Few people need to be told of the increasing degree and variety of risks to corporate entities in the 21st century. And anyone familiar with the ramifications of those risks on the governance structure knows that vulnerabilities extend to individual board members as well as the companies and shareholders they serve.
Those risks include digital breaches, corporate scandals, rising litigiousness, globalization, acquired problems in M&As, increasingly stringent regulatory regimes – and what is unforeseeable. Everyone from the C-suite and directors through senior and middle managers on down bears some role in mitigating these risks. But to inform our perspective as the global leader in legal professional search at Major Lindsey & Africa, we recently hosted a panel discussion on how the presence of senior lawyers, those who currently or formerly have served in the role of the general counsel (GCs), can play a vital role in the management and prevention of risk as board members.
I was one of four panelists corralled by Kim Rucker, former General Counsel and Corporate Secretary for Kraft Foods Group, the panel moderator. Kim led a lively discussion that unearthed several important ideas and concepts from my fellow panelists: Sara Hays, Managing Director, Allegis Partners; Mary Ann Hynes, Senior Counsel, Dentons and a GC veteran of five international corporations and a board member of several corporations and non-profit organizations); and Rick Palmore, Senior Counsel, Dentons and board member for Goodyear Tire & Rubber Company, the Chicago Board Options Exchange and Express Scripts.
The area of risk that gets the most attention lately is cybersecurity. It's clear from the alarming business news on digital security breaches that there is much to lose when nefarious parties hack into our information systems. These attacks can damage reputations and brands, affect employee morale and cost a great deal of money. Additionally, they carry obligations to notify third parties, to work with law enforcement, to meet state and federal compliance matters, and they might trigger litigation (for example, the class action suits by financial institutions and individuals against Target Corporation in the wake of their 2013 data breach that affected 110 million customers). This provides a good case for why board members with the background and expertise of lawyers, preferably those with GC experience, can be extremely valuable.
My fellow panelist Sara Hays mentioned an attorney she's worked with who, while widely recognized as a solid GC, in fact developed supplementary expertise in cybersecurity. Given the list of issues that can arise in a breach or even in planning for a potential attack, is it any wonder why that particular lawyer is also an excellent candidate for a corporate directorship?
Also, in October 2015 a California federal judge ruled that whistleblowers may seek compensation from company directors. This was a definitive expansion of liability in cases where directors might be judged for retaliating against such individuals. This same level of responsibility extends to instances of product failure, fraud and tort actions.
Perhaps foremost on the minds of directors and officers are the implications of the Department of Justice's "Yates Memo," where Deputy Attorney General Sally Yates directed federal prosecutors to focus on individuals and hold them accountable when investigating and resolving allegations of corporate misconduct (of either a civil or criminal nature). This promises to significantly impact how corporate internal investigations are conducted, including by in-house counsel. Again, a director with a broad business understanding complemented by a granular understanding of recent courts rulings might prevent as well as fix adverse situations.
The panel discussed other issues that elevate the importance of a legal background in key decision-making and oversight. I pointed out how in the case of a merger involving a foreign-run business we unearthed a significant issue relative to the Foreign Corrupt Practices Act (FCPA) that could have been of concern to the U.S. Securities and Exchange Commission (SEC). In my role as a GC, it became clear we need to self-report to the SEC. Note the other party wasn't trying to cheat but instead was simply acting within their own country's business culture (i.e., they didn't understand U.S. regulations). These are the kinds of things that directors are at an advantage to consider as early as possible in the M&A process.
Risk planning includes establishing priorities
My colleague Sara pointed out there is a tendency in risk planning to think a preconceived structure such as a risk management plan covers off on risk. I've observed this too and feel that everyone owns risk – and at all times. This includes all board members and every board committee. Perhaps what might Riskbe more important is to know when to elevate an issue to other parties. Mary Ann Hynes related a scenario of a cybersecurity breach that ultimately required calling in the FBI. The GC had to work with the CFO, the CIO and the audit committee, all of whom had to work "hand in glove" with their respective board members. This is why I personally advocate for having a board-adopted crisis management plan, where you can work through a hypothetical process that would identify ideas on how to act as well as which people need to be involved.
Mary Ann asked who among us had worked with a chief information systems officer, a CISO. We agreed this is more common in larger companies, those with as many concerns about brand and reputation as they have about potential litigation. But even in cases where the problem is low profile (i.e., no media) there very often can be a huge impact on the enterprise in information systems-related litigation.
The characteristic of good GCs is that they are "steady Eddies," with a composed demeanor in the face of crisis. They have a sense of where and how to separate legal and compliance functions. They also understand the tension points in risk-containment scenarios – which include external communications and board member liabilities. Again, these are the kinds of considerations that a GC should be attuned to if he or she wishes to be considered for a board appointment.
A point on which all panelists agreed was the need to plan: Develop a framework for managing in a crisis. It has to be adaptable to the variety of known and unknown risk scenarios because one size does not fit all, so to speak. This is where, as panelist Rick Palmore pointed out, you set the enterprise priorities. The board may determine that litigation ranks first or fourth or somewhere in between – knowing that much in advance, calibrating possible outcomes, helps everyone move quickly toward a resolution, to adopt positions and to communicate with consistent messaging. Regardless of the intensity of a situation, a GC will typically understand you cannot operate effectively "with your hair on fire" rather, everyone up and down the ranks will take their lead from the steady Eddies at the top.
Anticipate the most probable scenarios
This is not to say the crisis/risk planning process shouldn't on some level address known probabilities for certain kinds of risk. Sara related to the panel how the board of a company where she was the GC did an annual "deep dive" to explore potential risks. From the short list of what might happen they were able to determine which committees and individuals would assume oversight responsibilities. From there, those individuals were tasked with providing quarterly updates on various scenarios – which might include running practice drills and developing a framework for messaging and identifying who delivers the message (note: something as simple as having up-to-date personal and business phone numbers of board members and officers should not be overlooked).
To be clear, there is some risk in documenting risk. While it needs to be approached on a case-by-case basis, the board should consider how and where such documentation might later be used against the company and its governance structure – another reason why a board member with GC experience can provide fundamentally important perspective.
There are some ways in which even a seasoned attorney on the board could be problematic. First, he or she shouldn't simply put up roadblocks due to a known or suspected legal risk. The lawyer has to have sufficient business acumen to propose two or more workable alternative solutions. Second, that individual should not be mistaken for legal counsel; it’s not the board member's responsibility, and would likely trip on what the company's actual GC is engaged with every day.
In wrapping up, several panel members stressed how the risk management strategy needs to line up with the overall company strategy – all the more reason why having a seasoned attorney on the board means having a business-minded attorney. In fact, my colleague Sara Hays herself has an MBA, made all the more valuable in one appointment because of her experience in the construction industry. "The mistake some GCs make is when they think of themselves as just being a lawyer," she said, noting how this goes against the grain of conventional wisdom that attorneys can only advise on legal questions. The value proposition for filling a board seat is different from what makes someone a good GC, she told us.
What does success look like when a board manages risk with an attorney as part of governance? It is when instead of risks being siloed, with attorneys picking up the pieces after the damage is done, that instead everyone thinks about risks, adopts them as a fact of life – and acts proactively to minimize or mitigate problems before they occur or are able to cause meaningful damage.