Compliance Program Implications of Recent DOJ and SEC Actions


Recent Activity Will Drive Many Legal & Compliance Teams to Improve Their Compliance Program and Risk Management Processes for External Reporting and Officer Conduct

By Lauren Kornutick, director analyst, research in the Gartner Legal and Compliance Practice

Earlier this year, over a span of about six weeks, a flurry of activity from the DOJ, the SEC and the Delaware Court of Chancery signaled the increased importance of officers’ duty of oversight of compliance programs. To recap, in January 2023 the SEC settled enforcement actions (Activision and McDonald’s) that point to a focus on executive risk oversight and monitoring. The Delaware Court of Chancery, for the first time, applied the Caremark duty of oversight to corporate officers and held that allegations of sexual harassment can state a claim for breach of the duty of loyalty. Caremark and its progeny created an obligation for directors to implement and monitor internal control systems and to address red flags. In the same period, the DOJ:

  1. Revised its Corporate Enforcement Policy to give prosecutors guidance on how to assess and treat corporate offenders;
  2. Adopted the long-awaited corporate Voluntary Self-Disclosure Policy, setting nationwide incentives for voluntary corporate disclosures. The tone for this policy was set in the 2022 Monaco Memo;
  3. Updated its guidance on the Evaluation of Corporate Compliance Programs, including long-awaited guidance on compensation clawbacks in support of compliance.

Most recently, the DOJ continued its emphasis on oversight and disclosure with an October 4, 2023 announcement of a policy change that gives acquiring companies a safe harbor period in which to disclose compliance violations discovered at acquired companies.

Focus on Executive Oversight and Monitoring

These actions signal a heightened focus on the risk management process for legal risk, on corporate compliance programs, and on their related controls and testing procedures. Without comprehensive governance programs, companies risk an SEC enforcement action, and officers and directors may face shareholder derivative litigation for failing to fulfill their duty of oversight. In addition, the DOJ is encouraging companies to voluntarily disclose misconduct. Firms can only do so if they have set up effective compliance control monitoring and mechanisms that detect misconduct early.

Even though most organizations have existing compliance programs, these recent actions show how such programs can break down and leave companies open to regulatory inquiry, litigation and reputational damage. In fact, Gartner predicts these events will drive legal and compliance functions to invest 50% more in governance, risk and compliance (GRC) tools by 2026. Such tools can help legal and compliance teams evaluate and modify programs in near real time, pressure-test their systems, and help management and the board improve oversight processes.

Three Imperatives for Executive Risk Management and Oversight

Gartner experts are advising clients to take practical steps in three key areas to ensure their company’s compliance programs are up to scratch in this domain.

  1. Leverage Risk Management Methodologies to Verify Control Effectiveness

Legal and compliance leaders often rely on gut feelings about known risk. However, an increased focus on reporting misconduct as soon as it is known means that legal and compliance teams should consider the risk management methodologies used by their peers in risk and audit, such as probabilistic and predictive risk analysis and risk quantification. A better understanding of these methodologies will help legal and compliance leaders check their assumptions about what they consider high risk during the risk assessment process and, for certain risk areas, understand the likelihood of misconduct occurring.

  2. Analyze the Impact of Changing Expectations on Board and Officer Oversight

Recent regulatory activity signals that the traditional corporate compliance program, which focuses on discrete program elements, is not sufficient for the enhanced duty of oversight. Officers must also have sufficient processes in place, grounded in access to the right information about risk posture, to investigate red flags as they are escalated. Officers should also keep in mind that the absence of information about a particular risk may itself be a red flag.

To best support the board, legal and compliance must improve their risk management process by building a comprehensive view of controls and procedures that accounts for risk interdependencies, so that the business can be shown to operate within established risk appetite and tolerance levels. Legal and compliance should also clarify officers’ roles and responsibilities, including responsibility for responding to new or changing risks. Lastly, legal and compliance should document and review the board’s expectations of management and the risk committees’ responsibilities for risk oversight, including roles and accountability, the format and cadence of meetings, and expectations for escalating incidents of non-compliance to the board.

  3. Renew and Raise Compliance and Governance Standards

The new reality facing legal and compliance teams is that all employees, with extra scrutiny placed on officers, are expected to conduct themselves in accordance with company values, policies and all legal obligations. Legal and compliance teams must prioritize their responsibilities as a second-line monitoring function and partner closely with enterprise risk and audit. For corporate compliance programs, this means prioritizing testing of the effectiveness of their controls (program elements) and determining whether employees understand their obligations with respect to business conduct and speak-up culture. With respect to M&A activity, compliance must take an active role in conducting due diligence on the target’s compliance program, with emphasis on evaluating third-party risk. This includes pre-closing screening of high-risk third parties and audits of any third party whose risk profile falls outside the accepted risk tolerance.

Furthermore, legal and compliance leaders must set an appropriate tone from the top, reinforcing the message that all employees act with integrity, by tying compensation to ethical behavior in management buyouts and establishing clawback policies where appropriate.