Taking Control of Your Company

Advice for board members on creating effective business controls

(Robert J. Stuckey and Kenneth Carlton Cooper, The Corporate Board, November/December 2002, Vol. XXIII, No. 137, pgs. 14-18.)


We’ve all been driving down the highway during rush hour and inched past a multi-car fender bender thinking, “Thank goodness that’s not me.” Still, we subconsciously take the accident site as a warning and slow down a bit to create a bigger safety margin between our car and the one ahead of us.

It’s been like that in looking at recent headlines in the major business publications and Web sites. There are these strings of financial wrecks strewn across the business landscape. As we read about them, the feeling at first is one of relief at not being entangled in one of these situations. Then the uncomfortable question pops up, “I wonder if this could happen to me?” The answer is that it’s probably already happening to some extent in your company, although hopefully something short of a “multi-car pileup.”

This is not to say that you have fraud or deception to be ferreted out. Purposeful deception is a matter of ethics and behavior, not processes and performance, and is a topic for a different article. Because of control problems, even honest and hard-working companies with sterling reputations are getting hammered in the market. For example:

  • A leading automobile manufacturer had to write off $1 billion in excess commodities because the R&D department didn’t talk to the purchasing people. They lost nearly one-fourth of their market capitalization when this was announced.
  • A simple keystroke error at a large investment house cost the company $6 million.
  • Hotels and airlines have lost hundreds of thousands of dollars and taken major PR hits honoring ludicrously low rates that were erroneously posted to their e-commerce sites.
  • Supervisors at a public agency were using their procurement credit cards to buy lap dances at the local watering hole.
  • A major telecommunications company was fined $27 million for mishandling DSL service orders.

The list could go on and on. While the reasons for these incidents vary, the underlying problem is more than purely financial. These are really business control issues, i.e., mismanagement of people, processes, assets, and liabilities. Organizations today are incurring needless major expenses because their business is out of control. Our research suggests that improving business controls is the fastest way to put money back onto your bottom line. The questions are how to do it and what the role of the board is in improving business controls.

Who’s responsible?

Effective business controls are not just the responsibility of finance, accounting, or internal audit. Thinking that effective business controls will come from these departments generates a false sense of security. Every company generating lurid headlines today had these departments in place and working.

It’s also easy to blame supervisors and middle management since they’re doing the work and producing the numbers. Yet in most organizations, these managers have never received so much as one minute’s training on controls.

Since the Enron, Global Crossing, and WorldCom debacles, attention and blame have primarily focused on the roles of the CEO and CFO. Your two leading executives must now attest, under penalty of law, that your financial statements are accurate. The government’s attitude is, “Who cares how they do it? They either figure out how to get it done right or they get punished.”

So how does control get accomplished and whose responsibility is it?

You have been fortunate so far—no one is threatening to fine or jail the board. Although your CEO’s and CFO’s personal necks are now on the line, the ultimate responsibility for ensuring that business control is in place is at the board level. Control starts at the top. This requires that board members address two concerns:

What do I need to know and do in order to be an effective contributor to the company’s control structure?

How can the people who operate my company know how to assess control status, design and implement controls, prevent control problems and costs, and report accurately on a timely basis?

Let’s look at each of these questions step-by-step.

Improving control at the board level

Here’s what you need to do first:

1. Increase your involvement in asking the right, salient, probing, and detailed business control questions both during the year, and during the audit committee’s review of the annual report’s Management’s Discussion and Financial Results prior to the annual report’s issuance. For board members not on the audit committee, questions are still appropriate and can be asked of the audit committee members. All the board members have a stake in the financial portrayal, not just the audit committee.

2. The audit committee should be composed only of outside directors who have adequate training and experience in finance, accounting, and auditing. For the audit committee’s review of the annual report, there should be an active exchange among board members and the CEO and CFO. The external auditor and the head of internal audit should be present. Support material for the meeting should be made available to board and audit committee members at least one week in advance of the meeting. The audit committee meeting notes should be made available to the entire board at the conclusion of the audit committee meeting.

3. Increase your involvement in making sure that compensation packages for all employees have controls built into them that discourage or penalize gamesmanship. For example, an executive bonus on revenue attainment might be segregated properly by tying in corresponding measures on credit levels. Building controls in, versus building them on after the fact, avoids problems and embarrassment for senior management.

4. Insist that the chairman of the board and CEO be different people. While this is not popular in the United States, it is common in Europe. This is an important segregation of duties. While the CEO is being rewarded for achieving business results, sometimes the seeking of rewards can cloud judgement on protecting shareholder interests.

Resist the CEO’s argument that this added layer will slow down critical business decisions and will be costly to the company. Keeping the CEO separate from the chairman removes a potential conflict of interest control issue. Someone has to be solely concerned with the company’s long-term health versus short-term results that generate a quick personal payoff.

5. Be alert to potential control exposures and make plans for prevention. Our research has identified six "Out-of-Control Incubators" that supply the equivalent of a warm place, light, moisture, and nutrients for small control issues to grow into big problems. The incubators are:

  • Traditional tree-structure reporting that creates “silos”
  • New IT systems implementation/integration
  • Restructuring/reorganization
  • Downsizing
  • Outsourcing
  • Merger/acquisition/divestiture

When any of these incubators exist, there are changes in the control environment that must be addressed. The first two incubators are ever-present in most organizations. The remaining four are trigger events. Recognizing these incubators allows you to prevent control problems before they occur, rather than react to them after the Wall Street Journal has received a tip about your problems.

6. Review your formal damage control process to ensure that situations do not reach the critical “crash” stage. Minor, seemingly inconsequential control events (i.e., a “fender bender”) left unattended can escalate into embarrassing or fatal situations that reflect not only on senior management but also on the board. For example, an improper tax rate (off by only .004 percent) in the computer system of one major retail auto parts company turned into a $5 million problem twelve months later.

Senior management may take the position, “This is an operational issue (i.e., quality, financial, human resource, environmental, etc.) that is immaterial to the total company and will be handled internally.” Insisting on monthly status updates on all control problems under study can keep issues to the forefront and prevent them from evolving into a big surprise at year’s end.

Make certain you get accurate information

The next challenge is to make certain that you are receiving the right data. Here’s how to accomplish that:

1. Insist on having the company’s external auditor changed every two years, even if government regulators or legislators don’t ultimately mandate it. The longer your auditor is with you, the less “external” it becomes. You can’t expect a long-time auditor to self-tattle on previous years’ engagements and impair the client relationship with you. There’s too much audit income at stake.

The standard argument against changing external auditors is that it is too costly. Consider that the Enron, Global Crossing, and WorldCom debacles were certainly far more costly than changing auditors.

2. Have unrestricted, direct access to internal audit department reviews without filtering by senior management. Board independence requires not being impeded by politics. Candid discussions with internal auditing during the early stages of any of the six incubators can either effectively minimize or prevent an issue.

3. Make certain that all managers in your company know what their control and reporting responsibilities are and have the skills to meet them. Add “business controls” to the list of company core competencies, and insist on having all levels of management capable of designing and implementing effective controls—regardless of the tenure or position of the manager. You must eliminate the excuse, “I didn’t know.”

4. Provide for employee risk-free notification of any control or reporting problems. Create a formal business controls hot line monitored by an independent third party, with details fed unabridged to the board, CEO, CFO, and the legal department. Mandate detailed quarterly reviews by the CEO and CFO. This communication channel is particularly important if any of the six incubators are present.

The common theme to these reporting recommendations is that governance needs formal assessment, open communications, and cross-checked information. Someone has to be looking at the whole picture, and from an independent viewpoint.

Best practices for business control

The final board responsibility is to make certain management institutes a best practices control process.

A dedicated business controls focus is necessary both to minimize the avoidable costs of out-of-control problems and to mount an active defense for honest mistakes in the reporting process. Because of the new legislation, your CEO and CFO need to be able to show that your company has done everything possible to control the business and accurately report results. Any errors that occur can then be shown to be the result of incorrect interpretation of regulations, unintentional mistakes, or individuals’ malfeasance. Here’s what is required:

1. Let everyone know “you really mean it.” Business controls must be added to company-wide beliefs, value, culture, and behavior statements, and specifically addressed in annual reports, management manuals, policy manuals, hiring documentation, and so on throughout your company. Management, employees, partners, investors, and analysts must understand that this is a major cultural shift, not just a knee-jerk response to the latest reporting crisis or legal requirements.

Companies are already implementing pieces of these best practices, and are actively promoting these moves with press releases and interviews. Publicize and communicate your control initiatives, and confirm your commitment to reducing costs and providing accurate information.

2. Establish business controls as a new core competency. Add it to managerial competency models, job descriptions, performance plans, appraisals, and coaching forms. Mandate management and supervisor training on business controls, with testing required for successful completion. Over the long term, provide business controls refresher training sessions—much as you currently do with hiring rules or sexual harassment.

3. Add business controls considerations to acquisition analysis, decision-making, and project management processes. This includes expanding analysis or decision forms or evaluation models to include a controls section, and adding business control development steps to project management templates. Checklists based on the business controls training can be used to help all decision teams assess risk and develop effective controls structures.

4. Create a dedicated business controls function reporting directly to the CEO. As you’ve seen, business controls cannot be addressed completely by line management, finance, internal auditing, external auditors, or outside consultants. With the CEO and CFO now personally at risk, and with the above board reporting recommendations, a dedicated business controls function is required. The primary purpose of this function will be to lead a business controls cross-functional team.

5. Establish a business controls cross-functional team. Business control is a company-wide task that works across functional departments and individual processes. For example, procurement cards reduce purchasing’s workload, but dramatically increase tax accounting complexity. And that automotive company’s R&D department figured out how to reduce catalytic converter palladium requirements to one-tenth previous amounts while purchasing was locking in a future supply at the old run rates. Someone has to be looking at the whole picture.

This team’s mission is to perform control assessments and to deal with the issues created by the six incubators. The primary goal is prevention rather than remediation. (“You know, R&D and purchasing aren’t talking to each other. I wonder what the ramifications are?”) A secondary goal is to resolve problems. (“That’s the second ridiculously low rate we’ve had to honor on our e-commerce site. What does it take to stop that from here on out?”)

This is not the “controls police,” but is instead a small group focusing on the overall controls status of the company, and positioned to address specific pain point issues or general assessments from a global viewpoint. This team must have direct access to the CEO and CFO, and should provide quarterly updates to the board.

The team should be made up of very strong, high-potential, fast-track managers from the major groups within the company. While membership on this team is not a full-time job, it could be half-time or more at times of major change. This is a highly visible team with great impact on the company’s success. Your future top leaders and global thinkers may well come out of this team.

6. Formally communicate control problems and resolutions. In-control organizations don’t bury their mistakes; they learn from them. They reinforce a “don’t fix blame, fix the process” culture that is required for continuous controls improvement. This means formally sharing control successes, errors, and problems across the entire company to all stakeholders who can affect controls—employees and partners alike. It’s similar to the FAA sending crash analysis data to all licensed pilot instructors. The goal is to fully understand what happened and prevent a reoccurrence.

This public reporting requires an extraordinary capability to be candid about operations, and must be supported by a “learn vs. punish” culture. And it’s another reason why there needs to be an independent business controls function that can sit outside traditional departments and vendor relationships and analyze controls performance.

7. Follow up on control issues. How many times in your career did you hear someone remark, “We waste sooooo much money around here!” Lots of companies recognize problems. Some of them even do something about them. The business controls team is not just another committee to be stifled by the internal political shark pool. Assessments are completed, controls are designed, and solutions implemented.

In addition, controls are reevaluated as required. Control is not an implement-and-forget process. A control environment is continuously shifting as processes and people change. Also, tightening up one control often exposes another risk. So business controls is often a process of attacking the next weakest link in the controls structure—similar to continuous quality improvement.

8. Formally certify that managers understand the requirement for business control in their workgroup and that they are following company policies and practices. This is an important requirement in protecting your CEO and CFO.

Have managers sign that they have been trained in business controls practices, and will accurately report their activities and business results. This can be done by making business controls a part of the company policy manual that is reviewed and signed annually, or could consist of a special form that is placed in managers’ personnel files. This, together with business controls training attendance records and test results, establishes that abuses are the result of individual action and not company-condoned activities.

9. As mentioned previously, establish a tips hotline for any employee to report control concerns. Again, the key features are an outside administrator, and reports going to the board, CEO, CFO, and legal. Regardless of the call volume, you want to be able to assert that you have made every effort to encourage notification of any controls or reporting irregularities or problems.

These best practices ensure that your company is doing everything it can to support this typical CEO’s statement in the annual report:

“The company maintains an internal control structure intended to provide, among other things, reasonable assurance that its records include transactions of its operation in all material respects and to provide protection against significant misuse or loss of Company assets.”

Delivering shareholder value in a socially responsible manner through effective governance is challenging to both the board and the senior management team. Successful companies always run the risk of complacency. One of the first symptoms of complacency is the breakdown in the traditional controls which have helped the company become successful.

As the board evaluates future plans, business controls should become a standard component to any new strategy. Just as specifications are listed for a new product rollout, building, or marketing program, controls specifications are needed. Assuming that existing controls will continue to be effective in a changed environment creates a false sense of security.

Bottom line … Business controls is a new core competency. It is part of everyone’s job. Maintaining adequate control requires a thorough approach and dedicated resources. The alternative is to end up in a long line of crumpled cars, with everyone else inching past looking at you.


About the Authors …

Robert J. Stuckey is the managing partner of BizControls Solutions. He has lectured and consulted worldwide on business controls, and has over 25 years experience as a finance executive.

Kenneth Carlton Cooper is a partner in BizControls Solutions. He has consulted on organizational development and process improvement since 1976, and is the author of The Relational Enterprise (AMACOM 2002) and Effective Competency Modeling and Reporting (AMACOM 2000).

BizControls Solutions is a St. Louis, Missouri USA based consulting firm specializing in business controls assessment, consulting, implementation, and training.


All companies, brands, products, and services mentioned in this Briefing are the trade names or registered trademarks of their respective owners.

Information in this report was obtained from sources BizControl Solutions believes to be reliable.

BizControl Solutions disclaims any and all warranties as to the reliability, accuracy and adequacy of such information, and BizControl Solutions shall have no liability for the inclusion or exclusion of information. BizControl Solutions may, without notice, change expressed opinions. Use of this report to achieve desired results is the sole responsibility of the reader.


  © BizControl Solutions, 2002, 2003, 2004.
     16 Oak Park
     St. Peters (St. Louis), Missouri 63376
     U.S.A.
     (314) 706-2740