Conflict of Interest Blog

Board oversight of C&E programs: how much is enough?

There was a time when a company’s merely having a code of conduct could be enough to dismiss a claim against the company’s directors under the Caremark case for failed compliance program oversight. But those days are now gone.

In his forthcoming article in the Journal of Corporate Law, “Max Oversight Duties: How Boeing Signifies a Shift in Corporate Law,”  Roy Shapira of the University of Chicago Booth School of Business writes: “In September 2021, the Boeing 737 Max debacle turned into an important moment in corporate law. A Delaware court allowed a derivative lawsuit brought by Boeing shareholders to proceed, based on the theory that Boeing’s directors breached their oversight duties by not doing enough to monitor, prevent, and react to fatal airplane safety issues.”

Shapira further notes that for many years: “Some compliance was enough compliance. Boeing shows that this is clearly not the case today. Consider the following examples: Boeing’s board agenda reflected allocating time to discuss safety, yet the court criticized them for allotting only five minutes. Boeing’s board minutes invoked ‘safety’ several times, yet the court criticized them for doing this only in passing and in the context of getting on the regulator’s good side. The minutes also showed that management shared information on airplane safety with the board, yet the court faulted them for not treating information from management more critically. All in all, Boeing shows just how much courts are willing to scrutinize what directors should have known and how they should have reacted.”

Note that such scrutiny (under this and the Marchand case handed down last year) does not apply to all risk areas. But it does apply to “mission critical” ones, which airplane safety clearly is for Boeing. And, as Shapira notes, for large companies there can be many such areas.

The enhanced focus on “mission critical” risk areas will indeed require many boards to “up their games.”

One obvious way to start is with a C&E board assessment, meaning an assessment of how the board is likely to fare in any Caremark case brought against its directors.

This would include determining whether the board has appropriately identified mission-critical risk areas.  It would also entail ascertaining how the board has enacted relevant governance documentation (e.g., committee charters) and what information it has received about the risk area(s) both from written reports and in-person presentations.

Among other things, the assessment would involve assuring that the board was in fact doing all the things the governance documentation provides they should do. (In this connection, I know of one respected company where the board approved minutes of committee meetings that in fact never happened.)

Lastly, this type of assessment should be conducted by an independent expert. That is, given how powerful directors can be in a company, asking its internal staff (law, compliance, audit) to assess the efficacy of a board’s C&E program oversight might be too much to get an unbiased view.



Rebecca Walker on the progression of compliance

In the April issue of Compliance and Ethics Professional. 


What does the “E” in your C&E program stand for?

My latest column in C&E Professional.

I hope you find it useful

I was recently interviewed as part of the Pioneers in Business Ethics project.

You can find the text here.

I hope you find it interesting.


An important ethics warning for corporate counsel

From an article in the ABA Journal last week: “As a way to undermine discovery, Google directs employees to add attorneys and seek legal advice in writing for ‘ordinary-course business communications,’ according to a March 21 sanctions motion filed by the U.S. Department of Justice, which is suing the company for alleged antitrust violations. Known as the Communicate With Care program, it began in 2016, according to the U.S. District Court for the District of Columbia filing. ‘Often, knowing the game, the in-house counsel included in these Communicate With Care emails does not respond at all,’ according to the motion. A Google spokesperson told Reuters that the government has more than 4 million documents from the company, and the ‘teams have conscientiously worked for years to provide responses.’ The motion asks the court to sanction Google for misusing attorney-client privilege and order that all documents be released in instances in which an attorney was included in the communication but did not reply.”

This is not a new issue. DOJ had – years earlier – investigated whether some tobacco industry lawyers had improperly tried to hide routine business communications behind the privilege (although no charges were brought on this theory).  Indeed, my law partner Rebecca Walker and I have spoken at several PLI and SCCE compliance conferences on the need to avoid misuse of the privilege in this way.

Regardless of how the Google motion is ultimately resolved, in-house counsel should take appropriate measures to ensure that “over-privileging” is not done in their respective companies.  The same is true of outside counsel, although presumably the danger with the latter is less than it is with the former.

At a minimum this should involve some education – whether it be a memo from the general counsel, comments at a law department meeting or both.  For higher risk situations, some follow-up contact or other forms of monitoring may be warranted.

Finally, I should make clear that I am not suggesting that this is a “red alert” for corporate counsel. But it is a good opportunity to ask: Am I basically okay?


Analyzing conflicts of interest – where to start

A conflict of interest (“COI”) analysis of any situation should generally start with an identification of the relevant duty (or duties), which sometimes (but not always) are legal in nature. Sources of such duties typically include the following.

First, there can be express contractual provisions mandating that employees, agents and others conduct themselves in a conflict-free (or conflict-disclosed) way.  An employment agreement would typically have a provision of this sort.  So would agency or retainer agreements.

Second, a code of conduct or other internal policy document could create a contractual COI obligation – either because it has been formally agreed to by employees or under an “implied contract” theory in the absence of such explicit agreement.  Of course, some codes disclaim any intent to create a contractual obligation, but their COI provisions could still help to create (or prove) an ethical duty.

Third, statutes and regulations addressing COIs in a variety of contexts are another important source of duties. These contexts include types of employment (e.g., for government employees); regulated businesses (e.g., healthcare, financial services); or other settings.

Fourth is the fiduciary duty of loyalty, which serves as a “default” under common law. That is, it specifies loyalty-related obligations for directors, employees and other agents even in the absence of a contract or statute.

Note, however, that in some circumstances a party might “contract out” of such an obligation or limit its scope, although doing so would not always be effective as a matter of law. As a general matter, being able to contract out of or otherwise limit a duty of loyalty is more likely when the relationship is between parties of relatively equal bargaining power and sophistication.

Finally, there are duty-related standards of conduct for certain professions. Some may be enforced by various legal regimes (as in the case of rules of professional responsibility for attorneys), the violation of which can lead to discipline. But such regimes aren’t always present (as in the case of journalists, where – to my knowledge – there is no such regime).

This is only a very general framework, and more information about COIs and duties can be found throughout this blog.

Compliance “moot courts” for CEOs?

The CEO of a client company once told me that he wanted to fire another corporate officer there. I asked him what basis he had for this contemplated action and he said it was that the officer had failed to take mandatory compliance training. I responded by asking if he – the CEO – had taken the training, to which he replied (without a trace of irony or shame) that he had not.

Several years ago, unrelated to my encounter with the CEO, I ran a blog post proposing that in certain circumstances “moot courts” be held to determine what, if any, accountability members of a board of directors should bear for the consequences of a compliance-related breach. In today’s post I ask: Should such an idea be tried with CEOs?

There is indeed precedent for this sort of exercise. My law partner Rebecca Walker and I have held compliance moot courts at an industry conference. We are also aware of something similar being conducted elsewhere.

Of course, a C&E moot court can be seen as essentially just another form of assessment. However, the advantage of a compliance moot court is that, by its nature, it can focus the CEO’s mind (and that of other senior executives) on the need for strong C&E in a way that traditional compliance assessments might not. And the need for such focus has never been greater.

In a speech delivered earlier this month at the ABA Institute on White Collar Crime, Assistant Attorney General Kenneth A. Polite Jr. said:

When you are asked about remedial action, and you’re asked about corporate leadership and personnel, we are doing so to ensure individual accountability. For example, even if there is not any evidence that a CEO personally committed a crime, upon discovery of a crime, a corporation should examine whether a change in leadership is necessary, not for change’s sake, but because he modeled poor ethical behavior for the workforce, or fostered a climate in which subordinates committed wrongdoing with intent to benefit the company, or permitted weak

In my view, this somewhat enhanced focus on CEOs as a source of risk calls on companies to up their game on mitigation.

All that should be covered in a CEO assessment is beyond the scope of this post, but a few of the many such topics are:

– How the CEO makes the C&E program a true strategic imperative.

– How the CEO ensures that the Program has sufficient resources, reach, autonomy and clout.

– What messaging the CEO sends to employees about C&E.

– How C&E affects compensation, promotion and related matters at the Company.

Finally, note that moot courts need not involve an actual examination of the CEO. It should generally be sufficient to have the CECO “testify” about the CEO’s role in the program.


Handling undue pressure: the role of the compliance and ethics office

One of the most important business ethics experiments ever took place in the early 1970s in Princeton, NJ. In it, interview subjects were asked to travel from one place to another, but some were told that they had to hurry and others were not told this. Along the way, all saw an individual in apparent distress. Individuals put under time pressure were about six times more likely to engage in unethical conduct (not helping the individual in distress) than were those not under such pressure.

This was an incredible result. It – along with other subsequent behavioral ethics experiments – has led to an understanding of wrongdoing that places greater emphasis on the situation facing an individual and less on that individual’s character.  This, in turn, helps make the case for strong C&E efforts.

Turning from the world of research to that of the courtroom and prosecutors’ offices, the corrupting influence of high pressure is an oft-told tale. In recent years the most prominent case of this sort involved Wells Fargo, where a toxic corporate culture pressured many employees to engage in serious legal and ethical transgressions.

So, what is to be done about this potentially perilous risk?

At the outset, I note that C&E programs are not expected to eliminate all pressure to perform. That would be impossible and indeed undesirable.  But what a C&E officer can and should do is to mitigate undue pressure.

One part of such an effort is risk assessment. Based on a variety of factors – both internal (e.g., employee surveys) and external market conditions (e.g., hyper competitiveness) – the risks of undue pressure can be identified.

Of course, the fact that risky conditions exist at one company does not necessarily mean that they also exist at a competitor. But it can suggest a line of inquiry both as to risk and to the efficacy of mitigation that should be explored.

Another approach is having the managers’ duties section of the code of conduct address the issue of avoiding undue pressure. That is, the code and related documents (policies, charters, among other things) should spell out that a manager is responsible for addressing pressure that might lead their subordinates to cross a legal or ethical line.

Yet another available measure is having the CEO speak at an all-company or other major event about the need to avoid undue pressure  – particularly at key times (such as near the end of a financial reporting period). One should also cascade the message down through the ranks of management (both operations and staff).

In a related vein one might develop pressure-related scenarios for use in training and other communications.  This would seem to be an obvious compliance measure, but my belief is that too few companies go this route.

Less obvious still, one should consider including undue pressure in audits.  By this I mean that some audit interviews should seek to determine whether pressure at the company is unduly risky. Note that I am not suggesting that this be an extensive effort.  A single question asked of individuals in high-risk positions (e.g., sales) and locations should be sufficient in many audits.

Investigations and discipline have a key role in this aspect of compliance.  Both in how one conducts an investigation and in related discipline one should make sure that those responsible for undue pressure are held accountable. One practical measure to ensure that this happens is to speak to this issue in the company’s investigations manual.

One should, as well,  consider addressing the issue in performance evaluations. By this I mean including in evaluations the extent to which a manager projects undue pressure onto their subordinates – or shields them from it.

Finally, one should ensure the board of directors (typically via the audit committee) is alert to undue pressure risks. They have the ultimate power in a company to mitigate those risks.

Of course, not every company needs to do all of these. And some will address the issue of undue pressure in other ways.  But all should be actively engaged on this risky area.

A free podcast on the history and future of compliance

From SCCE. Here is an introduction from SCCE’s Adam Turteltaub:

For most of us, it’s hard to imagine a time before the US Federal Sentencing Guidelines came into being and set the direction for compliance and ethics programs.

Jeff Kaplan, partner at the law firm Kaplan & Walker and longtime compliance leader, remembers those pre-Guidelines times, and in this podcast we discuss the changes that have come, didn’t happen and may yet occur with compliance programs.

Even after thirty years he reports that, in many ways, we are still getting started. While many organizations have developed robust compliance programs, a large number are still at the starting gate. In addition, many business people, particularly in management, tend to think of compliance as something less than sales, marketing or other departments, and not worthy of the investment.

A related challenge is what he called the “mission accomplished phenomenon”, which he defines as a tendency to see compliance as an event rather than an ongoing program.

Still, he sees the glass as something more than half filled and creating new challenges. For more developed programs, he believes, now is the time to maintain a sense of urgency and improve performance.

Click here to listen to the podcast.

The third rail in American compliance

An article by Rebecca Walker and me in Compliance and Ethics Professional  on when and how a chief ethics and compliance officer should report to the general counsel.

We hope you find it useful.