Ten Major Considerations for Directors in the Time of COVID-19


Here are ten considerations that must be taken into account at a time when every company is preoccupied with the COVID-19 crisis.

This very thorough article was published yesterday on the Harvard Law School of Corporate Governance forum.

The lawyers Holly J. Gregory and Claire Holland, of the firm Sidley Austin, provide a comprehensive overview of the main governance considerations that boards of directors are likely to face during this period of uncertainty.

Happy reading. Your comments are appreciated.

Ten Considerations for Boards of Directors

 

Boards and Crisis Infographic

 

The 2019 novel coronavirus (COVID-19) pandemic presents complex issues for corporations and their boards of directors to navigate. This briefing is intended to provide a high-level overview of the types of issues that boards of directors of both public and private companies may find relevant to focus on in the current environment.

Corporate management bears the day-to-day responsibility for managing the corporation’s response to the pandemic. The board’s role is one of oversight, which requires monitoring management activity, assessing whether management is taking appropriate action and providing additional guidance and direction to the extent that the board determines is prudent. Staying well-informed of developments within the corporation as well as the rapidly changing situation provides the foundation for board effectiveness.

We highlight below some key areas of focus for boards as this unprecedented public health crisis and its impact on the business and economic environment rapidly evolves.

 

1. Health and Safety

 

With management, set a tone at the top through communications and policies designed to protect employee wellbeing and act responsibly to slow the spread of COVID-19. Monitor management’s efforts to support containment of COVID-19 and thereby protect the personal health and safety of employees (and their families), customers, business partners and the public at large. Consider how to mitigate the economic impact of absences due to illness as well as closures of certain operations on employees.

 

2. Operational and Risk Oversight

 

Monitor management’s efforts to identify, prioritize and manage potentially significant risks to business operations, including through more regular updates from management between regularly scheduled board meetings. Depending on the nature of the risk impact, this may be a role for the audit or risk committee or may be more appropriately undertaken by the full board. Document the board’s consideration of, and decisions regarding, COVID-19-related matters in meeting minutes. Maintain a focus on oversight of compliance risks, especially at highly regulated companies. Watch for vulnerabilities caused by the outbreak that may increase the risk of a cybersecurity breach.

 

3. Business Continuity

 

Consider whether business continuity plans are in place appropriate to the potential risks of disruption identified, including through a discussion with management of relevant contingencies, and continually reassess the adequacy of the plans in light of developments. Key issues to consider include:

  • Employee/Talent Disruption. As more employees begin working remotely or are unable to work due to disruptions caused by COVID-19, continually assess what minimum staffing levels and remote work technology will be required to maintain operations. (Also, as noted above, consider how to mitigate the economic impact of absences due to illness as well as closures of certain operations on employees.)
  • Supply Chain and Production Disruption. Review with management the risks that a disruption in the supply chain will cause interruptions in operations and how to protect against such risks, including the availability of alternate sources of supply. Ask management to assess the risks that the company will have difficulty in fulfilling its contractual obligations and how management is preparing to address those risks, including through review of relevant provisions in customer contracts (e.g., force majeure, events of default and termination) to determine what recourse is available.
  • Financial Impact and Liquidity. Review with management the near-term and longer term financial impact (including the ability to meet obligations) of the COVID-19 pandemic and the related impact of the extreme volatility in the financial markets. Understand the assumptions underlying management’s assessment and discuss the likely outcome if those assumptions prove incorrect. Consider the need to seek additional financing or amend the terms of existing debt arrangements.
  • Internal Controls and Audit Function. Consider whether COVID-19 may have an impact on the functioning of internal controls and audit. For publicly-traded companies, remember that any material changes in internal control over financial reporting will require disclosure in the next periodic report.
  • Recent Securities Exchange Commission (SEC) guidance: In a March 4, 2020 press release, SEC Chair Jay Clayton urged companies to work with their audit committees and auditors to ensure that their financial reporting, auditing and review processes are sufficiently robust to enable them to meet their obligations under the federal securities laws in the current environment.
  • Key Person Risks and Emergency Succession Plans. Consider whether an up-to-date emergency succession plan is in place that identifies a person who can step in immediately as interim CEO in the event the CEO contracts COVID-19. Consider the need to implement similar plans for other key persons.
  • Incentives. Consider whether incentive plans need to be reworked in light of the circumstances, to ensure that appropriate behaviors are encouraged. Consider delaying setting incentive plan goals until the uncertainty has subsided or try to build in flexibility with respect to any goals set.
  • Board/Governance Continuity. Consider whether the board is appropriately positioned to provide guidance and oversight as the COVID-19 threat expands. Consider scheduling in advance special board meetings and/or information conference calls over the next three to four months, which can be cancelled if not needed. Decide whether to replace in-person meetings with conference calls to help limit the threat of contagion. Consider whether contingencies are in place if a board quorum is not available. Continue to meet regularly in executive session to discuss assessment of how management is managing the crisis.

 

4. Crisis Management

 

During this turbulent time, employees, shareholders and other stakeholders will look to boards to take swift and decisive action when necessary. Consider whether an up-to-date crisis management plan is in place and effective. A well-designed plan will assist the company to react appropriately, without either under- or over-reacting. Elements of an effective crisis management plan include:

  • Cross-Functional Team. Crisis response teams typically include key individuals from management, public relations, human resources, legal and finance. Identify these individuals now and begin meeting so that they are prepared to respond quickly as the crisis develops. The team should be in regular contact with the board (or a designated board member or committee) as the COVID-19 pandemic evolves.
  • Quick and Decisive Deployment. The plan should include crisis response procedures, communications templates, checklists and manuals that can be readily adapted to a variety of situations for effective, time-critical and agile deployment. The crisis response team should be familiar with the elements of the plan and ready to implement it at a moment’s notice.
  • Contingency Plans. A crisis is inherently unpredictable. However, the company should endeavor to anticipate all potential crises to which it is vulnerable and develop contingency plans to deal with those crises to minimize on-the-fly decision-making.
  • Examples of scenarios to prepare for: What will our response be if there is a confirmed case of COVID-19 within the company? How will we notify employees of a confirmed case and what privacy implications do we need to consider? What planning (e.g., IT training) is required if we need to mandate that our employees work remotely?
  • Thoughtful Communications. The board should oversee the company’s communication strategy. Clear communication and planning within the crisis response team will allow the company to communicate internally and externally in a calm and thoughtful manner, which will help build confidence during a volatile situation.

 

5. Oversight of Public Reporting and Disclosure for Publicly-Traded Companies

 

Companies must consider whether they are making sufficient public disclosures about the actual and expected impacts of COVID-19 on their business and financial condition. The level of disclosure required will depend on many factors, such as whether a company has significant operations in China or is in a highly affected industry (e.g., airlines and hospitality companies). In any event, boards should monitor to ensure that corporate disclosures are accurate and complete and reflect the changing circumstances.

Because the COVID-19 pandemic is unprecedented and changing by the day, the SEC acknowledges that it is challenging to provide accurate information about the impact it could have on future operations.

Recent SEC guidance: “We recognize that [the current and potential effects of COVID-19] may be difficult to assess or predict with meaningful precision both generally and as an industry- or issuer-specific basis.” Statement by SEC Chairman Jay Clayton on January 30, 2020.

  • Earnings Guidance. Consider whether previously issued earnings guidance should be downgraded to reflect the actual or likely impact of COVID-19 and, if so, how to describe the reason for the revision. Due to the current unpredictability of COVID-19’s impact, consider withdrawing previously-issued earnings guidance altogether or refraining from issuing guidance in the near term.
  • Risk Factor Disclosure. Consider how the COVID-19 pandemic may require additions or revisions to risk factor disclosures.
  • Recent SEC guidance: “We also remind all companies to provide investors with insight regarding their assessment of, and plans for addressing, material risks to their business and operations resulting from the coronavirus to the fullest extent practicable to keep investors and markets informed of material developments.” SEC March 4, 2020 press release.
  • Potential topics for risk factor disclosure include:
      • Disruptions to business operations whether from travel restrictions, mandated quarantines or voluntary “social distancing” that affects employees, customers and suppliers, production delays, closures of manufacturing facilities, warehouses and logistics supply and distribution chains and staffing shortages
      • Uncertainty regarding global macroeconomic conditions, particularly the uncertainty related to the duration and impact of the COVID-19 pandemic, and related decreases in customer demand and spending
      • Credit and liquidity risk, loan defaults and covenant breaches
      • Inventory writedowns and impairment losses
      • Ensure that risk factor disclosure is consistent with the board’s conversations with management about material risks.
  • Recent SEC guidance: “One analytical tool to evaluate disclosure in this context is to consider how management discusses … risks with its board of directors. Obviously not all discussions between management and the board are appropriate for disclosure in public filings, but there should not be material gaps between how the board is briefed and how shareholders are informed.” Statement by SEC Director, Division of Corporation Finance William Hinman on March 15, 2019.
  • As always, risk factor disclosure should be specific to a company’s individual circumstances and avoid generic language. Finally, be careful not to describe a risk related to COVID-19 as hypothetical if it has actually occurred.
  • Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A). Consider whether the actual or likely impact of COVID-19 on a company’s business (including its supply chain), financial condition, liquidity, results of operations and/or prospects would be deemed material to an investment decision in the company’s securities and require disclosure. Consider whether the impact or potential impact of COVID-19 on the company is a “known trend or uncertainty” requiring disclosure in the MD&A of the next periodic report. Tailor any MD&A disclosures to the impact of COVID-19 on the company’s business in particular. Consider whether disclosures appropriately address the potential impact of the COVID-19 pandemic on future results of operations.
  • Subsequent Events. A joint statement by SEC and Public Company Accounting Oversight Board (PCAOB) leadership on February 19, 2020 specific to COVID-19 reporting considerations encouraged companies to consider the need to potentially disclose subsequent events in the notes to the financial statements in accordance with guidance included in Accounting Standards Codification 855, Subsequent Events.
  • Forward-Looking Statements. Consider whether the company’s forward-looking statement disclaimer language adequately protects the company for statements it makes regarding the expected impacts of COVID-19. It should be specific and consistent with updates made to the risk factors and other public disclosures.
  • Recent SEC guidance: “Companies providing forward-looking information in an effort to keep investors informed about material developments, including known trends or uncertainties regarding the coronavirus, can take steps to avail themselves of the safe harbor in Section 21E of the Exchange Act for this information.” SEC March 4, 2020 press release.
  • Updates. Consider whether prior disclosures should be revised to ensure they are accurate and complete. While there is no express duty to update a forward-looking statement, courts are divided as to whether a duty to update exists for a forward-looking statement that becomes inaccurate or misleading after the passage of time (from the perspective of claim under Exchange Act Section 10(b) and Rule 10b-5).
  • Recent SEC guidance: “Depending on a company’s particular circumstances, it should consider whether it may need to revisit, refresh, or update previous disclosure to the extent that the information becomes materially inaccurate.” SEC March 4, 2020 press release.
  • Proxy Statements. Given the SEC’s emphasis on discussion of how boards oversee the management of material risks, consider expanding the proxy statement disclosure of board oversight of COVID-19-related risks where material to the business.
  • Recent SEC guidance: “To the extent a matter presents a material risk to a company’s business, the company’s disclosure should discuss the nature of the board’s role in overseeing the management of that risk. The Commission last noted this in the context of cybersecurity, when it stated that disclosure about a company’s risk management program and how the board engages with the company on cybersecurity risk management allows investors to better assess how the board is discharging its risk oversight function. Parallels may be drawn to other areas where companies face emerging or uncertain risks, so companies may find this guidance useful when preparing disclosures about the ways in which the board manages risks, such as those related to sustainability or other matters.” Statement by SEC Director, Division of Corporation Finance William Hinman on March 15, 2019.
  • Also, consider cautioning stockholders that the annual meeting date and logistics are subject to change.
  • Current Reports. Consider the need to file a Form 8-K for material developments such as if the CEO or another key person or a significant portion of the workforce contracts COVID-19.
  • Conditional Filing Relief. Companies that anticipate filing delays due to COVID-19 should consider taking advantage of the SEC’s March 4, 2020 order granting an additional 45 days to meet Exchange Act reporting obligations for reports due between March 1 and April 30, 2020. See the Sidley Update available here for more details.

 

6. Compliance with Insider Trading Restrictions and Regulation FD for Publicly-Traded Companies

 

  • Insider Trading. Closely monitor and consider further restricting trading in company securities by insiders who may have access to material nonpublic information related to COVID-19 impacts (e.g., by requiring additional training, imposing blackout periods or enhancing preclearance procedures).
  • Recent SEC guidance: If a company “become[s] aware of a risk related to the coronavirus that would be material to its investors, it should refrain from engaging in securities transactions with the public and … take steps to prevent directors and officers (and other corporate insiders who are aware of these matters) from initiating such transactions until investors have been appropriately informed about the risk.” SEC March 4, 2020 press release.
  • Carefully consider whether the company should potentially buy back stock to take advantage of significantly depressed stock prices.
  • Regulation FD. Be mindful of Regulation FD requirements, particularly if sharing information related to the impact of COVID-19 with customers and other stakeholders.
  • Recent SEC guidance: “When companies do disclose material information related to the impacts of the coronavirus, they are reminded to take the necessary steps to avoid selective disclosures and to disseminate such information broadly.” SEC March 4, 2020 press release.

 

7. Annual Shareholder Meeting

 

With the Center for Disease Control recommending that gatherings of 50 or more persons be avoided to assist in containment of the virus, consider with management whether to hold a virtual-only shareholders meeting or a hybrid meeting that permits both in-person and online attendance. Public companies that are considering changing the date, time and/or location of an annual meeting, including a switch from an in-person meeting to a virtual or hybrid meeting, will need to review applicable requirements under state law, stock exchange rules and the company’s charter and bylaws. Companies that change the date, time and/or location of an annual meeting should comply with the March 13, 2020 guidance issued by the Staff of the SEC’s Division of Corporation Finance and the Division of Investment Management. See the Sidley Update available here for more details.

 

8. Shareholder Relations

 

Activism and Hostile Situations. Continue to ensure communication with, and stay attuned to the concerns of, significant shareholders, while monitoring for changes in stock ownership. Capital redemptions at small- and mid-sized funds may lead to fewer shareholder activism campaigns and proxy contests in the next several months. However, expect well-capitalized activists to exploit the enhanced vulnerability of target companies. The same applies to unsolicited takeover bids by well-capitalized strategic buyers. If they have not already done so, boards should update or activate defense preparation plans, including by identifying special proxy fight counsel, reviewing structural defenses, putting a poison pill “on the shelf” and developing a “break the glass” communications plan.

 

9. Strategic Opportunities

 

Consider with management whether and if so where opportunities are likely to emerge that are aligned with the corporation’s strategy, for example, opportunities to fulfill an unmet need occasioned by the pandemic or opportunities for growth through distressed M&A.

 

10. Aftermath

 

Consider with management whether the changes in behavior occasioned by the pandemic will have any potential lasting effects, for example on employee and consumer behavior and expectations. Also, be prepared when the crisis abates to assess the corporation’s handling of the situation and identify “lessons learned” and actionable ideas for improvement.

2020 Directors’ Guide | Deloitte


The following document, published by Deloitte, is highly recommended reading for all directors, particularly those who have responsibilities related to evaluating the company’s financial performance.

For each of the topics covered in the document, the authors present a set of questions that directors could ask:

“For directors to fulfil their obligations with respect to financial reporting, they must rely on the support of management and ask the right questions.

In this publication, we suggest questions that directors could ask management about their annual financial documents, so that these are appropriately challenged.”

I invite you to read this publication by downloading the guide below.

2020 Directors’ Guide


An Independent Director’s Dilemma in a Data Theft Case


Here is a case published on Julie McLellan’s site that deals with a situation in which Trevor, an independent director, believed that the company’s great success reflected solid governance.

Trevor chairs the audit committee and is concerned with putting sound governance practices in place. However, this publicly traded company had weaknesses in digital risk management and cybersecurity.

In addition, the sole independent director was not informed that a theft of highly sensitive data had occurred and that ransom demands had been made.

The organization first denied that the stolen information came from its systems, before admitting that the data had been taken a year earlier! The results were dramatic…

Trevor wonders how he can help the organization weather the storm!

The case was first translated into French using Google Chrome, and I then edited and adapted it. It presents the situation briefly, and then three experts give their views on the case.

Happy reading! Your comments are always welcome.


Trevor is a director of a listed company that has been a “market darling.” The company provides credit assessments and data verification. The founders both have solid experience in the sector, a strong network of contacts and a client list that included governments and financial institutions.

After the stock market listing two years ago, the company met or exceeded forecasts, and Trevor is proud to be the only independent director on the board, alongside the two founders and the CEO. He chairs the audit committee and, unofficially, he has been the initiator of the governance processes and their documentation.

The founders have remained very active in the business, and Trevor has at times been concerned that certain strategic decisions were not brought to his attention before the board meeting. As Trevor’s background is in audit and assurance, he assumes that he would not have added value beyond ensuring a sound process and record keeping.

Three weeks ago, everything changed. A large part of the company’s data was stolen and transferred to the “dark web.” The theft included the financial data of the people who had been assessed as well as identifying data such as tax file numbers and residential addresses. Worse, the company first claimed that the information did not come from its systems, then admitted to having received ransom demands indicating that the data had been taken up to a year before this disaster.

Several clients have closed their accounts, shareholders are dismayed, the share price is in free fall and the press is demanding more information.

How should Trevor help the company weather this storm?

To read this case, go to www.mclellan.com.au/newsletter.html and click on “read the latest issue.”

Adam’s Answer

 

This is a critical time for Trevor legally and reputationally; it is also a time when being an independent director carries additional responsibility to the company, the shareholders, the staff and the customers.

All Directors and Executives can only have one response to a blackmail attempt. That is to immediately report it to the police and not respond to the ransomware demands. Secondly, the company should have had a crisis management plan in place ready for such an eventuality. In this day and age, no company should operate without a cybercrime contingency plan.

In this case it is unclear, but it appears that the authorities were not informed and that Trevor’s company was unprepared for a data breach or ransomware demands.

There are 2 scenarios open to Trevor:

1) If Trevor was not informed straight away of the ransom demands and the CEO and founding Executive Directors knew but did not brief him on the ransom issue and the company’s response, then his independent status has been compromised and he should resign.

2) If Trevor was informed and the whole Board was involved in the response, then Trevor must remain and help the company ride out the storm. This will involve working with the police, the ASX and crisis management guidance from external suppliers – technical and PR.

The rule to follow is full transparency and speedy action.

Trevor should refer to the recent ransomware attack on Toll Logistics and their response, which was exemplary.

Adam Salzer OAM is the Chair and Global Designer for Whitewater Transformations. His other board experience includes Australian Transformation and Turnaround Association (AusTTA), Asian Transformation and Turnaround Association (ATTA), Australian Deafness Council, Bell Shakespeare Company, and NSW Deaf Society. He is based in Sydney, Australia.

Julie’s Answer

 

This is a listed company; Trevor must ensure appropriate disclosure. A trading halt may give the company time to investigate, and respond to, the events and then give the market time to disseminate the information. His customer liaison at the stock exchange should assist with implementing a halt and issuing a brief statement saying what has happened and that the company will issue more information when it becomes available.

This will be a costly and distracting exercise that could derail the company from its current successful track.

Three of the four board members are executives. That doesn’t mean the fourth can rely on their efforts. Trevor must add value by asking intelligent questions that people involved in the operations will possibly not think to ask. This board must work as a team rather than a group of individuals who each contribute their own expertise and then come together to document decisions that were not made rigorously or jointly.

Trevor has now learnt that there is more to good governance than just having meetings and documenting processes. He needs to get involved and truly understand the business. If his fellow directors do not welcome this, he needs to consider whether they are taking him seriously or just using him as window-dressing. He should ensure that the whole board is never again left out of the information flow when something important happens (or even when it perhaps might happen).

He should also take the lead on procuring legal advice (they are going to need it), liaising with the regulators, and establishing crisis communications. Engaging a specialist communications firm may help.

Julie Garland McLellan is a non-executive director and board consultant based in Sydney, Australia.

Jinan’s Answer

 

I recommend three separate parallel streams of work for Trevor. 

1. Immediate public facing actions
Immediately apologize and state your commitment to your customers. Hire a PR firm and have the most public facing person issue an apology. The person selected to issue the apology has to be selected carefully (cannot be the person responsible for the leak, and has potential to become the new trusted CEO).

2. Tactical internal actions
Assess the damage and contain the incident. Engage an incident response firm to assess how the breach happened, when it happened, what was stolen. Confirm that leak doors are closed. Select your IR firm carefully – the better reputed they are, the better you will look in litigation.
Conduct an immediate audit and investigation. You need to understand who knew, when and why this was buried for a year.
Take disciplinary action against anyone who was part of the breach. Post audit, either allow them to keep their equity or buy them out.

3. Strategic actions
Review and update your cybersecurity incident response process. This includes your ransomware processes (e.g. will you pay, how you pay, etc.), and how you communicate incidents.
Build cybersecurity awareness, behavior and culture up, down and across your company. Ensure that everyone from the board down is educated, enabled and enthusiastic about their own and your company’s cyber-safety. This is a journey, not a one-off miracle.
Extend cybersecurity engagement to your customers. Be proactive not only on the status of this incident, but also on how you are keeping their data safe. Go a step further and offer them help in their own cyber-safety.
Create a forward thinking, business and risk-aligned cybersecurity strategy. Understand your current people, process and technology gaps which led to this decision and how you’ll fix them.
Elevate the role of cybersecurity leadership. You will need a chief information security officer who is empowered to execute the strategy, and has a regular and independent seat at the board table.

Jinan Budge is Principal Analyst Serving Security and Risk Professionals at Forrester and a former Director Cyber Security, Strategy and Governance at Transport for NSW. She is based in Sydney, New South Wales, Australia.