Providing Directors the Risk Information They Need

My column last month outlined the kind of information boards of directors need to execute their responsibilities, viewed from the director’s perspective. This month I want to continue that discussion, but looking at the opposite side of the coin: what information chief executives, chief compliance officers, chief risk officers, and other top executives should be providing to help directors in their oversight activities.

The most important information provided to a board comes directly from the company’s CEO, both in board meetings and off-line. Experienced CEOs recognize that most directors are smart, skilled, insightful individuals who can recognize messages behind the words (especially since many are former or current CEOs themselves, and know all too well the pressures and incentives that can cloud judgment). Accordingly, effective CEOs go to great lengths to ensure that communications to the board are straightforward, accurate, complete, candid, and forthcoming.

Naturally a chief executive wants board approval of his (or her) current performance and new strategies and initiatives, and we’ve seen where some have fallen into a trap of putting a positive spin on their plans where the unvarnished truth is needed. Most directors can see through these covert efforts, and they do little more than increase skepticism and distrust. I’ve seen such sugarcoating efforts, and I can assure you that they only emphasize the importance of being forthright from the start.

Key Supporting Staff

Of course, many other senior executives work with their board and its committees as well—including many who are Compliance Week readers. You know what directors want in terms of accurate and relevant information: details on financial reporting, internal control, and related information for the audit committee; salary, pension, healthcare benefit data, performance assessments, and succession information for the compensation committee; risk and risk-management information for the audit or risk committee or full board; strategy information for the board; and so on. But beyond what the board wants, senior corporate staff must consider what the board needs.

That thinking should begin with the “board book” containing materials for upcoming board and committee meetings. Directors need information that provides a full picture of past and expected future performance, issues, risks, and whatever else will help the board stay informed and make wise judgments. Of critical importance—and where significant improvement often is needed—is providing a clear roadmap to the truly relevant issues to be considered at an upcoming meeting and beyond. Board books typically contain a great deal of data and analysis; it’s essential that attention be directed to what really matters. Corporate staff are in the best position to know and facilitate directors’ focus on those issues.

Compliance Officer

A company’s chief compliance officer is usually expected to brief the CEO and the board. But too often the compliance chief is put in an untenable position—not because of the individual’s shortcomings, but because of the way the compliance process is structured and responsibilities assigned.

Take the case of a compliance officer (be it the general counsel or other in-house lawyer or professional) who has responsibility for ensuring the company is in overall compliance with all relevant laws and regulations. This individual will typically sharpen the code of conduct and related policies, monitor instances of potential or actual non-compliance, and report periodically to a management committee, the CEO, and the audit committee or full board. Reports typically include information coming through whistleblower channels, new and pending legal cases, corrective actions taken, and the like.

Of critical importance—and where significant improvement often is needed—is providing a clear roadmap to the truly relevant issues to be considered at an upcoming meeting and beyond.

While this information is useful to the board, a major problem (obvious to those of you who have operated in this environment) is the mistaken belief that a compliance officer can be responsible for ensuring compliance in an organization. Reality is that he can’t. The compliance officer is responsible for creating an effective compliance process, which includes putting responsibility where it needs to be: in the line and staff leadership, cascading through the managerial structure to encompass the entirety of the organization. As such, the compliance officer enables and monitors the process, ensuring that reporting mechanisms are sending relevant information upstream through the management structure, and seeing that managers receive information on new laws and regulations and how they affect managers’ scope of activity.

In this context, the CEO and board need to know the following: how the compliance process is working; how information is flowing through the managerial structure; and where bottlenecks or breakdowns might be occurring. The chief compliance office can play a pivotal role compiling relevant information for the board—including the extent to which the line and staff management team has accepted and is carrying out their compliance responsibilities.

Risk Officer

The approach outlined above holds for a chief risk officer as well. The risk officer should not be held accountable for identifying, analyzing, managing, and reporting risks. Rather, the chief risk officer is positioned to ensure an effective and efficient risk-management process exists in the organization. Because of the essential nature of building risk management into the fabric of a company, reporting to the board is best provided through the management structure—up to the CEO and then to the board. Yes, a chief risk officer should be positioned to monitor line and staff reporting, and where critical risks are not brought forth, that officer can (and should) be a fallback for reporting what the board needs to know.

As with compliance officers, the board should recognize where responsibilities lie and the sources of information it receives. But the board needs to know how the process is working, and what might be necessary to get it to where it needs to be.

Additional Relevant Information

As noted in the last month’s column, boards not only need information about what happens within the company; they need context about their whole industry (competitors, consumers, suppliers, and the like) as well as political, social, and economic factors. This is where management, supported by a governance officer or the corporate secretary, can be of tremendous service in giving directors what they need. They can provide, for example:

A useful cross-section of securities analyst reports—both those supportive of the company and those more critical.

Targeted sections of trade publications providing important insights into the industry and marketplace.

Links to those Internet sites most relevant to the company, its products, reputation, and the like.

Communications from shareholders providing insight into matters foremost on the minds of the company’s owners.

Senior executives typically know a wide range of information sources useful to directors. Senior management has a wonderful opportunity to provide relevant information to the board, and is well served by doing so. Of course it’s not quantity that matters, but rather quality with related clear direction to the critical issues.

Letting the Board Look for Itself

As noted last month, more and more directors are getting outside the boardroom to gain greater firsthand knowledge about the company, and management can be a catalyst and facilitator to make the time spent most worthwhile.

There are, however, some important dos and don’ts. Avoid sending directors to parts of the company pre-selected to provide positive input. This is a recipe for disaster; directors will recognize it for what it is and question their trust in management.

More effective is offering a cross-section of locations within and outside the company where each director can decide for himself what is most appealing for obtaining information. To the extent practicable, visits should be unstructured, and while ensuring ready access, allowing free and open and unmonitored communication with company personnel. When visiting retail outlets for the company’s and competitors’ products, directors often find it most effective going incognito, getting straight talk from sales people and customers. Whether visiting company facilities, customers, or suppliers, the goal is to enable the director to arrive with as little fanfare as possible, with ready access to individuals who will be forthcoming in answering questions and discussing issues.

Trust

This column began talking about trust, and ends on that note as well. The board wants desperately to be able to truly trust management, executives’ character, and what they say and do. Suffice it to say that management is absolutely best served when it operates in a manner where such trust continues to be well deserved.