This article was first published in the March 2021 issue of PLC Magazine.
Governance has never been more important than in the current climate, with company boards under close scrutiny from all stakeholders including regulators, customers and employees. There is a general expectation that global businesses are run by strong boards that hold management to account and ensure that good governance principles permeate throughout the company. This expectation is amplified by the growth of global accountability regimes for directors and senior managers. However, there are several areas where issues relating to governance may arise, including poor management information (MI) and inadequate meeting processes. These include:
- Clarity of reporting lines, roles and responsibilities.
- Quality of debate and challenge.
- Clarity of issue escalation protocols.
- Meaningfulness and relevance of management information.
- Inadequate board and committee meeting processes.
- Clarity of action tracking, review and closure.
- The tone from the top and how this affects the company’s culture.
- Operational resilience and sustainability.
- International differences in legal and regulatory requirements.
From a practical perspective, some of the root causes of these issues relate to companies failing to understand properly their business models and the risks that are specific to them. Some companies still have historic and standardised processes that have not been tailored or updated. Others may have detailed processes that are difficult to understand and operate in practice. Companies need to consider carefully their areas of weakness and work out how best to resolve them
MI and issue escalation
Many companies do not have MI that adequately considers the risks to their business and also to their customers. MI needs to be both qualitative and quantitative in order to help boards fully understand the relevant issues and challenge them where appropriate. While it is inevitable that executive directors will have more information available to them than non-executive directors, issues can arise from this imbalance and companies need to have processes in place in order to mitigate this.
MI frameworks need clear thresholds and tolerances for action where a metric is outside of what is deemed to be acceptable. These should be supported by defined escalation protocols for when and how issues need to be considered by senior management and the board. Directors need to be conscious of these processes in order to understand how they operate and to step in and question why they are not functioning if relevant matters are not communicated to the board on time. Similarly, companies need strong procedures for whistleblowing although, even where these procedures are well designed, in the heat of the moment those operating them may forget to observe critical aspects such as confidentiality or protecting the identity of the whistleblower (see feature article “Whistleblowing policies: reaping the rewards”).
Meetings and minutes
The current necessity for more virtual meetings due to the COVID-19 pandemic brings new challenges from a governance perspective. Remote meetings can make it more difficult for participants to follow the discussion and make contributions. Those chairing meetings should make sure that they invite contributions from everyone, particularly where there is a dominant personality or someone who is more reticent to challenge.
One of the key difficulties affecting both virtual and physical meetings is getting information to individuals with sufficient time to digest it ahead of the meeting. This may be particularly important for non-executive directors so that they are able to challenge executives who already have the information to hand. A follow-on issue is making sure that there is the right level of record-keeping and minute-taking afterwards. While there needs to be sufficient detail for directors to challenge minutes and record the decisions that they have taken, there can be tensions about the level of detail in minutes where businesses have an international footprint.
Traditions in global jurisdictions often vary regarding the level of detail in minutes. For businesses with a US presence, for example, too much detail can present a number of legal risks. It is also important to note that legal privilege rules vary across jurisdictions and so businesses with an international footprint should make sure that they understand exactly what communications might be privileged, how to preserve privilege and avoid any inadvertent disclosure. Similarly, in jurisdictions with banking secrecy laws, such as Hong Kong where there are narrow gateways of disclosure, the production of documents to foreign counsel or regulators during an investigation can be contentious.
International businesses are accustomed to having to manage the different requirements of the national legal and regulatory environments in which they operate. In some respects, corporate governance expectations have converged since the Organisation for Economic Co-operation and Development first issued its principles of corporate governance in 1999. However, there are still international differences in the roles, responsibilities and liabilities of directors. For example, the combination of the roles of chair and CEO is a particular feature of US boards compared with their European counterparts.
When it comes to foreign subsidiaries, there are competing challenges for the parent board to address. There is the search for balance between the degree of control that needs to be exercised by the parent over its subsidiaries and the degree of independence that needs to be provided to them, and between the standardisation of systems and processes across the whole business and local adaptation at the subsidiary level. The parent board may also need to consider putting in place systems and processes to ensure that the governance of subsidiaries reflects the values, ethics, controls and processes of the parent board. This will be particularly relevant in jurisdictions where there is a regulatory requirement for the subsidiary to have a separate board to the parent company.
Company boards also need to be aware of the growing need for their governance processes to take into account the global sustainable finance agenda. For example, in November 2020 the European Central Bank (ECB) published its final guidance on climate-related and environmental risks for banks. Boards supervised by the ECB will need to carefully review this guidance from a governance perspective in terms of how their company considers climate-related and environmental risks within its business strategies, governance and risk management frameworks. The ECB requires banks to perform a self-assessment in early 2021 ahead of a full ECB review in 2022, so their boards need to be properly engaged in this process.
A recent survey by Norton Rose Fulbright LLP asked senior directors from major organisations across the world for their views on current governance issues (the survey). While it was encouraging that most respondents stated that they had adapted reasonably well or well to the challenges brought about by the COVID-19 pandemic, over half reported that understanding and challenging what was going on across their company in a virtual environment was their biggest challenge. 53% of respondents reported finding it difficult to process regulatory guidance on governance in jurisdictions other than their home country during the pandemic.
With regards to ethical employee culture and conduct, 39% of respondents stated that their company’s training processes needed improvement and 28% said that their company had taken no steps over the last two years to improve their employees’ adherence to ethical standards. In addition, 47% of respondents noted that diversity and inclusion within their company had not progressed very far from a discussion about their internal staff to also considering their company’s customers.
Lessons learned reviews
Companies should consider undertaking “lessons learned” reviews in order to demonstrate and evidence that they have appropriately learned from issues that have occurred due to the pandemic. Notably, while the majority of respondents to the survey reported that their companies were intending to conduct a lessons learned review, many had not actually done so yet. Reviews of this type can be particularly insightful when trying to understand the root cause of governance issues. When an issue arises, often the focus is on trying to resolve the immediate problem rather than working out what caused it to happen. If root causes are effectively understood and addressed, this should significantly reduce the likelihood of the issue occurring again in the future.
Lessons learned reviews can also be useful to inform a company’s future strategy. This is particularly relevant when thinking about the evolution of the pandemic. Unfortunately, COVID-19 rates are currently rising across a number of regions which will affect customers, staff and third parties who companies rely on to deliver services. Companies will have learned a great deal in respect of their response to the initial wave of COVID-19 and it is important that these lessons are used to inform what they do next.
Companies seeking to take practical steps to explore lessons learned reviews should consider using the following lines of enquiry, such as asking whether:
- Appropriate governance systems were in place with clear reporting processes and relevant MI.
- Customers were dealt with appropriately, with any areas of detriment identified and remedied.
- Staff understood what arrangements were in place and what actions they were expected to take.
- Technology was used appropriately.
- The implications of regulatory guidance were considered, acted on and overseen properly.
- The company identified and appropriately managed its key stakeholder groups.
Once the scope of a lessons learned review is agreed, it is also important to set clear objectives for it. This should include considering the right stakeholders to be involved and whether a senior individual should sponsor it so that it gets the profile it needs. Companies should also consider, at an early stage, whether the review will attract legal privilege and whether any practical steps should be taken in this regard. It is also important that reviews have appropriate independence and oversight; for example, it can be valuable to have an independent function, such as internal audit or a third party, undertaking the review, to ensure that findings are presented without bias. It is also important to consider the governance over the review, including who within the company will be responsible for receiving, considering and, where necessary, challenging the outputs.
Once a review has been completed, this is not the end of the process. The way that the results of the review are applied is also critical. Some key practical areas to bear in mind include: having a clear action plan for dealing with the findings; ensuring that there is a clear view of what is required to sign off activities to complete and close the actions; and having regular oversight on the plan’s progress over time.
As the UK begins to enter the months of mass vaccination, which hopefully should bring an end to the pandemic, boards should be considering whether the governance arrangements that they instituted continue to stand up properly to regulatory scrutiny. If the answer to this question is negative or uncertain, they would be well advised to conduct a lessons learned review. When the pandemic is over, it is likely that boards will prefer to focus on energising their businesses to take advantage of the economy re-opening instead of having to defend a regulatory investigation.