Serving as a director of a publicly traded company has become increasingly challenging. On one hand, corporate structures continue to grow more intricate. On the other, enforcement agencies and regulators across the globe are broadening their definitions of corporate crime. This collision between increasingly complex and international business opportunities and continuously evolving regulation places companies at greater risk.
The board can play a crucial role in mitigating this increased risk by evaluating the efficacy of any compliance program and ensuring that the tone at the top promotes ethical behavior and discourages misconduct.
Businesses have more exposure to third-party risk. Regulators have made clear that they expect corporate leadership to maintain significant visibility into all aspects of their business, including their employees, subsidiaries and third parties. In many jurisdictions, companies are bound by the actions of the third parties they engage, whether they are vendors, suppliers or service providers. For example, companies operating in developing nations are often required to obtain licenses or permits from local government officials, which creates an inherent risk of bribery liability. In addition, the identities of government officials may be obscured, making it difficult for corporate leadership to oversee these interactions. Data privacy laws, foreign laws and blocking statutes may also hamper or prohibit management from obtaining insight into employee, subsidiary or third-party conduct. Nonetheless, enforcement agencies have made it clear that challenges in the information-gathering process are no excuse for noncompliance.
Oversight is crucial in the face of an evolving regulatory landscape. Recently, regulators have demonstrated through policy and practice that oversight, and subsequent fast and full disclosure of any wrongdoing, is of the utmost importance. The Department of Justice (DOJ) recently announced revisions to its Corporate Enforcement Policy, which introduced greater incentives for individuals and companies to self-disclose and cooperate in government investigations. The DOJ has also introduced a three-year pilot program through which companies will be able to reduce criminal fines by attempting to claw back compensation from individual wrongdoers. In addition, the DOJ will require any company that reaches a criminal resolution to develop compliance-promoting criteria in its compensation structure. Relatedly, the SEC has shown a willingness to investigate and prosecute companies for governance issues, such as harassment and executive pay, which were typically confined to the labor and employment sphere. These agencies have indicated that they will look beyond any misconduct to scrutinize due diligence, internal controls and compensation structures. Thus, the only way a company can truly mitigate risk is by maintaining oversight into all aspects of its business and taking proactive steps to deter wrongdoing and promote an ethical culture from the top down.
What Can Board Members Do to Mitigate Risk?
Directors play a vital role in enabling their companies to effectively manage risk. In particular, there are three things that every board member should prioritize to ensure they are fulfilling their duties to the company.
Evaluate compliance programs early and often. While C-level executives are generally responsible for designing a company's compliance program, directors must evaluate the program to ensure it is adequate. In order to do so, board members must have insight that extends beyond knowledge of the company itself. They need to keep an eye trained on the regulatory space so that they can make informed judgments about whether their compliance policies hold up against evolving requirements. Board members also need to understand the unique risks associated with the company's line of work and with the specific nations where the company does business.
Conduct regular and targeted internal audits. Internal audits are a powerful tool for demonstrating to the government that a company is proactive about detecting and deterring misconduct. Regulators commonly assess the manner by which a company conducts internal audits, and the frequency of those audits. whenever a legal issue arises. In March 2023 guidance, the DOJ specifically noted that it would consider a series of questions related to internal audits when analyzing corporate behavior. In particular, the DOJ will evaluate how often a company conducts internal audits in high-risk areas, the types of relevant audit findings and remediation that are reported to management and the board, and whether the findings are reported on a regular basis. Thus, board members can protect their companies by ensuring that they have answers to these and similar questions.
Set a clear tone at the top. The DOJ has noted that prosecutors should “examine the extent to which senior management have clearly articulated the company's ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example.” Thus, board members may be subject to scrutiny unless they have taken concrete actions that demonstrate a commitment to compliance and remediation efforts. Further, regulators may inquire into board members' own expertise and knowledge, and the types of information that they relied on in evaluating compliance risks. Thus, boards of directors should work with outside counsel to ensure they have a nuanced understanding of the risks their companies face and are well-versed in all relevant regulations.
Board members play a key role in mitigating compliance risk. As regulators ramp up efforts to prosecute corporate wrongdoing, it is incredibly important for directors to take on a proactive role in ensuring that management maintains oversight into all levels of the company and that an ethical corporate culture is conveyed from the top down.
Stephanie Yonekura is global head of investigations, white collar and fraud group, at Hogan Lovells.
Melissa Giangrande and Kacey Hirtle are associates at Hogan Lovells.