‘Red Flags’ of Compliance Program Ineffectiveness



By Michael W. Peregrine

Michael W. Peregrine, a partner at McDermott Will & Emery, advises corporations, officers and directors on matters relating to corporate governance, fiduciary duties, and officer-director liability. He is the co-author of a series of three monographs on board oversight of corporate compliance, published jointly by The American Health Lawyers and the Office of Inspector General, Department of Health Services. The views expressed herein do not necessarily reflect the views of McDermott Will & Emery or its clients.

In her recent Bloomberg column, the well-known compliance advisor Hui Chen offered her perspective on “leading indicators... of ineffective and outdated compliance programs”. Some of these were based in organizational style (e.g., “Lack of Financial Discipline”); some were orientation-based (e.g., “Legal Dominated Compliance”; “Citing Sentencing Guidelines as the Standard”); some were structural in nature (“Single Statute Compliance”); and some were technical (e.g., “Counting Training Completion Rate”; “Focus on Due Diligence”). They were all notable.

Ms. Chen’s perspective was a helpful contribution to the ongoing and important dialogue on the elements of an effective plan. But to those charged with the ultimate responsibility for program effectiveness—the board of directors—there may be other, more practical and recognizable indicators of program distress. These are indicators more likely to resonate with directors increasingly selected because of the diversity of their background and experience rather than technical industry expertise. They are the basis of useful questions by directors, and include the following:

Tone at the Top. One of the most fundamental signals of “ineffectiveness” is where the board doesn’t “back” its commitment to compliance by its deeds (not just by its words). Examples include tolerating the promotion of individuals with identified compliance deficiencies; allowing significant board level conflicts to go unresolved; excessive deference to risk-insensitive executives; downplaying “fitness to serve” issues of individual board members; and failing to be visible in compliance program messaging and programming with large segments of the employee population.

Fifteen Years of Fame. Directors need to be alert to discreet C-Suite signs that corporate compliance may no longer occupy the highest level of interest amongst executive leadership; that it is no longer the principal corporate imperative that it once was—and may need to be—in order to compete with other legitimate organizational initiatives for leadership attention and support. It’s a natural executive response to organizational priorities. But it is one that the board, as an extension of its compliance oversight obligations, must strongly resist.

The Marginalized CCO. There is perhaps no single, more obvious indicator of effectiveness than that which is plain from the organizational chart—the chief compliance officer’s hierarchical position. “Yellow flags” should arise for the board if the CCO’s title reflects a management level that is third or fourth tier; i.e., a “Manager”; an “Assistant Vice President”; a “Supervisor”, or other position consistent with mid-level management. Boards should intuitively recognize the program “disconnect” when its chief compliance officer holds a position that lacks organizational significance.

The Overly Busy Committee. Another obvious “ineffectiveness” indicator arises from the agenda/minutes of the board committee responsible for compliance program oversight. If compliance issues are not filling at least 50% of the committee’s time and attention, it may be a problem. This can often be the case when compliance oversight is assigned to a committee with dual responsibilities, such as “Risk & Finance” or, more commonly, “Audit & Compliance”. It’s not that dual subject committees can’t work; rather, it’s when one of the subjects is compliance that the allocation of time and energy becomes critical.

Missing the Signs. Board-level compliance and other legal/risk oversight responsibilities will certainly be unsuccessful if the participating board or committee members lack the ability to identify warning signs of either program weaknesses, or of specific compliance/risk concerns. The best information reporting system in the world won’t help if board members are not trained to recognize “yellow and red flags” of misconduct or noncompliance. The board and management must work together to educate directors on how best to identify problematic circumstances.

Nobody’s Calling. Another very obvious indicator is the “Hot Line” or other private conduct disclosure mechanism established by the company. In a corporate environment that should be encouraging employees to take advantage of confidential vehicles to report allegations of misconduct, the historical trend line of “Hot Line” activity is an easy way to measure compliance program effectiveness. If the volume of calls is diminishing, or if the timeliness of substantive response is decreasing, that’s a pretty fair signal to the board that something isn’t quite right in terms of how the program is interacting with employees.

The Same (Risk) Page. There should be no confusion between the board and executive leadership that compliance and risk management are a shared responsibility. The board and its senior executives are expected to reach a consensus on the company’s risk profile and its manifestation in corporate strategy. Senior executives must understand that, while the board will not become involved in daily compliance and risk management, it will make sure that executives are guiding corporate affairs consistent with that risk profile. If they aren’t, that’s a problem.

No Downstream Credibility. If employees don’t believe in the company’s compliance program, that’s a major indicator of ineffectiveness. The Department of Justice has historically considered whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it. It’s pretty easy for the board to check this aspect of program credibility—ask for what employee surveys, “town hall meetings” and employee evaluations have to say on the subject (and if those forums don’t ask the question, they should).

Lost in ERM. A slightly more nuanced indicator is how corporate compliance is treated as part of an organization’s enterprise risk management program. Given how ERM programs are often developed (and by whom), there is significant concern that ERM implementation may serve, intentionally or unintentionally, to reduce the prominence of the existing internal corporate compliance infrastructure. In an effective regulated industry ERM program, all material risks are relevant, but legal compliance risks—and their infrastructure—should be more relevant than others.

Lessons Learned. Lack of evidence that the company has learned from its compliance mistakes is another easy-to-recognize sign of compliance program ineffectiveness. The Department of Justice has historically attributed value to steps taken by the compliance program in light of “lessons learned” from prior legal or compliance incidents. These are often manifested in remedial actions taken by the corporation against compliance violators, compensation or employment status penalties, and revisions to the actual corporate compliance program. This is an easy line of effectiveness questioning by the board.

Duty Confusion. This is the risk of confusion and conflict that can arise when there is lack of clarity on program duties between the three key officers whose job description legitimately touches corporate compliance: the compliance officer, the general counsel and the internal auditor. Such clarity must exist not only between these three officers, but also for the rest of the management team and the board. While it is executive leadership’s responsibility to assure that there is appropriate clarity of roles and responsibilities, it is crucial for program effectiveness reasons that the board/A&C committee monitor management’s efforts in this regard.

Culture Clash. This is the primary lesson to corporate boards from the Wells Fargo controversy: the very real potential within organizations for significant conflict between corporate culture on the one hand, and business realities and incentive goals on the other. In this case, the company’s cultural and compliance foundations were neutered by what the outside investigative report described as “significant, and in some cases extreme, pressure on employees to meet or exceed their [sales] goals”. Many employees believed their advancement was linked to achievement of those goals, no matter how unrealistic those goals were. The board should know to monitor the potential for such a “culture clash”.

A Decentralized Structure. This is the second main compliance lesson from Wells Fargo—how a decentralized corporate structure contributed to the company’s sales model controversy. This structure featured a culture of deference to the management of individual business lines, including with respect to matters of oversight, risk and compliance. The culture became problematic to the extent it prevented any coordinated effort at the banking business unit to address emerging compliance issues, and obscured the ability of executives to view sales model issues in a broader context. “Compliance” should be a topic that pops up when directors are reviewing the corporate chart.

Resource Disconnection. This is the third main compliance lesson from Wells Fargo—the fundamental obligation of the board to assure that the compliance program is commensurate in terms of scope and resources with the company’s size and complexity, and business strategies. Business initiatives that require more compliance resources and monitoring than can reasonably be made available by the company should not be pursued. The board should know whether the company has the compliance “tools” to monitor “the job”.

The Smartest Guys in the Room. This is a question of leadership composition. It’s been almost 17 years since Enron became the biggest corporate scandal in American history and prompted the corporate responsibility environment that recalibrated corporate governance and its relationship to corporate compliance. It’s not necessarily a good thing if the board and the executive leadership team don’t include as members individuals who held similar positions during that era; who remember the failures of leadership and who understand the crucial value of compliance.

Technical and complex, these indicators are not. But experience suggests that they are meaningful. They are capable of being recognized by the average board member, whether or not she has experience with the audit or compliance function. For the board’s responsibility for compliance program effectiveness is quite clear, and its exposure for program failure is very real.

And, despite Ms. Chen’s criticism, there is precious little direction on program effectiveness beyond what is available in the Sentencing Guidelines, DOJ’s 2017 monograph and a few cases and enforcement actions (e.g., Wells Fargo).

Ms. Chen performs a great service by raising the issue of compliance program ineffectiveness. A series of recent public comments by DOJ officials, including Deputy Attorney General Rod J. Rosenstein, serve to strongly endorse the overarching value of a compliance program. For example, the newly announced willingness of DOJ to apply leniency to corporations in criminal investigations is grounded in part on the presence of a robust compliance program. In addition, DOJ’s new internal Working Group on Corporate Enforcement and Accountability will focus in part on corporate compliance.

For these and other reasons, corporate board members benefit from practical guidance on satisfaction of their Caremark obligations, and on the need to address compliance program weaknesses.

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.