Welcome to BoardExpert


The Problem with Independent Directors

“The Board Chair is owned by the CEO,” directors told me after I was called in by the regulator to assess the board. The Chair owned a condo next to the CEO and was a close personal friend. I have not assessed a board when there was not at least one director, and oftentimes, after governance failure, several directors who are viewed as non-independent by their fellow directors, even though these directors are independent by regulatory standards.

Academics have never been able to show that independent directors strengthen company performance, for one major reason: true independence is not measured from the outside, and it can readily be undermined by clever, self-serving management, and by directors themselves who allow it to happen. Bright-line independence tests or rules can be outsmarted, and many fail to capture the underlying conflicts of interest.

In my research involving shareholder activists, activists tell me how they investigate director backgrounds to show the compromising of independence. Activists’ inherent presumption is that each director is non-independent to begin with. They are put in place by management or other directors, not shareholders.

Here are the ways directorial independence is compromised, before or after a director begins to serve:

  • a close social or personal relationship with another director or member of management;
  • serving on another board, or in another business relationship, with a director;
  • excessive tenure on the board;
  • excessive director pay or expenses;
  • an office at the company for the director;
  • the use of secretarial staff;
  • gifts such as cigars;
  • vacations with other directors, a significant shareholder, or management;
  • jobs or contracts for acquaintances or referrals of the director;
  • lunches, dinners, entertainment or sporting events with a small group of directors and management (rather than collective board dinners);
  • informal collaboration on a decision by a board or committee chair with management in advance of the meeting;
  • boards or committees not hiring independent advisors but being beholden exclusively to management;
  • directors taking advantage of a corporate opportunity, resource or perquisite, with or without the full knowledge of other directors; or
  • having a bias towards a particular stakeholder (including a significant shareholder) in board deliberations.

There exists pressure on Canadian directors to allow their independence to become diluted, directors tell me, and to be collegial in this dilution. I have interviewed some of the top board chairs in Canada, and one of their major concerns was the “slippery slope” of directorial independence. I have found that directors can become less independent, but I have never found them to become more independent. Boards, in theory at least, should decide what degree, if any, of independence slippage (see all of the above real examples) they are willing to tolerate.

If one or more directors have their independence compromised, particularly a board or committee chair, then governance failure can and does occur. Conflict-seeking directors are toxic to a board and should be removed. Directors know which director(s) have lost their independence. By the time I arrive, I am confirming what they already know and failed to act upon. A trained outside expert can readily identify captured directors through board meetings, interviews and customized questions.

Why is There a Director Independence Disconnect?

If director independence is compromised and regulatory standards fail to detect this, then the regulators have failed. It should not be possible, if regulators are doing their job, to have a director who is not independent, inside the boardroom, and at the same time that director complies with independence guidelines outside the boardroom.

What is the Standard for Independence of Public Company Directors in Canada?

Directorial independence in Canada is presently a subjective standard (what directors believe) rather than an objective one (what it is reasonable to believe). This means that if directors collectively believe that a director does not have a “material” relationship that can reasonably be “expected” to “interfere” with that director’s independent judgment, that is the end of the analysis. The absence of an objective, reasonable-person or perceived point of view is anomalous: conflicts of interest elsewhere in the workplace are judged by what is reasonable, so why should boards be any different? What should matter is what is reasonable, not what a director or a board believes. The subjective view can be unreasonable.

How Can Director Independence Be Strengthened?

Director independence matters because it is the independent directors who hold management to account. It is important to get independence right, in theory but also in practice, if directors are to possess independence of mind coming onto the board and maintain it once they are on.

Here are some reforms I recommend and use to address director and board independence:

  • Regulatory reform should occur so independence of directors espoused by regulators equates with actual independence inside boardrooms. An objective, reasonable person standard should be used.
  • Boards should enact a robust conflict of interest policy, for directors, not drafted by management, and this policy should be disclosed to shareholders.
  • Independent advisors should facilitate an annual peer review of director independence, as is done in the United Kingdom. The review process should be disclosed and acted upon.
  • Codes of conduct should be drafted (not by management) to apply to a board of directors. Boards should not be using the company code because director independence issues are not captured.
  • Boards (and if not, regulators) should impose reasonable term limits on director tenure, beyond which the director is not regarded as independent, as is done in several countries.
  • Boards should require the confidential disclosure of directorial perceived conflicts (including assets and financial information relevant to the company’s business) to the audit committee, including that of family and affiliates of the director.
  • Audit committees should review perceived conflicts of interest by directors and make recommendations to the board, and should create, if and when required, a special committee of independent directors who are independent of the matter and of the director, with independent advisors retained by the audit or special committee.
  • An anonymous procedure for reporting on directors who do not disclose potential conflicts should exist, to the audit or special committee.
  • The governance committee should recommend independent board and committee chairs, and the board chair should be selected by confidential ballot without the CEO being present or unduly influential.
  • For significant shareholder boards, independent directors should be chosen by and from minority shareholders, so a portion of directors are independent of the significant shareholder, commensurate with the significant shareholder’s portion of common shares.
  • For widely held boards, shareholders should select a portion of directors so directors are independent of each other and management.
  • Boards should disclose the origination of each director, namely how that director came to be recommended for election by shareholders.
  • Boards (and if not, regulators) should diversify themselves so directors do not come from the same homogenous pool and are independent from one another.

Dr. Richard Leblanc, Editor of The Handbook of Board Governance (Wiley, 2016), can be reached at rleblanc@boardexpert.com.

CEO Coaching: Lessons from the Trenches

Alcohol problems, drug use, sexual misconduct, financial misconduct, defensiveness, denial, berating of other senior management and directors, litigation, loss of key employees, toxicity and bullying. There is not much I have not seen when I am called in to coach the CEO. And CEO misbehavior happens at the highest levels of corporate Canada. You may be surprised, but I am not.

Here are ten recent examples, disguised for confidentiality purposes: The CEO called a CFO a “moron” in front of the board and finance staff. Another CEO went silent, not talking to the Board Chair for a month. A CEO sat, arms folded, and did not say a word during an entire board meeting. A fourth CEO coaching regime occurred after a major failure, involving death and property destruction. A fifth CEO coaching was of a large manufacturing company, where the CEO’s effect on board colleagues was highly disruptive. In a seventh example, the CEO’s behavior was so disruptive that a major board rift occurred. An eighth example involved loss of key staff and an investigation into CEO conduct. A ninth example involved a CEO deliberately blocking board access to a potential successor and silencing of other senior management, from the board. A tenth example was a CEO of an iconic Canadian company shielding his compensation and expense arrangements from all directors, until I was called in by a regulator to investigate.

By the time I am called in, much of the damage has been done. But it doesn’t need to be this way.

The board’s most important job is hiring, paying and firing the CEO. Boards can get all of corporate governance wrong, but hire the right CEO, and be successful. Boards can hire the wrong CEO, and the company will fail even if the board has high governance scores.

The question that boards, prior to my coaching, often have for me is “Can the CEO change?” Two things are needed for change: awareness of the deficiency, and a willingness to change. I am optimistic, and usually have coaching success, but in a few instances the CEO would not or could not change and I recommended firing the CEO.

Here are lessons for CEO coaching for any board:

The CEO’s coach is always hired by, and accountable to, the Board Chair and the Governance Committee, not the CEO.

For CEO coaching to work, the coach should understand board dynamics and report directly to the Board Chair, not the CEO. The coach reports on coaching sessions, developmental plans, deliverables and progress, candidly and thoroughly, without the CEO present.

Prospective CEOs should be thoroughly vetted.

Normally, people’s personalities are stable, and the warning signs were visible long before the CEO was hired. A wrong CEO hire is always the board’s fault. Proper vetting now includes detailed resume checks, reference checks, professional background checks, social media and profile checks, personality testing against culture, exposure to all directors, and multiple interviews in different settings, using external assistance. Put rigor and independence behind the CEO hire, base it on the strategic plan, and conduct an external search if only to test the market. Boards then compound the error by not working closely with the new CEO after the hire, and by not onboarding them.

Collect your data and listen to employees.

CEO evaluation should always be 360 degrees, and should give the board an anonymous line of sight to the views of the CEO’s direct reports. Employee surveys should not be funneled through management but should be conducted anonymously and reported directly into the boardroom. There are even software programs now that collect employee metadata for boards so that bad news rises.

Link CEO behavior to pay incentives.

Frequently, I find the CEO has little incentive to change, as most of the pay metrics are financial and short-term in nature. In CEO coaching assignments, I normally restructure the CEO’s pay package to include non-financial metrics such as leadership, employee engagement, customer satisfaction, company culture, CEO succession planning and/or board relations, or a combination of the above. Indeed, leading intangible measures such as these now account for some 75% of the value of a company, so pay metrics should reflect this. People behave the way you pay them. Boards often make the mistake of incentivizing aggressive, even unethical, behavior. CEO pay should be tied explicitly and unambiguously to ethical conduct.

Have the tough conversation with the CEO early on.

In two recent board meetings, I had to ask both CEOs to leave the room. The conversation completely changes when this happens. A board talks about CEO performance openly. When the CEO is called back into the meeting, a message is delivered to the CEO by the Board Chair. The message is that the Board wants the CEO to succeed, and that behavioural and leadership issues need to be addressed. The CEO has to receive this message, the board needs to be aligned, and the executive session without management is the first step. Executive sessions should occur at each and every board and committee meeting. To this day, remarkably, there are still CEOs who do not leave board meetings. The last thing a dominant or misbehaving CEO wants to do (and many CEOs are Type As) is to leave the room.

Craft the CEO contract properly.

The person advising on the CEO contract should not be the company lawyer, nor the law firm that advises management. These people have a vested interest in not making the CEO contract hard-hitting. Firing a CEO “for cause” should be defined, and defined more broadly than fraud. Just as athletes and entertainers have morals clauses in their contracts, CEOs should as well. The reputational, morale, talent and financial damage from CEO misconduct, to the company and to directors, can be significant. Misconduct should be properly drafted to include ethical and professional conduct, with a defined process, agreed to by the Board and the CEO, for determining whether the CEO is ever offside.

Engage in CEO succession planning and be prepared to fire the CEO.

There is a direct relationship between CEO leverage over a board and the lack of CEO succession planning by that board. CEO behaviours can get worse when the Board has no immediate or near-ready CEO successor.

In one major company, I detected defensiveness by the CEO and disrespect of certain directors. I found out that the CEO refused coaching, and that the board was four years out from an internal candidate being CEO-ready. “This is your failure as a board,” I said. “The CEO is taking advantage of you because you have no options.”

Conclusion

Some of the country’s best CEOs have had personal coaching, and it has contributed directly to their success and their company’s. No one is perfect, and we all benefit from one-on-one feedback, peer assessment, mentoring, and motivating coaches and trainers. Boards should see CEO coaching as a wise investment, including over the longer term, so that old habits do not return.

Richard Leblanc is a governance consultant, lawyer, academic, speaker and advisor to leading boards of directors. His recent book is entitled The Handbook of Board Governance. Dr. Leblanc can be reached at rleblanc@boardexpert.com or followed on Twitter @drrleblanc.

Boards Should Not Misjudge Regulators

When a regulator advises corporate directors that progress on gender diversity is “simply not good enough,” that is code that the status quo will not continue, and that more regulation may result. And the second wave of regulation is often worse than the first.

Regulators have limited levers at their disposal. They are not going to come into boardrooms and assess performance. Thus, they tend to land on numbers: ranging from 9-10 years for director tenure and 25% – 50% quotas for women.

Once or if this happens, directors will complain that the regulator is imposing a ‘one size fits all’ or ‘check the box’ solution, when directors had the chance to act but chose not to. We have seen this pattern before. Paradoxically, directors may choose not to act, waiting for stronger regulation, to which they can then point and say, “now we have no choice.” Even the CEO of a major bank told regulators, “you should push us on gender targets.”

Canadian regulators have adopted a flexible and progressive ‘comply or explain’ approach to director term limits and gender diversity.

The progress recently reported is, in a word, inadequate: Only 19% of boards surveyed have term limits; only 14% disclose written diversity policies; and only 7% have targets for women on their board.

Our comply or explain regime has the disadvantage of permitting explanations that are irrelevant or spurious, such as targets for women not being adopted because candidates are selected based on merit, as if both goals are mutually exclusive. There is not an excuse for inadequate governance progress that I have not encountered.

But the real reason for the above low figures, which is not in the public domain, is self-interest. Why would any director, particularly an over-tenured male director, agree to a policy that moved him out of the boardroom? Directors speak in code publicly, but in private interviews, many open up. I had a 28-year director tear up when I recommended a 12-year term limit for his board, without grandfathering.

The academic evidence in favor of director term limits and diversity is becoming clearer: diverse groups make better decisions, and over-tenured directors are worse for innovation and shareholder value. Regulators in several countries are acting. Regulators want the most qualified independent directors sitting in boardroom seats. As they should.

In Canada, regulators have not imposed quotas or term limits, but these should not be ruled out if inadequate progress continues. Regulators have asked boards to articulate their own numbers, and why that number works for them.

This brings us to what directors and boards should be doing to forestall further regulation. Here are my recommendations:

  • Do not misjudge the regulator, or the importance of gender diversity for the new federal and the current provincial Liberal governments. Tone-deaf boards should listen.
  • Act on conflicts of interest. If a tenure or diversity policy affects one or more of your directors, excuse these directors from the room. They should not influence the decision.
  • Do not assume director consensus. There are directors who believe that other directors have outlived their usefulness and should be replaced.
  • Land on a target. If your board has zero women, start with one woman as your target. Targets should be aspirational and dynamic.
  • If you think 9 years is too low for director tenure, choose 12 years. 15 years is on the high end, and companies are landing on 12, particularly large, complex companies. But pick a target.
  • If you do not pick a target for director tenure, then you had best have a rigorous and consequential peer director assessment regime, whose output is actual director resignations. The evidence is that many boards do not have or do this.
  • Do not assume that your board can draft an inadequate tenure or diversity policy, and that this will go unnoticed. The regulator is offering guidance and examples of robust policies.
  • Own the policy. Draft the policy yourself, or have an independent advisor assist you. Management or company advisors are not independent. They work for you and have a vested interest in keeping you satisfied.
  • Watch for past practices that might bias against women, including assertions that your talent pool is shallow. If your talent pool consists of directors whom you know, rather than the best directors available, then you had best enlarge your talent pool.
  • Regulators are giving you an opportunity to craft policies that work for you. Do so. No director is irreplaceable, and directorships are not lifetime appointments. But if you believe a particular director’s tenure is advantageous, use average director tenure or have exceptions built into a policy to give you degrees of freedom.

The regulatory evidence, above, is that boards may be incapable of changing from within. As such, regulators will act when boards do not.

How should a board oversee ethics?

I recently moderated a keynote address by Andrew Fastow, the former CFO of Enron, and followed up by delivering a keynote on the role of the board in ethics, tying in aspects of Mr. Fastow’s speech. What follows is based on my speech; incorporates not only my interactions with Mr. Fastow, but also Messrs. Conrad Black and Arthur Porter; and draws on my work with boards that have succeeded and failed in their ethics oversight.

Here are ten ways a board can oversee ethics:

  1. Ask the right questions.

Good questions for boards, when faced with an ethically problematic action, are: (i) How will this action impact our reputation? (ii) How will this action impact us over the long-term? (iii) What are the aggregate effects of this action? (iv) What will the view of this action be by objective parties, especially if current circumstances change? (v) Even if this action is technically correct or permitted, does it meet the principle or spirit of applicable guidelines and rules? and (vi) Are we doing the right thing?

Management should have detailed answers to these questions. And they should then leave the room so that only independent directors remain to discuss.

  2. Have a line of sight over ethics, integrity, reputation and culture.

Many behavioural and integrity controls fail in their design and implementation, because they do not go far enough or because they are subject to management override. These controls should be independently audited. Good companies are measuring and assuring reputation, integrity and risk culture for boards. It is important that this assurance reach the board un-funneled by reporting management. Good Audit and Quality Committees are reaching deep into organizations to view culture, quality and “tone in the middle.” Toxic culture or wrongdoing can bring enormous and rapid harm to brand and reputation. Bad news needs to rise, without delay, and good boards do not want surprises. The days of boards overseeing just the CEO and other senior management are gone. Management needs to accept more activist boards. This does not mean boards are running companies, but they are overseeing conduct.

  3. Use executive sessions, questions and information as your leverage touch-points.

Have the authority in your board and committee charters to obtain any information, to interview any personnel, and to obtain any outside assistance that you need in order to fulfill your duties. If management blocks access, you now work for them. Obtain disconfirming information from the outside as well. Meet directly with auditors, consultants, the risk function and the compliance function, including without any manager in the room. Meet also with major long-term shareholders without any manager present. Only then will you hear what others hear. Otherwise, boards can live in an echo chamber. You do not want to be the last to know.

  4. Make sure your lawyer is independent.

The person drafting the above charters, including your clawback clause (see 6. below), should not be the general counsel, the external counsel who works for management, or their colleagues at the same law firm. None of these parties is independent. Just as auditors and compensation consultants must be independent, so should the board’s counsel. Independent assurance on related party transactions, conflicts of interest, the code of conduct, investigations, integrity risks and whistle-blowing cannot come from management or their advisors. Only independent advisors will be free to recommend action that corrects and directs (and, when necessary, terminates) reporting management.

  5. Address whistle-blowing defects.

Once the Ontario Securities Commission enacts a whistle-blowing reward regime, as the Securities and Exchange Commission has done in the U.S., there will be a changeover from the defective regimes currently in place. If the point of contact for a whistle-blowing program is any manager, the program is defective. The point of contact must be an independent person or party who reports directly to the Audit Committee. Only then will anonymity be preserved and the channel be used fully. Bad news needs to rise, and investigations need to occur when warranted, and neither happens if it is management investigating management.

  6. Pay for conduct and performance.

Pay drives behavior, including ethics. Many pay committees under-utilize their executive pay toolbox and control over management.

Because pay practices can incent risk-taking and unethical conduct, good regulators and pay committees require ethical conduct to be tied to executive pay. If risk management or the Code of Conduct is breached, executive pay should not vest, and should be clawed back if it has already vested. Conduct and risks should be evaluated every pay period before the pay committee allows equity to vest or a bonus to be received. Ethics and morals clauses should be in every executive and employee contract. And directors need to lead by example, with ethics clauses drafted into their terms of service. A good board insists on resignation in advance if an ethics clause is breached.

  7. Oversee the oversight functions.

Your eyes and ears in the company are internal audit, risk and compliance. These functions must now have reporting channels right into the boardroom and committees. Does your board directly oversee these functions? Does your company have these functions? I have recommended to numerous boards the hiring of these functions and doing so can greatly improve toxic culture, flawed risk management, and unethical conduct. Just as in the early 2000s when the audit committee began to hire, fire and pay the external auditor, now the audit and other committees and the board hire, fire and pay risk, compliance and internal audit.

  8. Speak up and recruit a board challenger.

When directors and chairs are chosen on the basis of preexisting relationships, which many or most are, this means directors are beholden to each other, or worse yet, to management. These directors will not speak up or ask tough questions, as they are owned by their extra-boardroom relationships. The board becomes accountable to management rather than the other way around. Boards where fraud has occurred often met governance guidelines, including Enron. Andy Fastow said that the Enron board not only approved but encouraged his actions (in the words of one director): “Fastow you are a —- genius!” Recruit directors who have no pre-existing relationship to any other director or manager. This includes female directors.

  9. Recruit independent, competent directors with courage.

Independence of mind is not formal independence. Smart managers can capture directors through relationships, perks and incentives. There are directors on boards who are well out of their depth. They are there because of relationships, profile and glow, but know little about the actual business and cannot or will not challenge because they are captured. Seeing them ask perfunctory questions is akin to a fork trying to hold water. Only when a director is truly independent and competent can that director challenge. Often directors are docile because they simply do not know what to do.

  10. Set tone at the top.

Lastly, and most importantly, set the ethical tone. The actions and behaviour you observe as a director are the tone that you have just accepted. Good tone at the top is unambiguous, applies to everybody, and is consequential. And it is exercised. It is the board, not just management, that sets tone. I recall the story of the audit committee chair who saw the CFO go through customs at an airport and not declare a bottle of wine. The next morning, the CFO was fired.

Management is fond of explaining unethical conduct away by saying it was a “rogue” employee. Boards are fond of explaining unethical conduct by saying “we missed it.” If boards and management teams are truly honest, they know they should not have missed it and that it was not a rogue employee. It was an employee operating within the culture that was accepted.

In all of my interviews of directors over the years, including during ethical failure, when I ask about directors’ greatest regret, the answer is consistently, “I should have spoken up when I had the chance.” Speaking up is incredibly important when it comes to tone at the top. If you are uncomfortable, “speak up” is the best advice I could give a director. Chances are, several of your colleagues are thinking the exact same thing.

Why integrity is good for business, and the role that boards play

“We didn’t know.” “We missed it.” “It was a rogue employee.” There is not an excuse I have not heard for ethical failure. But when I investigate a company after allegations of fraud, corruption or workplace wrongdoing, almost always there is a complacent, captured or entrenched board that did not take corrective action. In a few cases, boards actually encouraged the wrongdoing.

The first myth is that the board is a “good” board. There is no relationship between the “glow” or profile of directors and whether the board is “good.” Oftentimes there is an inverse relationship, as trophy or legacy directors typically lack the industry and risk expertise to recognize fraud or to understand what proper compliance looks like, are not really independent, are coasting and not prepared to put in the work, or may themselves lack integrity.

How important is integrity? Extremely. Three factors make for a good director or manager: competence, commitment and integrity, with integrity ranking first. Otherwise, you have the first two working against you.

Integrity needs to be defined, recruited for, and enforced. “Does your colleague possess integrity?” “Yes” is the answer to this perfunctory question. Full marks. But when I define integrity to include avoiding conflicts of interest, consistency between what is said and done, ethical conduct, and trustworthiness, and guarantee anonymity, I get a spread of performance scores. Those who do not possess integrity in the eyes of their colleagues are poison and should be extracted from any board or senior management team. They never should have been elected or hired in the first place, which is a recruitment failure.

Fraud, toxic workplaces, bullying, harassment and pressure do not occur in a vacuum. Many people in the company know. The issue will not go away, will only get worse, and is a latent legal, financial and reputation risk.

For bad news to rise, boards need to ensure that protected channels exist and are used – including for a director or executive to speak up in confidence, and for an independent consequential investigation to occur.

Ethical reporting also needs to assure anonymity to the fullest possible extent to receive reliable information. If a whistle-blowing program has any manager as the point of contact, it is not effective. Whistle blowing, culture surveys, and ethics audits should be conducted independently and reported directly to the board without management interference.

Frequently, I find that failures of ethical design and implementation are the culprits: codes of conduct, conflict of interest policies, whistle-blowing procedures, culture and workplace audits, and education and communication are perfunctory at best and overridden by management at worst, are not taken seriously by employees or key suppliers, and receive minimal assurance and oversight from the board.

Complacent boards and executives are the last to know and deny any wrongdoing, having created the conditions for fraud to flourish. Shockingly, lacking any pride, in full denial, and further reinforcing their entitled self-serving mindset, they refuse to resign.

After ethical failure happens, executives argue that it is a lone rogue employee or an isolated incident. Nothing could be further from the truth. It is an employee who reflects the true and actual culture, internal control environment, and practices of the organization, and who is attracted to and flourishes within them. There is no such thing as a rogue employee. It is a board that approved the conditions that management proposed within which employees operate. The board’s leverage of approval, documentation and questions went unused and unasserted. They are the very people who should not be overseeing subsequent reforms, as they are assessing their own shoddy work.

This lax control environment, where self-interest is pursued and where pressure is applied, is the heart of ethical failure.

There is a shocking lack of internal controls over employee and agent behavior that I have found in corrupt jurisdictions in which Western firms do business. This means not only that the potential for fraud is rampant, but also that the costs of compliance are borne by companies that do not bribe and have proper controls. They are penalized for doing things right.

Furthermore, there are corrupt jurisdictions whose companies and government officials offer and receive bribes and advantage themselves over Western counterparts, including in Russia, China, India and MENA. The most recent example is bribery allegations at FIFA. This unequal playing field puts Western companies – in the US, UK, Canada and elsewhere – at a disadvantage, when competing for business, opportunities and contracts.

This is why Western governments are seeking to put their countries and companies in the most competitive position possible. They are enforcing anti-corruption laws using long arms of justice to prosecute bribery. They are also debarring companies that commit ethical breaches from government contracts. This debarment is a powerful motivator to spur investment to internalize the costs of internal controls over integrity.

Western industry will mistakenly argue that integrity laws will disadvantage them or cost their industry jobs, but the reality is the opposite. Tough integrity laws will prevent substandard competitors from offering bribes, will disincent recipients from receiving bribes, and will strengthen Western companies who compete on the basis of price, quality and service.

Richard Leblanc is a governance consultant, lawyer, academic, speaker and advisor to leading boards of directors. He can be reached at rleblanc@boardexpert.com or followed on Twitter @drrleblanc.

Executive compensation is broken: Three ways to fix it

President Obama said to a reporter recently, “We have corporate governance that allows CEOs to pay themselves ungodly sums.”

Why should this be the case, and how might this problem be addressed?

Following say on pay protests in Canada at CIBC, Barrick Gold and Yamana Gold, and others at BP, HSBC and JP Morgan, the Securities and Exchange Commission (SEC) recently proposed rules linking pay to performance, six years after Congress passed the law directing them to do so in the first place.

Will the new rules work? Regulators have a poor track record of getting executive pay right. Indeed, some say Congress has been the single greatest driver of increasing CEO pay.

According to a survey by Mercer, a majority of UK board members believe the executive pay model is broken. Here are three ways to fix it.

First, look at who is negotiating the pay. A CEO pay contract is negotiated between a subset of company directors – the compensation committee – and the CEO. I remember a CEO telling me once, “I will out-gun any compensation committee.” He is right. For any contract to work, there needs to be proper motivation and equality of bargaining power. Many directors on pay committees are former CEOs, have been on the board for over nine years, or tend to be men recruited on the basis of prior relationships. These types of directors are not effective in negotiating a CEO pay contract.

Directors confide to me how perks compromise them, including jobs for acquaintances, gifts, vacations, and so on. There is no free market for CEO pay if the people on the other side of the table are captured.

An effective bargaining party should be independent of management and selected directly by shareholders to represent investor interests. In other words, shareholders should be selecting the directors, not directors and certainly not management.

I advise large investors that they should press for this right to select directors. Industry Canada is considering corporate reforms, and should give shareholders the right to select and remove directors without artificial barriers. In the Canadian companies above, not a single director on the compensation committees was forced to resign, including the compensation committee chair on the Quebecor board who failed to garner majority support.

Second, CEO pay has been driven upwards by a process known as “peer benchmarking.” Invented by pay consultants, one CEO’s pay is compared to pay of other CEOs, often at larger, complex companies (“peers”). Compensation committees, who purchase this comparative data, want to pay their own CEO, not at a 50th percentile (meaning that half of CEOs are better than their CEO), but at the 75th or 90th percentile. This inflationary effect, as you can imagine, has resulted in structural increases to CEO pay. Research confirms this. The process is made worse by rivalry, because CEOs see what other CEOs are earning, and think they deserve more. This knowledge and mindset increases the leverage of the CEO during pay negotiations.

One public sector organization, about to disclose pay for its employees, whom I recently advised, is not disclosing the identity of employees and their pay, but only the position title. This pay disclosure promotes good governance and accountability, while also addressing peer rivalry, privacy and safety concerns. More regulators should exercise care over the inflationary results of disclosing pay. Compensation committees should focus less on inter-company comparison, and more on the performance and value creation within their company.

This brings me to the final pay reform, which is linking pay to sustained value creation within the company over the longer term. Performance metrics are what drive management. Most performance metrics for executive pay are short-term, financial, and based on total shareholder return (TSR). Even the new SEC rules rely on TSR. Research shows, however, that much of TSR is not under the control of management, but rather reflects exogenous market forces. In other words, executives benefit from factors beyond their control, such as a bull market.

Most of the business model and market value of companies is composed of broader, leading indicators that are non-financial in nature. By focusing just on financial results, boards lack the ability to track leading indicators, which could be customers, reputation, employees, innovation, R & D, ethics, risk management, safety, and so on, that measure risk and broader performance. Many boards desire these metrics but they are under-developed by management, which reflects board complacency.

90% of pay is short term, meaning fewer than three years. This short-term focus causes executives to swing for the fences for short-term gains, taking risks, because their pay incents them to do so, rather than being aligned with the product cycle of the company, which is in the range of five to seven years.

International Monetary Fund chief, Christine Lagarde, has called for banks to change the culture of short-term risk taking. There is also director leadership responding to short-termism: The subject of the Institute of Corporate Directors conference next month is titled “Short-Termism: A Problem or Not.”

The problem is that those opposing the above reforms – shareholders selecting compensation committee members; relying less on peer benchmarking; and relying more on broader long-term performance metrics – are so entrenched in the status quo and vested interests that these reforms are almost unachievable. CEO pay problems will continue. To truly solve this issue, more leadership is needed from investors and directors. Models and best practices are needed to devise roles for shareholders in selecting directors and long term pay principles. Thoughtful regulation and more industry leadership and cooperation are needed.


25 Reasons for Risk Management Failure

I am speaking tomorrow to directors and officers about oversight of risk management by boards of directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.

Here are 25 reasons for risk management failure:

  1. Lack of enterprise risk management expertise on the board.
  2. Governance gaps over a material risk(s) within the board or across committees.
  3. Directors incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
  4. Internal oversight functions reporting to management instead of the board. A complacent board does not correct.
  5. Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
  6. Not upgrading information systems to track, monitor, integrate risks.
  7. Lack of oversight of the process by which management identifies, assesses and actions the risks.
  8. Lack of conversations, common vocabulary and prioritization of the risks.
  9. Lack of internal audit, or not listening to internal audit.
  10. Internal controls that are weak, even non-existent, or capable of management override.
  11. Not addressing interaction of risks, their speed, and exogenous shocks in modeling and scenario planning.
  12. Not considering impact on reputation, which can be greater than the primary impact considered.
  13. Immature controls over non-financial material risks, especially safety, operations, reputation, terrorism, bribery, technology.
  14. Risk appetite frameworks do not result in known thresholds, beyond which senior management and when necessary the board is notified.
  15. Lack of independent, coordinated assurance of internal controls provided directly to the board.
  16. Risk culture defective (toxicity, bullying, risk-taking behaviors) and not remedied.
  17. Whistle-blowing defective (not anonymous, no independent channel, no proper investigation).
  18. Risk not based on the strategy, business model and key performance indicators.
  19. Key performance indicators, and pay incentives and vesting of equity, not risk-adjusted.
  20. Board or committee cannot direct a third party review of risk governance, a specific risk, or a set of controls.
  21. Failure to anticipate and integrate risks. Pockets of acute, unknown catastrophic risk. (This item equals 13 + 6.)
  22. Enterprise risk management not really implemented but everyone thinks it is. False sense of reality.
  23. Tone at the top tolerates exceptions, complacency, and unequal treatment. Limited downside for excessive or imprudent risk taking. Encouragement, enabling or dependence upon high performing risk-takers.
  24. No sense of urgency to remedy the foregoing.
  25. The board does not know how bad it is.

The author thanks an anonymous senior risk executive for review of the foregoing items.

Twenty Anti-Fraud and Corruption Governance Red Flags

The following reflect my work in assisting regulators and enforcement authorities, and research on governance in companies that have been accused of fraud, bribery, corruption, and other malfeasance such as harassment, nepotism, expense reporting, and excessive compensation. I also draw on my interactions with, and guest lectures by, fraudsters who are currently in prison or who have served time in prison, and experts such as forensic accountants.

Here are the red flags, as I see them, in problematic companies and boardrooms that may contribute to fraud and other malfeasance going undetected or undeterred. Drawing on a speech I gave this month to a bribery and foreign corruption conference, and an earlier speech to corporate directors, the red flags are, in no particular order:

  1. Independent oversight functions (audit, compliance, risk) either non-existent or reporting to senior or operating management.
  2. A board lacking in risk, international and relevant industry expertise, and a paucity of audit committee know-how of how fraud is or may be committed.
  3. A whistle blowing procedure that is neither anonymous nor protected.
  4. A board that does not believe it sets tone at the top. A tone that is not equal and consequential.
  5. A focus on rule and legal correctness, not spirit and intent. Failure to account for exogenous shock, stress, and a different frame of analysis. Directors not speaking up.
  6. Complex design being approved by directors. Directors approving when management does not fully tell them the counter-argument, and directors do not ask (know), or press.
  7. Captured, conflict-seeking, self-dealing, over-compensated, over-tenured directors and gatekeepers who are not objectively independent.
  8. Immature risk management, non-investment in information technology, and defective or non-existent controls, particularly non financial, reputational and behavioural.
  9. Defective, non-existent, or dominated internal audit function.
  10. Lack of culture and reputation control assurance to the Board. No understanding of tone in the middle, or toxic or bullying work culture.
  11. Non-audited compensation, and improper incentives (quantitative, financial, short-term) that incent risk-taking behaviour. Unconstrained risk-takers and a complacent board.
  12. Clawbacks not at correct threshold of ethics or risk. Lack of risk-adjusted compensation.
  13. Charismatic, dominating, and/or stretched CEOs and CFOs, including distracting external activities, personal issues, living beyond their means, not taking vacations, and undue attention to accounting.
  14. Ethical code poorly designed, controlled, monitored, enforced, assured and reported to the board.
  15. Lack of documentation with explicit limitations and thresholds for material risks, cascading to emerging markets and key suppliers.
  16. Lack of executive sessions, with only independent directors, and with only internal oversight functions (audit, risk, compliance).
  17. Lack of due diligence and integrity controls at the hire or contract stage. Lack of integrity controls over senior management, and capacity for over-ride.
  18. Non-zero tolerance of facilitating payments. Mixed message sent by the board.
  19. Lack of independent, expert validation (board, risk, controls) reporting directly to the board.
  20. Weak or corrupt host country auditors not vetted or overseen by the audit committee, and lack of availability and translation of documents.

Do you recognize any of the above red flags? On a board or in a company you serve? Allegations of wrongdoing can put assets and reputation at risk. Regulators have enormous power, and are focusing their sights much more on the role a board plays, or does not play, in overseeing the affairs of the company.

Technology-Ignorant Boards Are Costing Shareholders Billions: What Should Boards Do Differently?

Five years ago, social media was perceived by many to be a passing fad. Then came the introduction of tablets and mobile devices. Now, cyber security has emerged as one of the greatest threats facing Anglo-American corporations. It is front and centre in the minds of directors, or should be.

In the area of technology, are boards fulfilling their duty of care in overseeing management and protecting shareholders’ investment? Indicators are that many boards and directors may not be. Plaintiffs’ lawyers are suing companies and their boards over technology failure. Here are some recent statistics and trends:

  • “Our entire lives are on the internet,” according to FBI Director, James Comey, adding “The internet is the most dangerous parking lot imaginable”;
  • “Social media is the number one activity on the web,” according to Belle Beth Cooper in a Huffington Post article;
  • The average user picks up their device 1,500 times a week, and reaches for it at 7:31am each morning, according to MailOnline;
  • The average smartphone owner uses his or her smartphone for three hours, sixteen minutes, each day;
  • Cybercrime constitutes the “greatest transfer of wealth in history,” according to the National Security Agency’s General Keith Alexander;
  • Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies;
  • Only 13% of companies have BYOD (bring your own device) policies, according to a 2014 report by Ernst and Young;
  • Fewer than 50% of companies use encryption techniques for devices;
  • 38% of companies do not address cloud risks;
  • “Only 56% of companies conduct penetration tests, and 19% fail to test at all,” according to an Ernst and Young report;
  • Less than one-third of boards are addressing risk management in relation to IT operations or computer and information security, according to a 2012 report from Carnegie Mellon; and
  • “Most policies currently in place,” “are too weak to reasonably ensure that systems are not breached,” according to a 2014 NACD (National Association of Corporate Directors) report.

What should boards of directors be doing to exercise their duty of care over technology risk, including social media, BYOD, and cyber security?

  1. “You have to own this problem as a leader,” in the words of Admiral Michael Rogers, Director of the National Security Agency. You do not need to be an expert in technology as a director, but you now need to be literate and informed. If you are not, then get educated. Request a glossary of acronyms from management as a start. There are several leading standards and frameworks from which to learn, including the National Institute of Standards and Technology; ISO/IEC 27032 Guidelines for Cybersecurity; the SANS Institute Critical Security Controls; and the IoD and NACD in London and Washington. If your board lacks information technology expertise, consider putting this on your competency matrix for director recruitment. If you are in a key industry such as financial services, retail, utilities, defense or health care, technology should be represented at the boardroom table. If much of your company’s business model resides on the Internet, consider having a separate technology and strategy committee.
  2. Examine your committee structure. If your audit committee oversees the substance of all risk oversight, you may be at risk if committee members lack recent and relevant information technology and risk expertise, or are overworked. All material business risks, financial and non-financial, should be covered off and mapped to one or more board committees, and these risks should be made explicit within committee charters and board guidelines, including technology, reputation, operations, and health and security risk. The audit committee is not necessarily qualified to oversee non-financial risks, including terrorism.
  3. See technology risk as a broader enterprise risk, and as a strategic and business imperative, not a narrow technology issue. Regulators should be requiring your board to approve the risk appetite framework, which includes explicit internal controls, assurance, reporting, and limitations. Ask management to see the real-time, prospective internal controls over technology risk, in writing. This is where many companies are weak, and if you are, you should see this gap and ensure it is remedied as a director. This is not micromanagement, but good oversight.
  4. Understand and demand information on the internal controls over social media, BYOD and cyber crime. This will facilitate a learning curve to question management, including over training, education, acceptable use, mobile device management, risk and control assessment, situational awareness, threat and vulnerability risk management, and cyber security incident management and governance. Does management show you internal control results over each material risk, including their interactions, and how each risk is identified, controlled and assured? Are you satisfied? Do you have a good dashboard? Does risk culture support cyber security? (Human error and carelessness are big risks.) A recent NACD survey showed a quarter to a third of directors were unsatisfied with the quality and quantity of IT information.
  5. Obtain third party assurance if you have any doubt about how technology risk is being mitigated, or of the strength of the technology and assurance bench. Are you satisfied with the IT, risk management, and internal audit bench strength? These are your eyes and ears. You may need to direct changes and resources. Do you have the power, within your board and committee charters, to request an independent audit of technology risk? Do you exercise this responsibility? If you are blocked by management, this is a red flag. Do you meet separately with risk, compliance and audit to assure cyber security risk?
  6. Information technology risk, compliance and auditing should functionally report to you as a board or committee, not senior or operating management. Senior management should no longer own the risk function. The chief risk officer, the chief compliance officer, and the chief audit executive, should now be independent and report functionally to the board and its committees, not senior management such as the CEO or CFO. This means that the work-plan, independence, resources, reporting, compensation and succession of these three functions (risk, compliance and audit) are now recommended by committees and decided by directors, not management. Do you practice the foregoing? If not, you could be the last to know for a major technology breach and the resulting reputational and financial loss. Experts will scrutinize how you directed reporting and assurance.
  7. Management may be averse to spending what is needed, and to the imposition of internal controls over technology, including those that are reputation or behaviour-based. This is why risk oversight rests with the board. Your job is to understand, identify, and oversee, not to manage. The budget, talent, resources, reporting, assurance and disclosure of enterprise risk mitigation, including technology, should rest with you. Information, documentation and informed, best practice and precise questions are your management influence and oversight touch-points.
  8. Become engaged. If you have one or more laggard directors who resist technology or keeping current, these intransigent directors are compromising the governance of the company and should be addressed or replaced, especially if they are on or chair key committees. Good boardrooms are now paperless, and good directors use devices and social media with acumen.
  9. Have technology stress testing. Do you direct management to implement and report on scenario testing and mock exercises over social media attacks and cyber breaches? When it happens, it is too late.
  10. Most of all, protect your company’s crown jewels. Think like a hacker. Protect the perimeter, but once inside, are your company’s valuable assets still protected? How? Agree on a platform and framework and direct management to have an action plan and target date for full implementation.

Tis the Season to Prevent Cyber-Hacking

What are best practices individuals can employ to lessen the chance of hacking of their computer or device?

Here is a quick “top 20 list,” based on part of an education session I have been providing to directors of company boards on cyber security.

  1. Never click on unknown or non-credible emails, attachments or downloads.
  2. Never click “save password.”
  3. Never use the same password across multiple devices or accounts.
  4. Use smart, strong passwords, and regularly update and change your passwords.
  5. Have a second credit card that you use online, with a low limit.
  6. Use two-step authentication whenever possible.
  7. Install firewalls on all your computers and devices.
  8. Always update your software.
  9. Always log out at the end of your work-time.
  10. Always install anti-virus, anti-spam and anti-spyware or adware programs.
  11. Use only your own computers and devices.
  12. Never leave your device or desktop computer unattended or accessible.
  13. Have a professional validate all of the above and never give your password out.
  14. Cover any cameras that are not in use.
  15. Browse anonymously whenever possible.
  16. Use secure, encrypted connections: https where “s” means “secure.”
  17. Resist unencrypted, public wifi hotspots.
  18. Back up your data in real time, twice as a fall-back.
  19. Be careful what you store or send (crown jewels).
  20. Always use a document shredder.

“Our entire lives are on the internet,” according to FBI Director, James Comey, adding “The internet is the most dangerous parking lot imaginable.”

Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies.

The more aware individuals are of the steps that can be taken proactively, the lower the chance that their property or data will be breached.
