Understanding the Cyber Dialogue

December 18th, 2015 | By

Cybersecurity is more than a technological issue—it’s a business issue. In a BoardVision video moderated by Judy Warner—editor-in-chief of NACD Directorship magazine—Mary Ann Cloyd, former leader of PwC’s Center for Board Governance, and Zan M. Vautrinot, former commander of the Air Forces Cyber Command and current director of Symantec, Ecolab, and Parsons Corp., discuss effective cyber-risk oversight, addressing the following questions:

  • How can boards communicate with management about cyber risk?
  • How does cyber risk fit into discussions about risk appetite?

Cyber Dialogue

Here are some highlights from that conversation.

Judy Warner: For directors, I think one of the greatest challenges around the issue of cyber is how to engage in an informed conversation with management. And how do they become informed about their oversight roles as they relate to cyber?

Zan Vautrinot: One of the things that was absolutely clear about the private sector and corporate leadership is that they understood how to have a discussion about risks and strategy. The only thing different with cyber is that some of the technology and some of the solution sets are slightly different, but the conversation is the same. It is a discussion about a particular kind of risk and how it relates to the kind of business you are [in].

Warner: Mary Ann, from your perspective, how does that conversation take place, or start to take place, at the board level? And is it a conversation for the full board or a specific committee?

Mary Ann Cloyd: I guess I always say it depends. I never want to be so prescriptive as to tell somebody what they need to do because every board and every committee is different. However, I do think that, given the magnitude of how this affects so many businesses, it’s not a technology issue. It’s a business issue. So, with that, where would you oversee any other business issue at your board? And I’m guessing that a lot of it would belong at the full board, with parts of it delegated down to a committee.

Warner: The NACD recently published a handbook on cyber-risk oversight, and one of the discussions is around risk appetite and where does cyber fit into that equation today. And I know, Mary Ann, you have said we need to think of cyber as any other risk.

Cloyd: I think you bring up two interesting things. [I]n fact, we did a small publication [at PwC’s Board Leadership Center] earlier this year, and we called it “Defining Risk Appetite in Plain English.” What prompted it was I had a director come to me and he said, “Mary, we’re doing our off-site strategy session and we always talk about risk appetite. Do you have a good pre-read that I could give to the board so that they can understand what risk appetite means?” So we did this to really put in plain English, in four pages or less, what the dialog is between management and the board, and how you develop and define your risk appetite. And, to me now—as you have so beautifully put this, Suzanne—cyber is just another part of that risk discussion and how it fits into your overall strategy.

Vautrinot: Right. And if you have already had a discussion about your strategy and those things that are most important to you as a corporate entity, is it the data that is unique that you’ve collected—the information and the access to that information—that makes your corporation unique? Is it the technology or your research and development? Is it your insight into financial transaction or merger and acquisition? Is it [about] manufacturing processes or distribution processes?

Every board and every management team knows what is most important to them being successful as a corporation. It is likely that those things are the areas that [the board] would want to focus on with assessing cyber risk. If you look at that area and say this is what is most important to us as a corporation, and this is the technology that we depend on to do that activity, now I can say that is sufficient or it is insufficient relative to the amount of risk I am willing to accept in that area. There may be other areas that aren’t core to the business, and so you are willing to accept a different amount of risk or put different systems in place that kind of sandbox it—[systems] that put a fence around, or that separate or provide different controls to allow [the lower-risk] activity to run more openly, whereas [higher-risk areas are] much more controlled and much more precious.

Additional NACD resources

NACD’s Director’s Handbook Series: Cyber-Risk Oversight

NACD—Building a Relationship With the CISO

NACD—Assessing the Board’s Cybersecurity Culture

NACD—Cybersecurity Risk Oversight and Breach Response

No Comments »

D100 Directors Impart Their Best Advice

November 30th, 2015 | By

We sometimes all wish we could go back in time to advise ourselves on how to approach a new challenge or community given the knowledge and experience we have today. For the 2015 NACD Directorship 100 (D100), each honoree was asked to do just that. D100 directors were asked to provide a short, written response to this question: “What is the best advice you would give to a first-time director?” The D100 editorial team received responses from most honorees and they ranged from pithy maxims to stories about the challenges of staying independent.

A portion of the responses from the Class of 2015 D100 directors follows. Profiles of D100 honorees can be found in the November/December issue of NACD Directorship magazine.


Gary AndersonGary E. Anderson

Chemical Financial Corp., Eastman Chemical Co.

“I found that the best way to [contribute] was to frame appropriate questions dealing with the topic at hand. It doesn’t matter what the issue is, whether on corporate strategy, short-term tactics, succession planning, compensation, or risk management. The use of appropriate questioning also can work at home with the family!”

 

 

Veronica BigginsVeronica Biggins

Avnet, Southwest Airlines

“I fully embrace the Southwest Airlines and Avnet way of doing business: treat your people well and they will be equipped and motivated to treat your customers extraordinarily well, and that will produce distinguished rewards for your shareholders. Everyone is important, in every nook and cranny of the business, and every decision at the board level should involve the question, ‘How will this affect our people, our principles, and our culture?’”

 

Paula H. J. Cholmondeley

Dentsply Intl., Nationwide Mutual Funds, Terex Corp.

  • “Know your shareholders. What are their expectations? Is the company meeting them?
  • “Know your colleagues. Diversity of views, backgrounds, and experience enriches the company bottom line. Learn where your colleague’s views differ from yours. Understand why. Have courage and join them in candid discussion.
  • “Know your management team. Do they live their values? Are they delivering results?
  • Be involved in NACD, as governance is a learned skill and doing it right keeps our private enterprise system strong.”

 

Betsy HoldenBetsy D. Holden

Diageo PLC, Time Inc., Western Union Co.

“The best advice that I received as a new director was, first of all, choose wisely. Select an industry and company that you are really interested in, a management team that you believe in, and a board where your skills and experiences are relevant and will add value.

“Secondly, what really differentiates the best directors is how they interact with management and the other directors. Good directors are confident and courageous, and challenge management in a positive, constructive way…They understand that chemistry is the intangible that drives board effectiveness and they really listen to and treat other directors with respect.”

 

Nancy KarchNancy J. Karch

Genworth Financial, Kate Spade & Co., Kimberly- Clark Corp., MasterCard

“Some of the best advice I received as a new director was to accept that this role is different than anything I had ever done, and to have patience to learn the ropes. [A director] is an advisor, a member of a peer team, a leader on governance matters, a decision maker on some matters—[it’s] a mix unlike anything else. Plus, as in any job change, one is entering a new culture, and in the case of a board, both a company and a board culture. So be patient.”

 

Tim ManganelloTimothy Manganello

Bemis Co., Delphi Automotive

“The best advice I received was pertinent to me both as a director and as a chair/CEO. That is: ‘Tim, be yourself, remember that is what got you here.’ [That advice] caused me to think about hard work, integrity, ethics, and striving to make the proper decisions.

“It also reminded me that as my career evolved from working summer jobs in automotive plants to the boardroom of BorgWarner, I listened to, learned from, and developed relationships with people from all levels of society. This has become a valuable tool in the boardroom. Each time ‘a sticky issue’ is discussed, I remember to think back to my previous experiences and express what I think is the proper approach.”

 

Sarah RaissSarah E. Raiss

Canadian Oil Sands, Commercial Metals Co., Loblaw Cos., Vermillion Energy

“The best advice I received came from a very seasoned director. He said that I should find a person or two on the board that I could best relate to and either ask them to be my ‘board buddy’ or just make them my ‘board buddy’ without even asking. This person would help me understand current board dynamics, help me understand the history as necessary, and provide feedback on the value I brought to the board. I have used this technique on every board to which I am appointed, [and it] has allowed me to be more productive and a valuable contributor more quickly. I am most appreciative of my ‘buddies.’”

 

Ronna RomneyRonna Romney

Molina Healthcare, Park Ohio Holdings Corp.

“Three people gave me great advice when I decided to accept board positions at Molina Healthcare and Park Ohio. The first was Mary Molina, the company’s chair. It was simple but profound: ‘Remember the mission. It is the cornerstone of our corporate culture.’

“The second came from Ed Crawford, chair and CEO of Park Ohio. He said, ‘Act with integrity at all times and have the courage to do the right thing.’

“The third was from my husband, Bruce Kulp, former general counsel of Ford Europe. He counseled me to listen, get as much information as possible, trust in the power of common sense, and to always think strategically.

“Lastly, the people you deal with in management and the board are human. They have families. They have good days and bad days. Kindness is powerful, even in the boardroom.”

 

Olympia SnoweOlympia J. Snowe

Aetna, T. Rowe Price Group

“One of the key components of executing critical judgment is ensuring an ongoing evaluation of how the company’s short term goals enhance its strategy for creating long-term value. That requires early and extensive director engagement in the shaping of the strategy, greater understanding and knowledge of business operations, and constant assessment and management of the risk.

“In this era of deeper investor involvement, it is more essential than ever for boards to communicate to shareholders the extent to which the independent directors are vigorously exercising their due diligence towards maximizing the value of the enterprise.”

 

Ron SugarRonald D. Sugar

Air Lease Corp., Amgen, Apple, Chevron Corp.

“Select your boards carefully…You should be mindful of geography, meeting schedules, and be prepared to put in whatever time is necessary. And when trouble comes, you must be committed to see things through—whatever it takes.

“In well-run companies, board meetings enter a predictable rhythm, and are fairly routine. It has been said that in routine times, the quality of a board doesn’t really matter—until suddenly those moments when it matters enormously. Such ‘moments’ might include a significant market shift, a technology disruption, a planned (or unplanned) management succession, a serious regulatory or litigation threat, an environmental or safety crisis, a significant acquisition, a hedge fund activist campaign, or a hostile takeover attempt. In those moments, the board’s collective wisdom, perspective, and mature judgement can make—or break—a company.”

 

Dave WilsonDavid A. Wilson

Barnes & Noble Education, CoreSite Realty Corp.

“The best advice came from the counsel I engaged for [a] special committee. He noted the fiduciary duties of directors formed a foundation but not the entire structure. The greatest challenge I will ever confront as an independent director, he said, is ‘independence.’ He was speaking not of the independence necessary to meet SEC and NYSE thresholds. Rather, he spoke of the independence of mind, thought and action.

“What our attorney never told me was how challenging it may be to hold fast when you are in the minority, but how critical it is to our governance system that you do.

“Polonius may have been a pompous fool, but I still find value in these words: ‘This above all: to thine own self be true, And it must follow, as the night the day, Thou canst not then be false to any man.’—William Shakespeare, Hamlet, Act 1 Scene III.’”


Review the full list of D100 honorees at NACDonline.org/Magazine, and take a few moments to consider who you might nominate for inclusion in our tenth anniversary list. A call for nominees will be issued to all NACD members in early 2016.

No Comments »

Strine Rips Fund Voting, Advocates Tax on Trades

November 3rd, 2015 | By

For the 1,200-plus directors convened at this year’s NACD Global Board Leaders’ Summit, Delaware Supreme Court Chief Justice Leo E. Strine Jr. had words of advice that ranged from improving time management to establishing a Tobin-like tax on financial transactions. The nation’s leading jurist on corporate matters also cautioned against using electronic devices during board meetings for unrelated matters because that information may one day be discoverable in court.

Leo Strine at NACD 2015 GBLS

Interviewed on Tuesday, Sept. 29, by NACD President Peter Gleason, Strine was at his provocative best. The proliferation of technology in the boardroom, Strine observed, may lead to an unintended consequence: the ability to discern just how engaged directors are and by what in board meetings. Strine warned of the possibility, and even the probability, of a shareholder suit that alleges inattention and seeks to support that allegation with a review of the director’s online activity when in board meetings—measuring just how much time was spent looking at material on the board portal versus sending e-mails, text-messaging family or friends, or playing fantasy football.

Boards also need to assess whether they are using their time to best effect. “There are no disciplined studies about how boards should be scheduled and what you do in certain committees,” Strine said. “The pattern is that if something is required legally or by statute, then that tends to get done first. A real challenge is to think like business people about your function as a director and how you use your time, and [recognize] that it reflects the priorities that you (as a board) set.” Strine challenged directors to set “a board budget of hours.”

Strine repeated a suggestion he has made previously that U.S. tax policy be adjusted to include a so-called Robin Hood or Tobin tax. Such a tax is named for the late Nobel Prize-winning Yale economist James Tobin, who in 1973 recommended a levy on short-term currency swaps in order to thwart speculation. A similar tax on stock trades, Strine maintains, would discourage short-term fund-hopping and generate new revenue.

Strine took issue with the voting practices of some large asset managers, noting that the sheer volume of votes created by shareholder proposals and the numbers of companies in each fund make informed voting impossible. Even the most “rational” investors, such as Fidelity Investments and the Vanguard Group, tend to vote their funds in one direction for the sake of expedience, he said. (See related content: Taking the Long View with Bill McNabb.) “It would be good for index funds to have their own voting policies. Why is the index fund voting the same way as the dividend fund?” Strine asked. “Why?”

One of the CEO’s most important jobs is to develop the next generation of leadership, Strine reminded the assembled directors, and boards should have opportunities for regular contact with up-and-comers.

Strine also recommended that boards consider the benefits of adopting a forum-selection bylaw. The inclusion of such a bylaw would allow corporations to determine where court cases are adjudicated when suits cover more than one jurisdiction. The state of Delaware in May enacted an arbitration law that is intended to provide speedier, more cost-effective dispute resolution as long as one of the companies in the dispute is domiciled in Delaware.

For further reading:  NACD Directorship featured an interview with Strine in the May/June issue.

No Comments »