
Archive for the ‘Risk Governance and Combined Assurance’ Category

How do boards prepare for terrorism?

In a board meeting, the military general asked the airline’s CEO, “Why is the pilot’s food being labeled?” “Because that’s the way we always do it,” the CEO responded. “Well then stop doing it,” the military director said. “If I’m a terrorist, I might have trouble getting through the cockpit door, but you’re putting a red flag for me on how to poison the pilot and take down the plane.”

In that exchange, the new military director on the airline’s board of directors I was advising proved his value.

I am currently advising another board whose company is a target for a terrorist attack. Many other companies in transportation, utilities, defense, property development and financial services could take a page from below.

Here are six areas for boards to focus on to prepare for a possible terrorist attack.

1. Military experience on the Board. Military leaders have logistics, supply chain, tactical and international theatre experience civilian directors lack. Their contacts include the intelligence community. They think differently and understand evil.

2. Intelligence gathering. Boards should commission multi-lingual analytics from terrorist websites and chat-rooms, where the company, industry or executive is mentioned. There should be governmental relations on the board’s competency matrix. Boards want to know about unknown unknowns, or emerging risks that can be catastrophic (the black swan), or interdependent risks that rapidly interact. Risk registers don’t capture this dynamism yet. Proper intelligence gives boards and management teams a heads up.

3. Scenario planning. Good boards in sensitive industries are insisting on disaster recovery, catastrophic event planning, mock dry runs, and schedules so if or when it happens, the company is ready. There is even off-site functioning if the office is blown up.

4. CEO compensation. In a disaster that happened involving property destruction and death (another board), I was called in to recut the CEO’s compensation. It went from financial short-term to include risk, relations, internal controls, and crisis management metrics. The compensation committee has enormous often unused control over behaviours and you reward what you pay for.

5. Communication. The CEO should have media training to prepare for scenarios, and respond to journalist questions. When the event happens, it is too late if you don’t have this. Opinion crystallizes in days if not hours. The CEO profile for succession planning should include communication, intelligence gathering, and political linkages.

6. Invest in enterprise risk management (ERM) and information technology (IT). Risk management is often immature, cyber threats are significant, and good ERM is bottom up to include focus groups and integrated real-time IT. There are vulnerabilities that are missed without good ERM. Without being explicit, there are vulnerabilities at universities, cities, shopping malls and events that will surface in good ERM.

The bombers in Boston capitalized on police that were not there, inadequate crowd control at the finish line, and unattended unchecked bags. New York is much better at this now. Cameras, K-9 dogs, screening, monitoring, crowd control and escorts are all about choices. Management can choose not to do something. Boards can DIRECT that they do. This deters potential targets.

Regulators turning up anti-bribery heat on corporate boards: But will practices change?

Russia is one of the most corrupt nations in the world (see a recent anti-corruption story on Russia by the New York Times). It ranks 143rd of all 182 countries on Transparency International’s corruption perception index, with a score of 2.4. Canada ranks the 10th least corrupt country in the world with a score of 8.7. New Zealand is the least corrupt country globally, ranking first with an overall score of 9.5. The US ranks 24th and the UK 16th, with scores of 7.1 and 7.8 respectively. See the “Full Table and Rankings,” where countries can be searched via the table. Lower rankings and higher scores mean the country is perceived as being less corrupt.

Prime Minister Harper visited China, India and Brazil to enhance trade with these countries, which are also some of the most corrupt nations in the world, ranking in at 95th, 75th and 73rd respectively. Libya, which involved the alleged Montreal-based SNC Lavalin bribes of some $56 million, comes in at 168. Within these countries, the governments themselves are the net beneficiaries of much of the corruption, so these politicians are far from motivated to impose reform.

Is it realistic to expect that Anglo-American nations, such as the US, UK and Canada, can impose “Western” will on the very way business is done, and has been done, in some countries for centuries? And if things will not or perhaps cannot change, should home country boards of directors be held responsible for systemic local corruption that may be beyond their control?

Regulators are taking corruption and the role of boards and senior management very seriously. The Securities and Exchange Commission and Department of Justice recently released 130 pages of guidance (see the PDF and other coverage here and here) on the Foreign Corrupt Practices Act (“FCPA”). The US has had the FCPA since 1977. Enforcement and penalties have gone up dramatically in recent years. The UK Bribery Act, from 2010, has some of the most stringent bribery laws in the world. In Canada, we have The Corruption of Foreign Officials Act (since 1999) and the recent guideline from the OSC for issuers operating in emerging markets (see the PDF).

Emerging economies are future markets for Canadian companies. The Prime Minister has a vision for Canada to be an energy supplier superpower. For this to happen, Canada will shift its trade to markets with 100s of millions or billions of consumers and much higher growth rates than our current major trade partner, the US, which could be coping with austerity due to its debt for years to come. Harper was in India last week to boost trade.

What is clear is that there is an enormous disconnect between the home country regulations now being imposed, and host country actual practices on the ground.

What should boards that have operations in emerging market jurisdictions do? Six things. First, if you are doing business in such a market, you need a director with extensive on-the-ground experience at the board table, who can tell you and management what the hotspots are. You should move a board meeting to the jurisdiction once a year so directors can get a first-hand look. Second, boards must make it crystal clear to management that if the company is not going to bribe, management must walk away from certain business. And the board must support this and not have incentives that promote bribery. Third, the internal controls over financial reporting must be as strong in the emerging market as they are in the home market. Investment and resource commitments need to be made. Fourth, boards must have their own experts to scrutinize off-balance sheet and related-party transactions and complex structures; validate and assure internal controls; and provide foreign language document translation. Fifth, local auditors should have the same oversight, scrutiny, and as necessary direct contact with the audit committee that the home auditors have. Lastly, there needs to be zero tolerance by the board communicated to each employee and supplier. The UK is even banning facilitating payments, which are regarded as a “tip,” as these may be bribes in disguise.

Companies and politicians are feeling the pain, including on Canadian shores. The Wal-Mart bribery probe has widened beyond Mexico to include China, Brazil and India. The RCMP is investigating the SNC Lavalin bribery allegations, on which I advised a law firm suing the company. I blogged about Sino-Forest, a case of alleged Chinese fraud by a Canadian-listed company. In Quebec, the corruption inquiry has cost the Mayors of Montreal and Laval their jobs and this is only the beginning. There are allegations of kickbacks in cash that may reach other more senior politicians. And Ontario is not immune either. A senior Canadian director remarked that Ontario has a reputation for being “the best place to carry out a stock fraud in the industrialized world.”

Clearly, more work needs to be done. Canada’s corruption ranking on Transparency International may go down in 2012 instead of up.

Banking Directors Need to be at the Top of Their Game

There’s an old maxim that corporations don’t fail, boards do. And when banks fail, the reason is poor management, which is the fault of a poor board.

Take the case of Lehman Brothers, the financial services firm that collapsed in 2008 and played a big role in the global economic downturn. Stanford University professors David F. Larcker and Brian Tayan noted that Lehman’s board was lacking financial services experience and current business acumen. In fact, the former CEOs on the board were, on average, 12 years into their retirement. “This raises the question of whether the professional experiences of Lehman board members were relevant for understanding the increasing complexity of financial markets,” wrote Larcker and Tayan.

Well, the job of a bank board isn’t getting any easier. Following the financial downturn, banks have been placed under greater scrutiny and new regulations, both in Canada and abroad.

That’s why, more than ever, banking board directors need to be at the top of their game.

Last week, I spoke to bank directors in Dallas, Texas, about banking governance best practices as a result of a review that I had conducted for the Office of the Superintendent of Financial Institutions. (The OSFI is Canada’s banking regulator.) Specifically, I looked at Canada’s governance guidelines and board assessment criteria and compared them with international financial regulatory practices and recent developments. I provided the OSFI with suggestions for revisions.

Some proposed board reforms to Canada’s deposit-taking institutions and insurance companies sectors under the new guidelines include:

  • Having directors who possess risk management and relevant industry experience;
  • A risk committee that oversees enterprise risks, and a chief risk officer who reports directly to this committee and the board;
  • Board approval of the internal control framework to mitigate all material risks to the financial institution, and board monitoring of internal control effectiveness;
  • Expert third party reviews of the board’s effectiveness, risk management effectiveness, and effectiveness of oversight functions (such as internal audit), with results reported to the board;
  • Enhanced director orientation and training, self assessment and external reviews;
  • A board-approved risk management statement that translates into cascading limits and thresholds for all material business risks (e.g., credit limits, loan losses, capital levels);
  • The internal audit function should report directly to the audit committee; and
  • The audit committee, not management, should approve the scope of the external auditor’s engagement and fees.

When I asked for a show of hands as to how many banking directors adopted at least some of the above best practices, about half the hands went up.

However, it’s apparent that many boards aren’t prepared for a new era of banking regulations.

Remember the JPMorgan board of directors that oversaw the derivative failure that cost the bank several billion dollars? Well, here is the current board. Last I checked, not a single director other than the CEO had banking experience. This is wrong.

In 2009 and 2010, there were a total of 297 bank failures in the U.S., according to the Federal Deposit Insurance Corporation. In the second quarter of this year, the FDIC identified 732 “problem” banks which are at risk of failing.

At the event in Dallas, one of the speakers brought up a good point. “Don’t get involved in something you don’t understand,” said Charles G. Cooper, commissioner of the Texas Department of Banking. He added: “The duties haven’t changed, but the topic is harder.”

And he’s right. That’s why it’s vital that banking boards are well-equipped with qualified directors for this increasingly complex environment.


E. Coli, Contaminated Beef and Shoddy Governance

I interviewed an independent director of Canadian food retailer Loblaws about risk and he told me the most important risk for Loblaws that could cause a ‘run on the bank’ (his words) was food safety. Food safety was front and center in his mind, and each of the other independent directors and management. It seems the management of XL Foods Inc., which is owned by Nilsson Brothers Inc., has not figured this out. “Governance” does not even appear on their sparse website. Safety does, in a general way, here. Neither company appears to have any independent directors.

Contrast this with the other major beef processor in Canada, Cargill Ltd., which is owned by Cargill, Inc. in the U.S. See Cargill’s commitment to food safety here; their “ethics open line” here; their core competencies that include supply chain and risk management here; and that their board has six independent directors and five managers, according to Wikipedia. (Their 2008 accountability report stated a third of the board were independent directors.) Cargill claims to be the largest private company in the U.S. in terms of revenue. Although private companies like Nilsson Brothers and Cargill are not required to have independent directors, forward-thinking ones do. See McCain Foods here. Independent directors bring objectivity and an external perspective into the boardroom. They are honest brokers to keep an eye on management. A good independent board will not prevent a disaster but almost always will lessen its likelihood.

According to the Mayo Clinic, the most common way to acquire an E. coli infection is by eating contaminated food such as ground beef: “When cattle are slaughtered and processed, E. coli bacteria in their intestines can get on the meat. Ground beef combines meat from many different animals, increasing the risk of contamination.”

The way you mitigate food safety risk is through internal controls, including segregation of duties, restricted areas, approval, records and reconciliations – and a culture of food safety and not cutting corners. Management is inherently conflicted in assuring such controls, and internal controls cost money. This is the reason for government inspectors and, most importantly, a competent and independent board of directors to approve the control regime to begin with.

I am heading to Calgary next week to give speeches to the directors of Livestock Identification Services Ltd., as well as directors of a few additional beef industry groups and one being a newly formed national beef agency called Canada Beef Inc., on internal controls and risk. I have given speeches to farmers in the U.S. and am going again to Colorado in November to talk to CEOs and director-farmers on the latest trends in corporate governance, risk management and internal controls. Good agri-businesses take governance very seriously.

Risk management and internal controls are not profit-producing activities per se. No one likes to be controlled, least of all entrepreneurial employees. However, ask yourself if defective internal controls are worth the price, reputationally and financially? Do you think XL Foods has taken a financial and reputational hit because of the tainted beef? What about the farmers coping with a price decline? What about Maple Leaf Foods? Most importantly, what about the health and safety of customers? It can indeed be a run on the bank if consumers don’t have confidence, and it can get worse unless governance checks are put in place.

See the long list of beef recalled here from the Canadian Food Inspection Agency, and the update from the USDA Food Safety and Inspection Service, here. Recall that the American inspectors detected the tainted beef before Canadian inspectors did. Rather than prioritizing the federal agency to re-open XL Foods, the premier of Alberta, Alison Redford, should insist that food safety for all Canadians (and consumers in America and other countries too) is number one. Then, and only then, should XL Foods be re-opened. Tainted beef from Alberta seems to be a pattern. And the Prime Minister should reform the governance of the Canadian Food Inspection Agency to require independent directors and an independent chair (it appears not to have either on its website here and here) like many other federal or provincial agencies. Maybe it’s also time that some private companies that affect a broad swath of the population should have a requirement for independent directors too.


The Enbridge Oil Spill and Role of the Board

In a scathing report by the National Transportation Safety Board (“NTSB”), Canadian company Enbridge Inc. was rebuked for its pipeline rupture on July 25, 2010, and subsequent environmental damage. The pipeline ruptured due to corrosion fatigue cracks that grew and coalesced from multiple stress cracks.

The oil flow continued for 17 hours, according to the report. The oil saturated the wetlands in Michigan. Clean up continues with costs exceeding $767 million. The total release was estimated to be 843,444 gallons.

Enbridge CEO, Patrick Daniel, said on the news that evening that Enbridge complied with all regulations.

If this is the case, then the regulations were defective or not enforced. They were, and the NTSB is addressing this.

Some of the highlights of the NTSB’s report, so far as Enbridge is concerned, include:

–       Enbridge’s integrity management program was inadequate.

–       Enbridge failed to train staff and failed to ensure staff had adequate knowledge, skills and abilities to address pipeline leaks.

–       Enbridge’s staff placed inadequate reliance on indications of a leak, including zero pressure.

–       Enbridge had a culture that accepted not adhering to procedures, including requiring a pipeline shutdown after 10 minutes of uncertain operational status. [This is perhaps the most damning conclusion from the report.]

–       Enbridge’s review of its public awareness program was ineffective.

–       Enbridge’s emergency response demonstrated a lack of training in the use of effective containment methods.

–       Enbridge’s facility response plan did not identify and ensure resources were available to the pipeline release in this accident.

–       Enbridge’s failures in respect of the above items were organizational failures that resulted in the accident and increased its severity.

What can we learn from Enbridge, from a governance, research and risk perspective?

–       The Board Chair, Mr. David Arledge, has served on the Enbridge board for 10 years.

–       The Chair of the Corporate Social Responsibility Committee, whose mandate includes oversight of Enbridge’s risk management guidelines applicable to the environment and health and safety, Mr. James Blanchard, has served on the Enbridge board for 12 years.

–       Mr. George Petty, also a member of the CSR committee, has served on the Enbridge board for 11 years.

–       Other countries are moving towards tenure limits for directors of 9 years, because of the effect that prolonged tenure could have on director independence.

–       Mr. Dan Tutcher, also a member of the CSR committee, was formerly an employee of a subsidiary of Enbridge.

–       The final CSR committee member, Ms. Maureen Kempston Darkes, has served on the Enbridge board for almost 2 years.

–       A majority of CSR committee members (three of four members) would be regarded as “busy” directors (generally 3 or more boards).

–       Enbridge would be regarded as a “busy” board, with a majority of directors (11 of 13 directors) holding multiple board seats (generally 3 or more), including the CEO, Patrick Daniel.

–       Enbridge’s CEO, Patrick Daniel, appears to be serving on seven other private and public boards. More than half of S&P 500 companies limit outside directorships for their CEO, a policy not widely in effect a few years ago, according to Stanford researchers.

–       Companies with busy boards tend to have worse long-term performance and oversight, according to the research.

–       Enbridge is a large board (13 directors). Larger boards tend to provide worse oversight (when company size is held constant), according to the research.

–       For the Enbridge directors serving on the CSR committee who have not worked at Enbridge, environment and health and safety (or related competencies such as sustainability) are not listed as areas of expertise within their website bios, or in regard to committee membership, it would appear. Other natural resource companies and boards in Canada are addressing director competencies specifically. For example, “Sustainable Business Practices” and “Corporate Social Responsibility” are forming main areas of expertise or are on a skills and experience matrix.

Good boards, after the BP spill, pressed management to demonstrate how BP could not happen to them, and correct any deficiencies whatsoever, such as several of the above-mentioned items as applicable (training, resources, fatigue of equipment, crisis response, etc). Good boards insist on stress testing, crisis planning, and a comprehensive and robust risk management system. And, most importantly, there is no tolerance whatsoever for deviating from a culture of integrity, health and safety.

I taught a case last week to my corporate governance class based on Hydro One’s Enterprise Risk Management program. The role of the board and CEO is critical – if not essential – to risk culture and effectiveness. Hydro One specifically mentioned in a video I showed to my students how the company factors in transmission line aging and fatigue within a comprehensive risk management system. Workshops and stress testing occur, within a comprehensive reporting and assurance system, right up to the board of directors.
