Ethics and Governance

Ethics and Governance

Barry Robinson explains the obligations placed on private companies arising from the new EU Whistleblower Directive.

On 7 October 2019, the EU approved a new Directive on the protection of persons reporting on breaches of European Union Law, also referred to as the Whistleblower Directive. In Ireland, public bodies have had regard to the Protected Disclosures Act 2014, which was amended in June 2018 to incorporate provisions of the EU Protection of Trade Secrets Directive. The current legislation entitles a worker (as defined in the 2014 Act) to report wrongdoing in a public body if there is a reasonable belief of such wrongdoing, and to have their identity protected. However, the Whistleblower Directive, which must be adopted into Irish law within two years, will extend the obligations under the 2014 Act to the private sector as well.

The Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations, a global analysis of the costs and effects of occupational fraud, shows that tip-offs, or whistleblowing, remain the most effective method of detecting occupational fraud, which highlights the importance of this legislation.

What will the EU Whistleblower Directive mean for private companies in Ireland?

The Directive will make it mandatory for companies with over 50 employees to establish internal reporting channels, both for reporting and follow-up. The Directive allows companies with between 50 and 249 employees to share resources for the receipt of reports and for any investigation to be carried out.

Who will “reporting persons” be?

The 2014 Act currently defines a “worker” who can make a protected disclosure as an employee or a contractor. Under Article 4(1) and 4(2), the Directive will extend the definition of “reporting persons” to include shareholders, who are not currently covered by the 2014 Act. It will also include volunteers and unpaid trainees, and individuals who report on breaches that came to their knowledge through a work-based relationship which has since ended.

What are the required timeframes for following up on a disclosure?

The Directive will impose timeframes on companies that receive a protected disclosure by creating an obligation to respond to, and follow up on, the whistleblower’s report within three months (with the option to extend this to six months for external channels in duly justified cases). Receipt of a disclosure must be acknowledged within seven days.

Will the reporting channels be internal or external?

The Directive seeks to encourage disclosures internally in the first instance. The Directive states: “as a principle, therefore, reporting persons should be encouraged to first use internal reporting channels and report to their employer, if such channels are available to them and can reasonably be expected to work”. However, the Directive also allows for external reporting channels. Third parties could be authorised to receive reports of breaches on behalf of legal entities in the private and public sector, provided they offer appropriate guarantees of respect for independence, confidentiality, data protection and secrecy. Such third parties could be external reporting platform providers, external counsel, auditors, trade union representatives or employees’ representatives.

Protections against any form of retaliation from employers will be given to persons who report wrongdoing internally and externally. The protections under the Directive will also extend to persons “who make such information available in the public domain, for instance, directly to the public through online platforms or social media, or to the media, elected officials, civil society organisations, trade unions, or professional and business organisations.”

Who are “prescribed persons”?

The Directive includes provisions in respect of “competent authorities” to whom a disclosure can be made. The Directive states: “in the case of legal entities in the private sector that do not provide for internal reporting channels, reporting persons should be able to report externally to the competent authorities”.

Are there any new requirements?

The Directive introduces a wide range of new requirements for companies that receive disclosures, which are summarised below.

Secure channels for internal reporting. The Directive states that internal reporting shall require “channels for receiving the reports which are designed, established and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members”.

Dedicated, impartial staff to handle reports. The Directive requires the designation of a neutral person or department competent for following up on the reports, which may be the same person or department as the one that receives the reports. These dedicated staff members will maintain communication with the reporting person and, where necessary, ask for further information from – and provide feedback to – that reporting person.

Diligent follow-up. The Directive requires thorough follow-up and the provision of feedback within three months (which may be extended to six months in duly justified cases).

Transfer to another competent authority. The Directive allows for the transfer of a disclosure to another competent authority where the receiving body does not have the competence to deal with the matter. The Directive states that this must happen “within a reasonable time, in a secure manner, and that the reporting person is informed, without delay, of such a transmission”.

Reporting the outcome per national law. The Directive states that the receiving body must communicate to the reporting person the result of investigations triggered by the report, in accordance with procedures provided for under national law.

Procedures for making a disclosure

Article 13 of the Directive sets out the information a competent authority must publish concerning the receipt of disclosures. The following information must be published on the competent authority’s website, which must be reviewed and updated every three years:

The conditions under which reporting persons qualify for protection
Contact details for the external reporting channels – in particular, the electronic and postal addresses, and the phone numbers for such channels, indicating whether the phone conversations are recorded
Details of how the disclosure will be processed
Details of the timeframes and format for feedback
Details of the confidentiality regime and how personal data will be processed
Details of whether or not a discloser will be held liable for a breach of confidentiality
Remedies and procedures available against retaliation
Contact details for any other relevant body or information body providing advice to the discloser

Protections against penalisation

The 2014 Act makes clear the rights of an individual if an employee is penalised for making a protected disclosure. The Directive states: “it should not be possible for employers to rely on individuals’ legal or contractual obligations, such as loyalty clauses in contracts or confidentiality or non-disclosure agreements, so as to preclude reporting, to deny protection or to penalise reporting persons for having reported information on breaches or made a public disclosure providing the information falling within the scope of such clauses and agreements is necessary for revealing the breach. Where those conditions are met, reporting persons should not incur any kind of liability, be it civil, criminal, administrative or employment-related”.

Article 20 of the Directive states that reporting persons shall not incur liability of any kind in respect of such a report or public disclosure, provided they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary to reveal a breach under the Directive.

What about trade secrets?

The 2014 Act was amended in 2018 to incorporate provisions of the EU Protection of Trade Secrets Directive. This required whistleblowers to demonstrate that they acted in “the general public interest” when disclosing commercially sensitive information. The Whistleblower Directive, however, states that where a reporting person can show “reasonable grounds”, they will incur no liability in respect of disclosures, including for defamation, breach of copyright, breach of secrecy, breach of data protection rules, disclosure of trade secrets, or for compensation claims based on private, public or collective labour law. This appears to lower the burden of proof for reporting persons from acting in the public interest to acting on reasonable grounds.

What should companies do?

All companies in Ireland should review their obligations under the Whistleblower Directive and assess their ability to implement internal reporting channels and assign dedicated staff to handle such reports. Companies should plan how reports will be investigated independently and within the timeframes required by the Directive. While many companies may be tempted to adopt a “wait and see” approach, they must act now to implement systems and reporting channels in line with the Directive.

Barry Robinson FCA is a Director, Forensic Services, at BDO Ireland.

Feb 10, 2020
Ethics and Governance

It can take several years and a lot of hard work to build an effective board. David W. Duffy outlines key measures that can be taken to improve its effectiveness.

It can take several years to build a fit-for-purpose board that has the leadership and dynamism to support the executive team. The most important element in any governance structure is the Nominations or Talent Acquisition Committee. The purpose of this committee is to help the board make sound business decisions by appointing the right board members. If this committee does not do its job, the board and the organisation risk stagnating through a lack of new ideas or challenges to the status quo.

New appointments should be strategic, not tactical; they must bring unique skills and experience to the company that will have a real and tangible impact at board level. This could include the world of digital, geopolitical insight, capital raising, or knowledge of a particular sector, such as offshore life assurance. Rushed board appointments are not a sign of good corporate governance; each appointment should be considered carefully before being made.

So, assuming the board is populated with the right talent, here are a few examples of other measures that can be taken to improve its effectiveness:

Conduct regular external board evaluations to get an outside perspective on the effectiveness of the board.
Conduct 360 reviews of the board directors.
Make sure that the information provided by the executives is assessed annually to ensure the board can do its job efficiently.
Have an annual work plan for the board and for all its committees. This will help set the agenda for the year, and will also ensure the board spends enough time on the future by delegating as much as possible to its committees.
Hold an away day at least once a year to reflect on the board’s strategy in some depth and to focus on specific issues, such as looming regulation or competition issues. This also provides an opportunity for the directors to get to know one another better.
Invest in the capability of the board through a professional development programme. The board evaluation may well indicate what the directors would like in terms of development, but it is helpful to ask them as well. Topics will depend on the company, but the programme could focus on new regulation and compliance requirements, sustainability, diversity and inclusion, etc.

David W Duffy FCA is the Founder and CEO of The Governance Company and the author of A Practical Guide to Corporate Governance, published by Chartered Accountants Ireland.

Jan 31, 2020
News

How can a board set the example rather than become one? Ros O’Shea gives a five-step approach to creating an ethical board.

“Where was the board?!” is the question often asked in the immediate aftermath of corporate misconduct. Stakeholders, quite rightly, expect boards to ensure businesses are run ethically. Yet sometimes boards (and usually their companies in turn) fail dismally in this crucial aspect of their role. What can a board do to ensure the highest levels of probity in their organisations? This five-step approach can help.

Ensure the ethical infrastructure is in place

From a code of conduct to ethics training, speak-up channels, ethical due diligence procedures and incentive programmes that reward the ‘how’ as well as the ‘what’, directors must ensure the appropriate infrastructure is in place in their organisations to enable and foster a culture of integrity. This is akin to laying down an ethical ‘base layer’.

Appoint the right CEO

In leading that culture, the CEO is key. On appointment, they are entrusted with the organisation’s most precious asset – its reputation – and must be responsible for its safekeeping. It is the most important decision the board makes and demands commensurate investment in a robust process to recruit the right leader.

Act ethically

It is rare for a board to deliberately endorse an illegal act, but we know there can be a vast difference between decisions that are legal and those that are right. Decisions are usually right when a director is comfortable being personally accountable for their part in them, especially if they were to be made known to their family on the front page of the local newspaper. Directors would do well to assess all decisions through that lens and determine whether they want to simply meet the bar, raise the bar or – better – set the bar in terms of moral courage.

Lead by example

In order to effectively set the tone from the top, the board should be a microcosm of the organisation’s desired culture. Espoused values, such as respect and openness, should underpin board interactions and encourage constructive debate. IQ at this level is a given, but emotional intelligence (EQ) differentiates high-performing directors and their boards and should be a prized quality in director recruitment.

Monitor culture

Finally, directors must recognise that only so much governance can be done within the confines of the boardroom; they need to experience first-hand the organisation’s “mood music”. This provides the board with the holistic assurance it needs that the desired culture is truly living and breathing across the organisation.

By following these five steps, the board will focus on doing the right things and asking the right questions, which will ultimately lead to the right outcomes. Briefly, that is the board’s role in relation to ethics: to stand squarely behind their chosen CEO and collectively set the tone from the top while providing independent oversight of the organisation’s ethical infrastructure and culture.

Ros O’Shea is the founding partner of Acorn Governance Solutions.

Jan 31, 2020
News

With so many disruptive technologies available, is it possible for directors to keep up with the needs of the business? Kieran Moynihan explains how, with the right NEDs, a company can thrive in a constantly evolving digital world.

As disruptive technologies such as artificial intelligence, robotic process automation and emerging payment technologies grow in adoption, many boards are struggling to understand how these will impact customers, market segments and the competitive landscape. Crucially, how can they incorporate these technologies into their overall strategy and business models? This relentless wave of technology disruption is increasingly upsetting the traditional hierarchy of markets by lowering the barrier to entry for new competitors. Companies need to adapt to harness the opportunities and benefits of these disruptive technologies, otherwise they risk being left behind irrespective of their traditional market position.

Often, the reason behind this struggle to adapt to technological disruption is a significant lack of technology expertise among non-executive directors (NEDs). This is further compounded by a serious age diversity problem on boards where, across Ireland and the UK, the average age of many boards is late 50s to early 60s. The vast majority of these NEDs indicate that areas such as cyber-security are problematic for them. This, in turn, impacts their ability to provide high-quality, robust challenge, debate and oversight of the CEO and executive team in terms of how a company incorporates these disruptive technologies into its strategy. In marked contrast, younger NEDs in their 30s and 40s tend to be very comfortable in the digital and disruptive technology landscape, have a strong understanding of how customers’ requirements are evolving, and can genuinely challenge and support the CEO and executive team in these areas.

On most boards, the traditional approach to selecting NEDs has focused on a majority of generalists with significant executive experience and a number of sector specialists, which has led to a predominance of financial and general business skills around the board table. However, as both the pace and complexity of emerging disruptive technologies have significantly increased, this traditional model is breaking down and many sector-specialist NEDs are finding it challenging to keep up with the pace of change. Many CEOs and executive teams are struggling to make big calls around technology and business model choices.

There is a growing trend of board chairs and CEOs who realise that, in order to thrive, the board team needs to be refreshed with the addition of NEDs who have advanced technology expertise. They will be able to provide ample support to both the overall board team and the CEO/executive team, thereby strengthening the ability of the company to embrace disruptive technologies, understand the changing needs of its customers and position itself for sustainable long-term success.

Kieran Moynihan is the Managing Partner of Board Excellence.

Jan 31, 2020
Ethics and Governance

Boards increasingly need to show how they measure their organisation’s culture, but the key information is likely already available within the business, writes Ros O’Shea.

The South Sea Islanders have a word, “mokita”, which translates as “the truth that everyone knows, but nobody speaks”. Other notable definitions of culture include “a system of beliefs, shared values and behavioural norms”, “the way we do things around here”, or even the “mood music” or “resting heart-rate” of an organisation. Whatever the definition, stakeholders, still shaken by a litany of corporate scandals including endemic ethical failures in financial markets, now recognise that, as Peter Drucker said, culture does indeed eat strategy for breakfast – and arguably for lunch and dinner too. Their demands have led to concerted efforts in recent years to rebuild trust and restore integrity to the heart of the enterprise.

Figure 1 highlights some of these welcome developments, which go well beyond extending the rule book or adopting a tick-the-box approach to compliance. It seems everyone has landed on the same page, which says: you can have all the rules in the world, but there is no substitute for character. Much has been written already about how to cultivate character and foster a values-based culture. Indeed, Chartered Accountants Ireland published my book on the topic, Leading with Integrity, in 2016 and has issued several related guides and research papers since.

As organisations seek to embed cultural change, the question everyone is now grappling with is: how do you measure it? How can those charged with governance determine whether the tone from the top is being cascaded through the ‘muddle in the middle’ and reflected in the ‘echo from the bottom’? Is it possible, with any degree of accuracy, to properly calibrate an organisation’s mood music or gauge its steady-state operating rhythm? The answer is yes. My ‘5 Organisational Culture Caps’ (5OCC) approach aims to do just that.

Loosely based on Edward de Bono’s ‘Six Thinking Hats’ system (where coloured hats represent different modes of thinking), 5OCC assigns each cap to one of five different stakeholders. By donning each cap in turn and thinking about culture from each of these perspectives, a holistic view is developed of how your espoused values align with how your organisation behaves towards these key constituencies in practice. Four caps are pre-assigned – your customers, staff, shareholders and community all deserve their own headgear. You get to pick who wears the last cap, and your choice is likely to be heavily influenced by the sector in which you operate. For example, financial services firms may well pick the regulator; key vendors may be a valid choice for those downstream in the supply chain; whereas for other organisations, agents, brokers or other business partners on whom they rely to deliver products or services may get to wear a cap. Once you determine the full suite of stakeholders, the next step is to select the key metrics that best capture their unique expectations of your organisation’s culture. Let’s don each cap in turn.

The customer

Arguably the single best way to actively test the consistency of stated values with the customer experience is to attempt to buy the product or the service. Or you could try to make a complaint and follow what happens. Other key cultural indicators from the customer perspective include:

Customer surveys
Net promoter scores
Complaints statistics
Feedback from customer focus groups
Social media and press coverage
Litigation and claims
Awards and ratings

The staff

Here, staff is defined in its broadest sense (i.e. from the boardroom to front-line employees). Again, boards should recognise that only so much governing can be done within the confines of the boardroom, and one of the most effective means of assessing the organisation’s tempo and temperament is to get out and about and engage with staff at all levels. Ideally, this should be done in informal ways and settings (such as townhalls or listening lunches) so that site visits don’t become ‘state visits’. The HR department will be a deep reservoir of information to help you understand and monitor the extent to which values are truly lived across the organisation. There are many possible metrics under this heading, some of which are set out below:

Staff surveys, engagement indices and culture audits
360 reviews of senior management and board evaluation surveys
Remuneration and incentive policies
Ethics training and communication strategies, and their effectiveness
Statistics on staff turnover, absenteeism, safety and disciplinary actions
Whistleblowing and grievance reports, and relationships with unions
Diversity and inclusion data
Recruitment processes, succession plans and promotion decisions
Integrity awards or similar
Online employee feedback (e.g. via Glassdoor) and exit interview notes

The shareholder

The nature and extent of shareholder engagement will very much depend on the type of organisation, and metrics will need to be calibrated accordingly. For private, charitable or state-owned firms, it may be a relatively straightforward process to monitor the strength and success of the relationship with the organisation’s owners, trustees or relevant government department – most likely by being party to regular discussions. Some of the following metrics may also be relevant, and will certainly be pertinent for companies with a larger and more dispersed share register:

Governance structures and board performance
Correspondence and engagement with key shareholders
The AGM experience
Internal and external audit reports
Independence and competence of risk, compliance, audit and legal personnel
Investor or analyst reports
Industry benchmarks
Transparency and disclosure in financial and other reports

The community

Here again, the relevant community may be local or global, or somewhere in between, and metrics will need to be commensurate with the organisation’s scale and footprint. Particulars will differ but, overall, they will aim to measure the extent to which the business is contributing to – and valued by – the communities in which it does business. Specific metrics are more elusive under this heading, but an assessment of culture wearing the community cap will include discussions around:

CSR activity in the community
In-house ‘green’ initiatives
CSR ratings and ESG credentials
Sustainability reporting
Progress towards committed UN Sustainable Development Goals
Carbon footprint, water use and waste
Local press coverage

A.N. Other

As outlined earlier, you get to pick who wears the fifth cap. If, for example, suppliers are an important stakeholder group for you, measures such as promptness of payment, supplier audits and feedback from key vendors would be important to consider. If the regulator is to wear the cap, relevant areas of focus could include the number of fines, regulatory breaches, risk appetite exceptions, inspection reports and the general tone of correspondence. Metrics can also be devised for any other stakeholders by considering which aspects of your culture are likely to matter most to them. Such metrics may best be ascertained by directly canvassing their opinions.

The most helpful aspect of the 5OCC approach is its practicality. Most, if not all, of the information required for the various measures will already exist in your organisation. It is simply a matter of collating and synthesising these valuable, but currently disparate, sources of data to provide a five-way mirror back to the organisation showing how the espoused values are truly living and breathing. There is no doubt that what gets measured gets done. Metrics matter.

Boards and directors will increasingly need to prove and publish how they measure and monitor their organisation’s culture, and I hope this model is a helpful aid in that endeavour. But again, we must remember that there is no substitute for character. All the KPIs in the world won’t displace the board’s most important role, which is to ensure they have the right leadership team who will do the right things for the right reasons. You can’t cap that.

Ros O’Shea FCA is an independent director and governance consultant.

Dec 03, 2019
Ethics and Governance

Níall Fitzgerald explains how to achieve consensus, do your duty, and be yourself as a charity or non-profit trustee.

There is something exceptional about those who volunteer their time, skill and expertise to a board, or sub-committee, for the benefit of a cause they feel passionate about. As Nelson Mandela put it, “there can be no greater gift than that of giving one’s time and energy to help others without expecting anything in return”. But being a board or sub-committee member (trustee) for a charity or not-for-profit organisation is not without its challenges. These challenges can present themselves around the board table in the form of disagreement or frustration as you strive to get things done. People skills and leadership skills will be called on in order to listen effectively, convey concern, and constructively challenge and support the ideas of other trustees so as to achieve consensus.

Difficult dilemmas

Achieving consensus is not always easy, especially when resource constraints (financial or otherwise) impact the organisation’s ability to realise its strategic objectives. Difficult dilemmas can be tabled at board meetings, which can present challenges for the organisation and test the core values that compelled each trustee to volunteer in the first place. A classic example involves proposals to suspend services in one area, to the detriment of some beneficiaries, in order to ensure continuity in another. An avalanche of conflicting priorities around the board table can result in an impasse.

Challenges like these can make a trustee grateful for a good governance framework. Such a framework can provide clarity on their duties and responsibilities to the organisation, including the various stakeholders it serves. There can be comfort in understanding the policies and procedures that ensure the collation and adequate flow of accurate information from the front-line service providers (both staff and volunteers) and senior management to the board. Such information results in better decision-making that is in the best interests of the organisation as opposed to any individual or group of trustees. Such a framework will also provide a welcome format for effective and well-chaired discussion at the board, and ensure that the right level of diversity, skills and expertise is brought to bear on the decision-making process.

Rule of law

But what about the rule of law regarding the trustee’s duties and responsibilities? An understanding of these rules will help channel a thought process towards what is important for the organisation. A trustee does not need a law degree to understand these requirements. Rather than feel overwhelmed, it is useful to first understand the organisation (including its vision, mission and values), its legal structure (e.g. company, trust, unincorporated, etc.) and the area within which it operates. This process will highlight the laws and regulations that are most relevant for consideration. Figure 1 illustrates the types of legal and regulatory duties that apply to trustees. Notice that some overlap, and that they share a common design to ensure that the organisation is always the focus of consideration.

Being involved as a trustee can be the gift that keeps on giving for the individual and the organisation. Challenges present opportunities for trustees to exercise values, apply skills, provide expertise, assess problems and inform decisions in a different way – for example, through the lens of life-changing consequences. A good governance framework and adherence to the rule of law will provide another useful lens to guide, rather than impede, trustees towards consensus on trickier dilemmas.

Dec 03, 2019