Last month when NACD joined the Global Network of Director Institutes (GNDI) to convene a “cyber summit,” the 200-seat event filled quickly with the key to the future: people—namely directors, chief executives, and information executives empowered to build corporate value and form a powerful bulwark against information destruction.
As information technology – including especially cyber security – rises as a board-level priority, the solution for addressing it is talent. Not every board can have a cyber expert, but today directors are all the more eager to hear from IT executives, and to consider them for ever-higher posts of company leadership. Chief technology officers, chief information officers, and chief information security officers form a “cyber-C-suite” that can make a critical difference in companies’ futures.
Every year NACD surveys corporate directors to find out their views on a number of issues, including their “leading issues” for the coming year. NACD’s governance surveys are still in the field, but preliminary data from this year’s survey shows that information technology currently ranks 14th as a board priority; and a newly added category, “cyber security risk,” currently ranks seventh. Information technology ranked tenth in 2014 and thirteenth in 2013.
The NACD’s current survey results also show that boards are gaining more cyber knowledge. Based on responses received so far this year, 37.1 percent of respondents feel that they do not receive enough information regarding cyber security and IT risk, and 27.7 percent are dissatisfied or very dissatisfied with the quality of information of these matters. This represents an improvement in the situation. In 2014, when this was a new survey question, more than half (52.1 percent) indicated a shortage of information and a little more than one-third (35.5 percent) expressed dissatisfaction with cyber information quality.
Moreover, in NACD’s ongoing survey, 13.0 percent of respondents said their boards have “high level of knowledge” of cyber, 66.6 percent said they had “some knowledge, and 19.7 percent said they “little knowledge.” (Incidence of “no knowledge” was less than 1 percent.) These preliminary findings represent a slight improvement over last year, when only 10.5 percent of respondents claimed advanced knowledge.
Cyber Expert on Board?
So how do boards get cyber expertise? Is having an expert on board the answer? Not every board has room. After all, boards need to cover many areas of expertise with their available seats, and the typical board size is smaller than a dozen (8-11 is the range, depending on company size).
To get a handle on board talent recruitment, we asked directors what two attributes were most desirable for new director candidates to possess. The data collected thus far for the 2015 edition of the NACD Public Company Governance Survey shows that information technology ranked fifth, up from eighth in 2014 and up from ninth in 2013.
Preliminary survey findings – subject to change
Dos and Don’ts for Board Reports
Clearly based on the above trends, information technology experts have an open invitation to give reports to the board – an experience that can enhance any career.
If you are an information technology expert who has an opportunity to give a report at a board meeting, here are five imperatives to consider.
Use plain English, not jargon. Present your material in clear, actionable terms.
Help the board understand the quality of leadership. This is not a time to stand out as a company savior; if the CEO is not the smartest one in the room, the company has a problem. As the recent cyber summit showed, cyber security should be viewed not as a technological issue, but as an enterprise risk that is addressed like all other risks disclosed in the MD&A. As such, the CEO is the star of this show.
Link your comments to the company’s strategy – the more concretely the better. If you work for a public company, one of the best places to find the strategy spelled out will be in the CEO’s annual letter to shareholders. As stated in a recent NACD blog, the CIO—and/or or CISO or CTO—can play a significant a role in strategy and tactical decisions.
Help the board prioritize the assets that can be enhanced through IT and protected through cyber security. Companies need to assess their most valuable and vulnerable points, including the potential strengths and weaknesses of third-party contractors.
Show them the money! Working with your CEO and CFO, take any opportunity offered to make the business case for a strong IT function. IT and cyber expenditures may not show up on the balance sheet as assets but they are in fact investments in the company’s future and a major contributor to financial value.
If you follow these suggestions, your company, and your career, will be the better for it!
Note: Ted Sikora, NACD Research Analyst, contributed to this report.
Innovative technology can be a differentiator as well as a disruptor in today’s marketplace. Technological advancements are rapidly compressing the half-life of business models and industries that historically have not been viewed as dependent on technology are now being transformed by it and their business models can no longer function without these latest advancements. Consider Uber. The ability to book, track, and pay for a cab from a mobile device significantly differentiated this business from traditional taxi services. The bottom line is that technology is no longer a mere enabler.
At Protiviti, we often receive feedback from directors stating they do not have a sufficient understanding of the information technology (IT) risks facing their organizations. Furthermore, according to the 2014−2015 NACD Public Company Governance Survey, IT was the area with the least amount of satisfaction in terms of both quality and quantity of information received from management.
The board needs to understand IT as a critical enterprise asset, and the opportunities and risks associated with it must be communicated in a manner directors can understand. Directors instinctively know IT risks have increased in significance. Social business, cloud computing, mobile technologies and other developments offer significant opportunities for creating cost-effective business models and enhancing customer experiences. They also may spawn disruptive change, increased privacy and security risks, and further exposure to cyberattacks.
These changes present fresh challenges that create a moving target for companies to manage. While the velocity of disruptive innovation through emerging technologies is not as immediate as a sudden catastrophic event, its persistence of impact is potentially lethal for organizations caught on the wrong side of the change curve.
Add to all of the above the evolving relationship between the CIO and CISO and the board (or the supervisory board in a two-tiered board structure). These dynamics sum up the environment and expectations that these executives face as they address boards now and in the future, placing their interactions with the board within a business model, strategic and/or risk context.
In many organizations, the chief information officer (CIO) and chief information security officer (CISO) brief the full board or the audit committee on the state of IT on an annual basis, if not more frequently. They can approach this briefing in three ways:
Within the context of the business. The CIO or CISO addresses how the business model leverages technology to deliver the products and services the company offers the marketplace and the opportunities and exposures resulting from disruptive change. The business context briefing answers questions such as:
Do we understand potentially disruptive technologies at an industry level? Are we ahead of the curve to the extent that we are able to integrate new technologies into the business on a timely basis?
Are emerging technologies being deployed effectively to achieve our business objectives (e.g., achieve customer loyalty, improve quality, compress time, reduce costs and risks, and drive innovation)?
Are we positioning the company’s operations to anticipate and proactively drive the innovative change needed to secure sustainable competitive advantage?
What emerging technologies could alter the competitive landscape, customer expectations, and strategic supplier and/or distribution channel relationships within the value chain in which we operate? To what extent are our operations and currently deployed technologies exposed to disruptive change?
Are there aspects of our technological capabilities that we should be sharing with analysts, shareholders, and the general public? If so, are we sharing them? If not, why not?
Within the context of executing the strategy. The CIO or CISO articulates how strategic initiatives are driven by critical technologies and how the organization is facilitating the design and implementation of controls over these various technologies to ensure they perform effectively. The strategic execution context briefing answers questions such as:
What technologies are critical to implementing our strategic initiatives (e.g., growth, profitability enhancement, innovation, and process improvement)?
How are we ensuring that these technologies are functioning effectively?
How is the IT department collaborating with other functional units and the lines of business to ensure that an appropriate return on the organization’s investment in these technologies is being realized?
What challenges are we encountering in implementing these technologies to execute our strategy? What is the potential impact of these challenges on the success of our strategic initiatives?
Do we have the reliable and timely information and data we need to execute strategic initiatives?
Within the context of mitigating risks. The CIO or CISO uses a broader business view to identify specific risks that either may be a result of technology or are mitigated partly through the application of technology. The risk mitigation context briefing answers questions such as:
What are the most significant risks arising from IT, and how do they affect the business, including its reputation and brand image? Have we assessed our tolerance for these risks?
Are we mitigating the critical risks to an acceptable level? How do we know?
What critical business risks are we mitigating using a risk response that relies upon an important technology component? Is this technology component performing effectively? How do we know?
The objective is to provide a briefing on IT matters that resonate with directors across all of the above contexts:
The business context: Are we managing disruptive change?
The strategic context: Are we maximizing value contributed and return on investment?
The risk mitigation context: Are we managing the business and reputational impact of our risks?
Two principles underpin this discussion: (1) business objectives are also IT objectives, and (2) IT risks represent business risks. Using these principles, the above contextual perspectives provide insights to CIOs as to how they should communicate with boards and to board members as to the information they should expect from CIOs.
Citing and then speaking to the above contexts in a crisp, nontechnical manner can facilitate an ongoing board dialogue. In this regard, the CIO or CISO should:
Demonstrate an understanding of the business. Using the appropriate context, drill down to the relevant IT-related objectives, plans for achieving objectives, organizational capabilities to execute plans, and measures by which to gauge progress. In today’s world, technology can facilitate and expedite business transformation and growth through technological innovation (the business context), but it also can destroy reputations if not adequately protected and controlled (the risk mitigation context). Board members should be counseled on both of these interrelated contexts.
Focus on the board’s needs. The board has little interest in the intricacies of how the CIO or CISO organization is run and managed. Don’t go there unless requested.
Address business impact and metrics, not just IT impact and metrics. Provide an end-to-end view and focus on business consequences. For example, consider the following metric: “99 percent of our systems are patched within 10 days.” This metric leaves unaddressed the question as to the sensitivity of the data and/or business consequences of service failure of the other 1 percent of systems.
Target the audience. Understand the purpose of the briefing. Ask the board committee chair for direction. Ask people who have presented to the board for insight as to the background and personalities of the various directors.
Keep it pithy. Identify the key message points directors should take away, and focus on supporting those points. Share sophisticated knowledge judiciously. Allow time for questions. Expect to be asked to expedite your briefing if it is scheduled late in the day.
Boards need to clarify their expectations of the CIO and CISO. What are the directors’ needs, what do they not understand, and what IT issues and related business risks concern them the most? More important, what context(s) do directors want these executives to address when presenting on IT matters? In addition, directors need to be realistic with their expectations of CIOs and CISOs due to the natural complexity of IT. Accordingly, the allotted presentation time should be commensurate with directors’ expectations of the briefing.
Questions for Boards
Below are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Is the strategy-setting process influenced by the opportunities presented by technology and the potential to lead and/or respond to disruptive change? Alternatively, is technology narrowly viewed as a strategic enabler?
Does the board devote sufficient time to IT matters, including related opportunities and risks, as well as the organization’s capabilities and processes in managing those opportunities and risks?
Is the board satisfied with the CIO’s periodic communications? If not, has the board conveyed its expectations to the CIO so that future communications are on point?
Is the CIO organization effective in supporting the changing needs of the business and monitoring technology innovations, including how new technology can be deployed by competitors (or employees) to create disruptive change? Does the CIO assist the board in understanding these issues?
Given growth in the number of cyber threats confronting organizations, does the board have an active dialogue with the CISO on incident response preparedness?
For significant IT projects, does the board understand the underlying assumptions about how each project achieves strategic goals, as well as how success will be measured? Is there follow-up to ensure that each significant project delivers on promises made?
Compensation committees sometimes feel challenged by the task of setting targets for annual goals. Not only do they have to address the upside potential and downside risk in the company’s business plan, but also other factors that include external headwinds and tailwinds associated with macroeconomic factors, competitive opportunities and threats, technological disruptions, and regulatory changes. That said, the task of setting annual targets can become quite complex.
The greater challenge may be setting the range of payouts around target, especially payouts at threshold and maximum levels. The threshold defines what level of performance warrants any payout at all while the maximum defines what level of performance is exceptional. Neither level is easy to set by using a formula, yet they are arguably even more important than the target. This raises the question: What is the best way to set those numbers?
Compensation committees are often tempted to follow conventional wisdom and follow how other companies, especially peers, have traditionally structured their payouts, using either a symmetric payout curve, or a payout curve with equal ranges above and below target. Two practices are common: using 90 percent of target for threshold and 110 percent of target for maximum or using 80 percent of target for threshold and 120 percent of target for maximum. Executives then usually get 50 percent of their target bonuses if they achieve the lower level and 150 or 200 percent if they achieve the higher one. A cap of 200 percent helps compensation committees avoid encouraging unacceptable risk-taking and paying too much for windfalls.
Because thresholds and maximum payout levels need to take into account many factors, particularly the relative predictability and volatility of performance outcomes as well as investor expectations, compensation committees need to move beyond conventional practices. They should instead use analyses that are tailored to their company.
For example, consider the case of a branded food company with stable revenues. This company has launched several high-growth, albeit unproven, initiatives to develop innovative products in new categories in addition to expanding geographically. For years, executives have delivered predictable results which were rewarded by payouts fitting a narrow symmetric payout curve, one with a 95 percent threshold and 105 percent maximum. (See Figure 1.) As a result, the compensation committee considers whether, and how, to adjust the range in light of the shift to a strategy with less predictable outcomes.
To arrive at an answer, the compensation committee can ask two sets of questions. The first set focuses on the top-down questions on how the company needs to perform overall.
What do Wall Street analysts expect? The answer can vary from most bullish to most bearish.
What performance levels have their peers delivered in the last three to five years? To find this answer, the branded food company looks at peer performance at the 25th, median, and 75th percentile performance levels.
What has been the company’s own historical performance? Recent performance serves as a yardstick for defining the minimum acceptable performance levels while historic highs are a reference for outstanding performance levels.
Do the growth initiatives yield returns that exceed the company’s return-on- investment requirements? The answer indicates whether the anticipated initiatives have adequate payback.
Does the range of payouts result in a fair sharing of gains between executives and shareholders? This defines what is equitable to shareholders.
The second set of questions focus on what managers in each business unit believe they can deliver. Managers’ answers depend on budgets that take into account a range of possible scenarios from the most optimistic to the most pessimistic, reflecting the managers’ own actions as well as the external headwinds and tailwinds that buffet their businesses. The compensation committee can use can use internal (e.g., the best the unit has done in the past) or external (e.g., best-in-class among peers or industry in general)
In the case of the branded food company, executives and directors are able to glean four things from their analyses:
The opportunities for growth are higher, but the risks of failure are greater.
The company’s targets pass the litmus tests of exceeding historical and competitor levels, and also satisfy the range of expectations of Wall Street analysts.
The growth initiatives yield a range of potential upside outcomes that exceed historical highs, while downside risks, though greater than the past, are acceptable.
The target level of growth surpasses the return-on-investment hurdles for new investment.
Based on the above, the company’s compensation committee chooses to widen the performance range. It tentatively resets the threshold payout to 90 percent and maximum payout to115 percent. (See Figure 2.) This change is in keeping with the intention to pursue a more aggressive growth strategy, one that has much more upside yet poses increased uncertainty. The committee’s choice assures that the company delivers on analyst expectations, remains competitive with peers, fits the realistic performance of the business units, and ensures the 90 percent threshold figure exceeds the previous year’s results.
As a final check, directors test payouts to ensure that executives and shareholders equitably share in gains as performance improves. The committee looks at the ratio of the aggregate bonus payouts to the company’s pre-tax, pre-bonus profit. It also checks the incremental bonus spend to each incremental dollar of pre-tax, pre-bonus profit. It finds the average spend of profit is 5 percent to 8 percent, the incremental spend, 20 percent to 30 percent. Both are reasonable based on competitive data.
Other companies might come to very different conclusions by conducting their own analyses in setting threshold and maximum levels. For example, those businesses facing more turbulent business environments, those with unsophisticated planning processes, and those with less predictable results because they are highly susceptible to external factors, or are less mature, would probably have wider ranges. In any case, through a detailed analysis that asks both the top-down and bottom-up questions, boards can gain the confidence to move beyond conventional wisdom to reasoned alternatives they can explain to both executives and inquisitive investors.
The more volatile the economic and business background, the more likely a board will set a wider range for threshold and maximum percentages. Even so, the “average” company in an “average” year will set percentages using certain guidelines.
Guidelines for Threshold Payouts
Set at the lower end of a company’s peer-performance range (25th percentile)
Set at the lower end of analyst expectations.
Set above the previous year’s results.
Set high enough to create some modest value for shareholders.
Set at a point on the performance curve where executives have a 90-percent chance of triggering the minimum payout.
Guidelines for Maximum Payouts
Set at the top end of peer performance (75th percentile).
Set at the top end of analyst expectations.
Set in line with record-level company performance as is appropriate.
Set at a level that will create significant value for shareholders compared to peer and historical performance.
Set at a point where executives have only a 10 percent chance of hitting the maximum.
An executive compensation consultant since 1991, Blair Jones currently serves as a managing director of Semler Brossy Consulting Group. She has worked extensively across a variety of industries and has particular depth of expertise working with companies in transitional stages. She may be contacted at email@example.com. Seymour Burchman is a managing director of Semler Brossy Compensation Group and has been an executive compensation consultant for over 20 years. His work focuses on reinforcing key strategies and leading to improved shareholder value through the identification of performance measures and goal setting processes. He may be contacted at firstname.lastname@example.org.