Govern yourselves accordingly....
Updated: Sep 7, 2020
Corporate Governance Best Practices and Red Flags
Sometimes even well-managed companies get caught off guard by a flaw in a contract, an unexpected change in regulatory policy or even misbehavior by a senior officer.
Fortunately, most legal and regulatory problems don’t strike out of the blue. There are usually “red flags” – incidents or conditions hinting at trouble.
The Price of Bad Governance
Bad governance is worth catching and correcting because it’s costly. In 2017, Volkswagen was hit with $4.3 billion in criminal and civil penalties for emissions cheating.
A year later, Wells Fargo was hit with a $1 billion fine for wide-ranging compliance violations.
What most see in the headlines is just the tip of the iceberg. Few heard that StarKist Co. pled guilty to a felony charge of price fixing on canned tuna in October of 2018 and faces a fine of up to $100 million.
Or that Hobby Lobby is facing class action lawsuits over marketing practices.
Wells Fargo’s independent directors detailed that company's compliance and governance failings in a 110-page “Sales Practices Investigation Report.”
Red flags flew for years.
They signaled that Wells Fargo’s culture, structure and compensation plans were putting the company on a collision course with regulators, prosecutors and plaintiffs.
The conduct included millions of unauthorized bank accounts, unauthorized charges for auto insurance and abusive mortgage rate-lock extension fees.
Scandals like these are shocking, but countless intentional and unintentional violations are continually set in motion at companies of all sizes and across all industries, often because of weak governance practices.
Legal and Regulatory Red Flags
Here are six common legal and regulatory red flags:
1. Customer Complaints. As general counsel, I always require regular updates on customer complaints. In particular, I want information on trends, clusters or allegations of unfairness or illegality.
Customer complaints sometimes need to be taken with a grain of salt, but turning a blind eye to concerning patterns is folly, as Wells Fargo ultimately learned.
It is generally good risk management to quickly resolve complaints in the retail customer’s favor, absent evidence of fraud.
2. Oversight Issues and Lack of Accountability. Any board that is not receiving regular and direct reports from its senior legal, compliance and regulatory officers is courting disaster. Where legal and compliance officers are relegated to reporting below the CEO, such as to the CFO, chances of timely and candid reporting to the board are reduced.
As general counsel, I insist on attending every board meeting and having a reporting relationship with the board’s audit committee. Legal and compliance officers with strong reporting lines are better positioned to deal with red flags.
"Drawing the Line as In-House Counsel" discusses some helpful techniques and strategies for stopping and preventing misconduct.
One thing many observers have pointed out about the Wells Fargo “Sales Practices Investigation Report” is the scarcity of any blame or accountability directed at, or accepted by, the board itself.
Legal and regulatory violations should trigger meaningful accountability all the way up the chain of command.
More concerning are leaders who publicly thumb their nose at regulators. Elon Musk’s attitude toward the SEC in 2018 has been a red flag for his board, investors and regulators. His attitude caused the SEC to push him off the Tesla board. And more issues could be coming for Tesla.
During my time in SEC Enforcement, we pushed for criminal prosecution by the Department of Justice when civil or administrative tools seemed inadequate to deter more bad acts by particular defendants. I worked on two prosecutions as a Special Assistant United States Attorney.
I was reminded of those interesting days when the Wall Street Journal reported on October 26, 2018, that the FBI is investigating Tesla's earlier production forecasts.
3. Willingness to Take Excessive Legal or Regulatory Risk. Good business lawyers help clients find better, smarter ways to comply with laws and regulations. There are always opportunities for legal and regulatory innovation. But directors, managers and others should be skeptical of those with an “ask for forgiveness later” mindset.
Musk’s statement that his $20 million SEC fine was “worth it” suggests he doesn't know about his fiduciary duty to handle regulatory matters at or above the "reasonable person" standard.
4. Conflicts of Interest. Conflicts of interest can be harmful in their own right, say if a company pays too much to a supplier controlled by an insider. They can also be signs of compromised governance policies or checks and balances. Weak checks and balances lead to bigger problems, like misuse of company assets, compensation abuses, or other forms of self-dealing.
Compensation schemes that pit compliance against profit create harmful regulatory dynamics. All of Wells Fargo’s problems stemmed from a combination of unrealistic sales goals and financial incentives that did not distinguish between legitimate and illegitimate new accounts.
When employees face conflicts of interest between doing the right thing or making piles of money, sometimes they choose piles of money.
5. Cozy or Controlled Boards. Most startups function well through their formative stages with very small boards, often consisting of just two or three founders. And many small “lifestyle” businesses also do well with small boards.
But a small board of company officers and close associates is a bad fit for a company with substantial operations or substantial investments from third parties. Boards need to achieve and maintain appropriate scale and independence.
Many Silicon Valley companies develop similarly serious governance dysfunctions when founders award themselves super-voting shares to maintain board control. Many of Uber’s and Facebook’s legal and regulatory problems have been attributed to their boards' inability to effect governance and compliance reforms in the face of their founders’ tight control.
These companies demonstrate how a dominated board can be a predictor of legal and regulatory problems.
It is also worth noting that, on the other end of the spectrum, some boards are too large to operate effectively, particularly where difficult strategic decisions need to be made and executed.
6. Ethics or Moral Leadership Violations. Evidence of ethical or moral lapses by a company or its leaders is another red flag suggesting other legal or regulatory issues may be amiss. Uber’s gender discrimination problems drew even greater attention to the company's law-breaking culture under the control of former CEO and co-founder Travis Kalanick.
The company faces criminal probes and lawsuits in the U.S. and abroad.
Governance Best Practices
So what governance practices can companies use to stay out of the headlines except to announce innovations and financial results? At its core, good governance requires a robust system of top-down oversight and accountability, combined with bottom-up reporting and transparency.
1. High Functioning Board. Good governance demands maintaining a consistently high-functioning board. This is often the hardest best practice to get right.
Board Makeup. Effective boards are composed of dedicated, intelligent individuals with relevant expertise who stay informed, keep up with the demands of the role and sometimes ask awkward questions of management and each other about company performance and direction.
While every situation is different, strong boards often have a mix of expertise in sales, marketing, finance, technology and in the company’s specific industry.
Strategic thinkers who can see above and beyond immediate challenges add special value to any board.
Every board should also have at least one director with proven leadership development and mentoring skills to pass on to and develop among the executive team.
Board Size. Board size usually depends on a company’s stage of development. At any stage, boards smaller than four or five members can suffer from limited independence and perspective, while boards larger than twelve or thirteen can become unwieldy, unaccountable and unfocused.
Some reports suggest that the ideal number of directors is between seven and nine.
Training and Education. Every board should adopt board member training and guidance materials or tools, educating members on their roles and setting expectations for performance.
These should cover:
The board’s obligation to manage the business and affairs of the corporation.
The respective roles and obligations of the board and the management team.
Board member attendance, engagement and preparation requirements.
Board education should also cover key governance principles, including:
A board member’s fiduciary duties, duties of loyalty and duties of confidentiality.
Prohibitions against conflicts of interest and self-dealing.
How conflicts of interest, self-dealing and other misconduct can void or nullify rights to indemnification or D&O insurance coverage.
Protecting decisions from judicial challenge under the “business judgment rule” by documenting the evaluation of a reasonable range of competing considerations in making important decisions.
Board member education helps ensure board members understand and meet their obligations. Hopefully it also discourages bad behavior.
Share board education materials with board candidates so they know what they are signing up for.
Performance Improvement. It’s not uncommon for a board to have a seat or two filled by underachievers or disruptors. Board member “360” evaluations are discussed below. As noted there, peer pressure to improve board member performance can be effective.
Other strategies for fixing board member performance issues are covered in "Fixing Problems in the Board Room."
The thorny issue of director removal is also discussed further below.
Small Company Boards. Smaller companies are often slow to evolve beyond two- or three-person, founder-only boards. These are fine for small lifestyle businesses and during a startup’s early days. Founders are naturally reluctant to share governance and leadership authority with others who might disagree and crush their idea.
But aversion to outside guidance is a red flag for potential investors. Growth generally causes and requires reductions in founder influence over a board. Founders have to accept that the depth and sophistication of the board has to grow with the company.
Case law and regulations attest to the beneficial influences of independent board members.
2. Clearly Established Roles and Expectations
Every organization should establish clear standards of conduct and clear roles and expectations for every employee, from the C-suite to the mailroom, including directors.
Ethics Policies, Employee Handbooks, Travel Expense Policies. In physical buildings, decay can spread if it gains a foothold. The same is true for organizations.
Loose policies on travel and entertainment expenses, gifts from vendors, and the like, can lead some employees toward ever-larger indiscretions.
Preventing an unethical culture from taking root requires setting baseline expectations with an ethics policy, an employee handbook and whatever documents are chosen to lay out a company’s rules and policies governing employee, officer and director conduct.
They should spell out what is acceptable and what is not, so, among other things, individuals can be timely and confidently terminated for misconduct.
Offer Letters and Employment Agreements. Each employee and officer should sign an Offer Letter Agreement, Employment Agreement or similar document describing his or her role, duties and reporting relationship, and obligating him or her to follow all company rules and policies contained in its ethics policy, employee handbook and travel and entertainment policy, as applicable.
Senior Officers. Although most employees are terminable at will, senior officers often have non-at-will agreements with severance provisions and other benefits.
It is important that all employment agreements be terminable for cause. Cause should be defined to permit termination for, among other things:
conviction of certain crimes,
any material violation of company rules and policies,
breaches of fiduciary duties or duties of loyalty to the company,
failure to achieve agreed-upon objectives,
neglect of duties,
failure to follow valid directives, and
Writing these provisions to withstand challenge requires consultation with employment law specialists, since applicable statutes and precedents vary.
Equity grants to senior executives should also always vest over an appropriate schedule to ensure performance and accountability. Companies should also consider appropriate stock claw-back provisions covering vested shares in the event of termination for cause.
The ability of a company to remove senior officers and other employees for poor performance and for suspected misconduct is critical for maintaining a proper chain of command and oversight from the board on down. More on this in 4. below, Accountability.
Director Removal. Nominees need to be very carefully vetted. As discussed below, litigation is generally not an option for removing even terrible directors.
Directors are only removable during their term (with or without cause) by a majority vote of the shareholders that would be entitled to vote for the election of a particular director.
Depending on a company’s articles (or certificate) of incorporation, that might mean:
majority vote of the common stock shareholders,
majority vote of a single class of preferred stock shareholders (e.g., Series A, Series B, Series C),
majority vote of all classes of shareholders voting together, or
majority vote of some combination of preferred classes or preferred and common.
In each such case, it is the majority of such votable shares that count toward removal of a specific director, whether removal is for “cause” or not.
A recent Delaware decision found that the majority vote standard for director removal was mandated under Section 141(k) of the Delaware General Corporation Law. The court struck down Nutrisystem’s adoption of a bylaw provision requiring a two-thirds vote to remove a director. (Taylor B. Bartholomew In Frechter v. Zier, C.A. No. 12038-VCG (Del. Ch. Jan. 24, 2017))
The only remotely viable process for forcibly removing a director is a "derivative lawsuit" - a suit by shareholders in the name of and for the sole benefit of the company.
To remove a director through a derivative suit under Delaware law (most corporations), the court must find that the director engaged in fraudulent conduct, grossly abused his or her position, or "intentionally inflicted harm" on the corporation.
During a director’s term, it is nearly impossible to remove him or her for cause without the necessary majority vote in favor of removal.
Share Buyback Provisions. Employment agreements with founders and other senior officers should say what happens to shareholdings if an individual is terminated for cause. Co-founders or other investors may want the right to buy the equity of a bad actor co-founder or other executive terminated for cause.
This can limit the bad actor’s ability to further harm the company. It might also be helpful in removing the bad actor from the board, which could be very important for the company's well being.
3. Strong Internal Performance Review Systems
Clearly defined roles and expectations are important, but they are not self-enforcing. To ensure board members, officers and employees are performing up to expectations, it is advisable for companies of all sizes to design and implement employee, officer and board member review processes.
While smaller companies usually put off launching performance review processes until they reach a certain scale, those that delay too long often find themselves stuck with limited tools and remedies when unpleasant personnel issues arise, particularly when those issues involve board members, founders or other key executives.
Define, Assess and Communicate. Performance review processes vary widely and should be tailored in scope and sophistication to a company’s size and complexity. The important thing is to have a process and make sure it: (i) defines specific performance obligations and objectives and (ii) provides for regular written feedback regarding the officer’s or employee’s performance against those obligations and objectives.
Good internal review programs for employees often occur annually, with mid-year “progress” evaluations.
The primary goal of any performance evaluation system is to provide employees with timely, objective written feedback to enable them to succeed in their role. This requires praise when appropriate and demands for corrective action when performance or behavior is off.
Manager Training. Managers need to be trained on how to give both types of feedback and monitored to ensure they are doing so.
Some managers give good feedback in writing but only give negative feedback orally. This is worse than having no review process at all, since it creates a written record glossing over the employee's performance issues. Attempts to terminate an employee based on negative feedback not included in the written evaluation are subject to challenge as a “pretextual” termination – i.e., termination for a reason other than the stated reason, discrimination, for example.
Performance Warnings. Routine annual and semi-annual reviews need to be supplemented with occurrence-driven procedures when performance or conduct issues arise between review cycles, or just to supplement other reviews. These are often called “performance warnings” or “performance improvement plans.”
A typical performance warning or performance improvement plan will give the employee 30, 60 or 90 days to make improvements or face “discipline up to and including termination.”
CEO Review Processes. Processes for reviewing CEOs often include feedback from the board of directors and from the CEO’s direct reports. Given the conflicts and awkwardness direct reports can experience reviewing bosses, boards should probably put more emphasis on CEO reviews received from their fellow directors.
For the same reasons, boards should listen to concerns raised by a CEO’s direct reports. Any direct report brave enough to express concerns about his boss deserves to have them considered.
Board Review Processes. Review processes for boards are somewhat less common but can be valuable for preventing issues, improving board performance and, where necessary, setting the stage for a board member’s negotiated removal or non-re-election.
Board member evaluations are usually “360 evaluations,” involving survey-type questions that each board member answers about the performance and contributions of his or her fellow board members.
Although it may seem like overkill for a small three-person startup board to institute an annual 360 board member review process, any board that finds itself with a problem director will wish one was already in place. Most importantly, having a plan in place early may stop problems before they start.
When problems are identified in a 360 process, the negative information can often be used to support multiple options, including:
guiding a board member toward better performance,
negotiating for a new designee if the director involved is the board designee of a VC or other investor, or
performing an “intervention” by the CEO, board chair and other directors to encourage an individual to resign.
“Interventions” to cajole or shame directors out of office are possibly one of the more common methods for quickly removing problem directors. Having well-documented, thoughtful feedback from a group of peers can facilitate the prompt and “amicable” removal of underperforming directors.
4. Accountability
Following through to hold employees, officers and even directors accountable when appropriate is another important governance best practice. Companies that treat everyone fairly and equally, and that timely remove poor performers, disrupters and bad actors are more likely to achieve their goals and more likely to stay out of legal and regulatory trouble.
Routine Terminations. Naturally, it is usually easier to terminate lower-level employees and officers for non-performance, misfeasance or malfeasance, but smooth, challenge-free terminations still require good documentation and good processes. These should be set up with the help of counsel.
Timely removing individuals following reasonable corrective measures helps to reinforce company policies and performance goals, and often boosts morale among a company’s other employees.
Senior Officer Termination. The termination of a CEO is generally a matter for the board of directors to handle, unless the company’s articles of incorporation or bylaws say otherwise. A Delaware court recently enforced this notion in rejecting the removal of a CEO by a vote of shareholders pursuant to a provision in a shareholder agreement. Pierre Schroeder, et al. v. Philippe Buhannic, et al., C.A. No. 2017-0746-JTL, order (Del. Ch. Jan. 10, 2018).
Any board considering terminating its CEO should consider consulting with human resources specialists, employment law counsel and even PR specialists. For larger companies, the removal of a CEO can pose serious legal and public relations challenges:
In July 2018, Barnes and Noble’s board quickly and decisively fired its CEO for cause and without severance for “violating company policies.”
In October 2018, General Electric fired its CEO for unspecified reasons, but seemingly related to financial performance and stock price issues.
Uber’s CEO was forced to step down in June of 2017 under mounting pressure following public reports of a toxic working environment and of a Justice Department investigation of Uber’s use of software to evade law enforcement.
Ford Motor Company fired its CEO in May of 2017, with the company’s executive chairman saying the company needed to move faster to keep pace with new technology like electric and self-driving cars.
Contrast these relatively clean terminations with the 2018 Papa John's board room scuffle:
In July of 2018, Papa John’s founder, dominant shareholder and executive board chair heeded the board’s demand that he step down following an alleged racial slur.
He quickly reconsidered his resignation and launched highly public and damaging attacks against the company and its CEO, including two lawsuits alleging wide-ranging claims against the company, its board and CEO.
There were likely other red flags in Papa John’s governance leading up to this damaging food fight.
5. Compliance and Risk Management
Every company needs to assess and prioritize its own compliance and risk management needs. These are the steps, processes, personnel and other resources necessary for predicting, proactively addressing and responding to legal and regulatory issues.
The scope and nature of a company’s compliance and risk management efforts should be tailored to its business model, stage of development, regulatory environment and exposure to external liabilities to consumers, competitors, regulators, shareholders and others.
Appropriate Compliance Programs. All companies need to grow and evolve their processes and procedures for identifying and monitoring compliance issues, developing responsive processes for facilitating and ensuring compliance and for taking proper remedial action when compliance incidents occur.
Most successful companies reach a point where the board and management decide to conduct annual “risk assessments” to re-evaluate the scope and nature of compliance risks and requirements and assess whether gaps exist in meeting those risks and needs.
Routine Reports to the Board or Audit Committee. Companies with material exposure to compliance-related risks should adopt formal processes, relationships and timelines for ensuring that legal and compliance officers are providing regular reports to the board or audit committee.
Internal Reporting Systems. Companies should establish trusted, anonymous means by which employees, officers, customers and others can notify company higher-ups of legal, compliance or ethics concerns. These systems should be maintained, highlighted and monitored.
Issues submitted through whistle-blower channels should be thoughtfully considered and acted upon. Failure to do so could make matters worse, since "knowing" misconduct is generally penalized more severely.
Responding to Regulators. This topic will be the subject of a later article, but there is both art and science in responding to and dealing with regulators. These interactions should be focused on achieving the least harmful outcomes.
When regulators reach out in response to customer complaints, competitor complaints, current or former employee complaints, or merely of their own accord, the end goals should always be:
Make the issue go away as quickly as possible at the lowest cost.
Restore the regulator’s confidence in the company’s willingness and ability to solve its own issues.
Minimize negative impacts with customers, business partners, investors and others by containing the issues to the extent possible and restoring trust and confidence to the extent not.
Here are my preferred regulatory best practices:
Respond timely and thoughtfully to regulatory inquiries.
Respond in a manner that projects commitment to investigating and responding to the concerns.
Handle regulatory inquiries in a serious and thoughtful manner internally, with no hints of defensiveness or derisiveness toward the regulators that might be picked up by and channeled by others.
If wrongdoing is identified, take prompt proactive steps to stop it, remediate it and hold those responsible accountable.
Avoid half-measures in any remediation. If customers have been harmed, make them whole promptly and confirm that they are satisfied.
Unless otherwise advised by counsel, promptly convey the results of any internal inquiries in writing to the regulator, along with remediation steps taken, including appropriate disciplinary actions, measures to prevent recurrences, and efforts to mitigate or undo harm to consumers or others.
When a regulatory matter has been concluded, the company’s CEO should own up to the alleged mistakes, apologize and promise to do better.
These have proven to be reliable strategies for making regulatory problems go away and minimizing their impacts.
Despite my penchant for aggressive litigation strategies, pushing back against regulators sends the wrong signal: “fish on….” Denying claims and otherwise pushing back tells regulators there may be even more to their concerns than expected and that they will need to ramp up their enforcement resources to meet the challenge.
And unlike other litigants, regulators are specially positioned to escalate matters to the attention of other regulators and to the public at large.
Paul Swegle has served as general counsel to numerous tech companies and advises a dozen others as outside counsel. He has completed $12+ billion of financings and M&A deals, including growing and selling startups to public companies ING, Capital One, Nortek, and Abbott.
Paul has authored two authoritative and practical business law books.