1. Underestimating Regulatory Risk
Regulatory compliance may seem like a nuisance or a “necessary evil” to most business owners but, if neglected, it can be much worse than that. Three trends appear to be emerging in this area. First, the number of regulations, both federal and state, is growing at an extraordinary rate, and not all of the new rules are widely publicized (or even logical). Indeed, we seem to be moving from an era of regulations whose import was “do this (or don’t do this) or you could be sued by private parties who are harmed” to an era where the effect is “do this (or don’t do this) or you will be guilty of a violation that carries civil and possibly criminal penalties”. Second, regulators are becoming more aggressive about enforcement and less forgiving of first-time violations; the days of the “warning” for a first offense seem to be disappearing. And third, when investigating a possible violation, regulators typically ask for, and put emphasis on, the company’s written policies and procedures. Each of these trends becomes more relevant as a business grows and its operations become more diverse and complex.
Of course, the risks are higher for some companies than others. Heavily regulated industries, government contractors, companies with overseas sales, and manufacturers of consumer products have special concerns. That is not to say, however, that other businesses can simply deal with regulatory risk when problems arise. Every business is regulated to some extent, and if the full scope of the regulatory environment is not known and addressed, the result can be unexpected (and intrusive) governmental inquiries, fines, legal fees, bad publicity and, for some officers, embarrassment or even reputational damage.
One valuable tool that companies can use to address regulatory risk is a compliance audit. This audit should cover all regulatory compliance issues applicable to the business (including anticipated new regulations) and the policies and procedures the company relies on to comply with those regulations. The policies and procedures can take many forms: a compliance manual, a section of a risk register that catalogs all risks facing the business, or separate, regulation-specific policy statements aimed at certain personnel. It should be clear who is responsible for managing each risk and what steps need to be taken to improve its mitigation. In addition, the Board of Directors should be informed about the risks of non-compliance and the adequacy of the company’s compliance program. A compliance audit report prepared by an attorney for the purpose of giving legal advice is generally protected from discovery in an investigation or lawsuit by the attorney-client privilege (the privilege is not absolute: it can be waived, for example by sharing the report with outsiders, and it does not cover an audit performed for purely business purposes). Hence, hiring an attorney to perform the audit and make recommendations gives management more discretion when deciding whether the company will adopt the attorney’s recommendations. In some cases, the decision to implement changes or not will be determined by a cost/benefit analysis. The point is not to make every change that might possibly mitigate risk; rather, it is to understand the risks and make informed decisions about them.
A compliance audit should be done periodically. How often depends on the rate of growth of the company and the number of changes to its business plan. An interesting example of this concept can be found in the rules of the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization that regulates broker-dealers. While there is no simple correlation between a heavily regulated business like that of broker-dealers and companies in a more typical business environment, there are sometimes lessons to be learned by considering the requirements developed by regulators. For example, FINRA Rule 3130 requires the CEO (or equivalent) of each broker-dealer member to certify in writing annually that the firm “has in place processes to establish, maintain, review, test and modify written compliance policies and written supervisory procedures reasonably designed to achieve compliance with applicable FINRA rules, MSRB rules and federal securities laws and regulations, and that the chief executive officer(s) has conducted one or more meetings with the chief compliance officer(s) in the preceding 12 months to discuss such processes.” Adapting this concept to “unregulated companies” (a misnomer), the CEO or the Board might want an annual certification from one of the other officers in the company that describes the results of a compliance review. Not only might such a policy lead to a discovery of under-appreciated regulatory risks, but it can also provide evidence to government investigators that the company takes compliance seriously.
2. Not Using a Board of Directors Effectively
Too often, the Board of Directors acts as a “rubber stamp” for the CEO and Board meetings are viewed as a formality. This is not hard to explain. Directors who are employees of the company will invariably defer to the CEO. Directors who are not employees want to be collegial and supportive. Contentious Board meetings are unpleasant; directors do not want to diminish the CEO’s authority because, after all, the CEO was appointed to make the hard decisions; and the CEO undoubtedly has a more detailed understanding than the directors of any proposal or recommendation put before the Board. That said, a passive Board is a wasted resource.
Directors should have a meaningful opportunity to add items to the agenda of a meeting. This might be anything of interest to a director, e.g., an analysis of competitors or competitive trends, a comparison of certain expenses on a period-to-period basis, financial projections using various assumptions, or a valuation of certain assets with a view to purchase or sale. Setting the agenda should be a collaborative process. There are items that the CEO should cover and wants to cover, but the meeting is also an opportunity for the directors to learn about aspects of the business that they feel they should know more about. The agenda controls the discussion. To expand the discussion, expand the agenda.
Independent directors are a good idea. Few are the employee-directors who will question, let alone challenge, the views of the CEO in a Board meeting. Moreover, independent directors can add a different perspective because they have not been so deep in the trees that they can no longer see the forest. For an employee-director, a Board meeting can be a “nuisance”, another internal meeting that must be endured while more pressing work awaits. This should not be the view of an independent director, who in most cases would not take on the responsibility of a directorship unless he or she was willing to give Board meetings the attention they deserve. Moreover, an independent director can fill a gap in the Board’s collective expertise. The company might want an accountant, an engineer, a lawyer or a person with a depth of experience in certain operations to be an independent director. The possibilities are numerous. It is a relatively inexpensive way to enhance the quality of Board discussions and Board decisions. And if an independent director is not noticeably adding value to meetings or is being overly critical without being constructive, they can and should be replaced.
Presentations made to the Board should be thorough and objective. If they are backward-looking (reviews) they should identify where expectations were met and where they were not met and, in the latter case, the reasons for the failure to meet expectations. If the presentations are forward-looking (planning or proposals) they should identify all the risks, all the assumptions and all alternatives to the plan or proposal being recommended. Any presentation can be “spun”, any statistics can be manipulated, and any idea can be made to look better than it is, especially with charts, artwork, photos and the other impressive techniques now readily available. Typically, such biased presentations are not deliberate attempts to mislead or deceive. They are simply “result oriented”, i.e., designed to show why someone’s good idea is really a good idea. This can be a disservice to the directors and the shareholders they represent. Shareholders are investors. Just as investors are entitled to accurate, fairly presented information when they make their initial investment decision (and the securities laws require this, whether in the context of a public offering or a private placement), investors’ representatives are entitled to accurate, fairly presented information so that they can discharge their responsibilities properly.
Another good idea is special committees. The Board can appoint a special committee for any purpose. The committee can have any number of directors, even just one. Typically, the special committee has no authority to make decisions. Its role is to study an issue or a plan and make recommendations to the full Board. This use of special committees offers two benefits. First, the committee will usually devote more time to its assigned task than the Board would devote on its own. The committee’s deliberations might even include seeking advice from outside advisers. And second, this is a way to mitigate the dominating influence of one Board member, such as the CEO. Assuming the dominant director is not put on the special committee, the committee members will feel less like they are reacting to one point of view and more like they are exploring a range of ideas. Special committees consisting of independent directors are often used by publicly held companies in situations such as takeover proposals, where insider-directors have a vested interest in the outcome of the decision. The same concept can be used by privately held companies for less significant matters.
Finally, the Board of Directors should have an appropriate number of members to conduct effective oversight. A Board with too few members may not bring enough perspectives to ensure that plans are properly vetted and risks are fully understood. With an overly large Board, individual directors may feel less personal responsibility for overseeing the financial affairs of the corporation.
3. Not Anticipating Changes in Regulations
Change happens. In fact, change happens at an ever-accelerating pace. And there are many types of change: technology, the competitive landscape, laws and regulations, taxes, costs, consumer preferences, accounting standards, etc. The list is endless. There are now many consultants who specialize in “change management” because change is often disruptive, unsettling for employees, and threatening to organizational efficiency. This all speaks to coping with change. An even bigger challenge lies in anticipating change.
For example, a business should understand the regulatory implications of any possible change to its business model before the change is adopted. It should also identify and prepare for changes in law and regulation, and look for ways to reduce the costs and effects of anticipated changes even if that means modifying its structure, its traditional business practices or other aspects of the business model, such as markets, products, or distribution channels. The common approach is to wait for such external events to occur (and be discovered) and then adapt as necessary. The problem with that “reactive” approach is that it takes time to learn and adapt, and in that span of time, even if relatively short, unexpected problems can arise. To give just one example, consider the recent Treasury Department requirement that officers of a company report annually the foreign bank accounts of the company over which they have signature authority, even if they have no personal or beneficial interest in the accounts. A company that was not monitoring regulatory developments might not have learned about and responded to this reporting requirement until the deadline for reporting had already passed.
This third “common mistake” relates to the first two. Understanding regulatory risk means learning about proposed regulatory changes before they occur. How does your company monitor regulatory developments? Who in the organization is responsible for this monitoring and do they know how to do this? Should you be using an outside firm for this monitoring? Law firms will do this, of course, but there are other, less expensive alternatives.
And the Board of Directors should be apprised of possible changes in laws and regulations and how they might affect the business. This is part of the Board’s oversight responsibility. It is far better to tell the Board what might be happening, even if it never occurs, than to explain to the Board why the company is paying a fine or responding to a regulator because it did not learn about a new regulatory requirement until it was too late to prevent a violation.
Publicly held companies make these mistakes, too, but to a lesser extent because they have more financial resources and personnel to devote to compliance and regulatory monitoring. They also have regular contact with outside law firms and accounting firms, many of them have dedicated compliance officers and/or in-house counsel (or a legal department), and their Board structure must meet SEC, stock exchange and other requirements, such as Sarbanes-Oxley. In contrast, privately held businesses must manage their risks with fewer resources. The risks may seem smaller, but not if they turn into problems.