Published by Ethical Board Group Limited | www.ethicalboardroom.com
Summer 2017 Were you ready for WannaCry?
Improving resilience through better cybersecurity
Effective anti-money laundering oversight Enhancing board knowledge to bolster your defences
Keeping it above board Ensuring a level playing field
How sport must tackle governance issues
Leadership in a turbulent world
Why Latin American boards must listen to key stakeholders
Taking control of board culture Is it time to up your game?
DEWA’s MD & CEO Saeed Mohammed Al Tayer discusses the organisation’s vision of becoming a sustainable innovative world-class utility
UK £9.95 USA $14.99 CAN $16.99 EUR €11.99
POWERING THE FUTURE
ISSN 2058-6116
Ethical Boardroom | Contents

COMMENTARY

10 UK Governance Code – the next 25 years
The UK framework is respected worldwide but needs to evolve with changing circumstances

12 Will US investors diverge from Trump on climate change?
Despite the US President’s withdrawal from the international climate accord, shareholders will always have Paris

14 The executive board’s role in cybersecurity
Cyber-responsible boards are pushing their organisations to innovate

16 Why good companies end up on the wrong side of the law
Despite a rise in compliance programmes, more and more executives are accused of wrongdoing

MIDDLE EAST

18 Global News: Middle East
Gender diversity, corporate governance and ageism

20 COVER STORY DEWA: Standing for generations to come
The Dubai Electricity and Water Authority aims to be a sustainable and innovative world-class utility

24 Championing integrity in Gulf countries
A voluntary initiative is setting the benchmark for honourable business

26 Alba aims high
Aluminium Bahrain B.S.C. – a trailblazer in corporate governance – is reaping the awards

BOARD LEADERSHIP

30 Taking control of board culture and new realities
How to optimise board culture to make sure time is used effectively

34 Reframing the role of an interim CEO
Interim CEOs can be more than ‘temps in the corner office’ – the right leadership can make the difference between success and failure

38 Planning for succession
Running a smooth CEO takeover process is the ultimate responsibility of any board... but how?
42 The incumbents’ view
What makes a chair of the board of directors effective?

44 Board refreshment: New paradigms for board effectiveness
To bring new ideas and perspectives to the boardroom, it is time for organisations to embrace change

EUROPE

48 Global News: Europe
CEO pay, Italian activism, corruption and ethnic diversity

50 Diversity on bank boards: Evidence from Bulgaria
Good practices in governance demonstrate the importance of a qualified board for successful supervision and risk management

54 Why it’s time to start the trust fightback
Business needs to rebuild public confidence by demonstrating it deserves it

56 Resolving the issue of NPLs
There is a cosy link between poor corporate governance and non-performing loans, which is sinking profits and capital

BOARD GOVERNANCE

60 Institutional investors turn to the courts
When protecting asset value through litigation is increasingly seen as your fiduciary duty

62 Optimising forward-looking information for the board
Internal audit analytics can open the board’s eyes to strategic risks and keep it one step ahead of the game

66 PAN-PAN! An airline’s lesson in staying calm in crisis
Establishing mechanisms that allow you to consider every possible scenario will best prepare you for the unexpected

70 Integrated reporting: chance to make a difference
Shifting to an IR model creates a strong narrative at a time when corporate behaviour is under scrutiny
74 Good governance: the foundation for a good game
The future trust in sport will rely on fairness, transparency and stakeholder engagement

LATIN AMERICA

78 Global News: Latin America
Corporate governance, corruption and codes of conduct

80 Latin America in a VUCA world
Boards in the region are struggling in today’s volatile, uncertain, complex and ambiguous climate

84 Board gender diversity in Latin America
The feminine advantage: an integral vision of strategic risks

86 Novo Mercado: paving the way
The role of the Brazilian stock exchange in shaping Latin America’s corporate governance

THE EB 2017 CORPORATE GOVERNANCE AWARDS

88 Introduction & Winners list
We reveal our 2017 North and Latin American Award winners

90 Banorte’s perfect vision
Grupo Financiero Banorte on its strategic plan to become the best bank in Mexico

92 Creating shared value and modern corporate governance
As one of Brazil’s largest electricity utilities, EDP Brasil is committed to the practices of business sustainability

NORTH AMERICA

94 Global News: North America
Shareholder dispute, pay ratios, CEO activism and diversity

ACTIVISM & ENGAGEMENT

96 Successful activism — what does it mean?
Understanding how activists get paid will enhance sensitivity to shareholders and the ability to respond

98 Proxy voting in Spain: the investors’ autumn
There will be no ‘shareholder spring’ for Spain, but autumn will bring new responsibilities for investors
102 Navigating expectations on human rights
The UN’s reporting framework can help improve business performance

104 Activist shareholders and executive compensation
Activist shareholders are increasingly applying pressure to curb pay

108 Law and economics of hedge fund activism
Effective engagement of institutional investors in corporate governance

AFRICA

112 Global News: Africa
Executive pay, corruption, bribery and corporate governance

RISK MANAGEMENT

114 Putting cybersecurity at the top of the board’s agenda
Adopting good cybersecurity practice can make a considerable difference in the resilience of your organisation

116 Cybersecurity: A fiduciary duty
Good cybersecurity hygiene will not make company directors ‘WannaCry’

120 Wolves in sheep’s clothing
How your organisational culture and management practices may be causing resentment

124 Aviation risk: Cyber threat flies into the boardroom
How to mitigate the impact of cyber threats in aviation

128 Transparency: The key to risk management
Adverse public and stakeholder sentiment has led firms to incorporate ESG issues into business decisions

ASIA & AUSTRALASIA

130 Global News: Asia & Australasia
Shareholder returns, gender diversity, ethical investments and transparency

REGULATORY & COMPLIANCE

132 Oversight of AML: Time to take notice
Boards need to take responsibility for preventing money laundering

136 General Data Protection Regulation: Are you ready?
What the EU’s new data protection regulation means for your company
Ethical Boardroom | Foreword
Welcome to the Summer 2017 edition of Ethical Boardroom magazine
Are you cyber ready?

No one expects you to be a cybersecurity expert, but with the first half of 2017 witnessing an inordinate number of cybersecurity crises, it is critical that as an organisation you start to understand and manage cyber risks if you want to avoid a much-publicised catastrophe.

Ransomware – a malicious program that locks a computer’s files until a ransom is paid – is not a new phenomenon but the size of attacks this year has been described as ‘unprecedented’, with variants becoming increasingly complex and faster-spreading.

The WannaCry ransomware wreaked havoc in early 2017 in one of the highest profile malware attacks for years, with infections hitting more than 150 countries and hundreds of thousands of computers. NHS hospitals and GP surgeries in the UK were among the worst hit, with WannaCry scrambling data on computers and demanding payments of $300 to $600 to restore access. People in affected areas were being advised to seek medical care only in emergencies.

Then along came Petya, a ransomware affecting computer systems across Europe, causing issues primarily in Ukraine, Russia, the UK and India. It spread rapidly across networks that use Microsoft Windows, via a software update mechanism built into an accounting program.

Such malicious and destructive attacks are designed to spread fast and cause widespread damage, yet security experts say most organisations could have avoided an attack by maintaining better standards of cyber hygiene and getting the basics right. It is vital to build a security culture, raise awareness among staff and assess current controls against best practice in order to identify any gaps.

According to the recently released BT and KPMG cybersecurity report The Cybersecurity Journey – From Denial to Opportunity, firms should be focussing on ‘good governance processes, the proper integration of technologies and to consider outsourcing some less critical aspects of their security to a trusted partner’ in order to address risks and gain true leadership in cybersecurity.

In this issue of Ethical Boardroom, the #CyberAvengers – a group of self-proclaimed ‘salty and experienced professionals who work together to help defeat cybercrime’ – address the recent WannaCry ransomware attack and provide the questions that boards should ask regarding the prevention and mitigation of ransomware (page 116).

On page 114, Control Risks’ Toby Chinn discusses how moving toward a common perception of cybersecurity as a holistic business risk and educating all employees on the importance of good cybersecurity practice are the important next steps in tackling today’s challenges. Meanwhile, John Riggi – former FBI executive and head of BDO USA’s Cybersecurity Practice – takes a look at the executive board’s role in cybersecurity and its responsibilities (page 14).

If your business is online then it is a target. How well-prepared are you?
Contributors List | Ethical Boardroom

Our thanks to this issue’s contributing writers

SAEED MOHAMMED AL TAYER: MD & CEO, DEWA
SANTIAGO CHAHER: Managing Director at Cefeidas Group & Co-Director at Universidad de San Andrés Corporate Governance Program
TOBY CHINN: Head of Control Risks’ cybersecurity practice
BRIAN CHRISTENSEN: Executive Vice President, Protiviti
ALEXANDRA MIHAILESCU CICHON: Head of Sales and Marketing, RepRisk
GIAN PIERO CIGNA, MILOT AHMA & PAVLE DJURIĆ: Gian Piero is Associate Director, Senior Counsel, Milot is an Associate and Pavle is Counsel at the European Bank for Reconstruction and Development
THE #CYBERAVENGERS: Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma & Christophe Veltsos
CHARLES DEMOULIN: Partner at Deminor Recovery Services
PROFESSOR ALFREDO ENRIONE: Founder & Chairman of the Center for Corporate Governance and Society at ESE Business School
HARM VAN ESCH & JUSTUS O’BRIEN: Harm leads the European Board Services Practice and Justus is Co-leader of the Board and CEO Advisory Group, Russell Reynolds Associates
RICHARD FENNING: Chief Executive Officer of Control Risks
STEPHEN HADDRILL: Chief Executive Officer of the Financial Reporting Council
PATRICK HAGGERTY & IRA T. KAY: Patrick is a Partner & Ira is Managing Partner at Pay Governance in New York
BRYAN HARRIS: Chief Internal Auditor & Risk Officer, Aluminium Bahrain B.S.C. (Alba)
JAMES JARVIS: Corporate Governance Analyst at the Institute of Directors
CARLA KOFFEL: Executive Director, Pearl Initiative
PATRICIA LENKOV: Founder & President, Agility Executive Search
STUART R. LEVINE: Chairman & Chief Executive Officer, Stuart Levine & Associates LLC
ALEJANDRA MASTRANGELO: Consultant in Corporate Identity and Governance
JOÃO PAULO MATEUS: Compliance Director, EDP Brasil
TOM McLEOD: Managing Consultant, McLeod Governance
GERRIT VAN DER MERWE: Chief Executive Officer, Candor Governance
MIROSLAV NEDELCHEV: Executive member, Bulgarian Institute of Directors
ALESSIO M. PACCES: Professor of Law and Finance at Erasmus University Rotterdam
MICHAEL PEDERSEN: An internationally recognised expert in sport governance, transparency, ethics and integrity
CHRISTIAN PETERSEN: Chief Executive Officer, Admincontrol
JUAN M. PRIETO: Founder and Managing Director of CORPORANCE ASESORES
JOHN RIGGI: Former FBI Executive and Head of BDO USA’s Cybersecurity Practice
HANNA ROBERTS: CEO for GES International
PROFESSOR PAUL ROSE: Bazler Designated Professor in Business Law at the Ohio State University’s Moritz College of Law
JASON SCHLOETZER: Associate Professor of Accounting at Georgetown University
SAMANTHA SHEEN: AML Director Europe, ACAMS
STANISLAV SHEKSHNIA: INSEAD and Ward Howell International
CAS SYDOROWITZ: CEO at Georgeson Corporate Advisory
LUKE TREGLOWN: Organisational Psychologist at PGI
GLYN THOMS: Executive Director, Cyber & TMT, Willis Towers Watson
EDITOR Claire Woffenden
DEPUTY EDITOR Spencer Cameron
EXECUTIVE EDITOR Miles Hamilton-Scott
ART DIRECTOR Chris Swales
CHIEF SUB Sue Scott
ONLINE EDITORS Allegra Cartwright, Hermione Bell
PRODUCTION MANAGER Jeremy Daniels
SUBSCRIPTIONS MANAGER Lucinda Green
HEAD OF ONLINE DEVELOPMENT Solomon Vaughan
ONLINE DEVELOPMENT Georgina King, Rosemary Anderson
MARKETING MANAGER Vivian Sinclair
CIRCULATION MANAGER Benjamin Murray
HEAD OF SALES Guy Miller
SALES EXECUTIVE Michael Brown
PRODUCTION EDITORS Tobias Blake, Dominic White
VIDEO EDITOR Frederick Carver
VIDEO PRODUCTION Tom Barkley
BUSINESS DEVELOPMENT Dammian Botello, Giles Abbott, Gerald Fox, Steven Buckley
ASSOCIATE PRODUCER Suzy Taylor
ADMINISTRATIVE ASSISTANT Abigail Fitzwilliam
HEAD OF ACCOUNTS Penelope Shaw
PUBLISHER Loreto Carcamo

Ethical Board Group Ltd | Ethical Boardroom Magazine | 1st Floor, 34 South Molton Street, Mayfair | London W1K 5RG
S/B: +44 (0)207 183 6735 | ISSN 2058-6116 | www.ethicalboardroom.com | twitter.com/ethicalboard

Designed by Yorkshire Creative Media | www.yorkshirecreativemedia.co.uk. Printed in the UK by Webmart Ltd. Images by www.shutterstock.com

All information contained in this publication has been obtained from sources the proprietors believe to be correct, however no legal liability can be accepted for any errors. No part of this publication can be reproduced without prior consent from the publisher.
Commentary | UK Governance Code
UK Governance Code – the next 25 years
The UK’s framework for corporate governance is respected worldwide but needs to evolve with changing circumstances

Stephen Haddrill
Chief Executive Officer of the Financial Reporting Council

Since its inception 25 years ago, the UK Corporate Governance Code has been a major force for good and it makes an important contribution to the high regard in which the UK business framework is held globally, which in turn is a key reason why global investors commit their capital to the UK. In short, the Code has made a significant and important contribution to sustainability in the UK economy and the creation of jobs, growth and prosperity. Nonetheless, after a quarter of a century and with the apparent decline in public trust in business it is time to review the Code and its framework to ensure it is fit for the future.

The Cadbury Report was published in 1992 as a response to corporate scandals at the time involving BCCI, Polly Peck and Maxwell, and was followed by the creation of the UK’s Corporate Governance Code. A key aspect of the Code from the outset has been the ‘comply or explain’ approach. This has allowed companies to respond confidently and effectively to evolving market circumstances, because it offers flexibility in how companies apply the principle to their own particular situations and business models. Hard rules don’t cope easily with the variety of British business and are inevitably more difficult to change.

As well as the ‘comply or explain’ approach, the strength of the unitary board and strong shareholder rights are important planks of the framework. These factors have long delivered economic success and must be preserved. But more can be done. While compliance with the Code’s provisions is high, our monitoring shows that some explanations when boards choose not to follow provisions are of poor quality. We have called on shareholders to challenge companies where they do not believe that explanations given are sufficiently persuasive.
Evolving framework
As we look to the next 25 years, it is important that our framework of corporate governance continues to evolve. The demands on business and the expectations of stakeholders are growing. Inevitably, we are looking at the risks and opportunities presented by Brexit. If we maintain the advantages gained over the last quarter of a century, investors will continue to look to the UK as a destination of choice for their capital. Businesses will continue to see the merit in being listed in the UK. A proportionate, principles-based framework for corporate governance will help to achieve these outcomes.

Codes put forward principles for best practice that make bad behaviour less likely to occur; and public reporting can make it harder to conceal such behaviour. But, on its own, a code does not prevent inappropriate behaviour, strategies or decisions. The commitment of people, particularly the leaders within a business, is required. Our report Corporate Culture and the Role of Boards and our work to tier the signatories to the Stewardship Code are good examples of fresh thinking.

There are certain principles mentioned earlier that underlie corporate governance in the UK and which we feel must be retained. The law holds all directors equally responsible for the decisions of the board. But their responsibility now needs to be more closely aligned to the broader factors in section 172 of the Companies Act and should be reported on and effectively monitored. Our report on promoting good corporate culture helps them in this regard and sets out several key observations as well as case study examples, some of which I will highlight. In particular, it encourages boards to:

■ Recognise the value of culture
A healthy corporate culture is a valuable asset, a source of competitive advantage and vital to the creation and protection of long-term value. It is the board’s role to determine the purpose of the company and ensure that the company’s values, strategy and business model are aligned to it. Directors should not wait for a crisis before they focus on company culture.

■ Demonstrate leadership
Leaders, in particular the chief executive, must be seen to live the desired culture, embedding it at all levels and in every aspect of the business. Boards have a responsibility to act where leaders do not deliver. Remuneration decisions must be consistent with the desired culture. This includes decisions on appointments and remuneration incentives, and disincentives.

■ Be open and accountable
Openness and accountability matter at every level. Good governance means a focus on how this takes place throughout the company and on those who act on its behalf. It should be demonstrated in the way the company conducts business and engages with and reports to stakeholders.

■ Seek to measure behaviours
Metrics should be tailored to the behaviours and include external as well as internal stakeholder views.

Another observation from the report calls on investors to exercise stewardship. Increasingly investors, in looking at the long-term, have recognised the importance of culture and are asking questions about it in their stewardship meetings with companies. They and we are finding that reporting of culture is an area where more can be done.

To further encourage good stewardship, we have recently categorised signatories to our Stewardship Code into tiers. The tiering exercise was undertaken to improve the quality of reporting against the Code, encourage greater transparency in the market and maintain the credibility of the Code. It distinguishes between signatories who report well and display their commitment to stewardship, and those whose reporting needs further improvement. Code signatories were encouraged to improve their statements and thereby reaffirm their commitment to stewardship.

[Image: BUSINESS IN BRITAIN. Evolving the Code will ensure investors continue to look to the UK]
There are nearly 300 signatories to the Code. More than 120 are in Tier 1 – the top tier, representing nearly 90 per cent of assets under management by members of the Investment Association. Asset owners are now better able to discuss with asset managers their different approaches to stewardship and ensure that these best meet their needs. Signatories will be encouraged to engage in continuous improvement of their reporting and stewardship activities.
Consultation process
With all this considered and after a programme of engagement with many stakeholders from many different sectors, we will issue a consultation on reforms to the UK Corporate Governance Code later this year. This consultation will broadly look at whether the Code should be amended to encourage boards better to take account of a wider group of stakeholders, whether we can do more to encourage engagement on remuneration issues and whether more needs to be detailed in the Code about culture.

Looking at the guidance on board effectiveness, which we released in 2011, we will again assess if it is addressing the issues relevant to board and company governance and how it could be amended to raise standards. We will also look at how the guidance could be amended to take account of the role of boards in setting, assessing and embedding a company culture.

Reputation in business is also key to this success, and corporate governance can help to instil this in an organisation. Business has a duty to its stakeholders to be transparent, true and fair, because without it, our economy will not thrive. Twenty-five years after Sir Adrian Cadbury’s report, the UK remains in a good position globally with high levels of trust and confidence among investors. Corporate governance must help to maintain that trust. At a time when geopolitics and world economics look less certain, both are ever more important.
Commentary | Climate Change
Will US investors diverge from Trump on climate change?
Despite the US president’s withdrawal from the international climate accord, shareholders will always have Paris

Professor Paul Rose
Bazler Designated Professor in Business Law at the Ohio State University’s Moritz College of Law

Donald Trump’s decision to pull the United States out of the Paris Agreement on climate change was unwelcome, but not unexpected, by many US business leaders. The decision, it seems, was not the consequence of deeply held beliefs about climate science (or, rather, disbelief in climate science). To cheers from his audience in the White House Rose Garden, President Trump spoke of keeping the promises he made to the American people during his campaign by ridding citizens of a burdensome agreement “that disadvantages the United States to the exclusive benefit of other countries”. The Paris Agreement, in Trump’s words, is “less about the climate and more about other countries gaining a financial advantage over the United States”.

Most public company CEOs had a different view. Lloyd Blankfein, CEO of Goldman Sachs, tweeted that Trump’s decision was “a setback for the environment and for the US’s leadership position in the world”. Two members of Trump’s business advisory council, Bob Iger of Walt Disney and Elon Musk of Tesla and SpaceX, left the council after the decision. Many of the remaining members took an opportunity to distance themselves and their companies from Trump’s position, even though they remained engaged with the advisory council.
The small business response
A different chorus emerged from small business owners and managers. Instead of expressions of dismay and defiance, small business owners largely cheered Trump’s decision to withdraw from the Paris accord. This comes as no surprise to observers of Trump’s interactions with small business owners on the campaign trail: these business owners – and many of their employees – quickly warmed to Trump’s promise to lower taxes and reduce the regulatory burdens that often disproportionately impact smaller businesses. To many of these small business owners, the Paris accord represented another costly set of regulations imposed by detached, urban elites.

While public company executives in urban America operate within a global economy in which climate change and sustainability are issues of undeniable importance, small business owners in suburban and rural America operate in local economies in which the more pressing concerns lie much closer to home. The weather, rather than climate, is much more likely to be the topic of conversation. Donald Trump did not win the election by persuading the public company CEO, but by appealing to rural Americans – business owners and employees alike – who felt ignored and disrespected by the urban elite.

A recent New York Times report notes that the withdrawal from the Paris accord has “opened up a fissure between smaller companies and some of the biggest names in business”. A more accurate characterisation would be that Donald Trump recognised an existing fissure between small and large businesses and their owners and managers; the Paris Agreement is a wedge that further widens the divide.
The impact of shareholder engagement on climate change

Even if small businesses may rightly complain of disproportionate impacts from environmental regulation, large businesses are no less vocal about costly regulatory measures. Why, then, were large businesses eager to publicly distance themselves from Trump’s decision to withdraw from the accord? The answer does not seem to be merely because they are better able to bear the costs of regulation, compared to small businesses; no business gladly accepts a regulatory burden (although, admittedly, some regulatory burdens may be welcome if they serve as barriers to entry for new competitors).

There is another significant difference between small businesses and most of the large companies that took public positions against the withdrawal from the Paris accord: shareholders. The small firms that cheered the withdrawal tend to be sole proprietorships, partnerships, limited liability companies and closely held corporations in which ownership is concentrated in a single person or a small group of individuals. The vocal corporate dissenters, on the other hand, tended to run very large, publicly traded firms with a broad investor base.

Perhaps even more importantly, most of the shares of these large firms tend to be owned by institutional investors, some of which control billions or even trillions of dollars in shares. And, it is these shareholders, the large (and often relatively passive) institutional investors, who are beginning to tilt the scales in favour of a concerted corporate response to climate-related risks.

[Image: CLIMATE DISCLOSURE. Shareholders will pay attention to the evolving regulatory environment]

The ExxonMobil vote: a tipping point?

A significant, recent example of this shift may be seen in the ExxonMobil shareholder vote. In the same week that President Trump initiated the process to withdraw the US from the Paris climate accord, the shareholders of ExxonMobil approved a shareholder resolution, calling on the company to disclose the “long-term portfolio impacts of technological advances and global climate change policies”. In particular, it wanted to know the impact on ExxonMobil’s oil and gas reserves and resources as a result of a reduction of demand consistent with the ‘globally agreed upon two degree target’ set out in the Paris accord. Although a similar proposal only received approximately 38 per cent of the vote in 2016, the shareholders approved this year’s proposal with more than 62 per cent of the vote.

What changed between 2016 and 2017? The turning point appears to be the support of several large institutional investors, including Vanguard and BlackRock. These investors are developing a clearer picture of how climate risks are likely to impact their portfolio companies. BlackRock, for example, noted in 2016 that while “some may question the science behind [climate change], all are faced with a swelling tide of regulations and technological disruption”.

The key point, then, is this: for BlackRock and other large institutional investors, climate change is not merely about the physical risks associated with rising global temperatures, such as less predictable weather and rising sea levels, but also – and perhaps even primarily – about the regulatory risks faced by companies like ExxonMobil. “The resulting regulatory risks,” the BlackRock Investment Institute explains, “are becoming the key drivers of investment returns.”

The law firm Simpson Thacher & Bartlett counted 90 environmental shareholder proposals in 2016 among the broad Russell 3000 index of US-listed public companies, up from 58 in 2014 and 42 in 2012. And yet support for these proposals, while improving incrementally, remains weak. The 2014 slate of proposals garnered less than 18 per cent of the shareholder vote, the 2014 slate a little more than 20 per cent, and the 2016 slate less than 22 per cent.

ExxonMobil’s shareholder proposal may mark a turning point in shareholder proposals on environmental issues, not because shareholders have finally recognised the risks associated with climate change, but because governments are recognising these risks. And because governments have recognised these risks and have begun to implement mitigating efforts, such as the Paris accord, institutional investors have begun to adjust their votes accordingly.

Because the regulatory risks appear to be driving shareholder support for at least some environmental and climate change proposals, there should be no suspicion that institutional investors are basing their support on social policy preferences. Indeed, large institutional investors, such as BlackRock, have typically been clear that support for a given environmental or climate change-related shareholder proposal will depend on the company at issue. For a company that has little to no identifiable regulatory exposure to climate change risk, they will be less likely to support such a proposal, consistent with their fiduciary obligations to maximise returns for their investors. As we learn more about the potential effects of climate change (and particularly if we discover greater risks from climate change), institutional investors must update and adapt their policies.

Even with the potential US withdrawal or attempted renegotiation of the Paris Agreement, the regulatory environment has changed significantly for many international companies, such as ExxonMobil. If the Trump administration reduces the federal government’s commitment to environmental regulation, international and even US state regulations will continue to affect markets in which these companies operate. California, for instance, recently passed the Clean Energy and Pollution Reduction Act. The act dramatically reduces demand for fossil fuels by energy producers in a state that, on its own, would rank as the world’s sixth largest economy.

Shareholders will be paying attention to the evolving regulatory environment. Even if Trump turns his back on the risks of climate change, large, multinational companies and their shareholders will always have Paris and the myriad of other climate change agreements, codes, standards and regulations to take into account in the coming years.
Commentary | Cybersecurity
The executive board’s role in cybersecurity
Cyber-responsible boards are pushing their organisations to new levels of innovation
John Riggi
Former FBI Executive and Head of BDO USA’s Cybersecurity Practice
As the recent WannaCry ransomware attacks proved, there is no doubt that cyberattacks and data breaches are growing – in number, sophistication and severity – and are a great cause for concern for small and large businesses alike.
The increasing number of major breaches across the globe has prompted regulators to act. In many jurisdictions, businesses are now required to meet strict cyber risk management mandates or face penalties. New regulations not only require organisations to put appropriate security measures in place to protect personal information (of their people, their clients/customers and their suppliers), but also to have mandatory data breach notification systems in place to report privacy breaches to authorities and individuals whose information was compromised. The tightening regulatory environment has prompted boards to take an increasingly active role in implementing effective cyber risk management programmes within their organisations in an effort to mitigate the risk of disruption to their business operations, avoid costly fines and damage to their brand as well as significant financial losses.
The EU General Data Protection Regulation comes into force in May 2018 and significantly expands the scope and enforceability of the EU’s data privacy regime. Companies are required to inventory all personal data, incorporate risk-based cybersecurity measures and report any data breach to the supervisory authority within 72 hours. Non-compliant organisations may be fined up to four per cent of annual global turnover or €20million (whichever is greater).
Similarly, in the US, the New York Department of Financial Services (NYDFS) recently issued a first-of-its-kind cyber regulation impacting all New York-regulated financial institutions, including New York branches of foreign banks. The NYDFS regulation mandates the implementation of a risk-based cyber risk management programme, the appointment of an individual to oversee the programme and, in an unprecedented step, the ground-breaking regulation holds company board members and senior officers personally liable for annual compliance certification.
Taking on responsibility
Approximately three-quarters of public company directors say that their board is more involved with cybersecurity than it was 12 months ago and 80 per cent of directors say they have increased company investments by an average of 22 per cent over the past year to defend against cyberattacks. This is the third consecutive year that board members have reported increases in time and dollars spent on cybersecurity. Additionally, the number of boards with cyber incident response plans in place has increased from 45 per cent to 63 per cent. Nevertheless, barely one-quarter are sharing information and threat intelligence on cyberattacks with entities outside of their business – a practice that must become more prevalent for reasons of public safety, protection of a nation’s critical infrastructure, national security and economic security.
Generally, larger organisations with well-funded and mature cybersecurity programmes are well-positioned to contribute valuable technical cyber threat intelligence along with a cyber adversary’s identified tactics, techniques and procedures, which would assist in the defence of all organisations… and the defence of nations.
The ascension of cybersecurity
There is no doubt that cybersecurity continues to move up on the boardroom agenda. Corporate directors are briefed more frequently on the organisation’s cybersecurity posture and related vulnerabilities. They are responding with increased budgets to address this critical area of enterprise risk. However, significant vulnerabilities remain, as less than half of board members surveyed worked with their organisations to prioritise the identification and development of solutions to protect their critical digital assets. Even fewer organisations have put cyber risk requirements in place for third-party vendors – a major source of data breaches.
TAKING ACTION Board members have reported an increase in time and dollars spent on cybersecurity
Beyond ticking the boxes
Executive boards allocate resources and provide management with the necessary tools to identify and mitigate cyber risks. Cyber-responsible boards go beyond checking policy, overseeing, verifying and advancing cybersecurity measures so that they keep – or better yet, exceed – pace with the latest developments in cybercrime. Organisations have adapted to new cyber requirements in a very pragmatic way, often relying on compliance criteria to determine their corporate cybersecurity policies. This approach to cybersecurity often results in a ‘tick the box’ security posture, failing to appropriately address the organisation’s greatest vulnerabilities and identify areas for improvement. A compliance-driven stance on cybersecurity can jeopardise its effectiveness. It is the responsibility of board members to ensure their companies strike a balance between effectively meeting compliance requirements and implementing a risk-based cyber programme that addresses the areas of vulnerability unique to each organisation. In a position to command resources and influence strategy, boards should push their organisations to new levels of innovation, not only in service and product offerings, but also in cyber risk management in order to ensure adequate protection from cyber threats.
Guarding the ‘crown jewels’
A board’s cybersecurity responsibilities are among its most complex – requiring members to actively engage in informed oversight of the organisation’s overall cybersecurity. Among their responsibilities, board members should:
1. Develop a deep understanding of the business’ critical assets
Quantify these assets by modelling the potential financial impact if the organisation experiences a cyberattack that disables, limits access to, or destroys these assets.
2. Understand the risk to those business assets
In order to understand how to mitigate risk, boards must determine the current state of their organisation’s cyber risk profile. And performing a cybersecurity risk assessment is far less expensive than the cost of reacting to a breach, which can not only cause reputational harm, but can also find them in breach of regulation for not having been prepared. By conducting a risk assessment and gap analysis, boards can quickly assess current policies and operations, identify holes and prioritise remediation initiatives.
3. Take inventory of sensitive company data
Information is often an organisation’s most valuable asset. And today, more than ever before, the confidentiality, integrity and access to that information is at risk. The increased threat of cyberattacks in recent years, along with the creation of new data privacy regulations, only emphasises the need for boards to implement strong policies to achieve compliance and mitigate information-related risks. Understanding what information the organisation has, where it resides, and its purpose, are key factors in identifying the highest risk areas and developing a mitigation strategy.
4. Develop and implement an incident response plan
A rapid response during a data breach can make all the difference. Boards should oversee the development of a comprehensive, regularly tested and updated incident response plan that not only outlines immediate action, but also considers company processes, internal and external communications, legal and regulatory issues, contact with law enforcement, crisis management plans, and the roles and responsibilities of individuals throughout the firm in order to manage and mitigate the impact of a breach.
5. Examine insurance plans to ensure adequate levels of cyber coverage
Cyber insurance may be purchased as a stand-alone policy or included as an additional coverage under a professional liability policy. However, coverage levels and terms can vary greatly and work in conjunction or conflict with other insurance policies held by the organisation. Boards should evaluate current policies and levels of coverage, particularly if cyber coverage is added to another policy, to ensure their organisations are properly protected from the potential losses from a cyber incident.
Commentary | Corruption
HOPING FOR THE BEST Modern corporations are often too big and complex for compliance systems to work well
Why good companies end up on the wrong side of the law
Despite the significant growth of compliance programmes, the number of executives accused of wrongdoing appears to be increasing
You might easily believe that the world is in the grip of a pandemic of corporate fraud and corruption. One after another, countries are launching anti-corruption campaigns or introducing new regulatory measures to combat attempts by dubious executives – aided and abetted by venal public officials – to steal money and undermine public ethics.
Different countries are throwing themselves at the task of rooting out sleaze in different ways. In China, the anti-corruption drive is part of a long-term concerted attempt by the Chinese leadership to assert the authority of the Communist Party and tackle one of the key issues that undermines the legitimacy of the Chinese state. In Brazil, the panoply of judicial investigations that has rocked both the corporate and political elite started almost by accident with the Lava Jato – car wash – investigation into allegations against Petrobras and has spread its tentacles into the deep recesses of the Brazilian economy, fuelled by an admirably determined cohort of public prosecutors responding to genuine public anger at widespread graft. It is not just Brazil and China; it seems that almost every country is introducing new laws, empowering prosecutors or setting up special commissions to tackle a problem that shows no sign of abating. For international companies operating in these countries, this can be anxiety-inducing. The risk of being inadvertently entangled in a bribery scandal is a genuine peril for firms with complex international structures and long supply chains. And in some countries, foreign companies are deliberately targeted by capricious authorities keen to apply leverage and extract fines.
Good people doing bad things
On the front-line are executives whose actions can determine whether a company becomes enmeshed in a reputational and legal morass. It is worth pausing to reflect on what divides behaviour that ensures the company remains scrupulous in its dealings and others whose actions spill over a line and attract the attention of law enforcement and prosecutors. In our experience at Control Risks, it is only occasionally a simple case of entrenched dishonesty. More often, it is a question of good people doing bad things.
What motivates people to do the wrong thing? Well, a few of them are just downright dishonest; the better angels of their nature have effectively been silenced and the normal boundaries of personal and corporate morality have disappeared. But in most cases, the reason is not some genetic predisposition to criminal wrongdoing. We often come across executives who have become too inured to the characteristics of a specific market. For example, if a particular business technique is an established method of winning new contracts – the payment of commissions to a small number of agents for instance – then over time it becomes possible to see no other way in which that market might operate and the commonplace and open nature of the transactions seems to legitimise the activity. People tend to think of criminal acts as being secretive and clandestine and have difficulty seeing impropriety in the open and familiar.
Similarly, we see executives who have become completely absorbed into prevailing business environments that are characterised by cronyism, nepotism and the sense that all of this is cultural. We hear this often: ‘It is just the way things get done here – it’s cultural’. It is rarely cultural for there are few cultures where stealing something that is not yours is an authentic ingrained characteristic of society. And even if something can be deemed quasi-cultural – the exchange of lavish gifts for example can at a push be seen as part of ingrained social behaviour in some circumstances – that does not mean that it remains immutable for all time. But it is a common explanation even if it is erroneous and used by executives who have too easily allowed themselves to become embroiled in illicit activity on the justification that it is so widespread that little is done to hide what is going on. When the prevailing definition of what constitutes normal suddenly changes – as it has in China and Brazil – they find that the defence of universal complicity is worthless.
Willing participants
It is often hard for compliance programmes designed at head office, sometimes with insufficient input of ‘ground-truth’, to penetrate and be relevant in this complex jumble of cultural justifications. This is particularly the case in countries with established patterns of doing business where the regulatory and legal framework is at best opaque and often applied inconsistently.
It is also not uncommon for executives accused of wrongdoing to have been willing participants in compliance systems designed to prevent the very activity of which they are subsequently accused. We should never underestimate the capacity of the human mind to compartmentalise our own behaviours in ways that internally at least do not seem to be contradictory.
And this is not the preserve of businesses and executives operating in complex emerging markets. We see exactly the same cycle of self-justification and warped moral reasoning in the financial centres of North America and Europe. Executives drawn from the same socio-economic class, educated at the same exclusive schools and universities, working for an elite group of financial institutions and enjoying themselves in the same country clubs, ski resorts and summer retreats, can lose perspective just as easily as the executive long-forgotten by head office in some remote frontier market.
Again, it is mostly not a question of intrinsic wrongness but the consequences of myopia-induced distortion of what is justifiable risk-taking and what is beyond the pale of ethical boundaries. Senior financiers genuinely committed to a range of philanthropic and charitable causes in private will commit acts that go beyond what is acceptable not because they consciously have crossed the line between right and wrong but because their judgement has been muted by the closed social and professional echo-chamber in which they live and often by the wholly disproportionate rewards on offer.
There may be no simple answer to these problems. Modern corporations are often too big and complex for compliance systems to work well – despite huge advances in technology – and human nature too malleable in its ability to justify bad behaviour. But there is a need for brave people to give voice to their inner misgivings more often. After every major scandal there is always somebody – an independent director maybe – who knows that they suppressed their instinctive fears and suspicions about what was going on in the company for fear of stepping out of line and looking foolish. It is time to listen more carefully to these voices.
Richard Fenning
Chief Executive Officer of Control Risks
Global News Middle East
MENA forum addresses governance goals
Corporate governance experts have stressed the importance of diversity and the independence of boards in the Middle East at a recent forum held in Dubai. Organised by UAE-based Hawkamah, the forum attracted corporate governance practitioners, drivers and regulators from across the region. Speaking at the forum, leadership adviser Johan Brand said: “Boards in the Mena region comprise known members and while this makes them quite comfortable and enhances the trust, there can also be some negative implications.
“As such, independent boards should be encouraged in order to facilitate a stronger and more concrete business model.”
Discussions also highlighted the importance of diversity across age, ethnicity and gender in order to manage the goals of organisations and meet the expectations of their shareholders.
Saudi embraces women in leadership
Saudi Arabia is going through a ‘genuine reform process’ and has recognised that the exclusion of women from leadership roles impacts economic potential, an industry observer has told Forbes. Earlier this year, Rania Nashar was named chief executive of Samba Financial Group, becoming the first female CEO of a listed Saudi commercial bank. Saudi stock exchange Tadawul introduced a new chairwoman — Sarah Al-Suhaimi — and Latifa Al-Sabhan was named CFO of Arab National Bank. Bessma Momani, a professor at the University of Waterloo in Canada, said of the recent appointments and legal amendments: “It’s driven by necessity — the necessity of recognising that economically the exclusion of women is basically keeping 50 per cent of its economic potential completely dormant.
“For decades, Saudi has been trying not only to diversify [its portfolio] but also trying to find a way to tap into its existent resources and known input goods. What it has is human capital and talent that is underutilised.”
Qatar Airways CEO sorry for hostess slur
The chief executive of Qatar Airways has apologised for comments he made about US flight attendants that were condemned as both sexist and ageist. CEO Akbar Al Baker described the American airline industry as “crap” and said passengers are “always being served by grandmothers”. Al Baker made the remarks in Dublin, while speaking at an event commemorating Qatar Airline’s new flight route between Ireland’s capital and Doha, Qatar. In a letter to the US trade union body, the Association of Flight Attendants (AFA), Al Baker later said: “For the cabin crew serving aboard all air carriers, professionalism, skill and dedication are the qualities that matter. I was wrong to imply that other factors, like age, are relevant.”
Iran Air appoints first female CEO
Iran has appointed a female chief executive to lead its national airline for the first time since it was established in the 1940s. The state-owned Iran Daily announced that the transport minister had named Farzaneh Sharafbafi, who holds a PhD in aerospace engineering and previously served on the board of Iran Air. According to the Associated Press, Iran President Hassan Rouhani, who was re-elected earlier this year, has recently appointed women to a number of management posts, breaking with tradition in the Islamic republic.
Jordan updates governance instructions
The Jordan Securities Commission (JSC) has issued compulsory corporate governance instructions for listed shareholding companies, The Jordan Times has reported. Previous JSC governance instructions for companies on the Amman Stock Exchange, which were issued in 2009, were voluntary guidelines. JSC chief commissioner Mohammad Hourani said the instructions, which he described as in line with international practices, would further protect investors and improve the investment climate in Jordan.
Cover Story | DEWA
Saeed Mohammed Al Tayer MD & CEO, DEWA
DEWA: Standing for generations to come
Ethical Boardroom talks to the head of the Dubai Electricity and Water Authority on the company’s mission to become a sustainable and innovative world-class utility
Ethical Boardroom: Dubai Electricity and Water Authority (DEWA) recently conducted a periodic review of its corporate governance system. What steps have been made to ensure its effectiveness going forward?
SAEED MOHAMMED AL TAYER: DEWA’s corporate governance framework includes a range of elements, such as IT governance, internal governance, sustainability governance, water governance and project governance, which are constantly reviewed and updated. DEWA follows the rollout of research and guidance issued by organisations, such as the World Bank, United Nations, the Organisation for Economic Co-operation and Development (OECD), the International Monetary Fund (IMF) and the International Finance Corporation (IFC), as well as various energy agencies and regulators worldwide. The comprehensive review of our governance is an ongoing exercise which must happen at least twice a year. All progressive organisations that seek to implement corporate governance best practices should conduct periodic reviews to inculcate good governance practices. These reviews and focus on governance have already delivered positive results. In terms of financial robustness, DEWA is the only government body in Dubai with credit ratings and has continually advanced its ratings since 2010 based on its strong financial performance, with a Baa1 rating from Moody’s and BBB+ from Standard & Poor’s. DEWA has also won numerous awards and certifications. These are achieved only if the corporate governance framework, policies and processes are maintained and up to date.
EB: Why is it essential for a state-owned enterprise, such as DEWA, to have in place a modern and advanced governance system?
AT: Good governance is essential for any organisation and more so if it is a public organisation. DEWA is committed to good governance as a strategic objective and as a core value of its principles. This is essential for any utility, whether publicly or privately owned. This has been supported by the OECD, showing the need for good governance in state-owned enterprises (SOEs) in its Guidelines on Corporate Governance for State-Owned Enterprises, released in 2015. The traditional concept of good corporate governance being a necessity for listed companies has changed considerably and now the ‘governance of things’ is essential for all organisations, whether corporate, listed or government-owned. DEWA has pioneered good governance and adopted its own framework more than a decade ago. This framework has the four basic pillars: accountability, transparency, responsibility and fair practices, all of which are embedded in the corporate culture of DEWA. The board, MD & CEO, and management oversee the effective implementation of these pillars and lead the way to establish DEWA as one of the most trusted and respected organisations in the region and instil a culture of good governance at DEWA. These in turn have enabled DEWA to forge strong relationships with its stakeholders, based on trust and accountability. DEWA has identified seven stakeholder categories. These include customers, government, employees, partners, suppliers and sub-contractors, investors, and society and future generations.
EB: Corporate governance in the UAE is constantly evolving. What is DEWA doing to stay ahead of the curve?
AT: One of the main reasons for this evolution is the onset of disruptive technologies and the increased application of innovation, especially in Dubai. In the words of HH Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE and Ruler of Dubai, “The UAE attracts great minds because they value opportunity, quality of life, transparency, good governance and sustainable growth.” DEWA considers innovation a key strategic role, as shown by its vision to become a sustainable innovative world-class utility. DEWA takes pride in being a leader in the implementation of good governance, with the UAE announcing its being a leader in the implementation of the fourth industrial revolution, DEWA is working to ensure that corporate governance is agile and dynamic, by applying innovative approaches to ensure better compliance and oversight. This requires that it cannot be relegated to committees and policies but has to be practised and proclaimed. Good governance is not just a part of our culture at DEWA, it is also one of our core values, and DEWA aims to set the pace for the best governance practices of the fourth industrial revolution.
EB: Please tell us about DEWA’s Strategic Plan 2021 and how is it aligned to the Dubai Plan 2021?
AT: DEWA is committed to achieving the objectives laid out in the Dubai Plan 2021 that were unveiled by HH Sheikh Mohammed bin Rashid Al Maktoum, to become a smart and sustainable city, as well as being sustainable with its resources. This has shaped our vision to become a sustainable innovative world-class utility that implements world-class governance and management standards within the DEWA 2021 strategy. Alignment is essential to our strategic planning, which is one of the reasons why DEWA is a strategy-focused organisation that was the first in the region to be inducted into the Palladium Hall of Fame for strategy planning and execution. DEWA’s alignment to the Dubai Plan 2021 is based on delivering on one of its key objectives that Dubai becomes transparent and reliable, which is a key objective of the government pillar for a pioneering and excellent government. in turn based on a comprehensive governance framework.
EB: DEWA has an established best-in-class risk management structure. Is having a coherent enterprise-wide strategy essential to DEWA’s growth?
AT: Risk management and a well-designed enterprise risk management (ERM) programme are essentials of modern organisations. The OECD has also highlighted the need for a well-designed risk management process as a part of an organisation’s governance framework. DEWA’s ERM clearly identifies the various risks that the organisation faces today and those anticipated in the immediate future. DEWA has outlined its risk mitigation and risk appetite definitions to support this.
EB: Cybersecurity is a global issue affecting companies large, small, private and state-owned. Can you tell us about DEWA’s cyber risk strategy?
CEO: There are increasing challenges and threats with the rapid developments in technology and the accelerating growth of smart transformation and the spread of technologies, such as the Internet of Things. Cyberattacks are estimated to cost companies around the world $300billion annually as almost one million new pieces of malware, computer viruses or other malicious software are created every day. The economic cost of cyberattacks, cybercrime and scams, are expected to reach $3trillion by 2020. Cybersecurity has become a key requirement for smart cities. That’s why DEWA is looking at the latest updates and adopting the best international practices in cybersecurity.
DRIVING FORCE DEWA CEO Saeed Mohammed Al Tayer
EB: Can you tell us why it’s important to have CSR at the heart of your operations?
AT: At DEWA, we are committed to giving back to the society and communities in Dubai. From an early stage, we have adopted an explicit policy for corporate social responsibility (CSR) aligned to international best practices. We have also set an integrated framework, which meets CSR standards, as we realise that our contribution to the local communities is essential. This framework includes social initiatives that are aligned with the UAE Vision 2021, the Dubai Plan 2021, and the DEWA Strategy 2021. In order to develop and implement our CSR strategy, we identified the actual needs of our stakeholders and developed an action plan around those needs. This maps out our objectives for sponsoring, implementing and assessing our internal and external CSR initiatives, and figuring out how they are meeting our stakeholders’ needs. The Higher Committee of the Year of Giving at DEWA has approved 12 main programmes to provide 27 social and humanitarian initiatives, covering the three themes of the Year of Giving in the UAE. DEWA’s CSR efforts have contributed to an increase in community satisfaction and happiness levels from 82 per cent in 2013, to 89 per cent in 2016. DEWA also received many international awards and certificates in CSR, including the MVO8000 global certification in CSR, becoming the first government organisation in Dubai to receive this global recognition.
EB: What does it mean for DEWA to have received the BS 13500 certification – the code of practice for effective organisational governance?
AT: I recently honoured the management team who took part in getting the BS 13500 code of practice for delivering effective governance of organisations’ certification. Obtaining the BS 13500 certification was based on their hard work and commitment to ensuring good governance is at the heart of our operations, and an established part of our culture at DEWA.
EB: Why is DEWA making clean energy a priority?
AT: It’s one of the prominent ways of using energy sources in the UAE as the country is located within the world’s sun belt. In Dubai, the potential of solar power can be harnessed by photovoltaic technology, reaching 2,150 kWh per square metre per year, while the direct part of the energy that can be used in concentrated solar power (CSP) technology is about 1,850 kWh per square metre per year. Such features further promote the use of solar energy in the Emirate. Dubai launched the Dubai Clean Energy Strategy 2050 in 2015, to increase its share of clean energy in the energy mix in Dubai to reach 75 per cent by 2050. DEWA will achieve this with the Mohammed bin Rashid Al Maktoum Solar Park going on stream, which is part of the infrastructure pillar that is one of the five main pillars of the Dubai Clean Energy Strategy 2050. These five main pillars are: infrastructure, legislation, funding, building capacities and skills, and having an environment-friendly energy mix. The Mohammed bin Rashid Al Maktoum Solar Park is the largest single-site solar park in the world, with a planned capacity of 1,000 MW by 2020 and 5,000 MW by 2030, with a total investment of AED 50billion. This will eventually save approximately 6.5 million tonnes per annum in emissions. DEWA intends to build the largest CSP project in the world, based on the independent power producer (IPP) model. DEWA has received the lowest international bid for its CSP plant at USD 9.45 cents per kilowatt hour. It will be operational by April 2021.
DEWA will generate 1,000MW using this technology by 2030. DEWA gives its customers the chance to produce clean energy following the resolution issued by the Dubai Executive Council to integrate electricity produced from photovoltaic panels with the power distribution system in Dubai. The resolution formed a comprehensive legislative framework to connect electricity produced from solar power to the distribution system. The resolution supports the Smart Dubai initiative launched by HH Sheikh Mohammed bin Rashid Al Maktoum, to transform Dubai into the smartest city in the world and encourages customers to produce clean energy. This engages the community in the production of electricity from solar energy, diversifies energy sources by increasing renewable energy targets, preserves the environment and lowers the country’s carbon footprint, while also encouraging the development of a green economy to achieve sustainable development. DEWA’s Shams Dubai initiative also allows customers to install photovoltaic panels on their rooftops to generate electricity from solar power. The electricity is used onsite and the surplus is absorbed into DEWA’s grid.
CLEAN ENERGY Mohammed bin Rashid Al Maktoum Solar Park
EB: How will innovation make a difference in your strategic priorities?
AT: At DEWA, we work according to the directives of HH Sheikh Mohammed bin Rashid Al Maktoum, to promote Dubai’s global leadership and to continue the path of leadership and excellence to reach number one globally. We continuously review our work processes and procedures to maintain our lead, in line with the 10X initiative, which His Highness launched to make Dubai the city of the future by bringing about comprehensive change in the government work system, and developing innovative ideas and future plans. We work to keep pace with the Fourth Industrial Revolution and make use of disruptive technologies in the generation, transmission, and distribution of electricity and water, to provide world-class services that make life better for the citizens, residents, and visitors of Dubai, and provide electricity services that meet the highest standards of availability and reliability. DEWA has incorporated innovation in its vision and raised its importance to encompass 40 per cent of DEWA’s strategic map. DEWA has also included strategic objectives within its strategic map that focus on envisioning the future, innovation and happiness of stakeholders to achieve DEWA’s vision to become a sustainable innovative world-class utility and the Dubai Plan 2021 to make Dubai a city of happy, creative and empowered people.
At DEWA, we have always invested in developing people who are capable of spearheading research and development in clean and renewable energy to further preserve natural resources and protect the environment. DEWA has launched several promising programmes, initiatives, and projects to achieve this goal, including MORO, which specialises in providing information storage services, cloud computing, and IT for the public and private sectors in the UAE and the region. These efforts support the National Innovation Strategy to make the UAE one of the most innovative countries in the world in support of the Smart Dubai initiative, to make Dubai the smartest city in the world. We still look to new ideas and disruptive technologies that will shape and change our future. Innovation will continue to make a difference as long as we adhere to a culture of innovation, because we owe it to our children, and we stand by our motto: ‘for generations to come.’
DEWA IN CONTROL Warsan control centre
Middle East | Integrity
Championing integrity in Gulf countries
A new voluntary initiative is setting the benchmark for honourable business
Carla Koffel
Executive Director, Pearl Initiative
Throughout my career as a legal counsel and now as head of a Gulf-led, non-profit organisation that promotes transparency and accountability as a measure of business competitiveness, I have often seen the word integrity make its way into conversations. More often, integrity appears to be unequivocally a fundamental measure of the way people do business, both in this region and across the world. That said, if you scratch the surface, most corporate leaders would agree that while integrity means good business, it can often be considered a nice-to-have rather than a sustainable long-term business requisite.
It helps to have perspective in this instance. There is a lot of money to be lost with the deterioration of integrity and growth of corruption. The World Economic Forum estimates that corruption increases the cost of doing business by up to 10 per cent on average. At a more human level, the value of integrity rises as we see a millennial and Gen Z influx into the workforce. As the 2017 Deloitte Millennial Survey confirms, today’s growing young workforce is most motivated to work with companies that put a culture of trust and integrity at the core of their operations.
Across the Gulf region, efforts to improve and formalise processes around corporate integrity, corporate social responsibility and corporate governance have been ongoing for more than a decade. However, they have gained further urgency in the current low oil price environment where companies are increasingly looking for foreign capital opportunities. Yet, foreign investors are often held back by the lack of transparency or access to sufficient information and knowledge about the Gulf corporate sector as a potential partner, client or supplier. The story is not very different internally. Domestic investors frequently face obstacles obtaining key information regarding the ownership, performance and the business integrity of their partners, suppliers and customers. From a policy standpoint, the decade-long deliberations on the need for integrity have culminated in serious action in the Gulf, especially now as governments in the region are seeking to transition from the public sector-led development model towards private sector-led development.
Corruption: Behaviour on the part of officials in the public and private sectors, in which they improperly and unlawfully enrich themselves and/or those close to them, or induce others to do so, by misusing the position in which they are placed (OECD Glossaries)
More action needed
While most Gulf countries have general anti-corruption provisions in their penal codes or other criminal legislation, some countries in the region have passed additional specific legislation criminalising bribery. These laws have been crucial in expanding the scope and definition of transactions considered as bribery with criminal implications, as well as in setting out more significant sanctions for the breach of these laws. For instance, in the UAE, the revision of the Federal Penal Code in 2005 resulted in the criminalisation of bribery in the private sector, impressing a greater ethical drive in the market.
Nevertheless, the position of the Gulf countries on international business integrity and anti-corruption rankings highlights the need for greater action to implement effective integrity measures. This view was mirrored at the Pearl Initiative and United Nations Global Compact annual forum, ‘Sustainability in Action: Business and the UN Global Goals’, held in October 2016, which saw more than 700 public and private sector representatives examine the role of the Gulf private sector in advancing the Sustainable Development Goals. Notably, 78 per cent of the participants at the forum’s session on the role of integrity in fostering secure and peaceful communities felt that right business conduct was integral to ensuring peace and stability in the region. A majority of respondents also agreed that Gulf businesses understand, in varying degrees, the business case for integrity and anti-corruption practices. However, compared to this, close to 55 per cent of those surveyed agreed that regional businesses did not have adequate measures in place to manage risks associated with regional instability, pointing to a clear gap in building integrity into the corporate fundamentals.
The business case for integrity
Besides the inherent benefits of clean business practices, integrity levels are clearly correlated with better economic performance. Understandably, the UAE, which ranks the highest in the region in the World Bank’s ‘Doing Business’ index, has improved its economic landscape through better checks and balances in the business sector. Emphasising this point, a 2016 IMF report clearly shows that investment in corrupt countries is almost five per cent less than in their peers which are relatively not corrupt. Responding to this reality, the region is seeing a greater thrust towards integrity, moving from mere lip service to time and fund investments to root out corruption. In recent times, for example, corporate spending on integrity practices has seen an increase, with an OECD survey indicating that 80 per cent of respondents confirmed that their company’s board was strongly involved in the design and implementation of their company’s integrity policy. Close to 20 per cent of respondents estimated integrity budgets to have increased by 25 per cent to 50 per cent over the last five years.
Going beyond policy and regulation
With the growing body of knowledge on the advantages of integrity within business, it becomes more and more apparent that real change can only be possible if the corporate sector takes a more introspective role in effecting clean business. While strict legal measures can complement such actions, fundamental breakdown of corporate governance can be extensively damaging, combining wealth and resource depletion with a more catastrophic destruction of trust.
In this respect, the Pearl Initiative has partnered with Siemens to create the first-ever Integrity Indicator for the private sector in the Gulf region. Designed as a voluntary framework for private firms in the Gulf to measure their performance in relation to international benchmarks in integrity and regional best practices, the initiative also seeks to trigger a conversation on practical measures to improve integrity levels in regional firms. Currently in its pilot stage, the Integrity Indicator will be formally rolled out this September. It will focus on six pillars of integrity best practices, namely: the company’s integrity framework; its integrity risk assessment; the implementation of integrity policies; the management of integrity incidents; the role of the board and executives, and business integrity reporting.
While the Indicator follows a rigorous methodology, combining qualitative and quantitative factors, what we also expect is that it will provide a strong starting point for corporate leaders to reassess and strengthen their anti-corruption and transparency measures. To accommodate the diverse business sector in the Gulf, the indicator is applicable irrespective of a company’s sector, size and nature of interactions with public stakeholders as well as foreign partners. By developing this as a voluntary initiative, we also look forward to inviting the participation of companies that are leading the way in adopting strong integrity practices, and can set a benchmark for the rest of the region. These ‘integrity champions’ could go a long way in potentially influencing positive change within the business community, and suitably complement the efforts of regulators and governments to implement enabling legislative reform. Ultimately, what we hope to achieve with this project is an action-oriented dialogue within the private sector, enabling a collaborative approach to improving integrity in the region.
Bribery: The promise, offering or giving, to a public official, directly or indirectly, of an undue advantage, for the official himself or herself or another person or entity, in order that the official act or refrain from acting in the exercise of his or her official duties (OECD Glossaries)
INTEGRITY CHAMPIONS Companies that adopt transparency measures can influence positive change
Middle East | Good Governance
WORLD BEATING When Alba’s sixth potline comes on line it will become the largest single-site aluminium smelter
Alba aims high
Aluminium Bahrain B.S.C. was one of the first companies in the country to embrace the Corporate Governance Code – and the impact has been transformational
Bryan Harris
Chief Internal Auditor & Risk Officer, Aluminium Bahrain B.S.C. (Alba)
Aluminium Bahrain B.S.C. (Alba), Bahrain’s flagship industrial company, owns and operates one of the largest aluminium smelters in the world, together with significant assets in power generation, water desalination and calcining production. Its products are considered to be of the highest quality and are sold across the MENA region, Europe, Asia and North America.
Alba has had a dual listing on the Bahrain Bourse and on the London Stock Exchange since 2010. This required significant changes to its corporate governance structure as well as processes to ensure compliance with the various regulatory bodies. Also, in 2010, Bahrain’s Ministry of Industry and Commerce and the Central Bank of Bahrain issued a new Corporate Governance Code modelled on leading international codes. Alba was a leading adopter of this Code. The changes in the company over the past seven years arising from these events, led by a rejuvenated board of directors and executive management team, have been transformational for the company. Speaking on Alba’s corporate governance journey, its chairman Shaikh Daij Bin Salman Bin Daij Al Khalifa said: “We pride ourselves on the open and transparent manner in which Alba operates. We are also grateful for the efforts undertaken by our board of directors and executive management to protect the rights of our valued shareholders as well as safeguard the company’s values.”
Governance and expansion
The construction of Alba’s sixth potline for its aluminium smelter, together with an additional 1,792 MW power station, has recently begun, with a planned capital expenditure of approximately $3 billion. When completed in 2019, it will boost per-annum production by 540,000 metric tonnes, bringing its total production capacity to 1.5 million metric tonnes per year, making Alba the world’s largest single-site aluminium smelter. The sheer size of this mega-project has resulted in the need to demonstrate sound corporate governance, a well-established corporate social responsibility programme, and project governance and transparency to a wide variety of stakeholders – namely, shareholders, lenders, commercial partners and regulatory authorities, as well as the local community.
Developing clear guidelines
Since March 2011, Alba’s board of directors has presented a comprehensive annual corporate governance report at each shareholders’ meeting. This report, also available on Alba’s website, sets out the company’s compliance with the code and with the additional guidelines, along with transparently providing explanations for areas of non-application and required disclosures. New charters were also developed for the board and its sub-committees to ensure that their powers and activities were aligned with best international practices. Clear levels of authority were developed to ensure that key decisions are taken at the appropriate level, and clear budgeting, performance management and industry benchmarking tools were put in place to ensure transparency and clear line of sight on critical areas, such as product pricing and raw material costs. The chief internal auditor and risk officer reports independently to the board and board audit committee and has authorisation to review any aspect of Alba’s controls.
A board-approved code of conduct, on par with leading international codes of ethics, was developed and launched to all employees and communicated to all suppliers. The code of conduct provides a set of expectations and guidelines to all those working for and with Alba and ensures that we uphold the highest standards of integrity and personal conduct in our business and professional activities and when dealing with colleagues, vendors, customers, contractors, government agencies and the public. Compliance with the code of conduct is monitored by Alba’s Integrity Task Force, comprising the chief internal auditor and risk officer, legal manager and the director of administration, which reports directly to the board audit committee. Monitoring tools include an independently operated confidential hotline and reporting system that provides for reporting in multiple languages by phone and intranet 24 hours a day, every day. This hotline enables Alba employees, contractors and commercial partners to report in confidence any breaches of Alba’s code of conduct, such as frauds and other matters that could potentially prove damaging to the company. Alba’s development and roll-out of the code of conduct and confidential employee reporting system was used as a best practice case study in a Pearl Initiative and University of Cambridge study on transparency and ethics in the Middle East.
CODE OF CONDUCT Alba’s internal code applies at all levels of the organisation
The board and its three sub-committees – the board audit committee, the nomination and remuneration committee and the executive committee – conduct annual self-evaluations to review their independence and performance as well as identify areas of improvement. A process has been implemented to identify and report directors’ and executives’ ownership and trading of the company shares. The company has issued policies on key persons dealing/insider trading and has established quarantine periods for the trading in Alba shares.
Alba’s investor relations (IR) department proactively develops investor relations products and tools aligned with international best practices. Relevant communications are posted on the company’s website, including quarterly IR presentations, a financial calendar and toolkits. Alba’s IR department was declared the best company for investor relations in Bahrain at the Middle East Investor Relations Society (ME-IR) Annual Conference and Awards 2016.
Alba has also implemented an enterprise risk-management framework where it sets out the principles, policies and procedures for the identification, evaluation, treatment and monitoring of the key risks that Alba faces, enabling resources and effort to be focussed on those areas that are the most critical. It was designed to be consistent with leading international standards on enterprise risk management, including ISO 31000. The resulting high-level risks and the status of required mitigating actions are reviewed by the audit committee regularly and by the full board periodically.
Alba published its first Sustainability Report in 2016 where it featured three dimensions for the company performance – economic, environmental and social – for the year ending 31 December 2016. The Sustainability Report covers the significant environmental, economic and social aspects of the company’s business and highlights its sustainability performance and strategies for integrating sustainable principles into its development operations and services. An important milestone for Alba, the report for 2016 was developed to share Alba’s journey using the internationally recognised sustainability reporting framework from the Global Reporting Initiative (GRI).
MILESTONE The company’s first Sustainability Report was published in 2016
Future plans
Alba’s ambitious Line 6 Expansion Project, mentioned above, is one of the largest brownfield projects in the region. The Line 6 Expansion Project, in compliance with the Equator Principles and the International Finance Corporation (IFC) Performance Standards, will develop and implement a comprehensive stakeholder engagement plan (SEP). The objective of Alba’s SEP will be to provide a technically and culturally appropriate approach to consultation, disclosure and understanding of the Line 6 Expansion Project to the stakeholders in a timely manner. The SEP will also make provision for stakeholders to have an opportunity to voice their opinions and any concerns through a formal grievance mechanism system that may influence project decisions.
Alba believes in upholding the highest standards of ethical and professional behaviour in everything it does. While Alba follows the Corporate Governance Code of Bahrain and the Corporate Governance Module of the Central Bank of Bahrain, we continue to assess our standards and practices against other international codes, such as the UK Corporate Governance Code. Although Alba is not required to comply with it (having only a standard listing on the London Stock Exchange), Alba’s board of directors and management are keen to review any gaps as well as identify and implement any valuable improvements.
Board Leadership | Culture
Taking control of board culture and new realities
Directors spend around one full month a year on board-related matters. So how do you optimise board culture to make sure this time is used effectively?
Stuart R. Levine
Chairman & Chief Executive Officer, Stuart Levine & Associates LLC
Dysfunctional boards waste time and, more importantly, dysfunction depletes the organisation’s resources through unwise decisions and missed opportunities. Highly functioning boards have the courage to step back and take a hard look in the mirror to grasp what is working well and what needs to be improved.
One best practice that will help your board achieve and maintain peak performance is a board assessment. Annual evaluations of the full board, as well as of the committees, set an important baseline for engagement of all directors. A growing trend would indicate that individual directors be reviewed every two years. Furthermore, retaining a qualified independent third party to assist in this process will encourage candour and deliver an agnostic perspective. This initiative engages the board to identify and maintain its strengths and identifies opportunities for the continuing strengthening of the culture. It additionally will serve as the basis for an intelligent re-nomination of director candidates.
Successful boards are rooted in mission-driven core values and focus on creating long-term sustainable value for shareholders and customers. They are fully engaged and they assure their organisations have the requisite skills and tools to maintain a culture of competence, open communication and constructive challenge both within the board and with C-suite executives. They address the continuing obligation for succession planning. They focus on strategy, with an in-depth understanding of where the company is and where it is going. A critical addition to board conversations is having at least one director who has expertise in current technology and cybersecurity.
Protecting shareholders
Well-functioning boards recognise the speed at which customers, employees and everyday realities are dramatically changing, especially across generations from iGen and millennials through to retirees. As an example, if you have not read the fascinating book Big Shifts Ahead by John Burns and Chris Porter, I highly recommend it. The book’s subtitle, Demographic Clarity for Businesses, describes the speed at which each decade’s customers, employees and realities are dramatically changing. These changes are critical to understand in order to protect shareholder needs and interests and to provide the necessary financial and human capital oversight. The authors appreciate that these changes must be understood to look after shareholder needs and interests and to provide the necessary financial and human capital oversight.
Highly functioning boards operate in a zone of alignment and collaboration with senior management around ethics and values. With the rise of social media and deteriorating public trust, CEOs are being held to even higher levels of ethical accountability, creating a greater need for board alignment and transparency around succession-related matters.
It can be tough, however, for board members to take a hard look at themselves. An independent and professional ‘mirror’ makes it a little easier to absorb. The assessor gathers independent and confidential input from all board members on how the full board is performing. Some boards will go beyond board member interviews and perform a complete 360-analysis for directors. This top-down, bottom-up approach can provide individual board members with valuable feedback on their areas of strength and those areas that need strengthening.
What assessment is needed?
Asking yourself these excellent questions can help you determine the level of assessment that is required.
■ Board culture: Is it collegial? Does your board and senior management have strong internal communication? How is consensus formed? Does collegiality contribute to frank discussion; does it inhibit it? Can your board’s culture sustain challenging conversations or a crisis? Is your board bringing the right issues to the table?
■ Director performance: Are directors adequately prepared? Is ‘airtime’ well distributed? Is there sufficient on-boarding? Are there appropriate levels of director accountability?
■ Strategic planning and risk management: Is your board engaged in strategic conversations at every meeting? Are you clear on what is considered an enterprise risk and how risk is evaluated? Are you evaluating the assumptions underpinning your strategic plan?
■ Succession planning: Is your board comfortable engaging in succession planning discussions with your CEO? Is there succession planning for board members, as well as C-suite executives?
■ Logistics: Is meeting frequency adequate? Are board materials sufficient and provided in a timely manner?
■ Committees: Are the correct committees in place? How well are they functioning?
■ Board composition: Does diversity in talent, skills, race, gender and outlook support the company’s needs? Should certain members leave the board due to age, longevity or lack of participation, collegiality or needed skills? Do your board members effectively represent your customer base? Do they possess the talent needed for your current and future strategies?
■ Continuous learning: How are outside perspectives and new information acquired? Do board members appreciate, and are they equipped to handle, the rapid demographic and related changes affecting customers, employees and the business environment?
If you answer ‘no’ or are uncertain about any of these questions, an in-depth discussion and assessment will assist you to work through these challenging issues. Confidential detailed interviews conducted with every board member and the CEO provide the insights that can be analysed against generally accepted best practice standards. The aggregated data will then be shared with the entire board in a reflective process, with appropriate recommendations and personalised solutions. There is no one-size-fits-all.
The presentation of findings must stimulate discussion, be constructive and not appear punitive. Recommendations are designed to create a common understanding of the investments in human capital needed to ensure board optimisation and effectiveness. The board gains perspective on working in a collaborative manner with the leadership team and can more effectively participate in setting strategic direction.
Focussing on individuals
This transparent process could surface ‘underperforming assets’ on the board. This should be a business learning opportunity to strengthen board functioning. Under independent lead director oversight, the process should provide systems and means that support board members in better serving the organisation. For example, those members who should sharpen certain board skills can be coached with the goal of increasing that individual’s productivity. Individual assessment, feedback and coaching should be designed so that each board member is pursuing their key responsibilities effectively. A lack of improvement, however, should result in the director not getting re-nominated.
According to the National Association of Corporate Directors (NACD), re-nomination to a board should not be a given. All directors should be regularly evaluated and receive a review at the end of each term. Unfortunately, in 2015, NACD reported that only 40.7 per cent of respondents to the NACD public company governance survey said that their boards do evaluations at the individual director level. This is clearly a missed opportunity for those boards and companies that don’t.
Complicating a board’s ability to address director skill gaps is the fact that board composition changes infrequently. Statistics show that on public boards, on average, a seat may open every three to four years. Additionally, director ages continue to rise and director tenure is getting longer. A recent trend is a mandatory retirement age of 75 years. However, according to the Spencer Stuart study Board Refreshment: Investors Respond To Trends In Mandatory Retirement Age and Tenure With More Stringent Voting Policies, almost two-thirds have no term limits. Moreover, 27 per cent either don’t discuss mandatory retirement or don’t have a mandatory retirement age.
ASSESSING THE BOARD Discover how agile and prepared your company is for change
Director evaluations should determine whether directors are ‘leaning in’ and learning. The issue of continuous learning often gets swept under the rug, but the quality of ‘listening to learn’ should be part of a director’s review. Sometimes, directors need to be replaced when needed learning or improving skills are not occurring. Nobody wants to leave a board – it’s human nature. Getting past the short-term stigma of a director leaving a board, however, can allow a spot for someone who better fits the organisational need. Furthermore, the gracefully departing director can find another board more suitable for his/her existing skills. Companies are being bombarded with changing demographics, economics, technologies and customer needs. This requires shifting strategies that demand directors stay current and that they continuously learn.
Improving overall service
Another new and healthy trend is the inclusion of the executive team in the board assessment process. Information is gathered from the top leadership of the company on a track that parallels that of the board members. Areas of exploration can include insights on how management believes the board can serve the organisation more effectively and what the board/management team interface looks like. This information provides valuable input as board members seek a better sense of how to improve their board service. Planned rotation of committee chairs is another benefit of the assessment process. The assessment conversation should engage board members in strategic conversations of board committee leaders, with a goal to strengthen the board in experience and knowledge. We have seen mistakes occur when strong-willed board chairs allow board members to default to the chairman on major decisions, instead of expressing an independent view. One director should never be in a position to inhibit the full functioning of the board. If a director, for example, wants to have a meeting with the potential CEO successor candidate, that director should not have to get permission from the chair. Decision-making should be the shared responsibility of all board members. Additionally, there should be a defined process for rotating chairs of the committees so that there is no lapse in
service or institutional knowledge. This best practice for the management team’s leadership development and succession planning serves the board as well. Succession planning for both directors and CEOs is a fundamental board responsibility. Independent board assessments are a great way to begin this important conversation that includes an understanding of the transformations the future will bring and how the company will agilely and strategically respond. As an example, a board that was structured five years ago, when the company was in the financial services industry, may require dramatically different skill sets designed for a company that is now in the fintech industry. The skillsets considered necessary for the corporate CEO of 10 years ago are probably quite different now due to new and evolving technologies, customer needs and the evolution of the customer base. This pivot requires insights and different ways of thinking about succession planning for candidates for the CEO, board chair and board members. For example, when I was chair of the nominating and governance committee on a public board, the chairman asked me which candidate I thought should be the company’s next CEO. My response was that we needed to define the vision for the company for the next five years. That vision would inform the skillsets, knowledge base and leadership capacity required to suit that position. It’s the same question you should ask at the board level as directors reach ‘retirement age’ and ‘board tenure age’, even if your board does not have mandatory ages for either. When recruiting the next generation of board members, the same questions must be asked. What skill sets will you need to provide intelligent oversight? The same honest, ongoing discussion that you would put in place for the succession planning for the CEO must occur at the board level in order to understand and evaluate the attributes of directors that are needed going forward.
Ensuring continuous value
In another new trend, institutional investors are following high-performing directors to new companies and making larger initial investments in those firms. Investors seek trust in a director’s ability to protect and increase shareholder value. They see that all directors are not created equal; some providing greater value than others.1 Director bios and skill sets appear in the company proxy each year. Companies will be served by the ability to express the skill sets that enable their directors to provide continuing value to the organisation. Highly-functioning, engaged boards do all that they can to up their game. Qualified independent third-party assistance on a periodic basis is a tool that will help.
1 Jay Dahya and Richard Herron, April 28, 2017, Do Investors Follow Directors to Other Companies?
Board Leadership | Interim CEOs
Jason Schloetzer
Associate Professor of Accounting at Georgetown University
Reframing the role of an interim CEO
Interim CEOs can be more than 'temps in the corner office' — the right leadership at the right time can make the difference between success and failure for a company in leadership crisis
Shira Goodman’s appointment as interim CEO of Staples Inc. in May 2016 followed a tumultuous time for the company. The US government had rejected its proposed mega-merger with Office Depot and its 14-year company head Ron Sargent had just resigned. Three months later, Goodman was confirmed as the permanent CEO after the board evaluated internal and external candidates with the assistance of an executive search firm. Jeffrey Boyd’s appointment as interim CEO at online travel agent Priceline Group in April 2016 came on the heels of Darren Huston’s termination as CEO due to the board’s conclusion that Huston had broken the company’s code of conduct policy by having an extramarital affair with an employee. Eight months later, based on the recommendation of the board’s search committee, Priceline’s board elevated company veteran Glenn Fogel to the CEO position. These two examples demonstrate the unique circumstances that are often present when boards of directors appoint an interim CEO. Approximately 10 per cent to 15 per cent of CEO successions among large US companies involve such an appointment.1 Interim candidates are often seasoned executives who have held increasing levels of responsibility in the company, such as Goodman at Staples, whose tenure with Staples exceeded 20 years. Interim CEOs are also frequently selected from the board, as was the case with Boyd at Priceline, who was the company’s non-executive board chairman. The average interim CEO remains in the position for six to nine months before a permanent CEO is appointed.
Asleep at the wheel
Interim succession is traditionally viewed as a significant corporate governance failure. Directors were asleep at the wheel, unable to develop the next generation of top leadership and adequately prepare for a CEO succession. The result is a board that is scrambling to organise a search committee and, to buy themselves some time, is forced to appoint a ‘temp in the corner office’. This kind of interim CEO does little more than increase stakeholder uncertainty, muddle through strategic decisions and polarise the top management team due to infighting among potential permanent CEO candidates.2 Evidence used to support this view of interim CEOs as value destroyers is two-fold. First, multiple surveys highlight that directors allocate little time in board meetings to discuss succession planning, perhaps as little as two hours per year.3 If boards devote such little time to routine succession planning issues, how could the board be prepared for a non-routine event? Second, corporate governance commentators might point to the larger decline in stock price when the board appoints an interim CEO compared with companies whose boards appoint a permanent internal or external candidate, as clear evidence of a failed succession. Both pieces of evidence suggest directors have failed their shareholders, right?
It is not that straightforward. A comparison of stock price declines around the announcement of an interim CEO to more routine, permanent successions events, is certainly informative as it suggests there is greater uncertainty facing boards that appoint an interim relative to boards that appoint a permanent successor. However, as the Staples and Priceline examples highlight, it is reasonable to believe that stock prices are adjusting to more than the interim CEO appointment itself. For Staples there was the confirmation of the failed Office Depot merger and that a change in the strategic direction of the company was forthcoming. For Priceline, it was the revelation of unexpected internal actions that provided new information regarding the firm’s corporate culture. Both of these events were likely to increase uncertainty and have a negative impact on stock price. This clouds our ability to attribute a negative short-window market reaction to the appointment of an interim CEO itself. Moreover, it becomes important to compare the stock price reactions of companies experiencing similar strategic circumstances whose boards selected interim CEOs, versus permanent CEOs. This type of comparison is difficult to make, given the unique situations that are often present when an interim CEO is appointed.
Long-term reaction
Another way to view the implications of an interim CEO would be to assess post-appointment company performance over a longer period, not just the initial stock market reaction. However, there is little evidence regarding the longer-term performance implications associated with an interim CEO. The available evidence suggests company performance after an interim CEO is appointed is similar to that of other companies that experience a permanent CEO succession. For instance, the stock market performance and return on assets over the following year were not statistically lower (or higher) among a sample of companies that appointed an interim CEO compared with companies that appointed a permanent CEO.4 Another recent study provides little evidence of poor performance in the months following the appointment of an interim CEO, with negative market value implications not reflected until an interim had served for more than one year and little evidence of an increased likelihood of corporate failure.5
It seems reasonable to interpret the negative relation between a company’s market value and the presence of an interim CEO who has served for more than one year as being driven by the specific circumstances of these companies rather than to the long-term use of an interim CEO itself. So, while interim CEOs are often viewed as value destroyers whose only function is to provide an unprepared board the time they need to get their act together, the available evidence is not as negative and persistent as one might think. Perhaps there is another, less dismal, view of interim CEOs, one that contextualises the succession decision, given the company’s current needs. Rather than force a one-size-fits-all view of interims as value destroyers, what if one instead analyses the 'match' between the interim CEO’s characteristics and the situation? Recent research observes that the notion of an interim CEO simply serving as a seat warmer – a board member who acts as the temporary CEO for less than three months while the board finalises its search for an external replacement – reflects only one of the six types of interims that directors appoint during a time of transition. The other five types of interims are the contender, marketer, cleaner, fixer, and groomer.6
New directions
Consider the situation the board of Staples found itself in – the directors had supported a major strategic shift involving a large merger in order to increase the company’s competitive capabilities. Now, the board finds itself needing a substantially new strategic direction. It would arguably be prudent for the board to take some time to reflect on how best to handle the fact that a new direction was needed to compete with online powerhouses, such as Amazon. This new vision could come from an internal or external candidate but certainly would require deliberation. To facilitate this internal discussion, the board selected Goodman, a company veteran with significant operating experience and an heir apparent for the CEO role even before Sargent’s departure. Goodman fits the mould of a contender – she was an interim selected from the management team who ran the day-to-day operations of the firm as if she were the permanent CEO. Evidence of this is that she was not an external hire and did not possess a lengthy track record of negotiating ways to sell the company. This would be the typical profile of an interim who is a marketer – an outsider with experience setting companies up for a sale. Goodman was also not given a clear, publicly stated mandate to quickly divest a significant part of the business in order to boost lagging company performance. That would be the role of an interim who is a cleaner – an outsider with turnaround experience who has a proven track record of divesting parts of a business or entire segments.
So why did the board choose to appoint Goodman as an interim CEO? A contender is given time to prove to the board that she/he should be named the permanent CEO. While Goodman had significant operating experience, she had only been promoted to a role consistent with heir apparent five months before the succession event took place. By naming her as interim CEO, the board effectively accelerated what was likely a pre-existing, organised succession plan, giving her time to demonstrate she was ready for the position while also giving the board an opportunity to vet other internal and external candidates. Given the situation, naming an interim CEO seems like an informed decision and investors did not seem disappointed – there was no difference between Staples' stock price movement in the days around the announcement of Goodman as interim CEO relative to its competitors. Besides, what would shareholders think if the board had succumbed to the pressure of appointing Goodman as a permanent CEO only to find a few months later that she was not a good fit? Appointing the wrong permanent successor would have certainly been a succession failure.
Turning to Priceline, Boyd was chairman of the board at the time he was appointed to the interim CEO role. He was Priceline’s CEO for 11 years and thus had deep knowledge of the company and its competitive position. Priceline did not need a fixer – a board member, former CEO, or founder whose charge is to quickly repair a failing company – because Priceline did not have poor financial performance at the time of Huston’s departure. Huston had been in the CEO role for less than three years, so it is likely that the board’s new succession planning process was still taking shape. And, given the circumstances surrounding Huston’s departure, external stakeholders needed some assurance that Priceline’s board had the situation under control and that the internal investigation did not uncover other malfeasances. Given this situation, Boyd’s appointment as an interim CEO fits the mould of a groomer – a former CEO or founder whose main responsibility is to manage external stakeholders while grooming the permanent replacement. Boyd was a good fit, given Priceline's circumstances at the time. He had the experience to assuage external stakeholder concerns and had the organisational legitimacy to shake up the top management team by replacing a key executive (and potential successor) from one of the company’s operating units. Boyd’s significant experience as the company’s CEO provided him with the skills needed to groom company veteran Glenn Fogel as his replacement after serving as interim CEO for eight months.
Getting it right
The Staples and Priceline examples illustrate a broader point: while boards certainly should avoid the circumstances that often lead to the appointment of an interim CEO, it remains unclear whether the use of an interim CEO itself is evidence of a corporate governance failure. Rather, it is important to consider the ‘match’ between the interim’s characteristics and the company’s needs. The use of an interim CEO provides boards with a valuable option that can minimise the risks associated with the immediate appointment of a permanent CEO when directors find themselves in a unique corporate situation.
1 Jason D. Schloetzer, Matteo Tonello, and Gary Larkin, CEO Succession Practices: 2017 Edition, The Conference Board, forthcoming.
2 Christine Mooney, Matthew Semadeni, and Idalene Kesner, The Selection Of An Interim CEO: Boundary Conditions And The Pursuit Of Temporary Leadership, Journal of Management, forthcoming.
3 2010 CEO Succession Planning Survey, Heidrick & Struggles and the Rock Center for Corporate Governance at Stanford University, 2010, p. 10 (www.gsb.stanford.edu/cldr/research/surveys/succession.html)
4 Matthew Semadeni, Christine Mooney, and Idalene Kesner, Interim CEO: Reasonable Choice or Failed Selection?, The Conference Board Director Notes, DN-V6N12, June 2014.
5 Gary Ballinger and Jeremy Marcel, The Use of an Interim CEO during Succession Episodes and Firm Performance, Strategic Management Journal, Vol. 31, No. 3 (March 2010), p. 262-83.
6 Much of this discussion is drawn from insights in Christine Mooney, Matthew Semadeni, and Idalene Kesner, Six Ways Companies Use Interim CEOs, Organizational Dynamics, Vol 41, (2012), p. 13-22.
Board Leadership | CEO Succession
Planning for succession
Running a smooth CEO takeover process is the ultimate responsibility of any board... but how?
Harm van Esch & Justus O’Brien
Harm leads the European Board Services Practice and Justus is Co-leader of the Board and CEO Advisory Group, Russell Reynolds Associates
A regularly reviewed, timely, transparent and structured succession plan is essential for success – the cost of a poor CEO succession process can be detrimental to a company’s financial stability and reputation.
Russell Reynolds research has shown that companies that have experienced forced or unplanned CEO turnover forego an average of $1.8 billion in shareholder value. On the upside, however, when properly planned and thoughtfully executed, CEO succession can enable organisations to envision new opportunities for growth, align the development of the senior management team with the strategic needs of the company and, ultimately, ensure the continued momentum of the organisation, despite considerable change. A smooth process requires the absolute focus and prioritisation of the topic on the boardroom agenda.
What does the ideal CEO succession process look like?
The ideal process is not always possible. Ultimately, even if everything is done right, people are unpredictable and this has the ability to derail the process and destroy value. CEO succession can be fraught with hidden risks and challenging dynamics, and in the majority of cases, it is far from ideal. Consequently, focussing the board on the following key points will help organisations bring a degree of order to a challenging process.
Create a culture of succession
Creating a culture where the importance of a rigorous succession process is baked into the principles of the company is integral to a successful outcome. This will enable the board to start talking about CEO succession from day one of the current CEO, thereby allowing the process to be given the time that it needs to be impactful. Furthermore, a culture of succession allows the process to be transparent and inclusive, with all key stakeholders engaged and playing their part.
KEY PHASES IN THE CEO SUCCESSION PROCESS (© Russell Reynolds Associates)
1 DEVELOPING A STRATEGY-DRIVEN CRITERIA AND ROLE PROFILE
■ Board (or chosen committee) dedicates a share of every meeting to CEO succession
■ Initial draft of strategy-driven criteria and role profile is created with input from current CEO and board
2 CRITERIA AND ROLE PROFILE REFINED
■ Criteria and role profile is reviewed and adjusted
■ Internal CEO succession candidates are identified and professional development plans of these leaders are drawn up
■ Potential external candidates are identified
■ Emergency succession plan is finalised
3 DETAILED TIMING OF SUCCESSION PLAN
■ Board plans detailed timing for CEO succession
■ Internal CEO candidates are appointed to more challenging leadership roles, based on professional development plans
■ Successor criteria continues to be refined in the face of potential changes in the company/market
4 INTERNAL, EXTERNAL AND INSURANCE
■ Internal candidates increasingly exposed to the board; the board is briefed of their progress within targeted development plans
■ Strategic sourcing of external candidates for CEO role and internal benchmarking
■ Insurance candidates for emergency succession plan are confirmed
5 CURRENT CEO AND BOARD WORK CLOSELY WITH FINAL CANDIDATES
■ Final candidates confirmed with current CEO and board input
■ 360-degree leadership assessment of all candidates
■ Final candidates have increased exposure to investors
6 FINAL DECISION AND TRANSITION PLANNING
■ Board interviews individual candidates – candidates questioned by board to understand their vision for the company
■ Final review and evaluation of candidates against strategic needs of the company
■ Final decision and transition plan development
A partnership between the board and CEO
A successful process must include both the board and current CEO in partnership. The chairman and board are ultimately responsible for the process and setting the objectives. However, the CEO plays a crucial role in developing the potential internal successors through professional guidance and giving them opportunities to prove themselves. Without clear and unambiguous roles between the board and CEO, the process may resort to being entirely ‘board-led’, which would result in a loss of the key contribution that the current CEO plays in the process. This relates to the importance of the board creating a culture of succession, where open dialogue between the board and CEO on the process of succession allows the topic to be actively approached and given the due time that it deserves.
Developing a strategy-driven criteria and role profile
Developing a strategy-driven criteria and role profile is integral to the process. Ideally, the entire board, together with the current CEO, should work to design a clear and structured role brief. The board and current CEO must converge in defining what is needed in a clear and strategic context. The current CEO’s first-hand experience provides an invaluable contribution to what is needed in a future CEO, while the board can provide a more objective perspective, which can eliminate any potential favouritism or bias. The company should begin by examining its strategy over a five to 10-year time period, factoring in the impact of various scenarios, such as how the business will be affected by challenges, including the continuing globalisation of supply chains, customers, competitors and investors, or the risks and opportunities brought by changing climate and global health conditions. Looking at the impact of broad trends, such as these, helps ensure that the company’s next leader will have the capabilities and experience necessary to respond to complex events across numerous fronts. The board then distils these considerations into a set of required capabilities. It is key to note that the role brief is a living document and must be constantly reviewed and adjusted in the face of changing circumstances.
Internal, external and insurance
Having a clear and structured role profile that is agreed upon by all key stakeholders will allow the company to measure internal and external potential CEO candidates, against the same fair and objective process. Candidate management of internal, external and ‘insurance’ contenders is key to a successful outcome.
Internal contenders – uncover the potential internal candidates early
Uncovering the internal candidates early will allow the company to groom them and direct their careers more effectively. The CEO is ultimately responsible for the professional development of the potential internal successors. The development plan should be designed so that they are exposed to multiple aspects of the business and given responsibilities for key initiatives – such as overseeing entry into a new geographic region or the integration of an acquisition – that will mirror the sort of complex challenges they would have to face as CEO. The current CEO’s effective coordination of this will give the board an opportunity to evaluate their performance. To fully achieve this, the board should be regularly briefed on the internal candidates’ progress and given exposure to the internal candidates directly through board presentations, field observations and site visits. This will allow the current CEO and board to address any potential concerns, which might result in revisions to the leadership development plans of each candidate. Uncovering the internal candidate pipeline early will also allow the current CEO and board to realise if there are no internal candidates that align with the desired role profile. In that case, the board may decide to bolster the talent pipeline by recruiting from the outside. However, this requires advance planning as bringing in a senior executive who could potentially step into the CEO role typically requires a three-year lead time so that the candidate will have fully been absorbed into the firm’s culture prior to the transition. Managing internal candidates requires transparency and creating a culture of succession within the company will allow this. All too often, the CEO and board do not know enough about what is on the minds of these executives and this can lead to mistrust of the process and, in the worst circumstances, the loss of key potential successors. One of the most important ways to combat this is to ensure an open line of communication between the board, current CEO and internal candidates.
External contenders – strategic sourcing of external candidates
Strategic sourcing of candidates in the market will allow the board to track potential external candidates’ careers in order to make use of the right timing. An awareness of potential successors’ career direction and key milestones will ensure that the board approaches these executives at the right time, should the company decide to recruit externally. Furthermore, uncovering the key executives in the market is vital to ensuring that the company’s internal candidates are competitive with the rest of the market. This will ensure the company is choosing the best CEO available, rather than merely the best choice from within its own ranks.
Insurance – develop a contingency plan
The board must have a contingency plan should the current CEO suddenly depart. Whether this be a board member that could step down and become interim CEO or one of the internal candidates that could step up to the role sooner than expected, having an insurance candidate is vital to the process and gives all key stakeholders a level of comfort in the process.
The successful transition
Once the final candidate has been selected, it is critical that the board develops a thorough transition plan so that the new CEO has the benefit of a strong start. The outgoing and incoming CEOs should meet frequently for in-depth discussions regarding operating styles, expectations of the board and other senior executives, as well as other stakeholders, such as investors, creditors, customers, analysts and regulators. Following this, the incoming CEO should be introduced to the company’s stakeholders in a series of informal information gathering sessions. This will allow the incoming CEO to build the support and trust of various key players. Developing a written transition plan, led by the board but with the involvement and support of the senior management team, allows for the orderly transition of roles and responsibilities. The plan must be effectively communicated internally and externally to project a sense of stability. Crucially, the board must make key steps to strengthen the relationship between themselves and the new CEO. Even if the new CEO is known to the board, it is important that they begin to relate to him or her in the new role through a series of one-to-one meetings. Developing a trusting relationship between the board and CEO is critical to the future success of the company, as well as enabling another CEO succession to begin on day one.
Timing is key
To undergo a smooth CEO succession process, timing is key. This will allow the board to engage all the relevant stakeholders in the process, ensuring their full support, active contribution and ultimate satisfaction. Furthermore, starting ‘on time’ allows the board to be more creative and consider new and perhaps ‘non-traditional’ ideas, thereby encouraging greater diversity of the candidates in the process, whether that be inherent diversity or diversity of thought. If a company runs out of time, these important factors tend to be driven out by what is more urgent. The transition from one CEO to another is a critical period in a company’s history. A timely, properly designed and executed succession plan is at the centre of any successful transition, and it is the board’s ultimate responsibility to ensure that this happens.
Board Leadership | Effective Boards
What makes a chair of the board of directors effective?
The incumbents’ view
Stanislav Shekshnia
INSEAD and Ward Howell International
Since the work of the chair is done behind closed doors, little is known about the people who preside over what is the most powerful body in any organisation – the board of directors.
To shed light on the workings of board chairs in different countries, a team of researchers put together by the INSEAD Corporate Governance Initiative and Ward Howell Talent Equity Institute conducted 74 face-to-face interviews with experienced professional chairs (not doubling as CEOs) in nine countries – Belgium, Denmark, Italy, Netherlands, Russia, Singapore, Switzerland, Turkey and the UK. Among the main issues explored were what makes an effective chair and what key factors contribute to the chair’s performance.
What do effective board chairs do?
To our surprise, across countries, respondents had a similar view of what it means to be an effective chair. Cultural differences appeared in detail, such as the length of board meetings, communication formats or the meals a chair invites other directors to. But our respondents believe that a good chair, first and foremost, provides effective leadership to the board, enabling the latter to function as the highest decision-making body in the organisation. Good boards make decisions that allow executives to run the business efficiently. A good chair works for the board, while the board works for the company and its long-term development and success. As one respondent put it: “The chair is responsible for and represents the board, while the CEO is responsible for and is the public face of the company.”
Effective chairs lead directors by engaging them in a collective effort, creating an environment for collaboration, encouraging productive behaviour (and discouraging non-productive behaviour) by facilitating group reflection, giving feedback, and creating opportunities for learning and development. A chair from the UK defined his approach as follows: “I try to take as little room as possible. My task is to help others to speak their minds.” Good chairs don’t give orders or issue directives; instead they steer or nudge followers by setting agendas, framing discussion items, soliciting opinions, selecting a format and order of deliberation, reframing, re-stating and synthesising information. A Dutch chair explained: “I need to think very clearly about whom I ask to talk first and who talks last about the specific topics. Who is irritated by who or what? Who is brooding about what? I need to be very alert about recognising body language.” Effective chairs set clear expectations and establish rules, but the latter serve as guidelines rather than set-in-stone laws. Good chairs provide exemplary leadership by consistently displaying the attitudes and behaviour they expect others to follow. Providing ‘indirect leadership’ is probably the most accurate way to describe it. As a chair from Russia put it: “I rarely express my position. If I do – I speak last.”
Chairs also represent the board in relationships with key stakeholders. These may vary from company to company and country to country, but, in all cases, include shareholders and CEO/management.
In working with shareholders, effective chairs strive for a balance between proactivity, equality and fairness. They want to be seen as available, listening and attentive, but independent and non-partisan, always putting the interests of the company before those of individual shareholders, no matter how big or important the latter may be. They protect the board’s independence and shield it from shareholders’ interference. A respondent from the UK described how: “We operate under the two meetings principle: one is for directors (the board), another for shareholders. If you happen to be both, learn to behave yourself.” Our research also demonstrated that board chairs of companies with reference shareholders are more proactive and performance-oriented than those of widely held public companies, who tend to be more reactive and compliance-oriented. As one of the latter noted: “I make sure shareholders know that I am available, and I also make sure none of them gets more than others from me.”
Effective chairs build productive relationships with the CEO, albeit in different ways, as three of them explained: “We fix annual objectives for his development and have a formal coaching session every quarter”, “[We have] one-to-one informal meetings every two weeks”, “We SMS each other every day”. But the outcome is the same: effective collaboration between the board and management, filling the information gap between non-executive directors and management, and reinforcing the CEO’s commitment to the company. Good chairs interact with the CEO as representatives of the board rather than independent players, and ensure the whole board is involved in issues such as CEO compensation, evaluation and development.
What makes an effective board chair?
From the research we were able to distill a number of personal characteristics that incumbent chairs considered as enablers of effective work. Although most respondents came to the chair position via the CEO job, all agreed that the work of a chair required a very different type of leadership, and that some CEO habits reduce the chair’s effectiveness. As a chair from Russia put it: “My advice to novice board chairs is: ‘What got you here will not make you successful. Unlearn your CEO activism and become a hands-off, reflective leader’.” Collectively, the respondents identified four personal attributes and two sets of skills as enablers of the chair’s effectiveness, as follows:
Passion
A good chair not only does the job professionally, but also cares about the company, the board and the people. In the words of one respondent: “It’s like any other profession – you can only reach the top when you are passionate about what you do. In this case it’s the board and the company it governs.”
Humility and ego management
One of the most experienced participants from the Netherlands described it this way: “If you intend to use your chair position as a platform for self-aggrandisement, you are in for trouble.” Words, such as ‘restrain’, ‘non-domineering’ and ‘leaving room for others’, were often used to refer to fostering productive board discussions which lead to effective decisions.
Patience and reflectivity
Passion creates energy, enthusiasm and a focus on achieving results. But in leading the work of a group of professionals it must be tempered by patience and the ability to pause and reflect. The chair should not rush to get things done quickly but focus on getting things done properly. Among the questions respondents ask after every meeting was, ‘What will you take home to reflect about?’
Availability and presence
The chair’s presence should be felt as little and as much as necessary. A good chair gives other directors room to speak and yet is there to direct the conversation. In the words of one respondent from Denmark: “It may be called a non-executive and part-time job, but I have no illusions: I have to be ready to mobilise and commit all my time to this board if the need arises. And I stay in permanent contact with the company to make sure I don’t miss this need.”
‘Soft’ and ‘hard’ skills
While to an outsider it may look highly technical or even purely ceremonial, the work of a chair is almost exclusively about human relations – often with specific types of people: senior, successful, action-oriented, performance-driven, sophisticated individuals from different backgrounds and countries. Managing these relations requires exceptional behavioural skills. Among them, respondents most often mentioned the ability to listen, ask questions, frame issues, and provide feedback. As one put it: “It is important to listen to someone who is labelled a trouble-maker with a non-judgemental attitude. When you listen to them genuinely, you deserve the right to say something.” In the ‘hard skills’ category they referred to business acumen and systemic thinking. Interestingly, many incumbent chairs do not consider industry knowledge a must. As one of them put it: “For a chair to enable the board to make decisions it’s better to have ‘an empty head’ – to have no opinion on the subject matter. When you are an industry expert, it’s hard to achieve.”
CHAIRING THE BOARD An effective leader needs to be passionate and reflective
Board Leadership | Board Refreshment
Board refreshment: New paradigms for board effectiveness
To bring new ideas and perspectives to the boardroom, it is time for organisations to embrace change
Patricia Lenkov
Founder & President, Agility Executive Search
TIME FOR A MAKEOVER Well-run boards are continually looking to refresh themselves
Board refreshment is trending. For those of us not of the millennial generation (myself included) this simply means that board refreshment is popular, praised and finally becoming mainstream. The reasons for this are numerous. Firstly, diversity in the boardroom has been a hot topic for years now. These days we clearly understand that diverse boards make better decisions and these better decisions lead to improved business results. Yet, despite the knowledge that diversity in the boardroom is not primarily a social good but rather a business imperative, many companies are still having a hard time diversifying their boards. One of the reasons for this is that there is simply not enough turnover of directors. Not enough open seats. Another reason for the current focus on board refreshment is because the rate of change and evolution in our business environment is brisk, to say the least. Customers, employees, competitors and investors are dynamic and ever-changing. Boards need to adjust accordingly. Skill sets and experiences quickly become obsolete and refreshment can counter this. Director tenure, and the implications of this for boards and their effectiveness, is often debated and related to the issue of board refreshment as well. In August 2016 the Financial Times reported that US boards are ‘maler, staler and frailer’ than their European counterparts. In fact, the average director tenure in the US was disclosed to be more than eight years while in the UK this number was just under six years. Tenure is meaningful for several reasons but, importantly, director independence naturally diminishes the longer the time spent on a board. In an ISS (Institutional Shareholder Services) 2016-2017 policy survey with investors, 51 per cent flagged lengthy average tenure as problematic. Just 11 per cent among investors said tenure was not a concern for them.
In a paper that focussed on the link between director tenure and innovation, Ning Jia of the School of Economics and Management at Tsinghua University in Beijing observed: “Stagnant boards that are filled with directors with extended tenure fail to refresh themselves in a timely manner, can no longer keep current with technological developments and grow unable to offer new insights into corporate issues… long executive tenure is often associated with rigidity and a commitment to established policies and practices that potentially kill the entrepreneurial spirit and hinder innovation.” Board refreshment is on the minds of shareholders and regulators. They seek to understand the value and contributions made by the board in its entirety as well as individual directors. Board refreshment has come to be understood as a best practice of corporate governance. Board memberships are no longer treated as lifetime appointments, as was the case not too long ago. Yet how to effect board refreshment is not straightforward. There is no cure-all and it is certainly not easy. There are also no hard and fast rules, but it can unequivocally be said that it should never be done arbitrarily.
Operationalising refreshment a step at a time
Board refreshment cannot be some random formulaic activity. It must be judicious, thoughtful and relevant to the company’s overall objectives and strategy. Changing directors simply to change them makes no sense.
The exercise of creating a board matrix that lists directors on one axis and their skills and competencies on the other can allow a board to begin to understand itself and enumerate its areas of proficiency or lack thereof. The skills and competencies listed should contain those necessary for the future of the business and not only those that are currently present on the board. For example, perhaps the company is moving into a new emerging market, such as Africa. Experience running a business in this region may be a new skill to include on the board matrix. Social media or cybersecurity expertise are relatively current and in-demand skills and might be something to consider including on any matrix. For most companies, if these are not currently present on the board they will need to be sometime soon.
Ultimately, there will be many opinions about how and when refreshment should take place and who is to be refreshed. For example, Warren Buffett has been on the Berkshire Hathaway board for 51 years and Rupert Murdoch has been on Twenty-First Century Fox for 37 years. Should they step down from these roles to make room for new talent?
No matter the situation, the foremost criteria when reviewing any board must be contribution and performance. This is the ultimate benchmark. As such, before embarking on any board refreshment exercise a full and thorough board evaluation should be conducted. There are all sorts of methodologies that can be used, but the ultimate goal should be a comprehensive and objective enumeration of individual director performance.
Interestingly, from almost the moment one enters the workforce, performance evaluations are commonplace and even expected and yet, at the board level, until recently directors were usually considered beyond evaluation. Among the S&P 1500 firms, board evaluations are now close to universal (97 per cent according to a survey conducted by ISS). However, according to the PwC 2016 Annual Corporate Directors Survey, only 49 per cent said their board actually made changes as a result of their self-evaluation. Board evaluations cannot be a box-checking exercise. Rather their value and purpose must be understood and the results should bring about meaningful change and improvement.
Board evaluations cannot be conducted in a vacuum, either. They must take into consideration the unique circumstances of the board and company in question. This should include the company’s strategy. What are the near and medium-term goals and challenges and does the board have the requisite skills to guide the company appropriately? The competitive environment needs to be considered as do expectations from investors. To evaluate the board is to consider risks the company faces and make a determination that the board is equipped not only to plan for them but also to properly react if the worst case scenario comes to pass.
Many discussions of board refreshment do not include board evaluation as if they are separate aspects of the functioning of the board. To effectively refresh one has to effectively evaluate first. Board evaluations can help pave the way for board refreshment.
Age limits and term limits are additional means of refreshing a board. There are many diverging opinions as to the effectiveness of these ‘forced exit’ mechanisms. It is often argued that experienced directors add value and that there is little to compare to the wisdom and institutional knowledge that comes with time spent affiliated to a board. Nevertheless, according to the 2016 Deloitte Board Practices Report, among large-cap companies, 81 per cent have age limits and five per cent have term limits. In mid-cap companies, 74 per cent have age limits and six per cent have term limits.
In spite of the prevalence of age limits, directorships in the S&P 1500 held by 70-something board members rose from 11.7 per cent in 2008 to 18.6 per cent in 2016. Those aged 80 and above represented 1.8 per cent in 2016. But, again it is performance that matters. There is an expression ‘It’s not the age, it’s the sage’. It should be noted that a board that is entirely composed of a particular generation may suffer from the same lack of diversity limitations that boards without gender or ethnic diversity do. As for term limits, all of the large-cap companies that have them specify a maximum term of between 12 and 15 years. Notably, according to a study by the Investor Responsibility Research Center Institute (IRRC) and ISS, ‘term limits led to a meaningful decrease in average board tenure and younger directors and it is the most effective tool if the goal is to ensure board turnover’.¹ It should also be noted that there are some practical considerations that need to be taken into account in any discussion about board refreshment. Board committee structure and participation will impact the amount of refreshment that a board undertakes. It has been shown that ‘service on the nominating, audit and compensations committees may lead to longer tenures due to the desire to retain subject-matter expertise’.¹
Succession planning
Effective board refreshment goes hand in hand with board succession planning. Like board refreshment, succession planning is also a relatively new proceeding for corporate boards. The Council of Institutional Investors (CII), which is a nonprofit with members who have combined assets that exceed $3 trillion, maintains that ‘boards should implement and disclose a board succession plan that involves preparing for future board retirements, committee assignment rotations, committee chair nominations and overall implementation of the company’s long-term business plan’. Board succession planning, like all other business succession planning, is part of sound business foresight and risk management. A robust and regular board succession planning process focusses the board on its future. Through deliberate thinking about where the company is heading strategically as well as the challenges it will encounter along the way, boards can prepare to recruit the requisite skills and experiences necessary to guide the company into that future. A board that is planning for succession is inherently planning for refreshment. In other words, refreshment is a natural byproduct of board succession planning.
Culture shift
Currently there are somewhat limited options and tools for refreshing boards. We have discussed evaluations as well as term limits and retirement policies and board succession planning. Above and beyond all of this there needs to be a culture shift in the mindset and expectations of board directors and the stakeholders they serve. There is an underlying expectation that director appointments, while no longer for life, are at the very least long term. Intrinsic to this is the feeling that stepping down from a board position is akin to failure or deficiency of some sort. Board membership can feel like joining a club and, as is the case with other exclusive clubs, once you get in, you don’t want to leave. This thinking is so embedded in board membership that it is unspoken and, in many cases, unconscious. For boards to truly embrace refreshment and all of the tools and accoutrements to get there, reasoning and thinking must be adjusted and an appreciation for the value of change must be developed.
And finally...
Fresh perspectives can be very valuable when trying to solve any problem or make important decisions. On the other hand, experience and expertise contribute clarity and, of course, wisdom. The right combination of these attributes can be difficult to obtain but that should not discourage trying. Boards have not always been proactive about their own evolution and effectiveness. However, they no longer have much of a choice. Boards need to become more self-aware. Complacency and being opaque about their internal workings are things of the past. The word refreshment, of course, conjures up the word fresh and one look at the definition of fresh should make any doubt surrounding refreshment dissipate: Fresh: having its original qualities unimpaired, such as (1) full of or renewed in vigor, (2) not stale, sour or decayed, (3) not faded.² Can your company afford anything less?
¹ Davis Polk Governance Briefing.
² Merriam-Webster dictionary.
IMPROVING THE BOARD Fresh perspectives are pivotal to a company’s success in a changing world
Global News Europe
Investigation into claims of huge German car cartel
Germany’s biggest car manufacturers are under investigation amid claims that they have been operating a cartel since the 1990s, colluding on everything from vehicle development and engines, to suppliers and diesel emissions systems. BMW, Daimler and Volkswagen saw their stocks immediately decline after a Der Spiegel report claimed the top car brands had colluded on technologies. The report says the car giants agreed to limit the size of the tanks holding a urea solution used to reduce diesel emissions, cutting costs and freeing space in the vehicles. Officials at the European Commission and the German competition authority, the Bundeskartellamt, say that they are assessing information but it would be “premature to speculate further”.
Spain tackles football boss over corruption
Spain’s administrative court for sport has initiated disciplinary procedures against Spanish Football Federation president Ángel María Villar Llona after he was arrested and held without bail in a corruption investigation. Villar Llona, who is also a senior vice-president at Fifa and Uefa, was arrested along with his son and three other federation executives as part of the probe. The four were arrested on charges of improper management, misappropriation of funds, corruption and falsifying documents. 67-year-old Villar has been accused of misappropriating private and public funds received by the federation “at least since 2009”.
Activism on the rise in Italy
Activist investors in Italy are being spurred on by improving corporate governance and the weakening of traditional company owners during Europe’s sovereign debt crisis, says FT.com. According to its report, 12 Italian companies were on the receiving end of activist intervention in 2016, compared to four in 2013. Italian companies that came under pressure from activists last year include dairy group Parmalat and media organisation Mediaset. FT.com associates the increase of shareholder activism in Italy with the ‘comprehensive dismantling of company cross-shareholdings’ and Europe’s sovereign debt crisis ‘loosening the grip of the Italian government and powerful family owners on many of the country’s largest businesses’.
Europe’s top bank CEOs ‘paid less’
Executive pay at US banks is more than double European levels, according to joint research from the Financial Times and pay consultancy Equilar. The FT’s latest bank CEO pay review shows that CEOs running JPMorgan, Goldman Sachs, Citigroup, Wells Fargo, Bank of America and Morgan Stanley were paid 2.1 times as much as Europe’s top bank CEOs last year. Analysts argue that in Europe there is a ‘social contract’ that pay should not go above a certain level as “a result of engagement with shareholders who are increasingly sceptical about rising level of pay”. Overall, CEO pay for Equilar 500 companies — a sample of the largest public companies as measured by revenue — increased 6.1 per cent in 2016 to a median $11 million, which was the biggest gain since 2013.
UK firms ‘must deliver’ on diversity
Britain’s biggest businesses need to improve the diversity of their workforces and publish a breakdown of their black, Asian and minority ethnic (BAME) employees, a new report has warned. Around 12.5 per cent of the UK population are BAME yet they hold just six per cent of top management positions, according to the report by the Chartered Management Institute and the British Academy of Management. The report outlines a seven-point plan for business leaders to adopt, including the creation of more ‘opportunities for senior leaders to meet emerging BAME leaders and build diverse networks’ and making ‘clear that the company values difference and diversity so no minority employee is left questioning their perceived fit in the company’.
Europe | Bulgaria
Diversity on bank boards: Evidence from Bulgaria
The development of good practices in corporate governance demonstrates the importance of a qualified board for ensuring successful supervision and robust risk management
Miroslav Nedelchev
Executive member, Bulgarian Institute of Directors
The corporate board is defined as a body consisting of ‘members without executive powers’, according to the European Commission policy on diversity. In a two-tier system of corporate management, the non-executive members of the supervisory board are the main decision-makers, exercising supervisory functions over and above the management board and managers. In its policy on board diversity, the European Commission terminology is not clear on the scope of the board in the case of one-tier management systems, but the logic of good corporate practice would suggest non-executive members are also included on the board of directors. In this article, we consider the ‘diversity of the board’ in reference to the percentage of the members of the supervisory board by profession, nationality and gender.
Professional expertise diversity
Since diversity of professions is considered as a key to the effective operation of bank boards, EU rules require members to possess appropriate knowledge, training and skills to provide banks with proper and prudent management. It is recommended to introduce a committee for selecting candidates whose activity is consistent with finding a balance between knowledge, skills, diversity and experience of the board members. This diversity includes the availability of experience and knowledge from many different fields, such as finance, accounting, crediting, banking and payment systems, strategic planning, communication, management, risk management, internal control, banking regulation, audit, regulations and so on. Given the involvement of the state in the financial strengthening of banks, important areas of professionalism include knowledge of the political environment and legal literacy and, currently, specific knowledge and expertise on mergers and acquisitions. To achieve professional diversity, it is not necessary that every board member is an expert in each of these areas, but it is of great importance that the board, as a whole, has high erudition and expertise across all areas.
An additional element of professional diversity is conducting training to meet the current needs of banks, such as in risk management and corporate governance practices, and the roles and responsibilities of board members. Board members should also learn how to avoid conflicts of interest. Our survey on diversity on Bulgarian bank boards ranks professional experience in finance highest (52 per cent), followed by the economy (14 per cent) and management (nine per cent) – see Figure 1 opposite. In the survey, we take into account another characteristic of professional diversity – the distribution of higher education. For example, economists (44 per cent), financiers (20 per cent) and lawyers (12 per cent). The gap between higher education and work experience reflects the pay gap between the different professions in the local market. The greatest diversity on boards is in foreign banks – among their directors is a significant number of individuals representing entities, who are majority shareholders without economic experience. The boards of banks with local capital have a great diversity of experience beyond economics – with engineers, diplomats, representatives of healthcare, insurance and pension companies. The dynamics of professional diversity lie in increasing control, planning and law. In 2007, a small number of professions were relatively evenly distributed – an average of 20 per cent for each of the five professions. The effects of the global crisis and increasing competition from 2015 onwards are reflected in diversification, with two new professions emerging (control & planning and law), and with uneven representation across a wide range of professions (from five per cent to 52 per cent).
Board diversity by nationality
Globalisation defines diversity in nationality when it comes to the composition of boards. The average number of foreigners on EU boards sits at a third. Regardless of the processes of integration and harmonisation, the differences in individual EU countries remain great. For example, in the Netherlands 54 per cent of board members are not native Dutch, whereas in Spain just two per cent are not Spanish. The nationality of board members reflects the origin of the capital invested in banks. The bank boards in Bulgaria are extremely international – the average participation of non-Bulgarian board members exceeds 58 per cent. This high percentage can be explained by the high foreign share in bank ownership. In 53 per cent of cases, the chairman of the board is not Bulgarian. In looking at the dynamics of nationality diversity on boards, we will look at the following relationship between capital and representation:
■ Does the increase in foreign participation in ownership lead to an increase in the number of board members and the share of foreign presence on it?
■ If the share of foreign participation in ownership is lowered, does the number of foreign board members fall while still retaining a share of foreign presence?
■ Does increasing foreign presence on the board reduce or increase the diversity of nationalities?
FIGURE 1: DIVERSITY OF PROFESSION ON BANK BOARDS (bar chart comparing 2007 and 2015, in per cent, across Accounting & Auditing, Control & Planning, Economics, Finance, Law, Management, and Marketing & Sales)
The following cases are found among banks in Bulgaria:
1. In case of ownership outside the EU, the board lacks members from the state providing the capital (e.g. Investbank and D Commerce Bank have capital respectively from Oman and Turkey without a board member from these countries).
2. In cases where the bank capital originates from the EU, board members are mainly from the state providing the capital, but they can also be from other countries, depending on the structure of the banking group. For example, UniCredit Bulbank’s major shareholder is from Italy, but the board has members from Italy, Austria and other EU countries. At TBI Bank, the country providing capital is the Netherlands, but the board has a representative from the parent company, based in Israel. At the subsidiary bank Emporiki Bank – Bulgaria EAD, which has Greek capital, the board includes a Greek citizen, as well as a French citizen, France being a major source of capital. The situation is similar in the case of MKB Unionbank, where the board has representatives from Hungary as well as the ultimate owner, Germany.
3. As a result of the effects of the global crisis, boards can include members whose nationality reflects neither the country which provides the capital nor the structure of the banking group (for example, the board of Societe Generale Expressbank, where the investment comes from France, has a French and an Italian citizen on the board).
Gender diversity
An EU requirement to have more gender diverse bank boards does not confer an automatic and unconditional advantage on the underrepresented gender compared to other candidates for appointment, but it does aim to change attitudes and culture over time. The issue of increasing participation of women in all areas of business, including on boards, has great social resonance. But while it is easier to measure an increase in their presence, it is harder to explain the reasons behind it. The study shows that measures to increase the number of women on boards occupy a leading position among the initiatives undertaken to diversify boards. Over the last decade the statutes of companies have come to resemble constitutions of countries – like them, they contain declarations of gender equality, which are transformed into demands for diversity with preserved quotas for women on the boards. The practice of individual countries, however, shows variable success in the implementation of these requirements. The most significant progress in achieving gender diversity is in countries that have introduced mandatory measures, while those relying on self-regulatory initiatives have not reported significant achievements. The average share of women on the boards of banks in the EU is 12 per cent. In most member states, nominating committees have been created, which decide on the target level of representation of women in the governing body and develop policies to increase their number.
The highest average representation of women on the board is in France (41 per cent), followed by Sweden (33 per cent) and Spain (25 per cent), while the lowest is in the Netherlands (18 per cent). Norway achieved an impressive 40.2 per cent participation of women on boards, due to legislation providing a quota and sanctions, including the deletion of the company and delisting from the stock exchange where the quota is violated. In Eastern Europe, women make up 35 per cent of senior management staff. The high value of diversity is explained by the legacy of the communist regime, under which gender equality was a universal principle. In regard to the requirements for achieving gender diversity, the trend in Bulgaria is relatively constant – 16 per cent of members on bank boards are women. The positive dynamics in this area are due to the fact that in 2015 two banks had a woman as chair of the board (Bulgarian-American Credit Bank and Investbank) and in one bank a woman is both representative of the qualified shareholder (61.43 per cent) and chair of the board (Bulgarian-American Credit Bank). In most cases, women participate in banks with local capital and with a small share of the banking market, and represent the majority shareholder, who is typically a foreign entity. The banks with nationality diversity are without a broad representation of women (these are mostly subsidiaries of large banking groups that operate across the EU).
Conclusions & recommendations
Economic development and the effects of the global crisis have put diversity firmly on the agenda. Given its importance to good practices in corporate governance, the composition of a corporate board is seen as fundamental to the long-term, sustainable economic development and competitiveness of a corporation. The changing focus in corporate governance to board diversity is a qualitative step towards a new form of good practice. Initial steps to diversify boards coincided with the onset of a global crisis and should be seen as a major step towards the future framework of good practices in corporate governance. The survey highlights the qualitative dimensions of diversity on bank boards in the EU and internationally. Regardless of the time of application, of the three components of diversity, profession is given a leading role in shaping boards, while diversity of nationality is most apparent on boards of subsidiary banks in their host country. The last component of diversity, gender, is the first in history and its impact is the most difficult to quantify, besides achieving certain social expectations. The study shows that board diversity at Bulgarian banks is above the EU average. Board diversity is determined by environmental factors, such as legislation, path dependence and parent bank practices. The greatest diversity on boards is nationality, due to a prevailing foreign ownership, followed by gender diversity and professional diversity.
Europe | Trust
Why it’s time to start the trust fightback
Business needs to rebuild public confidence by demonstrating it deserves it
James Jarvis, Corporate Governance Analyst at the Institute of Directors
“Once bitten by a snake,” the Dalai Lama says, “you feel suspicious when you see a piece of rope.” To put it in a less mystical way: trust is easily lost, and very hard to rebuild. Arguably, we are currently experiencing a global breakdown in trust. A comprehensive annual survey, the 2017 Edelman Trust Barometer, displays this dearth of faith in business, politics and the media.1 The British public’s trust in the government is at just 26 per cent; for business the figure is 33 per cent, while the media only manages 24 per cent. The historic low levels of respect for traditional media sources have given rise to a widespread belief that much of the news is fake, a belief that has been exploited and exacerbated by populist politicians in many countries. This is a striking example of what can happen when the public stops believing in the institutions around them. UK chief executives are experiencing a reputational crisis, too, with just 28 per cent of Britons saying they trust business leaders – 12 per cent lower than during the same period last year, and lower than the 37 per cent across the rest of the world. This decline in trust comes in part from high-profile instances of corporate chicanery, such as the Volkswagen emissions scandal, and in part from the slow recovery from the 2008 recession, which has seen poor growth for many people’s wages. Issues, such as public distaste for high executive pay, tax avoidance, the banking crisis and corporate governance failures, including Sports Direct and BHS, all feed into a general mistrust in business. This has a detrimental effect on the majority of businesses that operate in an ethical manner with a mind to the society and community they inhabit. Just because an individual business may behave well, it doesn’t mean it can ignore the wider trend.
Lack of faith
Weak trust matters for business because it can demotivate workforces, anger customers and, in some cases, prompt government intervention. Taken together with the lack of faith in government, it also suggests dissatisfaction with the way the economy is working for sections of society – a central part of Jeremy Corbyn’s pitch to voters at the election. Just as business is now truly global, the response to the trust challenge also needs to be viewed as an international project. The Institute of Directors (IoD) Director General, Stephen Martin, recently chaired a panel on rebuilding trust at the European Conference on Corporate Governance in Malta.2 Panelists and audience alike shared in the concern that recent patterns of mistrust throw up and there was a general consensus that excessive executive pay and public perception of the issue were among the primary causes. As to the steps business could take to address this issue, there was relative alignment between the conclusions of the panel and those found in Edelman’s research.
Unsurprisingly, these focus on business conducting itself in an ethical manner, grounded in a sense of responsibility to a wide set of stakeholders. Businesses and policy makers alike need to wake up to this reality and realise the inherent danger of the society they serve losing faith in their ability to provide solutions and play fair. The so-called ‘rise of populism’ can in part be attributed to an electorate seeking answers in new places. For business, this constituency represents not just potential customers but future employees, investors and suppliers. Data has shown that the next generation of employees places company values and societal contribution above personal remuneration. As highlighted in research by Global Tolerance, of respondents born between 1981 and 1996, 62 per cent wanted to work for an organisation that makes a positive impact, half prefer purposeful work to a high salary and 53 per cent would work harder if they were making a difference to others. Investors are also becoming increasingly interested in a company’s impact on society and the environment. Earlier this year, industry giant Legal & General wrote to 84 global companies, warning that they would vote against chairs in businesses that failed to prepare for a move to a greener economy.3 This should all act as a warning for businesses that lag behind in these areas. We are also seeing creative approaches to bringing about more ethical business practice in the investment industry. The People’s Trust is one example of individuals taking up the cause themselves and coming at the issue from a market-side approach. During the recent election campaign, the IoD published specific manifesto proposals on corporate governance, intending to contribute to the effort to repair some of the lost faith in business. The first suggestion was aimed at increasing shareholder power over executive pay.
We suggested that binding votes on pay policies, currently held every three years and requiring a 50 per cent majority to pass, be amended so that where there is a large minority (30 per cent) voting against the policy, the company should be required to revise the policy before putting it to a second vote (this time requiring the original 50 per cent).
Enfranchising shareholders
We believe this would go some way to putting power on pay back with the ultimate owners of an organisation while still allowing companies themselves to be the architects of the package. Moreover, this could have a secondary benefit of making shareholders feel more enfranchised on the issue, hopefully leading to a reduction in the number of abstentions and non-votes. This is the start of a solution to a very real problem (public perception of executive pay) and one that 68 per cent of IoD members recently said was the primary threat to trust in business.
Public anger over executive pay is palpable and can be tied to two key issues with the current framework: firstly they do not perceive it as being tied to overall performance and, secondly, it is seen as being out of line with the remuneration of the rest of the workforce. The IoD does not advocate placing pay caps on executive pay, which we believe would have a distorting effect on the market and would affect the ability of our companies to attract and retain the best talent. That said, we do believe that, through our proposal, greater power can be given to shareholders to ensure that pay is scrutinised and tied to company performance. The fact that executive pay has trebled since the dotcom bubble, far outstripping rises in the FTSE, shows that there are grounds for taking action.
In our second manifesto proposal, we focussed on the UK’s largest private companies. While the legal requirements on directors on unlisted boards are the same as their public counterparts, they do not fall under the same reporting requirements. This has led to a ‘black box’ situation, where governance arrangements of these companies are often unknown until a problem occurs. This matters as, while they may not have shareholders in the listed sense, they do have a diverse and large number of stakeholders who rely on the company’s long-term sustainability. One only has to look at the example of BHS to see the widespread impact that failure in large private companies can have.
Establishing a governance code
In response to this issue, the IoD has proposed that a corporate governance code for unlisted companies is established, monitored and enforced by the Financial Reporting Council, much like the code for listed companies. While such a framework would not be appropriate for all companies, many being far too small, we would suggest an initial threshold of 2,000 employees. This threshold may be lowered over time as the code gains credibility and becomes something that private companies actively want to comply with for reputational reasons. The IoD produced a set of guidelines for unlisted companies in 2010 and this could provide the framework for any code going forward.4
Our final proposal was to attach greater importance to the issue of director training and the board evaluation processes. The need for directors to keep up to date with the regulatory environment, the new challenges and opportunities for business, and their duties to stakeholders is of utmost importance. It is essential that they are encouraged to keep their knowledge and skills topped up throughout their career. To ensure that boards are meeting their requirements, companies need to be encouraged to conduct regular and thorough board evaluation. Already in 2017 we have seen examples of leaders at some of the country’s largest companies not being fully aware of the regulatory requirements and duties. Ignorance should not be an excuse and we are seeing shareholders reject this as a reason.
With the advent of the ‘fourth industrial revolution’ and the rise in the digital economy, the need for people to be able to trust business, especially when it comes to personal data, is only going to increase. Pair this with the increased presence of the private sector in the delivery of public services and the case for ethical and trustworthy businesses becomes all the more pressing. Companies that get ahead on the issue will reap the benefits.
To do so will need a coordinated effort involving all elements of business: companies and investors, regulators and industry bodies. There is a real opportunity for these elements to come together and bring about the required changes. The FRC is reviewing both its Corporate Governance Code and its Stewardship Code. As part of this there will be a consultative period, which we would urge anyone with ‘skin in the game’ to contribute to. The IoD will certainly be doing so. We would urge those who fall under the auspices of either of the codes to embrace any changes in spirit as well as by letter.
Looking at the interventionist suggestions in the three main parties’ manifestos leading into the recent election, it’s clear that business is not the political flavour of the month. It is time for business leaders to show initiative and will. They need to prove, through action, that profit, shareholder return and ethical business conduct are not mutually exclusive. The suggestions outlined in the IoD’s manifesto, alongside the UK’s existing and world-renowned governance framework, will contribute to this goal. It should worry us all if business is seen, to return to the Dalai Lama, as a risk to society, rather than an essential part of it, generating jobs and prosperity. After an election where little positive was said about commerce, it’s vital that the trust fightback starts now.
1 http://www.edelman.com/trust2017/
2 https://www.youtube.com/watch?v=l9QxRzBX4F8
3 https://www.ft.com/content/05b5dc92-1884-11e7-9c35-0dd2cb31823a
4 https://www.iod.com/Portals/0/PDFs/Campaigns and Reports/Corporate Governance/Governance code for unlisted companies.pdf?ver=2016-11-29-134715-607
Europe | Non-performing Loans
Resolving poor corporate governance and NPLs
There is a cosy link between poor corporate governance and non-performing loans, which is sinking profits and capital at European banks
The existing stock of non-performing loans (NPLs) in Europe – estimated at more than €1trillion – remains a serious concern for European regulators and national authorities. NPLs impact banks’ profitability, divert banks’ resources from ordinary lending activities and reduce new lending into the economy. This ultimately holds back the country’s potential for growth and, in high NPL countries, can even pose a threat to the stability of the financial system as a whole.
The roots of the NPL crisis are largely derived from the economic and financial crisis – i.e. retail and corporate borrowers in dire straits because of the crisis – but in some cases or jurisdictions the high level of NPLs might have been exacerbated by poor corporate governance practices in banks, including the (lack of) oversight capacity of boards. The link between poor corporate governance and high NPL ratio has not yet been clearly demonstrated, but there are undoubtedly a number of factors suggesting a strong causal relationship.
Kissing shares
Some illuminating stories are now starting to appear in the media. Take Veneto Banca and Banca Popolare di Vicenza, both Italian unlisted mutual banks with a very high NPL ratio, as case studies. These banks received media attention because of a practice nicknamed ‘kissing shares’ – borrowers were granted loans that otherwise would not have been granted or would be granted on less favourable terms under the condition that they would buy shares in the banks. In this way, both banks were simultaneously expanding their capitalisation, shareholding base and their loan portfolio, which allowed ‘extravagant remuneration for directors and sweet financing deals for some on the board’.1
Gian Piero Cigna, Milot Ahma & Pavle Djurić
Gian Piero is Associate Director, Senior Counsel, Milot is an Associate and Pavle is Counsel at the European Bank for Reconstruction and Development
Because the banks were not listed, the price of their shares was determined on an annual basis by management, endorsed by the board, validated by auditors and submitted for approval to the shareholders’ meeting, including those shareholders that took the loans, all happy to see the share price increasing.2 Share prices were calculated at 1.5 times the banks’ net assets, while other banks were usually pricing their shares at 0.5 times. In the course of five years, shareholders’ equity halved and the net-NPLs/shareholders’ equity ratio rocketed. Few questions were asked on the sustainability and soundness of the lending practices associated with the kissing shares until it was too late. At Veneto Banca, the numbers tell the story. In 2011, it made a profit of €160million. In June 2012, it had 54,000 shareholders. But its losses began to mount – and so did the number of shareholders. In 2014, Veneto Banca had 88,000 shareholders and made €2.4billion of new loans. It also made a €650million loss for the year, the worst in its history.3 In 2016, the share prices of both banks crashed to 10 euro cents from their highest value of €62.50 and €40.75 a few years before. Is there a ‘corporate governance story’ behind all this? Well, clearly kissing shares practices were not sustainable and the lesson that can be learned from it is not much different from what was learned in the aftermath of the financial crisis.4 In particular, we could argue that not enough attention was paid to the oversight of credit risk, including the creditworthiness of borrowers and the value (and depreciation) of collateral. Banking is an inherently risky business and ensuring a sound risk management system within banks is a key board responsibility. However, this now universally accepted truth became apparent only after the financial crisis. For example, in the 2006 Basel Committee’s eight principles for good corporate governance of banks – the key benchmark for corporate governance of banks at that time – the word ‘risk’ does not appear at all.5 In Europe, only in 2013 did the Capital Requirements Directive IV (so-called CRD IV) provide for the first time some mandatory regulation of different governance aspects for banks, including the need for independent and qualified directors on the board and its committees. For many European banks, this came too late.6
Lessons to be learned
So, taking inspiration from the story above, we asked ourselves if there are any corporate governance lessons that can be drawn. To answer the question, we looked at the disclosure offered by those two Italian banks mentioned above. On paper, both banks appear to have sound governance in place with various committees, clearly articulated ‘lines of defence’ and charters requiring boards to be staffed with independent directors.7 However, there are a number of unanswered questions as to who was sitting on these committees, whether those sitting on the board – in both banks pretty much ‘male, pale and stale’ – and on the committees had the right mix of skills to direct the banks and keep management accountable. And, last but not least, who the ‘independent’ directors were. These are key questions, as those people were supposed to ensure the soundness of the banking practices and operations, including the sustainability of the business. Having an appropriate number of qualified and independent directors was especially important in these banks as they both had an executive board chair and a substantial presence of executive committee members on the board.8 The shift in board composition away from insiders towards independent directors has been one of the most important developments in international corporate governance over the past few decades. Indeed, we could not find a single corporate governance code in the world that does not emphasise the need for independent directors on the board. However, independence must be coupled with proper qualification to be meaningful – how can somebody be objective if he/she does not understand what they are talking about? It's a correlation that has been historically largely ignored.
Introduction of requirements
The CRD IV was the first mandatory European act that emphasised the need for diversified boards in banks so as to avoid ‘group thinking’. The same directive required members of the audit and risk committees to be non-executives and ‘have the knowledge, skills and expertise required for the committees’. This requirement was
then complemented by the new wording of the audit directive, which now requires the audit committee to be made up by a majority of independent directors and that the ‘committee members as a whole have competence relevant to the sector in which the audited entity is operating’ with ‘at least one member to have competence in accounting and/or auditing’. The CRD IV also makes a specific reference to integrity and ‘independence of mind’ that all board members should possess, another important cornerstone of the reform. Thanks to the supervisory work by the European Central Bank (ECB) over banks in the Euro area, this is now becoming a standard, but it is still largely overlooked: by looking at the definition of independence in most legislation and corporate governance codes, what is generally meant as ‘independence’ is largely confused with ‘non-affiliation’. This is misleading as the two concepts are profoundly different. While ‘non-affiliation’ can be defined in negative terms only (e.g. not being an employee of the company or not having a material business relationship with the company, etc), independence is a positive characteristic – the ‘objectivity of mind’ – which should be demonstrated and explained in practice – hence the need for proper disclosure. In practical terms, this translates to the ‘challenging attitude’ that all board members – and especially
independent directors – must have. The same attitude that could have saved many banks from entering into toxic practices. The same attitude that external auditors must have and that can be undermined if the auditor becomes too entrenched with the institution being audited. As a matter of fact, it appears that in both banks the same audit firms performed statutory audits for many years while also providing other non-auditing services in the same period.
Challenging auditors
It is not our intention – and we do not have any grounds – to provide any allegation of auditors’ misconduct, but it has been often argued that auditors that have become too close to the company or that have over-relied on income from a single source might have their objectivity challenged and independence compromised. In fact, in 2014 new European legislation entered into force to restrict the non-audit services that auditors can provide to EU public interest entities, which include banks. The same directive requires public-interest entities to have an audit committee, in charge – among others – to ‘review and monitor the independence of the statutory auditors or the audit firms… and in particular the appropriateness of the provision of non-audit services to the audited entity’.
In the two banks, the audit committee – which in Italy is called the ‘collegio sindacale’ – is composed of non-board members only. This is a common practice in a number of countries, but we are not convinced this is the right solution, especially when the functions delegated to the committee are typical board functions. We think instead that it is essential that audit committee members who are recommending specific actions to the board are then able to follow up on them when they are discussed and voted at the board. This would reinforce their positions and the board’s ‘objective judgement’ – to the extent that, of course, those sitting in the audit committee are truly independent and qualified board members. It's worth noting that there is no mention of qualification and independence of those sitting at the board and at the collegio sindacale in the annual report of either bank. Further, we believe that committees’ members should have a thorough understanding of the bank’s business when performing their duties, while ‘outsiders’ – as they do not sit at the board – might only have a partial vision and understanding of the bank’s activities. While it is legitimate that committees might need external advice or expertise on specific issues, they should be able to request such advice but without allowing outsiders to take the place of board members in their determinations. Finally, committees that include outsiders might have confidentiality and accountability issues, since outsiders might not be bound by the same duties of loyalty and care required to be board members. In some countries where this practice is allowed, audit committee members are accountable to the board but only on a contractual, not fiduciary basis. This might create perverse incentives. In other countries – as we believe it is the case in Italy
– the accountability of the audit committee is directly to the shareholders. Interestingly, in Italy ‘foundations’ are major shareholders in banks9 and foundations are subject to political influence.10 Similar characteristics can be found in the Spanish cajas, which accounted for a vast majority of NPLs in Spain. Some authors suggest that in state-owned banks, the public authorities could have influenced their lending decisions towards excessive risks relative to expected returns.11 A recent study found that cajas whose chairmen were previously political appointees had significantly worse loan performance.12 This toxic relationship seems also confirmed by a recent OECD study on Slovenia which points out that ‘the bust has not affected all banks equally.13 The quality of the loan portfolio has deteriorated the most for large state-controlled banks.... For these banks, the ratio of NPLs to private corporations increased from two per cent in 2007 to 30 per cent in October 2012. In comparison, the corresponding ratio for foreign banks amounted to 11 per cent and for small domestic banks to 23 per cent. This suggests that the increase in bad loans of state-controlled banks is not driven just by the business cycle’.
Reform progress inches forward
The good news is that substantial reforms are currently ongoing. Cajas in Spain and banche popolari in Italy are being restructured – even if in Italy the reform is moving slowly – and governance issues are being tackled and improvements are visible in the most recent banks’ disclosures. In Slovenia, the largest bank in the country is planning to go public during 2017 and this should also help to improve its governance. The ECB – through the Single Supervisory Mechanism – working closely with the national supervisory authorities, is leading the supervision of systemically important banks in the Eurozone. The ECB has also recently published the new Guidance to Banks on NPLs, which includes some important corporate governance elements.14 A major development, and one of the ECB’s key priorities of 2017, is the introduction of a new IFRS 9, which is expected to enter into force in January 2018 and should help tackle the delayed recognition of credit losses associated with loans and contribute to a better assessment and disclosure of banks’ credit portfolio quality.15 However, most of the corporate governance reform seems to stay within the European Union. Outside the EU, efforts seem mostly dedicated to NPLs workout strategies while little attention is focussed on governance of banks. A recent review of the disclosure by some banks affected by a high NPL ratio in countries neighbouring the EU reveals that the issues mentioned above are still present. Information about the qualifications and independence of board members is vague or non-existent, audit committees are staffed with outsiders and the role of the banking regulator in overseeing governance of banks is still limited to a quantitative approach, not appropriate to oversee governance practices. Clearly a lesson not yet learned.
The opinions expressed are of the authors only and do not necessarily reflect the views of the European Bank for Reconstruction and Development (EBRD). Footnotes will be run in full online.
REFORM PROGRESS Governance issues are being tackled
Board Governance | Litigation
Institutional investors turn to the courts
When protecting asset value through litigation is increasingly seen as your fiduciary duty
Institutional investors are encouraged to exercise the rights attached to the securities in which they invest assets for their beneficiaries (retirees, clients, etc) and to actively engage with investee companies.
Charles Demoulin
Partner at Deminor Recovery Services
There is also a renewed interest in ‘fiduciary duties’ of institutional investors and the extension of those duties to environmental, social and governance (ESG) issues related to their investments. Institutional investors must often manage assets in the long-term interest of their beneficiaries while taking into consideration the long-term consequences, both financial and non-financial, of their investment activities.
By acting as ‘good stewards’ through the exercise of due care in the selection of investments and the monitoring of investee companies, institutional investors can contribute to the creation of value in the long term for their beneficiaries. It can also help investors prevent, to some extent, undue destruction of value.
Unfortunately, institutional investors are sometimes confronted with misconduct, wrongdoing or even fraud that can lead to significant losses on their investments, which also harm the interests of beneficiaries. Institutional investors must then consider available options to recover the value that has been destroyed – or at least part of it. While looking at the recent developments and how industry practices have evolved, it seems increasingly difficult to disregard the option of litigation when harm has been done to assets entrusted to a professional investor. We will therefore focus on some aspects related to legal actions that can help institutional investors protect the assets under their management.
1. Evolution towards a more active and direct participation in litigation to protect the assets
For many decades, investors have been able to rely on the mechanism of class actions in the United States in which one or several (institutional) investor(s) act(s) as ‘lead plaintiff(s)’ in the interest of an entire class of aggrieved investors. Where those class actions lead to recoveries, most often through a class settlement, investors included in the class can claim their own share of those recoveries even if they have not been themselves directly and actively involved in the litigation. There have been discussions and opinions in the United States about whether and to what extent institutional investors have a fiduciary duty to take the necessary steps to collect available damages to which they are entitled as a result of a class action. A related issue is whether those investors have a duty to take a more active role in this type of litigation (e.g. by acting as lead plaintiff) or to leave the class (opt out) in order to pursue individual claims for their own benefit.
In Europe, the question of the involvement of institutional investors in securities class actions has also been raised. In a 2007 paper, the UK National Association of Pension Funds (NAPF) asked the question “Do trustees have a fiduciary duty to join a securities class action?” and answered that “It seems self-evident that trustees have a duty to protect the assets in their scheme and that they should therefore at the very least not neglect opportunities to recoup losses, where the cost and effort are commensurate with the expected return.”1 This is not limited to trustees in the strict legal sense but also applies to other ‘fund fiduciaries’ (as confirmed by NAPF in a document from 2015). At first sight, starting a court action could be considered as taking investor stewardship obligations to another – more contentious – level. We see however no reason to exclude litigation and the enforcement of rights from the scope of engagement activities that can be expected from institutional investors. In its Global Stewardship Principles that were ratified in 2016, the International Corporate Governance Network (ICGN) provides under Guidance 4.3 ‘Engagement escalation’: “Investors should clarify how engagement might be escalated when company dialogue is failing including… seeking governance improvements and/or damages through legal remedies or arbitration.”2 The relevance of this issue for institutional investors has not diminished, quite the contrary. Over the last few years, they have been presented with a higher number of opportunities to recover losses through
litigation, which are no longer limited to securities class actions. This is due to some extent to a landmark opinion of the US Supreme Court of 24 June 2010 (Morrison vs National Australia Bank) which significantly restricted the scope of US securities regulations (and related class actions) with respect to ‘foreign cases’. As a result, institutional investors had to consider alternatives to litigation in countries where US-style class actions are not necessarily available and investors have to be directly and personally involved in a court action. This is very often the case in Europe. This evolution had an impact on how institutional investors could effectively discharge their duty ‘to protect the assets’. If litigation requires a direct and active involvement from the investor, the decision whether or not to be involved in a court action can have far-reaching consequences.
2. The importance of taking informed decisions and monitoring the investment chain
Where an institutional investor has a (fiduciary) duty to consider participating in litigation, the first step consists in being properly informed, essentially about (1) the existence of a potential claim, (2) the size of the recoverable losses, and (3) how and under what conditions those losses can be recovered. Investors usually want to be involved in meritorious claims (even if they can participate based on a ‘no cure, no pay’ model) and to understand the consequences of being involved in a court action (what can be expected from the investor during the proceedings? etc). Institutional investors should gather as much information as possible at an early stage, bearing in mind that claims for damages can sometimes be subject to relatively short limitation periods. Even though there are differences between jurisdictions and the same questions are not relevant in all of them, certain issues can be common to various legal systems. It can be useful to draw a list (or to seek assistance to draw such a list) of all key issues related to potential litigation for which investors should seek input before deciding whether or not to participate. Once the investor has received the information, the next step consists in analysing it in order to come to an informed decision. Even where investors owe a fiduciary duty towards beneficiaries, this does not prevent them from seeking proper advice before taking their decision. Investors may also adopt standardised procedures to facilitate their work and decision-making process, including by adopting internal policies with respect to litigation. The exercise of an investor’s duties towards its beneficiaries to protect their assets and interests must also take into account the roles and tasks of third parties throughout the
entire investment chain. Institutional investors should start by making sure that the information about potential litigation efficiently flows back to them, so they can rapidly consider this option and take an informed decision. In relation to the decision-making process, it is also important to identify the persons or entities vested with the proper powers and authority when it comes to actively participating in litigation. Indeed, the management of investments is often characterised by a certain degree of delegation to third parties (asset managers, custodian banks, etc). It is problematic if an institutional investor is prevented from claiming or recovering damages because no timely action was taken. It can be equally problematic if a claim is brought without the required authority or if several similar claims are brought by, or on behalf of the same investor due to a lack of coordination or oversight. This pleads for clear, robust and transparent processes, not only at the level of the institutional investor (including its own internal governance) but also in its relationships with all parties involved in the investment chain. While the support of other parties is often required in order to participate in litigation (e.g. a custodian bank providing statements of the investments to support the
claim for damages), the institutional investor should also make sure that decisions to actively participate in litigation are taken at the proper level and that those decisions, once taken, are executed accordingly. This includes the issue of delegations (to the extent they are legally and/or contractually possible) and the extent of those delegations. The same goes for the ongoing monitoring and reporting on the further steps of the litigation. Institutional investors should therefore include appropriate clauses in their agreements with parties involved in the management of the assets. Delegation of tasks and responsibilities (which can make sense from a practical point of view) should not entail any dilution of fiduciary duties and accountability on the part of the institutional investors. In this respect, we can refer to the ‘Model Contract Terms Between Asset Owners and Managers’ proposed by the ICGN to help asset owners formulate their contracts with fund managers.3 The ICGN document includes
proposed model terms for stewardship under which it suggests the following additional clause, depending on the extent of delegation of stewardship activities to the manager (language used here is equity-specific but could be easily amended for relevant rights under other asset classes):
“The manager is granted authority to carry out the following rights in respect of assets held in the Portfolio: [voting/bringing forward counterproposals/proposing shareholder resolutions/calling for special audits/attending general meetings/calling an EGM/recovering the proceeds of class actions or other litigation brought by other parties/bringing class actions, derivative actions or other litigation]. An appropriate proportion of the costs of any such exercise of rights will be attributable to the Portfolio. The Client retains the following rights in respect of assets held in the Portfolio: [bringing class actions, derivative actions or other litigation/recovering the proceeds of class actions or other litigation brought by other parties/calling an EGM/attending general meetings/calling for special audits/proposing shareholder resolutions/bringing forward counterproposals/voting]. The Manager undertakes to raise with the Client situations in which the exercise of some of these rights might be appropriate, and the parties will agree on an appropriate good faith allocation of any associated costs.”
Conclusion
Institutional investors should act as good stewards by making sensible investment decisions, by exercising their rights as shareholders and investors and by engaging with companies in order to create value in the long term for their beneficiaries. This may also help them prevent such value from being destroyed or at least better understand or mitigate the risk of value destruction. However, there will still be circumstances in which, in spite of all their due care and efforts, undue harm will be done to the assets under their management. At that point, bringing a claim can become a valid option to recover (part of) the losses, in the interest of the beneficiaries.
Recent examples of successful recoveries show that litigation, even outside of the context of US securities class action, is an efficient and valid way to recoup losses suffered as a result of misrepresentations, fraud or other forms of misconduct. Over the last few years, institutional investors have demonstrated a high level of awareness of and interest in this concrete way of ‘protecting the assets’ being placed under their care. It is, therefore, not surprising that an ever-increasing number of those investors consider participation in litigation, whenever possible and justified, as part of the duties they owe towards their beneficiaries.
1 NAPF, Securities Litigation – Questions for Trustees, p.2
2 http://icgn.flpbks.com/icgn-global-stewardshipprinciples/#p=1
3 https://www.icgn.org/sites/default/files/ICGN_Model-Contract-Terms_2015.pdf
Board Governance | Internal Audit
Optimising forward-looking information for the board
Internal audit analytics can open the board’s eyes to strategic risks and keep it one step ahead of threats and open to opportunities
Brian Christensen
Executive Vice President, Protiviti
Staying ahead of disruptive changes is not easy for boards of directors to manage these days. Until recently, disruptive innovations generally took a decade or more to transform an industry. Today, industries can be entirely remade by agents of disruption in half that time, or even less, as the half-life of business models continues to compress.
This shrinking interval leaves board members precious little time to react, let alone anticipate potential disruptions that could emerge without warning. To sniff out the threats and opportunities zeroing in on their industries and organisations, boards need to optimise all of the resources at their disposal, including internal audit reports and information. The most valuable internal audit information is delivered by functions that routinely produce data-driven insights about the strategic risks confronting the business. When internal audit functions deploy advanced analytics, they can harness relevant data points to deliver a contrarian perspective that opens the eyes of audit committee and other board members to what they do not yet know. As such, boards and audit committees should challenge their chief audit executives (CAEs) to optimise the internal audit function’s use of data analytics to help them obtain sharper, timelier insights on operational risks, marketplace conditions, competitors and other strategic risks.
New research on the data analytics capabilities within internal audit functions indicates that CAEs can benefit from some prodding and support on this count. Most internal audit functions have achieved a relatively low maturity level of integrating data analytics into the audit process. Only three per cent of internal audit executives describe their analytics capability as ‘optimised’, while nearly three out of four describe their analytics capability either as strictly ad hoc or as a collection of repeatable processes, according to Protiviti’s 2017 Internal Audit Capabilities and Needs Survey.
As CAEs strive to develop their function’s analytics capabilities, internal audit stakeholders who already have benefited from analytics are demanding more data-driven insights from internal audit. The need for boards to receive more relevant, data-driven and forward-looking insights regarding strategic risks is also intensifying. The price of lacking this access is painfully evident in the growing number of organisations with seemingly sound strategies and growth plans that have struggled or even ceased to exist when disruptive changes impact their industry. By challenging CAEs to deliver more data-driven insights regarding strategic risks, boards can improve their odds of recognising and responding to the market opportunities and emerging risks associated with major disruptions earlier and more effectively than the competition.
Four ways to optimise internal audit insights
In a recent global survey of internal audit stakeholders conducted as part of The Institute of Internal Auditors’ ongoing Common Body of Knowledge research, seven out of 10 board members and executive decision-makers reported that they want
internal audit leaders to focus on strategic risks in addition to operational, compliance and financial risks in the audit plan. Internal audit functions that fulfil this requirement are better positioned to deliver the type of insights and analyses that boards need to stay ahead of the disruption curve. To that end, audit committee chairs and other board members should consider challenging CAEs to execute the following four activities:
1. Understand the critical assumptions underlying the business model
Management’s assumptions about markets, customers, competition, digital and other technology, as well as regulatory behaviour and other external factors, are fundamentals that shape the organisation’s strategy. Because the organisation’s business model is typically designed to function within the business environment envisioned by management, a dramatic shift in any of these drivers would likely require a swift re-evaluation of the model’s continued validity. Given their independent status and continuous scrutiny of activities and risks throughout the enterprise, internal audit functions are well-positioned to monitor the strategic fundamentals of greatest interest to boards. When CAEs understand the business model’s key pillars, they can think more strategically when working with the audit committee and executive management to formulate audit plans and analyse risks. Although auditors have traditionally focussed on operational, compliance and reporting issues, they must think more strategically. For CAEs and other internal audit leaders, this means being able to access and understand the contrarian points of view within and outside the organisation that are relevant to the sustainability of the business. To have their CAEs think along these lines, board members should consider asking internal audit leaders what concerns them when they listen to earnings calls of the company and its competitors – and also what critical business-model assumption concerns them the most in terms of disruptive threats in the marketplace.
2. Apply scenario analyses to evaluate situations that could threaten critical assumptions
Analysing different scenarios can help executive teams and board members understand and identify the factors that directly influence the failure or success of the business model. Scenario planning and analysis focusses attention on the potential sensitivity of changes in any of the fundamental business model assumptions. Industries that lack strong entry barriers may be especially susceptible to technological shifts, for example. As a result, these companies are more likely to face new and unexpected sources of competition.
TOUGH QUESTIONS FOR INTERNAL AUDIT CHIEFS
Board members can get a read on the internal audit function’s ability to deliver the unvarnished truth on the organisation’s business objectives, strategy and culture by putting the following questions to their CAEs:
1. How does internal audit maintain a contrarian point of view while identifying strategic concerns, supported by data points, in a timely manner?
2. Does the organisation’s risk management process misunderstand or underestimate the timing, impact or magnitude of emerging and existing risks?
3. Is the organisation unduly relying on the past in evaluating/predicting market behaviour?
4. What internal audit data do you share with senior executives to help them monitor progress on strategic objectives and risks?
5. Does your function possess the right capabilities, including the necessary data analytics and supporting technology and expertise, to support evidence-based assessments of strategic risks?
DATA-DRIVEN INSIGHTS Effective IT audits can help organisations improve internal controls and security
Since internal audit is one of the organisation’s key risk management functions, it can help identify an event (or combination of events) that could invalidate one or more of the entity’s critical assumptions. Boards should challenge CAEs to conduct scenario analyses that centre on identifying potential emerging or underestimated risks. For example, consider asking CAEs which fundamental assumptions look too good to be true based on internal audit’s work and consideration of plausible and extreme scenarios.
3. Evaluate competitive intelligence
To facilitate the timely recognition of change, the gathering and assessment of competitive intelligence provides executives and board members with a valuable frame of reference concerning the effectiveness of organisational processes and customer experiences, the company’s response to market changes, and other strategic focal points. The most effective forms of competitive intelligence are aligned with the most critical assumptions underlying the strategy and business model while offering relevant perspectives and insights about evolving conditions through a range of quantitative and qualitative measures. Leading competitive intelligence capabilities also tend to access and analyse non-traditional information and data that often offer a contrarian view to conventional wisdom and entrenched management biases. Internal audit is well-suited to assist the organisation’s efforts with analysing competitive intelligence to more effectively mitigate the impact and likelihood of negative disruption.
4. Distil and demystify timely information for board members
The board must receive timely, quality information regarding strategic risks. This information should be unfiltered and devoid of any sugar-coating. When this information relates to customer experience, for example, it should contain candid insights directly from customers concerning their interactions with the company. Data-driven insights on new and emerging strategic risks from internal audit are valuable on this count because they provide evidence-based clarity from an independent source. The more forward-looking these data-driven insights are, the better informed the board and executive management will be.
Maturing audit analytics capabilities
By applying data analytics to larger portions of their function’s audits, CAEs and their audit staff can generate data-driven insights on more aspects of organisational risk and the company’s progress toward its strategic objectives. The continuous auditing and monitoring technology tools that help produce analytical insights also will reduce the amount of manual information-gathering that internal audit conducts. In turn, these efficiency gains can enable CAEs to allocate more expertise to focus on the areas and issues of greatest concern to executive management and the board. For these reasons, CAEs and board members alike should make data analytics a critical component of the internal audit function. This means sustaining a consistent effort to advance the internal audit function’s analytics capabilities beyond ad hoc activities to an optimised maturity level. Boards can assist this maturation process by encouraging CAEs to take the following actions:
■ Seek out opportunities to expand internal audit’s knowledge of sophisticated data analytics capabilities so that the function has a more comprehensive and precise understanding of what is possible with analytics, what similar organisations are doing with analytics and what progress is needed to advance these capabilities.
■ Consider the use of ‘champions’ to lead the analytics effort and, when appropriate, to create a dedicated internal audit analytics function. Internal audit analytics champions help bridge the gap between the analytics function and operational auditors while encouraging greater analytics use throughout the internal audit function. Compared to other organisations, those with analytics champions and dedicated analytics functions in place deliver more value, experience higher demand for their analytics services, and obtain better access to higher-quality data.1
■ Identify new data sources, both internal and external, that can enhance internal audit’s view of risk across the organisation. Increase the use and reach of data-based continuous auditing and monitoring to perform activities such as monitoring fraud indicators, key risk indicators in operational processes, and information used in strategic decision-making activities conducted by the senior executive team and the board.
■ Seek ways to increase the level of input audit committee members and other key stakeholders provide when developing, using and expanding analytics tools and when determining what data should be monitored by these tools.
■ Implement steps to measure the success of data analytics efforts and consider the most effective ways to report success and value to the audit committee, the board and other key stakeholders.
ANALYSING DATA Internal audit champions can deliver better access to information
As the pace of industry disruption quickens, there is growing recognition that an ‘analogue’ approach to auditing can no longer suffice as a long-term strategy if the function is to help executive and board-level decision-makers anticipate, analyse and respond to relevant strategic threats and opportunities.
The good news is that the technology tools and data exist to help CAEs and their internal audit functions operate in a more digital, data-driven and real-time manner. Structured data is particularly plentiful in all organisations – and can, and should, be harvested by internal auditors to uncover the valuable insights, efficiencies and issues buried within it. What’s more, roughly two out of three internal audit functions already use some form of data analytics in their audit process.
Of course, advancing a fledgling analytics capability to a more mature state that delivers timely, relevant insights to the board and executive team is not easy. However, analytics can prove to be a game-changer in helping board members and senior executives stay ahead of disruptive trends looming on the horizon.
1 Protiviti’s 2017 Internal Audit Capabilities and Needs Survey
Board Governance | Crisis Management
PAN-PAN! An airline’s lesson in staying calm in crisis
Establishing mechanisms that allow you to consider every possible scenario will best prepare for the unexpected
Tom McLeod
Managing Consultant, McLeod Governance
A few weeks ago over the clear, cold winter skies of Sydney in Australia, a China Eastern passenger plane bound for Shanghai radioed that it needed to make an emergency landing. Anxious passengers described hearing a very loud noise and a burning smell soon after MU736 left Sydney Airport on the Sunday evening. What they most likely heard – for it is now the subject of an official air safety investigation – was an explosion in the left-side wing engine casing that left a large hole. Thankfully, the plane was able to return safely to Sydney for inspection.
Media reports at the time shared the cockpit’s voice recording and what was noticeable was two-fold – firstly the calmness and professionalism of both the air traffic control and the China Eastern pilots and, secondly, the use of the phrase ‘pan-pan’ to describe the situation. The use of pan-pan was appropriate and consistent with the universally accepted distress signal hierarchy of mayday and pan-pan. Mayday is used when there is imminent danger to life or the continued viability of the distressed vessel. Pan-pan is used to alert everyone that there is an urgency on a vessel but that – in the opinion of the caller – there is no immediate danger to life or the vessel itself.
Watching the media reports and listening to the audio it struck the author that, at least in terms of matters of life and death involving stricken crew and passengers, there is a consistent framework for airline staff to handle a crisis in a manner so that everyone understands the importance of the message and the level of response that the stricken vessel could expect. It’s worth taking a moment to consider that again: a consistent framework to handle a crisis; in a manner that everyone understands the importance of the message; in a manner that everyone understands the level of response that the stricken vessel could expect.
How many organisations can say that – outside specific areas where, as is the case here, there is government intervention for the betterment of society – they have something similar in place?
Crises – by their very nature, for it wouldn’t be called a crisis otherwise – happen when you least expect it. They can be – and are – man-made, acts of God, financial, operational or reputational. They, of course, can also threaten life and limb, as was the case with the China Eastern saga. So how does one develop a framework that addresses such a myriad of potential circumstances?
Firstly, it is by acknowledging that you can’t prepare for every possible scenario but you can put in place mechanisms that allow you to consider every possible scenario. The most effective frameworks that we have developed and reviewed are those that are based on clear and well-articulated principles. What those principles are is ultimately at the determination of the relevant organisation. The British standard on crisis management does a good job in seeking to define them. For us, there are five key principles that we have relied on in more than a quarter of a century of reviewing crisis responses.
Acceptance
Acceptance that the world is a confusing place sometimes and that a crisis management framework is not necessarily seeking to control that confusion but seeking to manage the organisation’s response to it. These objectives are fundamentally different. Many an organisation has tried to do the former only to make the latter much more difficult to achieve.
Acceptance that not everyone sees the world in the same way that you do. This is particularly important in a crisis. When the proverbial organisational sun is shining it is very easy to be lulled into the thought that there is broad agreement on how things should progress. When the dark clouds of uncertainty visit in the shape of an unexpected event that collegiate assumption is often the first tenet to be sorely tested. Accepting that that is the case and designing your crisis management framework to be open to different views is a critical aspect of a robust response.
A word of caution, though – accepting that there are divergent views is not the same as endlessly debating those divergent views. There is no such thing as a perfect crisis management plan, just one that is best suited to the circumstances. You can’t endlessly consider your options in an environment where the crisis itself has robbed you of the one commodity you need most – and that is time.
Accountability
The cliché that success has many fathers but failure is an orphan could have been written specifically for the post-event evaluations on how one responds to a crisis. A crisis managed well soon leads to a return to business as usual. A crisis poorly managed will lead to finger pointing and organisational retribution. While I acknowledge that this is a scientifically untested hypothesis, we would suggest that in those times where a crisis has been managed well, there has been someone who has been given accountability by the crisis management framework to do something and who has done that something exactly as was envisioned.
This accountability is not in terms of a title – we should note that we are not great fans of a ‘crisis management leader’ title as it suggests that those with ‘normal’ operational responsibilities can somehow abdicate their responsibilities in the moment of greatest need. The accountability that we mean is more in terms of being capable of taking control and being seen to be capable of taking control. Nothing is more cancerous to the likelihood of a successful management of a crisis than when those seeking leadership look to those with designated accountability and see that those who have been gifted the awesome responsibility have shirked their obligations at the worst possible time.
UNDER CONTROL The airline’s crisis management plan kicked into action over Sydney
Expertise
There is a wonderful New Yorker cartoon that mocks the recent trend towards anti-intellectualism. In the cartoon a passenger on a plane stands up and declares:
“These smug pilots have lost touch with regular passengers like us. Who thinks I should fly the plane?”
If there is one place – actually there are many places, including an airplane – where you don’t want overconfident amateurs then it is in a crisis or, equally importantly, in the construction of a well-thought-through crisis management plan. When that moment of great urgency visits your organisation it is no time to be testing out whether someone is competent or not at their role. You need the very best to be giving their very best.
Sometimes short-sighted organisations will invoke the specter of cost management as a reason to perhaps go with that person with that little bit less experience or who hasn’t actually gone through a crisis before but has read about it in a Harvard Business School case study. Resist that temptation as strongly as you can. The money spent on subject matter experts with relevant and recent expertise will be repaid many times over for the simple reason that they will be able to make rational decisions based on an understanding of the consequences much quicker than someone who is making such fraught decisions for the first time. In a crisis, it is worth reiterating that time is the most critical factor you have. Don’t waste it and don’t think that you are doing your organisation any favours by cutting costs at this most precarious of moments.
Transparency
Misery may love company. In a crisis, conspiracies love an information vacuum. A CEO once told me about their response to a food contamination scare of an international subsidiary of a major American company. The communication protocol within that organisation was that everything had to go through corporate head office before being released. That sounded good in practice but for the fact that the food contamination scare happened on the other side of the world to where corporate head office was and where it was Sunday afternoon. The CEO had to make a decision as to whether to respect the business-as-usual protocol or to take matters into his own hands. He erred on the side of being transparent with all his stakeholders as soon as possible. When challenged by his superiors he said that he wanted to make sure that everyone had at their disposal all the information that he had so that educated decisions could be made.
A well-constructed crisis management plan enshrines transparency as a core value. This is not to say that you need to be giving everyone a play by play to the detriment of actually managing the crisis, but it does mean that you need to be ready. A way to do this is to designate someone as the sole person who can speak on behalf of your organisation so that others have their focus elsewhere.
Equally importantly, your framework needs to consider – and test pre-crisis – your approach to communication. Should you have pre-prepared statements that mirror the general stages of a crisis and fill in the unknowns as and when needed? If you are not comfortable with that, have you decided what approval process will be enacted in the event of a crisis, remembering that the normal review and approval channels that a ‘traditional’ communication piece would be subjected to are likely to be too cumbersome in the event of an emergency? And have you debated – outside the intensity of a crisis – whether your organisation would be comfortable in releasing publicly that you have no information that can better decipher the current crisis than that which everyone else has?
This last point is one that is hotly debated within organisations. Does the admittance of limited or no knowledge enhance or hinder the credibility of your crisis recovery effort? We have always thought that the best strategy is to err on the side of too much communication as it generates trust that you will tell stakeholders what you know as soon as you know it. If you are seen to be less than transparent what happens is that prejudices and gripes usually completely unrelated to the matter at hand are brought in by mischievous players that may see the crisis as an opportunity to further their agenda.
Note-taking
This may sound a strange criterion to have in an otherwise esteemed list of values that should be incorporated into a robust crisis management plan. Yet, for us, it is on par with all the others. A crisis is an unpredictable cyclone of events, information, emotion and – nearly inevitably – blame. In such an environment, it is critical that there be as near as possible contemporaneous documentation of the key events and decisions.
Why? When the post-crisis review (as should happen after all crisis incidents) comes and the moment for learnings is upon the organisation, you want to be able to rely on an as near as possible objective chronology of what has happened.
How is this achieved? The contemporaneous note-taker should have access to all meetings to document all key decisions, noting who was there; what, if any, divergent views were expressed; and the agreed decision of the collective. As an aside, that there were divergent views is not a sign of weakness of the crisis response; in fact it is the opposite: it shows that those entrusted with responding to the crisis acted in a manner that was debated and appropriately considered. Those who are more litigious of mind should consider how such work can be under the protection of legal professional privilege or its local jurisdictional equivalent.
Imagine if you will that the China Eastern pilots had not adopted an agreed crisis management response to the incident over Sydney in June 2017. One of the things that makes air travel tolerable is knowing that – should the worst happen – then there is an approach that will be enabled where everyone knows what to do and when. This sense of comfort, of predictability, is that which a good crisis management plan should engender. Does yours?
SAFE LANDING With a clear framework for action, you can pilot your organisation through a crisis
Board Governance | Integrated Reporting
Integrated reporting: chance to make a difference
Shifting to an IR model creates a strong narrative at a time when corporate behaviour is under intense public scrutiny
Gerrit van der Merwe
Chief Executive Officer, Candor Governance
Humanity has evolved to the level where two dominant systems reign supreme: democracy and its sibling capitalism. The difference between the twin systems is that democracy implies that the average member of society rules mankind’s destiny and capitalism elevates the financially endowed above all others. Should we be concerned?
Comparing large companies rated by revenue and large countries rated by GDP, we note that the aggregate of the top 10 companies’ revenue is greater than all but the top four countries. Those top four countries, of course, include the top 10 companies’ revenue, enhancing the skewed power distribution towards companies. The handover of power from kings and emperors to presidents and prime ministers was only temporary, as chairmen and managing directors have largely usurped that power.
Considering the effect that capitalism has had on the Earth’s resources, we’re confronted with the realities of climate change and stark wealth inequality. Notwithstanding the identification of several stakeholder groups, boards and company executives have maintained their short-term focus on keeping shareholders happy. There remains a preoccupation with enhancing financial capital, often at the expense of other interests. This makes sense in the prevailing system – not only does a financial focus remunerate the executives the most efficiently, but it also represents the de facto capitalist scorecard. Tracking financial growth is also the most comfortable way to track progress. This systematic comfort is a concerning aspect – from the time when Italian monks devised the double entry bookkeeping method to current international technology firms coding financial systems, the entire capitalist foundation has been built for supporting financial capital. In comparison, non-financial measurement systems are fledgling upstarts, struggling to gain acceptance.
The United Nations estimated the Earth’s population at 7.5 billion in April 2017, with an expected slowdown of population growth until 2050. Note a slowdown in growth rate, not a decline in population. Therefore, we can project more people competing for the same, or declining, resources.
Environmentally, it is clear that a lack of resources, other than financial capital, is fast becoming Earth’s major priority. With companies’ power growth gaining momentum, and with their focus on short-term financial capital growth in the face of a failing environment, governance systems are critically important to maintain Earth’s equilibrium. The world has governance systems – plenty of them, in fact. Unfortunately, regardless of all the governance legislation, codes and standards, there doesn’t seem to be much of a dent in the harm capitalism is causing our planet. Perhaps integrated reporting (IR), and the holism and transparency it requires, is the very mechanism we need to ensure that our planet’s sustainability is preserved.
Integrated reporting and governance
Before considering the full impact of what integrated thinking requires of organisations, the way integrated reporting dovetails with governance methodologies needs to be considered. Governance, after all, primarily addresses the way the leaders of organisations wield their power. The International Organization for Standardization (ISO) held its first plenary session in Quebec City in May 2017 to consider an international standard for the governance of organisations. The discussions indicated an appreciation for the recently completed King IV Report on Corporate Governance™ in South Africa 2016 (King IV). Arguably, South Africa leads the world in its adoption of integrated reporting. The fusion of King IV and integrated reporting capably acts as a prototype for the world. The King IV Report adeptly summarises the leadership duties of the governing body. The governing body should:
■ Determine strategy
■ Approve policies that give effect to organisational strategy
■ Provide oversight of the effective implementation of strategy and policies
■ Disclose on performance and sustainable value creation
Enter integrated reporting
John Elkington coined the phrase ‘triple bottom line’ of ‘people, planet and profit’, which has been expanded into six capitals by the International Integrated Reporting Council (IIRC) – financial, manufactured, intellectual, human, social and relationship, and natural capital. Instead of merely requiring organisational disclosure on how the six capitals were affected, the IIRC craftily requires ‘integrated thinking’, which is ‘the active consideration by an organisation of the relationships between its various operating and functional units and the capitals that the organisation uses or affects. Integrated thinking… considers the creation of value over the short, medium and long term’. If an organisation is to disclose the impact that its business model, both use and outcome, had on the capitals, it stands to reason that its strategy, policies, procedures and reporting mechanisms should be similarly designed. Integrated reporting therefore requires integrated thinking at board level, which, in turn, requires integrated operational business models that cater for all capitals. By requiring integrated reports to be issued by companies, we require the responsible and sustainable treatment of the Earth’s resources.
Integrated reporting defined
The IIRC defines an integrated report as a ‘concise communication about how an organisation’s strategy, governance, performance and prospects, in the context of its external environment, lead to the creation of value over the short, medium and long term’. In no uncertain terms, the integrated report is the responsibility of the governing body, or board of directors.
There are three concepts key to IR: the capitals and integrated thinking, the IR guiding principles and the IR content elements. Integrated thinking and its value creation process is intuitive, and it makes sense that organisations use the same six capitals that the value creation (or destruction) process affects. Let’s consider the six capitals:
■ Financial capital: This capital represents the standard, though very important, measures of success that accountancy disciplines record
■ Manufactured capital: Those physical objects that are available for use in production, such as buildings, equipment and infrastructure
■ Intellectual capital: Intangible, knowledge-based assets, such as patents and know-how
■ Human capital: Represented by people, their skills and experience, including their motivation, loyalty and ability to innovate
■ Social and relationship capital: Communities and stakeholder groups, their shared values as well as the organisation’s social licence to operate
■ Natural capital: Renewable and non-renewable resources, including air, water, land, minerals, fauna and flora as well as biodiversity and eco-system health
The IR guiding principles
Interestingly, an independent 2016 KPMG study in 16 countries regarding integrated reports determined several overlaps of investor requirements and IR guiding principles. Larry Fink, CEO of the largest institutional shareholder BlackRock, was prominently quoted with requirements for long-term, strategic insights. The IIRC describes the following IR guiding principles:
■ Strategic focus and future orientation: Insight into an organisation’s strategy and how it relates to its ability to create value in the short, medium and long term and to its use of and effects on the capitals
■ Connectivity of information: A holistic view of the combination, interrelatedness and dependencies between factors that affect the organisation’s ability to create value over time
■ Stakeholder relationships: An insight into the nature and quality of the organisation’s relationships with its key stakeholders, how and to what extent their legitimate needs are considered
■ Materiality: Disclosure only of information about matters that substantively affect the ability of the organisation to create value over time
■ Conciseness: While this points towards materiality, it also considers a balance between materiality and other guiding principles, a logical structure, plain language and links to other sources of relevant information
■ Reliability and completeness: All material matters, both positive and negative, are disclosed in a balanced and accurate way
■ Consistency and comparability: Consistency over time with comparatives to previous periods, benchmarks and industry norms
INTEGRATED REPORTING DEFINED An integrated report will provide an insight into an organisation’s ability to create value and meet targets
IR content elements
With the value creation impact on the capitals and guiding principles in place, the IIRC suggests the following components to an integrated report:
■ Organisational overview and the external environment: What does the organisation do and what are the circumstances under which it operates?
■ Governance: How does the organisation’s governance support its ability to create value in the short, medium and long term?
■ The business model: What is the organisation’s business model – i.e. its inputs, activities, outputs and outcomes?
■ Risks and opportunities: What are the specific risks and opportunities that affect the organisation’s ability to create value over time, and how is the organisation addressing them?
■ Strategy and resource allocation: Where does the organisation want to go and how does it intend getting there?
■ Performance: To what extent has the organisation achieved its strategic objectives and what are its outcomes in terms of effects on capitals?
■ Outlook: What challenges and uncertainties are the organisation likely to encounter in pursuing its strategy and what are the implications for its business model and future performance?
■ Basis of preparation and reporting guidance: How does the organisation determine what matters to include in the integrated report, and how are such matters quantified and evaluated?
What is holding back an international roll-out of integrated reporting?
Silos in a multi-code world
There are at least three distinct governance philosophies in the world: the US rules-based approach; the UK-initiated principles-based approach; and the delegation of power between executive and non-executive directors (blended boards vs separate advisory and executive boards). With these differences among jurisdictions, it is little wonder that there seems to be such an apparent lack of alignment between stock exchanges. Had there been alignment, a listing requirement mandating integrated reporting – such as that which exists in South Africa and Brazil – would have been a simple matter. Following that would have been the establishment of international assurance codes, similar to IFRS, resulting in spotlights on unsavoury practices. Instead, a mixture of financial, sustainability, annual and integrated reports, often voluntary, has resulted in disclosures that are difficult to standardise and control.
Reluctant owners
Initial governance measures were instituted to guard against agency risk – the risk that exists if ownership and management vest in different bodies. Audit committees, remuneration controls and the elimination of conflicts of interests are, in theory, well managed. However, corporate governance requires that owners assume some responsibility. This responsibility has become more difficult to ensure, as there has been a marked ownership shift from individuals and families to institutional shareholders to index funds. A static index fund, with hardly any movement in its asset holding, is hardly likely to vote on company resolutions and even more unlikely to make its environmental requirements known to company boards of directors.
Proxy activists
Institutional shareholders rely on proxy advisers, such as Glass Lewis and Institutional Shareholder Services. They require these proxy advisers to analyse and advise on the corporate governance aspects of resolutions that require voting at company general meetings. The proxy advisory business model is not quite as fragile as that of the credit rating agencies – often paid by the issuers – which eliminates some aspect of independence. The advice is costly, necessary and usually conservative, though accurate. It is, perhaps, the conservative service that eliminates an advisory notice regarding an investee company’s integrated report. Similarly, international investment research firms could enhance their services, such as ‘Morningstar Sustainability Rating’, by noting the existence or quality of integrated reports of the companies they research.
INTEGRATED METHODOLOGY Piecing together business processes while considering the environment is the logical and ethical step
Conclusion
The International Integrated Reporting Council reports that more than 1,000 companies in the world are using the International Integrated Reporting Framework to communicate with their stakeholders. The natural progression towards an integrated methodology that encompasses organisations’ strategy, business processes and reporting, while also considering the Earth’s capitals in a way that will ensure those resources for our children, simply seems like the most logical and ethical step in our corporate governance path. International acceptance and development of this evolutionary step may be exactly what our planet and our children demand.
Board Governance | Sport
Good governance: The foundation for playing a beautiful game
Especially in the sport sector, management practices ought to exemplify the highest levels of fairness, transparency and stakeholder engagement. In fact, the future trust in sport depends on it…
Michael Pedersen
An internationally recognised expert in sport governance, transparency, ethics and integrity
As the continued headlines about corruption, doping, match-fixing and other governance-related issues indicate, these are unprecedented and extraordinary times indeed in sport.
While a lot of work remains to be done in terms of motivating change and in developing customised, adequate and effective governance solutions, there has been noteworthy progress lately, too. Firstly, more and more sport leaders, organisations and stakeholders are acknowledging a range of governance issues to be addressed in making sure that sport organisations remain fit for purpose. Also, more and more solutions are being developed and implemented in and across sports, countries and regions, including those with the support of governments and other stakeholders in and of sport.
Complex issues
Consensus on the scope and nature of sport governance has yet to be established. Sport governance headlines this year reflect that fact. Appreciating that issues continue to be numerous, multifaceted and complex, it is helpful to take a broad and holistic approach to sport governance. In doing so, critical current sport governance issues can be summarised along the lines of the following three dimensions:
1 Critical governance issues related to the political and operational integrity of a sport organisation
Nepotism in hiring, vote-buying in elections, conflicts of interest, lack of diversity, very long terms in office, culture of yes-saying, lack of a merits-based boardroom, no clear separation of roles and responsibilities between political and operational management, lack of transparency and accountability – for instance in not making audited financial statements publicly available – no formal voice to key stakeholders and development funding as a source of corruption.
2 Critical governance issues related to a level playing field for athletes
Doping, match-fixing, illegal betting, unequal access to sport participation and to talent spotting and talent development, abuse of athletes, athlete safety and agents as a source of corruption.
3 Critical governance issues related to the integrity of sport events
Bidding processes and selection of sport event hosts as a source of corruption, unfair ticket pricing and distribution, reselling of tickets as a source of corruption, selection of sponsors and granting of media broadcasting rights as a source of corruption. In the case of big sport events, issues also include critical societal challenges that are directly associated with the building of event infrastructure and indirectly associated with the event being hosted by a particular country, i.e. concerns related to human rights, labour standards, the environment and anti-corruption.
Emerging solutions
Various solutions to address these sport governance issues are being developed by sport organisations and governments; some individually, some collectively and some through multi-stakeholder partnerships. While most of these solutions address a range of sport governance issues, some of them are also issue specific.
At a national level, many recent solutions in the form of governance reforms of sport organisations have been initiated as a response to a governance-related crisis and on the basis of a governance review. That was, for instance, recently the case of the English Football Association. In an increasing number of countries, either the national Olympic committee and/or the government have also been developing national frameworks and tools for good governance in sport. In some cases, compliance with minimum governance criteria has also become a prerequisite for national sport organisations to remain eligible for full public funding.
LEVEL PLAYING FIELD Sporting organisations are starting to acknowledge governance issues
International solutions
At an international level, the International Association of Athletics Federations (IAAF) has been the most recent international sport organisation to follow FIFA’s lead in developing solutions and subjecting itself to comprehensive governance modernisation. Following the approval of wide-ranging constitutional changes last year, IAAF has been putting in place three particularly noteworthy governance measures, reflecting and further defining evolving good governance practices in sport.
First and foremost, the IAAF set up a new independent Athletics Integrity Unit in April 2017. The Unit is to manage all doping and non-doping integrity matters, including assuming responsibility for education and testing and for investigation and prosecution of breaches of IAAF’s Integrity Code of Conduct. It also takes over responsibility for investigating and prosecuting anti-doping rule violations of all international level athletes, which used to be carried out at a national level. To ensure the independence of the Athletics Integrity Unit, it has its own board and staff. The Unit is housed and operates separately from IAAF.
A new independent Disciplinary Tribunal has also been established. The Tribunal is to hear and decide on all breaches and impose sanctions under IAAF’s Integrity Code of Conduct. The IAAF Disciplinary Tribunal consists of a panel of lawyers, from which members are allocated to each case. The panel of members is proposed by the IAAF Council for approval by the IAAF Congress. Decisions of the Tribunal can be appealed to the Court of Arbitration for Sport.
Last but not least, IAAF has also put in place a so-called Vetting Panel. Comprised of three independent persons, appointed by the IAAF Congress on the recommendation of the IAAF Council, the Panel is to check the eligibility of IAAF officials and decide if they meet IAAF’s vetting requirements. IAAF officials include all members of IAAF’s Council, Executive Board, Integrity Unit Board, Disciplinary Tribunal, commissioners and others acting for IAAF, including IAAF staff.
IAAF officials are not considered eligible for office under certain circumstances, such as if they have ever received a criminal conviction, been declared bankrupt, disqualified as a director or breached any IAAF rule, including committing an anti-doping violation. Decisions of the Vetting Panel can be appealed to the Court of Arbitration for Sport.
At a collective international sport organisation level, sport governance solutions are also being developed. For instance, under the umbrella of the Association of Summer Olympic International Federations (ASOIF), a Governance Taskforce has developed a method for the 28 summer Olympic international sport organisations to self-assess their governance standards in areas such as transparency, integrity, democracy, development and control mechanisms. The consolidated self-assessments were published in April 2017 and are seen as the beginning of a process that will offer support to international sport federations in ensuring that their governance frameworks are fit for purpose. ASOIF has committed to exploring the development of a compliance certification system in this context, too, in 2018.
At an intergovernmental level, various sport governance solutions are evolving too. Recent noteworthy examples include the European Commission Pledge on good governance in sport, offering sport organisations a platform to commit to addressing issues related to integrity, accountability, transparency, democracy, participation and inclusivity. Such examples also include the ongoing further development of the Council of Europe’s recommendations related to good governance in sport and its continued work to ensure the effective implementation of conventions related to the fight against doping and match-fixing.
Additional examples include strongly worded policy recommendations related to good governance in sport in the context of the recent 2017 Commonwealth Sport Policy Expert Roundtable, building on the Framework of Policy Recommendations on Integrity in Sport, already adopted by Commonwealth sport ministers last year. Other examples include strongly worded policy recommendations related to good governance in sport, adopted at the Sixth International Conference of Ministers and Senior Officials Responsible for Physical Education and Sport (MINEPS VI), which was recently hosted by UNESCO.
Finally, at an international multistakeholder level, the emergence of the so-called Sport Integrity Global Alliance (SIGA) is particularly noteworthy. SIGA, first of all, stands out by being independent and multi-stakeholder in nature. Founding members and founding supporters include stakeholders such as national, regional and international sport organisations as well as governments, inter-governmental bodies,
sponsors, media broadcasters, financial institutions, NGOs, academia and professional services/audit firms. The Alliance also stands out by offering a mix of universal standards on good governance in sport and a comprehensive implementation framework, which takes into account that sport organisations are very different in terms of size, resources and specific governance challenges.
Issue specific solutions
As far as issue specific international solutions are concerned, many observers have pointed to the World Anti-Doping Agency (WADA) as a model case for how to go about designing good governance solutions in sport, not least because the agency is a partnership between sport organisations and governments – both in terms of decision-making structures and in terms of financing. Some have even suggested that the WADA mandate should be expanded to include good governance in sport. While such discussions continue, WADA is undertaking comprehensive governance reform. Issues considered in a transparent multi-stakeholder process include conflicts of interest, roles and responsibilities nationally vs internationally, separation of power between different bodies and increased funding.
Other issue specific sport governance solutions evolving focus on issues such as human rights, the environment and protecting athletes. As for the former, a Sports and Rights Alliance (SRA) has been formed. SRA is a coalition of human rights organisations, sports organisations and trade unions, including the World Players Association, FIFPro, Football Supporters Europe, Human Rights Watch, International Trade Union Confederation, UNI Global Union, Terre des Hommes, Transparency International, Amnesty UK and Amnesty Holland. SRA’s mission is to ensure that sport organisations respect human rights, the environment and laws and regulations as part of organising major sporting events. While the Commonwealth Games Federation has been pioneering a human rights-based approach to hosting sport events, the Union of European Football Associations (UEFA) recently announced that the organising country has to respect human rights to be eligible to organise the 2024 European Championship.
As far as other sport governance-related issue specific solutions are concerned, Sport and Sustainability International (SandSI) held its inaugural congress in 2017. SandSI seeks to ensure that sustainability becomes a key business principle in sport. Safe Sport International (SSI) is also organising its first international convention at the end of the year and seeks to end violence and abuse against athletes.
The challenge ahead
Looking ahead, it is important to appreciate that sport is a reflection of society – with all its beauty and all its flaws. Along those lines, sport should neither be expected to be able to solve all its governance issues overnight nor in isolation. Two challenges especially need to be urgently addressed in taking current efforts to the next level: 1) mainstreaming and incentivising governance modernisation in sport organisations across sports, countries and regions and 2) developing a common understanding of the scope and nature of good governance in sport as well as aligning and merging initiatives, frameworks and tools being established at national, regional and international levels.
Global News Latin America
Mexican former state governor charged
Former Mexican state governor Javier Duarte has been extradited from Guatemala to Mexico and charged with corruption, money laundering and involvement in organised crime. Duarte, who governed the state of Veracruz for six years, has been accused of siphoning off millions of dollars during his tenure. Mexican prosecutors say the ex-governor will stand trial, with prosecutors alleging that Duarte embezzled millions and used much of the money to buy properties. Duarte’s legal team has said the state charges are baseless and politically motivated.
Enap to revamp corporate governance
Chile’s senate has approved a bill to overhaul corporate governance at national oil company Empresa Nacional del Petróleo (Enap). The legislation, which the senate passed in June, mandates that Enap has a fully independent board of directors — free of influence from union representatives or government. The bill establishes a board composed of seven members: two directly appointed by the President of the Republic, four proposed by the high public management system and one that will be chosen by the company’s employees.
The bill was approved by the Chamber of Deputies with 98 votes in favour and now can be put into effect by the President of Chile.
B3 companies approve new regulation
Brazilian stock market operator B3 has announced that companies listed on the Novo Mercado segment have voted for a revision of regulations. The new listing rules bring changes that include mandatory auditing committees, improvement of the minimum requirements of codes of conduct (including with compliance and ethics requirements) and additional mandatory policies, such as on related parties transactions, appointment of managers and management of risks.
“B3 is proud of the vote of confidence that it has received from the range of stakeholders involved in this process to play, once again, its institutional role of promoting changes that seek to uphold the excellence of capital markets in Brazil,” said Flavia Mouta, B3’s issuer regulation managing director. “The subject of corporate governance best practice is always on the agenda in our discussions about making the Novo Mercado into a national and international benchmark.”
Havaianas sold amid corruption scandal
Brazilian flip-flop brand Havaianas has been sold for nearly $1.1billion as its owners liquidate assets to foot multi-billion corruption fines. Alpargatas, maker of Brazil’s Havaianas flip-flops, announced that controlling shareholder J&F Investimentos has sold its stake in the footwear company to Brazilian investment groups Itaúsa, Cambuhy and Brazil Warrant. J&F Investimentos, the holding company overseeing the fortune of Brazil’s billionaire Batista family, was fined more than $3billion in May for bribing nearly 1,900 politicians. Havaianas has dominated the global flip-flop market, selling around 200 million pairs a year — 16 per cent of them are exported.
Latin America | Change Management
Latin America in a VUCA world
Boards in the region are struggling in today’s volatile, uncertain, complex and ambiguous climate
Professor Alfredo Enrione
Founder & Chairman of the Center for Corporate Governance and Society at ESE Business School
The lives of those living in Latin America have evolved dramatically over the last couple of decades. From a starting point of centralised economies led by left-wing dictators, most societies have ended up embracing political and economic freedom. This democratisation process brought peace, stability and rapid growth which, together with a long cycle of high prices for commodities, meant moving the whole region from the very bottom to a league of ‘middle income countries’. Some countries even joined the ‘exclusive’ OECD (Organisation for Economic Cooperation and Development) club. In Chile, for example, development indicators, such as personal income or college enrolment, grew six-fold in just three decades.
Besides the obvious reasons to celebrate, economic prosperity also brought unexpected consequences. The new middle-class generations became wealthier, more educated and, thanks to new technologies, better informed and empowered. Now they are questioning the status quo and pressing hard against those leading politics and corporations. In the last decade, these claims have been successful in mobilising change, such as tax and labour reform in Chile; pension reforms and upheaval in indigenous communities against mining in Peru; and key government officers in at least seven countries facing jail, related to corruption schemes implemented by Brazilian corporation Odebrecht.
Directors in the region are feeling the pressure for change, too, and the words ‘uncertainty’ and ‘risk’ are conjugated in boardrooms more than ever. In order to better understand this phenomenon, I was asked to help conduct a series of interviews and surveyed more than 500 CEOs and board members of the largest corporations in two countries: Chile (which ranks top in terms of economic and political transformation) and Peru (which ranks in the regional average).1 While the survey data comes from just two nations, for someone teaching and advising boards across the region, the findings seem to be quite representative.
In the early 1990s, the US Army War College introduced the acronym VUCA (Volatile, Uncertain, Complex and Ambiguous) to describe the new world that emerged after the end of the Cold War. It was harder than ever to predict the nature and dynamics of change (thus, Volatile); the lack of predictability, awareness and understanding of issues and events (Uncertain); the multiplex of forces, the confounding of issues, no cause-and-effect chain and confusion surrounding organisation (Complex); the haziness of reality, the potential for misreads and the confusion of cause-and-effect (Ambiguous).
VUCA seems to be a precise description of how Latin American board members perceive their region has evolved in the last decade. First, they feel very strongly that institutions, laws, regulation and rules of the game, in general, changed dramatically during the last
decade. Moreover, while the degree of change was perceived unanimously, the actual direction of change had different interpretations. For example, a group of directors perceived pieces of regulations, such as those protecting the natural environment, as extra burdens and costs. Others perceived those same regulations as a positive and necessary convergence towards international standards. New rules of the game generated passionate debates over the ways firms should change and adapt to them, but also created uncertainty regarding the ways regulators will eventually interpret and enforce the new policies (see Figure 1). CEOs and directors also acknowledged dramatic changes in their economies and civil societies in the last decade. Wealthier and better educated populations brought growth and business opportunities, but citizens became more demanding. Moreover, institutional investors, consumer associations, NGOs and local communities were amplifying their voices and increasing their relative political power. CEOs and directors realise that the long-term prospects of their corporations will depend upon their understanding of these social expectations (see Figure 2). Directors of the board also perceived significant change in the markets where their firms competed. On one side, customers were more demanding, more complex and harder to understand and serve. The traditional
segmentation schemes were obsolete and the new middle class ‘millennials’ were particularly difficult to decode. On the other side, market growth, economic freedom and technological innovation brought new competitors and new business models. Those firms relatively accustomed to operating in protected markets, were suddenly disrupted by new, sophisticated and aggressive global competition (see Figure 3).
Change, risk and decision-making
The perceptions of dramatic and volatile change pose serious concerns at board level. Particularly, on their limited capabilities to visualise the likely scenarios in which their businesses will compete. In this sense, spirits of uncertainty and confusion are pervasive and these moods exacerbate perceptions of personal threat and risk. CEOs and directors consider that uncertainty is much higher than just a decade ago. Risks rose significantly in just about every aspect concerning their business operation. Even country risk increased in their view. This datum underlines the difference between perceptions and reality and how environmental change is affecting the former. As a matter of fact, the country risk ratings of these countries consistently improved in the last decade.2 Informed consumers, technology-induced transparency and more empowered citizens were also affecting the job security of those sitting on boards. It is not a coincidence that the last decade revealed more corporate scandals than ever in history. In Brazil, for example, the CEO of the largest construction company Odebrecht and one of the richest persons in Latin America was sentenced to 19 years in jail, following corruption charges. The Mexican Walmart bribery scandal ignited an expansive wave that spread not only to the global giant’s headquarters in Bentonville but also the boards in Latin America. In Peru, the chairman and the CEO of the giant contractor Graña y Montero resigned their positions to deal with accusations of corruption.
FIG 1: INSTITUTIONAL CHANGE IN LATIN AMERICA (chart, Peru vs Chile). Statements rated: Institutions are consistent and predictable when applying regulation; Institutional change has been better for business; Institutions, regulations and rules of the game (tax, labour, environment, etc) have changed dramatically in the last decade.
FIG 2: ECONOMY & SOCIETY CHANGES (% OF AGREE/STRONGLY AGREE) (chart, Peru vs Chile). Statements rated: In order to survive in the long term it’s imperative for our company to understand and deal with the expectations of the different stakeholders; The pressures of different stakeholders (activists, communities, etc) have increased dramatically in the last decade; Economic conditions and society have changed dramatically in the last decade.
FIG 3: COMPETITION IN THE MARKET (chart, Peru vs Chile). Statements rated: The demands of our customers have increased dramatically in the last decade; The leading players in my industrial sector have been replaced by new companies in the last decade; The intensity of competition in my industrial sector has increased dramatically in the last decade; The degree of complexity in my industrial sector has increased dramatically in the last decade; The degree of globalisation in my industrial sector has increased dramatically in the last decade.
In Colombia, an embezzlement scandal at its main oil refinery, Reficar, became the country’s biggest scandal ever, with $4billion missing and a $16million prostitute bill. In Chile, the chairman of the board and two senior executives of retailer La Polar went to jail charged on a billion-dollar accounting fraud. Accordingly, for almost all directors in the sample, their personal risk, both legal and reputational, was perceived as higher than ever (see Figure 4).
How did all the above-mentioned perceptions affect strategic decision-making at the board level? Did boards see opportunities or only threats in the social and market changes? How did their companies’ strategies reflect their perceptions? We classified strategic responses in two dimensions. First, we measured the perceived potential effects of change and classified the answers in an ‘optimist-pessimist’ axis. Those that perceived new emerging opportunities arising from shifts in the environment or just saw no clear negative effect on their companies were classified as ‘optimists’. The second dimension, defined as ‘active-passive’, considered if their companies were driving or not specific initiatives and capital expenditure to face the new situation. These initiatives and projects could be either offensive, pursuing opportunities, or defensive to mitigate the negative effects of change. The results were striking, as barely two thirds of companies were not able to see clear opportunities in the new milieu (see Figure 5).
Hope of change?
Until now, Latin American boards have been extremely resistant to the outside pressures to change their practices and composition. For instance, a recent study showed that the current percentage of board seats held by women in Latin America is 6.4 per cent and that since 2011 this proportion grew only two per cent per year (one third the speed of their peers in US/Canada and one seventh that of Europe).3 However, the stress induced by the speed and nature of change may be melting resistances and facilitating a more rapid adoption of best practices. In that sense, our survey inquired about the willingness to change at board level. Apparently, directors are now very open to changing board practices. From their processes to their relationship with the CEO, even diversity was less of a taboo (see Figure 6).
In the last 30 years, Latin America has changed dramatically in just about every dimension. Economic and political freedom brought peace, prosperity and globalisation. Like their customers, local corporations grew richer, more sophisticated and faced new challenges and opportunities. Yet, their boards of directors seemed oblivious of the tectonic shifts. Now they are struggling to make sense of the new situation. They are surprised, uncertain and defensive, but also more willing to listen to key stakeholders and explore new ways of doing things. It is still too soon to tell if these processes will end up bringing real change in Latin American boards, but a VUCA world is a great reason to start.
FIG 5. STRATEGIC POSTURE TOWARDS A VUCA LATIN AMERICA (DISTRIBUTION OF RESPONSES AMONG CEOS AND BOARD MEMBERS)
Axes: Optimist (~50%) vs Pessimist (~50%); Passive (~38%) vs Active (~62%)
IN DENIAL (optimist, passive) 12%: “We are well prepared to face the changes and have no need to make important adjustments”
PURSUING EMERGING OPPORTUNITIES (optimist, active) 38%: “We believe change is creating major opportunities and we are moving to capture them”
PARALYSED BY FEAR (pessimist, passive) 26%: “We are waiting for the storm to pass before making the key strategic decisions”
FLYING SCARED (pessimist, active) 24%: “We are moving our operations towards markets with less risk and uncertainty”
1 The survey was conducted by the author in the second semester of 2016 in collaboration with the organisations Virtus Partners, ICARE and EY.
2 For example, from 2006 to Dec. 2016 Moody’s ratings improved from A2 to Aa3 and from Ba2 to A3 in the cases of Chile and Peru, respectively.
3 2016 Egon Zehnder Latin American Board Diversity Analysis
FIG 4: PERCEPTIONS OF UNCERTAINTY & RISK (% OF AGREE/STRONGLY AGREE) (chart, Peru vs Chile). Statements rated: Uncertainty has increased dramatically in the last decade; Country risk has increased dramatically in the last decade; The risk of doing business has increased dramatically in the last decade; Market risk has increased dramatically in the last decade; Corporate risk has increased dramatically in the last decade; My personal, legal and reputation risk has increased dramatically in the last decade.
FIG 6: WILLINGNESS TO CHANGE (% AGREE AND STRONGLY AGREE) (chart). Statements rated: Board willingness to give the CEO more power; Board willingness to improve information gathering and processing; Board willingness to embrace diversity; Board willingness to improve understanding and communication with key stakeholders; Board willingness to change the way it operates and makes decisions; Controlling shareholder is willing to change governance practices.
Latin America | Gender Diversity
Board gender diversity in Latin America
The feminine advantage: an integral vision of strategic risks
Alejandra Mastrangelo
Consultant in Corporate Identity and Governance
There is a close relationship between the lack of gender diversity in decision-making positions and the increased risk and conflict with stockholders and stakeholders in an organisation.
In Latin America, where businesses are often subject to distortions and to the absence of regulations that are in place elsewhere, a multidisciplinary and diverse management team is a must. These teams are better prepared to address all potential risks at the time of investment. Research has proven that the participation of women on boards of directors helps to take into account the voice of all stakeholders. In homogeneous corporate boards, lack of diversity is fertile ground for group thinking, which increases the risk for the organisation. That’s why experts recommend heterogeneous boards.
The female outlook
With regard to gender diversity specifically, studies of numerous disciplines, such as neuroscience, sociology and economics, found that men tend to have a style that is more focussed on the bottom line and on stockholders. Men use the analytical region
of the brain to a greater extent for decision-making. And, given that the region responsible for anxiety is four times smaller in men than in women, men have an innate ability to handle stress more effectively. Women often provide a 360-degree view of the organisation’s strategic risks, are less prone to confrontation and establish valuable relationships that raise levels of awareness and compassion in work teams. Their more collaborative style leads them to build consensus, use empathy and anticipate the impact of short, medium and long-term decisions for all stakeholders. Female brains are wired to facilitate communication between analytical and intuitive processing modes, which equips them with a greater ability to communicate.
Gender diversity promotes a balanced leadership that brings together the best qualities of both genders. It stimulates the development of more creative, innovative and capable teams able to obtain better results. It means that having women in leadership positions is not a matter of quotas or justice. It is a business imperative to remain competitive in the 21st Century.
As a matter of fact, the feminine style has a huge advantage when it comes to the social licence to operate, a concept of fundamental importance in the Latin American region. If, like many of my clients, you are wondering, “Where do I buy the licence to operate?” the answer is that it is not for sale. It’s gained with good practices that build trust in the society where the organisation operates. For example, a mining company that takes care of the environment and minimises the negative impact of its activities on the population in the area from which it extracts its raw material will maintain its social licence as long as its relations with those stakeholders are constructive. That is, the social licence to operate is rooted in the beliefs, perceptions and opinions of the interested parties. It is intangible, dynamic and subject to the quality of formal and informal relations between the board, the organisation and the stakeholders.
Business reputation: challenges in Latin America
Faced with everyone’s easy access to mass communication platforms, organisations are increasingly exposed to online scrutiny of their business practices. Corporate identity, mission and values come into play here. In Latin America, as in the rest of the world, various interest groups can block, judge and condemn an organisation and its executives for their bad reputation. There is a risk that they will revoke the social licence to operate. Hence, having a more holistic view from the board of directors will help to make decisions that can substantially reduce geopolitical risk.
The Lava Jato operation, the corruption scandal that originated in Brazil led by the construction company Odebrecht, generated a geopolitical risk of transnational corruption of unthinkable magnitude. It organised a system of bribery from Latin America that impacts at least 12 countries in the region. Latin America is learning the lessons that the rest of the world has learned from cases, such as Enron, Parmalat or Worldcom. Unfortunately, despite important anticorruption signals the region is sending, they are still insufficient. The countries involved want to get out of these types of situations and are giving clear signals of a cultural change. For example, Argentina is taking proactive measures. It is already working to be incorporated as a member of the Organisation for Economic Co-operation and Development (OECD), with a government reform plan and modernisation of the state.
Diversity needs a positive discrimination quota
In the long run, investors should foster inclusion in corporate governance and align investors with broader social objectives.
■ Invest in countries where states foster women’s rights, gender equality and diversity in their governing bodies
■ Confirm that the Stock Exchanges of the countries where they are looking to invest have policies on gender equality in public companies
■ Invest in countries where there is greater transparency. A key factor to look for is legislation on the subject, such as whistleblower laws or corporate criminal responsibility
■ Prioritise investment in companies with corporate board diversity (gender, social class, education, region from which the director comes, type of experiences, etc). In terms of gender equity, a good practice calls for at least three women on the board of directors
Until the legislation of Latin American countries catches up with international standards, the key is self-regulation and the implementation of best governance practices. To privilege the right thing over what is convenient. To do things honestly, regardless of geopolitical distortions to protect the organisation, and lead by example.
RING THE BELL FOR GENDER EQUALITY 2017
Multiple international organisations are contributing to the empowerment of women in economic and leadership fields. For example, in Buenos Aires on 9 March 2017, within the context of International Women’s Day, the National Securities Commission, together with the Buenos Aires Stock Exchange, promoted, for the first time in Argentina, Ring the Bell for Gender Equality. This initiative was held simultaneously in more than 43 stock exchanges around the world. It was organised internationally by UN Women, UN Global Compact, Sustainable Stock Exchanges and the International Finance Corporation (IFC) and at the local level had the institutional support of the Ministry of Finance, Women’s Economic Development Center of the National Ministry of Production, the Red Shoe Movement and Fundación Liderazgos y Organizaciones Responsables (FLOR) – all organisations actively working to raise awareness and promote changes in female participation in the business and financial sectors.
Latin America | Stock Exchanges
Novo Mercado: paving the way
The role of the Brazilian stock exchange in shaping Latin America’s corporate governance
Santiago Chaher
Managing Director at Cefeidas Group & Co-Director at Universidad de San Andrés Corporate Governance Program
Stock exchanges throughout Latin America have begun to realise the importance of good corporate governance in attracting investors after the success of Brazil’s Novo Mercado, a listing segment of B3 reserved for companies meeting high standards of corporate governance.1 Although Novo Mercado initially struggled after its launch in December 2000, it has since become the driving force behind the B3 exchange and an inspiration for improved corporate governance in the region. In its first two years, no companies listed on the segment but, by 2007, 57 per cent of companies traded on B3 were listed on the differing levels of Novo Mercado as opposed to the traditional segment.2 Other exchanges in the region have taken note and hope to emulate this success. However, what is successful in one industry or market will not necessarily be guaranteed the same success in another. Rather than seeking to replicate Novo Mercado, other exchanges should aim to learn from Novo Mercado’s example and determine their own approaches for improving listed companies’ governance. If countries remain creative and build on what Novo Mercado has done, Latin America should have not just one, but several models of good corporate governance from which to establish coherent regulations for the region.
Argentina
Argentina is one of the many countries that has taken note of Novo Mercado’s success and currently has the opportunity not only to emulate it, but to improve upon it. Argentina’s newly formed capital market, Bolsas y Mercados Argentinos (ByMA), plans to create its own version of Novo Mercado by establishing a segment available only to companies with high standards of corporate governance. By emphasising reliability and transparency, ByMA will set the bar high for what is required to list on the new segment and create protections for international investors who might otherwise be wary of investing. As Novo Mercado has already been through four sets of updated listing rules, ByMA will have the benefit of taking the best practices by following Brazil’s example. However, it will still need to take into account factors specific to the business environment in Argentina and adapt the rules.
First, unlike Brazil in 2000, Argentina has relatively good corporate governance regulations that are on par with international standards. This presents the welcome challenge of raising the standards even higher to fit the needs of a more corporate governance-savvy, new market. Secondly, there still are many companies in the process of committing to good corporate governance practices, so the bar set by the new market must be realistic in setting their standard. Third, Argentina’s economy appears to be on a positive trajectory, but the country is still vulnerable to political and economic shifts. A struggling economy was one of the main reasons that Novo Mercado took so many years to catch on and an economic downturn would certainly have a similar impact on Argentina’s new market.
Currently, there is also a political push in Argentina for the development of capital markets and Argentina has recently expressed interest in joining the Organization for Economic Cooperation and Development (OECD), which has prioritised good corporate governance. If ByMA can capitalise on the window of opportunity it currently has and on the existing regulatory framework in the country, we expect that the new market could see positive results much more quickly than did Novo Mercado and could begin to drive ByMA’s success in the same way Novo Mercado has driven B3’s.
Colombia
While Argentina is very closely modeling Brazil’s corporate governance segment, other countries have taken a different approach – emulating the spirit of Novo Mercado, without replicating the system. In Colombia, for example, rather than creating a separate segment with completely different listing rules, the Colombian Securities Exchange (BVC) has invested in a perhaps slightly lower-maintenance approach by creating a specific designation for companies with high standards of governance called the Investor Relations Quality Issuer. Companies receiving the designation voluntarily comply with international best practices for investor relations (IR).
However, the initiative has faced its own challenges, which will be useful for ByMA to take into account as it develops its own segment devoted to better corporate governance. One downside is that the IR recognition granted by the BVC does not provide feedback on the quality and accuracy of the content used for recognition standards but rather only denotes a verification that the information requested exists on the issuer’s website. As different markets experiment and refine various methods for addressing corporate governance, the region will only become a better example for good corporate governance practices over time.
INSPIRING CHANGE Latin American countries can learn from the success of Brazil’s Novo Mercado
Regional interaction
These initiatives in Argentina and Colombia are just two examples of how Novo Mercado has inspired other markets to experiment with their own methods for encouraging good corporate governance and are thus attracting more investors. Novo Mercado has been a positive influence in the region without demonstrating the need for imposing a one-size-fits-all system. B3 and Novo Mercado appear to be pushing for more regional integration, as they’ve already bought, and are in the process of buying, significant stakes in the predominant demutualised exchanges in the region. As more exchanges in the region have demutualised, B3 has capitalised on that and bought enough shares to place a director on the board of the Santiago, Lima, Mexican and Colombian exchanges. If B3 decides to invest in ByMA, putting a director on ByMA’s board would be the next logical move for B3.
B3 hopes that this integration will help it to maintain its status as the most influential Latin American market, as well as increase liquidity and help the region compete with global markets. Furthermore, through this representation, B3 is in a position to directly influence the corporate governance standards of the exchanges, as well as to push for coherent regulatory standards throughout the region. While it is not clear exactly how B3 will use this strategy to exert its influence, we should expect to see more consistency in the listing rules across Latin America as more markets demutualise and B3 continues to buy large stakes of the predominant exchanges in the region.
As ByMA designs its listing rules and establishes a procedure for reevaluating those rules to reflect changes in the market, it should be aware of the main challenges that Novo Mercado has faced so that it can address them proactively should they arise. For example, given the historic predominance of controlling owners in Latin America, Novo Mercado took steps to encourage more dispersed ownerships by creating strong protections for minority shareholders. To further encourage dispersed ownership, when Novo Mercado launched, they mandated that companies reserve 10 per cent of shares for individual (non-institutional) investors. These rules led to more outside investors buying shares, more owners selling shares of their companies and, eventually, a shift in company composition.
As ByMA finalises the listing rules for its own new market, it is likely that corporate governance improvements could produce the same type of shift in ownership. ByMA can learn from B3’s experience and plan ahead for this shift.
Like Novo Mercado, ByMA will have to continually update its listing rules in order to take into account the current business context. Novo Mercado was designed with controlling owners in mind and ByMA’s new market will likely have a similar initial framework. However, knowing that this very framework may contribute to a shift in company composition, ByMA’s new market should be ready to continually reassess its listing rules in order to ensure they address the issues most relevant in the current business environment.
The right frameworks
As more good governance-focussed markets pop up in Latin America, implementing frameworks to encourage better governance will only get easier. If ByMA can have more success by building upon BVC and B3’s experiences and integrating its own ideas, then the next exchange to go through the same process will have even more examples to follow and options to consider. While the ultimate goal for Latin America may be more coherent standards for corporate governance, we should be reluctant to hold one model up as the gold standard at these early stages. Novo Mercado set the ball in motion, but now other markets have the opportunity to test ideas of their own and add to what has been done. Together, B3 and the other key Latin American markets have the opportunity to collaborate and find dynamic ways to keep pace with foreign investors’ needs and expectations for good corporate governance.
By choosing to set the bar high for good governance and responding nimbly to changes in the market, we can expect Latin American stock markets to gain the trust of foreign investors, inspire the participation of local companies and investors and increase liquidity in the region, helping it to become a truly lucrative emerging market.
If countries remain creative and build on what Novo Mercado has done, Latin America should have not just one, but several models of good corporate governance from which to establish coherent regulations for the region
1 Novo Mercado was launched by BOVESPA in 2000 and became a part of BM&FBOVESPA in 2008 when BOVESPA and BM&F merged. As of March 2017, BM&FBOVESPA became B3 after buying out competitor Cetip. Novo Mercado is now a listing segment on B3. For consistency, B3 will be used throughout the article to refer to all previous forms of B3.
2 Novo Mercado and Its Followers: Case Studies in Corporate Governance Reform, IFC Global Corporate Governance Forum http://www.ifc.org/wps/wcm/connect/e1162a8048a7e69ea787e76060ad5911/Novo%2BMercado%2Btext%2Bscreen%2B4-21-08.pdf?MOD=AJPERES
Corporate Governance Awards | Introduction
Ethical Boardroom North & Latin America award winners 2017
In the US, the dialogue around corporate governance is growing. At the start of 2017, the Investor Stewardship Group, a collective of some of the largest US-based institutional investors and global asset managers, launched with a mission to establish basic standards of investment stewardship and corporate governance for the US.
Roll on seven months and its membership has more than doubled, with 38 organisations now signed on to the mission, including HSBC Global Asset Management, J.P. Morgan Asset Management, Standard Life Investments and Walden Asset Management. The framework of basic standards for US institutional investors and boardroom conduct goes into effect on 1 January 2018, with the aim of giving organisations the time to adjust before the start of the 2018 proxy season. The initial focus will be on corporate governance principles, investment stewardship principles and the promotion of long-term value creation for US companies and the broader US economy. The framework is likely to have a major impact on how US companies govern themselves, and also improve how asset managers and owners conduct their fiduciary activities on behalf of clients.
Over in Latin America, directors believe that corporate governance has been addressed with greater depth by boards over the last couple of years and there is now an increasing focus on sustainability management. It is the consensus among 99 per cent of directors on the boards of more than 500 Latin American companies that sustainability creates financial value, according to a recent study released by GRI and global management consulting firm A.T. Kearney. Four out of five directors in Latin America link sustainability to the corporate strategy and the identification of risks and opportunities, or understand it as an integral part of the economic, social and environmental management of the company.
The Ethical Boardroom Corporate Governance Awards recognise and reward outstanding companies who have exhibited exceptional leadership in the area of governance. The awards highlight the important role that corporate governance plays in dictating a company’s success and a board’s contribution to the creation of long-term value. Ethical Boardroom is proud to announce its Corporate Governance Awards winners in North and Latin America.
The Winners | Corporate Governance Awards
THE AMERICAS WINNERS 2017
NORTH AMERICA 2017
FINANCIAL SERVICES: ROYAL BANK OF CANADA
TRANSPORTATION & LOGISTICS: THE CANADIAN NATIONAL RAILWAY CO. (CN RAIL)
CONGLOMERATE: HONEYWELL INTERNATIONAL INC.
MANUFACTURING: MAGNA INTERNATIONAL
PHARMACEUTICALS: PFIZER INC.
TECHNOLOGY: INTEL CORPORATION
INSURANCE: MANULIFE FINANCIAL
FOOD & BEVERAGE: PEPSICO INC.
TELECOMMUNICATIONS: TELUS
MINING: GOLDCORP INC.
UTILITIES: AVANGRID
LATIN AMERICA 2017
FINANCIAL SERVICES: GRUPO FINANCIERO BANORTE (GFNORTE)
TRANSPORT & LOGISTICS: GRUPO AEROPORTUARIO DEL CENTRO NORTE (OMA)
FOOD & BEVERAGE: UNION DE CERVECERIAS PERUANAS BACKUS Y JOHNSTON S.A.A.
MINING: CORPORACIÓN NACIONAL DEL COBRE (CODELCO)
CONSTRUCTION: GRUPO GRAÑA Y MONTERO
MANUFACTURING: NATURA BRASIL
CONGLOMERATE: GRUPO ARGOS
HOLDING COMPANY: GRUPO SURA
OIL & GAS: ECOPETROL
UTILITIES: EDP BRASIL
AIRLINES: LATAM AIRLINES
Corporate Governance Awards | Banorte
Banorte’s perfect vision
Investors, customers and partners sit at the heart of Grupo Financiero Banorte’s strategic plan to become the best bank in Mexico
AWARDS
WINNER 2017 LATIN AMERICA FINANCIAL SERVICES
Carlos Hank González
Chairman of the Board of Directors at Grupo Financiero Banorte
Grupo Financiero Banorte is a leading and profitable financial franchise in Mexico, serving more than 22 million clients through retail, wholesale and premium banking platforms, along with insurance and pension fund management units. In 2016, Banorte ranked as the second best financial group in Mexico by net results.
Its story so far can be divided into four stages. The first stage – from 1899 until 1992 – is a regional bank established in the northern part of Mexico, in which it went through both nationalisation and privatisation processes; the second – from 1995 to 2000 – is when it grew to become a financial group; the third stage is when it diversified its business base with companies, such as Banorte Generali (insurance and annuities), Afore XXI Banorte (retirement savings funds), Ixe (strong preferred banking and brokerage platforms), Afore Bancomer (retirement savings funds); and the fourth, ongoing stage, is the one in which it aims to turn into the best bank in Mexico through the strategic plan 20/20 – Perfect Vision. This plan is based on three pillars.
■■ Investors, for whom it seeks to generate added value and profitability
■■ Customers, whom it aims to serve more closely
■■ Partners, for whom it strives to offer the best conditions to develop
A five-year plan
In 2016, Banorte concluded the first year of its five-year plan with strong achievements in each of its established metrics, fulfilling satisfactorily each of the goals set for this period and laying solid foundations to grow sustainably in the future. On the financial side, the Perfect Vision plan aims to double profits and boost the return on equity (ROE) to 20 per cent in 2020. But how will this be achieved? Primarily, by increasing the cross-sales ratio from 1.8x to 2.2x with the help of analytics tools already in place.
Since 2013, Banorte has partnered with IBM on the Sumando transformation programme, which has already delivered a central data repository that serves as the starting point for a series of projects on business intelligence, client interaction, industrialisation, risk management, next best action/offer and multichannel sales, which are already providing a new and enhanced experience for clients. This central data repository is unified with the loans, cards, checking accounts and treasury platforms to give a full picture of the products that customers have and their indebtedness profile. Moreover, during 2016 Banorte leveraged this knowledge by increasing sales capacity through a new multichannel architecture, meaning it is selling not only through branches as it used to, but also through ATMs, contact centre, internet and mobile platforms.
Banorte has also put together an analytics department, which has successfully launched personalised campaigns. Currently, the analytics process is carried out manually but in the short term will be done online and in real time, which means that campaigns will receive feedback from former ones and will operate on a next best action strategy. Also, one of the processes enhanced by this programme is account opening: formerly, clients had to sign an agreement for each product and service, but now Banorte has implemented a single agreement, which will release branch employees from administrative paperwork so that they can focus on doing actual business with clients.
Recent performance
2016 was a challenging year in terms of the economic environment – nationally and internationally – as some of the events that occurred were considered unlikely. The news was centered on the UK’s referendum, which resulted in the decision to leave the European Union, as well as on the controversial election in the United States that ended in the victory of the Republican candidate. In the monetary field, the strengthening of the dollar led to a pronounced depreciation of most of the world’s currencies, especially in those of emerging markets and in particular of the Mexican peso; as well as to the materialisation of a more restrictive US Federal Reserve monetary policy that resulted in a cycle of rising rates.
In Mexico, despite a moderate GDP growth of 2.3 per cent in 2016, indicators related to domestic demand reflected a greater dynamism in household spending, recovery in the labour market, growth in the flow of remittances and increased availability of credit. Retail sales increased by 8.7 per cent in 2016, the highest growth rate in the past eight years. On the downside, the lower dynamism in manufacturing production reflected a poor performance of the external sector on a stronger dollar. However, the manufacturing industry of final goods, as in the case of automotive production, recorded improved performance due to the increased competitiveness of Mexican labour.
In the monetary field, the Mexican Central Bank decided to increase the benchmark rate by 250 basis points in 2016 and by 125 basis points during 2017, favouring expectations for the coming years in the banking sector by leaving behind historically low levels of rates since 2008. The financial sector has turned very competitive as participants aim to seize the economic environment and the expansion of domestic demand; therefore, banks have become very active, especially in the segment of consumer credit and financial products for individuals. Although the Mexican equity market showed little appetite for risk, still some companies and funds went public.
In terms of credit, the first quarter of the year evolved positively with excellent growth in virtually all segments, despite strong competition in consumer, commercial and corporate segments. Consumer loans increased 19 per cent year-on-year, partially on the back of business analytics. The long-term savings sector, comprised of the insurance and annuities companies and Afore XXI Banorte, which consolidates by the equity method according to its 50 per cent ownership, stood out in 1Q17 with a five per cent year-on-year growth in net income; all three companies benefited from long-term customer relations and profitability. The annuities company and Afore XXI Banorte continue as leaders in terms of assets under management (AUMs) and in number of pensioners.
Banorte reported record net income and further diversification of income sources. In 1Q17, performing loan portfolio and deposits increased annually by 10 per cent and eight per cent, respectively, improving asset quality as a result of adequate risk management. Operational and strategic leverage resulted in a relevant increase in recurring revenues and responsible spending growth.
The financial group’s net income for the first quarter totalled Ps5.53billion, showing an annual growth of 24 per cent. This is the result of good strategy execution, solid fundamentals, net interest margin expansion, stable cost of risk and sound business diversification. It is worth noting that operating results showed an annual growth of 35 per cent and recurring revenues increased by 28 per cent. Net interest income increased 16 per cent annually, reaching Ps15.55billion as of 1Q17. Core banking fees (account management, fund transfers and electronic banking services) closed the first quarter with an annual increase of 25 per cent. Moreover, trading revenues in 1Q17 registered a 66 per cent year-on-year increase due to better performance in derivatives and higher revenue related to foreign currency transactions. Furthermore, the efforts to improve efficiency amid an environment of higher inflation and sharp FX depreciation are reflected in the efficiency ratio, which improved to 44.5 per cent in 1Q17 from 46.8 per cent a year ago.
CSR and corporate governance
Banorte has developed a solid corporate and social responsibility programme, through which it supports initiatives aiming to achieve sustainable development, foster social responsibility in the pursuit of return of investment, convey awareness of sustainable development and environmental protection in day-to-day operations and integrate environmental protection in the operations of the bank. Such commitment has been recognised not only by Mexican institutions but also by international entities. For instance, GFNorte has been included in the:
■■ Dow Jones Sustainability Emerging Markets Index
■■ FTSE4Good Emerging Index of the London Stock Exchange
■■ Stoxx Global Climate Change Leaders Index
■■ Vigeo EM 70 Index
■■ Carbon Disclosure Projects
■■ IPC Sustainability Index of the Mexican Stock Exchange
■■ Bloomberg Financial Services Gender-Equality Index
Furthermore, Banorte maintains its commitment and adherence to the 10 Principles of the United Nations Global Compact on human rights, labour standards, environmental and anti-corruption practices – and to the Women’s Empowerment Principles, which seek to promote gender equality and empower women working at the financial group.
Regarding corporate governance, Banorte has always been committed to exceeding best market practices. On 28 April 2017, the company held the annual ordinary general shareholders’ meeting, in which the board of directors for 2017 was approved. The board is made up of 15 members, 11 of whom are independent. This 73 per cent representation of independent members exceeds the 25 per cent set forth in the legislation and the 60 per cent suggested by best international corporate practices. Moreover, the audit and corporate practices committee is comprised fully of independent members, ensuring transparency in operations, disclosure and in overseeing minority shareholders’ rights.
In 2016, Banorte’s bylaws were modified so any acquisition by the company or its controlled companies shall be passed through the ordinary general shareholders’ meeting if: (i) the amount of the operation represents five per cent or more of the company’s consolidated assets; and (ii) the counterparties are related parties. The modified bylaws also provide that the nomination committee be comprised of seven members of the board of directors – four of them independent members – and the chairman of the board, who will chair this committee. These initiatives aim to keep Banorte as a top-notch company on corporate governance, not only in Mexico, but on a global scale as well.
In 2016, Banorte was included in the STOXX Global Climate Change Leaders Index, becoming the only Latin American institution to be included in the index. It was selected to participate in the Sustainability Index FTSE4Good Emerging Index of the London Stock Exchange and is the only Mexican financial institution present in the Top 10 companies in Latin America of the index. Banorte is on course to fulfil its aim of becoming the best financial group in Mexico and for Mexicans.
Corporate Governance Awards | EDP Brasil
AWARDS
WINNER 2017 LATIN AMERICA UTILITIES
João Paulo Mateus
Compliance Director, EDP Brasil
Creating shared value and modern corporate governance
As one of Brazil’s largest electricity utilities, EDP Brasil is committed to the practices of business sustainability
EDP Brasil’s strategic planning focusses on creating shared value. The company seeks to sustain a high standard of corporate governance and sustainability to ensure creation of shareholder value, involving the control of market, financial and regulatory risks. Consequently, the company depends on the support of management systems aligned to strategy, as well as improved internal and external communication processes. To that end, EDP Brasil’s governance model follows the best market practices with strict transparency rules. It adopts several recommendations from the Brazilian Institute of Corporate Governance (IBGC) and undertakes the necessary commitments to integrate the Novo Mercado da Bolsa de Valores de São Paulo (BM&FBovespa – New Market of the São Paulo Stock Exchange), that ensure fair and equal treatment of shareholders, associates, customers and suppliers.
According to the company’s bylaws, the EDP Brasil corporate governance structure is comprised of the board of directors, executive board and consulting committees within the board of directors and a general meeting of shareholders. All members of the board of directors and the general and supervisory board sign a statement of consent for the Novo Mercado listing regulation.
STRATEGIC VISION EDP Brasil focusses on creating shared value
The board of directors
The highest governance level of the company, the board of directors is responsible for setting, reviewing and approving general business policies and guidelines, including risk aspects and defining the long-term strategy. It is also responsible for electing members of the executive board and monitoring their work, as well as supervising EDP Brasil’s performance and management. The members are elected at the general meeting for one year of office and re-election is permitted. In December 2016, EDP Brasil’s board of directors was comprised of seven members, four of them nominated by the controlling shareholder and three independent members.
Annually, the members of the board of directors perform a self-evaluation and an evaluation of EDP Brasil’s executive board, prepared through individual and confidential questionnaires that include financial, social and environmental aspects. EDP Brasil’s board of directors holds ordinary meetings every quarter. Extraordinary meetings may be convened whenever necessary by the chairman, the vice chairman or any two of its members jointly, upon written notification delivered five days prior to the meeting. In 2016, the board of directors met 16 times.
Comprised of up to five members, elected by the board of directors, the executive board takes the following positions: chief executive officer and investor relations officer; vice chief financial officer; vice chief of generation and sales officer; vice chief of grids officer; and vice chief of strategy and business development officer.
The executive board
Responsible for all topics related to the business administration, except those which the law or the bylaws assign to the general meeting or the board of directors, the executive board monitors the operational demands of business units. In weekly meetings, the executive board assesses the company’s economic, environmental and social development. The executive board is also responsible for the approval of the annual sustainability report.
Consulting committees
EDP Brasil also has four consulting committees to the board of directors, whose members are the directors themselves (audit committee, sustainability committee, corporate governance and related parties committee, and remuneration committee). Among the four committees, independent board members lead the audit and the corporate governance and related parties. The audit committee meets quarterly and the others hold at least one meeting a year.
Risk management
EDP Brasil has a corporate rule that has guided its risk management strategy since 2006. This rule is managed by the internal audit and compliance board, which directly depends on the company’s presidency and is responsible for identifying, monitoring and assessing risks and mitigating activities (action plans). In 2016, the board’s challenge was to change the internal public’s view regarding compliance, making sure that it went beyond respecting rules, regulations and laws – an area worked under a risk management viewpoint, an essential philosophy to business continuity. To this end, one of the initiatives was to revitalise the risk committee comprised of members from the EDP Brasil executive board. The committee meets every quarter.
Developed internally, according to the market best practices, EDP Brasil’s risk methodology is based on recognised structures and standards, such as COSO (Committee of Sponsoring Organizations to the Treadway Commission), enterprise risk management (ERM) and ISO 31000 (risk management). EDP Brasil adopts a series of strict internal control measures to mitigate risks of corruption, bribery, money laundering, insider trading, price fixing, child labour, slavery or forced labour, among others, in 100 per cent of the company’s operations. In 2016, a new compliance assurance process was implemented in relation to third-party agreements.
BRAZIL POWERHOUSE EDP serves 3.1 million customers in Brazil
Code of ethics
The code of ethics sets ethical principles and boundaries that govern all EDP Brasil practices and businesses in all regions where it operates, respecting the legislation in force as well as the commitments undertaken to stakeholders (associates, customers, shareholders, suppliers, community and government). The goals are to ensure a high level of individual ethical awareness, minimise the risk of corporate unethical practices and keep a corporate culture based on values, such as transparency, trust in relationships and accountability for decisions. Among its principles are compliance with legislations, integrity when handling financial matters, fight against corruption, bribery and conflicts of interests, proper use of information and assets, respect for human and labour rights, transparency and corporate social and environmental responsibility.
Attached to the agreements signed by all suppliers and service providers is a printed copy of the code of ethics, which is also given to newly hired associates who undergo a special training on its content during the integration process. Additionally, it is available on the company’s website, which also hosts an ethics channel to receive reports, anonymous or identified, about conduct that violates the code of ethics principles, internal policies and local legislation. Such reports are also accepted by letter, email or telephone.
In 2016, 33 cases were registered on the channel – the same number as registered in 2015. All of them were reviewed by the ethics committee, which determined disciplinary measures for every case always and only when justifiable. This committee was created in 2006. Although it is not a consulting committee from the board of directors, it is an extremely important entity for the company and its chairman is also EDP Brasil’s CEO, working alongside eight members – four of them from the company’s executive board. In monthly meetings, the committee reviews, monitors and decides on ethics issues reported by areas or received through the contact channels available. Every three months, any unethical conduct is reported to EDP Ethics Provider in Portugal, which is the centre for all complaints of such nature in the entire EDP Group. In 2016, no cases of corruption involving EDP Brasil were registered.
HEALTHY CORPORATE CULTURE EDP Brasil aims to ensure a high level of individual ethical awareness
Global News North America
ICGN appoints new board members
Paul Schneider, head of corporate governance at the Ontario Teachers’ Pension Plan, has been appointed to the board of the International Corporate Governance Network (ICGN). Established in 1995, investor-led ICGN promotes effective standards of corporate governance and investor stewardship to ‘advance efficient markets and sustainable economies worldwide’. Paul Schneider, who has led the corporate governance function at Ontario Teachers’ since 2010, was appointed alongside two other new board members – Ian Burger, head of corporate governance at Newton Investment Management in the UK and Dana Hollinger, a board member at the California Public Employees’ Retirement System in the US.
Demand for CEO activism on the rise
Millennials, more than any other generation, want CEOs to take a stand on political issues and champion their values, according to a study by Weber Shandwick and KRC. The research found that almost half of millennials (47 per cent) believe CEOs have a responsibility to speak up about issues that are important to society. Forty-four per cent of 1,021 US adults aged 18 and older say they would be more loyal to their organisation if their own CEO took a public position on a hotly debated current issue. Leslie Gaines-Ross, chief reputation strategist of Weber Shandwick, said: “For companies looking to increase sales, recruitment, innovation and word of mouth, millennials’ bias toward CEO activism should not be overlooked. This generation is heavily purpose-driven and is already changing the game when it comes to how we work and where people want to work.”
High CEO pay ratios ‘not so bad’
High pay ratios for CEOs are associated with better corporate outcomes, both in terms of accounting performance and stock performance, a new study has found. Researchers at Singapore Management University and Oakland University analysed 817 companies, whose CEOs had mean total annual compensation of around $7.8million and whose workers’ mean pay was roughly $74,000. The investigation identified that companies with higher CEO pay ratios are more likely to make acquisitions that added value to the firm. And, they are more likely to oust CEOs who deliver lacklustre results. A company whose CEO-to-worker ratio was near the 85th percentile was found to have a return on assets that was 13 per cent higher than companies at the median.
Shareholder sues Arconic over London fire
New York-based building materials company Arconic has been accused of defrauding shareholders over its supply of cladding panels used at Grenfell Tower (above), the London high-rise where at least 80 people died in a fire in June. Arconic shareholder Michael Brave has filed a lawsuit against the company for allegedly failing to disclose its use of ‘highly flammable’ panels prior to the blaze. Brave believes shareholders were deceived by Arconic’s ‘inadequate disclosures’ regarding the panels and claims the company’s public statements were ‘materially false and misleading at all relevant times’. Arconic’s share price fell 21 per cent between 14 and 27 June after the company said it would stop selling the panels for use in high-rise buildings.
San Francisco silences salary chatter
Employers in San Francisco will be prevented from asking potential employees about their salary history following the introduction of a new city law. The law, which will come into effect next year, is part of a drive to narrow the wage gap between men and women. In San Francisco, women are paid 84 cents for every dollar a man makes. Proponents say asking an interviewee about their salary history compounds the problem. “If you have a practice that relies mostly or completely on someone’s prior salary in setting pay, that disadvantages women who may not negotiate as much as men, and will perpetuate any disparity that already existed,” said Maya Raghu, director of workplace equality at the National Women’s Law Center.
Photo: ChiralJon on Flickr.com
Activism & Engagement | Activists
Successful activism – what does it mean?
Understanding how activists get paid will enhance corporates’ sensitivity to their shareholders and their ability to respond to a campaign
Cas Sydorowitz
CEO at Georgeson Corporate Advisory
Shareholder activism has taken its place as a major feature on the corporate landscape, whether companies like it or not. Companies worldwide have seen an increase in the number of activist campaigns, with US investors leading the charge. Interventions at companies headquartered in Europe were up 35 per cent from 2015 to 2016, a trend that shows no sign of slowing down in 2017. More and more campaigns are undertaken in Europe every year. For example, we have noticed a rapid increase in Germany; most likely activists have gained the confidence to tackle Germany’s two-tier board structure following TIC’s high-profile fight at Volkswagen. CNBC records a 170 per cent increase in activist campaigns in the UK since 2011.¹ With Activist Insight recording that in 2016, 67.5 per cent of activist campaigns were successful, they are an asset class to pay attention to. A question remains, however: how do you quantify success in activism – and success for who?
Qualifications of success for an activist can be considered in a number of different ways
Understanding how activists get paid is fundamental to this discussion. Most activists charge a fee structure of two per cent of assets under management and 20 per cent for the success of specific trades. This 2:20 model focusses the activist on a few targets and when they proceed they have a high degree of certainty, given the reputational risk and the returns on the deep research conducted on the specific stocks, both internally and using external advisors. Success for the activist can be measured in three ways:
1. Achieving their stated aim
If an activist can achieve his/her objectives without calling a meeting or running a very media-intensive campaign, that is the best outcome. Secondly, putting those same demands to shareholders and getting them approved, either through a meeting or widespread pressure, allows the activist to continue to unlock value. Those are usually interim steps in a wider plan to create more value for all shareholders.
Activists’ objectives can tackle a variety of corporate issues, with the highest percentage focussing on board-related interventions. Activist Insight records that 49.5 per cent of all activist campaigns conducted in 2016 were board-related and 48.8 per cent have been so far in 2017. The second most common activist demand focuses on issues of governance. The ways in which an activist goes about achieving his/her aims will depend on geography and the size of the holding. In the US, activists tend to achieve their stated aim by building a stake in the company and then engaging the media to spread word about what they believe needs changing. They will publish open letters to the CEO along with letters to shareholders, imploring them to vote in line with the activists’ proposals. European activism has frequently been considered to be a more private affair, with settlements being made behind closed doors and cooperation between the activist and the corporate being demonstrated. It is estimated that around 50 per cent of European activism never enters the public domain.² The US activist strategy has resulted in them being described as ‘corporate raiders’; however, a visible change in trends is occurring. We are seeing more European activists employing more US-style tactics, including media fanfare, microsites and public feedback from other investors.
2. Financial success of activist fund
Activists won’t just launch into a proxy fight on a whim; they take their time to conduct extensive research and hire multiple advisers to support them in their campaign. Activists will invest the equivalent of one to three man years of research in private equity-style due diligence. Financial success for an activist comes from unlocking material value in the stock of the target. They take their time to unlock this value. They make money when the stock price of their target goes up as a result of achieving their aims directly, or subsequently when the company is taken out. RBR demonstrated the virtue of patience after it successfully placed a nominee on the board of Gategroup in 2015. This meant that by 2016 it was well placed to realise greater value through the sale of Gategroup to HNA instead of remaining independent.
3. Marketing from the success of an activist campaign – attracting new clients
Critics are increasingly aggravated by activist campaigns that seek to boost their own profile. In 2014, the Financial Times published an article titled ‘Activism has become a marketing strategy’, in which it wrote that sentiment towards activism was short-term and opportunistic to catch the ear of the institutional investors.³ Successful campaigns, particularly those that generate a large media buzz, will attract more investor clients to the activist. Bringing in more clients also creates incremental value and allows the activist to look at more opportunities and perhaps even bigger targets. This is where the two per cent of assets under management for their fees starts to kick in.
What does success look like for a company?
1. Activist takes a stake in the company and exits again without going public or making any demands
In some situations, an activist may take a stake in the company and exit again without attempting to implement any changes. This activity implies that the stock price has closed the valuation gap the activist originally identified. Sherborne Investors, having successfully generated returns of an estimated 70 per cent at F&C Asset Management, invested in 3i. Its holding never evolved into an activist campaign, and it exited its five per cent holding with a 38 per cent gain. It then entered the stock at Electra Private Equity with the profit generated from 3i and, through a very public fight, was elected to the board. Ed Bramson, head of Sherborne Investors, was recently elected as interim CEO and he ousted the manager Electra Partners. Sherborne holds a 29.9 per cent stake.
It is easier to pick a stock and let the valuation gap narrow on its own without having to run a very public and acrimonious proxy fight. It is worth noting that activists don’t select targets specifically to run proxy fights; instead, in order to create more value, they pick good companies that are mispriced in the market where there are levers to be pulled. If the value can be realised without having to pull any levers, the activist will create value without spending fees for advisors.
2. Ensuring continued support for the existing management and strategy
Nothing takes the wind out of the sails of an activist campaign like a loyal and supportive shareholder base. The greatest factors that cause institutional investors to back an activist campaign are the failure of management to listen to shareholder concerns, underperforming share price and a poorly communicated strategy. Worse still is the absence of trust that the board can execute on that strategy. Successfully surviving an activist campaign is, in part, dependent on the continued support of shareholders. Recently at GAM, a Swiss asset manager, investors backed the incumbent board over activist RBR’s dissident slate. Remarkably in this situation, shareholders (such as 19 per cent holder Silchester) backed management despite proxy advisors ISS and Glass Lewis recommending in favour of RBR’s nominees. Support from shareholders comes from ongoing and regular interaction with the management and the board. It requires a frank and honest dialogue.
3. The successful growth of the share price, as well as the divisional performance, and the reduction of costs
Much of the media coverage surrounding activism advises on how best to survive or resist an activist campaign. However, cooperation with a thoughtful activist can result in success for both sides. It begs the question: why don’t boards embrace more of the activist demands? Even so, it is unlikely that any activist will be met with open arms just yet, as companies continue to see activist involvement as negative. A NYSE Governance Services Report found that only 13 per cent of directors (polled from 300 directors of publicly traded US companies) would welcome an activist’s involvement and that 84 per cent believe it would create a negative distraction.⁴ Despite this, a McKinsey&Company study from 2014 concluded that shareholders ‘generally benefit’ from activist campaigns.⁵ The study of 400 US activist campaigns found that the median activist campaign reverses the target company’s weakening performance and generates returns that persist for at least three years. The debate rages on about whether an activist campaign is beneficial or detrimental for a company long term. For now it seems that activism tends to improve corporate performance; however, few boards are likely to embrace any external meddling. Activists are trying to create more value for all shareholders; their goals should be perfectly aligned with other investors and the board. Most investors who hold hundreds or thousands of stocks in their portfolio cannot dedicate the resources to push for change at their portfolio companies. As classic investors recognise that activist input can create enhanced alpha for their portfolios, we will most likely see more support for European campaigns, similar to those in the US. Success is subjective. Understanding how boards are paid and how activists are paid holds the key to determining who success rewards the most.
¹ http://www.cnbc.com/2016/05/09/activistinvestors-more-good-than-harm.html
² https://www.jpmorgan.com/jpmpdf/1320656894344.pdf
³ https://www.ft.com/content/5d5209b2-1d6411e4-8b03-00144feabdc0
⁴ https://www.nyse.com/publicdocs/Shareholder_Engagement_Survey_Report_2016.pdf
⁵ http://www.mckinsey.com/businessfunctions/strategy-andcorporate-finance/our-insights/preparing-for-bigger-boldershareholder-activists
Activism & Engagement | Investors
Proxy voting in Spain: the investors’ autumn
There will be no ‘shareholder spring’ for Spain, but autumn will bring new responsibilities and activities for investors
Juan M. Prieto
Founder and Managing Director of CORPORANCE ASESORES
In Madrid, we complain about the non-existence of a true spring season. After a cold but dry winter, followed by unstable and rainy weeks, a heatwave invades the country and temperatures suddenly rise to nearly 40°C and remain there throughout the whole summer period. Then we enjoy a long and mild autumn with wonderful weather while we prepare for the next season.
During recent years, while US, UK, German, French and other European companies have been facing a shareholder uprising, with investors starting to raise their hands and challenge their agendas at the annual general meetings (AGMs), Spanish and Portuguese companies have remained relatively quiet, with a few exceptions. Their investors, far behind their European peers, have not shown great interest in matters such as corporate governance, responsible investment or engagement. When voting, and only for domestic companies, they would usually support the board proposals without much analysis or discussion. This approach is fast evolving and, with the new EU Shareholders’ Rights Directive (SRD II), Iberian asset managers and insurance companies will be encouraged to improve transparency and active investment. No spring then, but after the summer, autumn will bring new responsibilities and activities for investors. The birth of the first Spanish proxy advisor, CORPORANCE, member of the international partnership of independent proxy advisors Expert Corporate Governance Service (ECGS), is another milestone in this process. It will increase the presence of the Spanish and Portuguese markets on the proxy map, both providing a better understanding of local practice globally and introducing international practices of voting and engagement policies for their investors.
Proxy voting in Spain and Portugal
In terms of voting, Iberian markets do not differ much from other European countries. Average participation in AGMs (last three years, as percentage of total capital) in Spain was about 68 per cent and Portugal 72 per cent. Western Europe averages 66 per cent, ranging from 73 per cent in the UK and 70 per cent in France to 52 per cent in the Nordic countries. We can see in Figure 1 below the typical shareholder structure of a listed Spanish company, also showing the level of participation in the AGMs within the different groups. Strategic investors still count for roughly one-third of the capital and they usually vote massively in favour of the board proposals. Retail shareholders withdrew slightly from equities during the financial crisis but are coming back now to levels near 20 per cent. Their current voting rate is around 38 per cent, quite high for retail investors. Different legal initiatives to foster electronic voting and minority investors forums have not achieved the desired objectives; direct actions from listed companies have had more success in this sense.
FIGURE 1: SPANISH SHAREHOLDER STRUCTURE
Foreign Investors: 42% (voting 62%)
Strategic Shareholders: 31% (voting 95%)
Spanish Retail: 17% (voting 38%)
Spanish Institutional: 10% (voting 40%)
In Spain, foreign institutional investors follow similar patterns to those of other markets, with an average participation of 62 per cent, the highest of the free-float constituents. Depending on their country of origin, this participation ranges between around 70 per cent for US institutional investors and 10 per cent for their German counterparts. In Figure 2, we can observe the evolution over the last decade. The precipitous decline in participation rates among local institutional investors in Spain since 2013 is telling as current rates are dwarfed by those of US and UK investors. The message could not be any clearer: Spanish institutional investors have regrettably failed to effectively engage with issuers on their home turf. As mentioned above, Spanish institutional investors do not play an active role in local AGMs. Representing less than 10 per cent of capital, only 40 per cent of them vote, just over the retail tranche and usually in favour of the agenda proposals, delegating their vote to the board. Their voter turnout and engagement at AGMs in companies they invest in outside of Spain is negligible, a behaviour which strongly contrasts with that of their European peers.
FIGURE 2: INSTITUTIONAL INVESTORS’ VOTING IN SPANISH AGMs
[Chart: voting performance (%) of institutional investors from the USA, UK, Spain, France and Germany, 2011–2016]
Spanish general meetings
Figure 3, below, shows the most contentious items during the last AGM season in Spain. We observe an increase in average opposition rates over the last three years. The higher dissent is due to an increased weighting of independent shareholders, but also to the creation of several Spanish boards. Unlike other European countries, the highest level of opposition is not about remuneration-related items, but is more related to the appointment of non-independent directors, in particular the ‘proprietary directors’ (13.4 per cent), a classic Spanish figure (‘consejeros dominicales’: directors representing a strategic shareholder, or more than three per cent of capital). Remuneration-related items are also contentious, with an average opposition rate of eight per cent. In 2016, we saw a rejection of both the remuneration policy and report in an Ibex-35 company. Capital and voting limits are also of concern, due to significant opposition regarding the authorisation to issue convertible bonds and to increase the share capital without pre-emptive rights. These resolutions are almost standardised in Spain (up to 50 per cent of the share capital with the possibility to exclude pre-emptive rights in connection with 20 per cent of the share capital), with no or little reference to the actual needs of the company. Again, Figure 3 shows this behaviour in more detail. Dissidence from voting recommendations of proxy advisors ranges from roughly 10 per cent to 40 per cent, depending on the companies and markets. Again, remuneration, board composition and capital are the most contentious topics. Actual opposition, albeit significantly increasing, is noticeably lower, ranging from less than one per cent to almost 10 per cent in some cases, with an average in European AGMs of four per cent. At Spanish AGMs, the average dissidence ratio was 2.9 per cent while in Portugal it held at a higher 3.6 per cent.
International investor codes
In the US, mutual and pension fund managers have been obliged to exercise their voting rights since 2003. This rule has created a global practice that has spread overseas. The Organisation for Economic Co-Operation and Development (OECD) Principles of Corporate Governance of 1999 were updated in 2004 to add stewardship duties to institutional investors. In Germany, France, Holland, Switzerland and Denmark, responsible investment codes have been enacted with strong recommendations to enhance transparency and apply effective governance criteria to investment decisions, disclosing their voting and engagement policies, under the ‘comply or explain’ principles. Since 2014, the UK Stewardship Code of 2010 has been updated together with the UK Corporate Governance Code to show how duties and interests of both issuers and investors come together to achieve sustainable profits and long-term growth for companies. As a result, participation of European shareholders has improved significantly, not only in their local markets but also in other European and international markets, in line with their portfolios. No such investment or stewardship code exists in Spain or Portugal. In Spain, only the Funds Regulation in 2015 sets up the obligation to vote for those shareholders holding more than one per cent of a (Spanish) listed company for at least 12 months, unless there are clearly explained reasons not to do so. As a result, since it is unusual to reach this threshold, asset managers have decided not to develop voting guidelines and engagement policies until it becomes compulsory. In addition to the lack of obligation (or strong recommendation), other reasons to remain inactive are processing costs, unwillingness to take on responsibilities, little ability to influence company decisions or reluctance to get involved in potential conflicts.
FIGURE 3: MOST CONTENTIOUS ITEMS IN SPAIN 2016
SAY-ON-PAY
Remuneration policy: 10.1%
Remuneration report: 7.9%
Long-term incentive plans: 6.6%
BOARD
Proprietary directors: 13.4%
Non-executive non-independent directors: 11.4%
Executive directors: 5.6%
Independent directors: 2.0%
CAPITAL
Issuance of convertible bonds: 10.2%
Share capital increases without pre-emptive rights: 8.8%
New regulations and obligations for investors
On 17 May 2017, we saw the adoption of the new 2017/828 Directive of the European Parliament and of the Council amending Directive 2007/36/EC regarding the encouragement of long-term shareholder engagement. The new requirements will help institutional investors and asset managers to be more transparent in their approach to listed companies. They will have to develop and publicly disclose a policy describing how they integrate governance criteria in their investment strategy and the engagement activities they carry out. Major European markets have approved policies and codes to manage this regulation from 2007. Member states will have two years to transpose the directive. For those countries, such as Spain, Portugal, Italy and others, it will represent an excellent opportunity to get up-to-date, and a challenge for regulators. Institutional investors in these countries will have to adopt international standards and mirror their peers’ behaviour as to transparency and active engagement.
There is no need for more corporate governance codes for issuers in Spain. The first Olivencia Code of 1998 was followed by the Aldama Report in 2003, the Unified Code (or ‘Conthe Code’, 2006) and the recent Good Governance Code of Listed Companies of 2015 (CNMV, the Spanish regulator), all underpinned by new rules under the revised Companies Act of 2014, completing the picture. However, there is a missing piece: not a single code for investors, other than the aforementioned soft obligations for mutual and pension funds.
Spanish investor behaviour
After more than a decade of efforts to strengthen the corporate governance of listed companies, Spanish corporations have reached international standards, even though there is still room for improvement in some aspects, such as board independence, remuneration and transparency (see Figure 3). Now it is time for the buy-side – the Spanish institutional investors – to manage their fiduciary role and act as responsible owners of the companies they invest in. After all, this is a dual responsibility; it defeats the purpose if companies improve but investors shirk their duty to monitor or, more aptly put, ‘it takes two to tango’. Another survey among Spanish asset managers highlights some interesting points: one-third declared that they never vote, and only one-quarter vote in more than 20 companies. This implies that not even companies on the Ibex-35 are monitored regularly from a corporate governance standpoint by their domestic institutional investors. Furthermore, the use of proxy advisors’ recommendations is scarce or almost non-existent. And of those voting, the vast majority neither disclose their vote nor receive confirmation from the company. Making matters worse is the fact that institutional investors have no structure in place to accommodate voting decisions, which are typically delegated to investment managers with other priorities or supporting staff. In a recent survey, 60 per cent of Spanish asset managers declared not to have developed a voting policy and 40 per cent not to have carried out engagement activities with their investees. Almost 80 per cent, however, showed interest in corporate governance matters. It is time to convert desire into action.
Proxy advisors: CORPORANCE joins ECGS
The lack of a Spanish proxy advisor has not helped with this process. Most global institutional investors rely on the advice of these voting consultants to carry out their fiduciary duties. Otherwise it would be impossible to manage the voting process of thousands of companies in their portfolios. US advisors were the first to be created and are still the largest, following their asset managers’ obligation to vote. In Europe, Germany’s DSW, Proxinvest in France, Ethos in Switzerland, Frontis Governance in Italy and the UK’s Manifest were formed to help the needs of their local investors to fulfil their investment and engagement duties. In 2001, they set up the European partnership ECGS, to join forces and extend service coverage globally, while retaining in-depth local market knowledge and independence. Every year, their members analyse and discuss voting results and governance levels to prepare and publish the ECGS Corporate Governance Principles and Voting Guidelines. CORPORANCE has just joined the alliance as representative for Spain and Portugal, to contribute with local knowledge of these markets and help institutional investors to adopt European best practices and international transparency standards, in order to improve corporate governance in the Iberian markets. The Spanish proxy advisor will adhere to the Best Practice Principles for Shareholder Voting Research Providers and will publicly disclose its corresponding policies and activities.
The Spanish autumn
Challenging times are ahead. Like issuers, Iberian investors will have to evolve in terms of transparency and stewardship. We may have missed out on a shareholder spring but we are prepared for a long and eventful autumn. The evolution of the regulatory landscape in Europe, particularly with the arrival of the much-anticipated EU SRD II, has the potential to transform local investor behaviour, upending decades-old practices and ushering in a new era of shareholder engagement on a par with that of other markets. In Spain and Portugal, all players will work collectively for the sake of improved transparency and governance. Markets, regulators, intermediaries, proxy advisors and especially institutional investors must rise to the occasion.
Activism & Engagement | Human Rights
Navigating expectations on human rights
The United Nations’ reporting framework for business can help companies and investors improve ethical and financial performance
Hanna Roberts
CEO for GES International
Human rights is a vast area to handle for companies and investors alike and the link to materiality is not always clear.
Corporate-related wrongdoing can include issues as diverse as alleged violations of human rights in relation to hydropower or mining projects; impacts on indigenous people’s rights; and human and labour rights issues in the supply chain of commodities, from cocoa to cotton and palm oil, laptops to tablets and smartphones. There is a wide variety of corporate responses to human rights – from companies being unwilling to discuss the issue and not disclosing any human rights programmes, to companies proactively disclosing an increasing amount of material on preparedness and performance on various human rights topics. Variations in transparency can depend on many things, such as material risks connected to human rights issues, exposure to responsible investors and other stakeholders, size of the company, national context, company culture, as well as risk exposure. The consequences for a company with poor human rights policy and programmes are elevated risks, both reputationally and financially – for instance, protests, large legal fines and consumer boycotts, as well as being deselected as a preferred employer or as a business partner or supplier. So how should a company or investor navigate the field of human rights and what are the tools that can be of aid?
An obligation to protect
There is an underlying and well-known Universal Declaration of Human Rights, adopted by the United Nations (UN) in 1948, and its codes: the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR), together with the principles concerning fundamental rights in the International Labour Organisation’s eight core conventions – as set out in the Declaration on Fundamental Principles and Rights at Work. Six years ago, the UN Human Rights Council unanimously endorsed the UN Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework (UNGPs), which were developed by the special representative of the UN Secretary General, Professor John Ruggie. The UNGPs addressed the issue in respect to transnational enterprises.¹ The UNGPs state that business enterprises have the responsibility to respect human rights wherever they operate and whatever their size or industry. Some of the core concepts for companies to develop and implement in relation to human rights are on policy, due diligence and remedy. Corporations should publicly commit to respect human rights and embed this policy in all parts of the organisation. Furthermore, companies should perform due diligence and investigate the most salient human rights risks. For instance, a corporation should assess the scale of the potential impact – how serious is the risk, e.g. are resettlements necessary due to the company’s operations and have those affected been adequately consulted and fairly compensated for their losses? Are migrant workers’ labour rights respected while building a new football stadium? Does the company have an effective monitoring and remediation system in place to ensure child labour is not prevalent in its agricultural supply chain? Will the local government ensure consultation and consent from project-affected indigenous peoples and what can the company do to support and ensure such rights are respected? Companies should also address the scope and number of people who are potentially affected in order to assess how salient and material these risks are. There will be a need to prioritise the actual or potential violations of human rights. Companies are increasingly asked by investors, consumers, media and non-government organisations (NGOs) to understand and handle these risks and use their leverage to ensure the respect of human rights wherever possible. Impacts on human rights can often converge with risks to the business as well. Apart from making a positive contribution in society and avoiding harm, there are often strong business cases for human rights – employees and business partners are motivated to work for, or with, a respectful company, legal risks decrease, long-term relationships can be built with communities close to operations, to name a few. If the situation has already turned bad, then there is a need to address and provide remedy options to those affected. The UNGPs also provide practical guidance on how remedy can be provided in the form of grievance mechanisms, i.e. appropriate channels where those affected can file claims and have them investigated and, ultimately, be compensated through a reliable process. There is a growing number of best practice examples in this particular area that companies can learn from. Other important features in the area of business and human rights include an understanding of transparency, follow-up and communication. Communication can take a variety of forms, including face-to-face meetings, online dialogues, consultation with affected stakeholders, and formal public reports. Ensuring a consultation process and obtaining consent from indigenous people affected by, for example, a large infrastructure project, is a right that is protected under The Indigenous and Tribal Peoples Convention (ILO 169) and United Nations Declaration on the Rights of Indigenous Peoples. By engaging stakeholders, including local and indigenous people, companies can ensure they comply with international norms and gain what is often referred to as the ‘social licence to operate’. They also mitigate the risk of
violating indigenous people’s rights and the related potential consequences, such as protests, road blocks, violence and other security issues. In order to assist companies navigating how to approach and report on complex human rights issues, the UN Guiding Principles Reporting Framework was developed in 2015 by the Human Rights Reporting and Assurance Frameworks Initiative (RAFI).2 It is backed by an international investor coalition representing more than $5.3 trillion in assets under management and companies in a number of sectors and countries are already using the framework for public reporting. It is useful for companies, as well as investors and active owners, as it provides a common set of questions to ask and respond to. As an investor advisor, we find it useful to frame dialogues around human rights policy, due diligence (or human rights impact assessments) and disclosure based on the reporting framework.
According to a report by Shift, a non-government organisation whose mission it is to put the UN Guiding Principles into practice and who assisted Professor Ruggie in developing the UNGPs, the majority of the 74 companies assessed in 2017 disclosed human rights due diligence at a highly abstract level, making it difficult to understand how processes are implemented in practice and whether they are effective or not.3 In order to further back the public reporting, Shift created the online UNGP Reporting Database in 2016 to support the awareness and sharing of information regarding human rights reporting.4 The database does not rank or rate companies but can help find examples of leading practice that can inspire other companies.
The recently published Corporate Human Rights Benchmark further helps investors understand the performance of a company in the areas of policy, due diligence, remedies, practices, responses and transparency.5 The benchmark is not only a snapshot in time, but also an opportunity to engage and initiate conversation. In the first benchmark, three sectors known to have significant impacts on human rights were investigated (extractives, apparel and agricultural products).
Implementing human rights across a company’s activities and business relationships is not an easy task. It takes commitment, resources and time to embed respect for human rights. It is important to be patient when dealing with these issues. It can take more than a year for a company to adopt a policy, a further one to two years to ensure that the policy is effectively executed and then some further time before the company feels confident to report publicly on human rights performance. As investors, it is important to recognise the leaders and use their work as examples of best practice for companies embarking on the journey on human rights.
1 The UN Guiding Principles on Business and Human Rights. http://www.ohchr.org/Documents/Publications/GuidingPrinciplesBusinessHR_EN.pdf
2 The UN Guiding Principles Reporting Framework. http://www.ungpreporting.org/
3 Human Rights Reporting: Are companies telling investors what they need to know?, SHIFT, May 2017
4 The UNGP Reporting Database: http://www.ungpreporting.org/reportingdatabase/
5 Corporate Human Rights Benchmark. https://www.corporatebenchmark.org/
Activism & Engagement | Executive Pay
Patrick Haggerty & Ira T. Kay
Patrick is a Partner & Ira is Managing Partner at Pay Governance in New York
Activist shareholders and executive compensation
Activist shareholders often apply pressure to curb remuneration levels and plans
Broadly speaking, hedge funds have one common goal – to maximise returns to their investors. Some hedge funds use an investment strategy called activist investing, which involves buying a relatively large stake in a company to pressure management to make changes, such as cost savings, spin-offs and hiring new management. In some cases, management will negotiate with the activist shareholders. In other situations, activist shareholders conduct proxy contests to gain control.
CEO pay is an easy and obvious target for many activist shareholders as a lever to pursue their broader agenda that includes a desire for more board seats, changes in top management, or the pursuit of strategic change. The involvement of activist shareholders exacerbates the risk of ‘high pay and low performance’ situations for compensation committees. Creating aligned CEO pay for performance is very challenging in the current macroeconomic and regulatory environment. Each company has its own set of circumstances to ensure that the executive team is motivated and shareholders are satisfied (expressed via successful say-on-pay votes). This alignment frequently requires careful private analysis, negotiations and resolution under uncertainty. New shareholders with perfect hindsight may not agree with the prior decisions. Thus, good corporate governance and careful decisions about CEO compensation will be needed to withstand the potential pressure imposed by this type of investor.
We base this assessment on our direct experience with roughly 10 activist
shareholders, plus a review of proxy statements where activist shareholders are compensation committee members. Each situation is unique, but there are some common themes. First, we provide our observations regarding an activist shareholder’s pitch to a target company’s shareholders to solicit votes for their recommended board slate. Next, we provide commentary regarding actions taken by activist shareholders when they become members of the target company’s compensation committee. In these circumstances, management and existing board members need to be open to valid suggestions regarding potential improvements to its executive compensation programme. However, we also provide strategies and analysis that can help provide justification for the executive compensation programmes and decisions.
Activist shareholder pitch documents
Typical activist solicitations involve requests for board seats so they can influence strategy and tactics, including executive compensation. However, occasionally, activists use proxy contests to solicit votes to increase their board membership. Proxy contests receive a considerable amount of press coverage due to the high stakes and personal criticisms that activist shareholders often make against the company, its board of directors and its chief executive officer. When activist shareholders directly pitch their rationale to a company’s shareholders to vote for their proposals, they provide the business case for change that often focusses on executive compensation and governance issues. Common executive compensation-related themes that we have observed in these pitch documents are detailed below.
Identifying pay-for-performance misalignment
Activist shareholders generally start out identifying a pay-for-performance misalignment with a variety of analyses. The most common approach is to simply comment on the history of annual bonus payouts expressed as a percentage of target compared against year-over-year total shareholder return (TSR) and/or key financial results. This type of analysis can be compelling to show pay-for-performance misalignment if annual bonus payments have paid above target year-over-year while annual TSR declined during the same period. The compensation committee is generally criticised for making consistently poor choices of paying incentives when TSR is declining.
In a related analysis used by activist shareholders, they show realised pay compared to TSR. While definitions of realised pay vary, a common definition is the sum of salary, bonus paid, earned performance shares, vested restricted stock and the gain from stock option exercises. Realised pay is generally calculated over the CEO’s tenure or over a three-year or five-year period. This type of analysis can be compelling to illustrate a pay-for-performance misalignment if the CEO is realising pay above target levels while TSR declined during the same period.
Activist shareholders will also show cumulative CEO pay over his or her tenure compared to TSR over the same period. The optics of this analysis can be embarrassing because the information is gathered from the summary compensation table (SCT) of proxies, which is mostly comprised of target pay as opposed to realised pay. The graphic typically shown by activist shareholders shows SCT pay increasing while TSR is declining.
And finally, we have seen examples where activist shareholders challenge the appropriateness of non-generally accepted accounting principles (GAAP) adjustments that are applied to incentive metrics. Activist shareholders will challenge adjustments to non-GAAP metrics especially if they significantly increase incentive payouts. However, we believe that most companies will continue to use non-GAAP incentive metrics because such measures provide management with the best line of sight and investment analysts will continue to rely upon adjusted metrics. We also expect companies to begin enhancing the disclosure of this topic in the compensation discussion and analysis by providing a rationale for using adjustments and, potentially, a reconciliation of actual reported results to adjusted results used to determine incentive awards.
Illustrating lagging relative total shareholder returns
While related to pay-for-performance misalignment, activist shareholders also make a point of illustrating the company’s lagging relative total shareholder returns. These common types of relative TSR analyses are typically calculated over the CEO’s tenure and previous one, three and five years. Depending on the circumstances, the
company’s TSR results are shown relative to industry peers and a broad index.
Detecting corporate governance concerns
It is common for activist shareholders to identify potential corporate governance concerns at the target company. Some of the concerns can be personal in nature and involve criticism of board member background, relationships and experience. This tactic is taken because they want to replace those board members with a slate of their own board members. Other governance concerns expressed by activist shareholders include compensation committee members that approve a peer group that is much larger than the company (so called ‘cherry picking’) and bonuses, despite a lagging stock price. And finally, activist shareholders will cite proxy advisors’ negative comments about the target company. Some of the proxy advisors can be influential in terms of the weight of their comments and impact on actual voting recommendations.
The impact of activist shareholders on a compensation committee
When shareholder activists get seats on the compensation committee, the executive compensation areas that are commonly focussed on include pay process, pay designs and pay levels. In our experience, the board members that shareholder activists recommend are very experienced and knowledgeable in these areas.
Pay process
The shareholder activists start with a review of the company’s compensation philosophy that drives executive programmes and levels. The compensation philosophy typically covers a review of strategic oversight of: compensation programmes (e.g. develop and maintain the compensation strategy/philosophy; review and approve all compensation and benefit plans designed to support compensation strategy), pay administration (e.g. review major organisational changes with CEO; review and approve compensation adjustments for CEO and executive officers; ensure competitiveness of executive compensation) and other elements (e.g. oversee executive and director stock ownership guidelines; CEO succession; oversee director compensation).
Next, the peer group used to evaluate executive compensation levels and programme is reviewed. We observe that shareholder activists take a hard line on peer group selection and focus on the following steps. First, they identify a group of similar companies based on industry and size; for size, the focus is on revenue and market capitalisation. Shareholder activists also like to consider enterprise value, which is broadly defined as (market capitalisation + total debt) – (cash, short-term investments). Finally, qualitative factors are assessed to make final adjustments to the peers. For example, companies with founders or ‘controlled’ companies might be excluded.
Each compensation committee has a process to include company management in the design and recommendation of pay levels and programmes. Some compensation committees rely heavily on management to prepare analysis and recommendations while others have their compensation consultant take the lead on developing materials for the committee.
We observe that shareholder activists prefer to have a balanced approach that includes management and the committee’s consultant working together to prepare analysis and recommendations for the committee.
Pay designs
Shareholder activists tend to exert a high degree of influence and change on the company’s incentive designs. When incentives are on the compensation committee’s meeting agenda, we find that shareholder activists are very engaged by asking more questions and challenging management’s assumptions. With the underlying goal to improve the company’s pay-for-performance alignment and accountability, we observe several types of incentive design changes at companies with shareholder activists on the compensation committee.
For annual incentive designs, shareholder activists generally eliminate the use of too many goals, discretion and measuring of individual performance. As a result, the new annual incentive design is based solely on two or three key financial metrics. We have found that shareholder activists gravitate towards return on capital, profit margin, or earnings per share (EPS) metrics to encourage the company to conduct buybacks in order to increase EPS. While difficult to quantify, the new goals are deemed to be more challenging compared to prior goals. If maximum bonus opportunities are outside competitive norms, for example at 300 per cent of the targeted amount, shareholder activists push to bring maximum opportunities to market practice at 200 per cent.
For long-term incentives (LTI), shareholder activists generally want to increase the weight of performance-based LTIs and reduce the weight of time-based LTIs, such as restricted stock units. Similar to annual incentives, the performance-based LTIs will vest based on two or three key financial metrics. Shareholder activists also tend to include relative TSR as one performance-based LTI metric. We typically see a roughly equal mix of stock options and performance-based LTIs with no time-based restricted stock. There are some situations where activists have made very large lump sum grants of performance share units with very challenging stock price goals.
The next pay programme that shareholder activists focus on is severance programmes related to change-in-control (CIC) and non-CIC situations. Key elements that are reviewed include eligibility, cash severance multiples, CIC definitions, excise tax gross-ups and events that trigger cash severance and equity acceleration. In general, we have found that shareholder activists simply want CIC and non-CIC related programmes to be fair and competitive. Their goal is to avoid high value severance benefits for termination due to poor performance (‘pay for failure’) or following a change in control. This is a hot button issue with major institutional investors and their advisers. We do see some companies adopting an emerging best practice to include employing executives ‘at will’ without employment agreements, reducing or phasing out cash severance for termination without cause, reducing cash severance for termination following a change in control, requiring a double trigger for equity acceleration in a change in control, avoiding equity acceleration in the event of a termination without cause and avoiding the temptation to go beyond plan provisions and boundaries at separation.
Pay levels
While not at the forefront of making strategic changes, shareholder activists will address pay levels if they are deemed to be above market and not consistent with the company’s compensation philosophy. We have observed instances where target LTI
values are well above market (lump sum) and others where LTI grants for the CEO are reduced to be more aligned with market. Some shareholder activists also consider the relationship of CEO pay to other executives. If the CEO’s pay is relatively high compared to other executives, the shareholder activists may view that as a CEO with too much power. If perquisites are above norms, shareholder activists will likely take steps to align them with market practices.
Strategies to justify executive compensation programmes
Proactive strategies that a company can use to provide justification for potential shareholder activists’ criticism of its executive compensation programme can start in the company’s proxy CD&A. For companies with lagging TSR and operating performance, providing a detailed rationale for executive compensation actions can provide useful context for current shareholders and potential shareholder activists. For example, the following is a forward-looking disclosure from a company that took compensation actions to recognise a lower commodity price environment and declining TSR. Given the current, lower oil and gas environment and the company’s disciplined approach, the committee approved the following compensation actions for the next year: (i) freezing of base salaries for most senior executives, including NEOs; (ii) freezing of annual incentive targets at current levels; and (iii) reducing grant date values of LTI awards compared to the previous year’s grant date values. In addition, the company made substantive changes to its peer group on a prospective basis. Other reactive strategies to address shareholder activists’ criticism of its executive compensation programme were as follows.
■ Management and existing board members need to be open to valid suggestions regarding potential improvements to its executive compensation programme
■ Assuming favourable vote results, providing a history of the company’s say-on-pay voting record indicates that existing shareholders approved the executive pay programme
■ Showing the CEO’s realised and realisable compensation over his or her tenure
■ If the company’s stock price has been declining, realised and realisable analysis will illustrate that executive pay as a percentage of opportunity also declined
■ Conducting analysis of correlation between incentive metrics and company’s stock price can indicate appropriateness of goals and alignment with TSR
■ And finally, providing an analysis of goal difficulty can help support incentive plan designs and payout
Activism & Engagement | Hedge Funds
Law and economics of hedge fund activism
The effective engagement of institutional investors in corporate governance must rely on hedge fund activism, although their influence is not always efficient
Alessio M. Pacces
Professor of Law and Finance at Erasmus University Rotterdam
Activist hedge funds are the big thing in corporate governance today. They intervene in the governance of publicly held companies with the goal to make changes happen. Although hedge fund activism has emerged as a US phenomenon, it has now become international. Hedge fund activism is increasingly prominent in Europe, for instance in the UK. Moreover, hedge funds are active in concentrated ownership structures, too. Somewhat surprisingly, activist hedge funds have succeeded in extracting concessions also in the presence of dominant shareholders.
Activist hedge funds screen the market for underperforming companies and buy a significant stake in them in order to engage their management. The goal of activists is to profit from increasing the company’s performance, which will be reflected by an increase in the value of their stake when it is sold back to the market. In doing so, hedge funds are coping with the fundamental agency problem stemming from separation
of ownership and control, namely the failure by management to maximize shareholder value. However, because hedge funds profit from a short-term change in the stock price of the target company, they may also be responsible for short termism in corporate governance. Feeling the pressure of hedge funds, managers may pursue short-term stock returns at the expense of long-term value creation. For this reason, hedge fund activism is highly controversial today.
From a law and economics standpoint, the question is whether hedge fund activism remedies or exacerbates market failure. On the one hand, the reduction of agency costs stemming from activism improves the efficiency of corporate governance. On the other hand, if the profitability of hedge funds activism depends on short-term pricing, the ability of corporate governance to sustain certain long-term projects may be undermined. To answer these questions and identify the right policy towards hedge fund activism, it is crucial to understand what drives such activism as well as the factors affecting its success.
Hedge fund business model
Hedge funds have a different business model than other institutional investors. Hedge fund managers charge a performance fee in addition to a percentage of the assets under management. The remuneration usually follows the so-called 2-20 rule: two per cent of the assets under management plus 20 per cent of any increase in the value of the portfolio. This remuneration structure aligns the hedge fund incentives with investors having a relatively high appetite for risk. Two factors are key for the success of entrepreneurial activism. First, the hedge fund needs to be able to buy the bulk of its stake in the company while the stock market does not anticipate the engagement. The moment the engagement is revealed, investors will anticipate gains and free ride on them. Second, the activist needs to be able to persuade the management to implement the desired changes. For this purpose, the support by institutional investors is crucial. The typical hedge fund stake in a target company is slightly above six per cent, which is not nearly a controlling one. As a result, activists must persuade other investors to vote for them. The tremendous influence activists have gained in corporate governance depends on the reconcentration of ownership that has occurred in the past few decades. The bulk of equity investment is no longer in the hands of thousands of dispersed shareholders, but is managed by a few institutional investors. Although the style of engagement differs considerably across countries, hedge funds activism consistently gets traction wherever institutional ownership is concentrated. Despite their positive role in activating institutional investors’ voice, activist hedge funds have attracted a lot of criticism.
Critique of hedge fund activism
A first point of criticism is that the institutional investors voting on a hedge fund engagement may fail to exercise judgment. Rather, they would blindly follow the recommendations of proxy advisors, notably including global market leaders, such as Institutional Shareholders Services (ISS) and Glass Lewis, to decide whether to vote for or against hedge funds. Empirical research suggests that the impact of proxy advisors on the voting by institutional investors may be not as decisive as it looks. For instance, a US study of uncontested elections reveals that ISS advice against the management shifts 10 per cent of votes at most. Moreover, it is impossible to determine how much proxy advisors influence large institutional investors and how much they are influenced by them.
Another fundamental critique levelled at hedge funds is that they may succeed without any screening by institutional investors if they act as a coalition, namely as a so-called ‘wolf pack’. Empirically, wolf packs account for more than 20 per cent of the engagements observed internationally and are associated with a much higher success rate than individual engagements. Therefore, wolf packs look like a nearly riskless strategy for hedge funds. However, the impact of wolf packs could be overestimated. Note that nearly 80 per cent of the engagements mapped internationally are not wolf packs. This cannot be random because hedge funds choose their battles. If they decide to join and form a wolf pack only when success is more likely, the success rate of wolf packs is overestimated.
The recurrent objection to hedge funds activism is short-termism. In one respect, this critique is not borne out by the empirical evidence. The announcement of hedge fund engagement leads, on average, to a significant increase of the stock price. This increase is not reversed for up to five years down the road, provided that the engagement is effective in determining change. However, while useful to defend hedge fund activism from an easy rhetoric against them, this result says nothing about whether the stock markets are myopic relative to some horizon longer than the activists’ holding period (about two years on average).
Theory and evidence on hedge fund activism
Underlying the short-termism discussion, there is a fundamental question about the desirability of hedge fund activism. If financial markets were informationally efficient, there would be no difference between short-term and long-term maximisation of shareholder value. However, if stock markets overweight the short-term profits of a company relative to its long-term profits, albeit temporarily, there is market failure and hedge fund activism may be a problem, despite its positive impact on agency costs.
The question whether public companies should be managed for a shorter or a longer term cannot be answered empirically. Data reveal that successful activism, on average, is associated with a stock price increase. However, this result is uninformative because hedge fund activism produces unobservable effects, too, and because the companies for which we observe engagements cannot be meaningfully compared to those that are not engaged.
In theory, whether hedge fund activism is efficient depends on context. Some companies benefit from the correction of underperformance fostered by activist hedge funds, particularly in the presence of investor expropriation or misuse of free cash. For other companies, though, underperformance is temporary and the change of strategy promoted by hedge funds can destroy value. The disagreement on the proper length of time in which to assess performance reflects a more fundamental conflict between two views of the target firm, one by the activist hedge fund and the other by the incumbent management. These views normally differ on strategic issues, such as whether the company should be leaner, more focussed on certain businesses and cost-effective in carrying them out, which hedge funds typically like to see perhaps because they are impatient to cash in the profit from engagement. The opposite view that the company should pursue longer term goals, typically fostered by the management, is equally legitimate although it may procrastinate the acknowledgement of mistakes or conceal the extraction of private benefits of control. For this reason, hedge fund activism should be framed as a conflict of entrepreneurship.
The role of index funds
Framing hedge fund activism as a conflict of entrepreneurship brings up the question of who decides on the conflict and whether this is efficient. Hedge funds need to garner institutional investors’ support in order to succeed. Institutional investors, however, differ considerably from each other and so does their propensity to exercise voice. Index funds are likely to cast the decisive votes on a hedge fund campaign because they cannot exit an investment they are dissatisfied with, so long as this investment is part of the index they track. Drawing on their long-term commitment to index tracking, managers of large index funds have recently made public statements to distance themselves from the short-termism of activist hedge funds.
Such statements must be taken with a grain of salt. Index fund managers cannot benefit from firm-specific monitoring because their competitors can free ride. In pursuing relative performance, index fund managers will rather choose low-cost voting policies that are generally appreciated by investors. For instance, index funds may vote for a hedge fund’s request to cut R&D expenditures not because it is efficient, but because the target has poor corporate governance. Because index funds do not have incentives to make an informed decision on an individual company’s strategy, they cannot always be trusted to screen hedge fund activism. Nevertheless, the incentives of index funds are aligned with the interest of the investing public regarding the control of agency costs. Therefore, the problem whether a company should be exposed to hedge funds activism does not warrant a one-size-fits-all solution. Different companies may need different degrees of exposure to activism at different points in time.
Policies towards hedge fund activism
Policymakers have been sceptical towards hedge fund activism, based on a twofold assumption. The first is that hedge fund activism always leads to short-termism in corporate governance. The second is that short-termism is always value destroying. Although neither of these assumptions holds true across the board, they have supported anti-activist policies, such as ownership disclosure regulation and shareholder identification.

Regulation mandates transparency of large ownership on both sides of the Atlantic. The purpose of ownership disclosure is to unveil the build-up of significant stakes in a company. For instance, in the US, ownership disclosure is triggered by the crossing of a five per cent beneficial ownership threshold, after which the shareholder has 10 days to disclose its stake. A lower threshold or a shorter window to disclose undermines hedge fund activism by reducing their ability to profit from the purchase of undervalued stock. While a few proposals have been made in the US along these lines, none of them has become law.

In the EU, curbs on hedge fund activism stem from the obligation to identify all shareholders owning more than 0.5 per cent of voting rights. This obligation will be introduced by the revision of the Shareholder Rights Directive. Although this rule differs from ownership disclosure, it may lead to a similar chilling effect on hedge fund activism unless multiple toeholds can be purchased below the threshold. This chilling effect is at odds with the purpose of the Directive to encourage shareholder engagement, considering that hedge funds are crucial to activate the voice of longer-term investors.

One-size-fits-all curbs on hedge fund activism are inefficient and should be replaced by rules enabling individual companies to choose, with their shareholders, the optimal exposure to activism, and to alter this choice over time. In several jurisdictions, companies can opt out of hedge fund activism through dual-class shares, which are interesting relative to other anti-activist tools (such as low-trigger poison pills) because they commit some of the controller’s own wealth to a long-term project. However, dual-class shares can only be introduced before the company has gone public, unless they are presented as loyalty shares.

Formally, loyalty shares do not discriminate between shareholders because they provide super-voting rights to any owner that retains the shares for long enough – say, two years. Practically, however, loyalty shares are only interesting for controlling owners, because institutional investors are reluctant to give up the higher liquidity of common stock. Therefore, loyalty shares effectively operate as dual-class shares, although they can be introduced after companies have gone public. Explicit dual-class recapitalisations, which are currently prohibited, would be preferable to loyalty shares to the extent that institutional investors can veto them. The recent experience with French law (Loi Florange) reveals that institutional investors may be unable to stop the introduction of loyalty shares.
Conclusion
This article has discussed the role of hedge fund activism in corporate governance. Activist hedge funds are an important source of feedback in corporate governance. However, their influence is not always efficient. Although other institutional investors are typically decisive on a hedge fund campaign, their judgment cannot always be trusted. The optimal decision about whether a company should be managed for the short or the long term depends on the circumstances faced by the individual company. Therefore, individual companies should be able to tailor the exposure to hedge fund activism to their needs, and to alter this choice over time, for instance by way of loyalty or dual-class shares.
Global News Africa
Congo mining revenue hit by corruption
More than 20 per cent of the Democratic Republic of Congo’s mining revenue is being lost due to corruption and mismanagement, an investigation has found. Data from 2013 to 2015 suggests that $753million in Congo’s mining revenue did not reach the national treasury and was held back by state-owned mining companies and national tax agencies. The Global Witness Report claims money is being distributed through corrupt networks linked to President Joseph Kabila. Congo is Africa’s top copper producer and the world’s biggest supplier of cobalt. It also produces coltan, diamonds, tin and gold.
Kenyan organisations disclose CEO pay
Seven Nairobi Securities Exchange (NSE)-listed firms have published details of what their CEOs were paid last year in an executive pay transparency drive. According to Business Daily, most NSE firms treat executive pay as a strongly guarded secret and will often use reporting tactics that only meet the minimum regulatory requirements. In an opinion piece, Business Daily — Africa’s leading business publication — said: “The decision by seven firms listed on the NSE to disclose the executive pay is definitely setting the bar higher as far as corporate governance and transparency go. We ask the Capital Markets Authority (CMA) to fully implement this requirement as a step of continuous reforms of Kenya’s capital markets and encouraging everyone else seeking to invest to do so having the right information, including executive remuneration.”

Nigerian focus on corporate governance
The Financial Reporting Council of Nigeria (FRC) and the Association of Corporate Governance Professionals of Nigeria (ACGPN) have pledged to work together to promote good corporate governance in the country. The ACGPN — the ‘voice’ of corporate governance professionals in Nigeria — had called on the FRC to recognise its training certificates and accredit its members to enable them to sign financial statements. According to reports, the FRC has agreed to look into the request in ‘due course’ and said it is also looking to ‘collaborate with professional and corporate bodies to carry out several researches in areas of financial reporting’.

SAP Africa probes kickback allegations
German technology company SAP has placed four senior managers in South Africa on leave and launched an investigation into reports connecting the company to a bribery scandal. The tech firm will probe allegations that SAP South Africa paid kickbacks in 2015 to a company linked to the infamous Gupta family in order to secure contracts with state-owned businesses. Reports allege that SAP paid a 10 per cent ‘sales commission’ to a company controlled by the Guptas to secure a contract worth at least R100million from state-owned Transnet. SAP has appointed an interim management team at its South African subsidiary, including Ashley Boag as acting chief operating officer; Peter David, chief financial officer for SAP EMEA and now acting CFO for Africa; Pieter Bouwer as South African MD; and Claas Kuehnemann as acting managing director at SAP Africa.
South Africa leads the way
South Africa, Kenya, Mauritius, Nigeria and Uganda have been named the top five African countries with robust corporate governance codes of practice that ‘positively impact economic prosperity’. The Association of Chartered Certified Accountants and KPMG’s study Balancing Rules and Flexibility for Growth examined the corporate governance requirements for listed companies in 15 countries in Africa. Examining the corporate governance requirements for listed companies against the Organisation for Economic Co-operation and Development (OECD) benchmarks across four tenets of corporate governance, the study ranked South Africa top. Ten out of the 15 countries studied have aligned their corporate governance requirements with more than 80 per cent of OECD principles.
Risk Management | Cybersecurity
Putting cybersecurity at the top of the board’s agenda
Adopting good cybersecurity practice can make a considerable difference in the resilience of your organisation
Toby Chinn, Head of Control Risks’ Cybersecurity practice

Was cybersecurity at the top of your priority list when the WannaCry attack hit? When a cyberattack strikes it can quickly become headline news, causing serious disruption to an organisation for days on end and costing hundreds of thousands of dollars in lost data, reputational damage, lost customers and regulatory fines.

WannaCry, one of the largest cyberattacks ever seen, hit thousands of organisations worldwide within a day, causing severe damage. A summary by the BBC points out that, in the first few hours of the attack, 61 National Health Service organisations in the UK were disrupted – something that was echoed among many other organisations across the globe. One of the many lessons companies can draw from this attack is that if cybersecurity wasn’t a board-level priority before, it should be now.

No company or country, however big or small, is immune to attacks by cybercriminals. In the worst case, breaches can cause a major corporate crisis that can paralyse entire corporations for days, often causing severe financial damage. According to the UK National Cybersecurity Centre, the average cost of a security breach is estimated today at between £600,000 and £1.15million. Unsurprising then that The World Economic Forum has rated cybersecurity as one of the top three risks for 2017.

Control Risks’ latest State of the Cybersecurity Landscape report found that while most companies now have notional board oversight in matters of cybersecurity, around half of these companies’ key IT and business decision-makers think their boards have no proper grasp of the issues. Obviously, one of the main challenges board-level executives face in dealing with cybersecurity is the technical complexity of the tools and strategies used. But as with every other kind of corporate risk, business directors don’t need to fully immerse themselves in technology in order to play an effective role in cyber risk oversight. An understanding at board level of the threats that an organisation faces is a first and vital step in the right direction. Without full board-level support, IT departments, which are often in charge of dealing with cyber risks, find themselves under-resourced, isolated from the rest of the business and without sufficient budget to manage these risks effectively.

In interviews with large organisations of more than 2,000 employees across 20 countries, a number of issues consistently emerged as key management concerns in cybersecurity, in particular the approach to cyber risk management and third-party cyber risk.
Effective risk management is crucial to reduce damage
According to Control Risks’ survey, adopting a risk-based approach to cybersecurity is something companies are really struggling with. Worryingly, more than a third of organisations interviewed have not conducted a risk assessment at all within the past year. And even though the other 68 per cent of respondents have performed a risk assessment in the past year, 45 per cent of respondents cited it as their primary challenge. Furthermore, while the report found that the majority of organisations said the C-suite was most accountable for cybersecurity management and decision-making (77 per cent), almost half of these companies said they do not believe their organisation’s board-level executives take cybersecurity as seriously as they should. Reflecting this, around a third (31 per cent) of the companies interviewed are either ‘very’ or ‘extremely’ concerned that they will suffer a cyberattack in the next year.
Third-party breaches are a growing concern
In today’s business environment, almost all companies rely on third parties in their supply chains. This extends their cyber risk, especially as businesses increasingly outsource sensitive aspects of their business, such as payroll and other finance functions, technology service providers, legal functions and even research and development. A cyber breach on one third party’s systems can have significant consequences for the wider network. As Ben Lawsky, New York State’s top financial regulator, said in a letter to dozens of US banks: “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the security of its vendors.” [1]

As found in the survey, 35 per cent of respondents said that a third-party cyber breach had affected their organisation. This was lower for organisations in Europe and the Middle East (33 per cent) and Africa (21 per cent), but higher for respondents in Asia (39 per cent) and the Americas (38 per cent), which may lead to the assumption that there are regional differences in companies’ willingness to report cyber breaches to their customers.
Measures companies currently take to manage cybersecurity risk beyond their own IT ecosystem appear insufficient
According to the State of Cybersecurity Landscape report, 34 per cent of respondents said that vetting third parties’ cybersecurity standards is a challenge. This was significantly lower for companies in the Netherlands (13 per cent) and higher for companies in Germany (41 per cent). Only 23 per cent of the organisations interviewed described their companies’ approach to cyber risks resulting from the use or acquisition of third parties as excellent. Of organisations that have a cyber crisis management plan, a quarter say they do not address what third parties should do if they suffer a breach that may impact the respondent’s organisation, though regional differences here are significantly high with 62 per cent for Africa and 26 per cent for the Americas, 23 per cent for Europe and the Middle East and 21 per cent for Asia.

Most (93 per cent) respondents’ organisations say that they have taken steps to evaluate their third parties’ cybersecurity measures. Around half acquire signatures on contracts that legally oblige the vendor to adhere to security and privacy practices (53 per cent), obtain evidence of security certification (49 per cent) or conduct an independent audit of the vendor’s security and privacy practices (48 per cent). Despite this, nearly half (48 per cent) of those surveyed agree that their organisation does not consider the impact of partners/vendors’ cybersecurity as much as it should.
The way cyber threats are assessed and communicated throughout a business is key
Control Risks’ advice is always to start with the threat. This should involve considering the specific cybersecurity threats to the organisation, what impact these threats might have and how current controls mitigate them. Having assessed these risks, the organisation can then integrate them into the organisation’s overall risk management strategy.

Taking the wider business through the process of how an external threat actor (e.g. a cybercriminal) may utilise a specific attack to gain access to data and systems and exploit them will help to explain exactly why other departments and senior leaders need to take action and champion relevant parts of any cybersecurity strategy. Such an approach also ensures that the variables that indicate how a risk may evolve over time (threat, likelihood, impact) are clearly understood, leading to clearer discussions on prioritising spending and focussing effort on the areas that matter most.

Building confidence in the board’s cybersecurity management capabilities
It is important that everyone across all levels of an organisation, including those at C-suite and executive board level, approach cybersecurity as an enterprise risk and develop a mitigation strategy that not only protects the company, its assets and its operations, but also enables business. Actionable recommendations include:

1. Ensure cybersecurity becomes a regular board agenda item. This should include reviewing your external cyber threat landscape and include an IT expert; or create a committee to address the issue as a wider business threat. This also ensures that the cybersecurity budget is being spent in the most effective way.

2. Conduct regular cyber crisis management exercises that involve all relevant parties. Include the C-suite, IT, legal, communications and any other members of the crisis management team – so that all parties understand their roles and responsibilities and the potential implications of a cyberattack.

3. Ensure all employees, including the board, are educated to understand their potential cyber exposure. This includes how a breach might occur in any part of the business. Risk assessments in particular are a good way to educate employees on cybersecurity threats that the organisation might face.

4. Conduct a risk assessment. A comprehensive assessment is required to identify gaps in cybersecurity across the wider organisation and potential legal, reputational and financial implications of a breach. An assessment usually starts by taking employees through the process of how an external threat actor (e.g. a cybercriminal) may utilise a specific attack method to gain access to data and systems and exploit them. Assessing risks on this basis will help to explain exactly why other departments and senior leaders need to take action and champion relevant parts of any cybersecurity strategy. Such an approach also ensures that the variables that indicate how a risk may evolve over time (threat, likelihood, impact) are fully understood, leading to clearer discussions on prioritising spending and focusing effort on the areas that matter most.

5. Take steps to understand the impact a third-party breach could have on the business. This should go beyond simply acquiring a signature on contracts to legally oblige the vendor to adhere to security and privacy practices. Therefore, cybersecurity should be included in a company’s broader vendor vetting process, which should consider the company’s broader risk strategy and account for accepted risks as well as proactive mitigations. Beyond this, a company should ensure that its crisis management plan accounts for circumstances that may lead to a loss of customer data, or fines as a result of a third-party breach.

When it comes to a cyberbreach, it really isn’t a case any longer of ‘if’ but ‘how badly’ your organisation could get hit. WannaCry serves as just one of many examples why having cybersecurity on the board’s ‘to do’ list is no longer sufficient. Moving towards a common perception of cybersecurity as a holistic business risk, and educating all employees on the importance of good cybersecurity practice, must be the next steps in tackling today’s challenges.

There is no magic formula for protecting your organisation against the rapidly evolving world of cyberattacks. But acknowledging this and adapting your cybersecurity measures to match the threat landscape as well as upskilling the entire organisation based on this understanding can make a considerable difference in the resilience of your organisation to resist the next cyberattack that you might face.

[1] http://www.reuters.com/article/us-regulator-cybersecurity-lawsky-idUSKCN0IB03220141022
Cybersecurity: A fiduciary duty
Practicing good cybersecurity hygiene will not make directors ‘WannaCry’
The #CyberAvengers are: Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma & Christophe Veltsos
The recent WannaCry ransomware exploit brought into full view several factors that terrify many companies and their boards of directors. Why? Because these directors are charged with the fiduciary duty of overseeing the cyber risk preparations and defences of their companies for their shareholders.
In today’s environment, this presents quite a challenge for companies and boards alike. Security has always been a challenge because the defender must be right 100 per cent of the time and an attacker needs only one lucky shot. Effective cyberattacks can involve factors, such as:

1. A ‘zero-day’ or previously unknown software exploit (or vulnerability) that even advanced IT departments could not have reasonably planned for

2. An exploit that encrypts files when enabled or executed, and will not give the files back unless a ransom is paid

3. A public relations nightmare trying to explain to third parties, regulators (and in the case of WannaCry, hospital patients) why service levels dropped (i.e. evaporated) due to lack of properly segmented back-up recovery media and/or less than rigorous implementation of standard patches for older operating systems
WannaCry had all these factors, and more. First, even though WannaCry was thought to be a zero-day exploit, it was not truly unknown. It had been disclosed in March 2017 as part of a broader announcement of related exploits allegedly stolen from a US government agency. At that time, the software company involved (Microsoft) announced an emergency or ‘critical’ patch designed to fix the vulnerability that was ultimately exploited by WannaCry. A fix had been available for many systems in March 2017. Were all affected systems patched on time? Were all affected systems patched at all? We do not know for sure. The effectiveness of the WannaCry attack, however, gives a strong indication as to the answer.

Secondly, and much worse for the companies and hospitals involved, this was not the first ransomware attack of 2017 (or 2016) or cyberattack on hospitals. A Michigan State University report examined US Department of Health and Human Services data and noted that almost 1,800 cyberattacks occurred in hospitals across the US over a seven-year period. Ransomware, in fact, has established itself as the bane of corporations. According to the FBI, ransomware is reported to have caused losses in 2016 of close to $1billion. This plague has only increased and has prompted much research and writing on cybersecurity best practices (including by us) settling on, at the very least, one or more best practices designed to lessen (if not entirely mitigate) the effects of ransomware.

No prudent, risk management-conscious executive or director could have been surprised by these broadly recommended best practices, nor by the more specific need for companies to have properly segmented back-up tapes, media or hard drives. Despite this, WannaCry surprised people across a myriad of roles and responsibilities. People were surprised that a simple patch existed that would have enabled companies to avoid the whole issue. Unfortunately, many were caught without back-up media. Serving on the front lines of the cybersecurity battlefield, we were not surprised, but were in fact saddened that WannaCry was so effective, unnecessarily. WannaCry could have been much, much worse.

How to tackle cyber threats

The purpose of this article is not to shame or call out any one particular company or hospital that was affected by WannaCry. The organisations that are bravely dealing with the aftermath of WannaCry have enough on their plates already. Rather, we write from a different point of view, i.e. that of a board of directors or board of managers of a company that is charged generally with a fiduciary duty of overseeing the cybersecurity posture of a company or organisation. This duty is part and parcel of their duty to oversee enterprise risk management as a whole. As board members, the duty of the directors is not to ‘plug into the computer network’ but to:
■ Ask questions designed to bring out potential improvements
■ Engage directly with cybersecurity resources inside the company
■ Continuously review and improve cybersecurity policies and procedures within the company
This article provides ‘the questions’ that boards should ask regarding the prevention and mitigation of ransomware, as well as our suggested ‘right’ answers to those questions. We will leave it to the board members to exercise their fiduciary duty accordingly.

Rather than having a ‘direct’ role in the information technology affairs of a company, a board has an ‘oversight’ duty. That means directors have a duty to (1) become reasonably informed about the company’s cybersecurity posture, policies and procedures implemented by the company’s senior executives, (2) ask questions of relevant personnel in the company (IT and executives) concerning the cybersecurity posture to see if those policies and procedures are being properly and effectively implemented, and (3) make suggestions or pose thoughts and ideas about how to improve this posture and the cyber risk culture of the company.

In a speech at the New York Stock Exchange on 10 June 2014, former Securities and Exchange Commissioner Luis Aguilar stated: “Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk and there can be little doubt that cyber risk also must be considered as part of boards’ overall risk oversight. The recent announcement that a prominent proxy advisory firm is urging the ouster of most of the Target Corporation directors because of the perceived ‘failure…to ensure appropriate management of [the] risks’ as to Target’s December 2013 cyberattack is another driver that should put directors on notice to proactively address the risks associated with cyberattacks.”

Cyber risk must now be viewed as an integral part of the overall enterprise risk management (ERM) framework for a board of directors and must be evaluated, documented and addressed/mitigated, according to the risk profile and economic realities of the company. Each company will have different economic constraints and a unique risk appetite. The exercise of evaluating the risk for the entity and coming to a decision about mitigation within an ERM framework is an essential part of the board’s fiduciary duty.

WHO ARE THE #CYBERAVENGERS?
The #CyberAvengers are a group of salty and experienced professionals who have decided to work together to help our countries by defeating cybercrime and slowing down nefarious actors operating in cyberspace seeking to exploit whatever their tapping fingers can get a hold of. How? We do this by raising our collective voices on issues of critical importance so that we can keep America in the lead – both economically and technologically – and to keep it safe and secure. All the issues are intertwined and more complex than ever, which is why we have differing backgrounds, but have common cause. We complement each other, we challenge each other, and we educate each other. What do we get out of writing articles like this? Nada. Goose egg. We are friends. We are patriots. And we are not satisfied to sit around and do nothing. We want to keep our nations and their data safe and secure.
This fiduciary duty is extremely important (in the age of WannaCry and others). Cyberattacks not only cause costs and business disruptions, but also can cause negative publicity, reputational harm, litigation and regulatory proceedings, each of which negatively impacts the company or organisation involved. Examples of such high-profile cases in the United States are Target Corp, The Home Depot, and Wyndham Hotels. Though there is little case law in the area, courts in the US generally note the duty of a board member is ‘reasonable’ oversight. Not perfect oversight. Not flawless oversight. Just reasonable oversight.
The risk of cyber vulnerability
So, what is reasonable oversight? What questions should be asked to get the board there, especially in cybersecurity, where there is often no right answer (just multiple ‘less wrong’ answers)? The courts will ultimately decide what constitutes reasonable oversight. But in our view, here is how an effective board director might be able to get to the right place and demonstrate his or her oversight was reasonable:
1
Get the cybersecurity policies and procedures of your company. All of them. Including training manuals. Read them thoroughly and become acquainted with them. Remember, if something goes wrong and your company gets hacked, some third party might say those policies were ill-advised, not enough, or just plain wrong. how your company or 2 Understand organisation is regulated and by which
regulatory body. No two regulators are alike. There are material differences, especially between US and UK and EU regulators. Remember, regulators generally get involved when something bad happens and then look at things through a 20/20 hindsight view (which might not show a pretty picture). It is best to be proactive when it comes to cybersecurity. your company 3 Does perform employee training
on a semi-regular basis (at least twice a year or more)? Does this training address email policies and social media sites that employees might visit? If your company does not, or performs training only when it is convenient, this area alone could be a ‘red flag’ to regulators.
4 Does your company have in place some sort of email ‘filtering’ system in order to reject any emails that might appear normal, but are actually sent from a spoofed or copycat address? In general, a company email address should be the only address used by company employees (and board members). Filters catch things which change the .com email address of a company in subtle ways to make it appear to be a legitimate email, when it is in fact very illegitimate.
5 When are critical patches and updates made to the network? Once a week, once a month? How quickly are critical or emergency patches made? 48 hours, 72 hours, two weeks, or longer? In general, critical patches should be made in 72 hours or less (e.g. WannaCry patch). Waiting too many days to make a patch effective could be your worst nightmare. Waiting months to make a critical patch effective might spell doomsday to your company.
6 Does your company have enough IT staff to handle not just security alerts that need to be investigated, but also handle patching, applications, the Cloud, and a host of other daily jobs that need to be performed? The lack of skilled cybersecurity workers in the US and UK is critical at this moment, and many companies are simply unable to hire as many people as they need, or as many skilled IT executives as they need at a reasonable price. Now is not the time to have an understaffed IT department and there is nothing worse than having an understaffed IT department in a company that gets hacked. There are solutions for this, like managed service providers, and machine-learning driven cybersecurity orchestration and automation solutions. But you need to find the staffing answer first. Then, seek out the help of professionals if necessary.
7 What is your company’s password policy? Is it complex enough, with both letters and numbers and symbols, or can a password, such as ‘password’ or ‘0123456’ be held as sufficient? The answer to this question will be self-explanatory. Complex is good. 0123456 is bad. And ‘P@$$w0rd2017’ is almost as bad as ‘0123456’ as it will be one of the top 100 passwords tested by attackers.
8 Finally, what is your company’s back-up procedure and what back-up media are used by your IT department? This is a more complex question, but the general rule is ‘back it up’ daily in at least three places: on site, off-site, and in the Cloud. Back-up solutions (which are relatively inexpensive and plentiful for both networks and desktops) should be enacted on a segmented basis, meaning that following the back-up they should be taken off-line and disconnected from the network so an encryption exploit cannot get to them. Remember, this is not like the old days where back-ups were few and difficult to employ. Major companies, such as Amazon (for the Cloud) and Carbonite (for smaller organisations) exist and can train your IT employees to become not only proficient, but fanatical about your company’s back-up policies and procedures.
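One way a filter can recognise the copycat addresses described in question 4, as an added example that is not part of the original article. The company domain `example-corp.com`, the sample From headers and all function names are assumptions made for illustration.

```python
import re

# Assumption: the organisation's real mail domain (hypothetical placeholder).
COMPANY_DOMAIN = "example-corp.com"
# Maximum number of single-character edits still treated as a copycat.
MAX_EDITS = 1

# Characters often substituted to imitate another one (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def sender_domain(from_header):
    """Return the lower-cased domain of a From header value, or None if malformed."""
    match = re.search(r"<([^<>]+)>\s*$", from_header)
    address = (match.group(1) if match else from_header).strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def skeleton(domain):
    """Collapse look-alike characters so visually similar domains compare equal."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "exmaple" for "example".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header, company=COMPANY_DOMAIN):
    """Label a sender as internal, lookalike, external or invalid."""
    domain = sender_domain(from_header)
    if domain is None:
        return "invalid"
    if domain == company or domain.endswith("." + company):
        return "internal"
    # Same appearance after homoglyph folding (examp1e, exarnple, ...).
    if skeleton(domain) == skeleton(company):
        return "lookalike"
    # Same name under a different top-level domain. Simplification: the last
    # label is treated as the TLD, so suffixes such as .co.uk are not handled.
    name, _, tld = domain.rpartition(".")
    company_name, _, company_tld = company.rpartition(".")
    if name == company_name and tld != company_tld:
        return "lookalike"
    # One typo away from the real domain.
    if osa_distance(skeleton(domain), skeleton(company)) <= MAX_EDITS:
        return "lookalike"
    return "external"


# Constructed sample From headers, for illustration only.
SAMPLE_HEADERS = [
    "alice@example-corp.com",
    "CEO <ceo@examp1e-corp.com>",
    "ceo@exarnple-corp.com",
    "Finance <pay@example-corp.co>",
    "ceo@exmaple-corp.com",
    "news@example.org",
]


def triage(headers):
    """Return (header, verdict) pairs so lookalikes can be quarantined for review."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:10} {header}")
```

A check like this only looks at the visible sender domain; it complements, rather than replaces, sender authentication on the mail gateway.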
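The password-policy point in question 7, as an added example that is not from the original article: a composition rule alone accepts ‘P@$$w0rd2017’, while a guessability screen rejects it. The word list is a short constructed sample and the function names are hypothetical.

```python
import re

# Constructed short sample of common base words; a real screen would use a
# large list of commonly used and previously breached passwords.
COMMON_BASES = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Typical character substitutions that attackers' guessing rules already undo.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})


def meets_composition_rule(password, min_len=8):
    """The 'letters and numbers and symbols' rule from the checklist."""
    return bool(
        len(password) >= min_len
        and re.search(r"[A-Za-z]", password)
        and re.search(r"\d", password)
        and re.search(r"[^A-Za-z0-9]", password)
    )


def is_trivial_sequence(password):
    """True for one repeated character or a run of ascending/descending digits."""
    if len(set(password)) == 1:
        return True
    if not (password.isascii() and password.isdigit()):
        return False
    steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def base_word(password):
    """Undo the usual decorations: case, trailing year/digits/symbols, leetspeak."""
    lowered = password.lower()
    # Strip the trailing run first so a year such as 2017 is not leet-decoded.
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    return stem.translate(LEET)


def likely_guessable(password):
    """True when the password reduces to a common word or a trivial sequence."""
    return is_trivial_sequence(password) or base_word(password) in COMMON_BASES


def assess(password):
    """Return (passes_composition_rule, likely_guessable) for one password."""
    return meets_composition_rule(password), likely_guessable(password)


if __name__ == "__main__":
    # The first three candidates are quoted in the article; the last is constructed.
    for candidate in ["password", "0123456", "P@$$w0rd2017", "tv9#Lq2!xWm4zR"]:
        complex_enough, guessable = assess(candidate)
        verdict = "reject" if guessable or not complex_enough else "accept"
        print(f"{candidate:16} complex={complex_enough!s:5} "
              f"guessable={guessable!s:5} -> {verdict}")
```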
Everyone is a target
Several factors existed in WannaCry that made us sad and all factors relate to the above questions we are asking you to consider: (1) improper or insufficient patching, (2) aging network architecture which was susceptible to ‘not’ being patched or not having patches readily available, and (3) insufficient back-ups. Unfortunately, each of these factors was and is, for the most part, entirely preventable or fixable at a reasonable cost. Yet they were not. Why? We don’t know. Is cybersecurity ‘an enigma shrouded in mystery’? Is cybersecurity too hard to understand by most people? Are companies not investing enough in cybersecurity? Do companies think they are simply too small and thus ‘not a target’? We don’t know, but each of these questions begs the following answer: if your company has data that is valuable or computer hardware that is critical to running its business, it is a target. And, even if your company simply sends a lot of email and has employees, it is still a target. Simply put, everyone and every company is a target.
SECURING ALL YOUR SYSTEMS Ensure policies and procedures are firmly in place
Risk Management | Sabotage
Wolves in sheep’s clothing
How your organisational culture and management practices may be causing resentment and disenchantment among the workforce
Luke Treglown
Organisational Psychologist at PGI
We are becoming increasingly more digitised. Both our private and professional lives are becoming engrossed in technology and there is no real stopping this rapid progression.
So, it’s understandable that some companies are becoming increasingly pessimistic and paranoid about the cost of an impending external attack: viruses through emails, customer credit card details being cloned, and emaciated teenagers who can hack your website from their bedroom. Yet, is the worry being misplaced? There is no doubt that the external threat is real and worthy of concern. The recent WannaCry ransomware attack is estimated to amount to global losses of close to $4billion. However, is the external threat the most ominous one that faces businesses? Organisation leaders often focus so narrowly on fortifying themselves against external intruders that they become blind to the wolves within.
The nature of an insider attack is diverse with the big-hitters including fraud, sabotage, intellectual property theft and IT security breaches. When you start to look at the numbers, the risk from within begins to eclipse the external threat: $2.9trillion per year is lost globally through employee fraud. In its 2017 Global Economic Crime Survey, PWC found that 86 per cent of organisations suffered from at least one instance of fraud that year (up from 82 per cent the previous year). Yet, it is insiders who are responsible for 81 per cent of these attacks. Roughly 90 per cent of Economic Espionage Act prosecutions and thefts of trade secrets involve an insider. When it comes to IT security, the average organisation can expect to experience around four insider breaches a year. Carnegie Mellon University found that of 103 instances of insider-perpetrated intellectual property theft, half resulted in losses that exceed $1million. Research conducted by the FBI and CSI units found the average cost of an external attack is around $57,000. The average cost of an attack from an insider is $2.7million.
Employees are the largest resource available to a company, yet they can also be the greatest source of liability. They are at their most dangerous when they are dishonest, devious and disenchanted. They are already one step ahead of external threats; they are within the barricades and know exactly where is most sensitive. They can bide their time, wait to strike and inflict damage that far exceeds what any external hacker can do.
Hitting the headlines
The most familiar insider attacks are those that have captivated headlines. These attacks have been perpetrated by highly skilled individuals within an organisation, who aim to inflict harm in a dramatic and public manner. They are your ‘Edward Snowden types’. In these cases, it is difficult to know how best to measure the damage done to an organisation. Vitek Boden caused enormous financial and environmental damage by leaking 800,000 litres of sewage water into local parks, rivers and businesses in Queensland, Australia. Companies can have their reputations wrecked as a result of an insider leaking sensitive information – or giving entrance to a hacker who can. Amy Pascal was forced to resign from Sony Pictures after private and confidential emails of staff were made public. Target, the US retailer, had the credit card information of 40 million customers leaked by external hackers with the aid of a current employee. Yet, the very worst cost of an insider threat is that of a human life. The Ashley Madison leaks, now thought to have involved the help of an insider, resulted in at least two users of the site committing suicide.
Not all insider attacks are as high profile as these. The attacks that make the news do so because they are so highly visible. The problem is that potential attacks that emerge from within are broad and disparate in scope. Just because an attack does not fill the tabloids does not mean it is any less devastating. Organisation leaders and their senior staff often have an appreciation of what the insider threat constitutes in this sense, but rarely do they grasp the full magnitude of its potential damage. The reason that hackers and malware are discussed with such vigour is due to the visible damage they leave. The problem is that the inside threat is being treated as a technological problem when it needs to be thought of as a human one. To do that, organisations need to understand what factors influence an employee to become a threat.
The bad apple
What motivates an employee to go rogue? To turn against their organisation and become a potential security risk? Organisations often want to be able to point the finger and distance themselves from current or former employees that have done the damage. There is a desire to explain the employee’s behaviour in relation to dispositional aspects; something about the employee that made them do it. Psychologists have spent the past few decades studying and understanding what personality variables or ‘dark’ traits make an employee inherently more likely to be a risk to their organisation; that make them likely to be ‘bad apples’.
Academic research has mostly focussed on understanding the role of ‘dark’ personality traits. These are aspects of personality that are inherently self-serving and exploitative. They are damaging to the individual as well as those around them. There are three traits in particular that have attracted a large amount of empirical attention – this is the dark triad of narcissism, Machiavellianism and psychopathy. Narcissists are characterised by an overexaggerated belief in their own ability and an over-inflated sense of self. They believe that they are the best at what they do and want to ascend to positions of authority and power so that they can have this belief reinforced and confirmed by others. Narcissists become ‘bad apples’ when their ego is threatened; when they feel that others are not paying attention to them or giving them the recognition they feel they deserve. It pushes them either to make rash decisions in the hope it will make them appear impressive, or to act callously to undermine and punish people so that they feel socially superior.
INSIDER SABOTAGE Spotting the wolf in sheep’s clothing
Machiavellianism is characterised by manipulation, a cynical view of human nature and a moral outlook that prioritises expediency over principle. Machiavellians desire control over information, materials and money because of the influence and power that it brings. However, Machiavellians become bad apples because they will act deviantly to get ahead. They will happily commit fraud or engage in sabotage if it helps put them in a position of power.
Psychopaths have a disregard for others, impulsivity and a lack of guilt or remorse. Psychopaths become bad apples because of how these aspects interact. Psychopaths are thrill seekers and will do things impulsively if it brings them excitement. The problem is that committing fraud or sabotaging their colleagues falls into this category. And, as they have no remorse, guilt, or conscience, they have absolutely no issues in behaving this way.
There has been ample high-quality evidence to support the bad apples hypothesis. However, it only explains half of the story. While there are dark traits that make someone more likely to become a risk, there are also perfectly normal traits that contribute to this literature. After reviewing the evidence, organisational psychologists found that an employee’s conscientiousness and agreeableness were direct predictors of deviant behaviour.1 The problem is that this only provides us with part of the picture. There are millions of employees who are low on both conscientiousness and agreeableness, but this does not adequately explain the prevalence of counterproductive work behaviours.
The bad barrel: disenchantment
The forgotten half of the picture is the ‘bad barrel’; if the apple is not rotten because of the core, then it must be something about the environment it is in. To have this kind of impact, the conditions of the barrel would have to leave the employee motivated to act against his/her own organisation. The most powerful driver for this is injustice; a belief that you have been wronged. Employees who feel unjustly treated become the bad apples because they are no longer motivated to follow compliance guidelines whilst simultaneously being motivated to ‘balance the scales’ and enact revenge against their organisation or colleagues. When a secure, cyber infrastructure is operated by a disenchanted employee, the threat still remains. These employees are not inherently malicious, but have become disgruntled over time due to poor management and an abrasive culture. They resort to these types of attacks in order to rectify the inequity that they have experienced. PGI’s research with psychologists at University College London (UCL) has discovered that workplaces that foster disenchantment – a cognitive-affective response to workplace injustice – are the ones that turn normal, engaged employees into potential risks.
It is about understanding what elements of the workplace are present and are driving disenchantment. Disenchanted employees have become detached, disillusioned and disengaged as a response to poor management practices and unfair organisational processes. Professor Adrian Furnham of UCL, along with John Taylor and Luke Treglown of PGI have been researching how management practices and organisational processes promote disenchantment and prevent engagement. Their research has identified five key factors that underpin disenchantment:
■ Bullying and disrespect This is the belief that some senior people are callous, uncaring and nasty. The organisation is a place where being tough and ruthless is encouraged. Employees feel downtrodden and belittled each day as they fall victim to continuous incivility.
■ Broken promises This is all about expectations not being met, or that the organisation has not held up its end of the bargain. For some, the selection interview and the induction period are where people set your expectations about working for the organisation. They tell you what they stand for, what they expect and how things work. Employees become disenchanted when these expectations are broken.
■ Perceived inequity The idea that some people in the organisation are treated very differently from others. The hottest word at work is fair: that people are fairly assessed, promoted and rewarded. Yet, it can seem to some that loyalty, hard work and productivity have less to do with success than some other attributes, such as demography, brown-nosing, or nepotism.
■ Distrust The feeling that the organisation does not even trust its own employees. Employees grow suspicious of their managers and colleagues, questioning the genuineness of their behaviour. Employees look over their shoulder, vigilant that a colleague might stab them in the back. Disenchantment grows in two directions: managers are unwilling to let employees work without being monitored or scrutinised, while the colleagues are secretive and uncooperative.
■ Organisational hypocrisy This is the perception by the employee that what the organisation says about itself in public and even to its employees is a pack of lies. There is an inconsistency between the words, actions and decisions in the workplace. The organisation is seen as deceitful and lacking integrity. Employees become disenchanted when they realise their workplace is nothing like how it appears on the corporate brochure or website.
Our research has shown that disenchantment is a powerful predictor of who will become the bad apples and act against their organisation. It acts like a relay model; as disenchantment increases, so too does the risk of an employee engaging in abuse, product deviance, fraud and sabotage. The important aspect is that it is actionable; it is possible to identify where employees are going bad and how to remove the drivers before they cause any damage.
Taming the wolves
The bad barrel approach is not a new idea. Employee disgruntlement has frequently been cited as a leading cause for why employees go rogue and damage their organisation. But senior board members and managers have paid little attention to discovering the what, how and why of this issue. Our research into understanding disenchantment has led the way in developing a scientific and academic measure of this phenomenon and how it leads to theft, fraud and sabotage.
The barrel can have a profound impact on the apple and can even have a reversing effect. A recent study at UCL found that disenchantment (or more importantly, the lack of it) had a controlling influence over dark personality traits. Psychopathy is consistently noted to be the most powerful personality predictor of insider activity. However, when the organisation is causing little to no disenchantment, psychopathy no longer has an effect. It does not matter how ‘dark’ an employee is, if they feel enchanted at work they are no more likely to damage their company than their ‘bright’ counterparts. However, when disenchantment was high, they became significantly darker and a far greater risk. Enchantment has the power to temper the bad apples, but disenchantment has the power to exacerbate the risk.
Detecting the insider should not be a witch-hunt, but an investigation into how the organisation is inspiring resentment within its employees. There is little accountability within organisations for how or why disgruntled employees get to where they are. The reality is that insiders are often made by their environment, not born. It comes down to this: how do you know which of your employees are Red Riding Hood and which have become wolves in Grandma’s nightie? Protection against the wolves lies in rooting out the causes of disenchantment and making it right before it comes back to bite you.
1 Salgado, J. F. (2002). The Big Five Personality Dimensions and Counterproductive Behaviors. International Journal of Selection and Assessment, 10(1–2), 117-125.
Risk Management | Cybersecurity
Glyn Thoms
Executive Director, Cyber & TMT, Willis Towers Watson
Aviation risk: Cyber threat flies into the boardroom
How to mitigate the impact of cyber threats in aviation
Taking into account what has happened for a number of large, global airlines over the past six months to a year, it is clear that aviation risk is an issue that is front and centre for airline directors. Demonstrating preparedness in a volatile environment is an essential part of what is now a boardroom issue.
Interestingly, from our Transportation Risk Index (TRI), if you look down at some of the top risks across the transportation sector – and across the aviation sector, specifically – these all ring true in terms of the incidents that we’ve seen. The TRI analyses the severity of impact and ease of management of the top 50 risks facing the transportation industry by grouping them into five megatrends and examining their current impact on the sector and how this will change in the future. The increased threat from cyber and data privacy breaches, failure of critical IT systems and the complexity of increasing global data protection and cyber security regulation are all key risks, which we’ve seen come to the fore within the airline sector.
Defining the threat
Most people’s definition of cyber historically has centred around malicious attacks and malicious third parties who are intentionally trying to do bad things to your IT systems and data – that is, invoking the idea of a ‘breach’ rather than a ‘failure’. But looking at what has happened to British Airways in recent weeks and some of the larger American airlines last year, these are issues that come more from ‘system failure’ than from cyber attacks, whether that is a result of negligent acts, deliberate acts or just component failures.
These recent incidents have highlighted the fact that airlines, particularly consumer airlines, are complex logistics businesses. These ‘retailers with wings’ have exposure because they are effectively selling a product – that being getting someone from A to B – in the same way that you would sell a lot of other consumer goods. When things go wrong for these complex businesses there are huge ramifications. The actual outages and disruption that can occur can be relatively short, but the knock-on effects in terms of ongoing disruption, financial damage and reputational harm are very extensive: reports estimate that BA’s incident could cost as much as £150million. From that incident, 12,000 flights with more than 75,000 passengers were cancelled over three days – these are big numbers.
Adapt your approach
A corollary of the historical focus of cyber risk management on the threat of malicious actors is that organisational spend has largely been on technology – trying to build the wall higher to prevent people getting in. But there are a lot of exposures that can come from areas within the business that can cause the same levels of disruption. From an organisational context, this switches the way you approach cyber security and IT security: there needs to be a firm focus on incident response.
When incidents happen – whether as a result of hacking or system failure – time is critical. The cascade effect kicks in very quickly and it’s at that point that you start looking at your disaster recovery and incident response planning. Organisations in the aviation sector and beyond need to have those processes, policies and procedures around incident response to allow them to deal with these things quickly. A lot of companies have these processes in place, but the key issue is how regularly you test those systems. There is no point in having a plan unless you test it. When these things happen, you need to be confident that your plan is going to work.
Another shift in focus is occurring, moving away from technology protection that aims to stop incidents from happening, towards acceptance that incidents are now somewhat inevitable and looking at how the organisation is set up to respond. Response is largely what you are going to be judged on. That’s how the media will look at you, that’s the reputational impact. The media coverage of recent incidents, including Delta and Southwest Airlines last year, shows consumer feedback wasn’t particularly complimentary. Those stories firmly bring response and disaster recovery into focus.
Dealing with data and regulatory reform
For airlines, a big piece of the cyber risk jigsaw is built around data risk and data privacy risk. Airlines hold lots of customer information – names, addresses, passport numbers, credit card information – that is attractive to hackers. In large international airlines, there is this further layer of complexity due to operating across multiple jurisdictions and bringing into play regulatory issues depending on which territories your consumers are located in. So when you look at the cyber-risk profile for airlines, there is not only the potential impact of catastrophic business interruption caused by a cyber event, but significant data privacy issues, too.
This is particularly relevant for those in Europe where stricter regulations are either in place or coming into force. Next May the European General Data Protection Regulation (GDPR) comes into effect, so airlines dealing with customers who are EU nationals have a much stricter regulatory regime that imposes significant requirements around the way consumer data is collected, handled and processed, with significant financial consequences if you get that wrong.
Regulatory reforms are both a help and a hindrance. Take data privacy: formally legislated rules will focus the mind on the need to look at how data is collected, held and protected, and whether entities even know what data is being held. Questions then arise around whether sufficient controls and procedures are in place around that. Therefore, stricter regulations force companies who are collecting large volumes of consumer data to look at their overall approach and procedures more closely because, in the event of a breach, that’s going to be one of the areas that the regulator focusses on. When you talk of fines being levied – up to four per cent of global turnover – an airline that can demonstrate good cyber hygiene, good risk management, good recognition of risks and controls (and which responded to the incident well) would likely be judged and penalised less harshly in comparison to a company that didn’t demonstrate any of these. So regulation in itself can potentially focus a company’s thinking around how it deals with some of these issues.
Strong understanding and proactive compliance also have the potential to serve as a differentiator in terms of doing business. If consumers are confident around the way a business collects and stores their data, they are likely to be more comfortable using that business. The flip side is the increased burden that strict regulation brings for organisations implementing change to stay compliant. To some extent, it’s difficult to know whether you did the right thing until after an incident happens and an investigator decides whether your actions were right or reasonable. With GDPR there’s a lot of grey area that companies must grapple with as well, but with enforcement less than 12 months away, we have certainly seen a marked shift with our client base in those sectors that are collecting lots of customer and personal information. There is a real focus now on making sure they can justify compliance.
For consumer-facing businesses that are collecting large volumes of information, whether retailers, financial institutions or airlines, this is firmly on the boardroom agenda. As a member of the board of those companies where there is such a potentially significant exposure, you must be able to demonstrate that not only have you recognised that cyber or data is a risk for you, but that you are doing something about it in terms of protection and risk management.
Train pre-attack; communicate post-attack
Our claims data shows that workplace culture and employee engagement around cyber risk is also important to the risk profile. Building the wall higher to keep people out is useful, but neglects the fact that there are many threats from inside the wall. Negligent or deliberate acts from employees or contractors can lead to big exposure. Pre-loss, training and awareness around data and cyber security is critical, as is people buying into why this is important to the business. There is often a danger with training courses that they simply become a tick-box exercise. We continue to see a lot of cyber incidents arising from social engineering and phishing scams where people click on the link they weren’t supposed to.
The extent to which you can make employees engaged and help them understand the importance of these issues is going to infinitely improve your risk profile and reduce the potential for incident. Make sure that all employees know how to notify and escalate internally. Training and education is critical for prevention but also for responding appropriately. And remember that the method of training delivery is vital: this can’t be treated as a once-a-year, onerous compliance initiative where you pay lip service to the issue of training and then forget about it for another 12 months.
Predictability and preparedness
Volatility around the risk environment is pretty extreme in this field. Take the WannaCry ransomware attacks: ransomware is not a new threat but the 2017 attack that crippled critical systems worldwide demonstrated the extent to which this can spread so quickly – there’s no geographical boundary. If you’re looking at risk physically and trying to protect against natural catastrophes like earthquakes and hurricanes, there’s generally a blast radius which, if worse comes to worst, limits the affected area. The WannaCry incident really emphasised the fact that this can impact multiple companies across multiple geographies quite quickly from a single attack. While that had always been a threat, incidents like WannaCry can act as scenario testing for organisations. While airlines would be prudent to map out a broad architecture for incident response, you also have to accept that the nature of a new incident could be uniquely complicated and something nobody has seen before, so adapting your response in real time is the only way to counter volatility and uncertainty in the risk environment.
You also have to look at motive when talking about risk – whether that’s monetary gain, criminal hackers, activists with religious or ideological aims, a disgruntled employee with a grudge to bear, or even a negligent employee or contractor. Look at those potential threat actors and establish what they will be interested in. That level of granularity to identify threat actors, and what they’re interested in, will help you build the appropriate controls, encompassing people, process and technology, around those risk exposures.
External v. internal management of supply chain
Most airlines are reliant on third-party technology and other providers to operate their businesses. That exposes them to failures or issues with the supply chain and increases the surface area over which they can suffer attack. If airline systems are interacting with a number of third-party systems then there is the potential that that becomes an access point and creates another exposure. That digital supply chain complexity is something all companies are grappling with and there is always a discussion around whether each component part of a supply chain is something that is better managed internally or externally. You may be giving away control to a contracted third party and therefore relying on the strength of a contract if things go wrong. But if you’re outsourcing to a major technology provider, they are continually reinvesting in making sure they have resilience, protection and recovery. While exposure comes from giving access away, at present we haven’t seen it causing huge issues for companies. So, the risk is there but this is often outweighed by cost benefits and by the fact that, for the most part, you actually improve your risk profile because you outsource to a company that is better placed to perform this function.
The question is: how do you select, vet and contract to ensure a company is dealing with data and IT security in the way you want it dealt with? Have visibility on who your outsourced service providers are, how you select and monitor them and contract with them. Outsourcing is a business reality, so make sure there is visibility, rigour and control around who you contract with, beyond just looking at cost.
Cost cascade and controlling the controllables
All is not doom-and-gloom in the world of aviation cyber, however. With every incident, risk management standards subsequently improve, either through enforced regulation, or improved best practice (and investment) in recognition and preparedness.
Relative to the number of airlines and flights operating globally, incidents are not as commonplace as one would expect. It is an issue that can get exaggerated, but that’s not to say additional focus and investment is unwelcome. Incidents may be relatively few and far between, but the cascade effect of an outage and ongoing delay and disruption can be limitless. The direct impact and tangible cost impact comes through myriad factors, including loss of revenue from cancelled flights, the costs of staff overtime, of emergency practices to keep things ticking over, regulatory penalties and fines, fees for recovery assistance, legal and accountancy fees, insurance calculation time, and passenger compensation – which in some cases has been as much as €600 per delayed passenger. With up to 75,000 passengers impacted by an incident (for example through number of flights cancelled) this direct cost alone is potentially huge.
BE READY FOR TAKE-OFF Airlines need to be prepared to respond instantly to threats
Then there are intangible costs, such as reputational damage, additional regulatory scrutiny and damage to staff morale. This in turn can impact on an organisation’s ability to attract investment or to attract talent from a recruitment perspective. So, while annual reports and accounts can give an indication of what has been set aside, it is impossible to measure the true financial impact. Organisations must be mindful of new trends and track technology, as today’s outliers have the potential to become tomorrow’s norm – as we’ve seen with social engineering, a cyber threat that most companies are now exposed to. Mitigating the impact of this and other threats is easier than measuring them. Risk profile and incident response must therefore be a constant boardroom bullet point. Stay vigilant and control your controllables.
Risk Management | ESG
Alexandra Mihailescu Cichon Head of Sales and Marketing, RepRisk
Transparency: The key to risk management
Adverse public and stakeholder sentiment has prompted organisations to incorporate environment, social and governance issues into day-to-day business decisions
When the CEO of United Airlines tried to explain the treatment of David Dao, an Asian-American passenger on a flight from Chicago to Louisville, he unfortunately underestimated the power of social media. His remarks that Mr Dao had been ‘disruptive’ and ‘belligerent’, as photos on the web showed the passenger being dragged partially conscious down the aisle of the plane after refusing to voluntarily give up his seat, prompted a social media storm.
In barely 24 hours, there was an online petition demanding the CEO’s resignation, a plethora of tweets calling for Asian passengers to boycott United flights and numerous video clips and memes poking fun at the airline. Even though the airline reached a settlement with the passenger, Fortune Magazine reported that the incident had sparked a four per cent drop in the company’s share price, wiping off about $1.4billion in market capitalisation. One thing is certain: United Airlines’ reputation is damaged and the company’s plans to expand into the coveted Asian market have faced a setback. In the past, such incidents would appear on the nightly news, but rarely beyond that.
Now, with the internet and social media, information travels at lightning speed. And, non-traditional media and stakeholders – from individual customers to non-government organisations (NGOs) and activist groups to bloggers – have new communication platforms and a global audience at their fingertips. This has led us to an unprecedented level of transparency.
Power of big data
While companies may sometimes be the target of criticism, they also now have access to information that can be leveraged to shed light on risks in their business operations – and many do. Information from media and stakeholders external to a company, including NGOs, governments, regulators, and social media, can provide valuable insight and serve as a ‘reality check’ to what the company itself is reporting. For example, a company may have a human rights policy, but what do the sources on the ground report? More than 150 financial institutions and corporates use such data to flag and monitor ESG risks in their business, investments and supply chain – and to reduce blind spots that can turn into reputational, compliance or financial risks. The next challenge is to raise awareness of ESG issues and risks at the boardroom level. Senior management needs to understand that ESG violations can cause not only reputational damage, but also serious financial risk, including loss of access to capital, regulatory fines and even criminal proceedings. The now defunct British Home Stores (BHS) was a pillar of society in the UK, but its public image of respectability
obscured fraudulent behaviour by its former owners, Sir Philip Green and Dominic Chappell, who are being investigated by liquidators to determine whether they breached their duties. In April 2016, BHS went into administration, causing 11,000 job losses and leaving a £571million pension deficit. A parliamentary committee inquiry into its failure concluded that BHS had been systematically misappropriated by its directors. Following a public outcry, Mr Green agreed to pay £363million into the company’s pension scheme. Various international and national institutions, including the UN Global Compact, have already called for the role of the board of directors to be strengthened to ensure that the board is driving a company’s sustainability efforts. In the UK, since October 2015, the Modern Slavery Act has required boards of companies carrying out operations in the UK and that have a turnover of at least £36million to approve and publish an annual slavery and human trafficking statement.
Investor engagement
In early 2017, the OECD released its ‘responsible business conduct for institutional investors’, which encourages investors to engage with a company’s board of directors on the matter of business conduct risk (also referred to as ESG risk) whenever adverse impacts related to ESG issues have been identified. The document further states that part of a company’s fiduciary duty, for which boards carry responsibility, is considering long-term value drivers that also include ESG issues. In February 2016, the guidance document entitled Human Rights: Expectation Towards Companies, released by Norges Bank Investment Management (NBIM), which manages the assets of the Norwegian Government Pension (the world’s largest sovereign wealth fund), stated: “Boards should understand the broader environmental and social consequences of business operations, and must set their own priorities and account for the associated outcomes.” Examples such as these clearly show shareholders increasingly expect the topic of sustainability to be an integral part of business strategy and decision-making at the board level.
Despite these wide-ranging initiatives, only 22 per cent of respondents to a survey conducted in 2015 by MIT Sloan Management Review, in partnership with the Boston Consulting Group and the UN Global Compact, confirmed that their board of directors was engaged in sustainability efforts. The research indicated that board members have little awareness of the increasing materiality of soft and hard law requirements relating to environmental and human rights issues. The authors of the study concluded that board members who fail to consider sustainability issues can be perceived by stakeholders and the public as negligent.
Interestingly, it is financial institutions that have been ahead of the game – many global banks have had policies, processes, and tools to manage and mitigate such risks for more than a decade. More recently, non-financial corporates have started looking closer at their supply chain after a series of tragedies and scandals brought to light the huge challenges in this area. For example, in the months that followed the 2015 revelations of slave-like working conditions at the Shirebrook warehouse, Sports Direct was removed from the Financial Times Stock Exchange (FTSE) 100, the company had to pay back £1million to workers and its shares reportedly fell 59 per cent from August 2015 to August 2016, after it was found to have been paying less than the minimum wage.
RISKY BUSINESS Companies need to engage more deeply on ESG issues to avoid embarrassing mistakes
Responsible investment
I am optimistic, however. Shareholders are beginning to favour good ESG risk management and corporations are discovering that business conduct in line with international standards protects their bottom line. Young people are searching out socially responsible employers, ethically sourced goods, and sustainable investments. Activism will continue to grow and NGO campaigns have already led companies to reconsider their business decisions. For example, many banks have withdrawn financing from controversial activities or projects, such as mining near the Great Barrier Reef or the Dakota Access Pipeline. Consumers and shareholders are increasingly concerned about garments produced in sweatshops or production processes that cause animal suffering. The higher the stakeholder engagement and the higher the levels of transparency, the more companies will work towards fully embedding ESG issues into their daily operations and compliance and risk management systems. And we all benefit from that.
Global News Asia & Australasia
More women on SGX-listed boards
Women’s participation on boards of all Singapore-listed companies has exceeded 10 per cent for the first time, according to the Diversity Action Committee (DAC). The biggest improvement came at the top 100 largest SGX-listed companies, with the share of women on boards rising to 12.2 per cent from 10.9 per cent six months ago. Of these top 100 primary-listed companies, 24 have at least 20 per cent women’s participation on boards, 40 are gender-diverse with less than 20 per cent women and 36 are all-male. DAC’s chairman Loh Boon Chye said: “It is encouraging to see our larger companies taking the lead in increasing diversity by appointing women on their boards. We strongly encourage the remaining 76 companies who have not yet achieved 20 per cent women’s participation to act. Appointing one woman each would get the top 100 companies to 20 per cent.”
Infosys co-founder rues departure
Infosys co-founder NR Narayana Murthy has said he regrets quitting as chairman of the software company in 2014. Murthy has recently been embroiled in an acrimonious battle with the Infosys board and current management, led by Vishal Sikka, over corporate governance issues. Earlier this year, Murthy questioned if large severance payments to departing employees (particularly ex-CFO Rajiv Bansal) constituted ‘hush money’ and bemoaned what he described as a ‘concerning drop in corporate governance’ at the company. In an interview with CNBC TV18 in July, Murthy said: “A lot of my founder colleagues told me not to leave Infosys in 2014, to stay a few years… A lot of my decisions are based on idealism and probably, I should have listened to them.”
Responsible investment on the rise in Australia
Ethical investment funds are outperforming their average mainstream counterparts year on year in Australia, the latest Responsible Investment Benchmark Report 2017 has found. Ethical, or responsible, investments have more than quadrupled over the past three years to AUS$622billion, with nearly half (44 per cent) of Australia’s assets under management now being invested through some form of responsible investment strategy. This includes negative screening, impact investing, sustainability themed funds and the integration of environmental, social and governance considerations. Simon O’Connor, CEO of the Responsible Investment Association Australasia, said: “Responsible investors are increasingly focussed on investing in the sectors that are rapidly becoming the sustainable backbone of our future global economy.”
Chinese firms enjoy ‘honourable’ accolades
Chinese companies are doing better in upholding corporate governance standards and engaging with investors, according to the 2017 All-Asia Executive Team Honored Companies Survey. The survey by international financial publication Institutional Investor collated opinions from portfolio managers and analysts at 2,510 companies across Asia. Three Chinese mainland companies – CSPC Pharmaceutical Group, China Medical System Holdings and 3SBio – secured the top three spots of ‘most honoured companies’. The top six companies in the internet sector all hailed from the Chinese mainland. Will Rowlands-Rees, managing director of Institutional Investor Research, commented to China Daily: “The results are not surprising as China continues to open up its markets and Chinese companies’ efforts to be transparent and trustworthy for domestic and international investors alike are being recognised.”
Japanese firms reluctant to boost shareholder returns
Less than a third of Japanese firms plan to boost shareholder returns this financial year although nearly half have seen cash on hand climb, according to a Reuters poll. The Reuters Corporate Survey found 69 per cent of companies plan to keep shareholder returns flat this year and only 29 per cent plan to boost them. Two per cent plan to cut returns. Almost half of Japanese firms said that cash on hand had risen in the past financial year, which they intend to use on capital spending. Prime Minister Shinzo Abe has urged companies to either return more to shareholders or boost capital spending as part of a drive to improve corporate governance and make Japanese companies more attractive to foreign investors.
Regulatory & Compliance | Anti-Money Laundering
Samantha Sheen
AML Director Europe, ACAMS
Oversight of AML: Time to take notice
Boards need to demonstrate their awareness of and responsibility for detecting and preventing money laundering
The last two years have seen significant changes across the globe, not only in relation to anti-financial crime regulation but also in terms of increased public interest and support for the disruption and prevention of financial crime.
Whether it’s bribery and corruption, economic sanction circumvention, money laundering or tax evasion, the world is seeing one of the most significant periods of change in the area of anti-financial crime. And this is accompanied by an increasing focus by regulators, the press and NGOs on boards (and equivalent bodies) and the oversight of their organisation’s anti-money laundering (AML) compliance frameworks.1
Boards and AML frameworks
I previously headed the financial crime team for a financial services regulator, where our activities included onsite examinations and enforcement of the local AML regulations. As part of those activities, we made it a point to interview both executive and non-executive directors about the organisation’s AML compliance framework. In a handful of cases, where enforcement action was taken for non-compliance with those regulations, one of the more striking aspects was the perceived abdication of responsibility by some board members from actually understanding their business’s AML risks and how these were being mitigated. Despite colourful pie charts and spreadsheets of comparative data, some board members could not explain whether the information in the compliance reports they received told them that things were ‘good’ or ‘bad’. In other words, they were not able to discern from these reports whether the AML compliance framework was operating as it should or whether concerns were identified that required immediate attention.
Regulatory expectations
Some regulators have attempted to increase board engagement around financial crime by issuing guidance or best practice examples. Earlier this year, the Department of Justice in the US issued further detailed guidance on the types of questions the regulator will examine where suspected non-compliance has taken place. Although most regulated firms will be familiar with many of the questions listed, they illustrate the regulator’s clear expectations of the board. The list illustrates that in order for a board to effectively oversee a compliance framework, it requires a significant degree of transparency about the ‘nuts and bolts’ of that framework, how it is resourced, the expertise of personnel and the overall environment and attitude of senior management to applying the framework and dealing with non-compliance.
Regulators are increasingly prepared to take board members to task for failing in their oversight duties, whether it’s in relation to AML-specific or compliance frameworks more generally. Although their decisions are not always published or issued as public statements, there have been a number of unreported instances where regulators have required that individual board members resign or have been prohibited from holding board positions for a period of time due to their failure to effectively oversee their organisation’s compliance framework. Boards should, therefore, be under no illusions that regulators are not prepared to take board members to task where compliance frameworks have been found wanting.
KEEPING CLEAN Regulators are prepared to take action against boards who ignore their oversight duties
How boards can misunderstand AML risks
In order to oversee and form a view about the effectiveness of an AML compliance framework, board members must first be confident in their understanding about the factors that make up an effective framework. I often hear individuals talk about the lack of demonstrable knowledge that their boards show about AML requirements and how their compliance framework incorporates them. At times, there also appears to be a limited understanding by some board members of what the ‘risk appetite’ of the business is (i.e. how much business with high-risk AML traits the organisation is prepared to take on, given the compliance costs and risks involved) and how this is incorporated into the compliance framework.
I think there have been a number of reasons for these perceptions. One reason is the ‘bad news gets no views’ approach to AML compliance board reporting. This is where considerable time is spent by those who write, review and sign-off on AML compliance board reports to remove, downplay or re-characterise deficiencies, regulatory breaches and other problems. In some cases, a high degree of sensitivity over potential regulatory scrutiny of these reports (i.e. during an onsite examination) has resulted in more effort being thrown into avoiding mentioning bad news rather than in providing the board with the full picture. This, in some cases, has led to board members and, in particular, non-executive directors, being given a false sense of assurance that the AML compliance framework is working as it should.
Another reason for this is a perceived lack of board ownership over AML compliance reports. In these situations, the AML compliance function appears to be deciding what information the board needs to receive. The problem here is that what the AML compliance function thinks the board needs to know may not necessarily align with what the board members themselves actually need to know in order to fulfil their oversight role effectively.
Empowering the board to provide effective oversight
Clearly, board members do not want to be left in the dark when it comes to AML risks and how they are being mitigated by the organisations they oversee. Equally, boards do not want to be lulled into a false sense of confidence because they are not receiving the right information. So, what might be a starting point? The first is one that has been mentioned many times in the past – the tone at the top. Board members should take pause and consider whether past dialogue with the AML compliance function has encouraged a complete and transparent dialogue around framework deficiencies. While regulators expect the heads of AML compliance functions to have direct access to the board, board members should consider how often those interactions have taken place and whether it has included the canvassing of potential AML risks or concerns.
But in order to have a meaningful dialogue, an up-to-date level of AML knowledge is essential. So, the next step might be for board members to request a practical briefing from the AML compliance function on the AML regulations that apply to the organisation and, in particular, the specific obligations identified in those regulations attributable to the board. Next, a level of awareness about the AML compliance framework adopted by the organisation and who across the various lines of business is accountable for ensuring that the framework is applied.
And finally, board members might consider the reports they receive and the information in them. Look at the most recent AML compliance report and ask: Why is this information being provided to the board? How does this help the board to understand whether the AML compliance framework is effective? How does this help the board to identify new or evolving AML risks? What additional/different information might assist the board to better understand these matters?
Possible questions to ask in the future
With the many regulatory initiatives underway, such as the transposition of the 4AMLD here in Europe, now may be the time for boards to refresh the way in which they fulfil their AML oversight obligations. By having a firmer grasp on the practical aspects of AML requirements, board members can start to learn how to ask the right questions. Because, without understanding the basics, boards are at risk of being drowned with unhelpful bar charts and data in reports that fail to clearly indicate underlying AML risks, both regulatory and operational, for their organisation.
The following are some high-level examples of the types of questions and information that board members might consider requesting about activities that form a part of their organisation’s AML compliance framework:
■ Introduction of new AML regulatory requirements
What are the key requirements that have been introduced? What are the options to incorporate these changes into the existing AML compliance framework? What impact might those options have on day-to-day operations? Can existing controls or measures be capitalised upon to incorporate these changes? What is the roll-out plan and estimated time of completion?
■ AML compliance framework
Has an AML risk assessment of the business been undertaken? How are the results incorporated into the organisation’s AML framework? What methodology is used to classify activities as ‘high’ versus ‘low’ risk? What are the operational consequences of classifying activities or customers as high risk? Based on the assessment’s results, what is the risk appetite of the business (i.e. at what point are we prepared to say ‘no’ to taking on a customer/new business relationship)?
■ Customer risk profiles
What sector of the organisation’s customer base is classified ‘high-risk’? Are they concentrated in one or two particular lines of business or spread evenly across the organisation? How often are these classifications reviewed to ensure they remain accurate? Has the proportion of high risk customers changed over time due to the introduction of new products, services, geographic sales targets?
■ Know your customer (KYC) remediation projects
What problem is the project designed to resolve? Is this the most effective way to resolve the problem? Who ‘owns’ the project? What controls are in place to ensure that activities associated with higher risk customers are reviewed where KYC about them might be deficient or inaccurate? What additional regulatory concerns have been identified while the project was underway and how are these being managed?
■ Assurance activities
How is the effectiveness of the AML compliance framework assured? Which function in the organisation performs these activities? How are the results reported? How are recommended follow-up actions assessed for appropriateness? How are follow-up actions tracked to ensure their timely completion?
Conclusion
The next few years will see a significant amount of regulatory change that will most certainly impact upon organisations’ AML compliance frameworks. The role of the board will prove to be an integral part of ensuring that these changes not only receive strong support from the top, but that they are appropriate for the business and effective in achieving regulatory compliance and mitigation of financial crime risks. Enhancing the board members’ knowledge of AML requirements will bolster their ability to ensure that the board receives the information needed to make informed decisions about the organisation’s AML compliance framework. Taking greater ownership around the reporting it receives also sends a strong message to the organisation as a whole that the board truly takes its oversight role in this area seriously.
1 For the purposes of this article, the term ‘AML compliance framework’ includes the organisation’s anti-financial crime-related policies, procedures and controls.
Regulatory & Compliance | GDPR
General Data Protection Regulation: Are you ready?
What is GDPR and what does the EU’s new data protection regulation mean for your company?
Next year’s enforcement of the EU’s new General Data Protection Regulation (GDPR) will place concerns for data privacy and IT security firmly at the top of the board and management’s agenda. The board and executive management will be held responsible, and regulatory breaches and non-compliance may cost the company dear. If you are sitting there thinking ‘GDPR what?’ and wondering what it means for your organisation, then you are not alone. A survey by Symantec revealed that as many as 96 per cent of the respondents, all decision-makers from France, Germany and the UK, did not fully understand what the GDPR is and what it will entail.1 In this case, there’s not necessarily any consolation in being in the same boat as most European decision-makers. The legislation comes into force in May next year, so it’s important to be prepared in order to avoid the risk of huge fines – up to four per cent of gross turnover.
GDPR will place concerns for data privacy and IT security firmly at the top of the board and management’s agenda. Is your board properly prepared?
So, where to start? A good place to begin is by getting an overview of the issue – of what the EU’s new data privacy regulation involves and what is new in the GDPR. Here are a couple of things everyone should know:
Christian Petersen
Chief Executive Officer, Admincontrol
What is the GDPR?
The General Data Protection Regulation is the new data privacy regulation for EU and EEA member states. The GDPR replaces the EU Data Protection Directive from 1995 and comes into force on 25 May 2018. The existing legislation (the Data Protection Directive) is outdated in a number of areas and does not adequately cover how data is collected, stored and processed in our digital age. The GDPR is designed to close these gaps and strengthen the individual’s data privacy and control over the use of their data. Unlike its predecessor, the GDPR is a regulation, not a directive, which means that the EU will now have a single common law and there will no longer be supplementary laws and special schemes in the individual countries. It will apply to any company, inside or outside the EU, handling EU citizen data.
What is changing with the GDPR?
The GDPR will lead to:
■ An increased focus on data privacy – concern for data protection must be a built-in ‘default setting’ in systems and services
■ A requirement for documented and intelligible consent and accompanying privacy policy – there must be no doubt about what is being consented to and its presentation must be appropriate for the target group: for example, if the service is aimed at children and young people, the provisions must be easily intelligible and accessible to this group
■ An increased focus on risk and more stringent consequences for infringements of data privacy – including notification (within 72 hours) of a breach – to both supervising authorities and data subjects who have been, or are believed to be, affected
■ Many enterprises will need to have a dedicated data protection officer
■ Regulatory breaches can lead to huge fines
A breach of the GDPR could cost your company dear: fines of up to four per cent of gross turnover or €20million. There are various factors that contribute to the level of fines, including the degree of liability and repeated infringements. Which rules have been transgressed will also affect the level of fines. Board members risk being held personally responsible if they have not ensured that the enterprise has adequate measures and routines in place (and the measures must also be documentable).
EUROPE’S PRIVACY REGULATION CHANGE The EU’s new data privacy rules come into force on 25 May 2018
New role: data protection officer (DPO)
As a result of the GDPR, many enterprises will now need to appoint a data protection officer (DPO). These include:
■■ Public-sector organisations (with a few exceptions, such as the courts)
■■ Enterprises whose core activities involve regular and systematic monitoring of people on a large scale
■■ Enterprises whose core activities consist of processing sensitive personal data on a large scale, or personal data relating to criminal convictions and offences
Core activities can be defined as key functions for achieving the organisation’s objectives. These also include all activities where data processing is a central aspect of the data processor’s or the data controller’s work. For example, processing of health data, such as medical records, will be considered a core activity of a health enterprise and a DPO will therefore be required. Support services, such as IT support and a payroll register, are necessary for a company, but are normally considered supplementary functions and not core activities.
The GDPR does not define what ‘large scale’ entails, but Working Party 29, which acts as the EU’s advisory body for data protection, has issued guidelines showing what constitutes ‘large scale’. It includes the following factors:
■■ Number of persons registered either as an exact number or as a proportion of a population
■■ The volume of data and/or the range of different data items being processed
■■ The duration or permanence of the processing
■■ The geographical extent of the processing
The DPO can be an employee of the organisation or an external resource employed under a service agreement. The GDPR requires that the DPO must be located within the EU, but in other respects the organisation itself may assess where best to locate the role. It is, however, important that the resource has comprehensive knowledge of privacy and applicable legislation. A law firm might, for example, act as a DPO for several companies under agreements with each individual company. The DPO must have an independent role, with the primary remit of monitoring compliance with the GDPR. The DPO will advise and inform employees and management and be a point of contact between the data protection authorities and the enterprise. The DPO will report directly to executive management (and/or the board).
What is personal data?
The GDPR defines policies for how to collect, store and process personal data. What does the term ‘personal data’ cover? The EU’s definition is: personal data is ‘any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified directly or indirectly…’.[2]
Article 25 of the GDPR talks about ‘data protection by design and by default’ and establishes that data protection must be built in to the functionality of systems. This has major implications for the entire business process, from planning and product development to actual business operations. The GDPR requires that you have a privacy policy that is easy to understand and readily accessible. Among other things, this means that enterprises must:
■■ Have an overview of all personal data processing in their organisation
■■ Be able to document that they have obtained consent from their users
■■ Provide users with a list of their data and privacy settings
■■ Give users the right to be forgotten/deleted and to have their data transferred to other entities on request
■■ Assess the risk and privacy consequences of processing personal data
How to start the conversion to built-in privacy?
Step one is that all companies must obtain an overview of how they use personal data today, and how they plan to use it in the future. It is also important to be aware that this is not a one-off exercise, but a permanent, long-term commitment. So, it’s important to instil good routines right from the start.
[Image: Privacy process – organisations must provide policies that are easy to grasp]
Some final advice for you
■■ Be sure to have good documentation of the considerations that have been made
■■ Conduct regular reviews based on technological and regulatory developments
■■ Choose appropriate suppliers and partners, and make sure that adequate deals are in place. When using suppliers outside of the EU, model clause agreements are recommended
■■ It is important to have good control of customer data: access control, routines, suppliers, etc
■■ For organisations with offices in more than one EU/EEA country, determine which office will serve as the leading computer authority
■■ Have a plan for how to handle data requests and how to deliver data back to the owner in an available format
[1] https://www.slideshare.net/symantec/symantec-state-of-european-data-privacy
[2] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52012PC0011