More on Culture/NACD, and Risk Management

I did some weekend reading. The following are two items of interest.

New NACD Report on Culture

The following is a link to the page for the NACD Commission Report on Culture as a Corporate Asset – the complimentary material (28 pages) is worthwhile reading if you are not an NACD member: https://www.nacdonline.org/Resources/Article.cfm?ItemNumber=48256

Of course, the NACD culture report doesn’t carry with it any force of law or requirement, and, although the report is fairly specific while at the same time also vague in that it often refers to comments by commission members who are unnamed, the report is significant because it is provided and supported by a leading board director organization as an indicator that entity culture is an important area for board oversight.

New Post by Norman Marks About Risk Management

And from part of a blog post by Norman Marks about risk management, which you can see at the following link: https://normanmarks.wordpress.com/2017/10/14/is-it-about-managing-risk/

“ . . . board should be asking these questions:

  • How likely are we to achieve our objectives?
  • If the likelihood is less than acceptable, why? What can we do about it?
  • If there is a possibility of exceeding our objective, what can and should we do?
  • What assurance do we have that management is taking the right risks, making intelligent and informed decisions?
  • Are there any risks that we should be concerned about, that merit our attention and possibly our action?”

Culture and Governance; The Weinstein Company, Uber, Fox, WFB and Others

Each of the four above listed businesses, and others, have been in the news for issues relating to culture and governance, and other related matters. The legal structures of these four businesses differ significantly, from privately held, to privately held but with high value and reputation venture capital, to publicly held. I have blogged about the new COSO enterprise risk management (ERM) framework, and that the first of the five major components pertains to culture and governance, and the fifth of the five major components pertains to communicating and reporting.

Would the news about these businesses have been different if COSO ERM had been implemented and followed? Perhaps, perhaps not. We might also ask about and evaluate the executive officers; board, board committees and director oversight; the responsibilities of in-house counsel; the actions of the chief compliance officer (if any); how internal audit (if any) might have been helpful; whether issues came or should have come to the attention of the external auditor (including, for example, during the audit planning phase, or even during a more limited review engagement); workplace practices and policies; and perhaps the actions or inactions of the regulatory agencies (if any).

Culture and governance carry with them the potential to affect value (both positive and negative, and for both financial and reputation value), liability, and damages, not only for the business, but, of course, also for victims (and the erroneously accused, as we have also seen those situations), and for the executive officers and other management, the board and the directors, HR, the chief compliance officer, in-house legal counsel, the chief of internal audit, the partner running the external audit, the employees for their jobs and possible investment and pension holdings, creditors who have loaned money to the business, founders, owners and investors, customers, consumers, and other stakeholders. And these issues apply not only to public and private businesses, but also to nonprofits and governmental entities, and to the people who are involved in and with them.

It isn’t surprising that actions and events occur that are different than reasonably and primarily anticipated (that is the nature of risk management), and that negative and detrimental events also occur, sometimes without legal fault or liability. However, it is somehow also more disappointing to hear that possible or actual problems were known or might have been known to exist for a length of time without being addressed and remedied.

That’s all. I don’t have any personal knowledge about these specific situations other than what I read in the news. And I’m not casting fault, culpability or liability – each situation needs to be internally and/or externally investigated and evaluated by qualified people with the requisite experience, knowledge, demeanor and approach (i.e., objectively and prudently, and where necessary and prudent by people who are independent and without conflict or bias). Oftentimes (practically always) the situations and facts are different (sometimes better, and sometimes worse) than first thought. And then there is always the prospect for litigation to establish responsibilities and rights, liability, causation, damages and remedies including recovery of damages.

We do seem to be seeing an uptick in discussions about the culture and governance of businesses (private, public, and nonprofit) and government – we’ll see if it lasts, and if more specific expectations develop including greater design, implementation and oversight of culture and governance controls.

Please note that the comments in my blog posts are my own, and are not by anyone else, and do not apply or relate to any particular or specific person, business or other entity, or situation.

* * * * *

New Governance Guidance Stretches Thinking on Ethics, Risk, and More

The King IV draft code has much to say about governance, risk management, compliance, and assurance. Click on the following link for the discussion by Norman Marks and see my comments below: iaonline.theiia.org

This article by Norman Marks discusses parts of the new King IV code that concentrate on culture, ethics and risk. It’s interesting for thought with respect to your own organization. It is and has long been well known that all three corporate areas, culture, ethics and risk management, are instrumental to business performance and legal compliance.

And although these areas are discussed, and significant strides have been made in or discussed about risk management during the past couple of years, there still are no universally recognized standards or criteria to evaluate or audit how the business is doing in these areas.

I have long been surprised that the auditing professions, external and internal, have not jumped on these areas and also governance.

See also Tate’s Excellent Audit Committee Guide at CLICK HERE

Best, Dave Tate, Esq. (San Francisco and California), http://auditcommitteeupdate.com, http://californiaestatetrust.com, http://tateattorney.com


‘Internal audit is crucial to assessing impact of corporate culture’

Internal audit’s mandate is much broader than external audit’s, says Richard Chambers of Institute of Internal Auditors

Click on the following link for the article: www.thehindubusinessline.com

Dave Tate, Esq. comment.

I’m going to disagree with Mr. Chambers on this one. I believe it is better for external audit to be auditing this issue – which is an issue that external audit already should be taking into consideration when designing the audit and the extent to which management and the accounting and internal control functions can be relied upon.

Although internal audit could be assigned a task or project relating to culture, on this topic I would keep the task or project very specific. Internal audit does also work and interact with management and executive management – assessing culture might detrimentally impact those relationships. I would however recommend that internal audit be more involved in risk management, which could involve culture but in a different context.

Audit committee, D&O, risk management, etc. blog: http://auditcommitteeupdate.com

Website: http://tateattorney.com

Trust, estate, conservatorship and elder abuse litigation blog: http://californiaestatetrust.com