Since the enactment of the Sarbanes-Oxley Act of 2002, corporate counsel have devoted much of their time to guiding their board of directors and senior management through the flurry of new regulations and developments in the areas of corporate governance and compliance. By now, most companies have adopted the requisite board committee charters, codes and procedures necessary to comply with the Sarbanes-Oxley Act, related Securities and Exchange Commission rules and stock exchange listing standards and are well on their way to completing their internal controls review required by Section 404 of the Sarbanes-Oxley Act.
Having guided the board and senior management through the implementation of corporate governance procedures, corporate counsel will bear much of the responsibility for ensuring that those procedures function in an effective manner on an ongoing basis. As part of that responsibility, corporate counsel must work with the board of directors to ensure appropriate oversight of the company's compliance programs. This has increasingly been seen as a significant component of the board's responsibility and was emphasized in amendments to the sentencing guidelines proposed earlier this year. As counsel approach these tasks, it may be helpful to review a few general principles that have emerged in the areas of corporate governance and compliance.
Since the Enron scandal, it has become clear that in order for corporate governance and compliance to be effective, they must be integral aspects of the company culture. As a starting point, the board and the executive officers must understand and agree on what corporate governance and compliance mean to the company. In this regard, I note that corporate compliance has a generally accepted definition as compliance with and enforcement of company policies and applicable laws and regulations. While no single definition of corporate governance has emerged over the past few years, I would suggest that it encompasses conducting business and managing the company in a manner that emphasizes ethical and honest behavior, compliance with applicable laws and regulations, effective management of the company's resources and risks, and accountability of persons within the organization. Once the board and executive officers have agreed on the definitions, they must take leadership roles in setting the appropriate ethical tone for the organization. The board and senior management must effectively communicate to the organization that they have high ethical standards for themselves and others.
As aspects of the company's culture, corporate governance and corporate compliance should be considered as daily practical components of the company's business. Whereas they were once considered "lawyers' issues", corporate governance and compliance must gradually come to be understood as integral elements of business decisions and operations.
Another principle for counsel to consider is the centralization of corporate governance and compliance responsibility in one officer or department. This is not meant to lessen the responsibility owed by each individual in the organization for effective compliance - it is meant to provide leadership and to promote consistency and uniformity in the application of standards and consistency among individual compliance programs. This officer/department should have direct and regular access to the chief executive officer and, as appropriate, the board of directors. Company employees on all levels should be able to bring matters to the attention of the compliance officer.
Governance practices and compliance programs should be reviewed periodically for their effectiveness and practicality in light of the company's particular circumstances and industry best practices. As part of the periodic review, the interrelationship between practices and programs should be considered to ensure effectiveness as a whole. Most companies have developed discrete compliance programs for matters such as employment discrimination, customs/export control, or specific regulations relating to the industry. Given the specialized nature of many of these regulations, such policies are often generated and administered by specific departments within the organization without review for overlap or conflicts with other policies.
Policies should be effectively communicated to the appropriate employees and periodic mandatory training for company employees at all levels should be administered. While some topics, such as ethics and general compliance with the company's code of conduct, are appropriate for all employees, in most cases, training must be customized to the individual's or department's role in the organization. The training program in general should be reviewed periodically with the board of directors.
Informal compliance and governance practices should be formalized. While this may seem an unnecessary waste of time and resources, all too often employees are not aware of informal policies or, particularly across large organizations, over time, different policies on the same issue develop. Memorializing a policy is also an excellent way to initiate a review and evaluation of that policy.
Legal and regulatory requirements applicable to the company should be reviewed periodically. In addition, the company should carry out periodic audits of its practices and policies to make certain that it has appropriate systems in place to address applicable legal and regulatory requirements. As part of that process, the company should review each compliance program to ensure that no program operates in such a manner as to cause the company to inadvertently run afoul of a legal requirement in another area. One area of concern increasingly identified by company counsel is data protection regulation, particularly in multinational businesses. The results of reviews and any remediation necessary should be discussed periodically with the board of directors.
Carol B. Stubblefield is a partner in Coudert Brothers' New York office and a member of the firm's international securities practice.