RISK OVERSIGHT VERSUS RISK MANAGEMENT
Given evolving Delaware law, understanding the difference between “risk oversight” and “risk management” is an increasingly important board task.
In the Marchand and Clovis decisions, the Delaware courts sent an important new message of their (heightened) expectations for boardroom attentiveness. This development will prompt greater director engagement in risk oversight and monitoring activity.
“Risk oversight” refers to the board’s responsibility to exercise reasonable review of the company’s primary risk factors and executive implementation of steps necessary to address those risk factors. “Risk management” refers to the policies and procedures implemented by executive leadership to identify and evaluate the scope of mission-critical corporate risks, address instances of risk management breakdowns, and mitigate and respond to such circumstances.
In exercising its risk oversight duties, the board may wish to:
- Maintain an awareness of mission-critical risks
- Ensure that senior executive leadership allocates sufficient time to risk management efforts
- Monitor the effectiveness of management-to-board risk reporting mechanisms and of internal risk mitigation efforts
- Confirm the consistency of corporate strategy with established risk protocols
- Support an organizational culture that encourages meaningful attitudes, actions and decision-making as to risk.
IN SEARCH OF BEST PRACTICE
A leading governance observer argues against adoption of certain structural mechanisms solely on the assumption that doing so will serve as evidence of governance “best practices.”
In a recent paper, Stanford University Professor David Larcker observes that a clear understanding of the elements of “effective governance” remains elusive. This ambiguity is due to the tendency to overgeneralize and to use central concepts without clear and accepted definitions.
One of Professor Larcker’s most important points relates to the limitations of reliance on perceived structural best practices (e.g., independent chairs and committees, board structure, share structure). His research indicates that these types of structural features don’t universally lead to good governance, and, moreover, no list of best practices along these dimensions appears to exist.
Instead, Professor Larcker observes that a reliable governance system depends primarily on organizational features that are unrelated to the structure of the board and shareholder rights, but still improve decision-making and reduce the likelihood of misbehavior. A non-exclusive list of such features includes, according to Larcker:
- Leadership quality (the skill, knowledge, judgment and character of both the board and the management team)
- Culture (the modes of behavior prevalent in the organization that guide individual choices)
- Incentives (the financial and nonfinancial rewards that reinforce behavior and shape decision-making).
There certainly is a good faith desire on behalf of many executive and board leaders to adopt, pro forma, what have been publicly promoted as best practices. Applying Professor Larcker’s view, board governance committees should be careful not to adopt publicly announced structural features simply because they are viewed as synonymous with good governance. Rather, they should give greater weight to the non-structural indicia that he identifies as likely more significant determinants of good governance.
BROADENING BOARD FOCUS ON PATIENT SAFETY
Several highly publicized risk-related developments prompt boards to re-examine how they exercise oversight of patient safety matters.
A children’s hospital in the Pacific Northwest is the latest in a line of highly regarded institutions found to have significant—and often persistent—patient safety issues. In this instance, the issues related to findings of mold in the hospital’s operating rooms that is alleged to have contributed to patient infections and deaths. Examples such as this highlight the role of the hospital’s governing body, which bears the ultimate responsibility for hospital operations, including oversight of quality and patient safety.
News reports suggest that leadership of this particular hospital was aware of the mold issue for more than a year, while still scheduling patient surgeries and exposing staff to the affected areas. These reports have led to the expected “where was the board” questions regarding oversight during this time. Boards may have historically shied away from direct involvement in “clinical matters,” but emerging risk oversight principles are prompting healthcare boards to develop a more robust board reporting framework for quality and patient safety issues, and increasing board involvement in remediation plans.
Another patient safety development, with implications for strategic planning, is new research published in the New England Journal of Medicine concluding that hospitals acquired in the recent wave of M&A activity do not experience improved safety and quality. While the new survey is understandably controversial, the author is influential, and one should assume that this is the default view of Federal Trade Commission attorneys and economists. This new survey is another reminder for health systems to continue documenting improvements in safety, quality and patient experience at recently acquired facilities to provide more credibility in connection with future acquisitions.
THE ROLE OF “SHADOW GOVERNANCE”
A recent academic paper notes the increasing influence of non-bylaw documents on corporate decision-making.
Shadow governance documents are generally considered to include those required by the US Securities and Exchange Commission (SEC) or by NYSE and NASDAQ listing requirements (e.g., board committee charters, corporate governance guidelines and conflict minerals disclosures), as well as other non-required documents such as sexual harassment guidelines, campaign finance disclosures, environmental sustainability statements, diversity disclosures, succession protocols and supporting policies.
The authors’ research demonstrates the importance of shadow governance documents in guiding board and committee behavior, and in shaping routine decision-making. This influence is felt even though the board can generally change such documents at any time, without consequence.
The authors’ research suggests a relationship between board size and the number of shadow governance documents adopted and potentially disclosed by a company. For example, as board size increases, so does the number of shadow governance documents. One reason is that new incoming or interlocking directors often recommend adopting new documents based on their experience and their broader access to peer company policies. Larger boards also tend to have more committees and therefore need more documents to guide their work.
It is important for the governance committee to remain aware of the distinctions between bylaw- and non-bylaw-related governance documents with regard to form, adoption process and disclosure requirements. Similarly, the governance committee should recognize shadow governance documents as both important and influential, and thus meriting greater internal board awareness of their role, authority, impact, manner of adoption and use within the organization’s governance structure. Boards should particularly monitor the extent to which these documents are applied and updated, and the frequency with which directors are educated on their existence and purpose.
AUDIT COMMITTEE DEVELOPMENTS
Recent comments by SEC Chairman Jay Clayton reflect the importance of the role and function of the audit committee, and of auditor independence matters.
In his comments, Chairman Clayton confirmed the instrumental role of the committee in “setting the tone for the company’s financial reporting and the relationship with the independent auditor.” He encouraged audit committees to create and maintain an environment that supports the integrity of the financial reporting process and the independence of the audit. A notable recommendation was for the audit committee “to set an expectation for clear and candid communications to and from the auditor, and likewise to set an expectation with both management and the auditor that the audit committee will engage as reporting and control issues arise.”
Chairman Clayton also offered a reminder that compliance with auditor independence rules is a shared responsibility of the audit firm, the issuer and its audit committee. He pointed to the Sarbanes provisions that mandate that audit committees be directly responsible for the oversight of the engagement of the company’s independent auditor. In that vein, he encouraged audit committees to consider periodically the sufficiency of the auditor’s and the issuer’s monitoring processes. This periodic review should include corporate changes or other events that could affect auditor independence (e.g., changes or events that may result in new affiliates or business relationships), and those events should be shared with the audit firm.
The vital importance of the board’s audit committee is not a new development. However, Commissioner Clayton’s comments are a reminder to boards of public, private and nonprofit health care companies of the need to ensure that such committees are properly structured. Key structural elements include committee composition, the scope of committee duties, the engagement of committee members, the frequency with which the committee meets, its staff support from management, and its horizontal and vertical reporting.
COMPLIANCE OVERSIGHT DEVELOPMENTS
A recent compliance oversight development involves human-resources-related functions of a major financial services company and serves as a reminder of the important contribution that oversight of compensation arrangements, including incentive compensation programs, can make to effective compliance programs.
In this situation, the financial services company was publicly rebuked by its principal regulator for failing to resolve inadequate human resources policies for clawing back compensation from executives, and for controls around pay that were insufficient to prevent potential misconduct. Incentive pay (i.e., compensation arrangements that incentivize conduct inconsistent with corporate ethics and compliance) and clawbacks (or the lack thereof) were major issues in a prior scandal that prompted extraordinary regulatory scrutiny and reputational harm for this company.
Another development was a recent Wall Street Journal interview in which Deputy Attorney General Matthew Miner addressed US Department of Justice (DOJ) efforts to incentivize companies to invest in compliance, and why companies that do so should be given special consideration by the DOJ. In the interview, Mr. Miner emphasized the need for prosecutors to assess a company’s compliance both at the time a violation occurred and at the time it reaches a settlement with the DOJ. Indications that the compliance program identified the misconduct and allowed the corporation to investigate and remediate, as well as self-disclose to the government, would weigh “very, very heavily in favor of mitigating [the severity of the] resolution, relative to the aggravators of the misconduct.”
Mr. Miner acknowledged the need to overcome skepticism in the corporate community that DOJ is serious about corporate compliance and that it will not evaluate compliance programs “. . . with perfect 20-20 hindsight—with an eye on the misconduct, and then thinking the compliance program didn’t work.”
“We’ve messaged that internally to say that that’s not the standard,” Mr. Miner said. “We want the companies to invest in remedial compliance measures and to talk about those when they come in and present, about how far they’ve come based upon the lessons learned.”
SEN. GRASSLEY’S LATEST FOCUS
The chairman of the US Senate Finance Committee has renewed his highly publicized scrutiny of tax-exempt hospitals’ debt collection practices.
Sen. Charles Grassley’s particular focus is on compliance with IRC Section 501(r), through scrutiny of the debt collection practices of two large health systems. Section 501(r) requires tax-exempt hospitals to:
- Meet certain community needs assessment requirements
- Maintain financial assistance policies
- Limit amounts charged for medically necessary care provided to patients eligible for financial assistance
- Refrain from pursuing extraordinary collection practices against patients before determining whether they are eligible for financial assistance.
The new scrutiny of the two health systems comes primarily in the context of a detailed list of questions that focus on perceived deficiencies in how those systems have complied with Section 501(r), including what Sen. Grassley has described as “extraordinary collection actions against patients eligible for financial assistance.”
These new investigations follow Sen. Grassley’s highly publicized 2015 investigation of the Mosaic Life Care hospital system, which resulted in the health system implementing changes such as a three-month debt forgiveness period, actual forgiveness of the debt of more than 5,000 patients, and hiring of new employees to assist low-income patients in applying for financial assistance.
BASEBALL’S CORPORATE ETHICS CRISIS
The burgeoning “sign stealing” scandal involving several Major League Baseball (MLB) teams offers important lessons for corporate ethics policies.
The Astros and the Red Sox have been at the center of MLB’s investigation of allegations of widespread use of electronic equipment for the purpose of stealing signs from the catcher or a coach, in apparent violation of established (but quite possibly ambiguous) rules. The recently concluded investigation resulted in severe penalties against the Astros, with a ripple effect on several other teams and their then-managers.
The sign stealing scandal speaks—loudly—to those difficult situations when teams (and corporations) are confronted with attractive business options for which the legal rules aren’t clear but the optical risks are more obvious. When does a hard slide, or a brush back pitch, cross the line from “good baseball” or “sending a message” to the physically dangerous? Pressure and temptation can run high in these scenarios. Everyone else is doing it, why can’t we? And who within the organization makes that call?
These are the kinds of circumstances in which a preexisting culture of “doing the right thing” can pay enormous dividends. Such a culture empowers the application of common sense and a recognition of behavior that appears bad, unfair or improper.
When such a culture is lacking, circumstances can create enormous corporate risk. Indeed, the Astros’ and the Red Sox’s respective brands as innovative, successful organizations are suffering, and the reputations of many of their executives and leaders are at risk. MLB’s investigation is worthy of consideration by the board’s audit committee from a “culture of ethics” perspective.
THE NACD PUBLIC COMPANY SURVEY
The 2019–2020 version of the National Association of Corporate Directors’ Public Company Survey is an important resource for corporate boards and their primary committees, including those of large nonprofit and private companies.
Key survey results include the following:
- Boards are being more proactive in setting strategy while being sufficiently flexible to alter strategic direction as circumstances warrant.
- Human capital oversight is viewed as an increasingly important board responsibility.
- Almost 80% of surveyed boards are giving more serious consideration to environmental, social and governance issues as they affect their company.
- A majority of directors believe that greater levels of engagement on key topics will yield little improvement in board oversight, and there is a sense that they are already committing sufficient time to board service.
“Yellow flags” from the survey include the following:
- There are indications that many directors may already be “maxed out” in terms of their commitment.
- Only 56% of responding directors believe that the information they receive from management is sufficient to support informed decision-making and oversight.
- Committee structures remain primarily grounded in traditional practice and scope.
- Boards are willing to subordinate cybersecurity risks to the achievement of certain business goals.
- Board refreshment practices are apparently lagging.
EQUITABLE PENALTIES FOR BREACH OF DUTY
A recent settlement between directors of a prominent charitable foundation and the state attorney general includes several unique breach of duty penalties.
The settlement was entered into between the New York Attorney General and individual board members of a charitable foundation created by a prominent elected official. The settlement was intended to resolve charges that the directors breached their fiduciary oversight duties by allowing waste to occur where the elected official used the foundation for his own personal, business and political interests.
Among other terms, the settlement agreement imposes a regime of restrictions on any future service by the elected official on a charity’s board of directors, including a total ban on any self-dealing. Any charity the elected official joins as a director must have a majority of independent directors, must engage counsel with expertise in New York not-for-profit law, and must engage the services of an accounting firm to monitor and audit the organization’s grants and expenses. If the official forms a new charity, such an organization must comply with these requirements and also report to the New York Office of the Attorney General for five years.
The settlement also requires the children of the elected official to receive training on the duties of officers and directors of charities so that they cannot allow the illegal activity they oversaw at the foundation to take place again.