Posts Tagged ‘Risk Oversight’

Information Flow Beyond the CEO

July 16th, 2013 | By

As a delegate to NACD’s Advisory Council on Risk Oversight recently said: “Directors don’t know what they don’t know.” This Fortune 500 director was referencing one of the challenges facing corporate boards today: asymmetric information risk.

Asymmetric information risk refers to the risk inherent in the imbalance in the information flow between management and the board. Directors serve in a part-time capacity while the management team operates full time. Naturally, senior-level executives have a much deeper knowledge about the organization’s operational processes and risks than the board. As such, directors rely on senior management for the information necessary to carry out their oversight duties.

In our experience working with boards, we’ve found an effective solution for mitigating asymmetric information risk is to develop a systematic process in which the board is given access to the executive team – beyond the CEO. Examples of senior staff with whom the board should regularly meet include the chief risk officer, chief compliance officer, head of internal audit, chief ethics officer, general counsel, CFO, and chief information officer. NACD’s C-Suite Expectations: Understanding C-Suite Roles Beyond the Core helps directors understand the types of information these executives should provide.

One way to ensure that this systematic reporting occurs is to include a recurring slot for key executives and functional leaders to present – perhaps during the board and/or committee executive sessions. The goal here is to help the board understand what keeps these executives up at night and anticipate issues in advance.

The board is responsible for providing oversight on the appraisal of strategic and enterprise risk. The inherent nature of a director’s role, however, results in a reliance on the information presented in the boardroom and between meetings, by select members of the management team. For the board to mitigate this natural imbalance in information flow, directors should have in place a systematic process for engaging with key executives, in addition to those limited few who traditionally participate in board meetings.

For more on leading practices in risk oversight, read the latest Summary of Proceedings from the NACD Advisory Council on Risk Oversight.

The Boardroom Reality of Cyberattacks

May 23rd, 2013 | By

It is requisite to start every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begins the one- to two-hour panel discussions—experts in cyber technology outlining and explaining the various methods that have already been employed to hack into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.

Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations that are targeted in attacks. In a recent Verizon report on data breaches, it was reported that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.

Oversight of cybersecurity is at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle currently ensuing between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, however, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. In a report representing the culmination of six years of research from Mandiant—an American security company—Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.

At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.

  • Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
  • Define and protect the “crown jewels.” Companies can’t afford to defend every aspect of the organization. As such, it is wise to develop a minimalist strategy that foremost protects the sources of competitive advantage.
  • Don’t wait for the “big event.” Most frequently, companies are not crippled by one significant event, but instead a “death of one thousand cuts”—a slow creep of proprietary information.
  • Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
  • Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
  • Ask the right questions. At the next board meeting, directors should ask: “Have we been breached?” Then, “what forensics team have we brought in to look at these threats?” Most likely, directors will require outside expertise to aid in the understanding of cyber risks.

Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.


Who Is Trying to Eat Your Lunch?

May 2nd, 2013 | By

Last year, NACD launched its fourth Advisory Council on Risk Oversight—the first of our councils not dedicated to a specific key board committee. In fact, less than 10 percent of public companies even have a committee dedicated to risk oversight. This advisory council was formed as the result of a simple observation: the responsibility of risk oversight has expanded significantly in the last several years. This council is not lacking for discussion topics—the nature of potential risks to an organization is evolving seemingly by the day. Directors need to know the strategies in place to not only mitigate but capitalize on the risks currently facing the company, and those predicted to present challenges in the future.

But that just accounts for what is on the board’s radar. At the second meeting of NACD’s Advisory Council on Risk Oversight held in collaboration with PwC and Gibson Dunn, the discussion went beyond current and predicted risks to the challenges of disruptive technologies and innovation. Increasingly, the most severe shocks have been largely unpredictable: extreme weather, the confluence of multiple events, or innovation that upturns the industry. As one delegate observed: “We haven’t spent much time on the [risk of] ‘I will eat your lunch with a completely different approach.’ Companies don’t sit down and think about who is going to attack from a completely different angle.”

In their oversight capacity, directors cannot constantly monitor the more detailed aspects of the business. Nor can “you anticipate what you don’t know.” Nevertheless, several delegates suggested that the appropriate risk oversight processes in place, coupled with a resilient culture that efficiently reports risks up to the board, can support directors in mitigating known and unknown risks. The meeting, captured in the 2013 Advisory Council on Risk Oversight Summary of Proceedings, focused on areas critical to effective risk oversight processes. These include:

  • Board processes and people. It is critical that the board not only has the right talent, but engages it fully. Directors should have a “real and thorough” understanding of the business to be able to effectively discuss both strategy and risk with management.
  • Recognizing asymmetric information risk. While the board has to be comfortable with the reality of information asymmetry, directors should establish tolerance levels for the level of asymmetric risk they are willing to bear, and look for signs of when this risk has become too high.
  • Engaging with management involved in risk reporting. For companies with a chief risk officer (CRO), that person can keep an “inventory” of risks throughout the organization. Additionally, directors can ask internal audit to identify what it believes will be “hot-button” risk areas.
  • Linking strategy to risk. The board’s oversight of risk should begin with an assessment of the company’s strategy and its inherent risks, which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept.
  • Allocating the work of risk oversight. The significant increase in risks facing the board necessitates defining who will act as an “air traffic controller”—allocating risk oversight responsibilities.

Leading practices for risk oversight—including allocation of work and the development of a risk strategy document—will continue to be the focus points not only for this advisory council but also NACD’s Directorship 2020 initiative. To download the full summary of proceedings, click here.