When a catastrophic risk is present, the profound consequences of making a poor decision, either by act or omission, and the complex human dynamics that attend issues of this magnitude, demand a risk analysis process that requires discipline, wisdom and most importantly, the courage to act in a manner that may counter to the company’s and board’s culture and expectations. This is particularly true if the magnitude of the risk is not readily apparent. While we ordinarily may take comfort in the use of increasingly sophisticated planning and risk avoidance processes, the best practice for the avoidance of catastrophic events lies in the consistent use of a three-part strategy:

1. Understanding the reoccurring human qualities that have resulted and will continue to result in catastrophe,
2. Recognizing the bias that exists when information is presented and received, and
3. Daring to be dumb enough to understand and avoid those situations that may result in a catastrophic event.

Robert C. Boneberg

This strategy is important when facing a known catastrophic risk, but it is essential when the risk is unknown, or more dangerously, thought to be understood. In sum, since the nature of any given risk is, at best, is uncertain, this strategy should always be consciously employed.

It is false comfort to conclude that a catastrophe was no one’s fault-it could not be prevented- it was a 100 year storm- the perfect confluence of overwhelming negative factors. It is true that sometimes, some catastrophes cannot be avoided no matter how much able planning is done. More often, however, the fault continues to lie with ourselves, and in the repeated display of those human frailties that singly and in combination lead to catastrophe: Greed, arrogance, complacency, obsequiousness, fear.

Discussed below are a number of well-known decisions, in numerous areas of human endeavor that ended in catastrophe. All of these catastrophes, all the lives ruined, and in some cases the lives lost, could have been avoided, or at least mitigated, if the pre-event analysis had been 1/100th as thorough and rigorous as the deep and reflective post-event studies have been. For us, in retrospect, they present obvious questions: what common factors affecting decision-making are present; what processes could the decision-makers have engaged in that might have avoided the catastrophe; and what decision-making processes should we employ to avoid catastrophes for those entities for which we are responsible.

In these examples we see the repetition of familiar patterns of all too human behavior: the arrogant, single-minded leader, the timid subordinates, the failure to pursue obvious red flags and the pursuit of misunderstood goals. The people involved in these events were not unsophisticated, inexperienced or naïve. To the contrary, they were some of the smartest, best educated, experienced and accomplished people of their time or any other time. The flaws and frailties that they showed are ours, and the traps they wandered into await us all. As we review these examples, we might consider whether or not, if we had been present, would we have had the wisdom and courage to stand against the prevailing institutional culture until the risk was recognized and avoided.

In 1912, one of the greatest vehicles ever designed for the transportation of people set sail. A few days later Royal Mail Ship Titanic sank and 1500 people died. One of the explanations suggested for the catastrophe was the arrogance of the Captain, and others who encouraged him, who, it is said, steered the ship at high speed through the iceberg lanes in an effort to show the speed of the marvelous, new ship and reap the publicity and acclaim that would follow. But pointing an accusatory finger at one or two persons is not the whole answer. Equally profound was the group decision of the owners, designers and builders who provided a wholly inadequate, but legal, number of life boats, based on the ship’s tonnage without regard to the number of persons on board.

In 1944, one of the greatest armies ever assembled, the Allied Expeditionary Force, was pushing across Europe while its commanders considered how to cross the Rhine into Nazi Germany. One of the most fabled generals in the Allied Force hit upon a brilliant, but completely unworkable, plan to parachute some 10,000 men behind the Nazi lines to capture a bridge across the Rhine. The main army would then mount a two day attack and relieve the paratroopers, who were to hold on at this distant bridge. In deference to or in fear of the great commanding general, and those supporting him, no one vigorously challenged his assumptions or criticized the plan’s numerous flaws, including the assumptions that the area around the bridge would be lightly defended and that the isolated paratroopers could be reached by the main army in two days. Nine days after the attack began, when the main army finally reached them, the 2000 surviving paratroopers swam and rafted back across the river. A bridge across the Rhine would not be seized by the Allies for another six months.

In 1986, one of the greatest vehicles ever designed for the transportation of people was launched. Seventy three seconds later the Challenger space shuttle exploded. NASA concluded that its personnel were too focused on maintaining the launch schedule, and that those who were concerned that the cold temperatures at launch might jeopardize the space shuttle were either too intimidated or too unsure of themselves to object vigorously and, to the extent that anyone dared to speak out, they were over-ruled. This, NASA said, would never happen again in NASA’s new climate of safety.

In 2003, one of the greatest vehicles ever designed for the transportation of people, the Columbia space shuttle, disintegrated during reentry. The specific cause of the catastrophe was a hole punched into the left wing at launch by falling foam. But, the underlying causes were identified as a desire by NASA management to present the space shuttle missions as relatively safe and even routine that could proceed on fixed schedule, a flawed and untested belief that foam falling on the space shuttle at launch was harmless even if outside safety parameters, a refusal to consider that the space shuttle design might be inherently flawed and significantly less safe than understood, and publicly presented, and a desire not to be the one who would stand up and challenge any of the foregoing assumptions.

A key focus of the conversation was board governance structure and who, at the board level, “owns” risk oversight. Most directors place responsibility for risk oversight on the audit committee, although many of those assembled agreed that certain types of risks—including technology, reputational and strategic risks—need to be addressed by the full board. The consensus that risk can be managed within the existing committee structure, or by the full board where needed, runs somewhat counter to calls from shareholders and regulators for the creation of specific risk committees for banks and financial institutions. Outside of financial services companies, it was generally agreed that there is no real need for specialist risk committees.

For some directors, creating a risk committee can lead boards to think, in the words of one participant, that “risk is being dealt with and therefore I don’t have to think about it.” However, this is likely not the case, which may mean that risks are not getting the full consideration they require.

To that end, it was noted that there is now a trend for the non-financial services companies to bring all committees involved into the risk oversight process. While the audit committee may take overall responsibility for oversight of the risk management policies and procedures, the nominating and governance and compensation committees may analyze and discuss risks within their specific purview. Regardless of how the responsibility is delegated, it is critical that there is a structure in place to ensure oversight of the risks identified in the process and that none “fall through the gap,” and that all committee charters clearly state the committee’s responsibility with regard to risk oversight.

All of the directors in attendance maintained they are devoting increased time and attention to risk oversight. They are more involved, more aware and are receiving far more information on risk than ever before, they said.

Maureen Errity, a director with Deloitte and a leader of Deloitte’s Center for Corporate Governance, highlighted the concerns of some directors that, although financial risk remains at the heart of the discussion, boards may be spending time on it at the expense of other concerns, such as strategic business risks. Boards should address those enterprise-wide issues that may have the most significant impact on the organization, as well as on the strategic risks that could create opportunity for the business.

Broadening the scope of the board’s risk analysis requires directors first to understand what risks a company really faces. Dan Konigsburg, a director with Deloitte LLP and the Center for Corporate Governance, suggested the board gather information from a wider group of company executives and employees.

Indeed, some directors at the roundtable admitted being less than optimally familiar with the senior risk managers in their organizations. These managers occasionally make presentations to the board, but directors asked if it is desirable to establish a closer relationship. Emerging thinking says it is.

One consideration is that many companies do not have a chief risk officer, and directors may receive risk reports from different sources and at different times. A significant topic being analyzed is the risk management infrastructure. For nonfinancial services companies, the CFO or chief compliance officer may be tasked with leading risk management. Participants agreed that centralizing the information flow to directors provides the board with greater understanding of how risk is being assessed and managed.

Perhaps one of the most pressing questions for directors is how to align risk with strategy. Businesses have inherent risks, but the key, Errity explained, is to strike the right balance and establish the company’s risk appetite. This also raises the question of how much money the company is willing to spend to mitigate risks, since many systems and processes have associated implementation costs.

Many directors believe the line between risk and strategy is blurry. Capital financing, mergers and acquisitions, market listings and the like are strategic issues, yet they all involve risk. The challenge is thinking through all the risks and presenting them not only individually but in the aggregate. Further, some companies are using risk management as a foundation for broader strategic thinking by holding discussions with management to explore “what-if” scenarios and new-business paths that will have associated risks but that may create long-term value for the organization.

Perhaps the best way to address these issues, participants suggested, is to create a structure whereby board members can question and challenge the assumptions and decisions of management in relation to the intersection of strategy and risk. The culture of each board is unique, and so the exact process of achieving effective risk management will vary, but there are some common factors. Success involves asking the right questions and making sure directors understand the answers, while also recognizing the value and experience the board can bring to the risk and strategy discussion.

Often, management will suggest strategies that seem sound, but directors need to analyze them in relation to industry trends, the company’s internal risk appetite and what is best for long-term shareholder value.

In fact, the directors noted, the lack of unified risk oversight actually opens the company to risk in and of itself. While it may not have overall ownership of the various risk functions, the board must have a clear picture of all the material risks facing the company and the certainty that senior management is well apprised and equipped to manage these enterprise-wide risks effectively.

Participants:

Gary G. Benanav: Director, Barnes Group

James Benson: Director, Sapient Corp.

Neil Braun: Dean, Pace University’s Lubin School of Business; Director, IMAX Corp.

Beth Bronner: Managing Director, Mistral Equity Partners; Director, Jamba Juice, Syms Corp.

Laura L. Brooks: Director, Provident Financial Services

Phebe Neely Ciulla: Senior Manager, Deloitte Financial Advisory LLP

James W. Dyke Jr.: Director, WGL Holdings

Maureen Errity: Director, Deloitte LLP Center for Corporate Governance

David R. Haas: Director, National CineMedia

Nitish Idnani: Principal, Deloitte ERS

Matthew S. Kissner: CEO, The Kissner Group; Director, John Wiley & Sons

Dennis E. Klima: Director, WSFS Financial Corp.

Dan Konigsburg: Director, Deloitte LLP Center for Corporate Governance

W. James MacGinnitie: Director, RenaissanceRe Holdings

Harvey Morgan: Managing Director, Bentley Associates LP; Director, Family Dollar Stores

Richard G. Nadeau: Founder, Chairman, Vistair Ventures; Director, IRIS International

Wilmer F. Pergande: Chairman, Director, Consolidated Water Co.

Dr. Warren R. Phillips: Professor Emeritus, University of Maryland; Director, CACI

Michael Pocalyko: Managing Director and CEO, Monticello Capital; Director, Herley Industries

Scott Roulston: Managing Partner, High Road Partners LLC; Director, Developers Diversified Realty

Laurie M. Shahon: President, Wilton Capital Group Director, Knight Capital Group

Ervin R. Shames: Director, Choice Hotels International, Select Comfort Corp., Online Resources Corp.

Burt Steinberg: Director, Provident, New York Bancorp

Stephen E. Wasserman: Partner, Wasserman & Associates; Director, IRIS International

Karen Hastie Williams: Director, NACD

Steve Starbuck

In the 2011 proxy season, resolutions on corporate responsibility issues made up about 40 percent of all of shareholder proposals up for a vote during meetings that took place through June, according to the Ernst & Young corporate governance database. As in 2010, these proposals represented the largest category of shareholder proposals. The 40 percent figure also represents a significant increase over the 2010 full year figure of about 30 percent.

Initial projections by Ernst & Young analysts predicted the proportion of social/environmental proposals would reach 50 percent of all shareholder proposals. However, the actual proportion that came to a vote was 40 percent, partly due to a higher-than-expected number of submitted proposals that were later withdrawn by proponents.

A significant number of corporate responsibility resolutions were withdrawn by proponents, as a result of substantive dialogue with and/or action taken by companies, which is an indication of how company shareholder engagement can lead to mutual agreement on complicated issues. This is a level of success that is not captured in vote outcomes.

The increase in voting support for CSR-related proposals may be a significant factor influencing why companies are increasingly open to reaching an agreement with shareholders on these matters, rather than putting them up for vote on the proxy. For example, of the nine proposals on hydraulic fracturing (a controversial natural gas extraction technique) submitted this proxy season, half were withdrawn due to company action. The remaining proposals, which were included in proxy ballots, received very high levels of support, averaging more than 40 percent of votes cast; one won support from 49.5 percent of votes cast.

Ann Brockett

Investor and Regulator Focus
While the number of CSR resolutions is increasing, so to is the level of support, especially among mutual funds and other important institutional investors. Partly, this is because investors and regulators such as the Securities and Exchange Commission (SEC) are becoming more aware of the reputational and financial risks associated with social and environmental issues. Shareholder proposals have become increasingly prescriptive in asking boards to mitigate potential risks tied to evolving regulations, shifting global weather patterns and heightened public awareness of climate change issues—any of which can affect a company’s business.

These developments have placed more pressure on companies to show they appreciate such risks and are taking appropriate steps to manage them. Board members and senior management need to understand requests for information related to environmental subjects. Just as important, they must work actively to mitigate shareholders’ concerns about environmental issues whether the board considers them legitimate or not. Increasing support on shareholder proposals will put pressure on boards to respond. Although non-binding, failure to respond to a shareholder proposal that receives 50 percent or more of votes cast may result in votes against directors in the following year. First steps toward addressing shareholder concerns related to environmental risks include understanding their investment philosophies and voting policies; knowing who is responsible for key voting decisions; and becoming familiar with shareholders’ history of activism with other target companies.

Greater Support for CSR-Related Proposals
Shareholder proposals are important because they shape the corporate landscape and often frame conversations that take place in corporate boardrooms. Resolutions linked to corporate social responsibility (CSR) historically have been skewed toward social issues. But now, environmental sustainability has become the fastest-growing and most prominent issue, as more institutional investors begin questioning the potential financial impact of CSR issues on their investee companies.

A 2010 survey conducted by ISS, a proxy advisory firm, shows that 83 percent of investors now believe environmental and social factors can have a significant impact on shareholder value over the long term. This belief is clearly visible in the rising level of support for shareholder proposals requesting action related to social and environmental issues.

Additionally, according to our research, the average voting support for CSR-related shareholder proposals rose from 7.5 percent in 2000 to 18.4 percent in 2010, and data for 2011 shows that to date, average voting support on these issues has further increased to 21.4 percent.

Broader support means that proponents gain more traction with investee companies and put greater pressure on their boards. This is especially true if the proposals reach critical thresholds. For example, many boards take note once support levels reach the 30 percent mark. In 2005, only 2.6 percent of all shareholder resolutions related to social/environmental issues received average support of more than 30 percent of votes cast, according to our research. Last year, more than one-quarter of proposals reached the critical 30 percent support threshold, and so far in 2011, the figure has grown to nearly a third.

Regulatory changes are also driving broader support for resolutions linked to environmental risks. In late 2009, the SEC began to allow shareholder proposals to include the phrase “financial risk” in discussing environmental and other issues. In February 2010, the agency issued guidance reminding companies of their responsibility to disclose their material risks related to climate change.

Support From Mutual Funds Grows
A clear example of the growing support for environmentally related proposals comes from the mutual fund industry. According to an analysis by Ceres, a coalition of environmentally oriented investors, average support by mutual funds for climate change-related resolutions grew from 14 percent in 2004 to 27 percent in the 2009 proxy season, and the percentage of abstentions increased as well. In the same period, opposition to those resolutions fell from 76 percent to 55 percent, reflecting a sharp departure from traditional voting policies. The Ceres analysis evaluates proxy votes on climate change-related proposals by 46 mutual fund companies with more than $5 trillion in total assets under management.

Director Expertise, Compensation Targeted
A growing number of shareholder proposals are linking social and environmental matters to traditional governance issues such as compensation and the qualifications of board members. For example, some resolutions advocate tying performance metrics used for determining executive compensation to environmental goals. Others seek to ensure that board members have the environmental expertise needed to deal with sustainability and other environmental issues.

For example, at a 2010 annual meeting for a large oil and gas company shareholders filed a proposal requesting that the company have at least one board member with expertise in environmental matters relevant to hydrocarbon exploration, and that the business and environmental communities recognize the board member as an authority on environmental matters. This proposal received support from 27 percent of the votes cast. A similar initiative last year at a large mining and metals company was supported by 34 percent of votes cast. This year, shareholders of a major energy company asked the company to spell out how it planned to strengthen its risk management function to better prepare for environmentally related incidents, and how it would move to a low-carbon economy.

Corporate responsibility resolutions receiving highest levels of voting support to date include those requesting:

• A sustainability report disclosing the company’s environmental, social and governance performance, including a discussion on water risk and greenhouse gas reduction targets and goals (92.8 percent of votes cast)
• A report on the company’s risk management efforts related to coal combustion waste (52.7 percent)
• A report on the board’s oversight of process safety management and related operational safety efforts (54.3 percent)
• Disclosure of the company’s policies and procedures for making political contributions and expenditures, directly and indirectly, with corporate funds (53.3 percent)
• An amendment of the company’s EEO policy to explicitly prohibit discrimination based on sexual orientation and gender identity (61.7 percent)

The specific proposal requesting a corporate sustainability report received a dramatic and historically unprecedented level of support in part because a similar proposal at that company’s 2010 meeting had received 60.3 percent of votes cast and shareholders appeared to be dissatisfied with the company’s response. Another factor in raising the 2011 support is that, in an unusual step, management recommended that shareholders vote in support of the shareholder proposal.

Actions to Take
Risks related to sustainability, including climate change risk and other environmental issues, matter a great deal to shareholders. Yet many corporate directors lack a deeper understanding of these issues. Board members, as a result, would greatly benefit from formulating a strategy for anticipating shareholders’ future concerns. At a minimum, companies and their boards must be prepared to do the following:

• Enhance dialogue with shareholders and improve disclosure in key areas, particularly those related to social and environmental issues. Robust sustainability reporting can help with this.
• Ensure that directors’ skills are relevant to the chief areas of stakeholder concern, including risk management tied to social and environmental matters. In particular, companies must communicate with shareholders. They could, for example, take advantage of the SEC disclosure rules around director qualifications to explain how the qualifications, backgrounds and skill sets of their directors—both individually and as a group—contribute to overall corporate strategy, including risk mitigation.
• Consider whether using non-traditional performance metrics—including those related to environmental/sustainability issues—could help align compensation with risk. In addition to financial metrics, performance goals could align with overall environmental strategy, including clearly defined metrics relating to energy efficiency, water usage and the reduction of carbon emissions.
• Shareholders are paying closer attention to environmental and social matters, believing them to bear closely upon the risk to which investee companies are exposed and, ultimately, upon the financial performance of those companies. The 2011 proxy season reflects this deepening trend. Driven by concerns about the financial and reputational risks associated with climate change, institutional investors will likely push harder for action on these matters. Forward-thinking companies will be prepared to address their concerns.

Takeaway: Leading Practices in CSR Governance

Shareholder pressure and increasing legislative and regulatory requirements are driving boards to take a more active role in managing corporate strategy and engaging stakeholders. Here are some steps your organization may want to consider taking to improve its CSR-related governance:

• Board. Make sure your board has a standing agenda item to review emerging environmental and social issues, opportunities and risks.
• Board committee. Install a dedicated board sub-committee to oversee the company’s management of environmental and social issues, opportunities and risks.
• Committee composition. Ensure that relevant committees are composed of executive and non-executive directors with the expertise to assess the organization’s progress in environmental matters.
• Materiality. Apply a systematic process to determine which environmental and social issues are most relevant to the organization.
• Accountability. Hold individual leaders accountable for environmental performance, and schedule regular presentations to the appropriate committees to document progress.
• Reporting. Establish clear frameworks for reporting on the issues most material to the organization. Regularly publishing a sustainability report is one of the best ways to do this. Relevant board committees should sign off on all sustainability reports.
• Assurance. Obtain both internal and external assurance of all reports to gain independent insights on emerging risks and progress, and to be confident that disclosures are accurate.

Steve Starbuck is Americas Leader and Ann Brockett is Americas Assurance Leader for Climate Change and Sustainability Services at Ernst & Young LLP.

Without effective insurance, the risk of uninsured personal liability would be much greater. However, directors and officers should not assume, as Professor Davidoff does, that they have insurance that adequately responds to the real, developing exposures facing today’s directors and officers. Effective, responsive directors and officers liability coverage is the product of hard work from experienced lawyers, brokers and insurers, with vigilant attention paid to legal, litigation and cost trends.

In our world of D&O claims, the risks of being sued or investigated as a director or officer of a public company have never been greater. What’s changed?  To name a few factors:

• Unprecedented breadth of new regulations, creating heightened uncertainty.
• Aggressive government enforcement agencies armed with new tools, like Dodd-Frank whistleblower bounties, and several recent criminal convictions.
• Escalated corporate derivative suits generating settlements exceeding $100 million and a verdict in excess of $2 billion.

While indemnification and insurance can help mitigate liability, the many personal costs of getting sued or investigated by the government should not be underestimated. Even the directors and officers of BankAtlantic, whose trial outcome the professor trumpeted as evidence that the coast is clear for directors and officers, had to suffer through years of litigation, a full trial, a jury finding of more than $40 million in liability and several months of additional briefing and waiting before the trial judge struck down the verdict against them. The financial exposures and the peril of criminal liability, even for those who may ultimately be vindicated if they have the nerve to see it through to the end, are knee-buckling. These considerations alone may justify the demands of directors and officers seeking to be compensated for their risks.

Perhaps the biggest risk Prof. Davidoff overlooks is that statements like his feed complacency, and complacency is likely to result in uninsured personal liability. To enjoy the comforts of effective insurance protection, stay attentive to your insurance, and work with experienced, proven lawyers, brokers and insurers.

Rob Yellen is chief underwriting officer, executive liability at Chartis.

Herbert S. Winokur

At present, boards are organized into standing committees (e.g., audit, compensation) and occasionally ad hoc committees. Some entities, particularly financial institutions, have standing risk committees, which generally concentrate on financial risk management. But boards’ agendas have become increasingly crowded with “check the box” activities, and committee and board meetings have expanded to make sure defensive processes are followed. As a consequence, board committee charters have become more “stove-piped,” which hinders board committees from ensuring that risks that cut across the organization are being considered and monitored appropriately. In addition, board members receive information up from within the organizational hierarchy, which is by definition limiting.

A new approach to risk management is needed. Risk mapping offers a substantially more productive method of defining risk than does current practice. Risk mapping requires an in-depth look at all types of risks that could affect the organization. It requires reviews of history, competitive practices, regulatory activities, approaches to personnel and compensation, corporate value systems, intellectual property, as well as brainstorming, simulations and “war gaming” about possible scenarios that could affect the organization.

Given the need to examine known risks and speculate about unknown ones, the board meeting structure and schedule are inadequate to the task. In addition, on most boards only a few independent directors are intimately familiar with the activities of the organization they are overseeing. (Other directors may be chosen for reasons of specific expertise, customer or supplier relationships or diversity.) Other individuals who are likely to have a deep understanding of risks would be senior (including recently retired) executives below the CEO/COO, and perhaps recently retired directors of the organization or of its competitors.

A group of people, perhaps five to eight, drawn from these ranks should be organized to form a risk mapping advisory committee. Outside counsel, brand consultants, enterprise risk management specialists and insurance experts are examples of potential staff that could be chosen to support the committee. Enterprise risk management processes, with the help of outside experts, can be a good complement or support to the advisory committee. It is important that the risk management process be separated from the time and experience limitations that any board faces, so that risks can be reviewed with adequate time from a 360-degree perspective.

This group should meet three or four times per year for part or all of a day, outside of the board meeting cycle. Its charter would be first to identify as many risks as possible, and measure them both by the likelihood of their occurring and by the consequences to the organization if those negative events were to occur. Second, the charter would empower the committee to determine what organizational units were responsible for addressing and mitigating these risks and, by default, which risks were not being addressed. The committee would be charged to report to the full board of directors once each year and to provide interim reports as would be helpful. The board would be then both better informed about the organization’s risks and about areas in which additional focus or mitigation would be required.

Some scenarios are worth considering. If, for example, a director of a large financial organization, home builder, insurance or building products company had asked, “What happens if housing prices decline nationally by 5 to 10 percent and stay lower for an extended period?” an interesting discussion might have ensued.

If, in another case, a director of a large financial institution, energy company or pharmaceutical firm had asked, “What is the trade-off between our current short-term profit-maximizing practices and the alternatives of building brand value over a longer period by tightening compliance, safety, and/or lobbying practices?” some important declines in market value might have been avoided. A director of a major research university might have wondered about the trade-offs in allocating endowment to increasingly illiquid investments and the resulting consequences to stability in faculty hiring and construction projects.

Most board meeting structures do not provide opportunities to address and debate the assumptions underlying an organization’s strategy and operations. Management, appropriately, is highly focused on opportunities and challenges in the short run, meeting their operating plan, dealing with problems of people and programs, etc. Spending time on what management may view as theoretical and lowprobability events may be seen as academic and unproductive. But identifying and mitigating risks early, which may involve strategy changes, organizational realignments or just better understanding, certainly should be worth the small investment in time and cost to experiment with this proposed risk mapping approach.

Identifying and mitigating risks early, which may involve strategy changes, organizational realignments, or just better understanding, certainly should be worth the small investment in time and cost to experiment with this proposed risk mapping approach.

Management should be encouraged to provide outputs of its internal risk management activities to the risk mapping advisory committee, and to coordinate those activities with this group over time. (The committee process should be designed to preserve “privilege” and to be sensitive to disclosure issues.)

After the risk mapping advisory committee reports to the board, a number of responses should occur.

• First, the board should ensure that all identified risks of consequence are being considered by one or more organizational units and appropriate steps for risk mitigation are being taken.
• Second, to the extent changes in strategy, processes or procedures are required, they should be taken.
• Third, the board’s nominating committee may want to consider the risks identified as a partial basis for determining what kinds of expertise would be beneficial to obtain from new directors.
• Finally, the board may want, with the help of a crisis consultant or other advisors, to explore possible responses to negative outcomes that might occur.

While it is unlikely that the negative outcomes being studied are the ones that will actually happen, crisis management preparation of any kind is likely to be helpful in any scenario. The new committee could be a potential source of advice should a crisis occur. By repeating this process over time, the organization is likely to reduce the impact of a large and negative surprise on its activities.

Herbert S. “Pug” Winokur Jr. is chairman and CEO of Capricorn Holdings, Inc., a private investment firm. He has served on a number of public and private for-profit and nonprofit boards, and has attended more than 300 public company board meetings.

Jim DeLoach (Copyright Gittings, 2007)

As new legislation, shareholders and disclosure requirements force boards to rethink their risk oversight process, they should consider these seven recommendations in view their organizations’ current operations and risks:

1. Implement a more structured process for moni­toring and reporting critical enterprise risks and emerging risks to the board – While most companies monitor and report risks, survey results suggest opportunities for improvement. For example, a com­pany might formalize the common risk assessment methodology that is based on subjective inputs of the severity of impact of potential future events and the likelihood of those events occurring by mak­ing it a regular and more robust process with results shared with the board periodically.

2. Look for opportunities to make the risk reporting process more effective and efficient and increase the regularity of report­ing according to the organization’s operations and risk profile – According to a majority of respondents, reports that the board does not receive at least annually include: scenario analyses evaluating the effect of changes in key external variables impacting the organization; a summary of exceptions to man­agement’s established policies or limits for key risks; and a summary of significant gaps in capabilities for managing key risks and the status of initiatives to address those gaps.

3. Come to an agreement with management on the risk-related matters that need to be escalated to the board, addressing the what, when and why – Escalation protocols specifically tailored to the company’s operations and risks are important. For that reason, it’s vital to the risk oversight pro­cess to determine what must be escalated to the board (e.g., limits violations), as well as when and why.

4. Encourage employment of techniques that foster out-of-the-box, big-picture thinking focused on the critical assumptions underlying the corporate strategy to assess the strategic risks and uncer­tainties the enterprise faces – Given the volatility of the times, organizations may want to allocate more time and resources toward under­standing what they don’t know by employing techniques focused on the critical assumptions un­derlying the corporate strategy. As they do so, they may identify opportunities to enhance and focus the board risk oversight process further.

5. At least annually, focus on whether developments in the business environment have resulted in changes in the critical assumptions and inherent risks underlying the organization’s strategy and the effect of such changes on the strategy and business model – Less than 15 percent of respondents are fully satisfied with the processes for understanding and challenging assumptions and in­herent risks associated with the corporate strategy and monitoring the impact of changes in the environment on the strategy and business model. Implementation of, or enhancements to, these processes may help the board address two questions fundamental to the risk oversight process – “What do we do if the critical assumptions underlying our strategy and busi­ness model are no longer valid?” and “How would we know if our assumptions were no longer valid?”

6. Implement a more defined, rigorous process supporting the risk appetite dialogue between the board and management, and ensure the results of this dialogue are driven down into the organization in an appropriate manner – Risk levels and uncertainty have changed signifi­cantly over recent years for most organizations. The board and management may find it beneficial to en­gage in a periodic dialogue regarding risk appetite, possibly covering topics such as the maxi­mum acceptable level of performance variability in specific operating areas; targeted strategic, financial and operating parameters; upside/downside debates on significant matters; risks and assumptions inherent in the corporate strategy; and “hard spots”/“soft spots” in the business plan. The board also may consider when and under what circumstances it should be informed of exceptions and near misses to the organization’s risk tolerance parameters and any planned actions to address them.

7. Incorporate appropriate questions relating to risk oversight in the board’s periodic evaluation of board performance effectiveness – Depending on the business and its risks, one practi­cal approach for self-evaluating the risk oversight process is to incorporate an assessment of it within the board’s existing periodic self-assessment process, such that the evaluation of the risk oversight process is conducted at least as often as the overall assess­ment of board effectiveness.

For the complete survey report, visit www.protiviti.com.

Jim DeLoach is managing director of Protiviti.

Author Adam J. Epstein

Especially since so much of the discourse in corporate governance focuses upon large-cap, headline-making events (e.g., Enron, Lehman, etc.), it’s easy to overlook that in excess of seven out of every ten public companies in the U.S. have a $500 million market capitalization or below. At many of these companies, boards are not only leanly-staffed, but the annual budgetary expense for the entire board can be less than the amount a large-cap company expends on just a couple of directors. When taken together with the fact that small-cap companies have demonstrably smaller margins of error in managing risk, what can the governance community at large learn from the way risks are managed at the smallest of public companies?

1.  Risk is relative. Small-cap companies are immune suppressed versions of large-cap companies; a poorly mitigated risk that gives a large-cap company a “cold” will kill most small-cap companies. Accordingly, small-cap companies are uniquely attuned to survivalist risk mitigation; whether a risk is simple or complex is neither here nor there, rather risks that have serious corporate consequences require serious oversight.

2.  The answers are not in the boardroom. The first step in managing risks is to identify them.  But the majority of small-cap companies can’t afford to retain board consultants to identify and confirm risks. Instead, financial restraints compel small-cap directors to be more hands-on—speaking with employees, customers, and suppliers in the field.  As Laban Jackson and Suzanne Hopgood so eloquently stated to a room full of directors at the Directors Forum in January, the answers to most governance questions are not in the boardroom.

3.  Read trade publications. Small-cap companies can rarely afford to purchase proprietary third-party industry reports.  Accordingly, many directors of small-cap companies develop the requisite industry expertise by reading relevant industry publications, which are often compelling sources of statistics, trends, and analyses.

4.  Take advantage of publicly-available information. The public filings and quarterly earnings calls of publicly-traded competitors are treasure troves of information about macro and micro risks, and the steps taken to mitigate them. For example, are there risks which similarly situated companies seem to be more (or less) concerned about than your company? Does your company seem to be facing risks that your competitors are not? Do your competitors have creative ways of managing some risks which your board hasn’t entertained?

5.  Ongoing dialogue with other directors. Because the process of identifying and managing risk is more the same than it is different, industry notwithstanding, having an ongoing dialogue with other directors outside of your company is always time well spent. Local NACD chapter meetings and director education forums are great venues for such interaction.

Whether it’s a visit with a large customer that gives rise to material doubts about the scalability of your legacy ERP system, a passage in an industry trade publication that identifies a new, well-funded Brazilian competitor, a comment from another company’s CFO during their earning call about a creative new way they found to hedge currency risk, or a conversation with another director over coffee wherein you learn about a problem they found with their existing insider trading policy, all of these risk mitigation tools have one thing in common – they fit any budget.

Adam J. Epstein is a director of OCZ Technology Group, Inc., and is the founding principal of Third Creek Advisors, LLC (“TCA”), which acts as a special advisor to small-cap boards with respect to corporate finance and capital markets. Epstein can be contacted by email at ae@thirdcreekadvisors.com.

David M. Lynn

Seeking Accountability: Increasing Activism Leads to Harsh Consequences.
The consequences for any perceived failings or missteps on the part of compensation committees have become increasingly more severe. Institutional investors (and their advisors) have used the director election process to express displeasure with the performance of compensation committee members, the overall executive compensation policies and practices of a company, or even individual components of executive pay. With an ever-increasing number of public companies moving to a majority voting standard for director elections, compensation committee members are increasingly at risk of losing their board seats through a withhold vote campaign targeting the individual members of the compensation committee and the compensation committee chair.

Moreover, executive compensation concerns could compel “activist” investors to target a board of directors with a proxy contest, a “poison pen” letterwriting campaign, or other hostile techniques to put pressure on the compensation committee to change its policies or decisions (or to ultimately unseat them). These same investors may soon have access to the company’s proxy statement to conduct a contested election, if the SEC prevails in its court fight to implement the “proxy access” rules adopted in August 2010. Companies will also be closely watching the results of the advisory votes on executive compensation required by the Dodd-Frank Act, because these high-profile votes will serve as a referendum on the performance of the compensation committee and the pay programs that the company has implemented. Finally, the current environment may ultimately lend itself to litigation, where investors resort to the courts to allege a breach of fiduciary duty on the part of the members of the compensation committee in making what are viewed as egregious executive pay decisions.

Click here to view the full Director’s Guide to Compensation

More stories in the Director’s Guide to Compensation:
An Investor’s Point of View
Executive Pay and the Boardroom After Dodd-Frank
New Rules Give Power To The Compensation Committee

The Best Defense is Good Offense: Protecting the Compensation Committee with the Right Tone and Tools.
The calls for accountability—and the substantial risks arising from the efforts employed today to compel that accountability— increase the pressure on the board of directors and the members of the compensation committee to set the right “tone at the top” when it comes to matters of compensation. Compensation decisions should not be an afterthought, or unduly influenced by management’s expectations. Rather, the members of the compensation committee need to focus on making their own independent judgments based on the best available data and independent, unbiased advice. Much like the move toward independence and engagement that we have seen with audit committees over the past 10 years, compensation committees are rapidly moving toward an increasingly independent and analysis-intensive role in the board process, all as a means to set the right tone, ensure fulfillment of the members’ fiduciary duties and ultimately protect the members from the expanding list of risks arising from the public outcry over executive compensation.

The independence of compensation committee members was the subject of recent legislative action under the Dodd- Frank Act, and exchange listing standards will need to be amended in order to implement those provisions. As contemplated by Dodd-Frank, compensation committee members would be subject to the independence standards that are comparable (but not identical) to the standards applied today to audit committee members of a listed company. Notwithstanding this legislative directive, compensation committees have become more and more independent over the past several years, such that in many cases it will not actually be necessary to change the composition of the compensation committee when new standards are adopted. However, while compensation committee members are increasingly likely to be free from any material ties to management or the company, it is also incumbent on the compensation committee, in setting the right tone, to act independently in fulfilling its duties. This translates into having the appropriate resources so as to not rely too much on management’s data, analysis or judgments, and to confer with all appropriate members of the board of directors, management and advisors (both company and board advisors) when making important compensation decisions.

To further this move toward independence, the members of the compensation committee need unfettered access to their own unquestionably independent advisors. The advisors (which could include compensation consultants, legal counsel, valuation experts and others) do not in and of themselves fully protect the members of the compensation committee from risks associated with the compensation committee’s actions, but rather can serve as a valuable source of unbiased advice concerning compensation matters that is less susceptible to be questioned down the road.

Further, the advisors can provide valuable insights into what others are doing from a compliance and “best practice” standpoint, so that it is less likely that the compensation committee’s actions would be seen as out of line with norms of good governance and oversight.

While every company espouses a philosophy of “pay for performance”—and indeed the implementation of that philosophy is the most important concern for investors when evaluating a company’s executive compensation program— the actual implementation and ongoing evaluation of the relationship between pay and performance is a difficult task that must remain the highest priority of the compensation committee. Compensation committees need to utilize their available tools and make sure that the company lives the “pay for performance” philosophy, and that the results achieved when executing on that philosophy are clearly communicated to investors. Finally, an important means for compensation committees to address the risks that they now face is to ensure that they and the compensation-setting process are fully integrated into the overall risk-oversight activities of the board and the company. The financial crisis and its legislative and regulatory aftermath have focused considerable attention on the relationship between incentives in compensation programs and the risks that arise for companies, and as a result the compensation committee has become a crucial component of the risk-oversight process. The compensation committee’s attention to risks—through a periodic evaluation of the compensation program and how pay elements could create risks—has now become a regular part of the analytical framework.

A New Era for Compensation Committee Leadership.
Events of the past three years have reshaped the role of the compensation committee, raising its profile and adding to its burdens. With the enhanced role, members of the compensation committee face significant new risks. These risks can be managed, however, with the presence of an engaged, independent compensation committee that is cognizant of its risk-oversight responsibilities and has access to the independent advisors and fulsome data necessary for informed decision-making and policy formulation. With these attributes, the members of compensation committees can lead the efforts toward restoring investor confidence and improving the adverse perceptions about executive compensation.

David M. Lynn is co-chair of the public companies and securities practice at the law firm Morrison Foerster.

Author Urmi Ashar

Panelists were the Hon. Cynthia A. Baldwin, general counsel of Pennsylvania State University, director of Koppers Holdings, and immediate past chair, Association of Governing Boards of Colleges and Universities; William Hernandez, a director of Albemarle, Black Box, Eastman Kodak Company and USG Corp.; George Long, chief governance counsel and corporate secretary, The PNC Financial Services Group; and George L. Miles Jr., director of AIG, HFF, Harley-Davidson, WESCO International and EQT.

Rising Value of Reputation
The meaning of “reputation” depends on the context. In the context of risk management and value creation, a useful definition for reputation is an impression held by stakeholders that creates both a future expectation and a present behavior. “Reputation is the way that others see the company,” said the Hon. Cynthia A. Baldwin.

How stakeholders view a company’s actions is the primary force behind the company’s reputation. Specifically, stakeholders consider how well a company fosters an ethical environment (internally and externally), promotes innovation, conforms to standards of quality and meets expectations for safety, security and sustainability. A positive reputation drives positive behaviors with internal and external stakeholders, making it easier to command preferential terms in the purchase of goods and services in the supply chain, attract talent, secure affordable financing and command a price premium in the marketplace. A positive reputation raises equity value, as shown by the consistent observation that companies with superior reputations outperform their peers.

Click here to view the embedded video.

The value of reputation has risen over the past two decades. “It’s an intangible (asset),” noted Hernandez. The rise of reputational value parallels the rise of the amount by which enterprise value exceeds tangible book value. As per Steel City Re’s analysis, in the 1980s, the average intangible asset value of a constituent member of the S&P 500 Index was around 20%. In 2010, the average intangible asset value was around 80%. After Lehman Brothers filed for bankruptcy former Chairman Alan Greenspan observed: “In a market system based on trust, reputation has a significant economic value.”

Reputation’s increasing contribution to enterprise value has not been overlooked by the the world of corporate governance and in popular public opinion. In addition, the relationship between reputation and corporate director liability is now finding its way into the courts. Historically, director liability came into play only in cases involving conflicts of interest. However, in its 1996 In re Caremark decision, the Delaware Court of Chancery ruled that the fiduciary duty of corporate directors includes having a process in place to ensure that they are informed of information sufficient to allow them to oversee the company’s business performance and compliance with law.

A decade later, the Delaware Supreme Court’s 2006 opinion in the case of Stone v. Ritter highlighted that the board’s duty of oversight applies to all corporate assets, including intangible assets. The Court stated that director oversight liability may be predicated on facts showing that either: “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”

On December 17, 2010, a shareholder group brought reputation into the mix when it filed a lawsuit against Johnson & Johnson’s directors and managers, alleging failure to uphold their duty of oversight, and breach of their duty of loyalty, by allowing adverse events to cascade which inevitably “destroyed the company’s hard-earned reputation.”

There are two issues that should be of particular concern to directors related to reputation loss liability. First, the Johnson & Johnson filing is the first known case that attempts to impose liability on directors based on a decline in a company’s reputation. This case will be of particular interest to Delaware corporations, as Delaware law does not permit corporations to indemnify officers and directors against personal liability for breaches of the duty of loyalty. Second, “[t]he collapse of a company’s reputation can stain its directors,” observed George Miles. There are connections between a company’s reputation and the individuals associated with the company. Adverse events, even linked to questionable issues, may have a spill-over effect on other boards and may attract public and shareholder scrutiny. Empirical data indicate that the number of board seats held by independent directors drops three years after a shareholder lawsuit has been filed.

Prior to this proposed rule, a slate of directors was nominated and included in the proxy materials and it was difficult to influence this process. Now, there are no restrictions on the relationship between the nominating shareholder and the nominee. However, candidates must satisfy standards of being independent as well as must satisfy specific director qualifications established by the board.

Stuart R. Levine

This new rule requires boards to become knowledgeable about how they conduct their nominating and governance processes, as well as the implications for maintaining director standards and a productive board culture that enables them to be effective in both stable and challenging times.

How ready is your board? Obtaining both qualitative and quantitative research on this subject, in addition to your annual board evaluations, will help to protect and position your board as a “blue ribbon” governance company and keep you out of the limelight on issues that will not serve to protect your shareholders and increase value for your organization.

This increased involvement and engagement of shareholders will require new approaches and a systematic review of a board’s preparedness in response to risk and potential crises, with a strong board culture where clear and effective communications strategies can be developed and presented. Laying the groundwork to get in front of a crisis, before it becomes one, is just smart risk management for independent board members, CEOs and boards as a whole. When a shareholder can own as little as 3 percent and be put on the board, this may open the boardroom up to potential disruptions and potentially competing strategic agendas.  Both boards and CEOs will be defined by the way they prepare and respond to potential crises.

Just as independent directors request that consultants and attorneys be retained to assist in ensuring that their decision-making is sound and protected, I strongly suggest that you consider retaining a firm to assist you with facilitating high-level enterprise risk management discussions at the board level, which include the subject of reputational risk.

The first step is education about and understanding of these new regulations and forces that will affect your board in serious ways. Then put into place an assessment process that identifies critical gaps between where your board is and where it should be. The next step is to close these gaps and prepare for any potential incidents or movements that might take you away from creating value for your shareholders.

How can boards exercise their fiduciary responsibility or intelligent risk management as it relates to the board nominating process, board membership and board culture? This is not a one size fits all process. The goal should be to establish levels of trust on your board to ensure that honest communication can exist on a board without retribution. If and when a crisis comes every few years, due to product error, succession planning or a shareholder event, your board has the strength of character to respond appropriately and be sheltered from any losses due to reputational risk.

Strengthening your board culture before any incidents, with the assistance of an independent consulting firm, (not as a budget line item) will serve to start the conversation about these new levels of risk and will help your board stay highly focused and get to the right outcome in a highly volatile and highly charged political environment.

Here are the five questions and conversations your board should be asking and having:

• Board Culture: How effective is your board’s culture? Can it sustain a challenging conversation or a crisis? Are you comfortable engaging in a succession discussion with your CEO?
• Understanding of Proxy Access Regulations: Is your board up to date on the new proposed Proxy Access regulations and how they will require major changes in the preparation of your proxies, nominating process and director qualifications? Are they aware of the new current realities and their implications?
• New Levels of Accountability: What is the increased level of accountability required by board members in this new environment? Are you bringing the right issues to the table? Is your board engaged at the level they need to be?
• Readiness Preparation/Reputational Risk: Is your board effectively prepared for a “disruptive event”? How would it perform under this kind of pressure and what impact would this have on your company’s reputation, which impacts your company’s financial bottom line?
• Strategic Business Planning: Are the assumptions that you are working with for strategic planning being evaluated and re-evaluated to ensure keeping up with the changing times?

These issues should not be viewed in a limited traditional PR or investor relations bucket. Board culture, establishing the right skills sets and qualifications for directors founded on continuous director education that ensures currency and intelligent responses are all on the horizon for director service in the new decade. Start thinking about your role in bringing your board to this new level of competency and engagement.

Stuart R. Levine, the founder, chairman and CEO of Stuart Levine & Associates (www.stuartlevine.com) is a director of Broadridge Financial Solutions and chairman of the governance and nominating committee and lead director for J. D’Addario & Company.  He serves on the Advisory Council: The Directorship/NYSE Boardroom Guide for the New Director.

Clawbacks are a post-payout approach that attempts to recoup unearned income after an earnings restatement.  Clawbacks do not necessarily work in favor of shareholder interests; when the corporation seeks to recoup an executive’s unearned compensation, it may well come up empty, for legal reasons or because the executive may have spent the bonus and isn’t able to repay it.

Holdbacks are pre-payout payment recovery mechanisms that require the executive’s incentive compensation award to be mandatorily credited to a deferred compensation account and to be subject to forfeiture/adjustment during a pre-specified vesting period. If the public company restates its earnings during this period, the portion of the unearned incentive compensation award that is determined to be “unearned” due to the restatement can simply be rendered null and void, as the credit to the executive’s account is a mere bookkeeping entry.  Thus, holdbacks are far more efficient, and they are less likely to trigger expensive lawsuits. In my opinion, they also can be designed to satisfy the mandated requirements of Dodd-Frank.

It’s not just me claiming that holdbacks encourage improved governance, an alignment of executive behavior with long-term shareholder interests and a reduction of excessive risk taking; it’s also:

• The Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Deposit Insurance Corporation which last summer issued their Interagency Guidance on Sound Incentive Compensation Policies.  The guidance stated, in part: “Incentive compensation arrangements for senior executives at LBOs [large banking organizations] are likely to be better balanced if they involve deferral of a substantial portion of the executive’s incentive compensation over a multi-year period…”

  http://edocket.access.gpo.gov/2010/pdf/2010-15435.pdf

• The Conference Board Inc.’s Task Force on Executive Compensation which stated, “If appropriate, incentive plans may incorporate some form of bonus banking, deferred bonuses, longer-term performance periods, or other tools to more closely align payouts with such risks and better ensure measurement of true performance.  …  In appropriate circumstances, all or a portion of a bonus payout can be held back in a bonus account and paid out in the future…”

  http://www.conference-board.org/pdf_free/ExecCompensation2009.pdf

• A scholarly work in the area of systemic risk and executive compensation entitled, Working Paper: Regulation of Executive Compensation in Financial Services, drafted by the Squam Lake Working Group on Financial Regulation.  It asserts that the structure of an executive’s incentive compensation arrangement has more effect on systemic risk than the amount of the executive’s compensation, and says in part, “…This deferred compensation reduces management’s incentive to pursue risky strategies that might result in government bailouts.  …  Because taxpayer losses trigger executive losses, holdbacks better align the personal incentives of managers with the fiscal and systemic goals of taxpayers.”

  http://www.cfr.org/content/publications/attachments/Squam_Lake_Working_Paper8.pdf

• An op-ed piece by Robert J. Shiller appearing in the New York Times describing the Squam Lake Working Group’s published report under the title, “Help Prevent a Sequel. Delay Some Pay.”

  http://www.nytimes.com/2010/06/20/business/20view.html

For footnotes and additional information on these items, read the comments of Robert W. Kaufman, Esq., Clark Consulting’s VP-Legal and Technical Resource Group, submitted to the Commissioner of the Securities and Exchange Commission.  Mr. Kaufman’s comments are available on the SEC’s website at: http://www.sec.gov/comments/df-title-ix/executive-compensation/executivecompensation-22.pdf

Michael Goldstein is senior vice president and national director for strategic development for Clark Consulting, a leading provider of nonqualified deferred compensation plans as well as the informal funding solutions for those plans.

Michael Goldstein is a registered representative of and securities products and services are offered through Clark Securities, Inc. DBA CCFS, Inc. in Texas, 2100 Ross Avenue, Suite 2200, Dallas, Texas 75201-7906, Ph:  800.999.3125, member FINRA and SIPC.  Clark Consulting and Clark Securities, Inc. are affiliated entities.

This blog is for informational purposes only; it is not intended as an offer or solicitation for the purchase or sale of any financial instrument and is not intended as advice on legal, tax, accounting or investment matters.

Conventional risk management, and its obsession with prevention of risk, just doesn’t work in today’s complex business environment, as evidenced by the cause and effect of the recent financial crisis and ensuing economic recovery. If the impact of the global recession has affected the way we look at risk, so, too, has the source of the economic downturn. Despite strict audit and regulatory oversight, the financial services-sparked credit crisis that drove the recession resulted from insufficiently balanced strategic risk management. As a result, regulatory agencies around the world increasingly now require corporate executive teams and their boards to demonstrate stronger strategic risk management.  The Financial-Regulation bill will certainly drive a more balanced approach to both risk-taking and risk avoidance.

Shayne Gregg

Corporate boards are required to oversee not only the operational risks companies face, but also credit risks, liquidity risks and other high-level “material” risks. This need ensures that boards expect more risk intelligence from CEOs, CFOs and, more than ever, CAEs.

Changing Role of Internal Audit

The new role of the Internal Audit function can fall anywhere along the spectrum of independent assurance to strategic advisor. Internal Audit will need to adopt both roles, respecting the broader expectations from the various stakeholders. Regardless, the ability to truly impact the decisions of the organization will be key. Just as business success will be determined by risk intelligence at the strategic level rather than risk aversion on a tactical level, so too, will Internal Audit’s ultimate value be determined by strategic contributions to the business rather than through tactical accomplishments from ’rear view’ audits.

Additionally, the interaction between the Internal Audit and its major stakeholders is an important reflection point, as identified in a recent Deloitte survey on the changing role of Internal Audit. Executive management is requesting more advisory involvement of Internal Audit, including performing reality checks on key management decisions before they are made. Board members will also increasingly seek more value from Internal Audit where they perceive valuable, independent business insight.

To successfully fill the new seat at the senior decision-making table, CAEs need to take a stronger role in boosting the organization’s risk-taking. This requires a combination of leadership, processes and tools, including a much greater use of automation and analytics such as continuous auditing.

Managing Internal Audit’s traditional risk terrain remains a strict requirement; however, given current economic, regulatory and competitive conditions, these traditional risk areas need to be managed in a much more efficient way without sacrificing a shred of effectiveness. This means the application of technology has become more crucial than ever before.  John Verver from ACL Services Ltd., a leading software provider for audit and compliance professionals, captures this point well: “Internal audit can examine the results from the monitoring processes and determine what controls and risks are being satisfactorily managed, as well as where there are apparent problems. This allows the audit committee to better understand areas of strategic risk and encourage the appropriate response as part of the overall risk management process.”

Identifying the CAE’s Risk IQ

Fifteen years ago, senior executive teams explored emotional intelligence in an effort to bolster organizational competitiveness by identifying high-potential employees and future leaders. Today, companies that are most effective and efficient in managing risks to both the existing value-creation activities and to future profitable growth opportunities will, in the long run, outperform those that are less so. In other words, risk intelligence now serves as the basis for competitive differentiation. The CAE can and should serve an important role in the risk intelligence equation.

How do Audit Committees evaluate the risk IQ of Internal Audit teams and CAEs?

•       Are they speaking the language of management? Are they assessing risks to future growth (value creation) or are they solely focused on the protection of existing assets and reputation?

•       Are they assessing risks in isolation or looking at how these risks may interact and cascade, particularly with other corporate initiatives?

•       Does Internal Audit have the capability to assess potential risk exposures against the risk appetite of the Board and management?

•       Is Internal Audit recommending strategies that leverage organizational data and technology?

At its foundation, the risk intelligent company manages risk in a holistic way; these companies not only prevent, detect and correct critical risk issues quickly, they use their risk management capabilities to improve organizational flexibility so that strategic opportunities can be leveraged.

Shayne Gregg is a partner in the Enterprise Risk practice of Deloitte in Vancouver, BC.

This is an excerpt of Surviving and Thriving in Uncertainty, Creating the Risk Intelligent Enterprise by Frederick Funston and Stephen Wagner (Wiley Books, 2010).

Conventional risk management focused on asset protection, typically in the form of insurance. It was also believed that risks could be identified and managed within silos and that risk aversion would maximize shareholder value. Risk was typically seen as a cost, not an opportunity. Risk management programs took “one size fits all” forms. For these and many other reasons, conventional risk management has failed.

In the turbulent and uncertain 21st century, the buffers of space and time no longer exist. Information has become instantly available. It still confers power, but now everyone has it. Communities of interest can form overnight. Centralized control often fails in the face of turbulence. Fixing pieces no longer solves problems. Many assets are now intangible and cannot be protected in traditional ways. Many risk events are unknown and perhaps unknowable.

Surviving and thriving in uncertainty and turbulence requires unconventional thinking and calculated risk taking. The enterprise must be understood holistically and seen as a living organism. Risks must also be understood as opportunities that can be optimized or exploited, not just as costs. Risks must be viewed as interconnected and difficult to contain. Like wildfires, they cross boundaries and must be managed accordingly. If a risk is relevant and potentially life-threatening, be prepared for it.

Everything has changed but human nature. Judgment will always be difficult. The 21st century enterprise must develop a 21st century view of risk and risk management. Nearly all enterprises have certain characteristics in common. They all operate to a large degree in the same macro-economic environment. The “fatal flaws” and corresponding “risk intelligence skills” described in Part II apply almost universally.

That said, every enterprise is also unique and differs from all others in key ways. Every enterprise operates at a different stage of development. It possesses different skills, understanding, awareness, and culture. Each of these distinct characteristics must be considered carefully by leaders trying to improve risk intelligence, along with the unique benefits the enterprise can realize through that improvement.

The benefits of improved risk intelligence
Demonstrating the value of prevention is often difficult. It should be intuitively obvious that the improved ability to protect existing assets while more effectively managing the risks to future growth ought to improve the enterprise’s chances of survival and success. The enterprise that builds risk intelligence into the core ways of running its business can improve its resilience and agility and should realize the following benefits:

• Challenging basic business assumptions can help identify “Black Swans” provide first-mover advantage
• Defining the corporate risk appetite and risk tolerances can help reduce the risk of ruin
• Improving signal detection can provide advance warning and enable more proactive responses
• Identifying mission-critical interdependencies can help establish an appropriate margin of safety
• Anticipating potential causes of failure can improve chances of survival and success through improved preparedness
• Factoring in momentum and velocity can improve speed of response and recovery
• Verifying your sources and corroborating the reliability of information can improve insights for decision making and thus the quality of decisions
• Taking a longer-term perspective can aid in identifying the potential unintended consequences of short-term decisions
• Improving operational discipline helps sustain success
• Understanding the Total Cost of Risk (TCOR) can help demonstrate the value proposition and reduce the Cost of Failure while improving risk intelligent enterprise management

Making the transformation
Once the enterprise understands its current state of risk intelligence and the best opportunities for improvement, it needs a plan to close the gap and transform the way it comprehends and manages risks to value. It takes time and effort to become a risk intelligent enterprise.

Risk intelligence is not a status or designation that can be attained and then enjoyed ever more. Rather, it is a way of making better decisions amid uncertainty and under turbulent conditions. Thus, risk intelligence is not an end in itself but a way of doing business, not a goal but a developmental journey. By the same token, improving risk intelligence must be a deliberate and sustainable enterprise process, rather than a mere project.

Voice of experience
“To be successful, risk management has to be a core process of managing the enterprise, not merely a project. A lot of directors seem to think that because they devise a ‘strategy’ to deal with known risk, they’ve got a good handle on risk. My perception is that they don’t. Too often, all they want to do is identify the top 10 risks based on what people know. It’s a project approach—and that’s not what’s really needed. A systematized approach of understanding the most basic business assumptions has more long-lasting potential.”

—Larry Rittenberg, Professor and Chairman Emeritus, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Developing and applying the necessary supporting processes, systems, and tools enterprisewide requires a “fractal” approach, in which any part of the whole embodies the properties of the whole. That implies that skills, processes, systems, and tools are common at every organizational level.

To be effective, these processes, systems, and tools must be deployed throughout the enterprise and applied with discipline. Although they will be applied differently at different levels, if the skills, processes, systems, and tools work for senior executives and the board, then directors and executives should have confidence that they will work elsewhere. Also, as with any skills, the more you practice, the better you become—provided you practice properly and maintain discipline.

At its best, risk intelligence informs every area of the business at every level such that the practices become part of every function, strategy, initiative, decision, activity, and job. This entails making risk intelligence an organizational value on the order of practicing true customer focus or achieving high quality through zero defects.

Such values do not come about by themselves or by executive decree or through a one-shot training initiative, a short-term project, or a “check the box” approach. They come about because the board and management view them as worthwhile, practice them publicly, recognize them in compensation programs, and embed them in core processes and systems.

The transformation challenge
In many organizations, despite the number and severity of risk management failures, executives still remain unconvinced of the business case for improved risk intelligence and thus risk management. Given this, there are several possible explanations as to why transformation efforts may fail.

For starters, even though the greatest value of risk management is prevention and preparation, demonstrating its value in advance often proves daunting. People may say, “That can’t happen here,” or “It can’t happen again,” or “We’re too smart to let that happen to us.”

Voice of Experience
“People don’t see the need for prevention until it’s too late. Obviously when a crisis occurs, everyone recognizes the need; it’s self-evident. It ought to be obvious that prevention is less expensive and more effective than response and recovery. I’ve tried to create recognition of the need for prevention in stages by starting with a risk scan. Let’s make sure we understand the risks that we have in the organization and the need to take some actions to mitigate the risk, understand it more, and be more involved in what this looks like.”

–Suzanne Hopgood, director

Prevention, therefore, is much less likely to receive priority, especially when resources are scarce. A clear statement of the TCOR may be required to demonstrate the value of improved prevention and preparation. Even when executives are convinced of the value, those who try to implement a systematic approach may experience flawed or prolonged execution.

Generally, it is best to aim for rapid implementation by building more systematic consideration of risk to value directly into core business processes. Early wins are important to demonstrate value. Nothing succeeds like success, and word of mouth can aid implementation.

Lack of program management such as specific milestones and metrics as well as a failure to recognize the level of effort required can contribute to failed implementation. The implementation may also fail if the implementation team lacks dedicated, credible, and capable resources; if the vision and expectations are poorly communicated; and if the enterprise lacks a common language of risk. Difficulties in reconciling the different perspectives of various specialist silos also can result in a lack of cross-functional alignment and coordination.

Conclusion
The first part of this book addresses the reality that conventional risk management has failed. The 21st century enterprise requires an unconventional approach to the understanding and management of risk to value in times of uncertainty and turbulence. Because turbulence cannot be predicted or modeled, the enterprise needs to improve its vigilance and preparedness.

The second part of the book describes 10 risk intelligence skills that ought to be common to directors, officers, and employees even if the challenges and decisions they must make will be different. The development of these ten skills is, of course, no absolute guarantee of success. However, their absence is likely a harbinger of fatal flaws that could lead to the demise of the enterprise.

The third part of the book describes the characteristics of the risk intelligent enterprise and the responsibilities of directors, officers, and employees. It outlined steps that can be taken to improve risk intelligence. It also discussed some missteps that ought to be avoided.

While all these parts when taken together may seem to be onerous and costly, the reality is that decisions that affect the enterprise’s survival and success are made every day at every level of the enterprise. This is enterprise management.

Now, since I last spoke here two years ago, our country has been through a terrible trial. More than 8 million people have lost their jobs. Countless small businesses have had to shut their doors. Trillions of dollars in savings have been lost — forcing seniors to put off retirement, young people to postpone college, entrepreneurs to give up on the dream of starting a company. And as a nation we were forced to take unprecedented steps to rescue the financial system and the broader economy.

Complete text of President Obama’s speech on Wall Street reform yesterday at Cooper Union College.

And as a result of the decisions we made — some of which, let’s face it, were very unpopular — we are seeing hopeful signs. A little more than one year ago we were losing an average of 750,000 jobs each month. Today, America is adding jobs again. One year ago the economy was shrinking rapidly. Today the economy is growing. In fact, we’ve seen the fastest turnaround in growth in nearly three decades.

But you’re here and I’m here because we’ve got more work to do. Until this progress is felt not just on Wall Street but on Main Street we cannot be satisfied. Until the millions of our neighbors who are looking for work can find a job, and wages are growing at a meaningful pace, we may be able to claim a technical recovery — but we will not have truly recovered. And even as we seek to revive this economy, it’s also incumbent on us to rebuild it stronger than before. We don’t want an economy that has the same weaknesses that led to this crisis. And that means addressing some of the underlying problems that led to this turmoil and devastation in the first place.

Now, one of the most significant contributors to this recession was a financial crisis as dire as any we’ve known in generations — at least since the ’30s. And that crisis was born of a failure of responsibility — from Wall Street all the way to Washington — that brought down many of the world’s largest financial firms and nearly dragged our economy into a second Great Depression.

It was that failure of responsibility that I spoke about when I came to New York more than two years ago — before the worst of the crisis had unfolded. It was back in 2007. And I take no satisfaction in noting that my comments then have largely been borne out by the events that followed. But I repeat what I said then because it is essential that we learn the lessons from this crisis so we don’t doom ourselves to repeat it. And make no mistake, that is exactly what will happen if we allow this moment to pass — and that’s an outcome that is unacceptable to me and it’s unacceptable to you, the American people.

As I said on this stage two years ago, I believe in the power of the free market. I believe in a strong financial sector that helps people to raise capital and get loans and invest their savings. That’s part of what has made America what it is. But a free market was never meant to be a free license to take whatever you can get, however you can get it. That’s what happened too often in the years leading up to this crisis. Some — and let me be clear, not all — but some on Wall Street forgot that behind every dollar traded or leveraged there’s family looking to buy a house, or pay for an education, open a business, save for retirement. What happens on Wall Street has real consequences across the country, across our economy.

I’ve spoken before about the need to build a new foundation for economic growth in the 21st century. And given the importance of the financial sector, Wall Street reform is an absolutely essential part of that foundation. Without it, our house will continue to sit on shifting sands, and our families, businesses, and the global economy will be vulnerable to future crises. That’s why I feel so strongly that we need to enact a set of updated, commonsense rules to ensure accountability on Wall Street and to protect consumers in our financial system.

Now, here’s the good news: A comprehensive plan to achieve these reforms has already passed the House of Representatives.  A Senate version is currently being debated, drawing on ideas from Democrats and Republicans. Both bills represent significant improvement on the flawed rules that we have in place today, despite the furious effort of industry lobbyists to shape this legislation to their special interests.

And for those of you in the financial sector I’m sure that some of these lobbyists work for you and they’re doing what they are being paid to do. But I’m here today specifically — when I speak to the titans of industry here — because I want to urge you to join us, instead of fighting us in this effort.  I’m here because I believe that these reforms are, in the end, not only in the best interest of our country, but in the best interest of the financial sector. And I’m here to explain what reform will look like, and why it matters.

Now, first, the bill being considered in the Senate would create what we did not have before, and that is a way to protect the financial system and the broader economy and American taxpayers in the event that a large financial firm begins to fail. If there’s a Lehmans or an AIG, how can we respond in a way that doesn’t force taxpayers to pick up the tab or, alternatively, could bring down the whole system.

In an ordinary local bank when it approaches insolvency, we’ve got a process, an orderly process through the FDIC, that ensures that depositors are protected, maintains confidence in the banking system, and it works. Customers and taxpayers are protected and owners and management lose their equity. But we don’t have that kind of process designed to contain the failure of a Lehman Brothers or any of the largest and most interconnected financial firms in our country.

That’s why, when this crisis began, crucial decisions about what would happen to some of the world’s biggest companies — companies employing tens of thousands of people and holding hundreds of billions of dollars in assets — had to take place in hurried discussions in the middle of the night. And that’s why, to save the entire economy from an even worse catastrophe, we had to deploy taxpayer dollars. Now, much of that money has now been paid back and my administration has proposed a fee to be paid by large financial firms to recover all the money, every dime, because the American people should never have been put in that position in the first place.

But this is why we need a system to shut these firms down with the least amount of collateral damage to innocent people and innocent businesses. And from the start, I’ve insisted that the financial industry, not taxpayers, shoulder the costs in the event that a large financial company should falter. The goal is to make certain that taxpayers are never again on the hook because a firm is deemed “too big to fail.”

Now, there’s a legitimate debate taking place about how best to ensure taxpayers are held harmless in this process. And that’s a legitimate debate, and I encourage that debate. But what’s not legitimate is to suggest that somehow the legislation being proposed is going to encourage future taxpayer bailouts, as some have claimed. That makes for a good sound bite, but it’s not factually accurate. It is not true. (Applause.) In fact, the system as it stands — the system as it stands is what led to a series of massive, costly taxpayer bailouts. And it’s only with reform that we can avoid a similar outcome in the future. In other words, a vote for reform is a vote to put a stop to taxpayer-funded bailouts. That’s the truth. End of story. And nobody should be fooled in this debate.

By the way, these changes have the added benefit of creating incentives within the industry to ensure that no one company can ever threaten to bring down the whole economy.

To that end, the bill would also enact what’s known as the Volcker Rule — and there’s a tall guy sitting in the front row here, Paul Volcker  — who we named it after. And it does something very simple: It places some limits on the size of banks and the kinds of risks that banking institutions can take. This will not only safeguard our system against crises, this will also make our system stronger and more competitive by instilling confidence here at home and across the globe. Markets depend on that confidence. Part of what led to the turmoil of the past two years was that in the absence of clear rules and sound practices, people didn’t trust that our system was one in which it was safe to invest or lend. As we’ve seen, that harms all of us.

So by enacting these reforms, we’ll help ensure that our financial system — and our economy — continues to be the envy of the world. That’s the first thing, making sure that we can wind down one firm if it gets into trouble without bringing the whole system down or forcing taxpayers to fund a bailout.

Number two, reform would bring new transparency to many financial markets. As you know, part of what led to this crisis was firms like AIG and others who were making huge and risky bets, using derivatives and other complicated financial instruments, in ways that defied accountability, or even common sense. In fact, many practices were so opaque, so confusing, so complex that the people inside the firms didn’t understand them, much less those who were charged with overseeing them. They weren’t fully aware of the massive bets that were being placed. That’s what led Warren Buffett to describe derivatives that were bought and sold with little oversight as “financial weapons of mass destruction.” That’s what he called them. And that’s why reform will rein in excess and help ensure that these kinds of transactions take place in the light of day.

Now, there’s been a great deal of concern about these changes. So I want to reiterate: There is a legitimate role for these financial instruments in our economy. They can help allay risk and spur investment. And there are a lot of companies that use these instruments to that legitimate end — they are managing exposure to fluctuating prices or currencies, fluctuating markets. For example, a business might hedge against rising oil prices by buying a financial product to secure stable fuel costs, so an airlines might have an interest in locking in a decent price. That’s how markets are supposed to work. The problem is these markets operated in the shadows of our economy, invisible to regulators, invisible to the public. So reckless practices were rampant. Risks accrued until they threatened our entire financial system.
And that’s why these reforms are designed to respect legitimate activities but prevent reckless risk taking. That’s why we want to ensure that financial products like standardized derivatives are traded out in the open, in the full view of businesses, investors, and those charged with oversight.

And I was encouraged to see a Republican senator join with Democrats this week in moving forward on this issue. That’s a good sign. That’s a good sign. For without action, we’ll continue to see what amounts to highly-leveraged, loosely monitored gambling in our financial system, putting taxpayers and the economy in jeopardy. And the only people who ought to fear the kind of oversight and transparency that we’re proposing are those whose conduct will fail this scrutiny.

Third, this plan would enact the strongest consumer financial protections ever. And that’s absolutely necessary because this financial crisis wasn’t just the result of decisions made in the executive suites on Wall Street; it was also the result of decisions made around kitchen tables across America, by folks who took on mortgages and credit cards and auto loans. And while it’s true that many Americans took on financial obligations that they knew or should have known they could not have afforded, millions of others were, frankly, duped. They were misled by deceptive terms and conditions, buried deep in the fine print.

And while a few companies made out like bandits by exploiting their customers, our entire economy was made more vulnerable. Millions of people have now lost their homes. Tens of millions more have lost value in their homes. Just about every sector of our economy has felt the pain, whether you’re paving driveways in Arizona, or selling houses in Ohio, or you’re doing home repairs in California, or you’re using your home equity to start a small business in Florida.

That’s why we need to give consumers more protection and more power in our financial system. This is not about stifling competition, stifling innovation; it’s just the opposite. With a dedicated agency setting ground rules and looking out for ordinary people in our financial system, we will empower consumers with clear and concise information when they’re making financial decisions. So instead of competing to offer confusing products, companies will compete the old-fashioned way, by offering better products. And that will mean more choices for consumers, more opportunities for businesses, and more stability in our financial system. And unless your business model depends on bilking people, there is little to fear from these new rules.

Number four, the last key component of reform. These Wall Street reforms will give shareholders new power in the financial system. They will get what we call a say on pay, a voice with respect to the salaries and bonuses awarded to top executives. And the SEC will have the authority to give shareholders more say in corporate elections, so that investors and pension holders have a stronger role in determining who manages the company in which they’ve placed their savings.

Now, Americans don’t begrudge anybody for success when that success is earned. But when we read in the past, and sometimes in the present, about enormous executive bonuses at firms — even as they’re relying on assistance from taxpayers or they’re taking huge risks that threaten the system as a whole or their company is doing badly — it offends our fundamental values.

Not only that, some of the salaries and bonuses that we’ve seen creates perverse incentives to take reckless risks that contributed to the crisis. It’s what helped lead to a relentless focus on a company’s next quarter, to the detriment of its next year or its next decade. And it led to a situation in which folks with the most to lose — stock and pension holders — had the least to say in the process. And that has to change.

Let me close by saying this. I have laid out a set of Wall Street reforms. These are reforms that would put an end to taxpayer bailouts; that would bring complex financial dealings out of the shadows; that would protect consumers; and that would give shareholders more power in the financial system. But let’s face it, we also need reform in Washington.  And the debate — the debate over these changes is a perfect example.

I mean, we have seen battalions of financial industry lobbyists descending on Capitol Hill, firms spending millions to influence the outcome of this debate. We’ve seen misleading arguments and attacks that are designed not to improve the bill but to weaken or to kill it. We’ve seen a bipartisan process buckle under the weight of these withering forces, even as we’ve produced a proposal that by all accounts is a commonsense, reasonable, non-ideological approach to target the root problems that led to the turmoil in our financial sector and ultimately in our entire economy.

So we’ve seen business as usual in Washington, but I believe we can and must put this kind of cynical politics aside. We’ve got to put an end to it. That’s why I’m here today. That’s why I’m here today.

And to those of you who are in the financial sector, let me say this, we will not always see eye to eye. We will not always agree. But that doesn’t mean that we’ve got to choose between two extremes. We do not have to choose between markets that are unfettered by even modest protections against crisis, or markets that are stymied by onerous rules that suppress enterprise and innovation. That is a false choice. And we need no more proof than the crisis that we’ve just been through.

You see, there has always been a tension between the desire to allow markets to function without interference and the absolute necessity of rules to prevent markets from falling out of kilter. But managing that tension, one that we’ve debated since the founding of this nation, is what has allowed our country to keep up with a changing world. For in taking up this debate, in figuring out how to apply well-worn principles with each new age, we ensure that we don’t tip too far one way or the other — that our democracy remains as dynamic and our economy remains as dynamic as it has in the past. So, yes, this debate can be contentious. It can be heated. But in the end it serves only to make our country stronger. It has allowed us to adapt and to thrive.

And I read a report recently that I think fairly illustrates this point. It’s from Time magazine. I’m going to quote: “Through the great banking houses of Manhattan last week ran wild-eyed alarm. Big bankers stared at one another in anger and astonishment. A bill just passed… would rivet upon their institutions what they considered a monstrous system… such a system, they felt, would not only rob them of their pride of profession but would reduce all U.S. banking to its lowest level.” That appeared in Time magazine in June of 1933.  The system that caused so much consternation, so much concern was the Federal Deposit Insurance Corporation, also known as the FDIC, an institution that has successfully secured the deposits of generations of Americans.

In the end, our system only works — our markets are only free — when there are basic safeguards that prevent abuse, that check excesses, that ensure that it is more profitable to play by the rules than to game the system. And that is what the reforms we’ve been proposing are designed to achieve — no more, no less. And because that is how we will ensure that our economy works for consumers, that it works for investors, and that it works for financial institutions — in other words, that it works for all of us — that’s why we’re working so hard to get this stuff passed.

This is the central lesson not only of this crisis but of our history. It’s what I said when I spoke here two years ago. Because ultimately, there is no dividing line between Main Street and Wall Street. We will rise or we will fall together as one nation.  And that is why I urge all of you to join me. I urge all of you to join me, to join those who are seeking to pass these commonsense reforms. And for those of you in the financial industry, I urge you to join me not only because it is in the interest of your industry, but also because it’s in the interest of your country.

Given the pressures on management, internal controls, and financial-reporting systems in this environment, the audit committee’s role—and its effectiveness—will be pivotal. We recently spent two days talking with 120 audit committee members from around the United States—across industries, large- and mid-cap—about their top concerns and priorities, and what they see as keys to audit committee effectiveness going forward.

Not surprisingly, the three areas cited by conference attendees as the “top concerns” for 2010 are the uncertainties of the economic/legislative environments, risk management/oversight and financial communications.

Risk, uncertainty and the audit committee’s role. The search for top-line growth is a critical priority for companies today, and boards are mobilizing management to rethink the company’s strategy, stress-test the business model and address—head-on—the challenges of a low-growth environment. Audit committees are helping to “ignite” the conversation about where the risks are in this environment—whether it’s Foreign Corrupt Practices Act risk associated with the search for growth in emerging markets, or focusing internal audit on the risks associated with the company’s new strategic initiatives.

Audit committees are also rethinking their risk oversight role. While more and more boards are assuming oversight responsibility for strategic risks, some boards still see an expansive role for the audit committee, encompassing oversight of the company’s risk-management processes as well as key substantive areas of risk.

Others take a much more restrictive view, as one panelist noted: “The audit committee exists to deal with one very significant enterprise-wide risk, and that’s the risk of either fraudulent or erroneous financial reporting. That’s plenty.”

Deeper involvement in all financial communications. Audit committees are intensifying their focus on all financial communications—from earnings guidance and earnings press releases to the MD&A and other disclosures. Some companies have taken the financial crisis as an opportunity to either discontinue earnings guidance, or reconsider the types and frequency of guidance they provide.

Our discussions also pointed to the earnings press release as perhaps the most important communication to investors today: “It’s where the action is,” said one director. But earnings releases often pose more issues than 10-Qs, as they contain important business information that often does not come from the financial reporting system, is not audited, and is not subject to internal controls.

The dialogue also highlighted key disclosure areas the Securities and Exchange Commission will be focusing on in 2010, including new disclosures companies must make about how they address risk, compensation, leadership and other aspects of corporate governance.

And, of course, audit committees will need to stay focused on a number of key financial reporting issues that became particularly acute during the financial crisis, including fair value, goodwill and intangible impairments, pension assets and obligations, and tax valuation allowances.

Gauging the audit committee’s effectiveness. Given the challenges ahead, conference attendees emphasized the need for audit committees to take a close look at their effectiveness, to ensure the committee is focused on the right issues and is in a position to help lead the business forward. To this end, panelists highlighted a number of questions for audit committees to consider as they monitor their performance:

• Do we have the right people on the committee—directors who understand the business and are willing and able to ask the right questions?
• Is each member of the committee capable of understanding the financial reporting issues and complexities arising from the company’s business activities?
• Do we take an active role in determining the committee’s agenda and defining its information requirements?
• Do we insist on transparency—both internal transparency (between management and the audit committee) and external transparency?
• Do we speak our mind? Do we listen? Do we build consensus?
• Do we take a hard look at our committee’s performance, and assess the performance of individual committee members?

Mary Pat McCarthy is U.S. vice chair, KPMG, and executive director of KPMG’s Audit Committee Institute.

THE GOLDEN RULE IS RISK MANAGEMENT. Unidentified, unquantified and unmitigated risk of all kinds is the enemy. It’s critical to invest the resources necessary to establish sound risk-management techniques. Through these, you’ll be able to weather the remainder of the current crisis and be prepared for the inevitable next crisis to follow.

IF YOU DON’T SPEAK UP, NO ONE WILL HEAR YOU. Right now, during the ongoing legislative debate and ensuing regulatory overhaul, there’s a window for thoughtful discussion and debate that can strongly influence the outcome. Take every opportunity to initiate and advocate your views on what the regulatory landscape should look like at the end of the process. Be reasoned and honest in your advocacy. Develop relationships of trust and respect with regulators and legislators, so your voice will be heard.

TRANSPARENCY IS ESSENTIAL. Nearly everyone looking at the regulatory environment agrees on the need for transparency, although as with so many things, no one has actually defined what that means. This creates both a problem and an opportunity for you, since the age-old approach, ‘Let’s only tell everyone what we’re required to tell them’ no longer works, if it ever did. The toughest part may not be regulators, but those who run the companies on whose boards you serve. There’s a definite need for a re-education process and thoughtful reflection on how best to achieve this critical goal.

IT’S NOT HAPPENING TO THEM, IT’S HAPPENING TO US. When we read in the press or otherwise learn of companies that find themselves in huge difficulty or learn of a regulatory failure to find corporate misconduct, we may succumb to the understandable but pernicious tendency to think either “Thank goodness it’s not happening to me’ or to assume that this has nothing to do with you. But, when any business suffers, all businesses suffer. And, the fact is that if we don’t look upon the foibles of other companies as cautionary tales from which to learn and that must be avoided, others will be looking at you as their cautionary tale.

AVOID THE SARAH PITT SYNDROME. Sarah Pitt was my beloved mother and she was a self-medicating health fanatic. She took hundreds of vitamins and minerals daily and believed that she was better than any physician. As a result, when she developed stomach pains, it took us nearly two years to get her to visit the doctor. After she finally visited the doctor, I called her to get her take on how the visit went and she somberly told me, in very stern tones, ‘You know, Harvey, I was never sick a day in my life until I went to visit that damn doctor.’ Unfortunately, that’s how many CEOs and boards operate. They think that just because nobody tells them they have cancer, they don’t have it, but we know that the real world doesn’t work that way. You can and you must look for potential problems before they come around and bite you in parts of your anatomy in which you’d rather not be bitten.

BEWARE OF THE CEO’s NOMW SYNDROME. The term NOMW stands for Not On My Watch. It’s a dirty little secret in life that no one wants problems to emerge on their watch. What we all secretly hope for is that any problems emerge either after we’ve left the company or before we’ve arrived. Take it from one who knows this all too well. What this translates into is that a board’s desire to detect problems early and solve them before they turn into crises isn’t necessarily shared by the company’s CEO. He or she merely wants to finish his or her tenure with no resulting scandal and let the next CEO clean up any mess that surfaces after the CEO departs. Directors can’t afford to play that game. More importantly, they have to be wary of the possibility that the CEO may actually be playing that game right now.

DIRECTORS SHOULDN’T ACT LIKE PERFECT CHILDREN. As the father of four, I strongly believe the perfect child is one who speaks when spoken to, doesn’t speak out of turn, respects authority, doesn’t drive, and never asks for money. I have four wonderful children, but not a one of them answers that description. Yet, so many directors actually think that’s how they should behave. Outside directors need a lead outside director if the chairman of the board is also the CEO. Every quarter, the outside directors need to convene and generate their own agenda of issues. Again, this should be done working collaboratively with management. And, by all means, directors must remember that the only dumb question is the one that doesn’t get asked.

THERE IS NO SUCH THING AS A SMALL PROBLEM. Small problems have one enormously annoying habit. Left unaddressed, they will coalesce and morph into big problems. That’s particularly true when economic pressures or other external influences act as an irritant. Life is simply a lot easier if problems are identified and addressed early.

BEING SMART IS GOOD, BEING TOO SMART IS DANGEROUS. When seeking to make money or circumvent obstacles, it’s tempting to develop novel, unique, or clever approaches. Making money should be encouraged and circumventing obstacles is great, but only if the proposed plan is thoroughly vetted and understood first.

DON’T BECOME THE VICTIM OF YOUR OWN SUCCESS. Bill Gates had it exactly right when he observed that success is often the worst of teachers. That’s because when we succeed, we’re tempted to believe that our success was because of something we did. But, success can ultimately lull us into a false sense of security. If you hope for the best, but plan for the worst, you’re never likely to be caught off guard, be unprepared, or wind up disappointed.

HEED UNCONVENTIONAL WISDOM. Constructive dissent and contrarian thought ought to be encouraged to counterbalance groupthink mentality that, left unchecked, results in the emperor parading naked while everyone else loses their shirts.

AVOID THE MAE WEST FALLACY. Mae West was a one-of-a-kind actress with a very cheeky outlook on life. One of her pet sayings was that too much of a good thing is just enough. In the boardroom, I’m afraid, we must disagree with Mae. The development of audit committees was a truly inspired idea; over the years, that idea has been honed and massaged to the point where audit committees perform critical functions and provide a measure of protection every corporation requires and deserves. Alas, the very success of audit committees has led many companies to overburden them with additional functions. There’s only so much responsibility any single board committee can undertake and still perform at a high level. I advocate separate committees for risk management and legal compliance, assuming that there are enough directors to serve on each of those committees. This doesn’t mean, however, that these important functions should be performed in a vacuum. Overlapping committee membership should ensure that the audit committee is fully apprised of what is actually going on.

MAINTAIN A SENSE OF HUMOR. Over the last several years, we’ve probably all taken ourselves somewhat too seriously. Adlai Stevenson had it all wrong when, after he lost to Dwight Eisenhower yet again, he somberly intoned, ‘I’m too old to cry, but it hurts too much to laugh.’ If you don’t laugh, the pain is only that much harder to handle.

ADDITIONAL COVERAGE FROM THE AUDIT COMMITTEE ISSUES CONFERENCE:

• Uncertainty Rules: The 2010 Audit Committee Agenda Roundtable
• The Top 10 Concerns of Today’s Audit Committees
• Donna E. Shalala: Prescient remarks about healthcare reform
• Arthur Levitt: The Real Governance Problem

Moody’s released a report on how some large banks have changed their boards to be more effective with strategy. The report reviewed board composition at 20 large  global banks in North America and Europe since the beginning of the crisis in July 2007.

The SEC’s new disclosure rules play an obvious part in the revamping of bank boards. Director nomination standards now require information about the nominee’s experience, qualifications, and attributes and reasons why that person should serve on the company’s board. A new leadership structure rule mandates that a company disclose why it has chosen to either combine or separate the positions of chairman and CEO.

The bank boards included in this report turned over 32 percent of their non-executive directors. This provides boards with an original perspective and new ideas about how to bounce back after the crisis. Author of the report, Christian Plath, said the turnover on bank boards was the most interesting trend post financial-crisis: “The turnover on some of these boards, particularly boards that received extraordinary government assistance, some of those boards saw more than half their board turn over.

Experience in the financial industry is now a much more prominent factor in building bank boards.  Of the 20 banks examined, 46 percent now have outside directors with financial backgrounds. This is up 14 percent from July 2007. Plath said this comes after serious criticism about the quality of board members: “Many of these banks were strongly criticized for not having enough directors with financial backgrounds…All of this points to the criticism that banks were engaged in excessive risk taking…you want some directors on the boards that can know the right questions to ask.”

Banks that received the most government assistance–Bank of America, Citigroup, Lloyds, RBS and UBS–added the most financial experience to their boards, the Moody’s report found.

Several of the banks examined by Moody’s researchers also reduced their board size. Plath said this could be for several reasons concerning the particular bank’s restructuring process. “There are a couple of big advantages of having a smaller board size and one is that it better stimulates discussions at the board level. It enhances the board’s ability to respond in the event of a crisis.” Plath also said that a smaller boardroom means a bigger spotlight for each director: “It also makes it harder for directors to hide in terms of boardroom discussions. It forces all of the directors to speak up.”

The average board size is now 16 members. Bank of America, for example, reduced its board size from 17 to 15. Not every bank downsized the board, however. Four of the 20 banks in the report maintain a board size of 20 or more members. HSBC increased its board size from 18 to 21 members.–Ashley Chaney

Nor have directors viewed public relations as a proper management function worthy of their oversight. Yet here in Goldman Sachs we have the incumbent in that function, a partner, being a large part of the problem, not aiding in the solution. The global head of communications, aka public relations, is reportedly abruptly dismissive of the press, combative, smug and condescending feeding tabloids and the blogosphere juicy morsel demeaning the company by his arrogant attitude. For example, its recent charm offensive via multiple philanthropies, was brushed aside as merely obligatory. A graduate of a revered British university, he might have prepared better if he’d majored in English literature rather than economics and perhaps caught the drift of English poet Samuel Butler’s cautionary comment, “For as you sow, ye are likely to reap.”

It’s a pity that any company should be brought to its knees through acute astigmatism. Ignoring the ultimate impact of today’s invasiveness of the media is irresponsible. It’s immaterial whether the barbs are factual or fabricated, the public’s perception is the bottom-line that must be addressed. Boards may honestly feel they’ve addressed every contingency yet leaving open the only unscripted function of management, the matter of public relationships. It is time to separate the policy from the communications process, the former well within the purview of boards.

In a similar vein the widespread criticism of Toyota’s ineptness in crisis communications during the recall of millions of its cars for product fixes will no doubt bring this matter to board attention. Unfortunately the emphasis will be on reaction more than on prevention. The board’s scrutiny should be on the mindset that birthed the issue. Attitude before aptitude is the relevant maxim.

John F. Budd Jr. is chairman and CEO of Omega Group, and editor of Observations. This commentary was originally published in the March 2010 newsletter.

1. Truth
This is a powerful principle. It has been stated simply as, “Say what you do, and do what you say.”

Michael Ross

When searching for solutions to problems, there are often several alternatives. Directors and senior management often engage in cost-benefit or risk-reward analysis, and sometimes obtain expert opinions. This is certainly appropriate, but in some instances, decisions can be reached, or at least some alternatives eliminated, by simply sticking to the facts. When an alternative has the “benefit of being true,” it is likely to be a viable one.

Decisions based on the assumption, or hope, that “no one will know” are very likely to turn out badly. This is probably truer now than historically was the case because there are so many parties interested in finding the truth for their own purposes. It is not just the press, the various levels of Federal, state and local government and the class action bar. There are also shareholder activists, special interest groups, whistle-blowers and bloggers. They are all out to “scoop” the company with some evidence of the truth that has not been told by the company.

Illustrations of the importance of truth come from many of the investigations of wrongdoing by corporate executives. These investigations often turn from the underlying allegations of substantive violations of law to allegations of obstruction of justice, commonly making false statements to government officials or destruction of documents. How different might the result have been if Martha Stewart had been motivated by truth as a guiding principle during the investigation of her alleged insider-trading.

Truth promotes long-term credibility and inspires confidence among the company’s constituencies. A company’s reputation for truthfulness can facilitate dealings with regulators, help manage investigations into alleged wrongdoing and get the company’s story effectively communicated to the public. We know how we feel about companies whose explanations do not make sense or contradict prior explanations, and it is not good.

2. Disclosure
A general inclination toward disclosure can be a sign of a healthy corporate culture. If the issue is whether or not to disclose material unfavorable facts, stretching to rationalize non-disclosure can be dangerous. A good general indicator of integrity is management’s willingness to disclose material adverse facts. Disappointing financial results or other adverse developments are bad enough, but the failure to make required disclosures compounds the problems. Material misstatements and omissions will cause the company to bear the costs of investigations and litigation, and possibly fines, damages and the loss of credibility with investors and the public.

The disclosure question arises in many contexts, e.g., public company reports and releases to investors, regulatory filings, certifications to creditors, advertisements and promotions and product labeling. Senior management’s propensity to engage in effective disclosure and resist burying salient facts in fine print or behind puffery is an indication of integrity.

There are, however, exceptions to the benefits of disclosure. Competition requires keeping secrets. Strategies for reducing the pressures from Wall Street for short-term profits may include limiting or eliminating disclosure of projections and “guidance.” Shareholder activists tout “transparency” as a bell-weather of good corporate governance, but there are limits. For example, when pressures for disclosure become a de-facto requirement that a company post its code of business conduct on its web site, the benefits of “transparency” may be outweighed by the costs. The incentives to create and take competitive advantage of a confidential, superior code are lost; many companies merely look to see what is prevalent in the industry, and there is a tendency for the substance of the codes to sink to the “lowest common denominator.”

3. Clarity of Communications
The business world is full of important communications. Companies constantly communicate with numerous audiences by a variety of means. Clarity in these communications is a sign of a well-run business and a healthy corporate culture. Fuzzy language is often a pretty indicator of fuzzy thinking.

For the board of directors to discharge its responsibilities, management must give directors clear information about the company’s strategy and its plans for execution. When (not if) problems arise, communications often break down, and what communication there is becomes unclear. The board must insist, in good times and bad, that management give the board concise, understandable information on a timely basis.

For its part, the board must be direct with management about what information it wants, and how and when it wants it. In setting policy, the board must be certain that management understands the policy, the rationale for it and how the board expects to see the policy implemented and its effectiveness measured.

Management should be clear with analysts and investors in describing the company’s strategy, plans and results. Confusion in the marketplace will generally lead to lack of confidence, and that will usually adversely affect shareholder value.

Clarity is also important in communications to customers. In advertising, marketing, promotions, labeling, warranties, disclaimers and customer relations, management should be sure customers know what they are buying and what they are not buying. Putting the bad news in the “fine print” is not likely to be a sensible long-term tactic. Bold print might do a better job.

Employees cannot be expected to perform unless they understand what is expected of them, and the consequences for them and the company of success and failure. To avoid misunderstanding, multiple communications, by various means may be necessary. When it comes to codes of conduct and compliance, effective communications should include the reasons for the rules and illustrative examples.

If management’s communications with regulators are straightforward, the company should gain a reputation for integrity that will pay off in the long run. Regulators will be around forever, and the regulatory, institutional memory is long. Regulators will discover and seize upon inconsistent company communications to various constituencies, e.g., investors, customers and employees.

4. Consent
Consent goes hand in hand with disclosure. It is often the next logical step. Consent is relevant with many constituencies, not just shareholders, but also employees, customers and suppliers.

Consent is not always required, as a matter of law, contract or otherwise. In many circumstances, it is not advisable or practicable to obtain consent. Consent may be implied in some situations, such as, when a customer has full and fair disclosure about the company’s products or services, and makes a purchase. In more sensitive contexts, such as, the confidentiality of personal medical or financial information, advance written consent may be more appropriate.

This is not to say that public companies should seek shareholder consent for actions that do not require shareholder consent as a matter of law. It also does not mean that companies should give counter-parties more consent rights than are customarily negotiated in commercial contracts or corporate transactions. The principle of consent may, however, be instructive in making decisions about the treatment of stakeholders. We know from our personal experience when we think that our consent is required, and how we feel when our consent is obtained and when is it not.