United States

Published: 9 Oct 2003

A year ago, the events leading up to the enactment of Sarbanes-Oxley made it clear that traditional corporate governance structures and risk management systems did not address the challenges faced by companies and boards of directors. The enactment of Sarbanes-Oxley and actions by the Securities and Exchange Commission (SEC) and the exchanges should have served as the catalyst for management and boards of directors to align strategy, operations, risk management systems, corporate governance structures and decision-support capabilities in a proactive manner to detect, assess and manage continually-changing risks and challenges to enterprise sustainability and to ensure enterprise resilience in the face of pressure from a variety of sources.

It has now been over a year since the accounting and corporate governance scandals in the US occurred that led to Sarbanes-Oxley and actions by the SEC and the exchanges. Those events also significantly raised the level of diligence and demands that shareholders, institutional investors, regulators, rating agencies, key customers, D&O insurers, the plaintiffs' bar, analysts, trade counterparties and vendors, and the market have come to expect from senior executives, boards and board audit committees in assuring the integrity, safety and sustainability of companies. Sarbanes-Oxley and the ensuing public outcry resulted in an increase in board audit committee responsibilities, imposed new CEO and CFO disclosure and certification requirements for financial and other information and for the adequacy of internal controls, and heightened the obligations of management and boards dramatically.

Yet somehow, as recently as July 22 2003, the following headline appeared on the front page of The Wall Street Journal - "Wall Street Plays Numbers Games with Earnings, Despite Reforms." Reports and disclosures of accounting irregularities, earnings restatements, violations of law, enforcement actions and corporate governance breakdowns have continued notwithstanding legal requirements, market outcry, criminal prosecutions and penalties, demands from regulators, the plaintiffs' bar and civil lawsuits, institutional investors, shareholder activists, corporate governance ratings, analysts, director fears of personal liability and reputational harm, decreased D&O coverage availability, market pressures, actions of competitors, and reports of experts and think tanks on corporate governance. Although there has been much rhetoric about corporate governance reform, the underlying reality is that changes in culture and values have been slow in coming. The response of management and boards has been slow - evolutionary at best, but certainly not revolutionary.

It appears inevitable that the market, directors (in order to minimize personal liability and reputational risk), shareholders, institutional investors, regulators, corporate governance rating programmes, key customers, analysts, trade counterparties and vendors should distinguish those enterprises that have not only met minimum legal standards for corporate governance structures and risk assessment and management systems, but are adopting best practices and seeking to change culture and values. In order to maintain earnings consistency, preserve and grow shareholder value, and satisfy these various groups, companies and boards need to examine and adopt best practices in corporate governance to pre-empt problems and proactively respond to increasingly complicated levels of risk.

This article will outline current developments in corporate governance best practices and the assessment and management of risk in this new and uncertain environment. They include the following:

  • The emerging shift in dynamics between boards and management. Boards will cross the traditional boundaries between management and the board and evolve from a resource role to an oversight role as a result of new legal standards, market pressures, liability fears and reputational concerns.
  • Non-legal pressures for transparency. Boards, the market, institutional investors, shareholder activists, and rating agencies will demand increased financial, people and process, sustainability and vendor transparencies beyond what is legally required.
  • Non-executive chairman. The chairman of the board will increasingly be a non-executive.
  • Development of corporate governance officers. Corporate governance officers or committees will become the norm whether as part of management, the board, or both.
  • Board interaction with management. It will be necessary for the board to develop a personal relationship and interaction with senior management below the executive management level. Increasingly, directors will seek direct interaction and exposure to lower levels of management in order to fulfil their newly emerging and perceived oversight role.
  • Board infrastructure and support. Given the complexities of many large corporations, an effective and independent board may require board-managed and -directed infrastructure support in the legal, accounting, risk management, audit and corporate governance areas.
  • Expansion of audit committee role. The roles and responsibilities of the audit committee will expand into the full range of enterprise-wide risk management and compliance areas. In the alternative, boards may create risk committees.
  • Board composition. Board and committee composition qualifications will move beyond the legal requirements of independence to real independence.


The pressure for these developments will come from a variety of sources including:

  • regulators;
  • the plaintiffs' bar;
  • institutional investors;
  • shareholder activists;
  • corporate governance ratings;
  • analysts;
  • director fears of personal liability and reputational harm and risk;
  • decreased D&O coverage availability;
  • market pressures;
  • actions of competitors; and
  • reports of groups of experts and trade associations on corporate governance.

Although many of the best practices reviewed are not specifically legally required, pressure and incentives for companies and boards to move in this direction will come from these sources.

The plaintiffs' bar

An increasingly active plaintiffs' bar will continue to turn from more traditional mass tort and product liability litigation to securities fraud litigation, with increased attention on directors. Class action lawyers have initiated nationwide advertisements seeking clients who have sustained losses. Directors and senior executives will be potential targets for these suits as losses are blamed upon fraud, mismanagement and breaches of fiduciary duties.

Rating agencies

New corporate governance rating systems have emerged and companies, the market, investors, and the plaintiffs' bar are focusing on them. For example, Institutional Shareholder Services' Corporate Governance Rating System ranks each public company against a relevant market index and one of S&P's industry groupings based on the following seven core evaluation metrics:

  • board structure and composition;
  • continuing education for directors;
  • director and officer stock ownership;
  • qualitative factors (for example, retirement age, meeting of outside directors);
  • charter and by-law provisions;
  • state of incorporation; and
  • executive and director compensation.

Although the initial ratings systems relied too heavily on a check-the-box approach, they have evolved into more subjective and qualitative systems and become increasingly interactive with rated companies. Criticism has been levied at some of the systems based upon the necessity of paying a fee to have access to the rating criteria. However, the fact remains that a low rating troubles companies enough that they will make corporate governance changes to improve their rating. They are an immediate source of competitive market pressure and could become a weapon of the plaintiffs' class action bar.

The Corporate Library has developed another rating system and released its first set of ratings in June 2003. This system goes beyond strict legal requirements and is a move toward a subjective assessment of best practices.

Decreased availability of D&O insurance

In reaction to securities lawsuits resulting from these events, directors and officers (D&O) insurers are tightening terms, seeking to rescind policies, reducing coverage amounts and significantly increasing rates. D&O insurance protects directors and officers against claims of negligent acts, errors or omissions, or breaches of duty. However, there are numerous gaps in coverage, which have become increasingly significant post Sarbanes-Oxley. Insurance companies have sought to deny coverage on the grounds that certain facts were not fully disclosed in the insurance application. In particular, because a company's financial statements are incorporated as part of the insurance application, a restatement of a company's financial statements can be used as a defence to coverage. In addition, issues related to coverage limits and shared limits have arisen. Significant issues have arisen in bankruptcy proceedings as to whether insurance payments are part of the bankrupt estate. Significantly, insurers are seeking to eliminate severability clauses. Without severability clauses, all directors could lose coverage if one director is found guilty of having committed fraud. This development could change the dynamics of the board by making each director much more mindful of the actions of other directors. On the positive side, in response to director and company concerns, D&O insurance carriers such as Chubb and AIG have developed new forms of policies tailored to individual board members that are designed to take over when certain losses are not covered by primary D&O insurance. These policies are intended to be a separate layer of coverage for directors, specifically independent directors.

Fears of personal liability and reputational harm

Director fears of personal liability and reputational risk have increased dramatically as the regulators and the courts seek to change the role of the board from resource to oversight. As the plaintiffs' class action bar, shareholder activists and institutional investors raise their expectations of, and demands on, directors, directors will become increasingly sensitized to personal liability and reputational harm resulting from events occurring at, or affecting, companies for which they serve as directors. Significant numbers of lawsuits have been filed naming directors and officers as defendants. The impact of this will be magnified by the changes in D&O insurance discussed above.

The recent Disney decision is an example of changing judicial responses to claims of director negligence. In June 2003, the Delaware Chancery Court allowed a suit against the Disney board of directors to proceed that alleged negligence in its oversight in the hiring of the president and the terms of his compensation and severance arrangements. The compensation committee allegedly ratified the hiring after the position had been offered by the Disney CEO without the prior consent of the compensation committee and without having adequately reviewed the terms of his employment.

In another recent case in New York, a federal district court held that several directors of a private company were liable for $40 million in damages for breaching their duties of loyalty and care. In this case, the court held that the board members failed to exercise adequate oversight and diligence. Regulators have been active as well. In a recent speech, SEC Chairman William Donaldson noted that during his tenure as chairman, the SEC brought 258 enforcement actions of which 72 involved financial fraud or reporting. This does not include the multitude of informal and formal investigations that are ongoing. In addition, he noted that the SEC has sought to bar 95 executives and directors from holding such positions with public companies.

One recent example of such SEC initiatives involves an enforcement action against the Chancellor Corporation and its officers, directors and auditors for financial fraud. The claims against the outside director involve breaches of the duty of care by failing to ensure that the company maintained accurate books and records and adequate internal controls. In addition, the actions initiated by various state attorneys-general, in particular New York and Oklahoma, have received widespread publicity in the US.

As a result, directors have become less trusting of management and may increasingly seek to independently assess and review what is going on in the company. As discussed below, the time commitment required to do so will result in the evolution of professional non-executive directors and senior level third-party advisors or senior level employees employed by and reporting directly to the board.

Shareholder activism and institutional investors

Because of fears of liability and reputational risk, the demands and complaints of shareholder activists and institutional investors will receive much more attention and focus from the board. In addition, as a result of Sarbanes-Oxley and the current environment, shareholder activists and institutional investors will become emboldened and press significant demands for corporate governance reform and director accountability.

According to tracking by the Investor Responsibility Research Center, shareholder activists have long been active in pressing for corporate governance changes. However, until recently, these shareholder activists have been largely ignored. In this new era of accountability, traditional shareholder activists cannot be so easily ignored and new shareholder activists have emerged to take advantage of the new environment.

Institutional investors, such as the AFL-CIO, TIAA-CREF and CalPERS, have also increased their oversight activity, forcing directors to resign and be accountable for events at their companies, seeking board and corporate governance changes, challenging executive compensation and filing lawsuits to recover losses.

Regulatory and financial incentives

It is important to keep in mind that, under the 1991 Federal Sentencing Guidelines for Organizations (promulgated by the US Sentencing Commission), a comprehensive compliance programme can minimize the prospects of criminal charges and fines against companies for corporate wrongdoing. These guidelines and subsequent memoranda from the Department of Justice (DOJ) have affirmed and gone beyond the guidelines to highlight the critical importance of compliance programmes, information reporting systems, and voluntary cooperation with government investigations.

Shortage of qualified directors

As a result of the factors outlined above, a shortage of willing and qualified directors may develop as the composition of current boards changes. In light of legal requirements and restrictions, it will be extremely difficult for a board member to meet the time commitments required by new levels of accountability, shareholder and market demands while serving as a senior executive of another company and serving as a director of a number of other companies. As a result, companies will be more likely to agree to the demands and expectations of a new breed of non-executive director who may be a professional director. These demands and expectations may include:

  • boards consisting in part of professional directors who have no full-time employment position;
  • a non-executive chairman; and
  • independent board advisors and infrastructure initially consisting of independent third parties, who may evolve into permanent senior level advisors and who are employees reporting directly to the board.

Reports of groups of experts and trade associations on corporate governance

Some of the recommendations and trends identified in this article have appeared in reports issued by a number of blue ribbon panels, the Commission on Public Trust and Private Enterprise, the National Association of Corporate Directors and other groups, as well as reports issued by groups outside the US, such as the Higgs Report and the Smith Report in the UK. The collective influence of these groups and reports will reinforce, and in many cases serve as a catalyst for, non-executive chairmen, director independence standards, new and broadened roles and responsibilities for directors and audit committee members. The publication of codes of conduct and guidance will evolve into benchmarks against which boards and companies will be evaluated.

Recently, in July 2003, the Council of Institutional Investors released a report entitled: "Private Entity With a Public Purpose: Governance of the New York Stock Exchange". This report made a number of observations related to corporate governance, disclosure and transparency, including the composition of the board and committee members and personal, social and business links between board members and management. Significantly, many of these observations were not related to legal requirements applicable to the NYSE, but rather best practices.


Significant changes will be required as a matter of law and rule - in particular the listing standards of the NYSE. On April 11 2003, the NYSE released a notice of rulemaking with proposed amendments to its listed company manual to implement significant changes aimed at restoring investor confidence by empowering and ensuring the independence of directors and strengthening corporate governance practices. These requirements include the following:

  • Independent directors. Listed companies must have a majority of independent directors.
  • Independent directors must satisfy a defined standard of independence. To qualify as an independent director, certain determinations must be made.
    1. The board of directors must affirmatively determine that the director has no material relationship with the listed company (either directly or as a partner, shareholder or officer of an organization that has a relationship with the company). Companies must disclose these determinations.
    2. In addition, the standards set forth a number of circumstances in which a director will not be independent. They are as follows:
      1. A director who receives, or whose immediate family member receives, more than $100,000 per year in direct compensation from the listed company, other than director and committee fees and pension or other forms of deferred compensation for prior service (provided such compensation is not contingent in any way on continued service), is presumed not to be independent until five years after he or she ceases to receive more than $100,000 per year in such compensation.
      2. A director who is affiliated with or employed by, or whose immediate family member is affiliated with or employed in a professional capacity by, a present or former internal or external auditor of the company, is not independent until five years after the end of either the affiliation or the auditing relationship.
      3. A director who is employed, or whose immediate family member is employed, as an executive officer of another company where any of the listed company's present executives serve on the company's compensation committee, is not independent until five years after the end of such service or the employment relationship.
      4. A director who is an executive officer or an employee, or whose immediate family member is an executive officer, of another company: (a) that accounts for at least 2% or $1 million, whichever is greater, of the listed company's consolidated gross revenues; or (b) for which the listed company accounts for at least 2% or $1 million, whichever is greater, of such other company's consolidated gross revenues, in each case is not independent until five years after falling below such threshold.
  • Meetings of non-management directors. Non-management directors must meet at regularly scheduled executive sessions without management.
  • Nominating/corporate governance committee. Listed companies must have a nominating/corporate governance committee composed entirely of independent directors. In addition, the nominating/corporate governance committee must have a written charter that addresses:
    1. the committee's purpose - which, at minimum, must be to identify individuals qualified to become board members, and to select, or to recommend that the board select, the director nominees for the next annual meeting of shareholders and develop and recommend to the board a set of corporate governance principles applicable to the corporation;
    2. the committee's goals and responsibilities - which must reflect, at minimum, the board's criteria for selecting new directors, and oversight of the evaluation of the board and management; and
    3. an annual performance evaluation of the committee.
  • Compensation committee. Listed companies must have a compensation committee composed entirely of independent directors. In addition, the compensation committee must have a written charter that addresses:
    1. the committee's purpose - which, at minimum, must be to discharge the board's responsibilities relating to compensation of the company's executives, and to produce an annual report on executive compensation for inclusion in the company's proxy statement, or, if the company does not file a proxy statement, in the company's annual report filed on Form 10-K with the SEC, in accordance with the applicable rules and regulations;
    2. the committee's duties and responsibilities - which, at minimum, must be to:
      1. review and approve corporate goals and objectives relevant to CEO compensation, evaluate the CEO's performance in light of those goals and objectives, and have sole authority to determine the CEO's compensation level based on this evaluation; and
      2. make recommendations to the board with respect to non-CEO compensation, incentive-compensation plans and equity-based plans; and
    3. an annual performance evaluation of the compensation committee.
  • Audit committee. Each company is required to have a minimum three-person audit committee composed entirely of independent directors that meet the independent director requirements of the NYSE and the independence requirements of Exchange Act Rule 10A-3(b)(1), subject to certain exceptions. Exchange Act Rule 10A-3(b)(1) provides that to qualify as independent, an audit committee member may not, other than in his or her capacity as a member of the audit committee, the board of directors, or any other board committee: (i) accept, directly or indirectly, any consulting, advisory or other compensatory fee from the issuer or any of its subsidiaries; or (ii) be an affiliated person of the issuer or any of its subsidiaries. The audit committee must have a written charter that addresses:
    1. the committee's purpose - which, at minimum, must be to:
      1. assist board oversight of: the integrity of the company's financial statements; the company's compliance with legal and regulatory requirements; the independent auditor's qualifications and independence; and the performance of the company's internal audit committee and independent auditors;
      2. prepare the report required by the SEC's proxy rules to be included in the company's annual proxy statement, or, if the company does not file a proxy statement, in the company's annual report filed on Form 10-K with the SEC;
    2. the duties and responsibilities of the audit committee set out in sections 303A(7)(c) (which are discussed below under Audit committee responsibilities); and
    3. an annual performance evaluation of the audit committee.
  • Audit committee responsibilities. The audit committee must:
    1. directly appoint, retain, compensate, evaluate and terminate the company's independent auditors;
    2. establish procedures for the receipt, retention and treatment of complaints from employees on accounting, internal accounting controls or auditing matters, as well as for confidential, anonymous submissions by employees of concerns regarding questionable accounting or auditing matters;
    3. obtain advice and assistance from outside legal, accounting or other advisors as the audit committee deems necessary to carry out its duties; and
    4. receive appropriate funding, as determined by the audit committee, for payment of compensation to the outside legal, accounting or other advisors employed by the audit committee.

    In addition, the duties of the audit committee must be, at a minimum, to:

    1. at least annually, obtain and review a report by the independent auditor describing: the firm's internal quality-control procedures; any material issues raised by the most recent quality-control review, or peer review, of the firm, or by any inquiry or investigation by governmental or professional authorities, within the preceding five years, respecting one or more independent audits carried out by the firm, and any steps taken to deal with any such issues; and (to assess the auditor's independence) all relationships between the independent auditor and the company;
    2. discuss the annual audited financial statements and quarterly financial statements with management and the independent auditor, including the company's disclosures under "Management's Discussion and Analysis of Financial Condition and Results of Operations;"
    3. discuss earnings press releases, as well as financial information and earnings guidance provided to analysts and rating agencies;
    4. discuss policies with respect to risk assessment and risk management;
    5. meet separately, periodically, with management, with internal auditors (or other personnel responsible for the internal audit function) and with independent auditors;
    6. review with the independent auditor any audit problems or difficulties and management's response;
    7. set clear hiring policies for employees or former employees of the independent auditors; and
    8. report regularly to the board of directors.
  • Internal audit function. Each listed company must have an internal audit function.
  • Corporate governance guidelines. Listed companies must adopt and disclose corporate governance guidelines covering the following areas:
    • director qualification standards;
    • director responsibilities;
    • director access to management and, as necessary and appropriate, independent advisers;
    • director compensation;
    • director orientation and continuing education;
    • management succession; and
    • annual performance evaluation of the board.
  • Code of business conduct and ethics. Listed companies must adopt and disclose a code of business conduct and ethics for directors, officers and employees, and promptly disclose any waivers of the code for directors or executive officers. Each code of business conduct and ethics must also contain compliance standards and procedures that will facilitate the effective operation of the code. Companies can determine their own codes of business conduct and ethics but should address the following areas:
    • conflicts of interest;
    • corporate opportunities;
    • confidentiality;
    • fair dealing;
    • protection and proper use of company assets;
    • compliance with laws, rules and regulations; and
    • encouraging the reporting of any illegal or unethical behaviour.
  • Corporate governance CEO certification standards. Each listed company CEO must: (a) certify to the NYSE each year that he or she is not aware of any violation by the company of NYSE corporate governance listing standards; and (b) promptly notify the NYSE after any executive officer of the listed company becomes aware of any material non-compliance with any applicable provisions of the standards.


It is not sufficient to simply comply with the letter of these requirements in this new environment. In order to respond to the spirit of these requirements and move to best practices, a number of corporate governance changes should be considered.

Corporate governance changes

As discussed above, the trend towards truly independent professional directors, non-executive chairmen, the establishment of senior executive corporate governance officers and board corporate governance committees, expansion of the roles and responsibilities of the audit and corporate governance committees, and board third-party advisors and infrastructure support are driven by a number of factors. One best practice approach is to take the lead in all of these areas. Some companies have had some of these elements in place for some time and others are now adopting them in response to the pressures identified above.

In addition, in response to such pressures, companies and their boards should consider changes that go beyond the listing requirements in the following ways: increasing the percentage of independent directors; eliminating stock options as compensation for directors; having independent directors meet separately; appointing a lead or senior independent director; imposing stricter limitations on the number of boards on which their directors may sit; limiting the number of boards on which executive officers may sit; instituting tenure and retirement ages for directors; and requiring independent evaluation and professional development training and other measures intended to assure the market that corporate governance is a priority.

Boards should also consider creating board meetings with extensive agendas (with board input) to encourage detailed discussions, retreats with senior executives to get to know the company and the executives, and periodic contact with senior and middle management.

Last year, Cendant Corporation announced a number of changes to its corporate governance policies, including the requirement that two-thirds of the board be independent, the elimination of stock options as compensation for directors, the increase in the responsibility of the audit committee to include more interaction between the committee and the auditors, and the issuance of a new code of ethics for senior management.

It was recently announced that Countrywide Financial added two independent directors to its board, which means that 11 of its 13 directors are independent. More recently, it was reported that E-Trade Group, in response to investor reaction and the resignation of its CEO, had adopted major corporate governance reforms beyond what is legally required. For example, with the exception of the CEO, all of the directors are independent. Further, it was reported that: a recent board meeting lasted two days, including meetings with senior officers and director orientation for all directors; a rule was adopted requiring directors to resign if their job changes; compensation packages are being renewed; and a non-executive chairman has been appointed.

Corporate governance officers

For many years, Pfizer has had a corporate governance position and, in 1999, Ford created a corporate governance department. In the past year, a number of companies including Citicorp, Tyco, Pitney-Bowes, Sunoco, Eastman Kodak, Hershey, Disney and Computer Associates have appointed chief corporate governance officers. This has been supported by the Conference Board and Institutional Shareholder Services, which includes the existence of a corporate governance officer in its rating criteria. The American Society of Corporate Secretaries has put together a list of possible activities for a corporate governance officer which include:

  • Keeping directors current on corporate governance trends and issues, thereby providing occasional reviews and updates for the board.
  • Ensuring that corporate governance information is recent, reliable and from outside sources.
  • Relaying information on institutional ownership of the company and any concerns vocalized by institutional investors.
  • Considering ways to get input from large institutional investors when the board is nominating directors and how to recruit and retain directors with diverse skills and backgrounds.
  • Being an advocate for the board. Encouraging top management to view the board as a resource and asset of the company.
  • Encouraging board members to spend more quality time on their directorship and to take on fewer board memberships.
  • Encouraging better proxy disclosure, including a discussion of corporate governance guidelines.
  • Ensuring that the board is informed on the business issues of the company.
  • Serving as a facilitator for the board. Encouraging the board to be constructive and work towards consensus.
  • Helping the board not to rubber stamp.
  • Providing assistance with the evaluation process expected of the board.
  • Ensuring proper and timely distribution of board agendas and allowing for input from appropriate parties.
  • Encouraging a strategic planning session and helping prepare the agenda.
  • Ensuring that directors actually direct, not micromanage.

However, the issue has been raised as to whether this should be a board-appointed and -reporting position due to the potential for conflicts and whether a parallel committee or position should exist at the board level.

Board advisors and infrastructure

Much has been written regarding pressures on the board to seek outside help in various areas. The new board-level issues including corporate governance, compliance, risk management, internal controls and disclosure, and others will require expert independent advice and oversight because the activism and expectations around these issues will increase and independent analysis and review will become critical. Some boards will require and establish senior-level advisory positions reporting to the board. The appointment of these advisors will assist the board in connection with the new corporate governance standards and function as a management alternative to field employee complaints, initiate inquiries, and independently evaluate corporate actions.

For example, HealthSouth Corp announced the creation of an outside group of advisors to work with the board and outside search firms to find new candidates for the board and to advise the board committee on corporate governance.

Appointment of a non-executive chairman

As noted above, the appointment of a non-executive chairman has been the subject of numerous recent experts' reports. Although the subject is of great controversy in the US, it has been the norm in the UK since the Cadbury Report and has functioned quite well. It is a step that should improve the monitoring of management and help an increasingly overburdened CEO. There are a number of recent examples in the US and Canada including Chubb Corp, Midas Inc, Pathmark Stores, E-Trade, Citicorp, Canadian Imperial Bank of Commerce and Toronto-Dominion Bank. As pressures mount, the examples will increase. The code recommendations in the UK Higgs Report provide an ideal template that sets forth the roles, responsibilities, terms of engagement, and duties of the non-executive chairman. However, it is open to discussion whether having the former CEO serving as non-executive chairman goes far enough.

Truly independent directors and committee composition

It is important to consider that independence in a best practice sense goes well beyond legal standards. There is increased sensitivity from a number of sources in a variety of contexts about independence and conflicts of interest.

The report of the Council of Institutional Investors on the NYSE referenced earlier makes extensive observations about personal and professional connections, including overlapping board memberships and business relationships among board members and independent board committee members and the board. It also references board member company employee interlocks and employment track record. In addition, the press has been critical of large corporate philanthropic contributions to non-profit organizations with which board members are affiliated.

Another example of intense scrutiny of independence is the Oracle case. This is a Delaware Chancery Court case involving the independence of a special litigation committee appointed to review sales of stock by the Oracle CEO. In denying a motion to dismiss the shareholder suit, the court went beyond traditional legal definitions of independence and focused on the interrelationships among the directors, the company, the CEO, the employer of the directors and significant charitable contributions to the employer of the special litigation committee.

Boards should be sensitive to these types of appearances and should undertake adequate due diligence and review of board and committee nominees to be aware of such ties and make reasoned and informed decisions. For example, how independent can members of the audit, corporate governance and compensation committees be if extensive relationships of the types described above exist?

Separate meetings of non-management directors

The fundamental issues to raise here are whether these meetings should be limited to independent directors and the duration and substance of these meetings. Best practices would suggest that these meetings will be most open if they are limited to independent directors and are run formally with an agenda and, if necessary, include sessions with senior executives.

Practice role of the corporate governance committee

The traditional role of the nominating committee has changed dramatically in the new environment. In addition to the newly defined roles and responsibilities required by the rules, significant questions arise from a best practice perspective. Should the corporate governance committee be pro-active and exercise leadership in raising or advocating best practices approaches with the board and management? For example, should the corporate governance committee discuss issues such as whether all directors other than the CEO should be independent? Should a definition of independence be adopted that goes beyond the requirements? How does the committee interact with the chief corporate governance officer? Should there be more stringent limitations on the number of jobs and board seats that directors may have? How much and what type of director training should be required? What standards should exist for director qualification? What type of evaluation should be implemented - self-evaluation, third party or both?

Undertake an independent, third-party, enterprise-wide risk assessment and create an enterprise-wide, integrated risk management control group

It is imperative that companies and boards assume a lead role in assuring that all risks faced by the company are identified and assessed and that a risk management system is in place to be proactive in managing and mitigating those risks. The board has the responsibility to make sure that it is fully apprised of risks faced by the company and that it can make an independent determination that management has implemented and maintained effective, enterprise-wide, integrated risk management policies and procedures, including internal controls and compliance. This is required by the NYSE listing standards and is the clear import of prior case law and DOJ guidelines and subsequent DOJ memoranda.

Third-party risk assessment

It is imperative that a broad enterprise-wide risk assessment is undertaken by an independent third party and that it be updated periodically. This risk assessment is critical to establishing appropriate risk management structures as outlined below.

Creation of an enterprise-wide integrated control group structure

An enterprise-wide, integrated risk management control group structure to deal with the management of the three risk management components should be created if one does not already exist. This system should be centred around a risk management committee consisting of senior executives from each of the principal business units, the heads of credit, technology, human resources and corporate compliance, the general counsel, the CEO, the CFO, the COO, the head of corporate governance (if there is one), the internal auditor, and other officers as appropriate. This senior-level group should meet regularly over the course of each year and review every aspect of the company's business. The risks reviewed should include not only business and financial risks, but also legal, compliance, operating, vendor, customer, product, political, supply, reputational, human resources, technology, insurance and audit risks. The frequency of review of a particular area should be based on a risk-based prioritization.

Business heads, the heads of credit, technology, human resources, corporate compliance, the general counsel, the CFO, the COO, the head of corporate governance (if there is one), and the internal auditor, should make formal presentations to the risk management committee describing and analyzing all of the risks their business units and departments face, what controls were or will be put in place to minimize those risks, where a loss occurred or might occur and how to assure proper accounting and reporting of financial data. In addition, the risk management committee should review new products and business initiatives. These senior officers should be subject to questioning by the risk management committee with respect to the risks identified, the risks not identified, and the controls put in place to minimize or eliminate those risks.

The board should receive regular reports from the risk management committee and assess them. In order to do this in a meaningful way, it may be necessary to rely upon independent board staff.

Expansion of the roles and function of the audit committee

As a result of the proposed NYSE listing standards, the role of the audit committee has moved well beyond simply being responsible for financial reporting and the audit process.

It is imperative that the audit committee be fully aware of, and familiar with, risk management, internal controls, and compliance policies and procedures. A technical review and approach is not adequate. The audit committee should have first-hand knowledge and contact with the audit staff, the CFO staff and the officers who implement the risk management, internal controls, and corporate compliance procedures and policies. They should also understand how they are implemented and know what type of training occurs. In addition, the officers responsible for risk management, internal controls and corporate compliance should report directly to the audit committee and the general counsel and meet regularly with the audit committee.

Audit committee members must make a serious, proactive effort to know the people involved with the process and to understand the company's risk management, internal controls and compliance culture. In order to be effective, this must be more than just policies and procedures - it must include the people responsible for implementing them and the dissemination of risk management, internal controls and compliance knowledge throughout all levels of the organization. Audit committee members should regularly meet with the internal auditor, CFO, general counsel, head of corporate compliance, business heads, and then move down to the next level of management in the organization so as to gain a full and meaningful understanding of the company's business and operations. The audit committee should also meet with members of the outside audit team. This will assist the audit committee in probing for disagreements between the auditors and management. The audit committee also must ensure that policies and procedures do not just exist on shelves but are available to and understood by the employees. In this respect, it is important that the company's management, from the CEO down, supports the risk management, compliance and internal controls process and culture.

Audit committee meetings should be held as frequently as board meetings and, at a minimum, the audit committee should meet monthly. Outside auditors should clearly know that they work for the audit committee and not management.


Although all of the elements of the approach described in this article may not be appropriate in all circumstances, this article does identify current trends and identify some best practices to be considered in a new era of corporate governance and accountability. Implementation of a proactive, preventative approach to managing risk and corporate governance at the board and management level is critical. It creates a clear message to the officers and employees of the company and to the public that these issues are not just legal requirements but ethical and cultural imperatives as well, and represent sound business practices that are part of the company's culture.

As noted above, these ideas should be considered not only as a possible response to the letter of Sarbanes-Oxley and related actions but also to the spirit of the best practices of corporate governance and accountability. They may also provide senior management and the board with a justifiable best effort defence if unfavourable circumstances develop and perhaps, most importantly, a proactive, early warning structure designed to identify and address issues before they become problems.

Winston & Strawn
200 Park Avenue
New York
NY 10166
Tel: +1 212 294 6700
Fax: +1 212 294 4700