
20 best practices in conducting risk assessment

A new whitepaper published by Syntrio.

I hope you find it useful.

DOJ Issues New Compliance Program Evaluation Standards

My latest column in Compliance & Ethics Professional.

I hope you find it useful.

Summer compliance reading for boards of directors

A recent post by attorneys at the Sullivan & Cromwell law firm on the blog of the Harvard Law School Forum on Corporate Governance and Financial Regulation examined an important decision issued last month by the Delaware Supreme Court which “reversed the dismissal of a stockholder derivative lawsuit against the members of the board of directors and two officers of Blue Bell Creameries USA, Inc., a leading manufacturer of ice cream products. The lawsuit arose out of a serious food contamination incident in 2015 that resulted in widespread product recalls and was linked to three deaths. The Delaware Supreme Court, applying the ‘duty to monitor’ doctrine enunciated in In re Caremark International, Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), and noting the very high hurdle to claims under it, nonetheless ruled that the plaintiff had adequately alleged the requisite bad faith by the members of the Blue Bell board. Plaintiff did so by… show[ing] facts supporting their contention that the Company did not have in place ‘a reasonable board-level system of monitoring and reporting’ with respect to food safety, which the Court deemed to be ‘a compliance issue intrinsically critical to the company’s business.’ …[t]he Supreme Court ruled that bad faith was adequately pled by alleging ‘that no board-level system of monitoring or reporting on food safety existed.’ The Court thus declined to dismiss a claim that the directors breached their duty of loyalty, potentially exposing directors to non-exculpated (and potentially not indemnifiable) monetary damages.”

The facts of the Blue Bell case do seem somewhat extreme. Presumably there are not many companies that have zero board oversight for compliance with areas of very high risk. But the case is worth directors’ attention as a reminder that the prospect of personal liability for directors arising from compliance failures is real. Among other things, directors may want to use the occasion of this case being published to review their respective boards’ procedures for monitoring compliance issues.

Also worth reading by directors and others is the Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations published last week by the US Department of Justice. This document contains an exhaustive list of questions and considerations that the Antitrust Division will use in evaluating compliance programs in investigations, including the following: “Who has overall responsibility for the antitrust compliance program? Is there a chief compliance officer or executive within the company responsible for antitrust compliance? If so, to whom does the individual report, e.g., the Board of Directors, audit committee, or other governing body? How often does the compliance officer or executive meet with the Board, audit committee, or other governing body? How does the company ensure the independence of its compliance personnel?” The Antitrust Division will also ask: “Does [compliance] training include senior management/supervisors and the Board of Directors?”

None of these are trick questions. But some companies would need trick answers if their antitrust compliance program was evaluated by the Justice Department in the context of an investigation. So, this is another reason for a compliance “check up” for prudent boards of directors.

Point-of-risk compliance

Here is my latest column from C&E Professional – on “point-of-risk compliance.”

I hope you find it useful.

E-book on compliance & ethics risk assessment

I am pleased that Corporate Compliance Insights has just published a revised and expanded edition of my e-book on risk assessment: Compliance & Ethics Risk Assessment: Concepts, Methods and New Directions.

You can get a free download here.

Risk assessment expectations under DOJ C&E program evaluation criteria

A column in Corporate Compliance Insights.

I hope you find it interesting.

Preventing investigative failures

It is too soon to know how history will judge the efficacy of the Mueller special counsel investigation. But there is no shortage of clear investigative failures in the private sector, such as in the Wells Fargo debacle.

In Complex Compliance Investigations – a soon-to-be-published article in the Columbia Law Review – Professor Veronica Root Martinez of Notre Dame Law School argues that many recent compliance failures “within organizations might have been avoided if more robust processes – meaning the actions, practices, and routines that firms can employ to communicate and analyze information – had been in place to ensure investigations were conducted in a manner that allowed the firm to analyze information from diverse areas within the firm.” She further notes: “The task of creating effective compliance programs has been made more challenging, however, by the shift from small, discrete organizations to complex ones. The challenge for complex organizations is, quite simply, more complicated than what’s faced by those with a smaller footprint and reach.”

She makes the following recommendations for addressing these challenges:

Track Similar Unlawful Behavior within the Firm. She suggests this because “[w]hen firms focus on policing and structural components of a compliance program, they sometimes focus too heavily on particular compliance areas, when they might otherwise benefit from assessing certain types of behavior.”

Engage in Consistent Compliance Assessments. Specifically, “Complex organizations could choose to develop formal, prospective processes in an effort to ensure that members throughout their organizations engage in similar investigative methods when misconduct is detected.”

Aggregate Potential Compliance Concerns. As she notes: “sometimes a seemingly innocuous or isolated event is actually an indication of a larger problem within the firm,…”

However, she also notes that: “The promise of process is, however, limited in that for it to be effective it requires a firm to have (i) a strong organizational structure (ii) free from a corrupt culture.”

There is far more to Professor Martinez’s very fine article than I have space to address here. I encourage you to read all of it.

Additionally, for more information about making investigations effective please see this post in the Compliance Program Assessment Blog.

False allegations of conflicts of interest

Over the course of the nearly two years that Robert Mueller served as Special Counsel, President Trump complained that Mueller had conflicts of interest that should have prevented him from being in that role. One of these concerned Mueller’s having supposedly been turned down for a job as Trump’s FBI chief. Another was based on Mueller’s former law firm having done legal work for certain Trump family members. A third alleged COI arose out of a purported dispute regarding a membership fee paid by Mueller at a Trump golf club.

The specifics of each are not particularly interesting. What is noteworthy is that – for legal or factual reasons – each of them is utterly without merit, as described in this piece from FactCheck.Org.

Making false accusations of conflicts of interest is not the worst thing that Trump has done as president. Indeed, it probably is not in the top 100.

But – at least from the perspective of this blog – such accusations are particularly pernicious as they can make it difficult for companies and individuals to identify and address genuine COIs.

I should stress that I am not suggesting that companies adopt “zero tolerance” for inaccurate reports of conflict of interest. Doing so would undoubtedly discourage reporting of accurate – as well as inaccurate – COIs pursuant to companies’ compliance & ethics programs.

But when a COI accusation is made not to protect an organization and/or individuals from unethical conduct but rather as part of a campaign of falsehoods being pursued for personal and political reasons, that is another matter. As Oliver Wendell Holmes Jr. famously said: “Even a dog knows the difference between being kicked and being stumbled over.”

A webcast on effective COI compliance programs

https://www.pli.edu/programs/effective-conflict-of-interest-program

Rebecca Walker and I hope you can attend.

Designing compliance incentives

A new article from SCCE’s Compliance & Ethics Professional on an always challenging area.

I hope you find it interesting.