More diligence is required to protect board members in the wake of a crisis, suggests a new white paper prepared by Osler, Hoskin & Harcourt LLP for the Institute of Corporate Directors (ICD).
Based on a survey of 400 Canadian directors (ICD members), director roundtable meetings and a cross-country series of panel discussions, the paper released this week indicates 50.6% of respondents fail to review directors and officers (D&O) indemnity agreements annually, and 44.7% of those surveyed fail to have D&O insurance policies reviewed annually by an external advisor.
Crises, of course, can range widely and can take many forms: from terrorist events to natural disasters, computer hacking, the unexpected illness or death of an organization’s leader or a damaging video or comment posted to social media about the organization’s business practices or ethics. “Regardless of the cause, crises have the potential to unleash a great deal of damage in a very short time,” states The Board’s Role in Crisis Management.
The white paper reveals important governance issues that need to be addressed by board and management, suggests a statement from Osler, Hoskin & Harcourt. “A crisis is a litmus test for effectiveness of a company’s reputation. And the skills, commitment and judgment of management and the Board of Directors will determine how well the enterprise weathers the storm,” the firm points out.
Osler, Hoskin & Harcourt reports that findings suggest overarching confidence expressed by directors is at odds with survey data in some key areas.
Consider that while 66.9% of respondents report having a formal crisis response plan and 79.3% believe their management teams have the skills to handle a sudden crisis, just 29.3% of respondents state they were “comfortable that [their] enterprise risk management system has identified the material risks of the business” (40% were moderately comfortable and almost a third was “somewhat,” “not very” or “not at all” comfortable).
Even worse, the white paper states, was the admission by 40% of respondents that “our enterprise risk management system only ‘somewhat’ considers the interdependencies of risks and the compounding effects of two or more risks occurring at the same time.”
Beyond that, 20% of those taking part say they do not receive enough information to oversee management generally.
“Should a crisis hit, 53.2% of directors expect to rely on existing company advisors for advice to both the company and the board,” the Osler, Hoskin & Harcourt statement notes. That said, just slightly more than a quarter of respondents (27%) admit they do not have, or do not know if they have, a succession plan in place.
“Effective board stewardship of crisis management requires oversight of a rigorous enterprise risk management system, promotion of a culture of integrity and transparency and approval of crisis management plan,” Andrew MacDougall, governance advisory partner for Osler, Hoskin & Harcourt, says in the statement.
“In our view, heightened priorities should be to safeguard reputation and culture and to identify necessary tools and resources,” MacDougall continues.
Other findings in the white paper include the following:
although a solid whistleblower program is key to building a culture of integrity, only 30.9% of respondents were very confident in the effectiveness of their whistleblower program and only 17.5% are very confident employees perceive the program as useful for raising potential concerns;
over 75% state crisis management was important compared to other board responsibilities, with 42.3% rating it as very important and 35.8% rating it as moderately important;
over 83% cite reputation risk as an important material risk to the organizations they serve; and
though a high proportion of respondents view reputational risk as very important, only 24.6% regard social media as being a key material risk.
“Surprisingly, only 57% of the directors who had served on the board of a company that experienced a crisis reported making any change to the company’s risk management systems in response to the crisis,” states the paper, adding this “raises questions about the rigour or frequency of the post-crisis assessments.”
When a crisis hits, the paper notes the organization’s ability to side-step disaster will be determined by the effectiveness of its response. “The reputation, skills, commitment and judgment of its management and Board of Directors, along with the quality of support by their advisors, are crucial.”
A formal risk enterprise management system does not capture all risks that can lead to a crisis. “A board needs to be alert to early warning signs of a potential future crisis. The board needs to be able to spot signs of management complacency, over-optimism or blinkered thinking that might allow a budding risk to develop into a crisis,” the paper cautions.
The following actions are recommended:
consider whether or not the organization’s practices for identifying and managing risk are sufficiently robust;
assess whether or not management is taking appropriate steps to maintain or enhance the organization’s culture and reputation;
approve a formal crisis management plan prepared by management; and
view oversight of crisis management as an ongoing aspect of their mandate.