NACD’s thought-leadership forum, Master Class, convened in Fort Lauderdale, Florida, late last year to discuss how corporate governance is adapting to the current operating environment. Dialogue among directors and session leaders at the event revealed 10 insightful takeaways:
Board engagement in strategy development is a sign of healthy board-management engagement. The board’s role is to question the CEO’s strategy assumptions, offer alternatives, and ensure long-term value creation. Senior management’s job is to execute the strategy.
Given the complexity of today’s operating environment, it is even more important to stay attuned to disruptive competition in the company’s industry. Spend time outside of board meetings learning which changes—in technology, policy, or through stakeholder demands, for example—are emerging and how your company should address those disruptions.
Demonstrate directors’ commitment to continued education in communications with shareholders, employees, and other stakeholders. While your board may feel that current director evaluations and education requirements are sufficient, review your director education program to ensure that board members’ skills are being enhanced to keep pace with the changing operating environment.
Consider taking a few steps to enhance recruitment of and onboarding for new directors:
Consider not only the board’s recruitment needs in the next year, but also in the next several years as directors leave the board and as company strategy evolves.
Establish a requirement that the director pipeline includes candidates from diverse backgrounds.
Tailor new-director onboarding programs to individual directors.
Convey a sense of your board’s dynamics with each other and with management to both prospective and new directors.
Determine whether the skillset matrix tests for skills that are necessary for the company strategy. While directors currently serving on the board may have had the skills to help the company achieve its prior strategy, realize that the directors sitting on the board today should be measured against the new ruler of current and future strategy expectations.
Review your board’s bylaws and committee charters to determine whether the documents offer any detail about how directors oversee cultural risk. Probe management about culture. Given recent corporate scandals relating to unhealthy corporate culture, consider adding language to your bylaws and charters to demonstrate a commitment to healthy company culture. Take this commitment a step forward by probing management about how the company currently cultivates a healthy, ethical culture.
Look beyond the information management has presented you to determine the company’s cultural dynamics among not only senior management, but also lower- and mid-level managers. Review online employee satisfaction websites to gauge morale and determine whether behaviors incentivized are realistic and healthy.
Question the quality and volume of information being given to the board on enterprise risks. If the board is receiving 1,000 pages of information monthly about risks, ask whether the board can realistically absorb that information. Ask the chief risk officer to provide the board with a more brief and concentrated view of the risks that need to be addressed, and spend time drilling down on the most pertinent risks, including those that may be sleeping giants.
When stumped on strategy, go back to the beginning. Ask often why the company was founded and what problem the company should help clients or consumers solve. Having a renewed vision of the founder’s mission can help provide fodder as to how to revive that vision in light of today’s operating environment.
Dive deep into consumer trends and behaviors when considering appropriate strategies. While it may be easy to become mired in the highly technical nature of directorship and oversight, realize that great insight can come from aligning company strategy so that it satisfies customers’ needs and wants.
China’s legislature approved its Cybersecurity Law this past November, solidifying China’s regulatory regime for cyberspace and potentially disrupting foreign companies that use or provide telecommunications networks in China. The law takes effect June 1, 2017, and reflects China’s desire for “cyber-sovereignty” (regulating the Internet in China according to national laws, despite the global nature of the World Wide Web). As the Chinese Communist Party (CCP) faces pressure from slowing economic growth and foreign influence, the Cybersecurity Law is one in a series of laws the Chinese government has implemented recently to uphold state security.
Significant Provisions of the Law
Though the wording of the law is vague, it formalizes many current practices and aims to consolidate cybersecurity authority under the Cybersecurity Administration of China. While the government is expected to offer more clarification on the law through implementation rules, how the law plays out in practice will be the ultimate indicator of the law’s severity. These three aspects of the law have the greatest potential to affect multinational companies (MNCs) doing business in China, according to an NACD analysis:
1. Data localization: Article 37 of the law is one of the most contentious and requires that “critical information infrastructure” (CII) operators store personal information and other important data they gather or generate in mainland China within mainland China. CII operators must have government approval to transfer this data outside the mainland if it’s “truly necessary.” The definition of CII is a catch-all, including public communication and information services, power, traffic, water, finance, public service, electronic governance, in addition to any CII that would impact national security if data were compromised.
Impact: The broad applicability of the CII definition raises the concern that any company using a telecommunications network to operate or provide services in China would be required to store data in mainland China, possibly even affecting those that store data to clouds with servers located outside mainland China.
2. Support for Chinese security authorities: Article 28 requires “network operators” to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations. Network operators are broadly defined as those that own or administer computer information networks or are network service providers, which may include anyone operating a business over the Internet or networks.
Impact: The loose definition of “technical support” creates the concern that MNCs will be required to grant Chinese authorities access to confidential information, compromising private information and intellectual property that may be shared with state-owned competitors. Although not stated in the final version of the law, there is also the possibility that companies may be required to provide decryption assistance and backdoor access to authorities upon request.
3. Certified network equipment and products: For network operators, Article 23 indicates that “critical network equipment” and “specialized network security products” must meet national standards and pass inspection before they can be sold or supplied in China. A catalogue providing more specification on these types of products will be released by the government administrations handling cybersecurity. Under Article 35, CII operators are also required to undergo a “national security review” when purchasing network equipment or services that may affect national security.
Impact: Chinese companies and government agencies have historically relied on computer hardware and software manufactured by foreign companies, although this is now shifting in favor of domestic IT products. Opportunities for hacking and espionage put China at risk of losing sensitive information to foreign governments or companies, and China has already started conducting reviews of the IT security products used by the central levels of government. This provision of the Cybersecurity Law demonstrates China’s resolve to mitigate this risk and may pose a significant barrier to foreign IT equipment manufacturers selling products in China.
How Directors Can Prepare
China’s Cybersecurity Law has been criticized by the foreign business community, and, depending on the law’s implementation, it may make doing business in China for MNCs not only more complex but also riskier. Tom Manning, a China specialist at the University of Chicago Law School and director of Dun & Bradstreet, CommScope, and Clear Media Limited, advises boards to consider the effect of the Cybersecurity Law in the greater context of China’s rise: “The Chinese economy is increasingly more self-sufficient. Domestic companies are growing stronger and are more capable, while multinational companies are finding it more difficult to compete.”
Manning suggests boards conduct an overall China risk assessment, with the Cybersecurity Law as the focal point. While some companies may determine the risk of doing business in China is too high, Manning says, others might decide they need to invest more in China to be profitable. Ultimately, creating alliances with domestic firms, who have a greater influence over the government’s implementation of the law, may be key. “Leading domestic companies have a stake in seeing a better definition of the law, and their interests aren’t unaligned with multinational companies,” Manning says. “Chinese Internet companies can explain to the government how the law will affect their business models and be more effective in doing so than Western companies.”
Although how the law will be enforced remains to be seen, boards can consider the following questions when evaluating the impact of China’s Cybersecurity Law:
Are we storing information generated or gathered in mainland China on servers in mainland China? Do we need to create separate IT systems for China-specific data? Are we reliant on cross-border data transfers, and how would we approach this need with the Chinese government?
What is our risk exposure stemming from the potential loss of intellectual property or encryption information as a result of this law? How would our business be affected should our Chinese competitors gain access to this information?
For computer hardware or software manufacturers, are we willing to share our source code with the Chinese government?
For technology firms, how does the law alter the playing field for our company to compete in China against domestic firms?
What additional investments do we need to make in order to comply with this law?
The National Association of Corporate Directors (NACD) released the 2016–2017 NACD Public Company Governance Survey late in 2016. The survey, which NACD has administered for two decades, helps directors affirm that their governance practices are effective, fit for purpose, and clearly communicated to shareholders. Our members find value in benchmarking their companies’ approach in areas such as board structure, composition, education, recruitment, and evaluation year over year, and they use the results to identify opportunities for improvement and validate board priorities for the coming year.
What did we learn about changes to public company governance in the previous year?
Although we did not see any seismic shifts in how public companies govern themselves, the data indicate that corporate boards are slowly adapting to heightened expectations about their contributions and performance.
Let me share 10 key takeaways from this report and illustrate some of the changes we have observed in our analysis.
1. Overseeing Uncertainty: Economic uncertainty and business-model disruption are among the top concerns for corporate boards in 2017. Respondents also report that major industry changes, growing regulatory demands, and cyberattacks will significantly affect their companies over the next 12 months. Global economic uncertainty was selected by 60 percent of respondents as one of the five trends that will have the greatest impact on their companies over the next 12 months, most likely in light of ongoing economic turbulence that includes the fallout from Brexit, emerging markets volatility, and the protectionist trade stance of the new US administration.
2. Deeper Board Engagement with Strategy Setting: Growing external uncertainty seems to accelerate the momentum for increased board leadership in strategy. For more than half of boards, active involvement in the development of strategy is a goal for major improvement over the next 12 months. Recognizing that successful strategy setting and execution in this volatile environment are challenges, boards are eager to move from the traditional review-and-approve process to more active strategy engagement earlier and on an ongoing basis, allowing directors to examine underlying assumptions, competitive dynamics, and alternatives.
3. The Tyranny of Short-Termism: Maybe the most important structural barrier to board engagement in strategy setting is the intense short-term performance pressure placed on both boards and management. Seventy-five percent of respondents report that management’s focus on long-term value creation has been compromised by pressure to deliver short-term results, while 29 percent report that pressure on boards to focus on short-term performance inhibits their ability to effectively oversee long-term strategy development.
4. Risk Oversight Moves to a Higher Standard: Board risk oversight is becoming a robust practice, with a large number of boards looking beyond a review of the top risks to consider the linkage between risk and strategy, the impact of incentives, and the strength of their company’s risk culture. Many boards now receive frequent reports on key components of risk management, including summaries of top risks, emerging risks, and their mitigation. According to our survey, 63 percent of them perform in-depth reviews of specific top risks. Perhaps in response to the recent corporate debacles in the auto industry and banking sector, more than 57 percent of boards now assess whether incentives used in the company’s compensation structure could inadvertently create or exacerbate risks.
5. Struggling to Meet the Cybersecurity Challenge: Directors continue to wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge of this growing risk. Fifty-nine percent report that they find it challenging to oversee cyber risk, and only 19 percent of respondents report that their boards possess a high level of knowledge about cybersecurity. While 37 percent of respondents feel confident and 5 percent feel very confident that their company is properly secured against a cyberattack, many of their boards may lack sufficient expertise or adequate information to confidently assure that cybersecurity defenses are indeed effective.
6. Managing a Growing Board Agenda: The average director time commitment has stayed relatively flat at 245 hours per year, with more time spent on preparations and less time on travel compared to last year. The average number of meetings has also remained flat. Facing ever-expanding agendas, boards struggle to effectively prioritize their scarce meeting time. When asked about time allocation over the last 12 months, more than a third of respondents indicate that their boards spent too little time on director education, executive leadership development, cyber-risk oversight, board succession planning, sustainability, CEO succession, and information technology oversight.
7. Information Rich, Insight Poor: Boards receive much information from management but express concerns about the quality of that information. While directors noted an average increase of 12 hours for document review in preparation for meetings, roughly 50 percent of respondents noted a glaring need for improvement in the quality of information provided by management.
8. Increased Shareholder Engagement: Boards are increasing their shareholder engagement, but their level of preparedness to address activist challenges is uneven. This year, 48 percent of respondents indicate that a representative of their board held a meeting with institutional investors over the past 12 months, compared to 41 percent in 2015. Only 25 percent of respondents have developed a written activist response plan, which may be a critical tool to effectively address a forceful challenge from an activist.
9. The Increasing Reliance on Search Firms for Director Recruitment: Boards no longer primarily rely on personal networks to recruit new directors, signaling increased professionalism and a desire to tap into a wider network of candidates. For the first time since NACD began to survey its members on this issue, search firms were the leading source boards used to identify their most recently recruited director.
10. Only a Minority of Boards Conduct Individual Director Evaluations: Only 31 percent of respondents report that improving the board evaluation process is an important or very important priority for their boards in the next 12 months. In fact, just 41 percent of boards now use individual board evaluations, and an even smaller number use the results of these evaluations to make decisions about replacing directors.