AFM 434: Corporate Governance and Risk Management
Jonny Le Leu
Estimated study time: 1 hr 12 min
Sources and References
Primary frameworks:
- COSO. Enterprise Risk Management — Integrating with Strategy and Performance. COSO, 2017.
- OECD. G20/OECD Principles of Corporate Governance. OECD Publishing, 2023.
Core textbooks:
- Larcker, D. & Tayan, B. Corporate Governance Matters, 3rd ed. Pearson, 2021.
- Monks, R. A. G. & Minow, N. Corporate Governance, 5th ed. Wiley, 2011.
- Beasley, M., Branson, B. & Hancock, B. Developing Key Risk Indicators to Strengthen Enterprise Risk Management. COSO, 2019.
Regulatory sources:
- Sarbanes-Oxley Act of 2002 (US).
- National Instrument 52-109 (Canada).
- TSX Company Manual.
- Basel Committee on Banking Supervision. Principles for Enhancing Corporate Governance. BIS, 2015.
- ISO 31000:2018 Risk Management — Guidelines.
Supplementary:
- Freeman, R. E. Strategic Management: A Stakeholder Approach. Cambridge University Press, 2010.
- Jensen, M. C. & Meckling, W. H. “Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure.” Journal of Financial Economics 3(4), 1976.
- TCFD. Recommendations of the Task Force on Climate-related Financial Disclosures. 2017.
Chapter 1: Foundations of Corporate Governance
1.1 What Is Corporate Governance?
Corporate governance encompasses the structures, processes, and mechanisms through which organizations are directed and controlled. It defines the relationships among shareholders, the board of directors, senior management, and other stakeholders, and establishes accountability frameworks that align decision-making with the interests of those the organization is meant to serve.
Good corporate governance is not merely a compliance exercise. It provides the foundations for trust between capital providers and those entrusted with deploying that capital. In doing so, it lowers the cost of capital, supports sustainable business performance, and reduces the risk of catastrophic organizational failure driven by misaligned incentives or unchecked managerial discretion.
The OECD defines good corporate governance as helping to build an environment of trust, transparency, and accountability necessary for fostering long-term investment, financial stability, and business integrity. Weak governance, by contrast, is associated with capital misallocation, accounting fraud, excessive risk-taking, and reputational collapse.
1.2 Why Corporate Governance Matters
Governance failures cause tangible economic harm — to investors, employees, creditors, customers, and the communities in which corporations operate. At the micro level, poor governance allows self-dealing executives to extract value from shareholders; at the macro level, systemic governance failures can destabilize financial markets (as in the 2008 global financial crisis) and undermine public trust in market capitalism itself.
Evidence from empirical finance research consistently shows that firms with stronger governance earn higher valuations (measured by Tobin’s Q), experience lower cost of equity capital, and are less prone to earnings management. The Gompers, Ishii, and Metrick (2003) governance index — based on anti-takeover provisions — found that a portfolio long high-governance firms and short low-governance firms earned abnormal returns of approximately 8.5% per year over the 1990s.
The benefits of governance reform are not limited to individual firms. Country-level governance quality — measured by rule of law, minority investor protections, and regulatory quality — is strongly positively correlated with the depth of equity markets, foreign direct investment flows, and long-run economic growth.
1.3 Agency Theory: The Intellectual Foundation
The core intellectual framework underpinning corporate governance is agency theory (Jensen & Meckling, 1976). An agency relationship arises when one party (the principal) delegates decision-making authority to another (the agent). The relationship creates problems because principals cannot costlessly observe agent behavior, and agents have their own utility functions that may diverge from principals’ preferences.
In the corporate context, shareholders (principals) delegate operating authority to managers (agents). Agency problems arise because:
- Divergent interests: Managers may prioritize personal gain — excessive compensation, empire-building through value-destroying acquisitions, quiet-life preferences, or entrenching themselves in office — over shareholder wealth maximization.
- Information asymmetry: Managers possess superior information about the firm’s operations, risk exposures, and strategic options compared to shareholders. This informational advantage enables opportunism.
- Moral hazard: After delegating authority, principals cannot perfectly observe or verify agent actions. The agent may shirk, take undue personal risks, or engage in self-dealing.
Corporate governance mechanisms are essentially solutions to agency problems. Every governance tool — boards, audits, incentive contracts, ownership concentration, debt — either reduces information asymmetry, constrains managerial discretion, or realigns manager incentives with shareholder interests.
| Governance Mechanism | How It Reduces Agency Costs |
|---|---|
| Board of directors | Independent oversight; hire/fire/pay the CEO; approve major decisions |
| Executive compensation design | Links pay to shareholder value creation; reduces divergent interests |
| Financial reporting and audit | Reduces information asymmetry through verified disclosure |
| Concentrated ownership | Large shareholders have incentive and ability to monitor management directly |
| Debt financing | Creates hard commitments; creditor monitoring; restricts free cash flow |
| Market for corporate control | Takeover threat disciplines underperforming or entrenched management |
| Proxy voting and shareholder meetings | Gives shareholders voice on key decisions |
| Regulatory requirements | Sets minimum governance standards for public companies |
1.4 Stakeholder Theory
Agency theory focuses on the shareholder–manager relationship, but stakeholder theory (Freeman, 1984) argues that organizations have obligations to all parties who are affected by or can affect the organization’s activities — employees, customers, suppliers, communities, regulators, and the natural environment.
The shareholder primacy model (dominant in Anglo-American governance) holds that management’s primary obligation is to maximize shareholder value. The stakeholder model (more prevalent in continental European and Japanese governance) requires management to balance competing stakeholder interests.
These paradigms have different governance implications:
| Dimension | Shareholder Primacy | Stakeholder Model |
|---|---|---|
| Primary goal | Maximize shareholder wealth | Balance all stakeholder claims |
| Board composition | Independent outside directors | May include employee/creditor representatives |
| Time horizon | Often short-term (quarterly earnings) | Longer-term; relationship investing |
| Geography | US, UK, Canada, Australia | Germany, Japan, Scandinavia |
| Capital structure | Active use of leverage; hostile M&A | Stable banking relationships; hostile M&A rare |
| Disclosure | Market-based; broad public disclosure | Relational; less to public markets |
1.5 The Principal–Principal Problem
In addition to manager–shareholder agency conflicts, governance scholars identify a second, equally important category of conflict: the principal–principal problem between controlling shareholders and minority shareholders. In many economies outside the US and UK — including Canada, much of Asia, and emerging markets — ownership is concentrated in the hands of founding families or the state.
Controlling shareholders can extract private benefits of control: tunneling (moving value out of the firm to related parties), appointment of under-qualified family members to management and board positions, and self-dealing transactions at non-arm’s-length prices. Minority shareholders bear these costs but lack the voting power to resist.
Governance mechanisms that address principal–principal conflicts include: independent audit committees, related-party transaction rules requiring shareholder approval, independent legal counsel, and legal systems that provide private rights of action for minority shareholders.
Chapter 2: Enterprise Risk Management Frameworks
2.1 The Evolution from Silo Risk Management to ERM
Traditional risk management operated in functional silos. Treasury managed foreign exchange and interest rate exposures. Insurance departments purchased property and liability coverage. Legal handled litigation risk. Operations managed production disruptions. These silos rarely communicated, reported through different channels to senior management, and had inconsistent methodologies for measuring and comparing risks.
The failure of this approach became catastrophically visible in the early 2000s corporate scandals and again in the 2008 financial crisis. Risk interactions — the way that credit risk, liquidity risk, and operational risk can simultaneously crystallize in a self-reinforcing spiral — were completely invisible in siloed systems.
Enterprise Risk Management (ERM) is an integrative, organization-wide approach to identifying, assessing, managing, and monitoring risks in a coordinated manner aligned with strategic objectives.
Key distinguishing features of ERM versus traditional risk management:
| Dimension | Traditional Risk Management | Enterprise Risk Management |
|---|---|---|
| Scope | Siloed by function/hazard | Organization-wide, portfolio view |
| Ownership | Risk specialists | All management levels; board oversight |
| Integration with strategy | None or minimal | Embedded in strategy setting |
| Risk types | Primarily insurable/financial | All risk categories including strategic |
| Risk appetite | Implicit | Formally defined and approved by board |
| Objective | Risk minimization | Optimal risk-taking aligned with strategy |
2.2 The COSO ERM Framework (2017)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its foundational ERM framework in 2004 and substantially updated it in 2017. The 2017 framework reflects a fundamental shift: it places the integration of ERM with strategy and performance at its centre, recognizing that organizations cannot manage risk effectively without embedding risk thinking into how they set strategy and evaluate performance.
The 2017 COSO ERM framework is organized around five interrelated components and twenty principles:
Component 1: Governance and Culture
Governance and culture together establish the organizational context for all risk-related decisions. The board exercises oversight of ERM; senior management sets the ERM operating model; and culture reflects the shared values, attitudes, and behaviors that shape how risk is experienced and managed throughout the organization.
Four principles under Governance and Culture:
- Exercises Board Risk Oversight: The board must accept responsibility for overseeing ERM. This includes defining the appropriate oversight body (full board or risk committee), specifying what risk information the board receives and how often, and ensuring board members have sufficient risk literacy.
- Establishes Operating Structures: Management must establish clear lines of authority and responsibility for ERM. This includes defining the role of the Chief Risk Officer (CRO) or equivalent, embedding risk roles within business units, and ensuring risk functions have adequate resources and authority.
- Defines Desired Culture: Leadership must explicitly articulate the risk culture they wish to cultivate — the degree of risk-taking that is acceptable, the norms for escalating risk concerns, and expectations around ethical behavior.
- Demonstrates Commitment to Core Values: Actions must match words. If senior management tolerates breaches of stated values to achieve short-term results, the cultural signals overwhelm formal policy statements.
Component 2: Strategy and Objective-Setting
This component addresses the critical linkage between risk and strategy. Strategic choices create risk; the nature and magnitude of risk an organization faces is inseparable from the strategy it pursues. ERM must therefore be integrated into the strategy development process, not appended to it after the fact.
Four principles under Strategy and Objective-Setting:
- Analyzes Business Context: Understanding the external environment (competitive, technological, regulatory, macroeconomic) and internal environment (operating model, culture, capital structure) provides the foundation for identifying strategy-relevant risks.
- Defines Risk Appetite: The board approves the risk appetite — the types and amount of risk the organization is willing to accept in pursuit of its strategy and value creation objectives.
- Evaluates Alternative Strategies: Risk considerations should inform the selection among strategic alternatives. A strategy that promises high returns but involves risk that exceeds appetite — or risk that cannot be adequately managed — should be rejected or modified.
- Formulates Business Objectives: Objectives cascade down from strategy. Each objective has associated risk tolerances — the acceptable variation in performance around the objective.
The relationship between risk appetite and tolerance can be visualized as follows: risk appetite is the broad zone within which the organization is comfortable operating; risk tolerances define the specific boundaries around individual objectives that must not be breached without triggering management action.
Component 3: Performance
This is the operational core of ERM — the systematic identification, assessment, prioritization, and response to risks, together with the development of a portfolio view of the organization’s overall risk profile.
Five principles under Performance:
- Identifies Risk: Systematically inventorying events — both threats and opportunities — that could affect the organization’s ability to achieve its objectives.
- Assesses Severity of Risk: Evaluating identified risks in terms of likelihood and impact to determine which risks require priority attention.
- Prioritizes Risks: Ranking risks by their significance relative to the organization’s objectives and risk appetite.
- Implements Risk Responses: Selecting and implementing the appropriate risk response strategy.
- Develops Portfolio View: Aggregating individual risks into an overall picture of the organization’s risk profile, including identification of risk correlations and concentrations.
Risk Identification Techniques:
Risk identification must be systematic and comprehensive. Common techniques include:
- Brainstorming workshops: Cross-functional groups generate risk scenarios using facilitated structured discussion.
- Interviews and surveys: One-on-one conversations with subject-matter experts surface risks that individuals may not raise in group settings.
- PESTLE analysis: Structured scan of the external environment — Political, Economic, Social, Technological, Legal, Environmental dimensions.
- SWOT analysis: Threats map to risks; weaknesses signal internal vulnerabilities.
- Historical loss event analysis: Review of past incidents (internal and industry-wide) to identify recurring risk categories.
- Scenario analysis: Structured exploration of plausible future states, particularly useful for low-frequency but high-impact risks (cyber breach, pandemic, geopolitical disruption).
- Process mapping: Identifying failure modes within specific business processes.
- Risk register review: Updating and refreshing the organization’s documented inventory of identified risks.
Risk Assessment:
Each identified risk is assessed along two primary dimensions:
- Likelihood (probability): How probable is it that this risk event will occur within the assessment horizon (typically 1 year or 3–5 years)?
- Impact (severity): If the risk event occurs, what is the magnitude of its effect on organizational objectives — financial, reputational, operational, strategic, compliance?
Both dimensions may be assessed qualitatively (high/medium/low) or quantitatively (probability percentages, dollar impact ranges). The choice between qualitative and quantitative assessment depends on data availability and the nature of the risk.
The heat map (risk matrix) is the standard tool for visualizing assessed risks. Risks are plotted on a two-dimensional grid — likelihood on one axis, impact on the other — divided into zones that correspond to risk priority:
- Red zone (high likelihood, high impact): Requires immediate management attention and robust controls.
- Amber zone (moderate likelihood or impact): Managed with ongoing monitoring and proportionate controls.
- Green zone (low likelihood and impact): Accepted with minimal management intervention; periodic review.
Inherent vs. Residual Risk:
Inherent risk is the level of risk before any controls are applied; residual risk is the level that remains after existing controls have taken effect. The gap between inherent and residual risk therefore represents the effectiveness of existing controls. If residual risk still exceeds risk tolerance, additional responses are required. If residual risk is significantly below tolerance, the organization may be over-spending on controls relative to the risk.
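A worked version of the assessment steps above (heat-map zoning, inherent versus residual scoring, and the tolerance test), added here as an illustration and not part of the original course notes. The 5-point scales, the numeric tolerances, the register entries and the 50% over-control margin are all constructed assumptions; the zoning rule follows the text literally (red only when likelihood and impact are both high).

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed 5-point scales. The page describes likelihood and impact
# qualitatively; the numeric scoring is an assumption of this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    category: str
    inherent_likelihood: str      # assessed before controls
    inherent_impact: str
    residual_likelihood: str      # assessed after existing controls
    residual_impact: str
    tolerance: int                # max acceptable residual score (L x I); constructed


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 5-point scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def zone(likelihood: str, impact: str) -> str:
    """Heat-map zone as the text defines it: red needs high likelihood AND
    high impact, green needs low on both, everything else is amber."""
    l, i = LIKELIHOOD[likelihood], IMPACT[impact]
    if l >= 4 and i >= 4:
        return "red"
    if l <= 2 and i <= 2:
        return "green"
    return "amber"


def assess(risk: Risk, over_control_margin: float = 0.5) -> dict:
    """Compare inherent and residual risk and test residual against tolerance.
    Flagging possible over-control at half of tolerance is an assumption."""
    inherent = score(risk.inherent_likelihood, risk.inherent_impact)
    residual = score(risk.residual_likelihood, risk.residual_impact)
    if residual > risk.tolerance:
        action = "additional response required"
    elif residual <= risk.tolerance * over_control_margin:
        action = "within tolerance; review control spend"
    else:
        action = "within tolerance"
    return {
        "name": risk.name,
        "inherent_score": inherent,
        "inherent_zone": zone(risk.inherent_likelihood, risk.inherent_impact),
        "residual_score": residual,
        "residual_zone": zone(risk.residual_likelihood, risk.residual_impact),
        "control_effect": inherent - residual,   # reduction attributable to controls
        "action": action,
    }


def prioritize(risks: list[Risk]) -> list[dict]:
    """Portfolio view: assessments ordered by residual score, highest first."""
    return sorted((assess(r) for r in risks),
                  key=lambda a: a["residual_score"], reverse=True)


# Constructed register entries using the taxonomy on this page.
REGISTER = [
    Risk("Ransomware disables manufacturing", "Operational/Technology",
         "likely", "severe", "possible", "major", tolerance=10),
    Risk("Customer default on receivables", "Financial/Credit",
         "possible", "moderate", "unlikely", "minor", tolerance=10),
    Risk("Key person departure", "Operational/People",
         "possible", "major", "possible", "moderate", tolerance=12),
]

if __name__ == "__main__":
    for a in prioritize(REGISTER):
        print(f"{a['name']:<36} inherent {a['inherent_score']:>2} ({a['inherent_zone']})"
              f"  residual {a['residual_score']:>2} ({a['residual_zone']})  -> {a['action']}")
```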
Risk Response Strategies:
For each assessed risk, management selects one or more responses:
| Response | Description | When Appropriate |
|---|---|---|
| Accept | Tolerate the risk with no specific mitigation action | Residual risk falls within risk appetite; cost of mitigation exceeds benefit |
| Avoid | Exit the activity, market, or relationship that generates the risk | Risk is unacceptable and cannot be efficiently reduced; regulatory prohibition |
| Reduce (Mitigate) | Implement controls or process changes to reduce likelihood, impact, or both | Risk can be managed to within tolerance at acceptable cost |
| Share (Transfer) | Transfer some or all of the risk to a third party | Insurance available; hedging instruments exist; outsourcing feasible; risk pooling with partners |
In practice, most significant risks are managed through a combination of responses — for example, reducing operational risk through process controls and training (reduce), and purchasing insurance against residual catastrophic events (share).
Component 4: Review and Revision
The risk landscape is dynamic. Strategic pivots, new business models, regulatory changes, competitive disruptions, and macroeconomic shifts all alter an organization’s risk profile. ERM must therefore be continuously updated and refreshed.
Three principles under Review and Revision:
- Assesses Substantial Change: Organizations must proactively identify and assess changes in the business context and risk environment that may require revision to the ERM framework or specific risk responses.
- Reviews Risk and Performance: Periodic formal review processes compare actual risk experience against appetite and tolerances; evaluate the effectiveness of risk responses; and identify emerging risks not previously captured.
- Pursues Improvement in Enterprise Risk Management: ERM itself must improve over time — in methodologies, data quality, tools, and integration with decision-making processes.
Component 5: Information, Communication, and Reporting
ERM generates and relies on information that must flow vertically (to board and senior management) and horizontally (across business units and functions) to support informed decision-making.
Three principles under Information, Communication, and Reporting:
- Leverages Information and Technology: Modern ERM relies on integrated data systems, dashboards, and analytics tools to aggregate risk information from across the organization in a timely and reliable fashion.
- Communicates Risk Information: Risk information must reach the right decision-makers — boards must understand the organization’s risk profile; business unit leaders must understand how portfolio-level risk appetite translates into operational guidance; employees must know what risks they own and how to escalate concerns.
- Reports on Risk, Culture, and Performance: External reporting on risk management practices — through annual reports, regulatory filings, and sustainability disclosures — is increasingly expected by investors and regulators.
2.3 ISO 31000:2018 Risk Management Standard
ISO 31000 is an international standard published by the International Organization for Standardization that provides principles, a framework, and a process for managing risk. Unlike COSO (which is specifically designed for corporate governance contexts), ISO 31000 applies to any organization — public, private, not-for-profit — and any type of risk at any level.
The 2018 revision strengthened the emphasis on leadership commitment, integration with organizational governance, and the human and cultural factors that shape risk management effectiveness.
ISO 31000 Principles state that effective risk management is:
- Integrated — part of all organizational activities, not a standalone function.
- Structured and comprehensive — producing consistent, comparable, and reliable results.
- Customized — tailored to the organization’s external and internal context.
- Inclusive — involving stakeholders appropriately, capturing diverse knowledge and perspectives.
- Dynamic — anticipating and responding to change.
- Best available information — drawing on historical data, expert judgment, and forecasts.
- Human and cultural factors — recognizing that human behavior significantly shapes risk outcomes.
- Continual improvement — learning from experience and improving the risk management framework over time.
ISO 31000 Process covers: establishing the context (external and internal environment); risk identification; risk analysis (understanding the nature and characteristics of risk); risk evaluation (comparing assessed risk against criteria to determine significance); risk treatment (selecting and implementing responses); monitoring and review; and communication and consultation (ongoing throughout).
Comparing COSO ERM and ISO 31000:
| Dimension | COSO ERM (2017) | ISO 31000 (2018) |
|---|---|---|
| Origin | US-based; accounting and internal control tradition | International; broad applicability |
| Primary audience | Corporate boards and management; public company governance | Any organization; any sector |
| Integration with strategy | Explicitly central | Emphasized as a principle |
| Risk categories | All categories relevant to objectives | Technology/sector-neutral |
| Prescriptiveness | Structured 5-component, 20-principle framework | Principles and guidelines; less prescriptive |
| Internal controls | Strong linkage to COSO Internal Control framework | Separate from internal control |
| Compliance use | Frequently cited in SEC/SOX context | Referenced in ISO management systems |
Chapter 3: ERM Process — Deeper Dive on Risk Types
3.1 A Common Language for Risk
One of the most important preconditions for effective ERM is a common risk language — consistent definitions and categories that allow risks to be compared and aggregated across business units and functions. Without a common language, a “high” risk in one division may be very different from a “high” risk in another, and portfolio-level risk assessment becomes meaningless.
Most ERM frameworks adopt a risk taxonomy — a hierarchical classification of risk types. A typical corporate risk taxonomy:
| Risk Category | Sub-category | Example |
|---|---|---|
| Strategic | Competitive | Market share loss to new entrant |
| Strategic | M&A | Acquisition integration failure |
| Financial | Credit | Customer default on receivables |
| Financial | Market | Interest rate or FX movement |
| Financial | Liquidity | Inability to fund short-term obligations |
| Operational | Process | Manufacturing defect or service failure |
| Operational | People | Key person departure; fraud |
| Operational | Technology | IT system failure; cybersecurity breach |
| Compliance | Regulatory | Violation of environmental regulations |
| Compliance | Legal | Litigation or contractual dispute |
| Reputational | Brand | Negative media coverage |
| Environmental | Climate | Physical climate risk to operations |
| Environmental | Transition | Regulatory shift away from fossil fuels |
3.2 Strategic Risk
Strategic risk is the risk that events or decisions will undermine the organization’s ability to achieve its long-term objectives. Unlike operational risk (which concerns the execution of the current strategy), strategic risk concerns the appropriateness of the strategy itself.
Strategic risks include:
- Disruptive technology: Emergence of a new technology that renders the organization’s business model obsolete (e.g., digital streaming vs. physical media rental).
- Competitive dynamics: A competitor entering the market with lower costs, superior products, or disruptive distribution.
- Customer preferences: Shifting demand patterns that reduce demand for the organization’s core products or services.
- M&A risk: Acquisitions that destroy value through overpayment, culture clashes, or integration failure.
- Reputational risk: Events that damage the organization’s reputation and consequently its ability to attract customers, employees, and capital.
Strategic risk management requires the board to actively challenge management’s strategic assumptions rather than simply ratifying management proposals.
3.3 Financial Risk
Financial risk encompasses the risks that arise from the organization’s financial structure, transactions, and market exposures.
Credit risk: The risk that a counterparty will fail to meet its financial obligations. Relevant for banks and financial institutions in their lending portfolios, but also for any company with material receivables, customer concentration, or counterparty exposures in derivative contracts.
Market risk: The risk of loss from changes in market prices and rates:
- Interest rate risk: Changes in interest rates affect the value of fixed-income instruments and variable-rate debt.
- Foreign exchange risk: Companies operating internationally face the risk that currency movements will reduce the domestic-currency value of foreign revenues or assets.
- Equity price risk: Pension funds, insurance companies, and any firm holding equity portfolios face the risk of market value declines.
- Commodity price risk: Manufacturers and energy companies face exposure to changes in the price of raw materials or energy inputs.
Liquidity risk: The risk that the organization will be unable to meet its financial obligations as they come due, or can only do so at excessive cost. Liquidity risk has two components: funding liquidity (access to financing) and market liquidity (ability to sell assets without severe price concession).
3.4 Operational Risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. The Basel II definition (adopted by banks but broadly applicable) explicitly excludes strategic and reputational risks.
Key operational risk sub-types:
- Process risk: Failures in business processes — errors, inefficiencies, inadequate procedures. Example: a loan approval process that inadequately verifies borrower income.
- People risk: Errors, fraud, misconduct, or departure of key personnel. Example: a trader who circumvents risk controls (Barings Bank, Société Générale).
- System/technology risk: IT failures, software defects, cybersecurity breaches. Example: a ransomware attack that disables manufacturing operations.
- External event risk: Natural disasters, pandemics, terrorist attacks, political disruptions. Example: a factory disruption caused by an earthquake in the supply chain.
Key Risk Indicators (KRIs): Forward-looking metrics that signal changing risk levels before losses materialize. Examples: employee turnover rate (signals people risk), number of system outages per quarter (signals technology risk), customer complaints (signals product quality risk).
3.5 Compliance Risk
Compliance risk is the risk of legal or regulatory sanctions, financial penalties, and reputational damage arising from failure to comply with laws, regulations, internal policies, or ethical standards.
The compliance risk landscape has grown dramatically more complex. Major compliance domains for Canadian public companies include:
- Securities regulation: OSC/CSA requirements for timely disclosure, prohibitions on insider trading, continuous disclosure obligations.
- Environmental regulation: Emissions standards, environmental assessment requirements, remediation obligations.
- Anti-corruption: Corruption of Foreign Public Officials Act (CFPOA) in Canada; Foreign Corrupt Practices Act (FCPA) in the US; UK Bribery Act.
- Data privacy: PIPEDA (Canada); GDPR (EU); provincial privacy statutes.
- Financial reporting: NI 52-109 (CEO/CFO certification); Public Company Accounting Oversight Board (PCAOB) standards for US-listed companies.
- Tax compliance: CRA requirements; international tax (transfer pricing, country-by-country reporting).
3.6 Risk Monitoring and Key Risk Indicators
Risk management is not a static one-time exercise. Risks evolve continuously as the business and external environment change. Effective monitoring uses both lagging indicators (reporting on losses or near-misses that have already occurred) and leading indicators (KRIs that signal changes in risk levels before events materialize).
An effective KRI framework specifies:
- The risk being monitored: A specific, clearly defined risk from the organization’s risk register.
- The metric: A measurable indicator that correlates with the level of that risk.
- Data source and frequency: Where the data comes from; how often it is measured.
- Thresholds: Green (within tolerance), amber (approaching tolerance — escalate and investigate), red (tolerance breached — immediate management action required).
- Ownership: The individual responsible for monitoring, reporting, and acting on the indicator.
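The KRI framework above carried through in code, added here as an example rather than anything from the course notes. Each indicator records the five elements listed (risk, metric, source and frequency, thresholds, owner); readings are classified green, amber or red with the escalation wording the text uses, and a simple three-period trend check is added. It goes slightly beyond the page by also handling metrics where a lower value is worse (the patch-SLA indicator); all KRIs, thresholds and readings are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    """One indicator as the text specifies it: the risk monitored, the metric,
    its data source and frequency, thresholds, and the accountable owner.
    Thresholds are in the metric's own units."""
    risk: str
    metric: str
    source: str
    frequency: str
    owner: str
    amber_at: float          # approaching tolerance
    red_at: float            # tolerance breached
    higher_is_worse: bool = True


ACTIONS = {
    "green": "within tolerance",
    "amber": "escalate and investigate",
    "red": "immediate management action required",
}


def status(kri: KRI, value: float) -> str:
    """Classify a reading against the thresholds. For metrics where a lower
    value is worse (e.g. a coverage percentage) the comparison is flipped."""
    if kri.higher_is_worse:
        if value >= kri.red_at:
            return "red"
        if value >= kri.amber_at:
            return "amber"
        return "green"
    if value <= kri.red_at:
        return "red"
    if value <= kri.amber_at:
        return "amber"
    return "green"


def evaluate(kri: KRI, readings: list[float]) -> dict:
    """Evaluate the latest reading and flag a monotonic worsening trend over
    the last three observations (readings are oldest first)."""
    latest = readings[-1]
    s = status(kri, latest)
    worsening = False
    if len(readings) >= 3:
        a, b, c = readings[-3:]
        worsening = (a < b < c) if kri.higher_is_worse else (a > b > c)
    return {
        "risk": kri.risk, "metric": kri.metric, "owner": kri.owner,
        "value": latest, "status": s, "action": ACTIONS[s],
        "worsening_trend": worsening,
    }


# Constructed KRIs modelled on the examples given on this page.
KRIS = [
    KRI("People risk: loss of key staff", "annualized voluntary turnover (%)",
        "HRIS", "quarterly", "CHRO", amber_at=12.0, red_at=18.0),
    KRI("Technology risk: IT service failure", "unplanned outages per quarter",
        "incident ticketing", "quarterly", "CIO", amber_at=3, red_at=6),
    KRI("Technology risk: unpatched systems", "critical patches applied within SLA (%)",
        "vulnerability scanner", "monthly", "CISO", amber_at=95.0, red_at=85.0,
        higher_is_worse=False),
]

# Constructed readings per metric, oldest first.
READINGS = {
    "annualized voluntary turnover (%)": [9.5, 11.0, 13.5],
    "unplanned outages per quarter": [1, 2, 2],
    "critical patches applied within SLA (%)": [97.0, 92.0, 84.0],
}


def dashboard(kris: list[KRI] = KRIS, readings: dict = READINGS) -> list[dict]:
    """Board-level summary of all indicators, worst status first."""
    order = {"red": 0, "amber": 1, "green": 2}
    rows = [evaluate(k, readings[k.metric]) for k in kris]
    return sorted(rows, key=lambda r: order[r["status"]])


if __name__ == "__main__":
    for row in dashboard():
        flag = " (worsening)" if row["worsening_trend"] else ""
        print(f"[{row['status'].upper():5}] {row['risk']}: {row['metric']} = {row['value']}"
              f"{flag} -> {row['action']} (owner: {row['owner']})")
```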
Chapter 4: Corporate Governance Framework
4.1 The OECD Principles of Corporate Governance
The OECD Principles of Corporate Governance (first published 1999; revised 2004, 2015, and 2023) represent the internationally accepted benchmark for corporate governance. They are used by governments, regulators, stock exchanges, and companies worldwide as a reference framework. The 2023 revision strengthened attention to sustainability, digitalization, and concentration of ownership through passive investment.
The six core areas of the OECD Principles are:
I. Ensuring the basis for an effective corporate governance framework: The governance framework should promote transparent and efficient markets, be consistent with the rule of law, and clearly articulate the division of responsibilities among different supervisory, regulatory, and enforcement authorities.
II. Rights and equitable treatment of shareholders and key ownership functions: All shareholders — including minority and foreign shareholders — should have the opportunity to participate in, and obtain adequate information on, material decisions including the election of directors, approval of major transactions, and amendments to the constitutive documents. Shareholders should be protected from abusive self-dealing and insider trading.
III. Institutional investors, stock markets, and other intermediaries: The governance framework should provide sound incentives throughout the investment chain and provide for stock markets to function in a way that contributes to good governance. Institutional investors acting in a fiduciary capacity should disclose their corporate governance and voting policies.
IV. The role of stakeholders in corporate governance: Companies should recognize stakeholder rights established by law or through mutual agreements. Performance-enhancing mechanisms for stakeholder participation (employee representation, profit-sharing, whistleblower protections) should be permitted. Stakeholders should have access to effective redress for violation of their rights.
V. Disclosure and transparency: Timely and accurate disclosure should be made on all material matters including financial performance and results, objectives, major share ownership and voting rights, remuneration policies, related-party transactions, risk factors, and corporate governance policies and structures.
VI. Responsibilities of the board: The board should fulfill functions including reviewing and guiding corporate strategy, setting risk policy and appetite, ensuring integrity of accounting and financial reporting systems, overseeing CEO selection and compensation, and being accountable to shareholders.
4.2 Board Structures: Unitary vs. Two-Tier
Boards are structured differently across legal and cultural traditions. Two dominant models exist worldwide:
Unitary (Single-Tier) Board: A single board comprising both executive directors (management insiders, although in Canadian and US practice boards often include none) and non-executive directors (independent outsiders). The board collectively holds ultimate governance authority. Specialized committees (audit, compensation, nominating/governance, risk) typically consist entirely of independent directors. This model dominates in the US, Canada, UK, and Australia.
Two-Tier Board: A supervisory board composed entirely of external members — which under Germany’s co-determination (Mitbestimmung) law must include employee-elected representatives (up to half of board seats in large companies) — that oversees and appoints a separate management board comprising executive directors responsible for day-to-day operations. Common in Germany, the Netherlands, Austria, and other continental European countries.
| Feature | Unitary Board | Two-Tier Board |
|---|---|---|
| Board composition | Mixed (or all non-executive) | Supervisory: all external; Management: all executive |
| Employee representation | Rare (shareholder-elected) | Mandated in Germany (up to 50% of supervisory board) |
| Internal monitoring | Board-committee structure | Supervisory board monitors management board |
| CEO accountability | CEO accountable to full board | Management board accountable to supervisory board |
| Information flow | CEO attends board meetings | Management board presents to supervisory board |
| Jurisdiction | US, Canada, UK, Australia | Germany, Netherlands, Austria |
4.3 Board Independence
Director independence is the cornerstone of effective board oversight. Independent directors have no material relationship with the company beyond their board mandate — no current or recent employment, no family ties to management, no significant business relationships, and no compensation other than director fees.
Independence matters because it enables objective assessment of management performance, unbiased compensation decisions, and credible audit oversight. A board dominated by insiders or directors with conflicts of interest cannot effectively challenge management decisions or represent shareholder interests in executive pay negotiations.
Independence criteria under Canadian (TSX/CSA) rules: A director is independent if she or he has no direct or indirect material relationship with the issuer. Relationships that automatically preclude independence include:
- Current employment with the issuer or a related company.
- Being a family member of a current executive.
- Receiving more than $75,000 per year in direct compensation from the issuer (other than board fees).
- Being, in the past three years, an employee of the external auditor.
Board independence requirements:
| Jurisdiction | Requirement |
|---|---|
| TSX / CSA (Canada) | Majority of directors must be independent; audit committee 100% independent |
| NYSE (US) | Majority independent; audit, compensation, and nominating committees 100% independent |
| Sarbanes-Oxley (US) | All audit committee members must be independent; must have at least one financial expert |
| UK Corporate Governance Code | At least half the board (excluding chair) should be independent NEDs |
| ASX Corporate Governance Principles (Australia) | Majority independent; independent chair recommended |
4.4 Board Composition: Size, Diversity, and Expertise
Board size: Research suggests that smaller boards (7–11 members) tend to outperform larger boards on average. Very small boards risk inadequate oversight capacity; very large boards suffer from coordination costs, free-rider problems, and excessive deference to management (“groupthink”). Most major Canadian public companies have boards of 9–13 directors.
Board diversity encompasses multiple dimensions:
- Gender diversity: The Canadian Securities Administrators (CSA) adopted “comply or explain” requirements for gender diversity disclosure in 2014 (NI 58-101). Many institutional investors and proxy advisors now apply voting pressure to boards with fewer than 30% women. Evidence suggests that gender-diverse boards are associated with better monitoring, reduced earnings management, and stronger ESG outcomes.
- Racial and ethnic diversity: Growing investor pressure; several institutional investors have adopted policies requiring minimum representation of underrepresented racial and ethnic groups.
- Functional expertise diversity: Boards need directors with diverse professional backgrounds — finance, technology, operations, legal, regulatory, industry-specific expertise, and sustainability.
- Cognitive diversity: Different analytical frameworks, decision-making styles, and perspectives reduce the risk of groupthink.
4.5 Board Committees
Modern boards delegate much of their detailed oversight work to specialized committees. Each committee consists of independent directors with relevant expertise; the committee chair reports to the full board. Key permanent committees:
Responsibilities of the Audit Committee:
- Recommend appointment and compensation of the external auditor; pre-approve all audit and non-audit services.
- Review management’s assessment of internal controls over financial reporting (ICFR).
- Meet separately with external auditors (without management) and with internal auditors.
- Review quarterly and annual financial statements; challenge management on significant accounting estimates and judgments.
- Oversee the whistleblower program and investigate reported concerns.
- Oversee compliance with laws and regulations.
Chapter 5: Executive Compensation Design
5.1 The Pay-for-Performance Principle
Executive compensation design is one of the most contentious and technically complex areas of corporate governance. The fundamental objective — pay for performance — is broadly accepted: executives should be rewarded when they create value for shareholders and other stakeholders, and should bear cost when they destroy value. The design challenge lies in translating this principle into compensation structures that genuinely align incentives without creating perverse behaviors.
Poorly designed compensation can produce exactly the opposite of its intended effect. Executives who are rewarded primarily for short-term earnings may:
- Cut R&D and capital expenditure to boost near-term profits at the expense of long-term competitiveness.
- Use accounting choices to manipulate reported earnings.
- Take excessive financial leverage to inflate short-term returns.
- Resist strategically necessary restructurings that reduce near-term earnings.
5.2 Components of Executive Compensation
A well-designed executive compensation package combines fixed and variable elements with different time horizons and performance metrics:
| Component | Description | Risk/Horizon | Governance Purpose |
|---|---|---|---|
| Base salary | Fixed annual cash | No performance link; certain | Retain talent; baseline market competitive |
| Annual (short-term) bonus | Cash tied to annual performance metrics | 1-year horizon; moderate risk | Reward achievement of near-term goals |
| Long-term incentive plan (LTIP) — stock options | Right to buy shares at a fixed exercise price; vesting typically over 3–4 years | 3–4 year horizon; option leverage | Align with share price appreciation |
| LTIP — restricted share units (RSUs) | Notional shares that convert to real shares on vesting | 3–5 year horizon; moderate | Retention; share price alignment |
| LTIP — performance share units (PSUs) | Notional shares with vesting contingent on performance criteria | 3–5 year horizon; high | Strongest alignment with long-term value |
Performance metrics for variable compensation:
Good metric design selects measures that:
- Are within management’s control or influence.
- Correlate with long-term value creation (not just short-term accounting outcomes).
- Are objectively measurable and difficult to manipulate.
- Balance financial and non-financial dimensions.
Common executive performance metrics:
- Financial: Total shareholder return (TSR) vs. peer group; earnings per share (EPS) growth; return on equity (ROE) or return on invested capital (ROIC); revenue growth; free cash flow.
- Operational: Customer satisfaction (NPS); market share; product quality metrics; employee engagement scores.
- ESG: Greenhouse gas emissions reduction targets; gender pay equity ratios; safety metrics (total recordable injury rate); community investment.
5.3 Governance Controls on Executive Pay
Say-on-pay votes: Non-binding advisory shareholder votes on executive compensation programs, now required in the US (Dodd-Frank Act), the UK, Australia, and many other jurisdictions, and held by most major Canadian companies under institutional investor pressure. A negative or low-support say-on-pay vote signals shareholder dissatisfaction and typically triggers engagement with the compensation committee.
Clawback provisions: Allow the company to recover previously paid compensation if:
- Financial statements are restated due to material error or fraud.
- The executive engaged in misconduct.
- Performance metrics underlying awards are subsequently found to have been calculated incorrectly.
The SEC adopted mandatory clawback rules in 2022 (implemented by US exchanges); Canadian companies increasingly adopt clawbacks voluntarily or under institutional investor pressure.
Independent compensation consultants: The compensation committee must retain its own independent compensation consultant, separate from any consultant engaged by management. The consultant advises on market competitive pay levels, peer group selection, and compensation design.
CEO pay ratio disclosure: Under SEC rules (effective 2018), US public companies must disclose the ratio of CEO pay to median employee pay. This disclosure has attracted significant public attention and renewed debate about income inequality within corporations.
Share ownership requirements: Many companies require executives to hold a minimum multiple of their base salary in company shares (typically 3–6x for CEOs) to ensure sustained alignment with long-term shareholder interests.
Chapter 6: Financial Governance and Regulatory Environment
6.1 The Sarbanes-Oxley Act (2002)
The Sarbanes-Oxley Act (SOX) was enacted in July 2002 in response to the devastating corporate accounting frauds at Enron, WorldCom, Tyco, Adelphia, and other companies that collectively destroyed hundreds of billions of dollars of investor value. SOX represents the most significant reform of US financial governance since the Securities Exchange Act of 1934.
SOX’s principal provisions and their governance implications:
Section 302 — Corporate Responsibility for Financial Reports: The CEO and CFO must personally certify in each quarterly and annual filing that:
- They have reviewed the report and it does not contain material misstatements or omissions.
- The financial statements fairly present the company’s financial condition and results.
- They are responsible for establishing and maintaining internal controls (ICFR) and have evaluated their effectiveness within 90 days of filing.
The personal certification requirement radically changed CEO and CFO behavior. Prior to SOX, executives could credibly claim ignorance of accounting irregularities. Post-SOX, they cannot.
Section 404 — Management Assessment of Internal Controls: The annual report must contain a management assessment of the effectiveness of ICFR, and the external auditor must attest to that assessment. Companies must use a recognized control framework — the COSO Internal Control — Integrated Framework (1992, updated 2013) is the standard.
Section 301 — Public Company Audit Committees: Listed company audit committees must be composed entirely of independent directors; must have authority to appoint and oversee the external auditor; must provide whistleblower complaint procedures for employees reporting accounting, internal controls, or audit concerns.
Section 401 — Disclosures in Periodic Reports: Companies must disclose all material off-balance-sheet transactions, arrangements, and obligations. This provision directly addressed the SPE (special purpose entity) abuses at Enron.
Section 409 — Real-Time Disclosure: Material changes in financial condition or operations must be disclosed “on a rapid and current basis” — effectively requiring current reports (Form 8-K in the US) for material events.
Section 802 — Criminal Penalties: Knowing destruction or falsification of documents related to federal investigations carries criminal penalties of up to 20 years imprisonment. Whistleblower protections are codified.
The Public Company Accounting Oversight Board (PCAOB) was established under SOX to oversee the auditing profession — a function previously held by the profession itself through the AICPA. The PCAOB sets auditing standards and conducts inspections of registered audit firms.
6.2 Canadian Financial Governance: National Instrument 52-109
Canada’s analogous regime to SOX CEO/CFO certification is National Instrument 52-109 — Certification of Disclosure in Issuers’ Annual and Interim Filings, adopted by the Canadian Securities Administrators (CSA). Under NI 52-109:
- The CEO and CFO must certify quarterly and annual filings in terms substantially similar to SOX Section 302.
- Larger issuers (non-venture issuers) must include in annual filings a management report on ICFR — a management assessment of the design and operating effectiveness of ICFR.
- Unlike SOX, NI 52-109 does not require external auditor attestation of the ICFR assessment for non-accelerated filers, reducing compliance costs for smaller public companies.
Other key Canadian governance instruments:
- NI 52-110 (Audit Committees): Prescribes audit committee composition (all independent, at least one financially literate) and responsibilities for non-venture issuers.
- NI 58-101 (Corporate Governance Disclosure): Requires “comply or explain” disclosure of governance practices relative to best practices — board composition, independence, diversity, director term limits, board evaluations.
- NI 51-102 (Continuous Disclosure): Requires timely disclosure of material changes and annual disclosure of management discussion and analysis (MD&A).
6.3 TSX Corporate Governance Guidelines
The Toronto Stock Exchange (TSX) requires listed companies to comply with or explain their departure from the CSA’s corporate governance best practices (set out in National Policy 58-201 and NI 58-101). This “comply or explain” approach — borrowed from the UK Corporate Governance Code — allows flexibility while requiring transparency.
Key TSX/CSA governance best practices:
- The majority of the board should be independent directors.
- The roles of board chair and CEO should be separated; if combined, a lead independent director should be designated.
- The board should adopt a written charter specifying its responsibilities.
- The board should adopt a written position description for the CEO and, where applicable, the executive chair.
- The board should implement a process for regularly assessing its own effectiveness.
- The board should adopt a written code of business conduct and ethics.
- The nominating committee should be responsible for identifying new director candidates.
- The board should disclose its approach to board diversity and its targets or outcomes.
6.4 The COSO Internal Control — Integrated Framework
Alongside its ERM framework, COSO has published the foundational Internal Control — Integrated Framework (1992, updated 2013), which defines the structure and components of effective internal control over financial reporting.
The COSO ICIF organizes internal control into five components and seventeen principles:
- Control Environment: The set of standards, processes, and structures providing the foundation for internal control. Encompasses integrity and ethical values, oversight by the board, management’s philosophy and operating style, and assignment of authority and responsibility.
- Risk Assessment: The dynamic, iterative process for identifying and assessing risks to the achievement of objectives. Management must identify and analyze risks — financial reporting errors, fraud, compliance failures — and determine how they should be managed.
- Control Activities: The actions taken to mitigate risks to the achievement of objectives. Include authorizations, verifications, reconciliations, segregation of duties, physical controls, and application controls in IT systems.
- Information and Communication: The organization must obtain or generate and use relevant, quality information to support the functioning of other internal control components. Communication must flow internally (across levels and functions) and externally (to relevant outside parties).
- Monitoring Activities: Ongoing and separate evaluations to ascertain whether each of the five components of internal control is present and functioning. Deficiencies are communicated to management and the board on a timely basis.
The Three Lines of Defense Model (now reconceptualized as the “Three Lines Model” by the IIA in 2020):
| Line | Role | Examples |
|---|---|---|
| First line | Business units and functions that own and manage risks; implement controls | Operations management; sales; finance business partners |
| Second line | Risk management and compliance functions that set policy, provide oversight and challenge of the first line | Chief Risk Officer; Compliance department; Legal |
| Third line | Internal audit — independent, objective assurance and advisory to board and senior management | Internal audit function |
Chapter 7: Governance — Boards and Their Committees (Deep Dive)
7.1 The Board’s Fiduciary Duty
Directors owe fiduciary duties to the corporation. Under Canadian corporate law (Canada Business Corporations Act, provincial equivalents), directors must:
- Act honestly and in good faith with a view to the best interests of the corporation (duty of loyalty).
- Exercise the care, diligence, and skill that a reasonably prudent person would exercise in comparable circumstances (duty of care).
The business judgment rule provides protection to directors who make informed decisions in good faith, even if those decisions turn out badly. Courts will not second-guess business decisions that were made on an informed basis, in good faith, with no conflict of interest. Directors lose this protection if they fail to be adequately informed, act in bad faith, or have undisclosed conflicts.
Fiduciary duty runs to the corporation, not directly to shareholders in most Canadian jurisdictions. However, in practice — particularly regarding major transactions, poison pills, and change-of-control situations — courts scrutinize whether the board adequately protected shareholder interests.
7.2 The Board’s Role in Strategy
The board’s strategic role has evolved substantially. The traditional model was purely reactive: management proposes strategy; the board approves or rejects. Modern governance expects more proactive board engagement:
- Setting strategic direction: The board articulates the organization’s purpose, values, and long-term strategic objectives in dialogue with management.
- Challenging management assumptions: The board stress-tests management’s strategic analyses, competitive assessments, and financial projections.
- Evaluating strategic alternatives: Before approving a major strategic initiative (acquisition, divestiture, market entry), the board should evaluate alternatives and their associated risks.
- Monitoring strategic execution: The board tracks progress against strategic milestones through quarterly reporting and scorecards.
- Adapting strategy in response to change: When market conditions, competitive dynamics, or external shocks render the existing strategy untenable, the board must be willing to require strategic pivots.
7.3 CEO Selection, Evaluation, and Succession
CEO selection is widely regarded as the most consequential decision a board makes. The process should be:
- Criteria-driven: The board should define the leadership capabilities, experience, and personal qualities required for the CEO role given the company’s strategy and challenges.
- Comprehensive: Both internal and external candidates should be systematically evaluated against the defined criteria.
- Confidential: Premature disclosure of succession processes can destabilize the organization.
- Proactive: Succession planning is ongoing, not triggered by crisis. The board should always know who could step in as interim CEO.
CEO evaluation: The board (through the compensation committee) should conduct an annual formal evaluation of the CEO against pre-established goals and leadership criteria. The evaluation should directly inform compensation decisions and, when performance is persistently inadequate, the decision to seek new leadership.
CEO dismissal: One of the board’s most difficult but essential powers is the ability to remove a CEO who underperforms or engages in misconduct. Boards that are reluctant to exercise this power — often due to personal loyalty, conflict avoidance, or captured independence — fail in their fundamental fiduciary duty. High-profile cases of delayed CEO action (Yahoo, Uber, WeWork before IPO) illustrate the cost of board passivity.
7.4 Director Evaluation and Renewal
Board effectiveness requires ongoing self-assessment and renewal. Best practices include:
- Annual board evaluation: The board as a whole evaluates its own effectiveness — governance processes, meeting quality, committee effectiveness, culture and dynamics, strategic engagement.
- Individual director evaluation: Peer evaluation assessing each director’s contributions, preparation, engagement, and expertise.
- Skills matrix review: Regular review of the board’s collective skills against the skills required given the company’s strategy and risk profile — identifying gaps to address through director recruitment.
- Director tenure and retirement policies: Term limits (often 10–15 years) or mandatory retirement ages (typically 72–75) ensure board renewal and prevent director entrenchment.
Chapter 8: Financial Governance, the Audit Committee, and Stakeholder Management
8.1 The Audit Committee’s Central Role
The audit committee is often described as the most critical board committee. It sits at the intersection of financial reporting, internal controls, external audit, internal audit, and compliance. Its effectiveness is a cornerstone of investor confidence.
The external audit relationship:
The audit committee — not management — is the external auditor’s client under SOX (US) and NI 52-110 (Canada). This matters enormously. Prior to these reforms, management effectively controlled the audit relationship — selecting auditors, negotiating fees, and managing the engagement. Management’s control of the auditor created obvious conflicts.
Key audit committee responsibilities regarding external audit:
- Appoint, compensate, and oversee: The audit committee recommends appointment of the external auditor to shareholders; negotiates fees; evaluates audit quality annually.
- Assess independence: The audit committee monitors auditor independence and pre-approves all non-audit services (to prevent fee dependence that might compromise audit integrity).
- Review audit findings: Discuss significant audit findings, areas of significant judgment, management disagreements with auditors, and audit adjustments proposed but not recorded.
- Private sessions: The audit committee meets privately with external auditors (without management present) at least annually to surface any concerns the auditors are reluctant to raise in management’s presence.
The internal audit function:
Internal audit provides independent, objective assurance over governance, risk management, and control processes. The internal audit function:
- Reports functionally to the audit committee (ensuring independence from management) and administratively to the CFO or CEO.
- Develops a risk-based audit plan — focusing audit resources on the highest-risk processes and controls.
- Conducts operational, financial, compliance, and IT audits.
- Reports findings to the audit committee; tracks management remediation of identified deficiencies.
8.2 Whistleblower Programs and Ethics Hotlines
An effective whistleblower program is a critical internal control. It provides a mechanism for employees, contractors, and other stakeholders to report concerns about accounting irregularities, fraud, legal violations, and ethical misconduct confidentially and without fear of retaliation.
Under SOX Section 301, audit committees must establish procedures for receiving and addressing whistleblower complaints about accounting and internal control matters. The SEC’s whistleblower program (Dodd-Frank, 2010) provides financial incentives (10–30% of sanctions exceeding $1 million) and strong anti-retaliation protections for individuals who report securities law violations.
Research consistently shows that whistleblowers are the most common first detection mechanism for occupational fraud — more effective than internal audits, external audits, or management review. The Association of Certified Fraud Examiners (ACFE) Report to the Nations (2022) found that 42% of fraud cases were detected by tips, versus only 12% by internal audit and 4% by external audit.
8.3 Stakeholder Management: Theory to Practice
Moving from stakeholder theory to practice requires identifying stakeholders, understanding their interests and concerns, and designing engagement processes that are genuinely two-way.
Stakeholder mapping: A common tool is the stakeholder salience matrix, which classifies stakeholders by:
- Power: The stakeholder’s ability to influence the organization’s decisions.
- Legitimacy: Whether the stakeholder’s claim on the organization is appropriate or proper.
- Urgency: Whether the claim demands immediate attention.
Stakeholders who score high on all three dimensions — definitive stakeholders — receive the highest management priority.
Shareholder communication: Listed companies communicate with shareholders through:
- Annual reports and sustainability reports: Comprehensive disclosure of financial performance, strategy, governance, and ESG.
- Management Discussion and Analysis (MD&A): Required narrative analysis explaining financial results, significant risks, and material trends.
- Annual General Meetings (AGMs): Forum for shareholders to vote on director elections, auditor appointment, say-on-pay, and shareholder proposals; opportunity to ask questions of the board and management.
- Investor Relations programs: One-on-one and group meetings with institutional investors; investor days; earnings calls.
Chapter 9: Shareholder Rights and Shareholder Activism
9.1 Shareholder Rights
Shareholders are the residual claimants on the corporation’s assets and earnings. Their governance rights are fundamental to the accountability of management and the board.
Core shareholder rights:
- Right to vote: On director elections, auditor appointment, major transactions (mergers, significant asset sales), amendments to constitutional documents, and advisory matters (say-on-pay).
- Right to receive dividends: When declared by the board; shareholders cannot compel dividends absent contractual provisions.
- Right to transfer shares: Free transferability is a fundamental feature of the public corporation.
- Right to information: Access to financial statements, proxy materials, and other required disclosures; rights to inspect corporate records in certain circumstances.
- Right to bring derivative actions: Shareholders may bring legal action on behalf of the corporation where the board fails to act (e.g., to recover damages from self-dealing directors).
Proxy voting: Most shareholders exercise their governance rights through proxy votes rather than attending meetings in person. The proxy system enables shareholders to instruct their votes in advance. Institutional investors typically vote through custodian banks based on policies developed by their investment governance teams, often informed by proxy advisor recommendations.
9.2 Shareholder Activism
Activist shareholders seek to change corporate behavior by leveraging their ownership position. Activism has grown dramatically since the early 2000s, driven by the rise of dedicated activist hedge funds and the increasing willingness of institutional investors to engage directly with companies on governance issues.
Types of activism:
- Governance activism: Pushing for board independence, executive pay reforms, majority voting for directors, proxy access, elimination of staggered boards or supermajority vote requirements, poison pill removal.
- Strategic activism: Demanding strategic changes — divestitures, spin-offs, return of capital, opposition to proposed acquisitions, or replacement of the CEO.
- ESG activism: Demanding stronger climate commitments, improved disclosure, diversity targets, or alignment with specific sustainability frameworks. May be pursued by long-term institutional investors or specialized ESG-focused activists.
The activist playbook:
Activists typically follow an escalating engagement process:
- Build a shareholding position (often below reporting thresholds initially).
- Conduct private engagement — meetings and correspondence with the board and management.
- If private engagement fails, go public: issue a white paper or open letter setting out the activist thesis and demands.
- File a proxy contest — nominate alternative directors or propose shareholder resolutions at the AGM.
- Seek support from other institutional shareholders — success typically requires coalitions.
- In extreme cases, launch a hostile takeover bid or seek board control.
9.3 Institutional Investor Stewardship
Institutional investors — pension funds, mutual funds, insurance companies, endowments, sovereign wealth funds — collectively own the majority of listed equities in developed markets. In Canada, the five largest pension funds (CPP Investments, Ontario Teachers’, OMERS, OTPP, PSP Investments) together manage assets exceeding $1 trillion.
This concentration of ownership creates significant governance leverage. Stewardship — the responsible exercise of shareholders’ rights to protect and enhance long-term value — has become a central focus of institutional investor governance.
Stewardship codes establish expectations for institutional investor engagement. The UK Stewardship Code (2020) requires signatories to:
- Establish and disclose stewardship policies.
- Engage with investee companies on governance, strategy, and sustainability.
- Escalate concerns through voting and public advocacy when engagement fails.
- Report on stewardship activities and outcomes.
Canada’s equivalent is the Canadian Coalition for Good Governance (CCGG) governance guidelines, which set out best practices for shareholder engagement and voting by institutional investors.
Proxy advisors: Institutional Shareholder Services (ISS) and Glass Lewis are the two dominant proxy advisory firms. They provide vote recommendations on proposals at shareholder meetings based on standardized governance criteria. Their recommendations significantly influence institutional voting — studies suggest that a negative ISS recommendation can swing 20–30% of institutional votes against management’s position. Proxy advisors are controversial: critics argue they apply formulaic standards without adequate company-specific analysis, and their potential conflicts of interest (ISS provides consulting services to some of the companies it advises on) attract regulatory scrutiny.
Chapter 10: Governing in New Spaces — Cybersecurity, AI, and ESG
10.1 Cybersecurity Governance
Cybersecurity has become one of the most significant risks facing organizations across all sectors — not merely a technical concern but a board-level governance imperative. The frequency, sophistication, and financial consequences of cyber attacks have grown dramatically.
Why cybersecurity is a board issue:
- The financial consequences of major breaches are severe: direct costs (breach response, legal fees, regulatory fines, customer notification) and indirect costs (lost business, reputational damage, customer attrition). The global average cost of a data breach was approximately $4.5 million in 2023 (IBM Cost of a Data Breach Report).
- Regulatory requirements increasingly mandate board-level disclosure and oversight. The SEC’s 2023 cybersecurity disclosure rules require US public companies to report a cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that it is material (the clock runs from the materiality determination, not from discovery, and that determination may not be unreasonably delayed), and to describe annually in Form 10-K their processes for assessing, identifying and managing cybersecurity risk, management’s role in those processes, and the board’s oversight of cyber risk.
- Directors may face personal liability if they fail to exercise adequate oversight of material cyber risks.
Board responsibilities for cybersecurity:
- Ensure adequate cybersecurity expertise exists — at least one director with substantive cyber knowledge; periodic board education on the evolving threat landscape.
- Oversee management’s cybersecurity risk framework — governance structure, policies, incident response plans, third-party risk management.
- Receive regular reporting — at least quarterly — on the organization’s cybersecurity risk posture, significant threats, and incident response activities.
- Ensure timely and accurate public disclosure of material cybersecurity incidents.
- Integrate cyber risk into the organization’s overall ERM framework and risk appetite.
Three Lines of Defense applied to cybersecurity:
- First line: Business units that use IT systems and handle data; responsible for following security policies and reporting anomalies.
- Second line: Information Security, Risk and Compliance functions that set policy, monitor threat intelligence, test controls and coordinate incident response. Where the security function also operates the controls it tests (for example, the team that runs the firewalls also reviews the firewall rules), its independence is reduced and the third line has to compensate with its own testing.
- Third line: Internal audit’s independent review of cybersecurity controls effectiveness.
10.2 Artificial Intelligence Governance
The rapid deployment of AI — particularly generative AI and machine learning models — creates novel governance challenges that boards are only beginning to grapple with.
Key AI governance risks:
- Algorithmic bias and discrimination: AI models trained on historical data can perpetuate or amplify historical biases. Examples: biased hiring algorithms, discriminatory credit scoring, facial recognition with higher error rates for non-white faces.
- Explainability and accountability: “Black box” AI models make decisions that cannot be explained in human-intelligible terms, creating accountability gaps. Who is responsible when an AI system makes a harmful decision?
- Data governance: AI models require large amounts of data. Ensuring data quality, privacy compliance (GDPR, PIPEDA), appropriate consents, and security is a major governance challenge.
- Regulatory risk: Rapidly evolving AI regulation creates compliance uncertainty: the EU AI Act (in force since August 2024, with its obligations phased in through 2027), Canada’s proposed Artificial Intelligence and Data Act (AIDA, part of Bill C-27, which was not enacted before Parliament was prorogued in January 2025), and US executive orders on AI.
- Concentration and vendor risk: Heavy reliance on a small number of AI platform providers (Google, Microsoft, OpenAI, Amazon) creates concentration risk and vendor dependency.
Board oversight of AI:
Boards must ensure that management has:
- An AI ethics policy and governance framework.
- A process for identifying and assessing AI-specific risks before deployment.
- Mechanisms for ongoing monitoring of AI system behavior (bias auditing, performance monitoring).
- Incident response plans for AI failures.
- Alignment with emerging regulatory requirements.
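The algorithmic-bias risk listed above and the “bias auditing” the board checklist asks management to run can be made concrete. The following is an added example, not part of the course notes or of any regulator’s method: it takes a log of a model’s decisions, computes the selection rate (share of favourable outcomes) per protected group, divides each rate by the best-treated group’s rate to get a disparate-impact ratio, and flags groups below a threshold. The 0.8 threshold is an assumption borrowed from the US EEOC “four-fifths” rule of thumb, the decision log is constructed, and groups with too few records are reported separately rather than judged, because a rate computed from a handful of decisions supports no finding either way.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    """One logged model decision. Constructed for the example."""
    group: str       # protected-attribute value (e.g. self-reported gender)
    approved: bool   # True when the model produced the favourable outcome


# Constructed decision log (not real data): 20 records for groups A-C and
# only 3 for group D, to show how a tiny group is handled.
SAMPLE_LOG = (
    [Decision("A", True)] * 14 + [Decision("A", False)] * 6
    + [Decision("B", True)] * 8 + [Decision("B", False)] * 12
    + [Decision("C", True)] * 12 + [Decision("C", False)] * 8
    + [Decision("D", False)] * 3
)


def group_counts(log):
    """Number of logged decisions per group."""
    counts = defaultdict(int)
    for d in log:
        counts[d.group] += 1
    return dict(counts)


def selection_rates(log):
    """Share of favourable decisions per group."""
    approved = defaultdict(int)
    for d in log:
        approved[d.group] += int(d.approved)
    return {g: approved[g] / n for g, n in group_counts(log).items()}


def disparate_impact(rates):
    """Each group's selection rate divided by the highest group's rate."""
    best = max(rates.values())
    return {g: r / best for g, r in rates.items()}


def audit(log, threshold=0.8, min_group_size=20):
    """Run a disparate-impact screen over a decision log.

    Groups with fewer than min_group_size records are listed under
    'insufficient_data' instead of being judged. The 0.8 default is the
    EEOC four-fifths rule of thumb (an assumption here): a screening
    threshold that triggers review, not proof of discrimination.
    """
    counts = group_counts(log)
    rates = selection_rates(log)
    too_small = sorted(g for g, n in counts.items() if n < min_group_size)
    eligible = {g: r for g, r in rates.items() if counts[g] >= min_group_size}
    ratios = disparate_impact(eligible) if eligible else {}
    flagged = sorted(g for g, ratio in ratios.items() if ratio < threshold)
    return {
        "rates": rates,
        "ratios": ratios,
        "flagged": flagged,
        "insufficient_data": too_small,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for g, r in sorted(result["rates"].items()):
        if g in result["ratios"]:
            print(f"group {g}: selection rate {r:.2f}, "
                  f"impact ratio {result['ratios'][g]:.2f}")
        else:
            print(f"group {g}: selection rate {r:.2f}, too few records to judge")
    print("flagged for review:", result["flagged"])
```

On the constructed log, group B is flagged (ratio 0.57) while C passes (0.86) and D is set aside for lack of data. A flag is a trigger for investigation, not a verdict: selection-rate gaps can reflect legitimately different base rates, which is why a governance process pairs this kind of screen with a review of the features and training data behind the decisions.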
10.3 ESG and Sustainability Governance
Environmental, Social, and Governance (ESG) considerations have moved from the periphery to the centre of corporate governance, driven by investor expectations, regulatory requirements, and the growing recognition that ESG factors are financially material — they affect long-term performance, risk profiles, and access to capital.
Environmental Governance:
Climate-related risk has attracted the most attention, driven by the physical and transition risks associated with climate change.
The Task Force on Climate-related Financial Disclosures (TCFD), established by the Financial Stability Board in 2015, published recommendations in 2017 that have become the global standard for climate risk disclosure. TCFD recommendations are organized around four pillars:
| TCFD Pillar | Key Disclosure Questions |
|---|---|
| Governance | What board oversight exists for climate-related risks? Who in management is responsible? |
| Strategy | What are the material climate-related risks and opportunities? How might different scenarios affect strategy? |
| Risk Management | How does the organization identify, assess, and manage climate risks? How is this integrated with overall ERM? |
| Metrics and Targets | What metrics does the organization use to assess climate risks? What GHG reduction targets have been adopted? |
TCFD recommendations have been incorporated into the IFRS Sustainability Disclosure Standards (IFRS S1 and S2, published by the ISSB in June 2023) and are required or expected in an increasing number of jurisdictions, including the UK, EU, New Zealand and, so far on a voluntary basis, Canada. With the ISSB standards in place, the FSB disbanded the TCFD at the end of 2023 and handed monitoring of climate-related disclosure to the ISSB.
Social Governance:
Social factors encompass labor practices, human rights, supply chain standards, community relations, diversity and inclusion, and customer privacy. Key governance mechanisms:
- Human capital disclosure: Workforce composition (diversity metrics), turnover rates, pay equity data, health and safety performance. The SEC’s requirement (Regulation S-K Item 101(c), in effect since 2020) is principles-based: companies must describe their human capital resources and any measures they consider material, but no specific metrics are prescribed.
- Supply chain due diligence: Boards must ensure adequate oversight of social and human rights conditions in supply chains. Canada’s Fighting Against Forced Labour and Child Labour in Supply Chains Act (Bill S-211, in force 1 January 2024) requires certain companies to file an annual report on the risks of forced and child labour in their supply chains and the steps taken to address them.
- Diversity, equity, and inclusion (DEI): Board-level oversight of DEI strategy; diversity metrics in executive compensation; pay equity reviews.
ESG Reporting Frameworks:
| Framework | Published by | Primary Focus |
|---|---|---|
| GRI Standards | Global Reporting Initiative | Multi-stakeholder; sustainability impacts |
| SASB Standards | Sustainability Accounting Standards Board (now part of ISSB) | Industry-specific; investor-focused materiality |
| IFRS S1 & S2 | International Sustainability Standards Board (ISSB) | Investor-focused; enterprise value; climate |
| TCFD | Task Force on Climate-related Financial Disclosures | Climate-specific; integrated into IFRS S2 |
| CDP | Carbon Disclosure Project | Environmental disclosure; climate, water, forests |
| UN SDGs | United Nations | Societal goals; aspirational framework |
Chapter 11: Governance Case Studies — Learning from Failures
11.1 Enron Corporation (2001)
What failed:
Board oversight failure: Enron’s board suspended its own code of ethics twice to approve the related-party transactions structured by CFO Fastow (through SPEs named LJM1 and LJM2), in which Fastow personally profited at Enron’s expense. The audit committee reviewed complex SPE structures for only 45 minutes. Independent directors lacked the financial sophistication to understand the transactions they were approving.
Audit failure: Arthur Andersen, one of the then-Big Five accounting firms, failed to independently scrutinize Enron’s SPE structures and mark-to-market accounting practices. Andersen earned $25 million in audit fees and $27 million in consulting fees from Enron in 2000, a conflict of interest that likely impaired audit independence. Andersen was convicted in 2002 of obstruction of justice for shredding Enron documents; the US Supreme Court overturned the conviction in 2005 because of flawed jury instructions, but by then the firm had already collapsed.
Culture failure: Enron’s “rank and yank” performance management system — which annually terminated the bottom 15% of employees — created a culture in which employees were unwilling to raise concerns or challenge management. Sherron Watkins raised concerns internally (and to Andersen) but was effectively silenced.
Governance lessons: (1) Related-party transactions require arm’s-length review and should never be approved if a senior executive personally benefits. (2) Board members must have the financial sophistication to challenge complex transactions. (3) Audit independence from management is essential — the auditor-appointment authority must reside with the audit committee. (4) The compensation structure must not punish honest communication of bad news.
Regulatory response: Enron directly precipitated the Sarbanes-Oxley Act of 2002.
11.2 Nortel Networks Corporation (2004)
What failed:
Earnings management and “cookie jar” reserves: Nortel’s management used improper accounting techniques to inflate and smooth reported earnings. Excessive provisions (“cookie jar” reserves) were established in profitable periods and reversed in subsequent periods to hit earnings targets — triggering bonuses. When the telecom bubble burst, management reversed provisions to avoid reporting losses and continue earning bonuses.
Compensation incentives: Nortel’s executive compensation was heavily weighted to short-term earnings targets, creating powerful incentives for earnings management. The board’s compensation committee failed to scrutinize the integrity of the earnings figures underlying bonus calculations.
Weak audit committee: Nortel’s audit committee, despite including directors with financial qualifications, failed to adequately challenge management on the pattern of provisions, reversals, and restatements. The committee’s reliance on management explanations, without independent inquiry, allowed the manipulation to continue.
Auditor failure: Deloitte & Touche served as Nortel’s external auditor for decades without detecting the manipulation.
Governance lessons: (1) Compensation metrics must use audited, independently verified financial measures. (2) Audit committees must be willing to probe management’s explanations — scepticism is a fiduciary virtue. (3) External auditor independence and rotation matter. (4) Restatements are red flags warranting deep investigation, not just accounting corrections.
11.3 SNC-Lavalin Group (2012–2019)
What failed:
Anti-corruption governance: SNC-Lavalin’s board failed to establish adequate oversight of the company’s practices in high-corruption-risk jurisdictions. The company operated a global infrastructure practice with major projects in notoriously corrupt markets without board-level visibility into how contracts were won and retained.
Senior management misconduct: Former CEO Pierre Duhaime pleaded guilty in 2019 to helping a public official commit breach of trust, in connection with improper payments tied to a hospital construction contract. The misconduct extended to the highest levels of management, suggesting a culture in which bribery was accepted as a business practice.
Tone at the top: The company’s stated ethics and anti-corruption policies were evidently not embedded in the culture of its project operations — a classic governance gap between policy and practice.
The political dimension: In 2019, the SNC-Lavalin affair became a significant Canadian political controversy when allegations emerged that the Prime Minister’s Office had pressured then-Attorney General Jody Wilson-Raybould to allow SNC-Lavalin to negotiate a deferred prosecution agreement (DPA, called a remediation agreement in Canada’s Criminal Code) rather than face criminal trial, on the grounds that a criminal conviction would threaten thousands of Canadian jobs. Wilson-Raybould resigned from cabinet, as did minister Jane Philpott and the Prime Minister’s principal secretary, Gerald Butts. The affair raised fundamental questions about the independence of prosecution decisions from political interference. No remediation agreement was reached: in December 2019 the company’s construction subsidiary pleaded guilty to one count of fraud and agreed to pay a $280 million fine.
Governance lessons: (1) Anti-corruption governance must extend to project-level operations in high-risk jurisdictions — board-level policies alone are insufficient. (2) The board must ensure that management maintains ethical standards in competitive situations where bribery may provide short-term advantage. (3) When corporate scale creates “too big to prosecute” dynamics, governance failures have public policy consequences beyond the company itself.
11.4 Wells Fargo Unauthorized Accounts Scandal (2016)
What failed:
Incentive compensation design: Wells Fargo’s aggressive “cross-selling” strategy — selling multiple products to each customer — was incentivized through compensation plans that rewarded sales volume. Branch employees faced intense pressure to meet daily and weekly “solutions” quotas. The bank’s compensation committee and board failed to assess the behavioral incentives created by this system or monitor for misconduct indicators (customer complaint volumes, account closure rates, employee ethics reports).
Risk governance failure: Internal audit and the risk function identified concerns about sales practices as early as 2004. These concerns were not escalated effectively to the board or acted upon by management. The compliance function was inadequately resourced and positioned relative to the intensity of the problem.
Culture of fear: Employees who refused to meet quotas or raised concerns faced discipline or termination. The “pressure cooker” culture suppressed internal whistleblowing. Whistleblower retaliation, despite legal protections, was documented.
Board inaction: Congressional testimony revealed that board members were aware of elevated employee ethics complaints in the retail banking division years before the public scandal. The board’s failure to escalate its inquiry and hold management accountable for the cultural drivers of misconduct constitutes a significant governance failure.
Consequences: CEO John Stumpf resigned in October 2016; the board clawed back about $41 million of his unvested equity at the time and a further $28 million in 2017. The bank paid over $3 billion in fines and penalties, including a $3 billion resolution with the US Department of Justice and the SEC in February 2020. In February 2018 the Federal Reserve imposed an unprecedented asset cap prohibiting Wells Fargo from growing its balance sheet until governance and control deficiencies were remediated; the cap stayed in place for more than seven years and was lifted only in June 2025.
Governance lessons: (1) Incentive compensation must be evaluated not only for whether it rewards desired financial outcomes but also for what behaviors it induces. (2) Boards must insist that risk and compliance functions have direct access to board committees and sufficient organizational authority. (3) Whistleblower programs must be genuinely confidential and protected — a program that exists on paper but tolerates retaliation provides no protection. (4) Persistent elevated volumes of employee misconduct reports or customer complaints are board-level risk indicators, not merely management-level operational issues.
Chapter 12: Integrated Reporting and Sustainability Disclosure
12.1 The Case for Integrated Reporting
Traditional annual reports focused almost exclusively on financial performance — historical results, balance sheets, cash flows. This backward-looking, financially-bounded disclosure fails to convey the full picture of organizational value creation and risk exposure that investors and other stakeholders need to make informed decisions.
Integrated Reporting (IR) is a concept and framework developed by the International Integrated Reporting Council (IIRC), which merged with SASB in 2021 to form the Value Reporting Foundation and was consolidated into the IFRS Foundation in 2022. It proposes a concise communication of how an organization’s strategy, governance, performance and prospects lead to the creation of value over the short, medium and long term.
The IR Framework identifies six capitals that organizations use, transform, and create value through:
| Capital | Description |
|---|---|
| Financial capital | Funds available for producing goods/providing services |
| Manufactured capital | Physical objects available for use in value production |
| Intellectual capital | Organizational knowledge; patents; systems; brand |
| Human capital | People’s competencies, capabilities, experience, motivations |
| Social and relationship capital | Relationships; networks; shared norms; trust |
| Natural capital | Renewable and non-renewable natural resources and environmental processes |
IR requires organizations to articulate how they draw on each of these capitals, how their activities transform them, and what the outputs and outcomes are — including effects on capitals that the organization does not own (externalities).
12.2 IFRS Sustainability Disclosure Standards
The International Sustainability Standards Board (ISSB) was established by the IFRS Foundation in November 2021 and published its first two standards in June 2023:
IFRS S1 — General Requirements for Disclosure of Sustainability-related Financial Information: Requires entities to disclose information about sustainability-related risks and opportunities that could reasonably be expected to affect the entity’s cash flows, access to finance, or cost of capital over the short, medium, and long term.
IFRS S2 — Climate-related Disclosures: Requires disclosure of climate-related risks and opportunities, following the TCFD structure (governance, strategy, risk management, metrics and targets). Requires disclosure of Scope 1, 2, and 3 greenhouse gas emissions (with a phased approach for Scope 3).
In Canada, the Canadian Sustainability Standards Board (CSSB) published the Canadian Sustainability Disclosure Standards CSDS 1 and CSDS 2 in December 2024, based on IFRS S1 and S2 with Canadian transition relief and effective for annual periods beginning on or after 1 January 2025 on a voluntary basis. They become mandatory for Canadian public companies only if the Canadian Securities Administrators (CSA) incorporate them into securities rules; the CSA’s proposed climate-disclosure rule had not been finalized as of 2025.
12.3 Assurance of Sustainability Information
As sustainability disclosures become more formal and materially significant, the question of assurance — independent verification of the information — becomes important. The assurance of sustainability information is an evolving field:
- Limited assurance: The assurance provider conducts review-level procedures and concludes that nothing has come to their attention to suggest material misstatement — a lower bar than reasonable assurance.
- Reasonable assurance: Full audit-level procedures; positive conclusion that information is free from material misstatement.
Most sustainability reports currently obtain limited assurance, if any. Regulatory requirements in the EU (under the Corporate Sustainability Reporting Directive, CSRD) and, increasingly, in other jurisdictions will require at least limited assurance, moving toward reasonable assurance over time.
Chapter 13: Summary — The Integrated Governance and Risk Management Framework
13.1 Connecting Governance and Risk Management
Corporate governance and enterprise risk management are not separate disciplines — they are two aspects of the same organizational imperative: ensuring that the organization is directed and controlled in a way that enables sustainable value creation while managing threats to that value.
The board of directors provides the apex of both governance and risk oversight:
- Through its governance role, the board sets the strategic direction, ensures management accountability, and protects stakeholder interests.
- Through its risk oversight role, the board approves risk appetite, oversees the ERM framework, and ensures the organization maintains an effective system of internal controls.
These roles are interconnected. Strategic choices create risks; risk management supports strategy execution; governance processes ensure that both strategy and risk management are subject to independent oversight.
13.2 The Governance-Risk-Performance Cycle
Effective organizations manage a continuous cycle:
- Strategy and objective-setting: The board and management define the strategy and cascade objectives throughout the organization.
- Risk appetite setting: The board approves the risk appetite that bounds acceptable risk-taking in pursuit of strategy.
- Risk identification and assessment: Management inventories and assesses risks to strategic and operational objectives.
- Risk response: Management selects and implements appropriate risk responses — accept, avoid, reduce, or share — to bring residual risk within appetite.
- Internal controls: The control environment, control activities, and monitoring processes are designed to manage risk to within tolerance.
- Performance monitoring: Actual performance is measured against objectives; risk indicators are monitored.
- Board reporting and oversight: The board receives integrated reporting on strategy execution, risk profile, and control effectiveness.
- Review and revision: Strategy, risk appetite, risk responses, and controls are revised in light of performance outcomes and changes in the environment.
- External disclosure: Transparent reporting to shareholders, regulators, and other stakeholders on governance, risk, and performance.
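The cycle above, together with the point in 10.1 that cyber risk must be integrated into the ERM framework and risk appetite, can be run on a small risk register. The following is an added example, not part of the course notes or of any COSO or ISO material: it scores each risk on the likelihood × impact scale the notes use, derives a residual score by discounting the inherent score for control effectiveness (a linear simplification assumed here; many registers re-rate residual likelihood and impact separately), compares the residual with a board-approved appetite per risk category, checks key risk indicators (KRIs) against their thresholds, and lists the categories to escalate. The register entries, appetite levels and KRI readings are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk-register entry. Scales are this example's assumption:
    1-5 for likelihood and impact, 0.0-1.0 for control effectiveness."""
    name: str
    category: str                 # appetite is set per category by the board
    likelihood: int               # 1 (rare) .. 5 (almost certain), before controls
    impact: int                   # 1 (minor) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully mitigated)
    response: str = "reduce"      # accept | avoid | reduce | share

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0-1")
        if self.response not in ("accept", "avoid", "reduce", "share"):
            raise ValueError(f"{self.name}: unknown response {self.response!r}")

    def inherent(self) -> int:
        """Likelihood x impact before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Inherent score after controls, assumed to scale it down linearly."""
        return round(self.inherent() * (1.0 - self.control_effectiveness), 1)


@dataclass(frozen=True)
class KRI:
    """A key risk indicator: a leading measurement with a set threshold."""
    name: str
    category: str
    value: float
    threshold: float   # breached when value >= threshold

    def breached(self) -> bool:
        return self.value >= self.threshold


# Constructed register, appetite and KRI readings (illustrative values only).
APPETITE = {"cyber": 8.0, "financial": 10.0, "compliance": 4.0}  # max residual

SAMPLE_RISKS = [
    Risk("Ransomware on production systems", "cyber", 4, 5, 0.5),
    Risk("Breach at a third-party SaaS provider", "cyber", 3, 4, 0.6, "share"),
    Risk("Unhedged FX exposure", "financial", 3, 3, 0.2, "accept"),
    Risk("Privacy-regulator penalty", "compliance", 2, 4, 0.5),
]

SAMPLE_KRIS = [
    KRI("Critical patches older than 30 days (%)", "cyber", 12.0, 10.0),
    KRI("Phishing simulation click rate (%)", "cyber", 4.0, 8.0),
    KRI("Open regulatory findings", "compliance", 2, 3),
]


def out_of_appetite(risks, appetite):
    """Risks whose residual score is above the appetite for their category."""
    return [r for r in risks if r.residual() > appetite[r.category]]


def breached_kris(kris):
    """KRIs whose current reading has crossed the threshold."""
    return [k for k in kris if k.breached()]


def board_report(risks, kris, appetite):
    """One cycle: assess, compare with appetite, check indicators, escalate.

    A category is escalated either because a risk sits outside appetite or
    because a KRI breach suggests its residual score is no longer reliable."""
    outside = out_of_appetite(risks, appetite)
    breaches = breached_kris(kris)
    escalate = sorted({r.category for r in outside} | {k.category for k in breaches})
    return {"out_of_appetite": outside, "kri_breaches": breaches, "escalate": escalate}


if __name__ == "__main__":
    report = board_report(SAMPLE_RISKS, SAMPLE_KRIS, APPETITE)
    for r in SAMPLE_RISKS:
        print(f"{r.name}: inherent {r.inherent()}, residual {r.residual()}, "
              f"appetite {APPETITE[r.category]}, response {r.response}")
    print("outside appetite:", [r.name for r in report["out_of_appetite"]])
    print("KRI breaches:", [k.name for k in report["kri_breaches"]])
    print("escalate to board:", report["escalate"])
```

On the constructed register only the ransomware entry (residual 10 against a cyber appetite of 8) is outside appetite, and the patch-age KRI breach in the same category reinforces the escalation; the SaaS risk is within appetite after the "share" response (contractual and insurance transfer) is credited. The value of the exercise is the comparison, not the arithmetic: a residual score that stays within appetite while a KRI is breached is the stale-assessment case the monitoring step exists to catch.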
13.3 Key Exam Concepts Summary
| Topic | Key Framework/Concept |
|---|---|
| Governance foundations | Agency theory (Jensen & Meckling); stakeholder theory (Freeman); principal-principal conflict |
| ERM structure | COSO ERM 2017: five components, twenty principles; ISO 31000: eight principles |
| Risk categories | Strategic, financial (credit, market, liquidity), operational, compliance, reputational, ESG |
| Risk assessment | Likelihood × impact; heat maps; inherent vs. residual risk; risk appetite vs. tolerance |
| Risk responses | Accept; avoid; reduce/mitigate; share/transfer |
| Board structure | Unitary vs. two-tier; board committees (audit, compensation, nominating, risk) |
| Director independence | Material relationship test; TSX/CSA, NYSE, SOX requirements |
| Financial governance | SOX 2002 (Sections 302, 404, 301); NI 52-109 (Canada); PCAOB |
| Internal controls | COSO ICIF: control environment, risk assessment, control activities, information and communication, monitoring |
| Three Lines of Defense | Business units (1st); risk/compliance functions (2nd); internal audit (3rd) |
| Executive compensation | Base salary + annual bonus + LTIP (options, RSUs, PSUs); pay-for-performance; say-on-pay; clawbacks |
| Shareholder activism | Governance, strategic, and ESG activism; proxy contests; institutional investor stewardship |
| Cybersecurity governance | Board oversight requirements; SEC 2023 rules; integration with ERM |
| ESG governance | TCFD framework; IFRS S1/S2; physical and transition climate risk; CSRD; supply chain ESG |
| Integrated reporting | Six capitals framework; ISSB standards; sustainability assurance |
| Governance failures | Enron (SPE fraud, audit failure); Nortel (earnings management); SNC-Lavalin (corruption); Wells Fargo (incentive design) |
These notes synthesize content from COSO ERM (2017), ISO 31000 (2018), the OECD Principles of Corporate Governance (2023), Larcker & Tayan’s Corporate Governance Matters (3rd ed.), the Sarbanes-Oxley Act (2002), National Instrument 52-109 and 52-110 (CSA), the TCFD Recommendations (2017), and the IFRS Sustainability Disclosure Standards S1 and S2 (ISSB, 2023).