Pressures Mount For The Right Governance, Risk and Compliance Programs

Transcription

1 Pressures Mount For The Right Governance, Risk and Compliance Programs John Michael Farrell, KPMG LLP, and Cathy L. Reese, Fish & Richardson P.C. For boards and senior management, the pressure is intensifying to better manage risk governance. Since the financial crisis shareholders have filed scores of lawsuits against boards of directors and C suite management claiming that they failed to protect corporate assets and properly manage risks. Meanwhile, organizations such as the National Association of Corporate Directors and the Business Roundtable are stressing the role of risk oversight at the board level. At the same time, government agencies such as the Securities and Exchange Commission (SEC) and the U.S. Sentencing Commission are putting in place new obligations for implementing and reporting risk oversight functions, as well as creating incentives for compliance. By looking at the legal and regulatory environment related to corporate risk management, Boards and management will easily see that getting Governance, Risk and Compliance (GRC) right is critical. However, companies that develop a holistic GRC model will realize that there are benefits to the organization beyond simple compliance. Meeting the 'Duty of Oversight' Historically, the business affairs of a corporation are overseen by its board of directors. As part of its responsibilities, the board has authority to appoint officers who assume day to day management functions under the direction of the board. Directors and officers, in turn, are bound by fiduciary duties to shareholders. These fiduciary duties generally entail affirmative, open ended obligations to maximize shareholder value and fall within two categories: the duty of care and the duty of loyalty. The duty of care requires that directors and officers exercise due care in decision making and act on an informed basis. Corporate fiduciaries satisfy the duty of care when their decision making is based upon reasonable knowledge of the company s business, credible information on issues being decided, and an understanding of the consequences of each decision. When directors and officers comply with these obligations, their decisions are given deference under the business judgment rule, meaning that courts will not second guess the wisdom or the propriety of decisions, even if they turn out in retrospect to have been improvident. Further, corporations are permitted to indemnify officers and directors against personal liability for any damages that the corporation incurs as a consequence of decisions made in breach of the duty of care. The duty of loyalty requires that directors and officers serve the interests of the corporation and its This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.

2 shareholders with undivided allegiance. Unlike the duty of care, corporations are not permitted to indemnify officers and directors against personal liability for breaches of the duty of loyalty. Historically, the duty of loyalty came into play only in cases involving conflicts of interest for example, when a director was presented with a business opportunity that was also a business opportunity for the corporation. In such cases, the director was required, in accordance with the duty of loyalty, to present the opportunity to the corporation before pursuing it him or herself. A Landmark Case The scope of the duty of loyalty expanded somewhat as a result of a landmark 2006 opinion in a case known as Stone v. Ritter 1. The opinion adopted the concept of oversight liability, which had been discussed some 10 years earlier in the influential 1996 In re Caremark 2 opinion by the Delaware Court of Chancery. The Caremark opinion posited a corporate fiduciary duty of oversight, which required that corporate fiduciaries institute monitoring and reporting systems sufficient to bring information concerning the corporation s compliance with law and its business performance to the attention of senior management and the board. In Stone v. Ritter, the Delaware Supreme Court embraced the duty of oversight as law, albeit with one important distinction. The original Caremark opinion envisioned breach of the duty of oversight as a breach of the duty of care. Stone v. Ritter clarified that breach of the duty of oversight is a breach of the duty of loyalty. The implications of the Stone v. Ritter opinion are significant and assume even greater importance in an economic climate where scrutiny of risk management functions has been greatly heightened. It is interesting to note that the duty of oversight requires ensuring that reporting and information systems and controls precisely the types of tools that are part of sound Enterprise Risk Management (ERM) or Governance, Risk, and Compliance (GRC) programs are in place. Of particular relevance to those who serve as corporate officers and directors is the characterization of breach of the duty of oversight as a breach of the duty of loyalty. As discussed above, corporations may not indemnify corporate fiduciaries from personal liability for breaches of the duty of loyalty. Consequently, under Stone v. Ritter, directors face personal monetary liability for corporate losses that result from their inattention if knowing failure to exercise reasonable oversight including failure to attempt to assure reasonable information or reporting systems exist is proven. Regulatory Pressures Grow Worldwide In addition to this threat of personal liability, corporate managers face mounting worldwide pressure to better oversee risks facing their organizations. Regulators around the world are reviewing and revising their requirements for risk management and governance. On an international level, the Basel II Accords seek to create international standards for assessing bank capital reserve requirements in light of financial and operational risks that banks typically face. In addition to purely financial risk factors, the Basel II Accords also provide a framework for assessing strategic, reputational, and legal risks, and contemplated review of systems implemented to manage such risks. Building on the Basel II Accords, the Solvency II Directive is currently being designed for assessing capital requirements for insurance firms in the European community, incorporating requirements for governance and risk management. In March 2010, the German Federal Financial Supervisory Authority, BaFin, updated its Minimum Requirements for Risk Management, introducing

3 tougher and more wide ranging supervisory requirements for risk management and monitoring. In the United States, new disclosure rules from the SEC require companies to describe in their proxy statements the role of the board of directors in overseeing risk management. The SEC says a company must disclose the extent of the board s role in risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board s leadership structure. Other rules require disclosure of the company s compensation policies and practices as they relate to corporate risk management. In particular, the Compensation Discussion and Analysis is required to disclose information regarding the company s compensation policies and the extent to which those policies create incentives that can affect the company s risk taking or its management of risk. Under recent amendments to the Federal Sentencing Guidelines, which took effect on Nov. 1, 2010, business organizations may limit liability for corporate wrongdoing by implementing effective compliance and ethics programs. The exculpatory provisions of the amended guidelines require that the organization s compliance and ethics program is followed, and that the program is periodically evaluated for effectiveness and provides a means for anonymous reporting of actual or suspected criminal conduct. Fallout from the Financial Crisis Certainly, the financial crisis has driven much of the recent regulatory and legal activity. Shareholders are angry over their losses, and they are using the courts to hold corporate officers accountable and, if possible, recoup capital. Regulatory bodies are compelled to address weaknesses in the capital markets system and are demanding greater accountability and transparency from the leaders of private industry. Companies are clearly recognizing that good risk governance is a key to operational efficiency. In fact, in October 2009 the National Association of Corporate Directors issued a report offering suggestions to directors on how they can improve their processes for overseeing a company s risk management activities. The report features Ten Principles of Effective Risk Oversight as guidance for directors. Changing Nature of Risk and Key Assets That Drive Corporate Brand and Value Companies are also recognizing that risk governance is an evolving area and that the risks themselves have changed. Over the last three decades, as the United States has shifted from a manufacturing to a knowledge based economy, intangible assets have supplanted tangible assets as the most significant share of corporate value. There is plenty of research to back this up. For instance, research conducted by Baruch Lev of the Brookings Institution showed that in 1982, 62 percent of the market value of S&P 500 companies (as measured by market capitalization) could be attributed to tangible assets, with only 38 percent attributable to intangible assets. Within 10 years, these numbers had essentially reversed: data collected in 1992 showed that only 32 percent of the market values of S&P 500 companies were attributable to tangible assets, while 68 percent were attributable to intangible assets. This trend toward intangible assets as the primary source of corporate value has continued. Additional data from a 1998 study showed that the ratio had further shifted to 85 percent intangible and only 15 percent tangible assets, according to the Brookings Institute and the ABF Journal, July/August The definition of intangible assets has itself expanded over time. The most common concept of intangible assets includes what has been historically referred to as intellectual property patents, trademarks, copyrights, and trade secrets, among

4 others. A broader view of intangible assets would include any type of non physical, non monetary asset that a company can use to derive value. Brand is one example; other intangible asset areas include reputation, supply chain integrity, data security, human capital, and know how. In a 2004 speech at the World Affairs Council regarding the management of business risk, Lord Levene, chairman of Lloyd s of London, estimated the value of intellectual property for the world s 500 largest corporations at over $3 trillion. In 2005, economists Kevin Hassett and Robert Shapiro estimated the value of intellectual property in the United States at between $5 trillion and $5.5 trillion. One need only look to the public relations impact of crises that have consumed companies such as BP, Toyota, Goldman Sachs, and Massey Energy in the past few months to find examples of the relationship between corporate reputation and corporate value. The New, Holistic Approach to Risk Governance In this environment, meeting the challenges of risk while improving the governance of the organization and achieving compliance with the vast spectrum of regulatory changes requires a new approach. In our experience, a holistic approach can provide a unified or converged view of risk, reduce redundancies, increase efficiencies, and keep the unique compliance needs of the various operational units in sync. The most basic view is that good GRC, when effectively implemented across the organization, allows companies to base their decisions on a balanced set of information. It provides better visibility of decision making at all levels, allowing executives to see the ripple effect of decisions being made even if these decisions are being made in geographically dispersed locations. Developing the GRC Model The model begins with efforts to link GRC with the mission of the organization a critical foundation for the overall approach. For a GRC program to be effective, implementation must occur in small steps. Executives overseeing GRC must partner with the business. One approach might include integrating risk discussions within strategic planning discussions on major initiatives. Companies also should determine how well positioned they are to mitigate key risks, and review the usefulness of any group level risk policies and controls, discarding those that are considered not critical. Conditions unique to each company may require a change in oversight structure, or even advocate a change in workflow. An attempt should also be made to simplify the often unwieldy committee and reporting structures around risk. Here are some first steps companies should consider: Get strategic and embed GRC in the culture: Be sure to align GRC to the company's organizational strategy and mission to drive performance and compliance, taking into account the needs of all constituencies, and foster a culture that understands and embraces GRC as a source of competitive advantage. Establish a target operating model: Determine the operating model for GRC that would be most advantageous for your organization in order to understand the future state sought in terms of technology, people and processes. Consider three lines of defense : Build upon a thorough "vertical" risk management structure with independence and clear accountability. Align roles and responsibilities in connection with risk management: business owners take on risk content ownership; standard setters focus on risk process

5 ownership and certain monitoring; and assurance providers can take on risk process and control monitoring. Get proactive to monitor risk drivers: Perform continuous, timely analysis of risk drivers and performance metrics from business functions, and support an efficient response to challenges posed by evolving risks and changing regulatory requirements. Ensure that your risk lens has equal weight relative to your growth lens. Establish Reporting and Information Systems and Controls that Lead to the Board Room The Stone v. Ritter case discussed earlier offers some instructive guidance in how to apply GRC principles. First, as simple as it sounds, corporate directors need to stay informed. Although management has a critical role in assessing risks, as well as developing appropriate controls and compliance programs to address them, the board must make its own objective and independent assessment to determine that the company s compliance programs are effective. One way to keep directors informed is for board meetings to include presentations on all high risk issues facing the company and how the compliance program is addressing these risks. This assessment should be documented in board meeting minutes. Directors should also consider seeking the assistance of outside advisers to carry out an independent assessment of the institution's compliance programs. Such an assessment may be performed by reputable independent third parties that understand leading industry standards or practices for the particular area being reviewed. It is crucial, however, that once the assessment is performed, the board require detailed action plans by management to rectify deficiencies noted by the assessment in an efficient and sustainable manner and also require management to provide regular progress updates. Failure to follow through in this manner may create liability based upon the articulated standard contained in Stone. Key Benefits of GRC In a post recession environment, where all key performance indicators have been reset, converging GRC to create more efficient programs is a prerequisite. With greater visibility and control over risk, organizations can gain a real competitive edge, enabling them to make decisions in the knowledge that they are unlikely to exceed their risk appetite and that there is built in resistance within their systems. Utilizing GRC to take a fully holistic approach and having better information, particularly around risk issues, allows organizations to speed decisionmaking, amounting to survival of the most informed. There are also ancillary legal and regulatory benefits that relate to the duty of oversight and new SEC regulations. Indeed, shareholder protection is the underlying public policy for both the imposition of fiduciary obligations upon corporate officers and the enactment of the Federal Securities Exchange statues. Corollary to shareholder protection is the requirement under both of these regimes that corporate fiduciaries protect shareholder interests by ensuring against liability and protecting the value of corporate assets. Another important aspect of risk governance and oversight, particularly applicable in the realm of intangible assets, is the new incentives that these policies place on management to consider corporate use and handling of value enhancing and valuecreating assets that are not accounted for in financial statements. The significance of such assets to corporate value may easily be overlooked by solely financial analyses, whereas an enterprise wide view of value, commensurate with an enterprise wide view of risk, may underscore the importance of intangibles. Systematic evaluation of intangibles as

6 strategic assets may serve to strengthen their value, for example, through recognition of the need to develop more defensive intellectual property portfolios. Finally, as public companies adjust to new obligations and expectancies such as disclosure requirements which now emphasize risk management and oversight, forward thinking companies are presented with the opportunity to distinguish themselves in a market that increasingly values meaningful risk management. Companies that embrace and implement the new regime have the opportunity to promote themselves as conscientious and committed to self scrutiny in an environment where shareholder trust has been shaken. not necessarily represent the views or professional advice of KPMG LLP. 1 Stone v. Ritter, 911 A.2d 362 (Del. Ch. 2006). 2 In re Caremark Intl. Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). John Michael Farrell is a New York based partner in the Risk and Compliance practice at audit, tax and advisory firm KPMG LLP. He is the firm s Leader for Enterprise Risk Management and Governance, Risk and Compliance. Mr. Farrell may be reached at e mail: johnmichaelfarrell@kpmg.com. Cathy L. Reese is a principal in the Delaware office of the international law firm Fish & Richardson, where she heads the Corporate Governance and Chancery practice, and is Co Chair of the IP Risk Management Group. She is an established trial attorney with extensive experience in corporate, technology, trade secrets and complex commercial litigation, as well as corporate governance counseling and corporate opinions. She counsels corporations, their boards of directors, committees of the board, officers, stockholders and investors regarding corporate and fiduciary issues pertaining to corporate transactions and intellectual property. Ms. Reese may be reached at e mail: reese@fr.com. The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser. This article represents the views of the authors only, and does