Future Students, Alumni & Visitors

Archive for the ‘Risk Governance and Combined Assurance’ Category

The Enbridge Oil Spill and Role of the Board

In a scathing report by the National Transportation Safety Board (“NTSB”), Canadian company Enbridge Inc. was rebuked for its pipeline rupture on July 25, 2010, and subsequent environmental damage. The pipeline ruptured due to corrosion fatigue cracks that grew and coalesced from multiple stress cracks.

The oil flow continued for 17 hours, according to the report. The oil saturated the wetlands in Michigan. Clean up continues with costs exceeding $767 million. The total release was estimated to be 843,444 gallons.

Enbridge CEO, Patrick Daniel, said on the news on that evening that Enbridge complied with all regulations.

If this is the case, then the regulations were defective or not enforced. They were, and the NTSB is addressing this.

Some of the highlights of the NTSB’s report, so far as Enbridge is concerned, include:

–       Enbridge’s integrity management program was inadequate.

–       Enbridge failed to train staff and failed to ensure staff had adequate knowledge, skills and abilities to address pipeline leaks.

–       Enbridge’s staff placed inadequate reliance on indications of a leak, including zero pressure.

–       Enbridge had a culture that accepted not adhering to procedures, including requiring a pipeline shutdown after 10 minutes of uncertain operational status. [This is perhaps the most damning conclusion from the report.]

–       Enbridge’s review of its public awareness program was ineffective.

–       Enbridge’s emergency response demonstrated a lack of training in the use of effective containment methods.

–       Enbridge’s facility response plan did not identify and ensure resources were available to the pipeline release in this accident.

–       Enbridge’s failure in respect of the above items were organizational failures that resulted in the accident and increased its severity.

What can we learn from Enbridge, from a governance, research and risk perspective?

–       The Board Chair, Mr. David Arledge, has served on the Enbridge board for 10 years.

–       The Chair of the Corporate Social Responsibility Committee, whose mandate includes oversight of Enbridge’s risk management guidelines applicable to the environment and health and safety, Mr. James Blanchard, has served on the Enbridge board for 12 years.

–       Mr. George Petty, also a member of the CSR committee, has served on the Enbridge board for 11 years.

–       Other countries are moving towards tenure limits for directors of 9 years, because of the effect that prolonged tenure could have on director independence.

–       Mr. Dan Tutcher, also a member of the CSR committee, was formerly an employee of a subsidiary of Enbridge.

–       The final CSR committee member, Ms. Maureen Kempston Darkes, has served on the Enbridge board for almost 2 years.

–       A majority of CSR committee members (three of four members) would be regarded as “busy” directors (generally 3 or more boards).

–       Enbridge would be regarded as a “busy” board, with a majority of directors (11 of 13 directors) holding multiple board seats (generally 3 or more), including the CEO, Patrick Daniels.

–       Enbridge’s CEO, Patrick Daniels, appears to be serving on seven other private and public boards. More than half of S&P 500 companies limit outside directorships for their CEO, a policy not widely in effect a few years ago, according to Stanford researchers.

–       Companies with busy boards tend to have worst long-term performance and oversight, according to the research.

–       Enbridge is a large board (13 directors). Larger boards tend to provide worst oversight (when company size is held constant), according to the research.

–       For the Enbridge directors serving on the CSR committee who have not worked at Enbridge, environment and health and safety (or related competencies such as sustainability) are not listed as areas of expertise within their website bios, or in in regards to committee membership, it would appear. Other natural resource companies and boards in Canada are addressing director competencies specifically. For example, “Sustainable Business Practices” and “Corporate Social Responsibility” are forming main areas of expertise or are on a skills and experience matrix.

Good boards, after the BP spill, pressed management to demonstrate how BP could not happen to them, and correct any deficiencies whatsoever, such as several of the above-mentioned items as applicable (training, resources, fatigue of equipment, crisis response, etc). Good boards insist on stress testing, crisis planning, and a comprehensive and robust risk management system. And, most importantly, there is no tolerance whatsoever for deviating from a culture of integrity, health and safety.

I taught a case last week to my corporate governance class based on Hydro One’s Enterprise Risk Management program. The role of the board and CEO is critical – if not essential – to risk culture and effectiveness. Hydro One specifically mentioned in a video I showed to my students how the company factors in transmission line aging and fatigue within a comprehensive risk management system. Workshops and stress testing occurs, within a comprehensive reporting and assurance system, right up to the board of directors.

Bribery, Cyber-Security and Derivatives: Is Internal Audit up to the Task?

Do internal auditors have the resources, skills and authority necessary to do their job? I wonder. I was asked recently to be an expert witness in an alleged bribery case. Internal audit is one of the first places I look to when assessing governance failure because they are the eyes and ears of the board.

I asked a question recently at two auditing conferences I spoke at. How many auditors use Twitter? In both cases, only one hand went up. Yet we know cybercrime is widespread, is under-reported, and management may not even know it is happening. It is a top concern of boards. How can internal auditors assure internal controls – not only over cyber-security but social media – when they themselves may be technically illiterate? IT literacy and data mining were two of the top skills required by internal auditors in a recent survey.

What about derivatives used by traders? How many auditors understand the use of derivative products such that they can attest to the internal controls over their use? The responses I received from my audiences were not encouraging.

What about corruption risk? How do auditors treat working notes, delegation to foreign auditors, language barriers, and do they even understand foreign practices? Do they visit the jurisdiction or audit from an office in Canada? The OSC came out with a scathing report recently about emerging market risks, chastising not just boards but the audit and underwriting professions.

What about fraud? Evidence from the conference board is that many whistle-blowing programs don’t work and aren’t used. Now whistle-blowers can go directly to the SEC in Washington, completely by-passing possible retaliation, flawed investigations or toxic workplaces.

Auditors cannot choose which internal controls they validate. Regulatory authorities are clear: every activity of every entity should fall within the scope of the internal audit function. This includes compensation structure of risk-takers. Combined assurance over all material risks should be undertaken.

Management may have vested interest in starving internal audit or compromising their objectivity with management responsibilities. Regulators have been clear here also: auditors, both internal and external, must maintain their independence from audited activities. They cannot assess their own work.

If the internal audit function is weak, or the chief audit executive does not have the experience or stature, or management disregards internal audit findings, this is the fault of the audit committee and the board. The audit committee should approve the head of internal audit, his/her compensation structure, the budget, work-plan and most of all the independence of the internal audit function. If the audit committee and ultimately the board does not ensure this, it is not doing its job. When or if governance failure happens, scrutiny will follow.

Derivatives May be Ungovernable

The recent loss of 2Billion dollars by JPMorgan confirms what is now a blindingly obvious governance reality. Board of directors do not understand derivatives and cannot control management’s use of them. The same may be said for regulators.

One job of a board is to identify risks and ensure a proper system of risk management. If you cannot do this, you should not be on a board. This means that a director needs to assess the adequacy of the design and effectiveness of internal controls to mitigate the risks. Of the over 300 interviews I have undertaken in my research, including directors of large banks, only one director claimed to understand complex derivatives. How can directors assess internal controls when they do not understand the very instrument itself?

Other than Jamie Dimon, CEO of JPMorgan, not a single director of the board has any experience in banking. See the roster of directors here. Even if some directors were from the sector, it is debatable whether they would still understand the complexities of these products. For a basic explanation of what derivatives are, see here. U of T Rotman professor John Hull, a derivatives expert, has stated in an email to me “There is no question in my mind that a large financial institution should have on its board people (perhaps 2 or 3) who understand derivatives and other complex financial products.” Unless bank boards that oversee derivatives are prepared to have subject matter experts on their board who can effectively question management and insist on proper risk controls, other governance or oversight structures are needed.

Not only are boards incapable of controlling derivatives, but regulators may not be any better. Warren Buffett has said “Central banks and governments have so far found no effective way to control, or even monitor, the risks posed by these contracts. In my view, derivatives are financial weapons of mass destruction, carrying dangers that, while now latent, are potentially lethal.” See Warren Buffett on Derivatives.

The question is what have we learned from 2008? Banks are bigger than ever, with most American mortgages concentrated in only a handful of banks, yet the risky bets and use of complex derivatives continue. Harvard law professor Elizabeth Warren yesterday called for a new version of the Glass Steagall Act. Yet independent Senator Bernie Saunders pronounced that Wall Street “runs” the Senate, implying that any attempt at further regulation would be forestalled. Mitt Romney has vowed to unwind Dodd-Frank on his first day as President. Look at the long list of political donations made by JPMorgan in 2011, here. And this is just one bank.

If derivatives are going to continue, regulatory conflicts of interest need to be addressed and boards need to have the directors with the expertise to oversee them.

SNC Lavalin and RBC in the News

If the CEO of SNC Lavalin allegedly over-rode his own CFO and breached the company’s code of ethics in authorizing $56 million of questionable payments to undisclosed agents that the federal Canadian police are now investigating, did the board of directors of SNC Lavlin have a role to play?

If the RBC (formerly Royal Bank of Canada) is alleged by a US regulator to have made “material false statements” in connection with non-arms length trades, reported in the Wall Street Journal to be “a scheme of massive proportion,” did the board of directors of RBC have a role to play?

The answer is “it depends” in these and similar cases. Speaking generally, as all allegations have yet to be proven, it is not credible to argue that boards do not have a role to play in compliance and reputational oversight. A board is the only body that has the legal authority and power to control management and designate all compliance and control systems. It alone acts or fails to act. A board is paid, handsomely paid at the senior most levels in Canada, to take all reasonable steps consistent with best practices, to ensure that it does know.

More regulation now, such as the UK Bribery Act, and the SEC Whistle-Blower Rule, are attempting to hold directors responsible and accountable for failing to direct proper anti-corruption and whistleblowing systems. The SEC rule enables employees to report wrongdoing directly to the regulator, thereby completely bypassing toxic work cultures where whistleblowing is neither independent nor anonymous. This legislation is putting the heat on boards and senior management, or at least it should be.

The Ontario Securities Commission last month released a scathing report about governance, risk management, internal control and auditing failures in companies operating in emerging markets.

In SNC Lavalin’s case, how could anomalous payments of this magnitude and internal controls be allegedly manually over-ridden, as is being reported, and would payments of this nature require explicit board or committee approval? SNC’s own internal report reveals a lack of disclosure of contracting parties and improper documentation and passwords. The board chair, Gwyn Morgan, said that the board wasn’t “able to really determine the use of those payments.” Back in 2010, federal minister Stockwell Day had signaled that certain aspects of SNC’s pricing were “absolutely unacceptable.”

The former CEO, Pierre Duhaime, is receiving almost $5 million dollars. A portion of this is stock options awarded before an independent review was completed, as is reported in the press. Basel includes (at page 38 of this report) a malus scheme whereby vesting occurs only if there is no breach of the code of conduct. Boards may wish to consider comprehensive – and independently drafted – malus or clawback clauses that include similar provisions.

It may be highly unlikely for fraud, bribery or ethical breaches to occur in a vacuum. Employees may have knowledge. The 2011 National Business Ethics Survey reveals that those who reported bad behavior they saw reached a record high of 65% and retaliation against employee whistleblowers rose sharply to more than one in five employees. The Conference Board’s Directors Notes, in “Lessons for Boards from Corporate Governance Failures” (see the PDF at page 3), reveals defects in whistleblowing systems that include lack of anonymity, lack of independence, lack of communication and training, lack of incentive, and lack of a proper investigation. These defects are exactly what the SEC rule is designed to address. As Chairwoman Schapiro has argued, “I find that many of the business ethics problems severe enough to be investigated by us are the result less of individual greed than of individuals succumbing to pressure from their peers.”

Whistle-blowing defects may be faults of a board. If a board is getting its information only from management, this is a red flag. Management may not even possess accurate knowledge, as we see in cybercrime. Independent assurance over anti-fraud and whistle-blowing procedures must occur for any prudent board. And “independence” does not mean the company auditor or legal counsel who assess their own or their firm’s work, nor any firm who does, has done, or seeks to do work for company management. Any assurance provider in this area could likely recommend action adverse to incumbent management or service providers.

Directors and boards themselves also need to step up. This includes international directors, moving board meetings to emerging markets, understanding corrupt business practices, structured deep engagement by directors, receiving third party assurance and disconfirming information (including culture surveys), and using alerts and social media.  See “What Better Directors Do,” by NACD Directorship.

Both SNC Lavalin and RBC received governance recognition and were among the top twenty-five companies in the Globe and Mail’s Board Games for 2011. SNC Lavalin was the 2007 award winner from the Canadian Coalition for Good Governance.

The question therefore, is, could occurrences such as these happen on other boards of directors? If you are a director on a board and cannot reasonably answer “no,” to this question, perhaps you should consider some of the above recommendations.

Does Canada have a White Collar Crime Problem? A Red Flag Checklist for Directors

“This city, this province, this country has a reputation of being the best location to carry out white collar crime, corporate fraud, in the industrialized world.”

These public words are not from some scholarly journal but from a hard-hitting, no-nonsense corporate director, Spencer Lanthier, (PDF profile) as he received his award at the annual Institute of Corporate Directors dinner last year – a sort life-time achievement award for a select few directors. Guests at my table were shocked to hear this, as was I, so I followed up to interview Mr. Lanthier for an illuminating interview. I also went for lunch with former colleague Al Rosen who wrote the book “Swindlers,” which I am now reading and equally eye-opening.

Flash-forward to 2012 where the Nortel trial is now underway to examine what role directors or officers might have played in that alleged fraud. See a headline from last week: “Toronto lost nearly $1M to fraud in 2011, auditor-general reveals”and the twelve cases identified by the auditor general. See this excellent report (PDF), courtesy of Tim Leech in my LinkedIn group Audit Committee.

Here are some questions: Do directors on boards play a role in detecting and deterring fraud? Can they be held responsible or even liable if they do not fulfill this role properly? Increasingly the answers are “yes,” especially given UK and US legislation since the financial crisis. I remember one of my very first board meetings I observed. It was of a bank. At the break, a director got up and shook my hand. He leaned over and whispered in my ear that the number one role of a director was to watch for fraud. I never forgot this.

Here is a list of 10 red flags and suggestions I have compiled based on my work recommending governance enhancements for companies accused of fraud or other malfeasance, including very well known Canadian companies.

1. The Audit Committee must fully understand how the company’s business model, estimates and judgmental choices by management give rise to potential manipulation of financial reporting by that management. Audit Committee members should be selected and educated on this basis. Financial literacy is a low bar and is not enough. Educate yourself on how fraud happens if you are a director or audit committee member. If necessary, hire an expert to report to you individually or in closed session with the Audit Committee without any member of management present.

2. If your organization does not have an internal audit function, install one appropriate for your organization. The head of Internal Audit must report directly and confidentially to the Audit Committee and cannot be over-ridden by any company officer. If necessary, Internal Audit should report directly to the board.

3. The Audit Committee must approve the independence, budget, work-plan and succession of the head of Internal Audit. The board should direct the CEO and CFO to commit resources for further design and test of internal controls whenever necessary.

4. As a director, you are entitled to any piece of information and access to any personnel in fulfilling your duties under any circumstance. If any manager blocks you from doing your job, this is a red flag. Go on unscripted company tours unaccompanied by management to test for tone and culture whenever you can.

5. Direct management to conduct a survey on company culture, assisted by an independent firm, with results reported directly to the board. Act on the results. You may have a toxic workplace with undue influence, internal control override and bullying and not even know it.

6. The independent whistle-blowing hotline must have a protected mechanism for people to come forward. When fraud happens, fellow employees know and are your best source of defense. If employees do not have confidence they can come forward and have a proper investigation conducted, they won’t and fraud will fester. Whistleblowers can go to regulators directly (in the US) now and participate in a monetary reward. If they don’t have confidence in the hotline, they will quit, acquiesce or go directly to the regulator.

7. Direct independent advisors (consultants, and now auditors) to conduct a risk assessment of all management compensation packages to ensure compensation is not driving potential fraud, such as bonuses awarded on profit.

8. If any company officer is not 100% transparent with you, this is a red flag. You should meet in executive session without management in the room to discuss your concern, which is likely shared by other directors. If the CEO or CFO lack integrity, the tone at the top is broken and you have a serious problem. You do not need a reason to fire your CEO.

9. Your responsibility as a director is to direct if and when necessary. Legislation gives you this power but protocols enable it. If management has undue influence and keeps you at bay, your protocols are likely deficient. Boards, committees, chairs and directors all need terms of reference now. Don’t let management draft these important documents as they have an interest in not giving you the power you are entitled to by law. Draft your own protocols or have someone independent do it if you have a concern or want best practices.

10. Above all, be vigilant and assertive if or when necessary. No amount of compensation can ever make you whole for the reputational damage inflicted and protracted litigation that could follow allegations of fraud or other misfeasance for a company of which you are or were a director. The number one regret directors have is not speaking or acting when they could have or should have. Don’t let this happen to you and follow the above steps.