Whether you’re a board member of a retailer like Starbucks or sitting on a large financial services board like JPMorgan Chase, I’ll bet you’re pleased at this point that you said no to SONY board membership. Though Enron is now nearly 13 years behind us, you may recall the U.S. Senate subcommittee finding that ultimately led to the passage of the Sarbanes-Oxley (SOx) Act in 2002, that “the Enron Board of Directors failed to safeguard Enron shareholders and contributed to the collapse of the seventh largest public company in the United States, by allowing Enron to engage in high risk accounting, inappropriate conflict of interest transactions, extensive off-the-books activities, and excessive executive compensation.” SOx better delineated the board’s oversight role where financial accuracy is concerned, called for board level audit committees made up of outside (independent) directors, required attestation on internal controls, and emphasized that directors on boards are responsible for direct supervision of the company. At another level, it established independent oversight of public company audits, via the PCAOB (Public Company Accounting Oversight Board), fondly referred to as “peek-a-boo” to the profession, which had for the prior 100 years engaged in self-regulation. Over 2,000 firms from over 80 countries are registered with PCAOB today.
As financial losses mount from mismanaged vendors, gaps in internal controls and service outages from natural disasters or from cyber-attacks on publically traded entities, many boards have paid more attention and modified selection criteria for its members. No longer are boards simply cheerleaders for the CEO. Technology has become more critical to high-speed digital transactions, so companies have sought out directors with IT chops, just like they have recruited independent experts to sit on their audit committees. But rarely do companies require significant continuing education for board members, especially on esoteric topics like strategic risk, high speed trading, privacy, business continuity or cyber-threats. So it’s entirely possible that a board member could read about the Target breach or the more recent SONY hack, ask a few questions and be reassured that it could not happen here.
If you’re not already a member of (for example) the U.S. National Association of Corporate Directors (NACD), then how do you learn and what should you be looking for?
Overconfidence from the C-Suite. The belief that “it can’t happen here” needs to be proved out to the board. If in fact, the board is not receiving threat or gap analyses directly from the Chief Information Security Officer and the Chief Internal Auditor on a quarterly basis, you should ask why not and raise the bar. For each explanation you receive from the executive team, you should ask how clearly the company’s program is explained in terms of importance and relevance, to employees and customers, in a show of “tone at the top.”
Vague or inaccurate responses to questions. Don’t let executives “dumb down” explanations. Read widely in the company’s lines of business, and then be sure you get real answers to your questions. It is possible for executives to prepare briefing papers in clear English even though the material may be technical. In each case, the questions of risk and impact to revenues and reputation should be dealt with in addition to the costs being discussed.
Issues not on the radar. Sometimes the CEO and CFO do not have a clue as to what could be going wrong on the operational side. I’m looking closely at this issue in the book I’m working on right now. At each level of the company, analyses can get simplified in the name of “executive presentation” to the point that the CEO/CFO believes that the risk level is being managed, or is manageable. In such instances, it is not that the C-suite is trying to conceal information from the board, which is why one of your primary responsibilities as a board member is to ask questions based on information you’ve received from other sources or events experienced by other companies. A prime example here is General Motors, where damaging information and costs were concealed for years. Bad news or an unfavorable review of a new product/service always carries the potential for reduced support or loss of position, which is why no one likes to let his/her manager know when sometime goes quite wrong. Asking questions is the best way to be sure that the board has all the information from a detailed briefing before making a decision.
Finally, look for the outliers. When you join a board, one of your first requests should be for the regulatory and audit reports over the past few years so that you can see where the gaps in controls are and to monitor what is being done to close the gaps. Are there consistent patterns, such as mishandling of vendors or of confidential information? Is the technology up to date and redundant? What does the level of turnover look like at both the senior management and the executive level?
Well-informed board members bring us one step closer to corporate stability.
Annie Searle, Principal of ASA, helps companies build world-class risk programs. An internationally known expert in operational risk management, with extensive experience in the financial, IT and business sectors, Searle thrives on complex challenges.
Originally posted in the January 2015 issue of the Risk Universe magazine.