Corporate governance after 2002
The purpose of this chapter is to consider who should have been responsible for keeping an eye on the value of assets in which Lehman Brothers chose to invest heavily, and on its risk management procedures. Lehman's board, like any other board, would have been expected to monitor the company in accordance with corporate governance requirements. The first question therefore is: what exactly was the Lehman board expected, indeed required, to do? The other two questions are considered later in this chapter. They are: was the board capable of carrying out its duties? Did the board actually meet the corporate governance requirements?
As corporate governance in the USA (as in other countries) continues to evolve, this description of corporate governance refers only to what was in force at the time. This is not as simple a task as it might seem. The sources of corporate governance law and regulation are state corporate law (mainly Delaware, since over half of US publicly traded companies are incorporated there); the federal Securities Act 1933 and the Securities Exchange Act 1934, and regulations of the Securities and Exchange Commission under those Acts; stock exchange listing rules (mainly the New York Stock Exchange (NYSE) and the NASDAQ); the Federal Reserve and other federal and state agencies with respect to banks and other financial institutions and the Sarbanes-Oxley Act 2002, amongst others.
Because of the federal system of US law, these different sources of law are not always harmonised and corporations are often subject to different obligations to federal and state governments, as well as regulators at each level of government. This mosaic of rules and regulations, and the various authorities and mechanisms by which they are implemented and enforced, make for an environment of frequent change and evolution.1
That is certainly an understatement. The patchwork leads to confusion. It is entirely unclear which set of rules takes precedence over the others, where they conflict or appear to conflict. To an outsider that is a key question, yet that is not necessarily the case in the USA, where they are accustomed to the existence of more than one regulator at federal level and regulation at state level.2
The scandals leading to the Sarbanes-Oxley Act
Reforms in corporate governance were introduced with the Sarbanes-Oxley Act, after the major accounting scandals involving Enron and WorldCom emerged. Enron's reported revenues grew from under $10bn in the early 1990s to $139bn in 2001. The firm had invested heavily in broadband at the peak of the dot.com boom, but falsified its accounts, so that the losses were apparently occurring to ‘independent’ firms called ‘Raptor entities’. Raptor had apparently agreed to absorb Enron's losses. Raptor entities were simply accounting contrivances, created and controlled by management. Once all was revealed, 80 per cent of Enron's profits since 2000 vanished. The Enron scandal was quickly followed by another, WorldCom. The company announced that its recent financial statements would have to be revised, after accounting irregularities came to light on 25 June 2002. The company had discovered errors amounting to $3.8bn in its accounts, which meant that it had net losses for 2001 and for the first quarter of 2002. Other companies, such as Tyco and Adelphia, were found to be weaker than appeared at first sight, because their executives had indulged in self-dealing transactions or had taken too much out of the company. On 28 June 2002, the SEC called for the CEOs and CFOs to personally certify in writing and under oath the accuracy of their recent annual and quarterly financial statements, thus making them personally liable. The SEC's action applied to the 947 largest publicly listed companies in America. Congress responded to the public outrage, and the result was the Sarbanes-Oxley Act.
The Sarbanes-Oxley Act 2002 introduced a number of changes related to corporate governance, which formed the basis of corporate governance until further changes were introduced following the financial crisis. Many of these related to the appointment of auditors, the processes of auditing and the presentation of financial data. It was thought that audit firms might become (or had become) too closely involved with the companies they audited, so changes in the relationship between auditors and their clients were introduced.
For the first time, auditing firms were prohibited from providing non-audit services to their clients, apart from tax compliance. Audit firms were required to disclose information about their operations for the first time, such as names of clients, fees and quality controls.
The audit committee of the board, composed of independent directors, became responsible for the appointment, compensation and oversight of the external auditor, rather than management. The Act also required lead audit partner rotation every five years instead of seven. Firms must have a system of internal accounting controls, which management is required to fully disclose and which the external auditors are obliged to test and evaluate.
- The Act clearly defines and places the responsibility for a company's financial statements on the CEO and CFO.
- Companies must certify (amongst other items) that they have reviewed each annual and quarterly report.
- Based on their knowledge, the financial information is fairly presented and does not include any untrue statement of material fact, or omit a material fact that would make the financial reports misleading.
- Companies must acknowledge their responsibility for establishing and maintaining internal controls over financial reporting and other disclosures.
- Companies must have evaluated the effectiveness of these controls, presenting their conclusion as to their effectiveness, and disclosing any material changes in the company's controls.
- They are responsible for maintaining ‘disclosure controls and procedures’, to make sure that they have all the relevant information, especially during the time in which a quarterly or annual report is being prepared.
The Act established other important investor protections:
- Companies must provide enhanced disclosures in annual and quarterly reports regarding material off-balance sheet transactions, arrangements and obligations.
- Companies must report material changes in the financial condition or operations of the company on a rapid and current basis.
- Board members of public companies, officers and investors who own more than 10 per cent of the shares must file reports specifying the number of shares bought or sold within two days of the transaction.
- Board members and executive officers of public companies are prohibited from trading shares during a specific ‘blackout period’ before and after earnings reports or when other material results are disclosed.
New York Stock Exchange listing rules
The Act led to the introduction of new rules for listed companies on the New York Stock Exchange. These include the requirement for boards to have a majority of independent directors on the board, with a stricter definition of ‘independence’. NYSE's Corporate Governance rules3 state that a director is not independent if he has been an employee of the company during the past three years, holds a senior position with a company which carries out a significant amount of business with the company concerned, or if he is involved with a charity which receives substantial sums from the company.
The board must establish three committees: an audit committee, a compensation committee and a nominating committee, composed of independent directors. All members of the audit committee must be financially literate, and must include at least one financial expert.4 In addition, each committee must publish a charter setting out specific tasks and powers of the committee.5
The NYSE amplifies the duties of the audit committee. It should discuss critical accounting policies and practices, alternative treatments of financial information under GAAP, and any accounting disagreements and other relevant written agreements between the auditors and management with the auditor and senior management. The audit committee is also required to receive and deal with any complaints about accounting, internal control and audit, and also to provide any employee the chance to make confidential and anonymous submissions about accounting and audit matters. This followed the collapse of Enron in 2001, following the revelations made by Sherron Watkins, then a Vice President of Enron and head of internal audit. She also revealed the contents of anonymous complaints from other employees.6 These events were the background to the rules concerning whistleblowers introduced as part of the Act.
The full board of directors delegates the financial oversight responsibility to the audit committee, but both have a duty of care to the company and its shareholders, which means that the board members must be duly diligent and must act in good faith. For audit committee members the duties are more onerous. They must be fully informed, have a thorough understanding of the company's business, its risks and critical accounting policies, attend regularly, and proactively engage in discussions with the management and independent auditors. They must make sure that the company has an adequate system of internal controls and be able to monitor red flags as well as overseeing the integrity of financial reporting. Section 301 of the Sarbanes-Oxley Act added a new section to the Exchange Act covering these issues, so that by 26 April 2003, the SEC had to, by rule, direct the national securities exchanges and NASDAQ to prohibit the listing of securities of any company, including foreign companies that did not meet these requirements.
The SEC welcomed the Act and had completed most of the rule-making within six months and all of it in under a year, so that by 2004 the largest companies were fully subject to all the new regulatory requirements of the Sarbanes-Oxley Act. It was especially welcomed by the SEC as it strengthened the enforcement of federal securities laws. It added a number of new weapons to the Commission's enforcement arsenal, in particular section 1103, which enables the Commission to seek a temporary order to escrow extraordinary payments by an issuer to its directors, officers, partners, controlling persons, agents or employees whilst they are subject to a Commission investigation.7 All the Sarbanes-Oxley requirements for audit committees were adopted by the Commission and applied to the stock exchanges to prohibit the listing of any security of a company that has not met these requirements. It seems that at that time, not only the Commission but many others involved in the capital markets believed that these new rules would mean that the news headlines would no longer be ‘dominated by reports of financial fraud, lapses in audit and corporate governance responsibilities and intentional manipulation of accounting rules’.8
In assessing the extent to which the board and the senior management of Lehman Brothers can be held responsible, the Examiner turned to Delaware law, since Lehman was incorporated there. The Examiner's conclusions are set out in the next section.
Corporate accountability under Delaware's General Corporation Law
This statute states that, ‘The business and affairs of every corporation … shall be managed by or under the direction of a board of directors.’9 The corporation law of all other US states also assigns corporate managerial power to the board of directors. Its meaning is determined by case law. One of the key cases is Caremark International (1996), which held that the board of directors' duty of oversight includes a duty to ensure that ‘appropriate information and reporting systems are in place so that the board has access to timely, accurate information to ensure corporate compliance and business performance, but the level of detail is a matter of business judgement.’10
The judgement in this case seems to suggest that when evaluating a company's management systems and controls, the board or audit committee should test and challenge these systems, rather than just relying on the auditors' and management's reports to identify any deficiencies. Previous case law accepted a presumption of business regularity and did not require affirmative obligations on directors where there were no reasons for suspicion. The judgement in the Caremark case nevertheless indicated that directors are able to fulfil their duty of monitoring by making a good faith, reasonable effort to implement an adequate reporting system. The SEC, however, concluded in another case that ‘an officer or director may rely on the company's procedures for determining what disclosure is required only if he has a reasonable basis for believing that those procedures have resulted in full consideration of those issues.’11 The latter is a more stringent requirement. Under Delaware law, the directors' civil liability is mitigated by the business judgement rule, due diligence defences, and by good faith reliance on the records of the corporation and upon such information, reports, statements or opinions provided by corporate officers, employees, board committees and professional advisors.
The implications of the ‘business judgement rule’ are set out by the Examiner. Valukas provides clear analyses of the interpretations of duties recognized under the law: due care, loyalty and good faith, as well as the ‘business judgement rule.’ This principle protects officers and directors from personal liability for business decisions that have resulted in financial losses to the corporation unless their actions have been proved to be grossly negligent. Noting that the ‘Delaware courts will not substitute their own judgements for those of corporate directors’, the Examiner details the presumptions and conclusions of a number of court cases relevant to the apportionment of blame arising from Lehman's bankruptcy.
The business judgement rule creates a ‘presumption that in making a business decision the directors of a corporation acted on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company’.12 Again under this rule, directors'
decisions will be respected by courts unless the directors are interested or lack independence relative to the decision, do not act in good faith, act in a manner that cannot be attributed to a rational business purpose or reach their decision by a grossly negligent process that includes the failure to consider all material facts reasonably available.
In other cases cited, the court considered that it was not per se a breach of fiduciary duty that a board of directors did not read a merger agreement but relied instead on a summary of the terms, and again that a board of directors could rely on an expert in making a business judgement and to rely on that opinion without necessarily evaluating the facts and the judgement independently.13
A member of the board or a member of any committee designated by the board of directors, shall … be fully protected in relying in good faith upon the records of the corporation and upon such information, opinions, reports, statements presented to the corporation by any of the corporation's officers or employees or committees of the board of directors.
The report must be germane to the subject on which the board is called to act. A later judgement stated that the ‘court will not substitute [its] judgement for that of the board if the latter's decision can be attributed to any rational purpose’.14 The business judgement rule does not protect the board for decisions involving fraud or illegality. Finally the ‘business judgement rule does not apply to director inaction. The appropriate standard for determining liability for director inaction is generally gross negligence’.15 One is tempted to ask exactly what the point of being a member of a board is, when no independent judgement, knowledge or research seem to be required.
Valukas then turns to an analysis of the business judgement rule as applied to officers, but given there are only a few cases in which breaches of fiduciary duty are brought against officers, he assumes that the fiduciary duties of directors and officers are ‘identical’ so that officers are protected by the business judgement rule when they act under an express delegation of authority from the board.16 But the rule may not apply when the officer fails to be informed about all of the facts relevant to the decision or without disclosing relevant information to the board or to the superior officer about the decision or when the decision is beyond the scope of the officer's authority. Then the officer's action may be thought to have been taken in bad faith and would then fall outside the protection of the business judgement rule. The rule does not provide any protection against fraud, or in the case of AIG, for materially misleading financial statements that overstated the value of the corporation by billions of dollars and made AIG appear more financially secure than it really was. The officers who participated in a sham transaction ‘violated their fiduciary duties by causing AIG to engage in illegal conduct’.17
The business judgement rule pretty much says that if you have process in place and you are acting – you are making a rational decision – you are permitted to do so. I would say that the issue wasn't necessarily just within Lehman as to what Lehman was doing so much as it might have been with regard to the regulators who need to be able to say to a business person, that might be a business judgement you are prepared to make, but we are not prepared to let you make that judgement.18
He also made it clear that the risk committee and its senior officers did not have a direct line to the board. It is interesting because the regulators, in this case the SEC, would presumably apply regulations derived from federal securities law or from other laws such as the Sarbanes-Oxley Act, and, if they were held to account under such regulations or laws, pleading the business judgement rule would not help. The board's failure, in his eyes, was due to the behaviour of Lehman's senior management in withholding information from the board and the regulators. In his testimony before a Senate committee, Valukas stated that: ‘If Lehman had earlier presented a fair and accurate picture of its financial condition, regulators and Lehman's board might have had a fighting chance to make a much-needed correction or arrange for a smoother landing.’19
Apart from the business judgement rule, the Examiner considered the place given to the duty of care in Delaware company law. The duty of care required of directors is a duty of informed decision-making. Exercising ‘due care in the decision-making context is process only’. Delaware ‘protects directors from personal liability to the extent their decisions are based on information provided to them by management.’20 Like many other Delaware companies, Lehman's certificate of incorporation provides:
A director shall not be personally liable to the Corporation or its stockholders for monetary damages for breach of fiduciary duty as a director; provided that this sentence shall not eliminate or limit the liability of a director (i) for any breach of his duty of loyalty to the Corporation or its stockholders, (ii) for acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law, (iii) under Section 174 of the (Delaware Corporation Law,) or (iv) any transaction from which the director derives an improper personal benefit.21
There have been very few cases testing the meaning of a duty of care, but in some cases the courts have held that failing to consider a proposed transaction with sufficient information, consideration or deliberation might constitute a breach of the duty. A director's duty of loyalty ‘essentially … mandates that the best interests of the corporation and its shareholders takes precedence over any interest possessed by a director, officer or controlling shareholder and not shared by the stockholders generally’.22 The duty to act in good faith is regarded as subsidiary to the duty of loyalty and apart from self-interested dealing, this duty imposes personal liability only on directors ‘who have handled their responsibility in a reckless or irrational manner’.
The Delaware courts also seem to establish a ‘duty to monitor’, which can be breached, following the Caremark decision, if (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls consciously failed to monitor or oversee the operations thus disabling themselves from being informed of risks or problems requiring their attention. The Supreme Court ruled that the emphasis should be on the word, ‘conscious’, or to put it in another way, ‘directors will be potentially liable for breach of their oversight duty only if they ignore red flags that actually come to their attention, warning of compliance problems.’ Directors' liability for the failure to monitor is strictly limited.23
The Delaware courts redefined the duty of care as a duty of loyalty, arguing that
where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith … To be able to hold a director liable for failure to monitor, the director's indolence [must be] so persistent that it [can]not be ascribed to anything other than a knowing decision not to even try to make sure the corporation's officers had developed and were implementing a prudent approach to ensuring law compliance.24
It also means that duty of loyalty claims do not fall under the protection of the law, as duty of care claims do. The bar for claims under the duty of loyalty with regard to monitoring what the company does is set too high, given that the picture of such an indolent director attending board meetings regularly seems improbable. He would have to face his colleagues at every meeting, and the ‘indolence’ would be clear to all. Both he and the rest of the board might fail with regard to a duty of loyalty because of a lack of understanding of the key issues and the presence of a strong and overbearing chairman who was also the CEO. Indeed, analyses of the impact of failures and weaknesses in corporate governance do not suggest indolence as the main or even a contributory cause. What the Examiner's analysis of corporate governance shows is that, for a company incorporated in Delaware, it is very difficult to find colourable claims against Lehman Brothers. The Examiner therefore concludes that ‘the conduct of Lehman's officers, while subject to question in retrospect, falls within the business judgement rule and does not give rise to colourable claims’.25 Lehman's directors did not breach their duty to monitor the company's risks.
The answer to the first question is that, given the mishmash of laws and regulations, it would not be too far off the mark to say that the duties and responsibilities of the board were not entirely clear for a company headquartered in Delaware. Furthermore, laws and regulations changed during the time some of Lehman's board members were on the board. It is good practice for companies to ensure that their board members are aware of changes in the requirements placed on boards, and to ensure that the structure and practices of the board are altered accordingly. There is no sign that Lehman ever considered educating the board about changes in corporate governance or about matters such as their use of derivatives.
Was Lehman's board able to carry out its duties?
In his testimony to the House Committee on Financial Services, Thomas Cruikshank, former chairman of the Audit Committee and member of the board since 1996, stressed that the Examiner found no ‘colorable claims against the independent directors’, and also that their duties were confined to ‘thoughtfully appointing officers, establishing or approving goals and plans and monitoring (a company's) performance’.26 He also refers to the large number of meetings between the beginning of 2007 and September 2008, over 80 meetings in all. He describes the range of management presentations to the board during that period, but says nothing about the frequency of meetings before 2007. Management presentations to a board require careful consideration and should be subject to rigorous questioning.
As directors, we took great comfort from management's reports regarding Lehman's risk management system, which was widely regarded as being among the best in the business … how the firm's CEO, President and entire Executive Committee took an active and leadership role in key risk decisions and oversight … how Lehman made decisions on large risk exposures by committee … The Board was further reassured by the size, structure and expertise of Lehman's Global Risk Management Group.
The board, however, rather than being reassured by the structure of risk management, should have asked what exactly were the views of the Risk Committee and the Risk Management Group on at least the major decisions Lehman took at that time, and what the differences of opinion were between the two.
Events such as the removal of Madelyn Antoncic, Chief Risk Officer, and Michael Gelband, head of Lehman's Fixed Income Division, are the kind of events a board should question, because of their possible significance. In fact, they were removed from their positions ‘because of their opposition to management's growing accumulation of risky and illiquid assets’. Antoncic's public speeches as early as December 2006 had warned of ‘a seemingly overwhelming sense of complacency’, ‘with volatility low, corporate spreads growing ever tighter, and markets all but ignoring bad news’, although she was careful to defend her own company.27
It is true that Lehman had an impressive risk management structure, and an array of stress tests to determine the potential financial consequences of an economic shock to its portfolio of assets and investments. These, as the Examiner points out, were more for show, to impress investors, regulators and the rating agencies. They were not meant to influence Lehman's strategy or its decisions. He notes that the risk limits and stress tests, ‘did not impose legal requirements on management or prevent management and the board from exceeding those limits if they chose to do so … Lehman's management chose to disregard or overrule the firm's risk controls on a regular basis’.28 Once again, Lehman's actions did not give rise to any colourable claims.
It would have taken determined questioning by the board to discover what happened to the risk limits. Lehman's management exceeded its risk limits, that is, the concentration limits on leveraged loans and commercial real estate, including the single transaction limits on leveraged loans that were designed to ensure diversification. As a result they exceeded the limits by 70 per cent on commercial real estate and by 100 per cent on leveraged loans. For a time they left their commercial real estate investments, private equity investments and leveraged loan commitments out altogether. The Examiner comments that Lehman ‘did not have a regular and systematic means of analysing the amount of catastrophic loss that the firm could suffer from these increasingly large and illiquid investments’.29 Nor did they strictly apply balance sheet limits, designed to contain the overall risk of the firm and maintain its leverage ratio. No one asked any questions about the stress tests, such as which investments were covered by them. Lehman informed the SEC in their regular meetings that the firm-wide risk appetite limit was a real constraint on Lehman's risk-taking, although it was treated as a ‘soft’ target within the firm. It was clearly not enforced: between December 2006 and December 2007 it was raised from $2.3bn to $4.0bn, the latter increase made in January 2008 and then backdated to 3 December 2007. It was not, however, unlawful for Lehman to secretly violate its increased limits and backdate its documents to disguise the breaches of its risk limits. They were self-imposed risk limits, exclusively intended to allow Lehman's management to make their own estimates about the future of the company. Its commercial real estate investments, such as its bridge equity position in Archstone of $2.3bn, were excluded from Lehman's risk appetite limit and from its stress testing. When Archstone was eventually included, Lehman continued to exceed the limit for a few months and raised its firm-wide risk limit again.
The Examiner did not find that there were colourable claims against Lehman's senior management on the grounds that they failed to inform the board about the level of risk that they were taking, nor that the board had failed in its duty to monitor Lehman's risk-taking activities. On the one hand, Lehman's management did inform the board that it was taking ‘increased business risk in order to grow the firm more aggressively; that the increased business risk resulted in higher risk usage metrics, and ultimately firm-wide risk limit overages, and that market conditions after July 2007 were hampering the firm's liquidity’. The Examiner added, ‘Lehman's risk limits and controls were designed primarily for management's internal use in making business decisions.’30 Lehman's board ‘fully embraced’ the growth strategy, and was informed about the large increase in the risk appetite for fiscal 2007. All of the directors told the Examiner that they agreed with the strategy ‘at the time it was undertaken’. They were not told about the exclusion of real estate owned and private equity from stress testing until January 2008, but none of the directors remembered the disclosure. They were also not informed about the decision not to apply single transaction limits to its leveraged loans.31
With regard to the board, in the context of Delaware law at that time, the Examiner does not find a breach of fiduciary duty. He notes that the board received reports about Lehman's business and its risk-taking at every meeting; that, although the information about the level of risk was incomplete, management assured directors that it was taking prudent steps to address these risks in the context of the developments in the subprime markets and the credit markets. Management informed the board that they saw the unfolding crisis as ‘an opportunity to pursue a countercyclical growth strategy’, and their reports did not raise any ‘“red flags” imposing on the directors a duty to inquire further’.32 Delaware law allows directors to rely on management reports and exempts them from personal liability when they do.33
The final question is more difficult to answer, partly because the board was not provided with all the relevant information by senior management. Lehman's senior management provided the board with just enough information to support the conclusion that the board was not actually deceived or misled, and that the frequent and full management reports gave the board the opportunity to raise questions, had they so wished. The Examiner's report does, however, indicate that significant information (such as what was actually covered in the stress tests) was withheld from the board at perhaps sensitive times, with management advising the board only at a later date. The board may have fulfilled its duties under the Delaware General Corporation Law, but probably did not meet the standards expected at that time under Sarbanes-Oxley and the New York Stock Exchange Listing Rules, which envisaged an audit committee able to review and challenge financial statements and also to ‘discuss policies with respect to risk assessment and risk management’, while noting that ‘it is the job of the CEO and senior management to assess and manage the company's exposure to risk’.34 Most members of the board had held senior positions in industry, but in 2007 only four had been on the board for five years or less. All the others had been independent directors for between 12 and 23 years. Only one, Jerry Grundhofer, had recent experience of leading a large US bank, as a former director of Bancorp. The relationship between the board and the management can become very cosy after so many years. The legal requirements under Delaware law were fulfilled, but the board itself was hardly effective.
The fundamental issue for corporate governance is why boards were not effective before the crisis, especially since so much emphasis had been placed on internal controls, although these were often restricted to financial accounts. The Institute of International Finance reported in July 2008 that ‘events have raised questions about the ability of certain boards properly to oversee senior managements and to understand and monitor the business itself’.35 Other analyses of banks' boards suggest that boards need further training on risk issues, together with the ability to define the company's risk appetite and to measure the firm's performance against it. But merely enabling a bank to tick a box saying that it has a risk committee is not enough. Fuld usually made sure that the bank conformed to the formal requirements.
In general, the quality of board members is a matter of particular concern, even where the ‘fit and proper’ test is applied. For the UK, that test is extended to ‘fit and proper, honest and competent’, which is an attempt to deal with the question of whether independent board members are able to handle the technical knowledge required and the detail involved in monitoring the risks and activities of large, complex, global banks. Writing in the Financial Times, Guerrera and Thal Larsen examined the boards of the eight most important US financial institutions (Citi, JP Morgan Chase, Bank of America, Goldman Sachs, Merrill Lynch, Morgan Stanley, Lehman Brothers and pre-rescue Bear Stearns), and noted that two-thirds of the board members had no significant recent banking experience and less than half had no financial services industry experience at all. Many of the directors without any financial background were also members of the highly technical board committees.
For example, Roger Berlind, a director of Lehman, a theatre impresario and private investor, was a member of both the board's audit committee and its finance and risk committee. At Citi, John Deutch, a former head of the CIA and a Professor of Physical Chemistry at MIT, was a member of the audit and finance committee. Tommy Franks, a retired US Army general, was a member of the audit committee of the Bank of America.36
However difficult it may be to judge the quality of board members from the outside, the fact remains that boards at many of the major financial institutions failed to alert the CEO and management to the coming storm. In 2008 and 2009, opinions differed as to the causes of the failure, with some regarding this as being due to the attitude and lack of effort on the part of board members. Some described them as being asleep on the job, and others claimed that they did not want to disturb a quiet and lucrative position. Even when boards had knowledgeable and experienced individuals working on them, it appears that they did not ask the tough questions and work with the CEO to reinvent the business.
Strengthening corporate governance
Since the financial crisis, regulators in the USA, the UK and elsewhere have set out new requirements for board membership and for the board's conduct in overseeing senior management. The first steps in the USA were taken in the Dodd-Frank Act, which was signed into law by President Obama on 21 July 2010. NYSE and NASDAQ listing rules require a majority of the members of the board to be independent, as well as disclosure of the experience, qualifications or skills of each director nominee that led the board to nominate that person to serve as a director. Companies must also disclose whether and how their nominating committee considers diversity in identifying director nominees. The Dodd-Frank Act requires companies to disclose in their annual meeting proxy statements whether the same person serves as chair and CEO, and if so to explain why. The gradual governance trend is towards separating the functions of chairman and chief executive.
The Securities and Exchange Commission introduced new reporting rules on 16 December 2009, which took effect on 28 February 2010.37 The rules apply to those regulated by the SEC and require new disclosures about compensation policies; director and nominee qualifications and legal proceedings; and board leadership structure and the board's role in risk oversight, amongst others. The amendments about the leadership structure of the board are designed to provide shareholders with the reasons for combining or separating the roles of chairman of the board and chief executive. The company is also required to explain why it considers the choice it has made to be the most appropriate structure at the time of filing. If the roles are combined and a lead independent director is designated to chair meetings of the independent directors, then the company has to explain why, as well as the specific role the lead independent director plays in the leadership of the company. ‘These amendments are to provide investors with more transparency about the company's corporate governance, but are not intended to influence a company's decision regarding its board leadership structure.’38 However, the lead independent director is simply one of the independent directors of the board, who takes over the position of chair for a limited period of time. It is only an informally instituted designation, without, it seems, the responsibilities of the role of chairman. The SEC agreed (with commentators on its proposals) that risk oversight is a ‘key competence’ of the board and that additional disclosures would benefit investor and shareholder understanding of the company.
Disclosures about the board's involvement in the risk management process should provide information about how the company sees the role of the board and senior management in managing the risks the company faces, whether through a separate committee or the whole board, and to whom the individuals supervising the day-to-day risk management responsibilities report.39 As it stands, this would seem to be a rather weak requirement. The chief risk officer should have a mandated role to report to the board or perhaps to one of its committees.
The SEC's new rule reflects a trend in corporate governance in the USA. At least a quarter of the major US companies have separated the roles of chairman and chief executive and over 70 per cent of the National Association of Corporate Directors have voted for separation. The logic is clear. ‘The CEO should not be chairing the independent board which is supposed to be monitoring his or her activities.’40 The matter is still being debated in the USA even after the financial crisis, and especially after the collapse of Lehman. The current expectation in the USA is that companies will increasingly and voluntarily accept the need for a separate chairman, followed by the banking regulators.
In various speeches, Thomas Curry, appointed as Comptroller of the Currency in April 2012, explained what led to the ‘heightened expectations’ for risk management and corporate governance. ‘As much as any other factor, the financial crisis can be traced back to failures of corporate governance and risk management systems. At some institutions, boards of directors and senior managers did not sufficiently comprehend aggregate risk within their firms and lacked a sufficiently robust risk framework – that is, the people, systems and processes for monitoring a complex set of risks’. Other problems included inadequate and fragmented technology infrastructures, hindering the assessment of risk.41 He reiterated the same point in a later speech to a conference on Governance, Compliance and Operational Risk: ‘One of the central lessons coming out of the financial crisis was that supervisory expectations for risk management, internal audit and corporate governance in our largest and most complex banks needs to be substantially higher, especially for the most systemically important institutions.’42 He regards these expectations as ‘an important milestone on the road to completing the rules implementing the Dodd-Frank Act’. The largest banks are indeed large, including JP Morgan Chase, the main subsidiary of JPM, with total assets in excess of $1.990 trillion; Bank of America with total assets of $1.439 trillion; Citibank NA at $1.334 trillion; and Wells Fargo, the main subsidiary of WFL, at $1.328 trillion.
The Office of the Comptroller of the Currency issued its final rules and guidelines for large national banks insured by the Federal Deposit Insurance Corporation, and for insured Federal branches of foreign banks, with average consolidated assets of $50bn or more on 2 September 2014. The guidelines may also apply to any other bank that the OCC considers appropriate, that is, where the bank's operations are highly complex or otherwise present a heightened risk, based on the complexity of its products and services, its risk profile and the scope of its operations. The focus is on the risk governance framework and on minimum standards for the board in overseeing the framework's design and implementation. The guidelines specifically state that these are ‘enforceable by the terms of a Federal statute that authorizes the OCC to prescribe operational and managerial standards for national banks and Federal savings associations.’ The guidelines themselves are consistent with the principles embedded in the Federal Reserve's expectations for large bank holding companies.
The OCC has established a mandatory base upon which banks are expected to build their risk governance frameworks, and banks may well consider it wise to go beyond these basic principles. The risk governance framework has to be a formal written document setting out the management of risk-taking activities. The document itself will be wide-ranging, covering clearly defined roles and responsibilities, the risk appetite statement, risk policies processes and procedures; risk limits, metrics and analytics as well as risk data aggregation, monitoring and reporting. All of these elements should be combined in the bank's strategic plan and its risk appetite should be integrated, which may not always be the case for very large banks. It may seem obvious that they should be combined, and that a bank should not pursue certain strategies or opportunities which suddenly arise without considering if they fall outside the risk appetite. This is precisely what Lehman ignored when it continually overshot its own risk limits in pursuit of investments in commercial real estate.
Other important considerations in the management of risk include the issues of performance management and financial incentives, again lessons to be learnt from the collapse of Lehman. That also applies to the establishment of a risk culture and the ability to communicate the importance of awareness of risk and the way in which it should be handled. The OCC focuses on the ability of the bank to evaluate and manage risk separately from the parent company in order to ‘protect the national bank charter’, by ensuring that the bank operates in a safe and sound manner rather than simply as an extension of its parent holding company and other group affiliates. From the point of view of the OCC, banks should be able to manage risk so that it is integrated with the bank's strategy, but as these may change, it means that the risk appetite has to be reviewed, as it should be before the bank embarks on any new or evolving strategy. This, for example, may be due to sudden changes in the market or in economic circumstances. A risk management framework therefore cannot be set in stone, but any changes should be supported by a clear statement of the risks and risk limits, which are acceptable to the bank and risk monitoring, analytics and metrics.
The expected risk governance structure should include three distinct units: frontline units, independent risk management and internal audit. A frontline unit is any part of the company which is responsible for one or other of the full range of risks, from credit risk to liquidity risk to reputational risk. The OCC sets out three additional criteria by which a unit qualifies as a frontline unit: it generates revenue or reduces expenses for the parent company; it provides operational support or servicing for the delivery of products or services to customers; or it provides technology services.
These guidelines are quite specific in that each frontline unit has to be accountable to the CEO and the board for assessing and managing all of the risks it takes on. Frontline units have to set out and keep to written policies and procedures for managing risk that are consistent with the bank's risk appetite statement. They must also report to independent risk management at least quarterly on their risk limits.
Each bank will have a unit which is responsible for identifying, measuring, monitoring or controlling aggregate risks independently of the CEO and the frontline units. This unit, headed by a Chief Risk Officer (CRO), will design a comprehensive written risk governance framework, and will be accountable to the CEO and to the board. The CRO is then responsible for identifying and assessing risks, ensuring that the frontline units keep to the risk limits and all the procedures involved, and informing the CEO and the board of any significant increases in risks or breaches of the framework. The CRO and his staff review and report to the board at least quarterly on the bank's risk profile in relation to its risk appetite and its compliance with concentration risk limits. The most difficult task is to inform the board of any significant cases in which the CRO's assessment of risk differs from that of the CEO, or in which the CEO is not sticking to agreed risk limits or is not ensuring that the frontline units do so. For this reason, the CRO, in heading up the risk management unit, should be only one level below the CEO.
The guidelines also repeat the existing requirement for an internal audit unit, headed by a Chief Audit Executive (CAE), with perhaps the only additions being that of the detail of the investigations and reporting requirements. The internal audit unit reports to the audit committee of the board, including any instances of failure to adhere to the framework. The internal audit unit's programme makes sure that its policies, procedures and processes comply with current regulations and are updated to take account of any changes in risk factors internal or external. This must of course be independent of all the operations of the bank, and again headed by a CAE at one level below the CEO.
The OCC requires a much more comprehensive risk appetite statement, setting out the bank's risk appetite, that is, the aggregate level and types of risk that its board and management are willing to assume to achieve the bank's strategic objectives and business plan, consistent with the capital, liquidity and other regulatory requirements. It should also set out a safe and sound ‘risk culture’ and quantitative limits, including stress tests, and deal with the bank's earnings, capital and liquidity. Both the risk limits and the concentration risk limits should be clearly defined and enforced. The board or its risk management committee should review and approve the framework, and any significant changes to it, at least annually, as well as monitoring compliance with it. Banks are allowed to use the parent company's framework where appropriate, and may tailor it to their own requirements, but must document any material differences between the risk profiles of the parent company and the bank.
The guidelines make it clear that the board's responsibility is to actively oversee the bank's risk-taking activities and hold management accountable. This includes questioning, challenging and opposing recommendations and decisions made by the management when necessary. The board may rely on risk assessments and reports prepared by independent risk management and internal audit to support it in its role. The board should be provided with training programmes tailored to their specific needs. The programme should cover complex products, services, lines of business and relevant risks, as well as the laws, regulations and supervisory requirements applicable to the bank. The directors should also be ‘independent’, which is defined solely in terms of links with the bank; that is, they are not a current officer or employee of the bank and have not been such for the past three years. A director cannot be regarded as ‘independent’ if he is a member of the ‘immediate family’ of a person who is or has been an ‘executive officer’ of the bank or its parent company. ‘Independence’ is defined in terms of relationships to the staff of the bank, which would be seen to create obvious conflicts of interest, without any reference to the length of service which, when it runs to twenty years or more, means that a director is no longer independent of the bank. Indeed he or she has become part of the company.
The Federal Reserve Bank has not yet set out such a detailed programme for the reform of corporate governance. The most recent supervisory and regulatory letter about corporate governance was issued on 17 December 2012, and briefly summarizes the role of the board. Each firm's board of directors and its committees, with the support of senior management, should:
- Maintain a clearly articulated corporate strategy and institutional risk appetite. The board should set direction and oversight for revenue and profit generation, risk management and control functions and other areas essential to sustaining the consolidated organization.
- Ensure that the firm's senior management has the expertise and level of involvement required to manage the firm's business lines, critical operations, banking offices and other material entities. These areas should receive operational support to remain in a safe and sound condition under a broad range of stressed conditions. ‘Material entities’ are subsidiaries or foreign offices of the firm that are significant to the activities of a core business line or critical operation.
- Maintain a corporate culture that emphasizes the importance of compliance with laws and regulations and consumer protection, as well as the avoidance of conflicts of interest and the management of reputational and legal risks.
- Undertake recovery testing and training exercises that consider a broad range of internal and external risk scenarios and account for interconnectedness across operations and legal entities.
- Ensure that the recovery plan is updated as needed and reflects lessons learned from reviews of trigger events, testing and training exercises.
- Ensure that recovery planning is sufficiently integrated into corporate governance structures and processes, subject to independent validation, and effectively supported by related MIS reporting to the board and its committees.
All of this applies particularly to the eight largest banks – Bank of America, Bank of New York Mellon, Citigroup, Goldman Sachs, JP Morgan Chase, Morgan Stanley, State Street Corporation and Wells Fargo – and to other large banks supervised by the Federal Reserve Bank.
Other regulations regarding corporate governance have been issued by the Federal Reserve Bank since the financial crisis, but in a somewhat piecemeal fashion. They add to existing regulations or introduce new ones. For example, state member banks and bank holding companies must give the Federal Reserve thirty days' prior notice before adding or replacing a board member if the bank is not in compliance with all minimum capital requirements.43 The Federal Reserve Bank has the power to disapprove the notice. A new election of board directors may be ordered if the bank is not in compliance with all the minimum capital requirements applicable to the institution, as determined on the basis of the institution's most recent report of condition or the report of an examination or inspection. Since the crisis, expectations of the board have increased in terms of either federal law or regulations, and the ones identified here are simply some of the requirements set out by the Federal Reserve Bank.
The regulations or expectations set out by the Federal Reserve Bank are incomplete, as the Bank has yet to flesh out its requirements. This will be completed in 2015. Their requirements will in all probability be in line with the OCC's ‘heightened expectations’, and both will reflect the Basel Committee's Corporate Governance Principles for Banks, due to be finalized in 2015.
It is interesting to compare the range of corporate governance requirements and their gradual development in the USA with developments in the UK, where the first and only corporate governance code, the Combined Code, was set out in 1998 and has developed over the years since then, culminating in the UK Corporate Governance Code 2014. This sets out standards for good practice in relation to board leadership and effectiveness, remuneration, accountability and relations with shareholders.44 Listed companies are required to report on how they have applied the main principles of the Code in their annual report and accounts, and either to confirm that they have complied with the Code's provisions or, where they have not, to provide an explanation. This is a more effective provision than might appear at first sight: even companies which are not required to publish their compliance with the Code do so in order to show that they meet its standards.
There are two vital issues: the division of responsibilities and the length of time a member serves on the board. The Code is entirely clear: the roles of the chairman and chief executive should not be exercised by the same individual. The division of responsibilities between the chairman and the chief executive should be clearly established, set out in writing and agreed by the board. The Code then spells out the responsibilities of the chairman. He is responsible for setting the board's agenda and ensuring that adequate time is available for discussion of all the agenda items, in particular strategic issues. The chairman should also promote a culture of openness and debate by facilitating the effective contribution of non-executive directors in particular and ensuring constructive relations between executive and non-executive directors. He is also responsible for ensuring the directors receive accurate, timely and clear information, as well as effective communication with shareholders. The chairman must also be entirely independent and should not be the former chief executive of the company, unless there are very specific reasons, which have to be publicly explained, and only after consultation with the major shareholders.
The separation of these two roles is a key principle for the corporate governance of UK listed companies, given the significance of the chairman's role; for example, ensuring that all the required information flows to the board so that the board can challenge the management, and providing a fresh perspective, especially when management can fall into the trap of ‘groupthink’. The chairman's role is crucial to the effectiveness of the board, since he sets the agenda, ensures that directors receive accurate, timely and clear information, ensures that time is allowed for matters of substance to be discussed by the board, and provides the opportunity for independent directors to discuss issues without the presence of executives as part of the process of co-operatively agreeing a strategy for the company. The chairman will be particularly involved in developing the risk strategy and will also engage with the major shareholders. This amounts to a time commitment of two or three days a week. It is a pivotal role between the independent directors and the CEO and senior management, and an especially difficult one to fulfil. Anyone appointed as Chairman of Lehman Brothers with Dick Fuld as CEO would have had an extremely challenging role, and probably few would have applied for it. A dominant combined chairman and CEO has destroyed more than one company. This is why the separation of roles is vital.
The UK Corporate Governance Code effectively limits board membership to nine years, and the end of each three-year term provides an opportunity for a director who has not made a contribution to the board to step down or be advised to step down. The issue of term limits was first raised in the USA by the National Association of Corporate Directors in 1996, but has clearly made little headway since then. The California Public Employees' Retirement System, CalPERS, has raised the issue more than once on the grounds which underlie the UK approach, namely that after ten years or so, lengthy tenure compromises independence. Whilst the issue of tenure and independence is becoming more important, the overriding view is that this is a matter for the evaluation of directors, rather than strict term limits. Changes are also taking place in length of tenure, with the average in 2008 being 7.6 years, according to the National Association of Corporate Directors.
The board of Lehman Brothers was obviously not in a position to provide proper oversight of the company or to prevent the excessive risks being taken on from 2006 onwards in a falling market. The severe limitations of most of the board members in terms of their lack of knowledge and the lack of a counterbalance of a strong chairman meant that Dick Fuld's powers as a domineering CEO were unshackled. Andrew Gowers, who served as Director of Communications, described the corporate governance structure as ‘almost pre-programmed to fail’.45 The separation of the roles of the CEO and the chairman together with time limits on the length of service of the independent directors might have helped, provided a chairman could have been found of sufficient stature and authority to challenge Fuld, and if the board had been composed of directors with relevant experience and independence of mind to question the company's strategy and the risks it was taking.
A clear summary of the role of corporate governance in the crisis and in its possible prevention is given by Sir David Walker:
Serious deficiencies in prudential oversight and financial regulation in the period before the crisis were accompanied by major governance failures within banks. These contributed materially to excessive risk-taking and to the breadth and depth of the crisis. The need is now to bring corporate governance issues closer to the central stage.
Structure and procedures may be necessary conditions but they will not work if the chairman is weak and if the board is inadequate. Nor can better corporate governance ensure there will not be another crisis, but ‘it will make a rerun of these events materially less likely’.46