Global Cyber Summit Sends Message to Boardrooms

April 28th, 2015 | By

Corporate directors’ mindsets regarding cybersecurity fundamentally need to change. As one participant at April’s inaugural Global Cyber Summit hosted by the Global Network of Director Institutes (GNDI) noted, “We have to go from ‘is it possible we’ll be attacked?’ to ‘it’s probable;’ from ‘how much does it cost?’ to ‘how much should we invest?’; and from ‘can we control cyber threats?’ to ‘how can we keep pace?’”

In the words of another participant, “Yesterday’s approach to cyber at many companies was compliance. Today, the approach is risk management, and the imperative for the future is resiliency.” With the passage of last week’s Protecting Cyber Networks Act and National Cybersecurity Protection Advancement Act, the nation moved one step closer to greater resiliency. Both bills made clear lawmakers’ expectation that companies should share information regarding cyber breaches not just with the government, but also with each other. By sharing information about cyber hacks with peers—via information sharing and analysis centers (ISACs) or information sharing and analysis organizations (ISAOs)—and the Department of Homeland Security, companies may be able to improve their cyber defense. Experts at the summit discussed information sharing in light of the massive threat cyber-breaches pose. While information sharing is important to an effective cyber defense, corporate directors should not view it as a panacea. Instead, “it is another tool in the company’s toolbox.”

At April’s summit, the GNDI, the National Association of Corporate Directors (NACD), and the Washington Board of Trade convened more than 200 directors and cyber experts from around the world for a three-day conference to explore the board’s role in effectively overseeing their companies’ cyber defenses. Supported by AIG, the Center for Audit Quality (CAQ), and KPMG, the event provided directors the opportunity to gain insight from experts including Shawn A. Bray, director of INTERPOL Washington; Larry Clinton, president and CEO of the Internet Security Alliance; Richard Knowlton, director of the Internet Security Alliance for Europe and group corporate security director at Vodafone; Jan Hamby, rear admiral, U.S. Navy (Ret.) and chancellor of the National Defense University; Tim McKnight, chief information security officer of General Electric; and Arne Schönbohm, president of the Cyber-Security Council Germany.

Five boardroom imperatives emerged from the event:

  1. View cybersecurity as an enterprise-wide risk issue. Without a doubt, cyber-risk poses a significant threat to companies of all shapes and sizes. From the boardroom perspective, however, it should be viewed not as a technological issue, but as an enterprise risk that is addressed like all other risks disclosed in the MD&A. “Security—not merely cybersecurity—is the key.” Directors should ensure that the company is properly structured to respond to an attack and has plans for both breach prevention and cyberattack response. And don’t be complacent. As one participant at the cyber summit advised, “If you ask management how we’re doing on cyber-risk management and they say, ‘great,’ don’t accept that as an answer.”
  2. Identify your critical assets. Throughout the summit, speakers noted the interdependent nature of cyberattacks. No company is an island, so achieving a perimeter-defense strategy that attempts to protect the entire enterprise is virtually impossible. Instead, management must identify what assets, if breached, would bring the company down: the “crown jewels.” Directors should ensure that defense efforts identify and prioritize them. As part of this identification process, the company also can assess its most vulnerable points, making sure to account for third-party contractors’ potential weaknesses. If a vendor in your supply chain is hacked, are your assets still protected?
  3. Ensure adequate resources for your information technology (IT) teams. Cybersecurity should be viewed as an investment in the company’s future, not as a cost center. Panelists noted a growth in the use of a chief information security officer (CISO), separate from a chief information officer (CIO). Regardless of the leadership structure employed, however, directors must remember that cybersecurity is largely a human issue. Does the C-suite have the staff and training needed to effectively defend the company against hacks? If the company is not going to develop an internal security defense program, how will it acquire one from outside? Is the IT team staffed with both technology professionals and security experts? Broadly, the company should run ongoing employee cybersecurity education programs throughout the enterprise.
  4. De-jargon the board dialogue. The technical nature of cybersecurity can create a formidable barrier to effective board oversight. While it is critical for the board to receive reports on the company’s cyber efforts on a continuous basis, CIOs, chief technology officers (CTOs), or CISOs may deliver the reports in jargon. Panelists noted that the solution, however, is not necessarily to invite a cyber expert to sit on the board. Instead, the entire board should comprise directors who are equipped to ask the probing questions necessary for effective oversight. The board can invite experts to speak to the board on cyber issues and ask management to provide “de-jargoned” reports in clear, actionable terms.
  5. Incorporate cyber into your strategy and every business decision. Panelists stressed the need for directors to address cyber issues proactively—starting with prevention—rather than waiting to respond to a breach. To do so, cyber should be an aspect of the front-end of business decisions: strategy, legal, and financial. Does the CIO (or CISO, CTO) play a role in strategy and tactical decisions? Does the CIO have a working relationship with the IT teams at third-party vendors? In an M&A scenario, do you assess the cyber vulnerabilities of the target company? These questions can help bring cyber-consciousness to board decisions.

For more guidance on the board’s role in cyber-risk oversight, download the NACD Cyber-Risk Oversight Handbook here. Kate Iannelli, Alexandra Lajoux, and Ashley M. Marchand contributed to this report.


Leveraging Social and Demographic Trends

April 24th, 2015 | By

Understanding the behavior of investors, employees, and consumers is a critical success factor for all companies. This can be difficult for corporate directors, however, as America’s demographics are constantly evolving. At this year’s second Directorship 2020® event, NACD partnered with Broadridge Financial Solutions, KPMG’s Audit Committee Institute (ACI), Marsh & McLennan Cos., and PwC to provide an in-depth look at today’s social and demographic trends and how boards can harness the opportunities these often-disruptive forces create.

In his keynote address, Scott Steinberg, CEO of TechSavvy Global and author of Make Change Work For You, affirmed that change is the “new normal.” He emphasized that companies must constantly innovate in order to survive in today’s volatile business environment. Some companies, such as Apple, Amazon, GE, and Samsung, have maintained their competitive edge by mastering the art of “sustainable innovation.” Steinberg pointed out that these companies foster highly collaborative relationships with their employees, who also represent the company’s customer base. By creating avenues for employees to share their observations on emerging threats and opportunities, these organizations are simultaneously constructing platforms to prototype new business products. These collaborative relationships thus enable management to harness the full range of talents that allow an enterprise to continually adapt and grow.

In the second keynote speech, Paul Taylor, former executive vice president of the Pew Research Center and author of The Next America, focused on two major demographic trends that are happening in the United States. First, the bulk of the country’s population is aging. Older generations have always needed the younger ones to drive the economy; the millennials, however—the youngest generation in today’s workforce—are collectively experiencing great difficulty in launching their careers and remain largely dependent on their forebears. Taylor observed that businesses need to mimic these new domestic norms and similarly nurture and invest in millennials to ensure the success of their firms’ future leaders.

Second, Taylor pointed out that by 2050, immigrants will comprise the largest-ever share of the American population: while 20 percent of Americans were of immigrant descent in 1960, that proportion is projected to climb to 37 percent. Not only will this expand the workforce and brainpower of the American economy, but it will also change the demographic complexity of the country’s consumer base. Furthermore, this modern immigration wave has begun to alter traditional attitudes toward racial and ethnic boundaries. For example, children of immigrants are more likely to marry someone of a different race or ethnicity. These trends are already driving business behavior, as contemporary television commercials clearly demonstrate: in an ad for Coca-Cola, the anthem “America the Beautiful” is sung in several languages; and two recent Cheerios ads featured a multi-racial family.

The presentations and discussion in Atlanta generated three key takeaways for directors:

  1. Assess your corporate culture. Corporate culture can often be a significant roadblock to innovation, and many companies stumble because they fail to periodically rethink their identity. A corporate culture that allows for evolution is, by definition, resilient and adaptable. Regard your employees as a wellspring of innovative ideas, because they have the most direct interaction with your customers. Their insights into evolving consumer demands can, in turn, generate your business’s next game-changing idea. A big challenge for many firms is how to encourage employees to speak up, especially at established companies where the corporate culture has been in place for some time. (FedEx, for example, has a 40-person team that is charged with driving innovation throughout the entire organization.) By contrast, the smaller size and absence of inhibiting precedents at start-ups enable them to be more adept at mining creative solutions from their entire employee base. Spurring and sustaining innovation is about institutionalizing a love of change within your organization. Create forums through which everyone—from the mailroom to the boardroom—feels free to share ideas.
  2. Make educated bets. A lack of risk tolerance is a major barrier to innovation. For companies that are doing well, staying the course may seem like a safe bet; but as the competitive landscape shifts, this approach will ultimately cause the company to falter. Create systems that allow the company to take smart risks. In line with the company’s established risk appetite, it’s acceptable—and expected—that a company will have to weather some level of failure. The board can openly discuss unsuccessful ventures with management, leveraging those experiences as learning opportunities instead of viewing them solely as a misstep.
  3. Embrace diversity of all types. According to the Report of the NACD Blue Ribbon Commission on The Diverse Board:

[A] company’s ability to remain competitive will rely on its understanding of global markets, changing demographics, and customer expectations. Diversity is a business imperative, not just a social issue. The new business landscape will require boards to cast a wider net to find the very best talent available. As a natural corollary, the board’s mix of gender, ethnicity, and experiences will likely increase.

In his speech, Paul Taylor addressed the issue of age diversity specifically. Younger directors with relatively little board experience may be passed over for a directorship because seasoned directors perceive them as lacking the experience and credibility necessary to be effective. However, seeking out non-traditional director candidates (whether that status is determined on the basis of age or other criteria) can be critical to effectively managing a board’s talent pipeline. Established directors have the ability to mentor and develop the next wave of board leadership and, in turn, benefit from the perspectives of new directors who bring varied backgrounds and skill sets into the boardroom.

Look for full coverage of this NACD Directorship 2020 session in the May/June 2015 issue of NACD Directorship magazine. For information on future events and recaps of past events, visit the NACD Directorship 2020 microsite.


Blue Ribbon Impact

April 17th, 2015 | By

  • If a tree falls in the forest, and no one hears it, does it make a sound?
  • If an NACD Blue Ribbon Commission (BRC) makes a recommendation, and no one heeds it, does it have an impact?

The answer to both questions may be no, but neither question is realistic. You can’t have a forest without living creatures to hear its noises, and you can’t have a BRC without a community to hear its message. So let’s ask instead: “How much do readers of the BRC reports hear?” and “What do they do about it?” Certainly these matters are worth pondering. After all, what is the point of giving guidance if few follow it?

The current issue of NACD Directorship brings this question to life as Ashley M. Marchand interviews past chair Robert E. (“Bob”) Hallagan about the BRCs’ potential for shaping board practices. This blog validates that claim with some of the more convincing findings from NACD’s annual public company governance surveys, referred to here by the year the survey data was collected (titling conventions have varied over time). In conclusion, we will ponder what it all means.

1993 – The BRC on Executive Compensation recommended pay for performance. Before vs. After: Taking NACD’s 1992 and 1995 surveys as respective before and after snapshots, we see directors paying more attention to performance in the wake of this very first BRC report. The 1992 survey showed that corporate performance was the #1 corporate governance issue for only 15% of respondents. By 1995, corporate performance had become a top issue for 52% of respondents.

1995 – The BRC on Director Compensation recommended director payment in equity, with dismantling of benefits. Before vs. After: Whereas in 1995 it was common for directors to receive benefits but no stock, by 1999 the trend was the opposite. By then nearly two-thirds of companies included stock as part of director pay, and under 10% paid benefits.

1996 – The BRC on Director Professionalism recommended executive sessions. Before vs. After: The 1997 survey showed that 10% of companies held executive sessions; the 1999 survey recorded a rise to 44%. The Director Professionalism report sold 10,000 copies in its first printing and has been reissued with updated notes and appendices several times since. It was cited in Brehm v. Eisner (2000) for its emphasis on director independence. The Brehm case would lead to the In Re Walt Disney Derivative Litigation (Del. Chancery 2005, Del. Supreme, 2006) over compensation awarded to Michael Ovitz. Also, Justice Jack Jacobs of the Delaware Supreme Court later made the following statement (in a talk at the University of Delaware): “Are corporate guidelines relevant? Yes of course. Consider the Report of the NACD Blue Ribbon Commission on Director Professionalism. With perfect hindsight, one would think that the persons who drafted this document were clairvoyant, because many of their suggestions for best practices have now become law in one form or another” (Delaware Discourses: Governance Guidelines [2005], p. 19).

1998 – The BRC on CEO Succession recommended board engagement in succession. Before vs. After: The 1997 survey showed that CEO succession ranked #5 as a board concern at that time. But the following three surveys would show a steady rise from #3 to #2 to #1 in 20013.

1999 – The BRC on the Audit Committee recommended all-independent membership for the AC (as did a competing “Blue Ribbon Committee” report sponsored by the New York Stock Exchange that same year—a recommendation that would eventually lead to a listing requirement under the Sarbanes-Oxley Act of 2002). Before vs. After: Prior to 1999, audit committees only had to have a majority of independent members, so all-independent audit committees were relatively rare and not even the subject of a survey question. The 2001 survey did ask about committee independence and showed 70% of audit committees as entirely independent. (Percentages went up from there due to passage of new stock-exchange requirements for listed company governance in the wake of Sarbanes-Oxley: the 2003 survey showed that 75.3% of companies reported having only outside directors on their audit committee. By 2005, that percentage had risen to 86.3%.)

2000 – The BRC on the Role of the Board in Strategy recommended that boards make strategy a higher priority. Response to this recommendation was delayed, but decisive. Before vs. After: In 1999, strategy ranked second, after corporate performance. From 2001 to 2004, in seeming contradiction to the Commission’s recommendation, it dropped progressively lower. But in 2005 it rose to number 1 and has held that place ever since.

2001 – The BRC on Board and Director Evaluation recommended formal evaluation of boards and directors. Before vs. After: The NACD had visited the topic of CEO and board evaluation in 1994, but its recommendations at the time had little impact (so it is not listed above). This 2001 BRC came at a better time to ride a wave of interest. The 1999 survey showed 32% of boards conducted evaluations; the 2003 survey showed that 85% did so. This was no doubt due to stock exchange requirements referenced immediately above. But the stock exchange rules themselves were born in part out of the BRC process. In 2001, NACD CEO and President Roger W. Raber testified before the House Energy and Commerce Committee, which asked him to make listing recommendations to the stock exchanges. He submitted those in a letter dated March 4, 2002. Nine of NACD’s 10 recommendations—all based on Blue Ribbon Commission recommendations—subsequently became stock exchange listing requirements.

2002 – The BRC on Risk Oversight recommended that the board play an active role in overseeing risk management. Before vs. After: The 2001 survey showed that only 5% of respondents ranked this issue among their top three. The 2003 survey saw this percentage increase to 26.1%, and the 2005 survey saw it rise to 33.2%—more than one in three respondents.

2003 – The BRC on Executive Compensation recommended an entirely independent compensation committee for all public companies (not just those covered by the Sarbanes-Oxley–mandated stock-exchange rules that would be issued in November of that year). Before vs. After: The 2005 survey showed a rise in overall independence of compensation committees compared to 2003. “Three-fourths (75.9%) of firms overall, up from 65.5% in 2003, indicated that they had only independent outsiders on their compensation committees.”

2004 – The BRC on Board Leadership recommended that boards consider using an independent lead director in cases where they did not have an independent chair. Before vs. After: In the immediate and near-term aftermath of this report there was an apparent surge in the use of the lead director—even greater than that seen when the “presiding director” disclosure requirement of the New York Stock Exchange became effective in 2003. The 2005 survey indicates that over a third (38.5%) of the boards studied had a designated lead director, almost four times the number (10.0%) shown in the 2003 survey.” The 2007 survey says that “44.8% of respondents’ boards have a designated lead director.”

2005 – The BRC on Director Liability recommended active board oversight of ethics and compliance. Before vs. After: In 2005 the prevalence of board committees to oversee ethics and compliance was 5% (with one in five committees combining with another committee, such as audit or governance). In 2007 the prevalence of a standing committee to focus on ethics and compliance doubled to 11.2%.

2007 – The BRC on the Governance Committee recommended director orientation (as well as ongoing director education). Before vs. After: In 2007, 60% of respondents said that their boards had a policy or program on director education. In 2009, 72.8% said they had such a program.

2008 – The BRC on Board-Shareholder Communications made several recommendations on improving relations with shareholders. Before vs. After: The 2007 survey showed that 80% of respondents considered relations with shareholders to be critical or important; the 2009 survey showed a rise in interest, with 90% seeing the issue as critical or important.

2009 – The BRC on Risk Governance, building on its 2002 predecessor, recommended strong board oversight of key risk factors. Before vs. After: Risk oversight had already been on the rise as a top-of-mind issue at the time of this survey, moving from a ranking of 14th in 2007 and 2008 up to 6th in 2009, partly as a result of the financial crisis. By 2011 it would rank 3rd.

2010 – The BRC on Performance Metrics recommended inclusion of non-financial metrics when assessing executive performance and awarding compensation. Before vs. After: The 2010 survey explored the use of non-financial metrics such as customer satisfaction, workplace safety, and workplace diversity in setting executive pay. In that year, between 14% and 54% of boards used specific nonfinancial metrics for this purpose. The 2011 survey showed a range of 13% to 50%, and the 2012 survey showed a range of 11% to 39%. So for the near term, at least, this BRC clearly did not change board behavior. The 2015 BRC report, which will focus on the importance of long-term value, will revisit this issue and build on this foundation.

2010 – Issued in the same year as the BRC study of performance metrics, the BRC on the Audit Committee recommended that the AC and board assess the “tone at the top,” including ethical performance of senior management. Before vs. After: The 2010 survey showed that 76.6% of companies measured ethics; the 2011 survey showed that 79.3% did so; and the 2012 survey showed that 82.1% did.

2011 – The BRC on Lead Director (like its predecessor on board leadership) recommended continued use of the lead-director role as a viable alternative to an independent chair. Before vs. After: The 2011 survey showed that 65.4% of respondents sat on boards with lead directors; the 2012 survey showed 82.8% had a lead director; the 2013 survey showed “three quarters.”

2012 – The BRC on Board Diversity recommended inclusion of diversity of personal identity as one of several value-adding dimensions (along with diversity of experience and expertise). Before vs. After: In 2014, 77% of boards had at least one woman director, up from 72.6% in 2012 and 68% in 2011 (no data for 2013). Impact on minority representation was not as positive.

2013 – The BRC on Talent Development recommended that the board put more focus on talent and that talent cascade. Talent management stayed flat before, during, and after this BRC was issued. Surveys from 2010 to 2014 all showed that talent management ranked 5th—so the BRC did not raise this issue any higher than it had been. Note, however, that this was up from a much lower ranking (16th, calculated by a slightly different method) in 2009. In this case the survey was a lead, and the BRC was a lag.

2014 – The BRC on Strategy Development recommended that the board get involved in strategy earlier and more dynamically. Our 2015 survey just went into the field, so we don’t yet have results.

In 2015, the NACD’s Blue Ribbon Commission will focus on Value Creation, reprising the theme of the performance metrics BRC, which was a good half decade ahead of its time. The new Commission’s first meeting on April 9 included a lively exchange on the intersection of public and private interests, with both public servants and corporate directors engaged in the discussion. Luminaries in the room included not only this year’s BRC co-chairs Karen Horn (board member at Eli Lilly & Co.) and Bill McCracken (former CEO and chair of CA Technologies [now CA Inc.]) but also former Gov. John Engler of Michigan and former Sen. Olympia Snowe of Maine, both retired from political leadership but active on corporate boards. NACD Chair Reatha Clark King and other BRC veterans (notably including NACD president and longtime BRC ex-officio member Peter Gleason) carried forward past wisdom even as all looked ahead.

Caveats and Conclusions

So, based on the foregoing, can we say that NACD BRC reports change the governance world? Maybe not, but they certainly do make ripples.

With 21 BRCs to date, and multiple recommendations per BRC (typically 10), overall impact is hard to trace. Proof of impact is more circumstantial than scientific, even with the many positive findings above. The surveys themselves present a moving target, as field dates, wording, response rates, and target populations have changed over time. Even BRC release dates vary, as some took more than a year to produce (there were no reports in 1997 or in 2006). Furthermore, there are other factors—such as new laws and investor pressure—affecting board behavior; so a mere change in a BRC-compatible direction does not mean much in itself. And even when change does occur in the wake of a BRC recommendation, independent of any other known causal factor, we can’t know for certain which came first: the respondent boards’ impetus to change or the BRC they read. (That is, did NACD foresee an impending change and thus mirror or reinforce it in their recommendations, or did the BRC reports in fact alter reality?)

All these caveats aside, survey findings have been instructive in assessing BRC impact. My “null hypothesis” was that no correlation exists between BRC recommendations and subsequent board behavior. My challenge was to disprove this hypothesis—to show that, in some cases, there is indeed a positive correlation. I made this case by comparing what the survey data showed about the issue shortly before and shortly after a BRC recommendation. The raw data stream indicates that, even when legislative and investor co-impacts are taken into account, BRCs accurately predicted trends and/or may have influenced them.

To be sure, there were negative or flat examples as well—two instances in which the data stayed the same or moved in the opposite direction from a recommendation, indicating ignorance or disregard of a key recommendation. These instances were rare, however, and may have needed more time to play out. The 1994 BRC on evaluating the CEO and the board did not change behavior, but it laid the groundwork for the 2001 BRC on evaluation, which did. And the 2010 BRC on performance metrics and 2012 BRC on board diversity have not yet moved the needle, but their influence may unfold over time. NACD will revisit both topics in 2015. As mentioned earlier, this year’s BRC will focus on value creation, and we plan to launch a new diversity initiative, paying sustained attention to the related issue of talent.

Clearly, there will always be a sound somewhere when a tree falls in a forest, just as there will always be some impact when a new BRC emerges. Get ready for the boom!

***********

The following links lead to the most recent editions of these uniquely useful reports.
