Used appropriately, executive sessions can be an important part of a board’s risk oversight process. Below, we discuss how to approach these sessions with the objective of maximizing their value.
Executive sessions may be held by independent directors for a number of reasons, including to evaluate chief executive officer (CEO) performance, compensation and succession; address issues related to how the board operates, including resolution of conflicts and disagreements among board members; consider the results of investigations into irregularities involving senior management; discuss board practices and performance; and cover matters requiring confidentiality in a restricted session.
Our focus below is on using executive sessions as part of the board’s risk oversight process, as these meetings present an opportunity for directors to obtain unfiltered input from selected executives who otherwise might be influenced to couch or hold back on their responses to questions in the presence of senior executives.
An executive session is a meeting of independent directors in which the proceedings are confidential. This means members of the executive team are not present or aware of the matters discussed.
Conducting regular executive sessions is considered a sound practice for boards when the purpose is well understood. While the rationale for an executive session varies depending on the organization’s culture and circumstances, certain issues require more candid, confidential conversations and, consequently, a more limited audience.
These sessions also can be perceived as awkward, and can foster unnecessary anxiety and distrust if abused. If an executive session results in discussion of issues about which the board has limited information, it may be unproductive and even inappropriate. Given these caveats, relevant questions include:
- Why hold executive sessions?
- How often should they be held?
- Who should be asked to participate?
- What topics should be discussed?
- How should they be conducted?
- How should the consequences of these sessions be handled?
While there isn’t a one-size-fits-all response to these questions, we offer some observations below.
Why hold executive sessions: Some CEOs and board members don’t believe executive sessions are necessary. Others view these sessions as an integral part of the board’s oversight agenda. Occasionally, the board needs time to focus on its governance duties in a restricted session. Executive sessions provide an opportunity for independent directors to meet without being unduly influenced by the CEO, thus encouraging more open and robust communication. Some assert that if the board doesn’t provide a regular time and location for private discussion, directors will interface with one another informally outside of regular board meetings. While directors can always interact outside of regular meetings, this practice may not be optimal if allowed to spiral out of control.
For example, not everyone who should participate is able to, the participating directors may not have access to all the relevant facts, and the board may even become dysfunctional in terms of working relationships among directors and with senior management. Periodic executive sessions provide a formal process or outlet for such discussions, permitting independent directors to speak their mind and ask the tough questions they might not raise otherwise, all with the support of the CEO and executive management.
Rather than debate the pros and cons with respect to executive sessions, our purpose is to point out the merits of such sessions to risk oversight. For example, the COSO 2013 Internal Control – Integrated Framework states:
The audit committee along with a strong internal audit function is often best positioned to identify and promptly act in situations where senior management overrides internal controls or deviates from expected standards of conduct. The committee interacts with the external auditor, meeting regularly to discuss the scope of planned audit procedures and the results of those procedures. Meetings with external auditors include executive sessions without management present to provide a forum for further dialogue between external auditors and audit committees.
The COSO Framework also states:
As part of assessing fraud risk, management assesses the risk of management override of internal control. The board of directors or subset of the board (e.g., audit committee) oversees this assessment and challenges management depending on the circumstances. The entity’s control environment can significantly influence the risk of management override. This is especially important for smaller entities where senior management may be very involved in conducting many controls.
Management override describes action taken to supersede an entity’s controls for an illegitimate purpose, including personal gain or an enhanced presentation of an entity’s financial condition or compliance status. Actions to override typically are not documented or disclosed because the intent is to cover up the actions.
However, management override should not be confused with management intervention, which represents action that departs from controls designed for legitimate purposes. Management intervention is necessary from time to time because controls cannot be designed to anticipate and mitigate every risk. Management’s actions to intervene are generally overt and documented or otherwise disclosed to appropriate personnel and, if the matter is significant, to the board.
With appropriate knowledge, attention and communication, the board is positioned to provide an effective means of offsetting the effects of management override of established internal controls and risk management practices, particularly as they relate to financial reporting and managing critical risks. Executive sessions provide an opportunity for directors to obtain insights regarding sensitive matters on a timely basis; otherwise, they likely will be informed of such matters on a delayed basis.
Frequency of executive sessions: These sessions should be held on a regular, scheduled basis. They should be expected, with their purpose defined and understood by everyone, so there is no reason for anxiety about why they are being held. These sessions typically are held after the full board or committee meetings. Such scheduling provides an opportunity for independent directors to engage in a candid discussion of topics covered during the full board or committee meeting, without fear of management influence.
Executives targeted by executive sessions: Personnel in sensitive positions – including the chief financial officer, chief accounting officer, chief audit executive, chief risk officer and chief compliance officer – provide meaningful insights regarding sensitive financial reporting, accounting, risk and compliance matters of which directors should be aware. To that end, the boards of some issuers conduct executive sessions with one or more of these parties to provide independent directors an opportunity for one-on-one sessions with key executives responsible for critical functions.
Topics discussed during executive sessions: Frank, open discussions among independent directors provide (1) an effective check on the risk of management override; (2) insight on the effectiveness of critical internal controls and risk management processes; and (3) an opportunity to obtain signs of important cultural and other issues of which directors should be aware. Meetings may be convened in executive sessions when dealing with confidential matters such as, but not restricted to, disciplinary actions, litigation, business-critical issues and board performance issues.
Conducting executive sessions: When not well managed, executive sessions can fuel problems ranging from lack of transparency and disregard for public accountability to inappropriate board member behavior, distrust, and ineffective relationships between the board and management. Simply stated, the board must address the right issues in the right setting with the right individuals present. If the setting calls for privacy, an executive session is a means to that end.
Handling the consequences of executive sessions: Regarding the results of executive sessions, independent directors must have an appropriate channel for communicating to the CEO and executive management any concerns arising from such sessions. With respect to minutes, there is no one-size-fits-all prescription. The directors themselves should decide, after each executive session, whether or not minutes should be created and, if so, what should be included.
Questions for Boards
The board of directors may want to consider the following questions in the context of the nature of the risks inherent in the entity’s operations:
- Are executive sessions conducted on a regular, scheduled basis?
- Do the executive sessions provide an opportunity for independent directors to engage in open and frank dialogue with each other and with any senior executives who may be present?
How Protiviti Can Help
As the board evaluates how to organize for risk oversight, Protiviti can assist it and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We assist companies with integrating their risk assessment process with their core business processes, including strategy-setting. We help organizations improve their risk reporting to better inform the risk oversight process, a key to the success of any board risk oversight process.
Board Perspectives: Risk Oversight (Issue 62)