Ethical Boardroom Feeds

Legal assessments benefit the bottom line

By Robert Barker – Managing Director, BarkerGilmore

 

 

 

Staying ahead of the competition, combined with ever-changing priorities, regulations and technology, requires a legal department able to adapt to evolving company strategy and be responsive to the needs of its constituents.

Navigating this challenging business climate calls for frequent course correction and a business-minded general counsel (GC) at the helm. The rise of the business-minded GC represents a new wave of leadership within organisations, reflecting the value and increased responsibilities of in-house counsel.

At public companies, the GC’s responsibilities have grown tremendously, and the GC now plays an integral role in strategic planning, especially as it relates to risk management and determining competitive advantages in the market. Multinational companies require their GC to understand the complex and various economic, social and political climates around the world, in addition to a myriad of legal issues. To be effective, a general counsel must be:

  • An expert in various areas of law that are core to the business enterprise
  • A skilled manager of a professional staff and outside legal counsel
  • A respected member of the C-Suite executive team
  • An important face of the company to external audiences
  • An efficient administrator of legal and related operations
  • An individual with a keen sense of the business, an effective negotiator and a diplomat who is adept at dealing with a variety of inside and outside constituents, from shareholders and directors to regulators, litigants and risk managers

The GC now has a broader leadership role

Benjamin W. Heineman Jr, former GE senior vice president for law and public affairs and current senior fellow at Harvard University’s schools of law and government, sums up the new standing of the GC within the corporate hierarchy in his book The Inside Counsel Revolution: Resolving the Partner-Guardian Tension. He states: “The general counsel now often has a broad leadership role and final decision-making authority beyond the legal department, heading such areas as tax, trade, environment, security, real estate, customer care, community relations and public affairs. The general counsel is now often seen as having importance and stature comparable to that of the chief financial officer by directors, CEOs and business leaders because the health of the corporation requires that it navigate complex and fast-changing law, regulation, litigation, public policy, politics, media and interest group pressures across the globe.”

In addition to the intellectual contributions that they make to the executive team and board, the areas where GCs add most value are related to corporate governance, compliance, risk management and mergers and acquisitions. As guardians of the company, it is imperative that they build, motivate and manage high-performance departments, implementing programmes that help identify and even reduce regulatory and reputational risks by having the requisite expertise to spot issues, trends and solutions, as well as the advocacy skills to implement the steps necessary to mitigate, if not eliminate, those risks.

The most successful organisations are conducting more frequent performance reviews as a means to record and track the development and effectiveness of employees. This big-picture approach provides the data needed to know how the team is operating and where they are excelling, as well as where they are struggling.

Assessments can be focussed on a single aspect of legal department performance, cost-effectiveness or responsiveness, for instance, or can involve a more comprehensive review of the overall health and effectiveness of the entire department, especially when measured against other similarly situated legal departments, whether by size, industry or speciality.

Boards and senior management are subject to increased scrutiny by shareholders, the public, regulators and rating agencies. To one degree or another, all of these constituents have higher expectations of performance, insight and control by the leaders of the firm. A comprehensive, objective assessment of the legal function, including some of the common ancillary roles with which it is often charged (i.e. the corporate secretary’s office, licensing, government relations and compliance), is the best way to check the overall quality, effectiveness and efficiency of the department, while also providing the salutary benefit of protecting the board and others from possible later challenges to their decision-making. If nothing else, the ‘business-judgement’ rule that underlies director exculpation from most shareholder liability claims is enhanced by this prophylactic action.

I spoke with some of BarkerGilmore’s most highly accomplished senior advisors on the subject of legal assessments and the rise of the GC’s role within successful organisations. These impressive individuals from across the country have managed the legal departments for some of the largest and most widely respected corporations in the world. Their insights on the importance and effectiveness of legal assessments and enhancing communications with the C-Suite and board affirm the importance of outside perspective and an impartial eye.

Reducing costs, not quality

Legal operations leadership is an expanding function within organisations that continually monitors and drives efficiency standards throughout the law department. Michelle Banks, former GC of Gap Inc and a senior advisor at BarkerGilmore, was tasked with cutting costs by 20 per cent during her first year as GC. This was an across-the-board directive at Gap and certainly a challenge for any legal department.

Conducting a legal department assessment gave her the data she needed to create a cost reduction strategy without compromising legal services, and provided the springboard for conducting semi-annual stakeholder interviews and annual spending reviews. “A best-practice company does this all the time,” Banks advises. It should be an integral component of regular department reviews.

As GC of The J.M. Smucker Company, Ann Harlan used both formal and informal assessments to plan the legal integration of newly acquired businesses. Evaluating the past legal issues, as well as where there may be risks and opportunities as the business is folded into the existing operations, allows the legal department to deploy already thin resources in the most effective and efficient manner. We are all asked to do more with fewer resources and an assessment of and, if necessary, reallocation of, talent and expertise allows the legal department to be proactive in addressing changes in workload and requisite expertise. “The idea is to create a culture of continuous improvement, not merely a reaction to a problem,” said Harlan. And an assessment held at regular intervals provides an opportunity to recognise and reward outstanding performers while also identifying gaps in service.

“It helps ensure that the department is doing the most valuable work as defined by business needs,” says senior advisor Marla Persky, who began making personnel and strategy changes at Boehringer Ingelheim within three months of joining the company as its GC.

Regular law department assessments are a kind of ‘wellness check-up’ for a healthy law department. Even if a problem isn’t immediately apparent, a check-up verifies that things are running smoothly and gives your law department a clean bill of health, or, conversely, allows you to diagnose any problems. Persky adds that proactively undertaking assessments and resolving inefficiencies in workflow, as well as clarifying individual roles and responsibilities, ‘helps to establish your leadership as strategic and business oriented. It also helps a newly appointed GC’s onboarding process’.

Where the business enterprise is one that is highly regulated and regularly examined, such as banking and financial services, the demands on management, and especially the board of directors, have increased significantly since the last ‘Great Recession’. Bill Solomon, the former long-time general counsel of Ally Financial (formerly GMAC), reports that bank regulators have ‘piled on’ requirements of directors to know, manage and do more than just act in their traditional role as policymakers and overseers of senior management, to the point where the customary and legal construct of a director’s limited duties and responsibilities may be at risk of changing, and not necessarily for the better. The Wall Street Journal recently published a lengthy article questioning why any prudent businessperson would ever want to be a director on the board of a bank or financial institution, given the increased demands and expectations of state and federal regulators, and the always imminent challenge of plaintiff’s attorneys and shareholder ‘activists’. One clear, simple way for boards and senior management to mitigate these risks is to conduct a thorough and comprehensive assessment to ensure that their internal legal function is operating in accordance with industry best practices and to remediate those areas – whether with changes in process, technology, scope, strategy, structure, or staff – as needed to redress the shortcomings.

Enabling alignment between the legal department and company strategic goals as set by the C-suite and board is a tangible advantage of the assessment process. Roya Behnia, who was Pall Corporation’s GC, says the assessments can provide ‘a roadmap for goal-setting in a multi-year period’. A deep-dive review of the legal and compliance function can identify gaps in resources or misdirection of effort resulting from a lack of communication with the business or understanding of business goals. With these gaps identified, an assessment can help the legal function dynamically allocate resources according to company goals and identify and implement process tools that would allow the function to serve company strategy. The assessment process, in its highest form, can lead to ‘a defined strategic plan and cascading goals’ on a multi-year basis.

Compiling a successful legal assessment

What makes an assessment successful? Ultimately, the goal of a legal assessment is to recognise talent, streamline workflow, reduce costs and improve the overall quality and effectiveness of the legal department by identifying areas for improvement and engaging the entire department in implementing change. Building positive benefits directly into the assessment for your employees, as well as the business at large, will make regular assessments a welcome activity. The keys to a successful assessment implementation as recommended by BarkerGilmore’s advisors include:

  • Outside perspective and an impartial eye
  • Industry leadership and expertise
  • Consistency – timing, methodology, etc
  • Benchmarking against industry standards
  • Tailoring your assessment to your specific goals

These tools and methodologies take careful planning for successful implementation. In a changing legal environment, benchmarking against industry standards is increasingly complicated. Engaging industry experts allows for an unbiased and nimble approach to benchmarking that considers the most current and successful legal departmental standards and services.

Legal departments are in a state of flux. Leadership expectations for GCs are changing to include a wider range of responsibilities and influence; this in turn changes the way that departments are run. The legal profession itself is evolving amid increased regulation. Awash in new technology and technological threats, including privacy and cybersecurity concerns, departments can drift and lose sight of business goals. While the legal profession continues to innovate, legal management and culture have not.

Of this phenomenon, Roya Behnia observes: “Our colleagues in operations, sales and marketing have used these kinds of assessment tools for years. Isn’t it about time the legal department catches up?”

A good start is an objective legal assessment process that identifies strengths and weaknesses and clarifies communication throughout the business. While business leaders have traditionally set their sights on the marketing department to reduce spending, there is growing recognition among the most innovative companies that a legal assessment can be a highly effective means of ensuring quality of products and services while benefiting the bottom line.

 

About the Author:

Bob is co-founder and Managing Partner at BarkerGilmore. He brings more than three decades of executive search and international business experience to his clients. Bob has successfully managed General Counsel and Chief Compliance Officer engagements for mid-sized to Fortune 500 companies including those in the financial, industrial, energy, technology, and consumer industries. Clients rely on Bob for advice and counseling both during and after the engagement. Some of Bob’s recent engagements include the General Counsel for a national property and casualty insurer, Chief Ethics and Compliance Officer for a privately-held CPG company, Chief Compliance Officer for a public healthcare services company, and the first-ever General Counsel for a non-profit corporation. He has partnered with numerous Fortune 500 companies to build out their legal and compliance departments.

Bob has been instrumental in expanding BarkerGilmore’s services to include advising and leadership development. He has assembled a team of distinguished former General Counsel and Chief Compliance Officers from some of the most highly respected public and private corporations who will serve as consultants to companies and individuals. These experienced leaders are passionate about helping others optimize their legal and compliance organizations and develop strong leaders.

Successful divestitures

By Paula Loop, PwC partner and the leader of PwC’s US Governance Insights Center & Catherine Bromilow, PwC partner in PwC’s US Governance Insights Center

 

Focussing on growth is a given when it comes to increasing value for a company’s investors. That can mean exploring an acquisition or a strategic alliance. But expanding isn’t the only way to unlock shareholder value.

Some companies have businesses that don’t contribute to core capabilities or fit with their current strategy. Perhaps a previously acquired company wasn’t integrated successfully. Perhaps a business is a drag on earnings because its financial performance lags other businesses. Or a thriving business may have outgrown the parent company and could be more valuable either on its own or as part of another company. By removing nonconforming businesses, a company can create a more focussed portfolio for shareholders.

Shareholder activists also often urge target companies to divest parts of their businesses. In 2016, activist hedge funds had US$176billion in assets under management and publicly targeted 329 public US companies, according to Activist Insight Annual Review 2017. As of July 2017, there were 91 US activist campaigns that called for companies to explore some type of sale process, more than double the number called for in the previous year.[1] See chart below (note, all deals of more than $100billion have been excluded). And with the money that has been flowing into activist hedge funds – at least in the United States – we expect such pressures to continue.

Any potential divestiture should be aligned with a company’s overall strategy and plans to create long-term value. Boards that understand the strategy and how each part of the company does or doesn’t contribute to it will better serve their shareholders.

Divestitures can be challenging. A company must identify the business unit to be separated, decide on the type of separation and either prepare it for sale or develop a standalone entity that will function outside of the parent. A divestiture ultimately is a surgical procedure, with a degree of complexity that demands careful planning and caution.

Boards should discuss with management the goal of any major proposed divestiture. That should include how removing a business unit will allow the company to do something it can’t do today. Once directors are satisfied with the strategic reasons for divesting, they can consider other important questions for the board, including:

  • What kind of divestiture should we consider?
  • How important is timing?
  • How are we handling talent?
  • What should our board watch out for after a deal is done?

What kind of divestiture should we consider?

Companies have multiple options for divesting a business unit and may choose to either maintain some type of connection with the divested unit or sever all ties. Depending on the exit structure, the regulatory, tax and financial reporting requirements can vary significantly and usually involve different timetables.

  • In a carve-out IPO, a company separates a business unit or subsidiary but offers only a minority interest in the new entity to outside investors. The result is two separate legal entities, each with its own financial statements, management team and board of directors. The parent company retains a controlling interest in the new company
  • A spin-off creates an independent company with its own equity structure, with shares in the new company typically distributed to the parent company’s shareholders. Unlike a carve-out IPO, the parent company doesn’t have a controlling interest and instead holds no equity or possibly a minority stake
  • A split-off is similar to a spin-off in that it also creates a new entity with its own equity structure and the parent company doesn’t have a controlling interest. The difference is that shareholders can essentially exchange shares in the parent company for shares in the new company. A split-off can have a less dilutive effect than a spin-off on the parent company’s earnings per share
  • A trade sale typically is the cleanest type of divestiture. A company completely turns over a subsidiary or business unit to another company, a private equity firm or some other buyer. A sale is usually easier and faster to complete than the other types of transactions
  • A parent company may contribute a portion of its business to form a joint venture (JV), with or without control. This kind of transaction can unlock synergies with a partner and provide access to other assets when other transactions may not be available. For board considerations when management is considering an alliance, see PwC’s paper Building Successful Alliances And Joint Ventures

How important is timing?

Different types of divestitures typically take different lengths of time to complete. That matters if a company needs to separate a business quickly because of broader company concerns or market issues. A sale usually takes the least amount of time – anywhere from a few months to a year. If a company needs to secure capital, reduce expenses or make some other financial or strategic move in the short term, it may be limited to contemplating a sale because other deals would take too long.

A sale still raises key considerations for the board – notably, how to maximise value for shareholders. Management should tell directors if there’s a specific buyer in mind or if the business unit will be marketed to a wide range of possible buyers. Private equity buyers may have different requirements or conditions than corporate buyers. If the potential buyer is another company, the board should know if it’s in the same industry and be able to share any concerns it might have with management.

Carve-out IPOs, spin-offs, split-offs and JVs take longer to finalise – sometimes more than a year. Forming a new entity involves legal, regulatory and other requirements that simply selling a business to a buyer doesn’t. Without adequate resources, the transaction could become a distraction that affects day-to-day operations – and the board should discuss this with management ahead of time.

Before the company embarks on a divestiture, directors should ensure management has or will hire the right people to handle the heavy lifting. The board also should be confident in management’s plan to keep the rest of the company running effectively and employees engaged in their work.

How are we handling talent?

Depending on the type of divestiture, talent can be a relatively small issue or a more complex concern. In a sale, the business unit’s employees and leaders often stay in their existing roles as the business moves to new ownership. But the divesting company may want to retain certain talent, such as executives with senior leadership potential. Board members should be aware of those conversations and make sure such pursuits don’t jeopardise the transaction. Once the sale is completed, personnel and development issues become matters for the new owner.

Talent decisions are typically more complicated with carve-out IPOs, spin-offs, split-offs and JVs. Because parent company shareholders typically still have some level of investment in the new entity, boards should have a stronger interest in decisions about employees and leaders.

The board should ask management if the managers of the business unit being separated are willing and able to lead an independent company. If not, directors should discuss how new talent will be brought in.

Talent migration is complex, particularly for employees working outside the separating business unit, such as finance or IT. People attached to the divested business can expect to be affected. The transaction also could pull employees from these enterprise functions. Management needs to be strategic about who stays and who goes.

Employees in these functions may question management’s decision to shift their employment to the new entity and some could choose to leave for jobs elsewhere. To retain them, management may need to offer compensation, career development opportunities and other incentives, such as stay bonuses. Management will also have to address deferred compensation for the individuals who are going to the new entity. The parent company board should ensure that leaders are equipped to communicate the rationale behind talent decisions.

Understanding at the start of the process where talent gaps will exist – both in the parent and separating companies – provides for more time to plan for the necessary incremental hiring from outside the companies. A divestiture also can affect employees and managers who aren’t directly involved in the transaction. The board should confirm that management is keeping the entire company in mind and has a comprehensive communications plan for the entire deal cycle.

For example, in some deals the selling company signs a transition service agreement (TSA) to provide certain services and support for a certain period after the deal closes. A seller with a TSA may need to maintain the resources to provide essential services in areas such as finance and accounting, human resources (HR), legal, information technology (IT) and procurement. In some cases the TSAs may last more than a year.

What should our board watch out for after a deal is done?

A successful divestiture means going beyond executing the details of the transaction and taking the necessary legal steps to separate a business from the company. It requires putting both companies on the right trajectory for profitability and growth in the years following the deal.

This means striking the right balance when it comes to changes post-deal. If the new entity and parent company make only slight adjustments in strategy and operations, they run the risk of simply being smaller versions of the formerly combined company, with stranded costs and few, if any, new advantages. But if the two entities go to the other extreme and make drastic shifts, it could make the divestiture process even more complex and overwhelm the companies. The board can help by engaging management on the divestiture plan and, if it’s not a full sale, ensuring that it will leave both companies in competitive market positions.

One short-term challenge for the new entity after the transaction closes is the cost of establishing and managing processes and personnel that had been covered by the parent company. Those costs could be high, especially in the early months. The board should make sure there’s a cost-mitigation plan in place before the split.

The board also can help shareholders in the carve-out IPO, spin-off, split-off or JV understand how those added costs ultimately will be offset over time. Directors should understand how the divestiture may create opportunities for long-term value in both companies.

A divestiture can impact the original company, especially groups that support the enterprise. Large divestitures can leave the remaining company with more personnel than needed in some areas (e.g. HR, legal, IT). The board should discuss with management if the company will need to restructure to stop paying for services that are no longer needed once the TSA term is over.

The board should also discuss with management whether the divestiture process could make the company vulnerable to competitors. With highly visible and/or complex separations, other companies could see an opportunity to disrupt customer relationships and grab market share. Management should explain to the board how the company will provide business as usual for customers.

In conclusion

Done right, a divestiture can maximise shareholder value for all companies involved. The board of directors can play an important role in providing guidance at different stages of these complex transactions. With the right understanding and planning, companies that are considering a divestiture in a dynamic market can achieve strategic goals and ultimately deliver greater value for their shareholders.

For deeper insights into the board’s role in divestitures, read PwC’s full publication When A Piece Of Company No Longer Fits: What Boards Should Know.[3]

 

About the Authors:

Paula Loop is the leader of PwC’s Governance Insights Center, which strives to strengthen the connection between directors, executive teams and investors by helping them navigate the evolving governance landscape. With more than 20 years of experience at PwC, Paula brings extensive knowledge in governance, technical accounting, and SEC and financial reporting matters to organisations. Paula is a well-known speaker on a variety of governance topics. She has also been quoted in publications such as the Wall Street Journal, Financial Times, Forbes and CNBC. In 2017 NACD Directorship magazine named her for the third consecutive year as one of the 100 most influential people in corporate governance in the United States. Paula is a Certified Public Accountant (licensed in New York) and is a graduate of the University of California at Berkeley with a B.S. in Business Administration.

Catherine Bromilow is a partner in PwC’s Governance Insights Center, which strives to strengthen the connection between directors, executive teams and investors by helping them navigate the evolving governance landscape. With more than 19 years of experience at PwC, Catherine has focused solely on corporate governance. Earlier in her career, she worked in internal audit at a major financial institution. Catherine has authored and contributed to many PwC governance publications, including the new Risk Oversight Series, Governance for Companies Going Public — What Works Best and Director-shareholder engagement: the new imperatives. NACD Directorship magazine in 2017 named her for the eleventh consecutive year as one of the 100 most influential people in corporate governance in the United States.

In governance we trust

By Héctor Lehuedé – Senior Manager, OECD Corporate Affairs Division

 

 

“Happy families are all alike; every unhappy family is unhappy in its own way,” wrote Leo Tolstoy in the opening lines of Anna Karenina, preparing the reader for the tragic fate of Princess Anna’s marriage to Count Karenin.

It is a stark reminder that for a marriage to succeed it has to juggle many moving parts, any one of which can send the relationship out of equilibrium in a different direction. A similar claim could be made about firms’ governance. For governance frameworks to be effective, they have to find the right balance of a number of challenging aspects in a way that suits the features of the individual firm. Get one of them wrong and bad things will happen, sooner or later.

Impact of misconduct

Corporate misconduct is unfortunately a ubiquitous and gloomy by-product of bad governance in today’s markets, so there is no need to describe it here. It may suffice to say that, to a degree, we have become rather unemotional about breaking news regarding the latest scandal, as well as about the sheer magnitude of some of the consequences. One is the impact on trust, not only in business, but on trust in institutions more generally.

When corporate misconduct is uncovered, citizens first blame the company and its leaders, as they should, but then also fault the authorities under whose watch events unfolded as well as the market as a whole, wondering as to the extent of bad practices. Distrust is only more acute if citizens perceive that punishment is not sufficiently proportionate, especially if the culprits walk away free (and with a bonus). Whatever measure is used to assess the level of trust, there is clearly a very strong agreement in the data that it fell significantly in the Organisation for Economic Co-operation and Development’s (OECD) area after the widespread misconduct revealed by the financial crisis, from an already very low starting point. We haven’t yet recovered from this fall and we suffer the consequences in a post-truth and increasingly polarised world.

Drivers of trust

As discussed in a 2017 OECD report Trust And Public Policy, trust is usually understood as ‘holding a positive perception about the actions of an individual or an organisation’.[1] Trust works by giving us confidence that others will act as we might expect in a particular context. It is developed (or lost) on the basis of the individual’s actual experience although, as a subjective phenomenon, it is based on facts as much as on our own perception or interpretation of them. It is also shaped by the opinion of others and influenced by media.

From an economic point of view, trust reduces costs and increases the speed of social interactions, generating tangible benefits for all: a ‘trust dividend’. When present, trust allows us to make decisions without having to renegotiate with and/or reassure our counterparts at each interaction.

The OECD report further discusses what institutions can actually do to strengthen lost trust, which is essential for the effectiveness of public policy. It points in the direction of two fundamental building blocks: competency and values. These two concepts encompass a range of qualities and attributes that have been shown to inspire trust, in particular: reliability, integrity, responsiveness, fairness and openness. They contribute to an individual’s direct sense that the institutions with which he/she deals are trustworthy.

Governance failures

As argued by the G20/OECD Principles of Corporate Governance, the purpose of corporate governance is precisely to create an environment of trust, transparency and accountability necessary to obtain long-term investment, financial stability and sustainable growth.[2] This environment offers households the opportunities to hold equity and participate in the profits and wealth creation of the private sector, while facilitating the channelling of savings to promising business ventures that agree to adopt good governance to receive financing. Robust empirical results, including by the International Monetary Fund (IMF), show how good corporate governance reduces risk for individual firms as well as for the market as a whole.[3]

This link between risk and governance was also in the Financial Stability Board’s (FSB) mind in 2016 when it created its Working Group on Governance Frameworks (WGGF), chaired by Jeremy Rudin, Canada’s superintendent of financial institutions. The group, which was mandated to explore the use of governance frameworks to reduce misconduct risk, presented a first public report in May 2017 that includes an engaging literature review of root causes of misconduct.[4] For this, the WGGF scrutinised a dozen prominent institutional failures in the financial and non-financial sectors, distilling common governance problems that offer clues into the actual functioning of governance frameworks:

Pressure: The WGGF learned that all institutions studied were subject to strong pressures when they failed. These pressures arose from external forces (such as the need to maintain political support for space activity in the case of NASA’s space shuttle disaster, or increased competition threats in the market in BP’s Deep Horizon oil spill) as well as from internal forces (like an overly ambitious growth strategy, as in many financial institutions during the financial crisis). These pressures put governance institutions to a test they did not withstand.

Leadership: Pressure found its way into the organisation from the top, usually beginning with the board and senior management. The WGGF notes that this influenced their leadership styles and tone, as well as the strategy and decisions they adopted. Dominant leadership and stressed group dynamics left little room for dissent and constructive challenge, so people didn’t speak up or were ignored if they did. Inappropriate behaviour, or behaviour inconsistent with official policies and values, quickly became tolerated (something psychologists refer to as ‘normalisation of deviance’) and shaped a riskier ‘new normal’.

Culture: Yielding to pressure, leadership negatively influenced the organisational culture and behaviour of the entire company beyond previously established rules and procedures. Organisational mindsets were realigned with a desire to achieve results at the expense of security, compliance, ethical values or long-term sustainability. As employees perceived few opportunities to escalate concerns, leaders didn’t receive crucial information that, in turn, predisposed their own decision-making. Firms accepted small deviations and misconduct as inevitable risks, assuming that if they didn’t result in a major negative event in the past, they might not cause one in the future.

Governance frameworks: Tested under pressure and without candid support from the top, frameworks revealed their weaknesses. Unclearly defined roles and responsibilities led to unaccountability and feeble escalation channels led to dangerous silence, while financial incentives overpowered insufficiently strong or independent control functions. Even when frameworks proved to be robust and well-designed enough to operate under stress, their input was overruled at the top. The WGGF notes that Lehman Brothers had sophisticated policies and metrics in place to estimate risk, as well as extensive staff dedicated exclusively to risk management. However, Lehman’s leaders relied more on their experience and successful track record, leading their company into default and triggering a global crisis in the process.

Role of culture

The FSB’s WGGF report concluded noting the symbiotic relation between governance frameworks and corporate culture, which it defines as ‘an institution’s shared assumptions, values, beliefs and norms’. An effective framework can nurture the right culture in a firm, but a corrupt culture can significantly undermine efforts to set up an effective framework running against its current. In a July 2017 post on the UK’s Financial Conduct Authority (FCA) website, former FCA senior advisor John Sutherland argues that for a new culture to emerge, staff members need to understand that the new governance framework will expect them to start behaving differently.[5]

Sutherland warns that old habits die hard, but suggests there are four drivers of behaviour that can influence cultural change: trust and trustworthiness, communication, decision-making and incentives (both financial and non-financial). He cautions that leaders can damage internal trust by responding to pressure with objectives that differ from firm values. He quotes employee surveys reporting they ‘don’t always trust senior leaders’, or that they feel it is expected they will ‘have to trade ethics for business’, as evidence of this. To foster a well-working governance framework, Sutherland argues, all four behavioural drivers must be aligned, understood and ideally overseen or controlled by the board.

Leadership in practice

This is also the view of some enforcement agencies. A July 2017 interview of Hui Chen, former US Justice Department (DOJ) compliance counsel, highlights how relevant this relationship between frameworks and the organisational culture is for prosecutors charged with evaluating corporate compliance programmes.[6] Ms Chen describes how investigated companies tend to present binders full of their compliance policies, although DOJ prosecutors don’t really care about what the policy says, but rather about how they actually operate: ‘we want to see evidence; we want to see data of effectiveness’. She goes on to advise firms to make sure their programmes produce actual results that are measured thoughtfully and to assume that prosecutors will see through ‘a programme that’s designed to satisfy them versus a programme that’s designed to work’.

The 2017 DOJ’s manual for evaluating corporate compliance programmes offers a useful guide to corporate leaders committed to building an effective governance framework.[7] The manual lists difficult questions covering issues from ‘analysis and remediation’ to ‘incentives and disciplinary measures’, including ‘autonomy and resources’ as well as ‘continuous improvement, periodic testing and review’ among others. On the role of the leadership, it covers three crucial issues:

Conduct at the top: How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behaviour? How has senior leadership modelled proper behaviour to subordinates?

Shared commitment: What specific actions have senior leaders and other stakeholders (e.g. business and operational managers, finance, procurement, legal, human resources) taken to demonstrate their commitment to compliance, including their remediation efforts? How is information shared among different components of the company?

Oversight: What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?

The rear-view mirror

Habitual readers of Ethical Boardroom may recall that the Spring 2015 issue hosted an editorial about a then-recent OECD project exploring what corporate governance frameworks could do to mitigate the risk of corporate misconduct.[8] The piece described the integrity recommendations of the G20/OECD Principles of Corporate Governance and asked, rhetorically, what those recommendations meant in practice for boards that take their responsibilities to heart. It concluded by outlining plans the OECD had to better understand why some companies fail to prevent misconduct and how to build effective compliance into corporate governance. It also promised to report back on the findings.

Looking back, it seems fair to say that we now have a wealth of knowledge and some robust findings from diverse sources at our disposal, which have enriched our understanding of how governance frameworks can succeed or fail. We can argue that we have better assessed the crucial role of trust and its drivers; we have carefully studied the conclusions from previous corporate failures and extracted valuable lessons; we have come to grips with the role of culture in governance and we have sharpened our tools to facilitate meaningful implementation of best practices.

We can declare we are better equipped to balance the many governance challenges, but this is, of course, no guarantee of success. As Tolstoy or anyone who has been in a relationship could attest, the path to success demands not only learning to juggle the moving parts, but also finding the commitment to keep doing it as consistently as possible for the long run.

About the Author:

Héctor is senior manager at the Corporate Affairs Division of the Organization for Economic Co-operation and Development (OECD) where he is in charge of overseeing the work of the OECD Corporate Governance Committee, which brings together experts from all OECD member and partner countries and meets twice a year in Paris. He is also responsible for policy dialogue, research and assessments of the implementation of OECD standards across jurisdictions, as well as manager of the OECD Russia Corporate Governance Roundtable (sponsored by the Moscow Exchange and the Siemens Integrity Initiative) and the OECD Trust and Business (TNB) Project.

Héctor joined the OECD in 2010 after serving as senior adviser to the Chilean Minister of Finance and having practised for more than a decade as a lawyer at some of the best legal and audit firms in Chile. He has a J.D. degree from Universidad de Chile and holds a master’s degree from Stanford University.

While the cat’s away

By Patricia J. Harned – Chief Executive Officer, Ethics & Compliance Initiative

When I was 10 years old, my mother took a full-time job in a nearby office so that she could provide a second source of income for our family. My siblings and I were old enough not to need a babysitter, so every day after school we became ‘latch-key’ kids – at home without supervision.

We were never big troublemakers as children, so there was no great risk that we would set the house on fire or cause some other calamity. Nevertheless, without fail, every afternoon the phone would ring at some point while we were home alone. When one of us would answer, my mother would inevitably be on the other end of the line explaining that she was calling ‘just to say hello’. Now, we might have been young kids, but my siblings and I all knew what she was really doing. She wanted to check up on us.

Nowadays, I meet leaders who have a similar perspective as my mom did, way back when. I have met CEOs who routinely call their offices while on travel, simply to be sure that their employees are actually working. I have heard other executives confess that they occasionally call remote employees, just to be sure that they are not ‘working’ while on the golf course. As leaders, we tell ourselves that it is all part of the effort to ‘trust but verify’ that the organisation is operating according to plan. However, on some deep level, I suspect that every one of us cannot help but wonder whether there is also some truth to the adage that, no matter how kind-hearted and trustworthy our employees may be, ‘when the cat’s away, the mice will play’.

We are not completely crazy to think that way. Despite the fact that most organisations today have established codes of conduct to set out their policies and standards for workplace conduct, and even though most supervisors say that their employees are committed to ethical conduct, each year an average of 44 per cent of workers at all levels say that they still observe at least one act that violates those standards, or the law. Thus it seems that, even if the cat is present in the workplace, the mice still play.

Importantly, however, levels of workplace misconduct have decreased by 25 per cent in the United States since several prominent regulations have been enacted; namely Sarbanes-Oxley, Dodd-Frank and a number of industry-specific requirements for corporate compliance programmes. Prior to the passage of those regulations, as many as 55 per cent of employees said they observed some type of wrongdoing in a given year. What has mattered is not that the regulations existed, but that companies established the systems and controls that are linked to the reduction of workplace wrongdoing. Those systems were prescribed by regulatory requirements and enforced when violations occurred. So, there is also some truth to the idea that we need the regulatory and enforcement cats to stay.

Is the cat going away?

Lately, I have received a number of calls from journalists asking me about the implications of what, so far, appears to be a loosening of US enforcement against corporate violations and the potential for the repeal of some of the legislation that has clearly influenced corporate conduct. There are some legitimate reasons for eyebrows to be raised. For example:

  • Wall Street regulators have imposed far lower penalties in Trump’s first six months of office than the Obama administration’s initial six months
  • So far, the Trump administration has collected about 60 per cent less money in fines from companies for violating pollution-control regulations compared to the same period of the past two presidential administrations
  • The only regulatory settlement that one of the biggest corporate scandals this year – Wells Fargo – has faced out of legal claims totalling $3.3billion has been a $185million settlement with the Consumer Financial Protection Bureau (lead regulator), the Office of the Comptroller of the Currency and the LA City Attorney
  • The House of Representatives passed a bill in March that would substantially reduce private litigation by consumers against corporations and another bill in June that could undo significant portions of Dodd-Frank

Taken together, it comes to mind that once again, we are all concerned that we might be witness to the proverbial enforcement cat going away – and the likelihood that the corporate mice will begin to play in ways that we do not want them to.

That worry may be well-founded. After all, the majority of these regulations were established as a result of corporate misdeeds. Sarbanes-Oxley didn’t exist until a rash of corporate scandals took place (Enron, Tyco and Comcast among them). Thanks to the financial crisis, the same was true for Dodd-Frank. Even Chapter 8 of the US Federal Sentencing Guidelines – the framework that has in many ways become the de facto standard for ethics and compliance programmes – did not exist until judges were in need of guidance in sentencing of corporations that had been convicted of a crime.

So, it begs a few questions: if the tides are turning and regulatory and enforcement efforts continue to recede, how should boards think about ethics and compliance in their organisations? Should they shout for joy and count the cost savings for lack of a need of internal controls? Or should they double down on their programmes for fear that if the cat is going away, the mice will begin to play?

Double down

One need only think of Uber, Rolls-Royce or Volkswagen to appreciate the need for boards to remain vigilant in insisting upon strong ethics and compliance programmes in the organisations they govern. In each of these instances, we have yet to see what will come from enforcement actions for alleged wrongdoing. But already we are witness to the significant reputational loss from which these organisations now need to recover. And sadly, directors of these organisations discovered far too late that their corporate compliance programmes and cultures were not what they thought them to be.

ECI’s research has shown that when an organisation has a high-quality ethics and compliance programme in place, acts of misconduct are reduced by as much as 34 per cent. These programmes include the following:

  • A code of conduct, or other form of written standards
  • Training of employees on what actually constitutes corruption
  • Risk assessment to determine areas of greatest exposure
  • Systems for employee reporting/raising of concerns
  • Protections for employees who take steps to report (internally or externally)
  • Disciplining of employees who violate the code of conduct

These efforts must be accompanied by a focus on building and sustaining a strong ethical culture in an organisation, too. Culture is not influenced by regulation; it is the result of several activities and commitments by management:

  • Communication of a set of core values that are intended to guide employee decisions and actions
  • Leadership efforts to consistently talk about the importance of integrity and to model the conduct they expect from the workforce
  • Supervisors’ reinforcement of the core values and the messages senior leaders are communicating
  • Encouragement and reinforcement that management wants employees to raise concerns and reports of suspected corruption
  • Systems in place to fairly and consistently investigate reports of wrongdoing
  • Accountability of employees, regardless of the level, when they engage in corruption

From a board perspective, it is easy to prioritise regulatory requirements and enforcement activities. Yet it is important for leadership to not lose sight of the importance of ethics and compliance programmes and strong cultures, simply on their own merits. These values pay dividends. It’s been shown that:

  • Employee pressure to compromise standards is reduced by 76 per cent
  • Misconduct is reduced by 66 per cent
  • Employee reporting rises by 31 per cent
  • Retaliation against whistleblowers is reduced by 54 per cent

Additionally, employee engagement increases and their overall satisfaction with the organisation rises when high-quality programmes are in place. All of these outcomes are well worth the investment of an organisation in ethics and compliance.

Become the cat

Boards should begin to think of their company’s ethics and compliance programme as being essential to business strategy, regardless of what happens with regulation and enforcement. In other words, the board should be the cat that ensures that the mice stay in line. How can they do that?

If you are a director and you want to monitor the well-being of your organisation’s ethics and compliance programme and culture, you should not allow any board meeting to adjourn unless the following metrics have been provided to your satisfaction.

1. Communication of values and standards: Boards should expect that multiple efforts are underway to communicate the importance of organisational values and standards in everyday business activity. Directors should ask for metrics showing:

  • Direct mention of the organisation’s core ethical values in most formal and informal communications by the CEO and other C-suite executives
  • Visibility of the code of conduct and reference to policies that relate to key risk areas
  • Use of multiple methods of communication to promote helplines (and other reporting mechanisms)
  • Encouragement of employee reporting of concerns
  • Use of incentives to recognise employee performance that aligns with the organisation’s values

2. Employee perspectives of the organisational culture: Ask management to regularly gather information from employees to gauge their perceptions of the workplace from an ethics and compliance perspective. When significant shifts occur, management should be able to explain root causes and address efforts underway to resolve any issues.

Methods for this data collection can vary, but directors should be able to regularly receive metrics demonstrating employee sentiment. Ask management to utilise:

  • Surveys of employees
  • Focus groups
  • Ambassador programmes (employees embedded in operations who serve as sounding boards)
  • Internal social media sites
  • External social media sites (e.g. LinkedIn)
  • 360 degree evaluations and other feedback loops (e.g. evaluations of training programmes)

Reports and investigations

When cultures begin to erode, employees stop reporting wrongdoing to management. Or if they do come forward to raise a concern about observed misconduct, employees in weakening cultures often say that they experience retaliation for having done so. This is a very serious risk to an organisation. Once retaliation begins to occur, there is a silencing effect overall. The worst thing that can happen is for the organisation to become a place where wrongdoing is taking place and employees are afraid to make problems known.

Management should be able to provide the board with a high-level summary report on a regular basis, listing the concerns that are being raised. Additionally, directors should be aware that, on average, only five per cent of reports of alleged violations are made to a formal company helpline. If business leaders are not providing insight into the reports that are made directly to supervisors or other members of management, ask them to do so.

It is equally important to monitor the investigations and disciplinary processes in place. Ask management to regularly provide an in-depth report on a few randomly selected cases. Pay attention to the:

  • Length of time from the receipt of a report to the closure of an investigation
  • Treatment of the employee who reported and the employee who was alleged to have committed a violation
  • Consistency of the process from one case to another
  • Extent to which employees involved report that they experienced retaliation for having come forward
  • Root cause analysis of the problem, lessons learned by the company and changes being implemented as a result

Turnover rates

When employees are dissatisfied with their jobs, they leave the organisation. When the culture becomes toxic and trouble is brewing, they leave in droves. Ask management to provide regular reports of employee turnover, especially in key operations where performance pressure is higher.

Perhaps most importantly, as a director, the message that ethics and compliance programmes and culture are important begins with you. It is your job to insist that management continually finds new strategies, better benchmarks, or additional sources of information to satisfy the board that your organisation is aware of the observance of standards and the well-being of its ethical culture.

After all, when the cat’s away, the mice will play.

 

About the Author:

Dr. Patricia J. Harned is Chief Executive Officer (CEO) of the Ethics & Compliance Initiative (ECI). Dr. Harned oversees ECI’s research agenda and its networking and conference events. She also directs outreach efforts to policymakers and federal enforcement agencies in Washington, D.C., and speaks and writes frequently as an expert on ethics in the workplace, corporate governance and global integrity. Dr. Harned advises CEOs and directors on effective ways to build an ethical culture and promote integrity in organisational activities.

Dr. Harned has served as a consultant to many leading organizations, including Penn State University, BP and the New York Stock Exchange. She has testified before Congress and the U.S. Sentencing Commission. Dr. Harned has been featured in media outlets including the Wall Street Journal, Washington Post, USA Today and CNN, and has appeared on the “Diane Rehm Show.” She was selected by Ethisphere Magazine as one of the 100 Most Influential People in Business Ethics in 2014, and was named one of the Top 100 Thought Leaders in Trustworthy Business Behavior in both 2010 and 2011 by the non-profit organization Trust Across America. Dr. Harned holds a Bachelor of Science in education degree from Elizabethtown College in Pennsylvania, a Master of Education degree from Indiana University and a Doctorate in the Philosophy of education from the University of Pittsburgh.

Is cyber risk a D&O risk?

By Kevin Kalinich, Global Practice Leader – Cyber Insurance, Jacqueline Waters, Management Liability Legal & Claims Practice Leader and Chris Rafferty, US Sales & Growth Strategies Leader, Management Liability – Aon Risk Solutions

For years, insurance industry pundits predicted that cyber-related losses could lead to directors’ and officers’ liability. Prior to 2017, that concern was largely overstated since most headlining cyber breaches resulted in dismissal of the related ‘follow on’ shareholder derivative directors’ and officers’ (D&O) litigation.

However, 2017 is a different story. The $350million Yahoo! purchase price reduction following its disclosure of massive breaches, the WannaCry ransomware incident, the NotPetya ransomware incident and the Equifax security breach have changed the paradigm. How do we know?

1. Increased public company disclosures of cyber incidents that have a material impact on the organisations’ financial statements

2. Increased public company disclosures of potential material cyber risks[1]

3. Increased regulatory scrutiny[2]

4. Resignations of public company officers

5. The $5billion drop in Equifax market capitalisation

Cyber events now rank among the top three triggers for D&O derivative actions (along with M&A activity and environmental issues).

What are a board’s duties with respect to cyber risk management and disclosure?

On 13 October 2011, the US Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued non-binding guidance on reporting obligations for public companies regarding cybersecurity risks and cyber incidents (the Disclosure Guidance). The Disclosure Guidance recognised that the growing reliance of companies on digital technologies meant that such risks and events could be sufficiently material to investors that they may be required to be disclosed in public securities filings.

How much information is vital to investors depends a lot on who is defining what information is material and what is immaterial. Generally, according to the SEC, information is material if it ‘limits the information required to those matters to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered’.

In the US, directors are held to standards of fiduciary duty, loyalty and care, with the business judgement rule as a defence against many allegations of wrongdoing. The ability to demonstrate that directors have appropriately discharged their duties often dictates the ability to successfully rebut claims made against such individuals. Outside of the US, the standard to which corporate leaders are held in many cases is higher. For example, the European Union General Data Protection Regulation (GDPR) intends to strengthen and unify data protection for all individuals within the European Union, with potential penalties of up to four per cent of an organisation’s worldwide revenues for noncompliance. All of these factors require significant care from directors and officers to ensure that appropriate cyber controls are in place. It is interesting to examine recent cyber incidents and the frequency of follow-on D&O litigation in the US.

Selected cyber breaches

A brief scan of notable cyber breaches[3] in the public record includes the table (below).

Most of these matters have been dismissed with corporate defendants successfully rebutting the alleged wrongdoings. There are some lessons to be learned with regard to appropriate planning to reduce cyber risk and the successful defences asserted by corporate boards. One such example comes from the Wyndham cyber breach. In brief, a shareholder derivative suit was filed against Wyndham and its directors and officers in 2014. The suit alleged that Wyndham failed to implement adequate cybersecurity measures and disclose the data breaches in a timely manner, which caused the company to suffer damages. Ultimately, the court disagreed with the plaintiffs, citing that Wyndham and its directors and officers utilised appropriate (un-conflicted) counsel, the board investigated and took reasonable steps to familiarise itself with the allegations of the derivative demand, the board had taken prudent steps to familiarise itself with cyberattacks and had discussed the attacks at multiple board and committee meetings.

The Wyndham litigation provides several important lessons for businesses that may be subject to a cyber risk incident:[4]

1. Prior to suffering a cyber incident, businesses should confer with knowledgeable counsel and technology consultants to implement cybersecurity measures and compliance procedures. The board should document the steps taken to evaluate a company’s cyber exposures, the resulting recommendation, and, most importantly, the actions completed as a result

2. Following a cyber incident, businesses must be prepared to respond to civil legal proceedings and government regulatory inquiries and investigations. The best protection from such challenges is having a documented deliberative process resulting in formal prevention and crisis response plans that were routinely monitored

Impact to business results and financial reporting

In most situations where personally identifiable information (PII) was a prime source of the alleged breach, there was generally limited actual damage to the value of the business at hand. As of 31 December 2016:

  • 85 per cent < $1million damages
  • 10 per cent between $1million to $20million damages
  • 5 per cent > $20million damages

While PII will continue to be a prime source of cybersecurity exposure, it is expected that business interruption (i.e. supply chain), bodily injury (i.e. transportation GPS), tangible property damage (i.e. manufacturing hack and Internet of Things) and actual diminution in financial results (and, therefore, business valuation) will increasingly arise from cyber exposures. According to the 2017 Ponemon Global Cyber Risk Transfer Comparison Report:[5]

  • The impact of business disruption to cyber assets is 72 per cent greater than to property, plant and equipment (PP&E) assets
  • Quantification of probable maximum loss from cyber assets is 27 per cent higher than from PP&E
  • Organisations valued cyber assets 14 per cent more than PP&E assets
  • Organisations insure on average 59 per cent of PP&E losses, compared to an average of 15 per cent of cyber exposures

Growing impact of cyber assets and exposures

Yahoo!  The Yahoo! cyber breach, in which more than three billion user accounts were impacted, led to a material impact to deal valuation and significant repercussions for Yahoo! leadership:

  • Verizon Communications Inc. acquired Yahoo! Inc.’s internet properties at a $350million discount after revelations of security breaches
  • Yahoo! general counsel Ronald Bell has left the company after an investigation of security breaches
  • It was found that the legal team had enough information to warrant further inquiry but didn’t sufficiently pursue it[6]
  • Yahoo! chief executive officer, Marissa Mayer, has foregone her annual bonus, due to the breach

NotPetya  In June 2017, A.P. Moller-Maersk,[7] Mondelez,[8] Reckitt Benckiser,[9] Merck,[10] DLA Piper Law Firm[11] and DT Express, a FedEx subsidiary based in the Netherlands,[12] among other organisations, announced that the NotPetya virus had crippled supply chain operations.

The malware, disguised to appear as a ransomware attack, wiped the computers’ data instead. FedEx Corp. estimates it took a $300million hit from the late June cyberattack that started by targeting Ukrainian companies and spread globally, particularly affecting FedEx subsidiary TNT Express.

The attack resulted in a significant business interruption and financial impact. According to FedEx CFO Alan Graf: “The impact from lost revenues was and continues to be more heavily weighted toward our higher-yielding international shipments, resulting in a more pronounced impact on profits. It is taking longer to restore our international business due to the complexity of clearance systems and business processes.” Unfortunately, as FedEx explained to investors, the company did not have a cyber policy in place that would cover this type of attack.

Equifax[13]  Equifax announced that its CEO, Richard Smith, had retired following similar retirements by its top information security executives, the chief information officer and chief security officer. The market has continued to punish Equifax shareholders. The company’s market capitalisation was down nearly 30 per cent or about $5billion. As of 21 September 2017, more than 100 lawsuits had been filed, including shareholder derivative litigation against the directors and officers, some of whom sold stock between the 29 July 2017 date of discovery of the breach and the 7 September 2017 public disclosure of the incident.

Each of these instances – Yahoo!, NotPetya and Equifax – is an example of the evolving business impact resulting from cybersecurity breaches and the financial reporting considerations that follow. In each of these recent incidents, companies either had to disclose the materiality of the cyber breach as it relates to their financial reporting, or publicly reference the impact to future earnings and business operations resulting from the breach.

Going forward: be proactive

The brave new world of cybersecurity and the need for board-level focus on risk assessment, quantification, testing, mitigation, transfer and response, demands that corporate leadership cannot be complacent (see AON Framework, right). A number of realities have emerged from recent cyber incidents that corporate leaders should consider, including the following:[14]

1. Cybersecurity presents equal, if not more, risk than financial reporting failure and should receive the same level of oversight and audit

Organisations formulating their cybersecurity oversight need look no further than the current chief financial officer oversight paradigm for financial accounting and reporting. Organisations should establish governance procedures to oversee a corporation’s cybersecurity wellness substantially similar to those that have proven effective and sufficiently flexible to assess and validate financial statement accuracy and reliability.

2. Financial reporting related to cybersecurity is an increasing concern

While the disclosures required are a matter of regulation and statute, investors’ and regulators’ expectations about information to be disclosed evolve over time and the recent emergence of cybersecurity concerns are driving changes with regard to disclosure expectations.

3. Insurance as an effective risk reduction tool

As a general matter, D&O policies have responded effectively to cyber-related litigation. Cyber insurers are evolving with broader coverage and greater capacity to address the growing cyber threat. Property, general liability, crime (i.e. social engineering funds transfers), K&R (i.e. ransomware), EPLI and professional liability insurance programmes may also provide elements of risk transfer protection from cyber exposures.

A comprehensive cyber risk management programme can help serve to effectively achieve positive insurance programme results, aim to reduce an organisation’s cyber exposure and ultimately lead to a more resilient organisation

Conclusion

While there’s never been a more challenging time to be a director or officer given the intersection of information technology and corporate governance, there has never been a more exciting time to provide risk management advice given the growing complexity of risk. Insurance, both cyber and D&O, can be core components of a company’s risk mitigation efforts. A well-crafted insurance programme can help maximise the recoveries available, both in efforts to remediate corporate breaches as well as to help protect the insured organisation’s and individual directors’ assets.

 

About the Authors:

Kevin Kalinich, Esq. – Global Cyber Insurance Practice Leader, Aon Risk Solutions. Following his career as a technology attorney and running an “Internet of Things” company, Kevin leads Aon’s global practice to identify exposures and develop insurance solutions related to technology errors and omissions, professional liability, media liability, network risk and intellectual property. He is a five time Risk & Insurance “Power Broker” and is a consistent source of expertise for numerous media publications, including the insurance chapters for three cyber books, as well as a frequent speaker on professional liability topics. Kevin earned a Mathematics and Economics B.A. from Yale University and a Juris Doctor from the University of Michigan.

Jacqueline A. Waters – Co-Practice Leader of Aon Risk Solutions’ Financial Services Group Legal and Claims Practice. Jacqueline Waters is the managing director and co-practice leader for Aon Risk Solutions’ Financial Services Group Legal and Claims Practice. Her expertise lies in management liability and cyber risks, including D&O, EPL, fiduciary, and certain E&O coverages. Her team serves as claim advocates and assists clients in interpreting carriers’ coverage positions, attending mediations and negotiating resolutions to coverage disputes. Ms. Waters, who is based in Chicago, has been with the firm for over a decade. She earned her Bachelor of Science degree in Music Education from the University of Minnesota and is a graduate of Northwestern University School of Law.

She is a member of the Chicago Bar Association and the Professional Liability Underwriting Society.  She is a regular speaker at industry events and conferences on management liability and cyber liability.

Chris Rafferty – Managing Director and U.S. Sales & Growth Strategies Leader for Aon’s Financial Services Group. In this role, Chris is responsible for serving some of Aon’s largest FSG clients as well as driving growth strategy, collaboration and best practices across all of FSG’s specializations, including Management Liability, Professional Liability, and Transactional Liability. Prior to Aon, Chris was with Lincoln International, a Chicago-based mergers & acquisition investment bank. He earned a Bachelor of Science degree from University of Evansville and an MBA from Harvard Business School. He was recognized as a 2016 Power Broker and a 2016 Rising Star by Risk & Insurance magazine.

Footnotes:

1. A July 26, 2017 Bloomberg article entitled Corporate Cyber Security Risk Disclosures Jump Dramatically in 2017 reports that “more public companies described ‘cybersecurity’ as a risk in their financial disclosures in the first half of 2017 than in all of 2016, suggesting that board fears over data breaches may be escalating.”

2. Newly appointed SEC chair Jay Clayton has emphasised that disclosure requirements extend to cybersecurity issues, stating that “public companies have a clear obligation to disclose material information about cyber risks and cyber events. I expect them to take this requirement seriously.” (July 12, 2017, https://www.sec.gov/news/speech/remarks-economic-club-new-york).

3. Multiple SEC filings: https://www.sec.gov/edgar/searchedgar/companysearch.html

4. Bracewell, Lessons for Corporate Directors from the Wyndham Data Breach Derivative Action http://www.bracewelllaw.com/news-publications/updates/lessons-corporate-directors-wyndham-data-breach-derivative-action.

5. 2017 Ponemon Global Cyber Risk Transfer Comparison Report: http://www.aon.com/forms/2017/2017-global-cyber-risk-transfer-comparison-report.jsp

6. Brian Womak, Yahoo! Counsel Leaves After Hack Investigation Finds Lack of Action https://www.bloomberg.com/news/articles/2017-03-01/yahoo-counsel-bell-leaves-after-hack-probe-finds-lack-of-action.

7. http://files.shareholder.com/downloads/ABEA-3GG91Y/5012608953x0x954059/3E9E6E5C-7732-4401-8AFE-F37F7104E2F7/Maersk_Interim_Report_Q2_2017.pdf; http://www.maersk.com/en/the-maersk-group/press-room/press-release-archive/2017/^8/a-p-moller-maersk-interim-report-q2-2017

8. http://files.shareholder.com/downloads/AMDA-1A8CT3/4967206879x0xS1193125-17-245459/1103982/filing.pdf

9. https://www.bloomberg.com/news/articles/2017-07-06/reckitt-benckiser-cuts-forecast-after-cyberattack-slows-sales

10. https://www.ft.com/content/3d7ac341-1742-3329-9a15-2dc269522d10

11. https://www.ft.com/content/1b5f863a-624c-11e7-91a7-502f7ee26895; 3 Lessons For Firms After Cyberattack on DLA Piper

12. 7/17/2017 SEC 10K Filing, pg 43 https://www.sec.gov/Archives/edgar/data/1048911/000095012317006152/fdx-10k_20170531.htm

13. Equifax Press Release, Equifax Announces Cybersecurity Incident Involving Consumer Information (Sept. 7, 2017), https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628.

14. David R. Fontaine and John Reed Stark, Yahoo’s Warning To GCs: Your Job Description Just Expanded https://www.law360.com/privacy/articles/907583/yahoo-s-warning-to-gcs-your-job-description-just-expanded.

Remuneration practices in 2017

By Fabio Bianconi – Director at Morrow Sodali

 

 

 

Executive remuneration is increasingly perceived by stakeholders as a window into how the board sets the strategy and how it motivates management.

The say-on-pay votes have thus assumed greater importance. Remuneration policies and practices are required to be in line with the business strategy and not encourage risk-taking. The engagement between companies and investors is still a key driver for the development of sustainable remuneration practices and long-term value creation.

USA and Australia

For companies belonging to the S&P 500, support levels in 2017 remained consistent with 2016 – 91.8 per cent average in 2017 (v. 91.4 per cent in 2016) and a median of 95.2 per cent in 2017 (v. 95.3 per cent in 2016). Pay for performance misalignment, magnitude of pay and ‘rigour’ of performance goals (i.e. how the compensation committee sets performance targets) under incentive schemes are the predominant themes for adverse proxy advisory firm vote recommendations and low support on 2017 say-on-pay. A total of 449 proposals had been voted up to 31 July 2017 and only four proposals failed (0.9 per cent in total). While the average support level on the proposals that passed was 91.8 per cent, the median was notably higher at 95.2 per cent.

Comprehensive disclosure on shareholder outreach, engagement discussions, actions taken (or to be taken) in response to ‘low support’ are expected to avoid potential negative vote recommendations against compensation committee members. If the issue persists, the full board may be held accountable.

With the exception of blind followers of ISS and Glass Lewis, institutional voting on say-on-pay is usually case-by-case. Early planning, year-round engagement to foster relationships with shareholders whose support may be needed in the future, comprehensive disclosure and effective communication of a company’s business strategy and its link to executive compensation and corresponding pay decisions are essential in garnering support.

Historically, proposals on incentive plans typically have not received the same level of attention, scrutiny or opposition as say-on-pay proposals – and that continued to hold true in 2017. A total of 120 proposals have been voted upon through to 31 July 2017.

Proxy advisory firm evaluations and vote recommendations are driven primarily by the size of the new share request and associated cost to shareholders, along with a company’s three-year average burn rate. Despite ISS adopting the Equity Plan Scorecard model beginning with the 2015 proxy season in an attempt to make the evaluation process more ‘holistic’ (i.e. take plan features and grant practices into consideration in addition to cost and burn rate), the primary driver for negative vote recommendations continues to be predominantly based on the shareholder value transfer cost and three-year historical share utilisation rate. Companies typically engage with shareholders on use of equity in the context of executive compensation and say-on-pay rather than exclusively on a company’s equity plan.

In Australia, the ‘two-strikes’ rule was introduced in 2011 to increase directors’ accountability beyond executive pay. The entire company board can face re-election (within 90 days) if the remuneration report receives two strikes in a row (at least 25 per cent level of discontent). Among the top 180 Australian listed companies only 12 companies did not exceed the 75 per cent hurdle.

Europe

The United Kingdom is the highest performing country in which the average level of approval of the remuneration report is 92.9 per cent and reaches the 94.9 per cent threshold in relation to the binding vote on policies (that takes place every three years).

In France, as a result of the enforcement of the Sapin 2 Act, an increased level of transparency and explanations from issuers on executive remuneration has been noticed, notably pay-mix, benchmarks and rationale for the choice of the performance metrics driving variable remuneration components. However, this headway on transparency did not lead to a significant improvement in the average ex-post say-on-pay scores at SBF120 companies (average approval of 89.1 per cent v. 88.7 per cent in 2016). We even noticed a reduction of the average approval score at CAC40 companies compared to 2016. Indeed, proxy advisors and institutional investors have taken stricter stances on executive remuneration packages, placing greater focus on pay for performance alignment.

In the opposite direction, there is an increasing trend in the average scores of equity incentive schemes (authorisations to issue stock-options and performance shares). This development is likely due to greater transparency from issuers on the performance conditions tied to the equity awards in response to institutional investors and proxy advisors’ requests. While ex-ante disclosure on the performance targets is still scarce, issuers are becoming more explicit on the performance targets tied to past equity awards, or at least on the level of achievement thereof.

The 2017 scores also show that proxy advisors and institutional investors’ requirements on post-mandate arrangements in favour of executives are becoming stricter. The higher level of dissent may notably be explained by proxy advisors’ growing scrutiny of the methods used for the computation of rights under defined-benefit pension schemes, and continued concern regarding the performance conditions triggering executives’ entitlements to severance payments, on a ‘no pay for failure’ basis.

In Spain this year, the median investor support for remuneration reports across the IBEX 25 is 86 per cent, broadly in line with 2016. LTIs are increasingly better-aligned with international best practice and, therefore, institutional investors and proxy advisors are focussing more on specifics. But issues persist and namely pertain to disclosure on peer group composition for relative (e.g. TSR) metrics, targets and degree of achievement thereof. The implementation of qualitative metrics leads to another common issue related to discretionary power of boards in awarding bonuses. Investors are increasingly placing more attention on targets that are claimed to be ‘sufficiently challenging’. This is especially the case with relative metrics (e.g. TSR), which entail peer groups, normally expecting that there is no vesting/pay out in the case of performance below the median.

Among the 25 FTSE/ATHEX large cap companies in Greece, say-on-pay still remains relevant only to the very few companies headquartered outside of Greece. Of those having dual listings in the UK and/or Switzerland, we note a slight increase in approval (from 92.5 per cent in 2016 to 98.8 per cent and 99.2 per cent in 2017), suggesting an increased awareness of issuers in aligning their pay for performance practices.

Germany is the lowest performing country where there is still no obligation to present the say-on-pay resolution for shareholders’ vote. The average support for those companies that voluntarily submitted the remuneration policy in 2017 was 69 per cent.

In Italy the level of support for remuneration policies slightly decreased from 91.5 per cent in 2016 to 88 per cent in 2017. A more in-depth analysis, which refers only to minority shareholders, however, reveals that in 2017, only 70.6 per cent approved remuneration policy reports, while the remaining voters dissented.

The major issues identified in 2017 essentially referred to the level of severance payments and the absence of transparency in the definition of the performance metrics for variable incentive plans. The main companies have undertaken structured engagement programmes (with proxy advisors and institutional investors) in order to understand their evaluation metrics to the fullest and to improve alignment with international best practice where needed.

The involvement of HR departments in engagement can now be considered a solid practice and has contributed to a better understanding among institutional investors of the peculiarities of local compensation practices.

Conclusion

While shareholder engagement on compensation resolutions has historically come into play during proxy campaigns only as a result of negative voting recommendations from proxy advisory firms, good disclosure and early communication with top holders should be set as a company’s strategy to demonstrate alignment with long-term shareholder interests and to mitigate future shareholder concerns.

 

About the Author:

Fabio Bianconi is Director at Morrow Sodali, a global leader in corporate governance consulting, shareholder and bondholder transactions and institutional investor relations. He is focusing on helping companies to enhance communications with their stakeholders and third-party opinion-makers and to analyze their current practices in light of the current corporate governance landscape and their own business developments. Mr. Bianconi also assists companies in designing compensation related proposals and remuneration policies. During his career he has specialized also in capital markets regulation, activism, merger & acquisition, cross-border standard-setting providing expertise in both corporate and shareholder perspectives.

Mr. Bianconi has strong experience in providing advice/consultation and educational sessions on specific governance related issues to boards, senior management, AGM planning groups and investors. Prior to joining Morrow Sodali, Mr. Bianconi served as Head of Corporate Governance Advisory at Georgeson and corporate governance analyst for ISS Proxy Advisory Services. He has also served as researcher at Financial Times Idc, a leading international supplier of financial market and company information services to the finance, banking, corporate and government sectors. Fabio Bianconi has a degree in Political Science and a Master in International Affairs and Finance. He currently sits on the Ethics and Systemic Risk Committee at the International Corporate Governance Network (ICGN).

 

A smarter way to corporate governance

By Cristina Ungureanu – Head of Corporate Governance, Eurizon Capital

 

 

It is increasingly acknowledged that successful and sustainable businesses are not just good for the economy, they support the wider society by providing jobs and helping to create prosperity, too. Society wants evidence that companies exist for more than simply generating short-term profits and expectations are for corporate governance principles to enhance confidence that companies act in the public interest.

This has been an emerging mood across global economies, in the belief that sound corporate governance significantly influences the perspectives of organisations and makes them catalysts for improved societies.

The future of corporate governance is clearly marked by several social trends that have been taking place globally. ESG (environment, social and governance) and technology are fast-growing topics and may be the ones most impacting corporate governance.

ESG The focus on ESG as a means to creating sustainable value is on the rise. Socially responsible investing has become an important consideration for a growing number of investors, while ESG issues become more thoroughly integrated with company business as a whole. The aspect that is still elusive and is currently on the agenda of companies and investors, is how we can all leverage capital markets to improve not just risk-adjusted returns, but our society as a whole. In other words, how can ESG integration help create sustainable value? An appropriate corporate governance surely holds answers to this.

Technology Today, innovation is all around us. The Internet of Things (IoT) is the driving force behind the latest digital trend of improving everything in our society, and so making our lives ‘smarter’. Organisations whose leadership is able to understand the nature of these challenges and has the temperament to embrace it will have a meaningful advantage in the increasingly technological future.

Smart investors and smart companies

We seem to be living in the era of ‘smart’ – we have smart phones, we use smart cars and some of us are or will be soon living in smart cities. The smart part sits at the very core of economics and society – it empowers the community to make better choices for its future. Given these societal trends, it may be the time now in the corporate world to speak about ‘smart corporate governance’: smart investors, smart companies, smart boards of directors, smart principles.

The changing landscape of corporate governance is stimulated by increasingly more responsible, more powerful and vocal institutional investors. Responsible investing and stewardship has gathered momentum across the world in the past decade, as we as investors look for financial returns while helping to achieve a positive impact on the world around us.

The rising voices of the investor community relate to the impact that investors have on company boards. Just by looking at the main takeaways from the 2017 AGM season, one can observe the evolving policies of voting and engagement of many institutional investors on ESG matters. Among all the shareholder proposals on the US AGM agendas, almost 60% are ESG-related proposals. Consequently, the newest and perhaps most important board risk oversight expectations are being elevated by investors, calling on executives and boards to spend more time and effort directing and overseeing long-term value creation for shareholders and stakeholders.

Companies, too, have new ways of doing things: the shift from a ‘linear’ to a ‘circular’ way of doing business will be one of the medium- and long-term goals of several companies, also through the development of new technologies. Companies are making more efforts to understand what part of their value chains are associated with the main environmental and social impacts, as well as the magnitude of such impacts.

From our investor perspective through monitoring and engagement, we can positively observe the fact that company boards are listening and are acting upon our suggestions and expectations. For example, many boards are adjusting their composition in response to investor requirements for specific skills, i.e. adding ESG skills, cyber skills, international experience or diverse members, refreshing the boards or, in some cases, even asking certain members who did not perform accordingly to step down.

Even traditional corporate governance issues, such as executive remuneration, are evolving to meet the alignment, not only with performance or shareholder interest, but also with stakeholder interest. As investors, we are encouraging companies to approach remuneration from a wider angle and many companies are responding or are proactive in this regard. Financial performance no longer makes up the only metric for setting executive pay; non-financial, discretionary metrics are starting to become part of the pay policies. Tying company integrity, ethics, diversity, employee or customer satisfaction and ESG conduct to executive pay is becoming best practice.

Smart boards of directors

The fast pace of change raises major issues for company boards of directors – how to achieve a balance between oversight and accountability on the one hand, while ensuring innovation and dynamism on the other. The focus of a smart board will be on ensuring that the business creates value for the company, its shareholders and stakeholders, while achieving its goals under conditions of uncertainty and unpredictable competition.

The smart board is fit for the future, is forward-looking with regards to future commercial and industry contexts, seeking to understand the driving forces that are impacting on the business. Many companies are looking not only to long industry experience, but for first-time directors who demonstrate good judgement, intellectual agility, knowledge of technology or digital and the ability to deal with complexity and fast-changing marketplace challenges. And, as fresh faces enter the boardroom, more attention will be paid to director onboarding, an area of corporate governance that has been underserved for some time now.

For years we have been talking about tone at the top, but this is no longer sufficient for a lot of companies. New risks, such as disruption, reputation risks or conduct risks, are prompting several boards to start asking questions about the company’s tone at the bottom, about the company culture. These boards want to ensure that the tone that they set permeates through the entire organisation and that the tone of their company not only flows down but also flows up to the board, for example through organisational training, induction and through appropriate whistle-blowing procedures.

Things are also evolving with board committees. The traditional standing board committees – nomination, remuneration and audit – are no longer the only norm. Many boards are getting creative and setting up new special committees, as an increasing way for boards to be more efficient. These are generally a reflection of the environment and trends we are experiencing, such as technology, cybersecurity, climate change, social care. There are no limits to creating specialised committees and some are given unique nomenclature: from sustainability committee or technology & innovation committee, to environmental & safety committee to strategic planning or quality committees. In many circumstances these are not just special committees, but are chartered committees, which is an approach that we investors expect in order to understand the role and functioning of these new bodies.

Traditional board committees have also evolved, particularly as to their role and composition. The criteria for committee chairs have become an important challenge for the overall board composition. We have already seen this approach with the audit committee requiring financial experts as members. For the remuneration committee, a unique skill-set focussed on remuneration or employee issues is now becoming desirable, as well as an expectation from the investor community who will look to discuss remuneration plans with committee members rather than with the company’s human resources department. The risk committee in certain companies may also call for cyber or technology expertise because of these emerging corporate risks, placed high on board agendas.

Smart corporate governance principles

Corporate governance is indeed evolving to meet the changing needs of the society. The ‘new’ corporate governance seems to suggest that sustainability aspects (such as environmental matters, social and employee-related matters, human rights concerns, anticorruption and bribery) have a relevant impact on the business and should be considered in the definition of the risk profile and strategic objectives of a company. The definition of corporate governance is moving beyond ‘rules’ and ‘processes’ towards corporate culture, vision and responsibility, placing long-term value creation at centre stage.

Several corporate governance codes and principles have been updated across the globe in recent years and the main reason was to adjust them to the pace of the society. While keeping consideration for the context of the individual jurisdiction, society and culture have been firmly positioned as a common change agent in many of these reviews. The new codes also place more focus on transparency by the companies, to ensure there is no loophole and the preference – driven also by investors – is for simplicity rather than complexity of governance and its disclosure. The value of ‘comply or explain’ has been acknowledged and enhanced by most countries in the past years.

Looking at the principles that have marked the developments in corporate governance globally, one of the chapters of the recently revised OECD (Organisation for Economic Co-operation and Development) Corporate Governance Principles is actually dedicated to the role of stakeholders in corporate governance. This chapter outlines the benefit of active co-operation between corporations and stakeholders and underlines the importance of recognising the rights of stakeholders established by law or through mutual agreements. The chapter also supports stakeholders’ access to information on a timely and regular basis and the possibility to obtain redress for violations of their rights.

In Italy, the most recent amendments of the Italian corporate governance code (which has in time inspired also legislative reforms of the national corporate law) cover different areas, including sustainability, a board’s approach to risk and the focussed role of the nomination committee. The code expands the role of the board of directors with reference to the sustainability of the business; the company risk profile is to consider also the risks that may be relevant for the sustainability of the business activities in the medium to long term. To further stress the importance of sustainability matters for good corporate governance, the code recommends relevant issuers (i.e. issuers included in the FTSE-MIB index) to consider setting up a committee having the task to supervise sustainability issues related to the relevant business and to its interactions with all the stakeholders. The Italian code also introduces the importance of a whistle-blowing system at relevant issuers within an adequate system of internal control and risk management.

The most important change introduced by the revised Dutch corporate governance code is placing long-term value creation centre stage, requiring executive and supervisory directors of Dutch companies to act in a sustainable manner by making deliberate choices on the sustainability of the strategy in the long term. Even more than previously, the code is predicated on personal responsibility on the part of management board and supervisory board members, the provisions being formulated in a principle-based way as much as possible, so that executives and directors are encouraged to find an appropriate way to fulfil their responsibilities. Notably, one of the principles in the code specifically states that the board is responsible for shaping a culture that is aimed at long-term value creation.

The most recent South African King IV report on Corporate Governance has advanced from the ‘apply or explain’ principle of the earlier King III report to ‘apply and explain’. Practically this means that companies are required to take measures to achieve the principles, but also to explain measures and their results. With the drafting of King IV, changes were effected to the code in order to present very clearly its contribution to organisational value, advocating that an organisation defines its role and purpose to create value not only for itself and its shareholders but also for all stakeholders. Clearly, the code in its revision has considered the realities of the South African landscape at country level, including socio-economic inequality, economic and political instability, and skills shortage.

The US Commonsense Corporate Governance Principles published in 2016 were actually drawn up by large investors (not by market authorities or industry associations as in other countries). The aim was to create a logical reference piece and baseline principles that companies should follow in order to meet investor expectations. The most important message coming out of these principles is for the boards to think long term, as many international institutional investors are also committing their investment in companies long term.

Looking at Brazil, because of the strong legal framework and the force of the public prosecutors, it is not uncommon for companies in the country to face public civil actions in the case of ESG-related violations; and we’ve seen several recent cases. The new Brazilian Code issued in 2015 accommodates these issues and sees the role of directors evolving: becoming more proactive rather than reactive, focussing on the long term rather than on the short term, considering intangibles rather than tangibles, having a broad vision about the role of the company in the society and considering stakeholders rather than just shareholders.

Asia is also aligning, albeit slowly, to the global pace of corporate governance reforms. In Japan, a corporate governance code that took effect in 2015 seeks to make companies more transparent and responsive to shareholders, also giving consideration to the increase in foreign investments in the country. According to the Council of Experts Concerning the Corporate Governance Code of the Japanese FSA, ‘the code seeks growth-oriented governance (and) promotes timely and decisive decision-making based upon transparent and fair choices through the fulfilment of companies’ accountability in relation to responsibilities to shareholders and stakeholders’.

Most recently the reforms revealed by the UK government in 2017, which will impact the UK Corporate Governance Code, aim to create ‘effective system of corporate governance which incentivises business to take the right long-term decisions’ through greater stakeholder participation, fairer executive pay and superior governance in private companies. The emphasis is on strengthening stakeholder voices in corporate decisions.

Interestingly, too, other countries that do not have a corporate governance history have put forward certain principles that are quite unique and that we may expect to find within future revisions of other countries’ codes. For example, in Pakistan the State Bank of Pakistan (SBP) has been developing a framework on ‘enterprise technology governance and risk management in financial institutions’ with a vision to provide baseline technology governance and risk management principles to the financial institutions. As part of the governance framework, SBP has mandated financial institutions to have a board IT committee with a minimum of three directors as its members, one of whom shall be an independent director and at least one member shall have relevant qualification or experience of IT.

All these approaches are marking a forward-looking corporate governance, an effective way to implement it for the future of our society: a smart corporate governance.

Smart approach

What is relevant for the recent global corporate governance codes and principles is that the new reforms are timely, addressing two crucial audiences: shareholders and stakeholders. They will respond to investor long-term interests, being complemented by the stakeholder interest, approaching the issues of governance with a view to companies’ broader role – as being responsible towards investors, employers, customers and as a force in society. Culture and ethics are also key aspects of the ‘new’ corporate governance principles and standards.

Nevertheless, while the development of new frameworks for corporate governance is centred around the delivery of purpose and long-term value, companies do not need to wait for legislation or redrafted codes to act. Companies now have wide stimulus, from both investors and from society, to evolve governance reforms.

The challenge should not be underestimated but opportunities should not be underestimated either. Evidence shows that focussing on long-term value creation and treating stakeholders responsibly leads to superior long-term shareholder returns. So, across the world, it is in a company’s interest to outclass and be the driver in sustainable wealth creation.

 

About the Author:

Cristina Ungureanu is Head of Corporate Governance at Eurizon Capital SGR, the asset management company of Intesa Sanpaolo Group. She is responsible for Corporate Governance and Stewardship, being actively involved in Eurizon’s responsible investment approach and promoting sound corporate governance practices at investee companies.

Before her role in Eurizon, she worked in international corporate and academic environments in South Africa, United Kingdom and Italy, providing high-level corporate governance consulting and research to a diverse range of institutions.

Cristina started her career with Georgeson Shareholder Communications in Johannesburg as Key Foreign Account Executive and Director Corporate Advisory, five years later moving to London as Head of Corporate Meetings at Computershare Investor Services. Her London experience continued as Senior Associate Investor Relations with Taylor Rafferty, a US investor relations consultancy. In 2007 she moved from the UK to Italy, working in Genoa and Milan as consultant and research coordinator for various international corporate governance projects. She collaborated, among others, with the European Corporate Governance Institute, the University of Genoa and of Pavia, the Italian Association of Listed companies, the European Commission and the European Parliament.

Between 2012 and 2015, Cristina held the role of Senior Consultant at Crisci & Partners, an independent professional firm specialized in Board Governance consulting, and afterwards was appointed Head of Corporate Governance Advisory of Sodali, a global corporate governance and shareholder services consultancy. Cristina holds a Bachelor’s Degree in Economics and Business Administration, a Master’s Degree in International Affairs and a PhD in Finance and Banking. She is the author of several publications on corporate governance and financial regulation and is often invited to international conferences to present on related topics.

Boardroom investment and engagement in Japan

By Yoshikazu Maeda – Head of Responsible Investment, GO Japan

 

 

Japan has the third largest economy in the world and its stock markets account for about eight per cent of global equities, the second largest after US markets.

On one hand, the country might be known for its slowness to change and its sluggish growth over the past 20 years. However, on the corporate governance and investor stewardship fronts, Japan has been through drastic changes since Mr Abe became the Prime Minister in 2012.

Investor stewardship and corporate governance reforms have been one of the top economic agenda items under his administration and one of the most successful that he has implemented in recent years. The government introduced the Stewardship Code in February 2014 and the Corporate Governance Code in June 2015. The Stewardship Code was then revised in May 2017 to further promote investor stewardship. These initiatives are framed in the context of promoting sustainable growth of Japanese companies. It’s a unique aspect of the reform in Japan as in other countries corporate governance and stewardship reforms are often implemented against the background of corporate scandals.

Outside influence

This series of policy measures had significant impacts on Japanese corporates and investors. For example, 45 per cent of companies listed on the First Section of the Tokyo Stock Exchange had no outside directors on their boards in 2012. Currently, nearly all companies in the section have adopted outside representation on their boards and on average around 30 per cent of the board members are outsiders. Another example is that the number of companies removing poison pills each year is increasing. There are clear signs that companies are responding to investors’ engagement and the Corporate Governance Code.

In the meantime, investors are stepping up stewardship activities in response to the Stewardship Code. More than 200 institutional investors have now signed up for the code and disclose their statement on stewardship responsibilities on their websites. Our firm, Governance for Owners Japan (GO Japan), has been engaging with Japanese companies on behalf of institutional investors since 2007 and is one of those signatories.[1]

Our first-hand experience over 10 years is that the environment of investor engagement has never been more favourable for investors; companies are more open to dialogue with investors and the two codes provide a common ground for dialogue. At the same time, investor engagement sheds light on some challenges and opportunities for investor stewardship in Japan. This article elaborates on the capability of investors to conduct investor engagement as a challenge and the use of collective engagement as an opportunity.

Institutional investors

While Japan’s Stewardship Code has many principles in common with the UK Stewardship Code, the Japanese version is unique in its principle seven. This says ‘institutional investors should have in-depth knowledge of the investee companies and their business environment and skills and resources needed to appropriately engage with the companies and make proper judgments in fulfilling their stewardship activities’. In short, it requires investors to achieve a deep understanding of the company’s business and business environment. However, statistics show that there is a large gap between what the code envisages and the reality.

According to a survey done by the Life Insurance Association of Japan, where the association sent questionnaires to 1,088 listed companies and received responses from 572 of them, 37.4 per cent of respondents said that investors’ analysis and understanding of the company is shallow.[2] The survey also found that 53.8 per cent of responding companies thought that investors’ dialogues are based only on short-term themes. Investor engagement is expected to contribute positively to the sustainable growth of investee companies, but a large number of companies see the expectation as unmet.

This is a flipside of the reality that investors are not experts in managing businesses and their knowledge about each business is always less deep than that of corporate managers. Also, stewardship and engagement activities only started for many investors around three years ago. The investor community should be able to do better with more experience. We believe that investors can provide a different perspective to corporate management given that they look into companies across different sectors. In our experience, companies often appreciate those different perspectives if they are keen to learn about good practices in other companies and if those suggestions are made in a supportive way.

Now onto the opportunity. There was one aspect that the original Japan Stewardship Code omitted that is included in the UK Stewardship Code; it is that UK investors are encouraged to engage collectively. On the other hand, there has been a huge demand particularly from non-Japanese institutional investors for collective engagement in Japan and the revised Stewardship Code now makes it clear that collective engagement can be beneficial under certain circumstances. In fact, collective engagement has not been prohibited. However, under Japanese financial regulations, if institutional investors together make important suggestions to companies in carrying out an investor engagement or in exercising their vote and if they are regarded as a concert party, they as a group will face stricter disclosure rules in reporting large shareholdings. Therefore, if large investors intend to engage with companies collaboratively, they risk being subject to the more stringent disclosure requirement. It therefore appears to be practically prohibitive for institutional investors to carry out collective engagements at the present time.

Get involved

Governance for Owners Japan has provided an engagement platform for institutional clients so that they can implement quasi-collective engagements within the current regulations. We therefore understand from our experience that it is sometimes beneficial to engage with companies on behalf of multiple investors. In my view, it is desirable for collective engagement to be more practically usable.

The Asian Corporate Governance Association releases its CG Watch Report every two years to summarise the corporate governance environment across Asian countries. In its latest publication in 2016, the association described the Japanese situation as ‘the hard work begins’.[3] I presented above a challenge and an opportunity that investor stewardship in Japan faces among others. These are still work in progress and we have yet to see how they develop.

As to the challenge, investor stewardship and engagement have just started and if investors can add to their experience, the challenge can be resolved; in other words, time may ease the current difficulty. This is consistent with our experience as our capacity to gain trust from corporate management and to achieve engagement objectives has increased gradually over around five years in a J-shaped curve.

As to the opportunity, it requires much harder work by investors if it is to be captured. The stricter disclosure regulations in place were introduced because some activist funds had abused the then disclosure framework and surprised company managements when they suddenly appeared on the share register as a large shareholder. Thus, it is not easy for the regulations to be reversed, given the expected negative reaction from companies to such a proposal.

In fact, the challenge and opportunity might be closely linked. It is now investors’ turn to show that their engagement adds value to corporates and enhances sustainable growth of companies. Then, companies will view investor engagement and even collective engagement more favourably. Also, regulators could be more willing to make the regulations more practical if given evidence of the benefits of investor engagement.

The government is pressing corporate governance reform and the Government Pension Investment Fund, the world’s largest asset owner, encourages stewardship activities by its external asset managers; the trend of investor stewardship in Japan therefore appears irreversible. From now on, investors have to focus on improving the quality of their stewardship activities; this will create a virtuous cycle. I am optimistic that investor engagement in Japan can only get better and there is nothing to lose.

 

About the Author:

Yoshi joined GO Japan in October 2009 and is Head of Responsible Investment, GO Japan. He leads engagement programmes for clients under Japan Engagement Consortium. Prior to joining GO Japan, Yoshi was a sell-side analyst at Goldman Sachs covering the Japanese banking sector. He also worked at the Financial Services Agency in Tokyo. He holds a Masters in Finance with distinction from London Business School as well as a Bachelor of Law from University of Tokyo. Yoshi is one of the contributing authors to “21st Century Engagement” by BlackRock and Ceres.

Footnotes:

3. Asian Corporate Governance Association, CG Watch 2016, September 2016

Hairline cracks in the glass ceiling

By Vladislav Ryabota – Regional Corporate Governance Lead, IFC South Asia

 

 

Many studies show the clear and positive correlation between increased gender diversity at top levels of corporate leadership and better company performance. The fundamental business case for more women on boards and in senior leadership positions is fast becoming undeniable: reduced risk, better decision-making, increased collaboration and broader market perspective, among many other benefits.

South Asian markets are slowly warming to this message. In India, 75 per cent of listed companies have one female director. Of Sri Lanka’s 20 largest listed companies, 14 have company boards that include one female director – up from nine just a few years ago.

That said, the overall picture is still not great. While the increased percentage of South Asian companies that have a female board member represents a step in the right direction, the fact is that one woman in an otherwise all-male board is usually not enough to drive meaningful change at her company. And, in the aggregate, it is not enough to drive change in the country or the region.

It does beg the question: with so much evidence pointing to the value of increased women’s participation on boards and in senior leadership, why aren’t there more women serving in these positions?

Well, it’s complicated. Many factors are at play, especially in this vibrant, diverse and rapidly developing region. Moving towards a more gender-inclusive corporate leadership approach involves changing a complex and entrenched social and business dynamic. Working in South Asia as part of IFC’s corporate governance group, I have seen that such seismic shifts require multipronged efforts at many levels.

At the societal level: knowledge, information and change in mindset

Social change can be slow, particularly in a region characterised by contradiction when it comes to women’s advancement. Consider that women comprise nearly 60 per cent of Sri Lanka’s university graduates, yet they make up only 32 per cent of the labour force and a tiny four per cent of the nation’s top management cadre.

Only 28 per cent of India’s women work – one of the lowest percentages of working women in the world – even though nearly 50 per cent of its university students are women.

The talent pool is clearly growing. Even in business schools, where the number of female students has typically been low, women are catching up. In at least one of India’s graduate business programmes, the Goa Institute of Management (GIM), women and men are enrolled in equal numbers, according to GIM professor Divya Singhal, who has studied gender diversity in graduate degree programmes.

But somewhere along the way, too many smart and capable women are dropping out of the workforce and not ascending the ranks of corporate leadership. Typically cited reasons for this fall off include a need to care for children, family expectations to run the household and lack of ambition. I strongly disagree with this last presumption, which smacks of unfair stereotypes and flies in the face of reality. There are many highly capable women who have the drive and determination to make it to the top in these markets. Given the opportunity, they could become true agents of change.

Conferences, public events and positive media coverage can help to empower and encourage women to continue their climb up the corporate ladder. They also serve to educate men on the benefits of gender diversity in the workplace. For instance, at one event in Colombo, a panel of experts explored the reasons why there are fewer women in Sri Lanka’s corporate sector, even as women have achieved prominent leadership positions in the country’s professions, academia and judiciary. The back-and-forth focussed on the question of whether men in Sri Lanka were ready for women on boards.

Co-hosted by IFC and the Sri Lanka Institute of Directors, the event was well attended by both women and men. In India, last year’s Women in Leadership Conference drew more than 500 mid-career businesswomen, all of whom are being mentored by top business leaders. It’s another way to inspire women and encourage them to reach ever higher, beyond mid- and senior-level management and into the C-suite and boardroom.

We have also seen that widely publicised global events, such as the Ring the Bell for Gender Equality event held every year at stock exchanges around the world to mark International Women’s Day, have helped raise awareness, trigger discussion and spread the word on the business case for gender diversity. In South Asia, the exchanges in Dhaka, Colombo and Mumbai are all in on this initiative, hosting sessions aimed at spurring greater women’s participation at all levels of the economy.

At the market level: networking, mentoring and training

South Asian women who are poised for corporate leadership roles sometimes face significant barriers to entry. They have not been part of the traditionally male-dominated peer networks from which new board directors are often chosen. They may not know anyone who can provide guidance as they navigate their career path. And they may lack board skills and confidence in their own abilities.

IFC works in tandem with institutions, such as the Federation of Indian Chambers of Commerce and Industry, the Bangladesh Enterprise Institute and the Sri Lanka Institute of Directors (SLID), to address these issues. New networks and platforms now enable women to build their business contacts and share knowledge. Mentorships, through programmes such as the one SLID recently launched, connect senior executives with early- and mid-career professional women, offering an important source of support. Databases of qualified female director candidates are making it easier for companies to find appropriate nominees.

And then there is training, an all-important way to fill critical skills gaps. Recently, IFC piloted a global board training programme specifically aimed at female directors, with sessions focussing on soft skills, such as projecting confidence, negotiating and resolving conflicts. In post-event feedback, participants said that they welcomed the opportunity to learn in a safe environment, together with other women.

By contrast, the male and female participants of the technical board skills programmes we run for new and potential directors of South Asian companies have said that they liked the exchange of ideas and perspectives that comes from being in a mixed environment.

The lesson here is that it can be effective to provide women-only training on board dynamics and interpersonal relations, covering such sensitive topics as how to insert yourself into a discussion and make sure your voice is being heard, even when you are in the minority. But for general skills training, there is a strong argument for mixed participation.

In IFC’s own investee companies, we have seen the positive impact of all of these efforts as we aim for better gender balance in the boardroom. We are drawing from ever-growing databases of capable candidates, appointing board directors who graduated from mentorship and training programmes. Already they have shown themselves to be well prepared and ready to tackle the challenges ahead.

At the regulatory level: laws, corporate governance codes and non-financial reporting

Legislation and regulatory action can incentivise progress on the gender front. For example, employment laws that require equal pay for equal work, enable more liberal family leave, or support flexible work schedules can help break down some of the obstacles that are keeping more women from remaining in the workforce. Over time, this could help create a larger pipeline of women who have the expertise to take on senior executive positions and directorships.

Some countries, such as India, have gone the legal route in a push for increased women’s representation on boards. India’s Company Act of 2013 requires all publicly listed companies to appoint at least one female director.

The law has definitely made an impact. According to a 2017 KPMG study, India saw a 180 per cent increase in the number of women on boards of its listed companies between 2013 and 2016. In the early years, it seemed that many companies sought to comply by appointing family members of controlling shareholder families, but more recently, Indian companies have reported fewer such appointments. According to the IiAS, FICCI and Prime Database Group study, Corporate India: Women On Boards, today family members comprise only 16 per cent of female directors of NIFTY 500 companies.

The law may have made a difference in the Indian context, where women held only five per cent of board seats prior to the law’s enactment. Yet Bangladesh, with no quota system, actually has a higher percentage of female directors: 19 per cent, compared to India’s 13 per cent. Still, a look beneath the numbers reveals that many of Bangladesh’s female directors are wives or daughters of the controlling shareholder families, an indication that there is room for improvement.

Regulatory interventions, in the form of corporate codes or guidelines that encourage greater board diversity and increased disclosure on non-financial issues, such as gender balance, also have proven an effective way to incentivise companies to take action. Regulators in several countries across the region are moving on this front. For example, Bangladesh’s Securities and Exchange Commission is in the process of revising its corporate governance code to include a requirement for at least one female director in listed company boards. In India, IFC partnered with the Bombay Stock Exchange on a first-ever corporate governance scorecard. The scorecard, which includes a gender dimension, helps companies identify areas of improvement against generally accepted good practices.

As South Asian companies draw the attention of international investors, the regulatory push is becoming increasingly relevant. These investors, many of which have fully embraced the business case for diversity, are asking more questions about board composition as part of their due diligence. So, the availability of information – and demonstrated progress towards greater female representation – will be a critical factor for companies as they compete for investment.

At the company level: tone at the top trickles down

Companies can do a great deal to promote gender balance throughout their organisations. Primary responsibility for demonstrating commitment to diversity lies with the board and senior executives. “The tone at the top is crucial in enhancing gender diversity not only in the boardroom but at all levels of the organisation,” notes the KPMG study.

Actions companies can take include instituting formal on-boarding programmes for new directors – or setting aside funds to send nominees for such training. These programmes can help build skill sets for all new directors, male and female alike, to ensure they are ready for the boardroom. This will enhance overall board effectiveness, supporting improved decision-making and stronger strategy.

Companies also can appoint gender champions and institute women-friendly work policies to make it easier for women to continue their careers while balancing responsibilities at home. They can generate a deeper and wider pipeline by promoting competent and capable women. They can set up networks and encourage women to join. And they can nurture top talent through internal mentoring programmes that pair younger female professionals with more experienced executives.

At the board level, companies can ensure that nomination committees value gender diversity, with specific terms of reference on gender balance. Boards also can include an indicator to measure support for gender inclusiveness on board and senior management performance evaluations. Indeed, there is no limit to what companies can do in support of better gender balance.

The rate of continued development in the nations of South Asia depends on how effectively resources are used. And that includes drawing from an ever-growing pool of competent, highly educated women, creating an enabling environment that encourages their rise through the ranks into the boardroom. There is a clear need to build a critical mass of male and female champions who can move this agenda forward, because the region’s long-term economic health depends on it.

 

About the Author:

Ms. Vladislava (Slava) Ryabota joined the Mumbai office of IFC in October 2013. She is a key member of IFC’s Corporate Governance Leadership Team and the central point of contact for both investment and advisory services for IFC in South Asia. Ms. Ryabota joined IFC in 1997, worked on a number of corporate governance advisory projects and covered investment operations in Europe and Central Asia. Ms. Ryabota specializes in assessment of corporate governance practices, board evaluation, family business governance, governance of funds and SMEs, and has regularly provided training for directors and corporate secretaries.

Ms. Slava graduated from the Law Faculty of Kyiv National Taras Shevchenko University in 1993. She continued her education at Essex University, UK. She holds a PhD degree and is a mediator accredited by the Centre for Effective Dispute Resolution in UK. She is a professional trainer and the author of a number of books and articles on corporate governance, commercial law and mediation.

Lessons learned by an auditor

By Tom McLeod – Managing Consultant, McLeod Governance

A couple of years ago in a moment of unusually low work demands and perhaps even lower enthusiasm, I decided my goal for that day was to determine exactly how far I was through my career, working on an artificially-imposed retirement age of seventy.

Being a sprightly mid 40-year-old gentleman at the time, I realised that I was just before halfway through my career, which had started as a freshman undergraduate accountant at KPMG on a hot summer day in Melbourne, Australia, in December 1988. This realisation that my career was not even halfway through was quite a daunting moment because it raised the ghost of every university career counsellor shouting ‘well, what are you going to do with the second half?’. As I sat there staring at the accoutrements of this wonderful beast called a career I, however, chose not to reflect on the next stage of the journey but rather on the decades past.

What was it that I had learned and what was it that I still had to learn?

I realised that there were eight key governance, risk and audit lessons omnipresent in my wonderful journey in some of the world’s great corporations. I wrote them down on a piece of paper to serve as a lighthouse through the rough waves and calm waters that inevitably the next decades will bring. They were:

1. You can never stop learning

I remember the day very clearly when I became a chartered accountant. With great glee, I exulted to all who cared to listen that that was my last ever exam; that there would be no more tests for me.

Unfortunately, or more precisely fortunately, my older brother – long used to being the passive recipient of my extravagant claims – quietly mentioned that that may be the last time I took pen to paper (it wasn’t; an MBA followed) but that I was now entering a world where the great sought out new learnings; sought out new tests each and every day. How right he was that this is the cornerstone of a rich career.

When the day comes that the 25 years hence equivalent of a retirement gold watch is handed out and the speeches are said and done I want to be leaving the world of corporate meanderings and intrigue wanting to know that one piece of information more. That will be a career well finished.

2. Audit is a wonderful window on to the world of business

I have to start this observation with a confession. Despite now having spent more than a quarter of a century in a field of endless fascination to this simple mind, I hated audit at university.

I detested the whole thing. I cared not for the accuracy of financial statements or the intimacy of a good sample. Taxation advice was then for me where the real accountants ventured. And then one day a lecturer said to me ‘why do you hate audit?’ My answer was along the lines that I sought the riches that would be bestowed on a world-class tax minimiser.

Sensing that I was not as superficial as my glib response suggested I was, he asked again ‘why do you hate audit?’ I had wanted to hate audit because that is what everyone else did. It had a bad rap and I was keen to jump onto the bandwagon of moral superiority.

What I did not realise then but surely do now is that audit is a wonderful window on to how a business operates. You may not have the depth of knowledge of a process gleaned from years of constant rework – instead, you have a breadth of experiences that remind you that issues in marketing are not all that dissimilar to the challenges that human resources are having on the floor above.

3. Your greatest value as a risk advisor is as a facilitator

Were I asked tomorrow, I could go to the candidate market in any major world city and find by the close of business probably 50 risk advisors that – on paper – would serve their organisations well just based on their qualifications and declared experience.

But of those 50 risk advisors there would be only two, perhaps three, that would really add value to their organisations. They are the ones that are the great facilitators.

By that I don’t (only) mean that they can host a good, interactive workshop. Rather, the memorable facilitator that I seek is the person who can move ideas and thoughts throughout an organisation with an invisible hand. It is the person who knows when the lawyer needs to speak with procurement; that the board member needs to spend time on the factory floor with the knowledgeable supervisor.

This may sound self-evident but it is a skill that is often lacking – for the simple reason that it forces the risk advisor out of their comfort zone. You are no longer just writing reports with the feeble hope of some future audience. You are creating an environment where real value exists; where an idea of one married with a thought of another may create something new and valuable.

4. Be prepared to ask how the internet actually works

Surely, you say, after 25 years, any self-respecting business person knows how the internet works. Well, I guess we all do… now. But that wasn’t always the case and my experience about eight years into my career is a warning tale of note.

I was asked to complete an audit of a manufacturing company’s e-commerce approach. I (thought I) knew how to audit. I knew a little bit about commerce, given that I had spent four years enriching my mind at one of the region’s great universities. But what exactly was the e in front of the commerce thing?

I was too scared to ask for fear of exposing my ignorance and lack of worldliness. So, I proceeded to undertake what I suspect (know) was my least useful piece of work in my whole career. I added even less than no value. I had wasted everyone’s time and had delivered a review that was a testament to my ego. I vowed that day that I would never again be embarrassed to ask the modern-day equivalent of how the internet works. And just before you think that this observation is not relevant today, ask yourself how would you explain (or audit) blockchain?

5. Everyone wants to be part of a fraud investigation. Don’t let them

There is an expressway car crash phenomenon that happens when a fraud is identified within an organisation. Everyone slows down and wants to have a look and, by doing so, they make the job of the first responders more difficult.

Anyone that has ever investigated corporate fraud will likely attest that in that first hour/day/week after awareness there are always too many people to update; too many people that want their opinions heard, even when their opinions are a distant relative to the actual need for their opinions to be heard.

Your role as the fraud investigator is – like the first responder to an accident – to get to a scene quickly and then – also just like a first responder – respectfully but forcefully tell those who don’t need to be there to move on; nothing to see here.

A memorable moment in my career to date was when a very senior manager was insistent that, on the first suggestion of corporate misadventure, the person so accused be marched out of the offices immediately. The discussion about the importance of due process (and the possibility that the initial indicators may have been wrong) was very telling.

What I only realised later is that they wanted to be part of the biggest show in town as they were certain that that response would show that they were a strong leader who had zero tolerance. (As an interesting aside, months later that same leader was accused of wrongdoing. Due process all of a sudden became very important.)


6. When there is a restructure/fraud/major event – respect the organisational grief cycle

My learned friend Wikipedia helpfully reminds me that the Kübler-Ross model of the five stages of grief postulates a series of emotions experienced by terminally ill patients prior to death, or people who have lost a loved one. These five stages are denial, anger, bargaining, depression and acceptance. Just as they are real concepts in such personal traumatic circumstances, they are also very evident in organisations that are experiencing major corporate stresses – be they a restructure, a heinous fraud or another major event.

A risk and audit professional is well advised to consider the five stages of grief when they seek to impose a stronger or different control environment on the organisation.

Try imposing your will at the moment of immobilisation immediately after you hear of the traumatic news and you will spend an inordinate amount of time seeking to do what – had you waited – could have been done in a much shorter time when the person has accepted the situation. Respecting the organisational grief cycle is not as easy as it suggests as you do have that always present managerial imperative to move things forward. Proceed with caution.

7. The best board members are those that listen

The best board members are not those who need to tell you that they are important or who overly intervene in the management of the organisation’s affairs. They are the ones who listen. A board member who listens isn’t a board member who is silent. They just know when to speak and when to be quiet.

They synthesise information; they seek out alternative views; they are not immediately judgmental; they bring to the boardroom table their experiences from other organisations without seeking to suggest that those experiences are somehow better than those that are before them presently.

8. There is a silver bullet – it is called education

Some time since that day when my father drove me to my first day of work, workplace education morphed from training to learning and development to engagement.

Call it what you want. If you want to truly have a high-performing organisation that is cognisant and understanding of how best the organisation should be managed, then invest in education. Taking the time to properly educate your workforce is an investment that will have an incredibly long tail. Not only do the immediate recipients understand that they are being looked out for, but, more importantly, the organisation is setting up an environment of continuous improvement.

Resist with all your might when a cost-cutting focussed manager says that there is no return on education. Our classic one is fraud awareness training. There is always one manager that will argue that because we have had no recent frauds then we don’t need to invest in fraud awareness training. They never stop to think that it is because we have invested in fraud awareness training that you don’t have any frauds.

When the sun sets on our career it is too late to divine the lessons that the journey has gifted us. My strong encouragement to all who are reading this is to take the time to codify the great teaching moments. You may be the only student to study those lessons but the value will be immeasurable.

If the first half of the career is any indication, then retirement day in the late 2030s will come around quicker than one can even begin to imagine. It will be for others to judge whether I have added value in a manner that is befitting of the opportunities that I have been presented with. Until then, may I be blessed with good health, strong curiosity, a sound mind and a business world that values not only what my governance, risk and audit skills can bring to it, but also the way that I have gone about it.

 

About the Author:

Tom McLeod is considered one of the world’s leading Chief Audit Executives, having been the Global Head of Internal Audit for Rio Tinto, one of the world’s largest mining companies, and Head of Internal Audit and Fraud at one of Asia’s largest telecommunication companies. He now operates a boutique internal audit, corporate governance and fraud prevention consultancy called McLeod Governance, which advises Boards, Audit Committees and Chief Audit Executives globally.

AVANGRID: Utility of the future

By Scott Mahoney – Senior Vice President, General Counsel and Secretary; Chief Compliance Officer of AVANGRID

AVANGRID, a leading sustainable energy company, has developed a unique corporate governance system inspired by and based on a commitment to ethical principles, transparency and continuous improvement that reflect its role as the ‘utility of the future’.

Driven by the vision of being a leader in the energy sector, through service and innovations that make reliable, sustainable and cleaner energy a reality for millions of customers across the US, AVANGRID’s corporate governance system is integral to this corporate mission and the creation of sustainable value for society, customers and shareholders.

Powering up

Formed in December 2015 through the merger of Iberdrola USA, Inc. and UIL Holdings Corporation, AVANGRID has more than $31 billion in assets and operations in 27 states. AVANGRID owns network utilities and renewable power facilities through two primary lines of business, Avangrid Networks and Avangrid Renewables. Avangrid Networks is comprised of eight regulated electric and natural gas companies, serving approximately 3.2 million customers in New York and New England. Avangrid Renewables operates more than six gigawatts of owned and controlled renewable electric generation capacity, primarily through wind and solar, in 22 states across the United States. AVANGRID is the third largest owner/operator of renewable energy in the US.

AVANGRID’s corporate structure forms an essential part of its governance system, supporting a business model that promotes operational efficiency and implements best practices, while ensuring the proper checks and balances are in place. At the top of AVANGRID’s corporate structure is a holding company that consolidates the two AVANGRID subsidiaries (Avangrid Networks and Avangrid Renewables) that hold AVANGRID’s primary lines of business. These, in turn, hold their respective wholly-owned subsidiaries that operate AVANGRID’s primary lines of business.

This structure promotes an agile and rapid decision-making process in day-to-day management, while achieving appropriate coordination and supervision at the AVANGRID level. Management power is not centralised within a single governance body or officer, but rather is decentralised among the boards of directors of AVANGRID’s subsidiaries. AVANGRID engages an independent auditor annually to verify the effective application of this system of checks and balances, as part of an evaluation of the operation and performance of the board of directors and its committees.

A culture of ethics and transparency

Under the leadership of its chairman of the board of directors, Ignacio S. Galán, and its chief executive officer, James P. Torgerson, AVANGRID’s vision is to be a leader in the energy sector, providing reliable service for its customers with a commitment to the wellbeing of its communities. AVANGRID’s core values of ethical principles, good governance and transparency are fundamental to this vision.


While only in its second year as a publicly-traded company, AVANGRID has implemented an extensive suite of policies and procedures that form the framework of AVANGRID’s governance, ethics and compliance programme and reflect best practices in both the United States, and internationally. Although not customary in the United States, all of the policies adopted by the AVANGRID board of directors are publicly available in the corporate governance section of AVANGRID’s website at www.avangrid.com. In furtherance of this commitment to transparency, AVANGRID makes publicly available on its website annual reports on ethics and compliance and an annual report on the activities of the audit and compliance committee of the board of directors, which includes an assessment of the committee’s performance.

AVANGRID supports this commitment to corporate governance best practices through a robust ethics and compliance programme implemented by an independent, permanent division directly supervised by the audit and compliance committee of the board of directors. The compliance division is responsible for overseeing regulatory compliance and fostering a preventive culture, which is committed to zero tolerance for corruption in connection with its business activities.

Extensive engagement and continuous improvement

Continuous improvement is one of AVANGRID’s core values and is a hallmark of its corporate governance system. AVANGRID is constantly looking across its business to identify and implement best practices that focus on building a diversified and sustainable business that delivers value to shareholders. AVANGRID is committed to the modernisation of the electric grid and transformation to a low-carbon, more reliable and efficient energy system. In particular, during the last two years AVANGRID has made significant investments in grid automation and modernisation and the expansion of wind and solar generation capacity. This includes AVANGRID’s deployment of smart meters, with more than one million currently installed and plans for an additional 1.8 million more over the next five years; and AVANGRID’s generation of approximately 86 per cent of its energy production from wind and solar renewable resources.

Similarly, AVANGRID’s corporate governance system is continuously being reviewed for opportunities for improvement. The annual independent audit of its governance system includes an assessment of how AVANGRID’s practices compare to peers as well as key leading governance indicators. Through this constant process of review and improvement, AVANGRID continues to develop its robust governance system and incorporate the best practices in the United States and international markets.

As part of this effort, AVANGRID launched a year-round shareholder engagement programme in 2016 to enable management and the board of directors to understand the issues that matter most to AVANGRID’s shareholders and address them effectively. AVANGRID reached out to holders of approximately 92 per cent of the company’s outstanding shares throughout 2016 and had discussions covering corporate governance, executive compensation, director skills and refreshment, and the board’s role in oversight of critical issues for the company. The board of directors carefully considered shareholder feedback and took a number of actions to enhance the company’s corporate governance system. These actions included the election of two new independent directors in July 2016 (each of whom was overwhelmingly re-elected by shareholders in 2017), the establishment of a new compensation, nominating and corporate governance committee, the implementation of a majority voting standard in uncontested director elections, and an increase in the minimum number of independent members of the board of directors.

Partially due to this extensive engagement programme, approximately 99 per cent of all issued and outstanding shares were present in person or by proxy at the 2017 annual meeting of shareholders. AVANGRID shareholders overwhelmingly supported all items proposed by the board of directors, voting to reelect each of the 14 members of the board of directors and approving all other items proposed, with at least 99 per cent of the votes cast in favour of each proposal.

AVANGRID’s commitment to ethical principles, good governance and transparency has been recognised within the energy industry and the business community. In 2016, AVANGRID’s businesses in Connecticut were awarded Corporation of the Year by the Greater New England Minority Supplier Development Council and its businesses in New York and Maine were named Utility Customer Champions by Market Strategies International in the 2016 Utility Trusted Brand & Customer Engagement study. Additionally, AVANGRID was recently recognised for the second consecutive year as the North American utility with the best corporate governance practices for 2017 by this publication. In 2016, during AVANGRID’s first year as a company listed on the New York Stock Exchange (NYSE), NYSE Governance Services recognised AVANGRID’s governance and compliance programme and named AVANGRID as a Finalist in the Best Governance, Risk and Compliance Programme in the Large-Cap Company category at the NYSE Governance Services’ third annual Governance, Risk and Compliance Leadership Awards.

 

About the Author:

Mr. Mahoney is the Secretary for the Board of Directors, General Counsel for and a member of the AVANGRID Senior Management Team. Mr. Mahoney also serves as the Chief Compliance Officer for AVANGRID. He earned a Bachelor of Arts Degree from St. Lawrence University, a Doctor of Jurisprudence Degree, with honors, from the University of Maine, a Master’s Degree, with honors, in Environmental Law from the Vermont Law School, and a Postgraduate Diploma in Business Administration from the University of Warwick. He has received bar admission to the State of Maine, the State of New York, the U.S. Court of Appeals, the U.S. District Court, and the U.S. Court of Military Appeals. Mr. Mahoney is also a Certified Compliance & Ethics Professional and a member of the Society of Corporate Compliance and Ethics.

NOTEWORTHY EXPERIENCE: Energy Sector

Serving as General Counsel of AVANGRID since 2012, he is responsible for managing all regulatory, litigation and corporate legal issues for AVANGRID. AVANGRID is the parent company of Avangrid Networks and Avangrid Renewables. He also heads the AVANGRID Compliance Program. He served as Deputy General Counsel and Chief FERC Compliance Officer for AVANGRID and Secretary of Avangrid Networks. He held several positions at AVANGRID subsidiaries, including Central Maine Power Company, among them Vice President, Controller and Treasurer, Director – Executive Administration, and Legal Counsel.

Governance and compliance management in utilities

By Ashok Kumar Anjan – Chief Compliance Officer, Dubai Electricity and Water Authority (DEWA)

Utilities are organisations that produce and, in some cases, also distribute essential services for society, such as electricity, energy in the form of gas or fuel, and water.

The term utility organisation is ideal, as most are not formed as companies, nor are they listed on any exchanges. Given the large investments required for setting up the infrastructure for production and distribution of utilities, such as electricity and water, most around the world are government-owned.

Government ownership is either 100 per cent or a majority stake (51 per cent) or, as in some countries, the shareholding can be in partnership with businesses. In some countries utility producers or distributors can be entirely privately owned, with the government laying down the regulations for the entities. The major utility providers will also serve a quasi-regulatory function by either laying down the regulations themselves or providing advice to the government body laying down regulations.

Guiding tenets

For state-owned enterprises that are neither incorporated as companies nor listed, the governance codes set in place by stock exchanges and capital market regulators may not apply. In such cases, the best practice is to lay down a governance charter and policy and then frame procedures accordingly. This is a well-practised good-governance model. The model should, however, incorporate all the guiding tenets of good governance, namely trust, accountability, transparency and fair practices. A well-designed vision, mission, values, motto and logo, along with a clearly articulated strategy, are all essential for this. Utility organisations should also clearly identify their stakeholders, such as shareholders, investors and lenders, customers, partners, associates, employees and the societies in which they function. Stakeholders’ happiness should be a core objective of the organisation. A well-documented incorporation document that sets out the scope of activities and board composition is essential to establish the utility organisation within the government and infrastructure framework of the state.

Governance benchmarks exist in most countries for utilities. The British Standards Institution (BSI) published its code of practice for delivering effective governance of organisations BS13500 in 2013, which provides guidelines for corporate governance. But over the last decade, governance has taken on new mantles. It now includes board governance, internal governance, IT governance, project governance, sustainability governance and water governance, among others. Governance has now evolved across organisations to become the ‘governance of everything’.

International standards

The Organisation for Economic Co-operation and Development (OECD) published the OECD Guidelines on Corporate Governance of State Owned Enterprises in 2015, which serve as a broad compass for state-owned utilities. The International Organisation for Standardisation (ISO) has a wide suite of ISO standards that cover various elements of corporate governance for utilities to adopt and implement. Corporate governance has evolved from being about tone at the top and boardroom governance to encompass all aspects of the existence and functioning of organisations.

For utility organisations, compliance has a very broad bearing. Mapping all the legal, regulatory and industry-standard compliance is a task that should be taken up early in the life of the organisation and it should be revised and updated constantly to keep the utility in compliance at all times. Any non-compliance or breach of law and regulations as well as standards could have not only legal consequences but could also cause reputational damage. Health and safety standards are strictly to be followed and there can be no compromise on compliance with these standards. Environmental safety and protection should be the priority in all the activities in the utilities industry.


A well-designed compliance charter, compliance monitoring programme, adequate resources, well-designed training programmes and a compliance risk self-assessment framework should be implemented. A dedicated governance and compliance department would also be key to good compliance in utilities.

Management plans

Transparency of policies and performance and a good stakeholder communication process should be one of the key pillars of the organisation. A well-designed business continuity plan, disaster recovery plan and crisis management plan, with the attendant groups set up to manage these events, should be ready on a 24/7 basis.

Risk management has now become essential for organisations and it is imperative for utility providers to understand risk management in perspective. An enterprise-wide risk management framework and programme are essentials for the functioning of a utilities provider.

The three lines of defence model should be implemented, with management being the first line, the control functions, such as legal, compliance and risk management, being the second, and internal audit and external audit being the third line of defence.

The lesson that comes up from the evolving theory and practice of governance and compliance in utility organisations is, fundamentally, agility. And what is agility? It is to meet changing requirements in a technology-driven world, where every day is a new day for good governance. This means governance professionals are not people who stick to tradition, but rather keep their fingers on the pulse of their industries, market conditions and the societies in which they operate.

 

Cyber resilience: A business priority

By Bob Parisi – Cyber Product Leader, Marsh

Cyber attacks are a potent and dynamic threat for all organisations, regardless of geography, size, or sector. Today, the biggest technological threats to organisations are not limited to server outages or data breaches.

Cyber events can result in significant disruption to supply chains, partial or complete shutdown of operations, even damage to property and other critical assets. The financial losses alone can reach hundreds of millions of dollars. As such, organisations and their senior leaders need to view cyber exposures as an operational risk to be managed, not a problem to be solved. No amount of money or technology will eliminate an organisation’s cyber risk. The goal, instead, should be to become cyber resilient.

The WannaCry and NotPetya global ransomware attacks from earlier this year underscore the significant challenges facing organisations. While potential insured losses resulting from these events are still being determined, they are expected to exceed $100 million. These attacks, which affected numerous companies around the world, encrypted files on computers and shut down operations for hours and even days, causing significant business interruption and disruption.

These recent events highlight that cyber risks are constantly evolving along with the ever-increasing scale and scope of cyber attacks.

And business leaders around the world are getting worried. According to the World Economic Forum’s proprietary Executive Opinion Survey that asked 12,411 executives across 136 countries to identify the five biggest risks to doing business in their respective countries, large cyber attacks ranked eighth on the top 10 list of global risks in 2017, moving up three spots from the previous year. Large cyber attacks were identified as a top concern of business leaders in a number of advanced economies, including the United States, Canada, Japan, Singapore and the UAE.

So, how does an organisation become cyber resilient? At a macro level, it involves implementing the right mix of cyber risk mitigation, risk quantification and risk transfer strategies. Cyber resilience enables organisations to mitigate the effects of a cyber attack and continue operating.

Risk mitigation

Gone are the days when technology, data and other information could be secured by locking the door behind you when you left the computer room. Companies today need to approach cyber risk in the same way they do any other operational risk they face.

As with managing other operational risks, this means starting with an understanding of the exposure, from the broadest level of ‘what specific actions should we take?’ to the more granular ‘how do we value our assets and are we unknowingly placing them at risk?’.


Answering these questions with precision requires identifying which data, applications and systems are essential in conducting your organisation’s operations and then developing a cyber strategy that is driven by protecting core business functions – and not merely responding to threats. What are your potential losses? What are your most critical assets? Is it intellectual property? Customer data? Medical histories? Trade secrets? Proprietary financial data? Industrial control systems?

A good start is to adopt a management framework for cybersecurity. The Cybersecurity Framework published by the National Institute of Standards and Technology helps an organisation develop and manage its cybersecurity programme through desired outcomes within five categories:

  • Identify: Develop the organisational understanding to manage cybersecurity risk to systems, assets, data and capabilities
  • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
  • Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
  • Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

The NIST Cybersecurity Framework is a tool to help organisations to understand their cybersecurity posture – including business continuity, crisis management and IT disaster recovery – and to systematically improve it. By employing this framework, organisations can look at cybersecurity holistically to pursue resilience – not just security.

Cyber risk quantification

An often-quoted comment about cyber risk is that there are two kinds of companies: those that know that they have suffered a breach and those that have yet to discover the breach. Indeed, various experts estimate that 50 per cent of companies suffer a breach every year. So, simply putting in place preventive measures only gets you part of the way to resilience. The question remains: have you implemented and tested a plan that allows you to work through the crisis and minimise the disruption? A first step in that journey is a deeper understanding of what is at risk, both technical and financial.

Many organisations rely on traditional cyber risk assessment methodologies that are not designed to produce financial estimates of the exposure. Until you are able to understand the financial impact, you cannot begin to develop and implement a cyber strategy that is centred on proactively protecting core business functions.

Although historical data is well-suited to estimating the impact of data breaches, cyber business interruption costs can be more difficult to quantify because every company’s IT systems, infrastructure and exposures differ. How much a cyber event costs will depend on many factors, including the organisation’s business operation model, incident response capabilities, actual response time and insurance coverages at play. By undertaking a cyber business interruption risk quantification analysis, organisations can gain a better understanding of the risks and associated costs. They can also build a foundation for making more informed risk mitigation and transfer investment decisions and, by extension, improving cyber attack resilience.

One way of quantifying cyber business interruption risk is to use scenario-based analyses that focus on three factors:

  • Estimating the severity and likelihood of a cyber business interruption event: Using realistic scenarios can allow organisations to more accurately quantify the potential financial loss from a cyber business interruption event. Equally important is to scope these scenarios such that their likelihood of occurrence falls within a preselected range based on enterprise risk appetite and tolerance considerations.
  • Identifying mitigation options: Depending on the significance of an organisation’s cyber business interruption exposures, risk mitigation options could include changing business processes, re-architecting IT infrastructure to improve resilience, enhancing IT restoration capabilities, or strengthening technical cybersecurity controls. To properly evaluate these choices and identify the strategies that will have the greatest impact, it’s important to have a credible estimate of potential cyber business interruption exposure.
  • Evaluating risk transfer options: Insurers are increasingly offering broader coverage for business interruption exposures in both cyber policies and traditional property all-risk policies. A scenario-based cyber business interruption risk quantification analysis can support the proper structuring of these insurance options, including selecting appropriate limits.

Risk transfer

All the risk identification, mitigation and quantification efforts will not stop a cyber attack or failure of technology from occurring. Risk transfer, typically in the form of insurance, can respond to the residual risk that cannot be prevented by providing financial recourse after a cyber loss – in effect bolstering resilience.

Cyber insurance, while relatively new compared to other lines of insurance cover, has been around for two decades and has evolved and grown to meet the changing nature of cyber risk. The number of new organisations in the United States purchasing standalone cyber insurance has steadily grown by double-digits year-on-year for the last 10 years. This is due in part to the ever-expanding recognition of the risk among organisations across a wider array of industries (see the 2016 Cyber Insurance table, below).

Broadly, cyber insurance covers the risks companies face from handling data and relying upon technology. Adopted early on by certain industries – technology, retail, health care and financial institutions – the coverage has expanded to respond to risks well beyond privacy breaches that tended to dominate the news media until recently.

Cyber insurance now addresses the full spectrum of operational cyber risk faced by companies across all industries, including business interruption, contingent business interruption, loss caused by the failure of a Cloud services provider, harm associated with a breach attributable to the Internet of Things and property damage arising from a cyber event. Cyber insurance has also risen to the challenge of picking up where traditional insurance left off. As the risk profile of companies has changed – with unplanned technology outages presenting as big a threat as adverse weather and currency fluctuation – traditional property/casualty insurance has stumbled in matching coverage to risk. Cyber insurance has stepped in to fill that vacuum.

Just as cyber risks have expanded, so too has the penetration of cyber insurance into the economy. Over the past two decades, the cyber insurance market included a handful of insurers in the US and London that combined could offer a $100million policy for a potential buyer. It has now grown to more than 50 insurers offering close to $2billion in limits globally. In practice, individual cyber insurance programme size varies depending on industry and coverage, with many large organisations purchasing between $200million and $500million in limits. From a pricing perspective, organisations that buy cyber insurance have generally been experiencing a plateau in pricing, with cyber rates decreasing by an average of 1.5 per cent in the second quarter of 2017.

Organisations continue to increase their total cyber programme size, due in part to growing recognition of the risk. The recent global ransomware and malware attacks have organisations paying more attention to business interruption exposures and how/if that can be insured. Even prior to WannaCry and NotPetya, the most recent survey by the Business Continuity Institute found that for the fifth year in a row, unplanned IT or telecommunications outages were the leading cause of supply disruption; cyber attacks and data breaches were identified as the third cause of a high-impact disruption. Recent enhancements to cyber insurance wordings for business interruption risk now provide a greatly improved means to manage this peril through risk transfer.

Cyber insurance is available that starts with the premise that all major technological risks should be covered. These types of policies offer broad protection, including coverages not typically available in commercial cyber insurance policies. Such insurance dovetails with other insurance policies to minimise potential gaps in coverage and maximise protection. Key features include triggers that allow a security incident or technology system failure to activate coverage; a waiting period treated as a qualifier instead of a deductible; and coverage for the cost of forensic accounting services. Work with your insurance advisor to understand how risk transfer – particularly cyber insurance – can best protect your organisation from a potential cyber event.

Conclusion

Your organisation will be affected by a cyber event, if it hasn’t already. Companies can no longer assume that more technology will be the solution to cyber issues. As an operational risk, cyber risks must be addressed through a combination of mitigation, quantification and risk transfer. Taking steps toward building cyber resilience can ensure that when your organisation is impacted by a cyber event, it can continue to operate and weather the attack.

This information is not intended to be taken as advice regarding any individual situation or as legal, tax, or accounting advice and should not be relied upon as such. You should contact your legal and other advisors regarding specific risk issues. The information contained in this publication is based on sources we believe reliable but we make no representation or warranty as to its accuracy. All insurance coverage is subject to the terms, conditions and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. Marsh makes no representations or warranties, expressed or implied, concerning the application of policy wordings or of the financial condition or solvency of insurers or reinsurers.

 

About the Author:

Robert Parisi is a managing director and National Cyber Product Leader in Marsh’s New York City headquarters. His current responsibilities include advising clients on issues related to intellectual property, technology, privacy, and cyber related risks as well as negotiating with the carriers on terms and conditions. Robert is also responsible for coordinating Marsh’s Global Cyber Network.

Prior to joining Marsh, Robert was the senior vice president and Chief Underwriting Officer (CUO) of eBusiness Risk Solutions at AIG. Robert joined AIG in 1998 as legal counsel for its Professional Liability group and held several executive and legal positions, including CUO for Professional Liability and Technology. While at AIG, Robert oversaw the creation and drafting of underwriting guidelines and policies for all lines of Professional Liability. Robert was also instrumental in the development of specialty reinsurance to address aggregation of risk issues inherent in cyber, privacy and technology insurance. In addition to working with AIG, Robert has also been in private practice, principally as legal counsel to various Lloyds of London syndicates.

 

Charting rise of shareholder activism in Australia

By Jeremy Leibler – Partner at Arnold Bloch Leibler

 

 

 

While the impact of shareholder activism in Australia hasn’t yet been as seismic as predicted, its steady increase, growing sophistication and the breadth of companies being targeted is transforming our corporate landscape.

In October 2016, Arnold Bloch Leibler released the first-ever detailed analysis of activist investing trends and insights in the Australian context. Based on the firm’s experience in advising both activist investors and non-executive directors in responding to activist demands, we commissioned global data specialist Activist Insight to undertake the research.

Its report found that at least 50 Australian listed companies a year had received a public demand from investors since 2013 and activists had won 113 board seats – or around two-fifths of the total sought.

While the vast majority of equity activism in Australia (86 per cent) had been locally driven, we were squarely on the radar of major global activists looking to diversify their portfolios beyond the US.

And while the analysis indicated that Australia’s limited capital pool had targeted the smaller end of town, with 85 per cent of activist attention focussing on companies with a market cap of less than AU$331million, the data only tells half the story.

The report pointed to high-profile cases that had hit the headlines, such as Brickworks and Antares Energy, while explaining that activists were still exerting most of their muscle behind the scenes. Fast-forward 12 months and the Australian business media is rife with stories of under-performing boards being put under intense pressure by increasingly savvy activists.

Major strategic announcements, which we’re now seeing on a regular basis, have been triggered by pressure from activists, including asset disposals at top-50 companies. That is why every competent ASX 200 board is preparing its company and management team for this potential and the inevitable consequences to business operations and reputation.

A market ripe for the taking

Boards that are not anticipating and preparing for activist activity are ignoring the legal and structural reasons why the Australian market is so conducive to it. Features of Australia’s regulatory framework that make it ripe for activism include:

  • The ‘two strikes rule’ that allows just 25 per cent of shareholders to vote down a company’s remuneration report and, ultimately, spill the board of directors (there is no such tool for activists in the US)
  • The relatively low threshold (five per cent of issued equity) required to call an extraordinary general meeting
  • Recent amendments to regulatory guidelines, clarifying that shareholders can communicate with each other about company performance
  • The relatively high degree of institutional shareholdings due to the large superannuation fund pool

The equally influential flipside of this regulatory incentive is the lack of regulation over proxy advisers in Australia, which has emboldened activists and provided them with disproportionate control over company decision-making.

Calls are building for greater oversight of the power being wielded by Australia’s proxy advisory industry, in line with external regulation enacted or proposed in jurisdictions including Britain, the US, Canada and the European Union. Clearly, proxy advisers have a role to play in our corporate landscape but it’s time they were scrutinised by regulators, just like every other provider in the financial services industry.

Regulation would help address issues of competence and conflicts of interest. And more explicit voting guidelines, similar to those in the United States, would discourage investors from abrogating their responsibility by simply ticking the box provided to them by proxy advisers with their own opaque agendas.

Free of any regulation or mitigating guidelines, proxy advisers are influencing shareholder voting, with scant regard for a company’s particular circumstances. They are incentivising shareholder activists to leverage off the two strikes rule and remuneration reports at a level that’s disproportionate to their shareholding and that has nothing to do with remuneration.

The impact of proxy advisers is too often demonstrably not in the interests of companies or the Australian economy. A case in point is how these advisers continue to rail against boards that have directors who are substantial shareholders, ignoring the reality that directors with nothing other than reputation riding on the success of a company are less likely to challenge out-dated business models, take necessary risks and innovate.

The current context, which reflects a shift from director-centric governance to shareholder-centric governance, creates a weighty challenge for these directors. How do they resist the temptation to spend all their time and resources focussed on preparing for and responding to activists and proxy advisers instead of the broader, long-term strategic direction of the company?

Which brings me to another aspect of Australia’s corporate jigsaw that creates an environment ripe for activist intervention… the ‘NEDs (non-executive directors) club’. The latest data from the Australian Institute of Company Directors boasts that ‘only’ four directors held four board seats in ASX 200 companies in 2016 and only two held five board seats. Across all ASX 200 companies, 182 people held 418 seats – or just more than a third of non-executive directorships. And this data doesn’t reflect the traffic of directors who flow from one board to another.

Reputation means everything when these directorships are the main source of people’s incomes, particularly as they move into retirement from more strenuous executive roles. A NED of an ASX 200 company, who typically attends a dozen or so meetings a year, takes home an average of $170,000 a year in cash (plus superannuation), regardless of the company’s performance. An independent director’s reputation is key to his or her ability to obtain the next board appointment. This delivers a powerful tool to the activist. A director with reputational risk is far more likely to engage and submit to an activist’s demands than a director who represents the interests of a major shareholder.

Australian research undertaken by Professor Peter Swan at the University of New South Wales suggests that the trend towards independent directors in Australia over the past 15 years has destroyed at least $20billion of shareholder value. It’s no coincidence that over the same period proxy advisers have become de facto decision-makers for many institutional investors.

Lessons learned

If we take the role of regulation and the consequences of insufficient regulation as a given, what are the core lessons Australian boards should have learned about activism to date? Let me draw on three recent examples to offer three topline responses – and none of it is rocket science.

1. Know and engage with your shareholder: BHP

A responsible board needs a plan for dealing with the inevitable activist shareholders that will target an underperforming company and BHP, once known as ‘The Big Australian’, was caught out. After a torrid 10 years, even by comparison with its also-suffering peers in the resources sector, BHP dealt with two separate but related campaigns.

The first was driven by high-profile US activist investor Elliott Management, whose campaigns have a long track record of unlocking latent shareholder value. Elliott’s laundry list of demands included abandoning BHP’s costly dual-listing structure, ditching its failed US shale experiment and increasing returns to shareholders. In a victory of sorts for Elliott, BHP has since announced a plan to dispose of its US shale activities and pledged to adopt more rigorous capital management.

The second campaign involved a number of high-profile shareholders who took aim at incoming director Grant King, former CEO of Origin Energy and the current president of the Business Council of Australia, the country’s peak industry body representing big business. King’s appointment to the board of BHP was announced by outgoing chairman Jac Nasser in February this year, just one day after projects initiated at Origin on his watch were written down by $1.9billion – in addition to a $1.2billion write-down made six months earlier.

With significant shareholder concern around BHP’s poor historical capital allocation decisions (including in respect of US shale), the timing of Grant King’s appointment rankled with fund managers, proxy firms and shareholders alike. Ultimately, King succumbed to the pressure and withdrew his nomination for re-election at this year’s AGM.

As a result of the two campaigns and with BHP finally stepping up its public relations efforts, chairman-elect Ken MacKenzie has reportedly taken more than 100 meetings with investors.

2. Consider the activist’s track record: Ardent

An activist shareholder with an impeccable track record and a strong and detailed plan for the future of a company is difficult to thwart. A little closer to home than the BHP example, we acted for Dr Gary Weiss’s Ariadne in its campaign against Dreamworld owner Ardent Leisure.

Weiss, a close business associate of retail magnate Solomon Lew and well-respected in the Australian business community, had seen enough of Ardent Leisure’s underperformance over the last three years and engaged in a public campaign to appoint four directors to the board. Typically, an activist shareholder would require the company itself to call and hold a general meeting at the company’s cost to have the activist’s preferred directors appointed. The company would draft and distribute the notice of meeting, which would set out at length the incumbent board’s position in relation to the activist proposal.

The activist’s statutory 1,000-word statement would be relegated to the final paragraphs of a 20-page document. In this case, however, Ariadne called Ardent’s general meeting itself. This gave Ariadne complete control over the notice of meeting and, crucially, the messaging.

Ariadne was ready with a detailed, complex and considered turnaround strategy for Ardent and, in the notice of meeting, directed all proxies be sent to a share registry it had engaged. This meant that Ariadne had visibility over the proxies it had collected, while Ardent remained in the dark until 48 hours before the general meeting. Despite proxy advisors recommending a vote against the activist directors, by the time Ariadne shared the proxies showing strong institutional support with the incumbent board, the current directors knew they had been defeated. As a last-minute compromise, Ardent agreed to appoint Gary Weiss and Brad Richmond to its board and the general meeting was called off.

In the final triumph of a campaign described by the Australian Financial Review as the ‘biggest win by activist investors in decades’, Weiss was this month (October) appointed chairman of Ardent.

3. Don’t try to pull a shifty on shareholders: Praemium

We also acted for Praemium’s sacked CEO Michael Ohanessian in his successful spill of the entire Praemium board.

Ohanessian had overseen five years of strong growth and shareholder returns, when eight days after announcing record half-year results, he was abruptly fired by the Praemium board. Major shareholders had not been informed and the lack of transparency irreparably damaged the board’s reputation and relationship with those shareholders.

Three major shareholders (Australian Ethical, Paradice and the Abercrombie Group) were so incensed by the board’s actions that they joined Ohanessian to form a shareholder bloc to spill the incumbent board.

The shareholder bloc sought to replace the board with three new, highly qualified and independent directors. Despite irresponsible proxy advisers recommending against the shareholder bloc without attempting to engage with it, and the incumbent board airing a lengthy, damaging and one-sided account of the CEO’s sacking in its notice of general meeting, the shareholder bloc’s resolutions were passed and Michael Ohanessian reinstated as CEO.

Where to next?

For shareholders, directors, commentators and lawyers, increased activism has us all speculating on what’s coming next. Currently, all eyes are on the response of superannuation funds and hedge funds.

While superfunds/institutional investors are unlikely to become activists themselves in the classic sense, they recognise that in order to create value for their investors, they may need to pick sides in activist campaigns and/or seek out activists to drive campaigns they will support.

Australian Ethical is a conservative institutional investor that wouldn’t normally engage in activist activities. The fund was so aggrieved that shareholders weren’t consulted before Praemium’s high-performing CEO was sacked, it felt obligated to resort to activism to protect its clients’ investment. Hedge funds are a perfect match for activists and, having seen multiple hedge funds obtain control of Australian listed companies via debt to equity swaps in the distressed debt space, more of them will engage in classic activism to obtain controlling stakes or board seats.

The jury is still out as to whether activism is helping or harming companies and the Australian economy and, most likely, the reality is a bit of both. Detractors say activists reinforce short-termism and excessive attention on financial metrics rather than long-term growth and strategy.

Supporters believe activists are necessary to shake up underperforming companies and overly cosy boards. Whatever the case, activism has well and truly arrived Down Under and it’s contributing to a far more complex, unpredictable corporate landscape.

 

About the Author:

Jeremy Leibler’s commercial and corporate law practice has a particular focus on mergers and acquisitions, public and private capital raisings, takeovers and takeover defences, and shareholder activism and board disputes. He has an intimate knowledge of the law and market practices relevant to listed companies in Australia, and is regularly quoted in the media on issues related to shareholder activism and proxy advisers. Jeremy was recently appointed as a non-executive director of ASX listed Thorney Technologies Limited and is also a member of the Australian Takeovers Panel.

PCAOB: Minding the GAAP

By Nemit Shroff – Associate Professor of Accounting, MIT Sloan School of Management

 

 

In the world of financial regulation, the US Public Company Accounting Oversight Board (PCAOB) is controversial. The board was created by the Sarbanes-Oxley Act of 2002 (SOX) after the Enron and WorldCom accounting scandals, and many question whether it adds value to the financial reporting process.

At the heart of the debate is the reliability of companies’ financial statements. While it is the independent auditor’s job to check whether financial statements comply with generally accepted accounting principles (GAAP), auditors are typically paid by the companies they audit and managers often have significant influence in auditor selection. As a result, sceptics question the ability of auditors to stay unbiased and worry that auditors could be influenced by the demands of the companies they audit.

Adding to this issue is the lack of transparency in the auditing process. It’s hard for investors to know how much effort the auditor put into ensuring that the financial statements of companies comply with GAAP. In general, the auditor’s report provides investors only a pass/fail opinion regarding the financial statement’s compliance with GAAP, leaving investors with little information regarding any critical reporting issues that required significant auditor judgement.

Advocates of the PCAOB maintain that a public regulator increases confidence in an audit by inspecting the work performed by auditors, ensuring that the process conformed to certain minimum standards of quality and independence. However, critics contend that PCAOB inspectors do not have the expertise or incentives to evaluate the quality of an auditor’s work.

Confidence booster?

To get to the bottom of this issue, I conducted a study that looked at whether PCAOB oversight of a company’s auditor increases investor confidence in the audit process and, ultimately, audited financial statements. Since one of the primary purposes of external financial reporting is to facilitate the exchange of capital between companies and investors, I wanted to see (and measure) if companies whose auditors are inspected by the PCAOB are able to raise additional external finance as a result of their auditors’ PCAOB inspections. Further, I looked at whether companies are able to subsequently increase capital expenditures with the increased access to external finance (if any).

I used the PCAOB’s international inspection programme as a setting to test the effect of its oversight. SOX requires the PCAOB to inspect the auditing procedures of all auditors that participate in the audit of companies registered with the Securities and Exchange Commission (SEC). This means non-US auditors are subject to PCAOB oversight if the auditor has even one client that is registered with the SEC (e.g. since BP’s shares are cross-listed in the US, its independent auditor, EY-UK, is subject to PCAOB inspections). The big benefit of using the international inspection programme is that I can compare two companies of very similar sizes, performance and growth in a specific country, only one of whose auditors is inspected by the PCAOB in a given year. I constructed a sample of non-US companies from 35 countries whose auditors were inspected by the PCAOB at different points in time since the inception of the inspection programme in 2005.

“Findings show that the PCAOB adds significant value to the financial reporting process. It benefits investors and companies and helps auditors gain market share”

The study suggests that PCAOB inspections are good for companies and investors. Companies whose auditors had no deficiencies identified in the audit process raised significantly more external capital following the disclosure of the PCAOB inspection reports. The increase in capital amounted to 0.5 per cent of their assets, which is equal to approximately a 10 per cent increase in the average amount of external capital raised. While not all companies raise capital, the ones that do tend to raise 10 per cent more after a PCAOB inspection of their auditor. The increased capital is due to companies issuing additional debt and equity following the disclosure of their auditor’s positive PCAOB inspection report.

The data also show that companies use these additional funds to increase investment. Companies whose auditors were inspected by the PCAOB increased capital expenditures by 0.3 per cent of assets, which is equal to about a six per cent increase in the average annual capital expenditures.

Highlighted problems

Not surprisingly, the extent of this impact is contingent on the content of the PCAOB inspection report. Companies raise significantly less capital and issue significantly less debt and equity capital when the PCAOB report reveals problems with the independent auditor’s auditing processes.

Figure 1 plots changes in the amount of external capital raised by companies following the PCAOB inspections of their auditors (conditional on the auditor receiving a clean PCAOB inspection report, i.e. one without a Part I Finding). Similarly, Figure 2 plots the changes in the amount of capital expenditures incurred by companies following the PCAOB inspections of their auditors (conditional on the auditor receiving a clean PCAOB inspection report, i.e. one without a Part I Finding). The figures also plot a two-tailed 90 per cent confidence interval around each point estimate of the PCAOB effect to help assess the statistical significance of the effects.

Both figures show that the financing and investing patterns of companies significantly change once their auditors’ PCAOB inspection reports are made public. Since the PCAOB inspections occur in different years for different auditors, the patterns observed below are very unlikely to be explained by general economic or industry trends, or changes in the availability of capital over time.

Another finding was that financially constrained companies (i.e. smaller companies and those that do not pay dividends) increase external financing and capital expenditures by a larger magnitude in response to their auditors’ PCAOB inspection report than financially unconstrained companies. This means that firms below the median size in each country benefited the most.

Market share

Finally, in a separate study, I examine whether companies respond to these capital market benefits of hiring a PCAOB-inspected auditor by switching auditors if their incumbent auditor is not subject to PCAOB oversight. Since only a subset of public company auditors in every country (besides the US) participates in the audit of a US cross-listed/listed company, only this subset of auditors are subject to PCAOB inspections. I examine whether PCAOB-inspected auditors gain market share at the expense of those not inspected by the PCAOB. As expected, I find that PCAOB-inspected auditors gain four to six per cent market share from those not inspected by the PCAOB and these auditor market share gains occur only when auditors receive a clean PCAOB inspection report.

While several prior papers examine the effect of PCAOB inspections, my studies are the first to show that such oversight has significant effects on corporate finance decisions and to document the magnitude of those effects. By doing so, the paper also documents the spill-over effect of US securities regulation on companies operating outside the US, finding that non-SEC registered companies derive economic benefits from PCAOB oversight. The finding that PCAOB oversight has spill-over effects outside the US is relevant to European companies and auditors, some of whom benefit from these effects.

In summary, my findings show that the PCAOB adds significant value to the financial reporting process. It opens the black box of auditing via auditor inspection reports, which benefits investors and companies and also helps auditors gain market share when some of their peers aren’t subject to similar oversight. So, are the PCAOB inspections worthwhile? This study suggests that the answer is a resounding yes.

 

About the Author:

Nemit Shroff is the Class of 1958 Career Development Professor and an Associate Professor of Accounting at the MIT Sloan School of Management.

Nemit’s primary research interest concerns whether and why accounting disclosures such as audited financial statements, management forecasts, and press releases affect the corporate financing and investing policies of public and private companies. In addition, his research examines the reasons why corporate disclosure is regulated across the world and the economic consequences of regulating (or not regulating) disclosure. His research has been published in top accounting and finance journals and has received several awards, including the 2011 FARS Best Dissertation Award, the 2014 Competitive Manuscript Award, and the 2016 FARS Best Paper Award.

Born in India, Shroff earned his undergraduate degree from the University of Mumbai and his MBA from Amrita School of Business. He then came to the U.S. to pursue his doctoral degree at the University of Michigan.

The benefits of compliance training

By Sally Afonso – Compliance advisor within the financial services industry

The most visible and powerful support for corporate compliance training objectives comes from the boardroom. Executive boards should invest in and support compliance training as a priority.

In the complex and rapidly changing regulatory landscape of business today, the necessity for an informed approach to business strategy that complies with all applicable rules and regulations, to the letter and in spirit, is more important than ever. This approach takes a balanced view of both rules and values, from external forces and internal sources, in setting the tone at the top.

For this, compliance awareness is highly valuable, but alongside commercial objectives and the daily concerns that drive business, training for it does not always end up top of mind. Despite this, board members should view this training as critical to the success and sustainability of the business.

Employee awareness means employee engagement

Organisations of all types and sizes are in pursuit of a culture of active employee engagement and it is not hard to understand why. Engaged employees are focussed, on-message and productive. They are reliable performers as well as trustworthy stewards of corporate values. In order for employees to fulfil this role, though, they need incentive to engage. Compliance training can give them this by leveraging their content knowledge and understanding of good conduct expectations. Employees who are informed about compliance requirements and regulatory expectations will turn to their leaders as examples of accountability and integrity.

Management feels the ‘warm glow’

Managers whose employees are aware of their compliance obligations can derive satisfaction from the ‘warm glow effect’: the knowledge that their employees look to them as role models and standard-setters. The positive boost of this appreciation reinforces the power of integrity to act as one’s legacy in the workplace.

It is always a career positive to be seen as an example of someone who does the right thing at the right time for the right reason. All other things being equal, any manager would like to be remembered for his or her exemplary integrity, rather than thought of as someone lacking in a moral code. This serves as motivation to contribute affirmatively to the culture of compliance and to support a strong tone at the top.

The mitigation of reputational risk is key

Executive boards take the brunt of public scrutiny and criticism when events leading to reputational risk occur. If the organisation ends up on the front page of the newspaper in a critical light, board members will be held accountable by the public and looked to in order to restore trust and suggest the path forward.

Compliance training helps employees at all levels to understand the importance of noticing and reporting unethical or fraudulent behaviour when they see it. This is the first step in preventing and mitigating the risks to reputation that businesses face. For public companies, enabling whistleblowers and, for private companies, avoiding a culture of fear, are key for the transparency that’s required to avoid major exposure to reputational risk.

Effective governance relies on clarity and dialogue

Governance structures are only as good as the knowledge and compliance sensitivity of the employees working within them. Expectations must be clear and discussions about dilemmas, scenarios and strategic suggestions need to be the norm in the workplace.

Boards can decide upon the most rigorous and carefully designed architecture for governance within their organisations, but if individuals do not know what they should do in order to be in accord with policies and regulations, then they are not prepared to succeed in making the right choices. Adequate training supports positive behaviour, which in turn makes control frameworks more effective.

Relevance supports risk management

Executive boards have complicated agendas when it comes to risk management. In many industries, such as financial services, these can be very technical and structured, requiring specialist expertise and constant discipline and attention. Compliance risk management likewise includes keeping up to date on an increasingly complicated and constantly changing regulatory and legal environment. But it can be made a part of business as usual in all areas of the organisation for all employees to take on personal accountability. Fostering relevance at all levels of the business helps employees to grow a fluency with compliance risk management and use their raised awareness to support the company’s overall compliance programme objectives.

Compliance training can offer inspiring and demonstrable results for executive boards who wish to instil corporate values and promote social responsibility, sustainability and organisational and employee integrity in the companies they serve. Taking a practical, rules-based approach to risk management, which also pays close attention to corporate values creation, will allow board members to steer their organisations to future longevity and success.

 

About the Author:

Sally Afonso is a compliance advisor experienced in the financial services industry, currently working in banking in Amsterdam, Netherlands.

Board evaluations: Good defence & good offence

By Taylor Griffin – Chief Operating Officer & William Stern – Managing Director, The Miles Group

Concerns about whether a board is being effective have only grown for institutional and activist investors alike in recent years – raising questions around board tenure, term limits and how performance is being measured. ‘How long have these people been on the board?’ ‘How well are they doing their job?’ ‘How do you know how well they’re doing their job?’ ‘Shouldn’t we shake things up?’ – all these kinds of questions are forcing boards to think about how they rate themselves as stewards.

On the other side of the equation, most board members think they are doing a good job. When it comes to grading their own board’s effectiveness and performance, most directors use a pretty generous curve. In a study we conducted with the Rock Center for Corporate Governance at Stanford in the US, nearly 90 per cent of directors said that their board had the skills and experience necessary to oversee the company. Directors, on average, rate their boards as a four on a scale of one to five in terms of effectiveness and nearly three-quarters (73 per cent) say that the individual directors on their board are extremely or very effective.

Belying this perceived satisfaction about their governance capability, however, are some evident cracks. Only about half of the directors we surveyed (52 per cent) believe that their board is very effective in dealing with directors who are underperforming or exhibiting poor behaviour. And only slightly more (57 per cent) believe that their board is effective in bringing in new talent to refresh the board’s capabilities before they become outdated. The fact that nearly half (46 per cent) of directors think that a subset of the board has an outsized influence means that more of the influence is being wielded by some than others. While stronger directors may typically have greater influence, less qualified but more vocal directors can exert influence in their own way, with their more passive (and sometimes more competent) peers capitulating.

The underperforming director — a ‘third rail’ for boards

In fact, perhaps the most significant finding in our study was that most directors would like to remove at least one fellow director from their board: when asked how many fellow directors they would want removed because they are ineffective, 28 per cent said one director, 18 per cent said two directors and eight per cent said three or more directors. Why? The reason can be any number of issues: from the professional (experience that has become less relevant to the company’s business over time) to the behavioural (either an overly aggressive attitude or, conversely, a lack of active participation in board discussions).

The issue of what to do about a problem director – if the person is even recognised as such – can cause a sticky situation in the boardroom. While there are certainly some directors who are so valuable that people want them around for a long time, problems may arise when those who bring less to the table are reluctant to step down as their effectiveness and relevance wanes. With the average tenure of public company directors at 9.1 years for large-cap companies and 8.4 years for small-cap (according to Equilar’s 2016 Board Composition And Director Recruiting Trends report), most board members have longstanding relationships with their peers. Confronting someone you’ve sat across from for nearly a decade is certainly not something directors want to do.

Director underperformance is a problem in its own right. What magnifies the problem is a board’s failure to regularly evaluate the performance of its individual directors. Absent a true evaluation, underperforming directors are kept in place well past their ‘sell by’ date – the point up to which they are actually useful. Having these directors around draws down the effectiveness of the board. If allowed to fester, these directors can become toxic, causing outright dysfunction. And when investors sense some blood in the water around particular negative boardroom dynamics, boards can quickly be put on the defensive.

Getting into diagnostic mode: doing evaluations right

To short-circuit this path to dysfunction, it is critical for the chairman or lead director to adopt a diagnostic approach and take the results seriously. The best boards are already adopting rigorous annual performance reviews and moving past mere compliance-driven, check-the-box evaluations. To address these and other board performance issues, a robust evaluation should enable a company to assess – and rectify – the behaviour and practices of the full board and individual directors.

Most boards ask their CEOs to conduct annual assessments of their team and it makes sense for the board to do the same for themselves, not just around governance issues but also around skills, relevance of experiences and contribution. The best directors want feedback and want to grow and increase their effectiveness. Like some employees, some directors may be of greater service at another company. It is not helping the company or the director to keep them around if they are not a valuable contributor.

In our work with numerous boards around the globe, we have found certain common traits of successful board evaluations. By successful, we mean that these evaluations not only followed the letter of the process (by documenting that the assessment was conducted), but also the spirit of the exercise by addressing the question: what are these directors doing right and what could we be doing better? The diagnostic should indicate how the board can improve on its governance of the company.

Based on board evaluation processes that have worked, here is what has proven to be successful: 

Investment from board leaders in the process: Rather than a purely legal review, a board should conduct its evaluation with a focus on leadership development and board governance. It’s important for the board leadership to truly lead this process, signalling a high-level commitment by having the chair, lead director or chair of the nominating/governance committee spearhead the evaluation and endorse the remedies.

Assessing both individual and team performance: The board should be asking tough questions that go beyond governance processes and delve into individual director effectiveness, qualifications, contribution and the group’s effectiveness as a whole. Questions should include: How could the board as a whole be more effective? Are all members contributing at the same level? How could the board’s interface with management be improved? Does the board understand the market and customer segments? Does the board have a solid sense of its role, such that they probe management at the right level, but don’t micro-manage?

Taking into account the future needs of the company: The company should determine if the board’s composition is aligned with what the business needs one, five and 10 years down the line. One approach would be to develop a matrix of the experience, skills and industry or market perspective needed for the company to successfully execute its go-forward strategy and then compare that to the competencies of the current board members.

Consistent standards applied to all directors: Attempting to remedy ineffective behaviour of an individual director (perhaps one who monopolises boardroom discussions or one who never sufficiently contributes) is a highly sensitive undertaking. Boards can make this process less contentious by soliciting individual feedback for each director so no single director appears ‘singled out’ for criticism.

Documentation of evaluation and next steps: A summary of the evaluation should be prepared, including the process itself and general observations. Given the sensitivity and liabilities that directors face, the summary should not contain any conclusions or assertions of incompetence, wrongdoing or failures to perform. Each director’s specific feedback should be structured the same way – with individual calls to action that will collectively raise the performance of the overall board.

Education and structural support for directors: Periodic sessions should be held to expand the entire board’s understanding of industry, marketplace, macroeconomic, or overall leadership issues. Objectively setting policies, such as rotating committee membership and establishing a process for removing ineffective board members, can create a better framework for improving director performance.

By applying the same rigour to assessing their own performance as they do to management’s performance, boards can lay a more solid grounding for their own effectiveness and demonstrate to investors and regulators that they are careful stewards of the company. These self-assessment exercises serve as evidence of the board’s commitment to process, engagement and excellence. Further, these assessments are symptomatic of care and diligence, which may pre-empt many challenges down the road. With investors feeling more and more empowered to call for board changes, boards can use evaluations in self-defence, but also in a very positive way to systematise their own misgivings and provide a forum for making the changes they feel must be made.

 

 

About the Authors:

Taylor Griffin is the Chief Operating Officer of The Miles Group. Her client work focuses on CEO and senior team succession planning, CEO and senior executive coaching, executive assessments (including pre-hire or pre-invest assessments), board evaluations and optimization, and top team effectiveness services.

 

William (“Billy”) Stern is a managing director at The Miles Group. Prior to joining The Miles Group, Mr. Stern was the Chief Legal Officer at Ancestry.com (“ACOM”). At ACOM, Billy was responsible for ACOM’s initial public offering, secondary public offerings, domestic and international acquisitions, SEC and regulatory compliance and other corporate matters.

 

Promoting good governance in Canada

By Stephen Erlichman – Executive Director, Canadian Coalition for Good Governance

The Canadian Coalition for Good Governance (CCGG) is a non-profit corporation whose members are institutional investors that together manage more than C$3 trillion in assets.

CCGG promotes good governance practices in Canadian public companies and the improvement of the regulatory environment to best align the interests of boards and management with those of their shareholders and to promote the efficiency and effectiveness of the Canadian capital markets. CCGG, which celebrates its fifteenth anniversary this year, accomplishes its mission by creating policies, by responding to requests for comment from regulators and governments, by making various submissions to have laws enacted or changed and by carrying out a board engagement programme on behalf of members, which is the focus of this article.

Helping boards to communicate better

In 2009, CCGG began a programme of engaging directly with the independent directors of Canadian public companies on governance matters of interest to our members. Currently, CCGG meets annually with independent directors of 45 to 50 issuers that represent a range of industries and market capitalisations. These meetings provide a private forum for dialogue and an exchange of views between independent directors and institutional investors. They also provide an efficient means for boards to communicate with many of their largest shareholders.

In the 2016 engagement season, CCGG held meetings with the independent directors of issuers that collectively represented more than 21 per cent of the total market capitalisation of the S&P/TSX Composite Index. Over the past six years, CCGG has held one or more meetings with the independent directors of 152 of the 250 companies that comprised the S&P/TSX Composite Index as at December 2016. That group represents more than 60 per cent by number and close to 85 per cent by market capitalisation of the index and includes companies from all 11 industry sectors.

The scope of CCGG’s dialogue with independent directors has expanded from an initial focus on governance policies and executive compensation practices to a broader discussion of board composition and the board’s approach to providing effective oversight and input in critical areas such as risk management, strategy setting and board and management succession.

A study of CCGG was carried out by four university professors resulting in a publication in 2015 that made the following conclusion about CCGG’s board engagement programme: “CCGG engagements had a statistically significant and economically meaningful impact on the likelihood of subsequent adoption of majority voting, say-on-pay, on compensation disclosure and structure and on incentives… Through board interlocks, we find the CCGG’s influence extends beyond the engaged firms.

“Our evidence suggests that a collective action organisation can have an impact on governance through activism. The CCGG’s structure facilitated activism by all types of domestic institutional investors, including those that are traditionally expected to be more passive. The factors that contributed to CCGG’s effectiveness may have relevance elsewhere. These include forming a powerful group with a small number of members by focussing on investor scale rather than type and harnessing social incentives, in addition to economic incentives, to improve group functioning and firms’ responses.”[1]

How it works

How does CCGG carry out its board engagement programme? In deciding with which companies to engage in a particular year, CCGG looks at various factors, including our members’ percentage ownership of a company (generally our members own between 15 and 30 per cent of the shares of engaged companies), the industries that we wish to focus on and the market capitalisation of the companies. Whether a company has ‘bad’ or ‘good’ governance is not a primary consideration; CCGG engages with many companies that have good governance because we believe that we can learn from those companies and even well-governed companies can still improve.

CCGG advises its members in advance of upcoming engagements and invites their input on potential discussion topics. We review the company’s public disclosure materials and prepare a summary that primarily considers the company’s governance practices relative to guidance provided in two of CCGG’s major publications, namely Building High Performance Boards and Executive Compensation Principles. CCGG’s analyst, as well as the CCGG staff member and the CCGG board member who will be attending the engagement, then discuss the summary and finalise the agenda for the meeting. In advance of the engagement meeting, the independent directors are provided with an outline of the intended topics for discussion and are invited to raise additional matters of relevance to their board. The CCGG attendees read the company’s proxy circular and other relevant public documents to prepare for the meeting. The meeting is held with the chair of the board (or if the chair is not independent, then with the lead independent director) as well as the chair of the compensation committee and/or the governance committee. All other independent directors of the company are invited to attend if they wish. CCGG does not ask questions that elicit material, non-public information.

During an engagement, CCGG will urge the independent directors to improve proxy circular disclosure in certain areas and to make substantive changes to improve aspects of their governance. CCGG meets with independent directors only, without company management present, because our institutional shareholder members elect directors (not management) and because our questions often deal with management issues, such as CEO compensation and succession planning.

Following the meeting, CCGG will prepare a confidential summary of what transpired, send the summary to the independent directors for their review and comments, finalise the summary after receiving those comments and then post the final summary on CCGG’s website for members only to assist members in carrying out their stewardship obligations. A copy of the final summary is also provided to the independent directors. If the engagement meeting was the first one with a company, CCGG generally will ask for a meeting the subsequent year in order to see whether the changes CCGG suggested were accepted. To the extent changes were not accepted, CCGG will ask why and, if we disagree, we again explain why we believe the changes should be made. We also will ask new questions based on the company’s latest public disclosure.

Best practices

Based on the numerous proxy circulars that CCGG reviews every year in connection with the board engagement programme, CCGG prepares an annual publication entitled Best Practices For Proxy Circular Disclosure to assist boards in preparing a proxy circular.

Closely tied to CCGG’s board engagement programme are our ‘governance gavel’ awards, whereby CCGG annually recognises excellence in corporate governance and disclosure. Governance gavels are awarded to issuers that best meet the guidelines set out in CCGG’s various governance policies, develop exceptional disclosure practices and actively engage with shareholders. On an ad hoc basis, CCGG also may recognise issuers that make significant year-over-year improvements in governance and disclosure practices as well as best practices in shareholder engagement.

CCGG recently published its updated stewardship principles. In these principles, CCGG states that institutional investors should engage with portfolio companies, either directly, or by collaborating with other institutional investors or by joining investor associations, such as CCGG. Thus, CCGG’s board engagement programme is a way in which Canadian institutional investors can fulfill one aspect of their stewardship obligations.

Making progress

Companies now sometimes ask CCGG to have an engagement, thus turning full circle from the initial hesitance that independent directors had when CCGG first commenced its board engagement programme.

 

About the Author:

Steve Erlichman has practised corporate and securities law throughout his career at major law firms in New York and Toronto and since 1999 has been a senior partner at Fasken Martineau, an international law firm with over 750 lawyers in offices across Canada and in the UK, France and South Africa. In 2011 Steve also became the Executive Director of the Canadian Coalition for Good Governance (CCGG), whose members include most of the largest institutional investors in Canada which collectively manage approximately $3 trillion of assets.

As Executive Director of CCGG, Steve develops CCGG’s agenda and strategy, is in charge of board and member relationships and is CCGG’s public spokesperson. Steve has spoken and written widely and has been interviewed by television, radio and newspaper reporters on numerous topics. The press have called Steve’s writing “insightful” and “prescient” and have referred to Steve as “a leading governance expert” and one of “Canada’s top M&A attorneys”. Steve is a member of the New York and Ontario bars and has law degrees from University of Toronto and New York University as well as an M.B.A. from Harvard University.

Footnote:

[1] Can Institutional Investors Improve Corporate Governance Through Collective Action?, Professors C. Doidge, A. Dyck, H. Mahmudi and A. Virani, April 2015

Aviation risk: Cyber threat flies into the boardroom

By Glen Thoms – Executive Director, Cyber & TMT, Willis Towers Watson

Taking into account what has happened to a number of large, global airlines over the past six months to a year, it is clear that aviation risk is an issue that is front and centre for airline directors. Demonstrating preparedness in a volatile environment is an essential part of what is now a boardroom issue.

Interestingly, from our Transportation Risk Index (TRI), if you look down at some of the top risks across the transportation sector – and across the aviation sector, specifically – these all ring true in terms of the incidents that we’ve seen. The TRI analyses the severity of impact and ease of management of the top 50 risks facing the transportation industry by grouping them into five megatrends and examining their current impact on the sector and how this will change in the future. The increased threat from cyber and data privacy breaches, failure of critical IT systems and the complexity of increasing global data protection and cyber security regulation are all key risks, which we’ve seen come to the fore within the airline sector.

Defining the threat

Most people’s definition of cyber historically has centred around malicious attacks and malicious third parties who are intentionally trying to do bad things to your IT systems and data – that is, invoking the idea of a ‘breach’ rather than a ‘failure’. But looking at what has happened to British Airways in recent weeks and some of the larger American airlines last year, these are issues that come more from ‘system failure’ than from cyber attacks, whether that is a result of negligent acts, deliberate acts or just component failures.

These recent incidents have highlighted the fact that airlines, particularly consumer airlines, are complex logistics businesses. These ‘retailers with wings’ have exposure because they are effectively selling a product – that being getting someone from A to B – in the same way that you would sell a lot of other consumer goods. When things go wrong for these complex businesses there are huge ramifications. The actual outages and disruption that can occur can be relatively short, but the knock-on effects in terms of ongoing disruption, financial damage and reputational harm are very extensive: reports estimate that BA’s incident could cost as much as £150 million. From that incident, 12,000 flights with more than 75,000 passengers were cancelled over three days – these are big numbers.

Adapt your approach

A corollary of the historical focus of cyber risk management on the threat of malicious actors is that organisational spend has largely been on technology – trying to build the wall higher to prevent people getting in. But there are a lot of exposures that can come from areas within the business that can cause the same levels of disruption.

From an organisational context, this switches the way you approach cyber security and IT security: there needs to be a firm focus on incident response.

When incidents happen – whether as a result of hacking or system failure – time is critical. The cascade effect kicks in very quickly and it’s at that point that you start looking at your disaster recovery and incident response planning. Organisations in the aviation sector and beyond need to have those processes, policies and procedures around incident response to allow them to deal with these things quickly. A lot of companies have these processes in place, but the key issue is how regularly you test those systems. There is no point in having a plan unless you test it. When these things happen, you need to be confident that your plan is going to work.

Another shift in focus is occurring, moving away from technology protection that aims to stop incidents from happening, towards acceptance that incidents are now somewhat inevitable and looking at how the organisation is set up to respond. Response is largely what you are going to be judged on. That’s how the media will look at you, that’s the reputational impact. The media coverage of recent incidents, including Delta and Southwest Airlines last year, shows consumer feedback wasn’t particularly complimentary. Those stories firmly bring response and disaster recovery into focus.

Dealing with data and regulatory reform

For airlines, a big piece of the cyber risk jigsaw is built around data risk and data privacy risk. Airlines hold lots of customer information – names, addresses, passport numbers, credit card information – that is attractive to hackers. In large international airlines, there is a further layer of complexity due to operating across multiple jurisdictions and bringing into play regulatory issues depending on which territories your consumers are located in.

So when you look at the cyber-risk profile for airlines, there is not only the potential impact of catastrophic business interruption caused by a cyber event, but significant data privacy issues, too. This is particularly relevant for those in Europe where stricter regulations are either in place or coming into force. Next May the European General Data Protection Regulation (GDPR) comes into effect, so airlines dealing with customers who are EU nationals have a much stricter regulatory regime that imposes significant requirements around the way consumer data is collected, handled and processed, with significant financial consequences if you get that wrong.

Regulatory reforms are both a help and a hindrance. Take data privacy: formally legislated rules will focus the mind on the need to look at how data is collected, held and protected, and whether entities even know what data is being held. Questions then arise around whether sufficient controls and procedures are in place around that. Therefore, stricter regulations force companies who are collecting large volumes of consumer data to look at their overall approach and procedures more closely because, in the event of a breach, that’s going to be one of the areas that the regulator focusses on. When you talk of fines being levied – up to four per cent of global turnover – an airline that can demonstrate good cyber hygiene, good risk management, good recognition of risks and controls (and which responded to the incident well) would likely be judged and penalised less harshly in comparison to a company that didn’t demonstrate any of these.

So regulation in itself can potentially focus a company’s thinking around how it deals with some of these issues. Strong understanding and proactive compliance also have the potential to serve as a differentiator in terms of doing business. If consumers are confident around the way a business collects and stores their data, they are likely to be more comfortable using that business.

The flip side is the increased burden that strict regulation brings for organisations implementing change to stay compliant. To some extent, it’s difficult to know whether you did the right thing until after an incident happens and an investigator decides whether your actions were right or reasonable. With GDPR there is also a lot of grey area that companies must grapple with but, with enforcement less than 12 months away, we have certainly seen a marked shift with our client base in those sectors that are collecting lots of customer and personal information. There is a real focus now on making sure they can justify compliance.

For consumer-facing businesses that are collecting large volumes of information, whether retailers, financial institutions or airlines, this is firmly on the boardroom agenda. As a member of the board of those companies where there is such a potentially significant exposure, you must be able to demonstrate that not only have you recognised that cyber or data is a risk for you, but that you are doing something about it in terms of protection and risk management.

Train pre-attack; communicate post-attack

Our claims data shows that workplace culture and employee engagement around cyber risk is also important to the risk profile. Building the wall higher to keep people out is useful, but neglects the fact that there are many threats from inside the wall. Negligent or deliberate acts from employees or contractors can lead to big exposure.

Pre-loss, training and awareness around data and cyber security is critical, as is people buying into why this is important to the business. There is often a danger with training courses that they simply become a tick-box exercise. We continue to see a lot of cyber incidents arising from social engineering and phishing scams where people click on the link they weren’t supposed to.

The extent to which you can make employees engaged and help them understand the importance of these issues is going to infinitely improve your risk profile and reduce the potential for incident. Make sure that all employees know how to notify and escalate internally. Training and education is critical for prevention but also for responding appropriately. And remember that the method of training delivery is vital: this can’t be treated as a once-a-year, onerous compliance initiative where you pay lip service to the issue of training and then forget about it for another 12 months.

Predictability and preparedness

Volatility around the risk environment is pretty extreme in this field. Take the WannaCry ransomware attacks: ransomware is not a new threat but the 2017 attack that crippled critical systems worldwide demonstrated how quickly this can spread – there’s no geographical boundary. If you’re looking at risk physically and trying to protect against natural catastrophes like earthquakes and hurricanes, there’s generally a blast radius which, if worse comes to worst, limits the affected area. The WannaCry incident really emphasised the fact that this can impact multiple companies across multiple geographies quite quickly from a single attack. While that had always been a threat, incidents like WannaCry can act as scenario testing for organisations.

While airlines would be prudent to map out a broad architecture for incident response, you also have to accept that the nature of a new incident could be uniquely complicated and something nobody has seen before, so adapting your response in real time is the only way to counter volatility and uncertainty in the risk environment.

You also have to look at motive when talking about risk – whether that’s monetary gain, criminal hackers, activists with religious or ideological aims, a disgruntled employee with a grudge to bear, or even a negligent employee or contractor. Look at those potential threat actors and establish what they will be interested in. That level of granularity to identify threat actors, and what they’re interested in, will help you build the appropriate controls, encompassing people, process and technology, around those risk exposures.

External v. internal management of supply chain

Most airlines are reliant on third-party technology and other providers to operate their businesses. That exposes them to failures or issues with the supply chain and increases the surface area over which they can suffer attack. If airline systems are interacting with a number of third-party systems then there is the potential that that becomes an access point and creates another exposure. That digital supply chain complexity is something all companies are grappling with and there is always a discussion around whether each component part of a supply chain is something that is better managed internally or externally. You may be giving away control to a contracted third party and therefore relying on the strength of a contract if things go wrong. But if you’re outsourcing to a major technology provider, they are continually reinvesting in making sure they have resilience, protection and recovery. While exposure comes from giving access away, at present we haven’t seen it causing huge issues for companies. So, the risk is there but this is often outweighed by cost benefits and by the fact that, for the most part, you actually improve your risk profile because you outsource to a company that is better placed to perform this function.

The question is: how do you select, vet and contract to ensure a company is dealing with data and IT security in the way you want it dealt with? Have visibility on who your outsourced service providers are, how you select and monitor them and contract with them. Outsourcing is a business reality, so make sure there is visibility, rigour and control around who you contract with, beyond just looking at cost.

Cost cascade and controlling the controllables

All is not doom-and-gloom in the world of aviation cyber, however. With every incident, risk management standards subsequently improve, either through enforced regulation, or improved best practice (and investment) in recognition and preparedness.

Relative to the number of airlines and flights operating globally, incidents are not as commonplace as one would expect. It is an issue that can get exaggerated, but that’s not to say additional focus and investment is unwelcome. Incidents may be relatively few and far between, but the cascade effect of an outage and ongoing delay and disruption can be limitless.

The direct, tangible cost impact comes through myriad factors, including loss of revenue from cancelled flights, the costs of staff overtime, of emergency practices to keep things ticking over, regulatory penalties and fines, fees for recovery assistance, legal and accountancy fees, insurance calculation time, and passenger compensation – which in some cases has been as much as €600 per delayed passenger. With up to 75,000 passengers impacted by an incident (for example through number of flights cancelled) this direct cost alone is potentially huge.

Then there are intangible costs, such as reputational damage, additional regulatory scrutiny and damage to staff morale. This in turn can impact on an organisation’s ability to attract investment or to attract talent from a recruitment perspective. So, while annual reports and accounts can give an indication of what has been set aside, it is impossible to measure the true financial impact.

Organisations must be mindful of new trends and track technology, as today’s outliers have the potential to become tomorrow’s norm – as we’ve seen with social engineering, a cyber threat that most companies are now exposed to. Mitigating the impact of this and other threats is easier than measuring them. Risk profile and incident response must therefore be a constant boardroom bullet point. Stay vigilant and control your controllables.

About the Author:

Glyn joined the FINEX Division of Willis Towers Watson in 2015 to head the London Cyber and TMT E&O capabilities. Glyn has worked in the London insurance market for 15 years specialising in Cyber risk placements across a range of industry sectors as well as Errors & Omission placements specifically within the Telecommunications, Media and Technology sectors. Glyn advises clients on programme design, placement and risk profiling with a particular focus on policy wording and coverage analysis.

When sustainability chimes with stability

By Chris Landis – Division CEO, SIX Swiss Exchange

For any infrastructure provider, it is absolutely critical to ensure the stability of its services. From this perspective, any change equals a risk of creating instability. However, change is inevitable and has to be faced or, if possible, anticipated. Developments in the area of regulation and technology as well as competitive pressure require a constant development of systems and services.

An example from the technological perspective is digitalisation, which will no doubt change the way we do things, possibly also what we do. How exactly and how fast this will happen is difficult to predict. But the digital revolution is a reality and the upcoming challenges have to be met. These challenges could take many forms. Maybe new services will be created based on the data generated by the increasing interconnection between humans and machines or objects. Maybe they challenge existing business models or even entire industries.

Digitalisation raises such questions for operators of the financial market infrastructure, including SIX. For example, bank customers now use more automated processes and mobile banking. This has created new demands within the financial market infrastructure. Which requirements will it have to meet? And from a governance perspective: what rules determine how data is used? What conditions does the State need to put in place to ensure that everyone benefits from digitalisation while upholding consumer or investor protection?

Finding the right balance

In the case of a stock exchange, the challenge is, and always has been, to achieve a balance between stability and trustworthiness on the one hand and serving the changing needs of its customers and society at large on the other. In this respect, SIX has a responsibility – not only at a corporate level, but also, even more importantly, on a societal level – because some of the infrastructure it provides is systemically important: it is fundamental to the competitiveness and performance of the Swiss financial centre and therefore to the economy. To reflect this responsibility, SIX has made the stability of the financial sector the first and most important of its corporate responsibility principles.

The availability and reliability of its infrastructure are the foundation of the stability of any financial centre. Every day, millions of financial transactions, a high volume of data and monetary amounts in the billions pass through the systems of a financial infrastructure service provider such as SIX. It is therefore crucial that this load can be handled by its systems reliably and at any time.

In recent times, the financial infrastructure in Switzerland has passed several such ‘stress tests’, the biggest one being the decision taken by the Swiss National Bank to abandon the euro exchange-rate floor on 15 January 2015. On that particular day, SIX had to handle six times the normal trading volume – and did so without any problems.

System availability: A top priority

Ensuring the availability, stability and security of the systems – especially in crisis situations – is at the core of financial services providers. Events, such as a prolonged power cut, floods, acts of sabotage or pandemics, could lead to chaos on the financial markets, destabilising financial systems and thereby the economy. Any infrastructure service provider for a financial centre should therefore be aware of its responsibility and act and plan accordingly. Redundancy, in terms of systems and connectivity, staff recovery and succession planning, and robust, rehearsed emergency procedures, form the basis of our ambition to operate responsibly. Infrastructures that SIX operates worldwide can be deployed all year round, 24/7 and the average availability of all SIX services is 99.95 per cent.

Forward-looking mindset

Corporate governance should be geared towards sustainability and longevity. This implies a mindset that is not only focussed on the present but also forward-looking. Financial market infrastructures need to be developed on an ongoing basis to meet future requirements and challenges. SIX aims to ensure this through a well-balanced ownership and through active participation in all relevant organisations.

Economic success, social responsibility and environmentally conscious actions should complement one another. Through the creation of appropriate framework conditions at national and international levels, SIX not only supports Switzerland’s sustainable development as a financial centre, but also contributes to the stability of the overall economy.

A greener future

Infrastructure is not the only area where a stock exchange can demonstrate its commitment to corporate responsibility: it can also relate to the financial instruments traded on it. A current example of a project that SIX is working on relates to the fixed income segment and the visibility of green bonds.

Green bonds are conventional fixed income instruments, created to (re)finance projects that have positive environmental and/or climate benefits. Several approaches can be used to define what a green bond is, using different data and parameters. One prevalent way is to apply the criteria of the Climate Bonds Initiative (CBI). The CBI is an international, investor-focussed not-for-profit organisation supported by a large network within the financial industry. Based on its data of labelled green bonds, these specific instruments can be identified.

Figures on the development in recent years show an increasing interest in sustainable investments. In particular, the issuance of green bonds has increased from $11billion in 2013 to $42billion in 2015 and CBI estimates expect up to $130billion to be issued in green bonds in 2017. Of course, the success of green bonds also depends on how actively they are traded. A clear identification of green bonds will support investors and asset managers in their decision process.

On the route to introduce green bonds, SIX took a first step in November 2016 by organising an event in cooperation with the International Capital Markets Association (ICMA) and the Swiss Financial Analysts Association (SFAA). This event was very well received by investors as well as underwriters, encouraging SIX to continue on this path.

If green bonds can be added to the offering of SIX, it would support the growth of sustainable finance and therefore be a perfect fit with its corporate responsibility framework. Besides ensuring stability and being a responsible employer, the company concentrates its activities on strengthening social cohesion and the careful handling of natural resources – true to its principle ‘enabling a sustainable future’.

About the Author:

Chris Landis has been Division CEO of SIX Swiss Exchange since 12 November 2015. He had previously managed the business area on an interim basis since May 2015. Chris Landis has been at SIX Swiss Exchange since 1992. He was Deputy Director of Information Technology from 1999, with a major focus on developmental and external IT projects. He was appointed to the Management Committee of Swiss Exchange as CIO in 2003. He has been responsible for Operations since 2010, in the capacity of Deputy Division CEO since 2012. After graduating with a Type B Matura in Zurich in 1978, Chris Landis continued his studies in the fields of human medicine, information technology, and economics.
