1. Jeff Kaplan/Kaplan & Walker / jkaplan@kaplanwalker.com jkaplan@kaplanwalker.com Society of Corporate Secretaries & Governance Professionals 2012 Mid-Atlantic Chapter Fall Meeting

2.  US Sentencing Guidelines  DOJ Prosecution Standards  Delaware case law ◦ Caremark, Stone v Ritter ◦ Disney: best practices as a way of minimizing risks and costs  Not a C&E case, but logic is relevant to C&E  S-Ox, NYSE rules  Various official expectations outside the US www.kaplanwalker.com2

3.  Types ◦ Audit committee charter ◦ C&E program charter ◦ Job descriptions  CECO  GC or others ◦ Investigation and reporting procedures www.kaplanwalker.com3

4.  Sentencing Guidelines: individual with operational responsibility for the program should have express authority to communicate personally to the board or a board committee ◦ Promptly on any matter involving criminal conduct or potential criminal conduct, and ◦ No less than annually on the implementation and effectiveness of the C&E program  Good practice ◦ CECO- multiple reports per year; C&E director (if a different person) – one ◦ Both have authority to report to audit committee chair re: alleged misconduct www.kaplanwalker.com4

5.  Given board’s reliance on CECO, typically an important consideration  Many criminal/regulatory settlements require CECO not be part of law department  But for many companies CECO can be part of law department if have other indicia of independence ◦ Strong informational reporting relationship with board ◦ Audit committee monitoring of compensation and duties www.kaplanwalker.com5

6.  These are not mutually exclusive, nor should any board necessarily cover all ◦ Rather, key is to find what is most helpful for a given company/board  First, main elements and attributes of an effective C&E program, but focus on those where directors can really make a difference ◦ Elements: incentives, discipline, senior management involvement ◦ Attributes: authority, independence, reach, resources, organizational culture www.kaplanwalker.com6

7.  Second: particular focus on system for encouraging reports of violations ◦ At the heart of Caremark and S-Ox obligations ◦ Look for weak spots (by business or geography)  Third: other program metrics ◦ Can be helpful, e.g.,  Employee survey/focus group results  Audit results  Breaches  Training completions  Many others ◦ But some boards worry too much about this – and there is no magic quantitative approach to C&E metrics www.kaplanwalker.com7

8.  Fourth - risk areas ◦ Stone v Ritter underscores need ◦ Board should have sense of C&E risk assessment methodology (and why you think it works) ◦ For top risk areas (e.g., EHS, FCPA, Antitrust) provide ongoing information about  Risks  Mitigation plans  Adherence to plans  Asking good questions is key to any of these approaches ◦ See http://www.fcpablog.com/blog/2010/6/8/what- boards-should-ask.htmlhttp://www.fcpablog.com/blog/2010/6/8/what- boards-should-ask.html www.kaplanwalker.com8

9.  Going beyond audit committee  Oversight is part – but not all – of what should be covered in training  Individual C&E risks for directors (e.g., COIs, confidential information) should also be addressed because ◦ Director integrity key to market confidence; violations by directors can undermine this ◦ Relevant to oversight of senior management, since many of the risks are the same  Consider cataloging all the C&E information your board gets to see what’s missing, and develop a true curriculum map (of current and planned training/communications) www.kaplanwalker.com9

10.  Strong expressions of support for these by ◦ Justice Department ◦ Sentencing Commission ◦ OECD Anti-Bribery Good Practice Guidance  Boards generally encouraged to rely on experts – may be particularly useful for C&E programs  Assessment report can provide framework for ongoing program oversight for years to come  The very act of commissioning an assessment itself helps show that the board is serious about C&E www.kaplanwalker.com10