How should a board oversee ethics?

I recently moderated a keynote address by Andrew Fastow, the former CFO of Enron, and followed up by delivering a keynote on the role of the board in ethics, tying in aspects of Mr. Fastow’s speech. What follows is based on my speech; it incorporates not only my interactions with Mr. Fastow but also those with Messrs. Conrad Black and Arthur Porter, and draws on my work with boards that have succeeded and failed in their ethics oversight.

Here are ten ways a board can oversee ethics:

  1. Ask the right questions.

Good questions for boards, when faced with an ethically problematic action, are: (i) How will this action affect our reputation? (ii) How will this action affect us over the long term? (iii) What are the aggregate effects of this action? (iv) How will objective parties view this action, especially if current circumstances change? (v) Even if this action is technically correct or permitted, does it meet the principle or spirit of the applicable guidelines and rules? and (vi) Are we doing the right thing?

Management should have detailed answers to these questions, and should then leave the room so that only the independent directors remain to discuss them.

  2. Have a line of sight over ethics, integrity, reputation and culture.

Many behavioural and integrity controls fail in their design and implementation, either because they do not go far enough or because they are subject to management override. These controls should be independently audited. Good companies are measuring and assuring reputation, integrity and risk culture for their boards. It is important that this assurance reach the board unfiltered by reporting management. Good Audit and Quality Committees are reaching deep into organizations to view culture, quality and “tone in the middle.” Toxic culture or wrongdoing can bring enormous and rapid harm to brand and reputation. Bad news needs to rise, without delay, and good boards do not want surprises. The days of boards overseeing just the CEO and other senior management are gone. Management needs to accept more activist boards. This does not mean boards are running companies, but they are overseeing conduct.

  3. Use executive sessions, questions and information as your leverage touch-points.

Have the authority in your board and committee charters to obtain any information, to interview any personnel, and to obtain any outside assistance that you need in order to fulfill your duties. If management can block access, you now work for them. Obtain disconfirming information from the outside as well. Meet directly with auditors, consultants, the risk function and the compliance function, including without any manager in the room. Meet also with major long-term shareholders without any manager present. Only then will you hear what others hear; otherwise boards can live in an echo chamber. You do not want to be the last to know.

  4. Make sure your lawyer is independent.

The person drafting the above charters, including your clawback clause (see 6. below), should not be the general counsel, the external counsel who works for management, or their colleagues at the same law firm. None of these parties is independent. Just as auditors and compensation consultants must be independent, so should the board’s counsel. Independent assurance on related-party transactions, conflicts of interest, the code of conduct, investigations, integrity risks and whistle-blowing cannot be provided by management or their advisors. Only independent advisors will be free to recommend action that corrects and directs (and, when necessary, terminates) reporting management.

  5. Address whistle-blowing defects.

Once the Ontario Securities Commission enacts a whistle-blowing reward regime, as the Securities and Exchange Commission has done in the U.S., there will be a changeover from the defective regimes currently in place. If the point of contact for a whistle-blowing program is any manager, the policy is defective. The point of contact must be an independent person or party who reports directly to the Audit Committee. Only then will anonymity be preserved and the channel be used fully. Bad news needs to rise, and investigations need to occur when warranted; neither happens if it is management investigating management.

  6. Pay for conduct and performance.

Pay drives behaviour, including ethics. Many pay committees under-utilize their executive pay toolbox and their control over management.

Because pay practices can incent risk-taking and unethical conduct, good regulators and pay committees require ethical conduct to be tied to executive pay. If risk management or the Code of Conduct is breached, executive pay should not vest, and should be clawed back if it already has. Conduct and risks should be evaluated every pay period before the pay committee allows equity to vest or a bonus to be received. Ethics and morals clauses should be in every executive and employee contract, and directors need to lead by example, with ethics clauses drafted into their own terms of service. A good board insists on resignation in advance if an ethics clause is breached.

  7. Oversee the oversight functions.

Your eyes and ears in the company are internal audit, risk and compliance. These functions must now have reporting channels right into the boardroom and its committees. Does your board directly oversee these functions? Does your company even have these functions? I have recommended to numerous boards that they hire these functions, and doing so can greatly improve toxic culture, flawed risk management and unethical conduct. Just as in the early 2000s, when the audit committee began to hire, fire and pay the external auditor, now the audit and other committees and the board hire, fire and pay risk, compliance and internal audit.

  8. Speak up and recruit a board challenger.

When directors and chairs are chosen on the basis of pre-existing relationships, as many or most are, directors become beholden to each other or, worse yet, to management. These directors will not speak up or ask tough questions, as they are owned by their extra-boardroom relationships. The board becomes accountable to management rather than the other way around. Boards where fraud has occurred, including Enron’s, often met governance guidelines. Andy Fastow said that the Enron board not only approved but encouraged his actions (in the words of one director): “Fastow you are a —- genius!” Recruit directors who have no pre-existing relationship to any other director or manager. This includes female directors.

  9. Recruit independent, competent directors with courage.

Independence of mind is not the same as formal independence. Smart managers can capture directors through relationships, perks and incentives. There are directors on boards who are well out of their depth. They are there because of relationships, profile and glow, but know little about the actual business and cannot or will not challenge because they are captured. Seeing them ask perfunctory questions is akin to watching a fork try to hold water. Only when a director is truly independent and competent can that director challenge. Often directors are docile simply because they do not know what to do.

  10. Set tone at the top.

Lastly, and most importantly, set the ethical tone. The actions and behaviour you observe as a director are the tone that you have just accepted. Good tone at the top is unambiguous, applies to everybody, and is consequential. And it is exercised. It is the board, not just management, that sets tone. I recall the story of the audit committee chair who saw the CFO go through customs at an airport and not declare a bottle of wine. The next morning, the CFO was fired.

Management is fond of explaining unethical conduct away by saying it was a “rogue” employee. Boards are fond of explaining unethical conduct by saying “we missed it.” If boards and management teams are truly honest, they know they should not have missed it and that it was not a rogue employee. It was an employee operating within the culture that was accepted.

In all of my interviews of directors over the years, including during ethical failure, when I ask about directors’ greatest regret, the answer is consistently, “I should have spoken up when I had the chance.” Speaking up is incredibly important when it comes to tone at the top. If you are uncomfortable, “speak up” is the best advice I could give a director. Chances are, several of your colleagues are thinking the exact same thing.

Why integrity is good for business, and the role that boards play

“We didn’t know.” “We missed it.” “It was a rogue employee.” There is not an excuse I have not heard for ethical failure. But when I investigate a company after allegations of fraud, corruption or workplace wrongdoing, almost always there is a complacent, captured or entrenched board that did not take corrective action. In a few cases, boards actually encouraged the wrongdoing.

The first myth is that the board is a “good” board. There is no relationship between the “glow” or profile of directors and whether the board is “good.” Often there is an inverse relationship, as trophy or legacy directors typically lack the industry and risk expertise to recognize fraud or to understand what proper compliance looks like, are not really independent, are coasting and not prepared to put in the work, or may not themselves possess integrity.

How important is integrity? Extremely. Three factors make for a good director or manager: competence, commitment and integrity, with integrity ranking first. Otherwise, you have the first two working against you.

Integrity needs to be defined, recruited for, and enforced. “Does your colleague possess integrity?” “Yes” is the answer to this perfunctory question. Full marks. But when I define integrity to include avoiding conflicts of interest, consistency between what is said and what is done, ethical conduct, and trustworthiness, and guarantee anonymity, I get a spread of performance scores. Those who do not possess integrity in the eyes of their colleagues are poison and should be extracted from any board or senior management team. They never should have been elected or hired in the first place, which is a recruitment failure.

Fraud, toxic workplaces, bullying, harassment and pressure do not occur in a vacuum. Many people in the company know. The issue will not go away, will only get worse, and is a latent legal, financial and reputation risk.

For bad news to rise, boards need to ensure that protected channels exist and are used – including for a director or executive to speak up in confidence, and for an independent consequential investigation to occur.

Ethical reporting also needs to assure anonymity to the fullest possible extent to receive reliable information. If a whistle-blowing program has any manager as the point of contact, it is not effective. Whistle blowing, culture surveys, and ethics audits should be conducted independently and reported directly to the board without management interference.

Frequently, I find ethical design and implementation failure are the culprits, with codes of conduct, conflict of interest policies, whistle-blowing procedures, culture and workplace audits, and education and communication being perfunctory at best, overridden by management at worst, and not taken seriously by employees or key suppliers, with minimal assurance and oversight by the board.

Complacent boards and executives are the last to know and deny any wrongdoing, having created the conditions for fraud to flourish. Shockingly, lacking any pride, in full denial, and further reinforcing their entitled, self-serving mindset, they refuse to resign.

After ethical failure happens, executives argue that it is a lone rogue employee or an isolated incident. Nothing could be further from the truth. It is an employee who reflects the true and actual culture, internal control environment, and practices of the organization, and who is attracted to and flourishes within them. There is no such thing as a rogue employee. It is a board that approved the conditions that management proposed within which employees operate. The board’s leverage of approval, documentation and questions went unused and unasserted. They are the very people who should not be overseeing subsequent reforms, as they are assessing their own shoddy work.

This lax control environment, where self-interest is pursued and where pressure is applied, is the heart of ethical failure.

There is a shocking lack of internal controls over employee and agent behaviour in the corrupt jurisdictions in which I have found Western firms doing business. This means not only that the potential for fraud is rampant, but also that the costs of compliance are being borne by companies that do not bribe and that have proper controls. They are penalized for doing things right.

Furthermore, there are corrupt jurisdictions whose companies and government officials offer and receive bribes and advantage themselves over Western counterparts, including in Russia, China, India and MENA. The most recent example is bribery allegations at FIFA. This unequal playing field puts Western companies – in the US, UK, Canada and elsewhere – at a disadvantage, when competing for business, opportunities and contracts.

This is why Western governments are seeking to put their countries and companies in the most competitive position possible. They are enforcing anti-corruption laws using long arms of justice to prosecute bribery. They are also debarring companies from government contracts who commit ethical breaches. This debarment is a powerful motivator to spur investment to internalize the costs of internal controls over integrity.

Western industry will mistakenly argue that integrity laws will disadvantage them or cost their industry jobs, but the reality is the opposite. Tough integrity laws will prevent substandard competitors from offering bribes, will disincent recipients from receiving bribes, and will strengthen Western companies who compete on the basis of price, quality and service.

Executive compensation is broken: Three ways to fix it

President Obama said to a reporter recently, “We have corporate governance that allows CEOs to pay themselves ungodly sums.”

Why should this be the case, and how might this problem be addressed?

Following say-on-pay protests in Canada at CIBC, Barrick Gold and Yamana Gold, and others at BP, HSBC and JP Morgan, the Securities and Exchange Commission (SEC) recently proposed rules linking pay to performance, six years after Congress passed the law directing it to do so in the first place.

Will the new rules work? Regulators have a poor track record of getting executive pay right. Indeed, some say Congress has been the single greatest driver of increasing CEO pay.

According to a survey by Mercer, a majority of UK board members believe the executive pay model is broken. Here are three ways to fix it.

First, look at who is negotiating the pay. A CEO pay contract is negotiated between a subset of company directors – the compensation committee – and the CEO. I remember a CEO telling me once, “I will out-gun any compensation committee.” He is right. For any contract to work, there needs to be proper motivation and equality of bargaining power. Many directors on pay committees are former CEOs, have been on the board for over nine years, or tend to be men recruited on the basis of prior relationships. These types of directors are not effective in negotiating a CEO pay contract.

Directors confide to me how perks compromise them, including jobs for acquaintances, gifts, vacations, and so on. There is no free market for CEO pay if the people on the other side of the table are captured.

An effective bargaining party should be independent of management and selected directly by shareholders to represent investor interests. In other words, shareholders should be selecting the directors, not directors and certainly not management.

I advise large investors that they should press for this right to select directors. Industry Canada is considering corporate reforms, and should give shareholders the right to select and remove directors without artificial barriers. In the Canadian companies above, not a single director on the compensation committees was forced to resign, including the compensation committee chair on the Quebecor board who failed to garner majority support.

Second, CEO pay has been driven upwards by a process known as “peer benchmarking.” Invented by pay consultants, peer benchmarking compares one CEO’s pay to the pay of other CEOs, often at larger, more complex companies (“peers”). Compensation committees, who purchase this comparative data, want to pay their own CEO not at the 50th percentile (meaning that half of the peer CEOs are paid more than their CEO) but at the 75th or 90th percentile. This inflationary effect, as you can imagine, has resulted in structural increases to CEO pay. Research confirms this. The process is made worse by rivalry, because CEOs see what other CEOs are earning and think they deserve more. This knowledge and mindset increases the leverage of the CEO during pay negotiations.

One public sector organization that I recently advised, about to disclose pay for its employees, is not disclosing the identity of employees alongside their pay, but only the position title. This form of pay disclosure promotes good governance and accountability while addressing peer rivalry, privacy and safety concerns. More regulators should exercise care over the inflationary results of disclosing pay. Compensation committees should focus less on inter-company comparison and more on the performance and value creation within their own company.

This brings me to the final pay reform, which is linking pay to sustained value creation within the company over the longer term. Performance metrics are what drives management. Most performance metrics for executive pay are short-term, financial, and based on total shareholder return (TSR). Even the new SEC rules rely on TSR. Research shows, however, that much of TSR is not under the control of management, but rather reflects exogenous market forces. In other words, executives benefit from factors beyond their control, such as a bull market.

Most of the business model and market value of companies is composed of broader, leading indicators that are non-financial in nature. By focusing just on financial results, boards lack the ability to track leading indicators, such as customers, reputation, employees, innovation, R&D, ethics, risk management, safety, and so on, that measure risk and broader performance. Many boards desire these metrics, but they are under-developed by management, which reflects board complacency.

Ninety percent of pay is short term, meaning it is earned over fewer than three years. This short-term focus causes executives to swing for the fences for short-term gains, taking risks because their pay incents them to do so, rather than being aligned with the product cycle of the company, which is in the range of five to seven years.

International Monetary Fund chief, Christine Lagarde, has called for banks to change the culture of short-term risk taking. There is also director leadership responding to short-termism: The subject of the Institute of Corporate Directors conference next month is titled “Short-Termism: A Problem or Not.”

The problem is that those opposing the above reforms (shareholders selecting compensation committee members; relying less on peer benchmarking; and relying more on broader, long-term performance metrics) are so entrenched in the status quo and vested interests that these reforms are almost unachievable. CEO pay problems will continue. To truly solve this issue, more leadership is needed from investors and directors. Models and best practices are needed to devise roles for shareholders in selecting directors and long-term pay principles. Thoughtful regulation and more industry leadership and cooperation are needed.

25 Reasons for Risk Management Failure

I am speaking tomorrow to directors and officers about oversight of risk management by boards of directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.

Here are 25 reasons for risk management failure:

  1. Lack of enterprise risk management expertise on the board.
  2. Governance gaps over a material risk(s) within the board or across committees.
  3. Directors incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
  4. Internal oversight functions reporting to management instead of the board. A complacent board does not correct.
  5. Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
  6. Not upgrading information systems to track, monitor, integrate risks.
  7. Lack of oversight of the process by which management identifies, assesses and actions the risks.
  8. Lack of conversations, common vocabulary and prioritization of the risks.
  9. Lack of internal audit, or not listening to internal audit.
  10. Internal controls that are weak, even non-existent, or capable of management override.
  11. Not addressing interaction of risks, their speed, and exogenous shocks in modeling and scenario planning.
  12. Not considering impact on reputation, which can be greater than the primary impact considered.
  13. Immature controls over non-financial material risks, especially safety, operations, reputation, terrorism, bribery, technology.
  14. Risk appetite frameworks do not result in known thresholds, beyond which senior management and when necessary the board is notified.
  15. Lack of independent, coordinated assurance of internal controls provided directly to the board.
  16. Risk culture defective (toxicity, bullying, risk-taking behaviors) and not remedied.
  17. Whistle-blowing defective (not anonymous, no independent channel, no proper investigation).
  18. Risk not based on the strategy, business model and key performance indicators.
  19. Key performance indicators, and pay incentives and vesting of equity, not risk-adjusted.
  20. Board or committee cannot direct a third party review of risk governance, a specific risk, or a set of controls.
  21. Failure to anticipate and integrate risks. Pockets of acute, unknown catastrophic risk. (This item equals 13 + 6.)
  22. Enterprise risk management not really implemented but everyone thinks it is. False sense of reality.
  23. Tone at the top tolerates exceptions, complacency, and unequal treatment. Limited downside for excessive or imprudent risk taking. Encouragement, enabling or dependence upon high performing risk-takers.
  24. No sense of urgency to remedy the foregoing.
  25. The board does not know how bad it is.

The author thanks an anonymous senior risk executive for review of the foregoing items.


Twenty Anti-Fraud and Corruption Governance Red Flags

The following reflect my work in assisting regulators and enforcement authorities, and research on governance in companies that have been accused of fraud, bribery, corruption, and other malfeasance such as harassment, nepotism, expense reporting, and excessive compensation. I also draw on my interactions with, and guest lectures by, fraudsters who are currently in prison or who have served time in prison, and experts such as forensic accountants.

Here are the red flags, as I see them, in problematic companies and boardrooms that may contribute to fraud and other malfeasance going undetected or undeterred. Drawing on a speech I gave this month to a bribery and foreign corruption conference, and an earlier speech to corporate directors, the red flags are, in no particular order:

  1. Independent oversight functions (audit, compliance, risk) either non-existent or reporting to senior or operating management.
  2. A board lacking in risk, international and relevant industry expertise, and a paucity of audit committee know-how about how fraud is or may be committed.
  3. A whistle blowing procedure that is neither anonymous nor protected.
  4. A board that does not believe it sets tone at the top. A tone that is not equal and consequential.
  5. A focus on rule and legal correctness, not spirit and intent. Failure to account for exogenous shock, stress, and a different frame of analysis. Directors not speaking up.
  6. Complex design being approved by directors. Directors approving when management does not fully tell them the counter-argument, and directors do not ask (know), or press.
  7. Captured, conflict-seeking, self-dealing, over-compensated, over-tenured directors and gatekeepers who are not objectively independent.
  8. Immature risk management, non-investment in information technology, and defective or non-existent controls, particularly non financial, reputational and behavioural.
  9. Defective, non-existent, or dominated internal audit function.
  10. Lack of culture and reputation control assurance to the Board. No understanding of tone in the middle, or toxic or bullying work culture.
  11. Non-audited compensation, and improper incentives (quantitative, financial, short-term) that incent risk-taking behaviour. Unconstrained risk-takers and a complacent board.
  12. Clawbacks not at correct threshold of ethics or risk. Lack of risk-adjusted compensation.
  13. Charismatic, dominating, and/or stretched CEOs and CFOs, including those with distracting external activities, personal issues, living beyond their means, not taking vacations, and undue attention to accounting.
  14. Ethical code poorly designed, controlled, monitored, enforced, assured and reported to the board.
  15. Lack of documentation with explicit limitations and thresholds for material risks, cascading to emerging markets and key suppliers.
  16. Lack of executive sessions, with only independent directors, and with only internal oversight functions (audit, risk, compliance).
  17. Lack of due diligence and integrity controls at the hire or contract stage. Lack of integrity controls over senior management, and capacity for over-ride.
  18. Non-zero tolerance of facilitating payments. Mixed message sent by the board.
  19. Lack of independent, expert validation (board, risk, controls) reporting directly to the board.
  20. Weak or corrupt host country auditors not vetted or overseen by the audit committee, and lack of availability and translation of documents.

Do you recognize any of the above red flags, on a board or in a company you serve? Allegations of wrongdoing can put assets and reputation at risk. Regulators have enormous power, and are focusing their sights much more on the role a board plays, or does not play, in overseeing the affairs of the company.