Boards face increasingly demanding requirements for oversight. It is no longer enough to have a compliance program on paper. Regulators, courts, and investors expect boards to ensure that compliance systems function to prevent, detect, and respond to misconduct. That expectation places directors at the center of highly technical assessments of investigations, culture, data governance, internal controls, and emerging risks.
In a new article, I argue that this moment raises a distinct governance question: How does the board learn? And more specifically, how should boards structure their relationships with the outside consultants who increasingly conduct compliance assessments that help to determine compliance-program effectiveness?
Under Delaware law, directors must make a good-faith effort to establish and monitor systems designed to provide timely, accurate information about compliance and mission-critical risks. But directors cannot oversee what they do not understand. As firms grow more complex and regulatory expectations expand, the gap between directors’ experience and their oversight obligations may widen.
In practice, boards often fill that gap by turning to outside compliance consultants. These consultants conduct compliance program assessments, including evaluating confidential “speak-up systems” for reporting misconduct, performing cultural audits, and translating operational realities into board-level reports. They do not simply gather information. They frame it. They select what to emphasize and shape how risks are categorized and understood.
That function is educational. It is consequential. And it requires careful consideration.
Compliance consultants are sometimes treated as interchangeable, but they are not. Some operate within robust professional regimes – lawyers and accountants, for example, are licensed and subject to ethical obligations and disciplinary systems. Others, including many management-consulting firms, are constrained primarily by contract and reputation.
These differences matter because compliance assessments are not neutral audits that simply report facts. Consultants often decide which employees to interview, which data to collect, how to characterize weaknesses, and how to present findings to directors. Moreover, a consultant embedded within management, dependent on management for repeat engagements, and compensated through ongoing advisory relationships may feel subtle pressures to soften critiques or prioritize management’s narratives. By contrast, consultants operating within professional licensing regimes – such as lawyers and accountants – are subject to ethical rules, potential discipline, and reputational constraints that shape how they describe risks and conflicts. Institutional position, fee structure, and professional obligations thus influence not only what information reaches the board, but how candidly problems are framed and whether uncomfortable issues are escalated.
When boards treat consultants as fungible, they risk overlooking how differences in institutional position, incentive structure, and professional constraint shape not only the information they receive, but the education they ultimately obtain. This is important, in part, because in many organizations, management determines the scope of the compliance assessment, selects the consultant, provides data to the consultant and board, and sometimes reviews drafts before the board sees them. Even when the board formally retains the consultant, others frequently control the review.
This is understandable. Management runs the business, and consultants need access, so cooperation between the two is essential. But the structure of the engagement shapes how candid consultants can be and what information ultimately reaches the board. If consultants’ role is to educate directors, then boards must determine in advance how they are going to learn – who controls scope, who filters findings, and whether directors have unmediated access to the consultant’s assessments.
In the article, I propose several practical responses. Boards should consider adopting a consultant code of conduct that clarifies expectations regarding independence, candor, escalation of concerns, and disclosure of conflicts. They should examine fee concentration – that is, the extent to which a consultant’s revenue depends on the company or on a small group of repeat clients – and other financial or relationship incentives that might compromise objectivity. They should ensure that consultants report directly to the board or relevant committee and that directors have opportunities to engage without management present.
Most important, boards should define the standards for consultants to evaluate compliance programs. Those standards should be consistent not only with regulations, but also with the firm’s stated purpose, ethical commitments, and risk profile.
Engaging consultants does not relieve boards of their oversight responsibilities. If anything, it heightens the need for carefully defining the role of consultants. As oversight expectations intensify, the durability of corporate compliance may turn less on whether boards hire consultants, and more on how deliberately they govern the conditions under which they are educated.
Veronica Root Martinez is the Simpson Thacher & Bartlett Distinguished Professor of Law at Duke University School of Law. This post is based on her recent article, “The Board’s Education Through Compliance Consultants,” forthcoming in Law & Contemporary Problems and available here.