5. The Board, Compliance and Rising Expectations

Once upon a time . . . in the boardroom

As the old saying goes, ‘the fish stinks from the head down’. Applying anatomy to an organisation, naturally it may be thought that the chief executive officer (CEO) is the ‘head’, or perhaps the C-suite is.

That is mistaken: anatomically and organisationally, and on the compliance and ethical levels, gravely and even dangerously.

Until quite recently, not much was expected of a board of directors in the compliance and risk assessment spheres of corporate activity and responsibility. The compliance function, if it existed in more than name, had generally a limited, rule-enforcing role and was likely to get no more attention from the board than the physical security of plants, warehouses and inventory. You would need to sniff about to find compliance in the organisation chart, probably lumped in with all the other revenue non-producers, such as accounting, sustainability and community relations.

This board-level nonchalance towards compliance with ethical and legal standards certainly contributed heavily to the upsurge in corruption in so many countries, both in Latin America and elsewhere. My aim in this chapter is to show what went wrong but, more important, how the corporate remediation response, while well-intentioned, has relied on a model of board oversight that is no longer sufficient to changed circumstances and expectations.

Looking back at enforcement resolutions of the past several decades, in various areas of bad behaviour, we will find perturbingly rare instances of board-level sanctions or even public criticism.

For example, in a corruption case involving Embraer, it was revealed that the board of directors failed to take disciplinary action against a very senior executive even after the investigation showed that this executive knew of various bribe payments in several countries, made by employees who reported to him. The board’s failure to discipline or dismiss the executive led to higher monetary penalties and other sanctions.[2] In another corruption case, a CEO was personally involved in bribe payments in Argentina, yet continued as CEO, which again led to more severe penalties being imposed on the company.[3] In neither case was any board member sanctioned and my review of the media coverage showed no mention of the boards, much less criticism of their actions in the face of these serious findings.

But things began to change. An example is the replacement of several board members at Wells Fargo in 2018 as an outgrowth of the massive sales frauds committed against its customers.[4] The lead independent director of Wells Fargo received a letter from the board of governors of the US Federal Reserve System, finding that ‘there were many pervasive and serious compliance and conduct failures during your tenure as lead independent director’. The letter tells Mr Sanger that ‘[t]o fulfill [your] role, you needed to have sufficient information from firm management to understand and assess serious problems at the firm. This would require robust inquiry and demand for further information’, which Mr Sanger did not do. The letter charges that the director was made aware of the devious sales practices and other compliance issues. But, said the Federal Reserve, ‘you did not appear to initiate any serious investigation or inquiry into the sales practices problem or put a proposal to do so to the WFC board. Your performance . . . is an example of ineffective oversight’ inconsistent with the Federal Reserve’s expectations.[5]

The Federal Reserve was also quite unhappy with the board as a whole: ‘Management’s reports generally lacked detail and were not accompanied by action plans and metrics to track plan performance.’ The Federal Reserve also focused on the failure of the board to monitor and assess management incentives adequately: ‘[T]he board of directors must ensure that WFC’s performance management processes for employees, including compensation and other incentive programs, are consistent with sound risk management objectives and promote . . . compliance . . . [as these] programs played a material role in the firm’s compliance breakdowns.’[6]

If that seems like a dressing-down for the ages, just wait. Public reaction judged the Federal Reserve’s actions and words to be no more than a wrist-slapping. A Los Angeles Times columnist wrote, ‘The Wells Fargo board is still getting a pass for failure’ and questioned why only four directors were being dropped while seven were retained: ‘A new broom sweeps clean only if it is genuinely new but . . . Wells Fargo will keep some very old bristles indeed.’[7]

And there was worse. The former US Treasury Secretary and President of Harvard University, Lawrence Summers (hardly a radical opponent of big business), wrote in The Washington Post: ‘It has long seemed to me that we need better approaches to corporate accountability than large fines paid by shareholders of record, years after bad acts were committed.’ Turning to Wells Fargo, he asked why, in light of the clear failure of board supervision, ‘regulators are so reluctant to foist public accountability on the individuals in responsible leadership positions’. Summers added: ‘Why shouldn’t avatars of responsible capitalism such as Black Rock insist on public resignations of board members when firms have established a track record of unethical behavior on their watch?’ He reinforced, I believe properly, the major corrective element of his advocacy: ‘Yes, my proposal will make it harder to recruit board members. This is a feature, not a bug. If board members worry about reputational risk, this will deter dilettantes interested in the networking and the paycheck.’[8]

In Marchand v. Barnhill,[9] a 2019 case, on a motion appealing lower court decisions holding that the pleadings were insufficient (i.e., the facts asserted did not on their face support a finding of culpability), the Delaware Supreme Court reversed. The basic facts were: ‘Blue Bell Creameries USA, Inc, one of the country’s largest ice cream manufacturers, suffered a listeria outbreak in early 2015, causing the company to recall all its products, shut down production at all its plants and lay off over a third of its workforce. . . . Three people died as a result of the listeria outbreak . . . . [S]tockholders also suffered losses.’[10]

An aggrieved shareholder brought a derivative suit against various executives and the board of Blue Bell for breach of fiduciary duty.

The Delaware Supreme Court found that the plaintiff’s alleged facts supported the necessary inferences that the board failed to implement any system to monitor food safety issues and that this ‘utter failure’ by the board was in breach of its duty of loyalty.

The following is a partial list of board-related shortcomings noted by the Court:

  1. Blue Bell manufactures only ice cream, thus making food safety a central compliance issue, yet the board had no food safety committee, no board-level process to address safety issues and no protocol for food safety issues to be raised to the board’s attention.
  2. For years before the 2015 listeria outbreak, safety inspectors had found troubling compliance failures. The Court mentioned six reports, most of them detailing multiple problems.
  3. Tests, ordered by Blue Bell in 2013 and 2014, reported positive for listeria.
  4. The board never received any of the information in points 2 or 3.
  5. More negative news came to light in 2014 but board minutes reflect no discussion of these concerns.
  6. On 13 February 2015, the Texas health authorities notified Blue Bell of positive listeria tests. The company itself, on 19 and 21 February, found listeria in the Texas facility. When the board met on 19 February 2015, there was no discussion of the listeria problem.
  7. Only four days after the February board meeting, Blue Bell initiated a recall. Only then did the board discuss the listeria issue, for the first time.
  8. Instead of going into full disaster repair mode, the board did not meet more frequently or receive constant updates, leaving the company’s response to management.

You can add to these two examples scandals at Volkswagen, Uber, Boeing, CBS, Airbus, WeWork and Chipotle, and in Latin America at companies such as JBS, Biomet (later Zimmer Biomet), Biomet Argentina and Biomet 3i Mexico, Vale, Tyson de México, Petrobras, Odebrecht and Braskem, and SQM (Chile), to name only a few.[11]

However, the heads that have been made to roll so far have often followed a disquieting pattern: (1) Bad thing happens (allegations of corruption, cheating on emission standards tests, a dam bursts, publicity about a company’s pervasive culture of sexual harassment). (2) The board expresses resolute confidence in management but will ‘thoroughly and independently investigate’ the bad thing. (3) Awkward revelations come to the fore and a couple of C-suite members ‘resign’. (4) More awkward revelations and the CEO walks out with his head under his arm (and a fat cheque in his hand). (5) The board expresses its shock and dismay and appoints a new CEO, often (and with no evident sense of the absurd) a member of the board of directors who was on the scene during the whole sad mess.

An uncannily apposite example is Boeing.

  • Its ‘bad thing’ was the tragic crash of two planes – both its newest model, the 737 MAX – and Boeing’s tone-deaf management of the fallout.
  • Director David Calhoun said in November 2019 that the CEO had ‘done everything right’ and should not resign.[12]
  • On 22 October 2019, Boeing fired the head of its commercial aviation division.[13]
  • The CEO was sacked on 24 December 2019, one month after the endorsement from Mr Calhoun.
  • Mr Calhoun, a Boeing director for nine years, became CEO. In an interview with The New York Times, he said: ‘It’s more than I imagined it would be, honestly. And it speaks to the weaknesses of our leadership.’ Mr Calhoun added: ‘We had a backup plan. I am the backup plan.’[14]

The times they are a-changing. And?

Confidence in corporate governance has been shaken. Media attention has been relentless and scathing, and activist shareholders and even stay-on-the-sidelines shareholders have made their unhappiness very clear. Boards have sat bolt upright and taken notice.

They have spurred management into action, ordering the formation or bolstering of compliance departments, assertively demanding the preparation and dissemination of codes, manuals and policies, and of videos with production values of which Netflix would be proud. The latter feature the CEO, tieless, talking about the importance of compliance to his (virtually always ‘his’) company, and then, leaning into the camera, all urgency and earnestness, assuring that no one takes this issue more seriously than senior management and the board. For it is they who must set the ‘tone at the top’. And they will – count on it.

Is this insincere pap? Not at all, in most cases.

However, I fear that the focus on ‘tone at the top’ takes attention away from what else must now come from the board and the C-suite, and lulls into mistaken contentment those who believe that setting ‘the tone at the top’ is sufficient. (I forgive whoever fell into the amatory arms of alliteration and coined the phrase.)

But tone is quite a superficial characteristic: ‘manner’, ‘mode’, ‘cast’, ‘colour’, ‘tint’, ‘complexion’ are only a few of the explanations or synonyms for ‘tone’, and these are such ephemeral and slight qualities. Add to this the constant exhortations that the top tier must ‘set the tone for the company’ with ‘clearly articulated ethical standards’[15] and must ‘[do] enough to publicize [its] compliance program’.[16]

CEOs and board members are led to believe that the manner in which they deliver the message is their only required contribution to a culture of compliance and so they fail to participate actively in setting up structures and procedures from the outset that will create the conditions for a compliance culture to emerge and prosper. Boards and top executives can no longer do all the talking and leave to others all the doing. Getting periodic reports from the chief compliance officer (CCO) is not nearly enough.

The generally accepted major duties of a board of directors are to think strategically and to keep an eye on management. This second obligation has, over time and influenced by practice in many countries and by jurisprudence, notably in the state of Delaware (especially with its development of the ‘business judgement’ rule to protect boards from undue second-guessing), become defined in large part by what the board ought not to do: directors should not be executives and should not interfere in the operations and other aspects of the daily life of the company, leaving to boards a somewhat removed obligation to hear reports, ask questions and decide matters in a reasonable, prudent manner. An important outgrowth of the business judgement rule protection is that boards ought to maintain a healthy distance from operations, lest board members be judged by a more rigorous standard because they left their safe supervisory perch and mucked about in day-to-day affairs. This separation of executive and oversight responsibility is salutary and sensible. However, the definition of what is reasonable and prudent is protean. The repeated and numerous failures of board supervision show either that boards are not doing even the minimum that was expected of them (which is sometimes the case) or, in my view, that boards have not realised that more is now expected of them. But what of the sacred divide between execution and oversight? Am I, a board member, now expected to inspect personally cockpit software or the integrity of dam works? Of course not.

My advice is that the board immerse itself substantively in risk assessment and compliance, rather than act in only the conventional supervisory capacity. This may seem radical and a departure from the notion that boards should not risk meddling in operational matters. My answer: not only is this not radical but in light of the repeated scandals, following my suggestion is increasingly necessary as part of the prudence and care that boards owe to shareholders. As for interference in operations, I hope I am clear that my proposal is to deepen board knowledge of, involvement in and contribution to enterprise risk management and in no way to supplant executive functions.

Here is a recent example of a recognition of these perceived higher requirements. After the aforementioned crashes of the two 737 MAX airplanes, Boeing commissioned an examination of safety issues that resulted, among other steps, in the formation of a board-level safety committee. Why was this step not taken long ago? It appears that it was taken for granted that Boeing management was totally in control of product safety. As The New York Times reported, ‘[T]he board believed that [the ex-CEO], an engineer who had been with Boeing for his entire career, was so deeply informed about the business that he was a good judge of the risks involved in ramping up production’, which turned out to be a significant contributing factor to the accidents.[17] This greater, more detailed attention from boards is what stakeholders, regulators, the media and even courts are increasingly expecting.

A word on ‘compliance’. As I use it here, it certainly includes anti-corruption and anti-fraud. Discrimination, harassment, conflicts of interest and related party transactions also are the responsibility of the compliance function. But how about other areas of risk? Driver safety for a passenger or cargo transportation company? Drug safety for a pharmaceutical concern? I do not advocate that the assessment of these risks, and processes to address them, should be the responsibility of the compliance department, but there must be in place very similar structures in conception, range of activity, and autonomy and independence to look after these areas of concern. The board cannot assume that these issues are being handled properly because they are an integral part of the ‘business’ of the company and, as such, for executives to deal with, as opposed to anti-corruption or anti-discrimination efforts, which deal with aberrant events.

And a thought on ‘board compliance oversight’. This is generally a delegated duty of the audit committee. While I share the increasing worry that audit committees may be overworked, it nevertheless seems to be the right oversight body. A separate governance or compliance committee might make sense in some circumstances, but I fear that this other committee will suffer from not having all the information an audit committee receives. So I will refer to the audit committee as the board organ responsible for compliance supervision. Implicit in this is that the audit committee and senior management will fully brief the board and that the board will engage actively and contribute to the efforts of the committee and management.

Below I touch upon the principal compliance characteristics and structures with which the board must thoughtfully and vigorously involve itself, to ensure the healthy birth and successful maturation of an effective programme and to avoid the disasters of the past.

Risky business

To quickly and demonstrably mount or invigorate a compliance function, with new or more codes, rules, prohibitions, remedies and punishments, companies often are tempted to skip the vital step of conducting a careful risk assessment. This is like prescribing drugs before making a diagnosis.

This results from various attitudes: overconfidence (‘we know our business, we know what needs watching’), the time required, the cost and, in some instances, the worry that mapping of relevant risks will make management risk-averse (like disconnecting the speedometer so that you do not frighten yourself by your speed).

A very recent EY survey of 500 CEOs and board members found that fewer than 25 per cent of directors reported being ‘very satisfied’ with the effectiveness of their risk adjustment processes and only 20 per cent of directors were confident in risk reporting from management.[18]

Risk assessment is absolutely crucial. As the 2019 US Department of Justice Guidelines have it:

The starting point for a prosecutor’s evaluation of . . . a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.[19]
. . .
Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.[20]

A good risk assessment exercise should:

  • analyse afresh the risks of the company in its significant areas of activity;
  • have the collection of information thoroughly informed by what front-line managers think their risks are and in what order. These should be validated by interviews with senior executives;
  • include transaction-testing and walk-throughs to ascertain whether what should be working is in fact working;
  • from time to time, or for certain issues, hire external consultants;
  • have as its analytical centre for the dimensioning of risks and assigning of priorities a committee that, beyond compliance, includes senior accounting, legal, controls, internal audit (IA) and information technology representatives, at least. This diverse group is not likely to miss anything important; and
  • most of all, this work should be closely followed by at least one audit committee member. Hands-on, everyday participation is not necessary, but frequent involvement in the data analysis and priority-setting discussions by that member is highly desirable.

From conception to operation

Even recognising that companies have different cultures and compliance concerns, some fundamental principles should govern the construction of a good compliance programme. While adhesion to best practices from top to bottom may be ideal, this is not realistic. But the principles of independence, autonomy, structure and cultural compatibility are key, as they determine the foundation to build on, how sturdy the compliance edifice is and how well it will meld into the corporate landscape. The first two qualities ensure reliability, the correct structure separates the operational from support functions and compatibility ensures that the programme fits the culture and language of the company. These principles being of the first order, the audit committee must be fully engaged in preserving them. Choices between ‘best’, ‘good enough’ and ‘will have to do for now’ must be made by the audit committee and management together. Not unlike other strategic business decisions, which routinely involve suboptimal elements and uncomfortable compromises, the building of the compliance function cannot be left only to executives. Based on my personal experience, this is very rarely done, but it is advisable, even though it appears to cross an inviolable boundary. I believe, however, that boards will have no choice.

The importance of independence cannot be overstated. Together with autonomy, discussed below, these attributes must be self-evident and unassailable from the board down, through compliance and related functions. It is not sufficient that audit committee members be considered ‘independent’ under relevant market regulations. May a member who meets applicable requirements but who is a close, long-time friend of the CEO and other high executives (close friendship not being a disqualifying factor under, at least, US or Brazilian regulations) be on the audit committee? Technically, yes. But if that audit committee needs to launch an investigation possibly involving one of the executives who is a close friend of the committee member, how will that appear to regulators, shareholders and the media? If the structure is not as immune to attack as is possible, the reliability of its findings and conclusions may, and likely will, be questioned from the outset.

This same care should extend to professionals hired for compliance-related work, especially investigations. I would be uncomfortable hiring a law or consulting firm for an investigation that is doing, or has recently done, considerable other work for the organisation. The justification for hiring a close professional partner (‘they know us, they won’t go crazy’) is why hiring that firm is inadvisable: it may appear as an attempt to gain an advantage. The importance of ‘appearances’ varies widely between cultures. Generally, Anglo-Saxon cultures have paid more attention to the appearance of impropriety. For instance, most large, respected law firms in the United States put in place anti-nepotism rules several decades ago, while similarly respected firms in Latin America have been less inclined to do so. The same is true with management of family-owned or family-controlled public companies. I am only noting the difference, without criticism, but in compliance, seeming bad is almost as bad as being bad.

By compliance-related functions, I mean IA and internal controls. Where these are placed organisationally and to whom they report are as important to these functions as to compliance. The compliance literature is very clear[21] on the concept of the three lines of defence, so I need only summarise.

  • First line: The operational functions of the organisation, as the public-facing elements, are the front line in compliance. This is no trivial matter. A strong first line, made so by a corporate culture that persists in the incessant inculcation of ethical values, in the implacable rejection of ethically dubious conduct and in the continuous transmission by the board and senior management of the company’s values is the clearest indication of a highly effective culture of compliance. And here is where ‘tone at the top’, constant and consistent, has its greatest value. But this is an unending effort, so strong second and third lines are indispensable.
  • Second line: Compliance and internal controls support the first line. Note the word ‘support’. Their role is not to prohibit and punish, it is to construct processes that help the business functions do their jobs well and properly, and to monitor and improve these processes to make sure they work but do not constrain the business functions.
  • Third line: IA is the last line of defence and exists to ensure that anything that passed the other lines does not go any further. It is also axiomatic that IA should be kept distinct and have the highest degree of autonomy from management, inasmuch as it is not an operational function.

Here we deal with the oversight of compliance-related functions. A thoroughly independent audit committee relying on departments that have compromising or conflicting vectors acting upon them is an empty vessel. It is in this area that the board must be most firm, because it is likely to need to make structural changes, which most organisations almost instinctively resist.

Compliance and internal controls should be together and their head should report directly to the CEO. Often the reporting is to the general counsel, but this confuses an operational function that is intended for the detection and avoidance of irregularities with the management function of the legal department to protect and defend the company from legal risks. As second-line components, these functions report to the CEO because they are, as said, supporting the business operations. Nevertheless, the department head should have regular and open access to the audit committee in executive sessions. Ideally, the audit committee chairman should have a direct, informal relationship with the CCO. In a number of companies, the CCO reports directly to the audit committee. While I sympathise with the push for greater independence, I am persuaded that having compliance as part of the operations of the company and not an enforcement arm of the board is the better approach. This is also clearly the prevailing wisdom. Compliance should be seen by the company’s employees as a support function and not a policing one.

It is also important to protect the CCO from financial pressures; cost-cutting, downsizing and similar metrics ought not to be used for the compliance functions and any significant deviation in compensation of the CCO compared to peers should be discussed with and approved by the audit committee. Likewise, the CCO’s dismissal or demotion should only happen with the audit committee’s concurrence.

IA should report directly to the audit committee, which should set compensation for the IA head (in consultation with human resources). I have not heard any convincing arguments against this structure but I will give the argument for it anyway. IA, the last line, catches what the first line thought it could live with, or get away with, and that the second line missed. To have a group with this charge subordinate to those who looked away, allowed, or worse, participated in the transgression, makes no sense.

Cultural compatibility

Pity the poor CCO. Likely to be a new arrival to the company, she or he has to very quickly put together a team and build a compliance function from scratch (or from some ramshackle structure left by the predecessor). The natural reaction of the harried newcomer is to get to work at once. There is a strong temptation to go for ‘easy wins’: announce an ambitious training schedule, get the sincere CEO video on air, put a code of ethics up on the website, probably closely modelling it on that of another company (after all, ethics are ethics, regardless of the company, aren’t they?). Pity next the poor company that put the CCO in such an impossible position. A compliance programme that does not organically follow the mores and traditions of the organisation, that does not reflect and absorb its cultural and even linguistic individualities, will fail. It will be rejected by the organisation, not with anger but with disdain.

To avoid this, the CCO will need to understand the organisation deeply and viscerally, and to work out how best to inject compliance into its core rather than grafting it on awkwardly.

What I have seen work very well is to form a committee. This committee, comprising senior members of internal audit, information technology, accounting, internal controls, legal and, ideally, some line managers, perhaps from procurement or sales, would be instrumental in helping the CCO to develop a programme that, in the language of the company, addresses those of the company’s risk and compliance issues that most need attention. In the structuring, or restructuring, of the compliance functions, the participation of an audit committee member is vital. This member can usefully contribute reflection on the views and concerns of senior executives and board members, and can give political and other support to the CCO. This effort, along with the comprehensive risk assessment that is solidly based on first-line worries, will result in a programme that is introduced to the organisation with the support of a broad array of respected managers. With this inclusive approach, greater and more rapid adhesion to the compliance programme should be assured.

Other important considerations

The observations that follow are not random; attention at the board level should be paid to them in particular, as they involve the perception, and therefore the reality, of compliance efficacy.

Compliance staffing

Many, perhaps most, compliance personnel are lawyers by training. This, I believe, is because (1) of a natural tendency to equate the imagined substance of compliance with the supposed substance of the law (rules, regulations, prohibitions and restrictions), (2) lawyers are reasonably smart and honest, on the whole, and (3) lawyers make up, it seems, upwards of 30 per cent of the world’s population.

My great issue is with point 1 (though point 3 is troubling). The bias towards lawyers in compliance positions reflects a fundamental misperception of the compliance process and an inaccurate understanding of what lawyers do.

A compliance professional’s knowledge of the law for the construction of a sound compliance programme need not go much beyond understanding, generally, the types of illegal or undesirable conduct the organisation is seeking to prevent, and understanding, specifically, the attributes of high risk (e.g., government contracts, auctions, the use of agents and similar representatives) and the areas that will present risks (e.g., government relations, marketing, legal).

Compliance personnel need not be conversant with concepts such as quid pro quo requirements, passive versus active corruption or how civil and criminal ‘books and records’ issues differ. Likewise, in the running of compliance programmes and monitoring systems, it is sufficient to have the knowledge that will allow the clearly legitimate to not be held up at all, the obviously worrisome to be held up at once and the questionable situations to be studied with care, very likely with the involvement of the legal department. This is different from the practice of law. Moreover, the tools, the thinking and the sought-for results of a compliance programme are also very different from the practice of law. However, in one important way, the two professions are similar: the best lawyers and compliance professionals avoid saying ‘no’ and find safe ways of getting to ‘yes’.

Compliance professionals should ideally have first-hand experience in business environments and dealing with business imperatives. Thus, experience in finance, treasury, planning, IA or internal controls is very useful, as is, more generally, working at a corporation and understanding how different that is from a law, consulting or auditing firm. A compliance professional with several years at a Big Four doing compliance advisory and now at a corporation recalled: ‘When I was a consultant, I told people what they should do. If they didn’t, that was their problem. Now I need to find an answer that the line manager and I both feel comfortable with. Otherwise, it is my problem.’ It is not that lawyers cannot be good compliance professionals; they obviously can, and there are many of them, but the right background and exposure are needed.

Compliance size

Unfortunately, there is a significant tendency to focus on the number of professionals in the compliance department. This is probably a result of the prosecutor’s experience with law enforcement (how many police officers per 10,000 population do we need?) and with processing criminal cases (how many cases can a prosecutor reliably handle at one time?). It is an understandable view.

However, it is evident that law enforcement and prosecution are one thing and compliance quite another. The contrast is stark. Compliance is procedure- and control-based, with heavy use of technology and tools such as data monitoring, computer-aided sampling and analysis, artificial intelligence and data analytics. And compliance is designed not to catch and punish but to prevent bad acts and to help business personnel reach the same business result in a safe way.

I have no idea what the right size of a compliance department is; in the abstract, this is an unanswerable question. Comparing the number of compliance personnel to the total number of employees is clearly primitive. In sizing Amazon’s compliance department, why would we take into consideration the company’s more than 250,000 full-time warehouse employees, who might never see anyone but another warehouse worker, much less a potentially corruptible public official? My recommended approach is to start (or restart) the compliance function with the number of people needed to get it working properly and then add as needed. Resist false equations.

I should mention briefly that the practice of using front-line personnel as ambassadors or agents of compliance is on the rise, especially in higher-risk departments. Some deride this approach as an attempt to pump up compliance personnel numbers. However, when well trained and focused, these adjuncts are very useful as a resource and in helping front-line personnel resolve a particular question or problem. The agents generally do not have, nor should they have, any decision-making authority, and they should not be expected to spy on their colleagues or report them. However, they can serve as mine-shaft canaries, and they can also help the unable or unwilling in a peer-to-peer, unthreatening way.

Some other ‘trends’?

The compliance literature is growing exponentially and new suggestions pop up regularly. I comment on three of them.

The suggestion of having a compliance expert on the board comes from the regulatory focus on compliance expertise on boards.[22] Importantly, I have seen no regulatory mandate that at least one board member be a ‘compliance expert’. The US Department of Justice, for example, asks only: ‘What compliance expertise has been available on the board of directors?’[23] I know of no reason for having a board seat dedicated to a compliance savant; the compliance experts should be in the compliance department. Board members should bring to the boardroom much more than one particular expertise, be it in finance, marketing or compliance. So if your board lacks compliance expertise, go and get it. I estimate that a dedicated, thoughtful board member could, with help from internal and external sources, become sufficiently conversant with the topic within eight to 12 months to be of significant value to the organisation. I would guess that regulators would be delighted if companies took up this suggestion.

Compliance training for board members has come up from time to time. It strikes me, so far, as a well-intentioned idea that does not yet stand up to close scrutiny. Some research shows that a reasonable majority of firms provide board compliance training. However, the same research shows a negative response on the quality of that training: 23 per cent of respondents were not at all satisfied, another 18 per cent only slightly satisfied and 42 per cent somewhat satisfied.[24] I imagine that the sin of compliance training for board members is a combination of self-evident generalisation and mind-numbing particularity. Probably the best education for board members is to hear periodically from the CCO about real-life examples of how compliance processes have kept their company out of disagreeable situations. That, coupled with compliance expertise on the board for the other members to draw on, may do the trick, although well-thought-out training programmes should always be considered.

Benchmarking is very important and, I am happy to say, it is catching on. The day-to-day compliance issues that CCOs and their staff face, the ones that even the vast literature cannot address well enough, are best resolved by contact with others grappling with the same issues. This is the experience-swapping done in professions where problems do not present themselves with mathematical precision. Compliance is a young profession and we need to help each other learn and grow.


What I recommend requires more of directors than most of them might expect. They must come to terms with the need to plunge into issues that until recently could be left to executives. That luxury is gone: a more thorough, thoughtful and critical examination is necessary for a bevy of challenges well beyond corruption, such as consumer and employee safety, discrimination of all kinds, lack of diversity or of tolerance generally, and environmental, climate change and sustainability issues. I think that much of what I suggest will become standard within a few years. I hope this will happen because boards are taking their compliance and related obligations ever more seriously. If change does not come voluntarily, it will be imposed from the outside, most likely a very unhappy outcome.

[1] Andrew Jánszky is a corporate governance and compliance consultant.

[2] United States of America v. Embraer S.A., Deferred Prosecution Agreement, 24 October 2016, p. 4.

[3] United States of America v. Latam Airlines Group S.A., Deferred Prosecution Agreement, 25 July 2016, p. 4.

[4] Heltman, John. ‘Fed Drops Hammer on Wells Fargo as Four Board Members Ousted’, American Banker, 2 February 2018.

[5] Board of Governors of the Federal Reserve System, Board Letter re: Accountability as Lead Independent Director of Wells Fargo & Company Board of Directors. Washington, DC: The Federal Reserve, 2 February 2018.

[6] id.

[7] Hiltzik, Michael, ‘The Wells Fargo Board Is Still Getting a Pass for Failure’, Los Angeles Times, 6 February 2018.

[8] Summers, Lawrence, ‘Wells Fargo’s Board Members Are Getting off Too Easy’, The Washington Post, 6 February 2018.

[9] Marchand v. Barnhill, 212 A.3d 805 (Del. 2019) [Marchand].

[10] id., at 807.

[11] Stewart, James B, ‘Problems at Volkswagen Start in the Boardroom’, The New York Times, 24 September 2015; Griswold, Alison, ‘Now That Uber Has a New CEO, Employees Say Its Board Needs to “Grow up”’, Quartz, 2 September 2017; Kitroeff, Natalie; Gelles, David, ‘Boeing Fires C.E.O. Dennis Muilenberg’, The New York Times, 23 December 2019; Gardner, Eriq, ‘CBS Faces Credibility Questions Over Leslie Moonves Investigation’, Hollywood Reporter, 8 August 2018; ‘Airbus Executives Get Swept Away by a Corruption Investigation’, The Economist, 8 February 2018; Tan, Gillian, et al., ‘WeWork Plows Ahead with IPO Plans after Reshaping Board to Counter Skepticism’, Los Angeles Times, 13 September 2019; Carr, Austin, ‘Chipotle Eats Itself’, Fast Company, 16 October 2016; Phillips, Dom, ‘The swashbuckling meat tycoons who nearly brought down a government’, The Guardian, 2 July 2019; Cassin, Richard L, ‘Zimmer Biomet Holdings pays $30 million to resolve new FCPA charges’, The FCPA Blog, 12 January 2017; Watson, R T, ‘Vale’s Management Team Is on Thin Ice After Deadly Dam Break’, BNN Bloomberg, 28 January 2019; Neumann, William, ‘Tyson Settles U.S. Charges of Bribery’, The New York Times, 10 February 2011; Schipani, Andres, ‘Petrobras in $853 million settlement of bribery case that rocked Brazil’, The Financial Times, 27 September 2018; Presley, Linda, ‘The largest foreign bribery case in history’, BBC World Service, 21 April 2018; ‘Chile’s SQM paying $30 million to resolve U.S. corruption cases’, Reuters, 13 January 2017; Cassin, Richard L, ‘Former Chile mining executive to settle FCPA offenses’, The FCPA Blog, 25 September 2018.

[12] Kitroeff, Natalie; Gelles, David, ‘“It’s More Than I Imagined”: Boeing’s New C.E.O. Confronts its Challenges’, The New York Times, 5 March 2020.

[13] Gelles, David; Kitroeff, Natalie, ‘Boeing Ousts Top Executive as 737 MAX Crisis Swells’, The New York Times, 22 October 2019.

[14] Kitroeff and Gelles (footnote 12, above).

[15] US Department of Justice, Criminal Division, ‘Evaluation of Corporate Compliance Programs’, April 2019, p. 9 (emphasis added).

[16] Biskup, Robert, et al., ‘Board Oversight of Corporate Compliance: Is it Time for a Refresh?’, Harvard Law School Forum on Corporate Governance, Harvard Law School, 15 October 2019 (emphasis added).

[17] Kitroeff and Gelles (footnote 12, above).

[18] Klemash, Stephen; Doyle, Rani, Report: ‘Eight priorities for boards in 2020’, EY Center for Board Matters, 19 November 2019, p. 9.

[19] Emphasis added.

[20] ‘Evaluation of Corporate Compliance Programs’ (footnote 15, above), pp. 2 and 3.

[21] For example, ‘The Three Lines of Defence in Effective Risk Management and Control’, The Florida Institute of Internal Auditors, 2013.

[22] Fox, Thomas, ‘Compliance Expertise Needed on the Board’, Corporate Compliance Insights, 9 January 2017.

[23] ‘Evaluation of Corporate Compliance Programs’ (footnote 15, above), p. 10.

[24] Survey by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association, ‘Compliance Training and the Board’, September 2017, p. 6.