The Guidelines, in particular, put meaningful burdens on the board to:
foster a culture of good risk management;
ensure there are systems designed to prevent and detect criminal conduct;
assign responsibility for compliance with the myriad laws, rules and regulations to which a company is subject; and
give those assigned that responsibility adequate resources, authority and access "to the top" to enable an effective system of corporate training, compliance and monitoring at every consequential level of the organization.
In short, good governance must be understood to mean good compliance.
What are the elements of good compliance?
For starters, boards cannot blindly defer to management with respect to compliance matters. Rather, checks and balances must be carefully built into the corporate system. This requires, first, that directors not be overcommitted. Independent directors who have other, primary jobs should serve on two or three boards at most.
Second, adequate resources must be devoted to compliance. What is adequate will be a function of the compliance burdens on the company and the company's financial wherewithal, but sufficient resources should be available to enable the board to do its duty and to staff the corporate compliance functions adequately. An identifiable compliance office should be at the top of the list of needs to be funded.
And, while many companies have established a chief compliance officer, those officers do not necessarily report directly to the board. They should.
The CCO should not have another senior executive or CEO between her/him and the representatives of the shareholders and ultimate governors of the corporation; management should not be in a position to wall off the committee chair from any circumstances of which (s)he should be aware.
Third, every board should have a compliance committee, the function of which is to oversee compliance programs and activities. The committee should be dominated by independent directors; without doubt, it should be chaired by an independent director. Without such a body, it is impossible for boards to have the necessary line of vision into the risks associated with their business so they can prevent, detect and resolve compliance problems.
The committee should have adequate resources to do its job; the compliance staff should report to the chair of the committee; all employees should have whistle-blowing access to the committee.