Posts Tagged ‘corporate governance’

What a good idea…

Monday, March 1st, 2010

Warren Buffett encourages boards to develop meaningful penalties for executives who fail to fully and personally own risk control in their business.

He is, of course, right. In the UK, the Combined Code expects directors and the board to own risk and provides, in the Turnbull Guidance, comprehensive guidance on what is expected.

My impression is that, in the US, the CEO gets stratospheric compensation - and, the bigger and more complex the business, the more s/he gets paid. It seems wrong that shareholders should stump up the funds for an acquisition, see their investment savaged if the deal goes sour, have no real control over the acquisition strategy and pay the CEO more and more, yet there is no real penalty for the CEO when s/he screws up - and being forced out with a big compensation package is no penalty.

The Role of Institutional Shareholders

Friday, March 13th, 2009

It’s great that Hector Sants has said that “delivery of supervision has to be done in partnership with responsible firms, shareholders and auditors.” (It’s a pity that Sants is inconsistent, but that’s another matter.)
The thing is, he’s not exactly saying anything new. I summarised the current position last year in my book on Corporate Governance (the square brackets are my current interpolations):

Institutional Shareholders

The Combined Code [UK Combined Code on Corporate Governance – in place for 10 years] also requires institutional shareholders to interact proactively and objectively with the companies in which they are invested. There are three main principles for institutional shareholders to observe:

  1. Institutional shareholders should enter into a dialogue with companies based on the mutual understanding of objectives. (E.1)
  2. When evaluating companies’ governance arrangements, particularly those relating to board structure and composition, institutional shareholders should give due weight to all relevant factors drawn to their attention. (E.2)
  3. Institutional shareholders have a responsibility to make considered use of their votes. (E.3)

The Combined Code explicitly recommends that institutional investors should not accept a ‘box-ticking’ approach to corporate governance, and that their consideration of disclosures made by the company in relation to the Code should take into account the “size and complexity of the company and the nature of the risks and challenges it faces” (supporting principle to E.2).

The Combined Code recommends (supporting principle to E.1) that City [ie investing] institutions should follow “The Responsibilities of Institutional Shareholders and Agents – Statement of Principles”, which were drawn up by the Institutional Shareholders’ Committee (ISC)[1], whose associations represent virtually all UK institutional investors.

The principles were the first comprehensive statement of best practice governing the responsibilities of institutional shareholders and investment managers in relation to the companies in which they invest.

“They aim to secure value for ultimate beneficiaries – pension scheme members and individual savers – through consistent monitoring of the performance of those companies. This is to be backed up by direct engagement where appropriate. The principles make it clear that if companies persistently fail to respond to concerns, institutional shareholders and investment managers, ISC members will vote against the Board at general meetings.

The principles set out best practice for institutional shareholders and investment managers, under which they will:

· Maintain and publish statements of their policies in respect of active engagement with the companies in which they invest;
· Monitor the performance of and maintain an appropriate dialogue with those companies;
· Intervene where necessary;
· Evaluate the impact of their policies; and
· In the case of investment managers, report back to the clients on whose behalf they invest.” [2]

What’s the reality?

The reality is that active shareholder engagement has – in both London and New York – been extremely limited; after all, the management fees the institutions were earning from ignoring the real risks being run by the companies in which they were invested supported an exciting personal lifestyle. The real victims are the ordinary folk who fell for the polished pitch of the fund managers, who sold so effectively the idea that managing cash is so difficult and complex that ordinary people can’t do it. (An ordinary person said, on a panel interview programme here a couple of weeks ago: ‘I can’t run a bank; can I get a £695k pa pension?’) It’s all very well asking the institutional investors to exercise their governance responsibilities responsibly, but they too have their fingers in the till.

So, isn’t it time we taught basic financial risk management to ordinary people? I know this might require breaking the centuries-old link between financiers and politicians, but perhaps that might start a move toward a society in which those who produce the cash don’t have it conned out of them… sorry, that’s a bit hopeful…

[1] The ISC is a forum which allows the UK’s institutional shareholding community to exchange views and, on occasion, coordinate their activities in support of the interests of UK investors.

Its constituent members are: the Association of British Insurers (ABI), the Association of Investment Companies (AIC), the Investment Management Association (IMA) and the National Association of Pension Funds (NAPF).

[2] ISC Press Release accompanying the launch of the Principles.

Governance, risk management and compliance in 2009

Friday, January 2nd, 2009

As I see it, those organisations that survived 2008 are only going to get through 2009 if they manage cash really carefully. Cash management is only useful if it takes into account the full range of possible risks faced by the organisation. Simply hanging onto cash, not paying creditors and avoiding all expense and investment, is not the same as managing cash - because, even in a recession, there are business opportunities and growth prospects and those organisations that manage their cash effectively are able to prepare themselves to handle the range of possibilities - both on the upside and the downside.

Effective risk management tends only to happen in well-governed organisations; where risk management has failed (such as in our banks, the Big Three auto manufacturers and so on) it doesn’t take long to spot that their governance framework must also have been ineffective - not least if the organisation has had to beg for a support package from central Government.

I think that governance and risk management are going to be key themes in 2009 for the world’s better organisations; for all the rest, those for whom governance is just about box-ticking, 2009 will bring much more box-ticking, because regulatory authorities are not going to allow a repetition of 2008’s ‘perfect storm’, which means that compliance requirements are going to increase.

Of course, box-ticked governance will still be the poor relation of more constructive, fully engaged governance and risk management models that boards - under the guidance of an independent Chairman - deploy to manage the risks faced by the organisation in the difficult economic climate we all face this year.

I kind of hope that those organisations that eschew proper governance will go bust quickly, and get out of the way of the rest of us.

The US Corporate Governance Model is Broken

Thursday, December 11th, 2008

The essential difference between the US and the UK models of corporate governance is that, in the UK, there is a clear understanding of how board rooms work combined with a flexible, principles-based approach while, in the US, corporate governance is essentially an expensive compliance activity that gives CEOs a level of autonomy that allows them, sooner or later, to wreck their companies - and the economy.

The usual situation, in a US-listed company, is that the CEO is also the Chairman of the Board; in the UK, this is highly unusual and, whenever it happens, there is a furore amongst investors and in the press.

The usual practice, in the UK, is that the board is chaired by an independent director, who is usually non-executive and who is genuinely independent - and it is recognised that, once a Chairman has been in situ for too long, he (or she) ceases to be independent. The CEO - however mighty, however well-rewarded - reports to the Chairman and, when the CEO fails in his role, the Chairman is responsible for ensuring that appropriate action is taken to ‘drop the pilot.’ The UK board is made up of a majority of independent directors and, in larger companies, there will usually be a recognised ‘senior director’ whose role it is to ensure that the Chairman doesn’t ‘go native’ and who would be expected to lead the board’s annual review of the Chairman’s performance.

US CEOs talk of themselves serving ‘at the pleasure of the board’; of course, this doesn’t really mean much, as it is usually the CEO who chairs the board which, itself, is usually made up of ‘outside’ directors with whom the CEO has personal relationships. CEOs of US companies are therefore usually in place for far too long and, because there is no genuinely independent control over their compensation packages, are hugely overpaid. (I’m never that impressed by a CEO offering to take a $1 salary for a year - it would be so much more impressive if he also volunteered to return 50% or more of the previous year’s multi-million dollar over-compensation to the company.)

While the UK corporate governance model doesn’t always protect UK shareholders from incompetence or stupidity on the part of their boards, it does at least help UK companies avoid a situation where their CEOs turn up in Parliament with a begging bowl, having flown there on parallel private jet flights. One would have thought that any Chairman worth his or her salt would immediately have sacked a CEO who is so far removed from reality that, when asked the direct question on camera about whether they would immediately dispose of the private jet and return home by commercial airline, he couldn’t even come up with a plausible response.

And, while the world has clearly been living beyond its means for far too long, it’s also clear that the US cult of the CEO ego is right at the heart of the huge, ill-considered, crazy bets that their companies have taken - and as a result of which we all now face a long, hard few years.

The US now needs a corporate governance code that resembles the UK’s Combined Code; in the UK, in the meantime, we need to get on with improving our own performance. We also need institutional shareholders tough and determined enough to insist on board changes when their boards are destroying the investments for which they have a fiduciary responsibility.

WorldCom and IT governance

Thursday, September 22nd, 2005

Final settlement of the WorldCom case, which involved eleven outside directors contributing rather more than they received as compensation for their stewardship of the company and guardianship of the interests of their shareholders, was announced today. The directors’ settlement, announced back in March, involved them paying, between them, a total of $20.25 million from their own pockets - and this is in addition to the amounts paid out to the creditors and shareholders under the board’s Directors’ and Officers’ insurance policy.

What does this mean for corporate governance generally, and for IT governance specifically? Well, it clearly establishes the outside directors of a company as a legitimate, attractive target for aggrieved creditors and shareholders when a company goes bankrupt. Given the increasing extent to which organizations are dependent on IT - and the extent to which a significant IT failure can now impact the long term competitiveness and viability of any organization - it’s not going to be long before the expectation of transparency around general corporate governance extends to IT governance.

Sure, SOX has already transformed the early awareness of the need for proper IT governance that was created by the Turnbull report in the UK into a far more significant board issue. Let’s hope it doesn’t take a significant IT failure, leading to a corporate collapse, before boards really get to grips with their responsibilities. Reality suggests otherwise, though.

Half of IT bosses ignoring the law

Thursday, May 5th, 2005

In an article yesterday, a National Computing Centre survey revealed that 44 percent of IT decision-makers admitted they were not fully aware of IT standards and legal requirements, with 22 percent claiming complete ignorance of the issue! Once you include the significant portion of people who will have claimed full awareness even though they don’t have it, you create the alarming picture that about half the people who are responsible for IT are not fully aware of the laws and regulations they’re supposed to be complying with.

A similar survey of CEOs and Chairmen, if it revealed that about half of them were not aware of their corporate governance obligations, would provoke outrage in the press and parliament. Considering the extent to which organizations are data-dependent these days, it’s about time that the board stepped up to its governance obligation where information security and IT governance are concerned - abdicating responsibility to the Head of IT is clearly not working as a strategy.

Remedying data theft

Monday, April 25th, 2005

Recent months have seen a series of widely publicized personal data thefts from companies that ought to have known better - and, in parallel, a series of US legislative proposals for bills that would have the characteristics of both California’s SB1386 and the Sarbanes Oxley Act. Of course, those organizations who lost data - and those who, but for the grace of [insert], go there - don’t think that more legislation of this sort is called for.

The choice, though, is quite easy: improve security voluntarily, so that people feel their privacy is properly protected, or be forced to do so - the outcome is not in doubt, just the pain and expense of getting there has still to be determined.

My expectation is that, just as with financial corporate governance, organizations will have to be forced to take proper steps to really protect personal data. A pity, because the total cost of that route is invariably greater than if it is tackled voluntarily.

“Leave it to IT”?

Thursday, December 9th, 2004

With the exception of a small number of enlightened boards, most businesses assume that, because information technology is the functional responsibility of the IT department, IT is strategically accountable for it as well. Of course, this means that IT is also held responsible for information security - protecting the organisation’s reputation from breaches of the confidentiality, availability and integrity of its information, as well as from organised crime and terrorists. Is this fair on the IT team, or is it the board ducking a critical corporate governance responsibility?

IT Governance

Tuesday, November 2nd, 2004

The rapidly changing world of corporate governance (driven particularly by the UK’s Combined Code and the US Sarbanes Oxley Act) makes it essential for listed companies to implement IT governance structures - common sense would argue that, if a substantial part of your shareholder value is tied up in intangible assets and if your business model in any way depends on your investment in IT, you would see IT governance as a ‘sine qua non’ - I recently did a presentation on all this in Oxford, UK. I would welcome views on how corporate governance, IT and information security are currently interacting.