Risk Management

The Rising Risk of Being CFO

The drive to combat corporate misconduct is making it a dangerous time to be a finance chief.
Randy MyersDecember 19, 2016
The Rising Risk of Being CFO

For CFOs, the margin for error continues to narrow as regulators strive to hold individuals responsible for companies’ misdeeds. In just a year, the pressure has been turned up considerably: In September 2015, U.S. Deputy Attorney General Sally Yates warned in a widely published memo that the Department of Justice would be doubling down on efforts to hold individuals accountable for corporate wrongdoing. Then, last August, the 9th U.S. Circuit Court of Appeals ruled that a CFO could be forced to give back incentive and stock-based compensation if his or her company has to restate its financial results—even if that restatement is not attributable to CFO misconduct.

Want more? Over the past decade, the plaintiffs’ bar has unleashed a small avalanche of class-action lawsuits against corporate and institutional retirement savings plans and their fiduciaries. These suits allege excessive payment of fees and other violations of the Employee Retirement Income Security Act. They put CFOs at risk because finance chiefs often serve on retirement plan committees, making them fiduciaries under ERISA.

A Better Way to Do Ecommerce

A Better Way to Do Ecommerce

Learn how Precision Medical leveraged OneWorld to cut the cost of billing in half and added $2.5M in annual revenue.

More recently, the plaintiffs’ bar has sued individual executives over allegations of self-dealing and embezzlement in corporate health-care plans. And while all this has been happening, increased protections for whistleblowers introduced by the Obama administration have boosted incentives for workers to report their employers’ missteps, creating still more potential for civil and criminal investigations.

“The regulatory environment has heightened dramatically,” says Matthew Flanigan, CFO of manufacturing company Leggett & Platt. “And the plaintiffs’ bar mindset, as a business model, is much more in place than it was 10 or 15 years ago.”

“This doesn’t keep me up at night,” says Jim Moylan, CFO of network equipment company Ciena, echoing a common refrain among finance chiefs. “But the fact that there is so much risk has forced us to have a much heightened sense of responsibility.”

16Dec_Accountability_CarneyWhat You Don’t Know…

The 9th Circuit decision in SEC v. Jensen revolved around a fraudulent revenue recognition scheme at a now defunct water-treatment company, Basin Water. The legal underpinning is Section 304 of the Sarbanes-Oxley Act, which requires CEOs and CFOs to repay bonuses and other incentive- or equity-based compensation in the wake of an accounting restatement triggered by misconduct. The decision to apply the law in cases where the finance chief is not the source of the misconduct is not binding on courts outside the 9th District, which covers the nation’s nine Western-most states. Therefore, its ultimate influence has yet to be determined. But for now it places CFOs in an even more precarious position every time they attest to the accuracy and completeness of financial statements.

“There’s not a public company in America that could withstand a full, substantive audit and not have errors and mistakes found in the books and records of the company,” explains John J. Carney, a former securities fraud chief for the Department of Justice and now co-leader of the white-collar defense and corporate investigations team at Baker & Hostetler. If his assessment is true, it means CFOs are routinely certifying documents that are not, to the nth degree, accurate. “God willing, the SEC won’t bring cases where there isn’t some direct evidence [of CFO wrongdoing],” Carney says. “But it’s very scary for a certifier of financial statements. Assuming you are an honest, diligent officer of the company, how do you get comfortable in an environment where the authorities are targeting individual liability, and the courts are saying that even an innocent mistake might form a basis for liability? If there were a bullseye painted in black on the back of the CFO, now it would be painted in red.”

The Yates memo amplifies the risk of serving as a corporate officer in several ways. Beyond vowing a new focus on individual responsibility—U.S. attorneys are now instructed to target individuals at the very start of an investigation—it mandates close cooperation between the department’s criminal prosecutors and civil litigators. It also says that, for companies to receive credit for cooperating with investigators, they must now identify all culpable individuals regardless of their position within the company and fully disclose all relevant facts about individuals’ misconduct (see “Pursuing People” at the end of this story).

“No more picking and choosing what gets disclosed,” Yates told an audience at New York University School of Law the day after circulating her memo. “The public expects and demands this accountability. Americans should never believe, even incorrectly, that one’s criminal activity will go unpunished simply because it was committed on behalf of a corporation.”

All surely true. But as Kevin LaCroix, executive vice president of specialty insurance broker and consultant RT ProExec explains, the Yates memo sets the stage for potentially deep conflicts of interest between corporations, which often want to earn cooperation credit, and their own executives, who want to avoid individual prosecution.

“If it appears the company is targeting you,” Carney says, “you have to ask the question, ‘Is it better to go directly to the government?’”

In part because past vows by the DOJ to crack down on individuals have yielded few results, LaCroix suggests it’s too early to know for sure what impact the Yates memo will have on the prosecution of corporate executives. Many, though, are closely following the DOJ’s investigation of German automaker Volkswagen’s cheating on U.S. emissions tests. In September, the DOJ announced that a VW engineer had pleaded guilty for his role in the scandal and would cooperate with the government in its ongoing investigation. In the meantime, defense attorneys argue that the influence of the Yates memo may already be visible in a handful of recent cases:

  • In January 2016, the former owner and CEO of Bostwick Laboratories agreed to pay at least $2.6 million, and potentially up to $3.75 million, to resolve alleged violations of the False Claims Act, the law that imposes liability on people for defrauding the federal government. The claims were related to Medicare and Medicaid billings originally brought to light by a whistleblower.
  • In April, three former district managers at specialty pharmaceutical manufacturer Warner Chilcott pleaded guilty to conspiracy to commit health care fraud and HIPAA violations, after their employer cooperated with the government’s investigation.
  • In September, the chairman of privately held nursing home operator North American Health Care agreed to pay $1 million to settle allegations of violating the False Claims Act. The company’s senior vice president of reimbursement analysis settled too, agreeing to pay $500,000.
  • Also in September, the former CEO of hospital operator Tuomey Healthcare System agreed to pay $1 million to settle claims related to illegal Medicare and Medicaid billings. Notably, the settlement required the former executive to release Tuomey from any indemnification claims he may have had against the company.

Whatever the impact of the Yates memo on these settlements—these cases had been underway before it was issued—Stephanie Resnick, chair of the directors and officers liability and corporate governance practice at Fox Rothschild, says, “Being a CFO in today’s world certainly subjects oneself to danger.”

Which raises the question, what to do about it? No one is suggesting that CFOs leave their jobs. But attorneys, insurance specialists, and CFOs who’ve thought about the issue agree there are things finance chiefs can do to manage the personal risks associated with leading the finance organization.

An Ounce of Prevention

It starts, of course, with the obvious: adopt policies and processes that meet the standards of the Sarbanes-Oxley and Dodd-Frank Acts, deliver great documentation to auditors, create a culture of compliance, develop a code of conduct, make it easy for employees to report suspected wrongdoing, and require financial personnel to certify their work in writing each quarter.

But even after all that, compliance can be a tricky undertaking across a large organization. Accordingly, veteran CFOs cite a litany of other strategies they’re embracing to mitigate the risk of anything going wrong, or, if something does, to prevent it from slipping by them.

At Jabil Circuit, a provider of electronic manufacturing services and solutions that employs more than 160,000 people globally, CFO Forbes I.J. Alexander places immense stock in having a robust enterprise risk management process, which his company has been fine-tuning for years. The process is now embedded deeply into the corporate culture, says Alexander. At network specialist Ciena, CFO Moylan puts special emphasis on controls for revenue recognition, since that’s an area shown to be problematic for many companies.

Elsewhere, CFOs are counting on technology for help. Engine and power products manufacturer Briggs & Stratton is in the process of upgrading its ERP system, says CFO Mark Schwertfeger, to provide easier, faster access to clean and reliable data. Having that is critical to reporting and certifying accurate financial results and spotting discrepancies before they become problems. “Information is power,” Schwertfeger says, “and it’s absolutely critical to keeping your finger on the pulse of things.”

16Dec_Accountability_SylvesterBecause even the best technology can carry an organization only so far, though, Schwertfeger also relies on smart, talented finance personnel who understand how the company works, stay connected with the business, and routinely exercise professional skepticism. This helps them develop reasonable expectations about how the company’s numbers should look and a sense for when they might be wrong. It’s akin to what Jon Wolk, CFO and treasurer of Mistras Group, an asset-protection company, calls a “two ears, one mouth” approach to running a finance function.

“The best CFOs are terrific business partners,” Wolk says. “When you’re a terrific business partner, you’re both helping to identify and achieve important opportunities and also identifying and mitigating the biggest risks. The first thing you have to do is listen and learn and understand the operating environment.”

David Sylvester, senior vice president and CFO of office furniture firm Steelcase, says a flat organizational chart can contribute to a safer environment for CFOs by facilitating the flow of information organization-wide. So can an employee evaluation process that considers both the performance of employees and their adherence to company values. At Steelcase, that twin assessment is incorporated into annual performance reviews that in turn factor into compensation decisions—and, in some cases, continued employment. “When you replace someone who was performing at a relatively high level but didn’t play by all the rules we expect our people to play by, it shows employees we’re serious about it,” Sylvester says.

Sylvester also has made it part of his operating protocol to personally review every issue reported though the company’s integrity hotline and to personally attend every disclosure control meeting the company holds before quarterly or annual SEC filings, quarterly calls with analysts, and financial press releases. “I think it’s important to understand the things being discussed and vetted about whether disclosure should be at this or that level,” Sylvester says.

Where process and policy aren’t enough, good old-fashioned experience can help CFOs navigate risk. Sylvester values his 22 years at Steelcase, including the past 10 as CFO. “I feel like I know our organization, know our culture. I’m not saying it’s necessarily better than anyone else’s, but I know it and understand it and therefore I can put things in context quickly. You start working for a new company, and in 90 days you have to file your first 10-Q and feel pretty confident about its accuracy. That person certainly has more at risk than the tenured executives in our industry.”

Lawyering Up

What happens when something does go wrong? Historically, a CFO’s first call is to the company’s general counsel. Today, that won’t always be the smart choice. It almost certainly will be the wrong choice if the CFO receives the so-called “Upjohn warning” from corporate counsel, advising that an internal investigation is underway and that corporate counsel represents only the company, not the individual. That CFO will want to retain his or her own counsel.

Many executives appear to be getting the message. Officers of public companies where investigations are underway, Carney says, are reaching out for personal representation more frequently, and sooner in the process, than they were even a year ago. “They’re lawyering up—and they need to,” agrees Fox Rothschild’s Resnick. “They can’t simply rely on the company’s counsel now.”

Carney says he can envision instances in which CFOs merely concerned about how their employer is handling a potentially controversial issue—a revenue recognition matter, perhaps—might want to hire their own counsel to advise on the matter. “If you think it’s a risky situation, it is reasonable and fair to ask the company to either allow you to explicitly rely on the advice of the company’s general counsel or outside counsel, or allow you to have your own counsel,” he says. “The fact that you’re arguing on revenue recognition for three hours should make you uncomfortable. One mistake that brings you under the scrutiny of the SEC can ruin your career forever. That’s why it’s important.”

In fact, Carney says, hiring counsel with expertise in the area in question, and taking their advice, can be a nearly absolute defense if authorities later determine that your course of action was illegal. It establishes that you acted in a reasonable and prudent manner.

When All Else Fails

CFOs will find that, in most cases, the cost of hiring their own attorney will be covered by their employer, often via the company’s directors and officers insurance policy. But not always.

Sarah Downey, D&O product leader with insurance broker Marsh USA, recommends that CFOs make sure they understand their employer’s obligation to indemnify them, which can vary by state and company bylaws. They should also ensure that the company’s D&O policy has adequate limits for Side A coverage, which insures losses to officers and directors that are not indemnified by the corporation. “I also recommend that clients look at the severability language in their policy,” she continues. “You want to make sure that if an individual is eventually held liable for wrongful conduct, that liability is not imputed to other officers and directors.”

LaCroix of RT ProExec adds that CFOs may want to go so far as to negotiate their own, separate, written indemnification agreement with their employer, instead of relying on the indemnification provisions of the company’s bylaws or state statutes. Such agreements are more common for CEOs and chairmen, he says, but it’s perfectly appropriate for CFOs to broach the topic.

LaCroix also encourages a review of all D&O policy limits in the increasingly fraught legal and regulatory environment in which companies now operate. In an extreme case where multiple officers and directors are hiring their own lawyers, he warns, policy limits can be used up fast.

Finally, LaCroix encourages CFOs to be mindful of the language in their D&O policies. Many are worded to exclude coverage for fraudulent or criminal activity, which is fine. But, LaCroix says, it’s important that the policy exclude such coverage only after a final, non-appealable adjudication. “If there’s a conviction that you want to appeal, you want to be sure the exclusion isn’t cutting off attorney’s fees right at the time you need them most,” he says. “I also like to see the word ‘intentional’ or ‘deliberate’ in there, so you don’t have mere negligence or even recklessness triggering the exclusion.”

It all sounds messy, but that’s the point for anybody sitting in the CFO chair, or thinking about it. “If you’re offered the CFO job, take it,” Carney says. “But understand you are wearing a white linen suit to a picnic—and you can’t get a stain on that suit.”

Randy Myers is a freelance writer based in Dover, PA.

6 Ways to Avoid Trouble

These basic steps can go a long way in mitigating the personal risks associated with leading the finance organization.

  1. Adopt and follow policies, processes, and controls that meet or exceed the standards of the Sarbanes-Oxley and Dodd-Frank acts.
  2. Deliver great documentation to internal and external auditors.
  3. Create a culture of compliance modeled and championed by the C-suite.
  4. Develop a code of conduct, have employees acknowledge in writing that they’ve received it, and communicate its message regularly throughout the enterprise.
  5. Make it easy for employees to report suspected wrongdoing to internal auditors and the board of directors.
  6. Require controllers and other financial accounting personnel to certify their work in writing each quarter, and mandate that business managers and sales leaders do the same.

Pursuing People

The following are excerpts from the September 9, 2015, memo of U.S. Deputy Attorney General Sally Quillian Yates, “Individual Accountability for Corporate Wrongdoing.”

“… One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing. Such accountability is important for several reasons: it deters future illegal activity, it incentivizes changes in corporate behavior, it ensures that the proper parties are held responsible for their actions, and it promotes the public’s confidence in our justice system. … ”

“… In order for a company to receive any consideration for cooperation under the Principles of Federal Prosecution of Business Organizations, the company must completely disclose to the [DOJ] all relevant facts about individual misconduct. Companies cannot pick and choose what facts to disclose. That is, to be eligible for any credit for cooperation, the company must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the [DOJ] all facts relating to that misconduct. …”

“ … by focusing our investigation on individuals, we can increase the likelihood that individuals with knowledge of the corporate misconduct will cooperate with the investigation and provide information against individuals higher up the corporate hierarchy. …”

“ … There may be instances where the [DOJ] reaches a resolution with the company before resolving matters with responsible individuals. In these circumstances, [DOJ] attorneys should take care to preserve the ability to pursue these individuals. … Absent extraordinary circumstances or approved departmental policy … [DOJ] lawyers should not agree to a corporate resolution that includes an agreement to dismiss charges against, or provide immunity for, individual officers or employees.” …

Featured image: Thinkstock