easy to detect where things went wrong, especially when it pertains to an issue that has serious negative consequences for shareholders. The typical corporate response is knee-jerk reactivity. The fallout can be serious, including regulatory actions, criminal investigations, heavy financial loss, reputational loss and lengthy litigation.
Compliance risks are numerous. Some are common and relatively easy to monitor. Others are hard to predict. Here's a short list of some common compliance matters:
- Cybersecurity
- Anti-bribery
- Accounting fraud
- Foreign trade and sanctions
- Data privacy and data protection
- Antitrust and competition law
- Fraud
- Money laundering
- Environmental risk
- Workplace health and safety
- Social responsibility
- Product quality
Defining the Duties and Responsibilities of a Corporate Ethics and Compliance Committee
Ethics and Compliance Committees are emerging and evolving along with the changes in today's corporate landscape. The Chief Ethics and Compliance Officer (CECO) typically chairs compliance committees. Compliance committees work closely with legal teams and the General Counsel to receive expertise, advice and support for their work. The committee serves as a check and balance against the board and management's strategic growth plans.
Compliance committees should be as individual as the corporation and the industry of which they are a part. The work of compliance committees should be proactive and progressive because many issues within the corporate arena are continuing to evolve. To be truly effective, compliance committee members must be collaborative, consistent and project a wide range of diverse perspectives.
Many activities and duties fall under the umbrella of the CECO. First, the CECO must emphasize the importance of embedding a tone of compliance into corporate culture, starting at the top. When top-level executives speak about the focus on compliance, it naturally filters down to the employees, and they embrace it as well. Employees often have many important things to say regarding compliance, but they don't often feel heard. Executives with an eye on compliance, ethics and integrity really listen to their employees and avoid just paying them lip service. Under the leadership of the CECO, compliance committees maintain the company's policies and procedures. The policies and procedures form the basis for employee training programs to make sure that every employee understands and implements the company's compliance principles.
An Ethics and Compliance committee also handles the routine duties of compliance like maintaining compliance registers, paying appropriate fees, complying with reporting requirements, resolving conflicts of interest, managing compliance infractions like fraud and insider trading, and handling complaints. They also take on responsibility for paying attention to early warning signs of noncompliance, so the board can respond expediently. Committee members are responsible for generating internal or external investigations or inquiries, evaluating their findings, and making recommendations to the board for how the corporation should respond.
In the event that an incident of corporate non-compliance gets exposed, the compliance committee undertakes the responsibility for enacting and supervising remedial action plans. With compliance committees taking over the bulk of the responsibility for ethics and compliance, it still leaves plenty of work for boards of directors to do. Delegating many duties to the compliance committee frees up the board so that it can focus its attention on core business fundamentals like strategic planning, monitoring short- and long-term performance goals, and evaluating the competition.
Boundaries Between Ethics and Compliance Committees and Boards: A Little Murky
On the surface, the boundaries between compliance committees and boards seem pretty clear. The trouble comes when the committee makes a misstep in what information it shares with the board of directors and when it shares it.
The types of information that compliance committees share with their board directors and the time frame in which they choose to share them are subjective, to say the least. Compliance committees have three main communications risks:
- Not sharing enough information
- Not sharing the right information
- Not sharing information in a timely manner
Board directors need to take responsibility for reading compliance committee reports and asking probing questions about their work. Board directors also need to take responsibility for how they respond to the information stated in compliance committee reports.
When a compliance committee fails to tell the board about a potential major compliance issue, it reflects poorly on the whole organization and can cause much damage. If the committee informs the board about a potential issue and the board decides not to take action, it can set the stage for blaming and shaming inside and outside of the organization. Either situation can cause a breakdown of trust between board and committee, and that's never good.
The reality is that there shouldn't really be a trade-off between compliance and business fundamentals as much as there really needs to be a healthy balance between them. Like many other important compliance matters, it's a work in progress.