United States: Corporate Governance: Five „Worst Practices“: 15 June 2010 / Article by Daniel Hurson. In the ever-expanding universe of corporate governance and compliance, we are constantly reading of „best practices“ recommended by one expert or another. They tend to be somewhat sterile, repetitious, and obvious. A book full of such insights, while important, can be a very dull read.
It is certainly true that company executives or managers who zealously follow „best“ practices will become better at their jobs and help their companies, and if properly documented by those individuals such sterling habits can promote bonuses and career advancement. We are not here to denigrate that which has been declared „best.“
But let’s be honest, it’s much more interesting to read about the seemingly endless number of screw-ups, acts of misfeasance and malfeasance, scandal, and downright stupidity that has in recent years characterized many corporate actions. How did they make such errors, we ponder, and are amazed at what they failed to see coming and how badly they handled it once it hit. Depending on how honest we are with ourselves, our reaction is usually either „I would never make such a mistake“ or „there but for the grace of God go I.“
In that somewhat contrarian spirit, I present my short list of „worst practices“ in corporate governance and compliance. My list is not exclusive by any means, and may reflect heavily on my background as a lawyer, with prior prosecutorial stints with the DOJ and SEC, and as an in-house lawyer for a large public company. After reading mine, I encourage you to write one for yourself, draw upon your own experiences, and be honest. In the process, take a hard look at your own company and the challenges and risks it faces today, and see if you can’t identify a „worst practice“ or two in your organization. Here’s my list:
Worst Practice One: Always Believing „The Smartest Guys in the Room“
In business, as in life, we are constantly reminded that there is always someone around who is just plain smarter, more articulate, or successful, than we are. Often they are better looking too, which will usually explain everything. Those types generally seem to know it, live it, profit from it, and probably flaunt it. In the business world, they often become CEO’s, influential board members, rising stars, consultants, experts, gurus and in general exporters of influence and advice. Many corporations retain them, promote them, and routinely follow their advice. Sometimes they are viewed as comers and you just want to be on their team. Sometimes they are hired to provide bulletproof CYA insurance for managements and boards of directors. Painful as it may be, they are sometimes right (maybe some of them really are smarter) and should be followed. But sometimes they are wrong, and companies follow them right down the path to terrible consequences.
How too many times have you been in a meeting, read a report or otherwise had to defer to the supposed wisdom from such folks, and felt like saying „that’s just a bunch of [supply expletive].“ You have seen wide-eyed board members misled, confused or bowled over by such folks with presentations and reports which you know are misleading, self-aggrandizing, or just flat wrong. How often has your company hired expensive supposed experts to tell it something that sounds impressive but just doesn’t sit well with you? You firmly believe you know more than they do, and want to speak up or reply, but you are intimidated, unsure, or unwilling to stick your neck out. Just like in grade school, the safe route is to keep silent, don’t raise your hand, and see which way the wind blows.
How many recent corporate governance disasters can trace their origins to such dumb acts of personal timidity and self-preservation? How many smart people in so many places knew that home loans were being made to people who could not or would not repay them? We all know now how such selfish „head in the sand“ avoidance cumulatively led to an enormous, world-wide financial disaster which almost certainly could have been avoided. Most recently, how many smart engineers, technicians or scientists knew there was something wrong on the BP drilling platform, or more broadly knew the company (or the industry) had not sufficiently anticipated, quantified or prepared for the risks of deep water drilling, but chose not to speak up?
What is it at your company that’s being driven by the „smart guys“, or the hired guns, that you think is wrong-headed, misguided or just plain reckless? How long will you be content to stay silent? Being able to say „I should have told you so“ is not very satisfying after your company fails or worse, kills someone. This attitude is my nominee for the first, and perhaps most insidious yet easiest avoided, of the worst practices.
Worst Practice Two: Allowing Strategic Planning and Risk Management to Become Problem Avoidance
In business, as in life, there are certain problems that stare us in the face, are not going away, and must be dealt with despite the near certainty of painful consequences if they are dealt with directly. Conversely, for most problems in business, as for some (but not all, in life) there is usually a solution, however difficult. The „worst practice“ is papering it over, studying it, deferring it, or ignoring it. I call this „problem avoidance.“ I would venture to guess you are experiencing it right now in your company. Make an „honest“ list just for yourself: column one, the problems; column two, how to fix them (in six words or less); column three, what is been done about it right now; column four, how you think it’s going to come out.
If you find that your organization is doing nothing about the problem(s) on your list, you have a problem. Your company is reckless, stupid or both. If it is aware of the problem and is addressing it with some committees, or outside consultants, waiting for some future event which may never happen, or just waiting for the next fiscal year, you are probably already in trouble. Ditto if you identify good „fixes“ that are not being implemented right now, have been deemed too expensive, or have been studied before without resolution. If the „problem“ is the presence in your organization of a toxic individual, how long before they do something very destructive? In short, what might look like a „best“ practice, addressing a strategic issue in some deficient manner, may just be a „worst“ practice—problem avoidance with no resolution in sight.
Worst Practice Three: Denigrating, Underestimating, or Infuriating Regulators
In a world in which the government has become such a pervasive regulator and overseer of every facet of business activity, it is astounding that so many otherwise smart, seemingly well run organizations continually get themselves in trouble with the government. Some of these confrontations end quietly, with a reprimand or fine, maybe a one-day story in a trade publication. Others fester into full blown disasters, involving at a minimum fines and bad publicity, and at worst, criminal investigation and sometimes prosecution of individuals. Most end somewhere in between, but the result is never very good. Shareholder funds get spent needlessly, market value is diminished, reputations and careers are harmed, and sometimes people, or the environment, are injured.
Upon closer examination, many of these situations need never have happened. Some companies and their managements simply view their regulators as hacks who must be tolerated, and any time they can be thrown off the scent, misled, or delayed in doing their jobs, is considered a victory. Sometimes the company tries to cooperate, explain, or compromise, but falls short because someone is caught playing fast and loose with the regulators, which may consist of as little as dragging out responses to questions, misleading them on some seemingly minor matter, withholding documents in an investigation, taking an overly technical or legalistic position known to infuriate the government, or making a dumb statement to the media (see, e.g. „I want my life back“ Tony Hayward, BP, May 2010).
Sometimes the mistake is well intentioned, and may for legal reasons be the most protective, but not in the context in which it is employed. For example, companies lately seem to be sending representatives to congressional hearings who are not well prepared, are personally clueless about how politicians function, or are so over-lawyered and fearful of admission of some liability they can barely state their names. The auto execs who flew in to Washington last year on their private planes while looking for billions in handouts come to mind, as do the BP, Transocean, Halliburton trio of pathetic finger pointers dragged before congress in the Gulf oil spill debacle.
Johnson & Johnson, a venerable company with a huge stake in brand protection, has recently been accused by a congressional committee chairman of frustrating his committee’s investigation into the recall of children’s Tylenol and other medicines. The possibility of criminal penalties has even been raised. Misinformation and delaying tactics have been used, says the Chairman of the House Committee which oversees the company. Of course the company sees it otherwise, pointing to thousands of pages of documents provided.
The Chairman, however, says he is troubled by discrepancies in statements made to the committee staff and at hearings, which may be contradicted by company documents. In appears that these issues may have simply involved which plant was making certain products and actions taken by a subcontractor without Johnson’s knowledge. But the distrust is there, the seed is planted and tends to grow into further investigation, and the story rates the front page in the New York Times business section.1
These missteps have a common thread: lack of appreciation of the power of the government to react harshly, even if unpredictably, unreasonably, or in error. The organization that plays around the margins with its regulators, or allows itself (rightly or wrongly) to be perceived as standing in the way of the regulator’s inquiry, being less than totally transparent, or of displaying a deaf ear to the public interest (at least as seen by the regulator), is committing a „worst practice.“ Once done, it is hard to repair the damage.
Worst Practice Four: Investigating, Documenting, and then Ignoring Problems
We live in the golden age of the internal investigation. The government wants corporations to investigate themselves at the hint of any impropriety. Typically the investigation is done by a law or consulting firm and then turned over to the SEC, DOJ or whoever is the appropriate regulator. Credit is usually given for a full, prompt, and honest report. Such reports, sometimes called internal evaluations, have in one form or another been done for years, even before they were routinely demanded by and given to the government. Boards of Directors and general counsel like to have them written, even if they get filed away, to show they are doing their jobs.
While such reports and evaluations, together with the usual set of recommendations, are presumably read, discussed at high levels, and some action may or may not be taken, the issues raised often persist, inadequately addressed, if addressed at all. Some investigations and reports, as time passes and personnel change, are more or less forgotten. A recent example is a report done by a law firm years ago for Wal- Mart. The company, according to a recent New York Times article2, had hired the firm „to examine its vulnerability“ to a sex-discrimination suit. The 1995 report allegedly found „widespread gender disparities in pay and promotion at Wal-Mart and Sam’s Club Stores.“ The lawyers are said to have concluded that without significant changes, Wal-Mart „would find it difficult to fashion a persuasive explanation for disproportionate employment patterns.“ Wal-Mart has now called the report „deeply flawed“ and „stale.“
Inevitably, a massive class action sex-discrimination suit was filled in 2001. The long forgotten report was recently leaked and the class action lawyers, who have just achieved class certification after years of pre-trial motions, are trying to get their hands on it, despite the obvious initial obstacle of attorney-client privilege.
A similar paper trail may haunt BP as well. Pro Publica and the Washington Post have recently reported that BP had initiated „a series of internal investigations over the past decade [which] warned senior BP managers that the company repeatedly disregarded safety and environmental rules and risked a serious accident if it did not change its ways.“ Pro Publica3 These internal reports will surely be on the exhibit lists for the endless congressional hearings and court cases that the company will face for years to come. concludes that the documents „portray a company that systematically ignored its own safety policies across its North American operations…“
No good deed goes unpunished, so no good internal investigation should go unheeded. How many studies, reports, evaluations, critical emails, committee minutes, speeches, internal audit reports, external auditor management letters, and similar time bombs are lying around your company? If you sat across from a good plaintiff’s lawyer and he asked if each recommendation and warning in each report had been acted upon, how would your answer sound? Filing away internal reports and investigations for another day, or failing to address their recommendations in a demonstrably effective manner, is a worst practice which can boomerang anytime from here to eternity.
Worst Practice Five: Failing to Make Your Outside Auditors Uncomfortable
Public companies generally pay handsomely for competent audit services, including the annual clean audit opinion and favorable opinions regarding internal controls. In the course of doing their work, outside auditors should be looking into many aspects of the company’s internal controls, financial operations, and, informally or otherwise, the personalities and practices of the company’s top officers and managers. Auditors learn things during their work that they do not always disclose to their clients. They are required, under GAAS standards, to conduct an annual „brainstorming“ session with the members of the full audit team to assess the possibilities for fraud at the company.4 Even junior auditors are encouraged to speak up and discuss how fraud might develop, and who might be prone to engage in fraud. A memo of that meeting should be created, and it can make for fascinating reading. Likewise, when auditors decide to take on new clients or retain them for another year, they generally do risk assessments of the client evaluating the odds that the company may engage in fraud.
Audit partners, who generally do most of the interface with the audit committee and top management, are generally loath to discuss these evaluations outside the audit firm (unless the firm concludes some obvious and serious issue exists), as they may cast aspersions, even indirectly, on top managers with whom the audit firm is most anxious to maintain good business relationships.
Top management, especially the CFO, and audit committees, should press to see these SAS 99 memos and any internal audit documents reflecting potential fraud risks at the company, however speculative or hypothetical. They should also demand the right to separately question junior members of the audit team, who may be more candid with the audit committee. There are too many cases to count where the auditors knew something was wrong in time to avoid disaster but chose, for whatever reason, not to follow up and not to report it to the audit committee. Even if a company is very satisfied with its auditors and considers them competent and candid, there is no reason not to press them hard for any and all information about what may be concerning them, and how they have quantified any concerns, for those observations should be concerning the board as well.
This is my short list of „worst practices.“ More important is what is on your list. Indeed, your company should consider having every top manager make their own list, and deliver it to some designated officer who can decide if action is needed. The successful corporate compliance program must be a pro-active, aggressive and occasionally uncomfortable search for the worst, not just the best, practices.