This blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors (NACD) announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will be released at NACD’s Global Board Leaders’ Summit, Oct. 1–4.
In a recent study by Stanford University’s Rock Center, less than half of directors surveyed strongly believe their boards tolerate dissent, and 46 percent expressed concern that a subgroup of directors has disproportionate influence on boardroom decisions. A 2015 survey cited by Heidrick & Struggles reflects similar concerns about culture in companies as a whole: 87 percent of organizations listed culture and engagement as a top challenge, with half of business leaders ranking the issue as “urgent”—a 20 percent increase from the prior year.
Sound, ethical culture in the boardroom sets the tone for the rest of the organization.
In light of the importance of the culture issue for boards, NACD, Heidrick & Struggles, and Sidley Austin LLP cohosted a meeting of the Nominating and Governance Committee Chair Advisory Council on March 28, 2017. The session and a related conference call brought together nominating and governance committee chairs from Fortune 500 corporations to discuss how boards can improve their own cultures and, by doing so, reinforce the elements of good culture in their corporations. The discussion was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized below) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names is available here.
The council meeting resulted in the following takeaways:
1. Recognize and implement characteristics of a strong board.
Council delegates at the meeting listed a number of indicators of productive boardroom culture:
Extensive and thorough preparation on the part of every director, without exception. “Every board member needs to have an in-depth understanding not just of the company, but its peers, competitors, and the broader industry. Passive reliance on management presentations for information is no longer sufficient.” Another director added, “Intellectual curiosity and learning agility are essential ingredients of good board culture.”
Directors are able to strike the right balance between collegiality and directness, challenging one another―and management―constructively. “Attack the issue, not the individual,” said one director.
The board has well-functioning continuous improvement processes, including regular evaluations, director and committee succession planning, and review of needed skill sets in light of current and future strategy. This includes the notion that board service is not a guarantee, but subject to the needs of the board and the strategic direction of the company.
The board should model the culture that the corporation as a whole desires: “Walk and talk the culture you’re expecting.”
Holly Gregory, partner at Sidley Austin, added that the notion of teamwork as an element of productive board culture goes beyond semantics. “Boards are teams in the legal sense,” she said. “The board’s authority is as a body, and board decision making is by collective action.”
2. Use inflection points as opportunities to address board culture.
Directors agreed that changes in board leadership—such as a committee chair, lead director, or nonexecutive chair—can be good opportunities to reevaluate board culture and performance. According to one delegate, “How are you challenging yourselves? Your board may be working fine today, but maybe you’re missing a chance to take the board’s performance and culture to an entirely different level.”
Council members also suggested a number of other inflection points to use as opportunities to examine board culture:
Patterns of breakdowns or concerns regarding compliance and ethics—“If we see two or three ethical violations and we don’t do anything about it, what does that say about our strategy and the performance of the board?”
Major transactions—“After a large acquisition, [a culture-consulting firm] came in to work with management. Then [the firm] came back and did a session for the full board. We got a much better understanding about how our culture was aligned with where the company was going.” Another director observed, “Creating the culture for a spin-off board was easy compared to [changing culture on] an established board. [In either case], team-building on the board is actually a good idea.”
CEO succession—“The previous CEO had a very strong demeanor in the boardroom and [held strong control] over strategy. After he stepped down, the lead director was in a position to take a much more active leadership role that coincided with a significant regulatory change. The board was much more challenged and became much more engaged in strategy and more productive and useful to the company.”
3. Proactively examine board culture at scheduled periods.
Although the inflection points described above can be useful opportunities to review board culture, council meeting participants agreed that boards should be proactive about assessing and molding their cultures. “You don’t know the culture you have before you hit a bump in the road,” one director said. “Be that person that says, ‘maybe we can improve by doing XYZ.’ If our major shareholders had been listening to the process we just went through, how would we feel about that?” Theodore Dysart, a vice chairman at Heidrick & Struggles, observed, “It’s important for boards to be able to rally after a crisis, but how can that cohesiveness of purpose be made more routine? We are seeing a growing number of boards making use of tools and processes to embed cultural assessments more deeply, but it is not yet a widespread practice.”
Directors provided a number of examples where their boards took a proactive approach to evaluating culture:
Board succession planning—“On one board, we initiated a self-examination of our culture in anticipation of some turnover coming up due to director retirements. We realized it was an opportunity to clarify what we stand for as a board, how we want to operate, and the elements of board performance we want to evaluate.”
Reviewing key management reports—“We use the review of the company’s sustainability report as an annually scheduled inflection point [to review culture]. It has extensive statistics on environmental, safety, and other issues, as well as key stakeholders and the firm’s interactions with them. It helps us see the cultural underpinnings of the company and also drives deep discussion about our own culture as a board.”
Risk appetite discussions—“Our board’s discussions about risk appetite led us to a conversation about culture. It emerged that we were not all on the same page with respect to the level of risk we felt was appropriate for the strategy. Some directors were gung ho; others were more reserved. The work we went through to gain alignment highlighted some important aspects of our board culture and dynamics.”
Council delegates emphasized that both measuring and changing culture can be extremely challenging, but the benefits are significant. As one director observed: “The board can have a culture and interact with senior management to form what you believe is the tone at the top. It takes a different curiosity to see if that trickles down into the institution. There’s no magic here; this is really hard work, but directors can have enormous positive impact when they model and reinforce the company’s desired cultural attributes.”
A panel discussed how the iconic company became embroiled in scandal.
Wells Fargo & Co., Volkswagen AG (VW), Mylan NV, and Valeant Pharmaceuticals International are just a few of the companies that have recently experienced high-profile corporate crises stemming from ethics and compliance breakdowns. As corporate directors look to learn from these scandals, the John L. Weinberg Center for Corporate Governance, Association of Corporate Counsel, and Bloomberg Law® this April co-hosted the event Volkswagen Emissions Scandal—Lessons for Investors, Boards, Chief Legal Officers and Compliance & Governance Professionals.* The panel discussed the VW emissions scandal and lessons for boards of directors and general counsel (GCs) on instituting a corporate culture that promotes ethics and compliance.
Corporate Governance Causes of the VW Scandal
Charles M. Elson, director of the University of Delaware’s John L. Weinberg Center for Corporate Governance, notes in an article that three main governance practices at VW created a perfect environment for noncompliant behavior stemming from a lack of independent shareholder representation on the board:
A complicated web of interests with dual-class stock, pyramidal ownership, and family control. The Porsche and Piëch families own just over 50 percent of VW’s voting rights through their preferred class stock in Porsche Automobil Holding SE, which in turn owns shares of VW (known as pyramidal ownership). Ferdinand Piëch, the grandson of Porsche company founder Ferdinand Porsche, was chair of VW’s supervisory board at the time of the scandal and served as CEO from 1993 to 2002. Piëch’s primary goal is said to have been to create the largest automaker in the world, with less regard for creating profit and shareholder value. This directive from the company leader, in an environment where shareholders outside of the family had little influence over the board, created a corporate culture where employees chose noncompliant behavior over failure when designing the “defeat devices” used to cheat U.S. emissions tests.
The government as a major shareholder. VW was a state-owned enterprise until 1960 when it became privatized and left Germany’s Lower Saxony region with a 20 percent stake in the company. Elson opines that the interest of government officials is to be re-elected, often achieved through high employment rates. Therefore, government representatives on the board of VW were driven to create jobs at VW, the largest employer in Lower Saxony, even if adding those jobs was detrimental to profits.
Labor representation on the board (codetermination). German law requires all companies with more than 2,000 employees to fill half of the board with employee representatives. Elson argues that the board’s ability to provide effective compliance oversight was diluted by labor representatives on the board who were essentially monitoring themselves, and hence more focused on obtaining higher compensation and decent working hours for employees.
In light of these conditions at VW, panelists shared a number of leading practices for GCs and directors in creating a compliant corporate culture:
Lessons for GCs
“You can’t legislate ethics, but you can promote them,” said one panelist. Be the devil’s advocate and stress the importance of risk management and cultural tones at different levels of the organization, i.e., the so-called tone at the top, mood at the middle, and buzz at the bottom.
Ensure your board spends adequate time on compliance issues. Directors are often bogged down by compliance and want to spend more time on strategy, but prioritizing compliance at the board level will create a culture that allows strategy to be carried out successfully.
Get the right information to the board at the right time. According to one panelist, “The GC—as well as risk managers and in-house lawyers—need to be tough enough to speak up and report to the board. At Lehman Brothers, the CEO was known as the ‘gorilla on Wall Street.’ He doubled down on real estate, which the risk officer beneath him knew was risky, but their concerns were never known to the board.”
Remember that your duty is to the company—not the CEO—even if you’re reporting to him or her. “If [you as] the GC [are] aware of a violation, you need to do the right thing and not be swayed,” said one speaker.
Lessons for Directors
Increase your exposure to more employees, including mid-level employees, to get a better sense of the corporation’s culture in practice below the C-suite.
Create straight reporting lines from the compliance officer, chief risk officer, and internal auditor to committee chairs. This empowers these officers to speak openly with board members about their concerns without management present. (See NACD’s brief on Audit Committee Oversight of Compliance, which is open to the public for download.)
* The distinguished panel of speakers included: Robert E. Bostrom, senior vice president, general counsel, and corporate secretary at Abercrombie & Fitch Co.; Charles M. Elson, Edgar J. Woolard, Jr. chair in corporate governance, director of the John L. Weinberg Center for Corporate Governance, and professor of finance at the University of Delaware; Meredith Miller, chief corporate governance officer at UAW Retiree Medical Benefits Trust; Gloria Santona, retired executive vice president, general counsel, and secretary at McDonald’s Corp.; Professor Christian Strenger, academic director, Center for Corporate Governance at the HHL Leipzig Graduate School of Management; Anton R. Valukas, chairman at Jenner & Block LLP; and The Honorable James T. Vaughn, Jr., justice of the Delaware Supreme Court. Italicized comments above are from panelists who participated in this event. However, this discussion was conducted under the Chatham House Rule, so quotes are not attributed to individuals or organizations.
As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.
Here’s a closer look.
A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a culture of dysfunction inculcates a flawed business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.
Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:
understand the overall working environment;
identify the unwritten norms and rules governing employee interactions and workplace practices;
highlight possible barriers to an effective internal environment and communication flow;
report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
make recommendations to address identified problems.
Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.
Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-of-class performers due to underperforming business processes, the internal audit function can improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization to continuously improve its operations.
Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.
Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:
Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.
Internal audit should determine whether a cost-effective monitoring process is in place to address the top compliance risks and to assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.
In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?
Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than costly, system-wide protection measures resulting in lack of attention to the most important assets, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.
By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.