Boards & Governance

Culture and Compliance: Board Lessons From Volkswagen

NACD Blog Feed -

This blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will be released at NACD’s Global Board Leaders’ Summit , Oct. 1–4.

A panel discussed how the iconic company became embroiled in scandal.

Wells Fargo & Co., Volkswagen AG (VW), Mylan NV, and Valeant Pharmaceuticals International are just a few of the companies that have recently experienced high-profile corporate crises stemming from ethics and compliance breakdowns. As corporate directors look to learn from these scandals, the John L. Weinberg Center for Corporate Governance, Association of Corporate Counsel, and Bloomberg Law® this April co-hosted the event Volkswagen Emissions Scandal—Lessons for Investors, Boards, Chief Legal Officers and Compliance & Governance Professionals.* The panel discussed the VW emissions scandal and lessons for boards of directors and general counsel (GCs) on instituting a corporate culture that promotes ethics and compliance.

Corporate Governance Causes of the VW Scandal

Charles M. Elson, director of the University of Delaware’s John L. Weinberg Center for Corporate Governance, notes in an article that three main governance practices at VW created a perfect environment for noncompliant behavior stemming from a lack of independent shareholder representation on the board:

  1. A complicated web of interests with dual-class stock, pyramidal ownership, and family control. The Porsche and Piëch families own just over 50 percent of VW’s voting rights through their preferred class stock in Porsche Automobil Holding SE, which in turn owns shares of VW (known as pyramidal ownership). Ferdinand Piëch, the grandson of Porsche company founder Ferdinand Porsche, was chair of VW’s supervisory board at the time of the scandal and served as CEO from 1993 to 2002. Piëch’s primary goal is said to have been to create the largest automaker in the world, with less regard for creating profit and shareholder value. This directive from the company leader, in an environment where shareholders outside of the family had little influence over the board, created a corporate culture where employees chose noncompliant behavior over failure when designing the “defeat devices” used to cheat U.S. emissions tests.
  2. The government as a major shareholder. VW was a state-owned enterprise until 1960 when it became privatized and left Germany’s Lower Saxony region with a 20 percent stake in the company. Elson opines that the interest of government officials is to be re-elected, often achieved through high employment rates. Therefore, government representatives on the board of VW were driven to create jobs at VW, the largest employer in Lower Saxony, even if adding those jobs was detrimental to profits.
  3. Labor representation on the board (codetermination). German law requires all companies with more than 2,000 employees to fill half of the board with employee representatives. Elson argues that the board’s ability to provide effective compliance oversight was diluted by labor representatives on the board who were essentially monitoring themselves, and hence more focused on obtaining higher compensation and decent working hours for employees.

In light of these conditions at VW, panelists shared a number of leading practices for GCs and directors in creating a compliant corporate culture:

Lessons for GCs

  • “You can’t legislate ethics, but you can promote them,” said one panelist. Be the devil’s advocate and stress the importance of risk management and cultural tones at different levels of the organization, i.e., the so-called tone at the top, mood at the middle, and buzz at the bottom.
  • Ensure your board spends adequate time on compliance issues. Directors are often bogged down by compliance and want to spend more time on strategy, but prioritizing compliance at the board level will create a culture that allows strategy to be carried out successfully.
  • Get the right information to the board at the right time. According to one panelist, “The GC—as well as risk managers and in-house lawyers—need to be tough enough to speak up and report to the board. At Lehman Brothers, the CEO was known as the ‘gorilla on Wall Street.’ He doubled down on real estate, which the risk officer beneath him knew was risky, but their concerns were never known to the board.”
  • Remember that your duty is to the company—not the CEO—even if you’re reporting to him or her. “If [you as] the GC [are] aware of a violation, you need to do the right thing and not be swayed,” said one speaker.

Lessons for Directors

  • Increase your exposure to more employees, including mid-level employees, to get a better sense of the corporation’s culture in practice below the C-suite.
  • Create straight reporting lines from the compliance officer, chief risk officer, and internal auditor to committee chairs. This empowers these officers to speak openly with board members about their concerns without management present. (See NACD’s brief on Audit Committee Oversight of Compliance, which is open to the public for download.)
  • Incentivize compliance through compensation metrics. See NACD’s briefs on Incentives and Risk-Taking and Board-Management Dialogue on Risk Appetite for guidance on designing incentive programs that promote high performance while limiting unhealthy risk-taking.
  • Should your company have one in place, reevaluate multiclass stock structures in light of investor perspectives. Research from the Investor Responsibility Research Center Institute shows that “controlled companies generally underperform on metrics that affect unaffiliated shareholders,” while the “Commonsense Corporate Governance Principles,” released by major institutional investors and others, says that “dual class voting is not best practice.”

 

* The distinguished panel of speakers included: Robert E. Bostrom, senior vice president, general counsel, and corporate secretary at Abercrombie & Fitch Co.; Charles M. Elson, Edgar J. Woolard, Jr. chair in corporate governance, director of the John. L. Weinberg Center for Corporate Governance, and professor of finance at the University of Delaware; Meredith Miller, chief corporate governance officer at UAW Retiree Medical Benefits Trust; Gloria Santona, retired executive vice president, general counsel, and secretary at McDonald’s Corp.; Professor Christian Strenger, academic director, Center for Corporate Governance at the HHL Leipzig Graduate School of Management; Anton R. Valukas, chairman at Jenner & Block LLP; and The Honorable James T. Vaughn, Jr., justice of the Delaware Supreme Court. Italicized comments above are from panelists that participated in this event. However, this discussion was conducted under the Chatham House Rule, so quotes are not attributed to individuals or organizations.

Building a Cybersecurity Talent Pipeline

While prominent companies and healthcare institutions around the world were reacting to a ransomware attack known as WanaCryptor 2.0, or WannaCry, a young man working for a cybersecurity firm in southeast England landed on a solution that cost just $10.69. He found the so-called “kill switch” in the malware’s code that involved the simple purchase of an unregistered domain name. He promptly registered the domain, halting WannaCry’s spread. The identity of this cyberknight remains anonymous, but one notable fact about his background has emerged: he’s only 22 years old.

According to a 2015 study by the Center for Cyber Safety and Education, the average age of security practitioners is 45 years old. Many security professionals will leave the workforce within the next 20 years, but younger professionals are not seeking careers in cybersecurity at a pace sufficient to keep up with companies’ demands. Developing a workforce that will be prepared to meet companies’ increasingly complex cybersecurity needs means companies—and educators—will need to build a bigger, more inclusive talent pipeline for people interested in the practice.

Summer Fowler

When I spoke with cybersecurity expert Summer C. Fowler for the cover story of the May/June 2017 issue of NACD Directorship magazine, I asked about her work at Carnegie Mellon University to recruit diverse candidates to the programs she leads at the CERT Division of the Software Engineering Institute. One look at her Twitter profile illustrates that she’s a passionate supporter of the Cyburgh, PA Initiative, a program developed in partnership between Carnegie Mellon and the Pittsburgh Technology Council to advance the city’s status as a leader in cybersecurity technology. The initiative could not be successful without being inclusive.

“The issue of building a talent pipeline is such a challenge because of what we’re offering by way of schooling,” Fowler said about the role of university-level education in developing the cybersecurity talent pipeline. She then drew a parallel between the education and training of doctors in the 1970s and the challenges the cybersecurity sector has with finding diverse candidates. “When you look back to the early 1970s, the medical field was exactly the same. Only about 11 percent of doctors were women. There also were not many minority doctors in this country. We’re investigating what changes in the medical community were made to bring in more women and underrepresented minorities, so that we can do the exact same thing with computer science and engineering fields.”

Fowler pointed out that there needs to be further delineation of roles in the cybersecurity industry to clarify the hierarchy of talent desired. “When we talk about cybersecurity, we all think about a Ph.D. from Carnegie Mellon or from Stanford,” Fowler said. “We need to get better at differentiating the roles and what training requirements are. When we get there, I think that striation of roles will naturally open a pipeline to more people who are interested in the field because it would be seen as this daunting job that requires a Ph.D.”

Still another challenge exists: getting diverse talent interested in the topic to begin with. I shared with Fowler an anecdote from my own high school experience. My path diverged from that of a male friend who was interested in white-hat hacking, which is the technology industry term for the benevolent hacking of systems to detect vulnerabilities. While I was curious about the world of professionals who were defending against cyberattacks, I had no outlet for learning about programming at the time. No one at my public high school in inner-city Memphis was engaging young women in learning about computer science in 2004, and my friend had family who supported and encouraged his interest.

Fast forward nearly 13 years later, and my friend is a practicing white-hat hacker for a Fortune 500 company. I, on the other hand, earned my bachelor’s degree in creative writing, and have since revived my interest in the topic and write about it from a governance perspective. Could I have been working at the same company with the helpful nudges of invested educators, or with after school programs for young women like Girls Who Code that are sponsored by interested corporations? Fowler seems to think the answer is “yes.”

She suggests that the solution now will not be to bring girls and young women to technology, but to bring discussions of technology to them within contexts that interest them. “Instead of saying to girls, ‘You need to belong to the computer science club,’ talk to them about what computer science might mean to ballet, or to whatever program they’re involved in.” She suggested discussing breaches to the entertainment industry with young people interested in acting or movies, for instance, as a way to pique their interest in a field they might not have considered before.

Ultimately, one of the greatest challenges to building the cybersecurity pipeline will involve developing aptitude tests, then encouraging promising young people to pursue a career down that pipeline. “It’s also a matter of figuring out what the specific competencies are. We’ve done a really good job for lots of different types of jobs at being able to say, ‘Let’s perform an assessment to see what your skills are and what you’d like to be doing.’ That process enables us to say, ‘Wow, you would make a great attorney, or you would make a really good financial analyst.’ We don’t have that in the realm of cybersecurity.

Building out more roles in cybersecurity and advocating for the inclusion of the role in other career aptitude tests would help young people—and perhaps even more women—to get excited to join the ranks of cyberknights in the future.

——

Katie Swafford is assistant editor of NACD Directorship magazine and also serves as editor of NACD’s Board Leaders’ Blog.

Click here to learn more about NACD’s online cyber-risk oversight program for directors.

Questions to Ask After the WannaCry Attack

Major General (Ret.) Brett Williams

After last week’s devastating global ransomware attack, now known as WannaCry, directors will once again be questioning management teams to make sure the company is protected. The challenge is that most directors do not know what questions they should be asking.

If I were sitting on a board, this attack would prompt me to ask questions about the following three areas:

  • End of Life (EOL) software;
  • patching; and
  • disaster recovery.

EOL Software. EOL software is software that is no longer supported by the company that developed it in the first place, meaning that it is not updated or patched to protect against emerging threats. WannaCry spread through a flaw in the Windows file-sharing service (SMBv1). Supported versions of Windows had a patch available for it; versions that were beyond EOL had no patch at all when the attack began, and Microsoft took the unusual step of releasing emergency fixes for them after the outbreak started.

Typically, a company runs EOL software because it has a critical application that requires customized software that cannot run on a current operating system. This situation might force you to maintain an EOL version of Windows, for example, to run the software. In the instance of WannaCry, the unsupported versions affected included Windows XP, Windows 8 (the original release, not 8.1) and Windows Server 2003. Boards should be asking what risks we are taking by allowing management to continue running EOL software. Are there other options? Could we contract for the development of a new solution? If not, what measures have we taken to mitigate the risks of relying on EOL software?

Other times companies run EOL software because they do not want to pay for the new software or they expect a level of unacceptable operational friction to occur during the transition from the old version to the new. Particularly in a large, complex environment the cross-platform dependencies can be difficult to understand and predict. Again, it is a risk assessment. What is the risk of running the outdated software, particularly when it supports a critical business function? If the solution is perceived as unaffordable, how does the cost of a new solution compare to the cost of a breach? Directors should also ask where are we running EOL software and why.

Patching. Software companies regularly release updates to their software called patches. The patches address performance issues, fix software bugs, add functionality, and eliminate security vulnerabilities. At any one time, even a mid-sized company could have a backlog of hundreds of patches that have not been applied. This backlog develops for a variety of reasons, but the most central issue is that information technology staff are concerned that applying the patch may “break” some process or software integration and impact the business. This is a valid concern.

In the case of WannaCry, Microsoft issued a patch (security bulletin MS17-010) on March 14, 2017 that closed the vulnerability the malware used to spread from machine to machine. Two months later, hundreds of thousands of machines remained unpatched and were successfully compromised.

Directors should ask for a high-level description of the risk management framework applied to the patching process. Do we treat critical patches differently than we treat lower-grade patches? Have we identified the software that supports critical business processes and apply a different time standard to apply patches there? If a patch will close a critical security vulnerability, but may also disrupt a strategic business function, are the leaders at the appropriate level of the business planning to manage disruption while also securing the enterprise? Have we invested in solutions that expedite the patching process so that we can patch as efficiently as possible?
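Both sets of questions above (where EOL software is running and whether it supports a critical function; which pending patches have slipped past the time standard for their severity, with a tighter standard on critical assets) can be answered mechanically from an asset inventory. The following is an added example, not code from the original post or its author: a short Python report over a constructed inventory dated to the day of the WannaCry outbreak. The host names, the SLA values, the Windows 7 entry and the patch identifiers other than MS17-010 are illustrative assumptions; MS17-010 (released March 14, 2017) and the end-of-support dates for Windows XP and Windows Server 2003 are real.

```python
"""Added example (not from the original post): EOL and overdue-patch report
over a constructed asset inventory.  Host names, SLA values and the
EXAMPLE-* patch identifiers are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Vendor end-of-support dates.  Windows XP (2014-04-08) and Windows Server
# 2003 (2015-07-14) are real; None means still supported on the report date.
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": None,
}

# Assumed policy: maximum days a pending patch may sit unapplied, by patch
# severity.  The window is halved for hosts that support a critical function.
PATCH_SLA_DAYS = {"critical": 14, "important": 30, "moderate": 90}

# Report date: the day WannaCry broke out.
REPORT_DATE = date(2017, 5, 12)


@dataclass
class Patch:
    bulletin: str
    severity: str        # "critical", "important" or "moderate"
    released: date


@dataclass
class Host:
    name: str
    os: str
    critical_function: bool          # supports a critical business process?
    pending: list = field(default_factory=list)   # patches not yet applied


def eol_hosts(hosts, today=REPORT_DATE):
    """Return (host, years_past_eol) for every host on unsupported software."""
    out = []
    for h in hosts:
        eol = EOL_DATES.get(h.os)
        if eol is not None and eol <= today:
            out.append((h, round((today - eol).days / 365, 1)))
    return out


def overdue_patches(hosts, today=REPORT_DATE):
    """Return (host, patch, days_overdue) for pending patches past their SLA."""
    out = []
    for h in hosts:
        for p in h.pending:
            sla = PATCH_SLA_DAYS[p.severity]
            if h.critical_function:
                sla //= 2                       # tighter standard on critical assets
            deadline = p.released + timedelta(days=sla)
            if today > deadline:
                out.append((h, p, (today - deadline).days))
    return out


# Constructed inventory.  MS17-010 is the real bulletin; the rest are assumed.
MS17_010 = Patch("MS17-010", "critical", date(2017, 3, 14))
HOSTS = [
    Host("lab-analyzer-01", "Windows XP", True),
    Host("file-srv-02", "Windows Server 2003", False),
    Host("hr-desktop-17", "Windows 7", False, [MS17_010]),
    Host("erp-app-01", "Windows 7", True,
         [MS17_010, Patch("EXAMPLE-2017-001", "important", date(2017, 3, 14))]),
    Host("dev-box-05", "Windows 10", False,
         [Patch("EXAMPLE-2017-002", "moderate", date(2017, 3, 14))]),
]


def report(hosts=HOSTS, today=REPORT_DATE):
    """Human-readable lines answering the board's two questions."""
    lines = []
    for h, years in eol_hosts(hosts, today):
        tag = "CRITICAL FUNCTION" if h.critical_function else "non-critical"
        lines.append(f"EOL: {h.name} runs {h.os}, {years} years past support ({tag})")
    for h, p, over in overdue_patches(hosts, today):
        lines.append(f"OVERDUE: {h.name} missing {p.bulletin} ({p.severity}) by {over} days")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

The point of the two-tier SLA is the question in the text about applying a different time standard to software that supports critical business processes: the same missing patch is 45 days overdue on an ordinary desktop but 52 days overdue on the critical ERP host, and the report says so.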

Disaster Recovery. It is considered a disaster when your company ceases to execute core business functions because of a cyberattack. In the case of WannaCry, many businesses, including essential medical facilities in the United Kingdom, could not function. WannaCry was a potent example of how a cyberattack, which is an abstract concept for many business leaders, can have devastating impact in the physical world.

One aspect of disaster recovery is how quickly a company can recover data that has been encrypted or destroyed. Directors should have a strategic view of the data backup and recovery process. Have we identified the critical data that must be backed up? Have we determined the period of time the backup needs to cover and how quickly we need to be able to switch to the backup? Have we tested ourselves to prove that we could successfully pivot to the backup? What business impact is likely to occur?

The hospitals impacted by WannaCry present another angle of the disaster recovery scenario. For these hospitals, the disaster wasn’t limited to the loss of data. Most medical devices in use today interface with a computer for command and control of that device. During this attack, those command and control computers were rendered inoperative when the ransomware encrypted the files the control software depends on to issue commands to the connected device. In many cases there is no way to revert to “manual” control. This scenario is particularly troubling given the potential to cause bodily harm.

It is easy to see a similar attack in a manufacturing plant where a control unit could be disabled bringing an assembly line to a halt. And it is not hard to imagine a threat to life and limb in a scenario where we rely on computer control to maintain temperatures and pressures at a safe level in a nuclear power plant.

Directors should ask about the process to recover control of critical assets. Can we activate backup systems that were not connected to the network at the time of the attack? If we bring the backup system on line, how do we know it will not be infected by the same malware? Have the appropriate departments practiced recovery process scenarios? What was the level of business disruption? Does everyone in the company know his or her role in getting critical operations back up and running?
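The questions on data backup above (what is backed up, how old the backup may be, how fast the switch must happen, and whether that has actually been tested) and the question just asked about whether a backup brought online is itself infected can be turned into a repeatable drill. The following is an added example, not code from the original post or its author: a Python restore drill that builds a constructed set of production files, takes a backup with a SHA-256 manifest, overwrites the production copies to stand in for the attack, restores into a clean location, verifies every file against the manifest, and reports recovery point and recovery time against targets. All file names, contents, paths and the 24-hour/4-hour targets are illustrative assumptions.

```python
"""Added example (not from the original post): a scripted backup restore
drill with integrity verification and RPO/RTO measurement.  Paths, sample
files and the targets below are assumptions made for illustration."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumed targets: restored data no older than 24 hours, restored in under 4 hours.
RPO_SECONDS = 24 * 3600
RTO_SECONDS = 4 * 3600


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(src: Path, dst: Path) -> dict:
    """Copy src into dst/data and record a manifest of relative path -> digest."""
    shutil.copytree(src, dst / "data")
    manifest = {
        "taken_at": time.time(),
        "files": {str(p.relative_to(src)): sha256_of(p)
                  for p in src.rglob("*") if p.is_file()},
    }
    (dst / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def simulate_attack(target: Path) -> None:
    """Stand-in for the ransomware: overwrite every file under target with noise."""
    for p in target.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) or 1))


def restore_and_verify(backup: Path, restore_to: Path) -> dict:
    """Restore backup/data into restore_to, then check every file against the
    manifest.  A backup that was reachable during the attack fails here
    instead of being trusted back into production."""
    manifest = json.loads((backup / "manifest.json").read_text())
    start = time.monotonic()
    shutil.copytree(backup / "data", restore_to)
    elapsed = time.monotonic() - start
    mismatched = [rel for rel, digest in manifest["files"].items()
                  if not (restore_to / rel).is_file()
                  or sha256_of(restore_to / rel) != digest]
    return {
        "verified": not mismatched,
        "mismatched": mismatched,
        "rpo_seconds": time.time() - manifest["taken_at"],   # age of the data
        "rto_seconds": elapsed,                              # time to switch over
    }


def run_drill(backup_was_online: bool = False) -> dict:
    """Build sample data, back it up, attack, restore and verify.  With
    backup_was_online=True the backup copy is overwritten too, modelling a
    backup that was connected to the network at the time of the attack."""
    workdir = Path(tempfile.mkdtemp())
    try:
        prod, backup, restored = workdir / "prod", workdir / "backup", workdir / "restored"
        (prod / "records").mkdir(parents=True)
        # Constructed sample data standing in for a critical application's files.
        (prod / "records" / "patients.csv").write_text("id,name\n1,example\n")
        (prod / "config.ini").write_text("[device]\nport=COM3\n")

        take_backup(prod, backup)
        simulate_attack(prod)                      # production is now unusable
        if backup_was_online:
            simulate_attack(backup / "data")       # so is the backup
        result = restore_and_verify(backup, restored)
        result["rpo_met"] = result["rpo_seconds"] <= RPO_SECONDS
        result["rto_met"] = result["rto_seconds"] <= RTO_SECONDS
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
    print(json.dumps(run_drill(backup_was_online=True), indent=2))
```

The manifest is written at backup time and verified at restore time, so it must live somewhere the attacker cannot reach along with the backup itself; in a real drill the numbers to put in front of the board are the measured recovery point and recovery time against the agreed targets, and whether the verification passed.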

Directors provide oversight of the risk management process—they do not execute the process. Understanding how the company is managing risk around EOL software, patching, and disaster recovery sets the right tone at the top and ensures that the company is better prepared for the inevitable next round of attacks.

Major General (Retired) Brett Williams is a co-founder of IronNet Cybersecurity and the former Director of Operations at U.S. Cyber Command. He is an NACD Board Governance Fellow and faculty member with NACD’s Board Advisory Services where he conducts in-depth cyber-risk oversight seminars for member boards. Brett is also a noted keynote speaker on a variety of cyber related topics.

Looking to strengthen your board’s cyber-risk oversight? Click here to review NACD’s Cyber-Risk Oversight Board Resource Center.

The Board’s Role in a Crisis: Ready or Not?

Kimberly Simpson

If power and cellular phone service to your plant were inoperable because of a devastating hurricane, how would you reach employees to confirm their safety first, and then address the status of the facility? If your company handled classified projects and a building’s power grid failed in a natural disaster, how long would backup generators work before being refueled by trucks that might not have an easy route to the building? What if the building’s doors were unlocked after the back-up locks failed—could the classified work within the facility be compromised?

These real-life stories, shared at the April program of the NACD Carolinas Chapter, illustrate the unpredictable nature of crises. How can companies prepare for the unknown, and what role does the board play in oversight and direct response in the event of a crisis?

James H. Hance, director for The Carlyle Group, Cousins Properties, Acuity Brands, and Ford Motor Co. (and a former director of Sprint Nextel Corp., Bank of America, and Morgan Stanley), and Linda P. Hudson, chair and CEO of The Cardea Group, and director of Bank of America, Southern Company, and Ingersoll Rand, shared their experiences and advice on crisis management. They were joined by Deloitte’s Henry Phillips and Theresa Drew, who moderated the conversation.

Lessons learned from real-world crises and how the boards of their companies responded follow.

1. Establish and understand what amounts to a crisis.

  • “As a director, you know the company will have a crisis,” said Hance. “But what will that crisis be and how do you prepare?” He defined a crisis as an immediate problem that “requires the CEO of the company to be involved.”
  • Further, the initial measure of a company’s successful response tends to be tied to how early the crisis is identified. Social media may lead to the whole world knowing about the crisis very quickly, so the company must be agile enough to respond very quickly in kind.

2. Prepare for the known, but expect the unknown.

  • According to Hudson, if your company hasn’t thought through the possible risks involved in crisis scenarios, then the company likely will fail in its response. However, even if risks have been evaluated, there “isn’t a high probability the crisis that happens will be what was originally identified.” Hance added that those companies with a robust enterprise risk management function will likely be more prepared for a crisis, whatever it might be.
  • During her time as CEO at BAE Systems, Hudson deployed playbooks that addressed key crisis management questions. Some of the most critical items included in those playbooks follow.
    • Who will identify the situation as a crisis?
    • Who is on the team that is pulled together to respond to a crisis?
    • What is the escalation protocol?
    • Who calls whom (ex., customers, regulators, and other stakeholders)?
    • Who will be the public face of the company?

3. Board oversight is critical.

  • “The board must be in the escalation cycle in a crisis management plan,” said Hudson. Hance agreed. He also added that the board should exercise policy oversight. Hance pointed to a recent story in the news. A board would not, for example, look at how passengers are removed from planes. However, it would review the airline’s policy for bumping passengers, as well as the company’s culture, and make suggestions to management based on those considerations.
  • Phillips also emphasized the role of the lead independent director given that a crisis can be very emotional for board members closer to the company. The lead independent director can act as a source of calm leadership through a crisis. In addition, Hance emphasized, “The CEO needs to have a sounding board, and this group of people should be identified and set up ahead of time.”

4. Learn from each crisis and study your competitor’s crises to help prepare for your own.

  • Each crisis—whether one of your own or one happening at a competitor’s company—is an opportunity to learn. For example, panelists pointed out how well the CEO of General Motors Co. handled the ignition switch crisis, and called out the genuine connection the company made with affected people. Hance concurred and noted that other car companies were watching and learning. He also shared how Ford changed some of its processes after Toyota Motor Corp.’s crisis over sticking accelerators.
  • Unexpected events like 9/11 and Hurricane Katrina taught companies valuable lessons. For example, many New York banks routed electronic traffic through networks at the World Trade Center. When those networks went down, so did the banks’ ability to do business, according to Hance. Similarly, Hudson shared that after Hurricane Katrina made landfall on the Gulf Coast in 2005, landlines and cell phones alike stopped functioning. Now the company has satellite phones in each of its locations, enabling seamless communications in the event of a communications-disrupting crisis.

5. Use outside help judiciously.

  • Depending on the industry, Phillips noted the importance of ensuring that the company has the right connections to important officials in the event of a crisis. For example, does the company have an established contact at the Federal Bureau of Investigation in case of a cyber-attack?
  • The panel agreed that, while legal help can be critical, it is also important to be open and honest, resisting any advice to keep silent during the crisis. Liability will follow, regardless. When asked about involving public relations firms, Hudson shared that each company “should tell its own story.” Doing so can be more authentic.

6. Always do the right thing.

  • The panelists agreed that the best defense in a crisis is to be sure the company directly addresses the personal needs of those impacted—whether they’re employees or members of the community. After Katrina, Hudson’s company assisted employees in Mississippi who had no access to banks by meeting their need for cash through the recovery period. The company never asked for that cash back.
  • Hance noted that the board is likely to be criticized in a crisis regardless of whether the proper oversight was exercised. So, as a company, the best approach is to identify what feels like the correct response for each event, and simply to “do the right thing.”

NACD Carolinas would like to thank the panelists for sharing their experiences with attendees and Deloitte for its support of the program.

Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.

Walter Isaacson on Going Home

When Walter S. Isaacson winds down his 14-year tenure as the president and CEO of the Aspen Institute at the end of this year, his beloved hometown of New Orleans will be seeing more of him. Students in his classroom at Tulane University will be the lucky recipients of his rich knowledge and experience as he returns as a professor in those stately halls in the Garden District.

Walter S. Isaacson will speak at NACD’s 2017 Global Board Leaders’ Summit.

Isaacson, who has penned biographies of such greats as Benjamin Franklin, Albert Einstein, and Steve Jobs, will speak at NACD’s 2017 Global Board Leaders’ Summit in October on innovation and disruption. (He will also release a new biography on Leonardo da Vinci in October.)

In addition to his work as a writer, Isaacson keeps his governance plate quite full: he is a director of United Continental Holdings and an advisory board member of the National Institutes of Health. His nonprofit board service includes the Society of American Historians, the Carnegie Institution for Science, and My Brother’s Keeper Alliance. He also has served as an advisory board member at Perella Weinberg Partners, a global financial services and advisory firm, since 2015.

I recently had the opportunity to correspond with him via e-mail and ask him any question my heart desired. While the edited version of our full interview will run in the forthcoming May/June 2017 issue of NACD Directorship, I saved choice pieces from our exchange that unfortunately landed on the cutting room floor due to the physical constraints of a magazine page.

Many of my questions were inspired by newspaper headlines. “Why I’m Moving Home,” a recent New York Times op-ed piece by lawyer cum venture capitalist J.D. Vance, particularly grabbed my attention because it explores a common question: Can you really go home? Can you re-integrate yourself into that community—let alone revitalize it?

Isaacson seems to think so—and he’s a living example that it’s possible. Both he and his wife have divided their time between Washington, D.C. and New Orleans for some time. “I am happiest in my hometown of New Orleans dealing with issues of urban planning, jobs programs, and education reform,” he writes. “I got re-involved after Hurricane Katrina when I was made vice chair of the Louisiana Recovery Authority. My wife and I have a place in the French Quarter. I think there is more impact to be made when we act locally, and I am lucky that I have a deep passion for the town where I was born and raised.”

And how have the horrors of Hurricane Katrina shaped his worldview? The storm not only physically decimated New Orleans, but in its aftermath, the city’s population dropped by half largely due to storm-related displacements. Isaacson is determined to help reverse this radical demographic shift by invigorating education and entrepreneurialism to attract top talent and great thinkers back to the city.

“Hurricane Katrina reminded me of the value of home,” he writes. “I think that when we are looking for the good we can do and the impact we can have, now is a good time to be looking locally. I am fortunate to have New Orleans as my hometown. We are trying new ways to reform education and make an innovative environment for creative people and entrepreneurs.”

Do you have a similar experience of returning to your hometown to change it for the better? Do you serve on a board that inspires a company to better serve the communities in which the business operates? We’d love to hear from you. Share your experiences in the comment section.

Judy Warner is editor in chief of NACD Directorship magazine.

Would Your Board Pass This Cyber-Risk Oversight Test?

Gov. Tom Ridge

“If you had to sign a cybersecurity certification similar to the financial reporting requirements for corporate officers under Sarbanes-Oxley (SOX) Section 302, could you do it?”

As my firm counsels boards and C-suite executives on cyber risk, we often begin by framing our conversation with that provocative question. How directors answer will indicate how confident they are in the cybersecurity posture of their business.

As an exercise, let’s review SOX Section 302. For the purposes of this discussion I have replaced the finance-related text with cybersecurity-specific language. These changes are bolded, and other elements that are critical SOX measures for proper oversight by officers and the board are underlined.

SEC. 302. CORPORATE RESPONSIBILITY FOR CYBERSECURITY REPORTS.

(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m,78o(d)), that the principal executive officer or officers and the principal cybersecurity officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that— 

(1) the signing officer has reviewed the report; 

(2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading; 

(3) based on such officer’s knowledge, the cybersecurity statements, and other cybersecurity information included in the report, fairly present in all material respects the cybersecurity condition and results of operations of the issuer as of, and for, the periods presented in the report;

(4) the signing officers—

(A) are responsible for establishing and maintaining internal controls;

(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and

(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;

(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—

(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report cybersecurity data and have identified for the issuer’s auditors any material weaknesses in internal controls; and

(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and 

(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. 

Now, how confident are you in the state of your cyberposture? Fortunately, to use the old exercise phrase, “this has been only a drill.”

However, multiple federal regulators, including the Securities and Exchange Commission, the Federal Trade Commission, and state agencies such as the New York Department of Financial Services, have become far more aggressive in holding corporate officers and board members accountable for cybersecurity oversight. And it is not out of the question that SOX-like requirements may materialize in the future, should another series of damaging breaches occur impacting consumers.

Regardless of whether regulators may soon require such specific attestations, significant discomfort with these questions at the board and C-suite level can indicate that cybersecurity is not being managed as an enterprise, twenty-first century business imperative. With sensitive customer information, employee data, operational processes, intellectual property, and trade secrets all on your networks, cybersecurity represents a real business and reputation risk.

The truth is that most corporate boards aren’t prepared for cyberattacks. It is an esoteric topic that remains elusive to most corporate directors.

NACD has been leading on this issue to ensure that its members have the resources to get up to speed, increase their cyberliteracy, and enhance cybersecurity oversight. I am proud that my firm has been able to partner with them to create an education program specifically for corporate directors that leverages resources such as the NACD Cyber-Risk Oversight Handbook and the expertise of the CERT Division of the Software Engineering Institute at Carnegie Mellon University.

While no program or technology can guarantee that your organization will not be hit by a cyberattack, it is incumbent upon us all to learn what we need to know to ask the right questions and to close as many gaps as possible. As the regulatory environment continues to focus on our ability to provide effective oversight, doing nothing is a sure-fire way to find cyberthieves in your system as well as regulators, litigators, shareholders, and customers knocking on the boardroom door. 

Tom Ridge is chair of Ridge Global, a risk management and cybersecurity advisory firm. An experienced corporate board member, he previously served as the first U.S. Secretary of Homeland Security and as the 43rd Governor of Pennsylvania. 

Managing the Effects of Short-Termism on Risk Oversight

NACD Blog Feed -

Jim DeLoach

The complexities surrounding short-termism make it a tough nut to crack. Short-termism in this instance refers to a focus on short-term company performance results to the detriment of achieving long-term strategic goals. But in all its forms, short-termism is not sustainable in a rapidly changing world. That’s why directors need to ensure that the organizations they govern seek a healthy balance in addressing the short- and long-term interests of the organization’s senior executives and stakeholders.

Short-termism is certainly not a new concept. In a recent survey of more than 600 public company directors and governance professionals conducted by NACD, 75 percent of respondents indicated that pressure from external sources to make short-term gains is compromising management’s focus on long-term strategic goals. This pressure can affect the board’s risk oversight.

Short-termism manifests itself in many ways. The more common example is focusing on quarterly earnings at the expense of funding long-term sustainable growth. But it can also lead to the pursuit of several risky activities, including: M&A deals for growth’s sake without clear linkage to the overall corporate strategy; releasing new products to market without sufficient testing; allowing cost and schedule considerations to undermine safety on significant projects (e.g., deferring maintenance or taking risky shortcuts); and taking on excessive leverage to pursue activities that are currently generating attractive returns.

Underlying the evidence of short-termism is a complex series of root causes. Globalization, technological developments, improved transparency, and reduced transaction costs have facilitated capital flows, enabling investors to reallocate their assets to seek higher yields with greater ease. Hedge funds and other activist shareholders are also acquiring small stakes in a company with the objective of steering profits to shareholders immediately (through higher dividends, stock buybacks, asset spinoffs, or downsizing in lieu of investing in innovation that will improve productivity and drive future growth, for instance). Still another cause is the existence of compensation structures emphasizing executive pay over the near term to the detriment of long-term shareholder interests. These compensation models skew management’s decision-making toward maximizing short-term profits even at the cost of taking on excessive risk.

Following are six concrete steps the board can take to ensure short-termism does not compromise risk oversight:

1. Focus the board’s oversight on risks that matter. If risk management is focused primarily on operational matters, chances are management is not focusing attention on the right question: Do we know what we don’t know? To face the future confidently, both management and the board need to focus the risk assessment process on:

a. identifying and managing the critical enterprise risks that can impair the organization’s reputation, brand image, and enterprise value; and
b. recognizing emerging risks looming on the horizon on a timely basis.

Even though the day-to-day risks of managing the business are important, they should not command the board’s risk oversight focus except when truly pressing issues arise.

2. Lengthen the time horizon used to assess risk. Focusing on quarterly performance, annual budgets, and business plans may lead to a risk assessment horizon of no more than three years. That period may be too limiting because strategic opportunities and risks typically have a longer horizon—even with the constant pressure of disruptive change on business models. For example, the World Economic Forum uses a 10-year horizon in its annual risk study. Longer risk-assessment horizons are more likely to surface emerging issues, along with new plausible and extreme scenarios, that might have been missed with a shorter time frame. Thus, the board needs to satisfy itself that management is using an appropriate horizon.

3. Understand and evaluate strategic assumptions. Management’s “worldview” for the duration of the strategic planning horizon is reflected in assumptions about several topics: the enterprise’s capabilities; competitor capabilities and propensity to act; customer preferences; technological trends; capital availability; and regulatory trends, among other things. Directors should weigh in on management’s assumptions underlying the strategy. Doing so could reveal insights into the external environment and internal operating impacts that could invalidate the critical assumptions underlying the strategy. This is a useful approach to understanding sources of disruptive change.

4. Integrate risk and risk management with what matters. Short-termism can relegate risk to an afterthought in the formulation of strategy. Risk management similarly can become a mere appendage to performance management. The strategy, therefore, may be unrealistic and may involve taking on excessive risk. In addition, performance management may be overly focused on retrospective, backward-looking lag metrics. The board should ensure the strategy-setting process considers risks arising from strategic alternatives, risks to executing the strategy, and the potential for the strategy to be out of alignment with the organization’s mission and values. Directors also should insist that prospective, forward-looking leading metrics be used to complement the more traditional metrics used to manage the day-to-day business operations.

5. Watch out for compensation imbalances. Publicly listed companies on U.S. exchanges are required to disclose in the proxy statement whether the company’s system of incentives could lead to unacceptable risky decision-making in the pursuit of near-term rewards. The compensation committee typically conducts a review for excessive risk-taking in conjunction with its oversight of the compensation structure. Board concerns with respect to short-termism are a red flag for the compensation committee to sharpen its focus on the potential for troubling compensation issues that could lead to bet-the-farm behavior. A key question: Do key executives have sufficient “skin in the game” so they will be incented to take risks prudently in the pursuit of value-creating opportunities?

6. Pay attention to the culture. Short-termism can contribute to a dysfunctional environment that warrants vigilant board oversight. For example, management may continue to execute the same business model regardless of whether market conditions invalidate the underlying strategic assumptions. Also, operating units and process owners may be fixated on making artificial moves (e.g., deferring investments) and manipulating processes (e.g., cutting costs to the bone) to achieve short-term financial targets. Instead, the strategy should be focused on fulfilling customer expectations and enhancing the customer experience by improving process effectiveness and efficiency. These and other red flags warrant the board’s attention because they signal the possibility of unacceptable risk-taking that must be addressed.

If short-termism is a concern of the board, directors need to ensure their risk oversight process isn’t compromised by it. A strong focus on linking risk and opportunity can help overcome some of the “blind spots” that a myopic, short-term outlook can create.

Jim DeLoach is managing director of Protiviti. 

Talent Development Leaders Tackle Four Challenges

NACD Blog Feed -

Directors spend the bulk of their time every quarter reviewing financial results and receive updates on enterprise risk. However, very little time is spent reviewing talent development and succession planning. Compensation committee agendas and metrics tend to be dominated by executive compensation discussions, and relatively little focus is given to measuring and tracking talent development and retention across the leadership suite.

From Left: Steve Newton, Barbara Duganier, Eileen Campbell,  and Doug Foshee

Panelists at a recent event hosted by the NACD Texas TriCities Chapter, all leaders in the field of executive management and human resources (HR), discussed board-level talent oversight. Barbara Duganier, director, Buckeye Partners, served as moderator of a panel including Eileen Campbell, former vice president of human resources for Marathon Oil; Doug Foshee, former chair and CEO of El Paso Corp.; and Steve Newton, partner, Russell Reynolds Associates. The conversation confronted the fact that while the vast majority of CEOs are promoted from within, boards spend very little time on executive leadership development—and even less time on talent development beyond the chief executive.

The development of executive HR talent in an organization often seems to be left to chance. Whether it’s because the CEO and board don’t place critical importance on the position, or because the HR leader views the role less as a strategic asset and more as a compensation or benefits cost center, development of HR talent—and of others in the executive pipeline—deserves more board-level attention.

Below are several challenges that were discussed, as well as some solutions to developing talent and value from your company’s HR leadership.

Challenge 1: People think they’re good at recognizing talent, but biases and lack of process might lead to missing out on promising people. Ask any executive to identify high-potential employees, and they can always name a few promising people. However, because the ability to recognize a talented person is considered a soft skill, it doesn’t get measured or tracked on a regular basis. Interestingly, most people will identify people in their own image—just younger. Therefore, if the leadership team is not diverse, promising people who do not meet preconceived notions of what leadership looks like may be overlooked.

A Solution: Measure and track. HR leadership and the board should insist on tracking talent development-specific metrics with the same level of importance as financial metrics. Measuring also allows boards and executives to notice unconscious biases in recruitment and talent development.

Challenge 2: People are protective of their highest performers. Lateral moves and broadening development positions are imperative in order to assess and build talent across the organization. But as Campbell pointed out, managers are often reluctant to recommend their highest performers to other divisions.

A Solution: Once people are identified as high-potential employees, they should be considered “group resources” rather than belonging to a department or division. By operating across departments, leaders outside of the individual’s direct supervisors can take part in nurturing the long-term development of employees’ talents.

Challenge 3: People are reluctant to put high performers in certain roles due to a fear of failure that could result in career derailment. As a result, sometimes leaders are not “tested” outside their comfort zone, and can remain unproven until they’ve ascended to the role of CEO.

A Solution: Develop a program similar to General Electric Co.’s “popcorn stand,” a concept shared by Doug Foshee. This concept gives a future leader significant responsibility outside his or her comfort zone in a part of the business where the commercial impact on the overall organization is limited. In smaller organizations, these could be roles that require managing through ambiguity or that necessitate cross-functional skills. In larger organizations, these could be special projects or small profit-and-loss businesses whose bottom-line contribution is minimal or negligible.

Challenge 4: Boards are not comfortable addressing CEO succession if they have just named a new CEO. Steve Newton remarked that given the average tenure of a CEO is four to five years, it’s never too soon to begin assessing readiness of internal candidates if you believe they have gaps between current and desired capabilities.

A Solution: Identify a wide candidate slate within an organization early in a CEO’s tenure and begin developmental plans to grow a leadership team that has both breadth and depth of understanding.

For additional NACD thought leadership on effective management of human capital, culture, and talent development, members can review the Report of the NACD Blue Ribbon Commission on Talent Development. Key takeaways from speakers at the chapter program can be downloaded here, and to view the entire program visit the NACD Texas TriCities Chapter YouTube Channel.

Anna Catalano is director of Willis Towers Watson, Mead Johnson Nutrition, Chemtura Corp., Kraton Corp., NACD Texas TriCities Chapter, and the Alzheimer’s Association.
