Financial pundits are asking why big corporates failed to anticipate the economic meltdown. Hindsight may be a wonderful thing, but companies' boards must take some responsibility, says David Wilson. Now is the time to get the right dynamics in place.

Since the beginning of the financial crisis, commentators have questioned why organisations were unable to anticipate the events which unfolded a year ago. The finger of blame has been pointed at directors, shareholders and non-executive directors and at the corporate governance framework itself. But it is evident, with hindsight, that the dynamics of the boardroom itself have been a major contributory factor to the crisis. How much the board delegated to their committees, whether or not they asked the right questions or evaluated the company’s risk appetite effectively, has had an enormous effect on how well companies have weathered the storm.

Earlier this year, the UK Institute of Chartered Secretaries and Administrators (ICSA) embarked on a survey of boardroom behaviours with the company secretarial community operating in boardrooms across the UK to determine the driving principles of best practice in boardroom behaviour. The report based on the findings was then sent to Sir David Walker and to the Financial Reporting Council, both of whom noted many of its key points in their recently published reviews on the Combined Code and corporate governance in UK banks.

Despite the importance of these and other considerations, it is remarkable that there is practically no guidance in the Code on the main drivers of, and factors affecting, boardroom behaviours. While we consider it may be undesirable, even unhelpful, to prescribe appropriate behaviours by legislative provision, supported by penal or regulatory sanctions, we nevertheless consider that it is possible to formulate guidelines on the behaviours to be expected of directors when discharging their duties to the company. ‘Getting the best out of the board’, and encouraging best practice boardroom behaviours, are critical aspects of corporate governance, but seem currently to be a neglected area.

As matters stand, it is ICSA’s view that the absence of guidance on appropriate boardroom behaviours represents a structural weakness in the current system. It is possible that, had some guidance already been in place and conscientiously observed, some of the subsequent failures in corporate governance would have been less pronounced, and their consequences less severe. In any case, prevention of a recurrence of the events of the last year is at least partly dependent upon more robust guidance on boardroom behaviours being incorporated in the UK Combined Code on Corporate Governance.

A flexible approach

We continue to support fully and unequivocally the principles-based ‘comply or explain’ model of corporate governance over rules-based regulation. The more flexible approach created by this system, when it is properly implemented, allows companies to tailor governance to their specific and changing needs and permits a greater speed of response to developing circumstances. By its very nature ‘comply or explain’ should encourage companies to give governance matters full consideration; and where it is properly implemented, to change behaviours and create a framework for effective external challenge.

A rigid rules-based system would force companies into a ‘one size fits all’ framework of governance, unlikely to achieve appropriate outcomes for all companies, but resulting in increased costs of compliance and of addressing unintended consequences. It would also result in less informative explanations, driven by a ‘box ticking’ mentality in order to comply with the letter of the law rather than the spirit of properly applied principles.

Board support

Sight has been lost of the key responsibility of the board, which is to look after the interests of the investors in the company. Legally, a director must exercise independent judgment, and reasonable care, skill and diligence in the performance of his or her duties, and must act to promote the success of the company for the benefit of its shareholders. As one commentator has it, the board is not ‘one step up from management’; rather it is one step down from the shareholders. The board’s role is to appoint the chief executive; critically appraise the company’s business plan and the strategy for its execution proposed by the chief executive and his or her colleagues, and monitor performance against the plan and objectives.

The board appoints the chief executive and should critically appraise his or her business plan and the strategy for its execution. The board, acting collectively, must monitor the company’s performance against that plan and its objectives. In order to do that effectively, the board should – as stated by the UK’s Turnbull Committee in 1999 – determine the nature and extent of the risks facing the company, and the extent and categories of risk which it regards as acceptable for the company to bear. The risks to be considered include financial, operational, macro-economic, environmental, legal, regulatory, reputational and product-obsolescence risks, amongst others.

This process is necessary for protecting the company’s assets and the shareholders’ investment, without which it is difficult for directors to discharge their legal duty to act in a way that they honestly believe will promote the company’s success. In the run-up to the recent crisis, the boards of banks and other mortgage lenders failed to enquire about a number of the risks their organisations were assuming.

The board should be satisfied that there are processes in place within the business to eliminate risks regarded by the board as unacceptable, and to manage other risks deemed acceptable. This is about the board of directors – the stewards of the company’s assets – understanding the principal risks, and the consequences if those risks should materialise.

The failure to tackle risk at the appropriate level has been exacerbated by the trend of placing too much reliance on, and too much faith in, board committees – at the expense of the role of the board. There is an assumption in too many boardrooms that as long as one of the board committees, whether an audit or risk committee, has looked into a particular issue – such as reviewing the company’s system of internal control and its management of risk – the other directors can be taken to have discharged their responsibilities for critically appraising the principal risks to the achievement of the business plan. There is anecdotal evidence that in some companies the only attention given by boards to risk is a passing nod when receiving the annual, and brief, oral report from the chairman of the audit committee on its review of the effectiveness of the company’s system of internal control.

The board as a whole, mindful of the possibility of the aggregation of risks, should categorise the types of risk which are acceptable for the company to bear in pursuit of its business objectives. Those which should not be tolerated, either at all or subject only to certain specified restrictions, having regard to the business objectives of the company, should be identified. Upon becoming aware of any infringements of the policy, executive management or the company’s risk manager should report them to the relevant oversight committee chairman, or company chairman, who should arrange for a full report to be made to the board at its next meeting on the infringement and any corrective action taken.

Circumvent the glass ceiling

The glass ceiling which often discourages or even stops risk (and other) managers talking directly to the board has to be circumvented. To improve the understanding of the business by directors and therefore the risks faced (remembering that executive directors may not themselves be appropriately familiar with all operations), directors, but non-executives in particular, should be encouraged to make visits within the business, which are not ‘stage-managed’ by executive directors, to facilitate interaction by the non-executive directors with the business managers below board level and to enable direct relationships to be fostered.

Corporate governance codes should encourage the embedding of risk analysis within business objectives and strategy. On the basis of appropriate advice from the company’s duly qualified or experienced risk manager and, where necessary, external professional assistance, the board should be responsible for agreeing the risk parameters within which the company should operate. This is a matter for the board acting collectively: it is not one that can properly be delegated to a board committee, even if a risk committee exists and can advise the board in matters of detail, and even if an audit committee undertakes the review of the effectiveness of the company’s system of internal control.

This does not mean that governance codes should in any way discourage risk taking per se; rather that the extent of the risks taken should be agreed by the board, as stewards of the owners’ assets. The board should not only review the matter of risk on a regular basis, perhaps at least quarterly, possibly at every board meeting, but also should set out its policy clearly so that this can be implemented by management on a day-to-day basis, possibly subject to continuing oversight by the risk manager. Management’s implementation of, and compliance with, the board’s policy on risk, should be subject to regular review.

By ending the indirect and passive relationship between the board and risk, companies will be able to adopt a much more strategic approach to risk management as a whole. With the economy on the road to recovery, investors will be seeking out organisations which can demonstrate both their capacity to manage risk effectively and a commitment to delivering long term value rather than short term gains.