
Governance, Risk Management, and Compliance: It Can't Happen to Us—Avoiding Corporate Disaster While Driving Success




DOCUMENT INFORMATION

Basic information

Format
Pages: 326
Size: 3.1 MB

Content

Additional praise for Governance, Risk Management, and Compliance: It Can't Happen to Us—Avoiding Corporate Disaster While Driving Success

"In this complex and perilous global marketplace, it is vital that corporate leaders—senior officers and board members—put the highest premium on being smart about managing risk. Richard Steinberg has written a superb resource not only for strengthening your governance, risk management, and compliance practices but also ensuring they lead to competitive advantage."
—James Kristie, Editor, Directors & Boards

"A practical and commonsense approach to corporate governance from someone who knows the subject well!"
—Richard Koppes, former Deputy Executive Officer and General Counsel of CalPERS, founder of the National Association of Public Pension Attorneys, and board member of the National Association of Corporate Directors

"This compelling work by Rick Steinberg enables even experienced senior managers and board members to fully appreciate how governance can and should work. Filled with critical analyses of how major companies have stumbled or failed, with clear lessons to be learned of what needs to go right, this book should be required reading for all of us striving to see our businesses thrive and grow shareholder value."
—Scott Eston, former Chief Operating Officer, GMO

Governance, Risk Management, and Compliance: It Can't Happen to Us—Avoiding Corporate Disaster While Driving Success
Richard M. Steinberg
John Wiley & Sons, Inc.

Copyright © 2011 by Steinberg Governance Advisors, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Some content in this book was originally published in columns by the author in Compliance Week, an information service on governance, risk and compliance. For more information, visit www.complianceweek.com or call (888) 519-9200.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Steinberg, Richard.
Governance, risk management, and compliance : it can't happen to us—avoiding corporate disaster while driving success / Richard Steinberg.
p. cm.
Includes index.
ISBN 978-1-118-02430-0 (hardback); ISBN 978-1-118-10255-8 (ebk); ISBN 978-1-118-10256-5 (ebk); ISBN 978-1-118-10257-2 (ebk)
Corporate governance. Risk management. Compliance. Business planning. I. Title.
HD2741.S7636 2011
658'–dc22
2011012036

Printed in the United States of America
10

This book is dedicated to my wonderful wife, Lana, without whose love and support it never would have been written.

Contents

Foreword xiii
Preface xix
Acknowledgments xxiii

Chapter 1: What Is GRC, and Why Does It Matter?
What Is GRC?
Why GRC Matters

Chapter 2: Culture, the Critical Driver 5
What Is Culture?
More Cultural Failures
Companies That Got It Right
Being Legal, Honest, Candid, and 10
Integrity versus Spin 13
Speaking the Same Language 16

Chapter 3: Cost-Effective Compliance Programs 21
The Back-Breaking Costs 22
Beyond the Direct Costs 24
Major Mistakes at Platinum-Branded Companies 24
How Companies Got Where They Are 30
Keys to Getting It Right 31
The Compliance Office 36
Making It Happen 38
The Rewards 39

Chapter 4: Ethics Programs: Another Foundational Block 41
Tone at the Top 42
Problems at Daimler 42
Elements of an Ethics Program 43
Setting the Tone at the Top: Hewlett-Packard 51

Chapter 5: Risk Management and the Financial System's Near Meltdown 59
What Went So Terribly Wrong 59
The Regulatory System 63
Merrill Lynch 65
Where Were the Boards? 68
Did CEOs See It Coming? 70

Chapter 6: What Is Risk Management About? 75
Risk 76
Risk Management 79
Enterprise Risk Management 80
Is It Really Worth the Effort? 85
ERM Application Techniques 88
Key Risk Indicators 91
BP 92

Chapter 7: Implementing ERM 99
Drivers for ERM 99
Pitfalls 102
Effective Implementation 106
Roles and Responsibilities 114

Chapter 8: Does Internal Control Really Matter? 119
Impact of SOX 404 on Financial Reporting 122
Responsibility for SOX 404 124
Other Relevant SOX Provisions 126
Do Effective Financial Reporting Controls Really Prevent Fraudulent Financial Reporting? 127
Real Life in the C-Suite 130

Chapter 9: Control over Operational Performance 133
IT Controls 134
Société Générale 135
Washington Mutual 139
Countrywide Financial Corporation 143
The Foreclosure Fiasco 144

Chapter 10: Boards of Directors' Focus 153
A Focus on the Rules 155
Truly Effective Boards 156
A Public Watchdog? 158
Societal Responsibility 160
Potential Pitfalls 163

Chapter 11: Overseeing Strategy and Risk Management 169
Strategy 169
Risk Management 173

Chapter 12: CEO Compensation, Succession Planning, and Crisis Management 185
CEO Compensation 185
Succession Planning 192
Crisis Management 196

Chapter 13: Performance Measurement and Reporting 201
Performance Measures 201
Financial Reporting 205

Chapter 14: Building an Effective Board 219
Looking Objectively 220
A Shift in Direction 221
Building a Better Board 223
Board Assessments 226
Bottom Line 230

Chapter 15: Avoiding Board Pitfalls 231
Following the Herd 231
Obtaining Critical Information 238
A Leaky HP Board 245
Another Leak—What Was He Thinking? 249

Chapter 16: Where the Power Lies 251
A Tug of War 252
Shareholder Activism 252
Recent Achievements 253
Dodd-Frank's Proxy Access 256
Where to Draw the Line 261
Finding the Right Balance 262
Where We Need to Evolve 264

Chapter 17: Structural Issues at the Board 265
Combined versus Separate Chairman and CEO 265
Empowering CEOs in a Shifting Landscape 271
Director Compensation 274

Chapter 18: Looking to the Future 281
New Models for Board Governance 281
A Healthy Governance Environment 285
Boards' Perspectives on Risk 289
Grasping the Holy Grail of Governance 290
What the Future Holds 293

About the Author 299
Index 301

Foreword

In the aftermath of the worst economic and financial crisis in the United States in decades, policymakers, journalists, investor advocates, and others have been hard at work trying to identify those responsible. Commissions have met and studies have been undertaken, and people are beginning to reach their conclusions. But at the very core of this crisis was not a single set of actors. The problems stem significantly and systematically from the failure of governance, oversight, and risk management at the corporate, legislative, and regulatory levels. Those in position to imagine, identify, and reduce the possibilities of failure simply did not do their jobs.

As Richard Steinberg makes clear in these pages, the price of inattention or inaction by managers, regulators, and board members could be measured not in the hundreds of millions of dollars, but in the hundreds of billions of dollars. He explains how reputations and corporations were shattered in a matter of weeks and months, because individuals and institutions had no means of checking and correcting their market assumptions and their culture of risk-taking. In short, not enough people were asking: "What could go wrong?"

This failure in governance pains me deeply, primarily because as a regulator throughout the 1990s I was able to see many of these same failures play out once before in corporate America and our regulatory infrastructure. Many of the biggest changes in corporate governance were launched just after the Enron, WorldCom, and other major scandals of the early 2000s. And the resulting reforms, especially Sarbanes-Oxley, have had deep and lasting impacts. In the immediate aftermath of those scandals, we saw a revolution in thinking about governance. Most boards are now majority independent—and key committees are now entirely independent, except at some controlled companies. Most companies have a lead independent director and/or a separate chairman. Boards meet more frequently—both as a whole and in executive session without the CEO—and are under significant scrutiny by shareholders. What's more, SEC rules have enabled shareholders to interact with each other

The Environment in which Businesses Operate Will Continue to Be Challenging

Naturally, we operate in an increasingly global environment, with the success of American business dependent on the economy—that of the United States and indeed the rest of the world. Here at home we have serious issues, including large federal deficits and a huge national debt, balance-of-payments shortfalls, and the state of the pension and health care systems—national, state, municipal, and private—to name just a few. Our country is at war, and the economic, political, and social impacts and our influence as a world leader are at stake. Capital markets can be volatile, and global competition for capital fierce. I won't even think about trying to predict how this will all go. But I know that how we deal with these issues will have a tremendous effect on businesses and how they operate, and the predictions outlined here will be affected as well. I am an eternal optimist and believe we will find ways to deal with these issues constructively and achieve positive outcomes.

So, there we have it. We have a good sense of what's coming down the pike and how best to deal with the challenges. With continued effort, diligence, intelligence, and innovation, there's no doubt we will succeed.

NOTES

The title Chancellor applies to the chief judge on the Delaware Chancery Court, with the other four judges on that court having the title of Vice Chancellor.
Wachtell, Lipton December 3, 2010 memo, Risk Management and the Board of Directors.
Directorship, December 2010–January 2011.
Directorship, December 2010–January 2011.
Thomas Green, a well-recognized white-collar-criminal-defense lawyer, takes this position: "My experience suggests that resisting the investigation almost always leads to a better result for the company than had it surrendered at the outset." For more, see Directors & Boards, Fourth Quarter 2010.
See also discussion in Chapter of this book.

About the Author

Richard M. (Rick) Steinberg is the founder and CEO of Steinberg Governance Advisors, Inc. He is an internationally recognized expert on governance, risk, and control. He advises boards of directors of major multinational, large, and middle-market companies on board responsibilities and governance best practices, and senior managements on governance, risk management, control, and compliance. Previously he was a senior partner of PricewaterhouseCoopers (PwC) and the leader of its corporate governance advisory practice. He was also a founder of PwC's risk management and control consulting practice, and served as its global leader. In addition, he was a founder and leader of PwC's U.S. Strategic Risk Services practice, developing and implementing clients' risk management processes.

As an expert in internal control and risk management, Steinberg served as the lead project partner in developing the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control—Integrated Framework and led development of COSO's Enterprise Risk Management—Integrated Framework, the landmark reports recognized as standards for effective internal control and risk management. Steinberg has authored numerous highly acclaimed reports, including Corporate Governance and the Board—What Works Best and its companion, Audit Committee Effectiveness—What Works Best. He is quoted in the financial press—including Businessweek, Fortune, the Wall Street Journal, Dow Jones MarketWatch, CNN Money, Institutional Investor, Investor's Business Daily, and the Financial Times—is a monthly columnist for Compliance Week, and is an active and sought-after speaker by major companies and business and professional organizations. He has been featured on CNBC TV's Morning Call and Bloomberg TV's On the Markets and The Bloomberg Report, and has guest lectured at such leading business schools as Auburn, Columbia, Delaware, Duke, MIT, NYU, and UCLA.

Steinberg is a member of the Open Compliance and Ethics Group Executive Advisory Panel, is cofounder of the Directors' College, presented by PricewaterhouseCoopers and the University of Delaware Center for Corporate Governance, and served as a member of the Conference Board's Global Corporate Governance Research Center Advisory Board and as co-chair of Corporate Board Member's Academic Council. He is a graduate of the University of Pennsylvania's Wharton School and holds an MBA from New York University's Graduate School of Business.

Index

Accountability, 34
Activist firms, 253
Activists. See also Shareholder activists: governance, 258; institutional, 185; pay decisions, 262
Administrative costs, 32
Aflac, 189
Alignment, 293
Allen, William, 286
Allstate, 149
Ambac Assurance, 149
American International Group (AIG), 15, 65, 67, 149
Anderson, Richard,
Andreessen, Marc, 53
Apotheker, Leo, 56, 57
Application Techniques in Enterprise Risk Management (COSO), 88, 89, 90, 91
Arthur Andersen, 3, 7, 232
Association
of Corporate Counsel, 49
Atkins, Betsy, 160–162
Audit committee, 102, 128, 130, 178, 205–206, 213
Audit Committee Effectiveness (PricewaterhouseCoopers), 218
Audit committee performance: external auditors, 216–217; internal auditors, 217–218; management, 214–216
Auditor attestation, 124, 133
Auditor reporting obligations, 49
Augustine, Norman, 199
Bair, Sheila, 145
Bank fraud, 136, 137
Bank of America, 144, 149, 150, 152
Barings Bank, 136
Bear Stearns, 70, 149
Berkshire Hathaway, 13, 275
Bernstein, Peter, 76, 77
Best practices, 231, 233–238
Black swans, 77
Blankfein, Lloyd, 249
Board book, 215, 238, 239, 242–243
Board governance models: about, 281–282; considerations, 284–285; dual boards, 283; full-time boards, 283–284; shareholders' authority, 282–283
Board of directors. See also Personal liability of directors; Pitfall avoidance: agendas, 162; and alignment, 292–293; annual workload, 213–214; communication timing to, 217; communication with shareholders, 261, 274; composition of, 266, 267; with constituent groups, 259; distractions, 122; dynamics within, 158; failures of, 68–70; groupthink in, 236–237; with internal divisions, 262; monitoring role, 159; newly-mandated practices, 156; oversight, 69, 100; oversight vs. management, 176; performance measures role, 204–205; pitfalls, 164–167; responsibilities for risk management, 175–176, 178–179; responsibility allocation, 208; responsibilities of, 117; risk averse, 122; roles of, 159–160; time limitations, 162; tone at the top, 51; value addition areas, 156–157
Board of directors, structural issues: CEO powers, 271–274; chairman-CEO, combined vs. split, 265–271; director compensation, 274–279
Board of directors' focus: areas requiring attention, 156–158; potential pitfalls, 163–167; responsibilities of, 162–163; recent changes, 153–155; rules, 155–157; societal responsibility, 160–163; watchdog role considerations, 158–160
Board-management interface, 96
Born, Brooksley, 236
Bouton, Daniel, 136, 139
Bowsher, Charles, 64, 236
BP: about, 92–93; culture, 94–95; risk management, 92–93; risk management failure, 95–97; safety focus, 95–97
Bribes, 28–29, 43
Bridging Board Gaps, 269
Broker no-vote, 253, 256
Buffett, Warren, 13, 62, 64, 72, 236, 275
Business objectives and compliance programs, 21
Business Roundtable, 257, 258
Business units, responsibility of, 115
CalPERS, 259, 261
Candor: and communications, 10; culture of, 10–13; and honesty, 239
Capital deployment, 87
Caremark decision, 286
Casey, Kathleen, 259
CEOs: about, 70–71; changes in functions, 273; commitment to enterprise risk management, 102–106; communications with board of directors, 242; enterprise risk management focus, 99; management focus, 71–72; responsibility of, 117; retention of, 195–196; risk awareness, 72; risk management quality, 71; selection of, 166
CEOs' compensation: about, 185–186; attention to, 186; and best practices, 234; board of directors and, 189, 190–192; CEOs as entrepreneurs, 188; future of, 190; historic problems, 186–188; key questions regarding, 188–192; say-on-pay votes, 189–190; and share price, 187
CEO's powers: boardroom revolt, 271–272; changes, 273–274; effects of, 273
Chairman-CEO, combined vs. split: about, 265–266; combined role, 266–267; pitfall avoidance, 269; right answer, 269–271; separated roles, 267–269
Chairman-CEO role: prevalence of, 266; separation of, 268
Chandler, William, 286–287, 288
Change-of-control provisions, 187
Checklist approach, 211
Chief audit executive, 116–117, 124–125, 126
Chief compliance officer, 35–36
Chief executive officers (CEOs). See CEOs
Chief internal auditor, 212
Chief risk officer (CRO), 67, 83, 104, 115, 116, 141, 244
Citibank, 152
Citigroup, 144, 146, 286
Clawback provisions, 142, 154, 257, 288
Coca-Cola, 275, 276, 279
Code of conduct, 42, 43, 128, 130, 208, 243, 267
Collateralized debt obligations (CDOs), 65–67
College Board, 179
Collegiality, 223, 230, 261
Commodities Futures Trading Commission, 236
Communication, 95
Communications and candor, 10
Community standing, 162
Company performance, 257
Compensation, 154, 292. See also CEOs' compensation
Compensation committee, 190–192, 235, 256, 262
Compensation consultants, 257
Compensation disclosure, 297
Compensation paradigm, 274
Complaints, 212
Compliance, 1, 2, 21
Compliance failures, 23
Compliance officer, 43, 243–244
Compliance programs: about, 21–22; compliance costs, 22–23; compliance office, 36–38; compliance process establishment, 38–39; focus on, 289; getting it right, 31–36; indirect costs, 24; mistakes, 24–30; paths to untenable positions, 30–31; rewards of compliance, 39–40
Compliance responsibility, 32–33, 34, 37
Computer and data security, 135
Conference Board Blue Ribbon Commission, 267
Constituent directors, 294
Constructive skepticism, 211
Consumer Financial Protection Bureau, 150
Consumer Reports, 26
Control activities, 120
Control environment, 17, 120
Cooper, Cynthia, 129, 131
Corporate culture, 28, 30, 33, 43
Corporate espionage, 135
Corporate governance, 18
Corporate Governance and the Board—What Works Best, 170, 234
Countrywide Financial, 232
Court rulings on foreclosure, 147
Credit card companies,
Credit default swaps (CDS), 65
Crises: company response to, 199; types of, 196–197
Crisis management: about, 196–197; plan elements, 198; plan execution, 199–200; planning for, 197–199
Crisis to catastrophe steps, 199–200
Critical information: about, 238–240; assembling, 241–242; compliance officer, 243–244; first-hand information, 245; industry information, 244–245; management perspective, 242; outside sources, 241; risk officer, 244; sources of, 240–241; supporting staff, 242–243
Critical risks: knowledge of, 165–166; vs. problems, 165
Cross-enterprise risks, 86
Culture: candor, 10–13; corporate successes of, 8–10; described, 5–6; effective communication, 16–20; failures of, 6–8; integrity vs. spin, 13–16; of Societe Generale, 139; of Washington Mutual (WaMu), 140
Culture change, 10
Customer satisfaction measures, 203
Customers, 203
Day, Robert, 15
Daimler, 42–43
Debt level exemption, 63
Deepwater Horizon disaster, 93
Defaults, 60
Delaware Chancery Court, 286
Department of Justice (DOJ), 24, 43, 295
Derivatives, 64, 236
Developing Key Risk Indicators to Strengthen Enterprise Risk Management (COSO), 92
Dimson, Elroy, 76
Director compensation: about, 274–275; bottom line, 277–279; criticism, 276; intent, 275; reality, 276–277; unintended consequences, 275–276
Director disclosure, 254–255
Directors. See also Board of directors; Personal liability of directors: certification of, 282; from constituent groups, 236–237, 285; eligibility requirements, 260; full-time, 284; offline discussions, 237, 238; qualification disclosures, 260; replacement of, 57; risks taken by, 278; selection of, 164; shareholder activism and liability, 263; with specialized agendas, 263; time devoted by, 284
Disclosure controls, 248
Disclosure requirements, 253, 254
Disclosure rules, 154, 202
Disney, 260, 287
Dissident directors, 259
Dodd-Frank Act, 7, 22, 47–48, 65, 124, 150, 154, 179, 189, 202, 288, 294
Drivers for enterprise risk management implementation: about, 99–100; board of directors, 100–101; business case, 101–102; senior managers, 101
Drucker, Peter F., 176–177
Dudley, Robert, 97
Due diligence, 61
Dunn, Patricia, 54, 246, 247, 248, 272
Earnings management, 131, 275, 276
Educational programs, 33
Effective risk management, 175–176
Elements of ethics programs: about, 43–44; code of conduct, 44; communication from senior management, 51; concerns going forward, 47–50; education and training, 45; employee screening, 44–45; ethics office, 50–51; job responsibilities, 45–46; program monitoring, 51; whistleblower channels, 45–47
Ellison, Lawrence, 55, 56
Elson, Charles, 54, 188, 268
Embracing Enterprise Risk Management (COSO), 109
Employee median pay, 257
Endowment investments, 233
Enforcement and regulatory actions, 24
Enterprise Risk Management (COSO), 18, 81, 88, 106, 110, 112, 177
Enterprise risk management (ERM): about, 80–85; characteristics of, 83; common roadblocks, 108; cultural and behavioral change requirements, 106; and culture, 18–19; Drucker principles, 176–177; objectives and components of, 82; pitfalls, 103–106; steps to success, 107; time and cost of, 105; value of, 85–88
Enterprise risk management (ERM) application techniques: event identification, 89; internal environment, 88; objective settings, 88–89; risk assessment, 89–90; risk response, 90–91
Enterprise risk management (ERM) implementation: drivers for, 99–102; effort, 114; guidance, 109–110; methods for, 106–107; pitfalls, 102–106; roles and responsibilities, 114–117; Sarbanes-Oxley Act and other compliance, 110–113; starting point, 108–109; success factors, 107–108; technology, 113–114
Ethics officer, 43
Ethics policy, 33
Ethics programs: about, 41; Daimler, 42–43; elements of, 43–51; and Sarbanes-Oxley, 127; tone at the top, 42, 51–57
Ethics training, 45
Evaluation of management, 157
Executive compensation, 53–54, 257
Expense reports, 54, 55
External audit, 130, 207
External auditors, 211–212, 216–217, 267
External communications, 157–158
External hiring, 193, 195
Falsified expense reports, 52
Fannie Mae, 149
Fat tails, 77
Federal Deposit Insurance Corporation (FDIC), 141, 152
Federal Reserve, 151–152
Financial disclosures, 153
Financial Fraud Enforcement Task Force, 150
Financial performance linkage, 202–204
Financial reporting: about, 205–206; advisors, 213; audit committee performance, 214–218; balance, 213–214; execution depth, 209–214; fraudulent, 129–130, 131, 277; scope of responsibilities, 206–209
Financial reporting misstatements, 127
Financial system crisis, 235–236
Fiorina, Carleton (Carly), 246, 272
Fisher, Jodie, 52, 54, 56
Focus. See also Board of directors' focus: on compliance programs, 289; on enterprise risk management, 99; of management, 71; on responsibilities, 166; on rules vs. responsibilities, 166; on safety, 95–97; short-term, 186; on strategy, 202, 273, 282
Foran, Margaret "Peggy," 260
Forecast of future: board of directors improvements, 297; CEO compensation, 295–296; challenges, 298; disasters, 296–297; regulations and enforcement, 295; risk management, 296; shareholder power, 294; unintended consequences, 294–295
Foreclosure fiasco: cause of, 145; first awareness of, 144–145; how it happened, 145–147; implications, 148–152; internal controls, 148
Foreign Corrupt Practices Act of 1977 (FCPA), 43, 122, 295; violations, 50
Forthcoming communication, 11–13
Fraud, 48, 137, 181
Fraudulent financial reporting, 129–130, 131, 277
Freddie Mac, 149
Future(s): board governance models, 281–285; board's risk perspective, 289–290; general counsel, 293–298; governance, 290–293; governance environment, 285–289
Galleon Group, 249
GE, 260
General counsel: board assessment, 226; compliance programs, 31, 112, 243; enterprise risk management, 101, 116; ethics programs, 41, 112; internal control, 131; internal investigation, 247; responsibility of, 116; risk awareness, 101
Getting compliance right: clarity of responsibility, 34; compliance built into business processes, 32–33; compliance office strength, 35–36; ethics and integrity, 33–34; risk-based approach, 34; strategic perspective of compliance, 31–32; technology, 34–35
Gift-giving policy, 162
Gilbert, John, 252
Gilbert, Lewis, 252
GlaxoSmithKline, 48
GMAC, 144, 146, 152
Goals: business, 32, 72, 75, 80, 143; constituent, 260; corporate, 157, 163, 186, 202, 271, 292; operational, 76; performance, 203; profit, 67, 164, 1446; risk-based, 203; strategic, 157
Goldman Sachs, 67, 146, 249
Governance: alignment, 290–292; alignment benefits, 292–293; defined, ; vs. management, 18; path to, 293
Governance environment: expanding requirements, 288–289; personal liability of directors, 286–288; shareholder rights, 285–286
Governance ratings, 164
GRC (governance, risk management, and compliance): about, 1–2; described, 2–3; importance of, 3–4
Greenberg, Maurice (Hank), 14–15, 272, 273
Greenspan, Alan, 64, 235
Gregory, Holly, 263
Groupthink: about, 233–235; in board of directors, 236–237; corporate failures from, 231; financial system crisis, 235–236; of management, 237–238; rejection of, 237–238
Groupthink (Janis), 235
Gupta, Rajat, 249, 250
Hackers, 134
Hayward, Tony, 93, 96, 198
Heidrick & Struggles, 193
Herd mentality: about, 233–234; best practices, 233–238
Herz, Bob, 60
Hewlett-Packard. See HP
High-impact risk, 96
Hodgson, Paul, 13
Holston, Michael, 52
Home Depot, 187
Honesty and candor, 239
Houston, Oberon, 93–94
HP. See also HP board leaks: about, 51–52; aftermath, 56–57; board actions, 52–53; board actions in firing, 55–56; Hurd actions, 53–54; past problems, 54; reaction to firing, 54–55
HP board leaks: about, 245–246; additional problems, 248; investigation, 246–247; leaks, 245–246; mistakes, 247–248; aftermath, 248–249
Hurd, Mark, 52, 53, 54, 55, 56, 245, 248, 249, 272, 273
Immelt, Jeff, 260
Imperial CEO, 222, 266, 273
Incentives and temptations, 129
Independent directors, 267
Information. See also Critical information: and communication, 120; disclosure, 245; industry, 244–245; insider, 249; sensitive corporate, 134; sugar coating, 242
Insider trading, 56
Institutional investors, 165
Institutional Shareholder Services (ISS), 57, 260
Integrity and ethical values, 129
Integrity vs. spin: American International Group (AIG), 14–15; culture and spin, 16; General Electric (GE), 14; Societe Generale, 15
Internal audit, 36, 129, 207–208, 212
Internal auditors, 43, 217–218
Internal communications channels, 49
Internal control: about, 119–122; components of, 120–122; failure of, 138; fraudulent financial reporting, 127–130; other Sarbanes-Oxley provisions, 126–127; reality regarding, 130–132; responsibility for Sarbanes-Oxley Section 404, 124–126; Sarbanes-Oxley Section 404 and financial reporting, 120–122, 208; system, 17, 42; weaknesses, 127
Internal Control—Integrated Framework (COSO), 17, 42, 119
Internal investigation, 53, 54, 180–182
Internally-promoted hiring, 193, 195
Investigation, 246–247
Investor feedback, 241
J&J Health Care Systems, 28
Janis, Irving, 235
Jett, Joseph, 136
Johnson & Johnson, 3, 6, 260
Joint chairman-CEO. See Chairman-CEO
JPMorgan Chase, 67, 144, 146, 149, 151, 152
Kanas, John, 66
"Keeping up with the Joneses" syndrome, 231–233
Kerviel, Jerome, 15, 135–138, 143
Key controls, 19
Key performance indicators, 91, 173
Keyworth, George, 247, 248
Khuzami, Robert, 28
Kickbacks, 27, 29
Killinger, Kerry, 139, 141
Koppes, Richard, 194
KPMG, 14
Kristie, Jim, 68
Labor unions, 258
Lake Wobegon syndrome, 186, 234, 295
Lamb, Stephen, 286, 287
Lane, Ray, 56, 57
Lay, Ken, 181
Lead director, 267
Lead independent director, 267
Leaks, 245–246
Leeson, Nick, 136
Legal and regulatory precedent, 112
Leidesdorf, William, 278
Levin, Carl, 140
Liability potential, 165
Liar loans, 232
Lipton, Martin, 262
Lochner, Phil, 239, 240, 241, 278
Lorsch, Jay, 13
Making the numbers, 14, 275
Management. See also Chief executive officers (CEOs); Senior management: audit committee performance, 214–216; in board of directors meetings, 215; vs. governance, 18; groupthink, 237–238; as information source, 210, 214–215
Management compensation, 157. See also CEOs' compensation
Management philosophy and operating style, 129
McAfee, 135
McGurn, Patrick, 261
McNeil Consumer Healthcare Products, 27
Media coverage, 240
Meeting fees, 277
Merck, 181
Merrill Lynch, 65–68
Metrics: business, 172; comparative, 195; compensation, 103, 187, 191, 195, 274; financial performance, 202; for implementation, 172; noncompliance, 36; performance, 157, 165, 202–204, 228, 235, 290–293, 296; return, 202
Millstein, Ira, 263, 268
Minow, Nell, 278
Miscommunication, 17
Mistakes at platinum companies: about, 24; Johnson & Johnson, 27–29; lessons to be learned, 29–30; Toyota, 25–27
Monitoring, 121
Monitoring board, 283
Mortgage Electronic Registration Systems (MERS), 147
Mortgage generators,
Mortgage servicing, 145
Mortgage-backed securities, 141, 149
Motrin, 27
Mozilo, Angelo, 143, 144
Multiple risks, 86
Murray, Alan, 271–273
Mustier, John-Pierre, 15
Nardelli, Robert, 187
NASA, 80
National Transportation Safety Board, 181
New York Stock Exchange (NYSE), 42; listing standards, 206, 208
New York Times, 134, 145, 271
NINJA (no income, no job, no assets) mortgages, 232
Nominee disclosure, 254–255
Noncompliance metrics, 36
Nonprobabilistic techniques, 90
Objectivity, 125
Ombudsman, 50
O'Neal, Stanley, 66
Open Compliance and Ethics Group, 36, 112
Operating managers' responsibility and accountability, 104
Operational performance: about, 133–134; Countrywide Financial, 143–144; foreclosure fiasco, 144–152; IT controls, 133–135; Societe Generale, 135–139; Washington Mutual (WaMu), 139–143
Operational surprises and losses, 86
Operations controls, 119, 145–146
Oracle, 56
Ortho-McNeil-Janssen Pharmaceuticals, 27
Outside sources, 241
Outsourcing firms, due diligence for, 148
Oversight responsibilities: risk management, 173–182; strategy, 169–173
Pascal's wager, 77
Pay-for-performance, 186, 191
Peer comparison, 234–235
Performance assessment, 46
Performance board, 283
Performance categories, 203
Performance measurement and reporting: financial reporting, 205–218; performance measures, 201–205
Performance measures, 157, 164, 173, 204–205, 291. See also Metrics
Perkins, Thomas, 247, 248
Personal liability of directors, 122, 159, 165, 206, 209, 246, 264, 278, 286–288
Pfizer Corp., 179
Phantom recall, 28
Pitfall avoidance: critical information, 238–245; follow-the-herd mentality, 231–238; groupthink, 233–235; HP board leaks, 245–249; leaks, 249–250
Pitt, Harvey, 78
Political agendas, 258
Power of shareholders vs. boards: about, 251–252; balance, 262–264; Dodd-Frank Act proxy access, 256–261; goals, 264; good intentions, 259–261; limitations, 261–262; shareholder achievements, 253–256; shareholder activism, 252–253
Presiding director, 267
Pretexting scandal, 54, 247
Preventive measures, 96
Probabilistic techniques, 90
Problem notification, 217–218
Project governance, 18
Proxy statement access, 154, 253, 257–259, 294
Public Company Accounting Oversight Board, 127
Quality vs. quantity, 142
Rajaratnam, Raj, 249
Recalls, 25–27, 28
Refinance penalties, 60
Regulatory standards, 32
Regulatory systems, 61
Reich, Robert, 188
Reporting relationships, 37; compliance officer, 233–244
Reputation damage, 24, 27
Reputations, 29, 30
Responsibilities: of board of directors, 117, 175–176, 178–179; to borrowers, 62; of business units, 115; of chief audit executive, 116–117; of chief executive officers (CEOs), 117; of chief risk officer (CRO), 116; clarity of, 34; and compliance, 31; of enterprise risk management, 114–117; for financial reporting, 206–209; of general counsel, 116; insurance companies, 62; job, 45–46; management, 61–62; mortgage generators, 62; of operating managers, 104; operational, 35; for oversight, 169–182; rating agencies, 62; regulators, 62; and reputations, 30; for risk management, 175–176, 178–179; for risk management placement, 104; for Sarbanes-Oxley Section 404, 124–126; social, 160–162
Revolt in the Boardroom (Murray), 271–272
Righteous culture, 8–9
Risk. See also Enterprise risk management; Risk management: about, 79–80; attending to, 78–79; betting on, 77; BP experience, 92–97; defined, 76–77; key risk indicators (KRIs), 91–92
Risk appetite: vs. risk tolerance, 177–178; setting limits to, 88; and strategy, 86
Risk assessment, 19, 120, 174
Risk avoidance, 90
Risk committee, 179, 208
Risk identification process, 175
Risk management: about, 75–76, 173–174; absence of, 67; board of directors' responsibilities, 175–176, 178–179; board of directors' role in, 157; CEO on, 174–175; communications problems, 177–178; and culture, ; design of, ; Drucker principles, 176–177; implementation, 69; meaning clarification, 18; oversight and reporting, 178; placement responsibility for, 104; problem investigation, 180–182; responsibility for placement, 104; risk, 76–79; risk denial, 179–180
Risk management and financial sector meltdown: board of directors, 68–70; CEO awareness, 70–72; Federal Reserve, 64–65; going forward, 65; insurance company regulators, 65; Merrill Lynch, 65–68; regulatory system, 63–65; Securities and Exchange Commission (SEC), 63–64; what went wrong, 59–63
Risk officer, 2, 104, 140, 143, 235, 244, 250. See also Chief risk officer (CRO)
Risk oversight, 154
"Risk Oversight—Board Lessons for Turbulent Times" (NACD), 199
Risk reduction, 90, 200
Risk-related culture survey, 88
Risk-response decisions, 86
Risktaking, 289–290
Risk tolerance, 177–178
Robo-signers, 146
Rohatyn, Felix, 64, 236
Rosneft, 97
Rowley, Coleen, 131
SAP, 56
Sarbanes-Oxley Act, 22, 46, 153, 208; Section 302, 208, 248; Section 404, 17, 19, 110, 119, 122–124, 133, 208, 248
SAT scoring scandal, 179–180
Say-on-pay votes, 154, 189–190, 253, 256, 262, 294
Schultz, Howard, 10
Securities analysts' report, 240
Securities and Exchange Commission (SEC), 24, 48, 49, 143, 249; filings, 248; Regulation FD, 245, 261; rules on conflict of interest, 255; rules on disclosure, 253, 254
Securitization of mortgage products, 141
Senior management. See also Tone at the top: and alignment, 292; board of directors and, 159, 162, 170, 174–177, 219, 223, 228, 230, 232, 242, 244–245, 250, 256, 266, 285, 292; code of conduct, 51; communication, 51; compensation, 274; compliance programs, 22, 23, 35, 38; in crisis, 197, 198; culture of, 142, 239; enterprise risk management, 99, 100, 103–106, 108–109, 111, 114–115, 117; ethics programs, 43, 51; financial reporting, 122; institutional investors and, 290; performance assessment of, 172; risk management, 66, 67, 69–71, 85, 91, 95; Sarbanes-Oxley Section 404, 122, 125; whistleblowers, 48
Sentencing guidelines, 112
Servicemembers' Civil Relief Act, 151
Shareholder achievements: about, 253–254; board of directors' role in risk management, 256; compensation consultants, 255; compensation discussions and analysis, 254; director and nominee disclosure, 254–255; leadership structure, 255–256
Shareholder activists, 187, 253, 261–264, 271, 294
Shareholder concerns, 251 Shareholder power, 288 Shareholders and alignment, 293 Index communication with board of directors, 274 communications channels for, 153 communications from, 241 Sheehan, Anne, 261 Shiller, Robert, 235, 236 Short-term focus, 186 Siemens, Signing bonus, 276 Smith, Howard, 15 Smith, Neil, 161 SmithOBrien, 161 Social responsibilities, 160–162 Societe Generale about, 135–136 chairman response, 139 culture of, 139 internal control, 137–139 Society of Corporate Compliance & Ethics, 36 Software needs, 113–114 Sokol, David, 13 Sonnenfeld, Jeffrey, 54 Special interests, 258 Spencer Stuart (search firm), 193 Spin, 242 State Attorneys General, 150, 151 State court rulings, 150 Steering committee, 108 Stewart, Potter, 42 Stock options backdating, 155, 276 Stock options vs restricted stock, 278 Strategic initiatives and related risks, 203 Strategic planning, 171 Strategy about, 169–170 alignment, 186, 290–293 board of directors’s response to, 11, 12, 203, 242, 292 board of directors’s role in, 68, 156–157, 159, 163, 165, 166, 175–176, 182, 194, 209, 292 compensation linkage, 256, 262, 292 crisis response, 199 critical success factors, 171–172 culture and, development of, 109, 117, 228, 266 exit, 225 & 311 focus on, 202, 273, 282 implementation, 123, 166, 201, 291, 292 measurement, 172–173 performance and, 164, 205, 291 performance measures, 164 pitfalls, 170–171 real-time adjustments, 173 review of critical assumptions, 171–172 risk appetite, 86 risk management, 71, 83, 86, 87, 89 shareholder knowledge of, 190, 253, 261 Strine, Leo, 288 Succession planning board of directors’s role in, 157 challenges of, 196 executive grooming and selection, 193–196 sudden departure, 192–193 Supporting staff, 242–243 Surveys, 51 SWOT analysis, 170 Tone at the top, 3, 42, 51–57, 66, 157 Toyoda, Akio, 26 Toyota, 3, 25–27 Trade publications, 240 Trade secrets, 134 Transformational transactions, 157 Transparency, 191–192 Trust, loss of, 55 “Trust but verify” philosophy, 
210–211 Tylenol, 3, 27 Uncertainty, 85–86 Union officials, 259 Upstream reporting, 115 U.S Bancorp, 150 U.S Chamber of Commerce, 257 U.S Department of Justice, 96 U.S Sentencing Commission, 112 U.S Sentencing Guidelines, 37 Value addition, 274 Velocity and impact, 110, 197 Vioxx problems, 181 312 & Index Wall Street Journal, 188, 258 Washington Mutual (WaMu) about, 139–140 broader picture, 141–142 claims against, 149 culture of, 140 fraud in, 141 lessons to be learned, 142–143 peer competition, 232 systemic problems, 140–141 Watkins, Sherron, 131, 181 Weil, Gotshal and Manges, 263 Weldon, William C., 28, 29, 260 Wells Fargo, 144, 150, 152 Whistleblower channels, 33, 42, 43, 127, 128, 130, 212, 267 Whistleblower payouts, 50 Whistleblower process, 207 Whistleblower provisions, 154 Whistleblowers, 48, 294 WorldCom, 233 Zero tolerance approach, 34 .. .Governance, Risk Management, and Compliance Governance, Risk Management, and Compliance It Can’t Happen to Us Avoiding Corporate Disaster While Driving Success RICHARD M STEINBERG... recesses of an organization But that’s just not Governance, Risk Management, and Compliance: It Can’t Happen To Us Avoiding Corporate Disaster While Driving Success by Richard M Steinberg Copyright... entity’s good reputation is so valuable, the Governance, Risk Management, and Compliance: It Can’t Happen To Us Avoiding Corporate Disaster While Driving Success by Richard M Steinberg Copyright

Posted: 21/01/2020, 09:06
