Companies are subject to various types of regulatory and statutory compliance requirements, whether they are publicly traded, privately held, or even nonprofits. The requirements may vary by industry and location, the latter referring to both the company’s state of incorporation and where it does business. Publicly traded companies have a further overlay of Securities and Exchange Commission (SEC) and stock exchange regulation. This article provides a broad overview of how board members should address these compliance requirements as part of their oversight duties to forestall future issues, and how preparation is key when an issue does arise.
The fiduciary duties of board members include far more than just oversight of compliance, and so it is important to note at the outset that compliance is not the same as governance. However, a central duty of corporate board members is the oversight of the company’s compliance with all laws and regulations to which the company is subject. This includes staying aware of any new regulations that may arise, as well as changes in existing regulations, particularly as both the regulatory landscape and a company’s activities are constantly changing.
For example, as companies expand vertically, whether upstream into activities like production and raw material sourcing or downstream into activities like distribution and retail sales, the company may become subject to regulatory schemes that are new and unfamiliar to the company and its board. A company’s merger and acquisition activity may introduce new businesses and/or business jurisdictions, which may also be new and unfamiliar. Even the regulatory frameworks with which the company may be experienced are likely changing constantly, whether in small ways or large, and of course how those regulations are applied and interpreted by tribunals affects the requirements for compliance. The board’s oversight of compliance should therefore be a regular part of the board’s agenda, and optimally a board committee such as audit—or a risk committee, if there is one—should be assigned to monitor compliance closely, including watching out for new areas of compliance and changes in preexisting ones.
Inevitably, breakdowns in a company’s compliance policies and procedures may occur. Noncompliance can cause severe disruptions in a company’s business activities, and it can create material costs in terms of investigations—both internal and by regulatory agencies and/or law enforcement—and penalties. These failures can also seriously damage a company’s reputation and brand, impacting relationships with customers and vendors, and they can depress employee morale and hinder a company’s ability to attract new employees. And of course, noncompliance can potentially result in liability for individual directors.
Board members should also be aware that whistleblowers have become a regular part of the governance landscape, and their revelations are typically related to some area of alleged noncompliance. Many companies have programs that ostensibly are designed to encourage whistleblowers to report actual or suspected noncompliance, and to provide boards with direct visibility into such reports. However, there are significant variations in the effectiveness of whistleblower programs, as well as in the quality of the board responses. Ideally, on a “clear day,” boards should regularly review their company’s whistleblower program, looking for opportunities to strengthen and improve it, and of course to prepare extensively and in advance for their own response if/when the need arises.
When evidence of noncompliance arises—whether through an effective compliance program, whistleblower report, management discovery, or regulatory or law enforcement action—boards must decide whether to launch an internal investigation. If a regulatory agency or law enforcement is not already involved, the board must determine with the assistance of counsel whether the company is required to report the noncompliance, and then cooperate fully with any ensuing investigation. There may also be a requirement—or at least an opportunity—to communicate with stakeholders, such as customers, vendors, employees and/or local communities.
It’s usually better to “play offense rather than defense” with regard to publicity after noncompliance is discovered, which gives the company the opportunity to affect the narrative. Again, a board that is prepared in advance for a range of possible needs can be more effective in overseeing management’s response. For example, preparations could include lining up potential outside advisors, determining how company communications will be handled, and assigning a board committee to oversee the responses by management, both internal and external, as well as help coordinate any board action that may be needed. For example, in addition to the possibility of an internal investigation and notification of appropriate authorities as noted above, there may be personnel issues uncovered by the issue, weaknesses in systems and controls, or other management actions called for that should receive board oversight.
Such a board committee may need to be a new one—a “special committee”—composed exclusively of independent and “disinterested” directors, both to provide the necessary board resources to focus on the problem, as well as to insulate the board’s response from any parties that may have been involved, whether by act of omission or commission. Rather than scrambling to add independent directors when the need arises, it’s better to have enough independent directors in place at all times in order to form a special committee, should the need ever arise. Suffice it to say, “The games are won in practice!”
The quickness and thoroughness of the company’s response can favorably influence the severity of whatever regulatory or law enforcement penalties may ultimately be applied, as well as help reduce any damage to the company’s reputation and relationships. However, the potentially beneficial effect provided by the company’s response may vary widely with the type of noncompliance problem, e.g., antitrust, Foreign Corrupt Practices Act, health and safety, etc. Again, boards are well-advised to prepare for all of the above potential needs well in advance. In addition to the potential preparatory actions mentioned above, preparation may include, among other things, refreshing bylaws and strengthening and reinforcing the reporting processes, e.g., through compliance or internal audit.
Board oversight of compliance has undoubtedly been affected by the pandemic. Sources of information have been disrupted with employees not being on-site, and the lack of in-person communication may have had a subtle but nonetheless important effect on decreasing the flow of information. The lack of in-person board meetings, as well as the distraction of exigent issues raised by the pandemic, may contribute to a decrease in attention to overseeing compliance. Remaining compliant requires deliberate allocation of attention and resources, both of which may have been strained during the COVID-19 pandemic.
Boards must take account of this, or risk falling victim to compliance failure. Valuable knowledge can be gained from the cautionary tales of compliance failures of companies that have been made all too public, becoming object lessons for boards in general. In many cases, class actions and other litigation have followed, with courts reviewing the actions and inactions of boards and providing guideposts for the future through their decisions. The Caremark line of case decisions has provided some guidance for boards, the overarching message of which is that boards must be diligent in their oversight of compliance, and properly document in board minutes and elsewhere that they have done so. For example, in the Marchand case, involving a dairy producer and an outbreak of listeria from its products, the Court found that compliance with food safety regulations was central to the company’s business, and therefore should have received greater board oversight.
Regardless of whether a company ultimately prevails in such litigation, much of the damage may have already been done to the company’s reputation, brand and relationships—possibly its most valuable assets but which appear nowhere on its balance sheet. The value of advance preparation cannot be overestimated, since the company’s speed of response may be crucial in limiting the damage from a noncompliance issue. While not a noncompliance example, the historical “gold standard” for crisis response was that of Johnson & Johnson, when, in 1982, bottles of Tylenol were discovered to have been tampered with, leading to several deaths. The company famously took broad action, including the removal of millions of bottles from store shelves. What is less remembered is that response took several days, possibly because the company was unprepared to ever have to take such action. Contrast this with the episode on United Airlines in 2017 when a passenger was forcibly dragged off the plane, with videos circulating via the Internet within seconds. The damage to a company that can follow a crisis can occur within minutes, and companies—and the boards that oversee them—must be prepared in advance.
Oversight of compliance is an important board duty, and it should be high on the list for attorneys advising boards on their governance.
 See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
 Marchand v. Barnhill, 2019 WL 2509617 (Del., 2019).