It’s the board’s fiduciary responsibility to make sure an organization has an effective and well-maintained corporate compliance program. But when there are multiple risk owners and countless data points, how can they be sure it’s working?
Harvard Law notes that a landmark decision of the Delaware Chancery Court some 25 years ago was the driver for making it a fiduciary duty of a board to make sure the organization has an effective corporate compliance program in place. The board must also maintain oversight of that program and keep current on its content and operation.
But how can boards maintain a proper pulse on the organization’s compliance programs when faced with growing risks like cybersecurity, corporate culture, and corporate social responsibility? How can they ensure that compliance failures or scandals are mitigated swiftly and corrective steps are taken?
Delegate risk ownership but maintain a hands-on approach
Of course, the board doesn’t directly “own” many of these risks, but risk oversight is one of its most critical jobs. According to a recent Deloitte Board Practices Report, the delegation of risk ownership by the board is a common corporate practice. Although boards delegate risk, it’s imperative that they maintain a hands-on approach. A failure to do so exposes both the board and the organization to potential inaccuracies and inconsistencies in the management and reporting of risk. This opens the board up to compliance failures, possible fines, and at worst, organizational failures.
Allocation of risk, source: Deloitte Board Practices Report, 2019.
So, how can boards balance the requirement to delegate with the need to maintain adequate oversight? This can be achieved by:
- Crafting and communicating clear deliverables in terms of risk management
- Having a common methodology and tools for regular reporting on risk management
- Continuing education for both employees and the board to stay current on risk and compliance
- Mandating committee/individual risk owners to report on risks regularly at board meetings
- Asking the tough questions.
Require consistent, accessible, real-time corporate compliance reporting
When assigning various committees or individuals oversight for portions of an overall corporate compliance program, boards will also need to establish a consistent and clear method of communication.
This should be done in such a way that the board can:
- Access real-time reporting and metrics at any given moment
- Have consistency in the layout, metrics, and reporting style
- Instantly understand what is being reported through additional commentary
- Provide evidence that the assigned individuals or committees are monitoring and managing the risk
- Drill down deeper into results, controls, or risks if something requires a closer look.
This is where a single, unified software platform like HighBond can add value. With people in place and the processes defined, you need to connect these different teams and/or committees and bring together all that risk data into a one-stop shop for management reporting. HighBond enables the creation of a board-level “storyboard” where both risks and opportunities can be illuminated and where directors and management can easily drill into any outlier to find out what’s behind it. The overall result is that the corporation’s compliance posture is quickly communicated and easily understood.
Example of a HighBond storyboard detailing security awareness training compliance.
When issues are flagged, the board is also responsible for making sure those issues are investigated thoroughly and independently. So, being able to click into a specific issue and drill down is key.
Evolve from “tone at the top” to “checks and balances”
As our world evolves, so do the business risks we encounter and the ways that boards must manage them. In fact, the American Bar Association recently suggested that organizations should move away from a “tone at the top” approach, and instead take one of “checks and balances.”
They argue that “a substantive checks and balances approach addresses the roles, responsibilities, and relationships among the key elements and players in a firm’s governance, controls, and oversight system.” As we’ve seen in a number of cases, a lack of effective oversight creates a situation ripe for misconduct because leaders can feel entitled to do what they please. As of January 2020, there are over one million Google results for “CEO misconduct”—stories of failed tone at the top, including Smith & Wesson, Best Buy, and Nissan, just to name a few.
Boards should take the lead in creating, implementing, and carrying out those checks and balances. This is not a spectator sport. Effectively delegating risk management while maintaining regular reporting on risks are tangible, clearly defined activities that actually influence the far-less-tangible “tone at the top.”
Three steps boards can take
To recap, here are three practical ways that boards can get a handle on an organization’s compliance program:
- Delegate risk ownership but maintain a hands-on approach
- Require consistent, real-time, accessible reporting
- Evolve from “tone at the top” to “checks and balances.”
By implementing these steps, along with technology, boards become equipped with the right balance of information to review, identify, and follow up on issues before they become serious problems. This will also help facilitate open and effective dialogue around how the organization handles risk, and create a deeper level of accountability for all of the risk owners.
If your organization has the people and the processes in place, the next logical step is to bring in the software. That’s where we can help. Learn more about our ComplianceBond solution.