Article

Board Oversight in 2019 Needs to Consider Emerging Challenges

two directors reviewing reports at the board table
Contributing Writer

12 minutes

Many board responsibilities intersect in the aim of internal fraud prevention.

Credit union boards are hard-pressed keeping pace with emerging challenges—new competitors, new technology and new regulations come to mind. And, as if that weren’t enough, they must also maintain the perennial aim of strong financial safeguards, including the prevention of internal fraud.

Financial oversight as part of a broader emphasis on enterprise risk management is one of the pillars of effective credit union governance, along with strategy and a forward-looking view of board makeup, says Les Wallace, Ph.D., president of Signature Resources, Aurora, Colorado, and lead faculty for the 2019 CUES Director Development Seminar. According to Wallace, directors must look beyond the traditional dashboard of financial performance to fulfill their risk management responsibilities—and can wield a variety of tools to head off or quickly detect internal fraud.

Attend to the Tone at the Top

The board’s role in preventing malfeasance begins with a thorough vetting of CEO candidates during the selection process and setting the same expectations for the hiring of other executives. There have been instances when even the largest companies have been so taken in by charismatic leaders that they bypassed the extensive reference checks that might have turned up phony academic credentials and dismissals from previous positions, says Richard Powers, national academic director of the Directors Education Program, University of Toronto’s Rotman School of Management and lead faculty for CUES Governance Leadership Institute™. Conducting background inquiries on candidates with suspect histories requires tenacity, as former employers may try to protect their reputations by skirting questions, Powers notes.

Properly aligning the CEO’s compensation structure is another board responsibility that can help deter financial mischief. In research on “why good people do bad things, the smart money is on the situation,” Powers notes. “The board should be cognizant of those situations that may promote bad behavior. If there’s a sense of unfairness, perhaps with what similar organizations are paying their CEOs, the feeling that they’re being treated unfairly can lead people astray.”

To head off that potential, it falls to the board, and especially the chair, “to know exactly what’s going on with the CEO,” he adds. “Are they happy? Do they feel valued? Is the compensation system aligned with the mission of the organization?”

Over the long term, boards can enhance their oversight of credit union operations by broadening their interactions with other members of the senior management team, Powers recommends. “Those relationships may reveal cultural issues or instances where perhaps members of the senior leadership team haven’t acted in a manner that would be consistent with the organization’s mission.”

In addition, “having other members of the senior management team present to the board gives directors an opportunity to see the talent within the organization and to give some thought to possible internal succession plans,” he adds.

Organizational culture can also play a role in either quashing bad behaviors or allowing them to persist. The danger of permitting an “imperial CEO to reign over an organization” creates a culture of fear that may shut down warning signs, Powers says. Executives are more likely to get away with bullying employees if the board is unaware of an unhealthy work environment.

“One of the big things we talk about is the tone of the top. To assess that, directors need to hear the message from the middle, so they need to get out of the boardroom and get to know some of the other employees,” he recommends. “Culture develops over time, and you’re not going to see that in a boardroom. You have to get out into the branches and get to know the people because that’s the only way to get a sense of what the culture of the organization is like.

“I do not propose that directors step on management’s feet in the process,” he clarifies. “All such visits should be coordinated through the CEO’s office so that he/she is aware of what is going on. It should not be seen as ‘checking up’ ... —it is purely educational. Attending credit union conferences, reading credit union materials and industry publications are other ways that the directors can get and stay up to speed with the industry and their credit union’s place in it.”

A positive and open culture is necessary for a whistleblower system to function. If employees do not feel that they are protected, they will not come forward to raise concerns, Powers says.

Maintain a ‘Culture of Inquiry’

An employee determined to commit fraud against a credit union may find a way despite the board’s best faith efforts to fulfill its fiduciary oversight duties. To protect a financial cooperative from malfeasance, several accountability mechanisms can and should be implemented, and the board is responsible for monitoring that those safeguards are maintained.

One overarching measure is to establish “a culture of inquiry where it’s appropriate for board members to ask hard questions of management and each other, a culture of accountability where it’s appropriate to hold each other and the CEO and senior team accountable, and a culture of trust—of trust, but verify,” says Michael G. Daigneault, CCD, founder and CEO of Quantum Governance L3C, Herndon, Virginia.

A strong supervisory or audit committee is another essential cog in a culture of inquiry and accountability, Daigneault says. Careful selection of supervisory or audit committee members, especially candidates with financial oversight and risk management backgrounds, and comprehensive training should be a priority.
 

Michael Daigneault
Michael G. Daigneault, CCD
founder/CEO
Quantum Governance L3C
There is a complex, nuanced set of checks and balances in a credit union between the supervisory or audit committee, the board and the senior team, but the board is ultimately responsible for making sure that the governance system is working as well as it reasonably can.

In addition, the board and executive team should recognize the crucial oversight role of this committee and ensure that it does its job. Among its key duties, a proactive supervisory or audit committee develops and executes a plan for internal checks and balances in support of risk mitigation, asks insightful, penetrating questions, and interacts regularly with the board, while maintaining an appropriate degree of independence.

“There is a complex, nuanced set of checks and balances in a credit union between the supervisory or audit committee, the board and the senior team, but the board is ultimately responsible for making sure that the governance system is working as well as it reasonably can,” Daigneault notes. “Board members need to hold the staff and themselves to a specific set of standards of behavior, values, and clearly articulated policies and procedures, with consistent follow-up to ensure execution and any needed correction.”

This commitment at the board level must be consistent over time, from one chair to the next, Daigneault adds. “It doesn’t mean board members should have a distrusting attitude toward everything that management does. That actually is quite counterproductive and puts management on the defensive. But it does mean that they have to have the kind of relationship with management such that management understands and respects that it is the job of the board and the supervisory or audit committee to ask some hard questions in order to do their due diligence.”

Rely on the Experts

Fulfilling their oversight responsibilities may be better accomplished through a big-picture view rather than a focus on details that might obscure other threats, Daigneault suggests. As with other aspects of their responsibilities, credit union directors will be well-served by maintaining a strategic perspective on how best to marshal the necessary resources to carry out their fiduciary duty.

“It’s not the job of the board to be experts in fraud control, but directors do need to ensure appropriate controls are in place at a level of risk the organization is willing to accept and that there is a means to monitor and verify that staff are following policies and procedures,” agrees Stephen G. Morrissette, assistant adjunct professor of strategic management at the University of Chicago Booth School of Business and lead faculty for Strategic Growth Institute™.

In short, directors are responsible for acting at the policy and testing level and for “continuing to listen and learn” about emerging threats and safeguards, Morrissette says.

Good Controls

The root cause analysis when fraud occurs often finds that financial institutions did not have proper controls in place to prevent or detect wrongdoing quickly. For example, through segregation of duties, no single employee should be responsible for the entirety of a task in which fraud might occur, making it difficult to cover up. The idea of dual controls is for two people to sign off on certain transactions and large spending authorizations, to open and close the vault, and to override a hold on a dormant account—all of which pose the threat of theft if left to a single employee.

The board relies on managers and staff to carry out those policies and procedures and on auditors to determine that the controls are adequate and enforced. “Their job as board members isn’t to write the policies but to review them—and ensure they are followed,” Morrissette notes. “Their job isn’t to go out every time employees open the vault to make sure it’s under dual control. Their job is to hire an auditor to go in and make sure those things are happening and to identify any problems.”

The board also needs to ensure that the audit digs deep enough to uncover such practices as a branch manager giving tellers her authorization code so they can override transactions without bothering her or allowing address changes to be processed by a single employee, which opens the door to fraud.

Other tools include active whistleblower programs to encourage employees to report suspicious activity, policies prohibiting employees from accepting gifts from third parties over a certain amount ($25 is typical) and spot audits on spending authorizations where embezzlement is most common across business sectors, like big travel budgets or major building projects.

“Doing random spot audits has a deterrent effect, and forensic audits really dive into the details of receipts and authorizations,” Wallace says. “Any authorizations involving large contracts for construction, technology or training are areas where it could be easier to commit fraud. These audits would include talking to contractors to discover if there was any intent in the process to get kickbacks or special considerations.”

More Steps to Take

Another best practice is to change audit firms every three or four years. “Auditors can get comfortable with staff, and staff get comfortable with auditors, and sometimes there’s a little gray area that auditors might allow because of those relationships,” Wallace says. “When the credit union hires a new external auditor, they may discover something different. They will ask different questions. It gives the board extra confidence to say, ‘OK, we had some fresh eyes look at everything, and we still got a very good audit, so there’s no unwanted variation there.’”

Some credit unions have taken the additional step of creating an internal auditor position that reports directly to the board, he says. There may be some resistance to the structure of a staff member working with the board, but the larger the organization, especially in the $1 billion-plus range, the more likely the board or supervisory committee is to be able to rely on an internal auditor conducting financial checks at its direction.

Stephen G. Morrissette
Assistant Adjunct Professor of Strategic Management
University of Chicago Booth School of Business
Directors need to focus on the most important issues around strategy and risk management, not just their ‘hot button’ interests.

The boards of smaller credit unions have the option of directing the finance or risk management department to conduct spots audits or hiring an auditor to investigate a staff report of suspected fraud.

When considering auditors’ recommendations, “the board has to make some judgment calls and business decisions,” Morrissette adds. No credit union can afford to adopt every recommendation for fraud control and risk management, and directors of smaller financial cooperatives are especially likely to be faced with hard choices about the costs of adequate staffing to enact extensive controls and of external and internal audits.

Stay Focused and Informed

Board meetings with auditors offer opportunities for director education on current trends in fraud detection in financial services and new mechanisms for risk management, Wallace notes. And the board should ensure that the credit union offers regular staff training on whistleblower responsibilities and protections.

Board oversight entails continual diligence, vigilance and commitment to seek out training to round out directors’ understanding of their governance and risk management responsibilities. Given their emphasis on recruiting directors from their fields of membership, credit unions may be more prone to gaps in key areas of expertise than the boards of banks and other more prominent organizations, Morrissette suggests.

“Directors need to focus on the most important issues around strategy and risk management, not just their ‘hot button’ interests,” he adds.

Morrissette cites his own service on a hospital board of directors. While he can contribute business and financial expertise to board deliberations, it is harder for him to weigh in on discussions about clinical policies and issues. In the same way, many credit union directors are not steeped in knowledge about financial services and so need to take advantage of training and education so they can fulfill their oversight responsibilities. (In fact, the National Credit Union Administration requires through rule 704.1 that boards gain a certain level of financial knowledge.) In addition, recruiting director candidates with governance and risk management expertise can help support the board’s work.

Stay Vigilant and Up To Date

The challenges in providing effective oversight may vary for smaller credit unions without adequate resources to hire extensive outside auditing support and for larger institutions where directors are charged with ensuring the integrity of complex, multifaceted operations. Regardless of organizational scope and size, “it can be difficult to identify wrongdoing by a knowledgeable insider, so board members need to be committed to continual due diligence in order to protect the members and the credit union’s name and reputation,” Daigneault says.

Wallace agrees. “Board members need to be reading industry literature about where fraud is happening in financial services and becoming literate about how to guide the organization in making sure it doesn’t happen to them,” he recommends.

On the whole, credit unions are well run with only rare incidence of fraud, which raises the risk of complacency, he cautions. “When fraud does happen, it puts the brand of the organization and the financial health of members at risk. It hits the front page of newspapers” and makes headlines on social media.   cues icon

Karen Bankston is a long-time contributor to Credit Union Management and writes about membership growth, operations, technology and governance. She is the proprietor of Precision Prose, Eugene, Oregon.

Compass Subscription