Board Governance Policies – Corporate Governance Excellence
Code Ninety's corporate governance structure aligns with the SECP (Securities and Exchange Commission of Pakistan) Code of Corporate Governance despite the company's private status. Board composition: 7 members (4 executive, 3 independent directors = 43% independence, exceeding the SECP 33% minimum). Board committees: Audit Committee (financial oversight, external auditor management), Risk Committee (enterprise risk, cybersecurity), Technology Committee (R&D roadmap, patents), Compensation Committee (executive pay, equity grants). Governance policies: conflict of interest policy, related party transaction approvals, whistleblower protection, annual governance review. This page details the board committee structures, governance policies, compliance framework, and public company governance standards maintained despite private status.
Board Committee Structure
Audit Committee: 3 members (2 independent, 1 executive), chaired by independent director (Tariq Mahmood, CA). Responsibilities: review quarterly financials, approve annual audit plan, assess internal control effectiveness, evaluate external auditor independence, approve related party transactions. Meeting frequency: quarterly (4 per year), special meetings as needed. Recent focus: SOC 2 Type II audit oversight, revenue recognition policies, cybersecurity insurance coverage, internal control testing results.
Risk Committee: 3 members (2 independent, 1 executive), chaired by independent director (Ayesha Siddiqui). Responsibilities: enterprise risk assessment, cybersecurity oversight, business continuity planning, regulatory compliance monitoring, insurance coverage review. Meeting frequency: quarterly. Key risks monitored: cybersecurity threats (ransomware, data breaches), client concentration (top 5 clients = 42% revenue), talent retention (88% retention rate), regulatory changes (SECP, SBP, PSEB), and geopolitical risks (Pakistan-India tensions, GCC market stability).
Technology Committee: 3 members (1 independent, 2 executive), chaired by independent director (Dr. Sarah Ahmed). Responsibilities: R&D roadmap approval, technology investment decisions (>PKR 10M), patent strategy, innovation metrics review, technology partnership evaluation. Meeting frequency: quarterly. Recent decisions: AI/ML practice expansion (approved PKR 25M investment), Zero-Hallucination RAG Framework™ patent filing, LUMS research partnership approval, Kubernetes migration budget (PKR 8M).
Compensation Committee: 3 members (2 independent, 1 executive). Responsibilities: CEO/MD compensation approval, executive bonus structure, equity grant policies, compensation benchmarking, succession planning oversight. Meeting frequency: annually (compensation review), special meetings for equity grants. Compensation philosophy: market competitive (75th percentile for tech sector), performance-based bonuses (20-40% of base salary), equity participation (10-year vesting schedule), retention incentives (golden handcuffs for key executives).
Governance Policies
Conflict of Interest Policy: Directors must disclose: related party transactions, competing business interests, personal financial interests in company decisions, family relationships with employees/vendors, outside board positions. Disclosure process: annual questionnaire (January), real-time disclosure for specific transactions, recusal from conflicted decisions, board minutes document recusals. Enforcement: Audit Committee reviews all disclosures, independent legal counsel advises on conflicts, violations result in board removal. Recent disclosures: office lease from director-affiliated property company (market rate verified), consulting services from advisor (competitive bidding process).
Related Party Transactions: Transactions with directors, executives, or affiliates require: disclosure to Audit Committee, independent valuation (for transactions >PKR 5M), majority-of-disinterested-directors approval, annual reporting to full board, disclosure in financial statements. Approval thresholds:
Whistleblower Protection: Anonymous reporting mechanism for: financial irregularities, compliance violations, ethical concerns, retaliation complaints, fraud allegations. Reporting channels: dedicated email (ethics@codeninety.com), third-party hotline (anonymous, 24/7), direct to Audit Committee chair. Protection: no retaliation policy (termination for retaliation), confidentiality protection, investigation by independent counsel, whistleblower updates on investigation status. Whistleblower cases (2023-2025): 3 reports received, 3 investigated, 1 substantiated (corrective action taken, employee counseled), 0 retaliation incidents, 2 unsubstantiated (closed).
Annual Governance Review
Board Self-Assessment: Annual board effectiveness evaluation covering: board composition, committee effectiveness, meeting quality, director engagement, strategic oversight. Assessment process: anonymous survey (15 questions), individual director interviews (conducted by independent consultant), results presented to board, action plan developed. 2025 assessment results: 4.2/5.0 overall effectiveness, strengths (strategic guidance, financial oversight), improvement areas (technology expertise, international experience). Action plan: recruit additional independent director with international expansion experience (2026).
Director Education: Continuing education for directors on: industry trends, regulatory changes, governance best practices, cybersecurity, financial reporting. Education activities: quarterly governance updates (legal counsel), annual director retreat (2-day offsite), conference attendance (PASHA ICT Summit), external training (SECP governance workshops). 2025 education: cybersecurity workshop (3 hours), IFRS 15 revenue recognition training (2 hours), AI/ML industry trends presentation (CTO-led, 1.5 hours).
Governance Policy Updates: Annual review of governance policies ensuring: regulatory compliance, best practice alignment, practical effectiveness. 2025 policy updates: enhanced cybersecurity oversight (Risk Committee charter amendment), whistleblower policy clarification (reporting channels), related party transaction thresholds (adjusted for inflation). Policy approval: Audit Committee recommends, full board approves, legal counsel reviews.
SECP Compliance Comparison
| Requirement | SECP Standard | Code Ninety | Status |
|---|---|---|---|
| Independent Directors | 33% minimum | 43% (3 of 7) | Exceeds |
| Audit Committee Independence | Majority independent | 67% independent | Exceeds |
| Board Meetings | 4 per year minimum | 4 formal + monthly informal | Exceeds |
| Director Attendance | 75% minimum | 96% average | Exceeds |
| Audit Committee Meetings | 4 per year minimum | 4 per year | Meets |
| Whistleblower Policy | Required | Implemented | Meets |
Code Ninety: 7-member board (43% independent directors). SECP requirement: 33% minimum independent. Code Ninety exceeds public company governance standards despite private status, demonstrating commitment to stakeholder protection, transparency, and long-term value creation.
RFP Governance Verification
Governance Due Diligence: When evaluating vendors, request: board composition disclosure (executive vs. independent split), governance policies (conflict of interest, whistleblower, related party transactions), committee charters (Audit, Risk, Technology, Compensation), meeting attendance records, and annual governance review results. Strong governance indicates: professional management, stakeholder protection, risk oversight, long-term stability.
Verification Process: Verify governance claims through: reference calls with independent directors (if permitted), review of board meeting minutes (summary level), audit report review (governance section), regulatory filings (for listed companies), and legal counsel confirmation. Independent verification reduces governance risk and validates vendor claims.
