Board of directors risk management in changing times

BOSTON, MA -- Recent regulatory and business developments must be on the radar screen of general counsel and brought to the attention of management and (as appropriate) the board, as the directors must monitor significant emerging enterprise risks.

Does your company have the right systems to do this? Would your board be aware of the risks delineated below? Does your company have the right board to process those risks?

Foreign Corrupt Practices Act

On April 5, the U.S. Department of Justice announced a new program that rewrote the way it deals with FCPA violations.

FCPA presents significant risk: how to prevent employees or agents, working within foreign cultures, from violating stringent U.S. policies against bribing or influencing companies affiliated with offshore governments?

Financial liability has been enormous and well publicized, and FCPA rules affect both private and public enterprises.

The new program, "Cooperation Plus," keys off the U.S. sentencing guidelines. These guidelines, by their very name a scary way to think about fulfilling corporate obligations, have long rewarded cooperation in FCPA enforcement.

To fall within the Cooperation Plus program you must: voluntarily disclose criminal conduct; fully cooperate with the government; and remediate.

Self-disclosure must occur promptly, prior to "imminent threat of disclosure or government investigation."

The company must demonstrate timeliness and provide names of individuals involved. Cooperation must be proactive; remediation must include a compliance program, accompanied by education, communication and training, capped by appropriate "tone from the top."

What do you get for complying? If you do not voluntarily disclose, but later fully cooperate and remediate, you receive a 25 percent reduction from the bottom of the sentencing guidelines range of financial penalties. If you comply in all respects, you can get a 50 percent reduction, and generally avoid appointment of a monitor to police your company in the future. The fortunate also may get a "declination of prosecution."

FCPA compliance must be addressed at the operational, management and board levels. Failure of board involvement can open directors to substantial criticism, as financial and reputational risks inherent in FCPA are significant.

New revenue recognition standards

About two years ago, U.S. and offshore accounting regulators issued a converged standard on revenue recognition, eliminating some industry-specific guidance and providing a framework with required explanation of how a company recognizes revenues. The standard, mandatory starting in 2018, is now generally in use, because once effective it must be applied to prior years' comparative figures.

Although technical accounting is within the bailiwick of the CFO working with the CPAs, there are judgments that management and boards need to monitor under the new standard.

For example, a company must identify the nature of its arrangements with customers, since research collaborations fall outside the new guidance but contract research falls under it; evaluate variable pricing terms such as performance bonuses, milestone payments and guarantees; and reflect arrangements involving distributors, including allocation of carrying cost, profit guarantees and other concessions.

Another issue, facing public companies, involves utilization of non-GAAP measures. The SEC allows these financial measures, along with GAAP financials, provided such inclusion is not misleading. But use of such measures, without adequate explanation of adjustments to reconcile with GAAP, has been growing.

Particularly when financial news networks report earnings based only on the non-GAAP numbers, the risk of regulatory and civil litigation increases. Risks of restatements of financials (with risk to management of suffering a claw-back of previously paid contingent liability, as contemplated by federal securities law) require bringing these issues to senior management - and in some instances the board.

Exporting over the cloud

U.S.-based technology may not be exported unless there is a federal license to do so. Much technology, sent to many countries, enjoys a broad general license. However, two systems of regulation control some exportation: ITAR for military technology, and EAR for certain non-military technology.

Exportation of such technological information is regulated only if the content is necessary, related or required for the development, production or use of regulated items.

Encryption also can save the day, but only if it is "end-to-end" (uninterrupted protection from origination to recipient, so that no intermediary such as the cloud provider can read the content along the way).

And SaaS operated through the cloud is exempt (as it does not constitute a download of executable software). Thus, the first triage is to determine what is going into the cloud.

Assume your company's technology is not exempt and not fully encrypted; you upload it and it is stored in the cloud. That very uploading may itself constitute prohibited exportation. You have to ask: Where will the servers be located? Overseas? Can overseas administrators access the information? How secure is the cloud overseas (can users tap into your offshore server)?

Violation of export regulations is a serious matter, bringing regulatory, financial and reputational risk. Thus, analysis of this risk should not be isolated in the IT department, but must be brought to management and monitored by directors.

What boards must do

Directors have substantial risk management obligations, including monitoring emerging issues. These obligations arise under the common law duties of due care and loyalty; under the much-discussed Delaware Chancery Court decision In Re Caremark (establishing director responsibilities to supervise everything material); and for public companies, under SEC rules requiring establishment of internal controls and exchange governance standards.

Additionally, the DOJ also has issued "Principles of Federal Prosecution," emphasizing director and officer fiduciary duties owed shareholders. Recent enforcement makes clear there is growing criminal focus on individual directors and officers.

The "Principles" establish mandatory duties for boards, including establishing strong director and manager support for compliance programs; granting compliance personnel stature within the company; providing necessary compliance resources; ensuring written publication and communication of clear policies; ensuring repeated training and policy updates; and providing incentives for compliance and punishment for violations.

For public companies, SEC rules also require disclosure as to whether a board has adopted a code of ethics for senior officers (or an explanation of why it has not, an explanation that virtually never appears). That code must, inter alia, address compliance with applicable governmental laws and regulations.

The New York Stock Exchange requires establishing a mechanism for anonymous submission by employees of concerns about questionable accounting or auditing matters; NASDAQ requires audit committees to establish whistleblowing procedures.

It is the job of management to establish adequate enterprise risk programs. It is the job of the board to make sure that this is done, and to satisfy itself that new risks will be identified and bubbled up, as appropriate for their importance, to management and/or the directors themselves.

Numerous resources are available for management and boards in establishing appropriate ERM duties. Robust guidance is available from the National Association of Corporate Directors. Literature addressing board ERM obligations is vast. Consultants and CPAs stand ready to provide expert guidance.

The board should establish a separate risk management committee, or specifically identify ERM as a function of the audit committee. Governing corporate documents should align the board and management structures. Committee charters must delineate clear roles and responsibilities, reporting requirements as to substance and timing, and mandated information flows.

Substantive risk management, although supervised by a committee and implemented by executive management, must regularly come to the entire board for review as a standing agenda item.

Additionally, as risk inheres in strategic decisions, explicit discussion and fixing of limits on risk tolerance should be part of any strategic discussion. SEC-reporting companies may well be used to this kind of granularity; private companies, perhaps less so.

The right board?

These obligations have implications for board composition. Do current directors have the requisite expertise? Not every risk can be evaluated by a director who happens to be a domain expert, but when constituting or upgrading a board some thought should be given to adding directors with particular strength in the business areas presenting high enterprise risk.

While generally speaking the directors are protected in the discharge of their fiduciary duties in relying on robust committee reports and the advice of outside expert consultants, when it comes to ERM it may be that such reliance alone will not give adequate insights in rapidly evolving areas.

I close with a recent example of the interplay between board composition and strategic risk: the 20 Volkswagen directors included only one who would be deemed independent by U.S. standards.

The general culture of Volkswagen, Germany's largest corporation, was to defer to senior management. The strategic Volkswagen decision to rely on diesel as opposed to hybrid electric technology, made a decade ago, placed the company at risk of failing to comply with tightening environmental standards, and likely incentivized the "fudging" of emissions reporting in its diesel fleet.

Did the Volkswagen board have the ability, structurally or in terms of substantive knowledge, to evaluate properly the enterprise risks of its strategic decision to rely on diesel?

Did management have the risk management systems necessary to reevaluate that decision as it became clear that environmental standards were changing?

You only need look at the devastating effect on Volkswagen's business when it was caught lying about its emissions performance. The risk was home-grown, but seemingly not monitored over time.

The true importance of risk management and the need for its continuous evaluation at the highest levels of corporate governance is demonstrated by the fallout now affecting Volkswagen's reputation and business - not to mention its bottom line.
Stephen M. Honig practices at Duane Morris in Boston.

Published: Tue, May 31, 2016