In this American Banker article, Luse Gorman’s John Gorman discusses his concerns about – and opposition to – suggestions made by academics and others that bank directors’ fiduciary duties be broadened in the risk oversight area. His article was triggered by a recent speech by Federal Reserve Gov. Daniel Tarullo where he appeared to support the notion of expanding bank directors’ fiduciary duties – referencing a recent “provocative” academic paper proposing a simple negligence standard for expanded board oversight responsibility for risk-taking by “systemically important” financial institutions.
In the article, Gorman notes that expanding directors’ duties in this manner would expose boards to liability for good faith judgments as to risk management, increase litigation and expense, require boards to function in a management capacity, and discourage board service by capable candidates.
Kevin LaCroix echoes those concerns in this blog. Like Kevin, I acknowledge stepping into an already-unfolding debate, but I have to note that I am similarly concerned about the implications of such a proposal. Among other things, it seems almost certain that the pool of aspiring and well-qualified bank board directors would shrink measurably as their potential liabilities increase, which would reduce overall board effectiveness, the opposite of what the proposal is meant to achieve. Kevin’s blog further discusses his seemingly well-founded concerns that the notion of broadened fiduciary duties would quickly expand beyond systemically important financial institutions to additional, or potentially all, bank directors.
On The Other Hand: Proposed Increased Protection for Australia’s Directors
While here in the US we are dealing with discourse around expanding the fiduciary duties of bank directors, proposals to limit director exposure to liability are being floated in Australia. This paper outlines the Australian Institute of Company Directors’ proposal for a new director defense to supplement the statutory business judgment rule.
The statutory business judgment rule is limited to a director’s duty of care and diligence – leaving directors exposed to liability for actions/omissions related to other Corporations Act provisions and laws that may impose personal liability. The Institute’s surveys (described in the paper) suggest that directors’ exposure to personal liability under the current regulatory scheme adversely impacts their decision-making and discourages their willingness to accept new board appointments. The proposed Honest & Reasonable Director Defense is designed to provide directors with appropriate protection.
The proposed defense is as follows:
Honest and reasonable director defence
Notwithstanding any other provision of this Act or the ASIC Act, if a director acts (or does not act) and does so honestly, for a proper purpose and with the degree of care and diligence that the director rationally believes to be reasonable in all the circumstances, then the director will not be liable under or in connection with any provision (including any strict liability offence) of the Corporations Act or the ASIC Act (or any equivalent grounds of liability in common law or in equity) applying to the director in his or her capacity as a director.
What is “Proxy Insight?”
In this podcast, Seth Duppstadt discusses how the new service – Proxy Insight – works, including:
– What is Proxy Insight?
– How does it differ from a proxy advisor?
– How does it differ from a governance ratings firm?
– Any surprises since you launched?
Jim Brashear of Zix Corporation addresses cybersecurity issues in this guest post:
At the ABA’s 2014 annual meeting earlier this month, delegates approved a resolution that “encourages all private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program.” When you consider that some pundits characterize lawyers as technology Luddites and law firms as “the soft underbelly” of data security in corporate America, it may seem odd for the legal industry to be lecturing other organizations about getting their cyber houses in order.
Law Firms Are Targets of Cyber Attacks
The ABA Cybersecurity Legal Task Force report accompanying the draft resolution warns that “the threat of cyber attacks against law firms is growing.” It notes that law firms collect and store large amounts of critical, highly valuable corporate records. The report points out that “lawyers and law offices have a responsibility to protect confidential records from unauthorized access and disclosure, whether malicious or unintentional, by both insiders and hackers.” Unfortunately, many lawyers don’t fully appreciate the scope of that responsibility, particularly as it applies to data transmitted via the internet or stored in the Cloud.
Data in Transmission is At Risk
A survey conducted in March 2014 by LexisNexis found that 89% of law firms use email daily for business purposes, but only 22% of law firms are encrypting email. A recent post in Law Technology News urges that “It’s Time to Secure Privileged Communications.” The post notes that “attorneys should be concerned about the general uncertainty of privacy expectations for email.” Those risks to email confidentiality are not merely a theoretical concern.
For example, in February the New York Times reported that a foreign spy agency intercepted email messages between a large U.S. law firm and its foreign government client and then shared the information with the U.S. National Security Agency. In a carefully worded statement, the law firm said: “There is no indication, either in the media reports or from our internal systems and controls, that the alleged surveillance occurred at the firm.” The statement misses the point, because unencrypted email is intercepted, undetectably, while it is being transmitted or stored outside the firm’s internal network.
That news report prompted the ABA to ask the NSA to explain how the agency deals with attorney-client privileged communications. As discussed in the post “Law Firm Email Security Questions The ABA Should Be Asking,” the ABA was conflating legal privilege with client confidentiality and asking the wrong questions of the wrong organization.
Standards of Care
The fundamental question is whether the firm’s lawyers were taking reasonable steps in the circumstances in order to secure sensitive email communications. The ABA report acknowledges that “law firms are businesses and should take special care to ensure that they have a strong security posture and a well-implemented security program.” Many lawyers say the NIST Cybersecurity Framework can serve as a general guide for information security oversight and risk assessments, in order to establish that reasonable care was taken. The NIST Cybersecurity Framework includes an assessment of whether “data-in-transit is protected.”
Email fundamentally is a convenient but insecure method of transmitting and storing data in the Cloud. There are many simple steps that lawyers can take to protect sensitive data that they exchange with clients and third parties, including email encryption. State bar associations, however, continue to draw an unfounded distinction between the data security measures required when transmitting and storing data “in the Cloud” versus those required for email.
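As an added example (not part of Jim Brashear’s post, and not Zix code), the guest post’s point that mail can be read in transit can be checked for a particular message by reading its Received: trace. Each relay prepends a Received: line naming the protocol it accepted the message with; under the RFC 3848 registry, names ending in S (ESMTPS, or ESMTPSA for an authenticated TLS session) mean that hop ran under TLS, while plain SMTP/ESMTP means cleartext. The script below parses a constructed three-hop message (the hostnames, IP addresses and queue IDs are invented) and flags the hop that was accepted without TLS. Two caveats: trace lines are written by the relays themselves and can be omitted or forged, so a clean trace is not proof of protection; and hop-by-hop TLS still leaves the message readable on every relay, which is why message-level encryption, as the post recommends, is the stronger control.

```python
"""Flag hops in an e-mail's Received: trace that were not protected by TLS."""
import email
import re

# Constructed sample, not a real intercept: the message crosses three relays and the
# middle hop (ISP relay -> firm's inbound MX) was accepted over plain ESMTP.
SAMPLE_MESSAGE = """\
Received: from mx-in.lawfirm.example (mx-in.lawfirm.example [203.0.113.10])
\tby mail.lawfirm.example with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tMon, 25 Aug 2014 10:02:11 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx-in.lawfirm.example with ESMTP id def456;
\tMon, 25 Aug 2014 10:02:09 -0500
Received: from client-mail.client.example ([192.0.2.5])
\tby relay.isp.example with ESMTPSA id ghi789;
\tMon, 25 Aug 2014 10:02:05 -0500
From: counsel@client.example
To: partner@lawfirm.example
Subject: Draft settlement terms (privileged)

Please see the attached draft.
"""

# One unfolded trace line: "from <host> ... by <host> ... with <protocol> ...".
# The "with" clause is optional in the RFC 5321 grammar, so it is optional here too.
_HOP_RE = re.compile(
    r"^from\s+(?P<from_host>\S+).*?\bby\s+(?P<by_host>\S+)"
    r"(?:.*?\bwith\s+(?P<protocol>[A-Za-z0-9]+))?",
    re.IGNORECASE,
)


def _tls_protected(protocol):
    """RFC 3848 'with' protocol names end in S when the session ran under TLS; a trailing
    A marks an authenticated submission (ESMTPSA), so strip it before checking."""
    return protocol.upper().rstrip("A").endswith("S")


def trace_hops(raw_message):
    """Return hops in the order the message travelled: (from_host, by_host, protocol or None).

    Each relay prepends its own Received: line, so the header order is reversed here.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        line = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        match = _HOP_RE.match(line)
        if match is None:
            hops.append((None, None, None))  # opaque or malformed trace line: treat as unknown
            continue
        hops.append((match.group("from_host"), match.group("by_host"), match.group("protocol")))
    return hops


def plaintext_hops(raw_message):
    """Hops whose receiving relay did not record a TLS-protected protocol (or recorded none)."""
    return [hop for hop in trace_hops(raw_message)
            if hop[2] is None or not _tls_protected(hop[2])]


def transit_report(raw_message):
    """One line per hop, returned as a list so callers can log it or assert on it."""
    lines = []
    for from_host, by_host, protocol in trace_hops(raw_message):
        status = "TLS" if protocol and _tls_protected(protocol) else "PLAINTEXT/UNKNOWN"
        lines.append(f"{from_host} -> {by_host}: {protocol or '?'} [{status}]")
    return lines


if __name__ == "__main__":
    print("\n".join(transit_report(SAMPLE_MESSAGE)))
    exposed = plaintext_hops(SAMPLE_MESSAGE)
    print(f"{len(exposed)} hop(s) without TLS: {exposed}")
```

Run against a message saved from the mail client as raw source; any hop listed by plaintext_hops is one where the message body, attachments and headers crossed the wire in the clear. A hop marked unknown (no "with" clause, or a trace line the regex cannot read) deserves the same suspicion, since a relay that records nothing gives the recipient no evidence either way.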
GC’s Skill Set Should Include Understanding of Technology
I previously blogged about tips for GCs to respond to increasing governance demands based on this new study, which also identified key competencies GCs need to succeed in today’s environment.
This article argues that, as processes in every function of the business are increasingly automated, the list of the GC’s key competencies needs to include an understanding of the automation side of the business. Here is the author’s suggested list of technology tools and concepts that every GC should be familiar with:
LAW DEPARTMENT PRODUCTIVITY AND ADMINISTRATION
Cloud resources vs. local servers and storage.
Work flow systems to control legal review processes.
Document assembly and contract management programs.
Document management systems.
Secure remote access systems.
Audio and video meeting apps and services.
Matter and budget management systems.
Secure mobile device management.
Legal hold management system.
SUBSTANTIVE LAW GOVERNING E-BUSINESS
Are you familiar with the laws governing e-business in each of the areas where the company operates?
Securities laws
Tax laws
Identity theft
Advertising
Children’s online access
Defamation
Trademark and copyright
CORPORATE COMPLIANCE
What is the corporate records management system?
How are compliance inquiries (e.g., hotline) managed?
How is risk assessment conducted? Updated?
How are reports generated on issues for board or audit committee?
Are policies available to all employees?
Is there an automated procedure in place to ensure that policies are current?
Is there a system to demonstrate compliance with each requirement of the Federal Sentencing Guidelines?
CORPORATE E-RISKS
Are there rules regarding employee use of social networks?
Are there internal social networks and how are they managed?
Are there corporate rules for management of personal devices?
Are there rules on personal use of company email?
Are there retention rules for company email?
Are corporate automated marketing and sales tools reviewed for compliance with laws and regulations (e.g., the Federal Trade Commission and the Food and Drug Administration)?
Are the computers in the company (particularly in the law department) compliant with ISO security procedures?
What procedures are in place to prevent company systems from being penetrated by viruses or spyware?
Does the company have a robust computer security policy for its data, including the data of customers and consumers?
Do third parties (such as dealers or franchisees) have access to company computer systems that could give rise to security breaches?
Does the company follow privacy rules of the US and other countries?
Is business done electronically (e.g., ordering, payment)? Are safeguards in place?
More on “The Mentor Blog”
We continue to post new items daily on our blog – “The Mentor Blog” – for TheCorporateCounsel.net members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:
– Auditor Engagement Letters: No Company Intervention in Auditor-Directed Work
– PCAOB Roundtable: Mixed Views of Proposed Changes to Auditor’s Report
– Perceived Board Effectiveness Linked to How Board Allocates its Time
– FINRA: Pre-IPO Selling Procedures Need to Be Adequately Supervised
– Board Trends at the S&P 1500
In a perfect world, you would never need to inform your directors that their communications and materials are subject to a discovery request. However, in the real world, it happens, and be assured that it’s never a pleasant experience – even under the best of circumstances. This Nelson Mullins blog provides a checklist of issues to consider to minimize the negative implications of such a request:
Some issues to consider as you explore information governance, litigation readiness and the Board:
– Information governance policies. What types of Board-related information might be subject to corporate information governance policies? How are these policies and any requirements communicated to the Board?
– BYOD (bring your own device) in particular. Do Board members use their own personal devices to receive Board-related information and communicate in connection with that information? If yes, consider whether user guidelines and device registration requirements may be appropriate.
– Commingled information. Have Board members been informed about possible risks of commingling Board information with other business or personal information? Do they understand that if they save or download Board information to personal devices, systems or email accounts, such information or communications might come under scrutiny and be discoverable?
– E-books, Board portals. Does your Board use these? If yes, consider: encryption and security requirements.
– Avoid storing unique information on personal devices or systems. Consider implementing practices to centralize Board information, and to design e-Board books and Board portals so that there is nothing unique on an e-Board book or device that is not on a centralized server.
– Communicate, train, acknowledge and improve. Train Board members on information governance expectations, risks and requirements.
See this associated Inside Counsel article for a more detailed discussion of these considerations.
Implementing an Information Governance Program
Management of board information – whether electronic or print – and including distribution, retention and destruction of emails, draft minutes and other materials, should be just one aspect of a comprehensive information management approach. In addition to realistically characterizing less-than-ideal, but common, records management practices, this Mayer Brown memo about establishing an information governance program provides helpful tips for establishing a best practice program that can minimize the risks and costs associated with the lack of a comprehensive, coordinated approach.
We continue to post new items daily on our blog – “The Mentor Blog” – for TheCorporateCounsel.net members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:
– Study: CEO Succession Planning Preparedness Lags Importance
– Should Boards Have Technology Committees?
– Delaware’s Unclaimed Property Voluntary Disclosure Program: June 30th Deadline!
– Study: IPO Companies Have More Freedom on Governance Practices
– New Intrastate Offering Exemptions: Not Useful
The PCAOB’s recent amendments to Auditing Standard No. 12 addressing financial relationships and transactions with the company’s executive officers (which Broc blogged about here) have not received much attention in view of the concurrent adoption of Auditing Standard No. 18 concerning Related Party Transactions. However, it’s worth specifically noting that amended Auditing Standard No. 12 requires auditors to obtain an understanding of the company’s policies & procedures for authorization and approval of executive officer expense reimbursements – an area that is often ripe for criticism and improvement. Even in the absence of conduct in this area that would appear to pose a risk of material misstatement based on a point-in-time review, a company’s executive expense approval process, as evidenced by the documentation (not just the paper policy, which may differ), reveals a lot about its corporate culture and tone at the top – which influence pretty much everything else.
One great way to see if your current process is working effectively, and to have support vis-à-vis management for updating your policies & procedures, is to have your Internal Audit department (assuming functional reporting to the audit committee) or an external audit consultant (if you lack resources in-house, or an independent internal audit of this area isn’t feasible under the circumstances) conduct an executive expense audit and make recommendations to management and the audit committee based on those results. Having once gone the latter route while serving as GC & Secretary, I highly recommend it, as this is one of those times when it makes sense to obtain a view from an outside consultant who is experienced in internal auditing, knowledgeable about multiple companies’ expense controls and internal controls generally, and has no ties with company management.
We have posted lots of memos about these new and amended PCAOB standards here in our “Related Party Transactions” Practice Area.
Is There a “Proper” CEO Expense Approval Process?
Perhaps prompted by the amendments to Auditing Standard No. 12, the “proper” approach to CEO expense approvals was recently bantered about on Proformative, an online resource primarily geared toward finance professionals – but often also of interest from a legal perspective. A member anonymously questioned on the site’s Q&A forum who should approve CEO travel expense reimbursements – the board or the CFO? He noted that many boards meet just monthly, which could make timely board approval difficult – but that the CFO of his company had not properly vetted senior management expenses in the past.
I thought this was a great question and, while I couldn’t resist contributing my own views based on past experience, I imagine there are multiple sound approaches to the CEO expense approval process. My own view is that a formal process should be established so that the audit committee chair, independent lead director or board chair (or another designated independent director) reviews and approves the CEO’s expenses, except for expenses that fall within objective, pre-established standards (dollar amounts and expense types) that apply to all executives, such that the CFO (or whoever else internally is charged with expense approvals) cannot be pressured, directly or indirectly, to approve potentially questionable expenses. Realistically, CFOs and other subordinates of the CEO often are not in a position to deny approval, ask probing questions about expenses that appear questionable, or even demand additional supporting documentation.
Other views communicated by members in the forum were generally comparable – i.e., charge the CFO with approval of routine expenses as specifically defined by pre-established parameters via a written policy, and charge the audit committee or other independent directors with approval for any expenses that fall outside of those parameters. However, one company President/co-founder indicated that getting the board involved in this type of activity – even if just for the CEO – is difficult barring some evidence of problems that would trigger more robust board oversight. Unfortunately, based on my own experience, I think that that is what often occurs – a real problem that ultimately prompts intense board focus and development of a new process that includes some sort of board oversight as a component. It would seem like the more conservative, “safer” approach is to build that board oversight into the process in the first instance – recognizing the inherent difficulty in charging a subordinate with approval responsibility for outside-the-norm expenses. That said, I would be very interested in hearing others’ views on this if anyone is willing to share theirs.
More on “The Mentor Blog”
We continue to post new items daily on our blog – “The Mentor Blog” – for TheCorporateCounsel.net members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:
– Study: Board Oversight of Sustainability
– Board Committee Structures Logically Circumstances-Driven
– Climate Change Disclosure: Heads I Win, Tails You Lose?
– Hut, Hut, Hike! First Fantex IPO in NFL Player
– Insider Trading: Big “Downstream Tippee” Case Might Change Standard
The results of this recent director survey, Conflicts in the Boardroom, caught my eye – primarily because it’s an unusual survey topic but an inevitable occurrence for most boards at some point regardless of size, structure or internal cohesion. Given that these conflicts/disputes have the potential to significantly impact the board’s day-to-day functionality as well as overall oversight effectiveness, it’s worth our understanding how directors most frequently encounter conflicts, their reactions, and what they want in the way of skills training to more effectively manage these situations.
Key findings include:
– Almost 30% of respondents had experience with a boardroom dispute affecting the company’s survival. Short of that, commonly cited impacts include:
Wasting management time
Distracting from core business priorities
Reducing trust among board members
Affecting the functioning of the board
Affecting the efficiency of the organization
– Most common subjects of board disputes were, in descending order of frequency: 1) financial, structural, or procedural workings of the organization; 2) personal behavior and attitudes of directors; 3) strategy development, including M&A
– Most difficult factors in resolving board disputes were issues related to competing factions on the board—“handling the emotions of those involved and separating personal from business interest”
– While about 48% of respondents attempt to mediate board disputes, 34% admit to frequently being an active party in the dispute – and 25% frequently take a side of an active party.
– Directors are much more confident that they can resolve an internal board dispute than an external dispute involving the board and external stakeholders.
– Disputes are most commonly resolved through internal negotiation (61%) or internal mediation (25%). Boards are very reluctant to resort to litigation to resolve disputes.
– Over 67% of respondents reported that they have encountered unresolved issues. 24% of small company respondents reported that issues are frequently not resolved – whereas only 6% of medium company, and about 16% of large company, respondents reported frequently unresolved issues.
– Directors are extremely interested in receiving training for dealing with personal factors: 75% described training in the “ability to deal with different personalities” as very useful.
– A gender difference emerged regarding the kinds of skills desired: women are far more interested in receiving training in negotiation skills; men are more interested in training on how to deal with different personalities.
Toolkit for Resolving Boardroom Conflicts to the Rescue!
The Global Corporate Governance Forum publishes this free toolkit offering practical guidance on how to prevent and resolve boardroom conflicts/disputes (both internal & external) short of litigation. The toolkit addresses (1) the rationale for applying ADR-like processes to these sorts of conflicts, (2) implementation/use of dispute resolution mechanisms and services, and (3) associated necessary skill sets and training for directors to effectively manage these types of disputes.
Surprise! It’s Randi blogging for the first time on this blog…Ever since the recent, highly publicized cyber breach incidents – whether warranted or not (see Broc’s recent blog) – it seems like hardly a day goes by without media coverage & third-party commentary about the board’s risk oversight role. This new Deloitte report – which addresses Deloitte’s findings of a global study addressing the prevalence and drivers of board-level risk committees – is very timely.
A primary theme is that board risk committees are just one tool that boards should at least consider to help effect their risk oversight responsibilities. That said, as the study shows, board risk committees (stand-alone or hybrid) for large companies outside the highly regulated financial services industry (FSI) are still relatively uncommon globally – and virtually non-existent in the US. This is the kind of benchmarking information most boards like to be aware of.
Most commonly, US boards effect their risk oversight by allocating responsibilities among multiple board committees; the balance typically retain responsibility at the full-board level. However, like all other governance practices, re-evaluating the approach to risk oversight periodically in the context of evolving macro & company-specific circumstances is important – even if it appears that the status quo is working. Sometimes this means reviewing particular governance practices outside of the board’s slated review time frame (e.g., proxy season). This report assists that review process by teeing up for the board’s consideration these potential benefits of a risk committee:
Depending on the organization and its industry, risks, and regulatory and risk governance needs, a board-level risk committee can enable the board to:
Assert and articulate its risk-related roles and responsibilities more clearly and forcefully.
Establish its oversight of strategic risks, as well as the scope of its oversight of operational, financial, compliance, and other risks.
Task specific board members, external directors, and other individuals with overseeing risk and interacting with management and the chief risk officer.
Recruit board members with greater risk governance and risk management experience and expertise.
Keep the board more fully informed regarding risks, risk exposures, and the risk management infrastructure.
Importantly, the report emphasizes that – outside of the FSI – risk committees aren’t normally required, and may not be desirable for every company. Each board needs to determine for itself how best to effect its risk oversight responsibilities; a dedicated risk committee is just one of several potential approaches. As noted in my previous blog about board technology committees, some boards function most effectively at the full board level with minimal work conducted in standing committees – whereas others function primarily through their standing committees. Both approaches can be equally effective. Along those lines, the board can certainly achieve the risk oversight benefits identified in the report without establishing a dedicated risk committee.
Should Directors Be Allowed to Attend All Committee Meetings?
Speaking of board committees, I couldn’t help but add my 2 cents to a current spirited debate on LinkedIn about whether it’s appropriate for all board members to attend all committee meetings. It quickly became clear in my following of this group discussion that not only are the views about this topic widely divergent, but that my views appear to be in the minority on this issue.
So far, opinions weigh in favor of excluding all non-committee member directors from all standing committee meetings, whereas I and a few others believe that – generally (subject to independence & other relevant considerations) – allowing all directors to attend all committee meetings as observers/listeners is a net positive. What I am observing by following this discussion is that the views of those opposed to this “open invitation” approach are based on philosophical beliefs about “right and proper” governance and assumptions about director personality & behavior – rather than their personal experience. On the other hand, those of us in favor of this “open invitation” approach are basing our views on our positive first-hand experiences with this practice.
The “opposition camp” is largely attributing negative characteristics to directors who express a desire to attend committee meetings other than their own – including micromanagement, lack of trust of the competence of committee members, out-of-control egos, inexperience, etc. – that simply bear no resemblance to my (and a few others’) personal experience. There also appear to be concerns about potential inefficiencies, inadequate leadership skills of board chairs who would allow such a practice, the director’s desire to attend committee meetings possibly revealing tendencies to overstep into management territory, etc.
As I noted in the group discussion, while I was a corporate GC & secretary, two of my very seasoned and reputable directors who have served for many years as directors of other public companies suggested this practice of inviting (but not mandating) all directors to attend all committee meetings based on their positive experiences at one of the Fortune 500 company boards on which they (still) serve. Triggered by their recommendation, we adopted the practice at my company and it unquestionably resulted in a more aware and engaged board overall – as well as other upsides. These upsides (and others) are shared by the few other LinkedIn group members who expressed favorable views about this approach based on their personal experiences.
This is not to say that allowing all directors to attend committee meetings as a listener/observer is the right approach for every company; rather, each board should consider this based on its own facts and circumstances. However, those who have not experienced it should not automatically assume that a director’s request to attend committee meetings evidences personality (or other) flaws – or that adopting this approach would result in inefficiencies or other adverse implications.
Finally, I have to say that it seems counter-intuitive to me that, with all of the media and investor criticism lately about directors’ lack of sufficient awareness & engagement, people are so vehemently opposed conceptually to directors attending their own board’s key committee meetings.
Webcast: “Proxy Season Post-Mortem: The Latest Compensation Disclosures”
Tune in tomorrow for the CompensationStandards.com webcast – “Proxy Season Post-Mortem: The Latest Compensation Disclosures” – to hear Mark Borges of Compensia, Dave Lynn of CompensationStandards.com and Morrison & Foerster and Ron Mueller of Gibson Dunn analyze what was (and what was not) disclosed this proxy season.