Welcome to BoardExpert

This blog is intended to be a governance resource and source of current governance commentary, offered by a corporate governance academic engaged in research, teaching and other ongoing academic activities. There is a very public element to the governance field, and it is hoped that this blog will contribute to the public discussion of current governance issues. It is also hoped that it will address a need in the governance field by presenting a holistic online approach to the topic. There is a rapid rate of change in the field of governance (public, private, government and not-for-profit entities) and developments in internet technology move swiftly. This governance gateway offers resources for a broad variety of stakeholders including: [...more]

Executive compensation is broken: Three ways to fix it

President Obama said to a reporter recently, “We have corporate governance that allows CEOs to pay themselves ungodly sums.”

Why should this be the case, and how might this problem be addressed?

Following say-on-pay protests in Canada at CIBC, Barrick Gold and Yamana Gold, and others at BP, HSBC and JP Morgan, the Securities and Exchange Commission (SEC) recently proposed rules linking pay to performance, six years after Congress passed the law directing it to do so in the first place.

Will the new rules work? Regulators have a poor track record of getting executive pay right. Indeed, some say Congress has been the single greatest driver of increasing CEO pay.

According to a survey by Mercer, a majority of UK board members believe the executive pay model is broken. Here are three ways to fix it.

First, look at who is negotiating the pay. A CEO pay contract is negotiated between a subset of company directors – the compensation committee – and the CEO. I remember a CEO telling me once, “I will out-gun any compensation committee.” He is right. For any contract to work, there needs to be proper motivation and equality of bargaining power. Many directors on pay committees are former CEOs, have been on the board for over nine years, or tend to be men recruited on the basis of prior relationships. These types of directors are not effective in negotiating a CEO pay contract.

Directors confide to me how perks compromise them, including jobs for acquaintances, gifts, vacations, and so on. There is no free market for CEO pay if the people on the other side of the table are captured.

An effective bargaining party should be independent of management and selected directly by shareholders to represent investor interests. In other words, shareholders should be selecting the directors, not directors and certainly not management.

I advise large investors that they should press for this right to select directors. Industry Canada is considering corporate reforms, and should give shareholders the right to select and remove directors without artificial barriers. In the Canadian companies above, not a single director on the compensation committees was forced to resign, including the compensation committee chair on the Quebecor board who failed to garner majority support.

Second, CEO pay has been driven upwards by a process known as “peer benchmarking.” In this process, invented by pay consultants, one CEO’s pay is compared to the pay of other CEOs, often at larger, more complex companies (“peers”). Compensation committees, who purchase this comparative data, want to pay their own CEO not at the 50th percentile (meaning that half of CEOs are paid more than their CEO), but at the 75th or 90th percentile. This inflationary effect, as you can imagine, has resulted in structural increases to CEO pay. Research confirms this. The process is made worse by rivalry, because CEOs see what other CEOs are earning and think they deserve more. This knowledge and mindset increases the leverage of the CEO during pay negotiations.

One public sector organization that I recently advised, about to disclose pay for its employees, is not disclosing the identity of employees alongside their pay, but only the position title. This form of pay disclosure promotes good governance and accountability while also addressing peer rivalry, privacy and safety concerns. More regulators should exercise care over the inflationary results of disclosing pay. Compensation committees should focus less on inter-company comparison, and more on the performance and value creation within their company.

This brings me to the final pay reform, which is linking pay to sustained value creation within the company over the longer term. Performance metrics are what drive management. Most performance metrics for executive pay are short-term, financial, and based on total shareholder return (TSR). Even the new SEC rules rely on TSR. Research shows, however, that much of TSR is not under the control of management, but rather reflects exogenous market forces. In other words, executives benefit from factors beyond their control, such as a bull market.

Most of the business model and market value of a company is composed of broader, leading indicators that are non-financial in nature. By focusing just on financial results, boards lack the ability to track leading indicators, which could be customers, reputation, employees, innovation, R & D, ethics, risk management, safety, and so on, that measure risk and broader performance. Many boards desire these metrics, but they are under-developed by management, which reflects board complacency.

90% of pay is short term, meaning a horizon of fewer than three years. This short-term focus causes executives to swing for the fences for short-term gains, taking risks because their pay incents them to do so, rather than being aligned with the product cycle of the company, which is in the range of five to seven years.

International Monetary Fund chief, Christine Lagarde, has called for banks to change the culture of short-term risk taking. There is also director leadership responding to short-termism: The subject of the Institute of Corporate Directors conference next month is titled “Short-Termism: A Problem or Not.”

The problem is that opposition to the above reforms – shareholders selecting compensation committee members; relying less on peer benchmarking; and relying more on broader long-term performance metrics – is so entrenched in the status quo and vested interests that these reforms are almost unachievable. CEO pay problems will continue. To truly solve this issue, more leadership is needed from investors and directors. Models and best practices are needed to devise roles for shareholders in selecting directors and long-term pay principles. Thoughtful regulation and more industry leadership and cooperation are needed.


25 Reasons for Risk Management Failure

I am speaking tomorrow to directors and officers about oversight of risk management by boards of directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.

Here are 25 reasons for risk management failure:

  1. Lack of enterprise risk management expertise on the board.
  2. Governance gaps over a material risk(s) within the board or across committees.
  3. Directors incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
  4. Internal oversight functions reporting to management instead of the board. A complacent board does not correct this.
  5. Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
  6. Not upgrading information systems to track, monitor, integrate risks.
  7. Lack of oversight of the process by which management identifies, assesses and actions the risks.
  8. Lack of conversations, common vocabulary and prioritization of the risks.
  9. Lack of internal audit, or not listening to internal audit.
  10. Internal controls that are weak, even non-existent, or capable of management override.
  11. Not addressing interaction of risks, their speed, and exogenous shocks in modeling and scenario planning.
  12. Not considering impact on reputation, which can be greater than the primary impact considered.
  13. Immature controls over non-financial material risks, especially safety, operations, reputation, terrorism, bribery, technology.
  14. Risk appetite frameworks that do not result in known thresholds, beyond which senior management and, when necessary, the board are notified.
  15. Lack of independent, coordinated assurance of internal controls provided directly to the board.
  16. Risk culture defective (toxicity, bullying, risk-taking behaviors) and not remedied.
  17. Whistle-blowing defective (not anonymous, no independent channel, no proper investigation).
  18. Risk not based on the strategy, business model and key performance indicators.
  19. Key performance indicators, and pay incentives and vesting of equity, not risk-adjusted.
  20. Board or committee cannot direct a third party review of risk governance, a specific risk, or a set of controls.
  21. Failure to anticipate and integrate risks. Pockets of acute, unknown catastrophic risk. (This item equals 13 + 6.)
  22. Enterprise risk management not really implemented but everyone thinks it is. False sense of reality.
  23. Tone at the top tolerates exceptions, complacency, and unequal treatment. Limited downside for excessive or imprudent risk taking. Encouragement, enabling or dependence upon high performing risk-takers.
  24. No sense of urgency to remedy the foregoing.
  25. The board does not know how bad it is.

The author thanks an anonymous senior risk executive for review of the foregoing items.

Twenty Anti-Fraud and Corruption Governance Red Flags

The following reflect my work in assisting regulators and enforcement authorities, and research on governance in companies that have been accused of fraud, bribery, corruption, and other malfeasance such as harassment, nepotism, expense reporting, and excessive compensation. I also draw on my interactions with, and guest lectures by, fraudsters who are currently in prison or who have served time in prison, and experts such as forensic accountants.

Here are the red flags, as I see them, in problematic companies and boardrooms that may contribute to fraud and other malfeasance going undetected or undeterred. Drawing on a speech I gave this month to a bribery and foreign corruption conference, and an earlier speech to corporate directors, the red flags are, in no particular order:

  1. Independent oversight functions (audit, compliance, risk) either non-existent or reporting to senior or operating management.
  2. A board lacking in risk, international and relevant industry expertise, and a paucity of audit committee know-how about how fraud is or may be committed.
  3. A whistle blowing procedure that is neither anonymous nor protected.
  4. A board that does not believe it sets tone at the top. A tone that is not equal and consequential.
  5. A focus on rule and legal correctness, not spirit and intent. Failure to account for exogenous shock, stress, and a different frame of analysis. Directors not speaking up.
  6. Complex design being approved by directors. Directors approving when management does not fully tell them the counter-argument, and directors do not ask (know), or press.
  7. Captured, conflict-seeking, self-dealing, over-compensated, over-tenured directors and gatekeepers who are not objectively independent.
  8. Immature risk management, non-investment in information technology, and defective or non-existent controls, particularly non financial, reputational and behavioural.
  9. Defective, non-existent, or dominated internal audit function.
  10. Lack of culture and reputation control assurance to the board. No understanding of tone in the middle, or a toxic or bullying work culture.
  11. Non-audited compensation, and improper incentives (quantitative, financial, short-term) that incent risk-taking behaviour. Unconstrained risk-takers and a complacent board.
  12. Clawbacks not at correct threshold of ethics or risk. Lack of risk-adjusted compensation.
  13. Charismatic, dominating, and/or stretched CEOs and CFOs, including distracting external activities, personal issues, living beyond their means, not taking vacations, and undue attention to accounting.
  14. Ethical code poorly designed, controlled, monitored, enforced, assured and reported to the board.
  15. Lack of documentation with explicit limitations and thresholds for material risks, cascading to emerging markets and key suppliers.
  16. Lack of executive sessions, with only independent directors, and with only internal oversight functions (audit, risk, compliance).
  17. Lack of due diligence and integrity controls at the hire or contract stage. Lack of integrity controls over senior management, and capacity for over-ride.
  18. Non-zero tolerance of facilitating payments. Mixed message sent by the board.
  19. Lack of independent, expert validation (board, risk, controls) reporting directly to the board.
  20. Weak or corrupt host country auditors not vetted or overseen by the audit committee, and lack of availability and translation of documents.

Do you recognize any of the above red flags on a board or in a company you serve? Allegations of wrongdoing can put assets and reputation at risk. Regulators have enormous power, and are focusing their sights much more on the role a board plays, or does not play, in overseeing the affairs of the company.

Technology-Ignorant Boards Are Costing Shareholders Billions: What Should Boards Do Differently?

Five years ago, social media was perceived by many to be a passing fad. Then came the introduction of tablets and mobile devices. Now, cyber security has emerged as one of the greatest threats facing Anglo-American corporations. It is front and centre in the minds of directors, or should be.

In the area of technology, are boards fulfilling their duty of care in overseeing management and protecting shareholders’ investment? Indicators are that many boards and directors may not be. Plaintiffs’ lawyers are suing companies and their boards over technology failure. Here are some recent statistics and trends:

  • “Our entire lives are on the internet,” according to FBI Director, James Comey, adding “The internet is the most dangerous parking lot imaginable”;
  • “Social media is the number one activity on the web,” according to Belle Beth Cooper in a Huffington Post article;
  • The average user picks up their device 1,500 times a week, and reaches for it at 7:31am each morning, according to MailOnline;
  • The average smartphone owner uses his or her smartphone for three hours, sixteen minutes, each day;
  • Cybercrime constitutes the “greatest transfer of wealth in history,” according to the National Security Agency’s General Keith Alexander;
  • Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies;
  • Only 13% of companies have BYOD (bring your own device) policies, according to a 2014 report by Ernst and Young;
  • Fewer than 50% of companies use encryption techniques for devices;
  • 38% of companies do not address cloud risks;
  • “Only 56% of companies conduct penetration tests, and 19% fail to test at all,” according to an Ernst and Young report;
  • Less than one-third of boards are addressing risk management in relation to IT operations or computer and information security, according to a 2012 report from Carnegie Mellon; and
  • “Most policies currently in place,” “are too weak to reasonably ensure that systems are not breached,” according to a 2014 NACD (National Association of Corporate Directors) report.

What should boards of directors be doing to exercise their duty of care over technology risk, including social media, BYOD, and cyber security?

  1. “You have to own this problem as a leader,” in the words of Admiral Michael Rogers, Director of the National Security Agency. You do not need to be an expert in technology as a director, but you now need to be literate and informed. If you are not, then get educated. Request a glossary of acronyms from management as a start. There are several leading standards and frameworks from which to learn, including the National Institute of Standards and Technology; ISO/IEC 27032 Guidelines for Cybersecurity; the SANS Institute’s Critical Security Controls; and the IoD and NACD in London and Washington. If your board lacks information technology expertise, consider putting this on your competency matrix for director recruitment. If you are in a key industry such as financial services, retail, utilities, defense or health care, technology should be represented at the boardroom table. If much of your company’s business model resides on the Internet, consider having a separate technology and strategy committee.
  2. Examine your committee structure. If your audit committee oversees the substance of all risk oversight, you may be at risk if committee members lack recent and relevant information technology and risk expertise, or are overworked. All material business risks, financial and non-financial, should be covered off and mapped to one or more board committees, and these risks should be made explicit within committee charters and board guidelines, including technology, reputation, operations, and health and security risk. The audit committee is not necessarily qualified to oversee non-financial risks, including terrorism.
  3. See technology risk as a broader enterprise risk, and as a strategic and business imperative, not a narrow technology issue. Regulators should be requiring your board to approve the risk appetite framework, which includes explicit internal controls, assurance, reporting, and limitations. Ask management to see the real-time, prospective internal controls over technology risk, in writing. This is where many companies are weak, and if you are, you should see this gap and ensure it is remedied as a director. This is not micromanagement, but good oversight.
  4. Understand and demand information on the internal controls over social media, BYOD and cyber crime. This will facilitate a learning curve to question management, including over training, education, acceptable use, mobile device management, risk and control assessment, situational awareness, threat and vulnerability risk management, and cyber security incident management and governance. Does management show you internal control results over each material risk, including their interactions, and how each risk is identified, controlled and assured? Are you satisfied? Do you have a good dashboard? Does risk culture support cyber security? (Human error and carelessness are big risks.) A recent NACD survey showed a quarter to a third of directors were unsatisfied with the quality and quantity of IT information.
  5. Obtain third party assurance if you have any doubt about how technology risk is being mitigated, or of the strength of the technology and assurance bench. Are you satisfied with the IT, risk management, and internal audit bench strength? These are your eyes and ears. You may need to direct changes and resources. Do you have the power, within your board and committee charters, to request an independent audit of technology risk? Do you exercise this responsibility? If you are blocked by management, this is a red flag. Do you meet separately with risk, compliance and audit to assure cyber security risk?
  6. Information technology risk, compliance and auditing should functionally report to you as a board or committee, not senior or operating management. Senior management should no longer own the risk function. The chief risk officer, the chief compliance officer, and the chief audit executive, should now be independent and report functionally to the board and its committees, not senior management such as the CEO or CFO. This means that the work-plan, independence, resources, reporting, compensation and succession of these three functions (risk, compliance and audit) are now recommended by committees and decided by directors, not management. Do you practice the foregoing? If not, you could be the last to know for a major technology breach and the resulting reputational and financial loss. Experts will scrutinize how you directed reporting and assurance.
  7. Management may be averse to spending what is needed, and to the imposition of internal controls over technology, including those that are reputation- or behaviour-based. This is why risk oversight rests with the board. Your job is to understand, identify, and oversee, not to manage. The budget, talent, resources, reporting, assurance and disclosure of enterprise risk mitigation, including technology, should rest with you. Information, documentation and informed, best-practice and precise questions are your management influence and oversight touch-points.
  8. Become engaged. If you have one or more laggard directors who resist technology or keeping current, these intransigent directors are compromising the governance of the company and should be addressed or replaced, especially if they are on or chair key committees. Good boardrooms are now paperless, and good directors use devices and social media with acumen.
  9. Have technology stress testing. Do you direct management to implement and report on scenario testing and mock exercises over social media attacks and cyber breaches? When it happens, it is too late.
  10. Most of all, protect your company’s crown jewels. Think like a hacker. Protect the perimeter, but once inside, are your company’s valuable assets still protected? How? Agree on a platform and framework and direct management to have an action plan and target date for full implementation.

Tis the Season to Prevent Cyber-Hacking

What are best practices individuals can employ to lessen the chance of hacking of their computer or device?

Here is a quick “top 20 list,” based on part of an education session I have been providing to directors of company boards on cyber security.

  1. Never click on unknown or non-credible emails, attachments or downloads.
  2. Never click “save password.”
  3. Never use the same password across multiple devices or accounts.
  4. Use smart, strong passwords, and regularly update and change your passwords.
  5. Have a second credit card that you use online, with a low limit.
  6. Use two-step authentication whenever possible.
  7. Install firewalls on all your computers and devices.
  8. Always update your software.
  9. Always logout at the end of your work-time.
  10. Always install anti-virus, anti-spam and anti-spyware or adware programs.
  11. Use only your own computers and devices.
  12. Never leave your device or desktop computer unattended or accessible.
  13. Have a professional validate all of the above and never give your password out.
  14. Cover any cameras that are not in use.
  15. Browse anonymously whenever possible.
  16. Use secure, encrypted connections: https where “s” means “secure.”
  17. Resist unencrypted, public wifi hotspots.
  18. Back up your data in real time, twice as a fall-back.
  19. Be careful what you store or send (crown jewels).
  20. Always use a document shredder.

The more aware individuals are of the steps they can proactively take, the lower the chance that their property or data will be breached.

2015 Trends and Answers in Corporate Governance

2015 is shaping up to be a year where boards, once again, will be under intense pressure and scrutiny to get it right. Here is a list of trends and key issues, along with what boards are or should be doing in response.

1. Greater Director and Advisor Independence

Pressure:

A director or professional advisor can be formally independent, and yet captured inside the boardroom. Forms of capture reported to me include social relationships, donations, jobs or contracts for friends, perks, vacations, office use, director interlocks, supplier or customer relations, and excessive tenure and compensation. Look for more regulators implementing term limits and moving towards an objective standard of director independence. Look for activists going into the background of directors to demonstrate the capture. Look for investors focusing on the origination of each director and service provider, which is to say how he or she came to be proposed, to address social relatedness.

Answer:

Boards can protect themselves by terminating any director or professional advisor who cannot be reasonably seen, by directors themselves and more importantly by an outsider, to be independent from management in their oversight and assurance roles. Assume what boards know internally is what is or will become known externally. This trend towards tighter independence standards will continue: For example, internal oversight functions should also now be independent from senior and operating management, and that includes the risk, compliance and audit functions, who now should report functionally to the committees and board. Any director or external or internal advisor to the board or a committee should be, in law and in fact, independent of all reporting management or any other adverse interest, in order to be free to make recommendations that run counter to those of management. A board fully protecting itself would also require a third party anonymous review of director and advisor independence annually, and act on the results. Directors know who is captured, and there should be a mechanism for this to come through.

2. Better Board Composition and Diversity

Pressure:

Regulators are moving towards prescribed competency matrixes; the production of curriculum vitae (not perfunctory short bios); and interviews with directors and oversight functions to determine whether these individuals are fit for purpose. Activists are searching director backgrounds and track records to determine alignment between competencies and the business model and strategy of the company. Regulators are legislating board renewal and diversification, through quotas or the production of measurable objectives covering recruitment to retirement.

Answer:

Competency, diversity and behaviour matrixes should: flow from the purpose of the board and the strategic and oversight requirements of the company; be established by the nominating committee; and be independently designed and validated to ensure recent and relevant expertise is possessed by each director. The diversity policy should extend the prospective director pool to previously unknown directors, who may be joining their first board (80% of directors are on one board only). Tenure limits and excessive directorships (beyond two) should now be covered by policy and capped (the average board position is 300 hours). Robust matrix analysis and director evaluation should be carried out by the nominating committee and its independent advisor, not management. The board should extract directors who do not possess relevant and recent competencies or desired behaviours. (See boardroom dynamics, below, for a separate discussion of director behaviour.)

3. Risk Governance

Pressure:

Plaintiff’s investor lawsuits and proxy advisory firms are targeting directors at risk for oversight failure. Regulators are imposing onerous risk coverage requirements on directors that require oversight of internal controls, risk-takers and limitations. Lack of understanding of social media, bring your own device, and cyber security are contributing to enormous investor loss and brand impairment, as an example of technology risk. Recent risk failure by boards also includes sexual harassment, safety, security, technology, bribery, fraud and reputation.

Answer:

Boards should now have directors possessing risk expertise, as regulators are requiring this. The identity of these directors should be disclosed. Every company should board-approve a risk appetite framework, including internal control reporting and independent, coordinated, assurance over controls mitigating each risk and their interactions. Directors using technology dashboards should oversee risks prospectively. Hiring of risk, compliance and audit functions should occur, reporting to the audit and risk committee. Known limitations should cascade throughout the organization, and back up to the board, with ease, including within each market in which the company operates, and to key suppliers. Annual third party reviews should occur, reporting directly to the board and audit and risk committees. Board and committee charters should have coverage over each material risk, financial and non-financial. Audit committees that oversee substantive non-financial risks may be a red flag. There will need to be significant investment and restructuring of reporting relationships for the foregoing risk governance regulation to occur.

4. Compensation Governance

Pressure:

Media and public pressure over the quantum and alignment of executive pay have resulted in regulation over: compensation committee and advisor independence; say-on-pay; proxy advisors; and pay ratios; but not yet over pay-for-performance (most important) and clawbacks. Certain public regulators have become more aggressive, targeting the quantum of pay. Financial regulatory focus is on the delivery and alignment of pay. There is a modest movement, which will grow once full regulation occurs, from (i) short-term, quantitative, financial pay metrics relying on comparator inter-company benchmarking, which exacerbates pay unrelated to performance, to include (ii) long-term, qualitative, non-financial pay metrics, with customized, risk-adjusted pay delivery commensurate with internal value creation and shareholder return.

Answer:

Boards should engage directly with long-term, major shareholders on their pay plans, without management influence. Clawbacks should be restructured or implemented based on risk management and ethical failure, not fraud, using an independent advisor not the company lawyer or management-retained counsel. Boards should approve key performance metrics based on an explicit full business model invoked from the strategy. 75% of the performance metrics reflecting the firm value chain should be leading and non-financial indicators. Peer benchmarking should be balanced with the foregoing pay principles and long-term alignment with the product cycle of the company (five to seven years, not three). Non-financial leading metrics such as innovation, value and quality, and financial metrics such as balance sheet and capital treatment and returns, should be incorporated into pay plans that have a line of sight to management performance, without any unjust exogenous enrichment. There is much work to be done here, and more regulation is expected in 2015 and 2016.

5. Greater Shareholder Accountability

Pressure:

Look for activism to grow unabated, and institutional shareholder and even regulatory support of proxy access in 2015, giving greater control to shareholders over director selection and removal. Look for further shareholder assertion of rights and coordination over the targeting of below-average management supervised by complacent boards. Look for shareholder focus on director mindset, track record, and lack of management capture or self-interest. Look for continued attack on entrenchment devices by management and their retained advisors to insulate under-performers.

Answer:

Camera-ready boards should implement private, candid, executive session meetings with long-term shareholders to discuss governance, risk, pay, and value creation. Investors and boards should focus on company performance in comparison to peers, and superior governance that exceeds the minimal. This includes background of directors. Independent governance auditors should be retained to provide an activist point of view, ahead of a possible attack. Any advisor to the board on shareholder engagement should be independent of management.

6. A Focus on Strategy and Value Creation

Pressure:

Activist and, increasingly, good board focus is on the value creation plan, monitoring, and holding management responsible for its achievement. Complacent or inexperienced boards incapable of directing an under-performing, ineffective or inefficient management team are being targeted. Weak or legacy chairs and directors are also targeted. Excessive or non-performance based compensation is a red flag for governance intervention.

Answer:

Good boards are becoming engaged, focused, results-oriented and disciplined. Agendas and committee structures are being revised to focus on strategic primacy and value creation. Robust debate and review of the plan is the primary board agenda item at each meeting, and strategic practices are being adopted, such as, among others, at least one presentation each meeting from key personnel below the senior level on that person’s role in the value maximization plan, followed by a full discussion of progress to date. However, board renewal is not yet reflecting this structural and deeper board focus. Ill-chosen directors are still unable to add value strategically, my applied research suggests. There remains ample opportunity for activist intervention.

7. Information Technology Governance

Pressure:

Rapid technology advancement has created opportunity and risk. There is profound technological ignorance by many or most boards that is creating an inability to direct and oversee management. Cyber security, bring your own device, and social media are just three IT risks that, reviews indicate, have deficient or non-existent internal controls, which in turn causes privacy breach, reputational damage, and significant investor loss. Plaintiff’s lawyers are suing boards, correctly alleging breach of duty of care. Regulation is not keeping up with cyber-threats and hacker advancement.

Answer:

Boards should be IT literate, agree on the standard and platform, and direct management to have an action plan and target date for implementation, covering crown jewels; assuming penetration; and including internal controls over behavior and human error. Boards should control the budget, talent, resources, reporting and assurance of IT risk as part of broader ERM (enterprise risk management) and strategic risk. Scenario testing, mock attacks, and expert assurance should be board-reported. If management resists third party validation, this is a red flag for any board.

8. Board Performance Audits

Pressure:

Regulation, activist, technical and public pressures are raising the objective standard of care for directors. Director action (or inaction) will be visible and, after a failure, will risk liability or other loss. Resourced and sophisticated investors are a particular threat, as are regulators. Complying with basic practices is no longer adequate assurance or protection for boards, as capture, entrenchment, self-dealing, complacency and non-performance have all been shown to occur within existing governance frameworks. Governance failure, including bribery, corruption, cyber incidents and under-performance, has occurred at companies whose governance has been said to be exemplary.

Answer:

Good boards and regulators are moving towards independent, internal and deep reviews over the board, risks and internal controls, similar to financial audits. Just as management cannot assure its own work, neither can boards assure a self-review. A well-chosen third party or independent internal auditor provides boards with advance warning on precisely where their vulnerabilities and weaknesses are. An expert audit within an activist and emerging regulatory framework is a wise use of time and resources.

9. Tone at the Top – and Now in the Middle

Pressure:

The long arms of regulators are now able to hold boards vicariously responsible for fraud, bribery and other forms of corruption at deep levels within their organization, and even in its dealings with outside parties. The distraction, assets put at risk, and reputation damage can be significant. “Tone in the middle,” culture, and imprudent risk-taking are the new warning signs on which sophisticated boards are requesting concrete assurance, to ensure directors are not the last to know.

Answer:

Resourced boards are instituting: confidential and incented whistle-blowing procedures; audits of internal controls over culture and reputation; and amnesty, among other best practices, to ensure bad news rises. Explicit and monitored thresholds for the board-approved risk appetite framework are being instituted, along with a line of sight by the board that compensation is not driving bad behaviour. Due diligence, climate, values, spot audits, and the code of conduct are all being independently reviewed and reported to committees and boards, without interference or funneling by reporting management. Good boards are much less tolerant of ethical lapses or management blockage.

10. Boardroom Dynamics

Pressure:

Lastly, the board must gel as a team, and, as a team, control management. Any behavior gap – undue influence, reliance, dislike, dysfunction, or even contempt – by one or more directors or managers, introduces information and oversight asymmetry that can and does lead to governance failure. Every seat at and reporting to the board table matters. The pressure here is a toxic or under-performing director who refuses to resign out of self-interest, or a board allowing integrity breaches and leadership shortcomings by an officer to continue.

Answer:

Good boards: have behaviour matrices and performance reviews that define and rate behaviours at the board table; have peer reviews and mentoring that develop and refine behaviours; and act on the results regardless of profile or tenure. Due diligence, background checks, interviews, and assessments are all becoming commonplace. Personality testing is also developing.

Conclusion

There has been more governance change in the last five years than in a generation. Enron, WorldCom and other implosions in 2001-02 are very different from the global financial crisis of 2008-09, which was systemic, involved banking, and required broad government intervention. There is a regulatory and investor appetite for broad and deep governance change. The above ten changes and responses are touch-points for where governance change is happening the most. Boards and management teams are only about 40% through digesting all of the above reforms, and there are more to come in 2015.

Canada’s Corporate Governance Guidelines Are Out of Date, Part 2

Following up on last week’s blog, where I argued that Canada’s corporate governance guidelines were out of date because of: 1. Lack of principles and practices; 2. Lack of focus on risk management; 3. Lack of independence of mind; 4. Lack of industry expertise; and 5. Lack of shareholder engagement, here are reasons 6-10 that our Guidelines need an update:

6. Lack of shareholder engagement: The words “investor” and “shareholder” are mentioned once each, in a perfunctory manner, within the 2005 Guideline. Shareholders own the company and regulators and investors are explicitly providing context now: for investor input on director selection; for engagement and dialogue between investors and directors; and for the use of technology in shareholder communication and annual meetings. The foregoing are all absent from the Guidelines. Canada has still not adopted “say on pay,” which has also been a catalyst for shareholder engagement. The US, UK, Australia, Germany, France and other European countries either have say-on-pay or are moving rapidly in this direction. Canada is a laggard.

7. Lack of focus on strategy and value creation: “Strategy” is mentioned only once within the entire Guidelines, and that is that the board should approve a strategic planning process and approve, at least annually, a strategic plan. It is hardly surprising that many boards short-change strategy in favour of compliance. This once-a-year requirement essentially marginalizes a board in its strategic role. When I interview top directors who add value strategically, the strategic oversight and involvement by their boards are much more focused and engaged. There are strategic best practices here that would enhance the performance and value creation that a proper board can deliver. Regulators drafting this guidance should have experience creating listed company value.

8. Lack of focus on sustainability: The words “environment” and “sustainability” are not mentioned at all in the 2005 Guidelines, a noticeable omission. Australia’s emphasis on economic, environmental and social sustainability risks, within its Corporate Governance Principles and Recommendations, is second to none, as is South Africa’s focus on “integrated sustainability reporting” within King III. This omission is especially noticeable given investor focus on environmental, social and corporate responsibility. The lack of environmental stewardship and response to climate change is also a broader issue. Canada is also a laggard here.

9. Lack of compensation guidance: The regulatory movement from short-term, quantitative, financial metrics, to risk-adjusted, long-term, qualitative, non-financial metrics for executives is absent from the Guidelines, as is guidance on non-executive remuneration. Investors, regulators and good boards are focusing on leading performance metrics that reflect the entire business model and value chain (most of which is non-financial), and that are longer-term in nature.

10. Lack of focus on the chair of the board: Lastly, but far from least, the position of the board chair has undergone a metamorphosis since 2005. There is no guidance at all offered within the Guidelines on the role, responsibility and attributes of an independent chair. Other codes offer extensive guidance on the skill-sets the chair should possess and the responsibilities the chair should execute. Without this regulatory guidance, a chair (and committee chairs) can be bullied or unduly influenced by dominating reporting management such that they are rendered ineffective, albeit formally independent. More guidance is needed. Chair position descriptions should not be drafted by management lawyers or management-retained lawyers.

Conclusion

Does Canada have a false sense of governance superiority? Perhaps so. But in this rapidly changing field, if you rest, you are left behind. Nine years is sufficient rest.

There are arguments (i) by industry and advisors to management that corporate governance in Canada is not broken and so does not need to be fixed; and (ii) by regulators who complain of scarce resources and of how difficult reform is with fragmented securities commissions and the diversity of Canadian companies. I have never been persuaded by these arguments.

To address the second argument, what is required is leadership and political will. Premier Kathleen Wynne’s and the OSC’s Maureen Jensen’s emphasis on gender diversity has resulted in nine jurisdictions collaborating on and endorsing recent changes to the disclosure of gender diversity, term limits, and measurable objectives, for example. As to the variety of Canadian companies, South Africa’s King III Code applies to all types of companies (public, private, state and non-profit). The issue is one of drafting.

To address the first argument, namely the arguments by industry, regulators should be conscious of undue influence by reporting management and service providers, whose internal power, business model, or commercial interests may be disrupted by governance rejuvenation. The primary considerations for policy renewal should be evidence-based policy and international consistency with best practices. Regulators should also guard against their own potential conflicts of interest and regulatory capture, including by those individuals within regulators who intend to return to private industry, or who have other close associations with regulated companies. Regulators should also guard against those provincial regulators who oppose reform on the basis of extraneous and irrelevant considerations, such as a desire to maintain turf.

Richard Leblanc is a Principal at Boardexpert.com. He can be reached at rleblanc@boardexpert.com.

Canada’s Corporate Governance Guidelines Are Out of Date

In my teaching and research, I no longer use “NP-58201 Corporate Governance Guidelines,” June 17, 2005 (“Guidelines”), which apply to publicly traded companies in Canada, as an example of exemplary corporate governance. I regard them as stale and dated. I cannot think of another developed country that has not updated its governance guidelines in almost 10 years. There have been more changes to governance since the financial crisis of 2008 than in a generation. And we are only about halfway through all of them. Canadian regulators – including all provinces and territories – need to keep up, and step up.

Here are the deficiencies to the Guidelines as I see them:

1. Lack of principles and practices: Our Guidelines are four pages long. The UK’s new Code (September 2014) is thirty-six pages. Australia’s Principles and Recommendations (March 2014) are forty-four. South Africa’s “King III” (2009) is sixty-six pages, to pick only three examples. Quantity is not necessarily quality, but by having such succinct guidelines, the opportunity to set out (i) best practices that (ii) achieve the objective of principles is gone. It is comply or explain against a perfunctory unitary guideline, which can be – and is – gamed by reporting management. There should be more robust guidance, where the regulator explains various ways good governance can occur, from which listed companies can pick and choose according to their circumstances.

2. Lack of focus on risk management: Take risk, for example. The Canadian Guidelines simply state that the board should identify principal risks and ensure appropriate systems are in place to manage these risks. I have no idea what this actually means, nor may directors. Risk management oversight now involves an explicit risk appetite framework, internal controls to mitigate, technology, limitations, and assurance provided directly to the board and committees by independent risk, compliance, and internal audit functions. None of these practices, which are very much addressed by other regulators, appear in the 2005 Guidelines. Consequently, many public companies have immature risk management, especially in addressing non-financial risks such as cyber security, operations, terrorism and reputation. Regulatory inaction has an effect. Even a forward-thinking director may be blocked by intransigent management from devoting greater resources to mitigating risk, because of inadequate regulation.

3. Lack of independence of mind: In Canada, a board can subjectively believe a director to be independent, but this belief need not be independently validated, nor tied to any objective or reasonable standard. Nowhere else can a conflict of interest lack a perceptual foundation. As a result, directors tell me how colleagues are compromised by an office, perks, vacations, gifts, jobs for friends, social relatedness, relations to major shareholders, excessive pay, excessive tenure, interlocks, and other forms of capture. If a director or chair is captured, they are owned by management and totally ineffective. If there is a difference between regulatory independence and the independence of mind of directors, the fault lies with the regulation. Regulators should implement an objective standard of director independence, not a subjective one.

4. Lack of industry expertise: It was admitted in open forum that the original 1994 committee did little research. Sufficient industry expertise on boards is glaringly absent from the Guidelines, and consequently in many boardrooms. We are suffering from an independence legacy, perpetuated by entrenched directors, and unsupported by academic research. For example, two Australian academics claim that board independence has cost their country between 30 and 50 billion Australian dollars in shareholder value (“Does ‘Board Independence’ Destroy Corporate Value?” by Peter L. Swan and David Forsberg).

Fraud, meltdowns and underperformance, such as at Nortel, RIM and CP, and most recently at Tesco in the UK, all occurred at companies with a paucity of industry experts on their boards. JP Morgan, at the time of its risk management failure, did not have a single independent director with banking experience. Prior to Bill Ackman’s involvement in CP, not a single independent director had rail experience. I recently assessed a similar board and not a single director had the necessary industry experience. The Guidelines should require relevant industry expertise on boards. I recommended this to OSFI when I was retained by them to examine their earlier guidelines, and this is now the law for all federally regulated financial institutions, along with risk expertise being present on boards.

5. Lack of financial literacy and internal audit: There is no requirement to be financially literate to sit, initially, on an audit committee of a Canadian public company. This presumes someone can acquire financial literacy as opposed to having it to begin with. There is also no requirement to have an internal audit function for a Canadian public company. This should also change so audit committee members hit the ground running, and there should be a comply or explain approach to internal audit. In many compliance failures, there is a defective or non-existent internal audit function, with a weak audit committee lacking recent and relevant expertise. Regulators are now moving towards “independent coordinated assurance,” which means that reporting to, and functional oversight by, the board and committees are fulfilled by internal and external personnel who are independent of senior and operating management, including, most importantly, an effective and independent internal audit function.

Join me next week where I will talk about 6-10, including: lack of shareholder engagement; lack of focus on strategy and value creation; lack of focus on sustainability; lack of compensation guidance; and lack of focus on the chair of the board.

The Corporate Governance Game Changer That Needs to Come To Canada

I teach my students and counsel board clients that shareholders elect directors; directors appoint managers; directors are accountable to shareholders; and managers are accountable to directors. This is largely theoretical.

Here is the reality: Shareholders: (i) cannot select directors; (ii) cannot communicate with directors; and (iii) cannot remove directors, by law, without great cost and difficulty. Therefore, directors are largely homogenous groups who are selected by themselves, or, worse yet, management.

Addressing the foregoing is the one piece of reform that will change corporate governance and performance for the better. The rest is, as they say, window dressing.

I have encouraged institutional investors and regulators to consider advocating what is known as “proxy access.” This means that a shareholder, or a group of shareholders, who (i) own a modest, minimum threshold of shares (say 3%, although the percentage could be higher or lower, or floating, depending on the size of the company); (ii) for a period of time (say 3 years, although the time period could be shorter); (iii) can select up to 25% of proposed directors, of the total board size, in an uncontested election (meaning a change of control is not desired by the shareholders) in a given year.

When shareholders “select” their nominees for the board, these nominees would appear in the management proxy circular alongside the management slate of directors, in alphabetical order, with profile parity (short bios and areas of competency). Management would be obliged to include shareholder-nominated directors, at a cost to the company, not shareholders, if the above ownership and time requirements are met. There would be no costly proxy battles or dissident slates. There would be no undue influence by management to marginalize shareholder-nominated directors within or outside of the proxy. Rules of the road will be set.

Then, shareholders get to decide, as they should, on the best directors from among the management-proposed and the shareholder-proposed directors. Ideally, the selection should be as blind or neutral as possible. The focus should be solely on the qualifications, competencies and track record of the proposed directors for election at that company. May the best directors win, as should be the case in any election, versus a slate of management-nominated directors, which is the case now. Under this new regime, there will be winners and losers. The practical effect may be that legacy or unqualified directors may withdraw from this scrutiny, as Canadian Pacific directors did at the time of shareholder Pershing Square’s involvement. This is not an undesired outcome and creates a market for the most qualified directors to rise to the top.

When proxy access was proposed by the Securities and Exchange Commission (SEC) in the US, management and lawyers who work for management used shareholder money to fight the proxy access proposed under Dodd-Frank, and won in the US Court of Appeals, on the basis of an inadequate cost-benefit analysis. (Canadian investors and regulators should learn from this experience.) Proxy access is now left to companies on a one-off basis, rather than being system-wide. Meaningful proxy access has only occurred at a small number of companies as a result. The SEC should revisit proxy access. Industry Canada is currently looking at implementing proxy access at the 5% level for all federally incorporated companies.

Opponents to proxy access argue that shareholders selecting directors will propose special purpose directors or directors who lack the background or experience. The evidence is the opposite. Shareholders are better at proposing directors who have the shareholder track record and industry expertise that the current board lacks. Recall Canadian Pacific, where not a single director possessed rail experience prior to shareholder involvement. There are other examples at Hess, Office Depot, Darden, Bob Evans, Abercrombie and Occidental Petroleum (see Field Experience Helps Win Board Seats), where shareholder-advocated directors were either better than incumbent ones, or caused the renewal of management-advocated ones. A director qualification dispute is welcome and will focus the lens on competencies of directors, including industry expertise, which is a good thing. Ann C. Mule and Charles Elson report in “Directors and Boards” that “One study concludes that more powerful CEOs tend to avoid independent expert directors.”

Herein lies the real resistance to proxy access: Management does not want it, and, the record shows, will fight vigorously to resist it. Management-retained advocates hired to oppose proxy access should disclose who their client is. Directors, however, when deciding whether to support proxy access, should not be beholden to management or their advisors, nor act out of self-interest in entrenching themselves, but should be guided only by the best interests of the company, including its shareholders. There is evidence that the market values strong proxy access positively, leading to an increase in shareholder wealth. If a director possesses the independence of mind, and the competency and skills to serve on the board, they should welcome proxy access. It will mean that the under-performing directors on the board will be ferreted out, and current directors can avoid this uncomfortable task. Shareholders and the new competitive market for corporate directors will do it for them.

Advice to Boards: Renew Your Directors or Shareholders May Do It For You

Here is a top 10 list reflecting forty recent director and executive interviews and ongoing advice and assessment provided to activist investors and boards.

Infuse your board with a shareholder mindset and directors with value creation track records

“Too many service providers” … “with no industry experience” … “who have not run anything” and “who lack value creation experience” go silent when tough business decisions need to be made, directors say. They “cannot provide the hard core insights to the management team” other than “be careful.” They default to process, “flavors of the day,” and recency, rather than leading substance and strategy. Directors and executives describe such formally independent but experientially lacking directors as “immature,” “provincial,” and “naïve.” Management is more critical: They “lack depth” and “contribute nothing.” Trying to get them off the board, in the words of one director, is like “pulling teeth.”

Remove over-tenured directors and ensure committee chair rotation

Long-serving legacy directors and committee chairs who have been there “much too long” are described as “tired” and “complacent” by fellow directors, and block renewal efforts when “they are the most conflicted.” Research suggests that directors serving beyond nine years diminish shareholder value. Tough discussions are occurring in boardrooms. Conflicted directors should leave the room during the discussion, directors say. Long-serving directors are loath to give directorships up, arguing they are different. Fellow directors and investors are increasingly unpersuaded by self-interest.

Conduct an independent performance review

One answer, according to Anne Sheehan, head of corporate governance at CalSTRS, who served on a recent panel discussion with me, is to have independent director performance reviews, with expectations set at the outset, and to link the results to renewal. Don’t rely on retirement age as a performance proxy. Directors and regulators are mandating independent reviews. Blockage by self-serving chairs and directors is increasingly falling on deaf ears. The review should have consequences, which means removing directors who have outlived their usefulness. “Rigorous evaluation” is consistently a theme in my interviews. If a board blocks independent critical review, or does not act on the results, investors will step into the gap, and it will be far more consequential, costly and adverse.

Engage directly with investors on board performance and composition

What investors want to see now is recent, relevant, validated industry experience contributing directly to the company’s value creation chain, by each and every director. If a board cannot lead a value creation model that is endorsed by major investors, including capital and asset allocation and performance, and what each director’s contribution is to that, the board is vulnerable. Few boards have conducted this internal review with the rigor that an activist does. Camera-ready boards are having structured meetings with long-term shareholders to listen, learn and act. Boards ignore investors at their peril.

Address director origination and its impact on independence

Assume that investors will ferret out any and all conflicts, including friendships. If directors have previous or current relationships, to each other or to management, they lack independence and will not ask tough questions, new research suggests, unlike directors who are recruited primarily on the basis of merit and who were previously unknown to the board. “These directors are owned” is the common refrain. Current examples include reciprocity, favours and capture. These directors cannot push back, as the cost is too great. They are part of management. Therefore, boards need to rid themselves of these directors and discontinue recruiting based on prior relationships.

Diversify your board to add value

Make sure your board is diverse, and underpinned by the skill sets needed. Many companies do not have board diversity policies. Defensive, perfunctory policies are not useful. The best policies are prescriptive, have measurable objectives, and define diversity, with increasing numbers that a board holds itself responsible for meeting and on which progress is reported. There are measurable objectives for gender, age and ethnicity that align with the company, its business, its industry, and the markets in which it operates.

Focus on company performance over governance box-ticking

Governance has been a cottage industry dominated by self-serving professional advisors and associations, many directors and investors have told me. The pendulum has swung so far that investor performance is either entirely absent or an afterthought rather than the primary focus. “You can tick all the governance boxes, and underperform your peers,” one director states. So-called governance-awarded companies have even been rife with corruption. Conversely, you can have many governance boxes unticked and perform for investors. Good boards do not let the governance tail wag the performance dog. Investors want performance, not governance accolades. We know that governance rating agencies and proxy advisory firms have metrics that lack predictive validity. We see award-winning companies that have failed in their performance subsequently being attacked by activists, with share price appreciation soon following. Activists are unimpressed, and, increasingly, the governance community is questioning its own focus and priorities. One award-winning company’s director who has seen the activist light remarked that his board could be “10 times stronger.”

Conduct a thorough transparent director competency review, and act on the results

The director competency matrix belongs to investors and directors, not management. A matrix can be back-doored and manipulated, resulting in a complacent board. An inclusive, dynamic, objective, peer-to-peer, validated matrix review will generate development opportunities, remove directors who are lacking, and identify the desired skills in the next directors. Regulators are calling for curricula vitae and interviews, and want to see that each director is fit for purpose. Boards are wise to ensure that matrix design and administration is expert, free from management control, and reflects investor input.

Focus on softer director attributes

Skills I have recently developed for directors include: integrity, teamwork, communication and commitment. If only one director does not possess these, a board can be poisoned. These attributes can and should be recruited for and validated. A director who is lacking and cannot improve should be promptly replaced. The best boards are embarking on this review.

Display leadership and integrity

Lastly, ultimately, board renewal is about leadership and integrity. The Board Chair position is rapidly maturing. Directors who dig in and entrench are placing their own interests ahead of those of the company, resulting in grave disquiet. This is an integrity issue. Entrenched directors should do the right thing when it is time to go. Activism has become mainstream and shareholders may have much greater power in the future than they do now to propose effective and remove ineffective directors, if directors do not do it themselves.

