Executive compensation is broken: Three ways to fix it

President Obama said to a reporter recently, “We have corporate governance that allows CEOs to pay themselves ungodly sums.”

Why should this be the case, and how might this problem be addressed?

Following say on pay protests in Canada at CIBC, Barrick Gold and Yamana Gold, and others at BP, HSBC and JP Morgan, the Securities and Exchange Commission (SEC) recently proposed rules linking pay to performance, six years after Congress passed the law directing it to do so in the first place.

Will the new rules work? Regulators have a poor track record of getting executive pay right. Indeed, some say Congress has been the single greatest driver of increasing CEO pay.

According to a survey by Mercer, a majority of UK board members believe the executive pay model is broken. Here are three ways to fix it.

First, look at who is negotiating the pay. A CEO pay contract is negotiated between a subset of company directors – the compensation committee – and the CEO. I remember a CEO telling me once, “I will out-gun any compensation committee.” He is right. For any contract to work, there needs to be proper motivation and equality of bargaining power. Many directors on pay committees are former CEOs, have been on the board for over nine years, or tend to be men recruited on the basis of prior relationships. These types of directors are not effective in negotiating a CEO pay contract.

Directors confide to me how perks compromise them, including jobs for acquaintances, gifts, vacations, and so on. There is no free market for CEO pay if the people on the other side of the table are captured.

An effective bargaining party should be independent of management and selected directly by shareholders to represent investor interests. In other words, shareholders should be selecting the directors, not directors and certainly not management.

I advise large investors that they should press for this right to select directors. Industry Canada is considering corporate reforms, and should give shareholders the right to select and remove directors without artificial barriers. In the Canadian companies above, not a single director on the compensation committees was forced to resign, including the compensation committee chair on the Quebecor board who failed to garner majority support.

Second, CEO pay has been driven upwards by a process known as “peer benchmarking.” Invented by pay consultants, one CEO’s pay is compared to pay of other CEOs, often at larger, complex companies (“peers”). Compensation committees, who purchase this comparative data, want to pay their own CEO, not at a 50th percentile (meaning that half of CEOs are better than their CEO), but at the 75th or 90th percentile. This inflationary effect, as you can imagine, has resulted in structural increases to CEO pay. Research confirms this. The process is made worse by rivalry, because CEOs see what other CEOs are earning, and think they deserve more. This knowledge and mindset increases the leverage of the CEO during pay negotiations.

One public sector organization I recently advised, which is about to disclose pay for its employees, is disclosing only position titles and their pay, not the identity of the employees. This form of pay disclosure promotes good governance and accountability while also addressing peer rivalry, privacy and safety concerns. More regulators should exercise care over the inflationary results of disclosing pay. Compensation committees should focus less on inter-company comparison, and more on the performance and value creation within their own company.

This brings me to the final pay reform, which is linking pay to sustained value creation within the company over the longer term. Performance metrics are what drive management. Most performance metrics for executive pay are short-term, financial, and based on total shareholder return (TSR). Even the new SEC rules rely on TSR. Research shows, however, that much of TSR is not under the control of management, but rather reflects exogenous market forces. In other words, executives benefit from factors beyond their control, such as a bull market.

Most of the business model and market value of companies is composed of broader, leading indicators that are non-financial in nature. By focusing just on financial results, boards lack the ability to track leading indicators, which could be customers, reputation, employees, innovation, R & D, ethics, risk management, safety, and so on, that measure risk and broader performance. Many boards desire these metrics but they are under-developed by management, which reflects board complacency.

90% of pay is short term, meaning a horizon of fewer than three years. This short-term focus causes executives to swing for the fences for short-term gains, taking risks, because their pay incents them to do so, rather than being aligned with the product cycle of the company, which is in the range of five to seven years.

International Monetary Fund chief Christine Lagarde has called for banks to change the culture of short-term risk taking. There is also director leadership responding to short-termism: next month’s Institute of Corporate Directors conference is titled “Short-Termism: A Problem or Not.”

The problem is that the interests opposing the above reforms – shareholders selecting compensation committee members; relying less on peer benchmarking; and relying more on broader long-term performance metrics – are so entrenched in the status quo and vested interests that these reforms are almost unachievable. CEO pay problems will continue. To truly solve this issue, more leadership is needed from investors and directors. Models and best practices are needed to devise roles for shareholders in selecting directors and long-term pay principles. Thoughtful regulation and more industry leadership and cooperation are needed.

25 Reasons for Risk Management Failure

I am speaking tomorrow to directors and officers about oversight of risk management by boards of directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.

Here are 25 reasons for risk management failure:

  1. Lack of enterprise risk management expertise on the board.
  2. Governance gaps over a material risk(s) within the board or across committees.
  3. Directors incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
  4. Internal oversight functions reporting to management instead of the board. A complacent board does not correct.
  5. Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
  6. Not upgrading information systems to track, monitor, integrate risks.
  7. Lack of oversight of the process by which management identifies, assesses and actions the risks.
  8. Lack of conversations, common vocabulary and prioritization of the risks.
  9. Lack of internal audit, or not listening to internal audit.
  10. Internal controls that are weak, even non-existent, or capable of management override.
  11. Not addressing interaction of risks, their speed, and exogenous shocks in modeling and scenario planning.
  12. Not considering impact on reputation, which can be greater than the primary impact considered.
  13. Immature controls over non-financial material risks, especially safety, operations, reputation, terrorism, bribery, technology.
  14. Risk appetite frameworks do not result in known thresholds, beyond which senior management and when necessary the board is notified.
  15. Lack of independent, coordinated assurance of internal controls provided directly to the board.
  16. Risk culture defective (toxicity, bullying, risk-taking behaviors) and not remedied.
  17. Whistle-blowing defective (not anonymous, no independent channel, no proper investigation).
  18. Risk not based on the strategy, business model and key performance indicators.
  19. Key performance indicators, and pay incentives and vesting of equity, not risk-adjusted.
  20. Board or committee cannot direct a third party review of risk governance, a specific risk, or a set of controls.
  21. Failure to anticipate and integrate risks. Pockets of acute, unknown catastrophic risk. (This item equals 13 + 6.)
  22. Enterprise risk management not really implemented but everyone thinks it is. False sense of reality.
  23. Tone at the top tolerates exceptions, complacency, and unequal treatment. Limited downside for excessive or imprudent risk taking. Encouragement, enabling or dependence upon high performing risk-takers.
  24. No sense of urgency to remedy the foregoing.
  25. The board does not know how bad it is.

The author thanks an anonymous senior risk executive for review of the foregoing items.

Twenty Anti-Fraud and Corruption Governance Red Flags

The following reflect my work in assisting regulators and enforcement authorities, and research on governance in companies that have been accused of fraud, bribery, corruption, and other malfeasance such as harassment, nepotism, expense reporting, and excessive compensation. I also draw on my interactions with, and guest lectures by, fraudsters who are currently in prison or who have served time in prison, and experts such as forensic accountants.

Here are the red flags, as I see them, in problematic companies and boardrooms that may contribute to fraud and other malfeasance going undetected or undeterred. Drawing on a speech I gave this month to a bribery and foreign corruption conference, and an earlier speech to corporate directors, the red flags are, in no particular order:

  1. Independent oversight functions (audit, compliance, risk) either non-existent or reporting to senior or operating management.
  2. A board lacking in risk, international and relevant industry expertise, and an audit committee with little know-how about how fraud is or may be committed.
  3. A whistle-blowing procedure that is neither anonymous nor protected.
  4. A board that does not believe it sets tone at the top. A tone that is not equal and consequential.
  5. A focus on rule and legal correctness, not spirit and intent. Failure to account for exogenous shock, stress, and a different frame of analysis. Directors not speaking up.
  6. Complex design being approved by directors. Directors approving when management does not fully tell them the counter-argument, and directors do not ask (know), or press.
  7. Captured, conflict-seeking, self-dealing, over-compensated, over-tenured directors and gatekeepers who are not objectively independent.
  8. Immature risk management, non-investment in information technology, and defective or non-existent controls, particularly non-financial, reputational and behavioural.
  9. Defective, non-existent, or dominated internal audit function.
  10. Lack of culture and reputation control assurance to the Board. No understanding of tone in the middle, or toxic or bullying work culture.
  11. Non-audited compensation, and improper incentives (quantitative, financial, short-term) that incent risk-taking behaviour. Unconstrained risk-takers and a complacent board.
  12. Clawbacks not at correct threshold of ethics or risk. Lack of risk-adjusted compensation.
  13. Charismatic, dominating, and/or stretched CEOs and CFOs, including distracting external activities, personal issues, living beyond their means, not taking vacations, and undue attention to accounting.
  14. Ethical code poorly designed, controlled, monitored, enforced, assured and reported to the board.
  15. Lack of documentation with explicit limitations and thresholds for material risks, cascading to emerging markets and key suppliers.
  16. Lack of executive sessions, with only independent directors, and with only internal oversight functions (audit, risk, compliance).
  17. Lack of due diligence and integrity controls at the hire or contract stage. Lack of integrity controls over senior management, and capacity for over-ride.
  18. Non-zero tolerance of facilitating payments. Mixed message sent by the board.
  19. Lack of independent, expert validation (board, risk, controls) reporting directly to the board.
  20. Weak or corrupt host country auditors not vetted or overseen by the audit committee, and lack of availability and translation of documents.

Do you recognize any of the above red flags on a board or in a company on which you serve? Allegations of wrongdoing can put assets and reputation at risk. Regulators have enormous power, and are focusing their sights much more on the role a board plays, or does not play, in overseeing the affairs of the company.

Technology-Ignorant Boards Are Costing Shareholders Billions: What Should Boards Do Differently?

Five years ago, social media was perceived by many to be a passing fad. Then came the introduction of tablets and mobile devices. Now, cyber security has emerged as one of the greatest threats facing Anglo-American corporations. It is front and centre in the minds of directors, or should be.

In the area of technology, are boards fulfilling their duty of care in overseeing management and protecting shareholders’ investment? Indicators are that many boards and directors may not be. Plaintiffs’ lawyers are suing companies and their boards over technology failure. Here are some recent statistics and trends:

  • “Our entire lives are on the internet,” according to FBI Director James Comey, adding “The internet is the most dangerous parking lot imaginable”;
  • “Social media is the number one activity on the web,” according to Belle Beth Cooper in a Huffington Post article;
  • The average user picks up their device 1,500 times a week, and reaches for it at 7:31am each morning, according to MailOnline;
  • The average smartphone owner uses his or her smartphone for three hours, sixteen minutes, each day;
  • Cybercrime constitutes the “greatest transfer of wealth in history,” according to the National Security Agency’s General Keith Alexander;
  • Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies;
  • Only 13% of companies have BYOD (bring your own device) policies, according to a 2014 report by Ernst and Young;
  • Fewer than 50% of companies use encryption techniques for devices;
  • 38% of companies do not address cloud risks;
  • “Only 56% of companies conduct penetration tests, and 19% fail to test at all,” according to an Ernst and Young report;
  • Less than one-third of boards are addressing risk management in relation to IT operations or computer and information security, according to a 2012 report from Carnegie Mellon; and
  • “Most policies currently in place … are too weak to reasonably ensure that systems are not breached,” according to a 2014 NACD (National Association of Corporate Directors) report.

What should boards of directors be doing to exercise their duty of care over technology risk, including social media, BYOD, and cyber security?

  1. “You have to own this problem as a leader,” in the words of Admiral Michael Rogers, Director of the National Security Agency. You do not need to be an expert in technology as a director, but you now need to be literate and informed. If you are not, then get educated. Request a glossary of acronyms from management as a start. There are several leading standards and frameworks from which to learn, including the National Institute of Standards and Technology; ISO/IEC 27032 Guidelines for Cybersecurity; the SANS Institute Critical Security Controls; and the IoD and NACD in London and Washington. If your board lacks information technology expertise, consider putting this on your competency matrix for director recruitment. If you are in a key industry such as financial services, retail, utilities, defense or health care, technology should be represented at the boardroom table. If much of your company’s business model resides on the Internet, consider having a separate technology and strategy committee.
  2. Examine your committee structure. If your audit committee oversees the substance of all risk oversight, you may be at risk if committee members lack recent and relevant information technology and risk expertise, or are overworked. All material business risks, financial and non-financial, should be covered off and mapped to one or more board committees, and these risks should be made explicit within committee charters and board guidelines, including technology, reputation, operations, and health and security risk. The audit committee is not necessarily qualified to oversee non-financial risks, including terrorism.
  3. See technology risk as a broader enterprise risk, and as a strategic and business imperative, not a narrow technology issue. Regulators should be requiring your board to approve the risk appetite framework, which includes explicit internal controls, assurance, reporting, and limitations. Ask to see management’s real-time, prospective internal controls over technology risk, in writing. This is where many companies are weak, and if yours is, you should see this gap and ensure it is remedied as a director. This is not micromanagement, but good oversight.
  4. Understand and demand information on the internal controls over social media, BYOD and cyber crime. This will facilitate a learning curve to question management, including over training, education, acceptable use, mobile device management, risk and control assessment, situational awareness, threat and vulnerability risk management, and cyber security incident management and governance. Does management show you internal control results over each material risk, including their interactions, and how each risk is identified, controlled and assured? Are you satisfied? Do you have a good dashboard? Does risk culture support cyber security? (Human error and carelessness are big risks.) A recent NACD survey showed a quarter to a third of directors were unsatisfied with the quality and quantity of IT information.
  5. Obtain third party assurance if you have any doubt about how technology risk is being mitigated, or of the strength of the technology and assurance bench. Are you satisfied with the IT, risk management, and internal audit bench strength? These are your eyes and ears. You may need to direct changes and resources. Do you have the power, within your board and committee charters, to request an independent audit of technology risk? Do you exercise this responsibility? If you are blocked by management, this is a red flag. Do you meet separately with risk, compliance and audit to assure cyber security risk?
  6. Information technology risk, compliance and auditing should functionally report to you as a board or committee, not senior or operating management. Senior management should no longer own the risk function. The chief risk officer, the chief compliance officer, and the chief audit executive, should now be independent and report functionally to the board and its committees, not senior management such as the CEO or CFO. This means that the work-plan, independence, resources, reporting, compensation and succession of these three functions (risk, compliance and audit) are now recommended by committees and decided by directors, not management. Do you practice the foregoing? If not, you could be the last to know for a major technology breach and the resulting reputational and financial loss. Experts will scrutinize how you directed reporting and assurance.
  7. Management may be averse to spending what is needed, and to the imposition of internal controls over technology, including those that are reputation- or behaviour-based. This is why risk oversight rests with the board. Your job is to understand, identify, and oversee, not to manage. The budget, talent, resources, reporting, assurance and disclosure of enterprise risk mitigation, including technology, should rest with you. Information, documentation and informed, best-practice, precise questions are your management influence and oversight touch-points.
  8. Become engaged. If you have one or more laggard directors who resist technology or keeping current, these intransigent directors are compromising the governance of the company and should be addressed or replaced, especially if they are on or chair key committees. Good boardrooms are now paperless, and good directors use devices and social media with acumen.
  9. Have technology stress testing. Do you direct management to implement and report on scenario testing and mock exercises over social media attacks and cyber breaches? When it happens, it is too late.
  10. Most of all, protect your company’s crown jewels. Think like a hacker. Protect the perimeter, but once inside, are your company’s valuable assets still protected? How? Agree on a platform and framework and direct management to have an action plan and target date for full implementation.

’Tis the Season to Prevent Cyber-Hacking

What are best practices individuals can employ to lessen the chance of hacking of their computer or device?

Here is a quick “top 20 list,” based on part of an education session I have been providing to directors of company boards on cyber security.

  1. Never click on unknown or non-credible emails, attachments or downloads.
  2. Never click “save password.”
  3. Never use the same password across multiple devices or accounts.
  4. Use smart, strong passwords, and regularly update and change your passwords.
  5. Have a second credit card that you use online, with a low limit.
  6. Use two-step authentication whenever possible.
  7. Install firewalls on all your computers and devices.
  8. Always update your software.
  9. Always logout at the end of your work-time.
  10. Always install anti-virus, anti-spam and anti-spyware or adware programs.
  11. Use only your own computers and devices.
  12. Never leave your device or desktop computer unattended or accessible.
  13. Have a professional validate all of the above and never give your password out.
  14. Cover any cameras that are not in use.
  15. Browse anonymously whenever possible.
  16. Use secure, encrypted connections: https where “s” means “secure.”
  17. Resist unencrypted, public wifi hotspots.
  18. Back up your data in real time, keeping a second copy as a fall-back.
  19. Be careful what you store or send (crown jewels).
  20. Always use a document shredder.

“Our entire lives are on the internet,” according to FBI Director, James Comey, adding “The internet is the most dangerous parking lot imaginable.”

Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies.

The more aware individuals are of the steps that can be taken proactively, the lower the chance that their property or data will be breached.