Board directors can be a demanding lot. For the compliance officers trying to report the right information to them about risks, compliance, and other elusive data, working with directors can be that much harder.
Participants at Compliance Week 2010 tried to approach the problem from both perspectives: in a panel discussion of compliance officers talking about the information they provide, and a panel discussion featuring three audit committee chairmen talking about the information they want to receive.
One overwhelming challenge repeatedly expressed by all panelists: “Finding the right balance between over-reporting and under-reporting to the board,” said Curtis Lu, chief ethics and compliance officer at Time Warner.
At Allstate Insurance, for example, the compliance department must review hundreds of laws and regulations each quarter. “If we were to report that degree of detail, we would clearly be over the top,” said Richard Crist, chief ethics and compliance and chief privacy officer at the company.
But often, Crist added, he is unsure exactly which of those hundreds of regulations are the important ones. “The issue I think we face most often is the tug between transparency and relevance,” he said. “A lot of information appears relevant, but gets you down into the weeds.”
At Time Warner, Lu said, employee theft is a recurring problem—but while the aggregate dollar amount can be high, it’s small in comparison to the media giant’s scale and size. So “it’s a question of whether to let the board know about that lower-level employee,” Lu said.
The panelists also cited hotline calls as a common example of confusion. At Host Marriott, a hospitality real estate company, many of the hotline calls are about human resource issues that don’t really concern the audit committee, “so you don’t want to get audit involved in everything,” said John Morse, who chairs the company’s audit committee.
Lu, who reports to Time Warner’s audit committee six times a year, said he gives a high-level overview of hotline calls, detailing the number of calls and how many in each category. “What they’re really interested in is trends,” he said.
Of course, every company has its exceptions. At NRG Energy, the chief compliance officer has established a mandatory reporting requirement for any allegation against senior management, any financial or books-and-record allegations, and any whistleblower or threatened whistleblower claims,” said Michael Bramnick, NRG’s general counsel.
Board Perspective
From a board director’s perspective, the biggest mistake risk and compliance officers make is that they try to be “too comprehensive in your discussion,” said David Flaschen, audit committee chairman for payroll processing company Paychex.
Flaschen
Senior managers often make the mistake of speaking at one committee meeting as if it were a continuation of the last meeting, Flaschen said. The truth: “We forget what was talked about last year, or even at the last meeting.” A more effective approach would be to first review what was said at the last meeting, and then compare it to where the company currently stands, he said.
Board members are part-time and don’t know the company as intimately as senior officers do, said Stephen Harlan, audit committee chairman for Sunrise Senior Living. He urged executives to ponder the company from that perspective, and to think about what information directors really need to know, assess whether the directors do actually know that information, and how they’re able to know it.
“The issue I think we face most often is the tug between transparency and relevance. A lot of information appears relevant, but gets you down into the weeds.”
—Richard Crist,
Chief Ethics & Compliance Officer,
Allstate Insurance
In general, boards prefer a bird’s eye view of the company. At NRG Energy, for instance, Bramnick said the board primarily wants to know what last year’s compliance goals were and whether they were achieved; how that process worked; and what the new year’s compliance goals are going to be.
“Focus on less, as opposed to more,” Flaschen said. Limit the conversation to the company’s biggest risks, using specific examples to define them, he said. Then follow up with an explanation of why they are the company’s biggest risks.
Flaschen acknowledged that reporting risks is particularly challenging when the company is doing well. Nobody wants to hear about risks during an upturn, and yet “when things are going well, risks are heightened,” he said.
Sometimes board members themselves may ask for too much information. “On a strong board, you’re going to a have a wide range of diverse experiences and personalities, so you have to be prepared for a wide range of questions,” Crist said.
Communication Tips
To avoid spending too much time on trivial matters, it helps to have an established level of communication with board members, Bramnick said. “You can’t emphasize enough having an open, honest dialogue with the board and building a rapport of trust,” he said, “because if you have that, then it’s much easier to talk about complicated issues and push past issues that don’t need their attention.”
One way to build trust: Report information early. “[G]et the idea of routine quarterly updates out of your head,” Flaschen said. “If it’s an important risk, discuss it every time you meet,” Harlan added.
Crist said he meets once a year with the full board, twice a year with the audit committee, and as often as needed with both when special issues arise.
Harlan further recommended calling the board or audit committee chair before the meeting to go over the agenda, to ensure every issue that’s supposed to be covered does indeed get covered, as well as to discuss any concerns.
At Allstate, for example, the internal audit team and the chief risk officer coordinate to make sure their agendas are in synch, Crist said. When their views on certain topics differ, “we discuss that, and we’re aware of that going into the meetings,” he said.
“We spend a lot of time on preparations for the meetings and sharing pre-reads,” Crist added. “Our culture is one of providing the information upfront and engaging in dialogue, as opposed to going through the formal presentation in the meeting.”
Another challenge for risk and compliance officers is alerting boards to emerging risks that still linger on the horizon, but nonetheless merit board consideration now, Lu said.
Some boards are already at that level. “Over the last year, in particular, there’s been a heightened interest in the rapidly changing regulatory environments,” Crist said. As a result, his board has been spending lots of time probing what the company normally calls “watch-list items.”
Crist and Lu also said it is incumbent the compliance executive to bring both internal and external viewpoints into the boardroom. Such examples include focusing on corruption issues, enforcement actions brought by the Justice Department, as well as lessons from other companies’ wrongdoings.
Said Lu: “I just give them some sense of context about what is going on outside the world.”
No comments yet