Boards & Governance

Ask Your Security Team These Questions in 2018

NACD Blog Feed -

Corey E. Thomas

As a society, we must address cyber-risks from every angle: every technology or Internet user must be educated so they can better secure themselves. As business leaders, we bear this responsibility not only for ourselves, but also for our teams, colleagues, and organizations.

To help get you started, here are some questions I recommend you ask your head of security. I also highly recommend that, regardless of your role on the board, you get to know your security team. Help them understand how board-level oversight of risks works, and meet them with an open, inquisitive mind so they can educate you on security concerns and implications.

1. Does the security team have a full, well-informed view of the organization’s security posture?

One of the most fundamental challenges organizations face when it comes to security is getting full visibility of the technology assets being used across the organization and their associated risks.

You can’t defend something if you don’t know that you have it. Finding that one key weakness that provides the perfect opportunity for an attacker can be like finding a needle in a haystack.

It can also be challenging for security professionals to cut through the noise in the security industry to focus on the most relevant core threats. Doing so will enable them to focus their time, resources, and investments in areas that will have maximum impact for your organization.

Here are some additional questions you can ask:

  • Which threats are most relevant to the company, which assets are most vulnerable, and which are most likely to be targets? Ask the security team to explain their answers.
  • Does the security team share threat information with security teams at other organizations of a similar profile?
  • Does the security team have full visibility and control of our entire technology environment, including assets we lease rather than own? Does the team have a detailed inventory of key assets, who is using them and how, and what known risks relate to them?
  • Is the security team part of the procurement process for all technology products and services? Do they vet technology vendors on the security of their products or services? Do they investigate the vendor’s practices for reporting and patching vulnerabilities?
  • Does the security team know who has access to what applications and services? Have they locked access down as far as possible, so people only have the privileges needed to perform their day-to-day role?

2. Is our organization resilient to attack?

Companies are under attack daily, either from automated, internet-wide attacks, or from more targeted and determined attacks. It is important to ask your security team questions about the security measures they have in place to reduce the likelihood and impact of a breach. There is no such thing as a silver bullet or impenetrable force field that will perfectly protect your organization. The key is to ensure your organization is taking a multi-faceted, layered approach that leverages technology, people, processes, and policies together for maximum effect. Your security team should be focusing their limited resources on actions that most reduce the risk associated with the greatest threats to your organization.

Take this opportunity to have your head of security explain why they made the trade-offs they did, and how those decisions could impact the business. Make sure they are aligning their decision making with overall organizational goals, compliance requirements, and real technical risks.

  • Is all company and customer data encrypted at rest and in transit? If not, which data is being encrypted and when?
  • Has the security team segmented the company’s networks to reduce an attacker’s ability to move through the network and reach valuable assets?
  • Does your organization regularly back everything up to reduce susceptibility to ransomware attacks? Do you run regular backup and restore drills?
  • Do you know how susceptible our employees are to phishing? Are you investing in education programs to raise security awareness?
  • Do you have multi-factor authentication in place on all of our technical services and applications?
  • Does the organization have cyber insurance to help it recoup any costs of a security incident? Which scenarios or factors are not covered by the insurance?

3. Is the security team confident it can detect and respond quickly to security incidents?

According to the 2017 M-Trends report, it takes an average of 99 days for organizations to discover attackers in their networks. The longer an attack goes undiscovered, the greater the likely harm will be, so it is critical that your organization is able to detect and respond to security incidents quickly. Full visibility across all technical assets, properly stored and analyzed logs, and sufficient manpower to investigate alerts in a timely manner are all essential ingredients for quickly detecting security incidents.

A properly coordinated response will likely involve representatives across the business, so it is important that your board and security team understand what roles each department plays in a response.

Some relevant questions include:

  • Does the security team map normal behavior (both for human users and machine entities) on the network? Are they able to detect anomalous behavior?
  • Is the security team able to investigate and verify alerts quickly? Do they have sufficient resources committed to monitoring systems that alert on suspicious activity?
  • How quickly could the security team investigate a potential breach or determine which technology assets and users may have been compromised? Does the security team have sufficient visibility across all technical assets to investigate fully? Does the security team log any information that would be needed to investigate a security incident?

  • Does the company have an incident response plan in place, with roles clearly defined and understood across the organization (including legal, finance, communications, IT, customer support/engagement, etc.)? When was the last time the company ran an exercise to test its preparedness and response? Who is responsible for driving this initiative in the organization?

4. How do you measure the effectiveness of our cybersecurity program and initiatives?

Testing and verifying the effectiveness of your security program and initiatives is part of many industry cybersecurity compliance requirements. It is also a pragmatic measure that helps your organization understand where it needs to make investments, and how resilient it really is to attack. A key part of this review is engaging security professionals to penetrate the company’s infrastructure to test for vulnerabilities. This will help you understand the efficacy of your defenses, hopefully uncover the opportunities attackers may spot, and investigate the potential outcomes of an attack.

Some questions to ask your security team include:

  • Is the security team proud of the company’s patching program? Do they feel adequately supported by the IT team in their efforts?
  • Who is responsible in the organization for initiating testing of organization-wide breach readiness?
  • How frequently does the security team test the company’s defenses for effectiveness? Do they hire external security consultants to try to penetrate the network and facilities?
  • Is the security team able to track progress over time?
  • Does the security team have a view of the maturity of its program? Is there a clear roadmap for future progress?
  • What measures has the security team taken in the past six months to improve security posture? What results have they seen? How will they adjust the program moving forward?

5. Do political or financial considerations impact your ability to protect the organization effectively?

It’s the reality of every business that budgets and other resources are not limitless. Investment must be proportionate to the business growth and context. However, it is also worryingly easy to overlook financial or political constraints that can hamstring your security program. You do not want to become aware of fixable limits on the security program at the point that you are reeling from a security incident.

The challenges of internal politics may also hold your security program back and expose your business to unnecessary risk. Investigate the structure of your security organization, its reporting line, and its standing with key partner departments in the business such as IT, engineering, and legal.

Investigate any barriers that are limiting the effectiveness of the security program now, discuss them in an open environment with the organization’s leadership, and make informed decisions on how to move forward based on a realistic view of your organization’s risk tolerance and budget.

  • Are there any budgetary or political roadblocks to implementing foundational security controls?
  • Does the security team have adequate headcount and resources? How is the answer to this question determined? If not, in which areas are we below critical mass?
  • Does the head of security have the opportunity to be heard among the most senior executives in the organization?
  • Do the business leaders across the company truly understand the potential costs and implications for the business of being breached? Do they discuss risk tolerance and prioritization payoffs in an open, strategic way? Do they build resilience plans based on these discussions?
  • Is security considered an audit function, or does the organization strive to build security into its products, services, and operations by design?

Security is complex, constantly evolving, and often unfortunately viewed as a drain on the business. Yet the benefit and necessity should be clear: having an effective and well-managed security program is key to minimizing risk and building resilience for your organization. Every part of the organization must play a role in this, and must understand the security priorities for the organization—and that responsibility extends to the boardroom.

Corey Thomas is CEO, president, and a member of the board of Rapid7. 

CES Tour Reveals Trends and Innovations That Will Reshape Business

Shelly Palmer guides directors through the show floor.

At the conclusion of day two of NACD and Grant Thornton’s board-focused experience of the 2018 Consumer Electronics Show (CES), my feet are throbbing, my head is spinning, and I have a clearer picture of what the future holds thanks to a much sought-after spot at Shelly Palmer’s breakfast lecture on innovation and future trends, which was followed by an exclusive, small-group tour of this colossal show—some 3,900 exhibitors in all.

According to Palmer, the next-generation automobiles displayed by Mitsubishi, Nissan, Ford, and so many other companies raise the following question: How will we move—or want to be moved—from point A to point B?

“What does it mean to get from here to there? Uber is already self-driving. I push a few buttons and the car shows up,” Palmer said as he took us through the North Hall of the Las Vegas Convention Center—home to what has been dubbed the world’s largest auto show.

Among the flashier electric vehicles on display was the Mercedes-AMG Project ONE Showcar, an electric hybrid Formula 1 race car. While only 275 of these cars will be made, the technology applied in its engineering eventually could end up in your self-driving car.

Palmer also highlighted the following provocative insights to the directors in our tour group:

  • Smart speakers are among the fastest-adopted technologies, having achieved 50-percent penetration in U.S. homes in just three years.
  • Any device powered by electricity will be voice-controlled.
  • While Amazon is not exhibiting at this year’s show, its presence was abundantly visible through some 30,000 examples of apps compatible with its Alexa device.
  • Companies that may be considered old-line—Blackberry, Honeywell, ADP—have reinvented themselves through their understanding and embrace of technology that makes us more secure. “Security,” Palmer said, “is the gateway drug to home systems.”
  • At Honda’s booth, spectators were charmed by an adorable three-foot robot. The Japanese automaker discovered after the devastating tsunami in 2011 that children responded to the robot, which is capable of expressing empathy. “Americans have no interest in this,” Palmer said, adding this nugget: “Robotics are way ahead of anthropology and sociology.”
  • Chinese companies are the world’s leaders in artificial intelligence. Google and Facebook lead in America. The presence of Chinese companies exhibiting at CES was a quantum leap over last year.
  • Some 15 million American homes have cut the cable cord and instead have roof antennas for TV service. So how can Comcast expect to flourish? The broadband giant will provide its customers the ability to connect various Internet of Things technologies that can be controlled through its voice remote.

More insights from CES and directors’ impressions of the governance implications raised by some of what they experienced will be covered in the January/February 2018 issue of NACD Directorship magazine.

The Future Is Now at CES

The 2018 Consumer Electronics Show (CES) opened to the public yesterday in Las Vegas. With over 3,900 exhibitors from 29 countries, there is a lot to absorb.

For a group of some 40 directors, a sneak peek of CES given courtesy of the National Association of Corporate Directors (NACD) and Grant Thornton LLP provided a focused beginning to a three-day exploration of new technology—from robots to self-driving cars and augmented reality to smarter cities—and the implications for corporate governance.

For Grant Thornton, supporting NACD’s first CES Experience underscores the accounting firm’s position “as a challenger brand in the marketplace,” said Michael Desmond, a partner and National Audit Industry & Growth Leader at Grant Thornton. “Being here at CES with a group of directors allows us to support our partnership with NACD and continue our reach into the marketplace at the C-suite and board levels. At the same time, this is where forward thinking and innovation are on display and all of these elements converge.”

Accompanying Desmond was David Wedding, a Grant Thornton partner who also chairs the firm’s board. “I’m here as a director myself and we, of course, are facing disruption in our industry from the impact of technology just like our customers. It will be interesting to see what’s trending and how other directors assess the ramifications of what we see.”

Maureen Conners, a director of Fashion Incubator in San Francisco and NACD’s Northern California Chapter, and former director of Deckers Brands, has been attending CES for at least 15 years. “The best advice I would give to anyone coming to CES is not to be afraid to ask the dumb questions,” she said. Conners worked in product development at Gillette, Levi Strauss, and Mattel and started attending CES when as a consultant she helped Polaroid launch its first digital camera. She spoke of how seeing a driverless car maneuver onto a stage during an Intel presentation on Monday night stirred questions for her about how they will ultimately be used.

“I must admit it’s different seeing it in person,” she said.

Liane Pelletier, a director who was on the tour and serves on the boards of ATN International, Expeditors International, and NACD’s Northwest Chapter, echoed that sentiment: “It’s one thing to read about discrete enabling technologies that can disrupt our companies, and it’s entirely different to see and envision all of the use cases.”

Some of the other new products that stand to have industry-altering impacts included: a concept bed from Reverie that adjusts itself based on brain-wave activity; a self-driving Lyft vehicle; and a plush Aflac duck robot with three patents pending that uses a mixed-reality app to help comfort kids coping with cancer.

Come back tomorrow for additional coverage of NACD and Grant Thornton’s board-focused CES Experience.

A Walk-Up to CES: What to Expect from the Annual Tech Extravaganza

Driverless vehicles; virtual and augmented reality; wearables that monitor health, sleep, and stress; smarter features for the home and cities; and bigger, thinner televisions. Innovation has always been central to what used to be called the Consumer Electronics Show, which this year marks its 51st anniversary. These are just some of the product categories being touted in advance of the opening next week of CES in Las Vegas.

For the first time, NACD and Grant Thornton LLP will host CES Experience, which will include a tour for a small group of directors that is curated by Shelly Palmer. This annual hub of technology innovation now spans nearly a mile in and around the Las Vegas convention center. It is a colossal undertaking both for attendees and the organizer, the Consumer Electronics Association, which this year brings together 3,900 exhibitors, 67,321 exhibit personnel, more than 109,000 attendees, and some 7,400 members of the media.

There are 600 startups in just one wing of the show.

When NACD’s Chief Programming Officer Erin Essenmacher attended CES last year, she was nearly overwhelmed by the sheer number of exhibitors introducing potentially game-changing products. To both maximize her time and see those exhibitors most likely to be showing a next-generation gadget, Essenmacher recognized that a director-centric guided tour of this mecca of innovation could benefit NACD members.

An autonomous vehicle from Ford that was on display at CES 2017 delivers Domino’s Pizza.

CES 2018 opens Tuesday, Jan. 9, with a keynote address by Ford Motor Co. president and CEO James Hackett, the first “non-car guy” to helm the 114-year-old automaker. Hackett has proclaimed the new Ford to be a mobility technology company, with vehicle safety to be driven by innovations in artificial intelligence (AI) rather than new material or safety features. Since he took the reins in May, Hackett, formerly president and CEO of Steelcase, has invested in self-driving and electric-powered autos and car-to-car communications. Ford was the first automaker to exhibit at CES at least 11 years ago and over the years almost every major automaker has become a regular. Innovations in the automotive industry have become so ubiquitous at CES that the North Hall of the convention center has been dubbed the “Las Vegas auto show.” At least 12 of the more than 200 information sessions at CES will be devoted to automotive-related topics such as cybersecurity and who insures the driverless car.

Part of NACD’s curated tour will be spent exploring person-to-machine interfaces and machine-learning sensors that can detect humans’ moods. Directors will also see advancements in haptic (from the Greek haptesthai, “to touch”) technology, which has evolved beyond vibration to synthesize feedback from even simple hand gestures made on a tactile screen.

At the end of each day, directors will have an opportunity to be debriefed by Palmer and compare notes over dinner.

I will be blogging for NACD from CES and colleagues will be posting on social media.

Judy Warner is editor in chief of NACD Directorship magazine. 

Spring Proxy Season 2018: Early Projections

What trends will heat up the next proxy season and beyond? That’s a burning question for the 80 percent of public companies that hold annual meetings during the first half of the year according to statistics from Broadridge, as well as for those that will wrap up the year later in the fall mini-season. Prognosticating what’s to come this season is no easy task, since proxy season is a complex process.

Sometimes the trends we predict are no more than wishful thinking. To make plausible predictions, we must find empirical clues from shareholder resolutions (hundreds each year), director elections (at thousands of companies each year), and then consider the activity that happens behind the scenes in private dialogue.

Bearing in mind our evidence, we can ask a number of questions:

  • What new rules will be effective? New requirements will raise expectations during this proxy season.
  • What proposals were most successful in 2017? Success (getting more than a 50 percent vote) emboldens proponents, so these issues are unlikely to go away.
  • What proposals were most frequent in 2017? Even if vote tallies are low, proponents may try again.
  • What proposals or other actions are being planned right now for the 2018 spring season—based on survey data and other sources?

After seeking answers, we will conclude with what we think will be hot in the 2018 proxy season.

Clue 1: What new rules or policies will be effective?

Proxy seasons can be shaped by new rules put in place by the Securities and Exchange Commission (SEC), as well as by new voting policies from proxy advisors such as Institutional Shareholder Services (ISS). This spring, a few major developments are notable. First, this is the first year that the pay ratio rule will require disclosure of the ratio between the total pay of a company’s median employee and its CEO (or, alternatively, the median total pay of all the company’s employees, minus the CEO). Despite new SEC guidance on calculation, the results, when disclosed prior to the annual meeting, are likely to spark some shareholder outcry at annual meetings.

A few additional issues stand out based on 2018 ISS Americas Proxy Voting Guidelines Updates. ISS has said that it will support shareholder proposals asking for more disclosure on environmental risk, and its updates point to recent policy changes from the Task Force on Climate-Related Financial Disclosures (TCFD). “The updates to ISS’ climate change risk policy better aligns it with the TCFD’s recommendations, which explicitly seek transparency around the board and management’s role in assessing and managing climate-related risks and opportunities,” the report says. Other proxy season trends may include more support for resolutions opposing excessive director pay and resolutions supporting gender pay equity, as predicted in this recent report from Gibson Dunn.

Clue 2: What proposals were successful last year?

Let’s look at the most successful proposals at the 250 largest companies by revenue throughout 2017 according to full-year data from Proxy Monitor. This source is representative of broader trends because, as noted in Proxy Monitor’s early 2017 overview, shareholder proposals are more common at the largest companies. Moreover, “the companies in the Proxy Monitor database encompass the majority of holdings for most diversified investors in the equity markets, making this analysis appropriate for the average shareholder.”

According to the report, governance proposals seem to take the prize. Fifteen of the 294 proposals at the top 250 public companies in 2017, or about 5 percent of the 294 proposals from investors, received a majority vote. Most of these winners can be called “corporate governance” proposals, rather than social issues. Three were for environmental impact reports (at Occidental Petroleum Corp., Exxon Mobil Corp., and PPL Corp.), but all the rest had to do with governance.

Five proposals were victories for proxy access (National Oilwell Varco, Humana, IBM, and Kinder Morgan, Inc.), five for simple majority voting (Cognizant Technology Solutions Corp., Marathon Petroleum Corp., L Brands, Paccar, and First Energy Corp.) and two were specific governance proposals. Shareholders at CVS Health Corp. voted to reduce required ownership to call a special meeting, and shareholders at ADP voted to repeal a bylaw provision that had been adopted without shareholder approval. That vote happened in November, in the so-called “mini-season” (the one experienced by the 20 percent of companies that hold their annual meeting in the second half of the year).

Clue 3: What proposals were most frequent last year?

Now let’s look at the resolutions proposed most frequently last year. Looking again at the 294 resolutions studied in the Proxy Monitor data, the trends are clear. Classifying the proposals generally into the three categories, we see that social policy, with 164 resolutions, was the most popular proposal category, followed by corporate governance issues at 107. Executive compensation did not draw shareholder ire; only 23 resolutions focused on it, down from higher levels in the past.

  • Within social policy, the double-digit issues raised across at least 10 companies were environmental (48 issues were proposed—or 52 if you count four “sustainability metrics” proposals), lobbying (38), political spending (13), employment rights (17), gender equality (12), and human rights (12).
    Diversity proposals are also notable. Although they were relatively rare compared to other 2017 issues, they showed signs of growth. There were only three such proposals at major companies the previous year, while there were five in 2017. Furthermore, although they did not propose board diversity resolutions, State Street Corp., a major institutional investor, voted against directors serving on nominating committees for boards without women, and BlackRock also voted no at some boards over the diversity issue.
  • Within corporate governance, the double-digit issues were chair independence (28 resolutions), proxy access (22), and special meetings (15). Remaining corporate governance issues were introduced at 9 or fewer companies. Although ISS flagged director overboarding as an issue for 2017 and revised its guidelines accordingly, there were no proposals about this last year.
  • Finally, within executive pay, no particular issue dominated. Various new requirements in pay approval and pay disclosure (say on pay, pay ratio, etc.) have largely resolved this issue.

Clue 4: What proposals or other actions are being planned for 2018?

As of early January 2018, we have little data on shareholder resolutions to be included in 2018 proxy statements. While some companies have already released their 2018 proxies, none of these contain shareholder resolutions. However, we do know what ISS is recommending with respect to shareholder resolutions in the newest revisions to its proxy voting guidelines for 2018.

As reported in the Wall Street Journal on December 22, companies preparing their 2018 proxy statements can expect “continuing pressure from investors to enhance disclosures regarding board composition, climate change risk, and cybersecurity.” The prediction is based on a survey conducted by executive search firm Russell Reynolds. Secondary trends included the usual mix of corporate governance, board composition, and executive compensation.

Of course, shareholder proposals are not the only way to change a company. Instead of submitting a shareholder resolution on an issue, a shareholder can wage a so-called proxy fight by sending investors a separate proxy voting card with an alternative slate of directors, or, in the case of companies with proxy access, by including a dissident slate in the company’s proxy. (There is still no such thing as a universal proxy card that allows investors to mix and match candidates from the nominating committee and dissidents, despite an SEC proposal in that regard.) According to FactSet, 2017 saw 75 proxy fights for board seats. While this is fewer than in 2016—which at 101 proxy fights was a banner year—the battles were waged upon household names: ADP, General Motors Co., and Procter & Gamble Co., among others.

What’s Hot and Why

Here is our short list of five proxy issues that are likely to appear in 2018.

  1. Pay Ratio. Shareholders will be reading these disclosures for the first time.
  2. Environmental proposals. They have been both frequent and successful in recent times, and ISS is drawing attention to them again this year.
  3. Governance mechanics. Why? Because they matter. They are rarely discussed by bloggers due to their dry and technical nature, but governance issues continue to be popular proxy issues, with more than 100 last year, and with the highest rate of success (12 wins last year—a strong result since majority votes on resolutions remain extremely rare).
  4. Activism. As Douglas Chia, head of corporate governance at the Conference Board, stated in a recent Equilar report, “public company boards will have their work cut out for them in 2018 with activism continuing to dominate the governance landscape.”
  5. Behind the scenes changes. A number of new NACD publications—notably the 2018 Governance Outlook and the 2017–2018 NACD Public Company Survey—shed more light on the upcoming season from behind the scenes.

The next blog predicting proxy season scenarios will highlight NACD research—and more clues to inform your board’s proxy season planning.

Looking Forward to 2018: The Top Risks

Jim DeLoach

The top risks for 2018 provide interesting insight into changing risk profiles across the globe. Protiviti and North Carolina State University’s Enterprise Risk Management Initiative have completed the latest survey of 728 directors and C-level executives regarding the macroeconomic, strategic, and operational risks their organizations face.

We ranked the top risk themes in order of priority, providing a context for understanding the most critical uncertainties companies are facing as they move forward into 2018.

1. The rapid speed of disruptive innovations and new technologies within the industry may outpace the organization’s ability to compete or manage risk appropriately. With advancements in digital technologies and rapidly changing business models, are organizations agile enough to respond to developments that alter customer expectations and require change to their core business models? Disruption of business models by digital innovations is a given in this environment. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult for them to have the vision to anticipate the nature and extent of change and the decisiveness to act on that vision. In this environment, emotional attachment to the business model can be dangerous because significant adjustments to it are inevitable.

2. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. This risk and the risk of disruptive change present a dilemma to companies. On the one hand, there is concern about inevitable disruptive change and, on the other hand, a fear the enterprise will not be agile and resilient enough to adapt to that inevitability. This resistance could lead to failure to innovate and force reactionary responses when it’s far too late.

3. The organization may not be sufficiently prepared to manage cyber threats that could significantly disrupt core operations and damage its brand. To no one’s surprise, this risk is listed among the top five risks in each of the four size categories of organizations we examined. Both directors and CEOs rated this risk as their second highest risk concern. Technological advancement is constantly outpacing the security protections companies have in place.

4. Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. Regulatory risk, which has been one of the top two risk concerns in all prior years that we have conducted this survey, has dropped some in 2018. However, it is still a major concern for executives and directors. Sixty-six percent of our respondents rated it as a “Significant Impact” risk.

5. The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues that could notably affect core operations and achievement of strategic objectives. This issue, coupled with concerns over resistance to change, can be lethal if it leads to the organization’s leadership losing touch with business realities. If there are emerging risks and the organization’s leaders are not aware of them, the entity has a problem.

6. Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. Likely triggered by a tightening labor market, this risk is especially prevalent for entities in the consumer products and services, healthcare and life sciences, and energy and utilities industries. To thrive in the digital age, organizations need to think and act digital, requiring a different set of capabilities and strengths. This risk indicates that directors and executives believe their organizations must up their game in acquiring, developing, and retaining the right talent.

7. Privacy, identity management, and information security risks may not be addressed with sufficient resources. Given the high-profile reports of hacking and other forms of cybersecurity intrusion reported in 2017, this risk is somewhat expected. As the digital world evolves and enables individuals to connect and share information, fresh exposures to sensitive customer and personal information and identity theft also spring up.

8. Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. However, the drop in this risk’s ranking from prior years suggests that respondents seem more positive about macroeconomic issues going into 2018.

9. Inability to utilize data analytics to achieve market intelligence and increase productivity and efficiency may significantly affect core operations and strategic plans. Respondent concerns are growing regarding their company’s ability to harness the power of data and advanced analytics to achieve competitive advantage, manage operations, and respond to changing customer preferences. In the digital age, knowledge wins. Advanced analytics are the key to unlocking insights that can differentiate companies in the marketplace.

10. Companies that were not “born digital” face significant operational challenges. Companies that are not steeped in digital operational culture may not be able to meet performance expectations related to quality, time to market, cost, and innovation. Competitors with superior operations—and those digital companies with low operations costs—present notable risk that is only heightened in the digital economy. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale redefined customer experiences very quickly, making it difficult for incumbents to see change coming, much less react in a timely manner to preserve customer loyalty.

The overall message of this year’s study is that the rapid pace of change in the global marketplace creates a risky operating environment for entities of all types. The board of directors may want to evaluate its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If their companies have not identified these issues as risks, directors should consider their relevance and ask why not.

Jim DeLoach is managing director of Protiviti. 
