This blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will be released at NACD’s Global Board Leaders’ Summit, Oct. 1–4.
A panel discussed how the iconic company became embroiled in scandal.
Wells Fargo & Co., Volkswagen AG (VW), Mylan NV, and Valeant Pharmaceuticals International are just a few of the companies that have recently experienced high-profile corporate crises stemming from ethics and compliance breakdowns. As corporate directors look to learn from these scandals, the John L. Weinberg Center for Corporate Governance, Association of Corporate Counsel, and Bloomberg Law® this April co-hosted the event Volkswagen Emissions Scandal—Lessons for Investors, Boards, Chief Legal Officers and Compliance & Governance Professionals.* The panel discussed the VW emissions scandal and lessons for boards of directors and general counsel (GCs) on instituting a corporate culture that promotes ethics and compliance.
Corporate Governance Causes of the VW Scandal
Charles M. Elson, director of the University of Delaware’s John L. Weinberg Center for Corporate Governance, notes in an article that three main governance practices at VW created a perfect environment for noncompliant behavior stemming from a lack of independent shareholder representation on the board:
A complicated web of interests with dual-class stock, pyramidal ownership, and family control. The Porsche and Piëch families own just over 50 percent of VW’s voting rights through their preferred class stock in Porsche Automobil Holding SE, which in turn owns shares of VW (known as pyramidal ownership). Ferdinand Piëch, the grandson of Porsche company founder Ferdinand Porsche, was chair of VW’s supervisory board at the time of the scandal and served as CEO from 1993 to 2002. Piëch’s primary goal is said to have been to create the largest automaker in the world, with less regard for creating profit and shareholder value. This directive from the company leader, in an environment where shareholders outside of the family had little influence over the board, created a corporate culture where employees chose noncompliant behavior over failure when designing the “defeat devices” used to cheat U.S. emissions tests.
The government as a major shareholder. VW was a state-owned enterprise until 1960 when it became privatized and left Germany’s Lower Saxony region with a 20 percent stake in the company. Elson opines that the interest of government officials is to be re-elected, often achieved through high employment rates. Therefore, government representatives on the board of VW were driven to create jobs at VW, the largest employer in Lower Saxony, even if adding those jobs was detrimental to profits.
Labor representation on the board (codetermination). German law requires all companies with more than 2,000 employees to fill half of the board with employee representatives. Elson argues that the board’s ability to provide effective compliance oversight was diluted by labor representatives on the board who were essentially monitoring themselves, and hence more focused on obtaining higher compensation and decent working hours for employees.
In light of these conditions at VW, panelists shared a number of leading practices for GCs and directors in creating a compliant corporate culture:
Lessons for GCs
“You can’t legislate ethics, but you can promote them,” said one panelist. Be the devil’s advocate and stress the importance of risk management and cultural tones at different levels of the organization, i.e., the so-called tone at the top, mood at the middle, and buzz at the bottom.
Ensure your board spends adequate time on compliance issues. Directors are often bogged down by compliance and want to spend more time on strategy, but prioritizing compliance at the board level will create a culture that allows strategy to be carried out successfully.
Get the right information to the board at the right time. According to one panelist, “The GC—as well as risk managers and in-house lawyers—need to be tough enough to speak up and report to the board. At Lehman Brothers, the CEO was known as the ‘gorilla on Wall Street.’ He doubled down on real estate, which the risk officer beneath him knew was risky, but their concerns were never known to the board.”
Remember that your duty is to the company—not the CEO—even if you’re reporting to him or her. “If [you as] the GC [are] aware of a violation, you need to do the right thing and not be swayed,” said one speaker.
Lessons for Directors
Increase your exposure to more employees, including mid-level employees, to get a better sense of the corporation’s culture in practice below the C-suite.
Create straight reporting lines from the compliance officer, chief risk officer, and internal auditor to committee chairs. This empowers these officers to speak openly with board members about their concerns without management present. (See NACD’s brief on Audit Committee Oversight of Compliance, which is open to the public for download.)
* The distinguished panel of speakers included: Robert E. Bostrom, senior vice president, general counsel, and corporate secretary at Abercrombie & Fitch Co.; Charles M. Elson, Edgar J. Woolard, Jr. chair in corporate governance, director of the John L. Weinberg Center for Corporate Governance, and professor of finance at the University of Delaware; Meredith Miller, chief corporate governance officer at UAW Retiree Medical Benefits Trust; Gloria Santona, retired executive vice president, general counsel, and secretary at McDonald’s Corp.; Professor Christian Strenger, academic director, Center for Corporate Governance at the HHL Leipzig Graduate School of Management; Anton R. Valukas, chairman at Jenner & Block LLP; and The Honorable James T. Vaughn, Jr., justice of the Delaware Supreme Court. Italicized comments above are from panelists who participated in this event. However, this discussion was conducted under the Chatham House Rule, so quotes are not attributed to individuals or organizations.
As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.
Here’s a closer look.
A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a culture of dysfunction inculcates a flawed business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.
Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:
understand the overall working environment;
identify the unwritten norms and rules governing employee interactions and workplace practices;
highlight possible barriers to an effective internal environment and communication flow;
report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
make recommendations to address identified problems.
Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.
Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-of-class performers due to underperforming business processes, the internal audit function can improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization to continuously improve its operations.
Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.
Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:
Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.
Internal audit should determine whether a cost-effective monitoring process is in place that addresses the top compliance risks and can assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.
In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?
Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than relying on costly, system-wide protection measures that result in a lack of attention to the most important assets, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.
By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.
A company’s human capital can be a complicated area of oversight for any board, especially when attentions must be turned to the top spot in the C-suite. Here, directors must ensure that the company is attracting and retaining the next generation of leading talent that will realize the company’s future success while setting a tone that promotes integrity throughout the organization.
A daunting task, yes, but one that’s not insurmountable.
The National Association of Corporate Directors (NACD) invited Blair Jones, a managing director at Semler Brossy Consulting Group, and Craig Woodfield, a partner at Grant Thornton and leader of the firm’s audit services practice, to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.
Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.
What is the compensation committee’s role in succession planning and talent development?
Blair Jones: While responsibility for succession planning ultimately rests with the full board, there are a number of things the compensation committee can do from a process perspective to support this objective.
First, the committee can look at leadership competencies and the overall leadership development process. The succession plan needs to be supported by a pipeline of talent throughout the organization. And the committee needs to know how that pipeline is developed—be it on-the-job mentoring, developmental role assignments, action learning programs, individual coaching, or relationships with business schools. Consider bringing in a leader who has been involved in these leadership development programs to speak about their experiences.
Second, the compensation committee can spend time with high potential candidates at board dinners and through individual meetings. When the committee is determining end-of-year pay decisions, the CEO typically reviews people. Having met some of these individuals, it’s easier to participate in a discussion of what’s being done to take them to the next level. The committee can also make sure that the pay decisions actually fit the directions coming out of the succession planning process.
Compensation committees should also consider following results from employee engagement surveys. Ask: What do these results say about our ability to motivate talent and to retain them in the organization? This will help you get a better feel for the tone and culture of the company.
Look at diversity and inclusion initiatives. Understand the statistics and how those are changing over time throughout the organization. Also, spend time with talent management and succession planning the next level down. The board primarily works with the senior level, but the company’s future leaders are going to come from another level in the organization and the compensation committee can help with succession planning by taking an initial look at the next generation.
What are the best practices for the board to make sure the company has the right tone at the top?
Craig Woodfield: I look at this from an auditor’s perspective, which defaults to the financial reporting side. The appropriate tone at the top deals with every risk of significance that could face a company.
Directors who are in a public company environment are probably familiar with the Committee of Sponsoring Organizations of the Treadway Commission’s framework for internal controls and I would encourage private and nonprofit company directors to familiarize themselves with it. The revised framework from 2013 really is the gold standard and it applies to every company and every board. There are seventeen principles listed in that framework and the first five all deal with tone at the top issues. If you look at them, none of them are focused specifically on financial reporting.
As directors, we need to take these criteria seriously to ensure that there are structures in place that create a tone that promotes ethical values. The chief executive is the key here. As an auditor, I have a lot of exposure to public companies, and while most of them have a good tone, there are exceptions. The commonality among those exceptions is a chief executive who doesn’t have the right approach combined with a board that doesn’t have the right level of oversight.
Here are a couple warning signs: a chief executive who has a very domineering personality, that doesn’t take feedback well, or doesn’t respect the board’s responsibility to protect him or her. On the other side, if you have a weak leader and there’s a power vacuum at the top where there is no system of checks and balances, that’s an even greater warning sign because the board becomes dependent on each individual leader of each group within the organization. That situation is much more difficult to control.
We all want strong leadership in the companies we serve. One of the things that boards can do is help educate the chief executive about the nature of that relationship. And the role of the board is to help control that. A warning sign that that balance isn’t there is if we as board members don’t have access to the direct reports. And you want to empower the CEO—you don’t want to undermine or go around them. From an audit standpoint, it’s a real warning sign when the CEO or CFO tries to get in the way of the auditor or audit partner’s direct relationship with the board.
Next week, coverage of the Leading Minds of Governance–Southwest event continues with highlights from a discussion on cyber risk and the legal liabilities of international companies.