Board Oversight of Compliance Risk

Recent guidance from the Department of Justice shines light on the importance of corporate compliance efforts.

Recent guidance from the U.S. Department of Justice (DOJ) signals a more aggressive approach to corporate crime through heightened expectations about the pace of corporate internal investigations and related disclosures to DOJ.
The guidance underscores that to avoid prosecution or at least minimize penalties in the event of a significant compliance failure, corporations must self-report compliance problems early and provide information about the senior executives involved. Boards of directors that decide to pare back on compliance efforts on the theory that “what isn’t detected can’t be reported” would be seriously misguided. Rather, boards should review whether the corporation’s ethics and compliance systems (including related policies and training programs) are well-designed to position the corporation to detect problems. They should also consider self-reporting early if they want to get full cooperation credit from the DOJ.

New DOJ Guidance Prioritizes Investigation of Individuals and Timely Disclosures

On Sept. 15, 2022, Deputy Attorney General Lisa Monaco issued a memo providing guidance on the DOJ’s corporate enforcement policy (the Monaco memo), building on prior DOJ guidance. The Monaco memo reaffirms that when a corporation voluntarily self-discloses, fully cooperates and promptly remediates, absent aggravating factors, the DOJ will not seek a guilty plea from the corporation. It also emphasizes the DOJ’s interest in pursuing individuals who engage in misconduct: “The Department's first priority in corporate criminal matters is to hold accountable the individuals who commit and profit from corporate crime.”
This emphasis on individual misconduct shapes the DOJ’s definition of corporate cooperation. Specifically, to receive full cooperation credit, a corporation must timely produce “all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.” This includes prioritizing the production of evidence to the DOJ that is most relevant for assessing individual culpability, including “information and communications associated with relevant individuals during the period of misconduct.” 

The guidance directs prosecutors to try to complete investigations into individuals (and seek appropriate criminal charges if any) prior to, or simultaneously with, resolution of the matter with the corporation. Prosecutors must also specifically assess whether the corporation cooperated in a timely manner prior to resolution. In assessing timeliness, prosecutors are to consider whether the corporation unduly or intentionally delayed its production of relevant information. Even where the corporation shares significant facts, delay in disclosure to the DOJ places eligibility for cooperation credit in jeopardy. (Note that the DOJ intends to update the Justice Manual to provide consistent guidelines for cooperation credit.)

In prior guidance, the DOJ has instructed prosecutors to consider a corporation’s history of misconduct as well as the efficacy of a corporation’s compliance program. The Monaco memo clarifies that with respect to prior history, the greatest weight should be placed on prior U.S. criminal prosecutions and prior misconduct involving the same personnel. With respect to the efficacy of a company’s compliance program, the new guidance clarifies that it should be assessed both at the time of the offense and at the time of charging. This later assessment gives the corporation opportunity to receive some credit for making improvements to the program. Prosecutors are to consider whether the corporation’s compliance program is “well designed, adequately resourced, empowered to function effectively and working in practice.” In assessing a compliance program’s mechanisms for identifying and investigating problems, prosecutors should consider the efficacy of the corporation’s policies governing the use of personal devices and third-party messaging platforms.

In addition, the guidance suggests that prosecutors will determine the role of compensation structures in rewarding compliance and penalizing noncompliance. 

Board Responsibilities for Oversight of Compliance

Effective compliance systems are central to establishing an ethical culture in a company while also helping to deter compliance failures and detect problems early. They help prevent and mitigate risk and the significant costs associated with compliance failures. As evidenced by the Monaco memo and earlier DOJ guidance (including in the form of prosecutorial and sentencing guidelines), an effective compliance program can influence a federal prosecutor’s decision whether to charge a corporation for the bad acts of its employees or officers and the extent to which the corporation may receive credit for cooperation in a settlement or influence a court in its determination of penalties.
Directors have a key role in providing oversight of corporate compliance efforts. As fiduciaries, directors must exercise reasonable care and good faith to ensure that the corporation is being managed in compliance with law, regulation and corporate policies. Over the past several decades, a series of Delaware cases, beginning with In re Caremark International Inc. Derivative Litigation, have emphasized that, as fiduciaries, directors must consider the legal and regulatory compliance framework that has developed and ensure that the corporation has appropriate compliance-related reporting and information systems and internal controls in place. Caremark and subsequent Delaware cases remind boards to pay attention to prosecutorial and sentencing guidelines and the opportunities they provide to defer prosecution and mitigate corporate and individual penalties.

Compliance programs, information and reporting systems, and related controls all need to be designed in light of this framework to deter and detect compliance violations and provide senior management and the board with “timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance” (Caremark, 698 A.2d at 970).

Key Takeaways and Practical Guidance 

Boards should review the company’s compliance systems and assess whether they are fit for the purpose of preventing and mitigating compliance failures. Boards should also consider whether the company is well-positioned to identify and investigate potential violations with agility, so as to be positioned to self-report to the DOJ if appropriate. Boards should consider the following:

  • Key compliance risks. Do we understand the key compliance risks facing the corporation and how those specific key compliance risks are monitored and mitigated? Have we established clear expectations about the circumstances and time frame for the board or a board committee to be informed and involved in compliance matters that arise? 
  • Compliance culture, programs and systems. Do we understand and oversee the compliance culture, programs and systems that management has put in place to identify, manage and mitigate risks, as well as to respond to risk incidents that arise? The duty of oversight is discharged in large measure by ensuring that the corporation has implemented appropriate compliance programs and systems designed in relation to the risk profile of the corporation, including any critical compliance risks.
  • Information and reporting systems. Do we periodically review and assess whether the company has appropriate information and reporting systems in place to keep management and the board informed of compliance issues? This is especially important in light of the Monaco memo’s emphasis on the importance of timeliness in voluntary self-disclosures. The board (or delegated committee) should ensure that the corporation’s information and reporting systems contemplate the key compliance risks it faces, and these systems should be reasonably designed to provide the board with timely, accurate information sufficient to allow it to reach informed judgments concerning the corporation’s compliance with laws and oversight of risk.


    The board (and any delegated committee) should set clear expectations with management about the circumstances in which compliance issues should result in a board or committee report. In addition, the board (or delegated committee as appropriate) should hear, on a regular basis, from the senior executives with overall responsibility for the most significant risk areas and, if there is an issue in a significant risk area, should ensure that management has an appropriate plan for addressing the risk and regularly updates the board or committee regarding that plan.


  • Incentives. Do we understand how compensation relates to compliance, including whether compliance is rewarded and/or compliance failures are penalized? Incentives could include use of compliance metrics in compensation and promotion decisions, and penalties could include “clawback” measures.
  • Accountability. Have we considered how accountability is built into the compliance program to ensure that the corporation takes action and holds itself accountable when wrongdoing occurs? The compliance program may do this by communicating that individuals at any level of the corporation who violate corporation standards or the law will be disciplined, maintaining an excellent investigative system and enforcing rules by taking disciplinary action when violations are substantiated. Boards may also improve accountability by following the Monaco memo’s guidance on compensation structures (such as “clawbacks” as a penalty for compliance violations).


    The board should assess whether there are effective systems for escalation and response and regularly test them, ensuring that leaders are held accountable for compliance failures and that the company is positioned for voluntary self-disclosures to regulatory or other government authorities. Mechanisms for accountability at all levels of the corporation should align with the Monaco memo’s priority of holding accountable the individuals who commit and profit from corporate crime.

  • Annual assessment of compliance programs and systems. On an annual basis (and more frequently if issues arise), does the board or delegated committee assess compliance programs and systems to ensure that they are performing in alignment with the standards set forth in DOJ guidance, federal sentencing guidelines for organizations, and other influential resources on board oversight of compliance risk and compliance program effectiveness?


    This review should consider alignment of compliance programs and systems with the key compliance risks facing the corporation, which evolve over time as the corporation’s business and compliance environment change (e.g., the growing need to address risks related to the use of personal devices and third-party messaging applications); the effectiveness of reporting hotlines and whistleblower mechanisms; and whether changes are appropriate, based on compliance issues that arise. This is especially important for corporations with a history of misconduct, given that the Monaco memo instructs prosecutors to consider the extent to which remediation has occurred. Ongoing development of compliance programs may also prevent the DOJ from imposing an independent monitor in the organization in the wake of a compliance failure.

The Monaco memo’s guidance reinforces the importance of board attention to compliance systems. Effective compliance systems are central to establishing an ethical culture in any corporation and help prevent compliance failures and detect problems earlier, thereby mitigating risk, including the potentially significant costs — both monetary and reputational — associated with compliance failures. It is evident that the DOJ remains committed to rewarding companies — through deferred prosecution and lighter penalties — for cooperation and genuine commitment to compliance.

Holly J. Gregory is co-chair of Sidley Austin’s global corporate governance practice. She also co-leads the firm’s ESG and crisis management teams. 

Justin C. Nowell is a managing associate in Sidley Austin’s New York office, working as counsel for public and private companies and boards of directors across industries.