



Technology-Ignorant Boards Are Costing Shareholders Billions: What Should Boards Do Differently?

Five years ago, social media was perceived by many to be a passing fad. Then came the introduction of tablets and mobile devices. Now, cyber security has emerged as one of the greatest threats facing Anglo-American corporations. It is front and centre in the minds of directors, or should be.

In the area of technology, are boards fulfilling their duty of care in overseeing management and protecting shareholders’ investment? Indicators are that many boards and directors may not be. Plaintiffs’ lawyers are suing companies and their boards over technology failure. Here are some recent statistics and trends:

  • “Our entire lives are on the internet,” according to FBI Director, James Comey, adding “The internet is the most dangerous parking lot imaginable”;
  • “Social media is the number one activity on the web,” according to Belle Beth Cooper in a Huffington Post article;
  • The average user picks up their device 1,500 times a week, and reaches for it at 7:31am each morning, according to MailOnline;
  • The average smartphone owner uses his or her smartphone for three hours, sixteen minutes, each day;
  • Cybercrime constitutes the “greatest transfer of wealth in history,” according to the National Security Agency’s General Keith Alexander;
  • Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies;
  • Only 13% of companies have BYOD (bring your own device) policies, according to a 2014 report by Ernst and Young;
  • Fewer than 50% of companies use encryption techniques for devices;
  • 38% of companies do not address cloud risks;
  • “Only 56% of companies conduct penetration tests, and 19% fail to test at all,” according to an Ernst and Young report;
  • Less than one-third of boards are addressing risk management in relation to IT operations or computer and information security, according to a 2012 report from Carnegie Mellon; and
  • “Most policies currently in place,” “are too weak to reasonably ensure that systems are not breached,” according to a 2014 NACD (National Association of Corporate Directors) report.

What should boards of directors be doing to exercise their duty of care over technology risk, including social media, BYOD, and cyber security?

  1. “You have to own this problem as a leader,” in the words of Admiral Michael Rogers, Director of the National Security Agency. You do not need to be an expert in technology as a director, but you now need to be literate and informed. If you are not, then get educated. Request a glossary of acronyms from management as a start. There are several leading standards and frameworks from which to learn, including those of the National Institute of Standards and Technology; ISO/IEC 27032 Guidelines for Cybersecurity; the SANS Institute’s Critical Security Controls; and the IoD and NACD in London and Washington. If your board lacks information technology expertise, consider putting this on your competency matrix for director recruitment. If you are in a key industry such as financial services, retail, utilities, defense or health care, technology should be represented at the boardroom table. If much of your company’s business model resides on the Internet, consider having a separate technology and strategy committee.
  2. Examine your committee structure. If your audit committee oversees the substance of all risk oversight, you may be at risk if committee members lack recent and relevant information technology and risk expertise, or are overworked. All material business risks, financial and non-financial, should be covered off and mapped to one or more board committees, and these risks should be made explicit within committee charters and board guidelines, including technology, reputation, operations, and health and security risk. The audit committee is not necessarily qualified to oversee non-financial risks, including terrorism.
  3. See technology risk as a broader enterprise risk, and as a strategic and business imperative, not a narrow technology issue. Regulators should be requiring your board to approve the risk appetite framework, which includes explicit internal controls, assurance, reporting, and limitations. Ask management to see the real-time, prospective internal controls over technology risk, in writing. This is where many companies are weak, and if you are, you should see this gap and ensure it is remedied as a director. This is not micromanagement, but good oversight.
  4. Understand and demand information on the internal controls over social media, BYOD and cyber crime. This will facilitate a learning curve to question management, including over training, education, acceptable use, mobile device management, risk and control assessment, situational awareness, threat and vulnerability risk management, and cyber security incident management and governance. Does management show you internal control results over each material risk, including their interactions, and how each risk is identified, controlled and assured? Are you satisfied? Do you have a good dashboard? Does risk culture support cyber security? (Human error and carelessness are big risks.) A recent NACD survey showed a quarter to a third of directors were unsatisfied with the quality and quantity of IT information.
  5. Obtain third party assurance if you have any doubt about how technology risk is being mitigated, or of the strength of the technology and assurance bench. Are you satisfied with the IT, risk management, and internal audit bench strength? These are your eyes and ears. You may need to direct changes and resources. Do you have the power, within your board and committee charters, to request an independent audit of technology risk? Do you exercise this responsibility? If you are blocked by management, this is a red flag. Do you meet separately with risk, compliance and audit to assure cyber security risk?
  6. Information technology risk, compliance and auditing should functionally report to you as a board or committee, not senior or operating management. Senior management should no longer own the risk function. The chief risk officer, the chief compliance officer, and the chief audit executive, should now be independent and report functionally to the board and its committees, not senior management such as the CEO or CFO. This means that the work-plan, independence, resources, reporting, compensation and succession of these three functions (risk, compliance and audit) are now recommended by committees and decided by directors, not management. Do you practice the foregoing? If not, you could be the last to know for a major technology breach and the resulting reputational and financial loss. Experts will scrutinize how you directed reporting and assurance.
  7. Management may be averse to spending what is needed, and to the imposition of internal controls over technology, including those that are reputation- or behaviour-based. This is why risk oversight rests with the board. Your job is to understand, identify, and oversee, not to manage. The budget, talent, resources, reporting, assurance and disclosure of enterprise risk mitigation, including technology, should rest with you. Information, documentation, and informed, precise, best-practice questions are your management influence and oversight touch-points.
  8. Become engaged. If you have one or more laggard directors who resist technology or keeping current, these intransigent directors are compromising the governance of the company and should be addressed or replaced, especially if they are on or chair key committees. Good boardrooms are now paperless, and good directors use devices and social media with acumen.
  9. Have technology stress testing. Do you direct management to implement and report on scenario testing and mock exercises over social media attacks and cyber breaches? When it happens, it is too late.
  10. Most of all, protect your company’s crown jewels. Think like a hacker. Protect the perimeter, but once inside, are your company’s valuable assets still protected? How? Agree on a platform and framework and direct management to have an action plan and target date for full implementation.

Tis the Season to Prevent Cyber-Hacking

What are best practices individuals can employ to lessen the chance of hacking of their computer or device?

Here is a quick “top 20 list,” based on part of an education session I have been providing to directors of company boards on cyber security.

  1. Never click on unknown or non-credible emails, attachments or downloads.
  2. Never click “save password.”
  3. Never use the same password across multiple devices or accounts.
  4. Use smart, strong passwords, and regularly update and change your passwords.
  5. Have a second credit card that you use online, with a low limit.
  6. Use two-step authentication whenever possible.
  7. Install firewalls on all your computers and devices.
  8. Always update your software.
  9. Always logout at the end of your work-time.
  10. Always install anti-virus, anti-spam and anti-spyware or adware programs.
  11. Use only your own computers and devices.
  12. Never leave your device or desktop computer unattended or accessible.
  13. Have a professional validate all of the above and never give your password out.
  14. Cover any cameras that are not in use.
  15. Browse anonymously whenever possible.
  16. Use secure, encrypted connections: https where “s” means “secure.”
  17. Resist unencrypted, public wifi hotspots.
  18. Back up your data in real time, twice as a fall-back.
  19. Be careful what you store or send (crown jewels).
  20. Always use a document shredder.

“Our entire lives are on the internet,” according to FBI Director, James Comey, adding “The internet is the most dangerous parking lot imaginable.”

Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies.

The more aware individuals are of the steps they can proactively take, the lower the chance that their property or data will be breached.


2015 Trends and Answers in Corporate Governance

2015 is shaping up to be a year where boards, once again, will be under intense pressure and scrutiny to get it right. Here is a list of trends and key issues, along with what boards are or should be doing in response.

1. Greater Director and Advisor Independence

Pressure:

A director or professional advisor can be formally independent, and yet captured inside the boardroom. Forms of capture reported to me include social relationships, donations, jobs or contracts for friends, perks, vacations, office use, director interlocks, supplier or customer relations, and excessive tenure and compensation. Look for more regulators implementing term limits and moving towards an objective standard of director independence. Look for activists going into the background of directors to demonstrate the capture. Look for investors focusing on the origination of each director and service provider, which is to say how he or she came to be proposed, to address social relatedness.

Answer:

Boards can protect themselves by terminating any director or professional advisor who cannot be reasonably seen, by directors themselves and more importantly by an outsider, to be independent from management in their oversight and assurance roles. Assume what boards know internally is what is or will become known externally. This trend towards tighter independence standards will continue: For example, internal oversight functions should also now be independent from senior and operating management, and that includes the risk, compliance and audit functions, who now should report functionally to the committees and board. Any director or external or internal advisor to the board or a committee should be, in law and in fact, independent of all reporting management or any other adverse interest, in order to be free to make recommendations that run counter to that of management. A board fully protecting itself would also require a third party anonymous review of director and advisory independence annually, and acting on the results. Directors know who is captured and there should be a mechanism for this to come through.

2. Better Board Composition and Diversity

Pressure:

Regulators are moving towards prescribed competency matrixes; the production of curriculum vitae (not perfunctory short bios); and interviews with directors and oversight functions to determine whether these individuals are fit for purpose. Activists are searching director backgrounds and track record to determine alignment between competencies and the business model and strategy of the company. Regulators are legislating board renewal and diversification, through quotas or the production of measurable objectives covering recruitment to retirement.

Answer:

Competency, diversity and behaviour matrixes should: flow from the purpose of the board and the strategic and oversight requirements of the company; be established by the nominating committee; and be independently designed and validated to ensure recent and relevant expertise is possessed by each director. The diversity policy should extend the prospective director pool to previously unknown candidates, who may be joining their first board (80% of directors are on one board only). Tenure limits and excessive directorships (beyond two) should now be governed by policy and capped (the average board position is 300 hours). Robust matrix analysis and director evaluation should occur by the nominating committee and its independent advisor, not management. The board should extract directors who do not possess relevant and recent competencies or desired behaviours. (See boardroom dynamics, below, for a separate discussion of director behaviour.)

3. Risk Governance

Pressure:

Plaintiff’s investor lawsuits and proxy advisory firms are targeting directors at risk for oversight failure. Regulators are imposing onerous risk coverage requirements on directors that require oversight of internal controls, risk-takers and limitations. Lack of understanding of social media, bring your own device, and cyber security are contributing to enormous investor loss and brand impairment, as an example of technology risk. Recent risk failure by boards also includes sexual harassment, safety, security, technology, bribery, fraud and reputation.

Answer:

Boards should now have directors possessing risk expertise, as regulators are requiring this. The identity of these directors should be disclosed. Every company should board-approve a risk appetite framework, including internal control reporting and independent, coordinated, assurance over controls mitigating each risk and their interactions. Directors using technology dashboards should oversee risks prospectively. Hiring of risk, compliance and audit functions should occur, reporting to the audit and risk committee. Known limitations should cascade throughout the organization, and back up to the board, with ease, including within each market in which the company operates, and to key suppliers. Annual third party reviews should occur, reporting directly to the board and audit and risk committees. Board and committee charters should have coverage over each material risk, financial and non-financial. Audit committees that oversee substantive non-financial risks may be a red flag. There will need to be significant investment and restructuring of reporting relationships for the foregoing risk governance regulation to occur.

4. Compensation Governance

Pressure:

Media and public pressure over the quantum and alignment of executive pay have resulted in regulation over: compensation committee and advisor independence; say-on-pay; proxy advisors; and pay ratios; but not over pay-for-performance (most important) and clawbacks, yet. Certain public regulators have become more aggressive, targeting the quantum of pay. Financial regulatory focus is on the delivery and alignment of pay. There is a modest, but will be a growing movement once full regulation occurs, moving from (i) short-term, quantitative, financial pay metrics, relying on comparator inter-company benchmarking, which exacerbates pay unrelated to performance, to include (ii) long-term, qualitative, non-financial pay metrics, with customized, risk-adjusted pay delivery commensurate with internal value creation and shareholder return.

Answer:

Boards should engage directly with long-term, major shareholders on their pay plans, without management influence. Clawbacks should be restructured or implemented based on risk management and ethical failure, not fraud, using an independent advisor not the company lawyer or management-retained counsel. Boards should approve key performance metrics based on an explicit full business model invoked from the strategy. 75% of the performance metrics reflecting the firm value chain should be leading and non-financial indicators. Peer benchmarking should be balanced with the foregoing pay principles and long-term alignment with the product cycle of the company (five to seven years, not three). Non-financial leading metrics such as innovation, value and quality, and financial metrics such as balance sheet and capital treatment and returns, should be incorporated into pay plans that have a line of sight to management performance, without any unjust exogenous enrichment. There is much work to be done here, and more regulation is expected in 2015 and 2016.

5. Greater Shareholder Accountability

Pressure:

Look for activism to grow unabated, and institutional shareholder and even regulatory support of proxy access in 2015, giving greater control to shareholders over director selection and removal. Look for further shareholder assertion of rights and coordination over the targeting of below-average management supervised by complacent boards. Look for shareholder focus on director mindset, track record, and lack of management capture or self-interest. Look for continued attack on entrenchment devices by management and their retained advisors to insulate under-performers.

Answer:

Camera-ready boards should implement private, candid, executive session meetings with long-term shareholders to discuss governance, risk, pay, and value creation. Investors and boards should focus on company performance in comparison to peers, and superior governance that exceeds the minimal. This includes background of directors. Independent governance auditors should be retained to provide an activist point of view, ahead of a possible attack. Any advisor to the board on shareholder engagement should be independent of management.

6. A Focus on Strategy and Value Creation

Pressure:

Activist and, increasingly, good board focus is on the value creation plan, monitoring, and holding management responsible for its achievement. Complacent or inexperienced boards incapable of directing an under-performing, ineffective or inefficient management team are being targeted. Weak or legacy chairs and directors are also targeted. Excessive or non-performance based compensation is a red flag for governance intervention.

Answer:

Good boards are becoming engaged, focused, results-oriented and disciplined. Agendas and committee structures are being revised to focus on strategic primacy and value creation. Robust debate and review of the plan is the primary board agenda item each meeting, and strategic practices are adopted, such as, among others, at least one presentation each meeting from key personnel below the senior level on that person’s role in the value maximization plan, and a full discussion of progress to date in that regard. However, board renewal is not reflecting this structural and deeper board focus, yet. Ill-chosen directors are still unable to add value strategically, my applied research suggests. There remains ample opportunity for activist intervention.

7. Information Technology Governance

Pressure:

Rapid technology advancement has created opportunity and risk. There is profound technological ignorance by many or most boards that is creating an inability to direct and oversee management. Cyber security, bring your own device, and social media are just three IT risks that, reviews indicate, have deficient or non-existent internal controls, which in turn causes privacy breach, reputational damage, and significant investor loss. Plaintiff’s lawyers are suing boards, correctly alleging breach of duty of care. Regulation is not keeping up with cyber-threats and hacker advancement.

Answer:

Boards should be IT literate, agree on the standard and platform, and direct management to have an action plan and target date for implementation, covering crown jewels; assuming penetration; and including internal controls over behavior and human error. Boards should control the budget, talent, resources, reporting and assurance of IT risk as part of broader ERM (enterprise risk management) and strategic risk. Scenario testing, mock attacks, and expert assurance should be board-reported. If management resists third party validation, this is a red flag for any board.

8. Board Performance Audits

Pressure:

Regulation, activist, technical and public pressures are augmenting the objective standard of care for directors. Director action (or inaction) will be visible and risk liability or other loss post failure. Resourced and sophisticated investors are a particular threat, as are regulators. Complying with basic practices is no longer adequate assurance or protection for boards, as capture, entrenchment, self-dealing, complacency and non-performance have all been shown to occur within existing governance frameworks. Governance failure, including bribery, corruption, cyber and under-performance, have occurred at companies whose governance has been said to be exemplary.

Answer:

Good boards and regulators are moving towards independent, internal and deep reviews over the board, risks and internal controls, similar to financial audits. Just as management cannot assure its own work, neither can boards assure a self-review. A well-chosen third party or independent internal auditor provides boards with advance warning on precisely where their vulnerabilities and weaknesses are. An expert audit within an activist and emerging regulatory framework is a wise use of time and resources.

9. Tone at the Top – and Now in the Middle

Pressure:

Long arms of regulators are now able to hold boards vicariously responsible for fraud, bribery and other forms of corruption at deep levels within and even interacting outside their organization. The distraction, assets put at risk, and reputation damage can be significant. “Tone in the middle,” culture, and imprudent risk-taking are the new warning signs on which sophisticated boards are requesting concrete assurance, to ensure directors are not the last to know.

Answer:

Resourced boards are instituting: confidential and incented whistle-blowing procedures; audits of internal controls over culture and reputation; and amnesty, among other best practices, to ensure bad news rises. Explicit and monitored thresholds for the board-approved risk appetite framework are being instituted, along with a line of sight by the board that compensation is not driving bad behaviour. Due diligence, climate, values, spot audits, and the code of conduct are all being independently reviewed and reported to committees and boards, without interference or funneling of reporting management. Good boards are much less tolerant of ethical lapses or management blockage.

10. Boardroom Dynamics

Pressure:

Lastly, the board must gel as a team, and, as a team, control management. Any behavior gap – undue influence, reliance, dislike, dysfunction, or even contempt – by one or more directors or managers, introduces information and oversight asymmetry that can and does lead to governance failure. Every seat at and reporting to the board table matters. The pressure here is a toxic or under-performing director who refuses to resign out of self-interest, or a board allowing integrity breaches and leadership shortcomings by an officer to continue.

Answer:

Good boards: have behavior matrixes and performance reviews that define and rate behaviours at the board table; have peer reviews and mentoring that develops and refines behaviours; and act on the results regardless of profile or tenure. Due diligence, background checks, interviews, and assessments are all becoming commonplace. Personality testing is also developing.

Conclusion

There has been more governance change in the last five years than in a generation. Enron, WorldCom and other implosions in 2001-02 are very different from the global financial crisis of 2008-09, which was systemic, involved banking, and required broad government intervention. There is a regulatory and investor appetite for broad and deep governance change. The above ten changes and responses are touch-points for where governance change is happening the most. Boards and management teams are only about 40% through digesting all of the above reforms, and there are more to come in 2015.


Canada’s Corporate Governance Guidelines Are Out of Date, Part 2

Following up on last week’s blog, in which I argued that Canada’s corporate governance guidelines were out of date because of: 1. Lack of principles and practices; 2. Lack of focus on risk management; 3. Lack of independence of mind; 4. Lack of industry expertise; and 5. Lack of shareholder engagement, here are reasons 6-10 why our Guidelines need an update:

6. Lack of shareholder engagement: The words “investor” and “shareholder” are mentioned once each, in a perfunctory manner, within the 2005 Guideline. Shareholders own the company and regulators and investors are explicitly providing context now: for investor input on director selection; for engagement and dialogue between investors and directors; and for the use of technology in shareholder communication and annual meetings. The foregoing are all absent from the Guidelines. Canada has still not adopted “say on pay,” which has also been a catalyst for shareholder engagement. The US, UK, Australia, Germany, France and other European countries either have say-on-pay or are moving rapidly in this direction. Canada is a laggard.

7. Lack of focus on strategy and value creation. “Strategy” is mentioned only once within the entire Guidelines, and that is that the board should approve a strategic planning process, and approve, at least annually, a strategic plan. It is hardly surprising that many boards short-change strategy at the expense of compliance. This requirement of once a year essentially marginalizes a board in its strategic role. When I interview top directors who add value strategically, the strategic oversight and involvement by boards are much more focused and engaged. There are strategic best practices here that would enhance the performance and value creation that a proper board can make. Regulators drafting this guidance should have experience creating listed company value.

8. Lack of focus on sustainability: The word “environment” or “sustainability” is not mentioned at all in the 2005 Guidelines, a noticeable omission. Australia’s emphasis on economic, environmental and social sustainability risks, within its Corporate Governance Principles and Recommendations, is second to none, as is South Africa’s focus on “integrated sustainability reporting” within King III. This omission is especially noticeable given investor focus on the environmental, social and corporate responsibility. The lack of environmental stewardship and response to climate change is also a broader issue. Canada is also a laggard here.

9. Lack of compensation guidance: The regulatory movement from short-term, quantitative, financial metrics, to risk-adjusted, long-term, qualitative, non-financial metrics for executives is absent from the Guidelines, as is guidance on non-executive remuneration. Investors, regulators and good boards are focusing on leading performance metrics that reflect the entire business model and value chain (most of which is non-financial), and that are longer-term in nature.

10. Lack of focus on the chair of the board: Lastly, but far from least, the position of the board chair has undergone a metamorphosis since 2005. There is no guidance at all offered on the role, responsibility and attributes of an independent chair within the Guideline. Other codes offer extensive guidance on the skill-sets the chair should possess and the responsibilities the chair should execute. Without this regulatory guidance, a chair (and committee chairs) can be bullied or unduly influenced by dominating reporting management such that they are rendered ineffective, albeit formally independent. More guidance is needed. Chair position descriptions should not be drafted by management lawyers or management-retained lawyers.

Conclusion

Does Canada improperly have a false sense of governance superiority? Perhaps so. But in this rapidly changing field, if you rest, you are left behind. Nine years is sufficient rest.

There are arguments (i) by industry and advisors to management that corporate governance in Canada is not broken so does not need to be fixed; and (ii) by regulators who complain of scarce resources and how difficult it is with fragmented securities commissions and the diversity of Canadian companies. I have never been persuaded by these arguments.

To address the second argument, what is required is leadership and political will. Premier Kathleen Wynne’s and the OSC’s Maureen Jensen’s emphasis on gender diversity have resulted in nine jurisdictions collaborating and endorsing recent changes to the disclosure of gender diversity, term limits, and measurable objectives, for example. To address the variety of Canadian companies, South Africa’s King III Code applies to all types of companies (public, private, state and non-profits). The issue is one of drafting.

To address the first argument, namely the arguments by industry, regulators should be conscious of undue influence by reporting management and service providers, whose internal power, business model, or commercial interests may be disrupted by governance rejuvenation. The primary consideration for policy renewal should be evidence-based policy and international consistency with best practices. Regulators should also guard against potential conflicts of interest and regulatory capture, by themselves, including those individuals within regulators who intend to return to private industry, or who have other close association with regulated companies. Regulators should also guard against those provincial regulators who oppose reform on the basis of extraneous and non-relevant considerations, such as a desire to maintain turf.

Richard Leblanc is an Associate Professor, Law, Governance & Ethics, at York University. He can be reached at rleblanc@yorku.ca.


Canada’s Corporate Governance Guidelines Are Out of Date

In my teaching, research and consulting, I no longer use “NP-58201 Corporate Governance Guidelines,” June 17, 2005 (“Guidelines”), which apply to publicly traded companies in Canada, as an example of exemplary corporate governance. I regard them as stale and dated. I cannot think of another developed country that has not updated its governance guidelines in almost 10 years. There have been more changes to governance since the financial crisis of 2008 than in a generation. And we are only about halfway through all of them. Canadian regulators – including all provinces and territories – need to keep up, and step up.

Here are the deficiencies of the Guidelines as I see them:

1. Lack of principles and practices: Our Guidelines are four pages long. The UK’s new Code (September 2014) is thirty-six pages. Australia’s Principles and Recommendations (March 2014) are forty-four. South Africa’s “King III” (2009) is sixty-six pages, to pick only three examples. Quantity is not necessarily quality, but with such succinct guidelines, the opportunity to set out (i) best practices that (ii) achieve the objective of the principles is lost. It is comply or explain against a perfunctory unitary guideline, which can be – and is – gamed by reporting management. There should be more robust guidance, in which the regulator explains the various ways good governance can occur, from which listed companies can pick and choose according to their circumstances.

2. Lack of focus on risk management: Take risk, for example. The Canadian Guidelines simply state that the board should identify principal risks and ensure appropriate systems are in place to manage these risks. I have no idea what this actually means, nor may directors. Risk management oversight now involves an explicit risk appetite framework, internal controls to mitigate risk, technology, risk limits, and assurance provided directly to the board and committees by independent risk, compliance, and internal audit functions. None of these practices, which are very much addressed by other regulators, appear in the 2005 Guidelines. Consequently, many public companies have immature risk management, especially in addressing non-financial risks such as cyber security, operations, terrorism and reputation. Regulatory inaction has an effect. Even a forward-thinking director may be blocked by intransigent management from devoting greater resources to mitigating risk, because the regulation is inadequate.

3. Lack of independence of mind: In Canada, a board can subjectively believe a director to be independent, but this belief need not be independently validated, nor tied to any objective or reasonable standard. Nowhere else can a conflict of interest lack a perceptual foundation. As a result, directors tell me how colleagues are compromised by an office, perks, vacations, gifts, jobs for friends, social relatedness, relations to major shareholders, excessive pay, excessive tenure, interlocks, and other forms of capture. If a director or chair is captured, they are owned by management and totally ineffective. If there is a gap between regulatory independence and the independence of mind of directors, the fault lies with the regulation. Regulators should implement an objective standard of director independence, not a subjective one.

4. Lack of industry expertise: It was admitted in open forum that the original 1994 committee did little research. Sufficient industry expertise on boards is glaringly absent from the Guidelines, and consequently from many boardrooms. We are suffering from an independence legacy, perpetuated by entrenched directors, and unsupported by academic research. For example, two Australian academics claim that board independence has cost their country between 30 and 50 billion Australian dollars in lost shareholder value (“Does ‘Board Independence’ Destroy Corporate Value,” by Peter L. Swan and David Forsberg).

The companies behind frauds, meltdowns and underperformance, such as Nortel, RIM and CP, all had a paucity of industry experts on their boards; the most recent example is Tesco in the UK. JP Morgan at the time of its risk management failure did not have a single independent director with banking experience. Prior to Bill Ackman’s involvement in CP, not a single independent director had rail experience. I recently assessed a similar board and not a single director had the necessary industry experience. The Guidelines should require relevant industry expertise on boards. I recommended this to OSFI when I was retained by them to examine their earlier guidelines, and this is now the law for all federally regulated financial institutions, along with risk expertise being present on boards.

5. Lack of financial literacy and internal audit: There is no requirement to be financially literate to sit, initially, on the audit committee of a Canadian public company. This presumes someone can acquire financial literacy after appointment rather than having it to begin with. There is also no requirement for a Canadian public company to have an internal audit function. Both should change: audit committee members should hit the ground running, and there should be a comply or explain approach to internal audit. In many compliance failures, there is a defective or non-existent internal audit function, together with a weak audit committee lacking recent and relevant expertise. Regulators are now moving towards “independent coordinated assurance,” which means that reporting to, and functional oversight by, the board and committees are fulfilled by internal and external personnel who are independent of senior and operating management, including, most importantly, an effective and independent internal audit function.

Join me next week, when I will discuss deficiencies 6 to 10: lack of shareholder engagement; lack of focus on strategy and value creation; lack of focus on sustainability; lack of compensation guidance; and lack of focus on the chair of the board.
