Boards & Governance

Reviewing the Corporate Counsel’s Playbook

NACD Blog Feed -

Hurricanes. Hostile Mergers. Data breaches. A misconstrued comment on social media. These are a few of the real and figurative storms that companies weather regularly with the help of internal and external staff, and regular advice from their general counsel (GC).

James Barron

The National Association of Corporate Directors (NACD) recently convened its General Counsel Steering Committee. Crisis communications counsel James Barron, a managing director of the New York office of Sard Verbinnen & Co. (SVC), a specialist financial and crisis communications firm, led more than 30 GCs from top companies in a discussion of the topics that keep them awake at night, including cyberattacks, scandals, and the delicate art of communicating to stakeholders when a crisis occurs.

Barron, who has witnessed this many times during his tenure at SVC, emphasized that the GC often plays “the role of the company quarterback.” Directors often turn to their GCs to understand the roles they should play during a crisis, being cautious not to open themselves to future liability. General counsel can also be instrumental in ensuring that leadership proactively creates a response plan and then follows that plan should a crisis arise.

Concepts to include in the GC’s crisis playbook follow:*

1. Create a crisis response plan that is usable. No one has time to read dense policies in a crisis. “While there are some crises that can be anticipated and materials can be prepared in advance, I don’t believe in crisis plan books that are six inches thick,” Barron said. He pointed out that companies should take the time to identify and drill on the most likely crises, then use the lessons learned to refine crisis response processes and assign senior executives and board members to appropriate tasks.

2. Drill the plan. No company can prepare for every scenario that will emerge in a crisis, but Barron noted that tabletop exercises can help GCs and boards identify their blind spots and fine-tune assignments of who will be responsible for what portion of the response. One Steering Committee member also pointed out that tabletop exercises surface differing opinions about how to handle a crisis. Consider, for instance, that the GC and the director of public relations often have very different opinions regarding messaging and speed of outreach. Hashing out disagreements before an event occurs will encourage the GC, executives, and directors to present a united front when a crisis occurs.

3. GCs are Quarterbacks. Barron said GCs often play the role of organizing the team and breaking down silos. “GCs find themselves corralling multiple groups, including senior management, the Board, operational management and communications functions. In addition, they have responsibility for outside counsel and often specialist PR firms such as Sard Verbinnen,” he said. “Their role is often to balance competing needs, particularly where there is a tension between the business needs and legal requirements.”

4. Identifying the need for public communication. Barron reminded the members of the Steering Committee that during times of peace at the company, they should consider mapping out which scenarios will need to be communicated publicly and which shouldn’t, what regulatory and legal ramifications exist for disclosing and not disclosing certain matters, and communicate the plan to the board and senior executives accordingly.

5. Understand who must be included in a crisis response plan. One Steering Committee member brought to the group’s attention that sometimes regulations demand that the CEO be involved in the response to a crisis. Still another mentioned that the board at his company could not be involved in crisis response because they could not move at the speed that their senior management team could respond.

6. Seek outside counsel when a key player acts out of step with the plan. Barron pointed out that even with a plan in place, sometimes a key executive speaks out of order during a crisis, causing tension and discord between the board and other executives. In this case, Barron notes that it’s “sometimes easier for an external legal advisor or communications group to ensure that the right decisions are made.”

7. Update your corporate contacts regularly. Several participants pointed out that having the right phone numbers for the right people is essential when management, the board, and GCs have only minutes to respond to a crisis. While this seems like a fairly simple task, Steering Committee members pointed out that a list of who needs to be contacted immediately should exist in the crisis-response playbook—including every possible phone number or other contact needed to reach that person. Contacts should also be kept fresh for essential regulators, outside counsel, and other stakeholders who may need to be contacted.

8. Plan for the long haul. One GC pointed out that some crises require weeks and even months of attention from top-level executives and the board. In addition to planning for immediate response, Steering Committee members agreed that a chain of assistance should be built to support the work done by responding executives and GCs. Not doing so could create undue risk within the organization caused by neglected leadership.

NACD’s General Counsel Steering Committee brings together progressive general counsel from leading companies to engage in frank, informal discussions with each other and with NACD leaders about corporate governance practices and the changing business and regulatory environment. These conversations help inform the development of NACD resources, education programs, and events with a goal of strengthening the partnership between the general counsel and the board. NACD thanks the Steering Committee for its participation, and for strengthening and supporting the work of corporate directors across the country.

*All General Counsel Steering Committee meetings are held under Chatham House Rule. The names of GCs and companies are removed accordingly.

10 Turn-Around Lessons from Zale Corp.’s Theo Killion

NACD Blog Feed -

Jill Griffin

When former Zale Corp. CEO Theo Killion shared his leadership lessons of turning around Zales at a recent NACD TriCities Chapter program in Austin, Texas, it jogged some childhood retail memories for me.

Growing up in the 1960’s, my small hometown of Marshville, North Carolina, boasted a thriving town square of mom-and-pop stores. Because my family’s home was a hop, skip and a jump from these businesses, they became my playground. I was their frequent visitor, and with those visits came benefits. For example:

  • Remember when white go-go boots were all the rage? Mr. Gaddy, who owned the shoe store, made sure my sister and I scored pairs from his first shipment.
  • As a child, I received a personal call from Mr. Creech, the toy store owner, when his long-awaited skateboards arrived.
  • One spring, I stood with other locals as the Chrysler dealer eagerly removed the drop cloths revealing that year’s beautiful new big-fendered models. (The fact the dealership offered up lots of free doughnuts, coffee, and soft drinks didn’t hurt either.)

I was rapt throughout the program as Melissa Fruge interviewed Killion, a modern-day version of my favorite childhood shop-owners, but on a grander scale.

Zales was on the brink of bankruptcy in 2004. Something had to be done. The bold and unvarnished self-assessment undertaken by the company’s senior leadership uncovered the business’s truths. These revelations, combined with sheer perseverance not to fail, brought the national jeweler back from the edge.

Here are some of my top take-aways from Killion about what executives and boards should do to turn around a struggling business:

1. Stay humble. Killion prefaced his remarks by stating that they were his opinion, and that many of the tenets he spoke about originated from great thought leaders. A mark of a strong leader is his or her ability to acknowledge with humility the admired ideas of others.

2. Interim in any title keeps you focused. By the time Killion took the reins, Zale Corp. had had six CEOs in 10 years. When Killion’s best friend was fired as CEO, the board needed a quick fill. Killion was named interim CEO—leaving him keenly aware that he was considered temporary. He entered the role ready to make the most of the time he had.

3. Follow the money. Zales had six short months before its cash ran out. The company was in desperate need of an equity infusion. From day one, Killion and his finance team were reaching out to possible providers.

4. Dig deep for insight. Over a three-month period, Killion and his two-member strategy team worked 12- and 14-hour days, including weekends, to put a decade of operational decisions under a microscope. They carefully ferreted out what worked, what didn’t work, and why. They then presented these findings to the board. Killion observed and reported that management’s bad decisions were made on the board’s watch. He wanted the board to feel the same deep discomfort that the executive leadership team was feeling.

5. Detail the new strategy. Zales’ new strategy document totaled 150 pages and spelled out in clear, concise detail what the company would do going forward—and why. For example, severe cost cutting had reduced the customers’ experience of buying an engagement ring into a commodity. Consider, for instance, that the customer left the store with the ring—which often is one of the most meaningful, expensive jewelry purchases a person will make—in a plastic bag.

The new strategy brought customer emotion and meaning back to a purchase at Zales. The purchase process was no longer treated as a transaction, and store training ensued to make it a well-crafted, loving, and memorable customer experience.

6. Flip the pyramid. Before Killion stepped in, the leadership philosophy of the company placed management at the top of the pyramid. The pyramid was inverted and a customer-focused culture was born. It looked like this:

  • Top tier: customers of Zales’ 1,100 stores;
  • Middle tier: 12,000 employees; and
  • Bottom tier: corporate management.

7. Think like Jeff Bezos. Bezos has built Amazon.com to be customer-obsessed, keen on technology and analytics, and is always testing new concepts. Killion sees this as a road-map for any retailer succeeding today.

8. The nominating and governance committee is key to matching strategy to board composition. Killion pointed out that Zales needed board directors with skill sets that matched the company’s five-year plan. Retail expertise was a must, and the nominating and governance committee needed to ensure its goals matched those needs. This committee must ask itself what skill sets the business needs. In retail today, Killion advises, a board member with deep literacy in e-commerce is essential.

9. Apply lessons from Vanguard’s 2017 Open Letter. Killion admires Vanguard CEO F. William McNabb’s open letter to public company boards of directors. Vanguard has 20 million investors, and currently is the second largest fund manager in the world. McNabb is keenly aware of the responsibility boards play in the success of the companies that the fund invests in. Here are the highlights of McNabb’s message to directors that especially resonated with Killion:

  • Sell quality things.
  • Practice good governance.
  • Pay close attention to the compensation program crafted for senior management.
  • Understand the company’s risks, and especially the role of climate risks.
  • Inclusion of women and other directors from diverse backgrounds on boards is important.

10. Brick-and-mortar retail is not dying. Instead, Killion believes retail is entering its golden age partly because of the many ways today’s retailer can reach a customer and make a sale.

The program is available to view via NACD Texas TriCities Chapter’s YouTube channel. It’s a meaty discussion and well worth your viewing time.

By the way, to this day I’m a recreational bargain shopper. Simply walking into a favorite store lifts my spirits, and I’m glad that Killion and the directors of companies are working to help the retail industry thrive in the twenty-first century marketplace.

Avoid Deal Failure: Ask These Tough Questions Before Any Acquisition

NACD Blog Feed -

Justin Johnson

It is easy to get caught up in the excitement of a deal—the unvarnished optimism of the corporate development team, the bullish spreadsheets from the bankers, the juicy steaks at the closing dinner. The numbers, however, don’t lie. It is estimated that at least half of all merger and acquisition (M&A) deals ultimately fail, destroying shareholder value for the acquirer instead of increasing it. A disciplined valuation analysis—ideally conducted with minimal involvement of the deal team and bankers—can help board members avoid unsuitable matches and support deals that are a good long-term fit.

A Synergistic Match

Assume your company has identified an acquisition target operating in your business and serving similar customers. Cost savings from the combination are expected as the result of an overlapping distribution network and because redundant production and administrative staff can be eliminated. This is a classic synergistic deal, where the acquirer boosts overall profit by adding the target’s revenue to its topline while eliminating many costs associated with achieving that revenue.

The first step in evaluating such a transaction is establishing the market value of the target without regard to buyer-specific synergies. While acquirers are usually most interested in the valuation of the combined company, there are good reasons for first establishing a baseline market valuation of the target on a stand-alone basis:

  • It gives the buyer insight on a valuation the target might expect to receive in the deal.
  • It provides a reference point the buyer can use to evaluate how much synergy it brings to the table.

Determining Baseline Value

There are several common approaches for deriving the market value of an acquisition target, and an acquirer should undertake as many of them as possible to establish a baseline valuation matrix. The two common techniques for publicly traded entities are straightforward. They entail analyzing the target’s historical stock price and the premium at which its stock trades after the deal is announced. For our purpose, assume the target is not public and review the four valuation approaches commonly applied to private companies.

  1. One of the most common techniques is by referencing the trading multiples of comparable publicly-traded companies. Care is required in the selection of comparable public companies to ensure similarity of operations, size, and growth prospects with the target company.
  2. Another common method is to consider recent M&A deal multiples for similar companies. For this approach, make sure to distinguish between financial sponsor deals and strategic deals, as strategic deals frequently pay higher multiples due to acquirer-specific synergies. Value indications from these approaches entail applying observed market multiples to the target’s standalone earnings, typically before interest, tax, depreciation, and amortization (EBITDA).
  3. If a long-term forecast is available for the target, financial advisors sometimes use a discounted cash flow (DCF) analysis. It should be stressed, however, that this analysis is only as accurate as the underlying forecast, which may be suspect. For this reason, a DCF analysis often is underweighted—and sometimes omitted altogether—from a valuation exercise. Additionally, a “haircut” may be applied to the forecast itself before it is put into the model.
  4. Finally, if the target is likely to attract financial buyers, advisors may employ a leveraged buyout (LBO) analysis. This approach values the target by establishing what a financial buyer would be willing to pay for the company under the financing structure it might be expected to use—often a combination of debt and equity. If a company is underperforming its peers, the LBO model may also include some assumptions about reorganization and/or add-on acquisitions.

Once as many of the preceding approaches as practicable have been performed, financial advisors triangulate the various pricing indications to establish a baseline market valuation range for the target.

Establishing Pro Forma Value

The next step is assessing the value of the acquirer after acquisition. This analysis is different than the market valuation analysis because it factors in synergies to show the value of the acquisition to that specific buyer. A word of caution: Board members should be wary of synergy projections from bankers or corporate development personnel who are emotionally or financially invested in the deal. Considering the stakes, engaging an outside advisor not connected to the prospective transaction to provide an independent valuation and estimate the potential synergies can be a sensible course of action.

No matter who is performing the pro forma analysis, a number of factors should be evaluated: the amount of expected synergies, the costs associated with realizing those synergies, the amount and type of purchase consideration, and the trading multiples for the acquirer’s stock.

Even for a disinterested third party, it is challenging to estimate synergies with accuracy, so it is prudent to perform a sensitivity analysis of the transaction’s impact on the acquirer’s share price. This is best revealed in a sensitivity table that varies both the amount of assumed synergies and the purchase consideration. Layering in an additional variable to the sensitivity analysis, the estimated one-time integration costs incurred to achieve synergies can further enhance precision. These costs can be just as difficult to project as synergies, so a range of estimates is appropriate.

The resulting sensitivity table can provide board members a powerful visual tool to understand how much it makes sense to pay at varying levels of synergy and costs. If the resulting analysis shows that a deal increases shareholder value—even if actual synergies realized are at the low end of expectations and one-time costs incurred to realize those synergies are at the high end—the deal likely will turn out well from the acquirer’s standpoint. An even better deal is one that increases shareholder value if synergies are below the low end of the estimated range and integration costs are above the high end.

Conversely, deals that are only accretive at or near the most favorable ends of the two ranges are likely to destroy shareholder value.

Other Impacts on Value

What about the impact of the type of purchase consideration on value? An acquisition can be financed with available cash, new debt, stock, or some combination of these. Debt financing will create a drag on future earnings in the form of interest expense, another cost of realizing synergies that must be considered. If acceptable to the seller, using stock may be advantageous to the buyer.

A final factor to consider is the valuation multiple of the acquirer. If historically it has been somewhat volatile, it is a good idea to run a sensitivity analysis on the pro forma value of the stock, assuming a range of valuation multiples for the acquirer consistent with its recent trading history. The lower the valuation multiple, the lower the increase in value from transaction synergies.

Know the Difference

Board members are unlikely to bless a strategic acquisition with the intent to destroy value. Yet, too often, that is exactly what ends up happening. A disciplined, thorough, and independent valuation analysis can make the difference in helping a board distinguish a suitable match from a bad one. After establishing both the market value of the target and its pro forma value to a particular acquirer, a buyer is well-positioned to negotiate and—if all goes well—finalize the deal.

Justin Johnson is co-CEO of Valuation Research Corp. where he sits on the firm’s board and is a member of the firm’s Private Equity Industry Group and Financial Opinions Committee. Prior to joining VRC, Johnson held positions with Arthur Andersen, Merrill Lynch, and PricewaterhouseCoopers.

Governance at 30,000 Feet

NACD Blog Feed -

American Airlines Group director Alberto Ibargüen recently led a fireside chat with the company’s CEO and Chair Doug Parker during the NACD Florida Chapter’s season kick-off event at Miami International Airport. With more than 100 in attendance, the program featured insights into the highly competitive airline industry along with some key considerations for directors.

A New Day for the Airline Industry

From left to right: Sherrill Hudson, NACD Florida Chapter Chairman; Lauren Smith, NACD Florida Chapter President; Doug Parker, American Airlines Group Inc. and American Airlines CEO and Chairman; and American Airlines director Alberto Ibargüen

From 1978 until deregulation of the airlines, the airline industry yielded no return on capital; however, since the merger of American Airlines and US Airways less than four years ago, American has generated $20 billion in profits. Three airlines—American, Delta, and United—are now leading the pack in rationalizing and leveraging the hub model to offer passenger service across the globe while generating positive returns. Parker insists this is the industry’s “new normal” and spends a great deal of time convincing constituents that the industry is not simply experiencing a temporary “up” in a long-term cycle.

Parker explained that the company must now invest in its people and its products, taking a long-term view of the business. For example, American invested in new aircraft and now has the youngest fleet of any U.S. airline. With regard to employees, many of whom are unionized, Parker raised wages in the middle of a contract term in order to fulfill his promises to them during the merger. He explained, “I use the ‘look them in the eye’ test when it comes to the 120,000 people on the American payroll,” emphasizing the importance of transparent communication with employees. Another area of investment is data protection, and the board routinely raises the issue of cyber risk.

Merger Advice

“Never undertake a merger when there’s not a clear strategy,” cautioned Parker, when talking about the successful US Airways and American merger. Recognizing the herculean amount of work required to meld systems and go-to-market philosophies, he added, “You shouldn’t put your team through one unless two plus two will equal five, not 4.2.”

In terms of building a post-merger board, the merged company board consisted of two American board members, three US Airways board members, including Parker, and five members from the creditors’ committee. With this blended group, directors did not focus on the “this is how we did things” historical perspective, but rather the group was able to move forward as a relatively cohesive unit from the beginning.

Communication and tone at the top became priorities for the board and management after the merger as well. Parker began holding town hall-style meetings, taking questions from employees. These sessions are recorded and offered to American’s employees worldwide.

A Strategic-Asset Board Focused on the Customer Experience

Parker emphasized that by asking the right questions, the board has had an enormous impact on management, “ensuring that the team has a strategic focus.” Given the day-to-day demands of running an airline, pulling the team from those responsibilities can be challenging. Still, the board insisted on an offsite focused on strategic planning, which proved to be very valuable. “I put off the retreat for two years because we were so busy with the integration,” said Parker. “But the offsite was valuable because we were forced to articulate our strategy in a way that could be understood by others, like the teams and investors.”

American Airlines director Susan Kronick, who was in the audience, added that the board works well because it is diverse. “Our board is diverse in terms of gender, ethnicity, and, most importantly, points of view,” she said. “We have rich discussions, and everyone is moving forward together.” She added that a keen focus on the customer experience is a unifying factor. “We take the proactive perspective that the culture of the company is a competitive advantage for us with customers.”

Parker added that the board members aren’t afraid to speak up, and his job is to ensure his team is communicating well to the board. He also echoed the board’s focus on the customer.

“We are transporting people at 525 miles per hour, so we are constrained by the laws of physics,” said Parker. “But we can make sure the rest of the experience is as efficient and comfortable as possible.”

The NACD Florida Chapter would like to thank American Airlines and Miami International Airport for supporting this event and the behind-the-scenes airport tour that preceded the program.

Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.

The Role of Software Patches in Cyber-Risk Mitigation

NACD Blog Feed -

Jim DeLoach

Equifax is not just another organization that was breached. The company was named one of Forbes’ “World’s 100 Most Innovative Companies” for three years straight, from 2015 to 2017. The recent breach of the company’s U.S. online dispute portal web application has raised serious questions about whether boards of directors and senior management are asking the right questions about actions their organizations are taking to protect themselves from cyberthreats. Are boards probing to discover what they don’t know?

In September, Equifax announced a massive breach exposing the personal information of over 40 percent of the U.S. population. The company’s stock declined almost 14 percent after the announcement, and heads rolled over the ensuing three weeks—first the chief information officer (CIO) and chief information security officer (CISO), and then the CEO. The pervasive headline effect of this incident has been as persistent as any in memory.

There are many important aspects of cybersecurity that the board is expected to tend to, including understanding what the organization’s “crown jewels” are, business outcomes management seeks to avoid, understanding the ever-changing threat landscape, and having in place an effective incident response program, to name a few.

But this discussion is more specifically about the systems vulnerabilities we know about. That’s the elephant in the room.

The sage advice—if your flank is exposed, fortify it before you get overrun—seems to apply here. Even noncombatants understand the value of protecting exposed flanks in desperate battle. A known vulnerability is most certainly an exposed flank, particularly when sensitive data is involved.

Enter the role of software patches.

A patch is a software update installed into an existing program to fix new security vulnerabilities and bugs, address software stability issues, or add a new feature to improve usability or performance. Often a temporary fix, a patch is essentially a quick repair. While it’s not necessarily the best solution to address the problem, it gets the job done until product developers design a better solution for a subsequent product release.

The Equifax incident raises the question as to why the company didn’t implement the appropriate patch to its systems when the vulnerability was first identified. To be fair, other companies have suffered a cybersecurity event because they failed to implement a patch in a timely manner, and we have no insights into the unique circumstances at Equifax. Admittedly, patching software at a large organization with multiple, complex systems takes a considerable amount of time. But, for boards and executive teams everywhere, the Equifax episode serves as a stark reminder of the importance of understanding the company’s cybersecurity strategy and tactics to pinpoint whether they know what they need to know.

Often, in our security and privacy consulting business at Protiviti, we see companies implementing patches within 60 to 90 days of discovering a systems vulnerability. We have seen some high-risk patches not applied at all for fear of breaking legacy applications; in effect, the organization simply accepts the risk of not applying these patches and, as an alternative, works to mitigate it. Based on our experience, 30 days from release to deployment is typically the “gold standard” for the time it takes to apply a patch.

Is the gold standard enough? Companies are essentially leaving themselves exposed for 30 days. Meanwhile, they may lack the advanced detection and response capabilities to detect unauthorized activity occurring during that time. Organizations with a well-designed vulnerability management program quickly patch known vulnerabilities for critical public-facing services. For example, we see companies setting service level agreement targets of 72 hours, with some striving for 24 hours or less to limit the damage of an attack.

Simply stated, boards need to inquire as to the target duration from release to deployment to shore up cybersecurity vulnerabilities and, if it’s 30 days (or more), question whether that is timely enough, especially when public-facing systems are involved and sensitive personal information is exposed. Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image cry out for this oversight.

It is vitally important to scan public-facing systems immediately upon notification of critical vulnerabilities; “same day” should be the target. In addition, patch deployment should be tracked and verified as part of a comprehensive information technology (IT) governance process. It’s not enough to merely push out a patch. A comprehensive IT governance process should confirm that the risk truly has been mitigated on a timely basis.
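As an added illustration (not code from the post or from Protiviti), the following Python script tracks the release-to-deployment metric described above the way an IT governance process would need to: a patch counts as closed only once a rescan has verified the fix, not when it was merely pushed, and risk-accepted exceptions remain visible. The SLA tiers and the sample records are constructed assumptions based on the figures quoted in the post.

```python
from datetime import datetime, timedelta

# Assumed SLA tiers, in hours from vendor release to a *verified* fix. The
# 72-hour and 30-day figures are the ones quoted in the post; the 90-day tier
# for lower-severity internal systems is a constructed assumption.
SLA_HOURS = {
    ("critical", True): 72,        # critical vulnerability, public-facing system
    ("critical", False): 30 * 24,  # critical, internal only: the 30-day "gold standard"
    ("high", True): 30 * 24,
    ("high", False): 90 * 24,
}

# Fixed "as of" time so the sample output below is reproducible (constructed).
AS_OF = datetime(2024, 3, 10, 9, 0)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M") if ts else None


def evaluate(record, now):
    """Classify one patch record against its SLA.

    Only a "verified" timestamp (a rescan confirming the vulnerability is gone)
    closes the item; a "deployed" timestamp alone is reported as unverified.
    """
    released = _parse(record["released"])
    deployed = _parse(record.get("deployed"))
    verified = _parse(record.get("verified"))
    sla = SLA_HOURS[(record["severity"], record["public_facing"])]
    deadline = released + timedelta(hours=sla)
    if record.get("risk_accepted"):
        # Explicit decision not to patch (e.g. fear of breaking a legacy app).
        # It stays on the report so the board sees the accepted exposure.
        status, elapsed = "risk-accepted", now - released
    elif verified:
        elapsed = verified - released
        status = "closed-in-sla" if verified <= deadline else "closed-late"
    elif deployed:
        status, elapsed = "deployed-unverified", now - released
    else:
        status = "overdue" if now > deadline else "open"
        elapsed = now - released
    return {
        "asset": record["asset"],
        "status": status,
        "elapsed_hours": round(elapsed.total_seconds() / 3600, 1),
        "sla_hours": sla,
    }


def board_summary(records, now):
    """Roll per-asset results up into the numbers a director would ask for."""
    results = [evaluate(r, now) for r in records]
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    closed = [r["elapsed_hours"] for r in results if r["status"].startswith("closed")]
    attention = sorted(r["asset"] for r in results
                       if r["status"] in ("overdue", "deployed-unverified", "risk-accepted"))
    return {
        "counts": counts,
        "mean_hours_to_verified_fix": round(sum(closed) / len(closed), 1) if closed else None,
        "needs_attention": attention,
    }


# Constructed sample records; the asset names and dates are not real systems.
SAMPLE = [
    {"asset": "web-portal-01", "severity": "critical", "public_facing": True,
     "released": "2024-03-01 09:00", "deployed": "2024-03-02 15:00",
     "verified": "2024-03-02 18:00"},
    {"asset": "web-portal-02", "severity": "critical", "public_facing": True,
     "released": "2024-03-01 09:00", "deployed": "2024-03-06 10:00",
     "verified": "2024-03-06 12:00"},
    {"asset": "api-gateway", "severity": "critical", "public_facing": True,
     "released": "2024-03-01 09:00", "deployed": "2024-03-03 09:00"},
    {"asset": "hr-intranet", "severity": "high", "public_facing": True,
     "released": "2024-02-01 09:00"},
    {"asset": "internal-wiki", "severity": "high", "public_facing": False,
     "released": "2024-03-05 09:00"},
    {"asset": "legacy-erp", "severity": "critical", "public_facing": False,
     "released": "2024-01-15 09:00", "risk_accepted": True},
]

if __name__ == "__main__":
    for row in (evaluate(r, AS_OF) for r in SAMPLE):
        print(row)
    print(board_summary(SAMPLE, AS_OF))
```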

Directors and executives should also be concerned with the duration of significant breaches before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Given the increasing sophistication of perpetrators, simulations of likely attack activity should be performed periodically to ensure that defenses can detect a breach and security teams can respond in a timely manner.

We know that an organization’s preparedness to reduce an incident’s impact and proliferation after it begins is an issue (i.e., the lapsed time between the inauguration of an attack and its detection is too long). Often, it takes over 100 days until suspicious activity is discovered; about 50 percent of the time, organizations learn of breaches through a third party.

In nearly every penetration test Protiviti conducts, the client authorizing the test fails to detect our test activity. Many organizations seem to think that if they outsource to a managed security service provider (MSSP), the problem will be solved—as if a box has been checked. However, we see time and again that this is not the case. Often, there are breakdowns in the processes and coordination between the company and the MSSP that result in attack activity occurring unnoticed. Not many organizations are focusing enough on this failure of detective controls to identify breach activity in a timely manner.

These two fronts—how long it takes to implement a patch, as well as detect a breach—inform the board’s cyber-risk oversight. Every organization should take a fresh look at the impact specific cybersecurity events can have and whether management’s response plan is properly oriented and sufficiently supported. For starters, directors should ensure they are satisfied with the elapsed time:

  • For patching identified system vulnerabilities;
  • Between the initiation of an attack and its ultimate discovery;
  • Between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact; and
  • Between the discovery of a significant breach and the undertaking of the required disclosures to the public, regulators, and law enforcement in accordance with applicable laws and regulations.
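The four intervals listed above, together with the patch-verification point (a pushed patch is not a mitigated risk until it is verified) and the dwell-time and third-party-detection figures mentioned earlier, can be tracked as plain metrics. The following is an added example, not code from the NACD post or from Protiviti: it computes those intervals over constructed vulnerability and breach records and flags anything exceeding assumed oversight targets. The record fields, the target values in `TARGETS`, and all sample dates are assumptions made for illustration.

```python
"""Elapsed-time metrics for board-level cyber-risk oversight (added example).

Computes patch time, dwell time, time-to-response and time-to-disclosure
over constructed records and flags intervals that exceed assumed targets.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed oversight targets in days; illustrative, not taken from the post.
TARGETS = {
    "patch_days": 14,       # notification -> verified patch
    "dwell_days": 30,       # attack start -> discovery
    "response_days": 2,     # discovery -> response plan initiated
    "disclosure_days": 30,  # discovery -> required disclosures made
}


@dataclass
class VulnRecord:
    vuln_id: str
    notified: date
    scanned: Optional[date]
    patched: Optional[date]
    verified: Optional[date]


@dataclass
class BreachRecord:
    breach_id: str
    attack_start: date
    discovered: date
    response_started: Optional[date]
    disclosed: Optional[date]
    detected_by: str  # "internal" or "third_party"


def days_between(start: Optional[date], end: Optional[date]) -> Optional[int]:
    """Whole days between two dates, or None if either is still missing."""
    if start is None or end is None:
        return None
    return (end - start).days


def patch_metrics(rec: VulnRecord) -> dict:
    """Same-day scan check plus notification-to-verification interval.

    A patch that was pushed but never verified is treated as still open,
    so it counts as exceeding the target."""
    scan_same_day = rec.scanned is not None and rec.scanned == rec.notified
    verified_days = days_between(rec.notified, rec.verified)
    return {
        "vuln_id": rec.vuln_id,
        "scan_same_day": scan_same_day,
        "patch_days": verified_days,
        "verified": rec.verified is not None,
        "exceeds_target": verified_days is None or verified_days > TARGETS["patch_days"],
    }


def breach_metrics(rec: BreachRecord) -> dict:
    """Dwell, response and disclosure intervals with a list of breached targets."""
    dwell = days_between(rec.attack_start, rec.discovered)
    response = days_between(rec.discovered, rec.response_started)
    disclosure = days_between(rec.discovered, rec.disclosed)
    flags = []
    if dwell > TARGETS["dwell_days"]:
        flags.append("dwell")
    if response is None or response > TARGETS["response_days"]:
        flags.append("response")
    if disclosure is None or disclosure > TARGETS["disclosure_days"]:
        flags.append("disclosure")
    return {
        "breach_id": rec.breach_id,
        "dwell_days": dwell,
        "response_days": response,
        "disclosure_days": disclosure,
        "detected_by": rec.detected_by,
        "flags": flags,
    }


def third_party_detection_rate(breaches) -> float:
    """Share of breaches first learned of from an outside party."""
    if not breaches:
        return 0.0
    return sum(1 for b in breaches if b.detected_by == "third_party") / len(breaches)


# Constructed sample records (not real incidents).
VULNS = [
    VulnRecord("VULN-A", date(2017, 3, 7), date(2017, 3, 7), date(2017, 3, 9), date(2017, 3, 10)),
    VulnRecord("VULN-B", date(2017, 3, 7), date(2017, 3, 12), date(2017, 3, 20), None),
]
BREACHES = [
    BreachRecord("BR-1", date(2017, 2, 1), date(2017, 6, 1), date(2017, 6, 5), date(2017, 7, 20), "third_party"),
    BreachRecord("BR-2", date(2017, 8, 10), date(2017, 8, 28), date(2017, 8, 29), date(2017, 9, 15), "internal"),
]


def oversight_summary(vulns=VULNS, breaches=BREACHES) -> dict:
    """Roll-up a board could review: per-record metrics plus the third-party rate."""
    return {
        "vulns": [patch_metrics(v) for v in vulns],
        "breaches": [breach_metrics(b) for b in breaches],
        "third_party_detection_rate": third_party_detection_rate(breaches),
    }


if __name__ == "__main__":
    for row in oversight_summary()["vulns"] + oversight_summary()["breaches"]:
        print(row)
```

The unverified record (`VULN-B`) is deliberately reported as exceeding the patch target even though a patch was pushed; that is the distinction the text draws between pushing a patch and confirming the risk is mitigated.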

Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image beg for careful oversight.

Boards Can Do More to Align on Cybersecurity


Organizational cybersecurity is one of the biggest challenges facing companies today. The most recent in a string of headline-grabbing data breaches involved U.S. credit-reporting company Equifax, an event that exposed the private information of some 143 million customers. Grilled on Capitol Hill about the episode, Equifax’s chair and CEO said that “mistakes were made” in the company’s response to the attack, which has prompted dozens of private lawsuits and precipitated a drop in the company’s share price.

As corporate directors are ultimately responsible for their companies’ future, the urgency to address cyber risk is accelerating. There is general agreement across the C-suite that cyber risk is a top priority, according to a recent Marsh global survey regarding corporate cyber risk perception. But survey results also revealed that there is less alignment inside companies regarding how cyber risk is reported to corporate directors and about what is most important.

The Information Disconnect Between Board and C-Suite

When survey respondents were asked what type of reporting on cyber risk the board of directors received, something surprising surfaced. For every type of report we asked about, respondents who indicated they were corporate directors said they received far less information than respondents from the C-suite said they were supplying to directors.


For example, 18 percent of surveyed directors said they received information about cybersecurity investment initiatives. Yet 47 percent of chief risk officers, 38 percent of chief technology or information officers, and 53 percent of chief information security officers said they were already providing reports to board members on investment initiatives.

Whether it’s optimizing risk finance through insurance or other resiliency measures, such investment initiatives are critical to preparing for an attack as well as to managing an incident. Organizations need to ensure that board members are receiving—and carefully reviewing—this vital information.

Tellingly, corporate directors say the type of cyber risk reporting they most often receive consists of briefings on “issues and events experienced.” It’s clearly important for any corporate director to learn about cybersecurity incidents that the company has faced, but it is an after-the-fact activity. There are a number of reasons for boards to be most cognizant of the material they receive regarding an event that has already happened.


The survey’s C-suite respondents listed “cyber program investment initiatives” as the type of reporting their boards were most likely to be receiving. But with fewer than one-in-five corporate directors saying they received such reports, there is an issue that needs to be addressed, especially given that understanding—and directing—corporate investment in cybersecurity is a key to building effective resiliency measures.

No Incident Can Be Completely Avoided

Many boards seem to focus their oversight on security activities over resiliency best practices. For example, a high number of corporate directors in our survey said their organization did not have a cybersecurity incident response plan. Why? The top reason cited was that “cybersecurity/firewalls are adequate for preventing cyber breaches.” C-suite respondents did not share the same view.


As firm after firm, of all sizes and across geographies, has fallen prey to attacks, the belief that one can have enough defenses in place to completely avoid a cybersecurity incident has been widely debunked by real-world events. Thus, the mantra among the organizations with the most sophisticated cyber-risk management programs is: “It’s not a matter of if you will be breached, but when.”

Cyber threats are constantly evolving and the potential threat actors are multiplying. No organization is impenetrable, no matter how strong its security posture may be.

Strong Companies Are Already Preparing for GDPR

One of our key findings regarding corporate readiness involves the lead-up to the EU’s General Data Protection Regulation (GDPR), which is scheduled to take effect in May 2018.

We found that companies that are already preparing for GDPR are doing more to address cyber risk overall than those that have yet to start planning. Survey respondents who said their organizations were actively working toward GDPR compliance—or felt that they were already compliant—were three times more likely to adopt overall cybersecurity measures and four times more likely to adopt cybersecurity resiliency measures than those that had not started planning for GDPR. This is happening despite the fact that the GDPR does not showcase a “prescriptive” set of regulations with a defined checklist of compliance activities. Instead, GDPR preparedness appears to be both a cause and consequence of overall cyber-risk management strength.

The most forward-looking corporate boards recognize the GDPR compliance process as an opportunity to strengthen their organizations’ overall cyber risk management posture on a much broader level, effectively transforming regulations that might previously have been viewed as a constraint into a new competitive advantage.

The lesson here—even for directors of organizations not subject to the GDPR—is that good cyber-risk oversight requires engaging on a number of fronts, both defensive and responsive. Whether it’s playing an active role in attracting highly-skilled talent, seeking cross-functional enterprise alignment on priorities, or viewing regulatory compliance as part of a holistic plan, an engaged board can make the critical difference in how a company assesses, reports on, and addresses the impact of cyber risk on the company.

To receive a copy of Marsh’s report, GDPR Preparedness: An Indicator of Cyber Risk Management, click here.

The Auditor’s Report: Reading Between New Lines


Alexandra R. Lajoux

Now that the U.S. Securities and Exchange Commission (SEC) has released an order approving the Public Company Accounting Oversight Board’s (PCAOB) new rules on the auditor’s report, what items should the audit committee and shareholders look for there?

The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion and Related Amendments to PCAOB Standards, released by the PCAOB June 1 and approved by the SEC October 23, contains five main changes, including one that requires careful reading between the lines.

As NACD summarized in a recent brief to its members, the new PCAOB standard will require auditors to:

  • Standardize the format of the auditor’s report, placing the auditor’s opinion in the first section of the auditor’s report, followed by the basis for the opinion. This change makes the auditor’s opinion easier to find in the auditor’s report.
  • Disclose the auditor’s tenure, stating when the audit firm began its current service to the company. This new requirement comes in lieu of limiting audit firm tenure through mandatory audit firm rotation, a concept NACD and others have rejected in the past.
  • State that the auditor is required to be “independent.” This requirement is intended to strengthen shareholder confidence in the auditor’s report, possibly as an offset to the tenure disclosure, if it reveals that the auditor has been serving the client for more than a quarter century, for example.
  • State that the financial statements are free from material misstatements “whether due to error or fraud.” This change aligns with other recent or pending regulations on error vs. fraud, such as the proposed executive pay clawbacks rule still pending under Dodd-Frank, which mandated disgorgement of performance-based pay after financial restatements even if restatements were due to error rather than to fraud.
  • Report on critical audit matters (CAMs), defined as “matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment.” A number of commenters said that the CAMs mandate is “redundant” with existing reports, which already reveal the required information. See for example NACD’s comment to the PCAOB or State Street’s comment.

The key letter in CAM is M, for material. For those who may wonder what may be “material” to the financial statements, join the club. The SEC has still never defined this term, leaving this job to the courts as they interpret federal securities laws.

The going definition of “material” is more than 40 years old. The SEC release cites TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976), in which the U.S. Supreme Court states that a fact is material if there is “a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” In that same case, the Supreme Court said that determining materiality requires “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him . . .”

Such wisdom is not lost on the PCAOB and SEC. In its June 1 release, the PCAOB cites as CAMs the auditor’s evaluation of the company’s “goodwill impairment assessment” and, more broadly, the auditor’s assessment of the company’s “ability to continue as a going concern.” These two examples are material to financial statements. By contrast, the following two examples are not material to the financial statement: a loss contingency already discussed with the audit committee and “determined to be remote;” and a “potential illegal act.”

Audit committees need to ensure that their auditors are in a position to recognize critical audit matters, and to learn from those matters. But this does not mean looking for problems where there are none.

Significantly, SEC Chair Jay Clayton had this to say about the new standard:

“I would be disappointed if the new audit reporting standard, which has the potential to provide investors with meaningful incremental information, instead resulted in frivolous litigation costs, defensive, lawyer-driven auditor communications, or antagonistic auditor-audit committee relationships — with Main Street investors ending up in a worse position than they were before.

I therefore urge all involved in the implementation of the revised auditing standards, including the Commission and the PCAOB, to pay close attention to these issues going forward, including carefully reading the guidance provided in the approval order and the PCAOB’s adopting release.”

To Chairman Clayton’s point, the SEC makes this point in its approval order:

“As the [PCAOB] notes, in order to succeed, any claim based on these new statements would have to establish all of the elements of the relevant cause of action (e.g., when applicable, scienter, loss causation, and reliance). Moreover, as discussed above, CAMs could be used to defend as well as initiate litigation. … However, because of these risks and other concerns expressed by commenters, we expect the Board to monitor the Proposed Rules after implementation for any unintended consequences.” (SEC approval order, pp. 32–33)

Shareholders and others should read between the lines of the auditor’s report (appreciating the regulations behind it), but they should not expect auditors to “look under rocks” to find problems. That is the job of management, internal control, and the audit committee. The auditor’s job is to focus on the audit of the financial statements to ensure that they conform to generally accepted accounting principles (GAAP). Given the complexity of GAAP, that is a big enough job as it is.

The CAM standard can’t be mastered overnight and won’t be required any time soon. Auditors of large accelerated filers will not be required to adopt CAM changes until audits of fiscal years ending on or after June 30, 2019—with audits of all remaining filers to adopt CAM changes for fiscal years ending on or after December 15, 2020.

By contrast, all the other changes will apply to audits of fiscal years ending on or after December 15, 2017. That means, essentially, that auditors must work on this immediately, since most companies they are working with right now have fiscal years ending December 31, 2017. (According to Audit Analytics, 71 percent of public companies have a fiscal year ending December 31.)

So now is the time to prepare for the changes! In its above-cited report on the new rule, NACD prepared questions for directors to ask, along with related resources.

Questions for Boards

  • For which fiscal year will our auditor first be required to report on CAMs?
  • What areas during the audit do we anticipate our auditor will find challenging, subjective, or complex—and how can we preemptively address those concerns?
  • How will the auditor’s insights in the newly expanded report affect our ongoing work as we prepare the audit committee report for the proxy and review risk disclosures in the annual report on Form 10-K?
  • How will it shape our meeting with auditors, who themselves have extensive standards for their communications with audit committees?
  • How might our company need to adjust our year-end reporting calendar in order to file the 10-K on time?

NACD Resources: See NACD’s commentary on this topic to the PCAOB in the Corporate Governance Standards Resource Center, and visit NACD’s Audit Committee Resource Center for a repository of content related to leading practices for the audit committee. Register for the KPMG webinar “What You Need to Know About the New Auditor Reporting Model” on Thursday, November 9, and review the Center for Audit Quality’s recent alert “The Auditor’s Report—New Requirements for 2017.”

Why You Should Care About Climate-Competent Boards


Vanguard Group CEO William F. McNabb III just completed the list. The world’s top three asset managers—Blackrock, Vanguard, and State Street Corp.—are now calling on the companies that they invest in to adopt climate risk disclosure.

Veena Ramani

In a recent open letter to corporate directors across the globe, McNabb explained that Vanguard, the $4.5 trillion mutual-fund management firm, expects businesses to embrace materiality-driven disclosures to shine more light on sustainability risks.

Summing up the challenge of climate risk, McNabb wrote that it’s the kind of risk that tests the strength of a board’s oversight and risk governance. That’s the crux of the challenge for directors. As investors ratchet up the pressure on companies to analyze their exposure to the impacts of a warming planet, they’re calling on boards to be knowledgeable about material climate risk and capable of preparing for its impacts and capitalizing on its opportunities.

As we heard in Karen Horn’s opening keynote of NACD’s 2017 Global Board Leaders’ Summit, directors can no longer ignore the inherent impact of these issues on the long-term value creation of the corporate world, ranging from climate risk and natural resource capital to the implications of the Paris Climate Agreement.

This growing scrutiny has directors’ attention—especially after a high-profile vote in May by nearly two-thirds of Exxon Mobil Corp.’s shareholders demanding an analysis of climate risks. The number of directors who think that disclosure of sustainability risk is important to understanding a company’s business jumped to 54 percent in 2017 from 24 percent last year, according to a survey of 130 board members by the accounting firm BDO USA.

Board-level competence around climate change and other sustainability risks is the way forward. Through an understanding of what climate change means, why it matters to their business, and what their organizations are capable of changing, directors can successfully make climate risk part of their governance systems.

In a new report by Ceres called Lead from the Top, we outline ways that companies and boards can build up that competence.

But rather than settling for bringing on a single director who is competent in sustainability, our report explains why companies must work to build an entire board that is competent to oversee these risks. By engaging thoughtfully on material sustainability risks as one cohesive body, this kind of board is able to ask the right questions of its management, support or challenge senior management as needed, and ultimately make informed and thoughtful decisions affecting corporate strategy and risk.

We identified three key principles that companies and boards can use as they work to build a sustainability-competent board:

1. Sustainability needs to be integrated into the director nomination process. Finding directors who can apply their knowledge about climate and other sustainability risk to relevant board deliberations is a good first step. Companies can get the right people on board by approaching this systematically as a part of the board nominations process, specifically identifying experience in material environmental, social, and governance (ESG) risks in the board skills matrix and by casting a wide net to consider candidates with diverse backgrounds and skills.

2. The whole board needs to be educated on sustainability issues that impact their company. For sustainability to become part of the fabric of board oversight and integrated into decision-making on strategy, risk, and compensation, all directors on the corporate board need to be well informed on material sustainability issues so they can lead thoughtful deliberations and make strategic decisions. Companies can do this through focused, ongoing training programs that bring in experts from outside the company and by educating the board on the connections between climate change and material impacts and the connections to risk and strategy. Embedding ESG into the existing board materials so it does not become one additional issue topic to vie for directors’ attention is essential. Sustainability managers embedded within companies can play a key role in driving this integration.

3. Boards should directly engage a diverse array of stakeholders, including investors, on sustainability issues impacting their company. With more investors paying attention to climate change and other sustainability issues, shareholders increasingly expect boards to engage directly with them on critical issues. One of the goals of McNabb’s letter was to nudge directors to engage directly with shareholders. Given this growing focus, material environmental and social factors should be made a part of any dialogue between directors and investors.

It all comes down to the bottom line. Risk and opportunity define business. Corporate boards will have a difficult time performing their fiduciary duty to the companies they lead and the shareholders that they represent without understanding the risks and opportunities created by climate change. Our report lays out practical steps directors can take as they consider how to make their board competent in addressing climate change and other environmental, social, and governance issues.


Veena Ramani is the program director of Capital Market Systems at Ceres. Ceres is a sustainability nonprofit organization working with the most influential investors and companies to build leadership and drive solutions throughout the economy.

NACD Staff Gives Back


This past Friday, October 20, National Association of Corporate Directors (NACD) staff packed up and readied itself for a big move. After five years on Pennsylvania Ave., NACD’s national office relocated across the Potomac River to Arlington, Virginia. NACD staff turned what could have been a stressful moving day into an opportunity to give back to the community that it works in through its first Day of Service.

Packaging food for delivery

Serving hot meals on a mobile food kitchen

President and CEO Peter Gleason championed NACD’s Day of Service as a way to involve staff in volunteer activity and to demonstrate that the organization is dedicated to supporting and improving the lives of others. NACD spent time with several worthy local nonprofit organizations, including:

  • Martha’s Table, an organization that seeks to provide healthy meal and food programs for children and their families. For over 37 years, Martha’s Table has worked to support children, families, and neighbors by making healthy food and quality learning more accessible.
  • DC Central Kitchen, whose mission is to use food as a tool to strengthen bodies, empower minds, and build communities. This organization provides culinary training for jobless adults and then hires them to prepare 3 million meals annually for homeless shelters, schools, and nonprofits.
  • Capital Area Food Bank, an organization working to solve hunger, chronic malnourishment, heart disease, and obesity. It provides 540,000 people in and around the nation’s capital access to healthy food annually.
  • Arlington Food Assistance Center, which obtains and distributes groceries directly and free of charge to those in Arlington who cannot afford them.
  • Food & Friends, whose vision is to provide meal delivery to people with HIV/AIDS, cancer, and other serious illnesses who have limited ability to provide nourishment for themselves. Their simple premise is that anyone can get sick and everyone can help.

Organizing food for a “market day” at an elementary school

One group of NACD volunteers reported back from Martha’s Table with this experience:

“Our crew of four baked about 230 muffins in one afternoon for our Day of Service assignment. Martha’s Table is a charity that has various aims, including introducing healthy eating to those who might not have access to traditional resources, such as the homeless. Their mobile soup kitchen, McKenna’s Wagon, provides meals daily to the homeless at various locations. The muffins we baked and packaged were destined to go on the truck Friday night as dessert for those that McKenna’s Wagon served. We had a lot of fun baking at Martha’s Table. We had a recipe for apple spice muffins and an aggressive timeline to meet! Everyone pitched in, bonded, and encouraged each other. It was a rewarding experience.”

Baking for a mobile soup kitchen

Do you know a deserving organization in the metropolitan Washington, DC area that could use volunteers in the future? Make your suggestion by leaving us a comment.
