There was little correspondence evidencing the basis on which total compensation was awarded to the CEO. There was a spreadsheet with a password that was provided to the author by the CEO's assistant. When the author interviewed the chair of the compensation committee about the lack of either supporting documentation or independent assurance by a compensation consultant, the compensation committee chair told the author that the compensation committee was composed of experienced businessmen who were of the view that the CEO's compensation was appropriate given the CEO's performance.

The author was not provided with any CEO goals and objectives, key performance indicators, or trigger and target requirements for short-term or long-term incentives to be awarded or to vest. The foregoing items were asked for but, to the author's knowledge, did not exist. The compensation committee chair had friendships and social relationships with a number of directors, including the CEO. The basis for the quantum of compensation awarded to the CEO (1) relative to peers or (2) relative to company performance was not explicit.

The board chair and compensation committee chair said to the author that the regulator did not have the business judgment to opine on the quantum of CEO compensation. The author responded by saying that (1) the quantum of total compensation was very high compared to industry peers of a similar size and complexity, but, more importantly and particularly given this fact, (2) there should be a visible, diligent process to employ such business judgment of directors and to explicitly link pay to performance, which appeared to be what was lacking in any event.


There were very few explicit risk management protocols or systems to identify and mitigate material risks, including operational risk in particular. In the cash room, the controls were all manual (i.e., paper-based, which would appear to allow greater scope for management override or weaker controls), as information technology was not used. Risk identification and assessment were not documented explicitly. There was no risk function reporting directly to the board or to a committee. Indeed, there was no risk function.

There was little evidence that internal controls over operational and compliance risks were designed and/or effective, regularly tested by the internal audit function, and reported to the board or a committee. A number of directors appeared blindingly ignorant of their obligation to oversee risk management.

