As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.
Here’s a closer look.
A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear, and they can culminate in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, tolerates falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a dysfunctional culture takes root in a flawed business environment, it may take a long time for the consequences to emerge, but emerge they will if the dysfunction is left unaddressed.
Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:
understand the overall working environment;
identify the unwritten norms and rules governing employee interactions and workplace practices;
highlight possible barriers to an effective internal environment and communication flow;
report unacceptable behaviors, decisions, and attitudes toward taking and managing risk; and
make recommendations to address identified problems.
Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.
Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company's practices are inferior to those of best-in-class performers because of underperforming business processes, internal audit can identify where operating efficiency can be improved. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization continuously improve its operations.
Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.
Traditionally, the internal audit plan ensures that the organization's compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:
Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.
A cost-effective monitoring process is in place to address the top compliance risks and to assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.
In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?
Assess whether the company's processes give adequate attention to high-value information and information systems. Rather than relying on costly, system-wide protection measures that leave the most important assets without focused attention, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company's crown jewels, and whether the controls around those assets are commensurate with their value.
Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
Review the organization's response readiness for a cyber incident. Effective incident response processes are critical to limiting an attack's impact and spread; readiness means the plan exists, roles and escalation paths are assigned, and the plan has been exercised rather than merely documented.
By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.
A company's human capital can be a complicated area of oversight for any board, especially when attention must be turned to the top spot in the C-suite. Here, directors must ensure that the company is attracting and retaining the next generation of leading talent that will realize the company's future success while setting a tone that promotes integrity throughout the organization.
A daunting task, yes, but one that’s not insurmountable.
The National Association of Corporate Directors (NACD) invited Blair Jones, a managing director at Semler Brossy Consulting Group, and Craig Woodfield, a partner at Grant Thornton and leader of the firm’s audit services practice, to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.
Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.
What is the compensation committee’s role in succession planning and talent development?
Blair Jones: While responsibility for succession planning ultimately rests with the full board, there are a number of things the compensation committee can do from a process perspective to support this objective.
First, the committee can look at leadership competencies and the overall leadership development process. The succession plan needs to be supported by a pipeline of talent throughout the organization. And the committee needs to know how that pipeline is developed—be it on-the-job mentoring, developmental role assignments, action learning programs, individual coaching, or relationships with business schools. Consider bringing in a leader who has been involved in these leadership development programs to speak about their experiences.
Second, the compensation committee can spend time with high potential candidates at board dinners and through individual meetings. When the committee is determining end-of-year pay decisions, the CEO typically reviews people. Having met some of these individuals, it’s easier to participate in a discussion of what’s being done to take them to the next level. The committee can also make sure that the pay decisions actually fit the directions coming out of the succession planning process.
Compensation committees should also consider following results from employee engagement surveys. Ask: What do these results say about our ability to motivate talent and to retain them in the organization? This will help you get a better feel for the tone and culture of the company.
Look at diversity and inclusion initiatives. Understand the statistics and how those are changing over time throughout the organization. Also, spend time on talent management and succession planning at the next level down. The board primarily works with the senior level, but the company's future leaders are going to come from another level in the organization, and the compensation committee can help with succession planning by taking an initial look at the next generation.
What are the best practices for the board to make sure the company has the right tone at the top?
Craig Woodfield: I look at this from an auditor’s perspective, which defaults to the financial reporting side. The appropriate tone at the top deals with every risk of significance that could face a company.
Directors who are in a public company environment are probably familiar with the Committee of Sponsoring Organizations of the Treadway Commission's framework for internal controls, and I would encourage private and nonprofit company directors to familiarize themselves with it. The revised framework from 2013 really is the gold standard, and it applies to every company and every board. There are seventeen principles listed in that framework, and the first five all deal with tone at the top issues. If you look at them, none of them are focused specifically on financial reporting.
As directors, we need to take these criteria seriously to ensure that there are structures in place that create a tone that promotes ethical values. The chief executive is the key here. As an auditor, I have a lot of exposure to public companies, and while most of them have a good tone, there are exceptions. The commonality among those exceptions is a chief executive who doesn’t have the right approach combined with a board that doesn’t have the right level of oversight.
Here are a couple of warning signs: a chief executive who has a very domineering personality, who doesn't take feedback well, or who doesn't respect the board's responsibility to protect him or her. On the other side, if you have a weak leader and there's a power vacuum at the top where there is no system of checks and balances, that's an even greater warning sign, because the board becomes dependent on each individual leader of each group within the organization. That situation is much more difficult to control.
We all want strong leadership in the companies we serve. One of the things that boards can do is help educate the chief executive about the nature of that relationship. And the role of the board is to help control that. A warning sign that that balance isn’t there is if we as board members don’t have access to the direct reports. And you want to empower the CEO—you don’t want to undermine or go around them. From an audit standpoint, it’s a real warning sign when the CEO or CFO tries to get in the way of the auditor or audit partner’s direct relationship with the board.
Next week, coverage of the Leading Minds of Governance–Southwest event continues with highlights from a discussion on cyber risk and the legal liabilities of international companies.
Reputation is a precious but fragile enterprise asset. What takes decades to build can be lost in a matter of days once the spotlight shines on unethical or illegal practices that place an organization’s stakeholders or the public at risk. Environmental catastrophes, financial restatements, fraudulent reporting to regulators, massive product recalls, efforts to mislead investors, and other highly publicized events erode brands and impair reputation. We define reputation risk as the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion.
We see 10 key functions of the board’s oversight of reputation risk management, and classify them in five critical areas below.
Effective board oversight – Reputation risk management starts at the top. Strong board oversight on matters of strategy, policy, execution, and transparent reporting is vital to effective corporate governance, is a powerful contributor to sustaining reputation, and is the ultimate checkpoint on CEO performance. The board's active risk oversight effort is important because effective, early identification and management of risks can reveal major threats to the company's reputation and ensure that those threats are reduced to an acceptable level.
Integration of risk into strategy-setting and business planning – The board must ensure that risk is not an afterthought in the strategy-setting and business planning processes. Integrating awareness of risks with core management processes makes risk a relevant factor at the decision-making table, facilitates a big-picture view of undertaking risk, and connects risk management with performance. In an effort to make the strategy more robust, directors should understand the critical assumptions underlying the strategy; ask tough, constructive questions to challenge those assumptions; and consider plausible scenarios that could render one or more assumptions invalid.
Effective communications and image- and brand-building – Building brand recognition unique to a business is vital and, when all else is working well, augments reputation. A good story is easier to tell than one with flaws, but every savvy board knows that some companies are better at telling their stories than others. Therefore, directors need to understand management’s image- and brand-building game plan and how significant changes to that plan could present a significant risk to the company’s reputation.
Strong corporate values, supported by appropriate performance incentives – The notion that, if the tone at the top is good, the organization's culture must be good, doesn't always hold. Lower-level employees often pay more attention to the messaging and behavior of their supervising middle managers than to communications from the organization's leaders. Boards need to ensure that executive management implements a strong tone at the top, effective escalation processes, and periodic assessments of the tone in the middle and at the bottom. Directors also need to ensure that management is paying attention to warning signs posted by independent risk management functions and in audit reports: failure to give these warning signs adequate attention on a timely basis reflects on the tone set by executive management. For example, the executive leadership of Barings ignored internal audit's warnings about the consequences of the lack of segregation of duties in its Singapore operations because those operations were making the bank a lot of money. Ultimately, the hidden trading losses took down the institution.
Positive culture regarding compliance with laws, regulations and internal policies – Few incidents undermine reputation more than serious, highly publicized compliance violations. Directors should ascertain that effective internal controls over compliance matters, including monitoring processes and robust training of employees, are implemented, and that executive management "walks the talk" with respect to compliance, periodically conducts a comprehensive risk assessment, refreshes the compliance program for changes arising from new regulatory developments, and understands the players and third-party agents in the countries in which the organization does business and monitors their dealings closely.
Priority focus on positive interactions with stakeholders – The board should ensure that there is a passionate focus on improving stakeholder experiences. These are the accumulation of day-to-day interactions that customers, employees, suppliers, regulators, shareholders, lenders, and other stakeholders have with a company as a result of its business operations, branding, and marketing. These interactions constitute moments of truth that, if internalized and acted upon, provide a powerful driving force for improving and sustaining reputation.
Quality public reporting – The markets take quality public reporting at face value. Once a company loses the public’s confidence in its reporting, it’s tough to earn it back. These points suggest that a strong audit committee is an imperative.
Strong control environment – A critical component of internal control, the control environment lays the foundation for achieving operational, compliance and reporting objectives. In addition to the board’s oversight and the organization’s commitment to integrity and ethical values, as mentioned above, the control environment consists of: the organizational structure and assignment of authority and responsibility; the processes for attracting, developing and retaining appropriate talent; and the rigor around setting the appropriate performance measures, incentives and rewards that drive accountability for desired results. Embarrassing control breakdowns can tarnish reputation; therefore, boards should demand a strong control environment.
Company performance relative to competitors – Market recognition of success is a huge validation of a company and its management team. Recognition of differentiating strategies, distinctive products and brands, proprietary systems, and innovative processes are intrinsic sources of value that can translate into superior quality, time, cost, and innovation performance relative to the company’s competitors. However, significant performance gaps can diminish reputation if not addressed in a timely manner. These factors should weigh heavily on a board’s evaluation of company performance over time.
World-class response to a high-profile crisis – Sooner or later, every company is tested. No company is immune to a crisis. As a crisis event is a severe manifestation of risk, crisis management preparation is a natural follow-on to risk assessment, particularly for high-impact risks with high velocity, high persistence, and low response readiness. The board should ensure that the risk assessment process is designed to identify areas where preparedness and a response team are needed. Fires cannot be fought by committee.
While a one-size-fits-all approach does not exist, the 10 keys listed above offer boards a framework for focusing on whether executive management is focused on the appropriate fundamentals for enhancing and preserving the enterprise’s reputation.
Jim DeLoach is managing director with Protiviti, a global consulting firm.