While governance has always been important for companies, recent events that have shaken the foundations of corporate America have escalated it to an imperative. As regulators, lawmakers, exchanges, investors and other stakeholders look on, boards and CEOs have no choice but to examine their processes to maintain and, for many businesses, regain confidence.
Responding to the New Environment
President Bush recently signed into law the Sarbanes- Oxley Act of 2002. This law sets forth, among other things, new corporate governance standards for public companies within the United States. Publicly traded companies — specifically the CEOs and CFOs that lead them — must now certify the accuracy of all financial results and reports. The Securities and Exchange Commission, the New York Stock Exchange and NASDAQ have also issued proposals for expanded listing requirements that most certainly will alter the governance landscape. These organizations and other regulators have stressed the importance of companies maintaining sound ethical practices to protect their reputations.
Clearly the global business environment has changed in the wake of highly publicized accounts of misleading financial reporting and other improprieties within large corporations. These events came as a surprise to some executives and board members who either had no advance warning they would occur or were not aware of the risks facing their companies.
Under the new requirements, this knowledge gap will no longer be acceptable. It will be incumbent upon boards of directors, CEOs and CFOs to not only design and implement appropriate corporate governance processes, but also to assess the risks their businesses face today and can reasonably expect to face in the future, and to manage those risks in an appropriate manner. In the process, they will find a very different risk profile than just a few years ago. As business climates and economies shift, so, too, do the associated risks.
Personal Accountability is a Vital Tenet of Governance
In this challenging environment, it is the shared responsibility of management and the board of directors to define roles, responsibilities and authorities to make decisions and take action, and to establish the appropriate framework for reinforcing personal accountability.
The new SEC guidelines on public reporting have raised the bar on corporate accountability, but they may not be enough if boards and management want to preserve shareholder value and, more importantly, investor confidence. Accountability must be clarified at all levels and for all key processes in the organization, including the financial reporting process and the assessment and management of risk. Gaps that exist when there is no one responsible for managing a critical risk or process should be eliminated, and overlaps that occur when there are multiple owners of a critical risk or process should be minimized.
Management and boards should consider certain standards when setting accountability. Application of these principles will create a healthy tension within the organization and facilitate communication between management and the board.
- Balance shareholder value creation with shareholder value protection. Investors in corporate America lost significant wealth over the past two years. While a decline may have been inevitable due to the high stock price multiples built up over the past decade, some organizations bet too much on what they believed to be a promising marketplace. For example, telecommunications companies built excess capacity in bandwidth to meet an anticipated explosion in customer demand. When that demand failed to materialize, shareholders suffered the consequences. Boards and management must balance risk taking with the long-term interests of investors by defining the appropriate risk management oversight structure and addressing how the enterprise’s culture influences behavior. With the cost of strategic error so high, nothing less than the very survival of your company could be at stake. If asked, investors would likely assert that boards are ultimately responsible for the oversight that leads to balancing of shareholder value creation and preservation.
- Make discussions of risk tolerance more explicit. As management recommends specific strategies and action plans to the board, they should also articulate their tolerance for risk. The board, in turn, must understand and concur with management’s risk tolerance and the impact of the recommended strategies on the organization’s risk profile. Risk is inherent in any business model; therefore, the board and management need to be on the same page with respect to the specific risks that will be taken. For example, what are the most significant business risk exposures, and what are the potential upside and downside implications of those exposures? An explicit dialog on the organization’s risk tolerance will assist the board in setting accountability with senior management for performance and in understanding the risks inherent in the organization’s strategies and plans. Lack of clarity on these issues or failure to develop a plan to address them could signal key problem areas for which no one will be accountable when they materialize later.
- Establish responsibilities and authorities. Once the risk tolerance level has been set by management and approved by the board, personnel at all levels of the organization must be provided with clearly articulated descriptions of their respective responsibilities and authorities. Starting with the CEO, everyone in the organization should understand what it is he or she is expected and authorized to do and under what circumstances others must be consulted
- Align performance measures and compensation systems. Enforcing accountability requires articulating performance expectations and aligning performance appraisals and reward systems with those expectations. For example, the manner in which business unit managers and risk managers are rewarded will significantly impact their behavior. These individuals should be compensated based in part on their ability to achieve goals linked to enterprise-wide risk management and the control environment. Effective alignment will help management keep the organization’s entrepreneurial risk-taking activities and control activities in balance, so that neither of the two is disproportionately strong relative to the other.
- Focus on the selection and accountability of internal audit and external audit. The audit committee of the board should guide the process for selecting internal and external auditors and should oversee their performance. What experience and qualifications are necessary to ensure the audit function is effective? Are the requisite staffing and budget available to achieve goals and meet expectations? How should the performance of internal and external auditors be evaluated? What interaction is expected between internal and external auditors, and how is that interaction facilitated? Boards and management should also determine that there is appropriate respect for the internal and external audit functions within the organization.
- Develop specific steps to encourage responsible behavior.While the dynamics by which a board operates are vital to its success in representing stakeholder interests, stakeholders need more. Responsible business practices are fundamental to a board’s mission to ensure that business activities are conducted with integrity. In the aftermath of recent corporate scandals, directors need assurances that the affairs of the business are beyond reproach. Management must clearly state corporate values and promote a culture, both with words and with deeds, that encourages responsible business behavior. This represents a critical accountability issue for directors and management because the organization’s culture significantly affects the board’s effectiveness over time in carrying out its defined oversight roles. Rules are helpful but not enough. Establishing and enforcing a code of conduct, implementing a system of appropriate checks and balances, taking timely disciplinary action on ethical violations, and executing focused internal audit procedures are specific steps that should be considered.
- Evaluate any activities of the business that might impair the enterprise’s image as a reputable corporate citizen and erode its brand name.When evaluating governance, accountability for social responsibility cannot be ignored. Because most large public companies operate in a fishbowl, it is incumbent upon the board and senior management to establish such accountability from the top. Otherwise the message gets lost. For example, are there specific areas where a company faces the risk of restating its financial results from a prior period? Are there any risks with respect to the tax positions the company is currently taking or contemplating? Health and safety (employees, customers and the general public), product warranty and environmental issues are other areas that require attention to determine if there are potential sources of embarrassment that would shift management’s agenda from achieving long-term objectives to crisis communication and damage control.
These are a few of the standards and guidelines that boards and management should consider when setting accountability in public reporting, in risk management as well as in other areas of the organization. In today’s environment, many directors are asking how, as board members, they should manage their personal risk. In addressing the new rules and challenging business environment, a critical part of a board’s response will be increased knowledge of the enterprise’s risks and risk management capabilities. This will be attained through more anticipatory and proactive oversight as well as more explicit dialogue with management and continued emphasis on establishing personal accountability throughout the organization.