AIG, Bear Stearns, Fannie Mae, Freddie Mac, Lehman Bros. et al. are not the failure of internal controls, examination of financials, or Sarbanes-Oxley, but they are the result of a more fundamental flaw in governance: failure to assess the risks to the enterprise of these organizations, and to advise the board of an understandable assessment of those risks.
Nell Minow, editor and chair of The Corporate Library, states in a special to CNN that “[f]ailure this broad and deep takes a village, and regulators, lawyers, compensation consultants, auditors, executives, shareholders, and the press all played a part. But the people who are most responsible for the massive meltdowns of these institutions are the boards of directors.”
The Committee of Sponsoring Organizations of the Treadway Commission, in its 2004 report on managing enterprise risk, states that it must be effected from the top by an entity’s board of directors.
The failure at the top of AIG, Bear Stearns, et al. starts with the composition of those governing boards: not enough persons with experience or expertise in risk assessment. Boards need to take corrective steps before Congress attempts to legislate.
Corrective steps for any organization to consider include:
- Charge nominating committees with identifying and recommending director candidates with experience and expertise in risk assessment.
- Charge appropriate members of management with responsibility for assessing, and reporting to the board their assessments of, enterprise risk. Two such persons in most organizations would be the chief legal officer, who is trained to assess and report risks, and the chief financial officer, who often must quantify risks.
- Empower the identified risk assessors with direct access to, and with the responsibility to be available upon call of, the board and its committees. This access and availability should include periodic meetings of each of these identified risk assessors separately with the board in executive session.
- If the risks are complex, hire independent counsel to review and explain the risks to the board. A board that fails to take care that each of its members understands such risks is likely in breach of its duties.
- Order periodic assessments of risks to the enterprise by someone independent of management. Consideration should be given to having the periodic assessment led by independent counsel for the board because the risk assessment will likely be enhanced if protected by the attorney-client privilege controlled by the board in its collective capacity as the governing board.
Risks to assess include legal risks; unexpected hazard or calamity risks; operational risks; financial risks (including investment risks); strategic risks; and reputational risks.
Corporate America, public and private, taxable and tax-exempt, can do better.