Archive for the ‘Risk Governance and Combined Assurance’ Category

25 Reasons for Risk Management Failure

I am speaking tomorrow to directors and officers about oversight of risk management by boards of directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.

Here are 25 reasons for risk management failure:

  1. Lack of enterprise risk management expertise on the board.
  2. Governance gaps over a material risk(s) within the board or across committees.
  3. Directors incapable of identifying and fully understanding the risks, or worse yet, who don’t want to understand. Committees show no interest when they should be shocked.
  4. Internal oversight functions reporting to management instead of the board. A complacent board does not correct.
  5. Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
  6. Not upgrading information systems to track, monitor, integrate risks.
  7. Lack of oversight of the process by which management identifies, assesses and actions the risks.
  8. Lack of conversations, common vocabulary and prioritization of the risks.
  9. Lack of internal audit, or not listening to internal audit.
  10. Internal controls that are weak, even non-existent, or capable of management override.
  11. Not addressing interaction of risks, their speed, and exogenous shocks in modeling and scenario planning.
  12. Not considering impact on reputation, which can be greater than the primary impact considered.
  13. Immature controls over non-financial material risks, especially safety, operations, reputation, terrorism, bribery, technology.
  14. Risk appetite frameworks do not result in known thresholds, beyond which senior management and, when necessary, the board are notified.
  15. Lack of independent, coordinated assurance of internal controls provided directly to the board.
  16. Risk culture defective (toxicity, bullying, risk-taking behaviors) and not remedied.
  17. Whistle-blowing defective (not anonymous, no independent channel, no proper investigation).
  18. Risk not based on the strategy, business model and key performance indicators.
  19. Key performance indicators, and pay incentives and vesting of equity, not risk-adjusted.
  20. Board or committee cannot direct a third party review of risk governance, a specific risk, or a set of controls.
  21. Failure to anticipate and integrate risks. Pockets of acute, unknown catastrophic risk. (This item equals 13 + 6.)
  22. Enterprise risk management not really implemented but everyone thinks it is. False sense of reality.
  23. Tone at the top tolerates exceptions, complacency, and unequal treatment. Limited downside for excessive or imprudent risk taking. Encouragement, enabling or dependence upon high performing risk-takers.
  24. No sense of urgency to remedy the foregoing.
  25. The board does not know how bad it is.

The author thanks an anonymous senior risk executive for review of the foregoing items.

How do boards prepare for terrorism?

In a board meeting, the military general asked the airline’s CEO, “Why is the pilot’s food being labeled?” “Because that’s the way we always do it,” the CEO responded. “Well then stop doing it,” the military director said. “If I’m a terrorist, I might have trouble getting through the cockpit door, but you’re putting a red flag for me on how to poison the pilot and take down the plane.”

In that exchange, the new military director on the airline’s board of directors I was advising proved his value.

I am currently advising another board whose company is a target for a terrorist attack. Many other companies in transportation, utilities, defense, property development and financial services could take a page from below.

Here are six areas for boards to focus on to prepare for a possible terrorist attack.

1. Military experience on the Board. Military leaders have logistics, supply chain, tactical and international theatre experience civilian directors lack. Their contacts include the intelligence community. They think differently and understand evil.

2. Intelligence gathering. Boards should commission multi-lingual analytics from terrorist websites and chat-rooms, where the company, industry or executive is mentioned. There should be governmental relations on the board’s competency matrix. Boards want to know about unknown unknowns, or emerging risks that can be catastrophic (the black swan), or interdependent risks that rapidly interact. Risk registers don’t capture this dynamism yet. Proper intelligence gives boards and management teams a heads up.

3. Scenario planning. Good boards in sensitive industries are insisting on disaster recovery, catastrophic event planning, mock dry runs, and schedules so if or when it happens, the company is ready. There is even off-site functioning if the office is blown up.

4. CEO compensation. In a disaster that happened involving property destruction and death (another board), I was called in to recut the CEO’s compensation. It went from financial short-term to include risk, relations, internal controls, and crisis management metrics. The compensation committee has enormous, often unused, control over behaviours, and you reward what you pay for.

5. Communication. The CEO should have media training to prepare for scenarios, and respond to journalist questions. When the event happens, it is too late if you don’t have this. Opinion crystallizes in days if not hours. The CEO profile for succession planning should include communication, intelligence gathering, and political linkages.

6. Invest in enterprise risk management (ERM) and information technology (IT). Risk management is often immature, cyber threats are significant, and good ERM is bottom up to include focus groups and integrated real-time IT. There are vulnerabilities that are missed without good ERM. Without being explicit, there are vulnerabilities at universities, cities, shopping malls and events that will surface in good ERM.

The bombers in Boston capitalized on police that were not there, inadequate crowd control at the finish line, and unattended unchecked bags. New York is much better at this now. Cameras, K-9 dogs, screening, monitoring, crowd control and escorts are all about choices. Management can choose not to do something. Boards can DIRECT that they do. This deters potential targets.

Regulators turning up anti-bribery heat on corporate boards: But will practices change?

Russia is one of the most corrupt nations in the world (see a recent anti-corruption story on Russia by the New York Times). It ranks 143rd of all 182 countries on Transparency International’s corruption perception index, with a score of 2.4. Canada ranks the 10th least corrupt country in the world with a score of 8.7. New Zealand is the least corrupt country globally, ranking first with an overall score of 9.5. The US ranks 24th and the UK 16th, with scores of 7.1 and 7.8 respectively. See the “Full Table and Rankings,” where countries can be searched via the table. Lower rankings and higher scores mean the country is perceived as being less corrupt.

Prime Minister Harper visited China, India and Brazil to enhance trade with these countries, which are also some of the most corrupt nations in the world, ranking in at 95th, 75th and 73rd respectively. Libya, which involved the alleged Montreal-based SNC Lavalin bribes of some $56 million, comes in at 168. Within these countries, the governments themselves are the net beneficiaries of much of the corruption, so these politicians are far from motivated to impose reform.

Is it realistic to expect that Anglo-American nations, such as the US, UK and Canada, can impose “Western” will on the very way business is done, and has been done, in some countries for centuries? And if things will not or perhaps cannot change, should home country boards of directors be held responsible for systemic local corruption that may be beyond their control?

Regulators are taking corruption and the role of boards and senior management very seriously. The Securities and Exchange Commission and Department of Justice recently released 130 pages of guidance (see the PDF and other coverage here and here) on the Foreign Corrupt Practices Act (“FCPA”). The US has had the FCPA since 1977. Enforcement and penalties have gone up dramatically in recent years. The UK Bribery Act, from 2010, has some of the most stringent bribery laws in the world. In Canada, we have The Corruption of Foreign Officials Act (since 1999) and the recent guideline from the OSC for issuers operating in emerging markets (see the PDF).

Emerging economies are future markets for Canadian companies. The Prime Minister has a vision for Canada to be an energy supplier superpower. For this to happen, Canada will shift its trade to markets with 100s of millions or billions of consumers and much higher growth rates than our current major trade partner, the US, which could be coping with austerity due to its debt for years to come. Harper was in India last week to boost trade.

What is clear is that there is an enormous disconnect between the home country regulations now being imposed, and host country actual practices on the ground.

What should boards that have operations in emerging market jurisdictions do? Six things. First, if you are doing business in such a market, you need a director with extensive on-the-ground experience at the board table, who can tell you and management what the hotspots are. You should move a board meeting to the jurisdiction once a year so directors can get a first-hand look. Second, boards must make it crystal clear to management that if the company is not going to bribe, management must walk away from certain business. And the board must support this and not have incentives that promote bribery. Third, the internal controls over financial reporting must be as strong in the emerging market as they are in the home market. Investment and resource commitments need to be made. Fourth, boards must have their own experts to scrutinize off-balance sheet and related-party transactions and complex structures; validate and assure internal controls; and provide foreign language document translation. Fifth, local auditors should have the same oversight, scrutiny, and as necessary direct contact with the audit committee that the home auditors have. Lastly, there needs to be zero tolerance by the board communicated to each employee and supplier. The UK is even banning facilitating payments, which are regarded as a “tip,” as these may be bribes in disguise.

Companies and politicians are feeling the pain, including on Canadian shores. The Wal-Mart bribery probe has widened beyond Mexico to include China, Brazil and India. The RCMP is investigating the SNC Lavalin bribery allegations, on which I advised a law firm suing the company. I blogged about Sino-Forest, a case of alleged Chinese fraud by a Canadian-listed company. In Quebec, the corruption inquiry has cost the Mayors of Montreal and Laval their jobs and this is only the beginning. There are allegations of kickbacks in cash that may reach other more senior politicians. And Ontario is not immune either. A senior Canadian director remarked that Ontario has a reputation for being “the best place to carry out a stock fraud in the industrialized world.”

Clearly, more work needs to be done. Canada’s corruption ranking on Transparency International may go down in 2012 instead of up.

Banking Directors Need to be at the Top of Their Game

There’s an old maxim that corporations don’t fail, boards do. And when banks fail, the reason is poor management, which is the fault of a poor board.

Take the case of Lehman Brothers, the financial services firm that collapsed in 2008 and played a big role in the global economic downturn. Stanford University professors David F. Larcker and Brian Tayan noted that Lehman’s board was lacking financial services experience and current business acumen. In fact, the former CEOs on the board were, on average, 12 years into their retirement. “This raises the question of whether the professional experiences of Lehman board members were relevant for understanding the increasing complexity of financial markets,” wrote Larcker and Tayan.

Well, the job of a bank board isn’t getting any easier. Following the financial downturn, banks have been placed under greater scrutiny and new regulations, both in Canada and abroad.

That’s why, more than ever, banking board directors need to be at the top of their game.

Last week, I spoke to bank directors in Dallas, Texas, about banking governance best practices as a result of a review that I had conducted for the Office of the Superintendent of Financial Institutions. (The OSFI is Canada’s banking regulator.) Specifically, I looked at Canada’s governance guidelines and board assessment criteria and compared them with international financial regulatory practices and recent developments. I provided the OSFI with suggestions for revisions.

Some proposed board reforms to Canada’s deposit-taking institutions and insurance companies sectors under the new guidelines include:

  • Having directors who possess risk management and relevant industry experience;
  • A risk committee that oversees enterprise risks, and a chief risk officer who reports directly to this committee and the board;
  • Board approval of the internal control framework to mitigate all material risks to the financial institution, and board monitoring of internal control effectiveness;
  • Expert third party reviews of the board’s effectiveness, risk management effectiveness, and effectiveness of oversight functions (such as internal audit), with results reported to the board;
  • Enhanced director orientation and training, self assessment and external reviews;
  • A board-approved risk management statement that translates into cascading limits and thresholds for all material business risks (e.g., credit limits, loan losses, capital levels);
  • The internal audit function should report directly to the audit committee; and
  • The audit committee, not management, should approve the scope of the external auditor’s engagement and fees.

When I asked for a show of hands as to how many banking directors adopted at least some of the above best practices, about half the hands went up.

However, it’s apparent that many boards aren’t prepared for a new era of banking regulations.

Remember the JPMorgan board of directors that oversaw the derivative failure that cost the bank several billion dollars? Well, here is the current board. Last I checked, not a single director other than the CEO had banking experience. This is wrong.

In 2009 and 2010, there were a total of 297 bank failures in the U.S., according to the Federal Deposit Insurance Corporation. In the second quarter of this year, the FDIC identified 732 “problem” banks which are at risk of failing.

At the event in Dallas, one of the speakers brought up a good point. “Don’t get involved in something you don’t understand,” said Charles G. Cooper, commissioner of the Texas Department of Banking. He added: “The duties haven’t changed, but the topic is harder.”

And he’s right. That’s why it’s vital that banking boards are well-equipped with qualified directors for this increasingly complex environment.

 


E. Coli, Contaminated Beef and Shoddy Governance

I interviewed an independent director of Canadian food retailer Loblaws about risk and he told me the most important risk for Loblaws that could cause a ‘run on the bank’ (his words) was food safety. Food safety was front and center in his mind, and in the minds of each of the other independent directors and management. It seems the management of XL Foods Inc., which is owned by Nilsson Brothers Inc., has not figured this out. “Governance” does not even appear on their sparse website. Safety does, in a general way, here. Neither company appears to have any independent directors.

Contrast this with the other major beef processor in Canada, Cargill Ltd., which is owned by Cargill, Inc. in the U.S. See Cargill’s commitment to food safety here; their “ethics open line” here; their core competencies that include supply chain and risk management here; and that their board has six independent directors and five managers, according to Wikipedia. (Their 2008 accountability report stated a third of the board were independent directors.) Cargill claims to be the largest private company in the U.S. in terms of revenue. Although private companies like Nilsson Brothers and Cargill are not required to have independent directors, forward-thinking ones do. See McCain Foods here. Independent directors bring objectivity and an external perspective into the boardroom. They are honest brokers to keep an eye on management. A good independent board will not prevent a disaster but almost always will lessen its likelihood.

According to the Mayo Clinic, the most common way to acquire an E. coli infection is by eating contaminated food such as ground beef: “When cattle are slaughtered and processed, E. coli bacteria in their intestines can get on the meat. Ground beef combines meat from many different animals, increasing the risk of contamination.”

The way you mitigate food safety risk is through internal controls, including segregation of duties, restricted areas, approval, records and reconciliations – and a culture of food safety and not cutting corners. Management is inherently conflicted in assuring such controls, and internal controls cost money. This is the reason for government inspectors and, most importantly, a competent and independent board of directors to approve the control regime to begin with.

I am heading to Calgary next week to give speeches on internal controls and risk to the directors of Livestock Identification Services Ltd., as well as directors of a few additional beef industry groups, one of which is a newly formed national beef agency called Canada Beef Inc. I have given speeches to farmers in the U.S. and am going again to Colorado in November to talk to CEOs and director-farmers on the latest trends in corporate governance, risk management and internal controls. Good agri-businesses take governance very seriously.

Risk management and internal controls are not profit-producing activities per se. No one likes to be controlled, least of all entrepreneurial employees. However, ask yourself if defective internal controls are worth the price, reputationally and financially. Do you think XL Foods has taken a financial and reputational hit because of the tainted beef? What about the farmers coping with a price decline? What about Maple Leaf Foods? Most importantly, what about the health and safety of customers? It can indeed be a run on the bank if consumers don’t have confidence, and it can get worse unless governance checks are put in place.

See the long list of beef recalled here from the Canadian Food Inspection Agency, and the update from the USDA Food Safety and Inspection Service, here. Recall that the American inspectors detected the tainted beef before Canadian inspectors did. Rather than prioritizing the federal agency to re-open XL Foods, the premier of Alberta, Alison Redford, should insist that food safety for all Canadians (and consumers in America and other countries too) is number one. Then, and only then, should XL Foods be re-opened. Tainted beef from Alberta seems to be a pattern. And the Prime Minister should reform the governance of the Canadian Food Inspection Agency to require independent directors and an independent chair (it appears not to have either on its website here and here) like many other federal or provincial agencies. Maybe it’s also time that some private companies that affect a broad swath of the population should have a requirement for independent directors too.