Joe: [00:00:00] Hello and welcome to On Boards, a deep dive at what drives business success. I’m Joe Ayoub, and I’m here with my co host, Raza Shaikh. Twice a month, On Boards is the place to learn about one of the most critically-important aspects of any company or organization; its board of directors or advisors with a focus on the important issues that are facing boards, company leadership, and stakeholders.

Raza: Joe and I speak with a wide range of guests and talk about what makes a board successful or unsuccessful, what it means to be an effective board member, and how to make your board one of the most valuable assets of your organization.

Joe: Our guest today is Ian Roffman. Ian is a Partner at the law firm of Nutter McClennen & Fish where he leads a securities enforcement and litigation team that clients rely on when facing SEC [00:01:00] investigations, government inquiries, and corporate governance disputes. Before joining Nutter, he served as a Senior Trial Counsel in the SEC’s Division of Enforcement.

Raza: In addition to representing companies, directors, and boards involved in government investigations, Ian conducts internal investigations for board to uncover potential wrongdoings, make independent findings, and works to head off litigation or regulatory inquiries. He also sits on his firm’s executive committee.

Joe: I also want to mention that Nutter McClennen & Fish, where many years ago I was a Partner, is a sponsor of the On Boards’ Summit 2023 on November 1st, and they are sponsoring On Boards for Season 8, so thank you very much to our friends at Nutter McClennen & Fish. And welcome, Ian, thank you so [00:02:00] much for joining us today on On Boards.

Ian: Thanks, Joe. Thanks, Raza. It’s a pleasure to be here.

Joe: Ian, let’s start with a little background about what you do specifically and a little general background about Nutter’s governance practice.

Ian: I’m not sure I can improve on the introduction that you just gave, so thank you for that. We have a group that focuses on SEC enforcement and litigation as well as a group more broadly focused on government investigations and corporate governance issues as well.

We help boards, directors, company executives when they’re facing what can be significant moments in the existence of a company. Those moments can come upon the receipt of a government subpoena, a whistleblower complaint, or even something as seemingly innocuous as a letter or a phone call from a [00:03:00] government regulator, but we come in, we help the boards, we help individual directors, we help executives as they make their way through those sometimes sticky periods.

Joe: Thanks for that, Ian. When we spoke a couple of weeks ago and asked you when companies or boards call you, your comment was during a time of “crisis,” so talk a little about the type of situation that causes them to call you.

Ian: One of the lawyers that I worked for when I first got out of law school used the analogy of weather, what your obligations are as a director on a sunny day, what their obligations are on a cloudy day, what their obligations are on a rainy day, and my group generally comes in on the cloudy days, that are to be rainy sometimes we don’t get the call until the rain has already started.

But a lot of different things can prompt the call, it can be a subpoena that they receive, it can be a whistleblower complaint, it can be an internal [00:04:00] report, that there’s something wrong and a decision has to be made about whether to self-report to the government or regulator or law enforcement. It can be a lot of things that prompt that first call.

Joe: One of the important things that the board or the company can do when one of these events occurs. Talk about what they should be doing and how they would best respond to help themselves through whatever the situation is.

Ian: What does the company do when the clouds are on the horizon or maybe they’re overhead? Those things obviously always depend on the particular facts and circumstances. One of the most important things a company can do, a board can do especially, is try to get its arms around the issue as soon as possible.

There’s a balance that you have to strike between speed and hastiness. You want to act quickly, but you don’t want [00:05:00] quick action to be at the expense of good judgment, good information, and those sorts of things that enable you to make good decisions.

Generally speaking, a board ought to know the relevant facts before the regulators do, before law enforcement does, before plaintiff’s attorneys do, whoever your sort of relevant bogeyman may be on the other end of the issue. But you want to get together, you want to figure out what’s your plan, what do we understand the issue to be, what are the facts we know, what are the facts we don’t know, how can we go about learning the facts that we don’t know. Once you start to do that, you start to get your arms around the issue, then a board can start making decisions about strategy, next steps and so forth.

Joe: When you say get your arms around it quickly but don’t rush, would it be fair to say though that whatever pace you’re going in any way of avoiding it or procrastinating responding is[00:06:00] one of the worst things you can do.

Ian: The human desire to ignore bad news is pretty strong. Everyone experiences it, everyone feels it, and you’re sitting on a board, you have a fiduciary duty, and that fiduciary duty, depending on the type of entity it is, it could be a fiduciary duty to your shareholders, it could be a fiduciary duty in an LLC, for example, to the members of the owners of the entity. If you’re in a nonprofit, it could be a fiduciary duty to your constituencies or to society at large, but everyone who’s sitting in a board function has a duty, so what the board needs to do is think about what are the steps that they need to do to reasonably make sure that they’re fulfilling their duty to whoever the relevant constituency may be.

Joe: The other aspect that I’d be concerned about maybe would be whether they’re going to allocate appropriate resources and [00:07:00] attention, because it’s one thing to say, “Well, can we get our arms around it?” But I’d be concerned maybe, and I’m sure you see this now and then where companies are facing it, but they don’t want to make a ” big deal” of it because maybe other people will hear about it, maybe it’s too costly, whatever the reason may be, partly, as you said, because the instinct to avoid something bad is sometimes difficult to resist.

Ian: Yeah, your budgeting to deal with crises can be really challenging because often you don’t know the scope of the issue at the outset and we don’t live in a world of unlimited resources. Entities have constraints, there’s only so much money in the bank, and there may be only so much money that can be allocated to dealing with an issue.

Proportionality is important. It’s hard to make those sorts of judgments generally, or sort of have general standards that you apply other than to say an organization who’s [00:08:00] facing a crisis issue or is facing a government investigation needs to deal with it appropriately and responsibly.

If there are the resources to do it the right way, you have to do it the right way. If the resources don’t exist to do a complete internal investigation and all the things that you would ordinarily want to do in a perfect world, then there are just difficult discussions that have to take place about what’s the most efficient way to get to the bottom of the issue and who do we enlist, and how do we enlist the help of potentially our regulators or whoever it may be. But those problems need to be tackled head on and transparently and explicitly if they exist.

Joe: Talk a little bit about a decision by the company or organization, whether to cooperate, so to speak, with whatever the issue is, an investigation or whatever it might be, what are the considerations, and what does it mean to cooperate? Because I’m guessing there are many ways you could potentially cooperate without [00:09:00] appearing to stonewall something, which is probably not a good approach.

Ian: Yeah, cooperation is a very, very challenging issue, and your crises come up in a lot of different flavors. The easy side of the spectrum would be something like a board discovers that a rogue employee engaged in inappropriate conduct, financial or otherwise, that’s not a systemic issue or at least maybe at the outset, you don’t believe it’s a systemic issue, you can look into it, and that’s a pretty easy analysis in terms of cooperation. When I say cooperation, I mean cooperation with law enforcement or a regulator or something like that.

At the other side of the spectrum, maybe an issue where there’s a regulator or a law enforcement agency who believes that the company may have some systemic issue, and the company may disagree. It may be aware of the issue and doesn’t believe it’s a problem or [00:10:00] has an argument as to why what it’s doing is appropriate. It may not believe that there is an issue, that the regulator of the government is way off base, and those are much more challenging questions around what does it mean to cooperate.

Certainly, any organization that is a good corporate citizen, and I’ll use that as sort of a big category, a good corporate citizen, meaning it’s got well-meaning board, well-meaning executives, it’s trying to fulfill its mission in an appropriate way, those sorts of organizations ought to want to cooperate with the government if the government is looking into something, but that doesn’t mean you roll over and you don’t defend yourself if you think that your practices are appropriate.

There’s a lot of different ways that you can work through it. We could probably talk for three days about the various permutations of cooperation ,what does it mean, and how does it play out.

Joe: How often do you come across a client [00:11:00] that appears to be trying a more extreme version of avoidance by maybe covering up what may have gone on? What do you tell them?

Ian: Well, that doesn’t happen after I get there. It may have happened before I got there.

Joe: Yeah.

Ian: Look, I mean, there’s the old cliche, the cover up is worse than the crime, and that’s almost always true, and those sorts of things, it’s a great question, Joe, because it does relate to this cooperation question.

Actually, almost 20 years ago exactly, I think it was fall 2003, the SEC issued a report in which it outlined what it views as corporate cooperation, sort of the four pillars. This is something called the Seaboard Report. Seaboard was the name of the company, but it doesn’t appear anywhere in the report. It’s just known by everybody as the Seaboard Report.

But there are four pillars that the SEC identified, and it’s self-policing as number one. [00:12:00]Number two is self-reporting. Number three is remediation, and number four is cooperation.

What the SEC says, and I think this is generally followed by other regulators even if it’s not explicit, what the SEC is basically saying is, “Look, these are the four things we’re going to look at to evaluate whether you’re a good corporate citizen.

Number one, were you at the time that the conduct took place already policing yourself? Did you have in place good internal controls? Did you have a good risk function? Did you have an internal audit function or whatever you may call it within your organization? Were you policing yourself? That’s number one.

Number two is self-reporting. That is when you found a problem, did it get reported? Was it transparent now? Self-reporting might mean to the government. It also might mean from the management team to the board, or it might mean from middle management to upper management. But was there transparency in the reporting of the [00:13:00] issue?

The third is remediation. Whatever the problem was, did you fix it? If people were owed money, did they get their money back? If employees engaged in inappropriate conduct for one reason or another, did you figure out how that could have happened and did you make sure that it can’t happen again? Remediation could be financial or it could be non-monetary.

Then lastly, cooperation. When we asked you for documents, did you give them to us, says the government? Did you even give us the documents that we didn’t know to ask for? Did you say, “Hey, you guys are asking for A, B and C, but you didn’t really ask for X, Y and Z, but those are the relevant ones, so we’re going to give you X, Y and Z also.”

 The SEC is very clear that cooperation doesn’t just mean you did the things you’re required to do. It means you did something in addition. You didn’t just give us what we asked for. You did something that made our jobs easier.

Those are the four pillars; self-policing, [00:14:00] self-reporting, remediation, cooperation, and even though other regulators don’t use that same nomenclature, the concepts are always the same. The concepts are always there.

Joe: Well, it seems like a good guideline whether the SEC is involved or not so I think that makes sense. You referred to the expression, “the coverup is worse than the crime,” as a cliche, which it may be, but I would also say it is one of those cliches that is so painfully true, and yet, repeatedly, we see that individuals, organizations, corporations, whatever it might be, routinely try to go down that road, and I think, obviously, as you said, by the time they call you, they’ve already decided they’re going to do something about it.

When you get there and you see that there has been some, let’s call it, avoidance or cover up, what kinds of [00:15:00] things do you tell them to do then?

Ian: Yeah, it’s a great point, Joe, and it depends on the situation. I hate to sound like a lawyer by saying it depends all the time.

Joe: But you want to sound like a lawyer!

Ian: Often it comes from a really good place, which is that people see a problem and they try and fix it. Where it becomes, I think, a “cover up” rather than a solution if there’s a lack of transparency. Really, the key, I think, is if you identify a problem and you’re trying to fix it secretly versus trying to fix it transparently, and to be fair, the fix might be identical, and a secret fix is a problem, but a transparent fix is a solution. I see that all the time.

Take, for example, maybe in a financial situation, there’s a trade that goes bad, so you frequently see the issue of whether it’s smaller funds or other financial people trying to trade out of a problem, and [00:16:00] trading out of a problem rarely goes well.

But now think about it this way, you identify a problem, you tell the investor, “Hey, here’s the problem, maybe together we can try and engage in this trade and we might make the money back,” and the investor says, “Okay, why don’t you give that a try?” Well, it’s the same solution, it may have the same result, but doing it in secret is very different from doing it transparently.

Joe: Yeah, great example, actually. In order to be proactive, I’m sure you give advice to boards and company management about what are the best practices that will allow them to avoid this kind of problem because no one wants it. It’s obviously counterproductive no matter who you are. What are some of the things that you tell them to be vigilant about?

Ian: Yeah. Avoiding a government subpoena is not possible. People will get subpoenaed. No organization can have control over all of its people at all [00:17:00] times, and so let me just say that the question is not how do you avoid government scrutiny or regulatory scrutiny, the question is how you put yourself in the best position to deal with it when it inevitably happens.

Joe: For companies and organizations that want to avoid these difficult situations, what kind of advice do you give them about how they should conduct themselves so they’re not likely to run into these problems. I know sometimes not avoidable, but I’m sure there are things you can do to make it unlikely.

Ian: Joe, there are absolutely things a company can do to put itself in a position to deal with regulatory inquiries as well as they can. I would put at the top of the list to have a focus on a compliant structure, or maybe to say it a better way, a compliance-minded culture. We’ve talked already today about transparency and the importance of transparency. [00:18:00] Transparency and collaboration within an organization are among the most powerful things that companies can do.

When you’re having a sort of a general conversation like this, that may be applicable to small companies, big companies, middle-sized companies, private, public, nonprofit. There are a lot of different variations out there, but there, but there are, you know, and so the larger you are, the more infrastructure you have, and there are some complications and complexities maybe is a better word for larger organizations in terms of how you structure, but at the heart of it um, yeah. are going to be a compliance-minded culture, a culture of transparency, a culture of collaboration when issues come up, which they inevitably will within an organization that people feel empowered and comfortable to to raise them and try and solve them in an open way.

Joe: That’ll, yeah, that makes sense. Um, What about board process, [00:19:00] what kinds of things within the board would help? I think one of the things you mentioned was an audit committee with an independent director as chair of the audit committee That seems pretty simple. I think it’s pretty standard for well-run companies anyway. What other kinds of things can people put in place that are likely to reduce the possibility that they’re going to run into some trouble?

Ian: There’s a lot embedded in that question. It’s a great question. because there’s a lot embedded in it. Director obligations have dramatically increased over the last 10, 20 years. Some of the listeners may be familiar with what’s sometimes called Caremark duties. In the nineties, a lot of the standards for director conduct come out of Delaware laws, as many people know, and there was a case that involved the question of what are our director’s duties to oversee the management of the company in the nineties, and those were often referred to as Caremark duties, the name of the case.[00:20:00]

The principle at that time was essentially that the directors had an obligation to put in place appropriate, reasonable reporting systems, and in fact, in the context of that case, the then vice chancellor of the Delaware Court of Chancery was essentially saying, “Look, it’s really hard to bring a case against a director for essentially dereliction of duty so long as they have appropriate reporting procedures in place and information is coming up and they’re relying on experts and they’re relying on management.”

That standard, it’s hard to say that that’s still the current standard. There was a more recent decision called Marchand about five years ago from the Delaware Supreme Court. It was a decision written by Judge Strine, who is one of the more well-known judges on the Court of Chancery. The Marchanddecision, I would say, is sort of Caremark duties on steroids. That case involved the Blue Bell Ice Cream Company, which had a Listeria outbreak in [00:21:00] its ice cream. The directors were sued, essentially another sort of dereliction of duty-type theory, and what the Delaware Supreme Court said was that directors have a much more active duty to oversee the operations of the company, especially when it comes to areas of significant risk within the important areas of the company’s operations. In that instance, it was food safety.

That concept is easily applied to all sorts of other companies and all sorts of other industries and other types of risk, but the heightened duty of directors to have a more active role in overseeing risk was clear and clearly announced by the Delaware Supreme Court.

Raza: Ian, you mentioned the Caremark duties and the culture of compliance in an organization, and one of the ways you mentioned to bring that culture is by separating out things.[00:22:00] When are the situations where we think we should have a separate risk committee and a separate audit committee, and where does it make sense to have one in the same?

Ian: The audit function and the risk function of boards are both among the most important functions that directors fulfill. The question of whether to put those functions on the same committee or different committees, I think depends a lot on the nature of the company and its operations, its business, its industry. An audit committee in the ordinary course is going to be certainly dealing with traditional audit issues, but also looking at the internal control structure within an organization.

Internal controls include financial and non-financial controls, and depending on the nature of the company, adding a risk function to that committee, maybe a relatively small incremental add. I certainly can imagine companies and [00:23:00] industries where the risk function is really different from the internal control function, either because you need specific technical expertise to really assess risks, or they’re just really fundamentally non-financial in important ways.

What I would think about in in the question of do you want your risk committee and your internal or your audit committee to be one and the same is really to what extent are the risks that you want your board to have oversight of. Do they require specialized expertise? Are they financial or non-financial, and is the incremental work that you’re asking your directors to do really significant?

Raza: Yeah, the other way to look at it is that audit usually looks backward on what has happened, and risk in some ways, in many ways, is looking around the corner or looking to the future of what might happen. It’s a mindset [00:24:00] difference as well. If you wanted that to be separated and people to look at it in different ways, then that might be another reason.

Joe: I was going to take one example. There are organizations where maybe the most significant risk, non-financial risk, they have is reputation, so companies spend a lot of time trying to create trust among its stakeholders or among its consumers or whatever it might be. That seems very much like something that an audit committee would not necessarily really be equipped to do. Wouldn’t that be a situation where you might want a separate risk committee?

Ian: It could be. I think an audit committee frankly ought to be concerned about reputation, positive and negative, and frankly, Raza, I think your point was a great one, but the line between retrospective and prospective is often not so clear, so many public companies will have projections. They may [00:25:00] have forward-looking commentary in their case. They may do earnings projections for the street. Those are all areas in which the audit committee is going to have a role and oversight of forward-looking analysis. I think both of your comments are correct, but as is always the case, there’s overlap.

Raza: I think there are many other kinds of risks that may come up that bolster your argument for the skills. For example, today’s questions of the risks of AI, would those get considered in the audit committee? And I think the other fundamental reason for a separate risk committee is the positive notion of risk taking by an organization, and sometimes that comes in the form of the strategic plans and what should we do with this raise, and maybe another number of things that are not necessarily financial, although every risk does translate to financial risk for a company, but may just have more [00:26:00] meat and discussion in a risk committee than only the audit committee,

Ian: Yeah, I think that’s 100 percent right when you’re talking about operational risk, when you’re talking about strategic risk, those are things that strike me as being fundamentally different from the types of exercises that the audit committee is engaged in.

Raza: Ian, you’ve also represented whistleblowers and can you talk about how that representation ends up intersecting with boards or organizations. Are you on a different side of the table in those cases? And maybe inform our listeners about just generally whistleblower laws and how those things work out and what does it mean to do whistleblowing?

Ian: Yeah, I will say it’s not a major part of my practice. I’m almost always on the side of directors, boards, executives and companies, but I have had a couple of occasions where,[00:27:00] I’m representing a fairly senior person who has real concerns about conduct that their organization is engaged in.

I’ve done it three times. We’ll just get down to nitty gritty numbers. Two is still in process, one of which resulted in a seven-figure whistleblower award for my client from a government agency. It is an interesting lens when you look at issues from the perspective of someone on the inside who’s really identified where a company has gone wrong.

Look, you can see from that perspective all of the wrong decisions that they made and in a couple of instances where we’ve been closely interacting with the SEC, they sometimes let you in and see their work in a way that you don’t when you’re on the defense side, so it’s been a great lens.

Raza: Yeah, that’s what it sounds like, that when you are working with whistleblowers or representing them, you will be working with government rather than the [00:28:00] company, and most of the interactions will be in that direction of the regulators or government.

Joe: Yeah, great perspective to have.

Ian: Yeah, it’s exactly right, and the situations I’ve been involved in, going to the company was futile at best and probably counterproductive, and sometimes there’s a fair amount of money that’s at stake here, and people’s reputations and, at times, personal safety.

My experience, I worked at the SEC for a while. I’ve now been back in private practice for a long time. I’m doing SEC matters on all, and every SEC staffer is different. They all have different personalities. We’re all human beings, and so some let you in more than others do, but it does give you an opportunity to see sort of what arguments on the company side resonate and which ones fall flat.

Raza: Yeah, and the ones that fall flat, does it also happen that these are more on the frivolous side, and [00:29:00] how should the company view those if that’s the case?

Ian: Raza, that’s a great question. I would say there are probably two reasons/arguments that companies may fall flat that I’ve seen sort of in broad category. One is the company really doubles down on a factual scenario. That’s wrong. It’s wrong because maybe they haven’t done the due diligence to get the information, or they just don’t have access to information, but they’re really insisting that the sky is red, the sky is red, the sky is red, but the sky is actually blue, and they’re just doubling down on wrong facts. That’s one.

The other can be just a difference in interpretation of the law. We’re in an environment right now where many government regulators are taking very aggressive positions on the interpretation of law, and there’s frankly more litigation because you may not get a resolution within the government [00:30:00] agency that you might have five years ago, and so you have to go to a judge and get a more impartial because we’re in an environment of a very, very aggressive government regulation in certain areas and sometimes that’s just the way it is. We’re not going to convince the government to see things your way and you just have to go to a judge.

Raza: Yeah, but from the company’s end, it still is better to go after that it is frivolous rather than attacking the source of the complaint.

Ian: It’s in the company’s best interest to take the complaint seriously, so listen to what it is, look into it. If there’s something to it, deal with it. If there’s nothing to it, make clear to the government that there’s nothing to it, but not to be dismissive.

Joe: Let’s talk about another kind of a case that is in this same bucket, which are insider trading cases. What are the most significant risks to a company or organization from an insider trading matter?

Ian: [00:31:00] Insider trading is a fascinating topic. It’s another one where we could spend three days talking about it. I think I’ve probably handled more than a hundred insider trading investigations in the last 10 years or so for one party or another, and the law is fascinating. The facts are always interesting.

From a company’s perspective, assuming that you’re talking about a company whose stock is being traded, there’s very little likelihood that the company can have legal liability. Its risk comes in other areas. If one of its directors or executives engaged in insider trading, that’s a bad thing. There are rules that require companies to have policies and procedures in place to prevent insider trading. There aren’t a ton of cases that are brought under those, but no company wants their CEO to be walked off in handcuffs on the nightly news.

Reputational and loss of [00:32:00] personnel are really the biggest risk. There are some areas where there’s legal liability, but it’s really reputational and loss of personnel, but one of the things that I’ve done many times is go into companies, either the executive team or the board, and give trainings on insider trading law.

It’s more complicated than one would think, and I often think about insider trading risk as sort of two types of risk. There’s the risk that someone is actually engaged in insider trading, which is easy to talk about, but there’s the risk that the government might think someone engaged in insider trading, and that’s what I call investigative risk, the risk that you’re subject to an investigation.

Investigations are incredibly invasive, because when the government is looking to see if someone engaged in insider trading, they know just as well as you and I know that people communicate on their phones and through WhatsApp and WeChat and Slack and Telegram and [00:33:00] Snapchat and all those other things, and so the government is going to go in and they will take your devices. They can take your devices. They will require you to image your devices. They’ll get forensic images of your device. It is incredibly invasive, and so what a company ought to want to do is both manage its actual liability risk, but really its investigative risk around insider trading.

Joe: That makes a lot of sense. Ian, it’s been great speaking with you today. Thanks so much for joining us.

Ian: Thank you for having me. It’s been a lot of fun.

Joe: And thank you all for listening to On Boards with our guest, Ian Roffman.

Raza: Please visit our website at OnBoardsPodcast.Com. That’s OnBoardsPodcast.Com. We’d love to hear your comments, suggestions, and feedback. And if you’re not already a subscriber, please be sure to subscribe to Apple Podcasts, Spotify, or wherever you get your podcasts, and remember to leave us a five-star review.

Joe: Please stay [00:34:00] safe and take care of yourselves, your families and your communities as best you can. We hope you’ll tune in for the next episode of On Boards. Thanks.