Boards & Governance

Directors Discuss the Business Implications of Social Media and AI

NACD Blog Feed -

The rapid pace of technological advancements is causing tectonic shifts in the business risk landscape. Social media and artificial intelligence (AI) in particular are causing directors to reconsider how they think and talk about risk. Consequently, these topics were the focus of the first part of a roundtable discussion on the next generation of risk hosted by EisnerAmper LLP and the National Association of Corporate Directors (NACD) in New York last week.

Thomas Jones

There is an abundance of examples of companies that sustained severe reputational damage after being caught in the center of a social media storm. Most recently, credit reporting company Equifax made headlines after the company disclosed that it was the subject of a major data breach that compromised the information of roughly half of the U.S. population. The company’s offering of free credit monitoring to affected customers only made matters worse: several print and digital news outlets, including The New York Times, analyzed the terms of the offer, which suggested that by signing up for the service, a person relinquished his or her right to take legal action against Equifax. While the company later changed the legal language in another effort to assuage public concern, reestablishing its trustworthiness may be more of an uphill battle.

“Some of these things would have always been in the news, but the amount of time and the quickness with which news reaches an audience is unbelievable,” EisnerAmper Audit Partner Steven Kreit observed. “Boards need to make sure there’s a social media strategy throughout the company. Boards need to ask management what it has planned for and make sure they can react to those issues as they come up. It’s also important to have policies around social media. What is the CEO allowed to say? Are they allowed to have personal accounts and use that to disseminate company information?”

Jeannie Diefenderfer

When attendees were asked if they knew their company’s social media policy backwards and forwards, few indicated that they did—but there was some debate as to how necessary this is. “I don’t think it’s appropriate for a board member to know the details of what the policy is,” one director opined. “What the board needs to know is that there’s a policy and that employees know what they can and cannot say about the company.”

Kreit agreed. “You don’t want to get too far into the weeds,” he said, “but a CEO may react to something in the middle of the night and that response may harm the company. And board members need to make sure the company doesn’t get hurt.”

While most of the discussion focused on preparing for the worst, one attendee observed that a company response plan that is effectively used to respond to negative feedback on social media can not only curb a damaging situation, but help to restore trust in the company.

Discussion then turned to AI. Here, some companies are ahead of the curve in applying technology that has the power to parse through massive amounts of data to make a determination about something. Take, for example, IBM’s Watson (the supercomputer that famously competed on the game show Jeopardy!), facial recognition software, and self-driving cars. The risk is that AI is advancing rapidly as a disruptor across nearly every industry. If a company isn’t paying attention now, the competition will leave it in the dust later. But AI is a broad subject area and identifying the elements that are most relevant to a board agenda—namely the risks—can initially seem daunting.

“These are conversations I rarely hear discussed around the boardroom table,” Kreit remarked. “And these are risks that keep changing.”

“An interesting exercise is to look at risk factors in public disclosures,” one attendee said. “We look at competitors and it’s easy to see what risks they are identifying in the same industry.”

“In the conversations I’ve had, it isn’t so much about whether the machine will do its own thing and crush humans as much as asking what fundamental technology are we not using to help us be more competitive and customer-focused,” one attendee offered. “The other thing is, technologists sometimes rely too much on technology. At some point, a human being has to put subjectivity in the mix to make sure the automated methodology you employed doesn’t come back and bite you. This conversation comes through the CISO [chief information security officer] on my board as well as the CTO [chief technology officer] together.” Another director remarked that these discussions take place on the audit committee level.

“It’s important to not think about technology and risk without it being an integral part of the strategy discussion,” another director piped in. “If it isn’t, I think it becomes an academic conversation and you’re walking ahead with one eye open and one eye closed.”

To this end, and in closing this portion of the roundtable, another attendee remarked on how board composition is critical in positioning the board to oversee this issue in the years ahead. “If you don’t have enough forward-looking people with experience from other industries, you’re doomed. Look at who you’re working with and have some sense of what you are [as an organization], what you want to be, and how you’re going to get there.”

 

Next week, the NACD Board Leaders’ Blog will feature roundtable discussion highlights that explore geopolitical and regulatory risks.

Revisiting Four Disruptive Trends from CES

Back in January I reported on some of the innovative trends that I saw on my trip to the Consumer Electronics Show (CES). Nine months on, the evidence of those technologies’ impact is everywhere. I expect these disruptive innovations to be front and center this January, when the National Association of Corporate Directors (NACD) will host a small group of our members for a directorship-centric tour of CES, along with an exploration of the implications for strategy development and risk oversight.

While January is still four months away, we have been talking about these changes across our education events all year, including at the forthcoming Global Board Leaders’ Summit.

Here are a few examples of how these trends are manifesting.

Artificial intelligence (AI) technology continues its march into the mainstream. Autonomous vehicles give us one window into how AI is fueling disruption and industry change. Self-driving cars have the potential to save thousands of lives. That mission is part of what inspired Sebastian Thrun to found X, Google’s semi-secret moonshot laboratory, to focus on the technology. Self-driving cars’ potential to disintermediate is largely unanticipated by most businesses outside of the automotive manufacturing and services industry.

At our August Master Class, Travelocity.com founder Terry B. Jones laid out a landscape of compelling examples of disruptions that will be caused by self-driving vehicles. “People say, well, the technology’s going to disrupt insurance and surely it will,” Jones said. “But it’s also going to disrupt hospitals. The number one reason people go to the emergency room is car wrecks. We’re not going to have car wrecks anymore. It’s going to disrupt hotels. You’ll just stay in the car and sleep while it drives. It’s going to disrupt police—we won’t need traffic tickets.”

Extend Jones’ last point about a decrease in traffic tickets to red light cameras and then consider that in 2015, municipalities collected more than $6 billion in revenue from speeding tickets alone. Self-driving cars could bankrupt whole cities that do not have the foresight to create new revenue sources.

Finally, remember the Mercedes self-driving delivery van complete with roof-mounted drones we talked about from CES this year? Turns out, when it comes to dinner, the aircraft are optional: last month Domino’s Pizza and Ford Motor Co. announced a partnership to test pizza delivery via autonomous vehicles.

The increasing level of cooperation between companies across verticals is changing the very nature of industries themselves. The acquisition of Whole Foods Market by Amazon.com has fueled anxiety across industries and driven once unlikely bedfellows to team up, spawning, among other things, a new partnership between Wal-Mart and Google. Part of the urgency behind the Google–Wal-Mart partnership is the dual realization that voice-enabled shopping is the future of retail, and that Amazon now has a significant advantage over both companies in that space. Amazon is forecast to have 70 percent of the voice-enabled speaker market this year.

As noted at CES, the increasing amount of technology in vehicles has effectively transformed cars into giant computers on wheels, forcing companies from Ford to Honda Motor Co. into an identity crisis. When considering the question, “Are we a technology or a car company,” increasingly the answer is “yes.”

At our Master Class in August, Bonny Simi, a director of Red Lion Hotels and the head of ventures for Jet Blue, explained how the airline missed an early opportunity to partner with and invest in a small car ridesharing startup that eight years later has a valuation nearly ten times that of the airline’s market cap. “At the time when the startup approached us, we didn’t think it was relevant to our business because we saw ourselves as an airline,” Simi noted. “We’ve realized we need to think of ourselves as a travel company.”

The next generation of disruption is about more than technology. Don’t underestimate social and demographic shifts in the market, and the power of changing attitudes and norms to create new competition. Younger consumers have different ideas when it comes to everything from privacy to shopping. The rise of companies like Lyft and Airbnb was enabled by mobile technology, but it was also made possible by a generation of younger people who didn’t hold traditional, sometimes negative attitudes about sharing a home, a car, or even a dress, with a stranger.

At last year’s spring Master Class, Peter H. Coors, former chair of the Molson Coors Brewing Co. and chair of MillerCoors, talked about how millennials’ distaste for big brands and an embrace of the small and bespoke was driving sales away from MillerCoors towards smaller, local craft beers. Younger consumers’ preference of supporting local and small businesses presents a threat to larger food and beverage producers.

Younger people are also turning to alternative payment methods. This year at another Master Class session, Jones shared a story about his 20-something, newly married daughter. Since she and her husband had not yet merged their finances, they were sharing money via online payment platforms. When they went into their local branch of a Fortune 500 bank to get a loan, “the loan officer demanded to know who this guy Venmo was that they had been sending so much money to.” The message, especially to more established companies, is that “the way you’ve always done it” isn’t going to win the day moving forward. Don’t overestimate the long-term viability of legacy products and systems.

The complexity of risk will continue to grow exponentially. Acclaimed technology guru Shelly Palmer focused on this concept heavily both at CES and when he addressed our members at the NACD Technology Symposium in Silicon Valley this past July. “The velocity of data is increasing and will always increase, then the value of that data is going to decrease because there’s just too much of it,” Palmer said. “You’re going to have to sort this out in some way.”

To illustrate his point, Palmer then showed a pond half full of lily pads. He asked the audience the following: if the growth doubled every day until day 30, what day was shown on the slide with the pond half full? The answer was day 29. “Human beings do not think exponentially,” Palmer pointed out. “We think in a linear way. The question is, when is it day 29 for any of the things you’re working on? That’s the speed with which technology is coming at you… You don’t need to manage change. You need to be in a mode of continuous improvement and adaptation.”

When you consider the risk side of so much interconnected data, it raises the stakes for everything from privacy to cyber-risk oversight. Companies that don’t have their eye firmly on the ball face consequences with increasingly higher-stakes implications for their business.

Questions to Ask Management

Directors would be wise to begin pressing their management team for briefings on their strategic plans. Below are several questions you could pose at your next board meeting.

  • Have we considered how these forces can provide a strategic advantage to us, either by creating new revenue streams or new efficiencies?
  • Have we considered the risks to our business, including how we could be disintermediated or how a particular disruptive force might create competition including from unlikely or unforeseen sources?
  • How are we thinking about innovation? Are we good at fostering it in house or should we look to outside partnerships to supercharge our efficiencies, products, and capabilities?
  • What are we doing internally, including review of compensation and incentive plans, to ensure new ideas get an open and fair hearing and aren’t killed off internally by managers who may not want to upset the status quo?

 

Are you ready to attend NACD’s CES Experience in January? Register now to be considered for a place in this exclusive tour that will highlight exciting disruptive innovations.

Hacking Back Will Hold Companies Back

Corey E. Thomas

Undergraduate, graduate, and professional students of cybersecurity from around the world gathered earlier this year to participate in a cybersecurity competition that simulated the international policy challenges associated with a global cyberattack. While the goal was to practice sound policy decisions, the majority of competing teams unintentionally led the U.S. into starting an international war. Given a variety of diplomatic and other means of responding to cyberattacks, participants largely took the aggressive approach of hacking back in response to cyberattacks from China, and to disastrous consequences.

While the competition’s participants are all students today, they may well go on to be corporate directors and government leaders of tomorrow. Based on current debate about how organizations in the private sector should respond to cyberattacks, it seems the actions taken by these students may well be representative of a broader trend. In fact, there is enough of a push for organizations to be legally authorized to “hack back” that earlier this year a member of Congress proposed a bill to empower people “to defend themselves online, just as they have the legal authority to do during a physical assault.”

As a business leader, I believe this measure would do more harm than good.

What Is Hack Back?

Hack back, which is sometimes called counterstrike, is a term used to refer to an organization taking offensive action to pursue, and potentially subdue, cyberattackers that have targeted them. For the purposes of this article, I am specifically talking about action taken by private sector organizations that affects computers external to their own network. We are not discussing government actions, which tend to occur within existing legal frameworks and are subject to government oversight.

Hack back activities go beyond defensive measures that organizations may put in place to protect their environments. It is generally understood that hack back activities extend beyond the victim’s own network, systems, and assets, and may involve accessing, modifying, or damaging computers or networks that do not belong to the victim. Directors should note that today it is illegal under the Computer Fraud and Abuse Act for private parties to access or damage computer systems without authorization from the technology owners or an appropriate government entity, even if these systems are being used to attack you. That is what proponents of hack back want to change, and the proposed bill goes some way towards doing this.

The Case for “Self Defense”

In response to the legal restriction, proponents of a law to legalize hacking back at cyberattackers often argue that the same principle should apply as that which allows US citizens to defend themselves against intruders in their homes—even with violent force. While it may sound reasonable to implement equal force to defend a network, the Internet is a space of systems designed specifically for the purpose of interacting and communicating. Technology and users are increasingly interconnected. As a result, it’s almost impossible to ensure that defensive action targeted at a specific actor or group of actors will only affect the intended targets.

The reality of the argument for hacking back in self-defense is unfortunately more akin to standing by your fence and lobbing grenades into the street, hoping to get lucky and stop an attacker as they flee. With such an approach, even if you do manage to reach your attacker, you’ll almost certainly cause terrible collateral damage. Can your organization afford to clean up such a mess? What would be the repercussions for your reputation and position in the marketplace?

Blame Game

Another significant challenge for private sector organizations looking to hack back is that, unlike governments, they typically do not have the large-scale, sophisticated intelligence gathering programs needed to accurately attribute cyberattacks to the correct actor. Attackers constantly change their techniques to stay one step ahead of defenders and law enforcement, including leveraging deception techniques. This means that even when there are indications that point to a specific attacker, it is difficult to verify that they have not been planted to throw off suspicion, or to incriminate another party.

Similarly, it is difficult to judge motivations accurately and to determine an appropriate response. There is a fear that once people have hack back in their arsenal, it will become the de facto response rather than using the broad range of options that exist otherwise. This is even more problematic when you consider that devices operating unwillingly as part of a botnet may be used to carry out an attack. These infected devices and their owners are as much victims of the attacker as the primary target. Any attempt to hack back could cause them more harm.

The Security Poverty Line

Should hack back be made a lawful response to a cyberattack, effective participation is likely to be costly, as the technique requires specialized skills. Not every organization will be able to afford to participate. If the authorization framework is not stringent, many organizations may try to participate with insufficient expertise, which is likely to be either ineffective or damaging, or potentially both. However, there are other organizations that will not have the maturity or budget to participate even in this way.

These are the same organizations that today cannot afford a great deal of in-house security expertise and technologies to protect themselves, and currently are also the most vulnerable. As organizations that do have sufficient resources begin to hack back, the cost of attacking these organizations will increase. Profit-motivated attackers will eventually shift towards targeting the less-resourced organizations that reside below the security poverty line, increasing their vulnerability.

A Lawless Land

Creating a policy framework that provides sufficient oversight of hack-back efforts would be impractical and costly. Who would run it? How would it be funded? And why would this be significantly more desirable than the status quo? When the U.S. government takes action against attackers, it must meet a stringent burden of proof for attribution, and even when that has been done, there are strict parameters determining the types of targets that can be pursued, and the kind of action that can be taken.

Even if such a framework could be devised and policed, there would still be significant legal risks posed to a variety of stakeholders at a company. While the Internet is a borderless space accessed from every country in the world, each of those countries has its own legal system. Even if an American company was authorized to hack back, how could you ensure your organization would avoid falling afoul of the laws of another country, not to mention international law?

What Directors Can Do

The discussion around hacking back so far has largely been driven by hyperbole, fear, and indignation. Feelings of fear and indignation are certainly easy to relate to, and as corporate directors, powerlessness does not sit well with us. It is our instinct and duty to defend our organizations from avoidable harm.

The potential costs of a misstep or unintended consequences from hack back should deter business leaders from undertaking such an effort. If another company or a group of individuals is affected, the company that hacked back could find itself incurring expensive legal proceedings, reputational damage, and loss of trust by many of its stakeholders. Attempts to make organizations exempt from this kind of legal action are problematic, as they raise the question of how we can spot and stop accidental or intentional abuses of the system.

It’s one thing for students to unintentionally trigger war in the safe confines of a competitive mock scenario, and another thing entirely to be the business leader that does so in the real world. Directors of companies must instead work together to find better solutions to our complex cybersecurity problems. We should not legitimize vigilantism, particularly given the significant potential risks with dubious benefits.

 

Corey Thomas is CEO of Rapid7. All opinions expressed here are his own.

Sustainability and Social Responsibility: Considerations and Tools for Boards

Ashley Marchand Orme

Learning how to implement sustainable business practices can be challenging for companies in any industry, and boards may wonder how to integrate sustainability issues into discussions with management. NACD has compiled a set of resources offering practical information to help boards discuss climate-related risks, as well as opportunities associated with environmentally- and socially-sustainable business practices.

The first step is to assess why sustainability and social responsibility are such hot topics for the boardroom. Two important factors to consider are the political environment and shareholder expectations.

Signals From the Current Administration

President Donald J. Trump in June announced that the United States would be withdrawing from the Paris climate agreement, an international deal in which 191 countries have pledged to work toward goals to restrict the increase in temperatures globally to less than 2.0°C and reduce the amount of greenhouse gases being created.

The president in April also signed an executive order aimed at “promoting energy independence and economic growth,” curtailing federal environmental regulations. The order instructs the Department of the Interior to lift former President Obama’s ban on coal leasing activities on federal land.

Watchdog group Environmental Integrity Project recently reported that this year, the Trump administration, when compared to the prior three presidential administrations in the same period, has collected approximately 60 percent less in fines from companies’ violations of pollution-control regulations.

Opposing Pressure From Shareholders

Despite strong signals from the current administration that enforcement of environmental-related regulations will decrease over time, shareholders are applying an opposing pressure on corporations.

More than half (56%) of shareholder proposals introduced this year on proxy ballots related to social, environmental, or policy issues, and Proxy Monitor reports that this proportion is the highest it has seen since it began tracking such data in 2006.

Shareholder proposals relating to environmental and social issues 10 years ago sought fairly basic changes such as increased clarity into companies’ environmental policies. The proposals now seek, for example, enhanced disclosures around what the company is doing to manage climate risks and how executive pay links to sustainability initiatives, the Wall Street Journal reports.

Proposals about environmental issues received a record-breaking average of 27 percent support this year, according to Proxy Monitor. That percentage was 21 percent last year and fell in the teens before that.

Meanwhile, State Street Corp., a global financial services and investment management firm with $2.47 trillion in assets under management, published a report earlier this year in which it found that traditional obstacles (like the lack of quality data about ESG) to investing more heavily in companies that prioritize ESG initiatives are diminishing.

“Over the long-term, environmental, social and corporate governance issues can have a material impact on a company’s ability to generate returns,” Ron O’Hanley, president and CEO of State Street Global Advisors, said in a press release.

NACD’s Responses

Given the increasing expectations of shareholders and NACD’s continued focus on long-term value creation—a focus that requires a sustainability-focused mindset—NACD has curated its Resource Center: Sustainability and Social Responsibility.

Resource centers are repositories for NACD content, services, and events related to top-of-mind issues for directors. In these resource centers, individuals can find practical guidance, tools, and analyses on subjects varying from board diversity to cyber-risk oversight. Below we have highlighted a sample of helpful materials from our new resource center on sustainability and social responsibility.

Thought Leadership & Research

The resource center features a handbook called Oversight of Corporate Sustainability Activities—part of the NACD Director’s Handbook Series—that offers guidance aimed at strengthening the board’s oversight of sustainability issues.

The handbook, produced in conjunction with EY, centers around four key recommendations:

  • Directors should understand the company’s definition of sustainability in the context of the company’s strategy and specific circumstances.
  • The board and management should align on the sustainability message and information the company chooses to report publicly.
  • Boards should clarify roles for oversight responsibility for sustainability activities, including external reporting.
  • Directors need to establish parameters for sustainability reporting to the board regarding the information required to support robust discussions with management.

Expert Commentary

A number of items included in the resource center provide expert commentary on myriad issues related to sustainability and social responsibility. A favorite of mine is “Living in a Material World,” an article written by Veena Ramani, program director of the Capital Markets Systems, at sustainability-focused nonprofit Ceres.

Ramani discusses the corporate director’s critical role in engaging with management over which sustainability issues are material for the enterprise. She offers four suggestions for board members who want to address the materiality of certain sustainability risks.

Boardroom Tools & Templates

The resource center houses several tools and templates to assist directors as they oversee sustainability-related risks and opportunities. One such tool is the “Self-Assessment: Is Your Board Sustainability-Ready?” evaluation. Directors can answer a set of questions to gauge their board’s level of engagement—or lack thereof—in sustainability oversight.

Videos and Webinars

The NACD BoardVision—Sustainability Oversight video in the resource center features a candid discussion by EY subject matter experts Brendan LeBlanc and Kellie Huennekens on how investors are engaging with boards around sustainability and social responsibility issues. (A transcript of the video is also available here.)

Conclusion

Our hope is that you find this resource center useful and visit it often. We will continue to update it regularly with new and interesting content. If you would like help finding resources on a specific subject matter, please let us know. We welcome the opportunity to engage with directors on pressing needs and concerns.

A Message to Our Members in Florida

Peter Gleason

Dear members of the NACD Florida family:

As Hurricane Irma made landfall Sunday morning, I watched the devastation unfold in fear. As the destructive path moves north, I can only hope that all of our families, friends, and loved ones have heeded the warnings of officials and moved to safer areas, or that they have found safe shelter if evacuation wasn’t possible. Unfortunately, this storm is predicted to keep moving and it will likely bring heavy damage to more areas in the southeastern region of our country. Our thoughts and prayers are with everyone in the state of Florida and in the southeastern United States, including the many members of the NACD Family who reside there.

All my best,

Peter R. Gleason
President & CEO

Does Your Enterprise Risk Management Make a Difference?

Jim DeLoach

Now that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released its updated framework on enterprise risk management (ERM), it’s time for companies to take a fresh look at their risk management practices. While the concepts in the update aren’t new, the emphasis is markedly different, with a focus on what’s really important in maximizing the value of ERM.

In recent years, ERM implementations have generally focused on three questions:

  1. Do we know what our key risks are?
  2. Do we know how they’re being managed?
  3. How do we know?

In responding to these three questions, executive management and boards in some companies have made progress in differentiating the truly critical enterprise risks from the risks associated with day-to-day business operations.

While seeking these answers is a useful exercise, is it enough? Directors should also ask:

  • Is our ERM approach helping us identify flaws and weaknesses in our strategy on a timely basis?
  • Is our organization able to recognize the signs of disruptive change, and is it agile and resilient enough to adapt?
  • Do we truly consider risk and return in our decision-making processes or do we blindly follow the herd and remain emotionally invested in the comforts of our business model?
  • Do we seek out what we don’t know? Are we prepared for the unexpected?
  • Is everyone competing for capital and funding with rose-colored glasses, making the resource and budget allocation process a grabfest?

Yes, companies have made progress in various ways with enterprise risk management, but depending on the answers to the above questions, more needs to be done.

Adoption and application of COSO’s Framework could alter the conversation by clarifying the importance of integrating risk, strategy, and enterprise performance. While a stand-alone process may be worthwhile and useful, it is not ERM as defined by COSO. The framework introduces five interrelated components and outlines 20 relevant principles arrayed among those components, offering a benchmarking option for companies seeking to enhance their ERM approach.

Four observations frame what COSO is looking for:

  • Integrate ERM with strategy. There are three dimensions to integrating ERM with strategy-setting and execution:
    • risks to the execution of the strategy;
    • implications from the strategy (meaning each strategic option has its unique risk-reward trade-off and resulting risk profile); and
    • the possibility of the strategy not aligning with the enterprise’s mission, vision and core values.

   All three dimensions need to be considered as part of the strategic management process.

  • Integrate risk with performance. Risk reporting is not an isolated exercise. Operating within the bounds of an acceptable variation in performance provides management with greater confidence that the entity will achieve its business objectives and remain within its risk appetite.

  • Lay the foundation for ERM with strong risk governance and culture. The board and CEO must be vigilant in ensuring that pressures within the organization are neither excessive nor incentivizing unintended consequences. Such pressures may be spawned by unrealistic performance targets, conflicting business objectives of different stakeholders, disruptive change altering the fundamentals underlying the business model, and imbalances between rewards for short-term financial performance and stakeholders focused on the long term.

  • Tie risk considerations into decision-making processes. COSO defines “relevant information” as information that facilitates informed decision-making. The more information contributes to increased agility, greater proactivity, and better anticipation of changes to the enterprise, the more relevant it is and the more likely the organization will execute its strategy successfully and achieve its business objectives.

Boards should urge the executives within their companies to consider the principles embodied by the COSO framework to advance their current ERM approach. In this regard, we suggest organizations focus on three keys:

Position the organization as an early mover. When a market shift creates an opportunity to create enterprise value or invalidates critical assumptions underlying the strategy, it may be in an organization’s best interests to recognize that insight and act on it as quickly as possible. The question is: When the entity’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? The organization attains time advantage when it obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known.

Address the challenges of risk reporting. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile and nimble in responding to a changing business environment. To truly impact decision-making, risk reporting must address three questions:

  1. Are we riskier today than yesterday?
  2. Are we entering a riskier time?
  3. What are the underlying causes?

Risk reporting is often not actionable enough to support decision-making processes. Once risk reporting is designed to answer these three questions, it becomes the key to evolving ERM to a “risk-informed” decision-making discipline.

Preserve reputation by maximizing the lines of defense. How do organizations safeguard themselves against reputation-damaging breakdowns in risk and compliance management? The widely accepted lines-of-defense model consists of three lines of defense. The first line consists of the business unit management and process owners whose activities give rise to risk. The second line consists of the independent risk and compliance functions, and internal audit is the third line. Also important is the tone of the organization—the collective impact of the tone from the top, the tone from the middle, and the tone at the bottom on risk management, compliance, and responsible business behavior. The proper tone lays the cultural foundation for the effective functioning of each of the three lines of defense. Arguably, the final line of defense is senior management and the board. For example, top management acts on risk information on a timely basis when significant issues are escalated and involves the board when necessary.

These three keys offer a focused line of sight for companies and their boards seeking to advance their ERM approach consistent with the principles and guidance in the updated COSO framework. The relationship of ERM to the processes the CEO values most can be compared to the contribution of salt, pepper, and other seasonings to a sumptuous meal. The objective is to enhance the outcomes that the organization is attempting to achieve by enabling it to be more adaptive in a volatile, complex, and uncertain world.

 

Jim DeLoach is managing director at Protiviti. 

Digital Disruption: Elevating the People Agenda

NACD Blog Feed -

Ilya Bonic

Organizations face a radically shifting context for the workplace that includes cognitive technology, intelligent automation, and machine learning. These technologies are disrupting and threatening many companies across many industries. As a result, organization designs and business models are being updated to defend existing market position and proactively seek the new opportunities that “digital” can offer.

Mercer’s 2017 Talent Trends study found that 97 percent of executives say that becoming a digital organization is important to their future, with 77 percent stating that their company is on a digital journey already. However, as few as 8 percent of CEOs believe their organizations are as digital (or even anywhere near as digital) as they must be to ward off emerging competitors.

This same study also uncovered striking discord between the digital strategy and people strategy. While most CEOs are focused on designing a more digital and agile organization to compete for the future, only 15 percent of human resource (HR) departments have organization and job design as key elements of their people strategy. Only 37 percent of HR respondents have change management on their radar screen. The risks created by this disconnect are significant. Without a culture open to change and a workforce willing and able to adopt new technologies, digital change efforts will rarely be as impactful as they need to be.

The Board’s Role in Elevating the Digital and People Agenda

Boards are custodians of organization strategy. They also play a key role in overseeing the talent strategies required to execute and deliver on business objectives. By reviewing the organization’s talent strategy through the lens of digital disruption, directors can help uncover risks and ensure better alignment between their companies’ digital and people agendas that will be necessary for future success.

Here are five sets of questions to get started.

1. Does the executive team possess digital competence and diversity? Digital strategy should be born from the vision of the CEO and executive team. In combination, does the executive team have the digital competence to appropriately prioritize and drive development of transformational digital strategy? Will they think beyond technology to people capabilities and a culture of agility? And, beyond digital capabilities, is there enough diversity to help foresee the range of potential future business scenarios and support the creativity and agility that will be needed to adapt to changing business circumstances?

2. Do our succession planning and leadership development goals emphasize the capabilities needed in a more digital world? Organizations need to revisit their leadership development programs because the competencies that have reliably predicted leadership potential and success in the past, even just yesterday, are not the same as those needed for tomorrow. Are leaders self-aware such that they are not blindsided by emerging risks? Are leaders sufficiently curious to sense more than the obvious trends that will impact business success? Are leaders creative and entrepreneurial enough to create advantage from new technologies and business design possibilities?

3. Is there a balance between the company’s strategy to build talent and buy? Many organizations have a bias to build talent from within, particularly as they plan their succession pipeline for the executive team. However, buying digital experience (within or outside the organization’s industry) is a much quicker way of building digital competence and diversity of thought. Is there a discipline of building executive “succession slates” that includes curating external candidates who offer capabilities different from those gained through internal experience?

4. Has the workforce plan considered the impact of digital disruption on jobs? In The Future of Jobs report, the World Economic Forum projected that 35 percent of core skills will change between 2015 and 2020. Current jobs will require a different skillset in a few years; skills instability will be high in all industries regardless of employment outlook; and, if current roles are already difficult to recruit for, it certainly won’t get easier as demand for new skills emerges. Does the organization have a workforce plan that forecasts which skills will be needed in the future and which will be less in demand? Is there a talent plan that aligns with this changing pattern of skill demand? And is there transparency with the workforce, so that those whose jobs are most at risk of disruption are able to take proactive steps to build a skillset that will be relevant tomorrow?

5. What thought has been given to employer brand and the company’s role in society? Digital disruption goes hand-in-hand with job disruption. It is likely that tomorrow’s business models will require a smaller core workforce and that digital technology will destroy more jobs than it creates. It is likely that unemployment and underemployment will rise. How will the organization maintain an attractive employer brand and contribute to the health and welfare of broader society? What plans, tools, and programs does the organization have in place to manage the transition of all members of its workforce (executive and non-executive) who will not be able to adjust to the workforce of the future?

Without a robust people agenda, an organization’s transformation efforts to address the challenge of digital disruption will struggle. By applying a digital mindset to the talent strategy and asking questions like those above, directors can play an important role in ensuring the alignment between people and digital strategy, and better position the organization for success.

Ilya Bonic is president of Mercer’s Career business. 

Inclusion Could Be Uber Directors’ Key to Cultural Change

NACD Blog Feed -

Probably the last thing Uber needs right now is to have anyone recount their recent setbacks, but the company’s quick, Icarus-like fall from grace tells us much about how technology companies going through hyper-growth can go wrong. By 2016, the ride-sharing firm was a segment leader, present in 570 cities worldwide and with 12,000 employees. Yet just since the beginning of the year, Uber’s company culture, marked by “sharp elbows,” has rapidly become a liability.

Betsy Atkins

The key is to preserve the great parts of the culture that drove Uber’s market leadership, including the company’s relentless focus on results, and now augment the culture for a larger scale. Specifically, it would be wise to add an appropriate level of processes and gender rebalance to the company’s board.

For Uber, the hits have just kept coming. First there was the video of CEO and founder Travis Kalanick chewing out one of the company’s own drivers. This was followed by lawsuits and first-person stories alleging a toxic company culture of sexual harassment. For good measure, long-time board member David Bonderman resigned after allegedly making sexist remarks at a meeting to unveil plans for reforming Uber’s sexist culture. Then, Kalanick resigned, Uber investor Benchmark Capital is suing him and the company, and Uber agreed to audits for the next 20 years by the Federal Trade Commission (FTC). The FTC’s actions demonstrate the level of long-term damage cultural problems can inflict.

Now that Uber has selected Dara Khosrowshahi to lead the company, and is likely to become a publicly traded company in the next year and a half to three years, the board has even greater impetus to change the direction of the company’s culture.

As a woman who’s served on many major tech company boards, much of this sounds like old news. Women in technology industries still push against a silicon ceiling when it comes to career advancement and cultural issues. Research from the Society of Women Engineers found that 20 percent of today’s engineering school graduates are women, yet just 11 percent continue working in the field. Women in information technology leadership roles (such as chief information officers or technology vice presidents) are just nine percent of the total, according to a survey from Harvey Nash and KPMG.

The numbers are also bleak in other Silicon Valley boardrooms. Among the Valley’s 150 largest tech firms, only 15 percent of board members are women (versus 21 percent in the S&P 500). A Korn Ferry study of the top 100 U.S. tech firms saw just three with women as CEO/chair, and five with a woman as the board’s lead director.

Changing any corporate culture is a challenge, but I’ve found bringing diversity to the tech industry is even trickier. Fast-growth “unicorn” companies can quickly outgrow their founding, venture-based startup corporate governance, and find themselves facing Uber-like crises with too few seasoned, level-headed business people in the boardroom. Yet in my own experience, I’ve seen technology companies nurture diverse, inclusive cultures, starting with a few one-on-one approaches from the boardroom.

Build internal career networks. At Volvo Car AB, where I serve on the board, we’ve launched a regular program where I have the opportunity to meet with senior and mid-level women executives on personal career development. We work with these executives to build on their strengths, clarify their career aspirations, and offer advice on advancement. This is a new program, but it is already proving a success in energizing and motivating the paths of these current and future female leaders.

Make mentoring personal. On the board of Schneider Electric, I make it a point to directly mentor a number of women on the company’s senior executive team. Women in management find it tremendously helpful to have someone in the boardroom take a personal interest in their career strategy and development. At Uber, new board member Arianna Huffington will be in an ideal position to put her mentoring and career savvy to work in helping rising women execs rebuild the company. The key is a regular ongoing program of mentoring and support.

Go beyond mentoring. The tech industry, in particular, has too few role models for rising female talents. The mentoring aid above is helpful, but why not go one step better? Companies can ask their male and female executives and board members to either mentor or sponsor promising female executives. There is a big difference between mentoring, which is periodic advising and coaching, and sponsoring, where you take ownership for introducing and more actively helping sponsor an individual for their next step up in their career. Women who are already senior managers or board members can kick mentoring up a notch by sponsoring high-potential women. Take personal ownership of career coaching for the top talent in your organization. Give them advice, introduce them to the people they need to sharpen their skills, and introduce their names at strategic moments.

Recognize the women making a difference. When I served as chair of the board’s compensation committee at tech firm Polycom, we were active in the annual recognition event for sales staff. I noted that women were leaders in sales, making up less than 10 percent of the sales force, but were 34 percent of our “President’s Circle” top sales performers. Making an added effort to celebrate and promote this talent is crucial in sending the message that sales is not just a “guy thing” in the company.

The news emerging from Uber can serve as a spark for making the support and advancement of women in your company a boardroom mission. The talents of these women are a strategic asset to companies, and there is a growing body of research proving that firms that nurture and empower their gender diversity gain in revenues and adaptability. In any company, balance sheet results are always found downstream from company culture. When it comes to reshaping that culture to be welcoming to women, the boardroom is the ideal place to start.

 

Betsy S. Atkins is a three-time CEO, serial entrepreneur, and founder of Baja Ventures. She has co-founded technology, CPG, and energy companies, and currently is director of Cognizant Technology Solutions Corp., HD Supply Holdings, Schneider Electric SE, SL Green Realty Corp., and Volvo AB. A version of this article appeared in June on TechCrunch’s Crunch Network.

A Message to Our Members in the Houston Area

NACD Blog Feed -

Peter Gleason

Dear Members of the Houston NACD Family:

As the news of the devastation in Houston continues to come in, please know that our thoughts are with all of you and your families during this crisis. As the home of our Texas TriCities Chapter, including dozens of NACD members who volunteer with the TriCities Board in Houston, not to mention chapter staff and two of our own national staff members stationed there, the city is a key geographical point of our membership, and our thoughts and prayers are with everyone in the community. We know the storm is not yet over, and there are more trying times ahead. We also know the spirit of the Houston community will persevere and will bring the region back stronger than ever.

All my best,

Peter R. Gleason
President & CEO
