
November 5, 2015
Electricity Distributors Association Fall Directors Summit, Toronto, Ontario

Richard Leblanc, CMC, BSc, MBA, LLB, JD, LLM, PhD
Associate Professor, Law, Governance & Ethics, York University, and Independent Advisor to Boards of Directors

Understanding Your Role as a Board Member: Delineation Between the Board and Staff

Copyright © Richard Leblanc. All rights reserved.

Topics I will address

1. Risk governance red flags for failure;
2. Relationship to management and staff;
3. Importance of risk and internal audit;
4. Connection between risk, culture and pay;
5. Whistle-blowing and a protected channel;
6. Company culture and the board’s role;
7. Communication, education and controls;
8. Technology: social media, reputation risk;
9. Tone at the top, and now in the middle;
10. Questions and answers;

Theory meets practice

• Two large banks;
• Health and safety, highly regulated company;
• Rail company;
• Two large IT companies;
• Two mining / oil companies;
• Global construction and aerospace companies;
• Pharmaceutical company;
• Religious organization with priests accused of wrongdoing;
• Two organizations with employees accused of sexual assault;
• Casino company;

Continuing changes in governance

Research and Practice

What does risk governance failure look like?

What was my role and what happened?

• Called in by board, regulator, police, monitor, judge, law firm;
• Bribery and corruption within the company and board;
• Property destruction and death;
• Stock manipulation and fraudulent financial statements (several);
• Sexual assaults (two);
• Improper expenses;
• Extensive lawsuits against directors: “I will [mess] up his life”;
• Significant fines and loss of reputation;
• Interviews of fraudsters (prison in three cases);

Methodology of my investigation

• Access to any personnel or any document;
• Directors and employees instructed: full cooperation;
• Confidential interviews and triangulation;
• Reporting to regulators and endorsement of recommendations;
• Recommendations and implementation: 6, 12, 18 month timelines;
• Counterpoint to industry assertions on integrity;
• Broader: 150 organizations; > 500 interviews;
• Other experts, including forensic accountants;

Findings: Red flags for risk failure

• Weak oversight functions and board line of sight;
• Weak risk and internal audit functions in particular;
• Weak internal control environment, immature internal controls (existence, design, implementation);
• Tone at top not consistent, consequential (to come);
• Lack of documentation of risk appetite framework;
• Boards ignorant of risks and integrity practices;
• Lack of controls over emerging and interactive risks;

Tone at Top: A Good Example

Risk mitigation and 56% of boards no women

Risk and Industry Expertise

Risk often lowest rated role of board

Sample results (director weaknesses)

Red flags for risk failure, continued

• The so-called “rogue” employee vs. actual culture;
• Culture, integrity & their controls not independently audited;
• Pay for results rather than pay for conduct;
• Pay drives behaviour: incented risk takers;
• Clawbacks not based on risk and ethics;
• Key performance indicators not risk-adjusted;
• Risk assessment before bonus and equity vests;
• Bullying, intimidation, fear: not speaking up (to come);
• Poor crisis management: law tail wagging company dog;

Crisis Management: A Good Example

Red flags for risk failure, continued

• Whistle-blowing program run by management, and neither anonymous nor rewarding (OSC / SEC examples);
• Flawed internal investigation and no confidence in it;
• Wrongdoer: dominant, bullying & charming, charismatic, high performing;
• Wrongdoing starts small, then capture, then bullying; then slippery slope of wrongdoing (see video);
• Protect the company (leader) and performance at all costs;
• Broad confidentiality clauses override whistle-blowing and speaking up;
• No reputation or exogenous shock test;

Why don’t people speak up?

Speak up, speak up, speak up!

Management or the Board?

Risk and compliance failure is always a failure of the board. It is not just a management failure. There is no such thing as a poor company, only a poor board.

Management or the Board?

If internal audit, compliance or risk is weak, you likely have a dominant management and a weak audit committee and board. It is not possible to have a strong audit committee and weak oversight functions.

Advice to any employee + oversight function:

Speak up, speak up, speak up!

The behaviour and practices you observe are the behaviour and practices that you accept.

Risk red flags, continued (general)

• Captured, complacent, even encouraging board;
• Ambiguity and complexity are a red flag for fraud;
• Focus on narrow rule correctness, not cumulative effect, spirit or principle;
• Limited education and communication;
• Industry and past practices justified and generalized;
• Living beyond means and not taking vacations;
• Blocking third party expertise (very common);
• Defective Code of Conduct, COI policy, sign-off;

Reputation Risk: Sources of Risk

Figure (not reproduced): map of sources of reputation risk. Source: J. Fraser, Enterprise Risk Management course, MFAc Program, York University, 2015. Note: the colours indicate the ratings given to these sources of risk; uncoloured sources were not rated as Medium or High at this date. Risk Rating Key: Very High; High; Medium/High.

Changes to risk management and audit: Review

• CRO, CAE, CCO, CAO: oversight functions: no functional oversight by management: baby steps;
• No CEO control any more: operational and executive management cannot interfere: client is board and committees;
• Selection, authority, mandate, resources, accountability, independence, compensation, succession;
• Compensation cannot include revenue or operational responsibilities as metrics;
• Board and Committee chair paper and training;
• RAF and limits / threshold best practices;

More on risk adjusted compensation

• Pockets of acute risk – complexity, cyber, safety, reputation – with opaque controls and management override;
• Immature, lack of controls, IT: RAF now;
• CAE restricted from compensation: full scope;
• Deferral and explicit ex post adjustment;
• Compensation Committee has discretion;
• Risk adjusted metrics with denominators;
• RM and ethics in clawback or malus;

Oversight of Risk Management

Risk map (Source: N. Marks; the diagram is captioned “We missed it.”). Internal risk categories: Strategic; Financial; Accounting & Reporting; Integrity; Operations; Human Resources; Information Technology. External sources of risk: Environment; Customers; Suppliers; Rating Agencies; Technology; Competitors. Items on the map:

• Strategic Planning
• Capital Investment
• Corp. Organization
• R&D
• Acquisitions
• Divestitures/Closures
• Manufacturing Strategy
• Functional Location
• Financial Planning & Modeling
• Risk Management - Insurance
• Risk Management - Interest Rates
• Investments
• Financing
• Liquidity/Cash Flow
• Credit/Bad Debts
• Performance Management
• SEC Reporting
• Financial Forecasts
• Tax Accounting & Reporting
• Management Reporting
• Reputation
• Management Fraud
• Employee Theft/Fraud
• Illegal Acts
• Resource Misuse
• Ethics
• Brand Image
• Tone At The Top
• SG&A
• Capital Projects
• Quality
• Customer Credits/Rebates
• Inventory Management
• Procurement
• Training
• Perf/Rewards Alignment
• Availability of Skilled Staff
• Communications
• Morale and Job Satisfaction
• Leadership
• Salary Inflation
• Knowledge Assets
• Empowerment
• Access
• Availability
• Information Relevance
• Continuity
• System Integrity
• Technology Infrastructure
• Tech Development & Integration
• IT & Business Strategic Alignment
• Outsourcer Management
• Cost Control
• Safety
• Environmental Compliance
• Govt. Compliance
• Reliability
• Operating Costs
• Sales and Marketing
• Contract Compliance
• Capacity Planning
• Engineering
• Repair Services
• Political
• Legal
• Regulatory
• Business Interruption
• External Theft/Fraud/Illegal Acts
• Business Practices
• Innovation
• Customers’ sales
• Planning
• Reliability
• Relationships
• Contracts
• Standards and Expectations
• Customer viability
• Supply
• Pricing
• Quality
• Relationships
• Billing
• Logistics
• Risk Management – Foreign Exchange
• Maxtor credit
• Vendor terms (guarantees, advance payments)
• Workforce management
• Product Obsolescence
• Tax Strategies
• Debt Compliance
• Lease Compliance
• Statutory Reporting
• Analyst Communications
• IP Protection

Oversight of Risk Management, continued

Source: Basel (May 10), Europe (Dec 10) and FDIC (Feb 11)

Internal Controls – Your Tools to Customize

• Segregation of duties
• Restricted areas
• Approvals
• Reconciliations
• Record retention
• Safeguarding and asset accountability
• Management override
• Manual controls
• Data Security
• IT, inventory and other controls;
• Areas of vulnerability and fraud schemes;

Source: R. Leblanc, Assessment methodology for audit committees; Audit Committee Review

Comprehensive Risk Governance

Diagram (not reproduced): the Board of Directors with its Audit Committee, Compensation Committee and Nominating/Governance Committee (or equivalents); committee charter coverage of material financial and non-financial business risks and internal control reporting (ICFR, ICNFR); management and oversight roles (CEO, CFO, CRO, CS, GC, IA, SHRO); regulatory drivers (S-Ox, Dodd-Frank, Basel/King, RAP); and the further labels Risk, EA, CC, GA, SF. One box on the diagram is marked “?”.

ERM Risk Register Template

Register columns: Risk | Inherent Risk Before Response (Probability, Impact) | Overall I.R. Rating Before Response | Risk Management Strategy & Points of Reliance | Residual Risk After Response (Probability, Impact) | Overall R.R. Rating After Response | Accountability & Action Required

Sample row (University Strategic Directions):
Risk: IT Infrastructure will not support University initiatives (p. 9)
Inherent risk before response: Probability 4 - Likely; Impact 5 - Major
Risk management strategy & points of reliance: Reduce; ICT Foundational Document; ITS Unit Plan; Data Use Policy; Etc.
Residual risk after response: Probability 3 - Possible; Impact 4 - Major
Accountability & action required: Complete plan; Develop & implement college & admin unit plans including contingency & recovery; Etc.

Rating key:
High: Critical importance to the success of the University in meeting its financial and non-financial goals
Moderate: Important but not critical to the success of the University in meeting its financial and non-financial goals
Low: Risk does not have a material bearing on the success of the University in meeting its financial and non-financial goals

Source: University of Saskatchewan
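The register template above, modelled in Python as an added example (it is not the University of Saskatchewan's register or the presenter's own tool). Each row carries inherent and residual probability/impact, the response and its points of reliance, and the actions and owner. The slide supplies only the labels ("4 - Likely", "5 - Major", "3 - Possible") and the High/Moderate/Low key, so the 1-5 scales, the product score and the bands that turn a score into a rating are assumptions made here. The review checks encode what a director reading a register should look for: residual risk that is not lower than inherent, a "Reduce" response with no controls behind it, a High residual with no action recorded, and no accountable owner.

```python
"""Worked ERM risk register (added example; scales and bands are assumed)."""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scales for probability and impact


@dataclass
class RiskResponse:
    strategy: str                  # e.g. "Reduce", "Accept", "Transfer", "Avoid"
    points_of_reliance: list[str]  # controls or documents the residual rating relies on


@dataclass
class RiskEntry:
    strategic_direction: str
    risk: str
    inherent_probability: int      # 1..5
    inherent_impact: int           # 1..5
    response: RiskResponse
    residual_probability: int
    residual_impact: int
    actions_required: list[str] = field(default_factory=list)
    accountable: str = ""          # empty string means no owner recorded


def score(probability: int, impact: int) -> int:
    """Assumed scoring: the product of the two ordinal scales (1..25)."""
    for value in (probability, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"scale value {value} outside {SCALE_MIN}..{SCALE_MAX}")
    return probability * impact


def rating(score_value: int) -> str:
    """Assumed bands mapping the product onto the slide's High/Moderate/Low key."""
    if score_value >= 15:
        return "High"
    if score_value >= 8:
        return "Moderate"
    return "Low"


def inherent_rating(entry: RiskEntry) -> str:
    return rating(score(entry.inherent_probability, entry.inherent_impact))


def residual_rating(entry: RiskEntry) -> str:
    return rating(score(entry.residual_probability, entry.residual_impact))


def review(entry: RiskEntry) -> list[str]:
    """Checks a board or audit committee reviewer would apply to one register row."""
    issues = []
    inherent = score(entry.inherent_probability, entry.inherent_impact)
    residual = score(entry.residual_probability, entry.residual_impact)
    if residual > inherent:
        issues.append("residual risk exceeds inherent risk; a response cannot add risk")
    if entry.response.strategy != "Accept" and not entry.response.points_of_reliance:
        issues.append("response claims to change the risk but lists no points of reliance")
    if residual_rating(entry) == "High" and not entry.actions_required:
        issues.append("residual rating is High with no action required recorded")
    if not entry.accountable:
        issues.append("no accountable owner recorded")
    return issues


def summarize(register: list[RiskEntry]) -> dict[str, int]:
    """Count rows by residual rating, the first view a committee asks for."""
    counts = {"High": 0, "Moderate": 0, "Low": 0}
    for entry in register:
        counts[residual_rating(entry)] += 1
    return counts


# The row shown on the slide, transcribed; the slide shows no owner for it.
IT_INFRASTRUCTURE = RiskEntry(
    strategic_direction="University Strategic Directions",
    risk="IT Infrastructure will not support University initiatives (p. 9)",
    inherent_probability=4,   # "4 - Likely"
    inherent_impact=5,        # "5 - Major"
    response=RiskResponse("Reduce", ["ICT Foundational Document", "ITS Unit Plan", "Data Use Policy"]),
    residual_probability=3,   # "3 - Possible"
    residual_impact=4,        # "4 - Major"
    actions_required=["Complete plan",
                      "Develop & implement college & admin unit plans including contingency & recovery"],
)

# A constructed second row that the review checks should flag.
UNSUPPORTED_REDUCTION = RiskEntry(
    strategic_direction="(constructed)",
    risk="(constructed) Data Use Policy not enforced for research systems",
    inherent_probability=3, inherent_impact=4,
    response=RiskResponse("Reduce", []),        # claims a reduction, names no controls
    residual_probability=4, residual_impact=4,  # yet residual is higher than inherent
    accountable="(constructed) CIO",
)

if __name__ == "__main__":
    for entry in (IT_INFRASTRUCTURE, UNSUPPORTED_REDUCTION):
        print(entry.risk)
        print("  inherent:", inherent_rating(entry), " residual:", residual_rating(entry))
        for issue in review(entry):
            print("  review:", issue)
    print(summarize([IT_INFRASTRUCTURE, UNSUPPORTED_REDUCTION]))
```

Running the block prints the slide's row as High inherent and Moderate residual, with the single review finding that no owner is recorded, and prints three findings for the constructed row; the bands in rating() are the part a real register would replace with the organization's own approved thresholds.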

Proper Internal Audit and Controls

• Independent;
• Compensation;
• Stature / Hiring / Firing;
• Work plan approved;
• Link to Audit Committee ~ Executive Sessions;
• Gross to residual risk for all material business risks;
• Testing design and effectiveness of all internal controls;

Weaknesses of Risk Management

• “Risk takers” & compensation;
• Non-financial risks and ICNFR: operations, technology, reputation, health, safety, security;
• Management knows the risks;
• Board:
  • Protect Internal Assurance;
  • Complete, coordinated, independent assurance;

Diagram (not reproduced): Integrated Mapped Assurance, linking Top Risk Families to Management Certification, Internal Assurance and External Assurance.


Risk Governance ~ Best Practices

• Formal documented risk appetite framework, with tolerances, registers and accountabilities;
• ERM that is integrated, dynamic and culturally embedded;
• Oversight functions’ compensation determined independently from business units, based on achievement of the functions’ objectives; no undue influence / conflicts;
• Risk function has input into performance metrics and compensation decisions of senior management;
• Third party reviews of risk, oversight functions;
• Crisis, contingency, scenario planning to Board;

Risk Limits, Roles, Responsibilities, Implementation

• Risk Appetite Framework: all in, in writing, board approved;
• Risk Appetite Statement: qualitative and quantitative;
• Risk Limits: specific, containing, constraining, clear, controlled, reported, assured, in real time;
• Implementation: shared, communicated, tested, accountabilities, flowing from strategy, monitoring and reporting;
• New roles and responsibilities: Board, A/R Committee, CRO, CAE, Chairs and CEO, CFO, line and unit leaders;
• Risk expertise on board and committee coverage;

Another example: IT Risk

Social Media, IT Governance Trends

• “Our entire lives are connected to the internet” (FBI Director);
• Social media #1 activity on the web (HuffPo, BCooper);
• Average user picks up their device 1,500 times a week (MailOnline), and reaches for it at 7:31am each morning;
• Average smartphone owner uses their phone for three hours, 16 minutes each day;
• Only 13% of companies have BYOD policies (EY, 2014);
• < 50% of companies use encryption techniques for devices;
• 38% of companies do not address cloud risks;

Social Media, IT Governance Trends (cont’d)

• Cybercrime: ~ $9-21 trillion possibly at risk (NACD report);
• Cybercrime constitutes “greatest transfer of wealth in history” (NSA Chief);
• Head of FBI, James Comey: “impossible to count”. The internet is “the most dangerous parking lot imaginable.”;
• “There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese.”
• “Only 56% of companies conduct penetration tests, and 19% fail to test at all” (EY, 2014);
• Cyber criminals are at world cup level, and we are at high-school soccer level (Head of FBI analogy);

Internal Controls Over Social Media, BYOD

• Many companies still do not have policies or controls (~ 50%) over social media, and 13% over BYOD;
• Education, communication, training: fair, clear and not misleading;
• Code of conduct and employment contract;
• Identify, explain, monitor, enforce: confidential information, brand, reputation, privacy, inside knowledge, copyright, fair dealing, record retention;
• Scope of employment, training program, and approval process;

Social Media Policies consulted: Apple, Coke, Best Buy, Cisco, on social media policy database: http://socialmediagovernance.com/policies/

Internal Controls Over Social Media, BYOD, continued

• See social media policy database: http://socialmediagovernance.com/policies/
• Social media training and attack / crisis simulation;
• Advanced social media analytics monitoring;
• Secure the data, not the device (BYOD): permitted / supported devices; content applications; acceptable use; Mobile Device Management, MAM, security; app development; passwords; monitoring; storage; ownership of apps and data; example policies and best practices; device payment / stipend; policy enforcement;

BYOD Policies consulted: White House, Dell, Citrix, others

Internal Controls Over Cyber Security Risk

Figures (not reproduced). Sources: A. Renda, Cybersecurity and Internet Governance, Centre for European Policy Studies, 2013; PwC and IRRCi: “What investors need to know about cybersecurity,” 2014

Internal Controls Over Cyber Security Risk, continued

• Human error or carelessness one of the biggest risks;
• Cyber linked to social media: 30% of security incidents result from social networking (NACD report);
• Less than 1/3 of boards (Carnegie Mellon) addressing RM in relation to IT operations or computer and information security;
• “Most policies currently in place,” “are too weak to reasonably ensure that systems are not breached.” (NACD report);
• Not enterprise wide, integrated, strategic, cultural;
• Due diligence, cyber security frameworks and standards;

Internal Controls Over Cyber Security Risk, continued

• Organization and resources: framework; authorities; specialists; 24/7; background security checks; training/awareness to new and existing employees;
• Cyber risk and control assessment: people, process, data, technology; outsourcing; IT service providers; scans and testing of client, server, network infrastructure for gaps; regular penetration testing; testing with third-party (3P) cyber mitigation services; cyber attack (including DDoS) and recovery simulation exercises; Internet outage risk;

Source: OSFI, NIST, SANS Institute, ISO frameworks;

This is what strong cyber risk management looks like:

Internal Controls Over Cyber Security Risk, continued

• Situational awareness: enterprise-wide knowledge of users, devices, applications, software/hardware, network maps; normalizing, aggregation and correlation of security event information; analysis of events to identify potential attacks; expert analysis follow-up; tracking & monitoring of incidents outside the company; industry research;
• Threat and vulnerability risk management: Data Loss Detect/Prevent; Cyber Incident Detection & Mitigation; Software Security; Network Infrastructure; Standard Security Configuration and Management; Network Access Controls and Management; Third Party Management; Customers and Clients; controls all enterprise-wide, including reputation / behaviour based;

Source: OSFI, NIST, SANS Institute, ISO frameworks;

Internal Controls Over Cyber Security Risk, continued

• Cyber security incident management: rapid response and mitigation; authority; documented procedures; protocols; escalation taxonomy; pre-scripted communication; recovery; systems integrity; post-incident review; controls upgraded; forensic investigation; closure;
• Cyber security governance: Policy and strategy: enterprise-wide cyber security policy and strategy; Second line of defence (RM); Third line of defence (CAE, independent control group and challenge, resources and expertise, testing of controls); Senior management and board oversight (funding, implementation, assurance); External benchmarking;

Source: OSFI, NIST, SANS Institute, ISO frameworks;

Resources for Directors, Regulatory Guidance

• “You have to own this problem as a leader”: Adm. Michael Rogers, Director of National Security Agency;
• “Big Delta”: legislation may be coming;
• Lead by example: Yahoo’s CEO’s smartphone did not have a password;
• As a Director, you do not need to be an expert, but you should be technology literate and informed;
• Information, documentation and questions are your influence touchpoints and oversight;
• See technology as an enterprise risk and strategic and business issue, not a narrow IT issue;

Resources for Directors, continued

• Watch out for fuzzy reports, recent expertise, and cottage vendors;
• Brief one of these excellent reports: NIST Framework for Improving Critical Infrastructure Cybersecurity; SANS Institute Critical Security Controls; ISO/IEC 27032; NACD Cyber-Risk Oversight;
• Glossary and acronyms: brief these to understand;
• Your job is to understand, identify and oversee, not to manage: budget, talent, resources, reporting, assurance, disclosure: watch “technical devolution”;
• The risk: cyber failure: Where was the Board?

Questions for Directors, to Management

• Informed, best-practice and precise questions;
• Agree on a platform or framework (see my earlier links) and direct management to have an action plan and target date for full implementation;
• Management may be averse to the spend and controls;
• Does management show you IT, and broader enterprise risk management: how identified, controlled & assured?
• Are you satisfied with the IT, risk management and internal audit bench strength? These are your eyes and ears: you may need to direct changes and resources;

Questions for Directors, to Management, continued

• Are your crown jewels / valuable assets protected from outside, and, once inside, also protected? (Think like a thief.)
• Do you meet separately with risk, compliance, audit to assure cyber security risk?
• Do you have scenario testing and mock exercises over digital media and cyber breaches?
• Do you have the authority to retain a third party? Do you exercise this authority if or when you need to?
• Does your board have or need IT, risk expertise?

Research and Practice

Again:

There is nothing a board cannot control. There is no more power we can give to boards. Risk failure, I find, is always traced to a board not acting, or acting inappropriately.

“Comply or Explain” Regime

Source: Basel (May 10), Europe (Dec 10) and FDIC (Feb 11)

• CSA Staff Notice 58-306 (Dec 10): “unacceptable”;
• EU Submission

Thank you!

Contact Information

Professor Richard Leblanc, Faculty of Liberal Arts & Professional Studies, York University
Tel: (416) 736-2100 x 33744
Email: [email protected]
Twitter: http://twitter.com/DrRLeblanc
LinkedIn Group: Boards & Advisors

Short bio

Professor Richard Leblanc is an award-winning teacher and researcher, consultant, lawyer and specialist on corporate governance and accountability. He is a former recipient of Canada’s Top 40 Under 40™ award, received a teaching award as one of the top five university teachers in Ontario, and was named to Canadian Who’s Who.

Professor Leblanc’s research expertise is in corporate governance, specifically in the effectiveness of boards of directors. He will provide hands-on examples of how to maneuver the challenges directors could face, based on his extensive service as an external advisor to boards that have won national awards and peer endorsement from institutional shareholders for their corporate governance practices.

His work, directly or indirectly, has impacted companies throughout the world, including those that have used Dr Leblanc’s methodology to strengthen their governance effectiveness and accountability practices.

Dr. Leblanc brings to business and professional audiences a depth of information from his extensive research and work with over 150 organizations, and training, assessment and development of over 1,000 directors and managers.