FCPA Compliance and Ethics Blog

August 17, 2015

OIG Compliance Guidance for Health Care Governing Boards

On the front page of the Saturday New York Times (NYT) was an obituary for Edward Thomas, who joined the Houston Police Department (HPD) in 1948 and finally retired in 2011 at the age of 90. As reported in the article, entitled “Edward Thomas, Policing Pioneer Who Wore a Burden Stoically, Dies at 95”, when Thomas joined the HPD, “he could not report for work through the front door. He could not drive a squad car, eat in the department cafeteria or arrest a white suspect. Walking his beat, he was once disciplined for talking to a white meter maid.” The reason was that Thomas was the first African-American to don a uniform for the HPD. Yet through stoic service and professional leadership, Thomas became the longest serving Houston police officer and had the HPD Police headquarters renamed in his honor earlier this year.

I thought about how Thomas led the HPD to the modern era in the area of race relations in the context of a report, issued in April, by the Office of Inspector General (OIG), Department of Health and Human Resources, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the OIG Guidance). Through this paper, the OIG provided compliance practitioners and health care company Board of Directors its views on the proper role of a Board in overseeing a corporate compliance function.

As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be a corporate information and reporting system and that such reporting mechanisms provide appropriate information to a Board. It stated, “The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.” The OIG Guidance sets out four areas of Board oversight and review of a compliance function: “(1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.”

While noting that a corporate compliance function should promote the prevention, detection and remediation of compliance violations, the OIG Guidance goes on to state that an organization’s Chief Compliance Officer (CCO) “should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.” Rather, the Board must ensure the CCO and compliance function have the resources to fulfill their assigned role within an organization and access to the Board. The Board should “evaluate and discuss how management works together to address risk, including the role of each in:

  1. identifying compliance risks,
  2. investigating compliance risks and avoiding duplication of effort,
  3. identifying and implementing appropriate corrective actions and decision-making, and
  4. communicating between the various functions throughout the process.”

A key component of Board oversight is the flow of information. The OIG Guidance says, “The Board should set and enforce expectations for receiving particular types of compliance-related information from various members of management. The Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts—separately and independently”. These reports can come to the Board via a variety of reporting mechanisms: regular Board meetings, special Executive Sessions where the Board meets with the CCO or compliance leadership outside the presence of senior management, and ad hoc communications from the CCO. All of these help create a “continuous expectation of open dialogue”, which is paramount for proper Board oversight. Of course, if a serious compliance issue arises, it needs to be communicated directly, and in a timely manner, to the Board.

But in addition to setting the expectations for the flows of information, a Board must also set expectations for holding senior management accountable for areas such as compliance. This can be through the assessment of “individual, department, or facility-level performance or consistency in executing the compliance program” and using this information to pay out or withhold discretionary bonuses “based upon compliance and quality outcomes.” The OIG Guidance also notes, “Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals. Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met.” However, the key component is that “Through a system of defined compliance goals and objectives against which performance may be measured and incentivized, organizations can effectively communicate the message that everyone is ultimately responsible for compliance.”

A Board also needs to have regular reports on the risks that any organization may face. This means keeping abreast of “relevant and emerging regulatory risks, the role and functioning of an organization’s compliance program in the face of those risks and the flow and elevation of reporting of potential issues and problems to senior management.” The OIG Guidance speaks to technological solutions when it says, “Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care.”

Moreover, a Board should also mandate that the company’s compliance function have the proper tools in place to facilitate compliance reporting internally. It states, “Boards should also consider establishing a risk-based reporting system, in which those responsible for the compliance function provide reports to the Board when certain risk-based criteria are met. The Board should be assured that there are mechanisms in place to ensure timely reporting of suspected violations and to evaluate and implement remedial measures. These tools may also be used to track and identify trends in organizational performance against corrective action plans developed in response to compliance concerns.”

Ultimately a Board should drive home the message of compliance as “a way of life” so that it permeates into the DNA of a health care organization. For if a Board can help drive compliance into the fabric of an organization, it will have done more than simply fulfill its legal obligations starting with the Caremark decision and going forward. The Board will have helped to make the entire organization more compliance-centric, and when a Board can help to facilitate such a change in attitudes, it will have moved the organization several steps down the road of doing business in compliance with relevant laws and issues.

The OIG Guidance is an excellent review not only for compliance professionals and others in the health care industry but also a good primer for Boards around their own duties under a best practices compliance program. The US Federal Sentencing Guidelines, the Ten Hallmarks of an Effective Compliance Program, the OIG voluntary compliance program guidance documents, and OIG Corporate Integrity Agreements (CIAs) can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. The Guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.” The compliance program guidance documents were developed by OIG to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.

It is a document well worth your consideration.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 12, 2015

Maurice Gilbert, CCI and Ten Questions A Board Should Consider About Compliance

For those of you in the compliance world who do not know Maurice Gilbert, you should. I could probably write an entire post on the number of hats that he wears. For the Chief Compliance Officer (CCO) or compliance practitioner, two of the most significant are as Managing Director at Consileum Inc., which I consider to be one of the premier compliance related search firms in America, and as Founder and Managing Editor of Corporate Compliance Insights, known as CCI in the compliance world (full disclosure – I blog and write for CCI). If you are looking for some of the country’s top compliance talent for a corporate compliance position, Maurice should be about the first person you call when even thinking about such a task. He can help you to define the scope of the position and then craft the position to attract some great talent for you to consider. Of course, you should always know one of the country’s top compliance talent recruiters because you never know when the right opportunity might be presented by a client to Maurice and you could perfectly fill the bill.

However it is his other hat that I want to highlight today. As Founder and Managing Editor of one of the top online compliance resources, Maurice leads a team that continually generates and posts some of the most insightful and useful pieces of information around the entire panoply of issues related to compliance. From my world of anti-corruption compliance, to trade-compliance, corporate boards and governance, auditing and much more, CCI is a resource you should have on your favorites toolbar. It was through Maurice and CCI that I was introduced to the writings and assorted wisdom of Jim DeLoach, who is one of my favorite contributors to read on CCI.

DeLoach is a Managing Director with global consulting firm Protiviti. He regularly writes and blogs on issues relating to Enterprise Risk Management (ERM). He put out such great material, and a plethora of it, that Maurice persuaded him to put it together for us in an eBook, entitled “Making Risk Management Work for You”. In the section entitled “10 Questions You Should Ask About Risk Management”, DeLoach lists 10 questions he says that a board and senior management should think about when considering ERM. I have used this section as a basis to reformulate the questions from a compliance perspective.

  • What are the company’s top compliance risks, how severe is their impact and how likely are they to occur? – Just as managing enterprise risk at a strategic level requires focus, the same is true for compliance. This requires you limiting your top risks to a handful so they can accurately be assessed and managed. DeLoach suggests that you should be emphasizing no more than five to 10 risks. Furthermore, “Day-to-day risks are an ongoing operating responsibility.”
  • How often does the company refresh its assessment of the top [compliance] risks? – As the Department of Justice (DOJ) continually reminds us, your compliance risk assessment process should be responsive to change in the business environment. It is now mandatory that teams have in place “a robust process for identifying and prioritizing the critical [compliance] risks, including emerging [compliance] risks, is vital to an evergreen view of the top risks.”
  • Who owns the top compliance risks and is accountable for results, and to whom do they report? – While this might seem self-evident in any best practices compliance program, it is not always clear within an organization. Clearly your CCO should own the top compliance risks and manage them, but there should also be proper board oversight and reporting. DeLoach warns, “Gaps and overlaps in risk ownership should be minimized, if not eliminated.”
  • How effective is the company in managing its top [compliance] risks? – Just how effective is your compliance regime is a key question that any CCO or compliance practitioner needs to be thinking about on a regular basis. However, for the board and senior management level, there should be “a robust process for managing and monitoring each of the critical [compliance] risks.” Moreover, your “risk management capabilities must be improved continuously as the speed and complexity of business change.”
  • Are there any organizational “blind spots” around [compliance] warranting attention? – Some practitioners believe that the entire Foreign Corrupt Practices Act (FCPA) enforcement regime is a failure because companies are still engaging in bribery and corruption. But the simple fact is that since corporations are made up with people there will always likely be wrongdoers. DeLoach notes that “Cultural issues and dysfunctional behavior can undermine the effectiveness of [compliance] risk management and lead to inappropriate risk taking or the undermining of established policies and processes.” He cites several examples including “lack of transparency, conflicts of interest, a shoot-the-messenger environment and/or unbalanced compensation structures may encourage undesirable behavior and compromise the effectiveness of risk management.”
  • Does the company understand the key assumptions underlying its [compliance] strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? – You might not think it could happen in a compliance regime, but if a company fails to recognize that its business paradigm is changing, it could be too late to effect an appropriate compliance strategy for a new product line/service offering or breaking into a new geographic territory. Here DeLoach believes that while “no one knows for sure what will happen that could invalidate the company’s strategic assumptions in the future, monitoring the validity of key assumptions over time as the business environment changes is a smart thing to do.”
  • Does the company articulate its risk appetite and define risk tolerances for use in managing the business? – This is one area that always bears discussion. For some companies there is enough business in the middle of the road that they feel like they do not have to go up to the line of a FCPA violation to garner sales, while other companies have done deals that may have been lawful but, at the end of the day, had awful consequences for the business. Just because you can do something does not mean you should do it, and a large part of such a calculus is around your risk appetite dialogue. DeLoach believes such ongoing conversations can assist to “bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, “How much variability are we willing to accept as we pursue a given business objective?” For example, separate risk tolerances may be expressed differently for objectives relating to earnings variability, interest rate exposure, and the acquisition, development and retention of people.”
  • Does the company’s [compliance] risk reporting provide management and the board information they need about the top risks and how they are managed? – Compliance reporting should begin with relevant information about the critical compliance risks and how those compliance risks are managed. DeLoach believes that some of the questions you should be asking under this prong are along the lines of the following: “Are there opportunities to enhance the [compliance] risk reporting process to make it more effective and efficient? Is there a process for monitoring and reporting critical [compliance] risks and emerging [compliance] risks to executive management and the board?”
  • Is the company prepared to respond to extreme [compliance] events? – DeLoach calls it an extreme event, but I would ask: what will you do if your company is on the front page of the New York Times (NYT), Wall Street Journal (WSJ), Financial Times (FT) or any other similar media outlet for a compliance related violation or issue? Do you have a response plan in place? More so, “Has it prioritized its high-impact, low-likelihood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?”
  • Does the board have the requisite skill sets to provide effective [compliance] risk oversight? – This goes to the heart of frustrations from both the compliance function side and the board side of the equation. Do your board and senior management have specific FCPA or other relevant anti-corruption training, and do they understand your business model well enough to provide input regarding critical compliance risk issues on a timely basis? From the board’s perspective, they may feel the information they receive is asymmetrical and that they do not receive enough material information to render good decision-making. From the CCO or compliance practitioner’s perspective, they may feel that they cannot get enough time in front of the board, audit committee or senior management to properly educate them on the issues.

I have only scratched the surface of DeLoach’s thoughts on ERM. I urge you to go to the CCI site and download the entire work. Did I mention the best thing about CCI and DeLoach’s book? It is free on the CCI site. So after you download DeLoach’s book, stick around on the site and noodle around to find something that interests you or could be of assistance in your compliance practice. Don’t forget to check out CCI’s job listings, because Maurice has that other hat that he wears as well.


© Thomas R. Fox, 2015

February 18, 2014

Board Investigations and the Curse of the Mummy’s Tomb – Part II

Yesterday I began an exploration of a recent article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP. In Part I, I reviewed the authors’ five key objectives, which they believe a board must pursue to ensure a successful investigation. Today, I will look at the authors’ seven considerations to facilitate a successful board investigation.

1. Consider whether you need independent outside counsel

The authors consider that the appearance of partiality “undermines the objectivity and credibility of an investigation.” That means you should not use your regular counsel. The authors cite the Securities and Exchange Commission (SEC) analysis of how independent board members truly are to explain the need for independent counsel. They state, “the SEC considers the following criteria when determining whether (and how much) to credit self-policing, self-reporting, remediation and cooperation”, which consist of the following factors:

  • Did management, the board or committees consisting solely of outside directors oversee the review?
  • Did company employees or outside persons perform the review?
  • If outside persons, have they done other work for the company?
  • If the review was conducted by outside counsel, had management previously engaged such counsel?
  • How long ago was the firm’s last representation of the company?
  • How often has the law firm represented the company?
  • How much in legal fees has the company paid the firm?

As Andre Agassi might say, ‘perception is reality’.

2. Consider hiring an experienced “investigator” to lead the internal investigation

Noted internal investigation expert Jim McGrath has written and spoken about the need to utilize specialized counsel in any serious investigation. If a board is leading an investigation, I would submit that by definition it is serious. The authors say that your investigation needs to be led by a lawyer with significant experience in conducting internal investigations; a strong background in criminal or SEC enforcement; and substantive experience in the particular area of law at issue. These traits are needed so that your designated counsel will think like an investigator, not like an in-house lawyer or civil litigator.

3. Consider the need to retain outside experts

In any Foreign Corrupt Practices Act (FCPA) or other anti-corruption investigation, there will be the need for a wider variety of subject matter experts (SMEs) than a compliance professional. The authors correctly recognize that “if there are accounting issues, forensic accountants might be needed. In this day and age, an electronic discovery consultant is often required, and can be a cost effective option for gathering and processing electronic data for review.” These types of investigations will most probably be cross-border as well, and this will require other varieties of expertise. The authors caution that, “The lowest bid may not necessarily be the best for a particular investigation. While cost is important, understand the limitations of each consultant and, with input from your investigator, determine which consultant best meets your goals.”

4. Analyze potential conflicts of interest at the outset and during the investigation

The authors see two types of conflicts of interest that may come to light during an investigation. The first arises when the law firm or lawyers conducting the investigation are those whose prior legal advice has some bearing on the matters being investigated, because a company’s regular outside lawyers represent the company. During an internal investigation, however, the lawyers may be hired by, and represent, the board or its committee. The second occurs when a lawyer or law firm jointly represents the board and employees at the company, as regulators have become increasingly concerned with joint representations. Moreover, “The trickier question is what to do when there simply is a risk that representing one client could limit the lawyers’ duties to the other.” So in these situations, joint representation may not be appropriate.

5. Carefully evaluate whistleblower allegations

With the advent of Sarbanes-Oxley (SOX) and Dodd-Frank, whistleblowers have become more important, and taking their allegations seriously is paramount. This does not mean trying to find out who the whistleblowers might be in order to punish or stifle them, even if they are located outside the United States and therefore do not have protections under these laws. They can still get hefty bounties. The authors recognize that “companies run into problems when whistleblower allegations are discounted, if not outright dismissed, especially if the whistleblower has a history of causing trouble or is perceived as incompetent. When this type of whistleblower makes a claim, it is easy to presume ulterior motives.” While such motives might exist, it does not matter one iota when it comes to the investigation, as “Regulators are very wary of boards that do not satisfactorily evaluate a whistleblower’s complaint based on a perception of the whistleblower himself, as opposed to the substance of the complaint.”

6. Request regular updates from outside counsel, without limiting the investigation

These types of investigations are long and very costly. They can easily spin out of cost control. But by trying to manage these costs, a board might be perceived as placing improper limits on the investigation. The “goal is to strike the right balance between the cost of the investigation and its thoroughness and credibility.” To do so, the authors advise that flexibility is an important ingredient. A board can begin the project with an agreed upon initial scope of work and then “revisit the scope of work as the investigation progresses. If conduct is discovered that legitimately calls for expanding the scope of the investigation, then the board can revisit the issue at that point. Put another way, the scope of what to investigate is not a static, one-time decision. It can, and usually does, evolve.” By seeking regular updates and questioning counsel on what they are doing and why, directors can manage costs while at the same time ensuring that the investigation is sufficiently thorough and credible.

7. Consider whether an oral report at the conclusion of the investigation is sufficient

While there may be instances in which, due to the complexity and nature of the allegations involved, a written report is necessary, the authors believe that there may be times when an oral report delivered to a board is better than a written report because, although “a written report may be easier to follow and appear to be the logical conclusion to an investigation, it is an expensive and time-consuming endeavor, and it comes with great risk.” The authors indicate three reasons for this position.

First, it is much easier to inadvertently waive the attorney-client privilege if a written report is created, and in the wrong hands such a written report may well create “a road map to a plaintiff” in any shareholder action. Second, once those findings and conclusions are written they may become “set in stone. If later information comes to light that impacts the report’s conclusions, altering the conclusions may undermine the credibility of the entire investigation. So, retaining flexibility to change the findings if further information is later learned is a real advantage of an oral report.” Third, and finally, “it takes time to prepare a well-written and thorough report. When an internal investigation must be conducted quickly, spending time to prepare a written report may not be an efficient use of time.” For all of these reasons, and perhaps others, an oral report presented to the board and documented in the Board of Directors meeting minutes may be sufficient.

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.” I would only add that by following some of the prescriptions set out by Bayless and Albarrán your Board might also avoid the fate that befell Lord Carnarvon and the Curse of the Mummy’s Tomb.


© Thomas R. Fox, 2014

June 14, 2013

Lunch with the FCPA Compliance & Ethics Blog – Phil Wedemeyer and the Audit Perspective in Compliance

One of my weekend reading pleasures is the Saturday section in the Financial Times (FT) entitled “Lunch with the FT”. Each week, this column presents an interview with a leading cultural or business figure. In addition to an excellent interview with fascinating people, the column discusses the food served and lists the prices of all items purchased. The column is so smartly done that even the Men In Blazers talk about it in their weekly podcasts on all things soccer.

Since imitation is the most sincere form of flattery, today I will inaugurate a “Lunch with the FCPA Compliance and Ethics Blog” series of posts. While it will not be a weekly feature, nor will I detail the costs for lunch, I will commit to you that the cost will be in line with that of a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program business entertainment lunch. My inaugural guest is Phil Wedemeyer, who is a retired former partner of a Big Five accounting firm (when there was a Big 5) and the former Director of the Office of Research and Analysis at the Public Company Oversight Accounting Board, and who currently sits on the Board of Directors of two corporations: one public, where Phil is the Chairman of the Audit Committee, and one private. As you might guess from someone with such a professional background, Phil tends to view things through the prism of an audit perspective.

This week Phil and I sat down for a couple of Houston’s finest cheeseburgers to catch up. Phil asked me what might be happening on the FCPA front, and I told him that I thought the news about the National Security Agency (NSA) information collection programs was going to make the job of the compliance practitioner more difficult. Many of America’s allies are up in arms over not only the collection of information but also the revelation that such collection of information can be used in monitoring FCPA compliance across the globe. I think this will mean that companies will face stricter data privacy laws and have more difficulty not only getting information out of foreign countries and into the US for evaluation but even in collecting certain types of data and information.

Greater Board Oversight Required?

Phil had another take on it, which I found equally interesting. He questioned whether this information about the US government could put an additional burden not only on the compliance practitioner but on a board of directors. When I asked him what he meant by this, he put it as a question: if a company had reliable information that the US government was employing oversight techniques to search for evidence of bribery and corruption (or non-compliance with other laws or regulations) beyond more traditional law enforcement techniques (e.g., whistleblowers, self-disclosure and competitor reporting), should this cause that company to increase its oversight of compliance with the FCPA? In particular, more comprehensive government monitoring activity could increase the chances of discovery of the types of illegal activities at lower levels of the company that are a primary target of whistleblower procedures and that may not always be known to upper-level management. If so, would this change in risk put a director on notice that they need to perform additional oversight of the compliance function?

Transaction Analysis

Phil also inquired about any trends that I might have seen over the past six to 12 months on FCPA enforcement. I told him that one of the things I have seen is the introduction of transaction monitoring, beginning with the Morgan Stanley declination. I then discussed the Eli Lilly enforcement action and particularly the bribery scheme used in Poland where charitable contributions were made to a charity run by the head of a provincial health service. This led to sales spiking in that province rather dramatically. These cases, and some others, have led me to advocate that companies engage in transaction monitoring from the compliance perspective to identify any anomalies.

Phil’s observation here was once again based on his auditing background. He said that, in considering variations in operating results as a director, he asks two questions of management: What happened and how do you know? In answering these questions, it is clearly important that management understands the business cause of significant sales increases and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. Phil thought analysis of variations needs to occur at the level at which the sales increase was material. As an example, he conjectured that, in the Lilly scenario, such a sales spike would likely not be material to the company’s consolidated financial statements or, for that matter, to the European business unit. However, such a sales increase would most probably be material for the country of Poland and certainly for the province in which the sales increase occurred.

Once the material level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on business entertainment or other specific categories; and were charitable donations made to any non-core business charities, along with other questions, might help to get at the true underlying reason for a sales spike. Further, a company should review its findings in subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods? The answer to such a question might identify red flags indicating the need for further review.
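The two ideas above, analysis at the level where the variance is material and confirmation in subsequent periods, can be turned into a simple monitoring routine. The following is an added illustration, not the author's or any vendor's code. All sales and spend figures are constructed sample data (monthly, in thousands of USD) for one province rolling up to a country, a region and the consolidated company, and the 5% materiality, 25% spike and 3x spend-jump thresholds are assumptions a real program would set for itself.

```python
"""Materiality-level variance analysis for compliance transaction monitoring.

Added illustration, not the author's or any vendor's code. All figures below are
constructed sample data (monthly net sales in thousands of USD) so the example
runs offline; the 5% materiality and 25% spike thresholds are assumptions.
"""
from statistics import mean

# Constructed monthly sales, Jan..Dec, for the lowest reporting unit (one
# province). The step-up from July (index 6) onward is the anomaly to explain.
PROVINCE = [120, 118, 125, 122, 119, 124, 600, 640, 610, 660, 680, 690]

# Constructed sales of everything else at each roll-up level, excluding what
# rolls up from the level below. Roll-ups are then computed, so the same
# absolute increase is present at every level and only its materiality differs.
OTHER = {"poland": [800] * 12, "europe": [11_000] * 12, "consolidated": [38_000] * 12}
HIERARCHY = ["province_x", "poland", "europe", "consolidated"]  # lowest unit first


def roll_up(province, other):
    """Build the sales series for each level by adding that level's other units."""
    sales = {"province_x": province}
    below = province
    for level in HIERARCHY[1:]:
        below = [b + o for b, o in zip(below, other[level])]
        sales[level] = below
    return sales


SALES = roll_up(PROVINCE, OTHER)

# Constructed spend categories for the province, same months.
SPEND = {
    "marketing": [10] * 12,
    "entertainment": [2, 2, 3, 2, 2, 3, 9, 11, 10, 12, 12, 13],
    "charity_noncore": [0, 0, 0, 0, 0, 0, 40, 45, 42, 50, 52, 55],
}


def trailing_baseline(series, idx, window=6):
    """Mean of the periods before idx: the 'what did we expect' figure."""
    return mean(series[max(0, idx - window):idx])


def pct_variance(series, idx, window=6):
    """Relative change of period idx against its trailing baseline."""
    base = trailing_baseline(series, idx, window)
    return (series[idx] - base) / base


def first_spike(series, threshold=0.25, window=6):
    """Index of the first period whose variance exceeds the spike threshold, or None."""
    for i in range(window, len(series)):
        if pct_variance(series, i, window) >= threshold:
            return i
    return None


def material_levels(sales, hierarchy, idx, threshold=0.05, window=6):
    """Levels (lowest first) at which the period's variance exceeds materiality.
    These are the levels at which questions should be asked and answered."""
    return [lvl for lvl in hierarchy if abs(pct_variance(sales[lvl], idx, window)) >= threshold]


def sustained(series, idx, periods=3, threshold=0.25, window=6):
    """True if the step-up is still present for `periods` periods after idx."""
    floor = trailing_baseline(series, idx, window) * (1 + threshold)
    after = series[idx + 1:idx + 1 + periods]
    return len(after) == periods and all(v >= floor for v in after)


def spend_red_flags(spend, idx, multiple=3.0, window=6):
    """Spend categories that jumped alongside the sales spike. A category that was
    zero before and is non-zero now is flagged as well (a zero baseline has no ratio)."""
    flags = []
    for name, series in spend.items():
        base = trailing_baseline(series, idx, window)
        now = series[idx]
        if (base == 0 and now > 0) or (base > 0 and now / base >= multiple):
            flags.append(name)
    return sorted(flags)


def review_period(sales, hierarchy, spend, idx):
    """Assemble the follow-up a compliance reviewer would take to management."""
    lowest = sales[hierarchy[0]]
    return {
        "period": idx,
        "material_levels": material_levels(sales, hierarchy, idx),
        "sustained": sustained(lowest, idx),
        "spend_red_flags": spend_red_flags(spend, idx),
    }


if __name__ == "__main__":
    spike = first_spike(PROVINCE)
    print(review_period(SALES, HIERARCHY, SPEND, spike))
```

With the constructed data the July variance is material for the province and for Poland but not for Europe or the consolidated company, which is the pattern described above; the increase is sustained in the following quarter, and the entertainment and non-core charity lines jump in the same month, so the sustained increase alone does not close the question.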

One of the key things that I learned from my lunch is the need for the compliance practitioner to talk to other, non-compliance professionals to get their perspectives on how they view issues. So, just as I had lunch with Phil Wedemeyer, you could take the head of your internal audit group out for a lunch and chat; or HR; or IT. The list of possibilities is lengthy. I hope that you have enjoyed my inaugural “Lunch with the FCPA Compliance and Ethics Blog” as much as I have enjoyed bringing it to you.

———————————————————————————————————————————————————————-

I will be discussing transaction monitoring on a free Webinar entitled, “A Winning Strategy for Automating FCPA Compliance” hosted by SAP, next Wednesday, June 19 at 2 PM EDT. For registration and information, click here.

———————————————————————————————————————————————————————-

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

April 10, 2012

What is the Role of a Board of Directors?

Aeschylus was the first of the three ancient Greek tragedians whose plays can still be read or performed; the others are Sophocles and Euripides. He is often described as the father of tragedy. In his life he fought for the Athenian democracy, most notably at the Battle of Marathon. When asked if he wanted to be remembered for his plays or his service to his country, he responded by having the following epitaph inscribed on his burial site: “Beneath this stone lies Aeschylus, son of Euphorion, the Athenian, who perished in the wheat-bearing land of Gela; of his noble prowess the grove of Marathon can speak, and the long-haired Persian knows it well.” Sometimes it is the simple rather than the complex that we should focus on and, for my money, the epitaph of Aeschylus is one of the classic examples.

One of the ongoing topics for various Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption and anti-bribery compliance conferences is what information a Board of Directors wants or needs for oversight of a compliance program. However, today I would like to step back and focus on the initial question of “What is the role of a Board of Directors?” In a recent preliminary draft of a White Paper entitled “Corporate Governance of Social Enterprises” (herein “the White Paper”), a group of European authors, Ann-Kristin Achleitner, Judith Mayer, Andreas Heinecke, Mirjam Schöing and Abigale Noble (collectively “the authors”), explored this most basic question and others, including such topics as Board of Directors make-up and selection; Board of Directors meetings and management of the Board; and its relationship with a company’s management.

A Board of Directors will probably have an Audit Committee or Compliance Committee. I would like to focus on the role of the entire Board of Directors, rather than a specialized subcommittee. Reviewing the role of a Board of Directors within an organization should shed light on the types of information that a compliance officer should be prepared to present to the Board. Starting with the proposition that a “well run Board can lift a significant burden off of the management team in the short-term and ensure the long-term success” of an organization, the authors posit three general areas. They are (1) Support; (2) Supervision; and (3) Approval of Management Decisions.

Support

In the area of support a Board of Directors should provide strategic guidance but should not simply take what management may tell it or even feed to it. A Board member must be ready to challenge management, particularly the Chief Executive Officer (CEO). A Board must hold the CEO accountable for running the company’s business but should not go so far as to become bogged down in the day-to-day details of running the company.

Supervision

Here a Board of Directors should monitor the performance of management against prescribed benchmarks. The financial bottom line is obviously a key performance indicator. However, there are other areas which the Board will need to monitor. Clearly the compliance arena is now one which a Board must become familiar with and have visibility into but there may well be a variety of other legal issues, such as regulatory or even intellectual property protection in a situation where a company’s main, if not only asset is some type of intellectual property. This should be broad enough to ensure that management complies with its own governing documents. The authors note that ideally Boards should “have a list of the compliance requirements and periodically check if they are being met.”

Approval of Management Decisions

The authors believe that betwixt and between the concepts of Support and Supervision lies the area where a Board must approve certain management decisions. Board approval of these decisions should “serve to guarantee conformance with the overall mission” of the organization. While each organization could certainly have a greater number of these areas, the authors believe there are basic areas that, at a minimum, should require Board approval. These areas are:

  1. The organization’s annual budget;
  2. Decisions on significant financing and significant changes in the ownership structure;
  3. Succession planning for the CEO and remuneration as well as key members of the company’s management team; and
  4. Decisions about overall company strategy.

The authors provide a summary of some of a Board’s “Do’s and Don’t’s” which I have put into the following box:

DO’s
  Define success with the Board
  Let Boards create their own agenda
  Direct questions to specific members
  Focus on shaping the future of the organization
  Invite external experts

DON’T’s
  Spend time on the trivial
  Short-term and reactive bias
  Overly involve the Board
  Just review the past
  Let company executives control the Board

The authors end their White Paper with a very useful Appendix of country-by-country listing of corporate governance guidelines and codes of best practices for Boards of Directors.

While the White Paper has a focus on social enterprises, the concepts that it puts forward can inform the types of information that you, as a compliance officer, can suggest your organization’s Board of Directors begin to review. In the US and UK, many Boards will have an Audit or Compliance Committee, which will desire more detailed information. A report, annual or other, to a full Board of Directors is an important component of a minimum best practices compliance program. The compliance function should be prepared to lead your company’s Board through this journey.


© Thomas R. Fox, 2012

October 13, 2011

Telling the Board what it needs to know Regarding Compliance – The Pfizer Experience

In an article in the July issue of Compliance Week Magazine, entitled “Telling Your Board What it Needs to Hear”, author Arielle Bikard discusses the views of Pfizer Inc’s Chief Compliance Officer (CCO), Douglas Lankler, on how he keeps the Pfizer Board of Directors up to date on compliance issues. There are many articles which focus on the information that a Board of Directors may want to receive; this is one of the few which focuses on the issues from the perspective of the CCO.

Reporting Structure

Due to a recent compliance enforcement action, Pfizer was forced to separate its compliance function from its legal function, and Lankler began to report directly to the Board. This has led to a tripartite level of reporting at the Board level. There is a monthly meeting of the Audit Committee, to which he reports by telephone, and bi-monthly in-person meetings, to which Lankler also reports. There is also a special Board-level committee dedicated to regulatory and compliance issues, to which Lankler began reporting in June. Lankler also submits an annual report to the full Board.

What is Measured and How is it Presented

Lankler noted that the Pfizer Board is “very concerned about how the company is measuring improvements in the compliance function.” To provide this information, Lankler measures the results of inspections during internal monitoring and auditing. He provided the example of whether a country assessed received a “generally satisfactory” rating as opposed to the lesser rating of “satisfactory”. He is also measured on “how much bad stuff I prevent from happening.” To determine this metric, Lankler brings in “external environmental considerations” which look at what is happening in the industry and what his and Pfizer’s peers may be facing from the compliance perspective.

Lankler believes that the key to reporting is to provide sufficient information presented in a manner which puts the emphasis on what is important. To achieve the latter, he prepares a tracking chart and uses a red, yellow and green dot next to each line of information. He believes that this allows the conversation with the Board to be directed “in a way that makes sense.” If he adds to or subtracts from the tracking chart, “the change and its cause are highlighted in a memo to the Board.”

The annual report which is submitted to the Board comes in at 30 pages or so. In it, Lankler sets out four different areas which he believes that a Board needs to review on an annual basis. They include: (1) his views on what he believes to be the most significant compliance risks to the company, (2) his opinion on whether the program has sufficient resources to achieve what is necessary in managing these risks, (3) his belief on the “health of the organization from a compliance perspective”, and, finally, (4) his perception of management’s commitment to compliance.

Lankler’s Lessons Learned

Lankler also gave some lessons learned about what he believes the CCO should tell the Board. It is important that the CCO share information with the rest of management, in advance of the Board meeting, creating transparency. As the CCO works with the General Counsel, outside legal counsel and the outside external auditors quite closely throughout the year, he must work with them closely during the preparation of the annual compliance report. Lastly, and, from my experience, always the one which is most important in any relationship with senior management or the Board: make sure there are NO SURPRISES.

=======================================================

I have been honored to be nominated as one of the Top 25 Business Blogs of 2011 by LexisNexis. If you would like to support my nomination, please comment on the announcement post on our Corporate & Securities Community.


© Thomas R. Fox, 2011

May 18, 2011

20 Questions Directors Should Ask about Compliance Committees

What are some of the questions that the Board of Directors should be asking? We posit that a large public company should have a Compliance Sub-Committee of Board members. We list 20 questions below which reflect the oversight role of directors, a role that includes questioning both senior management and themselves. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

The comments summarize current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Compliance Committee

1. What are the Compliance Committee’s responsibilities and what value does it bring to the board?

2. How can the Compliance Committee help the board enhance its relationship with management?

3. What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee

4. What skill sets does the Compliance Committee require?

5. Who should sit on the Compliance Committee?

6. Who should chair the Compliance Committee?

Part III: Directed to the Board

7. What is the Compliance Committee’s role in building an effective compliance program within the company?

8. How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?

9. How long should directors serve on the Compliance Committee?

10. How can the Compliance Committee assist directors in retiring from the board?

Part IV: Enhancing the Board’s Performance Effectiveness

11. How can the Compliance Committee assist in director development?

12. How can the Compliance Committee help the board chair sharpen the board’s overall performance focus?

13. What is the Compliance Committee’s role in board evaluation and feedback?

14. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?

15. Should the Compliance Committee have a role in chair succession?

16. How can the Compliance Committee help the board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committees

17. How can the Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?

18. What is the Compliance Committee’s role in CCO succession?

19. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?

20. How can the Compliance Committee help the board in deciding CCO pay and bonus?

We hope these questions may lead to further discussions and debate on the role of the Board in a company’s overall compliance program. We invite any reader to comment on these and add their own questions which may lead to further dialogue and inquiry for a Board or Compliance Committee.


© Thomas R. Fox, 2011
