Expert Tips for Communicating During a Crisis

A brief published by the National Association of Corporate Directors takes a serious look at the critical interaction between the general counsel and the board during a crisis.

The information contained in the brief was captured from an in-depth discussion of Fortune 500 board leaders.

The publication, titled “Communicating in Times of Crisis: Insights From Fortune 500 Committee Chairs,” can be downloaded from the NACD website at no charge.

It addresses the question: How can the general counsel manage the timing of communications with stakeholders and balance the need for transparency with the organization’s risk appetite—amid an ongoing investigation?

Download the brief.

 

 




How to Build a Solid Contractual Risk-Transfer Program

The use of subcontractors helps to ensure construction projects are completed in a timely and efficient manner, but it also creates a wide range of contractual risks, cautions Tommy Williams, USI Uniondale vice president, in an article for Property Casualty 360°.

“Without a properly structured risk-transfer program, a general contractor (GC), owner or property manager would assume financial responsibility unnecessarily for losses caused by a third party, who is contractually obligated to control or prevent those losses. The financial impact could be significant — more so in certain jurisdictions,” he explains.

His article discusses the basics of contractual risk transfer, common subcontractor policy exclusions, and the need for expert advice.

Read the article.

 

 

 




Benchmark Report: Learn How Your Peers Manage Third-Party Risk

NAVEX Global has published its 2017 Third-Party Risk Management Benchmark Report to document how practitioners are successfully conducting third-party risk management — including screening, monitoring and auditing techniques.

“Third parties can be unpredictable,” the company says on its website. “When managing hundreds or even thousands of third parties, keeping an eye out for red flags may seem a herculean task. Use the report to improve your own program outcomes, stop bad behavior in its tracks, and ensure you know how to spot the warning signs.”

The study, which includes information from more than 400 professionals, offers guidance on the approach to third-party risk management that organizations find most effective, how they are using outside providers to assist with third-party due diligence, if automated due diligence affects ROI, and more.

Download the benchmark report.

 

 




General Counsel – Contract Process or Risk Management?

Contract management is a distinct profession with a well understood body of knowledge, writes Mark Little of Berkman Solutions.

“Contract management is not the practice of law. That said, contracts have a life of their own which requires monitoring and nurturing. In many organizations the legal department simply throws an executed contract over the wall into the contract management department. The legal department may hear about it again when it is time to renew, amend, or terminate the contract. This approach to contract management misses revenue opportunities and causes unexpected risk to materialize,” he explains.

“A shared contract management system that focuses on the contracts which are fully executed promotes collaboration between the general counsel and the management team. Effectively managing the contract portfolio together allows both general counsel and contract managers to make a measurable impact on revenue and contract risk management. No one will remember that you drafted the force majeure clause just so, but everyone will remember that you identified an opportunity to decrease prices during the term of the purchasing contract.”

Read the article.

 

 




Webinar: Step-Up Your Third-Party Risk Management Program

NAVEX Global will present a free webinar, “Using Metrics to Improve Your Third-Party Risk Management Program,” on how to set up a third-party risk management program for success.

The event will be Thursday, Oct. 26, at 10 a.m. PDT/1 p.m. EST.

Participants will learn how companies with advanced programs manage their third-party risk and due diligence processes and will get industry benchmarks to size up their own programs.

Expert presenters will discuss the steps that should be taken to improve a program and minimize risk — regardless of organization size or number of third parties managed.

Organizations following the steps have:

  • Reduced their risk of legal or regulatory action
  • Appropriately defined “high risk” third parties
  • Found the most powerful screening and monitoring methods
  • Measured the effectiveness of their third-party due diligence programs

Register for the webinar.

 

 




The Evolving Role of the GC in Risk and Crisis – Complimentary Article

The National Association of Corporate Directors has published an article that outlines five key steps to help companies prevent negative headline events and respond when a crisis can’t be avoided. The article can be downloaded from the NACD website.

With social media as an accelerant, a smoldering corporate crisis or failure can almost instantly flare into the firestorm of a viral headline event. In this recent interview in NACD Directorship magazine, Robert E. Bostrom outlines the five key steps companies can follow. He strongly recommends that companies take the following measures:

  • Establish an enterprise-wide risk committee.
  • Proactively evaluate and prioritize a broad portfolio of risks.
  • Empower the GC as the representative on risk to the board.
  • Use risk management as a business tool for evaluating strategies, plans, and investments.
  • Strategize and plan for managing negative events.

Bostrom provides some strong insights into the role of the GC in both preventing and managing crises. He also offers his thoughts on how boards and management must align in order to prevent (or survive) headline events.

Download the article.

 

 




Third-Party Risk Management Feedback Needed

Independent marketing research firm Phase5 is conducting a comprehensive study on the current state of third-party risk management and is seeking input.

Confidential responses will be aggregated with other responses, summarized, and published in a comprehensive report.

A spokesman said anyone participating will receive a copy of the final report. That report will show how others manage their third-party risk and due diligence processes and discover techniques for effectively reducing legal risk.

Take the survey.

 

 

 




Assess Your Risk Appetite: Complimentary Report

The National Association of Corporate Directors Advisory Council on Risk Oversight met in February 2017 to discuss the board’s role in the development and oversight of risk appetite. NACD offers a complimentary copy of the report.

The discussion – cohosted by NACD, PwC, and Sidley Austin LLP – highlighted a number of takeaways for directors:

  • Align the risk appetite statement with company strategy.
  • Use the risk appetite statement to inform critical processes and decisions.
  • Continually reevaluate the risk appetite statement.

The NACD Advisory Council on Risk Oversight: Board-Management Dialogue on Risk Appetite resource can help boards to take the following steps:

  • Determine which metrics to use in the risk appetite statement.
  • Establish performance targets in incentive plans that promote high performance and limit unhealthy risk-taking.
  • Shape company culture by defining tolerance levels for risk.
  • Improve communication across the company and boost reporting to the board.

Download a complimentary copy of the report.

 

 




Download: “Seeing Opportunity in Reputation Risk”

The National Association of Corporate Directors’ new article, “Seeing Opportunity in Reputation Risk,” explores how effective board oversight of corporate responsibility (CR) and environmental, social, and governance (ESG) strategies, practices, risk management, and crisis preparedness can not only help manage strategic risk, but also result in enhanced reputation.

The article can be downloaded from the NACD site at no charge.

The following is an excerpt from this article by Jeff Hoffman and Andrea Bonime-Blanc, which appears in the March/April issue of NACD Directorship magazine:

“ESG and CR are frequently not on boards’ radar. When they are, there is rarely sufficient time allocated to their discussion. There are reputation risks and value creation opportunities that can be found beyond what is normally discussed at board meetings. Unfortunately, many ESG and CR risks are unknown to the board until an incident happens and it goes public—and possibly viral. The risks around ESG and CR are generally easy to identify, mitigate, and plan around. While being prepared for the worst-case scenario may take time and effort, it will be far less painful than the alternative: negative headlines and conversations on social media.”

Download the article.

 

 




Connected Product Intensive: Regulatory Compliance and Risk Management Roundtable

Keller and Heckman will produce a new seminar, “The Connected Product Intensive: A Framework for Regulatory Compliance and Risk Management,” May 2-3, 2017 in San Francisco, CA.

Keller and Heckman’s Connected Products Team will focus on the regulatory and litigation risks affecting connected products, and offer practical tips on compliance, risk avoidance, and risk management. Learn how to keep your customers safe and secure and to protect your company’s reputation and investments.

Highlights from the agenda include:

  • Guidance on developing compliance frameworks
  • Drafting privacy policies
  • Responding to a security breach and best practices for encryption
  • Environmental considerations including California’s Proposition 65 and state green chemistry laws
  • FCC issues from equipment certifications through spectrum availability
  • Handling product recalls, crisis management, and product liability litigation
  • Energy efficiency considerations
  • Advertising and marketing emphasizing claims, price, safety, and social media
  • Rules surrounding in-app purchases
  • End-User License Agreements

Register for the seminar.

 

 




New Research Reveals Third-Party Risk Management Best Practices

Navex Global has produced a benchmark report that can be used to help organizations judge how effective their third-party risk management systems are and how to make improvements.

On its website, Navex says one-third of organizations have faced recent legal action related to their third parties.

The new 2016 Third Party Risk Management Benchmark Report is available for free downloading.

Use this report to identify gaps, get buy-in for additional resources and make your program more efficient. The report discusses:

  • Trends for screening and monitoring third parties
  • The program maturity model and how it impacts your due diligence programs
  • How automated systems help increase performance satisfaction
  • Recent developments in legal costs and number of incidents

Download the Navex report.

 

 




Insurance, Indemnification, and Limitation of Liability Provisions in Business Contracts

If your job includes reviewing, drafting or negotiating contracts, you’ve probably seen  provisions relating to insurance, indemnification, and limitation of liability, writes  of Barnes & Thornburg LLP.

“Are they boilerplate that you spend little time on? Do you fully understand exactly what they do? Do you negotiate or revise them?” he asks.

“Fundamentally, the purpose of insurance, indemnification, and limitation clauses is to allocate risks,” Gorenberg explains. “In general, insurance transfers risk from the contracting parties to a third party—an insurance company. Indemnification usually transfers risk between the parties to the contract. Limitation of liability prevents or limits the transfer of risk between the parties.”

Read the article.

 

 




Comprehensive Study: How Third-Party Risks are Managed Within Organizations

Phase 5, an independent market research firm, is conducting a comprehensive study of how third-party risks are managed within organizations.

Participants in the study will receive complimentary copies of the final report. All responses are confidential and will be reported only in aggregate form.

Some of the questions to be considered include:

  • What are the top objectives organizations have when it comes to their third party risk management programs?
  • What challenges do organizations face when developing their third party risk management programs, and what could undermine the effectiveness of their efforts?
  • What processes do organizations employ to conduct third party due diligence?
  • How does your organization compare to your peers when it comes to its level of third party program maturity?

Take the survey.

 

 




M&A and Transaction Risk Oversight Examined

M&A deal volume in the U.S. reached a record high in 2015, reports the National Association of Corporate Directors. The NACD is offering a complimentary copy of the summary from a recent meeting of the NACD Advisory Council on Risk Oversight, which focused on the board’s oversight of M&A transactions including understanding the board’s role during a transaction, identifying questions to consider when evaluating potential deals, and establishing a process for determining transaction success.

Topics covered include:

  • Engaging management about possible deals
  • Determining if a proposed deal advances company strategy
  • Identifying culture and talent risks
  • Measuring the success of a transaction
  • Establishing effective oversight processes

Download the summary.

 




What Lawyers Can Bring to the Governance Structure

By Paul Williams
Partner and Co-Lead of Board & Governance Practice at Allegis Partners

Few people need to be told of the increasing degree and variety of risks to corporate entities in the 21st century. And anyone familiar with the ramifications of those risks on the governance structure knows that vulnerabilities extend to individual board members as well as the companies and shareholders they serve.

Those risks include digital breaches, corporate scandals, rising litigiousness, globalization, acquired problems in M&As, increasingly stringent regulatory regimes – and what is unforeseeable. Everyone from the C-suite and directors through senior and middle managers on down bears some role in mitigating these risks. But to inform our perspective as the global leader in legal professional search at Major Lindsey & Africa, we recently hosted a panel discussion on how the presence of senior lawyers, those who currently or formerly have served in the role of the general counsel (GCs), can play a vital role in the management and prevention of risk as board members.

I was one of four panelists corralled by Kim Rucker, former General Counsel and Corporate Secretary for Kraft Foods Group, the panel moderator. Kim led a lively discussion that unearthed several important ideas and concepts from my fellow panelists: Sara Hays, Managing Director and Co-Leader of the North American Board Practice, Allegis Partners; Mary Ann Hynes, Senior Counsel, Dentons, a GC veteran of five international corporations and a board member of several corporations and non-profit organizations; and Rick Palmore, Senior Counsel, Dentons and board member for Goodyear Tire & Rubber Company, the Chicago Board Options Exchange and Express Scripts.

The area of risk that gets the most attention lately is cybersecurity. It’s clear from the alarming business news on digital security breaches that there is much to lose when nefarious parties hack into our information systems. These attacks can damage reputations and brands, affect employee morale and cost a great deal of money. Additionally, they carry obligations to notify third parties, to work with law enforcement, to meet state and federal compliance matters, and they might trigger litigation (for example, the class action suits by financial institutions and individuals against Target Corporation in the wake of their 2013 data breach that affected 110 million customers). This provides a good case for why board members with the background and expertise of lawyers, preferably those with GC experience, can be extremely valuable.

My fellow panelist Sara Hays mentioned an attorney she’s worked with who, while widely recognized as a solid GC, in fact developed supplementary expertise in cybersecurity. Given the list of issues that can arise in a breach or even in planning for a potential attack, is it any wonder why that particular lawyer is also an excellent candidate for a corporate directorship?

Also, in October 2015 a California federal judge ruled that whistleblowers may seek compensation from company directors. This was a definitive expansion of liability in cases where directors might be judged for retaliating against such individuals. This same level of responsibility extends to instances of product failure, fraud and tort actions.

Perhaps foremost on the minds of directors and officers are the implications of the Department of Justice’s “Yates Memo,” where Deputy Attorney General Sally Yates directed federal prosecutors to focus on individuals and hold them accountable when investigating and resolving allegations of corporate misconduct (of either a civil or criminal nature). This promises to significantly impact how corporate internal investigations are conducted, including by in-house counsel. Again, a director with a broad business understanding complemented by a granular understanding of recent court rulings might prevent as well as fix adverse situations.

The panel discussed other issues that elevate the importance of a legal background in key decision-making and oversight. I pointed out how in the case of a merger involving a foreign-run business we unearthed a significant issue relative to the Foreign Corrupt Practices Act (FCPA) that could have been of concern to the U.S. Securities and Exchange Commission (SEC). In my role as a GC, it became clear we needed to self-report to the SEC. Note the other party wasn’t trying to cheat but instead was simply acting within their own country’s business culture (i.e., they didn’t understand U.S. regulations). These are the kinds of things that directors are at an advantage to consider as early as possible in the M&A process.

Risk planning includes establishing priorities

My colleague Sara pointed out there is a tendency in risk planning to think a preconceived structure such as a risk management plan covers off on risk. I’ve observed this too and feel that everyone owns risk – and at all times. This includes all board members and every board committee. Perhaps what might be more important is to know when to elevate an issue to other parties. Mary Ann Hynes related a scenario of a cybersecurity breach that ultimately required calling in the FBI. The GC had to work with the CFO, the CIO and the audit committee, all of whom had to work “hand in glove” with their respective board members. This is why I personally advocate for having a board-adopted crisis management plan, where you can work through a hypothetical process that would identify ideas on how to act as well as which people need to be involved.

Mary Ann asked who among us had worked with a chief information systems officer, a CISO. We agreed this is more common in larger companies, those with as many concerns about brand and reputation as they have about potential litigation. But even in cases where the problem is low profile (i.e., no media) there very often can be a huge impact on the enterprise in information systems-related litigation.

The characteristic of good GCs is that they are “steady Eddies,” with a composed demeanor in the face of crisis. They have a sense of where and how to separate legal and compliance functions. They also understand the tension points in risk-containment scenarios – which include external communications and board member liabilities. Again, these are the kinds of considerations that a GC should be attuned to if he or she wishes to be considered for a board appointment.

A point on which all panelists agreed was the need to plan: Develop a framework for managing in a crisis. It has to be adaptable to the variety of known and unknown risk scenarios because one size does not fit all, so to speak. This is where, as panelist Rick Palmore pointed out, you set the enterprise priorities. The board may determine that litigation ranks first or fourth or somewhere in between – knowing that much in advance, calibrating possible outcomes, helps everyone move quickly toward a resolution, to adopt positions and to communicate with consistent messaging. Regardless of the intensity of a situation, a GC will typically understand you cannot operate effectively “with your hair on fire;” rather, everyone up and down the ranks will take their lead from the steady Eddies at the top.

Anticipate the most probable scenarios

This is not to say the crisis/risk planning process shouldn’t on some level address known probabilities for certain kinds of risk. Sara related to the panel how the board of a company where she was the GC did an annual “deep dive” to explore potential risks. From the short list of what might happen they were able to determine which committees and individuals would assume oversight responsibilities. From there, those individuals were tasked with providing quarterly updates on various scenarios – which might include running practice drills and developing a framework for messaging and identifying who delivers the message (note: something as simple as having up-to-date personal and business phone numbers of board members and officers should not be overlooked).

To be clear, there is some risk in documenting risk. While it needs to be approached on a case-by-case basis, the board should consider how and where such documentation might later be used against the company and its governance structure – another reason why a board member with GC experience can provide fundamentally important perspective.

There are some ways in which even a seasoned attorney on the board could be problematic. First, he or she shouldn’t simply put up roadblocks due to a known or suspected legal risk. The lawyer has to have sufficient business acumen to propose two or more workable alternative solutions. Second, that individual should not be mistaken for legal counsel; it’s not the board member’s responsibility, and would likely trip on what the company’s actual GC is engaged with every day.

In wrapping up, several panel members stressed how the risk management strategy needs to line up with the overall company strategy – all the more reason why having a seasoned attorney on the board means having a business-minded attorney. In fact, my colleague Sara Hays herself has an MBA, made all the more valuable in one appointment because of her experience in the construction industry. “The mistake some GCs make is when they think of themselves as just being a lawyer,” she said, noting how this goes against the grain of conventional wisdom that attorneys can only advise on legal questions. The value proposition for filling a board seat is different from what makes someone a good GC, she told us.

What does success look like when a board manages risk with an attorney as part of governance? It is when, instead of risks being siloed with attorneys picking up the pieces after the damage is done, everyone thinks about risks, adopts them as a fact of life – and acts proactively to minimize or mitigate problems before they occur or are able to cause meaningful damage.




Greater Emphasis on Corporate Compliance Programs

The announcement by the Department of Justice Fraud Section that it hired Hui Chen, a lawyer with previous experience as a federal prosecutor and in international corporate compliance, as a full-time Foreign Corrupt Practices Act compliance expert shows that compliance should be high on corporate agendas for 2016, writes Sarah C. Baskin in the Corporate Compliance and White Collar Advisor, published by Jackson Lewis.

“The DOJ’s move will likely lead to even greater and closer scrutiny of compliance programs. The first step employers should take in responding to this change is to conduct a prompt and thorough review of their compliance programs, starting with their Code of Conduct, their internal controls, monitoring, hotline, management of investigations and reporting protocols to law enforcement,” Baskin writes.

The article lists the key elements of a good compliance program.

Read the article.