Corporate Governance: The Latest

In the UK, the debate about corporate governance has been running since the Cadbury Code of 1992. Since those early days, a number of corporate scandals have provoked various revisions of the code. The latest iteration has just been issued in July 2018 by the Financial Reporting Council (FRC). There is no requirement to follow the Code, but the Code operates a principle of “comply or explain”. This is clearly rather more dirigiste than just leaving companies to decide whether to follow it or not, though there is only one mention of compliance throughout.

There are five elements of the revised Corporate Governance Code, with related principles. All of them should form part of a company’s overall system of governance, but there are others; some elements of the Code do not sit well with each other, and other areas are omitted entirely. Let’s take a look:

1. Board Leadership and Company Purpose

A. A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society.
B. The board should establish the company’s purpose, values and strategy, and satisfy itself that these and its culture are aligned. All directors must act with integrity, lead by example and promote the desired culture.
C. The board should ensure that the necessary resources are in place for the company to meet its objectives and measure performance against them. The board should also establish a framework of prudent and effective controls, which enable risk to be assessed and managed.
D. In order for the company to meet its responsibilities to shareholders and stakeholders, the board should ensure effective engagement with, and encourage participation from, these parties.
E. The board should ensure that workforce policies and practices are consistent with the company’s values and support its long-term sustainable success. The workforce should be able to raise any matters of concern.

The place to start is with the vision for the organisation and its rationale. It is extremely difficult to work out what to do effectively if the corporate destination is unknown. Start with “Why?” Once current and future locations are known, the company’s mission is far easier to set. The final part of setting a governance structure is culture. This is also vital from an intellectual property perspective. Whilst products and services can be copied, and values mimicked, culture is almost impossible to steal. Clarity on the above is the foundation upon which the other elements referred to can be built and operated.

2. Division of Responsibilities

F. The chair leads the board and is responsible for its overall effectiveness in directing the company. They should demonstrate objective judgement throughout their tenure and promote a culture of openness and debate. In addition, the chair facilitates constructive board relations and the effective contribution of all non-executive directors, and ensures that directors receive accurate, timely and clear information.
G. The board should include an appropriate combination of executive and non-executive (and, in particular, independent non-executive) directors, such that no one individual or small group of individuals dominates the board’s decision-making. There should be a clear division of responsibilities between the leadership of the board and the executive leadership of the company’s business.
H. Non-executive directors should have sufficient time to meet their board responsibilities. They should provide constructive challenge, strategic guidance, offer specialist advice and hold management to account.
I. The board, supported by the company secretary, should ensure that it has the policies, processes, information, time and resources it needs in order to function effectively and efficiently.

The best starting point for the above is to map an organigram of the organisation, both in its current state and future desired end state. Go through it to ensure all business functions are included. Next, check against all potential conflicts of interest, and assess ideal reporting lines, finally checking the balance between all elements and ensuring against a 50/50 lockout.

3. Composition, Succession and Evaluation

J. Appointments to the board should be subject to a formal, rigorous and transparent procedure, and an effective succession plan should be maintained for board and senior management. Both appointments and succession plans should be based on merit and objective criteria and, within this context, should promote diversity of gender, social and ethnic backgrounds, cognitive and personal strengths.
K. The board and its committees should have a combination of skills, experience and knowledge. Consideration should be given to the length of service of the board as a whole and membership regularly refreshed.
L. Annual evaluation of the board should consider its composition, diversity and how effectively members work together to achieve objectives. Individual evaluation should demonstrate whether each director continues to contribute effectively.

Diversity is an interesting topic. The assumption appears to be that diverse boards and organisations produce better decisions than those which are not so diverse. A word of warning, however, to avoid diversity for diversity’s sake. Ensuring that the necessary skills, knowledge and experience exist and work well together is one thing. Ending up with a Tower of Babel where the decision making process is mired in correctness and there is no effective organisational culture is quite another. Getting people who align with the culture will be more of a key to success. A warning on evaluation settings too, as these can take over a decision making process and heavily distort success. Make sure they are useful, and aligned with organisational culture.

4. Audit, Risk and Internal Control

M. The board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.
N. The board should present a fair, balanced and understandable assessment of the company’s position and prospects.
O. The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.

Avoidance of bias and conflict is crucial, as indicated above. Yet this needs to be applied to other functions of the organisation than audit. Remember that risk is not necessarily a bad thing. No risk, no action. No action, no success. Carry out a benefit cost analysis, not a cost benefit analysis.

5. Remuneration

P. Remuneration policies and practices should be designed to support strategy and promote long-term sustainable success. Executive remuneration should be aligned to company purpose and values, and be clearly linked to the successful delivery of the company’s long-term strategy.
Q. A formal and transparent procedure for developing policy on executive remuneration and determining director and senior management remuneration should be established. No director should be involved in deciding their own remuneration outcome.
R. Directors should exercise independent judgement and discretion when authorising remuneration outcomes, taking account of company and individual performance, and wider circumstances.

This element has become highly politicised, essentially since the remuneration multiples between the highest and lowest paid in organisations have increased in recent years. What might be more useful is to avoid taking on the corporate “surfers”. These are easy to spot: they are the directors who move on every two years, are really only in it for themselves, and are almost guaranteed to be a drag on your organisation’s success, usually massaging results by cutting vital elements of the organisation’s services to improve profitability with no thought to the future (as they will be gone within two years anyway).

The latest version of the Code thus has some useful elements, but do not view them as comprehensive, and do not ignore the practicalities behind organisational success. It would be interesting to gain your views on the new Code and what has been set out above. Do not hesitate to get in touch!

EU Cybersecurity Policy in the Financial Sector

With the inexorable rise of e-commerce comes the inexorable rise of the e-criminal. Cybercrime is now the world’s fastest growing crime. It has leapt to number two of the top ten business risks worldwide, from not even appearing in that list five years ago. For certain countries, cyberattack is now the risk of greatest concern. Gone are the days of concern about a low level hack of a website by a script kiddie. Today’s attackers are multi-faceted and increasing in sophistication, ranging from advanced persistent threats, corporate espionage, organised crime and “hacktivists” to cyberterrorists, ever more competent, and ever better funded. Cybersecurity has moved from being a technical issue to a political and boardroom issue. Financial markets are particularly important as they oil the wheels of all member state economies.

So what should the priorities of cybersecurity be? There are three core themes to address:

  • Governance (at all of organisational, international and national levels)
  • Risk Management (both contextually and intelligence driven)
  • Capability (cybersecurity by design and by default, using a standard framework applied to context)

Amid several large cyberattacks in 2017, the European Commission adopted its multi-sector cybersecurity package. Nonetheless, a multitude of issues remain that the financial sector needs to address in order to bolster its resilience against current and future threats.

An EU Task Force on Cybersecurity Policy for the Financial Sector was established, chaired by Richard Parlour of FMLI. The key policy recommendations are set out below.

The policy recommendations

1. Convergence in the taxonomies of cyber-incidents is needed.

2. The framework for incident reporting needs to be significantly improved to contribute fully to financial institution cyber-resilience.

3. Authorities should assess how and to what extent data held by the centralised hub should be shared and with whom.

4. Ambitious policies are needed to develop consistent, reliable and exploitable statistics on cyber-trends.

5. Best practices for cyber-hygiene should be continuously enhanced.

6. The European Cybersecurity Certification Scheme needs to be strengthened to contribute better to cybersecurity, cyber-risk management and capability.

7. The reinforcement of cross-border cooperation and legal convergence remains a priority, both within the EU and more widely.

8. Best practices in remedies in case of cyberattacks need to be further encouraged.

9. Policy-makers should further assess the pros, cons and feasibility of creating an emergency fund in case of large cyberattacks.

A common taxonomy for cyber-incidents

A common taxonomy across regulations, jurisdictions and sectors should ease the understanding of multi-country and multi-sector cyberattacks, and eventually strengthen the quality of responses. Given the ever-changing nature of cyberspace, the reference taxonomy should be flexible enough to be revised regularly. This common taxonomy should include specific variants applicable to different sectors.

Wherever possible, convergence in templates for incident reporting is needed across legislation. However, given the diversity of purpose of legislation, full harmonisation in those templates remains challenging.

Incident reporting framework

The emergence of different reporting requirements (notably in GDPR, PSD2, NISD, ECB/SSM, eIDAS regulation and Target 2) raises questions as to the best cyber-incident framework to boost financial institution cyber-resilience.

First, national templates for the NISD and GDPR should be harmonised across the EU. Secondly, large firms active in different countries need to develop adequate consolidation processes of the “overall cyber-risk” at group level. Thirdly, authorities should be able to exploit the content of incident reporting to inform and advise CSIRTs in return. For that purpose, policy-makers and firms should assess together the risks and opportunities of developing a standard messaging system.

Fourthly, the creation of a European sectoral hub in charge of centralising all incident reports, dispatching the right information to stakeholders and advising both authorities and CSIRTs could greatly reinforce the incident reporting framework. Finally, in order to create a resilient cybersecurity framework that could efficiently handle multi-sectoral cyberattacks and prevent contagion from one sector to another, the hub should also be able to cover all economic sectors.

Data sharing by a centralised hub

Authorities should encourage the set-up of platforms to facilitate voluntary exchange of cyber-information between financial institutions. In parallel, incident reporting requirements should fully contribute to financial institution cyber-resilience. Incident reporting data should be quickly shared with relevant stakeholders.

First, a centralised hub in charge of incident reporting should quickly provide relevant supervisors with the right information on cyberattacks. Secondly, the hub needs to share relevant information with financial institutions, provided there is balance between building up an efficient collective response to cyberattacks and safeguarding firms’ interests. To provide technical assistance to those firms, the hub would need a clear mandate.

Sharing information with firms’ potential clients through development of cyber-ratings that mirror the cyber-risk to which each supplier, and therefore their potential clients, is exposed should be based on market rather than regulatory initiatives. Tight security of the data managed by the centralised hub should be the main priority.

Macro statistics benchmark

The absence of a macro statistics benchmark on cyber-trends and the poor consistency across sources raise the risk that the cyber-strategies of firms and cyber-policies are not well-founded. If a centralised framework is developed for incident reporting, robust and relevant macro statistics could be developed at national and European level.

Specifically, robust statistics on the financial impact of cyberattacks will enable better understanding of the overall impact of attacks and inform cyber-policies and strategies. However, the complexity of measurement at firm level has so far made consistent methodologies impossible. A principle-based list should operate at EU level, with the aim of enhancing best practices to measure both “tangible” and “intangible” factors. Convergence should be achieved provided that collaboration is improved between cyber-authorities, CSIRTs, CFOs and CIOs, authorities, etc.

Promoting cyber-hygiene

Authorities should continue to enhance best cyber-hygiene practices. Principle-based lists should be updated on a regular basis. At present they should for example include conducting adequate education and awareness activities, updating programs regularly and patching systems, creating complex passwords and changing them frequently, using micro-segmentation, multifactor authentication and encryption of sensitive data, implementing the least privilege principle, developing an adequate strategy to handle shadow IT and establishing an incident response and reporting plan.

European Cybersecurity Certification Scheme

Given the rising importance of digital technologies and their vulnerability to cyberattacks, authorities need to address information asymmetries and the fragmentation of standards in national certification. A European Cybersecurity Certification Scheme could be a powerful tool for reinforcing harmonisation, raising awareness and ensuring mutual recognition.

Yet the Commission’s current proposal lacks practical operability and adds unnecessary complexity. As the scheme’s success depends on voluntary participation, value added must exceed costs. With too many issues left unclear, the current European Cybersecurity Certification Scheme needs to be strengthened to have a positive impact on cybersecurity.

Reinforcing cross-border cooperation and legal convergence

The cross-border framework to facilitate exchange of information and electronic evidence for prevention, investigation and attribution of cross-border cybercrimes needs further development. When cyber-criminals are identified, convergence in national legal frameworks is needed to facilitate extradition.

Enhancing best practices in remedies after cyberattacks

Best practices in cyberattack remedies need encouragement by EU and national supervisors through core principles. These include robust methodologies to assess how firms and/or clients share cyber-liability. Principles should also cover the best remedies where data theft has no immediate financial loss.

Emergency fund in case of large cyberattacks

Authorities should assess the feasibility of developing an emergency cyber-fund to alleviate the risk of financial instability in case of major cyberattack. Criteria for a cyber-incident to qualify will have to be well defined in advance.

The benefits and costs of the different options to create such a fund require careful analysis. Could existing EU natural disasters funds be extended to cyberattacks or would it make more sense to create a fund that covers all operators of essential services?

Please contact us if you would like a copy of the full report, or to discuss any cyber issues you may have.

AML THREE LINES OF DEFENCE: TIME FOR SOMETHING THAT WORKS!

Topolcany Castle in the Slovak Republic is often acknowledged to be one of the best examples of mediaeval castle architecture anywhere in the world.

It was built on the classic three lines of defence model. There is an outer wall, an inner wall, and a keep.

Three barriers for an enemy to surmount.

The only builder of castles in latter day history, however, is Walt Disney.

So why has the three lines of defence model been so trumpeted as the best model of AML defence for financial markets?

Rorke’s Drift in 19th century South Africa. At least the military had stopped trying to build castles and defence was a bit more fluid. Three lines of defence again, however, a front line, middle line and rear line.

Although the battle resulted in a victory for those using the three lines of defence, it was without doubt a pyrrhic one, and no military uses it today.

Again, why has the three lines of defence model been so trumpeted as the best model of AML defence for financial markets? Was the issue with Topolcany Castle one of bricks and mortar? Was the issue with Rorke’s Drift a lack of machine guns?

The key issue is a psychological one. If you are in the keep, you don’t really pay much attention to those at the outer wall, or even at the inner one.

If you are in the third line, it doesn’t feel as exposed as being in the front line. The key issue, however, is multifaceted:

Three Lines of Defence is a static model, yet enemies probe and probe again until they get past the barriers or overcome them.

The Three Lines of Defence model focuses on defence of a particular area of ground or asset. The focus of defenders is very much an inward facing one.

The Three Lines of Defence model does not encourage best teamwork or use of assets.

The UK has recently seen the launch of the Queen Elizabeth II aircraft carrier.

Many seem to think that this ship has a lot of capability.

It does, but to set sail without a task force of ships, submarines and air cover would be suicidal. An aircraft carrier group is required, fully integrated and constantly communicating between the various elements.

It is not just at sea that such a concept of active integrated defence is used, but also on land, whether that is of an Army Group, or an Integrated Air Defence System.

The AML landscape has changed markedly since the Sommet de l’Arche in 1989.

The original objectives of preventing crime by taking the benefit of the proceeds of crime, and of tracing the monies through criminal groups and seizing them, have transmogrified into an environment where drug deaths, terrorism, organised crime, cybercrime, etc., are all on the up and it is the financial institutions which are proceeded against.

Compliance has become little more than a process to follow regulation, with little thought, and even less impact on the underlying crimes for which the whole AML edifice was established.

Moving from an ineffective three lines of defence policy to an integrated anti financial crime system will assist achievement of the original aims, both at market and financial institution level.
