Today I present to you a remarkable guide, published by McCarthy Tétrault, on the risks associated with cybersecurity issues in companies.
In it you will find comprehensive information as well as various diagnostic tools essential to boards of directors that must prepare to face cyber attacks, which are becoming more and more frequent.
This excellent document was brought to my attention by Joanne Desjardins, LL.B., MBA, CRHA, ASC, partner at the firm Arsenal conseils, which specializes in governance and strategy.
The work is divided into four parts:
(1) a contextual overview of the situation;
(2) why prepare for the risks;
(3) the cyber-risk preparedness program;
(4) effective execution of the response plan.
Here is an overview of the introduction. I invite you to read this very well-designed document.
Enjoy the read! Your comments are welcome.
Where there is data, there is the possibility of losing data. The way an organization prepares for a data breach, and manages it if one occurs, has a measurable effect on the repercussions of such a breach. By managing such an incident effectively, an incident that can cost millions of dollars and ruin an organization's reputation, it can be contained and the severity of its consequences considerably reduced. For example, following a highly publicized data breach caused by malware installed on Home Depot's self-checkout registers, two Canadian companies launched class actions claiming $500 million in compensation; the actions were ultimately settled for $400,000. This sharp reduction was justified, the judge said, in view of Home Depot's "exemplary" response:¹
In the case at hand, given (a) that Home Depot apparently committed no wrongdoing; (b) that it responded promptly and in a responsible, generous and exemplary manner to the criminal acts perpetrated against it by the hackers; (c) that there was no need to manage Home Depot's conduct; (d) that the likelihood that the class members would succeed against Home Depot, both on liability and on proof of consequential damages, was negligible if not nil; and (e) that the risk of failure in court and the associated litigation costs were significant and immediate, I would have approved the discontinuance of the class action proposed by Mr. Lozanski, with or without costs and without any benefit for the putative class members. [free translation]
Data proliferation
Personal information is defined as data that can be used to identify a person, and collecting it creates privacy-protection obligations (which explains the existence of privacy laws). With technological progress, organizations collect, retain and transfer more personal information about consumers, professionals, patients and employees than ever before. The accumulation of large quantities of personal information in huge databases increases the risk of unauthorized access to that information, as well as the consequences that can follow. A single personal data breach can today affect millions of people.
The growing adoption of biometric identifiers (fingerprints, voiceprints, facial recognition, etc.) by companies now creates new risks, namely the loss or misuse of these immutable identification elements.
Increasingly large and sophisticated incidents
While incidents are growing in number, the more important problem is their growing sophistication. The business models of the perpetrators have evolved and, in addition to using ever more complex methods, their targets have changed. In the past, the modus operandi consisted of stealing credit card information to carry out unauthorized transactions. Today, cyber adversaries use social engineering methods (such as phishing via fraudulent emails designed to trick employees into providing confidential or sensitive information) to obtain information of value to the company. That information is then monetized directly through its use in insider trading, sold to competitors (in the case of intellectual property or trade secrets) or used to demand a ransom.
Senior executives are increasingly fearful of data breaches, and it is now commonly accepted that companies should ask not whether such an incident will occur, but when.
Increasingly costly incidents
Data breaches are becoming more and more costly. While new products (such as cyber-risk insurance) help cover the costs, the most frequent reaction to the reporting of an incident is a lawsuit (most often a class action). The damages awarded have so far admittedly been relatively small, but the costs of managing a data breach can be extraordinarily high.
Regulation in this area has a cost. Recent amendments to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) introduced a breach-notification obligation and a fine of CA$100,000 per breach for failure to comply with this requirement, on top of the financial costs and reputational damage that data privacy incidents cause.
The costs are not limited to damages: liability for data breaches can be attributed to the board of directors. Gregg Steinhafel, CEO and chairman of Target, resigned shortly after the incident his company suffered. A similar fate befell Amy Pascal, who left her position as head of Sony Pictures in the wake of the Sony hack.
Here is version 4.0 of KPMG's document "The Directors' Toolkit 2017", very well designed, which clearly answers the questions that all corporate directors ask themselves during their terms.
Even though the publication is intended for KPMG's Australian audience, I believe the North American regulatory reality is too similar to pass up a good toolkit that can help build an effective board.
It is a remarkable interactive electronic document. See the table of contents below.
I asked KPMG to provide me with a French version of the same document, but none seems to exist.
Now in its fourth edition, this comprehensive guide is in a user-friendly electronic format. It is designed to assist directors to discharge their duties more effectively and to improve board performance and decision-making.
Key topics
Duties and responsibilities of a director
Oversight of strategy and governance
Managing shareholder and stakeholder expectations
Structuring an effective board and sub-committees
Enabling key executive appointments
Managing productive meetings
Better practice terms of reference, charters and agendas
Establishing new boards.
What’s new in 2017
In this latest version, we have included newly updated sections on:
managing cybersecurity risks
human rights in the supply chain.
Register
Register here for your free copy of the Directors’ Toolkit.
Once again, I present a governance case, published in June 2017 on the website of Julie Garland McLellan*, describing a situation in which a board member of a non-profit organization assesses the consequences of a decision that could entail health risks for clients and lead to a loss of reputation.
The directors now know the context of the decision taken by the board. However, a new director is not "comfortable" with the decision; she questions the risk to the athletes' health resulting from a board position that is too lax.
Note that the organization's safety manager had described as unfounded the arguments put forward by a sports team for not using the suggested protective measures.
The case presents the situation fairly succinctly but explicitly; then three governance experts weigh in on the dilemma facing people who find themselves in similar situations.
What should the new director, Pandora, do in the circumstances?
I invite you to read the experts' opinions on Julie's website.
Enjoy the read! Your comments are always welcome.
Pandora is a new NED on a peak sporting body board. She loves the sport and is thrilled to contribute. However, she is a bit worried about the risks of a recent board conversation.
Her sport has physical risks and is very dangerous if proper precautions are not taken; these include the use of personal protective equipment. At her most recent board meeting the directors discussed the revised sports safety guidelines which mandate the wearing of personal protective equipment during competitions. One of the directors mentioned that a large local club routinely participates in competitions with players who are clearly not wearing safety gear. Another director stated that the club had objected to the draft guidelines on the basis that, in some circumstances, the safety equipment might hamper players’ movements and create other risks. The safety manager, who was presenting to the board, clarified that the club had, indeed, made that claim but that it was, in her opinion, spurious.
The board then discussed the issues associated with banning the non-compliant club from competitions. This was considered a difficult action because the club is very successful and their absence would upset fans. Also, the club is in a high socio-economic demographic and contributes funds and political connections to the sport.
Pandora is worried because the discussion was minuted and the decision was to write to the club and remind them of the need to wear safety equipment but not to threaten expulsion from the competition. Is her board now at risk and has she let down the whole sport by being a party to this conversation and failing to persuade her board colleagues to take firmer action?
Deloitte recently published a very important document entitled Courage under fire: Embracing disruption (in English only), in which three seasoned directors exchange their views on the major disruptions that global organizations are set to experience in 2017.
The questions posed are as follows:
Given the growing expectations placed on boards of directors, what should directors' priorities be?
Calls for better disclosure keep being heard. How are boards responding?
Many organizations are experiencing digital disruption. Is this yet another uncontrollable risk to manage?
Digital disruption creates a great deal of uncertainty. Are boards of directors adapting well to this reality?
We publish here a post by Danielle Malboeuf* reporting on the Auditor General's recommendations regarding the governance of CEGEPs.
As usual, Danielle offers us her article as a guest author.
Enjoy the read. Your comments are appreciated.
The governance of CEGEPs and the report of the Auditor General of Quebec
by
Danielle Malboeuf*
In the fall of 2016, the Auditor General of Quebec produced an audit report on the administrative management of five CEGEPs. The work focused more specifically on contract management, building management, self-financed services, and the compensation of management staff and the expenses they incurred.
Among the recommendations addressed to the audited CEGEPs is one that concerns governance more specifically: "Ensure that governance bodies receive sufficient and timely information so that they can exercise their role with respect to strategic decisions and oversight of the effectiveness of controls..."[1]
On reading this report and the findings of this audit work, one can only agree with this recommendation inviting directors to exercise their role. But what role exactly do they have? From a legal standpoint, the Loi sur les collèges d'enseignement général et professionnel sheds little light on the subject, in contrast to the Loi sur la gouvernance des sociétés d'État, which clearly specifies the functions entrusted to the board of directors, including the obligation to evaluate the integrity of internal controls. The latter Act also requires the creation of three subcommittees, including the audit committee, which is entrusted among other things with the responsibility of putting internal control mechanisms in place. In addition, this subcommittee must include at least one person with accounting or financial expertise.
In my view, the governance of a CEGEP should resemble that of state-owned enterprises. On this subject, the Institut sur la gouvernance des organismes publics et privés (IGOPP), author of a report published in May 2011 reviewing the implementation of the Loi sur la gouvernance des sociétés d'État, took the same view. Its first recommendation was: "Impose the new governance rules on the many government bodies that are not covered by the current governance act."[2]
Although CEGEPs have no legal obligation to create an audit committee, several have done so out of a concern for transparency and in order to have the directors' support in their efforts to ensure optimal use of the organization's financial resources. However, the mandate given to these committees is in most cases limited to reviewing budget forecasts and financial statements. That is not enough!
Considering the Auditor General's recommendation, it would be entirely appropriate to broaden this mandate. In addition to examining the financial statements and recommending their approval to the board, the audit committee should, among other things, see to it that internal control mechanisms are put in place, ensure that they are adequate and effective, and ensure that a risk management process is established.[3] Given that CEGEPs have no internal auditor, it is all the more important to set up such a committee and entrust it with financial control and risk management functions.
Once the audit committee is in place, it should give priority to overseeing the contract management process. Recall that the steps of the contract management process are: identifying needs and estimating costs, preparing the call for tenders and soliciting suppliers, selecting the supplier and awarding the contract, monitoring the contract, and evaluating the goods and services received[4].
On this subject, the Auditor General shares his concerns in his report. He identified shortcomings in the solicitation methods and noted cost overruns and extensions of execution deadlines, without penalty. He states that "Activities provided for in the contract management process of the audited CEGEPs are not carried out rigorously."[5] By playing its role, the board's audit committee could ensure that the process put in place and the chosen allocation of responsibilities are adequate and effective. Nor should it hesitate to call on external resources to evaluate the CEGEP's performance in its contract management, where appropriate.
In closing, let us recall the importance of having competent directors on the audit committee who have in-depth knowledge of the structure, policies, directives and regulatory requirements. They must have the capacity to ensure the effectiveness of internal control mechanisms and risk management (a subject I will develop in a later article).
With such skills present, it will be easier to ensure the credibility of the board and its decisions. This is a valuable asset for all college institutions.
_____________________________________
[1] Rapport du Vérificateur général du Québec à l'Assemblée nationale pour l'année 2016-2017, p. 35.
[2] Gouvernance des sociétés d'État, bilan et suggestions, IGOPP, p. 48.
[3] Loi sur la gouvernance des sociétés d'État, art. 24, 3.
[4] Rapport du Vérificateur général du Québec à l'Assemblée nationale pour l'année 2016-2017, annexe 4.
[5] Rapport du Vérificateur général du Québec à l'Assemblée nationale pour l'année 2016-2017, p. 9.
_____________________________________
*Danielle Malboeuf is a governance consultant and trainer; she has extensive experience in CEGEP management and in the governance of college and university institutions. She is a CGA-CPA, MBA, ASC, a retired manager and administrator of the college network, and a consultant.
Articles on CEGEP governance published on my blog by the author:
Today I share with you the list of the ten major governance themes that the authors Kerry E. Berchem* and Rick L. Burdick* have identified for 2017.
You are surely aware of most of these dimensions, but note the increased importance to be given to strategic questions, political change, shareholder relations, cybersecurity, new SEC regulations, board composition, the setting of compensation and the possible repercussions of climate change.
To better understand the scope of these governance priorities for corporate directors, I invite you to read the full report published by Akin Gump.
1. Corporate strategy: Oversee the development of the corporate strategy in an increasingly uncertain and volatile world economy with new and more complex risks
Directors will need to continue to focus on strategic planning, especially in light of significant anticipated changes in U.S. government policies, continued international upheaval, the need for productive shareholder relations, potential changes in interest rates, uncertainty in commodity prices and cybersecurity risks, among other factors.
2. Political changes: Monitor the impact of major political changes, including the U.S. presidential and congressional elections and Brexit
Many uncertainties remain about how the incoming Trump administration will govern, but President-elect Trump has stated that he will pursue vast changes in diverse regulatory sectors, including international trade, health care, energy and the environment. These changes are likely to reshape the legal landscape in which companies conduct their business, both in the United States and abroad.
With respect to Brexit, although it is clear that the United Kingdom will, very probably, leave the European Union, there is no certainty as to when exactly this will happen or what the U.K.’s future relationship, if any, with the EU will be. Once the negotiations begin, boards will need to be quick to assess the likely shape of any deal between the U.K. and the EU and to consider how to adjust their business model to mitigate the threats and take advantage of the opportunities that may present themselves.
3. Shareholder relations: Foster shareholder relations and assess company vulnerabilities to prepare for activist involvement
The current environment demands that directors of public companies remain mindful of shareholder relations and company vulnerabilities by proactively engaging with shareholders, addressing shareholder concerns and performing a self-diagnostic analysis. Directors need to understand their company’s vulnerabilities, such as a de-staggered board or the lack of access to a poison pill, and be mindful of them in any engagement or negotiation process.
4. Cybersecurity: Understand and oversee cybersecurity risks to prepare for increasingly sophisticated and frequent attacks
As cybercriminals raise the stakes with escalating ransomware attacks and hacking of the Internet of Things, companies will need to be even more diligent in their defenses and employee training. In addition, cybersecurity regulation will likely increase in 2017. The New York State Department of Financial Services has enacted a robust cybersecurity regulation, with heightened encryption, log retention and certification requirements, and other regulators have issued significant guidance. Multinational companies will continue implementation of the EU General Data Protection Regulation requirements, which will be effective in May 2018. EU-U.S. Privacy Shield will face a significant legal challenge, particularly in light of concerns regarding President-elect Trump’s protection of privacy. Trump has stated that the government needs to be “very, very tough on cyber and cyberwarfare” and has indicated that he will form a “cyber review team” to evaluate cyber defenses and vulnerabilities.
5. SEC scrutiny: Monitor the SEC’s increased scrutiny and more frequent enforcement actions, including whistleblower developments, guidance on non-GAAP measures and tougher positions on insider trading
2016 saw the Securities and Exchange Commission (SEC) award tens of millions of dollars to whistleblowers and bring first-of-a-kind cases applying new rules flowing from the protections now afforded to whistleblowers of potential violations of the federal securities laws. The SEC was also active in its review of internal accounting controls and their ability to combat cyber intrusions and other modern-day threats to corporate infrastructure. The SEC similarly continued its comprehensive effort to police insider trading schemes and other market abuses, and increased its scrutiny of non-GAAP (generally accepted accounting principles) financial measure disclosures. 2017 is expected to bring the appointment of three new commissioners, including a new chairperson to replace outgoing chair Mary Jo White, which will retilt the scales at the commissioner level to a 3-2 majority of Republican appointees. 2017 may also bring significant changes to rules promulgated previously under Dodd-Frank.
6. CFIUS: Account for CFIUS risks in transactions involving non-U.S. investments in businesses with a U.S. presence
Over the past year, the interagency Committee on Foreign Investment in the United States (CFIUS) has been particularly active in reviewing—and, at times, intervening in—non-U.S. investments in U.S. businesses to address national security concerns. CFIUS has the authority to impose mitigation measures on a transaction before it can proceed, and may also recommend that the President block a pending transaction or order divestiture of a U.S. business in a completed transaction. Companies that have not sufficiently accounted for CFIUS risks may face significant hurdles in successfully closing a deal. With the incoming Trump administration, there is also the potential for an expanded role for CFIUS, particularly in light of campaign statements opposing certain foreign investments.
7. Board composition: Evaluate and refresh board composition to help achieve the company’s goals, increase diversity and manage turnover
In order to promote fresh, dynamic and engaged perspectives in the boardroom and help the company achieve its goals, a board should undertake focused reassessments of its underlying composition and skills, including a review and analysis of board tenure, continuity and diversity in terms of upbringing, educational background, career expertise, gender, age, race and political affiliation.
8. Executive compensation: Determine appropriate executive compensation against the background of an increased focus on CEO pay ratios
Executive compensation will continue to be a hot topic for directors in 2017, especially given that public companies will soon have to start complying with the CEO pay ratio disclosure rules. Recent developments suggest that such disclosure might not be as burdensome or harmful to relations with employees and the public as was initially feared.
The SEC’s final rules allow for greater flexibility and ease in making this calculation, and a survey of companies that have already estimated their ratios indicates that the ratio might not be as high, on average, as previously reported.
9. Antitrust scrutiny: Monitor the increased scrutiny of the antitrust authorities and the implications on various proposed combinations
Despite the promise of synergies and the potential to transform a company’s future, antitrust regulators have become increasingly hostile toward strategic transactions, with the Department of Justice and Federal Trade Commission suing to block 12 transactions since 2015. Although directors should brace for a longer antitrust review, to help navigate the regulatory climate, work upfront can dramatically improve prospects for success. Company directors should develop appropriate deal rationales and, with the benefit of upfront work, allocate antitrust risk in the merger agreement. Merger and acquisition activity may also benefit from the Trump administration, taking, at least for certain industries, a less-aggressive antitrust enforcement stance.
10. Environmental disasters and contagious diseases: Monitor the impact of increasingly volatile weather events and contagious disease outbreaks on risk management processes, employee needs and logistics planning
While the causes of climate change remain a political sticking point, it cannot be debated that volatile weather events, environmental damage and a rise in the diseases that tend to follow, are having increasingly adverse impacts on businesses and markets. Businesses will need to account for, or transfer the risk of, the increasing likelihood of these impacts. The SEC recently announced investigations into climate-risk disclosures within the oil and gas sector to ensure that they adequately allow investors to account for these effects on the bottom line. The growing number of shareholder resolutions and suits addressing climate change confirm that investors want this information, regardless of the position of the next administration.
*Kerry E. Berchem is partner and head of the corporate practice, and Rick L. Burdick is partner and chair of the Global Energy & Transactions group, at Akin Gump Strauss Hauer & Feld LLP.
If we could identify the variables that contribute to creating a corrupt corporate culture, could we predict corporate misconduct?
That is essentially the research question that Xiaoding Liu, professor of finance at the University of Oregon's Lundquist College of Business, attempted to answer in an article using an original methodology and a solid analysis.
The author argues that a corporate culture suffering from some degree of corruption, that is, an internal culture more tolerant of unethical behaviour, is more likely to lead to significant corporate failings with respect to malfeasance, conflicts of interest and "opportunistic" organizational behaviour.
This article shows that there is a significant link between an internal culture based on weak ethical values and the likelihood of management misconduct.
Moreover, the article shows that employee behaviour based on weak ethical values is transmissible to other organizations and that these conclusions apply just as much to management.
This is why boards of directors must pay attention to corporate culture, make sure they have a feel for the internal climate, and be vigilant with respect to ethical lapses.
It is also crucial to ensure that there is a team of independent and well-equipped internal auditors reporting to the company's audit committee.
After reading this summary, you will surely have questions of a methodological nature. If you want to learn more about the author's approach, I strongly encourage you, even though it is demanding, to read the full article.
A key question in corporate governance is how to control problems arising from conflicts of interest between agents and principals. The existing literature has extensively investigated traditional ways of dealing with agency problems such as hostile takeovers, the board of directors, and institutional investors, and has found mixed evidence regarding their effectiveness. Acknowledging the difficulty in designing effective governance rules to curb corporate scandals and bank failures, regulators and academics have recently turned their attention inward to the firm’s employees. In particular, they ask whether a firm’s inherent tendency to behave opportunistically is deeply rooted in its corporate culture, commonly defined as the shared values and beliefs of a firm’s employees.
In my article, Corruption Culture and Corporate Misconduct, recently published in the Journal of Financial Economics, I investigate this question by studying the role of corporate culture in influencing corporate misconduct. To do so, I create a measure of corporate corruption culture, which captures a firm’s general attitude toward opportunistic behavior. Specifically, corporate corruption culture is calculated as the average corruption attitudes of insiders (i.e., officers and directors) of a company. To measure corruption attitudes of insiders, I use a recently developed methodology from the economics literature that is generally described as the epidemiological approach (Fernández, 2011). It is based on the key idea that when individuals emigrate from their native country to a new country, their cultural beliefs and values travel with them, but their external environment is left behind. Moreover, these immigrants not only bring their beliefs and values to the new country, they also pass down these beliefs to their descendants. Thus, relevant economic outcomes at the country of ancestry are used as proxies of culture for immigrants and their descendants. Applying this approach, I use corruption in the insiders’ country of ancestry to capture corruption attitudes for insiders in the U.S., where the country of ancestry is identified based on surnames using U.S. Census data.
Using a sample of over 8,000 U.S. companies, I test the main prediction that firms with high corruption culture, which tend to be more tolerant toward corrupt behavior, are more likely to engage in corporate misconduct. Consistent with this prediction, I find that corporate corruption culture has a significant positive effect on various types of corporate misconduct such as earnings management, accounting fraud, option backdating, and opportunistic insider trading. The effects are also economically significant: a one standard deviation increase in a firm’s corruption culture is associated with an increase in the likelihood of corporate misconduct by about 2% to 7%, which are comparable to the effects of other governance measures such as board independence.
I further show that my findings are robust to controlling for time-varying local and industry factors, and traditional measures of corporate governance including the board size, the percentage of insider directors, the presence of institutional investors, and the threat of hostile takeovers. Van den Steen (2010) proposes a model of corporate culture and predicts that the appointment of a new CEO will lead to turnover through both selection and self-sorting. Thus, although corporate culture tends to be persistent over time, it is likely to change in a significant way around new CEO appointments. Motivated by this prediction, I examine corporate misconduct 5 years before and after the appointment of a new CEO while controlling for firm fixed effects. I continue to find a significant positive relation between corruption culture and corporate misconduct, which further alleviates endogeneity concerns.
The theoretical literature has predictions regarding the mechanisms through which corporate culture would affect opportunistic behavior. The first channel predicts that corruption culture acts as a selection mechanism by attracting or selecting individuals with similar corruption attitudes to the firm, where these individuals act according to their internal norms that are then reflected in corporate outcomes (Schneider, 1987). Consistent with this channel, I find that individuals with high corruption attitudes are more likely to join firms with high corruption culture and an insider is more likely to leave the firm if his corruption attitudes are more distant from the corruption attitudes of the other insiders in the firm. The second channel predicts that corruption culture can operate beyond internal norms and have a direct effect on individual behavior through group norms (Hackman, 1992). To test this channel, I examine misconduct at the insider level and focus on the sample of insiders that have moved across firms. Holding the individual constant, results show that when the same individual joins a firm with high corruption culture, his likelihood of engaging in personal misconduct increases compared to when he was at a firm with low corruption culture, consistent with corruption culture working through group norms.
In summary, I show that a firm’s corruption culture is an important determinant of the firm’s likelihood of engaging in corporate misconduct. This finding echoes the growing focus on corporate culture by regulators in an effort to curb corporate wrongdoing. Moreover, I provide evidence on the inner workings of corruption culture, showing that it influences corporate misconduct by both acting as a selection mechanism and having a direct influence on individual behavior. To the best of my knowledge, this is the first paper to construct a novel measure of corporate culture based on the ancestry origins of company insiders. By doing so, I contribute to a growing finance literature examining the influence of corporate culture on corporate behavior, where the main challenge is measurement.
Here is an article by Ann Yerger, director of the Center for Board Matters at Ernst & Young, on the significant evolution of audit committee disclosure policies toward the shareholders of U.S. listed companies in 2016. The article appeared on the Harvard Law School Forum on Corporate Governance site on October 9.
The extent of disclosures to shareholders is very substantial in some cases. For example, in 2012 only 42 % of companies explicitly disclosed that the audit committee was responsible for the appointment, compensation and oversight of the external auditors, whereas in 2016, 82 % disclose information of this kind, often in detail.
Several other findings point to remarkable changes in audit committees' accountability to company shareholders.
Shareholders are now better able to assess the scope of audit committee decisions regarding the quality of the external auditors' work, the reasons given for changing the external auditor, the setting of the external auditor's mandate, the composition of the audit committee, and the increase in accounting firms' fees in the following four categories: audit, audit-related, tax and other related services, etc.
Audit committees have a key role in overseeing the integrity of financial reporting. Nevertheless, relatively little information is required to be disclosed by US public companies about the audit committee’s important work. Since our first publication in this series in 2012, we have described efforts by investors, regulators and other stakeholders to seek increased audit-related disclosures, as well as the resulting voluntary disclosures to respond to this interest.
Over 2015–2016, US regulators have placed a spotlight on audit-related disclosures and financial reporting more generally. The US Securities and Exchange Commission (SEC) and the US Public Company Accounting Oversight Board (PCAOB) have both taken action to consider the possibility of requiring new disclosures relating to the audit.
SEC representatives also have used speeches to urge companies and audit committees to increase disclosures in this area voluntarily. While additional disclosure requirements for audit committees are not expected in the near term, regulators continue to monitor developments in this area. This post seeks to shed light on the evolving audit-related disclosure landscape.
Context
Public company audit committees are responsible for overseeing financial reporting, including the external audit. Under US securities laws, audit committees are “directly responsible for the appointment, compensation, retention and oversight” of the external auditor, and must include a report in annual proxy statements about their work. This audit committee report, however, currently must affirm only that the committee carried out certain specific responsibilities related to communications with the external auditor, and this requirement has not changed since 1999.
In recent years, a variety of groups have brought attention to the relative lack of information available about the audit committee and the audit, including their view that this area of disclosure may not have kept up with the needs of investors and other proxy statement users. These groups include pension funds, asset managers, investors, corporate governance groups, and domestic and foreign regulators. As efforts to seek additional information have continued, there has been a steady increase in voluntary audit-related disclosures.
Over the last year, the SEC has taken a series of actions to consider whether and how to improve transparency around audit committees, audits and financial reporting more generally. The combined effect of these activities has been to increase engagement by issuers, audit firms, investors and other stakeholders in discussions about the current state of financial reporting related disclosure as well as how it should change.
Findings
Our analysis of the 2016 proxy statements of Fortune 100 companies indicates that voluntary audit-related disclosures continue to trend upward in a number of areas. The CBM data for this review is based on the 78 companies on the 2016 Fortune 100 list that filed proxy statements each year from 2012 to 2016 for annual meetings through August 15, 2016. Below are highlights from our research:
The percentage of companies that disclosed factors considered by the audit committee when assessing the qualifications and work quality of the external auditor increased to 50%, up from 42% in 2015. In 2012, only 17% of audit committees disclosed this information.
Another significant increase was in disclosures stating that the audit committee believed that the choice of external auditor was in the best interests of the company and/or the shareholders. In 2016, 73% of companies disclosed such information; in 2015, this percentage was 63%. In 2012, only 3% of companies made this disclosure.
The audit committees of 82% of the companies explicitly stated that they are responsible for the appointment, compensation and oversight of the external auditor; in 2012, only 42% of audit committees provided such disclosures.
31% of companies provided information about the reasons for changes in fees paid to the external auditor compared to 21% the previous year. Reasons provided in these disclosures include one-time events, such as a merger or acquisition. Under current SEC rules, companies are required to disclose fees paid to the external auditor, divided into the following categories: audit, audit-related, tax and all other fees. They are not, however, required to discuss the reasons why these fees have increased or decreased. From 2012 to 2016, the percentage of companies disclosing information to explain changes in audit fees rose from 9% to 31%. Additional CBM research examined the disclosures of the subset of studied companies (43) that had changes in audit fees of +/- 5% or more compared to the previous year. Out of these 43 companies, roughly 20% provided explanatory disclosures regarding the change in audit fees.
29 of the 43 companies had fee increases of 5% or more, out of which 8 companies disclosed the reasons for the increases. 14 of the 43 companies had fee decreases of 5% or more, out of which only one company provided an explanatory disclosure.
53% of companies disclosed that the audit committee considered the impact of changing auditors when assessing whether to retain the current auditor. This was a 6 percentage point increase over 2015. In 2012, this disclosure was made by 3% of the Fortune 100 companies. Over the past five years, the number of companies disclosing that the audit committee was involved in the selection of the lead audit partner has grown dramatically, up to 73% in 2016. In 2015, 67% of companies disclosed this information, while in 2012, only 1% of companies did so.
51% of companies disclosed that they have three or more financial experts on their audit committees, up from 47% in 2015 and 36% in 2012.
Davies' annual report is always eagerly awaited because it paints a very complete picture of how governance in Canada has evolved over the past year.
The document that has just been released is in English, but the French version should follow shortly.
I therefore invite you to get acquainted with it by reading the short summary below and, if you want to know more about the topics covered, you can download the 100-page document from the firm's website.
Davies Governance Insights 2016 provides analysis of the top governance trends and issues important to Canadian boards, senior management and governance observers.
The 2016 edition provides readers with our take on important topics ranging from shareholder engagement and activism to leadership diversity and the rise in issues facing boards and general counsel. We also provide practical guidance for boards and senior management of public companies and their investors on these and many other corporate governance topics that we expect will remain under focus in the 2017 proxy season.
Below you will find the ten most important themes for corporate directors according to Kerry E. Berchem, partner in the corporate practice group at Akin Gump Strauss Hauer & Feld LLP. This article appeared today on the Harvard Law School Forum on Corporate Governance blog.
Although there are few changes in the overall set of priorities this year, one can nonetheless note:
(1) the crucial emphasis placed on the long term;
(2) sound management of shareholder relations in the wake of the growing number of activist campaigns;
(3) increased oversight of cybersecurity activities…
For more details on each theme, I suggest reading the summary of the article below.
U.S. public companies face a host of challenges as they enter 2016. Here is our annual list of hot topics for the boardroom in the coming year:
Oversee the development of long-term corporate strategy in an increasingly interdependent and volatile world economy
Cultivate shareholder relations and assess company vulnerabilities as activist investors target more companies with increasing success
Oversee cybersecurity as the landscape becomes more developed and cyber risk tops director concerns
Oversee risk management, including the identification and assessment of new and emerging risks
Assess the impact of social media on the company’s business plans
Stay abreast of Delaware law developments and other trends in M&A
Review and refresh board composition and ensure appropriate succession
Monitor developments that could impact the audit committee’s already heavy workload
Set appropriate executive compensation as CEO pay ratios and income inequality continue to make headlines
Prepare for and monitor developments in proxy access
Strategic Planning Considerations
Strategic planning continues to be a high priority for directors and one to which they want to devote more time. Figuring out where the company wants to—and where it should want to—go and how to get there is not getting any easier, particularly as companies find themselves buffeted by macroeconomic and geopolitical events over which they have no control.
In addition to economic and geopolitical uncertainty, a few other challenges and considerations for boards to keep in mind as they strategize for 2016 and beyond include:
finding ways to drive top-line growth
focusing on long-term goals and enhancing long-term shareholder value in the face of mounting pressures to deliver short-term results
the effect of low oil and gas prices
figuring out whether and when to deploy growing cash stockpiles
assessing the opportunities and risks of climate change and resource scarcity
addressing corporate social responsibility.
Shareholder Activism
Shareholder activism and “suggestivism” continue to gain traction. With the success that activists have experienced throughout 2015, coupled with significant new money being allocated to activist funds, there is no question that activism will remain strong in 2016.
In the first half of 2015, more than 200 U.S. companies were publicly subjected to activist demands, and approximately two-thirds of these demands were successful, at least in part. [1] A much greater number of companies are actually targeted by activism, as activists report that less than a third of their campaigns actually become public knowledge. [2] Demands have continued, and will continue, to vary: from requests for board representation, the removal of officers and directors, launching a hostile bid, advocating specific business strategies and/or opining on the merit of M&A transactions. But one thing is clear: the demands are being heard. According to a recent survey of more than 350 mutual fund managers, half had been contacted by an activist in the past year, and 45 percent of those contacted decided to support the activist. [3]
With the threat of activism in the air, boards need to cultivate shareholder relations and assess company vulnerabilities. Directors—who are charged with overseeing the long-term goals of their companies—must also understand how activists may look at the company’s strategy and short-term results. They must understand what tactics and tools activists have available to them. They need to know and understand what defenses the company has in place and whether to adopt other protective measures for the benefit of the overall organization and stakeholders.
Cybersecurity
Nearly 90 percent of CEOs worry that cyber threats could adversely impact growth prospects. [4] Yet in a recent survey, nearly 80 percent of the more than 1,000 information technology leaders surveyed had not briefed their board of directors on cybersecurity in the last 12 months. [5] The cybersecurity landscape has become more developed and as such, companies and their directors will likely face stricter scrutiny of their protection against cyber risk. Cyber risk—and the ultimate fall out of a data breach—should be of paramount concern to directors.
One of the biggest concerns facing boards is how to provide effective oversight of cybersecurity. The following are questions that boards should be asking:
Governance. Has the board established a cybersecurity review committee and determined clear lines of reporting and responsibility for cyber issues? Does the board have directors with the necessary expertise to understand cybersecurity and related issues?
Critical asset review. Has the company identified what its highest cyber risks assets are (e.g., intellectual property, personal information and trade secrets)? Are sufficient resources allocated to protect these assets?
Threat assessment. What is the daily/weekly/monthly threat report for the company? What are the current gaps and how are they being resolved?
Incident response preparedness. Does the company have an incident response plan and has it been tested in the past six months? Has the company established contracts via outside counsel with forensic investigators in the event of a breach to facilitate quick response and privilege protection?
Employee training. What training is provided to employees to help them identify common risk areas for cyber threat?
Third-party management. What are the company’s practices with respect to third parties? What are the procedures for issuing credentials? Are access rights limited and backdoors to key data entry points restricted? Has the company conducted cyber due diligence for any acquired companies? Do the third-party contracts contain proper data breach notification, audit rights, indemnification and other provisions?
Insurance. Does the company have specific cyber insurance and does it have sufficient limits and coverage?
Risk disclosure. Has the company updated its cyber risk disclosures in SEC filings or other investor disclosures to reflect key incidents and specific risks?
The SEC and other government agencies have made clear that it is their expectation that boards actively manage cyber risk at an enterprise level. Given the complexity of the cybersecurity inquiry, boards should seriously consider conducting an annual third-party risk assessment to review current practices and risks.
Risk Management
Risk management goes hand in hand with strategic planning—it is impossible to make informed decisions about a company’s strategic direction without a comprehensive understanding of the risks involved. An increasingly interconnected world continues to spawn newer and more complex risks that challenge even the best-managed companies. How boards respond to these risks is critical, particularly with the increased scrutiny being placed on boards by regulators, shareholders and the media. In a recent survey, directors and general counsel identified IT/cybersecurity as their number one worry, and they also expressed increasing concern about corporate reputation and crisis preparedness. [6]
Given the wide spectrum of risks that most companies face, it is critical that boards evaluate the manner in which they oversee risk management. Most companies delegate primary oversight responsibility for risk management to the audit committee. Of course, audit committees are already burdened with a host of other responsibilities that have increased substantially over the years. According to Spencer Stuart’s 2015 Board Index, 12 percent of boards now have a stand-alone risk committee, up from 9 percent last year. Even if primary oversight for monitoring risk management is delegated to one or more committees, the entire board needs to remain engaged in the risk management process and be informed of material risks that can affect the company’s strategic plans. Also, if primary oversight responsibility for particular risks is assigned to different committees, collaboration among the committees is essential to ensure a complete and consistent approach to risk management oversight.
Social Media
Companies that ignore the significant influence that social media has on existing and potential customers, employees and investors, do so at their own peril. Ubiquitous connectivity has profound implications for businesses. In addition to understanding and encouraging changes in customer relationships via social media, directors need to understand and weigh the risks created by social media. According to a recent survey, 91 percent of directors and 79 percent of general counsel surveyed acknowledged that they do not have a thorough understanding of the social media risks that their companies face. [7]
As part of its oversight duties, the board of directors must ensure that management is thoughtfully addressing the strategic opportunities and challenges posed by the explosive growth of social media by probing management’s knowledge, plans and budget decisions regarding these developments. Given new technology and new social media forums that continue to arise, this is a topic that must be revisited regularly.
M&A Developments
M&A activity has been robust in 2015 and is on track for another record year. According to Thomson Reuters, global M&A activity exceeded $3.2 trillion with almost 32,000 deals during the first three quarters of 2015, representing a 32 percent increase in deal value and a 2 percent increase in deal volume compared to the same period last year. The record deal value mainly results from the increase in mega-deals over $10 billion, which represented 36 percent of the announced deal value. While there are some signs of a slowdown in certain regions based on deal volume in recent quarters, global M&A is expected to carry on its strong pace in the beginning of 2016.
Directors must prepare for possible M&A activity in the future by keeping abreast of developments in Delaware case law and other trends in M&A. The Delaware courts churned out several noteworthy decisions in 2015 regarding M&A transactions that should be of interest to directors, including decisions on the court’s standard of review of board actions, exculpation provisions, appraisal cases and disclosure-only settlements.
Board Composition and Succession Planning
Boards have to look at their composition and make an honest assessment of whether they collectively have the necessary experience and expertise to oversee the new opportunities and challenges facing their companies. Finding the right mix of people to serve on a company’s board of directors, however, is not necessarily an easy task, and not everyone will agree with what is “right.” According to Spencer Stuart’s 2015 Board Index, board composition and refreshment and director tenure were among the top issues that shareholders raised with boards. Because any perceived weakness in a director’s qualification could open the door for activist shareholders, boards should endeavor to have an optimal mix of experience, skills and diversity. In light of the importance placed on board composition, it is critical that boards have a long-term board succession plan in place. Boards that are proactive with their succession planning are able to find better candidates and respond faster and more effectively when an activist approaches or an unforeseen vacancy occurs.
Audit Committees
Averaging 8.8 meetings a year, audit continues to be the most time-consuming committee. [8] Audit committees are burdened not only with overseeing a company’s risks, but also a host of other responsibilities that have increased substantially over the years. Prioritizing an audit committee’s already heavy workload and keeping directors apprised of relevant developments, including enhanced audit committee disclosures, accounting changes and enhanced SEC scrutiny will be important as companies prepare for 2016.
Executive Compensation
Perennially in the spotlight, executive compensation will continue to be a hot topic for directors in 2016. But this year, due to the SEC’s active rulemaking in 2015, directors will have more to fret about than just say-on-pay. Roughly five years after the Dodd-Frank Wall Street Reform and Consumer Protection Act was enacted, the SEC finally adopted the much anticipated CEO pay ratio disclosure rules, which have already begun stirring the debate on income inequality and exorbitant CEO pay. The SEC also made headway on other Dodd-Frank regulations, including proposed rules on pay-for-performance, clawbacks and hedging disclosures. Directors need to start planning how they will comply with these rules as they craft executive compensation for 2016.
Proxy Access
2015 was a turning point for shareholder proposals seeking to implement proxy access, which gives certain shareholders the ability to nominate directors and include those nominees in a company’s proxy materials. During the 2015 proxy season, the number of shareholder proposals relating to proxy access, as well as the overall shareholder support for such proposals, increased significantly. Indeed, approximately 110 companies received proposals requesting the board to amend the company’s bylaws to allow for proxy access, and of those proposals that went to a vote, the average support was close to 54 percent of votes cast in favor, with 52 proposals receiving majority support. [9] New York City Comptroller Scott Stringer and his 2015 Boardroom Accountability Project were a driving force, submitting 75 proxy access proposals at companies targeted for perceived excessive executive compensation, climate change issues and lack of board diversity. Shareholder campaigns for proxy access are expected to continue in 2016. Accordingly, it is paramount that boards prepare for and monitor developments in proxy access, including understanding the provisions that are emerging as typical, as well as the role of institutional investors and proxy advisory firms.
[1] Activist Insight, “2015: The First Half in Numbers,” Activism Monthly (July 2015).
[2] Activist Insight, “Activist Investing: An Annual Review of Trends in Shareholder Activism,” p. 8 (2015).
[3] David Benoit and Kirsten Grind, “Activist Investors’ Secret Ally: Big Mutual Funds,” The Wall Street Journal (August 9, 2015).
[4] PwC, 18th Annual Global CEO Survey (2015).
[5] Ponemon Institute, 2015 Global Megatrends in Cybersecurity (February 2015).
[6] Kimberley S. Crowe, “Law in the Boardroom 2015,” Corporate Board Member Magazine (2nd Quarter 2015). See also Protiviti, “Executive Perspectives on Top Risks for 2015.”
This article deals with the increased importance given to the internal auditor's role in reviewing internal control mechanisms, risk management (notably the risk of cyberattacks), and governance and compliance processes.
The influence of the internal audit department has become almost unavoidable in the vast majority of large companies, as the statistics on the subject show.
Thus, 83 % of internal audit functions report to the board or to the board's audit committee, up from 76 % three years ago!
One can certainly observe that internal audit activities are the "eyes and ears of the audit committee".
Likewise, heads of internal audit have seen their compensation rise by about 30 % over the past ten years.
Boards of directors now attach great importance to the selection and compensation of the "Chief Audit Executive" (CAE).
Top watchdogs inside many companies bark louder these days.
They are known as chief audit executives, or CAEs, and they assess the effectiveness of corporate controls, risk management and governance processes. As boards worry more about cyber attacks, regulatory compliance and personal liability, these executives are gaining clout and commanding higher pay.
CAEs are becoming more visible in part because directors are playing bigger roles in selecting, evaluating and rewarding internal audit chiefs. In North America, 83 per cent of those executives now report to their employer’s full board or audit committee, according to a report by the Institute of Internal Auditors. That’s up from 76 per cent in 2013.
Another sign of their rising influence: this year, for the first time, the proportion of audit leaders who report to their chief executive matched those overseen by the chief financial officer, the report found.
Solid support from audit committees and top company leaders often give CAEs more freedom to raise red flags, experts said. It can also bring them sizeable pay cheques.
“Boards will pay a lot more for CAEs with superior risk-management and business acumen in their company’s industry,’’ said Richard Chambers, IIA president.
Recruiters agree. “Chief audit executives hired by large companies now command total pay packages approaching $US1 million — about 30 per cent more than a decade ago,’’ said Scott Simmons, a managing director at Crist Kolder Associates, which recruited nearly 15 current CAEs.
Sarbanes-Oxley, the sweeping corporate-reform law enacted in 2002, raised boards’ expectations for heads of internal audit, according to Charles Noski, chairman of the audit committee at Microsoft, Priceline Group and Avon Products.
“Internal audit really is the eyes and ears of the audit committee,’’ he said, adding that CAEs today “are stronger executives’’.
Mr Noski makes sure that’s true of candidates who interview for the job. He said he seeks “a strong backbone”, plus effective boardroom presence and communications skills.
Findings
Our analysis of the 2016 proxy statements of Fortune 100 companies indicates that voluntary audit-related disclosures continue to trend upward in a number of areas. The CBM data for this review is based on the 78 companies on the 2016 Fortune 100 list that filed proxy statements each year from 2012 to 2016 for annual meetings through August 15, 2016. Below are highlights from our research:
The percentage of companies that disclosed factors considered by the audit committee when assessing the qualifications and work quality of the external auditor increased to 50%, up from 42% in 2015. In 2012, only 17% of audit committees disclosed this information.
Another significant increase was in disclosures stating that the audit committee believed that the choice of external auditor was in the best interests of the company and/or the shareholders. In 2016, 73% of companies disclosed such information; in 2015, this percentage was 63%. In 2012, only 3% of companies made this disclosure.
The audit committees of 82% of the companies explicitly stated that they are responsible for the appointment, compensation and oversight of the external auditor; in 2012, only 42% of audit committees provided such disclosures.
31% of companies provided information about the reasons for changes in fees paid to the external auditor compared to 21% the previous year. Reasons provided in these disclosures include one-time events, such as a merger or acquisition. Under current SEC rules, companies are required to disclose fees paid to the external auditor, divided into the following categories: audit, audit-related, tax and all other fees. They are not, however, required to discuss the reasons why these fees have increased or decreased. From 2012 to 2016, the percentage of companies disclosing information to explain changes in audit fees rose from 9% to 31%. Additional CBM research examined the disclosures of the subset of studied companies (43) that had changes in audit fees of +/- 5% or more compared to the previous year. Out of these 43 companies, roughly 20% provided explanatory disclosures regarding the change in audit fees.
29 of the 43 companies had fee increases of 5% or more, out of which 8 companies disclosed the reasons for the increases. 14 of the 43 companies had fee decreases of 5% or more, out of which only one company provided an explanatory disclosure.
53% of companies disclosed that the audit committee considered the impact of changing auditors when assessing whether to retain the current auditor. This was a 6 percentage point increase over 2015. In 2012, this disclosure was made by 3% of the Fortune 100 companies. Over the past five years, the number of companies disclosing that the audit committee was involved in the selection of the lead audit partner has grown dramatically, up to 73% in 2016. In 2015, 67% of companies disclosed this information, while in 2012, only 1% of companies did so.
51% of companies disclosed that they have three or more financial experts on their audit committees, up from 47% in 2015 and 36% in 2012.
Davies' annual report is always eagerly awaited because it paints a very complete picture of how governance in Canada evolved over the past year.
The document that has just been released is in English, but the French version should follow shortly.
I therefore invite you to read the short summary below and, if you want to know more about the topics covered, you can download the 100-page document from the firm's website.
Davies Governance Insights 2016 provides analysis of the top governance trends and issues important to Canadian boards, senior management and governance observers.
The 2016 edition provides readers with our take on important topics ranging from shareholder engagement and activism to leadership diversity and the rise in issues facing boards and general counsel. We also provide practical guidance for boards and senior management of public companies and their investors on these and many other corporate governance topics that we expect will remain under focus in the 2017 proxy season.
Below you will find the ten most important themes for corporate directors according to Kerry E. Berchem, partner in the corporate practice group at Akin Gump Strauss Hauer & Feld LLP. This article appeared today on the Harvard Law School Forum on Corporate Governance blog.
Although there are few changes in the overall set of priorities this year, one can nevertheless note:
(1) the crucial emphasis placed on the long term;
(2) good management of shareholder relations in the wake of the growing number of activist campaigns;
(3) increased oversight of cybersecurity activities…
For more details on each theme, I suggest reading the summary of the article below.
U.S. public companies face a host of challenges as they enter 2016. Here is our annual list of hot topics for the boardroom in the coming year:
Oversee the development of long-term corporate strategy in an increasingly interdependent and volatile world economy
Cultivate shareholder relations and assess company vulnerabilities as activist investors target more companies with increasing success
Oversee cybersecurity as the landscape becomes more developed and cyber risk tops director concerns
Oversee risk management, including the identification and assessment of new and emerging risks
Assess the impact of social media on the company’s business plans
Stay abreast of Delaware law developments and other trends in M&A
Review and refresh board composition and ensure appropriate succession
Monitor developments that could impact the audit committee’s already heavy workload
Set appropriate executive compensation as CEO pay ratios and income inequality continue to make headlines
Prepare for and monitor developments in proxy access
Strategic Planning Considerations
Strategic planning continues to be a high priority for directors and one to which they want to devote more time. Figuring out where the company wants to—and where it should want to—go and how to get there is not getting any easier, particularly as companies find themselves buffeted by macroeconomic and geopolitical events over which they have no control.
In addition to economic and geopolitical uncertainty, a few other challenges and considerations for boards to keep in mind as they strategize for 2016 and beyond include:
finding ways to drive top-line growth
focusing on long-term goals and enhancing long-term shareholder value in the face of mounting pressures to deliver short-term results
the effect of low oil and gas prices
figuring out whether and when to deploy growing cash stockpiles
assessing the opportunities and risks of climate change and resource scarcity
addressing corporate social responsibility.
Shareholder Activism
Shareholder activism and “suggestivism” continue to gain traction. With the success that activists have experienced throughout 2015, coupled with significant new money being allocated to activist funds, there is no question that activism will remain strong in 2016.
In the first half of 2015, more than 200 U.S. companies were publicly subjected to activist demands, and approximately two-thirds of these demands were successful, at least in part. [1] A much greater number of companies are actually targeted by activism, as activists report that less than a third of their campaigns actually become public knowledge. [2] Demands have continued, and will continue, to vary: from requests for board representation, the removal of officers and directors, launching a hostile bid, advocating specific business strategies and/or opining on the merit of M&A transactions. But one thing is clear: the demands are being heard. According to a recent survey of more than 350 mutual fund managers, half had been contacted by an activist in the past year, and 45 percent of those contacted decided to support the activist. [3]
With the threat of activism in the air, boards need to cultivate shareholder relations and assess company vulnerabilities. Directors—who are charged with overseeing the long-term goals of their companies—must also understand how activists may look at the company’s strategy and short-term results. They must understand what tactics and tools activists have available to them. They need to know and understand what defenses the company has in place and whether to adopt other protective measures for the benefit of the overall organization and stakeholders.
Cybersecurity
Nearly 90 percent of CEOs worry that cyber threats could adversely impact growth prospects. [4] Yet in a recent survey, nearly 80 percent of the more than 1,000 information technology leaders surveyed had not briefed their board of directors on cybersecurity in the last 12 months. [5] The cybersecurity landscape has become more developed and as such, companies and their directors will likely face stricter scrutiny of their protection against cyber risk. Cyber risk—and the ultimate fall out of a data breach—should be of paramount concern to directors.
One of the biggest concerns facing boards is how to provide effective oversight of cybersecurity. The following are questions that boards should be asking:
Governance. Has the board established a cybersecurity review committee and determined clear lines of reporting and responsibility for cyber issues? Does the board have directors with the necessary expertise to understand cybersecurity and related issues?
Critical asset review. Has the company identified what its highest cyber risks assets are (e.g., intellectual property, personal information and trade secrets)? Are sufficient resources allocated to protect these assets?
Threat assessment. What is the daily/weekly/monthly threat report for the company? What are the current gaps and how are they being resolved?
Incident response preparedness. Does the company have an incident response plan and has it been tested in the past six months? Has the company established contracts via outside counsel with forensic investigators in the event of a breach to facilitate quick response and privilege protection?
Employee training. What training is provided to employees to help them identify common risk areas for cyber threat?
Third-party management. What are the company’s practices with respect to third parties? What are the procedures for issuing credentials? Are access rights limited and backdoors to key data entry points restricted? Has the company conducted cyber due diligence for any acquired companies? Do the third-party contracts contain proper data breach notification, audit rights, indemnification and other provisions?
Insurance. Does the company have specific cyber insurance and does it have sufficient limits and coverage?
Risk disclosure. Has the company updated its cyber risk disclosures in SEC filings or other investor disclosures to reflect key incidents and specific risks?
The SEC and other government agencies have made clear that it is their expectation that boards actively manage cyber risk at an enterprise level. Given the complexity of the cybersecurity inquiry, boards should seriously consider conducting an annual third-party risk assessment to review current practices and risks.
Risk Management
Risk management goes hand in hand with strategic planning—it is impossible to make informed decisions about a company’s strategic direction without a comprehensive understanding of the risks involved. An increasingly interconnected world continues to spawn newer and more complex risks that challenge even the best-managed companies. How boards respond to these risks is critical, particularly with the increased scrutiny being placed on boards by regulators, shareholders and the media. In a recent survey, directors and general counsel identified IT/cybersecurity as their number one worry, and they also expressed increasing concern about corporate reputation and crisis preparedness. [6]
Given the wide spectrum of risks that most companies face, it is critical that boards evaluate the manner in which they oversee risk management. Most companies delegate primary oversight responsibility for risk management to the audit committee. Of course, audit committees are already burdened with a host of other responsibilities that have increased substantially over the years. According to Spencer Stuart’s 2015 Board Index, 12 percent of boards now have a stand-alone risk committee, up from 9 percent last year. Even if primary oversight for monitoring risk management is delegated to one or more committees, the entire board needs to remain engaged in the risk management process and be informed of material risks that can affect the company’s strategic plans. Also, if primary oversight responsibility for particular risks is assigned to different committees, collaboration among the committees is essential to ensure a complete and consistent approach to risk management oversight.
Social Media
Companies that ignore the significant influence that social media has on existing and potential customers, employees and investors, do so at their own peril. Ubiquitous connectivity has profound implications for businesses. In addition to understanding and encouraging changes in customer relationships via social media, directors need to understand and weigh the risks created by social media. According to a recent survey, 91 percent of directors and 79 percent of general counsel surveyed acknowledged that they do not have a thorough understanding of the social media risks that their companies face. [7]
As part of its oversight duties, the board of directors must ensure that management is thoughtfully addressing the strategic opportunities and challenges posed by the explosive growth of social media by probing management’s knowledge, plans and budget decisions regarding these developments. Given new technology and new social media forums that continue to arise, this is a topic that must be revisited regularly.
M&A Developments
M&A activity has been robust in 2015 and is on track for another record year. According to Thomson Reuters, global M&A activity exceeded $3.2 trillion with almost 32,000 deals during the first three quarters of 2015, representing a 32 percent increase in deal value and a 2 percent increase in deal volume compared to the same period last year. The record deal value mainly results from the increase in mega-deals over $10 billion, which represented 36 percent of the announced deal value. While there are some signs of a slowdown in certain regions based on deal volume in recent quarters, global M&A is expected to carry on its strong pace in the beginning of 2016.
Directors must prepare for possible M&A activity in the future by keeping abreast of developments in Delaware case law and other trends in M&A. The Delaware courts churned out several noteworthy decisions in 2015 regarding M&A transactions that should be of interest to directors, including decisions on the court’s standard of review of board actions, exculpation provisions, appraisal cases and disclosure-only settlements.
Board Composition and Succession Planning
Boards have to look at their composition and make an honest assessment of whether they collectively have the necessary experience and expertise to oversee the new opportunities and challenges facing their companies. Finding the right mix of people to serve on a company’s board of directors, however, is not necessarily an easy task, and not everyone will agree with what is “right.” According to Spencer Stuart’s 2015 Board Index, board composition and refreshment and director tenure were among the top issues that shareholders raised with boards. Because any perceived weakness in a director’s qualification could open the door for activist shareholders, boards should endeavor to have an optimal mix of experience, skills and diversity. In light of the importance placed on board composition, it is critical that boards have a long-term board succession plan in place. Boards that are proactive with their succession planning are able to find better candidates and respond faster and more effectively when an activist approaches or an unforeseen vacancy occurs.
Audit Committees
Averaging 8.8 meetings a year, audit continues to be the most time-consuming committee. [8] Audit committees are burdened not only with overseeing a company’s risks, but also a host of other responsibilities that have increased substantially over the years. Prioritizing an audit committee’s already heavy workload and keeping directors apprised of relevant developments, including enhanced audit committee disclosures, accounting changes and enhanced SEC scrutiny will be important as companies prepare for 2016.
Executive Compensation
Perennially in the spotlight, executive compensation will continue to be a hot topic for directors in 2016. But this year, due to the SEC’s active rulemaking in 2015, directors will have more to fret about than just say-on-pay. Roughly five years after the Dodd-Frank Wall Street Reform and Consumer Protection Act was enacted, the SEC finally adopted the much anticipated CEO pay ratio disclosure rules, which have already begun stirring the debate on income inequality and exorbitant CEO pay. The SEC also made headway on other Dodd-Frank regulations, including proposed rules on pay-for-performance, clawbacks and hedging disclosures. Directors need to start planning how they will comply with these rules as they craft executive compensation for 2016.
Proxy Access
2015 was a turning point for shareholder proposals seeking to implement proxy access, which gives certain shareholders the ability to nominate directors and include those nominees in a company’s proxy materials. During the 2015 proxy season, the number of shareholder proposals relating to proxy access, as well as the overall shareholder support for such proposals, increased significantly. Indeed, approximately 110 companies received proposals requesting the board to amend the company’s bylaws to allow for proxy access, and of those proposals that went to a vote, the average support was close to 54 percent of votes cast in favor, with 52 proposals receiving majority support. [9] New York City Comptroller Scott Stringer and his 2015 Boardroom Accountability Project were a driving force, submitting 75 proxy access proposals at companies targeted for perceived excessive executive compensation, climate change issues and lack of board diversity. Shareholder campaigns for proxy access are expected to continue in 2016. Accordingly, it is paramount that boards prepare for and monitor developments in proxy access, including understanding the provisions that are emerging as typical, as well as the role of institutional investors and proxy advisory firms.
[1] Activist Insight, “2015: The First Half in Numbers,” Activism Monthly (July 2015).
[2] Activist Insight, “Activist Investing—An Annual Review of Trends in Shareholder Activism,” p. 8 (2015).
[3] David Benoit and Kirsten Grind, “Activist Investors’ Secret Ally: Big Mutual Funds,” The Wall Street Journal (August 9, 2015).
[4] PwC, 18th Annual Global CEO Survey (2015).
[5] Ponemon Institute, 2015 Global Megatrends in Cybersecurity (February 2015).
[6] Kimberley S. Crowe, “Law in the Boardroom 2015,” Corporate Board Member Magazine (2nd Quarter 2015). See also Protiviti, “Executive Perspectives on Top Risks for 2015.”
Here is a very interesting article on risk assessment by H. Glen Jenkins* published in Inside Counsel (IC) Magazine.
It is a brief overview of the notion of organizational risk and of the main elements to consider in order to manage it effectively.
The scope of legal responsibilities for in-house counsel varies depending on the size and complexity of the company. For instance, an attorney located at corporate headquarters could be chiefly responsible for issues affecting the shared services that are available and used by corporate headquarters, as well as every business unit and division. And yet at other times, in-house counsel’s concerns may be restricted to matters affecting only the parent company or a specific liability issue faced by only one business unit.
In each instance, however, in-house counsel are generally concerned with specific legal tasks and proactive risk management.
What exactly does risk management mean, and what does it encompass? Furthermore, once the definition of risk management has been established and accepted by the company’s management team, how can in-house counsel efficiently and comprehensively assess all possible risks?
Merriam-Webster’s dictionary defines risk as “the possibility that something bad or unpleasant will happen.” Whenever many of us in the accounting and legal professions hear the word “risk,” we may inherently succumb to this particular negative connotation of risk. How many times have we heard the phrase “Risk is a part of life,” and how often have we associated those five words with an undesirable implication?
Alternatively, A Positive View of Risk
Taking risks does not always have to be painstakingly negative. It is unlikely that many will disagree with the Institute of Risk Management’s (IRM) assertion that “avoiding all risk would result in no achievement, no progress and no reward.” This statement undoubtedly portrays a different perspective of risk, indicating the potential of a positive outcome.
IRM goes on to define risk as “the combination of the probability of an event and its consequence. Consequences can range from positive to negative.”
Therein lies the basic premise of risk management. If the consequences of risk can be both positive and negative, it would seem only prudent to try and effectively manage risk to have the highest probability of a positive outcome.
Applying IRM’s definition of risk, together with the premise that avoiding all risk would result in no achievement, no progress and no reward, we intrinsically recognize that not all risks are bad and not all risks are to be avoided.
Over the course of three successive articles on risk, we will take a closer look at how in-house counsel works with internal and external resources to help identify, evaluate and categorize risk.
Risk Assessment: The Starting Point for Successful Risk Management
Risk assessment is the identification, analysis and evaluation of risks involved in a given situation. Risk assessment also implies a comparison against benchmarks or standards, and the determination of an acceptable level of risk. The evaluation of risks should also provide management with a remediation or control for the identified hazard.
The word “risk” alone without any context is a vague and ill-defined term. There is safety risk, country risk, political risk, health risk and the ongoing list is virtually boundless and it is next to impossible to comprehensively assess all possible risks.
According to Tori Silas, privacy officer and senior counsel with Cox Enterprises, Inc., Cox uses the external resources of multinational accounting and advisory companies to assist with its risk assessments. Using best practices they have developed by analyzing business processes and assessing risk for companies on a global level, these organizations assist in the identification of risks in particular areas of the business, and provide a framework within which to rate risks and prioritize remediation efforts associated with those risks.
Assessment Begins with Knowing Who Decides Acceptable Levels of Risk
As an example of financial risk, according to a Tulane University study, the chances of getting hit by an asteroid or comet are 1,000 times greater than the chances of winning a Mega Millions lottery jackpot. Yet some have accepted that level of risk and will habitually trade their money to play the lottery rather than investing their money or capital in an endeavor that has a much higher probability of building wealth. Whether right or wrong, a good or bad decision, those who choose to play the lottery have intrinsically accepted the financial risk of losing their money in exchange for the near-impossible odds of reaping a grand reward.
No matter our opinion of playing the lottery, I think we would all agree that it would be highly unlikely to find a pragmatic business executive allotting some portion of the company’s wealth and assets to invest in lottery tickets. But why not? Who decides the parameters of acceptable levels of risk for a business, and against what benchmarks are those decisions made?
The business owners, board of directors and executive management define the business objectives, and establish the risk appetite and risk tolerances that are to be contemplated on an overall basis by management when making decisions and evaluating options and alternatives. Together they establish a system of rules, practices and processes by which their company is directed and controlled. This concept is often referred to as corporate governance. Businesses of all sizes embrace this concept, but small businesses may cloak this concept within the singular frame of mind of its ownership’s values, ideologies, philosophies, beliefs and individual business principles.
As the privacy officer for Cox Enterprises, Silas strives to make certain the employees of their consumer facing companies are aware of Cox’s obligations regarding data privacy and that they are appropriately trained to identify and mitigate risk related to and to protect any private consumer data they may have collected.
Corporate Governance
Since the purpose of a risk assessment is the identification, analysis, and evaluation of risks that could adversely impact the business meeting its objectives, the process of conducting a risk assessment should be integrated into existing management processes. According to Silas, Cox Enterprises also utilizes its own internal audit services department to examine functional processes and identify opportunities to strengthen controls and mitigate risks. It is recommended that risk assessments should be conducted using a top-down approach beginning with the top level of the company and filtering its way down through each division and business unit.
For example, a company may have three divisions: manufacturing, marketing and finance. Each of those divisions may operate in four global sectors. Using a top-down approach, the three top divisions would conduct a risk assessment, and each subdivision located in each global sector would conduct its own risk assessment. The top-down approach would then be complemented by a bottom-up process in which the risk assessments are sent up the business chain, gathered and compiled into an integrated risk assessment matrix.
Ten Tips for Conducting an Effective Risk Assessment
In quick summary, here are ten additional tips for conducting an effective risk assessment:
Create, plan and conduct a formal risk assessment;
Define the context and objectives of the risk assessment;
Define and understand the organization’s acceptable risk tolerance;
Bring together the best team to conduct the risk assessment;
Employ the best risk assessment techniques for the situation;
Understand control measures to mitigate risk;
Be objective and impartial when conducting the risk assessment;
Identify the environment that is conducive to risks;
Identify who could be harmed; and
Review, revisit and re-perform the risk assessment.
_________________________________________________
*H. Glen Jenkins, CPA, CVA, CFE, is Senior Manager in the Fraud & Forensic Services practice in the Atlanta, Georgia offices of Warren Averett, the 26th largest accounting firm in the U.S. Jenkins has more than 20 years of experience assisting corporate counsel in complex commercial litigation, calculation of economic damages, fraud investigations and business valuations of tangible and intangible properties.
Here is the third edition of a very well-designed Australian KPMG document that clearly answers the questions all corporate directors ask themselves in the course of their mandates.
Although the publication is intended for KPMG's Australian audience, I believe the North American regulatory reality is too similar to pass up a good toolkit that can help build an effective board.
It is a remarkable 182-page interactive electronic document. See the table of contents below.
I asked KPMG to provide me with a French version of the same document, but none seems to exist.
Our business environment provides an ever-changing spectrum of risks and opportunities. The role of the director continues to be shaped by a multitude of forces including economic uncertainty, larger and more complex organisations, the increasing pace of technological innovation and digitisation along with a more rigorous regulatory environment.
At the same time there is more onus on directors to operate transparently and be more accountable for their actions and decisions.
To support directors in their challenging role, KPMG has created an interactive Directors’ Toolkit. Now in its third edition, this comprehensive guide is in a user friendly electronic format. It is designed to assist directors to more effectively discharge their duties and improve board performance and decision-making.
Key topics
Duties and responsibilities of a director
Oversight of strategy and governance
Managing shareholder and stakeholder expectations
Structuring an effective board and sub-committees
Enabling key executive appointments
Managing productive meetings
Better practice terms of reference, charters and agendas
Establishing new boards.
What’s New
In this latest version, we have included newly updated sections on:
Roles, responsibilities and expectations of directors of not-for-profit organisations
Risks and opportunities social media presents for directors and organisations
Key responsibilities of directors for overseeing investment governance, operations and processes.
Several directors and trainers have asked me to recommend an accessible introductory document on governance. I have already posted on my blog a guide intended for journalists who cover corporate governance around the world. It was published by the Global Corporate Governance Forum and the International Finance Corporation (a World Bank organization) in close cooperation with the International Center for Journalists.
I have yet to see anything more complete or more relevant on the best way to approach the many issues related to the governance of global companies. The management of the Global Corporate Governance Forum sent me the French version of the document on February 14.
This guide is an indispensable teaching tool for acquiring a solid understanding of the various facets of corporate governance. The authors offer many examples of ethical problems and conflicts of interest related to the conduct of global companies.
Business journalists, and anyone concerned with sound governance, learn how to refine their investigations and publish the results of their analyses. I strongly recommend that you read the document, and also that you keep it in a safe place, as you will very likely have occasion to use it.
Below are a few excerpts from the introduction to the guide. Happy reading!
« This Guide is designed for reporters and editors who already have some experience covering business and finance. The goal is to help journalists develop stories that examine how a company is governed, and spot events that may have serious consequences for the company’s survival, shareholders and stakeholders. Topics include the media’s role as a watchdog, how the board of directors functions, what constitutes good practice, what financial reports reveal, what role shareholders play and how to track down and use information shedding light on a company’s inner workings. Journalists will learn how to recognize “red flags,” or warning signs, that indicate whether a company may be violating laws and rules. Tips on reporting and writing guide reporters in developing clear, balanced, fair and convincing stories.
Three recurring features in the Guide help reporters apply “lessons learned” to their own “beats,” or coverage areas:
– Reporter’s Notebook: Advice from successful business journalists
– Story Toolbox: How and where to find the story ideas
– What Do You Know? Applying the Guide’s lessons
Each chapter helps journalists acquire the knowledge and skills needed to recognize potential stories in the companies they cover, dig out the essential facts, interpret their findings and write clear, compelling stories:
What corporate governance is, and how it can lead to stories. (Chapter 1, What’s good governance, and why should journalists care?)
How understanding the role that the board and its committees play can lead to stories that competitors miss. (Chapter 2, The all-important board of directors)
Shareholders are not only the ultimate stakeholders in public companies, but they often are an excellent source for story ideas. (Chapter 3, All about shareholders)
Understanding how companies are structured helps journalists figure out how the board and management interact and why family-owned and state-owned enterprises (SOEs), may not always operate in the best interests of shareholders and the public. (Chapter 4, Inside family-owned and state-owned enterprises)
Regulatory disclosures can be a rich source of exclusive stories for journalists who know where to look and how to interpret what they see. (Chapter 5, Toeing the line: regulations and disclosure)
Reading financial statements and annual reports — especially the fine print — often leads to journalistic scoops. (Chapter 6, Finding the story behind the numbers)
Developing sources is a key element for reporters covering companies. So is dealing with resistance and pressure from company executives and public relations directors. (Chapter 7, Writing and reporting tips)
Each chapter ends with a section on Sources, which lists background resources pertinent to that chapter’s topics. At the end of the Guide, a Selected Resources section provides useful websites and recommended reading on corporate governance. The Glossary defines terminology used in covering companies and corporate governance ».
Today I suggest reading an article published in the European Journal of Risk Regulation (EJRR) that examines the Volkswagen scandal from a legal angle but, above all, from the angle of failures of sound governance.
The text reads as a case study in governance and management. It should feed reflection on ethics, cultural values and the effects of excessive pressure to perform.
Below you will find the full article, with the author's consent. I have not included the references, which are very numerous and can be consulted on the publisher's site, lexxion.
Like some other crises and scandals that periodically occur in the business community, the Volkswagen (“VW”) scandal once again highlights the devastating consequences of corporate misconduct, once publicly disclosed, and the media storm that generally follows the discovery of such significant misbehaviour by a major corporation. Since the crisis broke in September 2015, the media have relayed endless details about the substantial negative impacts on VW and on various stakeholder groups such as employees, directors, investors, suppliers and consumers, and on the automobile industry as a whole (1).
The multiple and negative repercussions at the economic, organizational and legal levels have quickly become apparent, in particular in the form of resignations, changes in VW’s senior management, layoffs, a hiring freeze, the end to the marketing of diesel-engined vehicles, vehicle recalls, a decline in car sales, a drop in market capitalization, and the launching of internal investigations by VW and external investigations by the public authorities. This comes in addition to the threat of numerous civil, administrative, penal and criminal lawsuits and the substantial penalties they entail, as well as the erosion of trust in VW and the automobile industry generally (2).
[Photo caption: Martin Winterkorn, chief executive officer of Volkswagen AG, at an earnings news conference at the company’s headquarters in Wolfsburg, Germany, on Monday, March 12, 2012. Volkswagen said 11 million vehicles were equipped with diesel engines at the center of a widening scandal over faked pollution controls that will cost the company at least 6.5 billion euros ($7.3 billion). Photographer: Michele Tantussi/Bloomberg]
A scandal of this extent cannot fail to raise a number of questions, in particular concerning the cause of the alleged cheating, the liable actors, the potential organizational and regulatory problems related to compliance, and ways to prevent further misconduct at VW and within the automobile industry. Based on the information surrounding the VW scandal, it is premature to capture all facets of the case. In order to analyze in more depth the various problems raised, we will have to wait for the findings of the investigations conducted both internally by the VW Group and externally by the regulatory authorities.
While recognizing the incompleteness of the information made available to date by VW and certain commentators, we can still use this documentation to highlight a few features of the case that deserve to be studied from the standpoint of corporate governance.
This Article remains relatively modest in scope, and is designed to highlight certain organizational factors that may explain the deviant behaviour observed at VW. More specifically, it submits that the main cause of VW’s alleged wrongdoing lies in the company’s ambitious production targets for the U.S. market and the time and budget constraints imposed on employees to reach those targets. Arguably, the corporate strategy and pressures exerted on VW’s employees may have led them to give preference to the performance priorities set by the company rather than compliance with the applicable legal and ethical standards. And this corporate misconduct could not be detected because of deficiencies in the monitoring and control mechanisms, and especially in the compliance system established by the company to ensure that legal requirements were respected.
Although limited in scope, this inquiry may prove useful in identifying means to minimize, in the future, the risk of similar misconduct, not only at VW but within other companies as well (3). Given the limited objectives of the Article, which focuses on certain specific organizational deficiencies at VW, the legal questions raised by the case will not be addressed. However, the Article will refer to one aspect of the law of business corporations in the United States, Canada and the EU Member States in order to emphasize the crucial role that boards in publicly-held companies must exercise to minimize the risk of misconduct (4).
II. A Preliminary Admission by VW: Individual Misconduct by a few Software Engineers
When a scandal erupts in the business community following a case of fraud, embezzlement, corruption, the marketing of dangerous products or other deviant behaviour, the company concerned and the regulatory authorities are required to quickly identify the individuals responsible for the alleged misbehaviour. For example, in the Enron, WorldCom, Tyco and Adelphia scandals of the early 2000s, the investigations revealed that certain company senior managers had acted fraudulently by orchestrating accounting manipulations to camouflage their business’s dire financial situation (5).
These revelations led to the prosecution and conviction of the officers responsible for the corporations’ misconduct (6). In the United States, the importance of identifying individual wrongdoers is clearly stated in the Principles of Federal Prosecution of Business Organizations issued by the U.S. Department of Justice, which provide guidelines for prosecutions of corporate misbehaviour (7). On the basis of a memo issued in 2015 by the Department of Justice (the “Yates memo”) (8), these principles were recently revised to express a renewed commitment to investigate and prosecute individuals responsible for corporate wrongdoing. While recognizing the importance of individual prosecutions in that context, this strategy is only one of the ways to respond to white-collar crime. From a prevention standpoint, it is essential to conduct a broader examination of the organizational environment in which senior managers and employees work to determine whether the enterprise’s culture, values, policies, monitoring mechanisms and practices contribute or have contributed to the adoption of deviant behaviour (9).
In the Volkswagen case, the company’s management concentrated first on identifying the handful of individuals it considered to be responsible for the deception, before admitting a few weeks later that organizational problems had also encouraged or facilitated the unlawful corporate behaviour. Once news of the Volkswagen scandal broke, one of VW’s officers quickly linked the wrongdoing to the actions of a few employees, without uncovering any governance problems or misbehaviour at the VW management level (10).
In October 2015, the President and Chief Executive Officer of the VW Group in the United States, Michael Horn, stated in testimony before a Congressional Subcommittee: “[t]his was a couple of software engineers who put this for whatever reason […]. To my understanding, this was not a corporate decision. This was something individuals did” (11). In other words, the US CEO considered that sole responsibility for the scandal lay with a handful of engineers working at the company, while rejecting any allegation tending to incriminate the company’s management.
This portion of his testimony failed to convince the members of the Subcommittee, who expressed serious doubts about placing sole blame on the misbehaviour of a few engineers, given that the problem had existed since 2009. As one of the committee’s members put it in a sceptical response: “I cannot accept VW’s portrayal of this as something by a couple of rogue software engineers […] Suspending three folks – it goes way, way higher than that” (12).
Although misconduct similar to the behaviour uncovered at Volkswagen can often be explained by the reprehensible actions of a few individuals described as “bad apples”, the violation of rules can also be explained by the existence of organizational problems within a company (13).
III. Recognition of Organizational Failures by VW
In terms of corporate governance, an analysis of misbehaviour can highlight problems connected with the culture, values, policies and strategies promoted by a company’s management that have a negative influence on the behaviour of senior managers and employees. Considering the importance of the organizational environment in which these players act, regulators provide for several internal and external governance mechanisms to reduce the risk of corporate misbehaviour or to minimize agency problems (14). As one example of an internal governance mechanism, the law of business corporations in the U.S., Canada and the EU Member States gives the board of directors (in a one-tier board structure, as prescribed under American and Canadian corporation law) or the management board and supervisory board (in a two-tier board structure, as provided for in some EU Member States, such as Germany) a key role to play in monitoring the company’s activities and internal dealings (15). As part of its monitoring mission, the board must ensure that the company and its agents act in a diligent and honest way and in compliance with the regulations, in particular by establishing mechanisms or policies in connection with risk management, internal controls, information disclosure, due diligence investigation and compliance (16).
When analysing the Volkswagen scandal from the viewpoint of its corporate governance, the question to be asked is whether the culture, values, priorities, strategies and monitoring and control mechanisms established by the company’s management board and supervisory board (in other words, “the tone at the top”) created an environment that contributed to the emergence of misbehaviour (17).
In this saga, although the initial testimony given to the Congressional Subcommittee by the company’s U.S. CEO, Michael Horn, assigned sole responsibility to a small circle of individuals, VW’s senior management later recognized that the misconduct could not be explained simply by the deviant behaviour of a few people, since the evidence also pointed to organizational problems supporting the violation of regulations (18). In December 2015, VW’s management released the following observations, drawn from the preliminary results of its internal investigation:
“Group Audit’s examination of the relevant processes indicates that the software-influenced NOx emissions behavior was due to the interaction of three factors:
– The misconduct and shortcomings of individual employees
– Weaknesses in some processes
– A mindset in some areas of the Company that tolerated breaches of rules” (19).
Concerning the question of process, VW released the following audit key findings:
“Procedural problems in the relevant subdivisions have encouraged misconduct;
Faults in reporting and monitoring systems as well as failure to comply with existing regulations;
IT infrastructure partially insufficient and antiquated.” (20)
More fundamentally, VW’s management pointed out at the same time that the information obtained up to that point on “the origin and development of the nitrogen issue […] proves not to have been a one-time error, but rather a chain of errors that were allowed to happen” (21). “The starting point was a strategic decision to launch a large-scale promotion of diesel vehicles in the United States in 2005. Initially, it proved impossible to have the EA 189 engine meet by legal means the stricter nitrogen oxide requirements in the United States within the required timeframe and budget” (22).
In other words, this revelation by VW’s management suggests that « the end justified the means » in the sense that the ambitious production targets for the U.S. market and the time and budget constraints imposed on employees encouraged those employees to use illegal methods in operational terms to achieve the company’s objective. And this misconduct could not be detected because of deficiencies in the monitoring and control mechanisms, and especially in the compliance system established by the company to ensure that legal requirements were respected. Among the reasons given to explain the crisis, some observers also pointed to the excessive centralization of decision-making powers within VW’s senior management, and an organizational culture that acted as a brake on internal communications and discouraged mid-level managers from passing on bad news (23).
IV. Organizational Changes Considered as a Preliminary Step
In response to the crisis, VW’s management, in a press release in December 2015, set out the main organizational changes planned to minimize the risk of similar misconduct in the future. The changes mainly involved “instituting a comprehensive new alignment that affects the structure of the Group, as well as its way of thinking and its strategic goals” (24).
In structural terms, VW changed the composition of the Group’s Board of Management to include the person responsible for the Integrity and Legal Affairs Department as a board member (25). In the future, the company wanted to give “more importance to digitalization, which will report directly to the Chairman of the Board of Management,” and intended to give “more independence to brands and divisions through a more decentralized management” (26). With a view to initiating a new mindset, VW’s management stated that it wanted to avoid “yes-men” and to encourage managers and engineers “who are curious, independent, and pioneering” (27). However, the December 2015 press release reveals little about VW’s strategic objectives: “Strategy 2025, with which Volkswagen will address the main issues for the future, is scheduled to be presented in mid 2016” (28).
Although VW’s management has not yet provided any details on the specific objectives targeted in its « Strategy 2025 », it is revealing to read the VW annual reports from before 2015 in which the company sets out clear and ambitious objectives for productivity and profitability. For example, the annual reports for 2007, 2009 and 2014 contained the following financial objectives, which the company hoped to reach by 2018.
In its 2007 annual report,VW specified, under the heading « Driving ideas »:
“Financial targets are equally ambitious: for example, the Volkswagen Passenger Cars brand aims to increase its unit sales by over 80 percent to 6.6 million vehicles by 2018, thereby reaching a global market share of approximately 9 percent. To make it one of the most profitable automobile companies as well, it is aiming for an ROI of 21 percent and a return on sales before tax of 9 percent.” (29).
Under the same heading, VW stated in its 2009 annual report:
“In 2018, the Volkswagen Group aims to be the most successful and fascinating automaker in the world. […] Over the long term, Volkswagen aims to increase unit sales to more than 10 million vehicles a year: it intends to capture an above-average share as the major growth markets develop” (30).
And in its 2014 annual report, under the heading “Goals and Strategies”, VW said:
“The goal is to generate unit sales of more than 10 million vehicles a year; in particular, Volkswagen intends to capture an above-average share of growth in the major growth markets.
Volkswagen’s aim is a long-term return on sales before tax of at least 8% so as to ensure that the Group’s solid financial position and ability to act are guaranteed even in difficult market periods” (31).
Besides these specific objectives for financial performance, the annual reports show that the company’s management recognized, at least on paper, the importance of ensuring regulatory compliance and promoting corporate social responsibility (CSR) and sustainability (32). However, after the scandal broke in September 2015, questions can be asked about the effectiveness of the governance mechanisms, especially the reporting and monitoring systems put in place by VW to achieve company goals in this area (33). In light of the preliminary results of VW’s internal investigation (34), as mentioned above, it seems that, in the organizational culture, the commitment to promote compliance, CSR and sustainability was not as strong as the effort made to achieve the company’s financial performance objectives.
Concerning the specific and challenging priorities of productivity and profitability established by VW’s management in previous years, the question is whether the promotion of financial objectives such as these created a risk because of the pressure it placed on employees within the organizational environment. The priorities can, of course, exert a positive influence and motivate employees to make an even greater effort to achieve the objectives (35). On the other hand, the same priority can exert a negative influence by potentially encouraging employees to use all means necessary to achieve the performance objectives set, in order to protect their job or obtain a promotion, even if the means they use for that purpose contravene the regulations. In other words, the employees face a « double bind » or dilemma which, depending on the circumstances, can lead them to give preference to the performance priorities set by the company rather than compliance with the applicable legal and ethical standards.
In the management literature, a large number of theoretical and empirical studies emphasize the beneficial effects of the setting of specific and challenging goals on employee motivation and performance within a company (36). However, while recognizing these beneficial effects, some authors point out the unwanted or negative side effects they may have.
As highlighted by Ordóñez, Schweitzer, Galinsky and Bazerman, specific goal setting can result in employees focusing solely on those goals while neglecting other important, but unstated, objectives (37). They also mention that employees motivated by “specific, challenging goals adopt riskier strategies and choose riskier gambles than do those with less challenging or vague goals” (38). As an additional unwanted side effect, goal setting can encourage unlawful or unethical behaviour, either by inciting employees to use dishonest methods to meet the performance objectives targeted, or to “misrepresent their performance level – in other words, to report that they met a goal when in fact they fell short” (39). Based on these observations, the authors suggest that companies should set their objectives with the greatest care and propose various ways to guard against the unwanted side effects highlighted in their study. This approach could prove useful for VW’s management, which will once again, at some point, have to define its objectives and strategies.
V. Conclusion
In the information released to the public after the emissions cheating scandal broke, as mentioned above, VW’s management quickly stated that the misconduct was directly caused by the individual misbehaviour of a couple of software engineers. Later, however, it admitted that the individual misconduct of a few employees was not the only cause, and that there were also organizational deficiencies within the company itself.
Although the VW Group’s public communications have so far provided few details about the cause of the crisis, the admission by management that both individual and organizational failings were involved constitutes, in our opinion, a lever for understanding the various factors that may have led to reprehensible conduct within the company. Based on the investigations that will be completed over the coming months, VW’s management will be in a position to identify more precisely the nature of these organizational failings and to propose ways to minimize the risk of future violations. During 2016, VW’s management will also announce the objectives and strategies it intends to pursue over the next few years.
How can your organization better control the risks related to its third parties? That is what this Deloitte document, from an issue of the newsletter “On the board’s agenda”, teaches you.
Until recently, supplier risk was more or less limited to the quality of the products or raw materials supplied, or to the possibility that a supplier would fail to meet its supply commitments and thereby disrupt production. Today, companies are increasingly held responsible for the behaviour of their suppliers, whether with respect to health, safety and environmental practices, compliance with labour laws and other regulations, use of intellectual property, sourcing of raw materials, corruption and more. And since customers do not distinguish between an organization and its suppliers, the actions of third parties can also damage the organization’s reputation or its customers’ trust.
Here is an overview of the document, in particular the questions directors should ask about the risks related to third parties. It also presents the point of view of José Écio Pereira, company director and retired Deloitte partner.
A supplier’s factory collapses, killing hundreds of workers, some of them children. Thousands of files containing customer credit card data and other confidential financial information are hacked through a third party authorized to access the company’s network. A supplier used contaminated materials and a large-scale recall campaign for certain products must be launched.
Until recently, supplier risk was more or less limited to the quality of the products or raw materials supplied, or to the possibility that a supplier would fail to meet its supply commitments and thereby disrupt production.
Today, laws such as the Foreign Corrupt Practices Act in the United States, the Bribery Act in the United Kingdom and others mean that companies are increasingly held responsible for the conduct of their suppliers. Likewise, customers do not always distinguish a company from its suppliers. For them, the company is the one that provides the solution; if a problem arises, it is the company they hold responsible, and so it is the company’s reputation that is at stake. This is why companies must now extend their risk oversight to the extended enterprise (1) and observe, among their third-party suppliers, health, safety and environmental practices, compliance with labour laws and other regulations, use of intellectual property, sourcing of raw materials, corruption and more.
Questions directors should ask
(1) Has our company comprehensively assessed its third-party risk and, if so, which components of that risk are currently the most significant for the company?
(2) Which third parties could most seriously impair the company’s ability to achieve its strategic goals and objectives?
(3) What are we doing to proactively manage and monitor risk, and its evolution, across our extended enterprise? Which risk management tools do we use?
(4) Who is responsible for managing third-party risk in our company?
(5) How often does management report to the board of directors on its assessment of third-party risks and on the process put in place to mitigate them? Is that information sufficiently detailed and provided in a timely manner?
Le point de vue d’un administrateur
José Écio Pereira est membre des conseils d’administration de Votorantim Cimentos, Fibria et Gafisa et a été membre du conseil de BRMalls ; il préside également le comité d’audit de Votorantim Cimentos et de Gafisa. Il est le propriétaire fondateur de JEPereira Consultoria em Gestão de Negócios et a été associé, maintenant à la retraite, de Deloitte Brésil.
Le risque lié aux entités tierces figure-t-il à l’ordre du jour des conseils d’administration ?
Les conseils dont je connais le fonctionnement effectuent une évaluation du risque tous les trois ou quatre mois. Le risque lié aux entités tierces à proprement parler n’est pas un point distinct à l’ordre du jour, mais nous l’abordons dans notre analyse des risques. Ceci dit, il est clair que de nos jours, les conseils accordent plus d’attention au risque lié aux tiers qu’il y a à peine deux ans. Au Brésil, c’est principalement à cause de la loi anticorruption (Clean Company Act) de 2014. En vertu de cette loi, les entreprises peuvent être tenues responsables des activités illégales ou de la conduite contraire à l’éthique de leurs tiers fournisseurs.
Depuis que cette loi est en vigueur, les administrateurs examinent de beaucoup plus près les risques associés aux tiers fournisseurs des entreprises qu’ils supervisent. Ils examinent les pratiques de leurs fournisseurs en matière de conditions de travail, de normes pour les employés, de mesures de santé et de sécurité et d’autres facteurs pour s’assurer que tous respectent les normes de l’entreprise qui a fait appel à eux. La santé financière des fournisseurs est un autre paramètre fort important, surtout au vu de la situation économique actuelle au Brésil. Les entreprises veulent être sûres que leurs fournisseurs paient leurs impôts et respectent leurs obligations juridiques, en particulier dans leurs relations avec leurs employés, et qu’ils seront à même de poursuivre leur exploitation.
Les administrateurs examinent-ils les relations avec des tiers dans le contexte du cyberrisque ?
Je pense que les entreprises dont les systèmes sont connectés avec ceux de tiers fournisseurs à des fins d’approvisionnement ou de logistique sont conscientes de l’existence du cyberrisque et prennent les mesures nécessaires pour s’en prémunir. Mais ces mesures sont généralement liées aux échanges de produits et de services.
Dans une perspective plus vaste, je dirais que la plupart des entreprises ne disposent pas de systèmes d’information appropriés pour gérer leurs relations avec des tiers. Les systèmes de la plupart des entreprises ne sont pas assez sophistiqués pour se connecter aux systèmes des fournisseurs ; les entreprises ont recours à divers outils pour gérer leurs relations avec des tiers et souvent, ces outils ne sont pas très bien intégrés entre eux. Les relations sont par exemple gérées à l’aide de plusieurs systèmes, y compris des chiffriers et des outils manuels qui ne sont pas du tout conçus pour cet usage.
Who should be responsible for third-party suppliers?
The board of directors must play a supervisory role and ensure that senior management has a process in place for managing third-party risk.
In Brazil, it is often the procurement department that remains responsible for operational issues and that verifies that products and services are indeed delivered in accordance with the terms of the contract concluded with the third-party supplier. In addition, many companies also set up a dedicated function responsible for managing contracts concluded with third parties. Most Brazilian companies maintain several third-party relationships: food services, security, transportation, manufacturing. All of them are essential to a company's day-to-day operations. Many companies are therefore allocating more resources to effective contract management.
Some companies constantly monitor their suppliers to ensure that contracts are observed to the letter. Many require their suppliers to self-assess their contractual compliance, in addition to conducting periodic audits and other tests to verify that contracts are being honoured. All of these measures represent an enormous amount of work, and sometimes a dedicated administrative function must be devoted to it.
I will tell you about a real example. One of the companies I work with is in the process of building large new facilities. It is an investment of nearly US$2 billion, and a project of about 18 months. At present, construction has just begun. Several suppliers are working on it, whether for site security or for the supply and installation of equipment.
The company set up a project steering committee that includes, among others, members of the management team. This committee meets at least once every 15 days, and supplier relationships come up constantly on its agenda. This is much more than a matter of due diligence; the committee also carries out constant monitoring of third-party suppliers.
Each month, the steering committee presents the project's progress to the board. The progress report records everything relating to third-party suppliers: failure to remit employee payroll withholdings, to pay property taxes or benefits, violations of health and safety rules on the site, as well as operational problems such as a supplier missing deadlines or the insufficient quality of the services it has rendered. When problems arise, the project committee transfers them to the project's "risk map", and management takes the necessary follow-up measures, including applying contractual penalties where applicable.
Should companies also define their own ethical standards for third-party suppliers?
After the Brazilian anti-corruption law came into force, most companies reviewed their ethical standards and code of conduct; one of the major new developments is that they added procedures and rules aimed at third-party suppliers.
In the past, all activities surrounding ethics rules, such as training and workshops, were undertaken from an internal perspective. The standards applied to the company's staff but did not extend beyond the company's boundaries to cover external suppliers as well. Now the scope has broadened, and the rules governing employees, health and safety measures, working conditions, compliance with the law, etc., also encompass third-party suppliers. Companies have also extended their training programs and invite their suppliers to their seminars and workshops, where the rules and monitoring processes are explained.