One of Steve Jobs’ last initiatives before his death in October 2011 was a personal pitch to the Cupertino City Council of his vision for a state-of-the-art research and development facility shaped like a spaceship, an integrated 21st century campus surrounded by green space, designed with a commitment to energy efficiency, environmental sustainability, and generous amenities for employees. The updated plans in December 2011 stated: “This new development will provide a serene and secure environment reflecting Apple’s values of innovation, ease of use and beauty.”
About the same time these new campus plans were being developed, Apple was linked with a very different work environment—that of Foxconn Technology Group, the biggest maker of Apple iPhones and iPads. A workers’ rights controversy at Foxconn had dogged both companies for a few years due to worker suicides and factory explosions. Photos of Foxconn’s dormitories and factories at the time show netting outside the windows to catch suicide-jumpers—an image clearly not aligned with a “serene and secure environment reflecting Apple’s values.”
As Bloomberg journalist Tom Randall noted in “Inside Apple’s Foxconn Factories,” “the relationship between the two companies shows how the reputation of global brands is increasingly tethered to the emerging-market companies they do business with.” This is especially true when it comes to the place where the work is done, whether it’s at an address controlled by the corporation or one of its suppliers.
Following the suicides, Apple published a set of standards spelling out how factory workers should be treated and it also moved some of its production work. It’s a continuous process. As Apple noted in response to a December 2014 BBC Panorama News program about Apple’s ongoing challenge to protect Chinese factory workers, Apple stated: “We are aware of no other company doing as much as Apple to ensure fair and safe working conditions. We work with suppliers to address shortfalls, and we see continuous and significant improvement, but we know our work is never done.”
Where the work gets done—planning, making, selling, and servicing the company’s core bundle of products and services—is the workplace. It can be physical space the company owns or leases; it can be cyberspace, where work is done from anywhere, anytime; and, as noted above, it can also be the physical space used by key vendors to whom various stages of the work have been outsourced. It is often a large asset: in 2014, AT&T’s domestic real estate portfolio was 240 million square feet while RadioShack had 4,400 company retail outlets before it declared Chapter 11 bankruptcy in February 2015. In addition, investment in the workplace can approach that of labor and information technology, yet boards often pay little attention to it until there is a crisis.
The workplace is changing, as seen in Harvard Business Review’s October 2014 cover story, “Why we Hate Our Offices and How to Build a Workspace We Can Love,” devoting three articles on 21st century workspaces and the impacts of technology and culture on how and where we work, how we feel about our workspace, and how it impacts our productivity.
Two industry thought leaders described workplace strategy (WPS) more than a decade ago as “a bundle of occupancy, connectivity, and support services to enable those who do the work to get it done.” Michael Joroff from MIT and Michael Bell of the Gartner Group wrote then: “In this definition, all activities are designed to help the workforce accomplish its mission in physical space and cyberspace.”
Directors need to understand the risks to the business if there is no WPS or if the latter is not aligned with enterprise priorities and opportunities. WPS needs to be agile enough to keep pace with ever-changing business requirements and risks. Here are questions directors can ask senior management:
Does the company have a WPS? The fact that a company leases or owns real estate and facilities does not mean it has a strategy. WPS requires an analysis of the supply of and demand for space wherever work is done throughout the enterprise and across divisions, departments, subsidiaries and state, national, and international boundaries, combined with plans to address the gaps or oversupply of space consistent with enterprise goals. The demand side of the equation is the current and forecasted hiring plans for employees and contractors. The supply side is the existing inventory of work space to accommodate that demand, with the added complexity of alternative ways of working from almost anywhere anytime.
The risks of not having a WPS include:
Wasted costs from sub-optimizing the enterprise portfolio of workplace assets. For example, owning vacant real estate with no known or forecasted demand and/or potentially securing and building out new work space for a line of business when those costs could have been avoided by using under-utilized space from another business unit
Lost sales and market share. WPS can become an obstacle to getting the product or service to the customer if workplace is not available when and where it is needed or if it is not adaptable to enable evolving work processes
Impact on talent attraction and retention. Workplace can impact employee satisfaction, especially if it is disconnected from enterprise values that commit to provide a productive and satisfying work environment or if it is in a labor market that cannot meet the business requirements for specific skills
How can WPS support enterprise goals? WPS is becoming part of big data. Collecting, maintaining, and analyzing the data requires collaboration across myriad services including finance and accounting, human resources, information technology, and data analytics, sourcing/supply chain management, real estate and facilities, sales and marketing, and operations. Which group leads WPS varies by company so a report to the board on WPS might come from any of these groups. A WPS report includes trends in the total costs of occupancy with a breakdown by subsidiary, division, or line of business, and by region and real estate asset utilization, which include trends such as vacancy, the amount of square footage, and total workplace costs allocated per employee compared to industry benchmarks.
A good WPS includes performance metrics that flow from enterprise goals. WPS tactics and metrics should support enterprise goals such as cost containment, scaling business for high-growth initiatives, enterprise risk management, corporate social responsibility, sustainability, employee satisfaction, and retention goals.
WPS has long been a part of risk management—disaster preparedness from floods and blizzards, for example—but outsourcing has expanded the risks by including the working conditions of the workplace of one’s global vendors as well as cyber-risks of the supply chain. Consider these reputational risks:
Your product is manufactured in a Bangladeshi building that collapses and kills 900 workers inside
Your point-of-sale machines are breached by attackers whose first step is the theft of credentials of one of your vendors and ends with the theft on a massive scale of your customers’ personally identifiable information and credit card and debit card data.
Part of the update to the board should include an overview of workplace-related supply chain risks. It also includes an explanation of the governance structure that specifies how WPS decisions are made, executed, reinforced, and challenged in the company–at the enterprise level? At the line of business level? Who owns and is accountable for these decisions that can have a major impact on the business?
How agile is our WPS? Business is being disrupted at an accelerating pace. Whether it’s the impact of online shopping on a brick-and-mortar retailer or a merger, acquisition, or disposition of a business unit, directors should consider if the company’s WPS is flexible to enable a rapid response to sudden, unexpected risks and opportunities. Real estate is illiquid. There are ways to make a workplace more agile, but flexibility comes at a cost premium. The premium may be worth it compared to the impact to the business of not having space when you need it or of locating in a “low cost” place where the company cannot hire enough people qualified to meet the business requirements, or being stuck with millions of square feet of vacant space that can only be disposed of at pennies on the dollar. Service providers can help identify risks in the enterprise workplace portfolio and ways to mitigate these risks that align with your company’s goals and needs for agility.
Strategic questions to ask about WPS include:
How much are we spending on Workplace and how much should we spend?
How agile does our Workplace need to be given our competitive environment?
Does our Workplace reflect the values and strategy of the enterprise and align with corporate goals?
How do we know if the Workplace of our key suppliers aligns with our WPS and enterprise values?
A Reflection of Culture
The workplace is a reflection of corporate values and priorities. A headquarters campus, a retail store, a manufacturing plant, a call center, and the cleanliness and safety of an amusement park are all reflections of the culture, personality, and values of the founder or CEO. Office or facilities space is an indicator of the attention paid from the top down to where and how the work of the company gets done.
Here’s a thought experiment:
Recall Merrill Lynch CEO John Thain’s $1.2 Million office renovation in 2008. Because his private office sported luxury items that included a $38,000 commode and $87,000 rug, the CEO’s workplace became an embarrassing emblem of banking industry excess as global financial markets were crashing. The workplace renovation caused so much negative publicity that Thain soon agreed to pay back the shareholders
Now, think of your boardroom as the workplace of your board.
What does your board workplace convey about corporate values to your stakeholders?
Is the board’s workplace aligned with the priorities of the enterprise?
What do you know about the workplace of your key suppliers?
To go back to the example of Apple’s supply chain and the implications for a workplace, a March 27, 2015 article by Eric Pfenner in TheWall Street Journal hints at another way to outsource that has the potential to change the discussion about workplace. In “Japanese Robot Maker Fanuc& Reveals Some of Its Secrets—Company helps make iPhones and Teslas”, Pfenner reported that Fanuc’s giant Robodrill machine tools are used to help shape the aluminum cases for smartphones from Apple, Xiaomi, and other brands.
The efficiency of Fanuc’s robots is breathtaking. “One 86,000 square foot factory in Oshino, making industrial robots, is staffed by only four people at a time,” Pfenner writes. “In another factory, robots can assemble an industrial motor in 40 seconds.” As more industries accelerate the automation of work processes, reputation risk shifts from workplace conditions to workforce and impact on jobs. What WPS most closely aligns with your company’s goals and values?
In today’s evolving world of off-shoring, on-shoring, near-shoring, and right-sourcing, executives and the board would do well to think about the workplace as that bundle of occupancy, connectivity, and support services that enable those who do the work to get it done efficiently and effectively—wherever, whenever, however and-increasingly-whoever is doing the work on behalf of the company—and oversee that their company’s WPS enables enterprise goals and reflects the company’s values.
Margaret Latshaw’s experience includes seven years as an officer at Bank of America and at H&R Block and 10 years as a director on the board of a private real estate company. She is an advisory board member of the real estate center at the University of Missouri-Kansas City and an NACD Fellow since 2013. She currently advises on corporate real estate and business strategy. Contact her at email@example.com.
While risk oversight has always been an important part of the board’s agenda, the disruptive financial crisis taught everyone a lesson about just how important it is. The risk oversight playbook has evolved over recent years, during which many boards took a hard look at their membership, how they operate, and whether their operations and the information to which they have access are conducive to effective risk oversight.
In addition, regulators have taken an active interest in the board’s oversight of risk. For example, the U.S. Securities and Exchange Commission requires that proxy disclosures shine a spotlight on the board’s role in overseeing the company’s risk management process, the directors’ qualifications to understand the entity’s risks, and the board’s compensation committee’s evaluation of the entity’s various compensation arrangements to ensure that they are not encouraging the undertaking of excessive, unacceptable risks.
In 2009, the National Association of Corporate Directors (NACD) published its Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward. This report recommends 10 principles to assist boards in strengthening their oversight of the company’s risk management. According to the report, “these principles provide a foundation that boards can use to build a more comprehensive risk oversight system tailored to the specific needs of their respective companies.” Further, these principles provide an outstanding framework for a board to use when evaluating its current risk oversight process. Directors should use these 10 timeless principles to assess their board’s process and ascertain whether the process needs refreshment or redirection.
1. Understand the company’s key drivers of success. Understanding the business and industry, what drives value creation, how the business model works, and the critical issues affecting the company lays a vital foundation to an effective risk oversight process. Accordingly, directors must remain abreast of these matters and there must be processes in place to help them in this regard.
2. Assess the risks in the company’s strategy. This principle and the one before it are interrelated as they both focus on understanding the corporate strategy and the risks inherent in the strategy. This understanding provides a context for separating out the everyday, ongoing risks of managing the business to identify the risks that truly matter: the critical enterprise risks that threaten the execution of the company’s strategy and business model.
It is vital that directors understand the risks inherent in the business model, including the key assumptions underlying the continued viability of the business model, and agree with executive management on the company’s risk appetite in the pursuit of enterprise value creation.
3. Define the role of the full board and its standing committees with regard to risk oversight. This principle is important for directors to focus on as they collaborate in clarifying risk oversight responsibilities for the full board and the various standing committees. The NACD Blue Ribbon Commission (BRC) asserts that, “as a general rule, the full board should have primary responsibility for risk oversight, with the board’s standing committees supporting the risks inherent in their respective areas of oversight.”
At Protiviti, our experience is that the vast majority of directors agree with this general rule, as it mirrors the full board’s responsibility for strategy. It also recognizes that there are always outliers due to unique circumstances. Finally, the BRC points to the importance of distinguishing management’s responsibilities from the board’s.
4. Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources. Risk is often an afterthought to strategy, and risk management is an appendage or “side activity” to performance management. This principle addresses such issues as positioning the chief risk officer or an equivalent executive to effectively support the board’s oversight efforts. It looks beyond mere risk identification to consider the adequacy of other dimensions of managing risk, including sourcing, measuring, mitigating and monitoring risk through appropriate policies, processes, people, reporting, methodologies, and systems and data.
5. Work with management to understand and agree on the types of risk information the board requires. This principle remains a common issue for many boards. At Protiviti, we often hear directors complaining of being overwhelmed with reports or too many agenda topics while being underwhelmed with insightful information for decision-making. Directors suffering from information overload require sharper focus on actionable information. Whether or not there is reliance on quantitative models, reporting should provide different perspectives on a given risk.
To focus the risk oversight dialogue, the NACD BRC introduces five categories of risks facing each board
Critical enterprise risks (as discussed above)
Business management risks (i.e., the normal ongoing risks)
Emerging risks and nontraditional risks (e.g., climate change, slowdown in foreign markets, disruptive technological innovation)
These categories are useful, as the critical enterprise risks and emerging risks should capture most of the board’s attention, whereas the business management risks should be addressed through periodic status reporting and escalation of significant issues.
6. Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions. This principle addresses the need for constructive engagement between boards and management on risk matters. The principle’s reference to challenging assumptions is especially important in light of the financial crisis, after which many have questioned whether boards really understood the key variables driving an institution’s success and exposing it to failure, as well as the sensitivity of those variables to changes in the market. When an organization is making a lot of money, directors need to understand the risks undertaken to achieve success, rather than simply applauding as management breaks out the champagne.
7. Closely monitor the potential risks to the company’s culture and its incentive structure. This principle also points to another lesson of the financial crisis: a company’s culture and incentive compensation structure can potentially impact behaviors, decisions, and attitudes toward taking and managing risk.
Culture and incentives form the glue that binds all elements of the risk management infrastructure together, because they reflect the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operating processes. In effect, they represent a look into the soul of an organization to ascertain whether risk-reward trade-offs really matter to its leaders.
One of the significant lessons of the financial crisis is the danger of “heads I win, tails you lose” compensation structures for executives whose behaviors can expose the organization to significant risks well beyond the level of risk the board might consider acceptable.
8. Monitor critical alignments of strategy, risk, controls, compliance, incentives and people. This principle speaks to the importance of aligning critical elements to get everyone and everything—people, processes and the organization—on the same page. Without alignment, there is likely to be a disconnect between a company’s strategy and its execution, and a disconnect can be costly as well as risky. Nevertheless, alignment is hard for management to achieve—and even more challenging for directors to oversee.
9. Consider emerging and interrelated risks: What’s around the next corner? Emerging risks deal with issues that are not on management’s radar currently. They require an anticipatory and forward-looking focus. The worst kind of uncertainty is being unaware of what we don’t know; while senior managers have knowledge from internal and external sources, do they really understand what they don’t know?
The fundamental question raised by this principle is an inquiry as to whether management looks out far enough, is monitoring what matters in the external environment and devotes sufficient time to “connecting the dots.” Sooner or later, something fundamental in the organization’s business will change. And when disruptive change occurs, a company’s risk profile is likely to be altered in significant ways. Therefore, directors need to know that management devotes sufficient time to thinking about the unthinkable and response readiness preparation, as both are key to a world-class reaction.
10. Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives? The last principle advocates applying the best practice of periodic board self-evaluations to the risk oversight process.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Has the board articulated its risk oversight objectives? Are those objectives incorporated into the board’s charter?
Has the board evaluated the effectiveness of its processes in achieving its risk oversight objectives? If so, has the board considered the NACD BRC’s 10 principles of effective risk oversight in evaluating its risk oversight processes?
Is the board proactively taking steps to address any gaps that impede its risk oversight effectiveness?
Each year I find myself declaring that the profession of directorship has become more challenging than it was in the previous year. I believe we’ve now reached the point where we should recognize this escalation as the status quo, not an annual anomaly. The Securities and Exchange Commission’s director qualification disclosure requirements, the advent of proxy access, and the increasingly public role of shareholder activists have contributed to a business environment in which directors’ qualifications and performance are continually scrutinized.
NACD’s mission is to help directors lead with confidence—and to foster stakeholders’ confidence in their directors’ ability to effectively serve their companies. I’d like to highlight three critical issues that we believe directors—of all company types—should focus on during the year ahead.
1. Director Awareness
The dramatic slowdown in China’s economy, plummeting oil prices, recent terrorist activities, and the rise of the digital economy have put a fine point on the need for directors to be aware of disruptors that may cause a drastic change in sea conditions for their organizations.
No one can be expected to anticipate every potential disruption. (Who could have seen Uber idling around the corner?) But foresight comes down to one deceptively simple practice: asking the right questions. Are board members exploring the possible impacts of a terrorist act on the company’s supply chain, investigating their organization’s vulnerability to a cyber attack, or considering new competitors that can bring products to market faster than ever before and with nominal investment? Throughout 2016 our NACD Directorship 2020 initiative will continue to focus on disruptive forces, putting a spotlight on the issues that may affect your companies in the years to come.
It goes without saying that activist investors have gotten our attention. A record-setting 355 activist campaigns were announced in 2015, including 33 against Fortune 500 companies. Last year was also a record year in terms of activist campaigns resulting in board seats—127 resulted in at least one board seat for the activist or the activist’s appointee. Our own annual survey of public-company directors found that 20 percent of respondents’ boards were approached by an activist investor in the past year. But nearlyhalf of respondents reported that they are unprepared for an activist challenge.
Activists aren’t practicing black magic; they are performing effective due diligence and smart analytics on their holdings. Boards need to think like activists and anticipate the issues these investors may raise. Do your company’s metrics fall outside industry norms? Does your board composition have any perceived weaknesses? Do you engage with management about the assumptions that undergird your company’s strategy? In 2016, NACD will continue to provide resources that can help your boards to anticipate—and respond to—emerging issues.
M&A activity reached record levels in 2015. Given this phenomenon, it’s more critical than ever that boards understand their role in M&A. We believe it boils down to readiness and oversight.
At any given time, directors may need to consider either the sale of their own company or the purchase of another company. The board must carefully weigh all opportunities to buy or sell as part of its routine corporate oversight. Be on the lookout for NACD’s new M&A Board Resource Center, which will be available later this quarter. The center will serve as a one-stop shop to help boards participate effectively in the evaluation of proposed M&A transactions.
NACD Cyber Summit
On a final note, I’d like to call your attention to the 2016 NACD Cyber Summit, which will be held on June 15 in Chicago. With Congress now considering passage of a bill that would require companies to publicly identify the “cybersecurity experts” on their boards, scrutiny of the board’s role in cybersecurity oversight has never been greater. This year’s Cyber Summit will equip directors and management with the tools they need to foster cyber resiliency and confidently oversee cyber-risk management.
If you would like to receive additional resources on the three issues mentioned above or more information about the Cyber Summit, I encourage you to contact your dedicated NACD Concierge. If you have not yet had a chance to meet the concierge assigned to you, give us a call at 202-775-0509, and we’ll connect you.
Thank you for being an NACD member. I wish you a successful year ahead.