The appropriate length of service by a company director is an emerging issue in corporate governance that yields varying responses among large shareholders, proxy advisors, and directors themselves. Recent board tenure concerns center around a director’s ability to remain independent after extended service, lack of industry expertise and technological familiarity, and poor diversity on corporate boards. Conversely, long-tenured directors can be beneficial because of their deep knowledge of the company acquired through service, the continuity and stability they offer, and their grasp of the historical perspectives that can inform current company strategy. As this issue continues to draw attention from various interested constituencies, corporations should continually assess board composition and consider their current policies on director tenure as shareholders become more attuned to extended service and its implications.
The Current State of Director Tenure in the U.S. and Abroad
No overarching law or regulation currently limits the length of board service in the United States. In fact, few United States public companies address board tenure directly in their bylaws. According to SpencerStuart, approximately 3 percent of company boards in the S&P 500 have specified term limits for directors. Only 17 companies in the S&P 500 set term limits for their directors in 2012, with no company adopting a term of less than 10 years. That same year, board turnover on the S&P 500 reached a 10-year low, reflecting the trend toward directors remaining in their positions.
Mandatory retirement ages are more common. SpencerStuart reports that 72 percent of companies in the S&P 500 have mandatory retirement ages, which reflects a 6 percent increase since 2003. Of those boards, 88 percent set the mandatory retirement age above 72. Over the last 10 years, the percentage of boards with mandatory retirement ages of 75 or older has increased from 3 percent to 24 percent, while the percentage of boards with a mandatory retirement at age 70 decreased from 51 percent to 11 percent. Moreover, some U.S. public companies allow boards to waive the mandatory retirement age for directors, which is typically between age 72 and 75, according to David A. Katz and Laura A. McIntosh, authors of Renewed Focus on Corporate Director Tenure.
The lack of term limits and mandatory retirement ages promotes extended board service. Last year, 20 percent of U.S. corporate boards in the S&P 500 had an average director tenure of at least 11 years. The median age of directors was 63.
Director tenure limits are more prevalent outside the United States. The European Commission notes that an appropriate maximum tenure for a director is three terms, or 12 years. The United Kingdom employs the “comply or explain” model, which presumes that directors are no longer independent after nine years of service unless a company can explain why it has determined that a director remains independent after reaching the presumption threshold. France employs one of the most stringent guidelines for independent directors, capping director service at 12 years, though this does not give France the lowest average director tenure in Europe. That distinction goes to Germany, with an average director tenure of five years. Collectively, Europe has relatively shorter board tenures on average compared to the United States, where the average is 8.6 years. For reference, Spain has the highest average tenure in Europe at 7.7 years. In Asia, Hong Kong does not limit director service, but companies appointing an independent director to serve longer than nine years must employ a separate vote for the director using a special resolution.
Calls for Change
Recently, shareholder advocates have pushed director tenure to the forefront. Institutional Shareholder Services has been visible in highlighting potential issues with corporate director tenure, with its new Governance QuickScore 2.0 program. The product, which uses specific governance factors and technical specifications to rate company governance, takes director tenure into account. According to ISS, “[a] tenure of more than nine years is considered to potentially compromise a director’s independence.” ISS has not disclosed the weighting that each metric will actually have, so it is unknown how much impact long-tenured directors will have on a company’s QuickScore rating.
ISS has yet to alter its voting policy outside of QuickScore such that tenure can lead to a determination that a director is not independent. ISS does urge shareholders to vote against proposals to limit tenure by mandatory retirement ages or term limits, but it suggests shareholders scrutinize the average tenure of all directors if their tenure exceeds 15 years in order to promote independence and alternative perspectives.
State Street Global Advisors (SSGA) revised its view on board tenure in 2014 to reflect its support for board refreshment and planning for director succession. According to SSGA’s Head of Corporate Governance Rakhi Kumar, the new policy is “designed to identify companies with a preponderance of long-tenured directors, which may indicate a lack of refreshment of skills and perspectives . . . . [L]ong tenure may also diminish a director’s independence.” Though SSGA does not consider long-tenured directors to be entirely ineffective, SSGA discourages their presence on committees where “independence is considered paramount,” including the audit, compensation, and nominating/governance committees.
SSGA has indicated that it will screen companies based on whether their average board tenure is above one standard deviation from the average market tenure. If a company has a longer-than-average board tenure, SSGA will further screen it for (a) whether one-third of the non-executive directors have tenures in excess of two standard deviations from the average market tenure and (b) classified board structures. Following this screening, SSGA has indicated it may vote against the chair of the nominating committee, long-tenured directors serving on key committees, and/or both the members of the nominating committee and long-tenured directors at companies with classified boards. SSGA, however, has not provided additional details on how it computes average board tenure.
The Council of Institutional Investors supports board turnover in order to guard against a “seasoned board member” losing his or her independence or thinking more like an insider over time. Further, CII’s policy highlights the high salaries that accompany director positions, and how the compensation fails to promote board refreshment. It is estimated that S&P 500 companies pay independent directors an average annual salary of $250,000. Despite an updated policy, however, CII refuses to deem its policy as endorsing a tenure limit, highlighting that removing long-tenured directors “could rob the board of critical expertise.”
Glass Lewis & Co. pushes back on the idea of an inflexible rule limiting director service. Glass Lewis believes such inflexible limits may not provide benefits or returns for shareholders. Its 2014 proxy policy thus reflects the idea that term and age limits are not in shareholders’ best interests, and that there is no evidence of a connection “between either length of tenure or age and director performance.” Nevertheless, Glass Lewis supports “periodic director rotation” through shareholder monitoring to promote fresh perspectives, new ideas, and business strategies. Glass Lewis notes that if a company does have an age or a term limit, shareholders should vote against the board waiving its self-imposed limit absent extenuating circumstances like a merger.
The Effects of Board Tenure Limits
There is no “one-size-fits-all” approach to board tenure. There are merits to imposing board tenure limits at some companies, specifically the potential to promote the independence of corporate directors by limiting extended service. Some directors may also become complacent or out of touch with the company or industry after extensive service. Replacing long-tenured directors may offer a new opportunity for the company to infuse fresh perspectives into the board, whether in corporate strategy or industry expertise. In addition, boards can use mandatory retirement ages or term limits to avoid otherwise unpleasant conversations with directors whom the board believes should retire.
Despite the potential benefits of mandatory director refreshment, there is no strong indication that long-serving directors are not independent, which is the primary concern of those who criticize extended board service. A “one-size-fits-all” approach to term limits or mandatory board refreshment would restrict or remove experienced, knowledgeable board members arbitrarily and create situational difficulties for the company going forward. As noted above, long-tenured directors are often the most knowledgeable about the company and offer stability, particularly during changes in senior management. In addition, at some companies the most long-tenured directors often exercise considerable influence over less-tenured senior management. These factors balance heavily against any strict rule on board tenure. Additionally, term limits may interfere with the development of effective collaboration among board members who have built strong working relationships over the course of their tenures.
It remains to be seen if the increased attention on board tenure will have a significant impact on the corporate governance of U.S. public companies going forward, or if the international trends will be imitated in the United States. Mandatory term limits applicable to all U.S. companies are inappropriate. Rather, companies should continue to have the choice of whether to impose restrictions on board tenure. The important issue, therefore, is how companies make that choice. We suggest a thoughtful consideration of board composition by nominating committees, boards and shareholders on a case-by-case basis that considers tenure, expertise in the particular industry, knowledge about a particular company, diversity, director competency, and the company’s success over the director’s tenure. Boards must also carefully assess their own composition in light of various experiences, backgrounds, skills, and traits that could enhance board performance. Boards themselves, along with input from their shareholders via annual director elections and shareholder engagement, are best equipped to assess whether to retain or remove their own directors, and should not be burdened by a uniform rule that may potentially yield unintended consequences to the detriment of the company and the shareholders.
Steven Haas is a partner in Hunton & Williams’ Richmond, VA, office. He represents clients on corporate governance and M&A matters. He also regularly counsels clients with respect to corporate governance issues and fiduciary duty litigation.
As information security becomes increasingly visible and accepted as a core business function, senior executives need to have a thorough understanding of the organization’s overall security posture as well as a way to identify areas needing improvement.
A security assessment increases awareness and understanding of security issues, but more importantly, it helps key decision-makers make smart security investments by highlighting high-importance and high-payoff tasks to work on. Security assessments are not just hunting expeditions to find security weaknesses. A security assessment is a top-down analysis of existing security controls and processes. It provides an understanding of the status of each control, highlighting both the positive levels of maturity and areas of improvement based on the organization’s specific need as well as recognized best practices.
For some organizations, security assessments aren’t optional as they may be subject to one of the many governmental regulations—HIPAA, PCI, FISMA, Sarbanes-Oxley, Gramm-Leach-Bliley, to name a few—which require deploying a set of security controls. Even for organizations that don’t have that regulatory stick, independent assessments help guide the organization towards improving and strengthening internal security practices.
An assessment starts before the team arrives on-site. It should begin with a kick-off call to handle logistics, introduce the primary point of contact and members of the team, and to discuss the scope of the assessment. Agreeing on the scope and timeline of the assessment beforehand makes sure everyone’s expectations are met by the end of the process. Depending on the size of the organization under review, an assessment should take a few weeks to a few months.
In this phase, the organization pulls together all the documentation referencing their processes, security policies, guidelines, and standards. These documents—which include network architecture diagrams, process diagrams, and workflows for specialized teams such as incident response—should be delivered to the assessment team beforehand so that the team has the opportunity to review them and identify any gaps that need to be addressed in the form of additional documentation or formal interviews. These documents help the assessor to understand the organization before scheduling the actual visit.
Having this information available to study ahead of time saves the assessment team time because the on-site time is spent on face-to-face interviews. It’s not a problem if the documents are rough and only informal materials are available, as the assessment is not evaluating how well the processes are documented.
Focus the Conversation
Having the information in advance means the team can identify the right people to set up meetings with and target the discussions specific to the organization’s environment. For example, if there are 20 areas under review, but only five of them have in-depth technical documents, the assessment team can then set up meetings to review the controls in place for those five areas, and focus the bulk of the time in conversations over the remaining 15 areas. There is no need to waste time digging into what’s already known and well-understood.
Understanding the Roadmap
When undergoing a security assessment, the organization typically is looking at the controls from a top-down perspective. The assessor is not there to perform a technical hands-on test or find out which vulnerabilities need to be patched.
After the assessment is complete, the organization will be able to identify areas needing immediate attention and will have the direction for evolving its security strategy over the next three to five years.
Security Assessment in a Nutshell
Information security is a dynamic field with rapidly changing technology and evolving threats. The number of threats is growing every day and attackers rapidly adopt new techniques. Attackers have different goals, whether they are after financial gain, espionage, blackmail, or just plain publicity. Nearly every organization—independent of size—is a target, especially as attackers piggy-back on smaller companies to reach larger ones.
Board members and executives need to become more involved in ensuring their organizations are making the right investments in people, processes, and technology to provide adequate security for the risks and threats they face. A security assessment is one of the best ways to ensure you are on the right path and give you the visibility you need.
How to Select the Right Team for Your Security Assessment
A security assessment is a critical part of understanding the organization’s security maturity and the security strategy, so selecting a trusted assessor is critical. Here are some of the things to keep in mind when interviewing a security assessment team.
Look for a team comprised of individuals with a broader understanding of information security processes. These are people who understand security operations, enterprise networking, and architecture. Look for experience dealing with security applications, including security information and event management (SIEM)/log management, governance risk compliance (GRC), identity access management, IDS/IPS, advanced persistent threats, antivirus, vulnerability management, and business intelligence.
It’s important the assessor understands the industry, but make sure the assessor is also familiar with security topics outside the industry vertical. Not specializing in one specific sector will ensure the broadest level of knowledge.
Ask to see samples of deliverables. Ensure the assessment will end with deliverables outlining a roadmap and a detailed picture of what the security controls look like. The report needs to have information that will be used at both operational and management levels. It should include action items that define relevant steps on what to do next. The final deliverable must have specific recommendations for addressing gaps or issues identified, a list of steps that need to be taken, and a timetable of when they need to be performed. Also, ask what kind of executive-facing deliverables will be available, with detailed executive summaries about the issues identified and strategic recommendations on closing the gaps.
Will the team perform the assessment on-site, or remotely? There is a value to performing an assessment on-site, but there may be circumstances preventing the team from being able to conduct face-to-face conversations. Ask what the remote assessment will entail. On the other hand, be wary if the assessor insists on a large on-site team for an extended period of time. Many firms use assessments as training ground for junior staff members. This will result in a team of, for example, six assessors with an effective throughput of two or three. At the same time, you’ll be paying a premium for senior members of their team to train junior staff on your dime.
Rapid7 cybersecurity analytics software and services reduce threat exposure and detect compromise for 3,500 organizations, including 30 percent of the Fortune 1000. From the endpoint to cloud, they provide comprehensive real-time data collection, advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs. For more information, call 866-7-Rapid7 or visit their website.
Now in its third year, NACD’s Directorship 2020® takes an investigative look at the trends and disruptors that will shape boardroom agendas of the future. This initiative is designed to raise directors’ awareness of these complex emerging issues and enable them to provide effective guidance to management teams as they navigate the associated risks and opportunities. The inaugural 2015 session was held on March 3 at the Grand Hyatt Hotel in New York City, where subject-matter experts from Broadridge, KPMG, Marsh & McLennan Cos., and PwC and corporate leaders explored the boardroom implications of geopolitical and economic disruption.
Illustrating the boardroom perspective on the impacts of economic and geopolitical disruption on corporate strategy.
In his remarks on economic disruption, Peterson Institute for International Economics Visiting Fellow and International Capital Strategies Executive Chair Douglas Rediker examined the changing face of global competitive markets. Governments around the world are increasingly involved in market activities and are more likely to champion domestic businesses or businesses based in countries with which they have trade agreements. This situation creates a business environment in which companies seeking to expand must assess a foreign country’s protected business sectors in order to fully evaluate the endemic risks and opportunities.
Taking a geopolitical perspective, UBS Executive Director and Head of U.S. Country Risk Dan A. Alamariu considered the ripple effects of government regulation, using a case example of the sanctions recently imposed by the US and EU on Russia. Though these measures did diminish the buying power of the ruble, the sanctions also hurt Western companies operating in Russia because consumers could no longer afford to purchase foreign goods. He cited other examples as well. In its efforts to recover from the financial crisis, the Chinese government has recently implemented a number of economic reforms. While these reforms may succeed in re-establishing China as an “engine of growth,” the infighting that they have triggered among political elites could ultimately dampen growth and set the country on an uncertain course. Closer to home, persistent gridlock in the US government is preventing needed progress on issues critical to the business community, such as tax policy and infrastructure.
Both speakers alluded to the fact that as countries become more divided and inwardly focused—both internally and with respect to international relations—developing collective approaches to major transnational issues such as climate change and cyberattacks will become more challenging. Companies will therefore need to devise their own strategies for addressing these challenges.
Economic and geopolitical disruptors are inextricably linked, and the three main takeaways from both sessions are as follows:
Embrace risk—you may discover opportunities. Directors need to start thinking like emerging markets investors. In other words, they should get comfortable working in a business environment that is volatile and unpredictable. This breed of investor has historically been focused on domestic, regional, and international political and economic risks. Because technology has created a world that is deeply interconnected, investors must proactively cultivate an understanding of geo-economic risks. By extension, it is also important to recognize technology as a major disruptive force that will continue to impact companies across all sectors. For example, tablet devices have completely changed not only how people communicate and access multimedia content but also how companies conduct business. By embracing disruptive technology, companies can in turn create the caliber of differentiated products that will transform the marketplace.
Be prepared. This ageless scouting motto is especially relevant to anyone managing or overseeing a company. Businesses the world over are more interconnected than ever before, which forces companies to compete across national borders and exposes them to international political and economic risks. Boards need to consider the ultimate “black swan” events that could affect their companies. By extension, directors need to be mathematically literate—if they are not already. Black-swan events include natural disasters, such as Hurricane Sandy, which incapacitated businesses in our nation’s financial epicenter; political events, such as the outbreak of war; economic unpredictability; and technological innovation, which we have seen from the automobile to the iPad. Having a by-the-numbers plan for how the company could behave in specific scenarios will create a comprehensive understanding of the risks the business faces. Because it’s impossible to completely protect a company, it is essential to create resiliency. The board must therefore ensure that incident response plans are in place and must routinely test those response plans to confirm that they meet the company’s evolving needs.
Beware of “herd mentality.” Directors need to periodically review the current board composition, and if there are gaps in the board’s collective knowledge that may prevent it from assessing areas of risk, it may be in the board’s best interests to bring in a third-party expert to help inform boardroom discussions. This is especially true of cyber risk. Many boards are still struggling to comprehend the depth and breadth of these threats, and because it’s neither possible nor desirable for every board to have a cyber expert in its ranks, it is imperative to bring in outside sources to inform and educate directors and management.
Look for full coverage of this NACD Directorship 2020 session in the May/June 2015 issue of NACD Directorship magazine.