While existing laws should have been enough to prevent the Enron and WorldCom scandals, their existence alone was not sufficient. Carole Edrich discusses the need for effective controls.

Over the last decades, developments in the interpretation and refinement of law have slowly clarified views on who should bear the responsibility for actions taken on behalf of an organisation. Recent financial scandals and near-scandals have increased awareness of the accountability (and therefore liability for actions and inactions) of the board and senior managers.

Breaches that are a result of management overrides at board level are very difficult for internal auditors to deal with. They may be outside their formal mandate, or on the other side of a perceived glass ceiling. Enron displayed significant conflicts of interest and a board that was not operating for the benefit of shareholders. This was compounded by its approval of excessive remuneration packages for non-executive directors who put aside an ethics policy. The final form of high level monitoring was also compromised when the board permitted off-balance sheet activity, but did not enable the monitoring and control procedures necessary. Having the same organisation acting as external and internal auditors did not help the situation.

In retrospect, the danger signals were clear. Almost every aspect of fiduciary responsibility, corporate governance and internal and external control was compromised at the very top of the organisation. Each of the commonly accepted lines of defence was deficient.

In the light of these events, internal audit departments and associations everywhere are reviewing attitudes and practices in order to prevent further similar problems. The Institute of Internal Auditors in UK and Ireland has already issued a new agenda for corporate governance reform, with recommendations as to how efficient compliance can be implemented. It also performed post-Enron and post-WorldCom surveys to ensure that all lessons and current thinking were collected.

However, there is still widespread debate as to the best way to set up, and get agreement to, a formal and transparent process that enables the identification of the risks caused by very senior managers. It is all very well to say that an individual should go to the chairman if the CEO is doing something suspicious, but the reality is often more problematic. The necessary increase in independence of internal audit must therefore come about through clearly defined and implemented structures and processes.

Separating the role of the chief executive and chairman is one proposal. This is already practised more in the UK than the US, but it is not without its own risks.

Assigning a suitable number of non-executive board members might help by providing individuals capable of independent judgement, but current opinion indicates that there are too few good board members to go around, and that those who are good are often too stretched to provide value. Limiting the number of non-executive positions is a possibility, but one should question anything that limits an individual’s personal freedoms.

On other levels, formal fiscal law, company law and corporate governance require, either explicitly (as in Australia) or implicitly, that directors have to demonstrate that they have the appropriate skill, experience and capacity to fully understand the commercial, financial and legal risks the company faces. We have yet to see how and if the UK Financial Services Authority’s Prudential Source Book will influence the innovation and corporate performance of financial sector organisations in the UK - its wording is considerably less demanding than that of other countries.

It can also be argued that directors who are expected to be independent and to regulate management behaviour, should not have the same kind of incentive-based remuneration that executive directors receive. But since a great deal is going to ride on their shoulders, it is important to find a way of making them want to fill the non-executive role.

Share and performance-based schemes may also encourage directors and management to focus on short-term financial performance. This can encourage companies to concentrate on revenue growth derived from plans that may appear to make profit in the short term, but develop into loss-making schemes over time. Examples include mergers and acquisitions, offloading of the ‘safer’ proven businesses or units to provide funds for new or emerging business areas, and other down-sizing or tax-driven legal and financial structures. Whether these add fundamental value to a company’s performance is a moot point, and future remuneration packages might explicitly include a view of fundamental value over a longer period of time.

At a recent IIAG (Insurance Internal Audit Group) meeting, Dennis Reynolds, a partner in KPMG’s financial services advisory group, said that the right methodology for risk assessment was also a framework that could be used to present reasonable reassurance to the board. He pointed out that the three major lines of defence for an organisation were the management team, the management system and the internal audit. He went on to say that, while aspects of defence could have been strengthened in the case of Enron, only a careful scrutiny and understanding of board minutes could have revealed the situation to internal auditors.

There is also inherent ‘riskiness’ in different types of organisational culture, local and business history and leadership styles. In the UK, the board usually contains a number of executive and non-executive directors who are involved in company management, whereas the US board is usually dominated by one powerful individual who may be both chairman and CEO.

US companies, with executive directors who are relatively passive, fewer in number, and who, historically, have regulated management rather than the company itself, are therefore less likely to pick up on breakdowns in internal control, or on ambiguous or illegal business practices.

So what might be done to prevent such events in the future? Most importantly, a change in attitude or empowerment is needed. It is imperative that individuals feel able to ask questions, and that they should have the belief that they deserve a reasonable answer. Questions that are asked and not pursued are valueless. It is important to understand that delegation does not relieve officers of the responsibility to demonstrate they have the appropriate skill, experience and capacity for their positions. Otherwise, ever more severe penalties are likely to result.

While it is in their nature to look for profit, it is important that investors are not blinded by greed. Since institutional investors and the share-owning public have an interest in the success of the company, and are now less willing to accept boardroom excesses, they should be even more prepared to participate in board level decision making. Putting resolutions forward to board meetings should be easier if proposals in the UK company law white paper come to pass.

Fuel is also added to the fire of short-termism as a result of competition for funds, such as those funds under management. If fund managers’ performance criteria were different, executives would be less focused on short-term gains at the expense of the long term, and share prices might fluctuate less. Possibly they might even reflect the fundamental value and performance of the company.

Given public concern about the consequences of unregulated activities, governments all over the world seem to be adopting a prescriptive approach to business behaviour. The UK Government’s coordinating group on audit and accounting issues is undertaking a review. To date, they are particularly concentrating on the work being taken forward by regulators in auditor independence, corporate governance (particularly with regard to and the role of audit committees), regulatory oversight of the accounting profession, financial reporting (including standards and their enforcement), company law, directors’ duties, auditing standards, the smaller business, and the extent to which there are competition implications in all of them.

When properly implemented, and supported throughout the organisation, good corporate governance lies in the way board and management make and implement decisions that deal effectively with (rather than avoid) risk. Directors need access to detailed, independent knowledge, and an understanding of the business. They also require timely, useful and accurate information, feedback between all levels of the organisation, sensible incentives that encourage a balance between short- and long-term gains, clear and non-restrictive compliance requirements from regulators, and a clear knowledge of the personal and organisational consequences of glitches or failures.

Probably the best way forward internally lies in careful tailoring of board composition, provision of controlled internal and external feedback mechanisms for staff, and protection for those whistle-blowers who are justified in their concerns. External auditors should be prepared to resign if nothing is done about such matters. While it is a difficult judgement call, such an action sends a strong message to the market and may even change internal management behaviours.

The concern that over-regulation can lead to stifling of business is one that is universally acknowledged. While such changes in practices might help defend against similar sorts of fraud, human nature is such that it is impossible that the western world will not be rocked by serious scandals again.

Carole Edrich is principal of KAI Corporation (Risk), Tel: 020 8530 3933, E-mail: cedrich@kaicorporation.com

Sources of Information
G Turnidge, ‘Corporate Governance and Growth’ in Niewenhuysen. www.dti.gov.uk

Institute of Internal Audit www.theiia.org

Institute of Internal Auditors, UK and Ireland www.iia.org.uk

The Political Economy of Basel II, Professor Avinash Persaud (managing director, State Street Corporation). Inaugural lecture as Mercer Memorial Chair in Commerce at Gresham College.