Compliance Systems That Align to Fail Together (Part 1)
My whistleblowing adventures included more than 150
complaints and follow-ups with about 33 officials. Eleven of those offices never replied to my
communications, and another six stopped replying to my follow-up messages. Consistent with that governmental
indifference, half of the issues that I raised remain unresolved two or more
years later. Constrained by budgets,
government agencies cannot, it seems, be relied on to investigate possible
misdeeds on their own. Corporations also
have a responsibility to ferret out wrongdoers and make things right.
In its Sentencing
Guidelines Manual, the U.S. Sentencing Commission outlines elements of an
effective compliance program – including a code of conduct and related
policies, a compliance office and monitoring procedures, and a knowledgeable
Board – that can mitigate penalties in the event of a criminal conviction for
wrongdoing. Guided by its Board and the 2004
California Nonprofit Integrity Act, HomeFirst implemented many of these
elements, but problems still arose.
Each year HomeFirst’s Board of Directors approved an
Employee Handbook which included an Ethics and Conduct Policy that required all
directors, officers and employees to observe high standards of business and
personal ethics. “We must practice
honesty and integrity in fulfilling our responsibilities and comply with all
applicable laws and regulations,” it urged.
In addition, estimable values were front of mind: “We aspire to an excellence that is marked by
diligent effort; pursuing excellence means always bringing our highest quality
work forward and demonstrating integrity, accountability and transparency in
all aspects of our work.” The code of
conduct was bolstered by policies on whistleblower protection, conflicts of
interest, document retention, and other matters to ensure that the code was
effective. While ethical codes like
these can be comforting, they seldom deter wrongdoing[1]. Enron,
Volkswagen,
and other corporations had admirable policies before committing their
well-publicized wrongs. More critical than written
policies is the way they are realized in the organization’s behavior.
Management Oversight
The primary responsibility for HomeFirst’s compliance
belonged to program management: the Chief Program Officer, her program
managers, and others who served clients according to the terms of government
contracts and private grants. Program
managers were positioned to readily correct common contract violations, such
as file documentation that did not support client eligibility or services that were
not provided as required by contracts.
They could not as easily identify violations in billings or compliance
with loan agreements and legal requirements; those were attended by
administrative management, like CEO Jenny and me.
Correcting some program violations could, however, be time
consuming, difficult, or costly. Correction
of the master lease violations, for example, required managers to negotiate new
leases with landlords who would not benefit from the change or to relocate
clients to new apartments. If the
violations were tolerated by senior management, they might be corrected slowly
or not at all. Operating management,
which had limited resources, might skirt inconvenient demands, so HomeFirst
employed additional layers of oversight.
Compliance Officer
HomeFirst designated me, in my CFO role, as Compliance Officer. I was charged with receiving internal
whistleblower complaints, reporting them to the chair of the Audit Committee,
and investigating them. A contract
compliance review program provided an annual monitoring of compliance with
contracts that accounted for about 75% of government revenue. I reported the detailed results of these
reviews to Jenny and program management, describing my findings and
recommendations for corrective action. I
also provided monthly reports of violations to the Finance Committee and the Board.
Compliance programs like HomeFirst’s are often initially well
accepted when they follow compliance crises.
Over time, though, the perceived legitimacy of compliance programs can
diminish[2]. Six years after HomeFirst’s disastrous 2006
audit, Jenny decided that she wanted to exert more control over the way reviews
were conducted. Program managers were afraid of the existing
process, she said. In particular, she
wanted staff to be told exactly what I would examine and to be given time to
prepare their files before I arrived. She
insisted that the reviews not investigate anything that I had not
pre-identified. In 2014 after I pointed
to an increased number of compliance violations, Jenny considered that it might
be time to shift responsibility for compliance to program staff.
Managers may justify weakening compliance programs for a
variety of reasons.[3] Benefits from the programs are difficult to
prove. Because staff may be basically ethical,
the program is unnecessary. Compliance
requirements can crimp business practices that are considered legitimate enough. Because management pressures can impede the operations
of an ethics program, the Sentencing Commission hoped that Board oversight
would help ensure appropriate governance.
Board of Directors
The Finance Committee of the Board oversaw HomeFirst’s
financial performance and strategies, policies and procedures, and compensation
packages. The Committee met monthly
prior to Board meetings to discuss the financial statements and other topics
that fell within my area of responsibility, including preparation of the
budget, contract compliance, cash management and forecasting, banking,
insurance, IT, and property management.
The three Finance Committee members joined in the decision to fire me.
The California Nonprofit
Integrity Act aimed to improve corporate governance, accountability and
transparency in the nonprofit sector, by requiring companies with revenues of
more than $2 million to have an Audit Committee and an annual audit and to
comply with rules relating to commercial fundraising. In practice, the role of HomeFirst’s Audit
Committee depended on the background and interest of the Committee members,
which diminished in quality as the 2006 problems passed from memory. In any event, while HomeFirst’s auditors
welcomed input from the Audit Committee, established audit procedures, guidance
from the American Institute of CPAs and others determined how they conducted their
work. The chair of the Audit Committee supported
the decision to fire me.
The full Board of Directors, which
met about seven times a year, was the primary legal decision-making body of the
corporation. The Executive Committee of
the Board met monthly and officially comprised the Chair, Treasurer, and
Secretary, but in practice it also included the Vice-Chair, who would usually
become the next Chair, the chairs of the Audit and Development committees, the
past Board Chair, and occasionally others.
HomeFirst empowered the Executive Committee to make most decisions on behalf
of the Board although the Committee, like the Finance and Audit Committees,
deferred all decisions to the full Board.
The Executive Committee members also participated in firing me.
As the ultimate
decision-maker, the Board has responsibility for the actions of the
corporation, and its members must be good fiduciaries[4]. They must avoid self-dealing and conflicts of
interest. They must act as a “prudent
person” would. If the directors exercise
independent judgment in good faith, then they can avoid liability for the
ill-effects of their decisions unless they are grossly negligent. Since HomeFirst’s board was self-perpetuating,
they legally answered only to themselves, but they felt, and the community
might have expected, that they were responsive to the community.
The board is also responsive
to the CEO, and a healthy relationship between the CEO and the board is often
viewed as critical to the success of the CEO, the board, and the corporation[5]. Jenny’s participation in all Board and
committee meetings, her organization of board retreats, and her one-on-one
meetings with members went far to build that healthy relationship. In a 1990 survey, nonprofit board presidents felt
that their CEOs were more responsible for company results than were the boards[6]. Under those circumstances the CEO might naturally
lead, and perhaps should lead the board, they felt.
The possibility of complicity between the board and the CEO led California’s Nonprofit Integrity Act to require independent audits of larger
nonprofits. Perhaps external auditors could keep a tilting company upright.
[1] Kaptein, Muel. “Toward
Effective Codes: Testing the Relationship with Unethical Behavior.” Journal of
Business Ethics 99 (2011): 233-251
[2] Trevino, Linda Klebe, Niki
A. den Nieuwenboer, Glen E. Kreiner and Derron G. Bishop. “Legitimating the
Legitimate: A Grounded Theory Study of Legitimacy Work among Ethics and Compliance
Officers.” Organizational Behavior
and Human Decision Processes 123 (2014): 186-205
[3] Ibid.
[4] Brody, Evelyn. “The Legal
Framework for Nonprofit Organizations.” In The Non-Profit Sector: A
Research Handbook, 2nd edition,
Walter W. Powell and Richard Steinberg (eds.) New Haven: Yale University Press.
2006
[5] For example: http://betterboards.net/relationships/the-board-and-the-ceo-relationship/;
http://www.nonprofitrisk.org/library/articles/Lets_Work_Together.shtml;
http://www.governance.com.au/board-matters/fx-view-article.cfm?loadref=2&article_id=42DE41E2-C01E-4CF6-9D648F68B0746CF7;
http://www.huffingtonpost.com/jeffrey-walker/the-most-important-relati_b_3748510.html
[6] Herman, Robert D. “The Effective Nonprofit
Executive: Leader of the Board.” In Nonprofit Management and Leadership 1.2 (1990):
167-180