One critical piece of the framework that can be overlooked is the importance of corporate governance, both to demonstrate structural sufficiency and to give leadership an opportunity to show they are accountable for the overall operations and risk management of the business. At its simplest level, corporate governance is the system of rules, policies, and practices that provide direction to management and set expectations around the operation of a company. The complexity of this framework should depend on the scale, scope, and intricacies of the business. The framework should provide clear guidance and be designed to give audit and risk management functions the controls necessary to minimize risk to the business entity and also to the executive team.
To that end, thought and direction ought to be geared towards the relevant risks applicable to the business, which likely cover the following factors:
- Capital and Liquidity Risk: Risk that the business cannot meet financial obligations and/or customers or counterparties fail to perform on obligations. What happens if a buyer never pays their bill? Is any of the business’s credit callable?
- Operational Risk: Risk that processes, systems, or people may fail. What happens if a factory burns down or people stop coming into the office because of a pandemic?
- Market Risk: Risk of adverse movement in market rates or prices. What happens if the price of bitcoin plummets, or the price of steel increases?
- Compliance Risk: Risk of noncompliance with regulatory requirements. What happens if a sanction or fine is imposed?
- Legal Risk: Risk of lawsuits, adverse judgments, or unenforceable contracts. What happens if the business is subject to suit? What if a court decision invalidates some portion of the business?
- Reputational Risk: Risk that, deserved or otherwise, negative news harms the business. What happens if the public learns that the CEO has a controversial past? What if the CFO is offensive on social media?
A company can control these risks through a well-developed and thoughtful corporate governance program that incorporates a robust risk and compliance management system. The system should be designed to meet requirements and considerations for capital, liquidity, and required asset holdings, be capable of validating the accuracy and reliability of the financial activity and information of the institution, and proactively identify and address business practices that violate regulatory requirements and have the potential to cause harm to consumers.
A company that lacks strong corporate governance and has a CEO who “didn’t know exactly what was going on” runs some fairly significant legal risks. The company could face enforcement actions at the state and federal levels, as well as potentially risk significant civil and criminal exposure. Individuals in control of the business or deemed to have facilitated misconduct or harm (either intentionally or through some form of dereliction of duty) face similar risks of enforcement actions, civil liability, criminal indictments, and lasting reputational damage. For example:
- Federal Enforcement Landscape: Federal regulatory enforcement authorities, particularly the CFPB, have been increasingly vocal about bringing enforcement actions against companies and their control individuals for violations of consumer protection laws. The Bureau under CFPB Director Rohit Chopra has made clear that it will bring enforcement actions under the Consumer Financial Protection Act’s prohibition on UDAAPs. The FDIC has also issued several cease-and-desist letters recently with respect to “making false and misleading statements about FDIC deposit insurance.” The FDIC has authority to enforce the prohibition against such statements, including by “issu[ing] cease-and-desist orders and [assessing] civil monetary penalties.”
- State Enforcement Landscape: Some state enforcement authorities are increasingly bringing actions against regulated entities, with a focus not only on the kind of conduct that increases risk, but also on individuals they perceive as causing or allowing this conduct. For example, some state financial regulators, such as the California regulator, may bring an enforcement action to suspend or bar an individual’s continued and future employment with a state-licensed financial services entity.
Strong corporate governance can be a critical step in preventing overt fraud by mitigating the risks set forth above as well as preventing mismanagement or poor oversight. A carefully thought-out corporate governance framework provides protection for the business, for its customers, and for its executives and owners.