The past year has had its fair share of corporate scandals and breaches of conduct by senior management. Some of these arose out of personal greed, but there were also instances where employees brushed aside laws and regulations in order to meet their revenue targets or achieve their key performance indicators.
Admittedly, the business environment is getting tougher, with the emergence of new technologies and consequential disruption to traditional business models. Globally, the displacement of human capital, widening income inequality, and growing pressure for sustainable business practices have increased the scrutiny on board accountability.
Principle 1 of the revised Code of Corporate Governance (the Code) released in August 2018 provides that a company "is headed by an effective board which is collectively responsible and works with management for the long-term success of the company".
As boards of directors plan their agenda for the coming year, several key issues loom.
The Corporate Governance Council, when amending the Code, decided to trim the overall length of the Code but added a new Principle 13, on managing stakeholder relationships. This reminds all companies to adopt "an inclusive approach by considering and balancing the needs and interests of material stakeholders".
Boards now have to disclose their plans for the management of material stakeholder groups, in addition to the sustainability reports which are prepared by the companies in accordance with the listing manual of the Singapore Exchange (SGX).
The global reality is that investors are stepping up in unprecedented numbers to act on climate change, and governments are under increasing pressure to tighten legislation. Principle 13 is a timely reminder that a company's mission is not purely to expand its financial bottom line in the short term but also to maintain long-term sustainability by considering the interdependencies between the company and its employees, customers, suppliers and other stakeholders.
The SGX listing rules have also been amended to provide that if a director has been on the board for an aggregate period of more than nine years, his or her continued appointment as an independent director must be approved by a two-tier shareholders' vote with effect from 1 January 2022.
The Code requires that the board, together with the Nominating Committee, should have on its agenda a succession plan for the directors, the CEO and other key members of the senior management.
The board could request the CEO to organise events or activities which enable the board to interact more closely with the next level of identified talent and assess them over a period of time. In the event that there is an unexpected CEO departure, death or disability, the board will then be in a better position to implement its succession plans if it knows the rest of the senior management team and the upcoming talent pipeline.
Principle 2 of the Code makes it clear that the board should have an "appropriate level of independence and diversity of thought and background in its composition to enable it to make decisions in the best interests of the company".
Ultimately, the quality of the board is of paramount importance. When filling vacancies, the board should try to avoid focusing on ad hoc replacements. A good approach is for the Nominating Committee to tabulate a matrix setting out the skills and experience of each of the directors. Once the skills matrix has been completed, it will become clear which skills are lacking within the board.
At the end of the day, it makes sense to assemble a well-rounded board that works well together and possesses skills which complement each other and serve the company well. It is also important to spend time considering the team dynamics of the whole board.
Cybersecurity risk management
Directors should be mindful that their duties extend to the protection of the company against cyber breaches or theft of data. Principle 9 of the Code provides that the board is "responsible for the governance of risk and ensures that management maintains a sound system of risk management and internal controls, to safeguard the interests of the company and its shareholders".
The Code makes it clear that it is up to the board to determine the nature and extent of the significant risks which the company is willing to take in achieving its strategic objectives and value creation. Cybersecurity risk is one of the risks that fall under the board's responsibility.
It is therefore important that the board asks the right questions and sets management on the right track to ensure that it has in place a reasonable standard of cybersecurity. It is no longer a question of "if" a cyberattack will occur but "when". Thus, when a cyberattack happens, the board will want to be in a position to say that it has implemented all that could reasonably have been done in this area.
In conclusion, boards should aim to go beyond a "review and concur" role. Being cognisant of wider global trends and helping to incorporate some of these into the agenda for the meetings will serve to contribute to better governance and add value to management.
The writer is a member of the SID Review Panel for the Remuneration Committee Guide of the Corporate Governance Guides for Boards in Singapore.