Trends and Key Issues in Governance for 2023

1. Attention turns to non-profit governance.

Hockey Canada’s governance was inferior (see independent report, here ^[1], and Dr. Leblanc’s media commentary, here ^[2] and here ^[3]) but not anomalous. Non-profits (sporting, educational and health care institutions, charities and associations) are often inferior when it comes to CEO succession; culture and conduct oversight; financial, governance and executive pay transparency; cyber-security; in camera sessions; gifts and other forms of self-dealing; term limits; size limits; insiders on committees; director competencies; auditor independence; financial literacy; risk governance; and not retaining independent advice. When a few or more of these shoddy governance practices occur, the board works for management and is a dormant risk.

The excuses for poor NFP governance are many-fold, but mainly is because there are no mandatory governance requirements for the not-for-profit sector. This gives management opportunity manage the board and the drift is too much of an uphill battle to counteract. Look for fresh regulation for the entire non-profit sector in 2023 or 2024, analogous to NP 58-201 (for-profit listed companies). There are significant public expenditures on non-profits, and poor governance wastes funding through self-dealing, mismanagement and impairment of stakeholder confidence.

2. The emperor wears no clothes.

The for-profit sector is not immune from governance infirmity either. Institutional investors such as Ontario Teachers lost $120M million dollars of teachers’ retirement money on FTX. Another firm invested $150M in a bankrupt crypto investment. Dr Leblanc called for greater regulation of crypto governance and institutional investors to protect investors and retirees (see media interview, here ^[4]). There still is a tendency to be enamored by misunderstood tech and young inexperienced individuals and fraudsters. Elizabeth Holmes was sentenced to eleven years in prison in 2022, and the ceremonial hand-picked board never ensured validated of the Edison machine. FTX had no independent board and a shocking lack of internal controls (see the independent report here). Boards are present to protect investors and other stakeholders and to ensure proper books, records and controls. Boards need to say “no” if or when they do not understand or cannot assure proper governance. Like Warren Buffet said about technology, here ^[5]: Do not invest if you do not understand the predictability of the economics of the business.

3. Regulators set their sights on director competency.

Regulators are focusing on cyber-security and climate expertise and financial literacy. Management should not adjust these competencies, or unduly influence the director competency matrix. If a board has any director on the audit committee who is not financially literate, this is a risk. “Expertise” normally requires 10,000 hours. It is implausible for a director to become an expert whilst on the board. This means that regulatory expertise requirements must involve director renewal and replacement. For the matrix to work, there should be independent validation of director competencies, and the competencies and attributes should be tied to a register, onboarding, and professional development. Many matrixes are manipulations to ensure that the desired director is selected or that under-performers are insulated. The universal proxy cards in late 2023 will give investors greater ability to replace directors who lack the independence and relevant competencies and attributes.

4. Boards get serious about ethics, culture and reputation.

Fraud and misconduct have increased during the pandemic. Many boards have long argued when ethical misconduct surfaces, “we missed it,” “it was a rogue employee,” or “soft” controls are difficult to implement. The reality is that there are a host of best practices and hard controls that regulators advise and good boards employ to ensure board oversight over ethics, culture and reputation, including: communicated, remedied, anti-retaliatory, anonymous whistle-blowing or safe report procedures; independent investigations; special committee of the board for CEO conduct investigation, other material reputation matters; anti-grooming policy; monitored no gift code, DEI policy, claw-back trigger, just cause, malus clause and sign off procedure; culture, wellness, spot and mystery shopper audits and reporting; exit interview data; integrity and reference checks; mandatory training and education on fair treatment, anti-discrimination and harassment, and unconscious bias; risk, ethics and behavioural gateways embedded in incentive pay for risk-takers and senior management; resume, education and employment verification; criminal record, judicial matter, sanction, offshore leak and vulnerable sector checks; and email and text analytics.

5. Boards approve playbooks over crises.

Here are crises boards experienced in 2022: encryption and exfiltration, and demand by threat actors for bitcoin payment; assassination of directors by an active shooter; CEO misconduct (all forms); leaks of workplace toxicity to the media; workplace fatalities; adverse brand effects of key employee termination; material loss of services or products; regulatory investigations; and weather-related disasters.

Significant unplanned events are not the realm of only day-to-day management. Crisis is part of risk governance, and internal controls exist prior to a crisis. If the controls are defective, this is the board’s fault for want of oversight. The crisis will be worse. Boards have an active role prior to the crisis, to approve crisis planning; and during the crisis, to oversee management’s response.

Boards in 2022 and 23 are reviewing and approving crisis protocols. This includes media training and the board’s prerogative to establish a special committee if the crisis is material and requires longer-term oversight and root cause remedy, e.g., independent investigation. See here ^[6], where Dr Leblanc talks about such a playbook in light of the Rogers outage and Suncor fatalities. Dr. Leblanc will be giving a keynote address on risk and crisis governance on January 24^th and a module for CEOs and Chairs on media relations on February 2^nd (slides can be provided upon request).

6. Post-COVID focus is on non-financial.

Investors and regulators continue their emphasis on non-financial strategic value drivers. This is because most of the value of a company is non-financial. And COVID-19 has shown that non-financial can kill. In Canada, codifying the Supreme Court, federal regulation changed as the pandemic began to enable boards to consider the impacts of decisions on the long-term, on the environment, and to consider stakeholder interests, including those of shareholders, employees, creditors and consumers, with no primacy towards any stakeholder. Institutional investors want transparency over the full value chain, and this means activists may and are attacking any portion of this chain. When a board approves the strategic plan without all value drivers and key performance indicators to measure their achievement, they are exposed themselves to regulatory, plaintiff, or investor scrutiny. Good boards are focusing now on the complete value chain, including stakeholders and non-financial drivers of value.

7. Changing risks require boards to act.

Boards have been operating under stable risk conditions in the aughts and teens. As risks change rapidly, boards need to keep up and insist that the controls, limitations and assurance are present and remedied. There is still immaturity and complacency by many boards in not exercising their duty of care and insisting on curing of defective controls of new, material non-financial or emerging risks. Risks include crisis, culture, interest rates, inflation, geo-political impact on the business model, safety, resiliency, redundancy, retention and ransomware. Risk-adjusted compensation, including risk-taker pay and claw-backs, are also immature, with boards not reacting to changing conditions in real time. Boards are also complacent and slow in receiving independent assurance and instructing investment in technology to monitor changing risks more continuously.

A board speaks with one voice, so all directors should keep up with science, facts and accurate information from validated sources as part of duty of care.

8. Chair and director recruitment professionalizes.

Boards in 2022 began, slowly, not tolerating top heavy entrenchment or inferior director recruitment. There has been an uptick in explicit policies on recruitment and appointment criteria; disclosing and managing conflicts of interest and pre-existing relationships; containing management funneling; full and diverse talent pool outreach; resumes to match desired competencies; attributes and proper interviews; background checks; even-handed, transparent and inclusive application; chair and director term limits; robust mandatory onboarding; off-boarding under-performing directors; and linking re-appointment to peer review. These practices will continue for effective boards.

9. Agile governance is becoming the norm.

Boards are not going back to exclusively in person board or annual meetings. Hybrid and virtual meetings offer flexibility and convenience. Investment in technology in boardrooms occurred in 2022 to enable this. Blended meetings are also shorter, more flexible, and enable less warm up time. Other agile trends include (i) strategic, shorter, responsive, deliberative and forward-looking agendas; (ii) tighter pre-reads, with greater narratives, layering and consents/appendices; (iii) emphasis on prework and preparation, with presentation time limited and discussion time enhanced; (iv) on-camera and virtual technology standardization in boardrooms and remotely; (v) removing some non-financial risks from the audit committee; (vi) more board-management inception partnering on strategy; (vii) director recruitment less anchored to geography; (viii) flexibility, emphasis on availability, and “micro” or issue meetings; and (ix) chair-director check-in calls.

10. The best cyber defense is a cyber offence.

There is an aggressiveness here that is beginning to emerge, so a company is less of a target. This includes robust ransomware policies; zero trust deployment; user, network, third party and WFH controls; penetration, back-up and restoration testing; ethical in-house hackers; prompt and effective control curing; a playbook for when the attack happens; advance discussion of payment; encryption and exfiltration tech first-responders and negotiators on the ready; most important, robust continuous testing using NIST, OSFI and Five Eyes; cyber-security expertise on the board; and a full IOF (independent oversight function) bench to provide assurance to the relevant board committee overseeing ransomware; and impenetrability assurance reporting to the full board. As digitization occurs, including companies using AI, AVR, blockchain, cloud/edge, drones, IoT/Metaverse and RPA, the risks and controls are in parity, or the technology cannot be deployed.