By Patty P. Tehrani
Lawyer and Founder of Policy Patty Toolkit
So much focus right now is on the new administration in place, not to mention the rampant speculation about what they will do about various financial regulations and how dramatically this landscape is expected to change. As if this were not enough, your company has a new Chief Executive Officer (CEO). She has requested a meeting with you, the General Counsel, to discuss your ethics, risk and compliance programs and learn more about them. She also wants to get your insights on what she and management should do to avoid the common pitfalls highlighted in recent corporate scandals.
As an experienced lawyer, this is welcome news. You know that a company’s governance, risk and compliance programs (“core programs”) should be promoted by management to truly be effective. You are all too familiar with recent headlines regarding the lack of management focus on a company’s core programs resulting in poor company culture and irreparable systemic failures. Often these scandals involve management that has delegated ownership of its company programs and is most definitely ignorant of the risks and issues involving them. Most end up with dire consequences – share price plummets, employees lose morale and leave, customers leave, and overall the brand and reputation diminish. And while your company’s prior management did a good job of promoting your core programs, more can still be done.
This article provides key considerations to help you prepare for your meeting with your CEO.
Note: You can define management however you deem fit for your company. This can include boards of directors where appropriate and your business leaders such as the chief executive officer, president, chief financial officer, the heads of product/business lines as well as regional divisions for global companies.
Preparing for Your Meeting
You decide that the focus of your meeting will be on management ownership of your core programs. To prepare for your meeting, you want to make an outline of discussion points. As a starting point, you want to note what ownership does not mean: the development, implementation, and maintenance of a core program, which can be delegated to the subject matter experts – Legal, Risk or Compliance departments (as well as others). Next and most importantly, you list how management can own these programs. In doing so, you want to make sure that you underscore the benefits. To help your discussion, consider the following points:
• Tone at the Top – Management should set an effective “Tone-at-the-top” to communicate their commitment to core programs and to promote the need for them.
- Formal and documented adoption of a program (e.g., notice from management to all employees that they have approved a core program).
- Regular communication from management on a program (e.g., management messages on your programs via training, company websites, inclusion in town halls, or periodic reminders on program requirements to name a few).
• Embed in the Business and Culture – Management should lead efforts to incorporate program requirements and risks into the company’s overall business strategy, processes, and operations. Taking an integrated approach will improve overall performance and ultimately your bottom line by avoiding different and possibly conflicting business and control requirements.
- Unintegrated program risks and vulnerabilities may affect the ability of a company to fulfill its business strategies and objectives.
- Failed or deficient programs may result in costly disruptions to core business activities leading to harmful breakdowns in business operations and ultimately the company’s viability.
- Jeopardizing the company’s continuity and integrity increases the potential for reputational damage — in the market, among shareholders, and with business partners.
In addition, a core program should not be viewed in isolation from a company’s core values, mission, and culture. Management should align a core program with a company’s core values, mission, and culture to reap tangible benefits.
- A strong program provides important benefits, including safeguards for weak or absent controls, and is integral to an open environment of trust, accountability, and integrity – all ingredients that benefit productivity and the bottom line.
- While every company is unique, there are a few universal program outcomes/objectives that every company would benefit from:
- an enhanced culture of trust, accountability, and integrity;
- process for prevention, detection, and management of issues;
- protection (to the extent possible) from negative consequences, and detection of non-compliance;
- defined escalation measures for non-compliance and material issues; and
• Accountability – Management should foster a culture of accountability to help the success of a core program. Accountability requires management to know what the material issues are with a core program and how to act on them promptly.
- Escalation – A defined escalation process to alert management is critical to management accountability. This is particularly important when the company is getting close to (or crossing) a risk or challenge that prevents the achievement of a material program objective or deliverable or runs afoul of a legal, regulatory or business requirement.
- Monitoring – Program processes and results should be monitored and measured on a regular basis. If done properly, monitoring measures keep regulators happy during reviews, but more importantly keep management informed and accountable.
Robust monitoring and reporting results can be used to:
- facilitate management response to program issues and challenges;
- help companies gauge progress of objectives and how they are contributing to the success of the company’s strategy;
- improve program components from time-to-time; and
- prevent, detect, and respond to identified malfeasance in the future.
Note: Be mindful of matters that may warrant referral or reporting to the relevant governmental agency or regulator following presentation to management.
- Access – Management should ensure key areas have access to them so that responses to program issues are timely, proper and informed.
- Key program administrators and messengers – Legal, Compliance, Risk Management, Operations, Human Resources, Audit, Information Technology – need unrestricted access to management to help them respond to the issue/challenge.
- Responsibility – Management should also be prepared to go so far as to take the blame for a material failure involving a core program. Consider that when a company CEO publicly acknowledges responsibility for a company failure, everyone takes notice – employees, investors, business partners and industry regulators.
- Support – Management should support program leaders and administrators so that they have the authority and sufficient resources to: 1) manage a program on a day-to-day basis; and 2) maintain it in the event of regulatory and operational changes and varying and possibly increasing risks.
You’ve drawn your outline together and are ready to discuss it with your CEO. You know that by working together, management and program administrators can help ensure a core program not only contributes to the improvement of the company’s governance practices but to the success of the company’s strategy as well.