Dr Richard Leblanc

“This city, this province, this country has a reputation of being the best location to carry out white collar crime, corporate fraud, in the industrialized world.”

These public words are not from some scholarly journal but from a hard-hitting, no-nonsense corporate director, Spencer Lanthier, (PDF profile) as he received his award at the annual Institute of Corporate Directors dinner last year – a sort life-time achievement award for a select few directors. Guests at my table were shocked to hear this, as was I, so I followed up to interview Mr. Lanthier for an illuminating interview. I also went for lunch with former colleague Al Rosen who wrote the book “Swindlers,” which I am now reading and equally eye-opening.

Flash-forward to 2012 where the Nortel trial is now underway to examine what role directors or officers might have played in that alleged fraud. See a headline from last week: “Toronto lost nearly $1M to fraud in 2011, auditor-general reveals”and the twelve cases identified by the auditor general. See this excellent report (PDF), courtesy of Tim Leech in my LinkedIn group Audit Committee.

Here are some questions: Do directors on boards play a role in detecting and deterring fraud? Can they be held responsible or even liable if they do not fulfill this role properly? Increasingly the answers are “yes,” especially given UK and US legislation since the financial crisis. I remember one of my very first board meetings I observed. It was of a bank. At the break, a director got up and shook my hand. He leaned over and whispered in my ear that the number one role of a director was to watch for fraud. I never forgot this.

Here is a list of 10 red flags and suggestions I have compiled based on my work recommending governance enhancements for companies accused of fraud or other malfeasance, including very well known Canadian companies.

1. The Audit Committee must fully understand how the company’s business model, estimates and judgmental choices by management give rise to potential manipulation of financial reporting by that management. Audit Committee members should be selected and educated on this basis. Financial literacy is a low bar and is not enough. Educate yourself on how fraud happens if you are a director or audit committee member. If necessary, hire an expert to report to you individually or in closed session with the Audit Committee without any member of management present.

2. If your organization does not have an internal audit function, install one appropriate for your organization. The head of Internal Audit must report directly and confidentially to the Audit Committee and cannot be over-ridden by any company officer. If necessary, Internal Audit should report directly to the board.

3. The Audit Committee must approve the independence, budget, work-plan and succession of the head of Internal Audit. The board should direct the CEO and CFO to commit resources for further design and test of internal controls whenever necessary.

4. As a director, you are entitled to any piece of information and access to any personnel in fulfilling your duties under any circumstance. If any manager blocks you from doing your job, this is a red flag. Go on unscripted company tours unaccompanied by management to test for tone and culture whenever you can.

5. Direct management to conduct a survey on company culture, assisted by an independent firm, with results reported directly to the board. Act on the results. You may have a toxic workplace with undue influence, internal control override and bullying and not even know it.

6. The independent whistle-blowing hotline must have a protected mechanism for people to come forward. When fraud happens, fellow employees know and are your best source of defense. If employees do not have confidence they can come forward and have a proper investigation conducted, they won’t and fraud will fester. Whistleblowers can go to regulators directly (in the US) now and participate in a monetary reward. If they don’t have confidence in the hotline, they will quit, acquiesce or go directly to the regulator.

7. Direct independent advisors (consultants, and now auditors) to conduct a risk assessment of all management compensation packages to ensure compensation is not driving potential fraud, such as bonuses awarded on profit.

8. If any company officer is not 100% transparent with you, this is a red flag. You should meet in executive session without management in the room to discuss your concern, which is likely shared by other directors. If the CEO or CFO lack integrity, the tone at the top is broken and you have a serious problem. You do not need a reason to fire your CEO.

9. Your responsibility as a director is to direct if and when necessary. Legislation gives you this power but protocols enable it. If management has undue influence and keeps you at bay, your protocols are likely deficient. Boards, committees, chairs and directors all need terms of reference now. Don’t let management draft these important documents as they have an interest in not giving you the power you are entitled to by law. Draft your own protocols or have someone independent do it if you have a concern or want best practices.

10. Above all, be vigilant and assertive if or when necessary. No amount of compensation can ever make you whole for the reputational damage inflicted and protracted litigation that could follow allegations of fraud or other misfeasance for a company of which you are or were a director. The number one regret directors have is not speaking or acting when they could have or should have. Don’t let this happen to you and follow the above steps.

 

Many of the questions below are based on hypothetical and disguised but plausible scenarios that I researched, or upon which I directly advised.

Let’s say a worker is responsible for maintenance of a machine, but because of time pressures, cuts corners and does not address fatigue (or wear and tear) in the machine, and no one oversees this person’s omission. The machine fails and affects the failure of other machines nearby. The company is in an industry where, if that machine fails, 300+ customers will likely die.

Or let’s say it is another machine where, if it is not treated properly, the company’s product can be poisonous. Or another machine where, if procedures are inadequate or not followed, property destruction and death can result. Or another process in an institution, where if internal controls are inadequate or not implemented, millions of dollars of losses can result.

Aside from senior management, is it fair to hold the board responsible for the above failures in risk management and internal controls, in the above hypotheticals? Is it fair to hold the committee chair or committee overseeing this risk responsible, in part?

I am not sure. It would depend on the actions (or inactions) vis-à-vis best practices and legal tests. One thing I can say however, is that I have had the good fortune of interviewing and seeing how one or two excellent board or committee chairs, or directors on a board, can completely reform and turn around risk management of an entire large, complex organization by pressing management and holding them accountable. This is a pleasure to watch and see, how effective a strong board and strong directors can be.  This is how boards should be.

I recently interviewed directors and senior management of an important organization, along with nine leading Canadian directors and audit committee chairs. Here are some questions that address the above scenarios and incorporate learning I have developed from my research and assessing audit committees.

1. Risk Management Coverage and Assurance Mapping

   Is each material financial and non-financial risk (no more than 12-15) covered (via explicit mapping) through identification, treatment, independent assurance and upward reporting? Do board guidelines and committee charters cover off all material risks so none slip through the cracks?

2. Whistle blowing and Code Compliance

   Employees may now go directly to regulators without utilizing the company’s internal investigation procedures, and participate in a monetary reward. Does the company code of conduct have fair, impartial, credible investigation procedures that employees trust and actually use? Does effective oversight occur of ethical reporting by the Audit Committee?

3. Internal Audit

   Does the Audit Committee approve the appointment, compensation, work-plan, independence and accountability of this function? If not, why not? This person should report directly to the Audit Committee.

4. IT Governance

   Is IT risk and opportunity management adequately overseen by the board (or a committee), including over IT investment, cloud computing, social media, security of information, privacy, business interruption and crisis planning? Does management (and the board) have competencies in these areas?

5. Stress and Scenario Testing

   Is the capital structure, quality of earnings and revenue tested under various adverse conditions (including regulatory, competitor and contagion), such as “what if” or “when”?

6. Audit Committee Bench Strength

   Does the Audit Committee have the competence and courage to understand and constructively challenge the basis and rationale for management’s estimates, assumptions, judgments and forecasts, both in terms of potential manipulation by management, and the fairness, balance and quality of financial disclosure?

7. Chair Reporting to the full Board

   Does the Audit Committee Chair (and other committee chairs overseeing non-financial risk) submit a written report that enables non-committee members to understand the deliberations, recommendations and reporting, and ask questions and receive satisfactory answers?

8. Auditor and Financial Management Bench Strength

   Does the board have confidence in the quality of finance and risk management, and external and internal audit (including integrity, competence, responsiveness and reporting)? The board should oversee all of these positions, subject to shareholder approval for the external auditor.

9. Internal Controls over Non-Financial Reporting

   This area may be a weakness for many boards. Has the regime for financial reporting and assurance been adopted for the most important non-financial reporting risks of the organization (e.g., operations, compliance, environmental, social, reputation)? Has the effectiveness of the design and implementation of internal controls been tested on and reported to the board or relevant committee, for these areas? Boards should press management for this reporting and obtain independent (outside) assurance for risks of concern, to put the heat on management.

10. Undue Influence / Reliance, Integrity and Fraud Risk

    Are there any pockets within the organization or executives who may have the opportunity, pressure or incentive to take inappropriate risks, or engage in potential fraud, that may be exacerbated during an economic downturn? As two audit committee directors said, the systems must be “person-proofed” and run on “auto pilot.” Can the board demonstrate that it has taken reasonable steps to satisfy itself that executive officers possess integrity? (The board is responsible for satisfying itself that executive officers have integrity under NP 58-201.)

Conclusion

Back to our original hypothetical scenarios. Directors have said to me, “we missed it,” or that you cannot protect yourself against a “rogue” or someone who is intent on committing fraud. I am not sure these answers are entirely satisfactory.

It seems to me that if the above steps are followed, and a culture of risk management and tone-at-the top is set by the board, there is a much lesser likelihood that “we missed it” will occur.