In my teaching, research and consulting, I no longer use "NP-58201 Corporate Governance Guidelines," June 17, 2005 ("Guidelines"), that apply to publicly traded companies in Canada, as an example of exemplary corporate governance. I regard them as stale and dated. I cannot think of another developed country that has not updated its governance guidelines in almost 10 years. There have been more changes to governance since the financial crisis of 2008 than in a generation. And we are only about half way through all of them. Canadian regulators -- including all provinces and territories -- need to keep up, and step up.
Here are the ten deficiencies in the Guidelines as I see them:
1. Lack of principles and practices: Our Guidelines are four pages long. The UK's new Code (September 2014) is thirty-six pages. Australia's Principles and Recommendations (March 2014) are forty-four. South Africa's "King III" (2009) is sixty-six pages, to pick only three examples. Quantity is not necessarily quality, but by having such succinct guidelines, the opportunity to set out (i) best practices that (ii) achieve the objective of principles is gone. It is comply or explain against a perfunctory unitary guideline, which can be - and is - gamed by reporting management. There should be more robust guidance, where the regulator explains various ways good governance can occur, from which listed companies can pick and choose according to their circumstances.
2. Lack of focus on risk management: Take risk for example. The Canadian Guidelines simply state that the board should identify principal risks and ensure appropriate systems are in place to manage these risks. I have no idea what this actually means, nor may directors. Risk management oversight now involves an explicit risk appetite framework, internal controls to mitigate, technology, limitations, and assurance provided directly to the board and committees by independent risk, compliance, and internal audit functions. None of these practices, which are very much addressed by other regulators, appear in the 2005 Guidelines. Consequently, many public companies have immature risk management, especially in addressing non-financial risks such as cyber security, operations, terrorism and reputation. Regulatory inaction has an effect. Because of inadequate regulation, even a forward-thinking director may be blocked by intransigent management from devoting greater resources to mitigating risk.
3. Lack of independence of mind: In Canada, a board can subjectively believe a director to be independent, but this belief need not be independently validated, nor tied to any objective or reasonable standard. Nowhere else can a conflict of interest lack a perceptual foundation. As a result, directors tell me how colleagues are compromised by an office, perks, vacations, gifts, jobs for friends, social relatedness, relations to major shareholders, excessive pay, excessive tenure, interlocks, and other forms of capture. If a director or chair is captured, they are owned by management and totally ineffective. If there is a difference between regulatory independence and the independence of mind of directors, the fault lies with the regulation. Regulators should implement an objective standard of director independence, not a subjective one.
4. Lack of industry expertise: It was admitted in open forum that the original 1994 committee did little research. Sufficient industry expertise on boards is glaringly absent from the Guidelines, and consequently in many boardrooms. We are suffering from an independence legacy, perpetuated by entrenched directors, and unsupported by academic research. For example, in Australia, two academics claim it has cost their country a decline in shareholder value of between 30 and 50 billion Australian dollars ("Does 'Board Independence' Destroy Corporate Value," by Peter L. Swan and David Forsberg).
Cases of fraud, meltdown and underperformance such as Nortel, RIM and CP, and most recently Tesco in the UK, all involved a paucity of industry experts on the board. JP Morgan at the time of the risk management failure did not have a single independent director with banking experience. Prior to Bill Ackman's involvement in CP, not a single independent director had rail experience. I recently assessed a similar board and not a single director had the necessary industry experience. The Guidelines should require relevant industry expertise on boards. I recommended this to OSFI when I was retained by them to examine their earlier guidelines, and this is now the law for all federally regulated financial institutions, along with risk expertise being present on boards.
5. Lack of financial literacy and internal audit: There is no requirement to be financially literate to sit, initially, on an audit committee of a Canadian public company. This presumes someone can acquire financial literacy as opposed to having it to begin with. There is also no requirement to have an internal audit function for a Canadian public company. This should also change so audit committee members hit the ground running, and there should be a comply or explain approach to internal audit. In many compliance failures, there is a defective or non-existent internal audit function, with a weak audit committee lacking recent and relevant expertise. Regulators are now moving towards "independent coordinated assurance," which means that reporting to, and functional oversight by, the board and committees are fulfilled by internal and external personnel who are independent of senior and operating management, including, most importantly, an effective and independent internal audit function.
Join me next week where I will talk about 6-10, including: lack of shareholder engagement; lack of focus on strategy and value creation; lack of focus on sustainability; lack of compensation guidance; and lack of focus on the chair of the board.