November 5, 2015 Electricity Distributors Association Fall Directors Summit Toronto, Ontario
Richard Leblanc, CMC, BSc, MBA, LLB, JD, LLM, PhD Associate Professor, Law, Governance & Ethics, York University, and Independent Advisor to Boards of Directors
Understanding Your Role as a Board Member: Delineation Between the Board and Staff
Copyright © Richard Leblanc. All rights reserved.
Topics I will address
1. Risk governance red flags for failure;
2. Relationship to management and staff;
3. Importance of risk and internal audit;
4. Connection between risk, culture and pay;
5. Whistle-blowing and a protected channel;
6. Company culture and the board's role;
7. Communication, education and controls;
8. Technology: social media, reputation risk;
9. Tone at the top, and now in the middle;
10. Questions and answers.
Theory meets practice
- Two large banks;
- Health and safety, highly regulated company;
- Rail company;
- Two large IT companies;
- Two mining / oil companies;
- Global construction and aerospace companies;
- Pharmaceutical company;
- Religious organization with priests accused of wrongdoing;
- Two organizations with employees accused of sexual assault;
- Casino company.
Copyright © 2011 Richard Leblanc. All rights reserved.
Research and Practice
What does risk governance failure look like?
What was my role and what happened?
- Called in by board, regulator, police, monitor, judge, law firm;
- Bribery and corruption within the company and board;
- Property destruction and death;
- Stock manipulation and fraudulent financial statements (several);
- Sexual assaults (two);
- Improper expenses;
- Extensive lawsuits against directors: "I will [mess] up his life";
- Significant fines and loss of reputation;
- Interviews of fraudsters (prison in three cases).
Methodology of my investigation
- Access to any personnel or any document;
- Directors and employees instructed: full cooperation;
- Confidential interviews and triangulation;
- Reporting to regulators and endorsement of recommendations;
- Recommendations and implementation: 6, 12, 18 month timelines;
- Counterpoint to industry assertions on integrity;
- Broader: 150 organizations; > 500 interviews;
- Other experts, including forensic accountants.
Findings: Red flags for risk failure
- Weak oversight functions and board line of sight;
- Weak risk and internal audit functions in particular;
- Weak internal control environment, immature internal controls (existence, design, implementation);
- Tone at top not consistent, consequential (to come);
- Lack of documentation of risk appetite framework;
- Boards ignorant on risks and integrity practices;
- Lack of controls over emerging and interactive risks.
Tone at Top: A Good Example
Red flags for risk failure, continued
- The so-called "rogue" employee vs. actual culture;
- Culture, integrity & their controls not independently audited;
- Pay for results rather than pay for conduct;
- Pay drives behaviour: incented risk takers;
- Clawbacks not based on risk and ethics;
- Key performance indicators not risk-adjusted;
- Risk assessment before bonus and equity vests;
- Bullying, intimidation, fear: not speaking up (to come);
- Poor crisis management: law tail wagging company dog.
Red flags for risk failure, continued
- Whistle-blowing program run by management, and neither anonymous nor rewarding (OSC / SEC examples);
- Flawed internal investigation and no confidence in it;
- Wrongdoer: dominant, bullying & charming, charismatic, high performing;
- Wrongdoing starts small, then capture, then bullying; then slippery slope of wrongdoing (see video);
- Protect the company (leader) and performance at all costs;
- Broad confidentiality clauses override whistle-blowing and speaking up;
- No reputation or exogenous shock test.
Management or the Board?
Risk and compliance failure is always a failure of the board. It is not just a management failure. There is no such thing as a poor company, only a poor board.
Management or the Board?
If internal audit, compliance or risk is weak, you likely have a dominant management and a weak audit committee and board. It is not possible to have a strong audit committee and weak oversight functions.
Advice to any employee + oversight function:
Speak up, speak up, speak up! The behaviour and practices you observe are the behaviour and practices that you accept.
Risk red flags, continued (general)
- Captured, complacent, even encouraging board;
- Ambiguity and complexity is a red flag for fraud;
- Focus on narrow rule correctness, not cumulative effect, spirit or principle;
- Limited education and communication;
- Industry and past practices justified and generalized;
- Living beyond means and not taking vacations;
- Blocking third party expertise (very common);
- Defective Code of Conduct, COI policy, sign-off.
Reputation Risk: Sources of Risk
[Figure: rated sources of reputation risk. Rating key: Very High, High, Medium/High. The colours indicate the ratings of these sources of risk; uncoloured sources were not rated Medium or High at this date.]
Source: J. Fraser, Enterprise Risk Management course, MFAc Program, York University, 2015
Changes to risk management and audit: Review
- CRO, CAE, CCO, CAO: oversight functions: no functional oversight by management: baby steps;
- No CEO control any more: operational and executive management cannot interfere: client is board and committees;
- Selection, authority, mandate, resources, accountability, independence, compensation, succession;
- Compensation cannot include revenue or operational responsibilities as metrics;
- Board and Committee chair paper and training;
- RAF and limits / threshold best practices.
More on risk adjusted compensation
- Pockets of acute risk (complexity, cyber, safety, reputation) with opaque controls and management override;
- Immature, lack of controls, IT: RAF now;
- CAE restricted from compensation: full scope;
- Deferral and explicit ex post adjustment;
- Compensation Committee has discretion;
- Risk adjusted metrics with denominators;
- RM and ethics in clawback or malus.
Oversight of Risk Management
[Figure: risk universe chart (source: N. Marks). Risk families shown: Strategic; Financial; Information Technology; Human Resources; Accounting & Reporting; Integrity; Operations; Environment; Customers; Suppliers; Rating Agencies; Technology; Competitors.]
Example risks listed in the chart (in chart order, family assignment not recoverable from the extracted text): Strategic Planning; Capital Investment; Corp. Organization; R&D; Acquisitions; Divestitures/Closures; Manufacturing Strategy; Functional Location; Financial Planning & Modeling; Risk Management - Insurance; Risk Management - Interest Rates; Investments; Financing; Liquidity/Cash Flow; Credit/Bad Debts; Performance Management; SEC Reporting; Financial Forecasts; Tax Accounting & Reporting; Management Reporting; Reputation; Management Fraud; Employee Theft/Fraud; Illegal Acts; Resource Misuse; Ethics; Brand Image; Tone At The Top; SG&A; Capital Projects; Quality; Customer Credits/Rebates; Inventory Management; Procurement; Training; Perf/Rewards Alignment; Availability of Skilled Staff; Communications; Morale and Job Satisfaction; Leadership; Salary Inflation; Knowledge Assets; Empowerment; Access; Availability; Information Relevance; Continuity; System Integrity; Technology Infrastructure; Tech Development & Integration; IT & Business Strategic Alignment; Outsourcer Management; Cost Control; Safety; Environmental Compliance; Govt. Compliance; Reliability; Operating Costs; Sales and Marketing; Contract Compliance; Capacity Planning; Engineering; Repair Services; Political; Legal; Regulatory; Business Interruption; External Theft/Fraud/Illegal Acts; Business Practices; Innovation; Customers' sales; Planning; Relationships; Contracts; Standards and Expectations; Customer viability; Supply; Pricing; Billing; Logistics; Risk Management - Foreign Exchange; Maxtor credit; Vendor terms (guarantees, advance payments); Workforce management; Product Obsolescence; Tax Strategies; Debt Compliance; Lease Compliance; Statutory Reporting; Analyst Communications; IP Protection.
"We missed it."
Oversight of Risk Management, continued
[Figure slide; image not reproduced.]
Source: Basel (May 10), Europe (Dec 10) and FDIC (Feb 11)
Internal Controls: Tools to Customize
- Segregation of duties;
- Restricted areas;
- Approvals;
- Reconciliations;
- Record retention;
- Safeguarding and asset accountability;
- Management override;
- Manual controls;
- Data security;
- IT, inventory and other controls;
- Areas of vulnerability and fraud schemes.
Source: R. Leblanc, Assessment methodology for audit committees
Comprehensive Risk Governance
[Figure: governance diagram. Board of Directors at the top, with the Audit Committee (or equivalent), Comp. Committee (or equivalent) and Nom/Gov. Committee (or equivalent). Committee charter coverage: risk; material financial and non-financial business risks & IC reporting. Functions and reporting lines shown: CEO, CFO, CRO, IA, CS, GC, EA, CC, GA, SF, SHRO; ICFR and ICNFR. Regulatory references: S-Ox, Dodd-Frank, Basel/King, RAP.]
ERM Risk Register Template (University Strategic Directions)
Columns: Risk | Inherent risk before response (probability, impact, overall I.R. rating) | Risk management strategy & points of reliance | Residual risk after response (probability, impact, overall R.R. rating) | Accountability & action required
Example row:
- Risk: IT infrastructure will not support University initiatives (p. 9);
- Inherent risk before response: probability 4 - Likely; impact 5 - Major;
- Strategy: Reduce; points of reliance: ICT Foundational Document, ITS Unit Plan, Data Use Policy, etc.;
- Residual risk after response: probability 3 - Possible; impact 4 - Major;
- Accountability & action required: complete plan; develop & implement college & admin unit plans including contingency & recovery; etc.
Rating key:
- High: critical importance to the success of the University in meeting its financial and non-financial goals;
- Moderate: important but not critical to the success of the University in meeting its financial and non-financial goals;
- Low: risk does not have a material bearing on the success of the University in meeting its financial and non-financial goals.
Source: University of Saskatchewan
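The register template above is a data structure with a scoring rule attached: probability times impact gives an inherent score, the response lowers it to a residual score, and each score maps onto a rating band. The following is an added Python example, not part of the deck or the University of Saskatchewan template. It assumes five-point probability and impact scales, assumes the score thresholds for the High / Moderate / Low bands (the deck only names the bands), and adds the consistency checks an internal audit reviewer would run over a submitted register: residual risk that exceeds inherent risk, a "Reduce" strategy with no controls to rely on, a High residual risk with no action, and a row with no accountable owner. The sample register is constructed; its first row follows the deck's example and the second is deliberately flawed.

```python
from dataclasses import dataclass
from typing import List

# Five-point scales. The deck's row uses labels such as "4 - Likely" and "5 - Major";
# the full label sets and the score thresholds below are assumptions, not the deck's.
PROBABILITY = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}


def score(probability: int, impact: int) -> int:
    """Probability x impact on the 1-5 scales; rejects values that are off the scale."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError("probability and impact must be on the 1-5 scale")
    return probability * impact


def rating(probability: int, impact: int) -> str:
    """Map a score onto the High / Moderate / Low bands (thresholds assumed)."""
    s = score(probability, impact)
    if s >= 15:
        return "High"
    if s >= 8:
        return "Moderate"
    return "Low"


@dataclass
class RiskEntry:
    risk: str
    inherent_probability: int
    inherent_impact: int
    strategy: str                      # Accept / Reduce / Transfer / Avoid
    points_of_reliance: List[str]      # controls or documents relied on
    residual_probability: int
    residual_impact: int
    owner: str                         # accountable person or unit
    action_required: str

    def inherent_rating(self) -> str:
        return rating(self.inherent_probability, self.inherent_impact)

    def residual_rating(self) -> str:
        return rating(self.residual_probability, self.residual_impact)

    def validate(self) -> List[str]:
        """Problems an assurance reviewer would flag before accepting the row."""
        problems = []
        inherent = score(self.inherent_probability, self.inherent_impact)
        residual = score(self.residual_probability, self.residual_impact)
        if residual > inherent:
            problems.append("residual risk exceeds inherent risk: response is mis-scored")
        if self.strategy == "Reduce" and not self.points_of_reliance:
            problems.append("'Reduce' strategy but no points of reliance (controls) listed")
        if self.residual_rating() == "High" and not self.action_required:
            problems.append("High residual risk with no action required")
        if not self.owner:
            problems.append("no accountable owner")
        return problems


def register_report(entries: List[RiskEntry]) -> List[dict]:
    """One row per risk, highest residual score first, with review problems attached."""
    ordered = sorted(entries, key=lambda e: score(e.residual_probability, e.residual_impact),
                     reverse=True)
    return [{"risk": e.risk, "inherent": e.inherent_rating(), "residual": e.residual_rating(),
             "owner": e.owner or "UNASSIGNED", "problems": e.validate()} for e in ordered]


# Constructed sample register: the first row follows the deck's example row; the second
# is deliberately mis-scored, control-less and unowned so the checks have something to catch.
SAMPLE_REGISTER = [
    RiskEntry("IT infrastructure will not support University initiatives", 4, 5, "Reduce",
              ["ICT Foundational Document", "ITS Unit Plan", "Data Use Policy"], 3, 4,
              "CIO (placeholder owner)",
              "Complete plan; develop and implement college and admin unit plans "
              "including contingency and recovery"),
    RiskEntry("Loss of key IT staff (constructed row)", 3, 3, "Reduce", [], 3, 4, "", ""),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
```

With the assumed thresholds the deck's example row scores 20 inherent (High) and 12 residual (Moderate), which is the reduction the template is meant to make visible; the constructed second row is returned with three problems, so a register that looks complete on paper is rejected before it reaches the committee.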
Proper Internal Audit and Controls
- Independent;
- Compensation;
- Stature / hiring / firing;
- Work plan approved;
- Link to Audit Committee ~ executive sessions;
- Gross to residual risk for all material business risks;
- Testing design and effectiveness of all internal controls.
Weaknesses of Risk Management
- "Risk takers" & compensation;
- Non-financial risks and ICNFR: operations, technology, reputation, health, safety, security;
- Management knows the risks;
- Board:
  - Protect internal assurance;
  - Complete, coordinated, independent assurance.
[Figure: integrated mapped assurance. Top risk families mapped against management certification, internal assurance and external assurance.]
Risk Governance ~ Best Practices
- Formal documented risk appetite framework, with tolerances, registers and accountabilities;
- ERM that is integrated, dynamic and culturally embedded;
- Oversight functions' compensation determined independently from business units, based on achievement of the functions' objectives; no undue influence / conflicts;
- Risk function has input into performance metrics and compensation decisions of senior management;
- Third party reviews of risk, oversight functions;
- Crisis, contingency, scenario planning to Board.
Risk Limits, Roles, Responsibilities, Implementation
- Risk Appetite Framework: all in, in writing, board approved;
- Risk Appetite Statement: qualitative and quantitative;
- Risk Limits: specific, containing, constraining, clear, controlled, reported, assured, in real time;
- Implementation: shared, communicated, tested, accountabilities, flowing from strategy, monitoring and reporting;
- New roles and responsibilities: Board, A/R Committee, CRO, CAE, Chairs and CEO, CFO, line and unit leaders;
- Risk expertise on board and committee coverage.
Social Media, IT Governance Trends
- "Our entire lives are connected to the internet" (FBI Director);
- Social media is the #1 activity on the web (HuffPo, BCooper);
- Average user picks up their device 1,500 times a week (MailOnline), and reaches for it at 7:31am each morning;
- Average smartphone owner uses their phone for three hours, 16 minutes each day;
- Only 13% of companies have BYOD policies (EY, 2014);
- < 50% of companies use encryption techniques for devices;
- 38% of companies do not address cloud risks.
Social Media, IT Governance Trends (cont'd)
- Cybercrime: ~ $9-21 trillion possibly at risk (NACD report);
- Cybercrime constitutes the "greatest transfer of wealth in history" (NSA Chief);
- Head of FBI, James Comey: "impossible to count". The internet is "the most dangerous parking lot imaginable";
- "There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese";
- "Only 56% of companies conduct penetration tests, and 19% fail to test at all" (EY, 2014);
- Cyber criminals are at World Cup level, and we are at high-school soccer level (Head of FBI analogy).
Internal Controls Over Social Media, BYOD
- Many companies still do not have policies or controls over social media (~ 50%) and BYOD (13%);
- Education, communication, training: fair, clear and not misleading;
- Code of conduct and employment contract;
- Identify, explain, monitor, enforce: confidential information, brand, reputation, privacy, inside knowledge, copyright, fair dealing, record retention;
- Scope of employment, training program, and approval process.
Social media policies consulted: Apple, Coke, Best Buy, Cisco, on the social media policy database: http://socialmediagovernance.com/policies/
Internal Controls Over Social Media, BYOD (cont'd)
- See social media policy database: http://socialmediagovernance.com/policies/
- Social media training and attack / crisis simulation;
- Advanced social media analytics monitoring;
- Secure the data, not the device (BYOD): permitted / supported devices; content applications; acceptable use; Mobile Device Management, MAM, security; app development; passwords; monitoring; storage; ownership of apps and data; example policies and best practices; device payment / stipend; policy enforcement.
BYOD policies consulted: White House, Dell, Citrix, others
Internal Controls Over Cyber Security Risk
[Four figure slides; images not reproduced.]
Source: A. Renda, Cybersecurity and Internet Governance, Centre for European Policy Studies, 2013
Source: PwC and IRRCi, "What investors need to know about cybersecurity," 2014
n Human error or carelessness one of the biggest risks;
n Cyber linked to social media: 30% security incident results from social networking (NACD report);
n Less than 1/3 (Carnegie Mellon) of boards addressing RM in relation to IT operations or computer and information security;
n “Most policies currently in place,” “are too weak to reasonably ensure that systems are not breached.” (NACD report);
n Not enterprise wide, integrated, strategic, cultural;
n Due diligence, cyber security frameworks and standards;
CEO Succession planning 44
Copyright © Richard Leblanc. All rights reserved.
Internal Controls Over Cyber Security Risk (cont'd)
- Organization and resources: framework; authorities; specialists; 24/7; background security checks; training / awareness for new and existing employees;
- Cyber risk and control assessment: people, process, data, technology; outsourcing; IT service providers; scans and testing of client, server and network infrastructure for gaps; regular penetration testing; testing with third-party cyber mitigation services; cyber attack (including DDoS) and recovery simulation exercises; internet outage risk.
Source: OSFI, NIST, SANS Institute, ISO frameworks
This is what strong cyber risk management looks like:
Internal Controls Over Cyber Security Risk (cont'd)
- Situational awareness: enterprise-wide knowledge of users, devices, applications, software / hardware, network maps; normalizing, aggregation and correlation of security event information; analysis of events to identify potential attacks; expert analysis follow-up; tracking & monitoring of incidents outside the company; industry research;
- Threat and vulnerability risk management, with controls enterprise-wide, including reputation / behaviour based:
  - Data loss detection / prevention;
  - Cyber incident detection & mitigation;
  - Software security;
  - Network infrastructure;
  - Standard security configuration and management;
  - Network access controls and management;
  - Third party management;
  - Customers and clients.
Source: OSFI, NIST, SANS Institute, ISO frameworks
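The situational-awareness bullet names a pipeline (normalize, aggregate, correlate, analyse) without showing what it buys over reading each system's log on its own. The following is an added Python example, not part of the deck or of any of the frameworks it cites. It assumes two constructed event sources, sshd-style syslog lines (no year field, so 2015 is assumed) and JSON lines from a hypothetical web portal, maps both onto one schema, groups events by source address and applies a cross-system rule: a successful login preceded within ten minutes by at least three failures from the same address, on any system, is an alert. The thresholds and window are assumptions; the sample lines are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events (not from the deck): sshd-style syslog lines from one host and
# JSON lines from a hypothetical web portal. Syslog lines carry no year; 2015 is assumed.
SYSLOG_YEAR = 2015
RAW_EVENTS = [
    "Mar 10 09:00:01 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 5122 ssh2",
    "Mar 10 09:00:04 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 5123 ssh2",
    "Mar 10 09:00:09 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 5124 ssh2",
    "Mar 10 09:00:30 host1 cron[77]: session opened for user root",
    '{"ts": "2015-03-10T09:00:15", "app": "portal", "user": "admin", "src": "203.0.113.7", "result": "failure"}',
    '{"ts": "2015-03-10T09:00:20", "app": "portal", "user": "admin", "src": "203.0.113.7", "result": "success"}',
    "Mar 10 09:05:00 host1 sshd[2202]: Accepted password for bob from 198.51.100.9 port 5200 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def normalize(line: str) -> Optional[dict]:
    """Map one raw line onto a common schema; None for lines that are not auth events."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {int(m['day'])} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        return {"ts": ts, "system": "ssh", "user": m["user"], "src": m["src"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    if line.startswith("{"):
        try:
            rec = json.loads(line)
            return {"ts": datetime.fromisoformat(rec["ts"]), "system": rec["app"],
                    "user": rec["user"], "src": rec["src"], "outcome": rec["result"]}
        except (ValueError, KeyError):
            return None          # malformed record: skip rather than crash the pipeline
    return None


def aggregate(events: List[dict]) -> Dict[str, List[dict]]:
    """Group normalized events by source address, each group in time order."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["src"]].append(ev)
    return {src: sorted(evs, key=lambda e: e["ts"]) for src, evs in groups.items()}


def correlate(events: List[dict], threshold: int = 3,
              window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag a success preceded by >= threshold failures from the same source inside the
    window, whichever systems the failures and the success were recorded on."""
    alerts = []
    for src, evs in aggregate(events).items():
        recent_failures = []
        for ev in evs:
            # drop failures that have aged out of the window
            recent_failures = [f for f in recent_failures if ev["ts"] - f["ts"] <= window]
            if ev["outcome"] == "failure":
                recent_failures.append(ev)
            elif len(recent_failures) >= threshold:
                alerts.append({"src": src, "user": ev["user"], "failures": len(recent_failures),
                               "systems": sorted({f["system"] for f in recent_failures} | {ev["system"]}),
                               "success_at": ev["ts"].isoformat()})
                recent_failures = []
    return alerts


def analyse(raw_lines: List[str]) -> List[dict]:
    """Full pipeline: normalize, drop non-auth lines, aggregate, correlate."""
    events = [ev for ev in (normalize(line) for line in raw_lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in analyse(RAW_EVENTS):
        print(alert)
```

On the sample data the ssh log alone shows three failures and no success, and the portal log alone shows one failure and a success, so a rule evaluated per system stays silent; only after normalizing both sources onto one schema and aggregating by address does the four-failures-then-success pattern appear. That is the board-level point behind "normalizing, aggregation and correlation": the controls have to be enterprise-wide, not per system.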
Internal Controls Over Cyber Security Risk (cont'd)
- Cyber security incident management: rapid response and mitigation; authority; documented procedures; protocols; escalation taxonomy; pre-scripted communication; recovery; systems integrity; post incident review; controls upgraded; forensic investigation; closure;
- Cyber security governance:
  - Policy and strategy: enterprise wide cyber security policy and strategy;
  - Second line of defence (RM);
  - Third line of defence (CAE, independent control group and challenge, resources and expertise, testing of controls);
  - Senior management and board oversight (funding, implementation, assurance);
  - External benchmarking.
Source: OSFI, NIST, SANS Institute, ISO frameworks
Resources for Directors, Regulatory Guidance
- "You have to own this problem as a leader": Adm. Michael Rogers, Director of National Security Agency;
- "Big Delta": legislation may be coming;
- Lead by example: Yahoo's CEO's smartphone did not have a password;
- As a Director, you do not need to be an expert, but you should be technology literate and informed;
- Information, documentation and questions are your influence touchpoints and oversight;
- See technology as an enterprise risk and a strategic and business issue, not a narrow IT issue.
Resources for Directors, continued
- Watch out for fuzzy reports, recent expertise, and cottage vendors;
- Brief one of these excellent reports: NIST Framework for Improving Critical Infrastructure Cybersecurity; SANS Institute Critical Security Controls; ISO/IEC 27032; NACD Cyber-Risk Oversight;
- Glossary and acronyms: brief these to understand;
- Your job is to understand, identify and oversee, not to manage: budget, talent, resources, reporting, assurance, disclosure; watch "technical devolution";
- The risk: cyber failure: where was the Board?
Questions for Directors, to Management
- Informed, best-practice and precise questions;
- Agree on a platform or framework (see my earlier links) and direct management to have an action plan and target date for full implementation;
- Management may be averse to the spend and controls;
- Does management show you IT, and broader enterprise risk management, and how it is identified, controlled & assured?
- Are you satisfied with the IT, risk management and internal audit bench strength? These are your eyes and ears; you may need to direct changes and resources.
Questions for Directors, to Management (cont'd)
- Are your crown jewels / valuable assets protected from outside, and, once inside, also protected? (Think like a thief.)
- Do you meet separately with risk, compliance, audit to assure cyber security risk?
- Do you have scenario testing and mock exercises over digital media and cyber breaches?
- Do you have the authority to retain a third party? Do you exercise this authority if or when you need to?
- Does your board have or need IT, risk expertise?
Research and Practice
Again: There is nothing a board cannot control. There is no more power we can give to boards. Risk failure, I find, is always traced to a board not acting, or acting inappropriately.
"Comply or Explain" Regime
Source: Basel (May 10), Europe (Dec 10) and FDIC (Feb 11)
- CSA Staff Notice 58-306 (Dec 10): "unacceptable";
- EU Submission.
Thank you!
Contact Information
Professor Richard Leblanc, Faculty of Liberal Arts & Professional Studies, York University
Tel: (416) 736-2100 x 33744
Email: [email protected]
Twitter: http://twitter.com/DrRLeblanc
LinkedIn Group: Boards & Advisors
Short bio
Professor Richard Leblanc is an award-winning teacher and researcher, consultant, lawyer and specialist on corporate governance and accountability. He is a former recipient of Canada's Top 40 Under 40™ award, received a teaching award as one of the top five university teachers in Ontario, and was named to Canadian Who's Who.
Professor Leblanc's research expertise is in corporate governance, specifically in the effectiveness of boards of directors. He will provide hands-on examples of how to maneuver the challenges directors could face, based on his extensive service as an external advisor to boards that have won national awards and peer endorsement from institutional shareholders for their corporate governance practices.
His work, directly or indirectly, has impacted companies throughout the world, including those that have used Dr. Leblanc's methodology to strengthen their governance effectiveness and accountability practices.
Dr. Leblanc brings to business and professional audiences a depth of information from his extensive research and work with over 150 organizations, and training, assessment and development of over 1,000 directors and managers.