The following post comes to us from Michael W. Peregrine, Partner at McDermott Will & Emery LLP.
Outside counsel’s report to the General Motors Board of Directors on the ignition switch controversy offers important governance lessons on the potential frailties of risk management systems. These lessons speak to reporting breakdowns and cultural barriers that can arise within any organization, not just one of the world’s largest corporations. As such, the lessons transcend the automotive/manufacturing sectors to apply across industry lines. The conclusions and recommendations of the “Valukas Report” are painful to read, extraordinary in their scope, and are highly relevant to effective board oversight practices. They are well worth the attention of corporate leadership.
Overview of the Report
The report was commissioned directly by the GM board, and was conducted by the Jenner & Block firm under the direction of its senior partner, Anton J. Valukas. Dated May 29, the report is over 280 pages in length, not including appendices. Its fundamental conclusion is that the delay in recalling vehicles with the faulty switch was the byproduct of neglect, inaction and lack of accountability within several areas of the GM management structure.
These failures served to prevent the GM Board and its senior executive leadership (including the general counsel) from learning of the ignition switch issues until December 2013/January 2014 – over ten years after the problems first became known within the company. The Valukas Report concluded, though, that the inaction or delay was not the result of any organized cover-up or concealment.
The Valukas Report is receiving additional attention of late, given Congressional hearings relating to the delayed product safety recall; the introduction of proposed federal legislation that would criminalize the concealment by corporate officers of product safety defects; shareholder litigation alleging breach of fiduciary duty; and published reports that the Department of Justice is reviewing whether employees inside and outside of the GM legal department may have withheld from federal regulators information concerning the faulty ignition switch.
Risk Management Breakdowns
An interpretation of the Valukas Report suggests that the identified risk management-related breakdowns arose from a combination (in varying degrees) of several basic elements of organizational conduct as they related to the ignition switch problem:
- No demonstrated sense of urgency to fix the switch problem by the responsible GM personnel, from the identification of the problem until the very end; timetables were not set and action was not demanded.
- A failure to understand the consequences of the problem; to marshal the information and expertise at management’s disposal to solve the problem – when others outside the company did (and in some instances alerted the company to the problem); a lack of diligence and incisiveness.
- The unwillingness of those who had responsibility to exercise that responsibility by demanding action in the face of increasing evidence of injuries and fatalities, and to make themselves or others accountable (e.g. the “GM Nod”).
- Organizational responsibility for product safety at both the board and management levels had multiple facets, but no single committee at either level had direct responsibility. None of the management level committees or groups “took ownership” of the issue; indeed, their ability to do so was limited in many circumstances because committee members were not presented with fatality information (and therefore felt no sense of urgency to make a decision).
- Neither the slow pace of the internal safety investigation nor the emerging pattern of accidents potentially related to the safety defect was escalated to the most senior levels of corporate leadership – e.g. the board, the audit committee, the CEO, and the General Counsel – until early 2014.
A reader of the Valukas Report may fairly conclude that procedural and cultural flaws in the risk management structure of the organization created near-insurmountable barriers to the ability to bring to the board’s attention a safety defect of enormous proportions – with such significant resulting harm.
Broader Governance Lessons
The observations and recommendations of the Valukas Report offer a number of valuable lessons on effective board oversight of the risk management process, and how such process integrates with legal and compliance functions as well.
Lesson One: It’s the Board’s Job. Surely the board must work through senior management on these matters, but the ultimate responsibility for risk management, and for its key partner functions, the office of general counsel and the compliance office, rests with the governing board and its committees. The board must be pro-active in assuring that organizationally appropriate risk identification, management and reporting protocols are in place, in assigning clear measures of responsibility and accountability with specific members of the management team, and in periodically reviewing – in detail – the sufficiency of those protocols and assignments.
Lesson Two: Assume the Worst. No reporting and management system is foolproof. Frailties and faults in risk management and compliance/audit functions can be found in any organization. The Valukas Report makes it clear that these can occur in the least expected/most outrageous of circumstances. The board must be constant in its attentiveness to, and scrutiny of, the effectiveness of risk management, legal and compliance functions. It is neither fair nor appropriate to delegate this fully to management, as too much could be at stake.
Lesson Three: Crystal-Clarity. As the Valukas Report makes clear, it is entirely possible that even in the most sophisticated organizational structures “bombshell” information may not make its way – with immediacy – to board and senior corporate leadership. The board must send an unequivocal message through the risk management/legal/compliance structure that issues that “keep management awake at night” must be reported immediately to designated corporate leaders.
Lesson Four: Culture Matters. The “GM Nod”, as referred to in the Valukas Report, should be a powerful image to both the board and senior management that when it comes to risk management, culture can be critical. Leadership should take action necessary to foster an organizational environment in which employees feel comfortable in raising significant issues to key decision makers, and are encouraged to assume responsibility and to make decisions. The board must send a strong signal to the executive level that management styles that discourage employees from reporting “bad news” or legal concerns will not be tolerated.
Lesson Five: Demand Incisiveness. The board should establish a level of expectation regarding the diligence and vision of executives responsible for risk management, compliance and legal matters. This is particularly the case as it relates to the need to fully understand the scope or nature of issues presented to them, to probe issues with energy, to project the potential consequences to the organization of those issues, and to be willing to re-evaluate initial conclusions when provided with more information and perspectives.
Lesson Six: The Office of General Counsel. The stunning revelation that the GM general counsel was not informed by his subordinates of the ignition switch issues until the latest possible moment should resonate with corporate leadership. An organization’s general counsel should be encouraged to adopt specific guidelines on the types of issues that should be elevated to the general counsel’s attention from associate general counsel. Similarly, the associate general counsel should be instructed to request the general counsel’s guidance when appropriate legal and risk processes are not moving forward in a timely and effective manner.
Lesson Seven: No Silos. Special, board-driven emphasis should be placed on knowledge and information sharing amongst personnel, and management and board committees, with risk/compliance/legal responsibilities. Cross-disciplinary communication should be formalized where necessary to reduce the risks of organizational “silos.” The board should be intolerant of artificial barriers (e.g., concerns re: “independence”) that limit the extent and effectiveness of coordination between the general counsel, the compliance officer and the internal auditor.
Lesson Eight: Evaluation and Incentives. Use the board, executive and managerial performance evaluation process to emphasize the achievement of goals related to risk management, information sharing, timeliness of reporting and legal compliance. Incentive compensation arrangements for employees at every level should include awards related to training and education on risk management topics and the achievement of specific related goals, on both departmental and organizational levels.
Lesson Nine: Form and Content. The board, and its key risk-related committees, must be placed in a position to exercise their oversight responsibilities. That means that not only is timing important when it comes to the reporting of risk/legal/compliance issues, but the form and content of that reporting are, as well. The risk message must be presented in a context in which the board or key committee can readily recognize the organizational implications of what is being reported, as well as the magnitude of the risk. Governance can’t be expected to need a “decoder ring” to evaluate risk reports.
Lesson Ten: Tone at the Top Matters. Just because it’s a term often used by federal regulators doesn’t mean that it’s not a valid concept. The most effective way for executives, managers and other employees to embrace more aggressive risk management goals is if the commitment of corporate leadership to those goals is clear, convincing and continuous. The board should work with senior executives on a set of clear messages and examples of conduct that members of leadership can regularly practice, both individually and collectively.
The Valukas Report presents an “It can happen here” scenario that should attract the attention of corporate boards, generally. While the Report does not attribute the problematic recall delay to any lapse in governance practice, it does describe a series of material executive level shortcomings that conceivably could occur in any risk management process. The observations and recommendations of the Valukas Report thus serve as a broad-based call for more engaged board oversight of corporate risk management (and indirectly, legal and compliance) functions.