Let’s say a worker is responsible for maintenance of a machine, but because of time pressures, cuts corners and does not address its wear and tear. No one oversees this person’s omission. The machine fails and takes down other machines nearby. The company is in an industry where, if that machine fails, hundreds of customers will likely die.
Is it fair to hold the board responsible for this sort of failure? Is it fair to hold the committee chair or committee overseeing this risk responsible, at least in part?
I’m not sure. It would depend on the actions (or inactions) vis-à-vis best practices and legal tests. One thing I can say, however, is that I have had the good fortune of interviewing and seeing how one or two excellent board or committee chairs, or directors on a board, can completely reform and turn around the risk management of an entire large, complex organization by pressing management and holding them accountable. It is a pleasure to watch how effective a strong board and strong directors can be. This is how boards should be.
I recently interviewed directors and senior management of an important organization, along with nine leading Canadian directors and audit committee chairs. Here are some questions that address the above and incorporate what I have learned from my research and assessments of audit committees.
1. Risk management coverage and assurance mapping: Is each material financial and non-financial risk (no more than 12-15) covered (via explicit mapping) through identification, treatment, independent assurance and upward reporting? Do board guidelines and committee charters cover off all material risks so none slip through the cracks?
2. Whistle-blowing and code compliance: Employees may now go directly to regulators without using the company’s internal investigation procedures, and may be eligible for a monetary reward. Does the company code of conduct have fair, impartial, credible investigation procedures that employees trust and actually use? Does the audit committee effectively oversee ethical reporting?
3. Internal audit: Does the audit committee approve the appointment, compensation, work plan, independence and accountability of this function? If not, why not? The head of internal audit should report directly to the audit committee.
4. IT governance: Is IT risk and opportunity management adequately overseen by the board (or a committee), including IT investment, cloud computing, social media, information security, privacy, business interruption and crisis planning? Do management (and the board) have competencies in these areas?
5. Stress and scenario testing: Are the capital structure, quality of earnings and revenue tested under various adverse conditions (including regulatory, competitor and contagion scenarios), asking not only “what if” but also “when”?
6. Audit committee bench strength: Does the audit committee have the competence and courage to understand and constructively challenge the basis and rationale for management’s estimates, assumptions, judgments and forecasts, both in terms of potential manipulation by management, and the fairness, balance and quality of financial disclosure?
7. Chair reporting to the full board: Does the audit committee chair (and other committee chairs overseeing non-financial risk) submit a written report that enables non-committee members to understand the deliberations, recommendations and reporting, and ask questions and receive satisfactory answers?
8. Auditor and financial management bench strength: Does the board have confidence in the quality of finance and risk management, and external and internal audit (including integrity, competence, responsiveness and reporting)? The board should oversee all of these positions, subject to shareholder approval for the external auditor.
9. Internal controls over non-financial reporting: This area may be a weakness for many boards. Has the regime for financial reporting and assurance been adopted for the most important non-financial reporting risks of the organization (e.g. operations, compliance, environmental, social, reputation)? Has the effectiveness of the design and implementation of internal controls been tested on and reported to the board or relevant committee, for these areas? Boards should press management for this reporting and obtain independent (outside) assurance for risks of concern, to put the heat on management.
10. Undue influence/reliance, integrity and fraud risk: Are there any pockets within the organization or executives who may have the opportunity, pressure or incentive to take inappropriate risks, or engage in potential fraud, that may be exacerbated during an economic downturn? As two audit committee directors said, the systems must be “person-proofed” and run on “auto pilot.” Can the board demonstrate that it has taken reasonable steps to satisfy itself that executive officers possess integrity? (The board is responsible for satisfying itself that executive officers have integrity under NP 58-201.)
Back to our original hypothetical scenario. Directors have said to me, “we missed it,” or that you cannot protect yourself against a “rogue” or someone who is intent on committing fraud. I am not sure these answers are entirely satisfactory.
It seems to me that if the above steps are followed, and a culture of risk management and tone-at-the-top is set by the board, it’s much less likely that “we missed it” will occur.