
The Wells Fargo scandal stands as a poignant example of what can happen when company leadership sets the wrong kinds of incentives for employees. It's such a great example of mis-alignment because, at some level, we all understand and have significant exposure to the retail banking system. Even if you are not a Wells Fargo customer, it's easy to empathize with them and see how the corporate ship veered off course. But the lesson is not new or novel. History is replete with examples of misguided corporate incentives undermining culture—from the Dutch East India Co. to Enron—second verse, same as the first. Board oversight is a familiar theme. Like Enron, we have a special report issued in 2017 to figure out why it all went wrong for Wells Fargo. Last week, the company added a Business Standards Report to the narrative styled, “Learning from the past, transforming for the future.”

The report echoes some of the rebranding the company has focused on in digital and television advertising to regain customer trust. The bank's wrongheaded incentive and decentralization story has been widely circulated (who can forget the images of Sen. Elizabeth Warren searing CEO Tim Sloan and suggesting he be fired). The report provides at least some answers to the questions posed by Warren and Wells Fargo customers. The report contains a lot to digest (honestly, it could have been a bit more concise and simpler). It begins by reminding readers that Wells Fargo is a storied institution (picture stagecoaches protecting gold) that customers have trusted since 1853. The introduction follows with statistics showing the bank has an equally impressive footprint today, including employing approximately one in 600 working Americans, providing significant benefits to U.S. communities, and serving one in three U.S. consumer households. The most interesting part of the report, however, deals with risk management and board oversight.

In 2017, following the company's annual meeting, the board took a look in the mirror, meeting with investors and other stakeholders and retaining third parties to provide guidance on what it could do better. From a design perspective, the report notes that the board made significant changes to its structure and composition, reconstituted several board committees, and amended committee charters to sharpen the focus and reduce duplication of risk oversight. The Risk Committee now includes members with experience identifying, assessing and managing risk exposure of large financial companies, with risk management experience in financial reporting and technology/cybersecurity. Six new directors have joined the board since 2017. The company also separated the roles of the CEO and board chair (now required to be independent under the bylaws).

Wells Fargo also created a Risk Committee, which oversees compliance, operational and information security risk, as well as complaint management. Historically, the Board's Audit and Examination Committee oversaw these areas. Wells Fargo said that the board recognized the need for more focused oversight of compliance and technology risk and formed two subcommittees, the Compliance Subcommittee and the Technology Subcommittee. In the report, Wells Fargo recognizes that while it may be a financial company, it's also a people business, and it needed a separate Human Resources Committee tasked with enhanced oversight responsibilities, including human capital management, culture and ethics.

The report also notes that Wells Fargo enhanced the board materials and information flow between company leadership and the board (as well as exposing board members to meetings with customers to receive direct feedback). The Wells Fargo board now conducts a rigorous self-evaluation process to assess its own effectiveness, review governance practices and identify areas for enhancement. This process is a key part of the director nominating process and succession planning. The report also contains great takeaways from a company and culture perspective, traps of working in silos and lack of accountability, and vision for the company's future as part of the “transformation.”

Audit and risk have been hot topics in recent years for boards. Less than an hour away from Wells Fargo's headquarters, each summer, Stanford Law School and the Rock Center for Corporate Governance put on the best education program in the world for board members that routinely discusses these and other critical board agenda items. A look at this year's agenda, put together by corporate governance gurus Mike Callahan, Amanda Packel and Kristen Savelle (as well as Joseph Grundfest and other luminaries), appears right on point. In November, the Silicon Valley Directors' Exchange and the Rock Center put on an event at Stanford focusing on similar risk and culture issues.

Clearly these topics are on the minds of corporate boards. But it will be interesting to see how other boards more formally incorporate risk management into board design in the future. Risk assessment and management are a key part of a corporate compliance program. Analysis of risk and legal requirements drives the policies and procedures, training and monitoring of a compliance program. Regulators have provided specific guidance on the components of a risk assessment. For instance, the DOJ's guidance, Evaluation of Corporate Compliance Programs, specifically references the OECD risk assessment approach: establish the process; identify the risks; rate the inherent risk; identify and rate mitigating controls; calculate the residual risk; and develop an action plan. But the process only works if the board and leadership understand the results.

Effective design includes board reporting and helping board members sort compliance and enterprise risk. If a compliance risk such as privacy shows up as a significant risk on your enterprise risk assessment, you have a serious problem. The Wells Fargo report reminds us that as we think about how we monitor enterprise and compliance risk, we have to understand how those outputs enable the board and company leadership to make key decisions on risk and mitigation.

Whether Wells Fargo can sell its story to its customers remains to be seen. On Feb. 7, some of the bank's customers complained on social media about the bank's service outage, which prevented customers from using their debit cards or accessing their online accounts. Wells Fargo tweeted, “We apologize to our customers who may be experiencing an issue with our online banking and mobile app. Thanks for your patience while we research this issue. If you are impacted, please check back here for updates.” One customer responded that he/she was stuck out of state and couldn't use their debit card to purchase fuel. They probably have not seen the report. But it seems like the company may still have some work to do on the second part of that tagline.

Ryan McConnell and Meagan Baker are lawyers at R. McConnell Group—a compliance and internal investigations boutique law firm in Houston, Texas. McConnell is a former assistant U.S. Attorney in Houston who has taught criminal procedure and corporate compliance at the University of Houston Law Center. Baker's work at the firm focuses on risk and compliance issues in addition to assisting clients with responding to compliance failures. Follow the firm on Twitter at @rmcconnellgroup.
