Recent events in the financial markets and the ensuing economic turmoil has shattered the trust of investors, regulators and Main Street in financial institutions and the capital markets on a global scale. The crisis has heightened focus on the importance of risk management at all corporations and has encouraged a fresh look at the role of the board in risk oversight. Although the manner in which a board fulfills its risk oversight responsibilities is a matter of business judgment, directors should bear in mind that conduct will be judged by investors, regulators, the media and others with the benefit of 20-20 hindsight. There is benefit to be had in going beyond the standards of care set by Caremark and its progeny, which require board oversight of an effective compliance and reporting system. Remembering that "best practices" provide a zone of comfort with respect to avoiding director liability, we set forth below ten areas for the board to enhance its focus in 2009 in light of the current environment. They are all related in some respect to enhancing the board's ability to oversee management's efforts to identify and avoid, mitigate or manage risk, with the caveat that specific actions to be taken will vary for each company.
1. Apply judgment in tailoring governance structures and processes to the current needs of the company. Remember that adopting a one-size-fits-all check-list approach to corporate governance is fundamentally inconsistent with effective governance. Care should be taken to avoid bowing to pressures to adopt practices that may not be in the company's interest, while at the same time actively considering the viewpoints of key shareholders on appropriate matters. Boards should tailor their governance practices and structures to the company's unique needs. The Key Agreed Principles to Strengthen Corporate Governance of U.S. Public Companies published in October 2008 by the National Association of Corporate Directors with support and input from The Business Roundtable and the International Corporate Governance Network (available at ttp://www.nacdonline.org/pdf/KeyAgreedPrinciples.pdf and briefly outlined in the Appendix to this document) reflect an effort to distill and articulate fundamental principles-based aspects of governance on which there is broad consensus. The Key Agreed Principles capture the current baseline consensus among boards, managements and shareholders about a range of effective governance practices. Their articulation may help improve the quality of discussion and debate about those governance issues that have not yet gained consensus, and also serve as a touchstone for boards in tailoring governance and avoiding a rote approach. We urge boards to gain familiarity with the Principles and consider them in tailoring their own governance structures and practices to meet the needs of their respective companies.
2. Take a fresh look at board composition and director competency. While a board is more than the sum of its parts, it requires key skill sets and experiences to be positioned to provide oversight of risk and compliance. The nominating/corporate governance committee should review with rigor the composition of the board and determine whether the board is comprised of people with the optimal mix of experience given the business, circumstances and nature of the risks facing the company. The right mix of competencies will change over time as the company evolves and care needs to be taken to avoid a mindset of "permanent tenure" for directors. The board should use the evaluation process (as well as term/age limits where appropriate) to refresh itself periodically. It is not enough to pull together a distinguished group of men and women if those directors do not have the expertise necessary to understand the fundamentals of the company's business as the business changes over time and the attendant risks. Given the emphasis on independent directors, boards need to take special care to ensure that persons on the board have industry specific expertise and distinct sources of information about the intricacies of the business and related risks. The board should consider ways to ensure that it is not simply dependent on management for its understanding of the business and the industry. The nominating/corporate governance committee should ensure that company-specific director education and orientation programs are presented to the full board periodically, especially programs that address risk oversight and risk management generally, providing directors with the opportunity to learn about specific risks affecting the company and changes in business conditions and legal standards that may impact on risk.
3. Consider implementing some form of independent board leadership. The ability to exercise effective oversight may be compromised where the board lacks any defined leadership for the independent and non-management directors. Management has natural conflicts and blind spots - in monitoring CEO performance, providing risk oversight and evaluating the strategic plan. The long-range trend is toward a separation of the chair and CEO positions, with an independent director filling the chair role, and that trend is likely to accelerate as shareholders seek assurances that the board is strongly positioned to provide objective judgment in its review of management decisions in key areas. The board - and in particular the independent directors assisted by the nominating/corporate governance committee - should evaluate whether to appoint a separate independent chairman or a strong lead director to assist the board in fulfilling its oversight responsibilities, and should explain its choice to shareholders. For companies that combine the roles of CEO and chairman, expect increased pressure from shareholders to separate the positions or at a minimum create a strong lead director position with an appropriate range of responsibilities. Indications are that independent board leadership will be a "hot button" issue for shareholders during the 2009 proxy season.
4. Ensure that risk oversight is on the board's agenda, as a matter of substance and process. Taking risk is at the heart of entrepreneurial activity, and risks are inherent in any business strategy. The Board has a vital role to play in assisting management to: (i) focus on the risks associated with corporate strategies and the business environment generally (risk substance); (ii) determine the degree of risk that the Company can withstand (risk appetite) and (iii) devote appropriate resources to risk identification, avoidance, and mitigation activities (risk process). Given the link between business strategies and risk, and the related link between risk and corporate performance, risk oversight is not a board responsibility that is easily delegated in whole to a board committee. While the audit committee is charged by New York Stock Exchange listing rules with risk oversight related to financial disclosures, and a board may decide to delegate oversight of risk processes to the audit committee or another board committee, the full board needs to be engaged in substantive discussions of risks associated with the business as well as understand the processes that management has in place to identify and manage risk. The board should pay special attention to the integration of risk management processes to ensure that risk management is not unduly "siloed." Risk management decisions with respect to one type of risk (e.g., market risk) reflect decisions made with respect to another type of risk (e.g., credit risk). The board should also pay special attention to reporting lines and responsibilities within the management team. The chief risk officer should have a direct and unfiltered reporting line to both the CEO and to the board. Authority and communication lines are vital to ensuring that both senior management and the board is aware of significant risks as necessary within an agreed timeframe. All of this requires reserving time on the board agenda for oversight discussions related to risk management on a regular basis.
5. Understand the impact of risk on strategic aspects of operations. Understanding the key risks associated with the drivers of corporate performance is key to the board's ability to evaluate the company's strengths, weaknesses, opportunities and threats, and thereby provide guidance on corporate strategy. Identifying and maximizing strategic opportunities within a framework of prudent risk-taking requires reliable risk-reward information. This may require reassessment of the company's appetite for risk by the board (or board committee such as the audit committee) and management, in light of recent events. And it may also require new competencies on the board. (See item 2, above.)
6. Reemphasize (and review) disclosure controls and procedures to ensure timely and accurate disclosures, as well as effective internal controls, compliance and ethics systems generally. Times of crisis and stock market freefall increase pressure on management to meet performance targets with a related increase in the risk of inappropriate earnings management and fraud. Tight credit markets and the economic downturn have already led many companies to significantly revise risk factors and MD&A in periodic reports so as to explain the impact of the crisis. To ensure that disclosures accurately reflect current conditions and increase investor trust in the veracity of disclosures, the audit committee should request that management's disclosure committee and the internal auditor review the company's internal control over financial reporting and disclosure controls and procedures in coordination with members of management who are focused on risk, and make improvements as needed. This may necessitate, for example, challenging management to strengthen and deepen procedures that support the CEO/CFO certification process and staffing senior management with risk expertise on the disclosure committee. The board should also think about foregoing earnings guidance as a way of mitigating risk. The company's commitment to maintaining strong controls is especially critical during times of crisis and the concomitant increased risk of fraud - it should not be viewed as a cost center that can be scaled back to marginally increase the bottom line.
7. Scrutinize compensation incentives through a risk-focused lens. Efforts should be taken to ensure that executives are not being rewarded for taking excessive risks. Compensation programs should be reviewed and reworked where necessary - whether or not the company is participating in the Treasury Department's Troubled Asset Repurchase Program. The compensation committee will need to work with appropriate members of management to identify the risks and implement appropriate compensation structures designed to reward long-term performance and incorporate enhanced claw-back features. The contours of such compensation programs vary from company to company: there is no magic formula. The compensation committee should also consider the rationale for all aspects of compensation and consider how such elements will be described in the company's CD&A. Compensation transparency is critical, not only at companies that participate in TARP or that have already adopted voluntarily a shareholder advisory vote on compensation ("say on pay"), which is likely to become a legislated requirement for all public companies in the near future.
8. Build risk management into CEO and senior executive evaluations. If compensation programs are to reward appropriate efforts at risk management by the CEO and senior executives, the CEO and other senior executives must be evaluated to some degree on their efforts at risk management. Boards should consider how to gauge risk-appropriate behaviors, and also consider the use of incentives and discipline to promote compliance and ethical conduct (a necessary but not sufficient factor in an effective compliance and ethics program under the Federal Sentencing Guidelines). In reviewing executive performance, the board should consider whether sufficient value and emphasis is given to rewarding managers who actively promote a culture of appropriate risk management and compliance.
9. Exercise caution in adjusting previous equity compensation grants (for example, repricings or exchanges) or in otherwise adjusting compensation with respect to missed performance goals. Modification of previous equity compensation grants and the exercise of compensation committee discretion to pay bonuses or make equity grants when performance targets have not been achieved can undermine the company's compensation philosophy and objectives, and send the wrong signal to shareholders that executives will be rewarded no matter what. Companies that wish to reprice or exchange underwater stock options (to assist in executive retention or other reasons) should be aware that such efforts may be treated with skepticism by shareholders as evidencing "pay for failure" - particularly when shareholders have experienced negative returns.
10. Ensure the vitality of the tone at the top and its alignment with risk profile, strategic direction, compensation incentives and financial reporting and controls. An appropriate tone of compliance, control and integrity should be promoted throughout the organization by the board and management. The corporate culture should emphasize a measured approach to risk-taking in making strategic decisions and a lack of tolerance for excessive business, financial, compliance and other risks. This tone should be reflected in management incentive programs which do not reward excessive risk-taking, as well as financial reporting and controls designed to provide accurate disclosure and mitigate risk. This type of holistic approach to risk - if adopted by all companies and disclosed as such to investors - should go a long way towards restoring trust in the board and, in turn, the market system generally.
Published March 1, 2009.