Hotel Compliance The Board of Directors
William Harriss
Entrepreneur, Inventor and Innovationist, Journalist, Writer, Author, Professional Company Director, Small Resort Owner, Hotel Hygiene and Sterilization Specialist.
By William H Harriss, from his shortly-to-be-published book, ‘Golden Information For Hoteliers’
Many of the hotel Group's directors believe they can just limbo under the pole of Government Compliance Rules and authoritative orders. But then, some directors, I am sure, are unaware of their responsibilities in compliance matters. What is certain in law is that compliance begins with the board of directors; they are primarily responsible and will always remain so.
The legal requirements are simple for the basic Board requirements in any best-practices compliance program. It all starts with expertise on the Board. Does the Board have a compliance subject matter expert on the Board or as chair of the Compliance Committee or sitting on the Audit Committee? If not, why not? Does the Board have a former CCO or other people with significant experience in the nuts and bolts of compliance sitting on it? Is there someone on the Board who can cut through the numbers presented to the Board to ask tough, probing questions of the CCO?
If there is not such a person sitting on the Board, is there a subject matter expert available to the Board who is separate and apart from the compliance expert resources the company uses to assist the corporate compliance function? Is that person a resource to the Audit Committee or other Board sub-group or subcommittee, and does he or she report only to the Board so that there is no conflict of interest with any other corporate function?
The next inquiry involves whether the Board provides access to the CCO for executive sessions. In other words, does the Board receive information in an unfiltered manner? This is regardless of to whom the CCO may directly report, such as a General Counsel or even CEO. Here, the DOJ recognized the corporate reality that unless the CCO can have unfettered access, the CCO could be cut off or shut down by a CEO, simply by minimizing the face time in front of the Board to as little as 15 minutes per year. In short, to fulfil its oversight obligations, and to ensure that it is receiving timely and accurate information, the Board must provide the CCO with regular, unfettered access, without fear of repercussion.
The third and final question goes towards the Board’s obligation to actively participate in the compliance function. One might view this as the flip side of the CCO access, because this inquiry focuses on the Board’s affirmative examination of the compliance program. What information has the Board received from the CCO that it tested or took a deep dive into so that it could examine if a compliance program was fully operationalized in an organization?
The “fundamental” questions that a prosecutor will ask are: 1) “Is the corporation’s compliance program well designed?” 2) “Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?” and 3) “Does the corporation’s compliance program work in practice?” If a prosecutor will be asking these questions of a corporation, then any responsible Board member had better be asking those questions of the CCO and management. In light of available pronouncements regarding the Board’s obligations, a director may breach his or her duty to a corporation and its shareholders by failing to establish and examine the compliance program.
A Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions and independently assess the answers. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask hard questions and be fully informed of the company’s overall compliance strategy going forward.
Taken collectively, these points drive home the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. Separately, in a series of rule-making pronouncements, the SEC has also made clear that it believes a Board should take a more active role in overseeing the management of risk within a company. Moreover, under the FCPA and other criminal statutes, a director may be personally fined and jailed for an FCPA violation.
Different rules apply in different countries, but they are all similar and harsh on directors. There is plenty of case law for several countries available.
Boards have taken someone's advice, I am not sure whose, and set up an assortment of schemes to try and make others responsible for the company's compliance failures. They believe they can throw their arms in the air and say, well, we took and followed advice from experts, and it is their fault and not ours.
Some have given compliance responsibilities over to compliance management companies. Several of them have even contracted the advice of medical companies to advise and then approve their hotel and cruise ship bedroom and bedding cleaning and sanitising programs.
Under the U.S. Federal Sentencing Guidelines, to receive credit for having an effective compliance program, and thereby reduce the fines imposed on the organization, a Board of Directors must be “knowledgeable about the content and operation of the compliance and ethics program,” and must “exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” In addition, in criminal actions against a business organization, including the FCPA, the DOJ’s Justice Manual instructs prosecutors to ask and answer several questions, including: 1) Do the Directors exercise independent review of the company’s compliance program? and 2) Are Directors provided timely and accurate information sufficient to enable the exercise of independent judgment?
I want to assure the boards of the Hotel, Resort, and Cruise Ship Groups that the directors will remain responsible regarding compliance, regardless of whether they have inserted others between them and where they think they can divert responsibility. Directors and the board can never be removed from the compliance breach problem. Directors and management retain their responsibility for compliance. They cannot simply "delegate away" this responsibility to a compliance officer, a Medical Company adviser, a chemical cleaning product supplier, or a compliance management company. All those people may seem to take the weight off a serious matter and procedures, and the groups may be able to sue them contractually if they fail to protect them. But the directors and management remain liable for all breaches, even if the violations are opposite to advice given by others.
Some medical companies advising the groups who have not made sterilization of bedding a feature in the hotel cleaning programs have set a trap for themselves. Because most of the Medical Groups involved have sterilization of bedding programs in their hospitals, a client suing a hotel will readily have that information.
Just about everyone connected to the Hotel Industry is fully aware that some items of bedding and bed pillows are rarely washed and never sterilized. Clients stand the definite risk of contracting diseases from hotel bedding. The directors are aware and they are in serious breach of compliance in doing nothing about it.
Most of the world of hoteliers now know that every unsterilized bed pillow will contain pathogens, and some will also contain black mould spores and bed mites. That is the greatest compliance matter that some group leaders are trying to pretend does not exist.
A US law firm has already approached me to advise on the matter. I have, at this time, denied that request.
Compliance officers in some companies are untrained and are not experts in the field of compliance. People have been given jobs for which they are not qualified. What will happen if such people are called to court to give evidence? Compliance managers must know how to implement various controls that different governmental and industry standards organizations require. Being a compliance manager can sound tedious to a lot of people. When people think about compliance, they often think about checking boxes on audit forms. However, compliance management is more like putting together a jigsaw without having the cover picture. Compliance issues come from various regulations and industry standards, often overlapping and sometimes disconnected.
Compliance is a trending issue in our increasingly regulated and complex business world. We have all seen giants such as Enron fall after issues of non-compliance and the numerous cases of personal data breaches on the nightly news. Yet, regardless of scope or industry, every organization is legally obliged to have an effective compliance program as outlined by the 2010 U.S. Federal Sentencing Guidelines Manual. Unfortunately, regulations have become so complex that large organizations often allocate entire departments to these efforts. As a result, the cost of non-compliance is three times greater than that of an effective compliance program. Ref: Ponemon, 3.
Every society has rules and conventions that define proper and improper behaviours, typically underlined by moral values. Compliance organizations and programs saw their beginnings in protecting consumers and setting centralized governmental oversight over public safety concerns during the early 20th century. For example, the Food and Drug Administration's modern regulatory functions began in 1906 with the passage of the Pure Food and Drugs Act to provide basic protections to consumers, such as product labels, in response to public dissent on food processes spurred by publications such as Upton Sinclair's The Jungle (FDA). These first programs in compliance focused on public safety initiatives and public concerns and took on a public-centred approach to compliance. As the U.S. experienced capital growth during the 1950s and 1960s, the modern management and organizational cultures we experience today began to emerge. Around this time, sociologists such as Amitai Etzioni also began the study of compliance within societal structures, and we as a culture began to realize the necessity of compliance programs from within the organization. Ref: Coughlin.
During the 1970s, events such as the passage of the Foreign Corrupt Practices Act (created to curb illegal payments by companies above $300 million to foreign officials) and the creation of the EPA and DEA led to a shift in the structure of compliance programs from public initiatives to internal functions within organizations. In the 1980s, procurement scandals by the Department of Defense (such as paying $600 for toilet seats) led to the creation of industry-wide initiatives that called for the government to create guidelines for the creation, adoption, and implementation of ethical practices. Ref: Packard. Creating these initiatives acknowledged that it was the contractor's responsibility to ensure ethical business practices on behalf of the government.
In 1991, the U.S. Sentencing Commission created the first federal sentencing guidelines for organizations in response to inconsistent criminal sentencing for non-compliance and compliance failure. These guidelines were the first publications to outline key elements of an effective compliance program and were the basis for the seven principles all organizations must follow today. Later, scandals such as WorldCom (Inflated Stocks Pricing) and Enron (Fraudulent Loss Transparency) highlighted the need for a shift in compliance strategy from indicting non-compliant companies to a strategy of reforming corrupt corporate culture (List). This shift in compliance strategy led to our current structure of compliance risk management systems and general counsel oversight that provides an internal proactive stance to effective compliance.
By 2013, compliance in the U.S. was larger than Sweden's GDP; regulatory compliance amounted to $112 billion in regulatory costs and 157 million man-hours of paperwork for U.S. workers. Ref: Batkins. While the strategy for compliance has changed over the last century, so have the processes and technologies involved.
Hotels, motels, casinos, ski lodges, resorts, and more all fall under the Occupational Health and Safety Administration [OSHA] regulations for General Industry. The General Industry Standards are found in Title 29 Section 1910 of the Code of Federal Regulations (29 CFR 1910) and refer to industries not included in agriculture, construction or maritime.
Classification under General Industry regulations requires hotels to comply with a wide range of standards, including providing appropriate hazardous communication training and personal protective equipment (PPE) to keep their employees safe while working. Hotels must also comply with OSHA recordkeeping requirements.