Martin T. Biegelman (martin.biegelman@sunhawkconsulting.com) is Managing Director & Investigations Practice Leader at SunHawk Consulting LLC in Phoenix, Arizona, and the author of the book, Building A World-Class Compliance Program.
The importance of corporate governance and a resilient board of directors is not a new concept. It has long been held that effective board oversight can do much to reduce the risk of management misconduct. In fact, this concept was reinforced many years ago in the October 1987 Report of the National Commission on Fraudulent Financial Reporting. The Report opined on the increased prevalence of fraud with “the absence of a board of directors or audit committee that vigilantly oversees the financial reporting process.”[1] Unfortunately, that premise has not been universally embraced, and fraud and other misconduct persist.
Whether it is the headline-grabbing corporate fraud cases of Enron, WorldCom, Adelphia, and a host of others from 20 years ago or the more recent ones at Volkswagen, Theranos, Luckin Coffee, and Wirecard, we are compelled to ask the provocative questions: Where was the board; what did they know; and when did they know it? Or did they not even know? While we have seen very few cases where the board was complicit in management fraud, in such cases we must ask, why did they not do more in their governance and oversight role to detect and prevent rampant misconduct? Why have the gatekeepers and the guardians of governance let us down in so many instances? At times, boards have failed miserably but faced few consequences.
To reinforce the failure of board governance, I will discuss three organizations from the public, private, and nonprofit sectors that made headlines, and not in a good way, for their misconduct. The common denominator in these case examples is the action, or rather the inaction, of the boards of directors involved. I will then discuss the questions that boards need to ask themselves to ensure they are fulfilling their roles effectively.
Red flags missed at Wells Fargo
Wells Fargo’s reputation was damaged by a sales practices scandal where management pressured employees to meet unrealistic sales targets that resulted in the opening of unauthorized customer accounts. Initially 2.1 million phony accounts were disclosed, but subsequently the number increased to 3.5 million.[2] The practice may have started as early as 1998. More than 5,300 employees were fired for these phony accounts between 2011 and 2016.[3] The former CEOs were forced out, executives linked to the inappropriate sales practices were fired, there were multiple government investigations, and billions were paid in fines and class-action settlements. So, where was the board?
The Wells Fargo board missed the numerous red flags that screamed misconduct. There were the aggressive and unrealistic sales goals for bank employees, the focus on cross-selling, and the decentralized business model that siloed interactions and limited transparency. Then there was the prior reporting by employees of the sales practices; the greatest number of internal ethics complaints going back more than 15 years related to “sales integrity” issues.[4] There was no follow-up and more unheeded red flags. An employee filed a whistleblower lawsuit in 2011 that should have put the board on notice. In one of the related depositions, a lead teller stated, “Everyone at the branch…was aware of the unethical conduct of bankers.”[5] We do not know if the board was ever specifically told about these issues back then, but if they were told and did nothing, their severe lack of oversight would be an even worse failure.
The one red flag that should have caused the board to respond sooner was the aggressive sales culture that former CEO Richard Kovacevich brought to Wells Fargo and was later promulgated by his successor, John Stumpf. “Kovacevich had initiated the ‘GR-8’ program to pursue cross-sell at Norwest and brought that focus to Wells Fargo” after Norwest’s 1998 purchase of Wells Fargo.[6] Kovacevich coined the term “Go for GR-Eight” that meant each Wells Fargo customer should have eight products, such as checking accounts, savings accounts, auto loans, mortgages, credit cards, and the like. Kovacevich left the CEO role and became chairman in 2007, leaving Stumpf to take over the CEO role. Stumpf continued this aggressive sales culture with his own mantra of “eight is great.”[7] In 2013, the Los Angeles Times reported that “Wells Fargo said it averages 6.15 financial products per household—nearly four times the industry average.”[8] This disparity alone should have indicated to the board that something was amiss and needed immediate inquiry.
When Wells Fargo whistleblowers reported sales practices violations to the Wells Fargo helpline and nothing changed, the whistleblowers apparently went to the newspapers.[9] The sales practices were not deep, dark secrets at the bank, so where was the board in its oversight role? It was not until the Los Angeles Times published its 2013 article that the board got involved. The board did not even consider sales practices as a business risk until 2014.[10] Did they not consider the implications of the “eight is great” mantra and its pressure on employees?
It was not until 2016 that the board finally learned of the prior terminations of the 5,300 employees for sales practices violations.[11] Even if the board was misled by management, the board had the governance requirement to conduct its own independent investigation years earlier. It was not until the scandal became even more public through a multitude of media reports that the independent directors of the board retained counsel to investigate the sales practices. The subsequent independent investigation report was released in April 2017.
There is no doubt that the Wells Fargo board has taken significant steps to reform the company’s practices and culture, but the damage was done. Today, Wells Fargo is still recovering from its past, and it will take many years to fully gain back customer, investor, and regulator trust. While many in management and across employee ranks were responsible, the question of “Where was the board?” persists.
The all-star board at Theranos
Suffice to say, it is troubling when an organization fails to disclose to its board a serious whistleblower allegation of a pervasive fraud involving the deceiving of investors, partners, customers, and government regulators. One can argue that it is problematic when the board, or in this case, a board member, learns of this allegation and does not take appropriate action. It is even worse when that board member is the grandfather of a company whistleblower, and that board member not only does not take appropriate action to get to the bottom of the allegation but takes the company’s side over his grandson.
That is what happened in the case of George Shultz, a board member at Silicon Valley start-up Theranos. Shultz was a renowned statesman having served as US secretary of state and other cabinet positions in three presidential administrations. He was but one luminary on an all-star board of directors at Theranos. Other board members included former secretary of state Henry Kissinger, former senators Sam Nunn and Bill Frist, former commander of the U.S. Central Command James Mattis, former Wells Fargo CEO and Chairman Richard Kovacevich, and others.[12]
Theranos was a privately held healthcare technology company that promised to change the world of medicine through its disruptive blood-testing technology. Its charismatic Stanford University dropout CEO enthralled venture capitalists and other wealthy investors who invested millions in the start-up, resulting in a company value of $9 billion. Yet it was the integrity and strength of character of a young Theranos employee who discovered that the ground-breaking blood testing technology was allegedly a fraud. The young man was Tyler Shultz, the grandson of George Shultz. Tyler’s whistleblowing along with other disclosures of fraud eventually brought down the company and resulted in indictments of the CEO and chief operating officer.
George Shultz used his influence as a Theranos board member to obtain employment for Tyler in 2013. Tyler worked at the company for only a few months when he came to realize that the supposedly innovative blood-testing devices did not provide the promised results. He quit the company and began speaking to a Wall Street Journal reporter and others about what was going on at Theranos. Subsequently, Theranos learned that Tyler was speaking with the newspaper, so George Shultz called his grandson to say that he was “in a world of trouble” and needed to quickly meet with him and the company’s attorneys.[13] Tyler told his grandfather he wanted to just meet with him without any attorneys present, so he went to his grandfather’s house for this private meeting.
There, Tyler told his grandfather about why he believed that Theranos was engaged in fraud and that “the company performed only a small fraction of its blood tests on its proprietary Edison devices.”[14] George Shultz did not believe his grandson. What followed is an incident that Wall Street Journal reporter John Carreyrou called an “ambush.”[15] George Shultz told Tyler that there were two attorneys who represented Theranos in the house who wanted to speak with him, leaving Tyler “blindsided and betrayed.”[16] The attorneys wanted Tyler to sign certain documents that would benefit Theranos, but he stood his ground and refused to sign the papers.
Tyler Shultz later advised that his grandfather did not agree with how the Theranos lawyers treated him but George “still believed the Theranos technology worked.”[17] Unfortunately he believed the company over his grandson. Had George Shultz at least investigated Tyler’s information and brought in independent outside counsel, he would have better exercised his corporate governance responsibilities. Even though Theranos was a private company, George Shultz and the board had a fiduciary responsibility to its investors, not mere subservience to the CEO. In a subsequent investor lawsuit against Theranos, during the deposition of former board member (and former Wells Fargo CEO) Richard Kovacevich, he stated, “I don’t remember disapproving with anything that she [CEO Elizabeth Holmes] did,” and, “Ultimately, Elizabeth made the decisions.”[18] Kovacevich has the dubious distinction to have been in important oversight roles at two companies with massive failures of leadership and governance, along with allegations of fraud.
In 2019, Tyler Shultz received the Association of Certified Fraud Examiners’ Sentinel Award recognizing whistleblowers who, without regard to personal or professional consequences, publicly disclosed wrongdoing in business or government.
The failure of Hacienda HealthCare’s Board
More than public and private businesses require effective governance and oversight from their boards. Nonprofit boards must also maintain independence and provide the appropriate oversight of the organization; boards face public scrutiny when they fail in this role.
The case at Hacienda HealthCare (Hacienda), a long-term care, not-for-profit healthcare facility in Phoenix, Arizona, is a sad story that made headlines a few years ago and laid bare a board’s inadequacy for oversight. An incapacitated patient who was at the facility for 26 years due to a brain injury was raped and gave birth on December 29, 2018. No one knew the patient was pregnant until she went into labor. After a police investigation and DNA testing of all employees, a nurse at the facility was arrested and charged with the crime.
But this horrific act exposed other serious issues at Hacienda. The CEO worked at the facility for 28 years and had long fostered a climate of fear and tyrannical behavior.[19] Starting in 2006 and continuing over the years, employees filed complaints accusing the CEO of sexual harassment, groping, bullying, and other unacceptable behavior that went unchecked. After these issues became public, the board ordered counseling and training for the CEO and docked his pay, but the behavior continued. Former employees “contend the board was more interested in protecting [the CEO] than in putting a stop to his behavior,” and “instead [the CEO] was given a license to continue targeting employees.”[20]
The CEO “oversaw two for-profit companies that did business with Hacienda: a medical supply company, the other a home-health company.”[21] Clearly this was a serious conflict of interest. In 2016, the Arizona attorney general criminally investigated the facility for $4 million in alleged fraudulent billings to the state. The CEO refused “to turn over financial records required by law,” and the probe “was dropped because of a lack of evidence.”[22] The board claimed they were unaware of the attorney general’s investigation.[23] In late January 2019, the board’s president said they did not previously fire the CEO because they had to weigh his many years of service and the families he helped against the complaints of employees about the behavior.[24] Incredulously, the former chairman of the board added that after the CEO’s resignation “people have raised the question of whether he should have been fired years ago,” and “while in hindsight it may appear to be an easy call, it was not that simple in the moment.”[25]
Articles began to report that Hacienda “board members and their relatives benefitted financially from their positions.”[26] The benefits included business dealings and children of board members being hired at the facility. In one example of a conflict of interest, the board chairman “brokered health insurance for roughly 800 Hacienda employees through his private company for decades, reaping lucrative commissions on the contracts.” Their defense was that their positions were voluntary, and to avoid conflicts of interest, they would “abstain from voting on issues involving their businesses and relatives.”[27] The board’s fiduciary responsibilities come into question when they have business relationships with the organization they are supposed to oversee.
After the disclosures in early 2019, the board hired outside counsel to determine how the rape and pregnancy went undetected and to assess the policies and procedures. The board brought in a former county prosecutor to lead a comprehensive internal investigation. Within two months of his hiring, the outside counsel abruptly quit citing unspecified issues with the board. What little he said about his departure was telling, even though he did not specifically mention the board that hired him. He stated, “When I started this assignment, I made it very clear if I was not able to conduct my work with complete objectivity and if any issue came up that caused me any concerns, I would terminate my contract.”[28]
After the CEO resigned, the chief financial officer confessed to the board that he and the CEO knew that “costs had not been allocated correctly” regarding a Medicaid contract with the state of Arizona.[29] In September 2020, the former CEO and chief financial officer were indicted on multiple fraud charges for defrauding Arizona and Medicaid out of more than $11 million over many years. Hacienda agreed to repay the state for these fraudulent billings. The board chairman and most of the board members resigned in March 2019.
The board’s role done right
It is not hard to imagine that if the boards of Wells Fargo, Theranos, and Hacienda were more focused on their independence and oversight roles, including mitigating the risk of fraud and other misconduct, the public failures and resulting scandals of these organizations might not have occurred.
There are numerous actions that demonstrate a board’s fiduciary duties of care and loyalty related to fraud risk management and protecting an organization from financial, litigation, and reputational risk. While not an all-inclusive list, here are some of the most important questions for a board to ask itself to ensure that the organization has a robust fraud detection and prevention program:
-
Does the board demonstrate appropriate oversight of the organization’s compliance program to ensure it is well-designed and effective as per the U.S. Federal Sentencing Guidelines?
-
For example, does the organization incorporate compliance program best practices and guidance as detailed in the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs?
-
-
Does the board provide appropriate oversight of management to ensure that the organization has an effective fraud risk management program and process that provides an integrated approach that considers and mitigates fraud risk and conducts periodic fraud risk assessments?
-
For examples, does the organization incorporate best practices and other guidance from the Fraud Risk Management Guide published by the Committee of Sponsoring Organizations of the Treadway Commission?
-
-
Does the board provide oversight of management to ensure a robust anti-fraud program to detect and prevent fraud that encompasses investigations, training, communications, controls, and other key program aspects?
-
For example, does the organization include guidance from the American Institute of Certified Public Accountants’ Management Antifraud Programs and Controls and the Association of Certified Fraud Examiners’ Anti-Fraud Playbook?
-
-
Do board members have risk management, compliance program, and anti-fraud experience and expertise?
-
Does the organization’s chief compliance officer have unfettered access to the board without having to go through management?
-
Does the organization’s chief compliance officer have either direct or dotted line reporting to the board or a committee of the board, such as the audit committee?
-
Does the board assess the organization’s internal audit function to ensure it has a robust audit plan to determine the fraud and overall misconduct risk and that it is appropriately staffed with experienced auditors to accomplish its mission?
-
Does the board conduct independent investigations using experienced outside counsel and forensic consultants when management is involved in misconduct such as financial accounting fraud, corruption and bribery, sexual harassment, and other serious violations of the organization’s code of conduct?
-
Does the board ensure that management strongly messages that retaliation in any form is unacceptable and that swift and compelling action will be taken against anyone engaging in such conduct?
-
Does the board ensure management has a third-party, confidential, and anonymous reporting system for employees and others outside the organization to report concerns, complaints, and allegations of misconduct?
One more needed board enhancement
There is another meaningful action that boards can take to change the conversation from the criticism of “Where was the board?” to the improved “Here is the board” messaging of championing governance and organizational oversight. This can be accomplished by placing more women on boards. Besides the obvious reasons of increasing diversity and inclusion to add new perspectives and expertise, there is another new and essential rationale for including more women on boards: A recent study in the United Kingdom found that “banks with more women on their boards commit less fraud.”[30] The study reviewed fines imposed by the US government since the global financial crisis on major European financial institutions for misconduct. The finding was that “banks with more female directors faced lower and less-frequent fines for misconduct, saving those institutions $7.84 million a year, on average.”[31]
I will leave you with two profound quotes on boards and their governance role. The first is from Cyrus Pallonji Mistry: “Shareholder value gets lost when things are done illegally, when corporate governance is not adhered to, when cohesive action is not taken.” The second is from Pearl Zhu: “The heterogeneous BoDs [boards of directors] with independent thinking enforce governance, and diversity strengthens creativity.”
About the author
Martin Biegelman has spent a lifetime detecting, investigating, and preventing fraud and corruption in various leadership roles in law enforcement, consulting, and the corporate sector. His work on behalf of corporate management and boards includes conducting internal investigations alleging fraud, corruption, Foreign Corrupt Practices Act violations, conflicts of interest, whistleblower retaliation, and other employee and vendor misconduct; he has developed, enhanced, and assessed corporate compliance and ethics programs, including internal investigative and anti-bribery compliance programs; and he has performed fraud risk assessments.
Takeaways
-
When CEOs pursue a culture of aggressive and unrealistic sales targets for employees, that should be a huge red flag for boards to act.
-
Effective boards are the guardians of governance and especially so when whistleblowers approach board members with significant allegations that must be fully vetted.
-
Conflicts of interest among board members call into question their fiduciary responsibilities and duties of care and loyalty, and those conflicts must be appropriately resolved.
-
Inquisitive and independent boards can lessen the risk of organizational misconduct and promote a culture of ethics and compliance.
-
Embracing and implementing diversity and inclusion is a must for today’s successful boards and the organizations they govern.