Is Your Board Compliant or Complacent?
Facebook fine and recent court ruling highlight need for board oversight
After a year-long investigation into Facebook’s privacy missteps, the Federal Trade Commission levied an unprecedented $5 billion fine against the tech giant. In addition to this fine (which equates to about 59 days of operating expenses) the FTC is also requiring that Facebook augment its board with a dedicated privacy committee comprised of independent board members.
Due to the dual-class share system that gives Mark Zuckerberg, Facebook’s cofounder, chairman and CEO, almost unchecked power and influence over the company, he can remove or add a new director without cause.
The FTC mandates, however, that Zuckerberg cannot remove someone from the new privacy committee without the support of two-thirds of investors who hold voting shares voting together as a single class; this limits Zuckerberg’s ability to make a unilateral decision and requires he have significant support from other shareholders.
The Facebook news about board-level compliance oversight comes on the heels of the recent decision of the Delaware Supreme Court to revive a stockholder lawsuit brought against the directors of Blue Bell Creameries on the same general topic. The lawsuit was originally filed after an outbreak of listeria in 2015 that allegedly resulted in three deaths and a massive recall of the ice cream maker’s products. Both federal and state food safety regulators found and communicated to Blue Bell’s management numerous food safety concerns over the years.
The court’s chief justice, Leo E. Strine, wrote: “We hold that the (original) complaint alleges particularized facts that support a reasonable inference that the Blue Bell board failed to implement any system to monitor Blue Bell’s food safety performance or compliance.”
It would seem that the board was remiss in its oversight and did not provide the appropriate level of focus on one of its main compliance risks - food safety.
The Supreme Court noted that “To satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it.” Directors must make a diligent and honest effort to establish a board-level compliance oversight system to oversee the company’s operations, legal compliance and financial results that includes ongoing reporting and monitoring. Management’s discussion of general operations with the board is not enough to show that a system of board-level compliance oversight controls exists.
As part of a board-level system of governance, a specific committee of the board should be vested with responsibility to oversee the company’s compliance program. Regular board processes and protocols should be established that require management to keep the board apprised periodically of the company’s primary compliance risks, key controls and monitoring findings. Boards should also establish the types of matters requiring more immediate escalation by management, such as significant red flags in a key compliance risk area for the company. And in the face of such escalation, boards should respond with more frequent engagement with management and additional oversight until the issue is resolved.
Importantly, directors should recognize that it is not enough for a board to simply rely on management’s system of compliance. The board itself is responsible for building the link from management to the board by implementing specific board-level structures, processes, and procedures for oversight, reporting, and monitoring of a company’s compliance program and main compliance risks.
The Delaware Supreme Court’s recent decision to revive the Blue Bell lawsuit illustrates that a board’s failure to make a good faith effort to do so breaches its duty of loyalty and could expose directors to liability.
In addition to building a substantive, ongoing, board-level oversight, reporting and monitoring system for the company’s main compliance risks, the board should confirm that the company’s books and records, such as the minutes of committee and board meetings, adequately and appropriately reflect any discussion of compliance matters.
In other words, the board must not only oversee compliance, but also document the fact that it does so.
The decision against Facebook and the ongoing legal issues at Blue Bell Creameries highlight the need to have a board-level discussion around what the board compliance framework should be going forward, and whether the current committee structure is sufficient.
In your upcoming board meeting you may want to discuss your company’s specific risk areas, which committee is vested with compliance oversight and what processes and procedures the committee has in place to carry out its compliance oversight duties to help intercept risks before they become costly mistakes.
Betsy Atkins is a three-time CEO and founder of Baja Corporation and author of Be Board Ready. Betsy is a corporate governance expert with an eye for making boards a competitive asset. She is currently on the board of directors of Volvo Car Corporation, Wynn Resorts and SL Green Realty.
Cindy Moehring is the recently retired Walmart SVP, Chief Ethics & Compliance Officer, US and former SVP and Global Chief Ethics Officer. She is Chairman of the board of the Ethics and Compliance Association and also sits on the board of the Ethics Research Center.