In the midst of this true madness in the NCAA tournament this year, Jay Rosen and I take a look at some of the top compliance stories over the past week.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
In this episode I welcome back Dr. Marsha Ershaghi Hames, the Managing Director of Strategy at LRN. We discuss how leading with principles has become even more important after the current wave of corporate scandals, all in the context of Board of Directors accountability. Some of the topics we discuss in this episode include:
From the Headlines, we explore some specific examples of recent corporate scandals, including:
In this episode, Matt Kelly and I take a deep dive into the recent SEC enforcement action against Elizabeth Holmes, the disgraced founder of Theranos, for her massive fraud around the former unicorn. Holmes claimed to have developed a proprietary system of blood testing so that, with only one pin-prick of blood, over 200 diagnostic tests could be performed. It turned out to be complete smoke and mirrors, as the company never came close to developing the technology. In fact, the company and Holmes specifically hid the true nature of the company’s technology from investors using an elaborate deceit.
Holmes was one of the most famous women to come out of Silicon Valley. She founded Theranos, hyped the fraudulent blood testing scam and became for a short time a billionaire. Now all of that is gone, gone, gone. According to the SEC Complaint, Holmes agreed to a civil penalty of $500,000, returned some 18.9 million shares that she obtained during the fraud, relinquished her voting control of Theranos by converting her super-majority Theranos Class B Common shares to Class A Common shares, and is banned for 10 years from holding office in a publicly traded company.
We explore the questions surrounding this massive fraud and the penalty assessed by the SEC. Was the fine and penalty enough, or should Holmes have been criminally prosecuted? Is there enough money left in Theranos to pay off all those the company defrauded? Where was the Board of Directors in all of this miasma? At what point does a start-up with a revolutionary or innovative idea actually have to prove the idea works? Should the SEC regulate private companies which go into the market for capital? Matt and I take a deep dive into these and other questions in this fascinating look at one of the former highest-flying unicorns, which fell to earth with a resounding thud.
In this episode, I welcome back Steve Durham, a partner with Labaton Sucharow, to discuss the continued reverberations from the recent Supreme Court decision narrowing the definition of whistleblowers in Digital Realty Trust v. Somers. Durham discusses the impact the decision may portend for the SEC Office of the Whistleblower and for both the quality and quantum of tips and information brought forward to the SEC after the decision.
March Madness is upon us, with the first ever #16 seed knocking off a Number 1 seed. In the midst of this true madness, Jay Rosen and I take a look at some of the top compliance stories over the past week.
Henry Worsley and Ernest Shackleton are related by more than blood. They are related by their souls. A distant relative, Frank Worsley, had accompanied Shackleton on his Antarctic expeditions, including the abortive Nimrod expedition, where Shackleton had tried and failed to reach the South Pole, coming within 90 miles of his goal before he and his two-man team turned back. Inspired by this event, Henry Worsley and two other men successfully walked unaided to the South Pole and back in 2008-2009.
Shackleton is of course much more famous for his Endurance expedition, the legendary 3-year (1914-1917) trip to the Antarctic in which his crew was stranded on the ice; Shackleton and a few companions traveled some 800 miles in an open boat to the South Georgia Island whaling station to obtain a rescue craft. He then returned to the Antarctic and rescued all the men who had been stranded.
Both men provide some interesting leadership lessons from their experiences. Henry Worsley’s journey to the South Pole was recently chronicled in the New Yorker in a piece by David Grann entitled “THE WHITE DARKNESS-A solitary journey across Antarctica”. Henry Worsley became interested in Shackleton as a child, marveling at his stories of exploring and adventure. For most of his life he was in the British Army, becoming a member of the elite Special Action Services (SAS). After his retirement, he met Shackleton’s grand-daughter, who introduced him to Will Gow, the great-nephew of Shackleton, who wanted to recreate the trek to the South Pole. They were joined by another descendant of the Nimrod expedition, Henry Adams, the great-grandson of the Nimrod expedition’s second in command, Jameson Boyd Adams.
Together the three men trained in Arctic treks and cold weather situations for several years, while fund raising for their own expedition. This training regimen was coupled with meticulous planning for their trek. Each man was required to haul a sled weighing some 300 pounds across the ice. Henry Worsley’s pack was emblazoned with two phrases, “Always a little further” and “By Endurance we Conquer”. Henry Worsley drew the following leadership lessons from Shackleton: "His optimism and patience. That the welfare of his men governed all his decision making. His courage. The hope he instilled in others. His romanticism. His ability to hold a team together in adversity. His recognition of the qualities of Frank Wild and his choice to make him his second in command. The depth of affection and respect that his crew members (from all expeditions) had for him. That he never gave up on fulfilling dreams. But above all I believe that in times of deep trouble, when lives were at risk, he was able to instill in his men the confidence that he would get them out of the desperate situation they were in, because nothing was more important to him than their welfare." The three were able to accomplish their goal by safely trekking across the ice to the South Pole and back.
Shackleton is best known for his Antarctic expedition failures. In addition to the Nimrod and Endurance expeditions, he was also on the failed first South Pole trek led by Robert Falcon Scott in 1901. According to Cathy Graham, writing in Workplace Navigator in an article entitled “7 Characters of Leadership I Learned From Sir Ernest Shackleton”, the tale of “how 28 men survived for 21 months after the ship was beset in the ice floes of Antarctica”, in sub-freezing temperatures, with no digital equipment, not even a radio, and numerous physical obstacles, including climbing for 36 hours over uncharted mountains without climbing gear, is one chock full of leadership lessons for today’s business leader. She noted seven lessons.
In this episode, Matt Kelly and I continue our exploration of the fallout from the recent Supreme Court decision in Digital Realty Trust v. Somers in light of the filing by BioRad in its appeal of the whistleblower award to its former General Counsel, Sanford Wadler. Wadler had internally reported allegations of FCPA violations by the company in China to its Board of Directors. Wadler was later terminated and filed suit claiming his termination had been in retaliation for his whistleblowing efforts. The jury agreed with him and he was awarded approximately $11MM in damages, including damages under Dodd-Frank.
Last week, BioRad filed notice in its appeal of the Digital Realty Trust v. Somers decision and asked that approximately $3MM of the damages awarded to Wadler be thrown out, as they were based on Dodd-Frank. There was no evidence that Wadler had blown the whistle to the SEC, although there was evidence he reported as required under SOX. We explore three issues which the case raises:
For more information on these issues see Matt Kelly’s blog post Supreme Court Whistleblower Ruling, Already in Play
See Tom Fox’s blog post Whistleblowers at the Supreme Court-Part II: Impact of the Somers Decision
In this episode, I visit with Miller & Chevalier Member John Davis on the firm’s FCPA Winter Review 2017. We discuss the key FCPA enforcement actions from 2017 and developments in compliance. Davis identifies four themes from Miller’s report, including: (1) what, if any, change the new administration brought in FCPA enforcement; (2) the uptick in individual enforcement actions under the FCPA; (3) the new FCPA Corporate Enforcement Policy, which incorporated elements from the 2016 FCPA Pilot Program and the 2017 Evaluation of Corporate Compliance Programs; and (4) the large, multi-national anti-corruption enforcement actions which are becoming more normalized.
We then discuss how these trends may continue into 2018 and beyond. The Miller & Chevalier quarterly FCPA report is always one of the most useful reviews of FCPA and related enforcement around. It reviews all the FCPA enforcement actions in the quarter as well as the key international anti-corruption enforcement actions. It also has some very useful charts and graphics to summarize key trends. It is an invaluable resource for the compliance practitioner. You can check out the FCPA Winter Review 2017 by clicking here.
In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week, including some fury.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
In this episode I consider the role of the Board of Directors in having a Compliance Committee and having a compliance expert on the Board itself. When you consider any of the most recent corporate scandals, from industries as wide as pharmaceutical to banking to manufacturing to transportation, one of the key themes in common was that they had no compliance expertise on the Board of Directors. This lack of a key resource to the Board is something which has now drawn the attention of regulators and prosecutors.
At the Board of Directors level, a Board Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. While many companies have fulfilled these obligations through an Audit Committee, clearly the better practice is to have a separate Compliance Committee. The reason is clear: compliance has become not only central to any well-run business, but it is also critical to overseeing a wider variety of risks than the typical Audit Committee has experience with, which is usually only aimed towards financial risks.
Every Board of Directors needs a true compliance expert sitting on the Board. Almost every Board has a former Chief Financial Officer, former head of Internal Audit or persons with a similar background, and oftentimes these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and subject matter expertise that can help all companies with their financial reporting and other finance-based issues. All of these considerations were incorporated into the Justice Department’s thinking when it added the requirement for compliance expertise on a Board of Directors in the 2017 FCPA Corporate Enforcement Policy.
In this episode we explore the basic policies and procedures that you need to have in place to comply with the General Data Protection Regulation (GDPR). I am joined in the exploration by Jonathan Armstrong, a partner at Cordery Compliance in London. GDPR compliance mandates some specific policies and procedures that Jonathan Armstrong and the team at Cordery Compliance suggest that you put in place at this time, ahead of the GDPR go-live date of May 25, 2018.
In this episode, Matt Kelly and I explore the recent revelations of systemic sexual harassment and abuse present in the front office of the Dallas Mavericks. The allegations were not lodged against owner Mark Cuban but against his former team CEO, Terdema Ussery, who was CEO of the Mavericks from 1997 to 2015. The story was broken by Sports Illustrated in a stinging exposé last month. Cuban claims the first he heard about these allegations was when the SI writers, Jon Wertheim and Jessica Luther, contacted him for comment on their piece.
Matt, writing in his blog post Dallas Mavericks Scramble on Compliance, noted the story had the three hallmarks we have seen from recent #MeToo scandals involving top CEOs. First, these organizations have unchecked senior executives — charismatic, larger-than-life figures who dazzle their peers and superiors, which leaves them in an excellent position to abuse subordinates. Second, the organizations have flawed reporting mechanisms that don’t send allegations of misconduct to people empowered to do something about them. Third, the organizations allow a culture of protection to fester.
All of this led to years of harassment and physical abuse by members of the Mavericks front office. Some women in the article said it was safer in the players’ locker room, where the players were gentlemen. They contrasted it with the Animal House atmosphere of the team’s front office. Owner Mark Cuban has certainly said all of the right things since the story broke. He has even posted a job opening for the team’s first Chief Compliance Officer. You can apply here.
The sordid story is yet one more in a stinging line of unethical and illegal acts that a company’s management allowed to fester for years. It also points to how compliance is assuming a greater importance in helping a company prevent, detect and remediate nefarious conduct.
In this podcast I welcome back John Hanson, founder and President of the International Association of Independent Compliance Monitors (IAICM), the only professional group for independent corporate monitors. The IAICM was announced one year ago in conjunction with the ABA White Collar Conference. At its one-year anniversary, Hanson returns to the podcast to reflect on the growth of the IAICM, assess its first year, discuss the highlights of that first year for him as President of the IAICM and then go into some of the goals and initiatives for the IAICM in year 2.
With the announcement of the Justice Department’s Evaluation of Corporate Compliance Programs in February and new FCPA Corporate Enforcement Policy in November, the landscape for monitors will likely continue to evolve in 2018. Hanson and I consider what these and other DOJ announcements may portend, including the following questions:
As with all visits with Hanson, they are thoughtful, well-informed and very insightful. If you practice in the FCPA world or in the broader international anti-bribery/anti-corruption sphere, you will not want to miss this interview.
For more information on the IAICM, including membership, resources, its Code of Conduct and services, check out the website IAICM.org.
In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week as we celebrate Texas Independence Day.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.
In this episode I visit with Joel Solomon, author of “The Clean Money Revolution”. Solomon has worked in the investment community for many years, both in the United States and Canada. He heads Renewal Funds, which is Canada’s leading mission venture capital investment firm, with $98 million of assets under management in early growth stage Organics and EnviroTech companies in Canada and the USA. The Fund has over 150 individual, family, and foundation investors, mostly split between Canada and the USA, with several in Europe and Asia. The goal is above-market financial returns from a portfolio of companies offering positive societal advances. Renewal Funds’ dynamic team is led by Paul Richardson, President and CEO, and Joel Solomon, Chair, with crucial backing from Carol Newell. Renewal Funds has been named a "Best for the World Fund" by B the Change Media, for setting the measurement and management bar for impact investing. It has also been named a B Corp "Best for the World Company."
We discuss what mission venture capitalism is and Solomon’s leadership in this field. We discuss his book, The Clean Money Revolution, and explore how clean money investing is different from other types of investing. We explore the role of money managers in the clean money revolution and the broader role of money managers in environmental, social and governance investing and management. We consider the role of the Boards of Directors of public companies in contributing to the clean money revolution. We conclude with a fascinating exploration of the US government’s pull back from ESG and clean money investments, leaving a very large role for corporations to step in and fill going forward.
For more about Joel Solomon, check out his website, joelsolomon.org.
In today’s episode of Countdown to General Data Protection Regulation (GDPR), Jonathan Armstrong, a partner at Cordery Compliance Ltd in London, and I consider the role of the Data Protection Officer (DPO) in complying with the new regulations, which go live on May 25, 2018. The Cordery Compliance FAQs note that a DPO must be appointed to deal with data protection compliance where:
The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data-processing, and, must be independent in the performance of their tasks – they will report directly to the highest level of management. Businesses will therefore have to determine whether a DPO must be appointed or not, but, given the significance of privacy compliance today, even if technically-speaking a DPO is not required to be appointed, a business of a particular size that regularly processes data may wish to consider appointing one in any event.
The role of the DPO is critical in complying with GDPR. The time to start is now. For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 AM. You can find out more information on the event and register by going to the GHBER.org site.
In this episode, Matt Kelly and I take a deep dive into the implications flowing from the Supreme Court’s decision last week in Digital Realty Trust v. Somers. Matt initiated a ‘tweetstorm’ in articulating his thoughts on the effects of the decision, including its effect on corporations, Chief Compliance Officers, corporate compliance functions and the Securities and Exchange Commission.
We consider what possible remedies Congress might enact to help fix the Dodd-Frank Whistleblower protections and remedies, to support employees who want to report internally and still be protected from discrimination and harassment. We consider whether corporate legal departments will now use this decision to root out and cudgel employees who report actions they believe are securities law violations. Finally, we consider the potential negative impact of this decision in light of the requirement for self-disclosure under the new FCPA Corporate Enforcement Policy.
For more on the Digital Realty Trust v. Somers decision, see the following:
Matt Kelly’s piece 16 Tweets About One Whistleblower Ruling
Last week the US Supreme Court issued its decision in Digital Realty Trust v. Somers (Somers). It was a closely watched case in the compliance community. Yesterday, I reviewed the Court’s decision. In this podcast, Roy Snell and I consider the impact of the Court’s decision on a variety of actors; including the SEC itself, Chief Compliance Officers (CCOs) and compliance practitioners, compliance programs and corporate America.
While we both agreed the Supreme Court came to the correct legal decision, there are several areas in which this decision may well lead to negative impacts. The first is the message that it sends to potential whistleblowers: if you do not report to the Securities and Exchange Commission (SEC), you will not receive any legal protections against discrimination or retaliation.
Second is the impact on every Chief Compliance Officer (CCO) or compliance practitioner. This decision will negatively impact attempts to create a best practices compliance program. A key part of any best practices compliance program is an internal reporting mechanism (Hallmark 8 of an Effective Compliance Program).
Third is that companies will be cut off from their best source of information, their own employees; companies will now have less ability to detect and then remediate any problems before they become legal violations, or to keep legal violations from expanding.
Finally is the impact the decision will have on the SEC itself. Now there is no incentive to report internally, because you are not eligible for any financial incentive, nor will you receive any protections from discrimination or retaliation. It is possible the SEC will be literally inundated with reports of potential securities-laws violations.
In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week, including inquiring into where the chickens are in England.
The top compliance roundtable podcast is back with a wrap-up review of the first year of the Trump Administration and its impact on the compliance profession. Stay tuned to the end for riffs and rants in this edition.
For Matt Kelly’s musings on Jay Clayton, the PCAOB, government rule-making and the SOX compliance debate, see the following:
For Mike Volkov’s excellent 3-part podcast series on the Mueller investigation and related blog posts, see the following:
For the Cordery Compliance client alerts see the following:
For Jay Rosen’s post on the new FCPA Corporate Enforcement Policy see the following:
The members of the Everything Compliance panel include:
In this episode Matt Kelly and I go meta as we podcast about another podcast that Matt posted this week on his site, Radical Compliance, where he interviewed Paul Sobel, the incoming Chairman of COSO. We discuss how Sobel sees his new role at COSO, some of the initiatives that he has in mind for the organization and how companies can use the various COSO frameworks, including the Internal Controls and ERM frameworks, to better manage risk from the strategic perspective.
We use the Sobel interview as a starting point to consider how Boards of Directors can think about risk management for a wide variety of issues, from climate change to cybersecurity to sustainability. We also discuss how the COSO frameworks can be used in conjunction with more tactical forms to create a more robust overall risk management program. Join Matt and myself as we go meta this week and take going into the weeds to a new level.
For Matt Kelly's interview with Paul Sobel click here.
For Matt Kelly's blog post on the COSO ERM Framework see “COSO Debuts Final ERM Framework”.
For Tom Fox's blog post on the COSO ERM Framework see “The COSO ERM Framework”.
Whether you are ready or not, the EU General Data Protection Regulation (GDPR) goes live on May 25, 2018. It will impact companies doing business in London as much as any other EU legislation. To help US companies prepare, Jonathan Armstrong and I have started a countdown to GDPR podcast. In this premiere episode we discuss what GDPR is and why it is so important that you begin preparing now.
It is quite a wide piece of legislation and covers all personal data. Armstrong noted it is important to remember that the definition of personal information is much wider than the US definition, as it includes information such as geographical locations. GDPR applies to anyone doing business in the EU. It could be as simple as having a website which is accessible to people in the EU. GDPR has heightened obligations on data security; in most cases your organization will be required to report data breaches to a UK data regulator within 72 hours of becoming aware of the breach. Another distinction is the right for an individual to ask companies what information they may hold on them and to exercise the right to be forgotten. All of these requirements present special challenges for US companies. Finally, one area that has received quite a bit of attention is the fine range. Armstrong noted, “if you’re a small business then you’re subject to a fine of 20 million euros. And if you’re a larger business that fine can be 4% of your global annual general revenue.” Lastly, to top it all off, there is a private right of action under GDPR.
Even at this late date, there are steps you can take to begin to get ready. Armstrong laid out three steps a company can take now. First, have a proper plan which is achievable and concentrates on the main issues that, Armstrong believes, “are less likely to get you into trouble with the regulator or expose you to private rights of action.”
Second, Armstrong said you should look at how you relate to individuals, whether they are consumers or employees; you are going to have to be much clearer with them about how you are using data about them. To do so, you will need to engage with marketing and sales teams to give them some awareness of the changes that GDPR is going to make to what they do with individuals and of the transparency obligations.
Third is to have a real focus on data security. You will need to make sure that you secure everything that you can, including both soft and hard copies of data. In conjunction with this final point, you must plan for and rehearse data breach responses, because under GDPR you have, in most cases, just 72 hours to respond to a data breach, so you need to practice the scenario to be able to do that efficiently.
Near and dear to the compliance professional’s heart, Armstrong said it all begins with a risk assessment. This means your corporate compliance function may well play a very large role in your GDPR compliance. From there, manage the risks that you see in your data protection and management program. The Cordery FAQs (FAQs) regarding GDPR state, “Privacy by design and/or default will not be an add-on, but, instead, will become the norm as businesses will have to incorporate data protection safeguards into their products and services from the beginning.”
You should anticipate the need to appoint a Data Protection Officer (DPO) in your company. The FAQs state:
A DPO will have to be appointed to deal with data protection compliance where:
“The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data-processing, and, must be independent in the performance of their tasks – they will report directly to the highest level of management.”
In addition to the basic risk assessment, Cordery advises, companies should undertake “Data Protection Impact Assessments” (DPIAs). The FAQs state: “Where processing operations, in particular those using new technologies, ‘are likely to result in a high risk for the rights and freedoms of individuals,’ an impact assessment of the envisaged processing operations on the protection of personal data must be carried out, prior to the processing, ‘taking into account the nature, scope, context and purposes of the processing.’ The new rules also set out other additional criteria that will necessitate an impact assessment. A data protection regulator must also be consulted prior to the processing of personal data where an assessment ‘indicates that the processing would result in a high risk in the absence of measures taken by a data controller to mitigate the risk’.
DPIAs are likely to become common and should prove to be a very useful tool for businesses in addressing privacy risks.”
For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 PM. You can find out more information on the event and register by going to the GHBER.org site.
In this episode, podcast favorite James Koukios returns to discuss highlights from the international anti-corruption efforts, enforcement actions and developments covered in Morrison & Foerster’s December report. We highlight five developments:
For more information read the full Morrison & Foerster white paper Top Ten International Anti-Corruption Developments for December 2017
In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week.
One of the ongoing questions from members of Boards of Directors is how to resolve the tension between oversight and managing. I recently had the opportunity to visit with Joe Howell, the Executive Vice President (EVP) of Workiva, Inc., on this subject. Howell has worked on and with Boards of Directors at various companies, and I wanted to garner his understanding of the role of a Board with respect to both senior management and a Chief Compliance Officer (CCO). Howell had a short response which I thought was an excellent starting point to understand the role: put sand in the shoes of management.
The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong”, can “help get management out of its comfort zone by and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer putting the little bit of sand in the shoe to make sure that you’re thinking about things carefully can cause you to step back and really focus your resources where they're needed.”
Boards do this by posing questions to management that help them challenge their own assumptions, especially those assumptions which senior management is most confident about. Howell said that Boards “need to help senior management consider the things that management is so sure about that maybe are going to play out the way that they expect. For example, the things that can hurt investors more than anything else is a surprise. Chaos does not help investors in general. The things that surprise investors frequently are the things that also surprise management. Does management consider all of the things that can go wrong and have they built an environment where they can both help prevent those things from happening and detect them when they’re small and they can actually do something about them?”
Howell noted the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “one very good example is the whole, the reputation of those stakeholders involved in the company and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell went on to state, “it’s very important as we go through some of the ways the board can help management in that role. I think the things that really make a difference to management is when the board is able to be an effective devil’s advocate. Not managing management but helping them in their governing role by helping management to step back and think critically of their own underlying assumptions and biases.”
One of the continuing struggles I hear about from Board members is asymmetrical information, largely due to the siloed nature of company information and structures. Howell acknowledged, “These sorts of barriers are pervasive in any company of any size that has particular operations and different product lines and different markets and different countries and different time zones. These limitations in the free flow of information by themselves create a risk to the organization, to the investors of the organization, to the employees of the organization and the board’s ability to ask questions. If nothing else in their governance control creates this reminder to management to open up itself to itself and listen carefully to its own organization and be able to link information to all of the places it needs to be fed.”
I asked Howell to further explain his phrase “open itself up to itself and listen”. He provided the following example: “how can the Chief Financial Officer make sure that he is giving all the information that the Chief Compliance Officer needs to do his job? Those questions from the board can be very valuable in making sure that the Chief Financial Officer doesn’t forget these issues and the Chief Compliance Officer has an opportunity to engage constructively with the Chief Financial Officer and others in the organization.”
Somewhat counter-intuitively, Howell noted that when it comes to the Board’s oversight role around internal controls, less is often more. This occurs by helping management understand that a company can overdo a control environment, “in the sense that when management guides controls around risks that are not going to be the most serious risks to the company, that they end up building excessive amounts of energy and protection where they're not really needed. That you as a management team end up diluting your attention and diluting your resources.”
Howell went on to explain it is simply a matter of resources, “When things do go wrong, you’re in effect spread so thin that you don’t see those risks coming at you. The real question where less is more can be very valuable is when the board continues to challenge the management team on the scenarios that could play out. That could be devastating to an organization where risk really matters.”
I asked Howell if he could provide any discrete examples and he pointed to the food service industry for the following: “For example, in a food service company or a restaurant company, if there were contamination or if there were things that could happen either at the plant or by people who are touching the food. Those are very serious risks that a company needs to both be mindful of and to be able to prevent. If something goes wrong, you need to be able to detect early. When customers of the company or others are hurt, there’s a consequence of failures that can be devastating.”
In another example Howell said he had seen situations where internal “controls that are used for financial reporting for example, when examined in the light of where the risk really exists for the company, the companies have been able to reduce their controls actually by as many as half and improve their overall control environment and reduce the aggregate risk to the company. It’s interesting that even spending less money on controls by having fewer controls can improve the overall comfort that the company and its management and investors are protected from risk.”
A Board is not simply there to be a rubber stamp for senior management. It must exercise independent judgment, action and oversight. Further, it is the Board’s role to ask hard, difficult and probing questions to make sure management is not only doing its job but has considered other risk possibilities.