May 08, 2013
Michael Breit, CPA
Steven Kreit, CPA
This 4th annual edition of our Concerns About Risks Confronting Boards continues to explore the trends, changes, and issues facing American boards today. Reputational risk, whether related to financial, regulatory compliance, fraud or privacy and data security issues, has been exacerbated by the growing use and impact of social media. It is paramount that boards and executives remain attentive to and ahead of the curve on challenges that exist not only in operations and reporting, but in the digital domain.
In this edition, we review the general trends out of the 235 respondents. However, we have introduced a new facet to our analysis: We identify the similarities and differences between those serving on public, private, not-for-profit, and private equity-owned boards.
This report delivers insight based on our findings, professional expertise, and the conversations we have with clients and contacts. We welcome the opportunity to further these discussions with you.
EisnerAmper's 4th annual Board of Director's Survey was designed to gain insights into the risks being discussed and addressed in American boardrooms. Directors were polled via a web-based survey sent to select EisnerAmper contacts and members of the NACD Directorship database.
This survey was conducted during January and February 2013 and measures the opinions of 235 directors serving on the boards of publicly-traded, private, not-for-profit and private equity-owned companies across a variety of industries. Directors' participation on key committees is identified in the chart below.*
While 12% of our respondents did not currently participate on any committees, 40% served on "other" committees. To help create a better picture of the participants in this survey, and to better understand the issues being addressed by their boards, the following highlights the responses provided by multiple respondents detailing the "other" committees:
- Executive Committee
- Risk Oversight
- Sustainability and Corporate Responsibility
- IT Planning/Oversight
EisnerAmper Intelligent Data (EisnerAmper ID) uses proprietary market research conducted by EisnerAmper and leading market research firms, along with analysis from EisnerAmper's partners and principals, to produce insightful articles, events and data designed to educate and stimulate discussion on the issues of most interest to business leaders today.
The survey results were prepared by EisnerAmper and are accompanied by EisnerAmper's observations of industry trends and issues. While EisnerAmper believes the information is from reliable sources, it should not be relied upon as, or considered to be, investment or legal advice.
* Where applicable, directors were able to select more than one response.
It's Always the One That Got Away…
Our data shows that the most significant concern for boards today is the issue over which they have increasingly less control: public perception or, as it's become known, reputational risk. Driven by brand experience, service, product, quality, integrity, ethics and fraud and amplified by the growing power of social media, public perception is quickly and easily swayed with statements, pictures, and stories that live forever.
As reflected in the responses relating to risk management, not-for-profit organizations are quick to recognize reputational risk, most likely since it can dramatically impact their lifeline: fundraising. This is perhaps best demonstrated by the change in the Susan G. Komen Foundation's funding decisions in response to overwhelming social media activity.
Recognizing and Addressing Risk: Inconsistent Approaches
Internal audit is most widely utilized by public companies. It makes sense that public companies have, by far, made the most positive changes in the use of the internal audit process: adding staff, outsourcing functions and/or increasing coverage. That trend has existed for some time. And, while it has slowed a bit this year, public companies continue to focus on investing in its use.
Responses from board members serving on private equity-owned entities indicate they do not seem to derive value from internal audit.
Based on the responses to our survey, it is hard to tell where and how not-for-profit boards are identifying risk. From the numbers, it is not primarily from internal audit. It seems that board meetings are utilized to address (not necessarily identify) risk. In this case, this insular method, using those closest to the organization, does not take advantage of the vantage point of external resources — or even distinct internal departments.
In addition to the use of internal audit, close to 50% of public company boards indicated they had comprehensive, fully implemented enterprise risk management (ERM) programs.
From what we've observed, the use of internal audit and ERM programs enables boards to spend less time addressing specific operational risks. Optimally, boards should be guiding strategy and managing direction and risks, not overseeing day-to-day operational issues. Therefore, companies without well-developed ERM programs and with under-staffed and/or under-utilized internal audit functions may want to reconsider their investments in these areas.
Board Focus and Investment
In addition to risk and reputation management, strategic direction had the attention of all boards.
An overwhelming majority of board members — 87% — felt it was important to not just discuss strategic direction, but invest in it. The key focus was on internal betterment: expansion, IT infrastructure, and staffing. While 68% of public companies saw opportunity for investment in business process improvement, all others (private, not-for-profit, and private equity-owned entities) saw an even greater opportunity to strengthen and invest in this area. This may be due to the fact that these boards tend to be more focused on and involved in day-to-day operations than public company boards.
A distinct difference emerged with mergers and acquisitions: Half of public company boards, as compared to one-third of all other boards, felt the topic warranted attention, a drop from previous years.
Company Leadership: Expectations Increasing
With new cyber threats, new regulations and an increasingly dynamic environment, boards expect top company management to expand their expertise. Ironically, with a good deal of concern and focus on the digital world, CEOs or CFOs (for all companies) could stand to improve their understanding of cyber security and how to better align business goals to IT. Many of the other failing grades can be attributed to the type of companies or roles in which they occur: CFOs know tax but CEOs do not. All entities think their CFOs are ready for IFRS, except for not-for-profits. And, finally, perhaps indicative of ownership/management styles, private equity-owned companies do not believe that their CEOs have a strong understanding of broad-based risk assessment.
Despite the range of knowledge, one thing is clear: To adequately manage operations and address risk and the ever-changing environment, executives today must make education and professional development a priority — not only for their teams, but themselves.
The recent uptick in research and news discussing the benefits of women on boards led us to add this new dimension to our survey. Surprisingly, 20% of boards have not officially engaged in discussion around women or diversity. Of those that have discussed it, just over 10% felt that women on boards had no impact and the issue did not warrant any further action.
The outside research shows clear benefits, including reduced restatements, overall fiscal responsibility, etc. However, this may simply reflect forward-thinking boards that are paying more attention to a variety of details. It is also possible that the women being recruited are so carefully scrutinized that they are bringing the necessary level of insight and expertise to raise the boards' performance. Maybe, as the Grateful Dead have surmised, "that's right, the women are smarter."
RISKS DRIVING CONCERN
In framing our survey, it is important to begin by understanding the risks at the forefront of directors' concerns.
Since we began this survey four years ago, reputational risk has increased 19%, to become the primary concern of boards. It is close to 20% higher than every other issue. In spite of increased regulatory scrutiny every year, compliance, while still consistently garnering concern from close to 60% of the respondents, is taking a back seat to reputational risk. Cyber security is a growing concern, likely due to its connection to reputational risk. In light of previous years, concern about CEO succession planning has decreased.
After making their selections, respondents were asked why these areas were of most concern to boards. The responses showed understanding that reputation is difficult to build, but important to maintain. In addition, the answers demonstrated that whether a product or service business, public perception is a fragile asset. Here are selected responses from the directors:
- It's the most critical asset
- Our brand is everything. Also, in financial services, setting right an error can be expensive.
- My companies have significant brand recognition which has to be protected and enhanced
- [My company] has a superb brand name in the energy industry and we work diligently to preserve it.
- As service entities, loss of reputation is greatest
- Reputational risk and cyber security/IT risk seem to be two of the underserved risks that can lethally threaten an organization
It is clear that reputational risk is a dominant concern — and links to many other issues and more "tangible" concerns.
When asked to identify the top three reputational risks, the majority of responses could be assigned to the following categories:
- Product quality/liability/customer satisfaction
- Public perception/brand
In addition to reputational risk, regulatory compliance is another top concern for directors. Specifically, more than half of the directors were concerned or very concerned about accounting standards and tax.
While accounting standards have always ranked highly, for the past two years, only 20% or so of respondents identified tax as "of concern" to their boards. This year, that number increased to more than 60%.
"In light of recent FCPA issues and the efforts required to comply with the conflict minerals reporting requirements, more and more companies are reaching out to their supplier community and other significant stakeholders to work jointly on issues of ethics, and compliance."
Peter Bible, CPA
Chief Risk Officer
"The FASB Convergence Standards [for Revenue, Leases and Financial Instruments] will represent some of the most pervasive standards issued by the board. More importantly, these standards will be principles-vs.-rules-based, which will create a need for audit committees to understand management's judgments, estimates and assumptions more so than today."
Peter Bible, CPA
Chief Risk Officer
There is clear concern about the pending new guidance around revenue recognition, lease accounting and financial instruments. This is also reflected in the significant jump in concern surrounding accounting standards and tax. Dodd-Frank is also clearly on the radar for more than half of the respondents.
While energy and the JOBS Act gain a lot of media coverage, they are of lesser concern to most boards. Additional comments from the directors participating in this survey indicated a surprising lack of knowledge of the details and scope of the JOBS Act.
The relevance of the other issues identified was highly dependent on the type of boards on which the directors served:
"Over the past few years, the not-for-profit sector as a whole has been increasingly challenged by a growing need for its services at a time when funding has become more difficult to obtain. Regulation and scrutiny of the sector continues to tighten and as 'unrestricted' or administrative monies are harder to obtain, many of these organizations are 'doing more with less.' The risks are obvious and far ranging. They include a decline in financial controls, an inability to address current economic issues, and an inability to strategize for future opportunities. This trend is made further worrisome by the increasing retirement of top leadership in the sector. These are obviously areas of concerns for the board members of these organizations."
Julie Floch, CPA Partner-in-Charge, Not-for-Profit Services Group
Risk may be addressed through different approaches and the use of entities within and outside an organization. Their roles and performance may drive the success of risk mitigation.
While all of the respondents clearly lean towards a favorable view of how risk is being addressed by the entities above, one individual explained "there may be 'room for improvement' even if things are not 'poor.'"
Many comments focused the effort on the management team — the right personnel (and their knowledge/competence), strategic planning, and/or ongoing discussion of the top risks. Additionally, a number of board members touted the enterprise risk management function and related programs — whether existing or planned.
Interestingly enough, one director mentioned "public input" — a strategy few, if any others, seem to have explored at all. Another director said "Boards are focusing too much time and effort to financial risk and CEO 'single-point' of information."
The breakdown among the directors serving on different types of boards becomes useful in understanding how the boards and organizations function in relation to risk identification:
Last year's survey indicated close to 80% of boards were using internal audit to address identified risks. This year, we inquired as to the value of internal audit in identifying risk:
However, internal audit, on average, has a far more significant impact managing risk for directors of public companies:
"Considering private equity-owned companies are geared towards medium term exits, including IPOs, it may be prudent to more closely emulate public companies' use of internal audit. Despite this finding, behavior dictates internal audit will likely become more important to these entities as they get closer to an exit."
Steven Kreit, CPA
This is something both private and private equity-owned companies may want to consider in strategic planning — especially when you consider the changes being proposed to internal audit functions, by each type of organization:
Directors involved with public companies, relying heavily on internal audit for protection, continue to invest the most in its growth.
Risk is managed differently by every company. One of the more widely discussed, commonly accepted tools is an ERM program. However, the low level of implementation of these programs is significant:
Public companies, overall, were 10% more likely to have comprehensive, fully implemented programs — and were about 10% less likely to be without any program.
In addition to addressing risk, directors are concerned with a number of strategic topics affecting their companies. Of the overarching topics identified, strategic direction continued to be the most important issue; issues like finance and mergers and acquisitions depended heavily on the type of organization:
There has been a significant decline in the steadily waning interest in mergers and acquisitions, with the exception of public companies — where it has risen. And, while commercial real estate regained some traction, it continues to garner the least attention for investment.
These opportunities, however, were more clearly understood when viewed by the type of board on which the directors serve. That being said, social impact was of relatively low concern across all boards — despite the attention it draws in the media.
"Organizations, whether public, private, not-for-profit or private equity-owned, are challenged with addressing key risks on a continuous basis, beginning with the board and C-level suite. Clearly, they seek improvement through their communication forums and committees. Those with ERM programs are finding better communication and accountability amongst the management team and other key members of the organization, while being able to more efficiently advance the strategic and operations objectives of the organization."
Jim Mack, CPA Consulting Services Group
Considering the range of issues that impact organizations, the knowledge of the functional leadership, in addition to the directors, can have a tremendous effect on the implementation of the strategy set by the board and the management of identified risk. Everyone may know what risk-based issues are important, but do the CEO and CFO understand them and know how to address them?
For example, earlier in this report, cyber security rated in the top three concerns. Yet, it was one of the topics on which CEOs and CFOs were least knowledgeable. (Perhaps most interesting in today's environment was one director's statement: "…most fellow directors cannot spell IT.")
Considering our 2011 survey indicated that directors were increasingly (73%, up 10% from 2010) turning to company management to better understand the issues facing the organizations, it is clearly of value for CEOs and CFOs to have a strong grasp and deep understanding of the operational concerns related to risk.
"Quite simply, director education is more important than ever. Directors that keep fully abreast of the latest governance issues and research pertaining to risk prevention and mitigation will clearly come out ahead in 2013 and for years to come."
Christopher Y. Clark, Publisher
NACD Directorship Magazine
While the breakdown among directors serving on different types of companies may provide insight to operations and functions, it continues to beg the question of who is taking ownership of these issues on a daily basis and are they really suited to do so?
WOMEN ON BOARDS
In November 2012, Melissa Korn of The Wall Street Journal blogged on a commonly discussed topic: women and diversity on boards. This time, she made a bold statement. "But it turns out that even the smallest step — adding a single woman director — correlates with positive results. New research shows that firms with at least one woman director are significantly less likely to restate quarterly or annual earnings than are companies with an all-male slate of directors — 40% less likely, researchers say."1
Gender diversity's value in mitigating financial risk is only further supported by a study detailed in "The survival of newly-incorporated companies and founding director characteristics"2 published in February 2013. According to the findings by a team led by Nick Wilson at Leeds University Business School in the UK, newly incorporated companies with one female director have a 27% lower risk of becoming insolvent than comparable firms with all-male boards. The effect decreases as the number of female directors rises, suggesting that what matters is diversity rather than the specific number of women on the board.3
Despite the research-based arguments for improving diversity, the number of women holding corporate board seats at Fortune 1000 companies grew just 1% in a year (to 15.6%). The directors participating in this research weighed in on their experiences with gender diversity.
"Many boards today work hard to achieve diversity. Boards that have successfully integrated diverse board members have greatly benefitted from their contributions."
Charles Weinstein, CPA
Chief Executive Officer
The opportunity to provide "other" comments solicited some responses that may have been expected. For example, the boards on which the directors serve…
- Already have (a parity or substantial number of) women on the board
- Have a female chair
- Are currently adding women
- Select people based on competence, not gender
- Value all types of diversity
- Added women and immediately saw the benefits
When looking at the different types of companies, it was clear that private equity-owned companies are far behind their counterparts: Of those companies that have discussed diversity, only one-third of directors serving on private equity-owned companies indicated their boards took action; approximately half of directors serving on the boards of public companies, private companies and not-for-profit organizations have taken action. However, the disparity in this industry is not something new: It was observed and the subject of an article at the end of 2011 that private equity and venture capital (as well as finance in general) lack powerful, female leadership.4