It is requisite to start every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begins the one- to two-hour panel discussions—experts in cyber technology outlining and explaining the various methods that have already been employed to hack into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.

Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations that are targeted in attacks. In a recent Verizon report on data breaches, it was reported that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.

Oversight of cybersecurity is at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle currently ensuing between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, however, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. In a report representing the culmination of six years of research from Mandiant—an American security company—Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.

At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.

• Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
• Define and protect the “crown jewels.” Companies can’t afford to defend every aspect of the organization. As such, it is wise to develop a minimalist strategy that foremost protects the sources of competitive advantage.
• Don’t wait for the “big event.” Most frequently, companies are not crippled by one significant event, but instead a “death of one thousand cuts”—a slow creep of proprietary information.
• Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
• Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
• Ask the right questions. At the next board meeting, directors should ask: “Have we been breached?” Then, “what forensics team have we brought in to look at these threats?” Most likely, directors will require outside expertise to aid in the understanding of cyber risks.

Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.

On May 23, NACD announced the election of Dr. Reatha Clark King to chairman of our board of directors. While Reatha’s role as chair is new, her relationship with NACD goes back many years. She has been a member of NACD since 1993, an NACD director since 2005, and chaired the governance committee in recent years.

An unconventional path

Reatha’s directorship experience is extensive; she has served on the boards of ExxonMobil, Wells Fargo & Co., H.B. Fuller Co., Minnesota Mutual Insurance Co., and The Lenox Group—in addition to several nonprofit organizations. She has followed, however, what I would call an unconventional path to the boardroom. After earning undergraduate degrees in chemistry and math and later a PhD in chemistry from the University of Chicago, Reatha began her career in the sciences, working as a research chemist for the National Bureau of Standards, and then becoming a professor of chemistry and an academic dean at York College. After earning another degree—this time an MBA—she became the president of Metropolitan State University in Minnesota. Reatha was then tapped to head the General Mills Foundation, where she spent 14 years leading the company’s community initiatives. From there, she added the aforementioned board seats to her already impressive resume.

Preparing for 2020 and beyond

Looking ahead, Reatha’s experience in both the corporate arena and academia makes her particularly well-suited to guide NACD and its NACD Directorship 2020 initiative. NACD Directorship 2020 aims to help boards understand, define, and prepare for the emerging and evolving issues that will shape the future of directorship. It gives me great confidence that Reatha will be leading our organization as we prepare for 2020 and beyond.

I’m also honored that Barbara Franklin, who has led our board for the last four years, will continue to serve as a director until May 2014. Barbara has had a tremendous impact on NACD, overseeing our unprecedented membership growth during her tenure and helping us solidify our position as the authority on leading boardroom practices.

As I look at our excellent board of directors and management team, I am more confident than ever in NACD’s ability to deliver on our mission to advance exemplary board leadership.

I’ve been around this board business for a long time but it never fails that I’m still regularly surprised by what others’ research exposes about the current boardroom environment.  Just recently I received a blog from the Wall Street Journal titled “A Boardroom With a View” that talked about how few current S&P 500 company CFOs serve on public boards and quoted studies done by James Drury, founder of his own executive search firm, and by Equilar titled “A profile of CFOs Serving as Independent Board Members.”  Equilar’s study looked at the performance of companies where S&P 500 CFOs serve on an outside board versus companies where their CFO currently doesn’t have that experience . I’ll let you review the article and see if you share the same reaction of surprise that I do, but it’s worth making some comments on.

First let’s talk about how few CFOs actually serve on boards.  Equilar’s study showed that only 102 of the S&P top 500 companies serve on a public company board.  Maybe equally surprising is that the same study shows that only 234 of the S&P 500 CEOs serve on outside public boards.  It seems like whenever you speak to a board every company wants a sitting CEO to serve on their board.  So I am surprised that both those CFO and CEO numbers are so low.  I will have to disagree with Mr. Drury’s comment that “he isn’t aware of any large company that would bar its CFO from accepting a seat on another board, so long as it made sense.”  He may not have experienced such but I know more than a handful of larger companies that have prohibited their CFO and on rare occasions their CEO from serving on an outside board.  Personally I think those companies are a little short-sighted on how it will help both the CEO and CFO, particularly CFOs who are potential candidates for succession to the chief executive.  I’m sure some companies recognize that when things go awry at companies these days, sometimes board members can have a meeting every week until the company is out of hot water.  That’s a big-time distraction to your senior executive, but I’m convinced that the pros of senior officers serving  seriously outweigh the cons and am confident that I would get confirming support from hundreds that have served, learned, and benefitted.

Regardless of the fact that some companies actually do restrict their executives even when it makes sense, a CFO is a very valued and potentially contributing board member that I would think would be especially sought after if for no other reason than his or her financial expertise on one’s audit committee.  When legislation passed years ago that required a financial expert on the audit committee, there was a rush to invite CFOs to boards.  I guess the question is…where did they go, and why aren’t we seeing more serving?

Equilar, which is currently the source for everything that touches tracking and benchmarking executive and board compensation, wanted to take its research a step further and analyze whether companies that let their CFO serve as an outside board member in fact, benefitted on the bottom line by those CFOs being more “experienced.”  The simple answer in its report was YES they are! (While confirming that this was the only variable to the improved performance would take a little more digging, the numbers speak for themselves.) Companies that have their CFOs serve on outside boards had a median three-year total shareholder return (TSR) of 19.9%. Compare that to those companies whose CFO didn’t serve as an outside board members, which reported a median three-year TSR of 15.2%.  Disputable or explainable—possibly as outlined above—but still interesting food for thought. 

Actually, I didn’t need this data to profess my support of having senior officers serve on outside boards, but it did make me dig deeper into its results to find out what else would surprise me.  One thing that was equally interesting was Equilar’s statistic whereby 20 of the 102 board-serving CFOs are women, which means that 45.5% of the S&P CFO women serve on a board versus only 18.7% of their male counterpart CFOs.  Rarely do I get to blog about a favorable diversity board statistic, so this is a treat. And even though it means we could still use more women CFOs, it does say that board nominating committees and/or search firms are finding them for board seats.

Studies and articles almost never result in a marked change in behavior, but I can guarantee that this one will raise some eyebrows of those companies that restrict senior executives serving as outside board members.  The bottom line is, the profession needs those CFO candidates as directors because they are some of the most qualified directors on the planet.  Maybe a little propaganda is needed to nudge companies in the right direction. Hmm, imagine a big poster with Uncle Sam pointing at the reader saying, ”We Want You To Serve!”

As reported in Directors Daily last week, Sir Alex Ferguson, manager of publicly traded Manchester United, announced his retirement. While the retirement of a sports figure, especially an English football (soccer) manager, would not normally provide fodder for an NACD blog post, Ferguson’s resignation underlies the need for succession planning and talent development, and serves as yet another warning about the risks of social media.

A soccer manager is often the most public face of the organization. Although not a traditional member of the C-suite, Ferguson’s relevance is illustrated by the announcement of his retirement. Within minutes of the open of trading following the resignation announcement, Manchester United’s stock price fell more than 5 percent. Directors, especially those who serve organizations where non-CEO employees maintain high levels of public visibility or influence, may want to look closely at Ferguson’s retirement as an example of a high-profile succession. While a coach of a sports franchise is a unique case, this succession plan looks to have been a long-term process resulting in unanimous board approval for the retiring manager’s recommended candidate.

The average tenure of a Fortune 500 CEO is 4.6 years[i], while the average tenure of a high-level English soccer manager is only 2.1 seasons. In a profession defined by short termism, Ferguson successfully managed his club for over 26 years, nearly 10 years longer than the next longest serving premier league manager. The Manchester United board allowed Ferguson to take the lead in the search for his own successor, and even allowed him to make the approach to the succession candidate. It is unusual for a board to cede so much control over the succession process. With directors serving for an average of nine years, their experience and longevity are essential to maintaining corporate continuity throughout the succession process. The board’s role in developing potential succession candidates is one aspect of executive talent development being explored by this year’s NACD Blue Ribbon Commission. The October release of the commission’s report will also examine the value of internal development, backed by a number of studies comparing internal and external succession.

The appointment of an outsider to the position of Manchester United manager was expected, but boards may wish to consider the value of recruiting internal candidates for CEO and other senior executive positions. Studies show that internally recruited CEOs deliver greater total financial performance and are more likely to retain the position[ii]. Also, senior executives hired from the outside have higher rates of failure than those internally promoted[iii], and organizations with greater reliance on external hires have twice the turnover as organizations that rely on internal promotions[iv]. While these studies point toward internal succession policies, boards may look outside when searching for fresh perspectives and thinking, or even contemplating a change in strategy. While Manchester United had been the world’s most valuable soccer club for many years, it fell to second in 2013. Could the appointment of an outside manager mean a change in strategy aimed at regaining the club’s title as the most valuable soccer team in the world?

While Manchester United’s transition process may appear successful, the announcement of Sir Alex Ferguson’s successor did not unfold as planned. There was no “the king is dead, long live the king” announcement; Manchester United announced the impending resignation but waited until the next day to name the future manager. In that short span of time, social media threw a snag in the carefully planned announcement. Prior to officially naming Ferguson’s successor, Manchester United mistakenly tweeted a link to its Facebook page that congratulated the new manager, David Moyes, on his appointment; the tweet and Facebook page were withdrawn within one minute. Moyes had been predicted as the successor, so the ill-timed social media announcement did not receive the same level of attention as other high-profile public company social media announcements. These events surrounding the succession announcement underscore risks posed by social media. In this case, it seems that human error, not a technological glitch, was the source of the problem, reinforcing the fact that while directors’ focus on IT risk is important, they can’t neglect old-fashioned human risk.

In a rare overlap of soccer and governance, Manchester United can provide directors with an example of a high-profile non-CEO succession that has received significant attention worldwide.

[i] CEO Succession Practices

[ii] Outside and Inside Hired CEOs: A Performance Surprise

[iii] Hire Senior Executives that Last

[iv] Outside and Inside Hired CEOs: A Performance Surprise

In the past five months, the NACD blog has received more than 15,000 views. Review the five most popular blog posts of the last five months to keep track of what directors find most important.

NACD Directorship 2020: Sustainability, Stakeholders, and Performance Metrics – Capitalism, and the role of the director, is changing–should the focus on “total shareholder return” shift to “total stakeholder return”?

Going Private? – In 2012, just 128 IPOs were made, a decrease from 154 IPOs in 2011. Last May, The Economist observed that this decline was part of a larger trend: the decline in popularity of the public company. Based on NACD surveys, see six key differences in the governance practices of public and private companies.

Discussion Topics for Compensation Committees in 2013 – Although numerous rules mandated by Dodd-Frank affecting the compensation committee have been implemented, directors still brace for those to come. As such, it is expected that compensation committees will maintain their focus on executive compensation in the coming year.

Alphabet Soup: A Director’s Guide to Financial Literacy and the ABCs of Accounting and Auditing – Can you keep track of accounting and auditing (A&A) acronyms? This handy guide provides tips for non-CPAs to achieve A&A literacy.

Investors Recommend Board Oversight of Trading Plans – New oversight responsibilities could be in store for directors. Although 10b5-1 trading plans have existed since 2000, a confluence of events has recently placed these plans in the regulatory spotlight.

Last year, NACD launched its fourth Advisory Council on Risk Oversight—the first of our committees not dedicated to a specific key board committee. In fact, less than 10 percent of public companies even have a committee dedicated to risk oversight. This advisory council was formed as the result of a simple observation: the responsibility of risk oversight has expanded significantly in the last several years. This council is not lacking for discussion topics—the nature of potential risks to an organization is evolving seemingly by the day. Directors need to know the strategies in place to not only mitigate but capitalize on the risks currently facing the company, and those predicted to present challenges in the future.

But that just accounts for what is on the board’s radar. At the second meeting of NACD’s Advisory Council on Risk Oversight held in March 2013, the discussion went beyond current and predicted risks to the challenges of disruptive technologies and innovation. Increasingly, the most severe shocks have been largely unpredictable: extreme weather, the confluence of multiple events, or innovation that upturns the industry. As one delegate observed: “We haven’t spent much time on the [risk of] ‘I will eat your lunch with a completely different approach.’ Companies don’t sit down and think about who is going to attack from a completely different angle.”

In their oversight capacity, directors cannot constantly monitor the more detailed aspects of the business. Nor can “you anticipate what you don’t know.” Nevertheless, several delegates suggested that the appropriate risk oversight processes in place, coupled with a resilient culture that efficiently reports risks up to the board, can support directors in mitigating known and unknown risks. The meeting, captured in the 2013 Advisory Council on Risk Oversight Summary of Proceedings, focused on areas critical to effective risk oversight processes. These include:

• Board processes and people. It is critical that the board not only has the right talent, but engages it fully. Directors should have a “real and thorough” understanding of the business to be able to effectively discuss both strategy and risk with management.
• Recognizing asymmetric information risk. While the board has to be comfortable with the reality of information asymmetry, directors should establish tolerance levels for the level of asymmetric risk they are willing to bear, and look for signs of when this risk has become too high.
• Engaging with management involved in risk reporting. For companies with a chief risk officer (CRO), that person can keep an “inventory” of risks throughout the organization. Additionally, directors can ask internal audit to identify what it believes will be “hot-button” risk areas.
• Linking strategy to risk. The board’s oversight of risk should begin with an assessment of the company’s strategy and its inherent risks, which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept.
• Allocating the work of risk oversight. The significant increase in risks facing the board necessitates defining who will act as an “air traffic controller”—allocating risk oversight responsibilities.

Leading practices for risk oversight—including allocation of work and the development of a risk strategy document—will continue to be the focus points not only for this advisory council but also NACD’s Directorship 2020 initiative. To download the full summary of proceedings, click here.

Well I can’t say I was really surprised at the volume of emails I received, both pro and con, on my board term-limit thoughtful review.  Some readers saw red and fired off mean responses suggesting I didn’t finish any post-secondary education… seemingly without taking a moment to digest this reflective thought leadership piece.  A perfect example of this was my activist follower (see comments on last blog) who, in addition to regularly commenting on The Board Blog, once campaigned in his blog to “vote TK off the island.” This individual must feel that I don’t respect shareholders enough, but nothing could be further from the truth, particularly since I am a significant “shareowner” myself (as he chooses to call shareholders of public companies).

In a way, I’m glad he brought up this concern, because it gives me the opportunity to clarify why I have suggested a term-limit model of two, six-year terms.  His view is that shareowners would never go for six-year term limits because they want annual elections.  This is an important point, but in this context, it confuses term limits with director elections.  Term limits are a replacement for a mandatory age requirements or, as I will explain in a moment, a valuable tool for boards, companies, and shareholders. 

I am a proponent of annual elections for directors, and if a director doesn’t receive a majority of shareholder votes, they should be required to submit their resignation. There may be an extreme case where a board wouldn’t accept the resignation (it could happen), but typically boards should honor shareholders’ views that someone who is representing them should have the ability to be replaced.  Now, before my business-world friends fear that I have totally gone soft on the role of corporate boards, rest assured that with my support for annual elections comes the adamant request that shareholders stop submitting questionable proposals so they can sit on the shoulders of board members and second-guess every decision a board makes, even though they will never have the same access to information as the board.  If anyone has ever had a job where your supervisor just sits on your shoulder watching you work, you know it is one of the most annoying and least productive environments imaginable.  If we’re going with annual elections, please let the board do its job without second-guessing every decision.  We can’t let this board governance system deteriorate to a level that our most qualified directors don’t want to serve as public company directors.  Sorry, I didn’t mean to digress and get on my soapbox… so back to the issue at hand, which is term limits.

Let me explain why I think term limits is a good tool for all concerned.  Term limits are viewed favorably by shareholders because they don’t allow directors to become entrenched, out of touch, or lose independence after decades of years of service.  But more importantly, allowing two terms gives board leadership a tool to replace or, better stated, not re-nominate, directors who are not contributing.  I’d like to believe that with good board evaluations, this kind of assistance or tool wouldn’t be necessary. But the facts are, getting directors off a board is not easy, nor is it exercised as often as it should.  Boards strive to be collegial, and casting off directors who are close associates isn’t an easy task for anyone.  Term limits don’t eliminate the need to deliver the tough message, but it does make it easier.  There is no magic to the six-year terms I suggest, except that 12 years of service seems logical to me. 

It is interesting to me that since writing the first term-limit blog weeks ago, I have met two more young directors (below 40 years old) and have witnessed some bad examples of companies being hacked, which is the most rapidly growing risk challenge for managements and boards today. This supports one of my reasons for term limits, so that you have directors who are more familiar with today’s true enterprise risks.  It also provides some support to my premise that the benefit for term limits will continue to grow and that more companies should embrace it as a good step forward.  Another side benefit in planned board turnover is increasing director diversity, but I will save that issue for the future or you can read my past blogs on board diversity.

For those of you who are interested in the personal aspect of my activist saga, I should share that I had the opportunity to meet my challenger face to face when I was speaking at a directors’ conference in California.  As typically happens in these cases, we discovered that while we would never agree on the importance of certain issues, he was far from radical in his quest to improve board performance.  We parted amicably by agreeing to disagree, but interestingly, the more we interacted face to face, the more I discovered that our goals were, in fact, not that markedly different.  Time will tell, after he reads this, if he thinks I’m still bad for shareholders.  Right now I’m sleeping just fine, thanks.

For corporate directors, time is a valuable resource. As such, I’m frequently asked why directors should carve out three days to attend NACD’s annual Board Leadership Conference, which is held every October in the nation’s capital. To me, it is obvious why those in the boardroom should attend this first-rate conference.

Here are the 10 reasons I shared with our NACD chapter leaders at a recent meeting in St. Louis, Missouri:

1. Save $500 when registering by April 30. The NACD Board Leadership Conference is historically sold out, and this three-day conference represents the most important knowledge exchange for the world’s leading directors, C-suite executives, and governance experts.
2. For directors by directors. Learn from leading boardroom practitioners, those who have endured many hard lessons you may not want to encounter yourself! Hear firsthand from Laban Jackson, audit committee chair of JPMorgan Chase, about the London Whale controversy and his perspective on the board’s role in risk oversight. Learn more about the shifting landscape of social media from Clara Shih, Starbucks director and CEO of Hearsay. Get the latest on how big data is impacting business with Rich Relevance CEO David Sellinger.
3. Get more actionable takeaways than from any other conference. Address persistent challenges and gain “next practices” from your peers on the timeliest and most critical boardroom issues, including human capital management, emerging technology, compensation, and global markets.
4. Make your voice heard. Take part in shaping thought leadership and talk to influential legislators, regulators, and stakeholders.
5. Sharpen your committee skills. Attend a Sunday Board Committee Forum, including dedicated sessions on audit, compensation, nominating/governance, and risk. Network with peers during breaks following big-name keynote speakers, and share your opinion with peer-led panels and committee chairs who really understand your challenges.
6. Get hands-on with social media. Visit our first ever social media learning lab, staffed by experts in the latest social media trends, who can show you the ropes and help you understand how social medial is affecting your business.
7. Spark innovative thinking. Participate in active dialogues around Directorship 2020™—NACD’s new initiative—to explore how and why the boardroom will change over the next several years and what you as a director need to know to keep pace. Gain exclusive insights gleaned from thought leaders and directors around the country in a report from our Directorship 2020 regional events.
8. Build your network. Exchange ideas with nearly 800 directors from around the world, including those from Akamai Technologies, Ford, JetBlue, JPMorgan Chase, and Union Pacific, to name a few.
9. Strengthen your reputation. The most sought-after directors are well informed and well connected. Your participation at this event will earn you recognition for your commitment to continuous learning. For those who have completed the Master Class, this conference confers all the elective requirements you need to become an NACD Board Leadership Fellow.
10. Tailor your experience. There’s something for everyone. Join special breakouts for general counsels, private company directors, small-cap directors, and nonprofits organizations. With nearly 50 sessions, choose from unmatched session selection to meet your own boardroom needs and interests.

In my opinion, NACD’s Board Leadership Conference is not only a great value, but an experience every corporate director should take part in.

I look forward to seeing you this October in Washington, D.C. Register here.

Know your audience–it’s often the first lesson in Public Speaking 101, but it’s also an important mantra for senior executives looking to improve the quality of their interaction with the board of directors. An issue my team often identifies when working with boards is a disconnect between the information the board needs and what the management team actually presents. We’ve seen this gap occur at companies of all sizes, industries, and levels of sophistication.

How management provides information to the board makes or breaks directors’ oversight role. Providing directors with the information they need to execute their duties is essential to fostering an environment where directors can succeed and be of most value to the company.

Through all my years of serving as general counsel, I have never received formal training on what directors require for their oversight role. Some questions that may arise are: What are their expectations for management? What perspectives do they bring to the table? What keeps them up at night? How much information is enough?

To help executive teams answer these questions, NACD recently introduced  Executive Professionalism: Understanding Board Expectations, an innovative program that allows the executive team to step into the boardroom in order better understand the fiduciary and strategic responsibilities that influence the questions directors ask. Led by seasoned directors, this in-boardroom program is specifically designed to help the senior management team better understand the role of the board, deliver the information directors need, and understand how to best engage with their board to meet and exceed expectations on both sides of the table.

In addition to my team’s direct experience with our clients, the issue of gaps in expectations between the board and management is raised by NACD’s members much more frequently. NACD has developed two tools to help companies address this gap:

• Bridging Effectiveness Gaps: A Candid Look at Board Practices addresses the gaps in information flow between management and the board.
• C-Suite Expectations: Understanding C-Suite Roles Beyond the Core offers guidance for interacting with non-traditional members of the C-suite such as the chief risk officer and the chief corporate responsibility officer.

To be or not to be? Shakespeare’s tragic character, Hamlet—the beloved prince of Denmark—is famous for posing this basic existential question. Yet even before one can query his or her own being, there is a much more fundamental question that needs answering: To decide or not to decide?

This primary question is the philosophical starting point for a unique new publication, Director Decision Making: A Sensible Approach. Authors Chuck Re Corr and Clark Abrahams, both experienced directors, approach decision making in two parts: (1) defining the decision, and (2) making the decision.

The first part, Defining the Decision, may sound academic or theoretical, however, it’s as real as can be. This means asking the reason for the decision, looking at the problem that is prompting the decision, assessing the importance of the decision/problem, and asking when the decision must be made and by whom (some decisions must be made by the board; others can/should be delegated).

The second part, Making the Decision, covers remaining checkpoints: information for the decision, formality of the decision (e.g., when/how to take minutes), range of possible solutions to the decision, desired outcome, and monitoring after the fact.

The 26-page highly practical guide includes commentary on intuitive vs. deliberative decisions, and on probabilities, as well as a 2-page worksheet with 20 simple questions every board can (and in most cases should) ask before making any decision.

Will your board be asking them when it makes its next decision? That is the question.

I hope the answer is yes.

Director Decision Making: A Sensible Approach is available at the NACD Bookstore for $15 for members, $25 for non-members.