Overseeing Legal Risk with a Corporate Compliance Program

Legal Alerts

7.29.10

Among the proxy statement disclosure enhancements that became effective for the 2010 proxy season is the requirement that publicly traded companies describe the board’s role in “risk oversight.” Risk oversight is a forward-looking, proactive function requiring attention to a company’s efforts to prevent avoidable problems. Given that the portfolio of a company’s risks includes the ubiquitous risk of violating legal requirements, these new disclosures should motivate boards that have not already done so to review the efforts their companies make to prevent legal and regulatory violations.

Although compelling reasons existed for boards to view their compliance oversight duty expansively even before the new disclosure requirements, the new rules have made attention to the preventive dimension of compliance even more important. Companies meet their legal responsibilities through myriad operating and staff functions scattered throughout the organization. As a practical matter, oversight of legal and regulatory compliance is virtually impossible without the support of an effective corporate compliance program because the object of oversight – legal and regulatory risk – is largely indiscernible to the board or audit committee, and even to senior management, until an actual violation has occurred. Limiting oversight to remedial aspects of compliance (i.e., detecting, correcting and drawing lessons from compliance “spills”) can have the effect of closing the stable door only after the horses have fled, which is cold comfort to shareholders if a violation has damaged the company’s balance sheet and reputation.

To meet their oversight responsibilities and develop the most convincing narrative for a strong proxy statement, directors should consider the following:

  1. Make legal compliance a priority at the board level, usually through the audit committee, to ensure that the organization approaches its legal obligations with the same rigor and discipline it applies to other business imperatives;
  2. Remember that the real value of a compliance program is to provide an empirical foundation for oversight and to bring operational excellence to the company’s approach to its legal duties; and
  3. Ensure that compliance is visible by establishing a corporate compliance program that draws information from, and assesses the effectiveness of, the company’s numerous risk-specific compliance activities.

Although several models for compliance programs exist in current law, including the Federal Acquisition Regulations and protocols promulgated by the SEC and the Department of Health and Human Services, the most comprehensive and widely respected of these protocols – and the gold standard for compliance programs – originates from the United States Sentencing Commission in the form of the “Organizational Sentencing Guidelines” (the “Guidelines”). The Guidelines require the active involvement in a compliance program by both senior management and the board, the receipt by the board of periodic reports directly from the person with day-to-day operating responsibility for the program, and the regular review of the program (i.e., “not less than annually” for large companies) by the board. Boards seeking to install the best window into a company’s legal risk, and to improve the quality of the company’s efforts to manage such risk, are well advised to ensure that the company’s approach to compliance conforms to this protocol.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2010 Dykema Gossett PLLC.

  
