Jeff Kaplan/Kaplan & Walker / Society of Corporate Secretaries & Governance Professionals 2012 Mid-Atlantic Chapter Fall Meeting

US Sentencing Guidelines
DOJ Prosecution Standards
Delaware case law
  ◦ Caremark, Stone v Ritter
  ◦ Disney: best practices as a way of minimizing risks and costs. Not a C&E case, but logic is relevant to C&E
S-Ox, NYSE rules
Various official expectations outside the US

Types
  ◦ Audit committee charter
  ◦ C&E program charter
  ◦ Job descriptions: CECO; GC or others
  ◦ Investigation and reporting procedures

Sentencing Guidelines: individual with operational responsibility for the program should have express authority to communicate personally to the board or a board committee
  ◦ Promptly on any matter involving criminal conduct or potential criminal conduct, and
  ◦ No less than annually on the implementation and effectiveness of the C&E program
Good practice
  ◦ CECO – multiple reports per year; C&E director (if a different person) – one
  ◦ Both have authority to report to audit committee chair re: alleged misconduct

Given board’s reliance on CECO, typically an important consideration
Many criminal/regulatory settlements require CECO not be part of law department
But for many companies CECO can be part of law department if have other indicia of independence
  ◦ Strong informational reporting relationship with board
  ◦ Audit committee monitoring of compensation and duties

These are not mutually exclusive, nor should any board necessarily cover all
  ◦ Rather, key is to find what is most helpful for a given company/board
First, main elements and attributes of an effective C&E program, but focus on those where directors can really make a difference
  ◦ Elements: incentives, discipline, senior management involvement
  ◦ Attributes: authority, independence, reach, resources, organizational culture

Second: particular focus on system for encouraging reports of violations
  ◦ At the heart of Caremark and S-Ox obligations
  ◦ Look for weak spots (by business or geography)
Third: other program metrics
  ◦ Can be helpful, e.g., employee survey/focus group results; audit results; breaches; training completions; many others
  ◦ But some boards worry too much about this – and there is no magic quantitative approach to C&E metrics

Fourth: risk areas
  ◦ Stone v Ritter underscores need
  ◦ Board should have sense of C&E risk assessment methodology (and why you think it works)
  ◦ For top risk areas (e.g., EHS, FCPA, Antitrust) provide ongoing information about: risks; mitigation plans; adherence to plans
Asking good questions is key to any of these approaches
  ◦ See boards-should-ask.html

Going beyond audit committee
Oversight is part – but not all – of what should be covered in training
Individual C&E risks for directors (e.g., COIs, confidential information) should also be addressed because
  ◦ Director integrity key to market confidence; violations by directors can undermine this
  ◦ Relevant to oversight of senior management, since many of the risks are the same
Consider cataloging all the C&E information your board gets to see what’s missing, and develop a true curriculum map (of current and planned training/communications)

Strong expressions of support for these by
  ◦ Justice Department
  ◦ Sentencing Commission
  ◦ OECD Anti-Bribery Good Practice Guidance
Boards generally encouraged to rely on experts – may be particularly useful for C&E programs
Assessment report can provide framework for ongoing program oversight for years to come
The very act of commissioning an assessment itself helps show that the board is serious about C&E