Compliance: Telling the Board What it Needs to Know

Thursday, November 03, 2011

Thomas Fox


In an article in the July issue of Compliance Week Magazine, entitled “Telling Your Board What it Needs to Hear”, author Arielle Bikard discusses the views of Pfizer Inc’s Chief Compliance Officer (CCO), Douglas Lankler, on how he keeps the Pfizer Board of Directors up to date on compliance issues.

There are many articles which focus on the information that a Board of Directors may want to receive, and this is one of the few which focuses on the issues from the perspective of the CCO.

Reporting Structure

Due to a recent compliance enforcement action, Pfizer was forced to separate its compliance function from its legal function and Lankler began to report directly to the Board.

This has led to a tripartite level of reporting at the Board level. There is a monthly meeting of the Audit Committee, to which he reports by telephone, and bi-monthly in-person meetings, to which Lankler also reports.

There is also a special Board level committee dedicated to regulatory and compliance issues, to which Lankler began reporting in June. Lankler also submits an annual report to the full Board.

What is Measured and How is it Presented

Lankler noted that the Pfizer Board is “very concerned about how the company is measuring improvements in the compliance function.” To provide this information, Lankler measures the results of inspections during internal monitoring and auditing. He provided the example of whether a country assessed received a “generally satisfactory” rating as opposed to the lesser rating of “satisfactory”.

He is also measured on “how much bad stuff I prevent from happening.” To determine this metric, Lankler brings in “external environmental considerations” which look at what is happening in the industry and what his and Pfizer’s peers may be facing from the compliance perspective.

Lankler believes that the key to reporting is to provide sufficient information presented in a manner which puts the emphasis on what is important. To achieve the latter, he prepares a tracking chart and uses a red, yellow and green dot next to each line of information. He believes that this allows the conversation with the Board to be directed “in a way that makes sense.” If he adds to or subtracts from the tracking chart, “the change and its cause are highlighted in a memo to the Board.”

The annual report which is submitted to the Board comes in at 30 pages or so. In it, Lankler sets out four different areas which he believes that a Board needs to review on an annual basis. They include:

(1) his views on what he believes to be the most significant compliance risks to the company

(2) his opinion on whether the program has sufficient resources to achieve what is necessary in managing these risks

(3) his belief on the “health of the organization from a compliance perspective”, and, finally

(4) his perception of management’s commitment to compliance.

Lankler’s Lessons Learned

Lankler also gave some lessons learned about what he believed that the CCO should tell the Board. It is important that the CCO share information with the rest of management in advance of the Board meeting, creating transparency.

As the CCO works with the General Counsel, outside legal counsel and outside external audit quite closely throughout the year, he must work with them closely during the preparation of the annual compliance report.

Lastly, and from my experience always the one which is most important in any relationship with senior management or the Board, make sure there are NO SURPRISES.

Cross-posted from Tom Fox Law

Chris Rich The role of the CCO here is well structured and could serve as a model for other (large) organizations, though, things can and will change. I agree with your statement that the best way to maintain this relationship is to make sure there are no surprises. Like security, compliance problems are often a big surprise. Increased attention to compliance will help organizations protect themselves and their customers more proactively.

At NetWrix, we develop solutions that help organizations around the globe, large and small, to sustain regulatory compliance, improve security and to promote IT infrastructure visibility. We are finding more and more upper management and C-level staff investing more of their attention to these areas.

Chris Rich
Product Manager
NetWrix Corporation
NetWrix is #1 for Change Auditing and Compliance: Simple, Lightweight, Affordable