On September 1, 2009, the New York Stock Exchange (NYSE) announced the formation of its Commission on Corporate Governance. Fueled by the 2008 and 2009 financial crises, and with memories of Enron, WorldCom and Bernie Madoff still echoing across corporate America, the Commission set out to review corporate governance practices employed by a broad range of companies. The review culminated in the issuance of a Commission report on September 23, 2010. According to the Commission's mission statement, the report sought to "forge a consensus on a variety of today's most controversial corporate governance issues."1As a result, the Commission identified ten core principles essential for implementing effective corporate governance in today's helter-skelter economic and regulatory environment.2
The NYSE's ten principles of corporate governance hit on a wide spectrum of corporate governance topics, including areas relating to stakeholder and communications management, risk management and business process transparency. As we move into the second quarter of 2011, these corporate governance 'hot topics' take on additional importance as sweeping regulatory reform continues to impact the corporate landscape and how companies manage their business information.
Stakeholder And Communications Management
Principle 2 - ". . . a key aspect of successful governance depends upon successful management of the company, as management has primary responsibility for creating an environment in which a culture of performance with integrity can flourish."
Principle 2 in the NYSE Commission report focuses on the importance of the relationships and the communications between the board, internal stakeholders, such as management and employees, and external stakeholders, such as shareholders.3Establishing formal processes to frequently communicate with stakeholders is a necessary part of corporate governance.Developing and executing a communication plan that incorporates key audiences, messages and efficient delivery mechanisms is the basis for letting a company's stakeholders know how well, or not, it is doing. Along with processes, a company should also think about the tools used to deliver information. Research firm Gartner, Inc. recently announced that even though the use of social media is prolific (Facebook now claims more than 500 million active users), many companies are still without policies or procedures to control and manage social media use, resulting in an inability to ensure accurate and up-to-date information.4
Risk Management
Principle 4 - "Good corporate governance should be integrated with the company's business strategy and objectives and should not be viewed simply as a compliance obligation separate from the company's long-term business prospects."
Principle 4 of the NYSE Commission's report calls for corporate governance to be embedded into a company's overarching business strategy. Part of that overarching strategy is to include what the report calls "prudent risk management";5a component of which is to identify and protect a company's assets. In today's digital world, a company can have no greater asset than its information and must put in place the necessary policies and processes to ensure the protection of its information. For example, the need to identify and protect personally identifiable information (PII) has become a huge concern.6Recent changes to legislation, such as last year's Massachusetts Data Privacy Law 201 CMR 17,7and the European Union's recent announcement highlighting its intent to reform its existing data protection directive, highlight the huge complexity of global data privacy issues, and the potential damage to a company for failing to protect its information.
Business Process Transparency
Principle 6 - Good corporate governance includes transparency for corporations and investors, sound disclosure policies and communication beyond disclosure through dialogue and engagement as necessary and appropriate.
Principle 6 from the NYSE Commission on Corporate Governance calls for an increase in transparency into company operations.8After all, "governance is about processes, not about ends."9This transparency relates to all types and levels of company operations and processes; not just to company financials. Last year's Dodd-Frank Wall Street Reform and Consumer Protection Act, for example, is intended to promote financial stability by improving accountability and transparency into the financial system.10Part of this transparency relates to the retention and maintenance of certain sets of business information, including board and governance minutes, audit and compliance information and even marketing materials. By looking in detail at its business processes, a company gets a snapshot of its entire operations and identifies what information is where in the company and who "owns" that information.
Given the NYSE's principles of corporate governance and the hot topics for 2011, what does this mean for your company's information? Essentially, in looking to implement the key principles of corporate governance, a company should establish or improve upon an existing, formal company-wide information management program. By implementing an information management program, a company satisfies several key elements necessary for successful corporate governance.
There are four main steps a company can take to either build an information management program or to improve the program currently in place.
1. Understand what information is "out there."
• Improve your overall knowledge of your company's information and where it is.
• Start with an inventory of all company information and identify where the information is, including on social media sites.
• An Enterprise Information Map can help you identify your highest risk information regardless of its storage location inside or outside your company.11
2. Form partnerships between key management personnel and business areas.
• Bring together Information Management, Information Technology, Legal, Internal Audit, Finance and Business Line Leaders.
• Identify and discuss ongoing risks and mitigation strategies for the management and monitoring of information for business use.
• Identify how best to respond in the event of e-discovery.
3. Update your existing information management-related policies and processes.
• Records retention schedules and other key documents should include references to the management of all types of information, regardless of how or where that information may be stored or posted.
• Identify and understand relationships among all of the key elements that make up your company's information management program - primarily business processes, information, policy, applications, governance and infrastructure.
4. Adopt a process-centric approach to information management.12
• Identify the major functions your business conducts and the business processes that you use to conduct those functions.
• Identify the information that supports each business process and how information flows among the different business processes, systems and information repositories.
• Determine how information supports each business process.
• Determine where the information is stored.
• Identify who is responsible and/or has access to the information.
• Understand why the information is and/or must be retained and managed in the first place.
As we move into the second quarter of 2011, the scrutiny on corporate governance practices will only increase as the regulatory environment continues to change in response to an economic state of flux. The need to implement practical corporate governance solutions inevitably results in changes to how a company maintains, uses and manages its most valuable asset - its information. By looking at the principles of corporate governance, a company can identify the core elements of an information management program to develop or improve, in line with the company's overarching corporate governance strategy and business needs. 1 Report of the New York Stock Exchange Commission on Corporate Governance , September 23, 2010, p.A-.1.
2For a full version of the NYSE report and detailed descriptions of the ten identified principles, see http://www.nyse.com/pdfs/CCGReport.pdf.
3 Report of the New York Stock Exchange Commission on Corporate Governance , September 23, 2010, p.3.
4The full Gartner report, Social Media Governance: An Ounce of Prevention, available at http://www.gartner.com/DisplayDocument?ref=clientFriendlyUrl&id=1498916.Summary of the report available at http://www.arma.org/policy/policy/washingtonpolicybrief/11-03-01/Social_Media_Governance_Lacking.aspx. Statistics on Facebook available athttp://www.facebook.com/press/info.php? statistics.
5 Ibid. , p.4.
6PII is defined as any data about an individual that could potentially identify that person, such as name, street address or telephone number.
7Full text of MA 201 CMR 17 available at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
8 Report of the New York Stock Exchange Commission on Corporate Governance , September 23, 2010, p.5.
9 Governance: Past, Present, Future: Setting the Governance Agenda for the Millennium Declaration , Sakiko Fukuda-Parr and Richard Ponzio, October 2002.
10Full text of the Dodd-Frank Act available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h4173enr.txt.pdf.
11For further information on Enterprise Information Maps, see " GPS" For Your Organization: The Art and Science of the Enterprise Information Map, by Paula Walker, Maura Dunn and Jeff Pierantozzi, Duff and Phelps LLC, available at: http://www.metrocorpcounsel.com/current.php?artType=view&EntryNo=9252.
12For further information on the process-centric approach to information management, see The New Business of Managing Information: A Process-Centric Approach, by Robert Kirtley, Maura Dunn and Lee Karas, Duff & Phelps, LLC, available at: http://www.metrocorpcounsel.com/current.php?artType=view&artMonth=February&artYear=2010&EntryNo=10060.
Published April 3, 2011.