One of the board’s key responsibilities is the oversight of a company’s conduct, including the strength of its culture and the effectiveness of its ethics & compliance (E&C) program. In recent years, that responsibility has become even weightier. Recent corporate scandals, such as Volkswagen, Unaoil, and Mitsubishi Motors, have created public skepticism about business ethics, and policy makers have responded with a new emphasis on accountability for both companies and responsible individuals, including directors who are either negligent in preventing fraud or willingly participate in it. Enforcement agencies now scrutinize a company’s E&C efforts before making prosecutorial decisions by inquiring about board oversight in the company’s approach to E&C.
Organizations around the world invest tremendous resources to establish internal E&C programs and prevent corporate wrongdoing. Although E&C was historically a U.S. focus, a number of international standards have heightened the importance of E&C programs globally: the UK Bribery Act; the new International Organization for Standardization (ISO) 19600 Compliance Management System Guidelines; and the OECD Anti-Bribery Convention.
Directors observe these developments and scratch their heads. What does an effective E&C program look like? How can we succeed with E&C without stifling our business? What is the board’s role in E&C oversight? Has any organization gotten it right?
There is good news for directors. There are exemplary organizations—representing a wide variety of sizes, sectors, and industries—that have raised the bar even higher than mere compliance with the law. These organizations have transformed their workplaces through their E&C efforts to yield stronger, more positive results. And even better, there is now a framework to help directors guide their own organizations in establishing such an E&C program.
The Framework: Principles and Practices of High-Quality E&C Programs
In May 2015, the Ethics & Compliance Initiative (ECI) convened a group of 24 thought leaders with E&C program experience, including corporate directors, former deputy attorneys general, former members of the United States Congress, business executives, senior E&C practitioners, and academics. The panel produced a new report with leading principles and practices for effective E&C program implementation: Principles and Practices of High-Quality Ethics & Compliance Programs. The report includes five key principles practiced by organizations not satisfied with “minimum” E&C efforts; these organizations are referred to in the report as high-quality programs (HQPs). The principles, which should be tailored to each company’s individual circumstances, are adapted below from the original report:
Principle 1: Ethics and compliance is central to business strategy.
E&C is both a function on the organizational chart and is considered to be an essential element within every operation.
A high standard of integrity and compliance is articulated as a business objective, and every strategic decision is evaluated for alignment with the organization’s values and standards.
An HQP ensures compliance with law and regulation, and is resourced to help leaders across the organization understand their critical role in setting and meeting the standard for integrity.
The E&C program is expected to provide an independent voice, and regularly updates the board on E&C objectives, risks, and progress.
HQP staff maintains excellence by dedicating themselves to continuous improvement in E&C through innovation, engagement with stakeholders (inside and outside the organization), and consistent consideration of employee feedback.
Principle 2: Ethics and compliance risks are identified, owned, managed, and mitigated.
While organizational values are the heart of any E&C program, risk assessments provide the foundation upon which HQPs are built.
E&C staff collaborates across the organization to support a risk assessment process that identifies, prioritizes, and mitigates risk consistently.
Compliance performance, strength or weakness of organizational culture, employee willingness or fear to report, and other key E&C areas are evaluated and reported to the board as potential risks to the organization.
Leaders at all levels assume ownership for the ongoing identification and mitigation of risks that are relevant to their areas, both inside and outside the organization.
The board is regularly briefed on emerging E&C risks and how the E&C program is monitoring and mitigating risks where necessary.
Principle 3: Leaders at all levels across the organization build and sustain a culture of integrity.
Culture is the largest influencer of business conduct, and leaders are recognized as the primary drivers of that culture.
Leaders throughout the organization are committed to, and responsible for, making ethical conduct and decision making central to the organization and its operations.
The board assumes responsibility for evaluating the performance of senior management in providing ethical leadership and setting a proper tone at the top.
HQPs equip managers and supervisors with the support needed to make those values relevant to their day-to-day operations.
Recognizing that employees at all levels make ethics-related choices every day, HQPs provide resources, guidance, and training that emphasizes to all employees the importance of acting in accordance with shared values, seeking help, and speaking up.
Principle 4: The organization encourages, protects, and values the reporting of concerns and suspected wrongdoing.
HQPs focus on establishing an environment where issues can be raised long before situations are elevated to the level of misconduct.
HQPs prepare leaders and supervisors to respond appropriately if/when employees do come forward with concerns about wrongdoing.
Managers understand the impact of their actions, and HQPs hold them accountable for contributing to a culture that does not support the reporting of concerns.
There are focused efforts to prevent and deter retaliation.
HQPs treat all those who report violations fairly and consistently, and effectively support employees who report suspected violations.
The board is regularly briefed on high-level trends in employee reporting, and management is expected to be transparent with the board when substantive “bad news” transpires.
Principle 5: The organization takes action and holds itself accountable when wrongdoing occurs.
Investigations are timely, neutral, thorough, competent, and consistent.
When a violation is confirmed, the organization responds with appropriate consequences, regardless of the violator’s position within the company.
The organization maximizes learning from every substantiated case of wrongdoing.
HQPs recognize that technology has increased reputational risk.
HQPs have well developed systems for escalating issues, with regular testing for crisis management and response.
When appropriate, HQPs disclose issues to appropriate regulatory and government authorities and work cooperatively to respond to their concerns.
The board is well informed when substantive issues arise that require organizational accountability to stakeholders.
As corporate directors know better than anyone, there is no one approach to effective ethics and compliance. Each company’s circumstances are unique; therefore, their E&C programs must vary accordingly. But there are some universals among organizations that “get it right,” particularly when it comes to implementing a proper E&C tone at the highest levels of the organization. The board has an essential role in setting the expectation that the organization will not be satisfied with upholding only the minimum standard. Understanding the principles and practices that characterize leading E&C practice will help board members engage with management to ensure that the highest standard of integrity is seamlessly aligned with the performance of the organization overall.
Patricia Harned is CEO of the Ethics & Compliance Initiative (ECI) and frequently speaks and writes about workplace ethics, corporate governance, and global integrity. Ronnie Kann is executive vice president of research and program development at ECI, having served chief ethics and compliance officers, general counsel, and chief human resource officers throughout his career. Harned and Kann both contributed as authors to the ECI report Principles and Practices of High-Quality Ethics & Compliance Programs. The Ethics & Compliance Initiative (ECI) empowers its members across the globe to operate their businesses at the highest levels of integrity. ECI provides leading ethics and compliance research and best practices, networking opportunities, and certification to its membership, which represents more than 450 organizations across all industries. ECI is comprised of three nonprofit organizations: the Ethics Research Center, the Ethics & Compliance Association and the Ethics & Compliance Certification Institute. www.ethics.org
Every corporate director knows the importance of M&A in the grand scheme of enterprise. With some 40,000 significant transactions announced annually, M&A is hard to ignore. Yet there are persistent risks that directors need to understand and mitigate through insightful questions and the dialogue that ensues.
Risk: Not all bets will pay off—at least not right away. Buying a company means placing a bet on the future. Given the level of unpredictability involved, there is some chance that the merger will fail to achieve its goals and/or fail to return incremental value to shareholders. It is commonly cited that “80 percent of all mergers fail” to add value; however, this percentage is an exaggeration. Event studies that compare transactions over time present a more realistic picture by showing that incremental financial value is not assured. For example, a study conducted by Kingston Duffie, publisher of the digital magazine Braid, indicates that companies actually lost 4.8 percent of their value when they spent at least five percent of their market capitalization on M&A during the 18-month period between October 2014 and March 2016. The interactive graphic included in the study shows differentiated performance during the period—high for Stamps.com Inc., medium for Starwood Hotels & Resorts Worldwide Inc., and low for EV Energy Partners. Your company could experience returns like any one of these.
Question for Directors: If this merger ends up having a slightly negative result for our shareholders, what are the compelling strategic reasons to do this deal? When do we believe that deal synergies will materialize?
Risk: As a director, you could be named in a lawsuit—especially if you are voting on the sale of a company. In 2015, lawsuits were brought in 87.7 percent of completed takeovers. Although most cases settle, some do go to trial. In a trial setting there are four main standards for judging director conduct in the sale of the company, ranging from lenient to stringent:
The business judgment rule (trusting the decision as long as directors have no conflicts of interest and are reasonably well informed).
The Unocal standard (protecting anti-takeover moves only if a threat is real).
The Revlon standard (requiring an auction process once a company is in play).
Entire fairness (requiring both a fair price and a fair process).
In addition, when a company has promised its shareholders the right to have the company appraised, the court itself can impose its own valuation. In the original Dell go-private transaction, the court retroactively forced the company to pay aggrieved stockholders what the court deemed to be a missing increment to their premium.
Question for Directors: How can we find assurance that the sale is in the best interest of the company and its owners, and that we have chosen an optimal price? How can we ensure that there is a litigation-ready record of our deliberations in this regard?
Risk: You could lose your board seat. According to a study by Kevin W. McLaughlin and Chinmoy Ghosh of the University of Connecticut, there is a higher rate of retention for directors from the acquiring firm (83 percent) following a merger, with the most likely survivors being individuals who serve on more than one outside board. Only about one-third of directors from the target board (34 percent of the inside directors and 29 percent of the outside directors) continue to serve after the merger.
This October, when Dell Inc. and EMC Corp. officially merge (assuming full regulatory clearance following their recent shareholder approval), many who serve on the EMC board may not be on the post-merger Dell board, including retiring EMC Chair-CEO Joe Tucci. When the merger was first announced last October, a spokesman for Elliott Management Corp. stated in a press release, “Elliott strongly supports this deal. As large stockholders, we have enjoyed a productive and collaborative dialogue with Joe Tucci and EMC’s Board and management. We are confident that this Board has worked tirelessly to evaluate all paths for the company and that today’s transaction represents the best outcome for stockholders.”
Saying goodbye to some or all of these incumbents this fall will seem to be an ironic outcome for creating value. And yet that is how it must be. Fiduciaries are not self-serving, but rather they serve on behalf of shareholders to promote the best interests of the company. As such, they need to be ready to move on when that is the best outcome for the corporation. Still, it is disruptive (and not always creatively so) to be a trusted voice of wisdom for the future one day, and mere history the next.
Question for Directors: If we sell this company and our board must merge or disband, who among us will be most useful in steering the combined company in the next chapter?
These are not easy questions. But by asking them, directors can help their companies beat the tough M&A odds.
Recently, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated enterprise risk management (ERM) framework for public exposure and comment. Why is it important for directors to heed and apply these updates to their work? What follows is a summary of five important insights for directors to implement in the boardroom from the revised framework.
1. Identifying risks to the execution of the strategy is not enough. Many organizations focus on identifying risks that might affect the execution of the chosen strategy. The process of identifying these risks is an inherently good exercise. However, COSO asserts that “risks to the strategy” are only one dimension of strategic risk. There are two additional dimensions to applying ERM in strategy setting that can significantly affect an enterprise’s risk profile.
The “possibility of strategy not aligning” with an organization’s mission, vision, and core values, which define what the organization is trying to achieve and how it intends to conduct business. Directors should ensure that the company doesn’t put into play a misaligned strategy that increases the possibility that the organization may run askew of its mission and vision, even if that strategy is successfully executed.
The “implications from the strategy.” COSO states: “When management develops a strategy and works through alternatives with the board, they make decisions on the tradeoffs inherent in the strategy. Each alternative strategy has its own risk profile—these are the implications from the strategy.” When overseeing the strategy-setting process, directors need to consider how the strategy works in tandem with the organization’s risk appetite, and how it will drive behavior across the organization in setting objectives, allocating resources, and making key decisions.
In summary, the updated COSO framework asserts that all three dimensions need to be considered as part of the strategy-setting process. Failure to address all three could result in unintended consequences that lead to missed opportunities or loss of enterprise value.
2. Recognizing and acting on market opportunities and emerging risks on a timely basis is a differentiating skill. COSO asserts that an organization can be viable in the long term only if it is able to anticipate and respond to change—not only to survive, but also to evolve. Enterprise resilience, or the ability to function as an early mover, is an indispensable characteristic in an uncertain business environment. Therefore, corporate strategies must accommodate uncertainty while staying true to the organization’s mission. Organizations need to exhibit traits that drive an effective response to change, including agile decision-making, the ability to respond in a cohesive manner, the adaptive capacity to reorganize, and high levels of trust and collaboration among stakeholders.
3. Strengthening risk governance and culture sets the right tone. Effective risk governance sets the tone for the organization and reinforces the importance of, and establishes oversight responsibilities for, ERM. In this context, culture pertains to ethical values and responsible business behaviors, particularly those reflected in decision-making. COSO asserts that several principles drive the risk governance and culture needed to lay a strong foundation for effective ERM:
fostering effective board risk oversight;
recognizing the risk profile introduced by the operating model;
encouraging risk awareness;
demonstrating commitment to integrity and ethics;
establishing accountability for ERM; and
attracting, developing, and retaining talented individuals.
Whether an organization considers itself risk averse, risk neutral, or risk aggressive, COSO suggests that it should encourage a risk-aware culture. A culture in alignment with COSO’s revised principles is characterized by strong leadership, a participative management style, accountability for actions and results, embedding risk in decision-making processes, and open and positive risk dialogues.
4. Advancing the risk appetite dialogue adds value to the strategy-setting process. The institution’s risk appetite statement is considered during the strategy-setting process, communicated by management, embraced by the board, and integrated across the organization. Risk appetite is shaped by the enterprise’s mission, vision, and core values, and considers its risk profile, risk capacity, risk capability, and maturity, culture, and business context.
To be useful, risk appetite must be driven down from the board and executives into the organization. To that end, COSO defines the “acceptable variation in performance” (sometimes referred to as risk tolerance) as the range of acceptable outcomes related to achieving a specific business objective. While risk appetite is broad, acceptable variation in performance is tactical and operational. Acceptable variation in performance relates risk appetite to specific business objectives and provides measures that can identify when risks to the achievement of those objectives emerge. Operating within acceptable parameters of variation in performance provides management with greater confidence that the entity remains within its risk appetite; in turn, this provides a higher degree of comfort that the entity will achieve its business objectives in a manner consistent with its mission, vision, and core values.
5. Monitoring what really matters is essential to effective ERM. The organization monitors risk management performance and how well the components of ERM function over time, in view of any substantial changes in the external or internal environment. If not considered on a timely basis, change can either create significant performance gaps vis-à-vis competitors or can invalidate the critical assumptions underlying the strategy. Monitoring of substantial changes is built into business processes in the ordinary course of running the business and conducted on a real-time basis. As ERM is integrated across the organization, the embedding of continuous evaluations can systematically assist leadership with identifying process improvements.
Following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Is the board satisfied that the organization is adaptive to change, and that management is considering the effects of volatility, complexity, and uncertainty in the marketplace when evaluating alternative strategies and executing the current strategy?
Should management consider the principles supporting effective implementation of ERM, as set forth by COSO, to ascertain whether improvements are needed to the enterprise’s risk management capabilities?
Jim DeLoach is managing director with Protiviti, a global consulting firm.