As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.
Here’s a closer look.
A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a culture of dysfunction inculcates a flawed business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.
Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:
understand the overall working environment;
identify the unwritten norms and rules governing employee interactions and workplace practices;
highlight possible barriers to an effective internal environment and communication flow;
report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
make recommendations to address identified problems.
Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.
Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-of-class performers due to underperforming business processes, the internal audit function can improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization to continuously improve its operations.
Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.
Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:
Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.
Internal audit should determine whether a cost-effective monitoring process is in place that addresses the top compliance risks and can assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.
In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?
Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than costly, system-wise protection measures resulting in lack of attention to the most important assets, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.
By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.
A company’s human capital can be a complicated area of oversight for any board, especially when attentions must be turned to the top spot in the C-suite. Here, directors must ensure that the company is attracting and retaining the next generation of leading talent that will realize the company’s future success while setting a tone that promotes integrity throughout the organization.
A daunting task, yes, but one that’s not insurmountable.
The National Association of Corporate Directors (NACD) invited Blair Jones, a managing director at Semler Brossy Consulting Group, and Craig Woodfield, a partner at Grant Thornton and leader of the firm’s audit services practice, to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.
Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.
What is the compensation committee’s role in succession planning and talent development?
Blair Jones: While responsibility for succession planning ultimately rests with the full board, there are a number of things the compensation committee can do from a process perspective to support this objective.
First, the committee can look at leadership competencies and the overall leadership development process. The succession plan needs to be supported by a pipeline of talent throughout the organization. And the committee needs to know how that pipeline is developed—be it on-the-job mentoring, developmental role assignments, action learning programs, individual coaching, or relationships with business schools. Consider bringing in a leader who has been involved in these leadership development programs to speak about their experiences.
Second, the compensation committee can spend time with high potential candidates at board dinners and through individual meetings. When the committee is determining end-of-year pay decisions, the CEO typically reviews people. Having met some of these individuals, it’s easier to participate in a discussion of what’s being done to take them to the next level. The committee can also make sure that the pay decisions actually fit the directions coming out of the succession planning process.
Compensation committees should also consider following results from employee engagement surveys. Ask: What do these results say about our ability to motivate talent and to retain them in the organization? This will help you get a better feel for the tone and culture of the company.
Look at diversity and inclusion initiatives. Understand the statistics and how those are changing over time throughout the organization. Also, spend time with talent management and succession planning the next level down. The board primarily works with the senior level, but the company’s future leaders are going to come from another level in the organization and the compensation committee can help with succession planning by taking an initial look at the next generation.
What are the best practices for the board to make sure the company has the right tone at the top?
Craig Woodfield: I look at this from an auditor’s perspective, which defaults to the financial reporting side. The appropriate tone at the top deals with every risk of significance that could face a company.
Directors who are in a public company environment are probably familiar with the Committee of Sponsoring Organizations of the Treadway Commission’s framework for internal controls and I would encourage private and nonprofit company directors to familiarize themselves with it. The revised framework from 2013 really is the gold standard and it applies to every company and every board. There are seventeen principles listed in that framework and the first five all deal with tone at the top issues. If you look at them, none of them are focused specifically on financial reporting.
As directors, we need to take these criteria seriously to ensure that there are structures in place that create a tone that promotes ethical values. The chief executive is the key here. As an auditor, I have a lot of exposure to public companies, and while most of them have a good tone, there are exceptions. The commonality among those exceptions is a chief executive who doesn’t have the right approach combined with a board that doesn’t have the right level of oversight.
Here are a couple warning signs: a chief executive who has a very domineering personality, that doesn’t take feedback well, or doesn’t respect the board’s responsibility to protect him or her. On the other side, if you have a weak leader and there’s a power vacuum at the top where there is no system of checks and balances, that’s an even greater warning sign because the board becomes dependent on each individual leader of each group within the organization. That situation is much more difficult to control.
We all want strong leadership in the companies we serve. One of the things that boards can do is help educate the chief executive about the nature of that relationship. And the role of the board is to help control that. A warning sign that that balance isn’t there is if we as board members don’t have access to the direct reports. And you want to empower the CEO—you don’t want to undermine or go around them. From an audit standpoint, it’s a real warning sign when the CEO or CFO tries to get in the way of the auditor or audit partner’s direct relationship with the board.
Next week, coverage of the Leading Minds of Governance–Southwest event continues with highlights from a discussion on cyber risk and the legal liabilities of international companies.
With an expected regulatory downshift under the incoming Trump Administration, standard-setting for business conduct may move from the government to the corporate sector, with shareholders and socially conscious directors driving the trend in myriad areas, from industry-specific concerns such as animal welfare to broader issues such as climate change. To be sure, we will continue to see proxy resolutions in the dozen general categories that have become hallmarks for activists, but the rise in attention to social issues by activists seems inevitable (See Figure 1).
Corporate leaders and major shareholders alike are recognizing the role that social issues can play in corporate value. In 2016, corporate leaders and prominent investors issued “Commonsense Principles of Corporate Governance,” a collaborative document containing a key message: “Our future depends on…companies being managed effectively for long-term prosperity, which is why the governance of American companies is so important to every American.” Among their recommendations was the suggestion that boards pay attention to “material corporate responsibility matters” and “shareholder proposals and key shareholder concerns.”
As revealed in the NACD Resource Center on Board-Shareholder Engagement, proxy resolutions can play a role in raising board awareness of key issues. Although shareholder resolutions rarely win by a majority, and even then are only “precatory” (non-mandatory), they do raise boards’ awareness of issues and can spark change over time. Many of today’s governance practices began as failing proxy resolutions but ended up as majority practices, with or without proxy votes.
Take for example proxy bylaw amendments, which have only been fair game for proxy votes since spring 2012 (thanks to a new rule that removed director nominations from the list of topics disallowed for shareholder resolutions). That season saw only three proxy access resolutions at the largest 250 companies, and only one got a majority vote. Fast forward to spring 2016 when 28 companies had such votes, and nearly half succeeded in getting a majority vote. By December 2016, proxy access had been adopted by a majority of Fortune 500 companies, as Sidley Austin reports. Those early proxy access resolutions lost their early battles, but in the end, they won the larger war. The same could happen over time to social resolutions over the next four years.
Directors Want More Dialogue on Social Issues
Interestingly, directors seem to be intuiting that they will need to step up on social issues this year. The 2016-2017 NACD Public Company Governance Survey, which features responses from 631 directors surveyed in 2016, reveals a significant finding in this regard. When asked to judge the ideal amount of time to be spent on various boardroom topics, directors ranked five topics as highest in terms of needing more discussion time:
director succession; and
corporate social responsibility.
One in three respondents said they would like more time devoted to discussing the “social responsibility” topic. For all issues other than these five, fewer than a third of respondents said that the topics merited more board attention. While this is a relatively new question, NACD has asked similar questions in the past, and this is the first time our respondents have ever ranked social issues so highly as a “need to know” topic.
A Gravitational Pull to Social Issues With a Strategic Slant
So what lies ahead for the next proxy season in the social domain? Aristotle is attributed with coining the phrase “nature abhors a vacuum,” a theorem in physics aptly applied to the likely vacuum in new corporate rule-making in 2017. USA-first trade rules aside, we believe that shareholder activists may try to fill the break in Dodd-Frank rule making with their own social agendas.
As we go to press, attorney Scott Pruitt is slated to head his institutional nemesis, the Environmental Protection Agency, while Governor Rick Perry, former leader of oil-rich Texas, is in line to direct the Department of Energy. Neither man is likely to crack down on carbon-based fuels, so if shareholders want carbon reduction, they will need to redouble their own efforts—and indeed that seems to be the plan.
According to the environmental group Ceres, quoted in an overview by Alliance Advisors, LLC, U.S. public companies will face some 200 resolutions on climate change in 2017, up from a total 174 such resolutions during 2016. This prediction may be conservative. According to Proxy Monitor, in 2016 the 250 largest companies alone saw 58 environmental proposals—meaning that nearly one out of every four large companies faced one.
In other developments, As You Sow, a community of socially engaged investors, has already announced 46 of its own proxy resolutions, including three on executive pay. All the rest are on social issues, including climate change (11), coal (10), consumer packaging (5), and smaller numbers of resolutions in a variety of other social issues, including antibiotics and factory farms, genetically modified organisms, greenhouse gas, hydraulic fracturing, methane, nanomaterials, and pharmaceutical waste. The gist of many of these resolutions is to ask for more disclosure, including more information on the impact of current trends on the company’s strategy and reputation. For example, the “climate change” resolution in the Exxon Mobil proxy statement asks Exxon to issue a report “summarizing strategic options or scenarios for aligning its business operations with a low carbon economy.”
Similarly, the Interfaith Center on Corporate Responsibility has already announced the filing of five shareholder resolutions for the 2017 proxy of its longtime target Tyson Foods on a variety of issues, including one on the strategic implications of plant-based eating. Sponsored by Green Century Capital Management, the resolution seeks to learn what steps the company will take to address “risks to the business” from the “increased prevalence of plant-based eating.”
In the same vein, at Post Holdings, which holds its shareholder meeting January 28, a shareholder resolution from Calvert Investment Management asks for disclosure of “major potential risks and impacts, including those regarding brand reputation, customer relations, infrastructure and equipment, animal well-being, and regulatory compliance.” Note that animal welfare is only one factor here; Calvert is making a business case for the social change.