As Seen in Compliance Week
Individuals who serve on the boards of directors and officers of corporations and non-profit institutions face a new and frightening reality: They may no longer be insulated by the corporate structure against personal liability for an organization’s wrongdoing. This new reality dawned just over a year ago, with the publication of a memorandum by U.S. Deputy Attorney General Sally Yates. The so-called “Yates Memo” says, in part:
“One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing. Such accountability is important for several reasons: it deters future illegal activity, it incentivizes changes in corporate behavior, it ensures that the proper parties are held responsible for their actions, and it promotes the public’s confidence in our justice system.”
The memo goes on to enumerate key actions being taken by the Justice Department to more aggressively pursue cases against individuals responsible for corporate misdeeds.
Recent developments, specifically the fallout over Wells Fargo’s opening of unauthorized customer accounts, have brought this issue front and center. Federal prosecutors are in the early stages of an investigation. They are likely to focus on who was responsible for initiating and directing the fraudulent sales practices and the degree to which senior management knew, or should have known, that customers were being defrauded. Some have even suggested potential board culpability with headlines like “Liability for Wells Fargo Mess Could Seep Into Boardroom.”
If this situation were to become more pervasive, it could have a major negative impact on the exposure of current board members and the willingness of individuals to serve on boards. Thus, it is essential that boards, as well as corporate risk managers, identify and address the most serious sources of liability. They must not only ask, “What could sink the ship?” They must also facilitate the provision of a life preserver in the form of robust risk-based ethics and compliance programs and processes.
For individual board members, the first line of defense against personal liability is an effective risk monitoring and oversight regime at the board level. The SEC has required since 2010 that companies clearly disclose the board’s risk oversight role in filings such as proxy and information statements; annual reports; and registration statements. Directors need to stay informed about and engaged in their role, including whether the board as a whole or a board committee in particular is responsible for the risk oversight function; whether the company personnel responsible for risk management report directly to the board or to a committee of the board; and whether and how the board or committee monitors risk.
Most board members are not well informed about the changes in individual accountability under the Yates Memo. For proper corporate governance, as well as their own personal financial security, it is essential that they carefully assess and understand the risks that could sink the ship.
Additionally, beyond simply being aware of the general risk oversight process, board members should educate themselves as to the company’s most vulnerable areas of risk exposure. Some of these risk exposures are present in all companies (for example, business interruption and competition risk) while others are industry-specific (e.g., interest rate sensitivity or credit quality at a bank, or supply chain issues for a retailer or manufacturer). But it is also essential that board members consider less familiar areas of risk exposure that might not have posed a problem only a few years ago. Some of the risks that are appearing on more corporate radar screens these days include (but are not limited to) the following:
- Cyber-security/data breaches;
- Technology disruption;
- Diversity and inclusiveness policies;
- Environmental exposures;
- Supply chain compliance (including compliance with child labor regulations); and
- Anti-money laundering/know your customer (for financial institutions).
In addition to the above, boards should be encouraged to initiate and oversee the development and maintenance of comprehensive risk assessment processes to uncover other areas of significant exposure of which the directors may not be aware, together with mitigation procedures and processes to reduce those risks to an acceptable level of exposure.
The board can help to reduce the exposure of its members to individual liability by fostering a robust, enterprise-wide compliance culture that encourages ethical conduct and a commitment to compliance with the law. Fostering such a culture requires “leading by example,” and the following elements should be present:
- Implementation and maintenance of an “effective” ethics and compliance program that conforms to the amended Organizational Guidelines of the United States Sentencing Commission;
- Active oversight of the compliance program by executive management and the board;
- Prompt and appropriate resolution of issues brought to management’s or the board’s attention;
- Documentary evidence that will allow the board and its executive officers to demonstrate that they are exercising due diligence, reasonable care, and good faith in operating the company in an ethical and compliant fashion.
EFFECTIVE COMPLIANCE PROGRAMS
Below is an excerpt from an overview of the U.S. Sentencing Commission’s Organizational Guidelines.
Criminal liability can attach to an organization whenever an employee of the organization commits an act within the apparent scope of his or her employment, even if the employee acted directly contrary to company policy and instructions. An entire organization, despite its best efforts to prevent wrongdoing in its ranks, can still be held criminally liable for any of its employees’ illegal actions. Consequently, when the Commission promulgated the organizational guidelines, it attempted to alleviate the harshest aspects of this institutional vulnerability by incorporating into the sentencing structure the preventive and deterrent aspects of systematic compliance programs. The Commission did this by mitigating the potential fine range—in some cases up to 95 percent—if an organization can demonstrate that it had put in place an effective compliance program. This mitigating credit under the guidelines is contingent upon prompt reporting to the authorities and the non-involvement of high level personnel in the actual offense conduct.
Chapter Eight outlines seven key criteria for establishing an “effective compliance program”:
- Compliance standards and procedures reasonably capable of reducing the prospect of criminal activity
- Oversight by high-level personnel
- Due Care in delegating substantial discretionary authority
- Effective Communication to all levels of employees
- Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal
- Consistent enforcement of compliance standards including disciplinary mechanisms
- Reasonable steps to respond to and prevent further similar offenses upon detection of a violation
The organizational guidelines criteria embody broad principles that, taken together, describe a corporate “good citizenship” model, but do not offer precise details for implementation. This approach was deliberately selected in order to encourage flexibility and independence by organizations in designing programs that are best suited to their particular circumstances.