Boards & Governance

At a Glance: The Cycle of Continuous Improvement

NACD Blog Feed -

As the bar for director performance continues its steady rise, public company boards are expected to ensure that composition, skill sets, and core processes remain fit-for-purpose. The following infographic derived from the 2016–2017 NACD Public Company Governance Survey illustrates the different mechanisms boards are using to keep board composition and director turnover attuned to the organization’s evolving needs.

For more insights, download a complimentary copy of the executive summary of the survey.

Robotics and Automation: The Fourth Industrial Revolution Begins

Anthony Caterino

Robotic process automation (RPA) is among the hottest topics in today’s enterprise. RPA simplifies business processes by mimicking human actions and automating repetitive tasks without altering existing infrastructure and systems. Nearly every day, we hear stories of organizations streamlining operations and optimizing costs with RPA.

Why is this technology gaining such attention? Because it has the potential to make enterprise-wide business transformation a reality.

As directors continue to rethink and address their organization’s strategy, RPA should be considered as one component of an array of emerging technologies that are changing the game. These solutions include artificial intelligence, cognitive computing, and machine learning. Many call this the Fourth Industrial Revolution, and for good reason. Nearly half (47%) of US jobs could be impacted by computerization, according to a 2016 report authored by Oxford University and Citibank.

Sitting on the sidelines is no longer an option. Robotics technology has moved beyond proof of concept, and the business benefits are increasingly clear and attainable. In a recent example, EY worked with the Robotics Center of Excellence for a major U.S. bank to scale robotics on a global level. Results included a significant reduction in full-time employees (FTEs) across back- and middle-office business processes and decreased runtimes for automated processes. Leading organizations will focus on the long game, planning for scale, speed and pace of adoption on the automation journey.

Boards will play an important role in helping organizations seize automation’s full advantages—reduced redundancies, improved accuracy, speed to market, and the ability to free human staff for high-value work. Vigilant corporate governance will help promote the establishment of a robust operating model and provide oversight of controls and risk management. From the highest levels, the enterprise must successfully manage changes in technology, processes, and people to seize opportunity while enhancing risk management.

The Need for Strategic Vision

Boards looking to enhance oversight of corporate strategy in response to these disruptive forces can learn from the industry’s early successes and failures.

Despite industry promises of rapid, low-cost success, automation is not a one-size-fits-all journey. The board must guide leadership to make certain that a robust operating model exists for leveraging the best-fit technologies to meet the organization’s needs.

The operating model must adapt to support a hyper-agile implementation approach. EY recently worked with the C-suite of a leading financial services corporation to design a centralized automation strategy. This strategy established a common framework to support its federated environment. Ensuring that the company has adopted the right operating model is key to accelerating technology adoption and streamlining change management to succeed in an environment that is continually evolving.

The automation journey should also be results-driven, with an emphasis on return on investment. For one global insurer, EY developed a proof-of-value to explore opportunities to automate labor-intensive back-office processes. The results helped management make an informed decision based on tangible outputs. When implemented, robotics cut the cost to deliver high-frequency tasks in half. If properly designed, the automation journey can be self-funding using a laddered process, with the cost savings realized on initial programs used to fund successive initiatives. This contrasts with the enterprise-wide implementation model common with many legacy solutions.

A robust operating model can also help mitigate risk. For example, because many automation solutions are engineered to work with current enterprise software, the operating model must account for changes in an organization’s software layer. If changes are made without considering the automation tools, they can quickly crash important processes.

The Human Equation

Along with planning for the technology changes, boards must foresee the human elements of transformation and embrace the workforce of the future.

It is not uncommon for today’s powerful RPA technology to reduce the number of humans needed on a data-intensive process from 50 people to five. A robot costs approximately one-third the price of an offshore FTE and as little as one-fifth the price of an onshore FTE, according to the Institute for Robotic Process Automation. Boards must think strategically about a company’s entire workforce mix—from where people are located to who (or what) performs specific roles.

Yes, the opportunity for cost optimization exists. But forward-thinking companies will seize the advantages of reallocating and retraining people currently in rote functions to higher-value tasks that generate business insight. The board should set clear expectations for managing human capital beyond layoffs—to leverage people to gain a competitive advantage.

The bottom line is that workforce transformation enabled by automation is coming quickly. In fact, it’s already happening. The boards that realize this soonest and come prepared to lead management on a journey that optimizes both technology and people will position their organizations to win in the long run.

Anthony Caterino is vice chair and regional managing partner of the Financial Services Organization at EY. Steve Klemash is a leader in the EY Center for Board Matters in the Americas.

Responding to a Cybersecurity Breach: Crisis Communications Considerations

While technical defenses might help stave off some attempted hacks, sooner or later a company will become a victim of cybercrime, and a contingency plan for communicating about the aftermath of an attack is critical for any organization. RANE recently reached out to several experts for their advice to companies for managing the flow of information and maintaining control of an organization’s reputation in the event of a breach.

The Initial Response

Ann Walker Marchant

“There’s a lot to gain or lose when you approach the equity you’ve built in your brand—and trustworthiness is part of the value of your brand,” says Ann Walker Marchant, CEO of The Walker Marchant Group. After a breach, an organization’s leadership must keep in mind all of the people who have placed trust in the brand. The impacted enterprise must convey that it is “willing to do whatever it takes to ensure you minimize risk to them,” she adds.

“You have to understand that it’s most important you’re communicating with your own people internally,” Christopher Winans, executive vice president and general manager at Hill+Knowlton Strategies, argues. Organizations should not allow internal stakeholders to learn about a crisis from external sources. “When your own people are finding out through press reports, it harms confidence within your [entire organization].”

“With a cybersecurity breach, you often don’t know what’s been compromised, at least at the very beginning,” Walker Marchant explains. Often, the best bet is to expect the worst. “You’ve got to assume they’ve got everything and act accordingly without appearing to create fear and panic with your internal and external audiences,” while simultaneously dealing with pressure from various audiences and stakeholders, Walker Marchant said.

Reaching Out to Regulators

A client update published by Debevoise & Plimpton LLP, titled “How to Disclose a Cybersecurity Event: Recent Fortune 100 Experience,” states that Fortune 100 companies disclosed 20 “incidents of major data breaches or cybersecurity events between January 2013 through the third quarter of 2015.” Most of the affected organizations made initial public announcements via news reports instead of a current report on Form 8-K. Debevoise & Plimpton notes that companies that did go the Form 8-K route “most often did so where the breach involved customer financial information.” Organizations, the report’s authors add, “should also be mindful of selective disclosure issues and their obligations under Regulation FD.”

Debevoise & Plimpton also warns against the risk of disclosing incomplete information regarding a breach, noting that “the ‘known’ facts may represent a small piece of the cybersecurity risk mosaic, which can require significant forensic research to assemble.” Potential inaccuracies in any disclosure represent yet another risk for organizations.

Subsequent reporting of updated cyber risk factors was largely contingent upon how breaches were initially disclosed in periodic corporate reports. In annual reports that come after a material breach, the Debevoise & Plimpton report notes, many corporations “view their annual report as an opportunity to update and tailor risk factors more generally, and the occurrence of an intervening cybersecurity event provides fodder for such fine tuning.”

Differing Perspectives Within an Organization

Caution is important, although any delay in responding in a timely manner also presents a risk for targeted enterprises. At the outset of planning the response, Winans adds, “It is better to tell your constituencies what you don’t know than it is not to tell them anything.”

Steven Bucci

However, there are often conflicting viewpoints of how to act in the immediate aftermath. “The tech guys will weigh in and say the best thing the company can do is get a hold of the FBI and find all the things in the network that are screwed up so they can take action to fix it,” says Steven Bucci, a visiting fellow for special operations and disaster management at The Heritage Foundation. “But you’d be hard pressed to find any lawyers to give their leaders that advice; instead, they’ll say it will hurt the company’s bottom line, it’ll hurt the company’s stock, and it could open up the organization to claims by competitors. While all of that, frankly, is true, that leaves the organization as vulnerable as they were before the breach—and probably also in violation with the Securities and Exchange Commission, as well as open to potential lawsuits from customers or clients.”

Still, it’s understandable that a cautious approach may appeal to many who don’t want to create panic, or those who are simply conflicted over the best course of action, Walker Marchant says. On the other hand, any delay in crafting a measured public response can result in harm to an organization’s brand equity. “Stakeholders will want to know who knew what, when, and why didn’t you tell us?”

Christopher Winans

Winans says that a clear organizational response plan that involves upper management is crucial before a crisis. “The very first thing you need to do is create a team, a coordinating committee, that is made up of all the functional parts of the company—the C-suite, the CEO or COO. Ideally, it’s got to be the leader of the company that takes charge of the situation, and you have to have people from HR, legal, operations, IT and investor relations.” For a company that answers to a variety of regulators, it’s even more important to get people in different roles together.

“That’s a team that needs to meet every day,” Winans adds. And before an actual breach takes place, that same team should be practicing how they will respond to a worst-case scenario. Winans proposes a “flight school.” “We set up people to actually play out an actual scenario,” he says. “The whole thing is designed to feel like an actual crisis.”

Lessons of a Real World Response

The Sony Pictures hack is an instance where the company was a little more forthcoming, at least with law enforcement, because they had no idea who could be penetrating their systems so extensively. Nevertheless, they suffered serious criticism and ridicule for how poorly they guarded their network.

“Exactly what the breach entailed wasn’t clear at the very beginning,” Walker Marchant says. “It was death by a thousand knife wounds because it was that trickle-down approach, because every day was something different.” Lists of salaries, copies of unreleased films, and sensitive e-mail from senior leadership were also part of the data theft. Still, Bucci argues that “while they did get beat up pretty badly,” in the end “they got through it faster and with far more sympathy from the public by saying, ‘We got hammered.’”

As recent examples of flawed responses by organizations following cyber breaches highlight the risks of incomplete or inaccurate information, boards have one clear warning: Doing nothing is not an option. The age of instant communications and 24/7 media coverage ensures that very little in the cybersecurity universe can reliably remain under wraps for long—lessons that others have already learned the hard way.

“I think the biggest mistake is deluding yourself that you can contain this and no one will find out,” Winans says. “The fact is that very often the worst thing that can happen to a company isn’t a crisis situation. It’s how they respond to it.”

About the Experts

Steven Bucci is a Visiting Fellow for Special Operations and Disaster Management, as well as primary instructor in leadership, at The Heritage Foundation.

Debevoise & Plimpton LLP is a premier law firm with market-leading practices, a global perspective and strong New York roots.

Ann Walker Marchant is recognized as a preeminent strategist and counselor with more than 20 years of experience developing and leading wide-ranging initiatives for the White House and Fortune 100 brands.

Christopher Winans, executive vice president and general manager at Hill+Knowlton Strategies in New York, has 22 years of experience in journalism, 10 of those at The Wall Street Journal.

RANE is an information services and advisory company serving the market for global enterprise risk management. Learn more at www.ranenetwork.com.

Proxy Season 2017: Proposals on Top Compensation Turn Social

This spring, as usual, most pay-related resolutions in proxy statements will be from corporations seeking shareholder approval of pay packages for named executives. But not all the pay votes will implement this now-familiar “say on pay,” where shareholders look back at the past year’s compensation plan to give thumbs up or down. More shareholders will be proposing their own pay concepts for a vote this season—and many of these proposals will reflect shareholders’ growing interest in social issues.

Who Needs Dodd-Frank?

Directors in 2017 may see a new kind of resolution meant to re-assert any Dodd-Frank pay rules that get stalled or repealed this year. As reported in detail in the January/February 2017 issue of NACD Directorship magazine, President Trump may use executive orders to delay or undo Dodd-Frank, and Congress may revive a number of bills to repeal Dodd-Frank, including the parts of the law focused on executive pay. As expected, the president on February 3 issued an executive order outlining core principles that should guide the rollback of Dodd-Frank era regulations. As a result of this potential pullback on pay rule-making, companies may see shareholder resolutions mandating what those rules would have imposed, e.g., mandates for stricter executive pay clawbacks or for pay-versus-performance and pay-ratio disclosures.

Not surprisingly, directors and shareholders have been talking face-to-face about pay in preparation for this season. The 2016–2017 NACD Public Company Governance Survey reveals some interesting trends. In 2016, 48 percent of respondents indicated that a representative of their board had held a meeting with institutional investors over the past 12 months, compared to 41 percent in 2015. The most common discussion topics at those meetings were executive pay and CEO performance metrics and goals. Another common topic was “specific shareholder proposals,” which no doubt included the range of causes noted in our recent post predicting a rise in socially-minded proxy resolutions.

For many companies, measurement of performance includes social goals. In 2016, 80 percent of respondents to the NACD survey indicated that they consider non-financial metrics when evaluating executive performance to determine executive compensation. The metrics they use include, in descending order from 37 percent to 8 percent, the following:

  • Employee engagement/morale;
  • Customer satisfaction;
  • Workplace safety;
  • Maintaining good standing with regulators;
  • Product quality;
  • Employee turnover;
  • Sustainability-related measures; and
  • Workplace diversity.

Many of these performance metrics could be considered “social” aspects of pay.

Executive Pay Proposals at Apple, Walgreens Boots Alliance

The 2017 proxy at Walgreens Boots Alliance (WBA) reveals that Clean Yield Asset Management proposed that WBA issue a report linking sustainability metrics to executive pay. The proposal asks the board compensation committee to prepare a report “assessing the feasibility of integrating sustainability metrics into the performance measures of senior executives,” and defines sustainability as “how environmental and social considerations, and related financial impacts, are integrated into corporate strategy over the long term.” The company recommends a vote against this proposal, highlighting its achievements in the field of sustainability, and concluding that preparing this report would not be a productive use of company resources.

On another note, Apple’s 2017 proxy statement contains two shareholder resolutions on pay—one focusing on increasing the requirements for stock ownership, and one that takes a more social turn. In proposal 8, shareholder activist Jing Zhao brings into the current season an economic concern voiced by a significant number of shareholders across several companies in 2016, when the 250 largest companies saw 38 shareholder-sponsored proposals on pay. While the subjects of these proposals varied, most of the 2016 proposals alluded, in one way or the other, to compensation practice reform.

Zhao’s current resolution proposes the following: “Resolved: Shareholders recommend that Apple Inc. engage multiple outside independent experts or resources from the general public to reform its executive compensation principles and practices.”

In summary, Zhao’s proposal takes aim at the identical nature of the senior executive pay below the CEO, and questions the need of a compensation consultant given such conformity. But the supporting details reveal that the proposal is not really about how many advisors Apple engages. Rather, it is about income inequality. Zhao’s commentary goes on to address the larger picture of societal well-being. He quotes Thomas Piketty, arguing that income inequality “has contributed to the nation’s financial instability,” and tracing this inequality to “the emergence of extremely high remunerations at the summit of the wage hierarchy.” (Capital in the Twenty-First Century, Harvard University Press, 2014, pp. 297-298, reviewed here in NACD Directorship).

The response from Apple management addresses the proposal itself rather than the surrounding complaint. Apple’s executive officers “are expected to operate as a high-performing team; and we believe that generally awarding the same base salary, annual cash incentive, and long-term equity awards to each of our executive officers, other than the CEO, successfully supports this goal.”

The Sleeper Issue: Director Pay

The sleeper issue this year may be director pay. The 2015-2016 Director Compensation Report, authored by Pearl Meyer and published by NACD, showed only a modest rise in director pay, and predicted the same for 2017. Nonetheless, director pay is becoming a hot issue for shareholders.

Consider the new guidelines from the leading proxy advisory firm, Institutional Shareholder Services (ISS), which serves some 60 percent of the proxy advisory market. Proxy voting guidelines of ISS and Glass, Lewis & Co. contain updates to discourage perceived director overboarding—and compensation does not follow far behind. It is notable that ISS amended its proxy voting guidelines, effective February 1, 2017, to include director pay. The ISS voting changes also include changes to ISS policies on equity-based pay and other incentives, as well as amendments to cash and equity plans, such as mandatory shareholder approval for tax deductibility. But the most unexpected development was ISS’ support for “shareholder ratification of director pay programs and equity plans for non-employee directors.”

ISS says that if the equity plan is on the ballot under which non-employee director grants are made, ISS policy would assess the following qualitative factors:

  • The relative magnitude of director compensation as compared to similar companies;
  • The presence of problematic pay practices relating to director compensation;
  • Director stock ownership guidelines and holding requirements;
  • Equity award vesting schedule;
  • The mix of cash and equity-based compensation;
  • Meaningful limits on director compensation;
  • The availability of retirement benefits or perquisites; and
  • The quality of disclosure surrounding director compensation.

These values are not new. NACD went on record supporting such concepts in our Report of the NACD Blue Ribbon Commission on Director Compensation, issued in 1995. Every year since then we have issued an annual survey on director compensation with Pearl Meyer (cited above), reinforcing these key points.

In explaining the rationale for its policy update, ISS notes that there have been several recent lawsuits regarding excessive non-employee director (NED) compensation. For a summary of these lawsuits, see the Pearl Meyer/NACD director compensation report cited above.

ISS notes activity behind the scenes regarding director pay. According to the proxy vote advisor, “some companies have put forth advisory proposals seeking shareholder ratification of their NED pay programs,” and further, “ISS evaluated several director pay proposals during the 2016 proxy season, and we expect to see more submitted to a shareholder vote.”

Say on Pay for Directors?

Given the new interest in director pay, might it become subject to “say on pay” in the U.S.? Such a mandate has already begun overseas. Since 2013, Switzerland has had an “Ordinance against Excessive Compensation with Respect to Listed Companies.” The law mandates annual shareholder votes on the total pay awarded in any form by the company to its directors and, in a separate vote, to its senior executives. The pay period can be retrospective (last year) or prospective (next year). So far, after an initial surge of rebellion against some boards, approval ratings have been very high. The 2017 proxy season may continue this trend—or contain surprises. Given volatility in the global economy, and in shareholder sentiment, it is wise to avoid complacency.

To prepare for proxy season, directors can benefit by visiting the National Association of Corporate Directors’ (NACD) various resource centers, including centers on the compensation committee and on preparation for proxy season.

Experts Comment on International Regulations, Cybersecurity Risks

Overseeing risk is no small task for boards as a company’s footprint is no longer confined to local or even national boundaries. The globalization of business—spurred in large part by the Internet—has simultaneously expanded business opportunities while also introducing new worlds of risk that an organization must contend with.

The National Association of Corporate Directors (NACD) invited Joan Meyer, a partner at Baker McKenzie LLP, and SecureWorks Chief Threat Intelligence Officer Barry Hensley to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.

Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.

What is your outlook on the complexities of being an international company?

Joan Meyer: It’s becoming extremely complex because there is increasing enforcement from other jurisdictions. Five or six years ago, the U.S. was the predominant regulator and multinationals only had to deal with certain European countries in addition to the United States. Now, we are seeing emerging markets that are getting extremely aggressive. They are also putting in more restrictive laws and data privacy rules about the transfer of data. It’s a real conundrum for companies because they not only have to comply with U.S. law but the more robust law of various regimes, which create conflicts. Some of that risk may be theoretical because certain jurisdictions have not begun enforcing these laws—but it’s out there.

If you are disclosing information to a U.S. enforcement authority but you can’t get information out of a foreign jurisdiction, a U.S. regulator might not care—they just want the information. In this situation, not only is executive management caught in a bind, but the board will be asked: “What do we do?”

The U.S. Department of Justice is also pursuing individual prosecutions of mid-level managers and the C-suite, and there is increasing pressure on companies dealing with U.S. authorities to get cooperation credit by identifying individuals who are culpable for the misconduct. And it’s not only in the U.S. where that’s happening. Because the government wants real-time cooperation in pursuing individuals, it’s frustrating for companies because they are being pushed to provide investigatory conclusions to the government which they may not have completed. On a global basis—whether it’s Saudi Arabia, China, Russia, or Brazil—individuals are being actively pursued. The problem is compounded if they are expatriates who are working in these foreign countries for a limited period of time, don’t understand the culture, and are suddenly being subjected to detention or prosecution. This puts managers working outside countries with an established legal system at real risk because they may be pursued by authorities simply for a perceived failure to exercise their supervisory responsibilities in the right way.

What questions should a board chair ask the chief information security officer [CISO]?

Barry Hensley: First: What are our top five risks? Only by thinking like the enemy can the CISO begin to itemize and categorize the company’s security risks. Consider the following ways you may be attractive to cyber threats: your brand and how you’re perceived on the world stage; your digital capital, such as intellectual property, electronic currency, and personal data and how it’s secured; and your internet-exposed vulnerabilities.

Second: Does our security program have the visibility to detect an advanced adversary whose work eludes security controls? The threat does not remain static nor does the network. While some tactics and tradecraft are well known, the adversary is innovating, always seeking opportunities to bypass traditional protections. For example, while implementing multi-factor authentication is important, bad actors are finding ways to impersonate users and hijack credentials. Does your risk assessment learn from the headlines and adapt? It’s important to keep risk assessments current and update your mitigation strategies and budgets against these threats.

Third: Does your staff collectively understand the term “breach” and the conditions that trigger a formal response? Are you prepared with a meaningful, rehearsed, cross-disciplinary crisis response plan? While no company wants to dwell on the potential for serious incidents and breaches, preparation is still essential. This requires a real understanding of what constitutes an addressable incident, what triggers it, the steps that must occur to resolve the incident, and the people involved. Key tenets should be established, such as: knowing who’s in charge, how the board contacts the key players, and what the measurable actions we take to address the incident are.

Fourth: Is security training tailored to ensure appropriate audiences are aware of threat actors and their tactics? Different segments of the workforce present different risks, and the CISO must make sure each segment is aware of the tactics being used to exploit all avenues of compromise. Boards need to ask: Do employees understand how phishing works? Do administrators know the value of frequently changed passwords and vulnerability scans? Do web designers understand the importance of secure coding practices? Do executives and financial managers recognize that they are extremely lucrative targets for social engineering? And remember: there is no such thing as one-size-fits-all security training.

Want more? A panel of Fortune 500 company directors and subject matter experts will offer their insights on issues ranging from cyber resilience to the latest regulatory trends at Leading Minds of Governance–Southeast. Join us on March 16 in New Orleans, LA. Space is limited—register today.

Click here to read additional coverage of the Leading Minds of Governance–Southwest event with highlights from a discussion on the board’s role in overseeing talent and tone.

Focus on These Four Internal Audit Areas

Jim DeLoach

As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.

Here’s a closer look.

Culture

A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a culture of dysfunction inculcates a flawed business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.

Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:

  • understand the overall working environment;
  • identify the unwritten norms and rules governing employee interactions and workplace practices;
  • highlight possible barriers to an effective internal environment and communication flow;
  • report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
  • make recommendations to address identified problems.

Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom matches the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.

Competitiveness

Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-in-class performers because of underperforming business processes, the internal audit function can help improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization continuously improve its operations.

Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.

Compliance

Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:

  1. Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
  2. The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.

Internal audit should determine whether a cost-effective monitoring process is in place to address the top compliance risks, one that can also assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.

Cybersecurity

In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?

  • Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than accepting costly, system-wide protection measures that dilute attention to the most important assets, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
  • Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
  • Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.

By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.

Jim DeLoach is managing director of Protiviti.

Best Practices for Overseeing Talent and Tone

NACD Blog Feed -

A company’s human capital can be a complicated area of oversight for any board, especially when attentions must be turned to the top spot in the C-suite. Here, directors must ensure that the company is attracting and retaining the next generation of leading talent that will realize the company’s future success while setting a tone that promotes integrity throughout the organization.

A daunting task, yes, but one that’s not insurmountable.

The National Association of Corporate Directors (NACD) invited Blair Jones, a managing director at Semler Brossy Consulting Group, and Craig Woodfield, a partner at Grant Thornton and leader of the firm’s audit services practice, to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.

Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.

What is the compensation committee’s role in succession planning and talent development?

Blair Jones: While responsibility for succession planning ultimately rests with the full board, there are a number of things the compensation committee can do from a process perspective to support this objective.

First, the committee can look at leadership competencies and the overall leadership development process. The succession plan needs to be supported by a pipeline of talent throughout the organization. And the committee needs to know how that pipeline is developed—be it on-the-job mentoring, developmental role assignments, action learning programs, individual coaching, or relationships with business schools. Consider bringing in a leader who has been involved in these leadership development programs to speak about their experiences.

Second, the compensation committee can spend time with high-potential candidates at board dinners and through individual meetings. When the committee is determining end-of-year pay decisions, the CEO typically reviews people. Having met some of these individuals, it’s easier to participate in a discussion of what’s being done to take them to the next level. The committee can also make sure that the pay decisions actually fit the directions coming out of the succession planning process.

Compensation committees should also consider following results from employee engagement surveys. Ask: What do these results say about our ability to motivate talent and to retain them in the organization? This will help you get a better feel for the tone and culture of the company.

Look at diversity and inclusion initiatives. Understand the statistics and how those are changing over time throughout the organization. Also, spend time with talent management and succession planning the next level down. The board primarily works with the senior level, but the company’s future leaders are going to come from another level in the organization, and the compensation committee can help with succession planning by taking an initial look at the next generation.

What are the best practices for the board to make sure the company has the right tone at the top?

Craig Woodfield: I look at this from an auditor’s perspective, which defaults to the financial reporting side. The appropriate tone at the top deals with every risk of significance that could face a company.

Directors who are in a public company environment are probably familiar with the Committee of Sponsoring Organizations of the Treadway Commission’s framework for internal controls, and I would encourage private and nonprofit company directors to familiarize themselves with it. The revised framework from 2013 really is the gold standard, and it applies to every company and every board. There are seventeen principles listed in that framework, and the first five all deal with tone at the top issues. If you look at them, none of them are focused specifically on financial reporting.

As directors, we need to take these criteria seriously to ensure that there are structures in place that create a tone that promotes ethical values. The chief executive is the key here. As an auditor, I have a lot of exposure to public companies, and while most of them have a good tone, there are exceptions. The commonality among those exceptions is a chief executive who doesn’t have the right approach combined with a board that doesn’t have the right level of oversight.

Here are a couple of warning signs: a chief executive who has a very domineering personality, who doesn’t take feedback well, or who doesn’t respect the board’s responsibility to protect him or her. On the other side, if you have a weak leader and there’s a power vacuum at the top where there is no system of checks and balances, that’s an even greater warning sign because the board becomes dependent on each individual leader of each group within the organization. That situation is much more difficult to control.

We all want strong leadership in the companies we serve. One of the things that boards can do is help educate the chief executive about the nature of that relationship. And the role of the board is to help control that. A warning sign that that balance isn’t there is if we as board members don’t have access to the direct reports. And you want to empower the CEO—you don’t want to undermine or go around them. From an audit standpoint, it’s a real warning sign when the CEO or CFO tries to get in the way of the auditor or audit partner’s direct relationship with the board.

Want more? A panel of Fortune 500 company directors and subject matter experts will offer their insights on issues ranging from cyber resilience to the latest regulatory trends at Leading Minds of Governance–Southeast. Join us on March 16 in New Orleans, LA. Space is limited—register today.

Next week, coverage of the Leading Minds of Governance–Southwest event continues with highlights from a discussion on cyber risk and the legal liabilities of international companies.
