Boards & Governance

Voluntary Public-Private Partnership on Cyber-Risk Oversight

NACD Blog Feed -

On Tuesday, the U.S. Department of Homeland Security selected and posted the NACD Director’s Handbook on Cyber-Risk Oversight on the Critical Infrastructure Cyber Community (C3) Voluntary Program website. At a press conference yesterday, four panelists, Ken Daly, president and CEO, NACD; Mark Camillo, head of cyber products for the Americas Region, AIG; Larry Clinton, president and CEO, ISA; and Dr. Andy Ozment, Assistant Secretary for Cybersecurity and Communications, DHS, spoke generally about cybersecurity as an issue for directors, and specifically about the contents of the handbook, created by NACD in association with AIG and ISA, which focuses on cybersecurity oversight at the board level.

Larry Clinton observed that the first of two goals for combatting cyber risks at board level is to raise awareness of cybersecurity as a risk directors must oversee. NACD has been actively engaged in educating the board member community on cyber issues for some time. In summer 2013, The Art of Cyber War graced the cover of NACD Directorship, followed by coverage in subsequent issues; NACD has held multiple roundtables and events focused on cybersecurity issues, including a day-long cyber-risk summit in Chicago, and has built the topic into the flagship Master Class program. In addition to the director’s handbook, other recent NACD thought leadership includes the white paper Cybersecurity: Boardroom Implications and a video series focused on technology and cybersecurity.

On Tuesday, Dr. Ozment emphasized the fact that cyber risks affect organizations of all sizes, sectors, and industries, stating that a director who doesn’t know about cyber incidents falls into one of two categories: either “your CEO doesn’t think you care about cyber incidents,” or “your CIO doesn’t know about the cyber incidents.” He followed with, “unfortunately the bad guys are doing more for cybersecurity awareness than any one of us can do.” Clinton’s first goal, realizing the “why” of cyber-risk oversight at board level, has been scarred into directors’ understanding.

Clinton’s second goal is simple but even more challenging: we have to work together to “solve it.” According to the forthcoming 2014-2015 NACD Public Company Governance Survey, 90 percent of directors believe their boards’ understanding of cyber risk needs improvement. Though directors get the “why,” they need guidance on the “how,” advice practical to boards’ oversight of cyber risk.

The NACD Director’s Handbook on Cyber-Risk Oversight provides insight into the “how.” Daly stated that cyber “is simply another risk [that] fits within the enterprise risk management system.” Camillo indicated that the handbook’s five principles “can be used immediately” and applied to an organization’s existing ERM program:

  • Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Principle 2: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Principle 3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  • Principle 4: Directors should set an expectation that management establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  • Principle 5: Board-management discussions about cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Daly further emphasized the “voluntary public-private partnership” between NACD, ISA, AIG, and DHS, reflected in the fact that the handbook is the first, and currently only, private-sector document featured on the DHS C3 Voluntary Program website. The concept of cross-sector partnership to combat cyber risks is a centerpiece of the president’s 2013 executive order, Improving Critical Infrastructure Cybersecurity. The handbook’s release signifies that the partnership-based approach is bearing fruit and the private sector is taking responsibility for cyber risk. Dr. Ozment agreed, stating that “managing cybersecurity is a shared responsibility,” and this handbook demonstrates widespread acceptance of the NIST cybersecurity framework. The handbook’s creators combined cyber, risk, and governance expertise to provide recommendations, broadly applicable to directors of all economic sectors, for combatting a national and international problem.

Through the Boardroom Lens


Directors attending the recent NACD Directorship 2020® event in Denver, Colorado engaged in group discussions about how boards can anticipate and effectively respond to environmental and competitive disruptors in the marketplace.

The half-day symposium at the Ritz-Carlton on July 15 was the second of three NACD Directorship 2020 events this year addressing seven disruptive forces and their implications for the boardroom. Summaries of the Denver speakers’ main points are available here.

Following each speaker, directors developed key takeaways for boards. Those takeaways fell within the parameters of the five elements of effective board leadership defined at last year’s NACD Directorship 2020 forums: strategic board leadership and processes, boardroom dynamics and culture, information and awareness, board composition, and goals and metrics.

Environmental Disruptor Takeaways

Strategic Board Leadership and Processes

  • Crisis response plan. Ensure that the company has a contingency plan in place that takes into account a potential environmental crisis. The plan should include how the company will respond to disruptions in the supply chain and production cycle, as well as to employees, customers, and investors.

Boardroom Dynamics and Culture

  • Culture. Boardroom culture should reflect that directors are ready and willing to be held accountable for environmental or climatological issues that arise for the company.

Information and Awareness

  • Engagement. The company should have an established communications plan to use in response to requests from shareholders and stakeholders regarding environmental matters.

Goals and Metrics

  • Green metrics. Becoming a sustainability-focused company requires adopting a long-term commitment to the cause. The board can communicate that commitment by establishing environment-related performance metrics that align with the corporate strategy.

Competitive Disruptor Takeaways

Strategic Board Leadership and Processes

  • Board agenda. Set aside time on the board agenda to discuss forward-looking strategy, so that the board’s focus is not limited to reviewing the company’s past performance.

Boardroom Dynamics and Culture

  • Culture. Fostering innovation requires risk. The culture throughout the organization should support failure and risk taking within the company’s tolerances. Also invite outside experts—or “white space” teams—to help trigger new, innovative thoughts.

Board Composition

  • Composition. Board composition should reflect a diversity of thought and experience. Regardless of background, directors should be willing to ask probing questions and stay aware of marketplace trends.

Goals and Metrics

  • Understanding the marketplace. Management should be able to answer who future competitors might be and what trends might gain traction.

The Environmental and Competitive Disruptors That Lie Ahead


More than 100 directors gathered at The Ritz-Carlton, Denver on July 15 to learn about competitive and environmental forces that can disrupt business as usual.

The half-day symposium was the second of three NACD Directorship 2020® events this year. The forums are addressing seven disruptive forces (competition, demographics, economics, environment, geopolitics, innovation, and technology)—the major trends and transitions expected to drive significant change for companies and industries in the near future—and the implications for the boardroom.

Environmental Disruptors

Linda J. Fisher, vice president of safety, health, and environment and chief sustainability officer at DuPont, called attention to five key sustainability trends: population growth, water supply, climate change, resource scarcity, and circular economies.

Population growth. The earth’s population is expected to reach nine billion by 2050. Population growth will lead to increased demand for food and other goods, while supply may be limited. This could lead to price hikes, increased regulation, and shortages.

Water supply. Water will become limited somewhere within businesses’ value chains, potentially affecting—among other things—transportation of goods. In December 2012 and January 2013, low levels in Mississippi waterways resulted in more than $6 billion in commodity losses when barges carrying goods were unable to pass through the river, according to waterways groups.

Climate change. The Intergovernmental Panel on Climate Change reported last year that they are 95 percent sure that human activity is primarily responsible for global warming.

Resource scarcity. Focus also should be placed on resource efficiency, concentrating mostly on improving building performance and reducing food waste.

Circular economies. Also gaining traction is the trend of circular economies, in which products are designed so they can be used and deconstructed, with the remaining materials captured for reuse or recycling.

And while companies are accustomed to the government regulating environmental issues, concerned consumers now are playing a regulatory role. These consumers increasingly are business savvy, understanding the degree to which companies rely on their reputations and brands. Activist consumers can call negative attention to a company’s brand until they see the change for which they have advocated.

These increased demands mean that companies should stay abreast of environmental and sustainability issues. There must be a balance found between sustainable market growth, environmental stewardship, and social responsibility.

Competitive Disruptors

Adam Hartung, managing partner at strategy consultancy Spark Partners, CEO of Soparfilm Energy Corp., board member of 6 Dimensions, and an NACD Fellow, shared his thoughts and concerns about the impact of competitive disruptors and how boards should help set the competitive edge at their companies.

People often think about bankruptcy filings as being the sign of business failure, but Hartung proposed that business failure begins when a company loses its relevancy.

He said the biggest risk to companies’ competitiveness is getting stuck maintaining the status quo. The secret of being successful in today’s marketplace is to overcome the “lock-in” to past successes.

Hartung detailed four steps that boards could take to stay competitive:

  1. Focus on trends and potential future competitors, rather than on companies that have been competitors in the past.
  2. Shift direction away from current solutions and customers’ desires and instead steer more toward marketplace needs and competitors.
  3. Ask how your company can disrupt the marketplace—not just how it can do things better, cheaper, and faster.
  4. Allow for white space innovation, in which creative thinkers (outside the board of directors) can develop business or product ideas that are outside the status quo. White space innovation can lead to ideas that will set the competitive curve in your industry.

Responding to Activist Challenges in the Boardroom


Recently, NACD convened the spring 2014 meeting of the Nominating and Governance Committee Chair Advisory Council. Delegates discussed the impact of activist investor challenges in the boardroom, with guests Janet Clark, a former director of Dell, and Bill McCracken, a former chairman of CA Inc. This session built on dialogue from the council’s previous meeting in November 2013, where delegates discussed shareholder activism from the investor perspective with two representatives of activist hedge fund Trian Partners: Nelson Peltz, CEO and founding partner, and Brian Schorr, partner and chief legal strategist. Insights from the April meeting include:

  • Understand the specifics of key investors’ profiles and priorities: Boards should ask management to report on takeaways from the company’s dialogue with “both sides of the house”—that is, those making investment decisions, as well as those who vote the proxy statements.
  • Activist campaigns often have a significant impact on board dynamics: Directors may have differing views on how to respond to an activist campaign, which can create tension among board members.
  • Senior management should maintain a focus on employees during an activist campaign. Many delegates agreed with one who urged boards to keep an eye on culture and employees: “We have to keep generating revenue and retaining our talent, in an uncertain and potentially very contentious environment.”
  • Use outside perspectives to help prepare for potential activist challenges: Independent assessments, including analyst reports, shareholder surveys, and third-party reviews of board members’ tenure and skill sets, as well as perspectives from the firm’s independent advisors, can be useful in this regard.

The forum also included a discussion on building the boardroom of the future through effective “board refresh practices.” For an in-depth discussion of these and other insights and questions, click here to read the full Summary of Proceedings.

How Boards Can Strengthen the Risk Oversight Dialogue With Management


This spring, members of the NACD Advisory Council on Risk Oversight convened in Washington, D.C., to discuss how boards can strengthen their dialogue with management on risk oversight. Participants—including Michael Hofmann, the former chief risk officer of Koch Industries and current director of Calpine—shared experiences, lessons learned, and effective approaches for embedding risk in board-level strategy dialogue. From that discussion—detailed in the meeting’s Summary of Proceedings—delegates focused on steps directors can take, including:

  • Establish a clear definition of what “risk” means at the company: For management and the board to work together, they need to establish a shared definition of what risk means to the company.
  • Monitor the company-wide risk culture: Directors should ensure that the company has a culture that supports the discussion of risk throughout the entire organization and is seen as part of the company’s fabric.
  • Avoid the trap of false precision: Looking at only the expected return of a new business program or strategic move can restrict dialogue and lead to minimization of the potential downside.
  • Get out of the weeds by taking a deep dive: To help counteract the tendency of boards and management to focus on operational, regulatory, and financial reporting risks, many boards conduct an annual “deep dive” or “off-site” meeting. These meetings are dedicated to thinking about, understanding, and challenging assumptions of strategic moves and risks.

The Summary of Proceedings also investigates ways in which directors can and do incorporate these practices into their boards’ activities. NACD members can click here to access the full list of takeaways.
