Corporate directors are confronted with a variety of recently proposed governance standards, while activist investor campaigns are challenging both board composition and board effectiveness by targeting individual directors. Given the high level of personal reputational risk and the associated long-term financial consequences now faced by directors, a hard look at the adequacy of company-sponsored director and officer (D&O) risk mitigation and board compensation strategies is timely.
The Bedrock of Certainty Shifts
Shifting stakeholder expectations are codified in the frequently conflicting governance standards published in recent years. Following the National Association of Corporate Directors’ own 2011 Key Agreed Principles, there are now draft voting guidelines from Institutional Shareholder Services (ISS) and Glass Lewis & Co.; standards from groups such as the Office of the Comptroller of the Currency (regulator), CalSTRS (investor), the G20, and the Organisation for Economic Co-operation and Development (influencer); and, most recently, the Commonsense Corporate Governance Principles from a group of CEOs led by JPMorgan Chase & Co.’s Jamie Dimon.
This proliferation of standards reflects differing stakeholder expectations and gives direct rise to new risks for directors. With these new risks and expectations emerge associated questions about the adequacy of current governance strategies, company-sponsored reputation-risk-mitigation packages, and director compensation.
Because the board is the legal structure administering governance, the standards that boards choose to guide their oversight have legal force. Furthermore, detailed, prescriptive standards have instrumental force.
For instance, ISS and CalSTRS are promoting highly prescriptive standards. ISS is exploring specific “warning signs” of impaired governance, including monitoring boards that have not appointed a new director in five years, where the average tenure of directors exceeds 10 or 15 years, or where more than 75 percent of directors have served 10 years or longer. CalSTRS expects two-thirds of a board to be comprised of independent directors, and defines director independence specifically as having held no managerial role in the company during the past five years, equity ownership of less than 20 percent equity, and having a commercial relationship with the company valued at no more than $120,000 per year.
The Commonsense Corporate Governance Principles released this summer was an effort to share the thoughts of the 5,000 or so public companies “responsible for one-third of all private sector employment and one-half of all business capital spending.” Certain background facts may lead some stakeholders to discount the Principles. For example, in addition to Dimon, the list of signatories was comprised mostly of executives who hold the dual company roles of chair and CEO. Also, according to the Financial Times, eyebrows have been raised by CEO performance-linked bonuses of about 24 to 27 times base pay at BlackRock and T. Rowe Price, two asset manager companies with executives who were signatories. Coincidentally, these asset manager companies were ranked among the most lenient investors with respect to the executive pay of their investee companies, according to the research firm Proxy Insight.
These standards can be deployed by checklist, and boards can be audited for compliance to the specifics of the adopted standards. But, more importantly, the very existence of these standards lends them authority through expressive force. What they express—or signal, in behavioral economic parlance—is intent, goodwill, and values. Signaling is valuable in the court of public opinion.
Personal Protection Strategies
As reported in NACD Directorship magazine earlier this year, activists often wage battle in the court of public opinion to garner public support when mounting an attack against a company. Emphasizing the personal risks, the Financial Times reported in August that “Corporate names are resilient: when their images get damaged, a change of management or strategy will often revive their fortunes. But personal reputations are fragile: mess with them and it can be fatal.”
Make no mistake: this risk is personal. A director’s damaged personal reputation comes with material costs. Risk Management reported in September that the opportunity costs to the average corporate director arising from public humiliation were estimated at more than $2 million.
Among the many governance standards, pay issues are the third rail of personal reputation risks. “If companies don’t use common sense to control pay outcomes, [shareholders have to question] what else is going on at the organization and the dynamic between the chief executive and the board,” an asset manager with Railpen Investments told the Financial Times recently. Clawbacks may be the most disconcerting pay issue because the tactic places directors personally between both the investment community and regulators.
Governance standards just over the horizon may give boards succor, and reputation-risk-transfer solutions may have immediate benefits. Since 2014, the American Law Institute (ALI) has been developing a framework titled, “Compliance, Enforcement, and Risk Management for Corporations, Nonprofits, and Other Organizations.” Members of the project’s advisory committee include representatives from Goldman Sachs & Co., HSBC, Google, Clorox, and Avon Products; diverse law firms offering governance advisory services; law schools; regulators including the Department of Justice; and representatives from a number of prominent courts. According to the ALI, the project is likely to hold an authority close to that accorded to judicial decisions.
The ALI work product remains a well-protected secret, but the project is expected to recommend standards and best practices on compliance, enforcement, risk management, and governance. It can be expected that the ALI standards will reflect the legal community’s newly acquired recognition of the interactions between the traditional issues of compliance, director and officer liabilities, and economics; and the newer issues of cognitive and behavioral sciences. Such governance standards will likely speak to the fact that while director and officer liability will be adjudicated in the courts of law, director and officer culpability will be adjudicated in the courts of public opinion.
Insurance Solutions Available Now
Boards that qualify for reputational insurances and their expressive force can mitigate risks in the court of public opinion. An NACD Directorship article noted earlier this year, “... these reputation-based indemnification instruments, structured like a performance bond or warranty with indexed triggers, communicate the quality of governance, essentially absolving board members of damaging insinuations by activists.”
Given the increased personal reputational risks facing directors and the long-term financial consequences arising, it may be time for an omnibus revisit of the adequacy of both director compensation and company-sponsored D&O risk mitigation strategies in the context of an enhanced, board-driven approach to governance, compliance, and risk management.
Following the guidelines of the ALI’s project once they are published is a rational strategy. After all, the work product will be one that will have already been “tested” informally in the community comprising the courts of law, and will be designed to account for the reality of the courts of public opinion. And no firm today has natural immunity to reputation damage; even Warren Buffett’s Berkshire Hathaway appears to be in the ISS crosshairs. Reputational insurances, which, like vaccines, boost immunity, are available to qualified boards to counter all that is certain to come at them in this upcoming proxy season. And for those who insist on both belts and suspenders, hazardous duty pay may seal the deal.
Nir Kossovsky is CEO of Steel City Re and an authority on business process risk and reputational value. He can be contacted at email@example.com. Paul Liebman is chief compliance officer and director of University Compliance Services at the University of Texas at Austin. He can be contacted at firstname.lastname@example.org.
The U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated Internal Control—Integrated Framework, which was first released in 1992. This revised framework meets the SEC’s criteria for suitability, and many companies have accordingly transitioned to this updated version. However, in addition to supporting the evaluation of ICFR, the framework offers other important lessons to boards of directors on the relevance of internal control to their risk oversight.
The control environment is vital to preserving an organization’s reputation and brand image. Since the release of the COSO framework, there have been a number of corporate scandals related to operational, compliance and reporting issues. These companies likely lacked a strong control environment in the areas that contributed to the crisis.
The control environment lays the foundation for a strong culture around the organization’s internal control system. It consists of the policies, standards, processes and structures that provide the basis for carrying out effective internal control across the organization. Through their actions, decisions, and communications, the board and senior management establish the organization’s tone regarding the importance of internal control. Management reinforces expectations at the various levels of the organization in an effort to ensure alignment of the tone in the middle with the tone at the top.
According to the COSO framework, the control environment comprises the
organization’s commitment to integrity and ethical values;
oversight provided by the board in carrying out its governance responsibilities;
organizational structure and assignment of authority and responsibility;
process for attracting, developing, and retaining competent people; and
rigor around performance measures, incentives, and rewards to drive accountability for performance.
Without a supportive boardroom culture and effective support from executive and operating management for internal control, the organization is susceptible to embarrassing control breakdowns that could tarnish its reputation and brand image. This issue is likely a contributing factor at the companies that have been hit recently with headline-grabbing scandals.
The control environment applies to outsourced processes. Organizations typically extend their activities beyond their four walls through strategic partnerships and relationships. The blurred lines of responsibility between the entity’s internal control system and those of outsourced service providers create a need for more rigorous controls over communication between all parties involved. For example, information obtained from outsourced service providers that manage business processes on behalf of the entity, and other external parties on which the entity depends for processing its information, should be subject to the same internal control expectations as information processed internally.
The point is clear: management retains responsibility for controls over outsourced activities. Therefore, these processes should be included in the scope of any evaluation of internal control over operations, compliance, and reporting, to the extent a top-down, risk-based approach determines they are relevant. Controls supporting the organization’s ability to rely on information processed by external parties include:
Vendor due diligence;
Inclusion of right-to-audit clauses in service agreements;
Exercise of right-to-audit clauses;
Obtaining an independent assessment over the service provider’s controls that is sufficiently focused on relevant control objectives (e.g., a service organization controls report); and
Effective input and output controls over information submitted to and received from the service provider.
The potential for fraud should be considered explicitly when conducting periodic risk assessments. Ongoing risk assessments are an integral part of a top-down, risk-based approach to ensuring effective internal control. In these assessments, directors should ensure that management evaluates the potential for fraudulent financial and nonfinancial reporting (e.g., internal control reports, sustainability reports and reports to regulators), misappropriation of assets, and illegal acts. In addition, the potential for third-party fraud is a relevant issue for many organizations. As the COSO Framework points out, fraud risk factors include the possibility of management bias in applying accounting principles; the extent of estimates and judgments in reporting; fraud schemes common to the industry; geographical areas where the organization operates; performance incentives that potentially motivate fraudulent behavior; potential for manipulation of information in sensitive financial and nonfinancial areas; entering into unusual or complex transactions; existence or creation of complex organizational structures that potentially obscure the underlying economics of transactions; and vulnerability to management override of established controls relating to operations, compliance and reporting.
There are important lessons learned in Section 404 compliance. Investors take reporting fairness for granted; however, when public companies restate previously issued financial statements for errors in the application of accounting principles or oversight or misuse of important facts, investors notice. The bottom line is that the markets take quality public reporting at face value. Once a company loses the investing public’s confidence in its reporting, it’s tough to earn it back.
Section 404 compliance is important in the United States because material weaknesses in ICFR provide investors early warning signs of financial reporting issues. We have gleaned many lessons in our work successfully transitioning numerous companies to the 2013 COSO framework. The most important of these lessons is that a top-down, risk-based approach is vital to Section 404 compliance. Some companies forgot to apply this approach when setting the scope and objectives for using the updated framework; as a result, they went overboard with their controls testing and documentation. We can’t stress strongly enough that the 2013 COSO Framework did not change the essence of and need for a top-down, risk-based approach to comply with Section 404.
Other lessons include:
Meet with your external auditor early and often to ensure that the company is fully aligned with the auditor on the appropriate process for transitioning to the updated framework.
Establish an effective and relevant mapping approach to link established key controls to the principles outlined in the COSO framework by leveraging the points of focus provided by the framework; start with existing controls documentation, and consider the nature of the framework’s components.
Manage the level of depth when testing indirect controls (often referred to as entity-level controls) by focusing on the specific objectives germane to ICFR; for example, for the indirect control emphasizing background checks, management should scope the application of this activity to the appropriate people designated with financial reporting responsibilities rather than all employees throughout the organization (unless management wishes to expand scope beyond financial reporting).
Focus on understanding and documenting control precision by understanding the control’s track record in detecting and correcting errors and omissions to support an assertion that the control effectively meets the prescribed level of precision.
Evaluate the completeness and accuracy of information produced by the entity to support the execution of key controls; the Public Company Accounting Oversight Board inspection reports are driving auditors to place more audit emphasis on validating system reports, queries and spreadsheets.
Applying the 2013 COSO framework to operational, compliance and other reporting objectives is virgin territory. In applying the updated COSO framework, most organizations have limited their focus to ICFR. Some organizations even believe that the framework was designed exclusively for Section 404 compliance. Such is not the case. There are benefits to using the framework for other objectives relating to operations, compliance, and other reporting. However, these efforts should be segregated from Section 404 compliance. Progressive organizations are applying the COSO Framework to other areas, such as sustainability reporting, regulatory compliance and controls over federal grants, to name a few.
Questions for Boards
The board may want to consider asking the following questions, based on the risks inherent in the entity’s operations:
Have directors paid close attention to whether the organization’s control environment is functioning effectively?
Does the organization periodically consider fraud risk in its risk assessments? Is the board satisfied that the risk of third-party fraud is reduced to an acceptable level?
Does the company’s process for complying with Section 404 apply a top-down, risk-based approach, and is the process cost-effective?
Has management considered applying the COSO framework to improve internal control in areas other than financial reporting?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.
While the Internet initially was a communication tool between the U.S. Department of Defense and multiple academic organizations, it has become the backbone of a global economy and government operations, the Hon. Tom Ridge told a rapt audience of more than 200 directors at the NACD Strategy & Risk Forum in San Diego. The first secretary of the U.S. Department of Homeland Security, Ridge currently serves as president and CEO of the strategic consulting firm Ridge Global and is a director for the Hershey Co. Ridge delivered the opening keynote to directors convened for the two-day forum co-hosted by the National Association of Corporate Directors (NACD) and its sponsors.
“We’ve come a long way from a simple communication tool,” Ridge said. “What’s really remarkable is the tool is designed to be an open platform.… It wasn’t designed to be secure. It wasn’t designed to be global. The ubiquity of the Internet is its strength, and the ubiquity of the Internet is its weakness. For every promise of connectivity, there’s a potential vulnerability.”
A report released last year by McKinsey & Co. and the World Economic Forum found that more than half of all respondents surveyed—and 70 percent of executives from financial institutions—view cybersecurity as a strategic risk to their companies. The report was based on interviews with more than 200 chief information officers, chief information security officers, law enforcement officials, and other practitioners in the United States and around the world.
“In this world, you’ve got to manage the risk before it manages you,” Ridge advised the audience.
Support for the forum was provided by BDO USA, the Center for Audit Quality, Dechert, Dentons, Diligent, Heidrick & Struggles, KPMG’s Audit Committee Institute, Latham & Watkins, Pearl Meyer & Partners, Rapid7, and Vinson & Elkins.
The Chattering Class
Risks to reputation are nuanced and numerous. Jonathan Blum, senior vice president and chief public affairs and global nutrition officer for Yum! Brands Inc., which operates 41,000 KFC, Pizza Hut, and Taco Bell restaurants worldwide, has seen firsthand the damage that can be done to a company’s reputation. He recounted an incident that hit the brand’s reputation and bottom line, and ultimately spurred substantial changes in the company’s supply chain.
In December 2012, a state-owned television network in China reported that some local poultry suppliers were putting unlawful amounts of antibiotics in chicken. One of the many suppliers investigated happened to be one of KFC’s suppliers, albeit one of the restaurant chain’s smallest. “But, because we’re the largest brand in China, not just the largest restaurant, we obviously bore the brunt of the publicity,” Blum said.
The most damaging aspect of the negative attention, according to Blum, was not the investigative report that aired on television, but rather the chatter on social media in the wake of the report. The fallout was a tarnished reputation, a sharp downturn in sales, and some decisive action.
“Consumer trust plummeted. Belief in our brand plummeted. Our sales plummeted. We saw a huge drop in our stock,” Blum said. “Now, this was at the end of 2012, so the impact on our financial results that year was negligible. Up until 2013, we had had a 10-year run of at least 10 percent [earnings per share] growth year over year, which is pretty unusual. In 2013, given the ditch we were in in China, our earnings per share dropped 9 percent. We lost $270 million in profit as a result of this incident, and it took about a year to rebound.” In the aftermath of the negative publicity, Yum! Brands learned that its stakeholders wanted answers to three questions:
What was being done about it?
How would the company prevent it from happening again?
Yum! Brands apologized to the public, fired about 1,000 small poultry suppliers, and worked with the Chinese government to upgrade the quality of the poultry supply.
“Over time, that rebuilt consumer trust,” Blum said.
The company also took a significant step toward managing its reputation on social media. “As a result of this incident, around the globe, 24/7, we monitor what consumers are saying about us and we immediately respond,” Blum said.