Archive for the ‘Risk Governance and Combined Assurance’ Category

25 Reasons for Risk Management Failure

I am speaking tomorrow to directors and officers about oversight of risk management by boards of directors. I prepared a list of 25 reasons that risk management failure happens, based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail. Almost all of what follows below is based on real examples. I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.

Here are 25 reasons for risk management failure:

  1. Lack of enterprise risk management expertise on the board.
  2. Governance gaps over a material risk(s) within the board or across committees.
  3. Directors incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
  4. Internal oversight functions reporting to management instead of the board. A complacent board does not correct.
  5. Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.
  6. Not upgrading information systems to track, monitor, integrate risks.
  7. Lack of oversight of the process by which management identifies, assesses and actions the risks.
  8. Lack of conversations, common vocabulary and prioritization of the risks.
  9. Lack of internal audit, or not listening to internal audit.
  10. Internal controls that are weak, even non-existent, or capable of management override.
  11. Not addressing interaction of risks, their speed, and exogenous shocks in modeling and scenario planning.
  12. Not considering impact on reputation, which can be greater than the primary impact considered.
  13. Immature controls over non-financial material risks, especially safety, operations, reputation, terrorism, bribery, technology.
  14. Risk appetite frameworks do not result in known thresholds, beyond which senior management and, when necessary, the board are notified.
  15. Lack of independent, coordinated assurance of internal controls provided directly to the board.
  16. Risk culture defective (toxicity, bullying, risk-taking behaviors) and not remedied.
  17. Whistle-blowing defective (not anonymous, no independent channel, no proper investigation).
  18. Risk not based on the strategy, business model and key performance indicators.
  19. Key performance indicators, and pay incentives and vesting of equity, not risk-adjusted.
  20. Board or committee cannot direct a third party review of risk governance, a specific risk, or a set of controls.
  21. Failure to anticipate and integrate risks. Pockets of acute, unknown catastrophic risk. (This item equals 13 + 6.)
  22. Enterprise risk management not really implemented but everyone thinks it is. False sense of reality.
  23. Tone at the top tolerates exceptions, complacency, and unequal treatment. Limited downside for excessive or imprudent risk taking. Encouragement, enabling or dependence upon high performing risk-takers.
  24. No sense of urgency to remedy the foregoing.
  25. The board does not know how bad it is.

The author thanks an anonymous senior risk executive for review of the foregoing items.

How do boards prepare for terrorism?

In a board meeting, the military general asked the airline’s CEO, “Why is the pilot’s food being labeled?” “Because that’s the way we always do it,” the CEO responded. “Well then stop doing it,” the military director said. “If I’m a terrorist, I might have trouble getting through the cockpit door, but you’re putting a red flag for me on how to poison the pilot and take down the plane.”

In that exchange, the new military director on the board of the airline I was advising proved his value.

I am currently advising another board whose company is a target for a terrorist attack. Many other companies in transportation, utilities, defense, property development and financial services could take a page from what follows.

Here are six areas for boards to focus on to prepare for a possible terrorist attack.

1. Military experience on the Board. Military leaders have logistics, supply chain, tactical and international theatre experience that civilian directors lack. Their contacts include the intelligence community. They think differently and understand evil.

2. Intelligence gathering. Boards should commission multi-lingual analytics from terrorist websites and chat-rooms, where the company, industry or executive is mentioned. There should be governmental relations on the board’s competency matrix. Boards want to know about unknown unknowns, or emerging risks that can be catastrophic (the black swan), or interdependent risks that rapidly interact. Risk registers don’t capture this dynamism yet. Proper intelligence gives boards and management teams a heads up.

3. Scenario planning. Good boards in sensitive industries are insisting on disaster recovery, catastrophic event planning, mock dry runs, and schedules so if or when it happens, the company is ready. There is even off-site functioning if the office is blown up.

4. CEO compensation. After a disaster involving property destruction and death (at another board), I was called in to recut the CEO’s compensation. It went from short-term financial metrics to include risk, relations, internal controls and crisis management metrics. The compensation committee has enormous, often unused, control over behaviour, and you reward what you pay for.

5. Communication. The CEO should have media training to prepare for scenarios, and respond to journalist questions. When the event happens, it is too late if you don’t have this. Opinion crystallizes in days if not hours. The CEO profile for succession planning should include communication, intelligence gathering, and political linkages.

6. Invest in enterprise risk management (ERM) and information technology (IT). Risk management is often immature, cyber threats are significant, and good ERM is bottom up to include focus groups and integrated real-time IT. There are vulnerabilities that are missed without good ERM. Without being explicit, there are vulnerabilities at universities, cities, shopping malls and events that will surface in good ERM.

The bombers in Boston capitalized on police who were not present, inadequate crowd control at the finish line, and unattended, unchecked bags. New York is much better at this now. Cameras, K-9 dogs, screening, monitoring, crowd control and escorts are all about choices. Management can choose not to do something. Boards can DIRECT that they do. Such measures deter attacks on potential targets.

Regulators turning up anti-bribery heat on corporate boards: But will practices change?

Russia is one of the most corrupt nations in the world (see a recent anti-corruption story on Russia by the New York Times). It ranks 143rd of all 182 countries on Transparency International’s corruption perception index, with a score of 2.4. Canada ranks the 10th least corrupt country in the world with a score of 8.7. New Zealand is the least corrupt country globally, ranking first with an overall score of 9.5. The US ranks 24th and the UK 16th, with scores of 7.1 and 7.8 respectively. See the “Full Table and Rankings,” where countries can be searched via the table. Lower rankings and higher scores mean the country is perceived as being less corrupt.

Prime Minister Harper visited China, India and Brazil to enhance trade with these countries, which are also some of the most corrupt nations in the world, ranking in at 95th, 75th and 73rd respectively. Libya, which involved the alleged Montreal-based SNC Lavalin bribes of some $56 million, comes in at 168. Within these countries, the governments themselves are the net beneficiaries of much of the corruption, so these politicians are far from motivated to impose reform.

Is it realistic to expect that Anglo-American nations, such as the US, UK and Canada, can impose “Western” will on the very way business is done, and has been done, in some countries for centuries? And if things will not or perhaps cannot change, should home country boards of directors be held responsible for systemic local corruption that may be beyond their control?

Regulators are taking corruption and the role of boards and senior management very seriously. The Securities and Exchange Commission and Department of Justice recently released 130 pages of guidance (see the PDF and other coverage here and here) on the Foreign Corrupt Practices Act (“FCPA”). The US has had the FCPA since 1977. Enforcement and penalties have gone up dramatically in recent years. The UK Bribery Act, from 2010, has some of the most stringent bribery laws in the world. In Canada, we have The Corruption of Foreign Officials Act (since 1999) and the recent guideline from the OSC for issuers operating in emerging markets (see the PDF).

Emerging economies are future markets for Canadian companies. The Prime Minister has a vision for Canada to be an energy supplier superpower. For this to happen, Canada will shift its trade to markets with hundreds of millions or billions of consumers and much higher growth rates than our current major trade partner, the US, which could be coping with austerity due to its debt for years to come. Harper was in India last week to boost trade.

What is clear is that there is an enormous disconnect between the home country regulations now being imposed, and host country actual practices on the ground.

What should boards that have operations in emerging market jurisdictions do? Six things.

1. If you are doing business in such a market, you need a director with extensive on-the-ground experience at the board table, who can tell you and management where the hotspots are. Move a board meeting to the jurisdiction once a year so directors can get a first-hand look.

2. Boards must make it crystal clear to management that if the company is not going to bribe, management must walk away from certain business. The board must support this and must not have incentives that promote bribery.

3. Internal controls over financial reporting must be as strong in the emerging market as they are in the home market. Investment and resource commitments need to be made.

4. Boards must have their own experts to scrutinize off-balance-sheet and related-party transactions and complex structures; validate and assure internal controls; and provide foreign-language document translation.

5. Local auditors should have the same oversight, scrutiny and, as necessary, direct contact with the audit committee that the home auditors have.

6. There needs to be zero tolerance by the board, communicated to each employee and supplier. The UK is even banning facilitating payments, which are regarded as a “tip,” as these may be bribes in disguise.

Companies and politicians are feeling the pain, including on Canadian shores. The Wal-Mart bribery probe has widened beyond Mexico to include China, Brazil and India. The RCMP is investigating the SNC Lavalin bribery allegations, on which I advised a law firm suing the company. I blogged about Sino-Forest, a case of alleged Chinese fraud by a Canadian-listed company. In Quebec, the corruption inquiry has cost the Mayors of Montreal and Laval their jobs and this is only the beginning. There are allegations of kickbacks in cash that may reach other more senior politicians. And Ontario is not immune either. A senior Canadian director remarked that Ontario has a reputation for being “the best place to carry out a stock fraud in the industrialized world.”

Clearly, more work needs to be done. Canada’s corruption ranking on Transparency International may go down in 2012 instead of up.

Banking Directors Need to be at the Top of Their Game

There’s an old maxim that corporations don’t fail, boards do. And when banks fail, the reason is poor management, which is the fault of a poor board.

Take the case of Lehman Brothers, the financial services firm that collapsed in 2008 and played a big role in the global economic downturn. Stanford University professors David F. Larcker and Brian Tayan noted that Lehman’s board was lacking financial services experience and current business acumen. In fact, the former CEOs on the board were, on average, 12 years into their retirement. “This raises the question of whether the professional experiences of Lehman board members were relevant for understanding the increasing complexity of financial markets,” wrote Larcker and Tayan.

Well, the job of a bank board isn’t getting any easier. Following the financial downturn, banks have been placed under greater scrutiny and new regulations, both in Canada and abroad.

That’s why, more than ever, banking board directors need to be at the top of their game.

Last week, I spoke to bank directors in Dallas, Texas, about banking governance best practices as a result of a review that I had conducted for the Office of the Superintendent of Financial Institutions. (OSFI is Canada’s banking regulator.) Specifically, I looked at Canada’s governance guidelines and board assessment criteria and compared them with international financial regulatory practices and recent developments. I provided OSFI with suggestions for revisions.

Some proposed board reforms for Canada’s deposit-taking institutions and insurance companies under the new guidelines include:

  • Having directors who possess risk management and relevant industry experience;
  • A risk committee that oversees enterprise risks, and a chief risk officer who reports directly to this committee and the board;
  • Board approval of the internal control framework to mitigate all material risks to the financial institution, and board monitoring of internal control effectiveness;
  • Expert third party reviews of the board’s effectiveness, risk management effectiveness, and effectiveness of oversight functions (such as internal audit), with results reported to the board;
  • Enhanced director orientation and training, self assessment and external reviews;
  • A board-approved risk management statement that translates into cascading limits and thresholds for all material business risks (e.g., credit limits, loan losses, capital levels);
  • Internal audit reporting directly to the audit committee; and
  • The audit committee, not management, approving the scope of the external auditor’s engagement and fees.

When I asked for a show of hands as to how many banking directors adopted at least some of the above best practices, about half the hands went up.

However, it’s apparent that many boards aren’t prepared for a new era of banking regulations.

Remember the JPMorgan board of directors that oversaw the derivative failure that cost the bank several billion dollars? Well, here is the current board. Last I checked, not a single director other than the CEO had banking experience. This is wrong.

In 2009 and 2010, there were a total of 297 bank failures in the U.S., according to the Federal Deposit Insurance Corporation. In the second quarter of this year, the FDIC identified 732 “problem” banks that are at risk of failing.

At the event in Dallas, one of the speakers brought up a good point. “Don’t get involved in something you don’t understand,” said Charles G. Cooper, commissioner of the Texas Department of Banking. He added: “The duties haven’t changed, but the topic is harder.”

And he’s right. That’s why it’s vital that banking boards are well-equipped with qualified directors for this increasingly complex environment.


New financial services governance guidelines for Canada: Analysis & summary

The proposed OSFI corporate governance guidelines have been criticized for blurring the line between the board and management and for adopting a ‘one size fits all’ approach. This is hardly surprising: it is the criticism levelled at many governance regulations over the last twenty years, along with cost, as boards have become more active.

The OSFI guidelines have not changed in almost 10 years. In full disclosure, I was asked by OSFI to a) conduct a review and assessment of OSFI’s 2003 Corporate Governance Guideline and the Board Assessment Criteria against other international financial regulatory practices and recent developments or recommendations, and b) provide suggestions for future revisions after taking into consideration current global governance developments, including those related to financial institutions.

I reviewed 57 codes in total for OSFI, carefully tracking developments globally since the financial crisis. There are four major changes (among others) since the 2003 guidelines as follows:

1. Boards of federally-regulated financial institutions (FRFIs) will need to have risk and relevant financial industry expertise represented on their board. This is entirely reasonable and codifies what good boards already do in the competency matrix approach that I recommended to the OSC in 2005. The notion that a board such as JPMorgan’s should have no independent directors with banking experience, for example, can have dire consequences when approving complex products and risks that directors do not understand for want of expertise. OSFI is not being overly prescriptive, only saying it desires “reasonable representation” of risk and financial industry expertise, leaving it to FRFIs to define and determine. It is not unreasonable to have risk and industry expertise on the board of a financial institution.

2. Independent third parties should be retained to assess the board, risk management and oversight functions. This does not mean the board is “managing,” but rather that the board gets to see an objective view other than management’s. Management is conflicted in assuring its own work and the board should not be beholden to this. The board should be free at any time to commission an independent review of any material risks or internal controls. This puts the heat on management, as a third party will be reviewing at some point. If management is doing its job, it should welcome this input. This proposal can be criticized for “offloading” oversight to outsiders, but with hundreds of FRFIs that carry the deposits and insurance of Canadians, independent reviews from time to time are a fail-safe.

3. The board may need to have a dedicated risk committee and reporting function (e.g., a CRO), and should approve a risk appetite framework (RAF) with cascading tolerance limits and implementation. This puts the heat on boards to know and understand the risks of their institution, and on management to translate that into thresholds complied with throughout the organization. At pages 19-20 of the draft guideline, OSFI sets out guidance on what the RAF should contain, with areas and examples of best practices. It is not unreasonable for the board to approve risk, given examples of what this actually entails. The OSC 2005 guideline (NP 58-201) is now out of date because its treatment of risk is only a few lines: namely that the board should identify the principal risks and ensure implementation of appropriate systems to manage these risks, which is vague at best and wholly inadequate at worst.

4. Lastly, the CFO, head of internal audit and appointed actuary (for insurance companies) should have a direct reporting line to the audit committee, and the audit committee should approve the external audit fees and scope. Not only is this best practice internationally, but I would also add, as OSFI similarly goes on to write, that the audit committee should have private sessions with internal audit, external audit and the appointed actuary at every audit committee meeting. The audit committee should also approve the internal audit work plan, budget and independence, and the appointment and compensation of its head.

Overall, the draft OSFI guidelines are proportionate, pragmatic and reflect leading practices (e.g., the G30, Walker and OECD reports and the Basel principles). Canada has a very well-regulated financial services sector that some say is the envy of the world. These new corporate governance guidelines will help ensure that this fiscal prudence and stewardship continues.

E. Coli, Contaminated Beef and Shoddy Governance

I interviewed an independent director of Canadian food retailer Loblaws about risk, and he told me the most important risk for Loblaws that could cause a ‘run on the bank’ (his words) was food safety. Food safety was front and center in his mind, and in the minds of each of the other independent directors and of management. It seems the management of XL Foods Inc., which is owned by Nilsson Brothers Inc., has not figured this out. “Governance” does not even appear on their sparse website. Safety does, in a general way, here. Neither company appears to have any independent directors.

Contrast this with the other major beef processor in Canada, Cargill Ltd., which is owned by Cargill, Inc. in the U.S. See Cargill’s commitment to food safety here; their “ethics open line” here; their core competencies that include supply chain and risk management here; and that their board has six independent directors and five managers, according to Wikipedia. (Their 2008 accountability report stated a third of the board were independent directors.) Cargill claims to be the largest private company in the U.S. in terms of revenue. Although private companies like Nilsson Brothers and Cargill are not required to have independent directors, forward-thinking ones do. See McCain Foods here. Independent directors bring objectivity and an external perspective into the boardroom. They are honest brokers to keep an eye on management. A good independent board will not prevent a disaster but almost always will lessen its likelihood.

According to the Mayo Clinic, the most common way to acquire an E. coli infection is by eating contaminated food such as ground beef: “When cattle are slaughtered and processed, E. coli bacteria in their intestines can get on the meat. Ground beef combines meat from many different animals, increasing the risk of contamination.”

The way you mitigate food safety risk is through internal controls, including segregation of duties, restricted areas, approval, records and reconciliations – and a culture of food safety and not cutting corners. Management is inherently conflicted in assuring such controls, and internal controls cost money. This is the reason for government inspectors and, most importantly, a competent and independent board of directors to approve the control regime to begin with.

I am heading to Calgary next week to give speeches on internal controls and risk to the directors of Livestock Identification Services Ltd., as well as to directors of a few other beef industry groups, including a newly formed national beef agency called Canada Beef Inc. I have given speeches to farmers in the U.S. and am going again to Colorado in November to talk to CEOs and director-farmers about the latest trends in corporate governance, risk management and internal controls. Good agri-businesses take governance very seriously.

Risk management and internal controls are not profit-producing activities per se. No one likes to be controlled, least of all entrepreneurial employees. However, ask yourself whether defective internal controls are worth the price, reputationally and financially. Do you think XL Foods has taken a financial and reputational hit because of the tainted beef? What about the farmers coping with a price decline? What about Maple Leaf Foods? Most importantly, what about the health and safety of customers? It can indeed be a run on the bank if consumers don’t have confidence, and it can get worse unless governance checks are put in place.

See the long list of beef recalled here from the Canadian Food Inspection Agency, and the update from the USDA Food Safety and Inspection Service, here. Recall that the American inspectors detected the tainted beef before Canadian inspectors did. Rather than prioritizing the re-opening of XL Foods by the federal agency, the premier of Alberta, Alison Redford, should insist that food safety for all Canadians (and consumers in America and other countries too) is number one. Then, and only then, should XL Foods be re-opened. Tainted beef from Alberta seems to be a pattern. And the Prime Minister should reform the governance of the Canadian Food Inspection Agency to require independent directors and an independent chair (it appears not to have either on its website here and here), like many other federal or provincial agencies. Maybe it’s also time that some private companies that affect a broad swath of the population should be required to have independent directors too.


The Enbridge Oil Spill and Role of the Board

In a scathing report by the National Transportation Safety Board (“NTSB”), Canadian company Enbridge Inc. was rebuked for its pipeline rupture on July 25, 2010, and subsequent environmental damage. The pipeline ruptured due to corrosion fatigue cracks that grew and coalesced from multiple stress cracks.

The oil flow continued for 17 hours, according to the report. The oil saturated the wetlands in Michigan. Clean up continues with costs exceeding $767 million. The total release was estimated to be 843,444 gallons.

Enbridge CEO Patrick Daniel said on the news that evening that Enbridge had complied with all regulations.

If this is the case, then the regulations were defective or not enforced. They were, and the NTSB is addressing this.

Some of the highlights of the NTSB’s report, so far as Enbridge is concerned, include:

– Enbridge’s integrity management program was inadequate.

– Enbridge failed to train staff and failed to ensure staff had adequate knowledge, skills and abilities to address pipeline leaks.

– Enbridge’s staff placed inadequate reliance on indications of a leak, including zero pressure.

– Enbridge had a culture that accepted not adhering to procedures, including the requirement for a pipeline shutdown after 10 minutes of uncertain operational status. [This is perhaps the most damning conclusion from the report.]

– Enbridge’s review of its public awareness program was ineffective.

– Enbridge’s emergency response demonstrated a lack of training in the use of effective containment methods.

– Enbridge’s facility response plan did not identify and ensure that resources were available to respond to the pipeline release in this accident.

– Enbridge’s failures in respect of the above items were organizational failures that resulted in the accident and increased its severity.

What can we learn from Enbridge, from a governance, research and risk perspective?

– The Board Chair, Mr. David Arledge, has served on the Enbridge board for 10 years.

– The Chair of the Corporate Social Responsibility Committee, whose mandate includes oversight of Enbridge’s risk management guidelines applicable to the environment and health and safety, Mr. James Blanchard, has served on the Enbridge board for 12 years.

– Mr. George Petty, also a member of the CSR committee, has served on the Enbridge board for 11 years.

– Other countries are moving towards tenure limits for directors of 9 years, because of the effect that prolonged tenure could have on director independence.

– Mr. Dan Tutcher, also a member of the CSR committee, was formerly an employee of a subsidiary of Enbridge.

– The final CSR committee member, Ms. Maureen Kempston Darkes, has served on the Enbridge board for almost 2 years.

– A majority of CSR committee members (three of four members) would be regarded as “busy” directors (generally 3 or more boards).

– Enbridge would be regarded as a “busy” board, with a majority of directors (11 of 13 directors) holding multiple board seats (generally 3 or more), including the CEO, Patrick Daniel.

– Enbridge’s CEO, Patrick Daniel, appears to be serving on seven other private and public boards. More than half of S&P 500 companies limit outside directorships for their CEO, a policy not widely in effect a few years ago, according to Stanford researchers.

– Companies with busy boards tend to have worse long-term performance and oversight, according to the research.

– Enbridge has a large board (13 directors). Larger boards tend to provide worse oversight (when company size is held constant), according to the research.

– For the Enbridge directors serving on the CSR committee who have not worked at Enbridge, environment and health and safety (or related competencies such as sustainability) are not listed as areas of expertise within their website bios, or in regard to committee membership, it would appear. Other natural resource companies and boards in Canada are addressing director competencies specifically. For example, “Sustainable Business Practices” and “Corporate Social Responsibility” are forming main areas of expertise or are on a skills and experience matrix.

Good boards, after the BP spill, pressed management to demonstrate how BP could not happen to them, and to correct any deficiencies whatsoever, such as several of the above-mentioned items as applicable (training, resources, fatigue of equipment, crisis response, etc.). Good boards insist on stress testing, crisis planning, and a comprehensive and robust risk management system. And, most importantly, there is no tolerance whatsoever for deviating from a culture of integrity, health and safety.

I taught a case last week to my corporate governance class based on Hydro One’s Enterprise Risk Management program. The role of the board and CEO is critical, if not essential, to risk culture and effectiveness. Hydro One specifically mentioned, in a video I showed to my students, how the company factors transmission line aging and fatigue into a comprehensive risk management system. Workshops and stress testing occur within a comprehensive reporting and assurance system, right up to the board of directors.

Bribery, Cyber-Security and Derivatives: Is Internal Audit up to the Task?

Do internal auditors have the resources, skills and authority necessary to do their job? I wonder. I was asked recently to be an expert witness in an alleged bribery case. Internal audit is one of the first places I look to when assessing governance failure because they are the eyes and ears of the board.

I asked a question recently at two auditing conferences I spoke at. How many auditors use Twitter? In both cases, only one hand went up. Yet we know cybercrime is widespread, is under-reported, and management may not even know it is happening. It is a top concern of boards. How can internal auditors assure internal controls – not only over cyber-security but social media – when they themselves may be technically illiterate? IT literacy and data mining were two of the top skills required by internal auditors in a recent survey.

What about derivatives used by traders? How many auditors understand the use of derivative products such that they can attest to the internal controls over their use? The responses I received from my audiences were not encouraging.

What about corruption risk? How do auditors treat working notes, delegation to foreign auditors, language barriers, and do they even understand foreign practices? Do they visit the jurisdiction or audit from an office in Canada? The OSC came out with a scathing report recently about emerging market risks, chastising not just boards but the audit and underwriting professions.

What about fraud? Evidence from The Conference Board is that many whistle-blowing programs don’t work and aren’t used. Now whistle-blowers can go directly to the SEC in Washington, completely by-passing possible retaliation, flawed investigations or toxic workplaces.

Auditors cannot choose which internal controls they validate. Regulatory authorities are clear: every activity of every entity should fall within the scope of the internal audit function. This includes compensation structure of risk-takers. Combined assurance over all material risks should be undertaken.

Management may have a vested interest in starving internal audit or compromising its objectivity with management responsibilities. Regulators have been clear here also: auditors, both internal and external, must maintain their independence from audited activities. They cannot assess their own work.

If the internal audit function is weak, or the chief audit executive does not have the experience or stature, or management disregards internal audit findings, this is the fault of the audit committee and the board. The audit committee should approve the head of internal audit, his/her compensation structure, the budget, work-plan and most of all the independence of the internal audit function. If the audit committee and ultimately the board does not ensure this, it is not doing its job. When or if governance failure happens, scrutiny will follow.

Derivatives May be Ungovernable

The recent loss of $2 billion by JPMorgan confirms what is now a blindingly obvious governance reality. Boards of directors do not understand derivatives and cannot control management’s use of them. The same may be said for regulators.

One job of a board is to identify risks and ensure a proper system of risk management. If you cannot do this, you should not be on a board. This means that a director needs to assess the adequacy of the design and effectiveness of internal controls to mitigate the risks. Of the over 300 interviews I have undertaken in my research, including directors of large banks, only one director claimed to understand complex derivatives. How can directors assess internal controls when they do not understand the very instrument itself?

Other than Jamie Dimon, CEO of JPMorgan, not a single director of the board has any experience in banking. See the roster of directors here. Even if some directors were from the sector, it is debatable whether they would still understand the complexities of these products. For a basic explanation of what derivatives are, see here. U of T Rotman professor John Hull, a derivatives expert, has stated in an email to me “There is no question in my mind that a large financial institution should have on its board people (perhaps 2 or 3) who understand derivatives and other complex financial products.” Unless bank boards that oversee derivatives are prepared to have subject matter experts on their board who can effectively question management and insist on proper risk controls, other governance or oversight structures are needed.

Not only are boards incapable of controlling derivatives, but regulators may not be any better. Warren Buffett has said “Central banks and governments have so far found no effective way to control, or even monitor, the risks posed by these contracts. In my view, derivatives are financial weapons of mass destruction, carrying dangers that, while now latent, are potentially lethal.” See Warren Buffett on Derivatives.

The question is what have we learned from 2008? Banks are bigger than ever, with most American mortgages concentrated in only a handful of banks, yet the risky bets and use of complex derivatives continue. Harvard law professor Elizabeth Warren yesterday called for a new version of the Glass-Steagall Act. Yet independent Senator Bernie Sanders pronounced that Wall Street “runs” the Senate, implying that any attempt at further regulation would be forestalled. Mitt Romney has vowed to unwind Dodd-Frank on his first day as President. Look at the long list of political donations made by JPMorgan in 2011, here. And this is just one bank.

If derivatives are going to continue, regulatory conflicts of interest need to be addressed and boards need to have the directors with the expertise to oversee them.

SNC Lavalin and RBC in the News

If the CEO of SNC Lavalin allegedly over-rode his own CFO and breached the company’s code of ethics in authorizing $56 million of questionable payments to undisclosed agents that the federal Canadian police are now investigating, did the board of directors of SNC Lavalin have a role to play?

If the RBC (formerly Royal Bank of Canada) is alleged by a US regulator to have made “material false statements” in connection with non-arms length trades, reported in the Wall Street Journal to be “a scheme of massive proportion,” did the board of directors of RBC have a role to play?

The answer is “it depends” in these and similar cases. Speaking generally, as all allegations have yet to be proven, it is not credible to argue that boards do not have a role to play in compliance and reputational oversight. A board is the only body that has the legal authority and power to control management and designate all compliance and control systems. It alone acts or fails to act. A board is paid, handsomely paid at the senior-most levels in Canada, to take all reasonable steps consistent with best practices, to ensure that it does know.

More regulation now, such as the UK Bribery Act and the SEC Whistle-Blower Rule, is attempting to hold directors responsible and accountable for failing to direct proper anti-corruption and whistleblowing systems. The SEC rule enables employees to report wrongdoing directly to the regulator, thereby completely bypassing toxic work cultures where whistleblowing is neither independent nor anonymous. This legislation is putting the heat on boards and senior management, or at least it should be.

The Ontario Securities Commission last month released a scathing report about governance, risk management, internal control and auditing failures in companies operating in emerging markets.

In SNC Lavalin’s case, how could anomalous payments of this magnitude and internal controls be allegedly manually over-ridden, as is being reported, and would payments of this nature require explicit board or committee approval? SNC’s own internal report reveals a lack of disclosure of contracting parties and improper documentation and passwords. The board chair, Gwyn Morgan, said that the board wasn’t “able to really determine the use of those payments.” Back in 2010, federal minister Stockwell Day had signaled that certain aspects of SNC’s pricing were “absolutely unacceptable.”

The former CEO, Pierre Duhaime, is receiving almost $5 million. A portion of this is stock options awarded before an independent review was completed, as is reported in the press. Basel includes (at page 38 of this report) a malus scheme whereby vesting occurs only if there is no breach of the code of conduct. Boards may wish to consider comprehensive – and independently drafted – malus or clawback clauses that include similar provisions.

It may be highly unlikely for fraud, bribery or ethical breaches to occur in a vacuum. Employees may have knowledge. The 2011 National Business Ethics Survey reveals that those who reported bad behavior they saw reached a record high of 65% and retaliation against employee whistleblowers rose sharply to more than one in five employees. The Conference Board’s Directors Notes, in “Lessons for Boards from Corporate Governance Failures” (see the PDF at page 3), reveals defects in whistleblowing systems that include lack of anonymity, lack of independence, lack of communication and training, lack of incentive, and lack of a proper investigation. These defects are exactly what the SEC rule is designed to address. As Chairwoman Schapiro has argued, “I find that many of the business ethics problems severe enough to be investigated by us are the result less of individual greed than of individuals succumbing to pressure from their peers.”

Whistle-blowing defects may be faults of a board. If a board is getting its information only from management, this is a red flag. Management may not even possess accurate knowledge, as we see in cybercrime. Independent assurance over anti-fraud and whistle-blowing procedures must occur for any prudent board. And “independence” does not mean the company auditor or legal counsel who assess their own or their firm’s work, nor any firm who does, has done, or seeks to do work for company management. Any assurance provider in this area could likely recommend action adverse to incumbent management or service providers.

Directors and boards themselves also need to step up. This includes international directors, moving board meetings to emerging markets, understanding corrupt business practices, structured deep engagement by directors, receiving third party assurance and disconfirming information (including culture surveys), and using alerts and social media. See “What Better Directors Do,” by NACD Directorship.

Both SNC Lavalin and RBC received governance recognition and were among the top twenty-five companies in the Globe and Mail’s Board Games for 2011. SNC Lavalin was the 2007 award winner from the Canadian Coalition for Good Governance.

The question, therefore, is: could occurrences such as these happen on other boards of directors? If you are a director on a board and cannot reasonably answer “no” to this question, perhaps you should consider some of the above recommendations.