Boards & Governance

Four Questions to Ask to Probe Your Company’s Cyber Resiliency

NACD Blog Feed -

Kelly Bissell

Cybersecurity is the bedrock of intelligent business. Companies that hope to develop superior customer knowledge, unique insights, and proprietary intellectual property by utilizing digital capabilities will require a robust cybersecurity strategy to underpin the whole. Companies need a strategy that leads to true cyber resilience.

To create a resilient enterprise, companies must make changes in four areas: leadership and governance, funding, organizational culture, and security measurement and monitoring.

Directors and executives should be asking themselves the following questions in order to ensure that they are on the right track.

1. Leadership and governance: Do we really understand what’s at stake for the business?

CEOs and boards of directors fortunately are ramping up their engagement and accountability for cybersecurity. Most CEOs, however, have much more to do. The chief executive’s relationship with his or her chief information security officer (CISO) is critical to the right kind of engagement. The CEO’s relationship with the CISO is also important to the board’s ability to perform sound cyber-risk governance.

CISOs should have oversight of more than just the corporate office, to include functions, subsidiaries, joint ventures, and labs. They should be involved in discussions of any new business initiatives or technologies that will increase cyber risk. CEOs and boards should bring them into the inner circle to help build risk management strategies to support business goals and objectives. The bottom line is that CISOs must become business advisors to leadership and informants of business challenges and successes to boards.

2. Culture: Do we truly put security first?

A big part of embracing a security-first culture is having the right mindset. At the C-suite and board level, cyber resilience and operational performance management should go hand in hand. Security must be a strategic priority tracked and reacted to as part of the tempo of normal business management, much the same as with the profitability of business units. It is a new competence that needs to be built, just like manufacturing excellence or personalization in digital marketing.

This mindset must spread throughout the organization and serve as a spur to proper actions. Line management must understand that they have a primary objective: Protect customers’ data and the company’s digital assets and operations. Fail at this and all else is irrelevant. The same is true for the front lines.

Cultural change must be backed by action and investment, and the buck stops with the board. Ensure your board is asking management whether or not this key culture change is being made across the organization.

3. Funding: How much is the right amount?

Answering this difficult question requires breaking it into two parts:

  1. Is the company brilliant at the basics? This means properly investing to resolve challenges of any magnitude—from intruders who want to get at a particular customer, to attackers after the company’s most critical assets, whether they be data or key intellectual property that differentiates the company in the market.
  2. Is the company innovating to improve its security? The only way to lower the cost of cybersecurity (or at least slow cost increases) while improving overall capability is to innovate upon current security practices.

Getting the basics right isn’t easy. It requires understanding and preparing for the many potential intentions of cyberattackers. It also means hardening high-value assets. Companies must make it as difficult as possible for attackers and limit the damage that’s possible when they do breach the walls.

Breakthrough innovations come from many corners, including business partners, vendors, and alliances across other ecosystems. CEOs and boards should think of the startup community as their company’s route to innovation and experimentation. Once partners demonstrate how their products will integrate efficiently and drive value in the security mission, security professionals must rapidly scale the innovations across their organizations. The CEO can empower that scaling, and the board should be asking the CEO about plans to do so.

4. Metrics and monitoring: Are we measuring for business relevance?

The metrics used in the past to measure business success won’t help in the future. For example, low, medium, and high compliance scores don’t communicate enough about business risk. Rather than information such as project plans on encryption, CEOs and board members should receive metrics on protecting customer data. Rather than metrics around patching (updating software with the latest, most secure versions), they should hear about how the integrity of production environments is being maintained. Companies need business-relevant scorecards on security.

In addition to receiving better information on more relevant metrics, CEOs and boards should improve their own monitoring and understanding of cyber threats. They need to develop muscle memory by taking part in crisis drills and working through attack scenarios. Such practice helps track improvements and lessons learned, and to be prepared to respond immediately when a threat occurs.

The Path to Cyber Resilience

CEOs and boards of big organizations that have been successful at demonstrating cyber resiliency are leading wise pivots to new strategies for security. While these pivots are essential to the survival of businesses, they do bring risks and increased attack surfaces to critical digital assets and operations. Business leaders must engage more directly to own this challenge, because in the future, the only resilient business will be one that is cyber resilient.

Basic Income: A Bold Solution to a Big Problem

NACD Blog Feed -

Peet van Biljon

While most corporate directors in the United States are focusing on the social and business impact of recent tax reform, some of them have another economic matter on their minds: the concept of universal basic income (UBI). This is our future, says a recent article quoting Silicon Valley’s Ray Kurzweil, Google’s director of engineering. Kurzweil is not alone. Other tech luminaries such as Mark Zuckerberg and Elon Musk have expressed support for it. Meanwhile, public sector leaders from Canada to Kenya are already looking at implementing this economic model.

So, what is UBI? One way to define it is to see what it is not. It was reported recently that Finland has discontinued its year-old UBI pilot. The Finnish government’s discomfort with handing out money with no strings attached got the upper hand. (However, Finland retains its generous unemployment, free college, and universal healthcare benefits.) While Finland is abandoning unconditional income guarantees, it will be lumping all government benefits together in a single monthly sum, a universal social credit. The UK government is following a similar lump-sum approach, the so-called universal credit. But neither is a basic income.

A true UBI is both universal (i.e., paid to every citizen) and unconditional (i.e., recipients do not have to meet any obligations to maintain their eligibility). The tax treatment of a UBI is intended to avoid the distortions normally associated with the transition point between social benefits and wage income, a distortion that can be a disincentive for benefit recipients to start working. The UBI itself is tax-free; only additional income from other sources like wages, called the market income, is taxed. Even as market income goes up, the UBI is not taxed. Tax brackets are designed so that a gross income (UBI + market) above a certain level makes an individual a net contributor, meaning what someone pays in taxes will exceed his UBI receipts. For example, with a 33.33 percent flat income tax rate, the recipient of an annual UBI of $12,000 will reach the breakeven point when her taxable market income is $36,000, on which she will be paying $12,000 in taxes, balancing out the UBI. Every dollar of market income after that makes her a net contributor of taxes. The system is startling in its simplicity.

The modern idea of a basic guaranteed income has been around since Bertrand Russell made the case for it 100 years ago, but Thomas Paine proposed a form of basic income as far back as 1797. A close variant of UBI is the negative income tax, which entails payments only to those who would be net recipients under the basic income system, like those earning less than $36,000 in the example above.

So, why are so many leaders of institutions (from government and non-governmental organizations to corporations) looking at UBI right now? It is because of the ongoing unemployment trends in recent decades. In countries such as the United States, these trends are better reflected in a 20-year low workforce participation rate and precarious employment than in unemployment claims, which are currently low. There is widespread fear that the elimination of low- and medium-skilled manufacturing and administrative jobs will accelerate as new automation technologies such as artificial intelligence (AI) spread like brushfire through the economy.

The predictions on the worker dislocation by AI and other automation technologies are piling up: In 2013 Oxford University researchers estimated that 47 percent of U.S. jobs had a high probability of being automated by 2033. This started off a range of estimates and predictions by consultancies, think tanks, and governments. For example, late last year McKinsey estimated that by 2030 between 400 and 800 million jobs worldwide may be lost due to automation, including 73 million lost jobs in the United States. PwC in 2017 estimated that up to 38 percent of U.S. jobs are vulnerable to automation by 2030. On the low end is the Organisation for Economic Cooperation and Development’s 2016 measure, which estimated that 9 percent of jobs are highly automatable and another 32 percent have a significant risk of automation. There are also optimistic estimates of millions of new jobs being created by this technology—but most such predictions only offset the job loss. They do not erase the net loss that will surely result.

Both job losses and job creation have indeed been part of previous industrial revolutions, but that does not mean serious disruption can be avoided in the transition. We could have one or more lost generations of workers before the system rights itself. Just this past month, Brookings researchers provided a grim warning that with job dislocation around 38 percent (a forecast mean), “Western democracies likely could resort to authoritarianism as happened in some countries during the Great Depression of the 1930s in order to keep their restive populations in check. If that happened, wealthy elites would require armed guards, security details, and gated communities to protect themselves, as is the case in poor countries today with high income inequality. The United States would look like Syria or Iraq, with armed bands of young men with few employment prospects other than war, violence, or theft.”

This is a bleak future we all want to avoid. What’s needed is a policy response equal in size to the disruption. UBI may be a big part of the answer, but the concept is too often met by skepticism or outright hostility from business leaders who have a distaste for anything that smells like socialism.

Concerns for personal responsibility immediately come up when UBI is discussed: Won’t it take away the incentive for people to work? Won’t some people abuse it? Perhaps no one better addressed these concerns than that paragon of free market capitalism, Milton Friedman, in a famous 1968 article titled “The Case for a Negative Income Tax: A View from the Right.” Friedman pointed out that onerous conditions for social assistance interfere with personal freedom and dignity when large numbers of government bureaucrats have to screen and police recipients to make sure they do not violate eligibility requirements. It is also highly inefficient. Friedman argued that replacing the multitude of existing welfare measures with one unconditional payment would be much more efficient, increase the incentive to work, and reduce the number of permanent poor living off government programs.

More practically, if the UBI is set at a low-enough amount, and recipients keep their after-tax income from employment, ample incentives remain for people to find work to improve their status in life. For example, the Ontario pilot UBI for individuals is set at only $13,000 US per year per individual, and $19,000 US per couple. This is hardly enough to live a life of luxury on the dole.

For the same reason, companies need not worry that a modest UBI will depress the labor supply and drive up wages for low-wage workers. It may do the opposite, that is, enable more people to take low-wage jobs, similar to the current situation in which many low-wage workers in the United States are supported by the Supplemental Nutrition Assistance Program (SNAP, previously known as food stamps). It is estimated that U.S. taxpayers already provide working families with over $150 billion in annual public support through the current patchwork of state and federal programs like SNAP, Temporary Assistance for Needy Families, Medicaid, and the Children’s Health Insurance Program. By design, UBI eliminates the so-called poverty trap in which people are discouraged from taking work because they may earn less from wages than from the sum of these benefits. And since everyone from the CEO to the janitor will get a monthly UBI directly from the government, there is no regulatory or administrative burden for companies. Furthermore, the UBI becomes a permanent safety net for laid-off employees who have exhausted their termination and unemployment insurance benefits.

Will UBI give struggling people the opportunity to lift themselves up, or will it create a permanent underclass? Preliminary anecdotal feedback from the Ontario pilot is that participants are eating healthier, retiring debt, and feeling less stressed, enabling them to focus on economic advancement. This is consistent with the so-called Maslow argument for UBI. Longitudinal data are needed to properly assess the societal welfare effects of UBI, and these are scarce, which is precisely why properly designed UBI pilots should be supported. One of the only UBI-like programs to have existed for years is the payment funded by casino royalties (currently about $12,000 annually) to every member of the Eastern Band of Cherokee Indians in North Carolina. The program has been extensively studied by social scientists, who found compelling benefits: a 40 percent decrease in behavioral problems among poor children to a level equal to non-poor children, a 22 percent decrease in minor crimes (which means fewer kids in jail), and higher high school graduation rates.

The last big concern is the cost burden of UBI for a country. A full-scale UBI implementation could be partially funded by absorbing many existing programs into the single universal payment. Significant savings will also come from collapsing the large government bureaucracies currently employed in administrating those programs. A tiny new bureaucracy can send every citizen a monthly check or bank transfer, and the existing tax bureaucracy (e.g., the Internal Revenue Service) will process any taxable income and payments as usual. But some incremental public spending will likely be needed, and new revenue sources found for it.

Earlier this month, Canada’s Parliamentary Budget Office estimated the cost of extending the Ontario pilot to every Canadian citizen at the current rates, net of expected savings in existing spending, to be on the order of $23 billion (Canadian). To put this in terms that scale to other economies like the United States, this is roughly one per cent of gross domestic product, and could be paid for with about three additional points on the federal Canadian general sales tax (GST).

UBI is a bold new mechanism for social support. But so were unemployment insurance and Social Security in their time. There are details to be worked out, and hypotheses to be tested, before rolling out such massive programs nationwide. The best way to do that is to proceed with, and copy, controlled experiments like the current pilot in three cities in the Province of Ontario. Board members and other business leaders would do well to monitor these developments and to keep an open mind on UBI. It may just save our society from the social havoc that could be wreaked by artificial intelligence.

Peet van Biljon is founder and CEO of BMNP Strategies LLC. He advises clients on strategy, innovation, and new business building. He focuses on Industry 4.0 and transformative technologies such as artificial intelligence, digitization, fintech, and the Internet of Things. He previously managed McKinsey’s global innovation practice from 2010 to 2015. Peet is an adjunct professor at Georgetown University, where he teaches a graduate course on innovation. He co-chairs the General Principles Committee of the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems (A/IS). Peet authored a book on business ethics, Profit with a Higher Purpose, and has developed Ethics-driven Innovation, an innovation process to help clients meet the highest ethical standards. He is an electrical engineer, licensed as a professional engineer in Ontario, and also has degrees in accounting and economics. All thoughts expressed here are his own.

How Does Your Board Define Age Diversity?

NACD Blog Feed -

Paula Loop

Age diversity is an important factor to achieving diversity of thought. That’s how 91 percent of directors responded in our 2017 Annual Corporate Directors Survey. They even rated age diversity higher than any other element of diversity, including gender and race. However, we noticed that more than half (52%) of directors said they have age diversity on their board and don’t need any more of it. Herein lies the disconnect: Our definition of age diversity differs from that of most directors.

So what does age diversity mean to corporate directors? Maybe it means their board has directors who are in their 50s, 60s and 70s. Or perhaps they have one director who is 55 and one who is 80. With an average age of 63 for independent directors on S&P 500 boards (and going up), what it likely means is that they don’t have many directors who are 50 or younger. In fact, there are more directors aged 75 or older in S&P 500 boardrooms than there are 50 or under, according to our new research paper, Board composition: Consider the value of younger directors on your board. That figure demonstrates that there really isn’t a broad definition of age diversity.

To find out more about age diversity on US public company boards, we analyzed the population of directors aged 50 or under serving on boards of S&P 500 companies as of the end of 2017. We wanted to see who these directors are and what their board service looks like. What we found out is that there really aren’t many of them at all: According to our analysis of BoardEx data, directors aged 50 or under make up only 6 percent of the seats on S&P 500 company boards.

What does this mean for your board? First, if it hasn’t already, your board should consider age diversity and determine what it means for your company. Second, you might consider adding a younger director or two to the board. Most younger directors (96%) have active jobs or roles, so they can bring critical workforce skills and know-how back to the boardroom. They are more likely to have hands-on experience with newer technologies like artificial intelligence or the internet of things, technologies that companies are investing in and adopting to get ahead and stay competitive. And, in many cases, younger directors are closer to the consumers that their companies are targeting. They’re also closer to millennials, whose spending habits and workplace expectations are turning traditional marketing and human resources processes and plans on their heads.

We know that board composition and refreshment is a hot topic today, and the topic of age diversity is a good conversation for boards to have. Though there’s not one accepted dictionary definition of what age diversity is, boards may also want to develop an agreed-upon understanding about what it means to their board—and why all aspects of diversity make for healthy board discussions and better board performance.

One of the most interesting data points that came out of our new report details how companies made room for younger directors. For 62 percent of the S&P 500 board seats held by independent directors 50 and under, companies increased their board size to accommodate them. The board did not wait for traditional succession planning tools to play out, such as a director leaving the board due to retirement or term limits. Increasing board size to bring younger directors on as soon as possible indicates a real desire for and appreciation of the value those individuals would bring to the boardroom. That alone should tell you that age diversity is something to consider for your board.

Leading Change

NACD Blog Feed -

Martin Coyne

Each of us can look back and be baffled by how much change is possible in a short amount of time. Remember landlines? Flip phones? How about the BlackBerry? It’s human nature to be resistant to change, and boards and corporate directors are no different. Maintaining the status quo is more comfortable than change, especially because leading change requires a straightforward vision, strong leadership, and clear communication. In the words of the cartoon Dilbert: “Change is good, you go first.”

But change is necessary for company growth and success. And the National Association of Corporate Directors is one organization that not only talks about change but gives board members and leaders the tools to help boards model and implement change. At NACD’s Global Board Leadership Summit this fall, we’ll discuss how we as board directors can embrace our leadership role, set a positive example, and encourage change.

Oversight Is No Longer Enough

Emerging technologies and new customer demands are now constant threats to established products and business models. These threats affect sustainable and profitable growth, but boards can counter these issues by continuously helping management to evolve their business models, investments, and skill sets.

Expectations of capitalism and acceptable corporate behaviors are also changing, forcing a better balance of achieving profits and having a positive societal impact. A good example is a company’s focus on reducing its environmental footprint. This means that we are now seeing the focus on shareholders shift to include all stakeholders, such as employees, suppliers, customers, and communities.

All this is part of taking an active role in creating the optimal organizational mission and culture. Changing our behavior, processes, and interactions from oversight and support to an active leadership model is crucial to ensure success in our evolving world.

Leading Change Is Necessary

External pressures, rapidly changing governance requirements, and differing stakeholder expectations are all good reasons to call for change.

Failure to change may jeopardize not only a company’s performance, but also its very survival. Poor performance impacts everyone, but proper board and director performance can create a competitive advantage that increases value for all stakeholders. Stagnation is the enemy and change will keep your organization sustainable and on the lookout to avoid pitfalls.

Necessary Board Components for Success

When I look back over my career as a board member, these four pieces are critical to effectively lead and enact change:

  1. Boards need to be comprised of directors who understand and have effectively led change management;
  2. A board’s culture of embracing change should be a model for the entire company;
  3. Board information and processes need to align with and support the new culture to achieve its goals; and
  4. A board’s composition should reflect and support its new evolving culture and behavioral design.

Key Takeaways to Remember

To start leading change in your boardroom, define and describe the mission, values, and culture that you want your company to embody. Boards should assess what the organization needs to retain and what aspects would be most beneficial to change.

Build off of the strengths in your company and initiate change management plans to achieve your new vision. This includes evaluating the current board composition, leadership and processes and taking action to make changes in a timely manner. Once initial changes have been made, continually assess progress towards your vision and course correct as needed. Don’t be afraid of needing to shift direction in the future.

If there’s one constant, it’s that change will always continue. It never stops. Change impacts all of us, and for boards and company leadership to be successful, effective change management should be a required element in the makeup of every board.

Like our cartoon friend Dilbert challenges us, are you ready to go first, lead, and create an inspiring vision for sustainable value creation for your constituencies? I’m looking forward to discussing change, the ever evolving transformation of our world and more at the 2018 Global Board Leaders’ Summit September 29 through October 2 in Washington, DC. Register now and join me there.

Martin Coyne is a director of EyeNuk. Coyne is the chair and founder of the CEO Learning Network and he is the chair emeritus of the National Association of Corporate Directors’ New Jersey Chapter.

The Future-Ready Workforce: Lead the March

NACD Blog Feed -

Brian Baker

Some claim that seven million jobs will be lost, and more than half of jobs will be replaced. Others claim that 2.3 million jobs will be created, exceeding the 1.8 million that it will remove. These are just some of the forecasts pundits are making about the impact artificial intelligence (AI), automation, robotics, and more will have on jobs and the changing nature of work in the United States.

When taken together with many other forecasts, there is really only one conclusion. We really don’t know what the impact will be. What we do know is this: change is happening and it’s happening fast. And beware, we humans tend to underestimate the amount of change that will happen in the next 5 years. Don’t get caught. One of the single biggest questions the board needs to be asking of their CEOs is, “Is our workforce strategy built for the future of work?”

Despite all of the rhetoric about advanced and emerging technologies creating massive job losses, our economy will continue to function as the “human operating system” that will power organizations of all sizes. The most adept leaders will recognize advanced technologies as opportunities to unlock the full potential of humans rather than considering those technologies as simply a way to replace jobs and reduce costs. Our capacity for curiosity, customer devotion, empathy, problem-solving, relationship building, and more will be difficult to replace.

Technology (automation, robotics, AI), working side by side with the human operating system, is the new currency in a workforce prepared for the future of work. Importantly, 62 percent of organizations rate themselves as ineffective at this type of workforce planning.

Board members in companies of all sizes should be asking, therefore, the following questions of the C-Suite.

What should our workforce look like in five and 10 years, and what is our plan to achieve that end state? So far, only one in five human resources leaders have begun implementing strategies to develop their workforce for tomorrow. While this figure is surprisingly low given the urgency with which company leaders need to act, it’s these leaders who are positioning their companies ahead of the curve and widening their competitive moat against those who choose to delay or take no action at all.

What are the external trends defining the future of work that we are harnessing for success? Which ones could prevent us from delivering on our goals? Mercer’s 2018 Global Talent Trends report is a good starting point to learn more.

Is the leadership team and workforce ready for the speed of change required to win? Only 18 percent of C-Suite leaders describe their organization as agile enough today to succeed through change.

Should we be measuring the long-term health of our company differently than just earnings or stock price given the changing nature of work? What are we doing to develop and retain talent? Does our mission statement reflect the need for customer devotion and a purpose-driven culture? How are we measuring whether or not we are delivering on our mission?

What are we doing to upskill and reskill our workforce to improve their digital literacy? Only 15 percent of company leaders consider themselves leaders of a digital organization, with 53 percent reporting they have not yet begun their journey or have a long way to go. That makes it even more surprising that only 15 percent of C-Suite leaders believe that upskilling and reskilling employees for new and changed roles, driven by digital and technology, will make a sizable difference to business performance.

Today’s board members and leaders can’t afford to wait any longer. The technology innovation curve is a hockey stick and many believe we are about to hit the elbow as AI and other technology capabilities begin to approach and surpass human intelligence. Those leaders who embrace the pace with urgency will set themselves up for accelerating growth while those who don’t will find that the notion of being able to catch up has vanished.

No business is immune, and how the workforce will morph and adjust needs to be at the center of gravity in all board room discussions. Think about these facts from the World Economic Forum:

  • 35 percent of the core skills of today could change by 2020
  • 65 percent of the jobs our own children in elementary school will be doing in the future do not yet exist

These are just a couple of data points that capture the significant change ahead. Are you ready? If you believe your C-Suite is behind in developing a workforce strategy to compete in the digital age, now is the time to leap forward. If you believe they are ahead, it’s time to invest in accelerating their march.

Brian Baker is a Partner in Mercer’s New York office and the US Digital Workforce Leader. He is focused on helping business leaders determine and build their Workforce for the Future strategy and execution plans.

Tone at the Top: Making the Music Match the Words

NACD Blog Feed -

Roger O. Goldman

“What would you do if I sang out of tune? Would you stand up and walk out on me? Lend me your ears and I’ll sing you a song, and I’ll try not to sing out of key. Oh, I get by with a little help from my friends.”

When The Beatles first recorded that song in 1967, it’s a safe bet they weren’t thinking about corporate governance and the role of the board of directors. Yet, as I’ve pondered the array of corporate scandals over the past decade, I found these fifty-one-year-old lyrics floating to the forefront of my mind.

Here’s why.

Whenever there is a highly publicized failure of corporate governance, the first question that’s typically posed is, “Where was the board?” However, in my experience—after 20-plus years of service in public and private companies, both in the for-profit and nonprofit sectors—that question rarely gets to the heart of the matter because process isn’t the primary culprit. A better question is, “What happened and why?”

Conventional wisdom examines whether the board had sufficient information, process, and the right reports. What often doesn’t get scrutinized is whether the board had the right people in the right places and if the chair or lead director is doing his or her job setting the tone at the top.

In this rapidly changing, complex world, it is incumbent upon the chair or lead director to continuously improve both the process and substance of governance, even in the strongest and healthiest of companies. This is where The Beatles’ lyrics come into play.

The Complexities of Conducting

The role of the chair or lead director is similar to that of an orchestra conductor. The conductor’s primary duties are to interpret the musical score of the composer via an ensemble of players. Using indications within the score, the conductor sets the tempo, shapes the phrasing, and guides the players to perform in concert. While it sounds simple enough, it’s a task of enormous complexity.

The sheet music that an orchestra is given can be likened to the committee charters and board responsibilities. The paper needs to contain the “right tune” and the right mix of notes, etc., but those same notes can be played beautifully or poorly, in harmony or in discordance. Even if individual performers are playing well, one bad violinist can wreck the whole orchestra if his or her part is not minimized or if the conductor doesn’t have the power or influence to get rid of the bad player. Taking the analogy further, the conductor also has to spot the talented players (i.e. board members), even if they are hidden away or young, and feature them.

Then there’s the pacing of the score—think board process. Whether it’s played loudly, softly, fast or slow, is a matter of feel. That’s what the conductor is expressing with his or her gestures and baton-waving. And, of course, the conductor has to be ahead of the music, so the sound carries to the audience, as well as anticipate what’s next.

So, you can have all the scores (or board processes) you want, but if the conductor can’t make the band of sterling musicians work together, the net result is less than stellar performance.

It’s doubly challenging in cases where the board doesn’t have an independent chair because the power of the lead director is usually quite limited, leaving him or her to conduct solely through influence versus explicit authority. In the corporate realm, these are some of the factors that must be considered when making governance better.

Soft Yet Hard

In its recent report, the NACD Blue Ribbon Commission on Culture as a Corporate Asset aptly stated, “While it is often perceived as a ‘soft issue,’ [culture] is actually a hard issue—both in the sense of having concrete impact, and in the sense of being difficult to assess.” The same is true of tone at the top. It can be incredibly hard to assess because it’s ethereal in nature, like the orchestra conductor filling the concert hall with melodious music.

But it does come down to the interactions among the board and its committees, and the transparency of information flow between management and the board at all levels. The responsibility for the “tone” of these interactions, i.e., getting the music to sound good, resides with the board chair or lead director.

In the collective interest of corporations and shareholders everywhere, there’s much to be gained by the ongoing tuning of this tone. Regularly posing the following questions is one example:

  • Are your governance processes appropriate for the speed of change today?
  • Is there sufficient clarity about the roles and responsibilities of the directors and management?
  • Are the right people in the right places for today and tomorrow?
  • Is the orchestra playing in concert in the eyes of the audiences, i.e., customers, employees, shareholders and the broader community?

The answers are less important than asking the questions and bringing this kind of curiosity to the board room now.

As the aforementioned NACD Blue Ribbon Commission reported, even for companies with healthy cultures, resting on laurels isn’t an option. The stakes are simply too high and the operating environment too volatile not to seek continuous improvement.

It concluded that, “Performed properly, culture oversight not only can be embedded into directors’ existing activities, but also can significantly improve the quality and impact of the board’s work overall.” This notion of making the music match the words when setting the tone at the top goes right along with the Commission’s finding. That, and a little help from friends, might even mean singing on key.

Roger O. Goldman is chair of the executive committee of American Express National Bank, lead director of Seacoast Bank, and former chair of the board for Lighthouse International. Opinions are his own.

Talk to Your Auditors About Cybersecurity

NACD Blog Feed -

Cindy Fornelli

If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.

Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.

The Importance of Communicating About Cybersecurity

Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.

Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”

Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.

At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.

CPA Firms and Cybersecurity: Bringing Expertise and Values

Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.

  • Deep expertise: Not only do certified public accounting (CPA) firms provide independent assurance services in both the financial statement audit and a variety of other subject matters, they have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.
  • Strong values: CPAs bring to bear strong values that have defined and guided the profession for over a century. Foremost among these values are independence, objectivity, and skepticism.

Key Topics to Discuss with Your Auditor

So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.

How the Financial Statement Auditor Considers Cybersecurity Risk

An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).

A talk with the external auditor might involve the following questions.

  1. How does the financial statement auditor’s approach include the consideration of cybersecurity risks when identifying and assessing risks of material misstatement for the financial statement and ICFR audits?
  2. If, as part of understanding how the company uses information technology in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
  3. Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
  4. What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
  5. In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?

How CPA Firms Can Assist Boards in Cyber-Risk Oversight

Although cybersecurity risk management practices are generally beyond the scope of a financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.

One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place in a company’s initiatives.

Here are seven questions to ask CPA firms about these initiatives.

  1. How can the AICPA framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
  2. How is the AICPA’s cybersecurity risk reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program? How does it determine whether controls within the program were effective at achieving the company’s cybersecurity objectives?
  3. What technical expertise do CPA firms possess that qualify them to perform a readiness engagement or an examination to validate effectiveness of controls specific to a company’s cybersecurity risk management program?
  4. The SOC for Cybersecurity examination cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
  5. What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
  6. What is the audit profession doing to help address cybersecurity risks from third party vendors or service providers?
  7. What other types of engagements are available to help board members with cybersecurity risk oversight?

These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.

Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.

The Relevance of Sustainability Performance to Board Risk Oversight

NACD Blog Feed -

Jim DeLoach

As discussions of sustainability move beyond financial performance, they tend to spawn divergent views. Many frame the term as what constitutes responsible behavior in driving continued development and growth without deteriorating the environment, depleting natural resources, or creating conditions that destabilize the economy and vital social institutions. Still others prefer to cleave to the traditional view of the corporation and remove external stakeholders and the environment altogether to focus solely on the sustainability of the business and its profits.

The type of short-term thinking applied when formulating policy and the kinds of long-term thinking driving sustainability development discussions are like oil and water, and looking to the business world, short-termism on the part of senior management is a sustainability killer. Without a long-term outlook in both the private and public sectors, the sustainability discussion will continue to be over before it begins.

Straight talk about sustainability leads to acknowledgement of several important realities:

  • Sustainability performance without acceptable financial performance is untenable. The two must be integrated, and neither is a substitute for the other. Overreach in pursuing either preempts long-term progress.
  • Many directors and senior executives believe the focus on sustainability is inevitable and, of necessity, strategic. Some constituencies believe that investments on the environmental, social, and governance fronts are incompatible with positive near-term returns.
  • Reasonable people can differ in their views as to the appropriate sustainability objectives for a given organization, based on the industry, stakeholder interest, and long-term outlook, as well as the time frame in which the entity should pursue those objectives.
  • A meaningful impact is only possible through the collective efforts of multiple entities in the private sector, sound policies in the public sector, cross-border global cooperation, and investors committed to the sustainability agenda.

The concept of selective investing offers a set of standards for a company’s operations that socially conscious investors use to evaluate investment alternatives. As professionally managed funds deploying environmental, social, and governance (ESG) factors to screen investments have increased assets under management into the trillions of dollars, directors and executives have taken notice. Earlier this year, the CEO of BlackRock issued a letter to chief executives calling for a “positive contribution to society” beyond financial performance in realizing their organization’s full potential, with emphasis on “understand[ing] the societal impact of [their] business as well as the ways that broad, structural trends—from slow wage growth to rising automation to climate change—affect [its] potential for growth.” As these and other related demands have increased from the investor community, so have requests for increased transparency.

Governance—the “G” in “ESG”—has steadily emerged as a significant differentiator and, increasingly, a make-or-break factor for investors. Bad corporate behavior during the Enron era at the turn of this century, reckless risk-taking precipitating the 2007-2008 financial crisis, catastrophic cyber breaches, egregious violations of laws and regulations, and wanton disregard of safety considerations in addressing cost and schedule pressures have accentuated the importance of effective governance and the strong organizational culture it encourages. As important as these matters are, they’re mere table stakes. The focus on sustainability raises the bar further, with the BlackRock letter calling for a “new model for corporate governance.”

There are other reasons why ESG is important. Younger generations place high importance on sustainability issues. A recent survey noted that 56 percent of public company directors believe that a corporate social responsibility policy increases a company’s ability to attract and retain employees. Also, deploying cost-effective technologies to increase process efficiencies and develop environmentally friendly products and services has become attractive in many sectors. While there is a long road to travel littered by brutal politics and more questions than answers, world opinion has been coalescing around achieving the goal of sustainable development.

Perhaps this is because the world around us all is changing so much. Advanced technologies make feasible what was impossible a decade ago. Global population growth continues to explode, and changing demographics and resource scarcity affect operations. Businesses are left to ask themselves what they are to do in the face of these changes, and corporate directors have a role in leading their companies to action.

Directors should ensure that management answers the question, “What does the organization do about sustainability?,” based on the nature of the entity’s industry, culture, markets, stakeholder priorities, regulatory environment, appetite to lead and invest, intrinsic challenges from an execution standpoint, and long-term outlook. Approaches to consider might include the following:

  • Articulate sustainability guiding principles and core values;
  • Assess current ESG performance to identify gaps and opportunity areas;
  • Conduct an assessment of opportunities to improve performance and address the risks of inaction;
  • Assess the entity’s current policies, processes, organizational structure, reporting, methodologies, and systems supporting the pursuit of sustainability objectives;
  • Based on the above, formulate a sustainability strategy and road map of key initiatives supporting that strategy;
  • Establish accountability for results by setting targets, assigning executive sponsorship, defining initiative ownership, specifying the appropriate performance metrics, and integrating those metrics with operational performance monitoring and the reward system; and
  • Establish disclosure controls and procedures to ensure reliable internal and external ESG reporting.

The strategy taken by investors in this age of sustainable development is challenging perceptions of the role of the corporation in society. The questions around sustainability—and how hard companies should be working to drive it as a goal—require serious reflection for executive management and the board. A strong commitment to sustainability places an emphasis on actions, not words; on disruptive innovation, not “business as usual”; and, most importantly, on leadership, collaboration, and transparency.

Jim DeLoach is managing director of Protiviti. 

What New Directors Should Expect from Cybersecurity Briefings

NACD Blog Feed -

Tom Turner

As a member of your company’s board, you know that cybersecurity is a critical risk that simply cannot be ignored, and that should be reported on regularly by the appropriate executives. According to the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, 89 percent of public-company directors say cybersecurity is discussed regularly in board meetings, and 72 percent of private-company directors say the same. Most companies are clearly moving in the right direction.

However, not all directors are familiar with cybersecurity operations and how to assess the associated risks. If you’re a newer member of your company’s board, you may wish to review some of the following topics that you should expect from security and risk teams in their cybersecurity presentations.

Navigating Your First Briefing

If this is your first time listening to a cybersecurity presentation at a board meeting, you can expect the chief information security officer, or CISO, to provide a short background on the company’s cybersecurity practices and how they define cybersecurity in their organization. They’ll also discuss how the board should approach oversight of cybersecurity. The most effective CISOs talk in terms of risk management, which means cutting out technical jargon and focusing on business value. They may also draw the board’s attention to cybersecurity’s impact on stock price and bottom line to establish a common language.

Below are some of the topics you can expect to be reviewed:

  • How the company generally approaches cybersecurity, including the organizational structure.
  • The company’s security performance benchmarked against industry peers.
  • Risks to the company’s cybersecurity environment.
  • The types of data that security teams consider most critical or sensitive to your company’s continued operations.
  • The critical operations that could be impacted by a cyber incident.
  • Some of the key external threats, insider threats, and third-party risks the CISO believes the company faces. This may include examples of cyber incidents that have occurred in other organizations in your sector or beyond.
  • How they envision board member involvement in cyber-risk oversight, and which types of incidents should involve the board in the response.
  • The cybersecurity and risk management programs the organization has in place.
  • How employees are trained on security internally.
  • The cybersecurity policies the company has in place today and the effectiveness of compliance with those policies.
  • The type of information they plan to share in future presentations.

What to Expect Going Forward

Now that you’ve experienced your first cybersecurity presentation as a board member, you can expect that the CISO will continuously educate you and the rest of the board on critical issues. You can expect to be briefed on the effectiveness of the risk management tactics the company is employing. In other words, you should know where and how the company is succeeding or failing (and how that compares to previous quarters), as well as any areas that need strategic improvement.

Here are some topics you can expect from the CISO in their ongoing security presentations to you and the rest of the board:

  • Technology that the company has purchased and integrated—with a focus on what it is doing for the organization.
  • Technology the CISO wants to purchase and why.
  • The accountability metrics the security team has created, categorized in the following ways, and followed by questions directors should ask the reporting CISO:
    • Audit & Compliance Metrics
      • Are we ISO/IEC 27001 certified, and what is the scope of that certification?
      • Do we have a vendor risk management program?
      • Do we have any outstanding high-risk findings open from our last audit or assessment?
      • How much of the NIST Cybersecurity Framework have we implemented, and which functions or categories remain?
    • Operational Effectiveness Metrics
      • How quickly can we remove employee network access?
      • How quickly can we (or our vendors) identify and respond to incidents?
      • What percentage of our users click on spear-phishing training emails?
      • How did we compare to our peers across certain time spans?

There is a lot to consider and process when listening to an effective cybersecurity presentation. Be sure to prepare yourself beforehand so that you know what to expect and can contribute to future meetings accordingly.


Tom Turner is CEO and President of BitSight.

Culture and ESG Governance: Inseparable In the #MeToo Era

NACD Blog Feed -

Andrea Bonime-Blanc

While I am not sure that it should be a radical idea, the following concept seems radical to some: internal organizational culture and external environmental, social, and governance (ESG) matters are, and should be, intimately and inextricably interconnected. They’re two sides of the same coin. I believe that it is not only time for boards to get cracking on internal culture governance, but that it is also a core part of good modern governance for directors to know the key ESG and corporate responsibility issues relevant to their companies. By tying the two together, boards can proactively and carefully oversee management’s efforts to act on these often siloed, disparate, or even ignored and untreated parts of a more resilient organization.

#MeToo, #TimesUp, and #NeverAgain

In the first and second installments in this series, I discussed these movements, context around them for corporate governance, and what directors might do to best oversee these risks. It has grown apparent that these movements also are related. So, what do the #MeToo, #TimesUp, and #NeverAgain movements have in common? Beyond simply being hashtags, they are movements that emerged in reaction to perceived and real decades of troubling policies, behaviors, and practices in both the private and public sectors. They represent both external stakeholders’ reactions as well as potential reputation risk and attendant financial losses to companies and their leaders (including boards).

These movements also represent a singularly contemporary phenomenon which both management and the board should proactively respond to: the intricate and deepening interrelationship of internal corporate culture and external ESG and stakeholder issue management. These two aspects of running a business have been long ignored or sidelined as not important to a business, but they are now emerging and, arguably, merging before our eyes. It is the job of management and the board to understand, manage, and oversee these governance imperatives effectively.

Mini-Case Studies 

A company’s treatment of external stakeholders is a mirror of its culture. The following four cases offer stark examples of the two extremes of how companies treat their stakeholders.

Cautionary Tales

  • The Weinstein Company: The toxic culture spread by its CEO and founder Harvey Weinstein was ignored, supported, tolerated, and proactively encouraged by its executives and board for many years. Take a look at this “Frontline” documentary to understand the full extent of the actions that led to the bankruptcy of this Hollywood film powerhouse. This case illustrates the intertwining of toxic culture on the inside with no sense of corporate responsibility. It also demonstrates disrespect for outside stakeholders such as established and aspiring actresses and other key third parties.
  • Wynn Resorts: The news out of this company affords another example of a long-standing toxic culture initiated and vitiated by the CEO and apparently supported or ignored by his handpicked board. Key stakeholders such as employees and third parties were adversely affected. Now the ex-wife of the deposed CEO and chair is leading the charge to create positive change at both management and board levels with an aggressive plan to cleanse and grow a healthy culture from the boardroom down into the organization.
  • In both of these cases it’s likely that neither board ever asked the CEO or management questions about internal culture or exercised oversight of ESG and stakeholder issues. It would not be surprising in both cases to learn that the board actively or passively ignored culture and responsibility issues while focusing exclusively on the financial bottom line.

Model Responses

  • Merck & Co.: The pharmaceutical company has for decades had a succession of great CEOs who have led the company to financial success while building a strong culture of integrity and social responsibility. Witness the crisis management of the complicated Vioxx case by former CEO Ray Gilmartin, who voluntarily withdrew the medication, in contrast to Merck’s competitor with equivalent challenged medications. The explanation? Merck did not want to adversely affect its most important stakeholders: customers and patients. Current Merck CEO Ken Frazier continues the long-standing tradition of having both a strong internal culture and being a leader on cutting-edge ESG issues externally.
  • Starbucks: A company with leadership that for years was known for having an enlightened corporate culture and for proactively managing its corporate social responsibility (CSR) initiatives may weather its current Philadelphia store racial incident better than most because of this close interrelationship. Starbucks’ ingrained, demonstrated care for its stakeholders was like muscle memory, allowing its management team to respond in lockstep with its lived values. How else does a company’s reputation survive this kind of incident and go further than probably any other company would by shutting down 8,000 stores country-wide for a day for implicit bias training?

The Role of the Board

In the face of this challenge and opportunity, what should boards do? First, they should oversee the internal culture of the organization which we talked about in part 2 of this series, and which the NACD Blue Ribbon Commission Report on Culture as a Corporate Asset discusses at length.

Second, boards must get much more involved in overseeing and ensuring that management has the right ESG and stakeholder relations program in place. The right program will embrace the interests of important stakeholders like customers, regulators, the media, suppliers, and current and future employees, among others.

And third, any discussion at the board level of culture or ESG should connect the two topics. Culture is part of ESG, and ESG is part of culture.

Crises that are not well managed can mean the difference between value creation and value destruction. Organizations need to forge a culture that is consistent both on the inside and the outside. When something critical happens, an organization that has forged a robust and resilient culture on the inside is more likely to weather the storm than a company that has paid little or no attention to laying a sound culture of values. Indeed, such enlightened companies may even have a reputation and value creation advantage, as I have discussed at length in my book The Reputation Risk Handbook: Surviving and Thriving in the Age of Hyper-Transparency.

Seven Critical Questions the Board Should Ask Management

As boards wrap their minds around the oversight of internal and external culture, they should consider asking the CEO and management the following critical questions:

  1. Does the leadership (CEO/C-Suite) ever discuss culture?
  2. If so, is it only culture talk (nice speeches, pretty pictures, glad-handing) or does it include culture walk (budgets, resources, reports)?
  3. Is there at least one high level executive who has “culture” explicitly included in his or her portfolio of responsibilities? If not, why not?
  4. Is there at least one high level executive who is in charge of managing ESG issues that are critical and important to the mission, vision, values and strategy of the company? If not, why not?
  5. Have ESG issues been identified as core and critical to the wellbeing of shareholders and key stakeholders (employees, customers, regulators)?
  6. When there has been a crisis involving ESG issues (e.g., a chemical spill, an allegation of executive harassment, an accusation of corruption) what is the track record of the company in handling that crisis? Were they prepared or did they manage the crisis by the seat of their pants?
  7. Is there an effective integration of key roles on ESG issues between human resources, legal, ethics and compliance, risk, public relations, and others that are relevant? Or is the management of such issues siloed, fly-by-night, or otherwise non-existent?

The answers to these and additional questions will lead to a holistic look at the culture of the organization, and will allow the board to understand what buttons need to be pushed to help the organization attain consistency, synchronicity, viability, transparency, and value in the marketplace.

The way a company treats its external stakeholders starts with its internal culture. And the internal culture of an organization starts and ends with leadership. The greatest responsibility of the board at the end of the day is to hold the CEO and the executive team responsible and accountable for all aspects of strategy—not just financial results.

#TimesUp for boards that are ignorant, negligent, or oblivious to these central issues.


Dr. Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory, a strategic governance, risk, cyber and ethics advisor, board member, and former senior executive at Bertelsmann, Verint, and PSEG. She is author of numerous books including The Reputation Risk Handbook (2014) and co-author of The Artificial Intelligence Imperative (April 2018). She serves as Ethics Advisor to the Financial Oversight and Management Board for Puerto Rico, start-up mentor at Plug & Play Tech Center, life member at the Council on Foreign Relations and is faculty at the NACD, NYU, IEB (Spain) and IAE Business School (Argentina). She tweets as @GlobalEthicist. This blog series borrows in part from her forthcoming book with Routledge/Greenleaf (2019), Gloom to Boom: How Leaders Transform Risk into Resilience and Value. All opinions expressed here are her own.
