Is your board ready if the company receives a so-called godfather offer—an offer so strong it cannot be ignored—to purchase the company? Could social conflicts within the company be the undoing of an M&A deal that would benefit shareholders? Panelists at a recent NACD Carolinas Chapter program shared insights on board readiness, lessons learned, and the current state of the M&A market.
The Godfather Offer at Piedmont Natural Gas
According to Tom Skains, former chair and CEO of Piedmont Natural Gas Company, and director of Duke Energy Corp., directors should remember two critical points about the possibility for M&A activity at their companies:
Always be prepared for the unexpected.
Everything is for sale at the right price.
In the case of Piedmont, Skains was aware of industry consolidation and how Piedmont performance compared to peers. However, given the company’s stock price in 2015, he believed Piedmont would be among the last in the industry to be an acquisition target. Nonetheless, after two major companies in the field merged in what became the catalyst for Piedmont, the company was courted by two potential suitors, with offers as much as 50 percent over the company’s trading value. Within two months, Duke Energy purchased Piedmont for $4.9 billion.
How was the deal wrapped so quickly? Skains shared the formula for success.
Appoint a deal lead and keep flawless records. Skains was the chief negotiator, and only a small group knew about the potential deal. Skains kept a log of his conversations and reviewed the log at the end of each day with his general counsel.
Be transparent with the board. The board was fully informed. In fact, Skains updated the lead independent director each day. Regular executive sessions of the board were held.
Deploy good deal hygiene. The official record was the board minutes, and no note taking was permitted. No errant emails or texts were allowed.
The deal also was able to move with greater speed because conflicts were removed from the equation. In fact, to avoid awkward social challenges between the acquiring company and the target, the potential roles of Piedmont leadership were removed as considerations until the deal was done.
Navigating Social Issues in a Merger of Equals
Walter Wilkinson, founder and general partner of Kitty Hawk Capital, and lead independent director for QORVO, emphasized that many deals never get done because of social issues—that is, the future of a merging company’s management team or its directors. He shared his experience as a board chair during a nine-month merger process involving two semiconductor companies.
Social issues arose involving both CEOs, and then to which CFO would take become the CFO for the consolidated company’s new CEO. Also, four board members from each company board ultimately had seats on the consolidated board, but information had to be limited so those who were exiting would not have personal concerns during the negotiations. Eventually the merger was successful, but it is worth noting that social dynamics took time to resolve.
Tim Wielechowski, managing director in the Mergers & Acquisitions Group at Wells Fargo Securities, shared a bright picture of the M&A market:
Despite the fact that M&A activity was slightly down in 2016 from a record year in 2015, the M&A market continues to be healthy and robust. In 2017, volume year to date has surpassed last year’s volume for the same time period. Valuations remain high.
Private equity participation has been increasing, competing with strategic buyers.
It is common for deals to be over-equitized in order to get them done, and 40 percent equity contribution is typical.
CEO optimism is strong due to the anticipated pro-business environment.
Chris Gyves, a partner at Womble, Carlyle, Sandridge and Rice, LLP, expertly moderated the panel. NACD Carolinas would like to thank him and the panelists for sharing their experiences with attendees.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
Cyber risk, which is among the top five risks for organizations across many industries, presents a moving target. As innovative information technology (IT) transformation initiatives expand the digital footprint, they outpace the security protections companies have in place. Security and privacy internal control structures that reduce risk to an acceptable level today will inevitably become inadequate in the future—and even sooner than many may realize.
As companies continue the battle to protect their resources, boards remain concerned with the security and availability of information systems and the protection of confidential, sensitive data. Many executives think their risk tolerance is low, yet act as though it is relatively high, thus necessitating board engagement with cybersecurity.
Our research indicates that board engagement in information security matters is improving. In the spirit of further improvement, following are eight business realities directors should consider as they oversee cybersecurity risk.
1. The organization must be prepared for success. Managing cybersecurity is not just about managing the risk of bad things happening—it’s also about handling the upside of a company’s successful digital initiatives. As companies harvest new sources of value through digitization and business model innovation, the wise course is to plan for incredible success. Directors should ensure that the organization’s cybersecurity systems are resilient enough to handle that success.
2. It is highly probable that the company is already breached and doesn’t know it. The old thinking of “it’s not a matter of if a cyber risk event might occur, but more a matter of when” is dated. It’s happening—now. Boards should be concerned about the duration of significant breaches before they are finally detected.
Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Tabletop exercises alone are not sufficient to address the increasing sophistication of perpetrators. Simulations of likely attack activity should be performed periodically to ensure that defenses accurately detect breaches and that responses are timely. Boards should focus on the adequacy of the company’s playbook for responding, recovering, and resuming normal business operations after an incident. The playbook should also include responses to customers and employees to minimize reputation damage that could occur in a breach’s wake.
3. The board should focus on adverse business outcomes that must be managed. While most businesses know what their crown jewels are, they forget to focus on the business outcomes they are looking to manage when they assess security. Considering risk outcomes or scenarios leads to enterprise security solutions that are more comprehensive than those developed around specific assets and systems.
For example, if an application is deemed to be key for business processes and is exposed to sensitive data leakage, the security solution is often focused on the source application and implementation of generic security controls. But the risk of an adverse outcome extends beyond the technology perimeter. Employee users have access to data, regularly download it, and might even e-mail it, either ignoring or forgetting the business imperative to protect it. Therefore, controls over what happens to critical data assets once downloaded cannot be ignored. IT leaders must look at information security risks holistically and consider user leakage an integral part of the adverse outcomes to be managed.
4. Cyberthreats are constantly evolving. Because the nature and severity of threats in the cybersecurity environment change incessantly, protection measures must evolve to remain ahead of the threat profile. Boards should inquire as to how the organization’s existing threat management program proactively identifies and responds to new threats to cybersecurity, taking into consideration the company’s crown jewels, the business outcomes it wishes to avoid, the nature of its industry and business model, and its visibility as a potential target. Directors should also insist on an assessment of the related risks resulting from major systems changes.
5. Cybersecurity is like a game of chess, so play it that way. IT security organizations must be steps ahead of adversaries, waiting and ready with an arsenal of technology, people, processes, and prowess. The old game of sole reliance on technology to deliver an effective and sustainable security monitoring solution falls short when combating the ever-changing threats to businesses. Security functions need to change the way they deliver protective services and move far beyond initiatives to create enterprise-wide awareness of cyber risk. Accordingly, boards should expect:
– A clear articulation of the current cyber risks facing all aspects of the business;
– A summary of recent cybersecurity incidents, how they were handled, and lessons learned;
– A short-term and long-term road map outlining how the company will continue to evolve its cybersecurity capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
– Meaningful metrics that provide supporting key performance and risk indicators of successful management of top-priority cyber risks.
6. Cybersecurity must extend beyond the four walls. Notable gaps in knowledge of vendors’ data security management programs and procedures currently exist between top-performing organizations and other companies—particularly in areas that might stand between an organization’s crown jewels and cyberattackers. As companies look upstream to vendors and suppliers (including second tier and third tier), and downstream to channel partners and customers, they are likely to find sources of vulnerability. Directors should expect management to collaborate with third parties to address cyber risk in a cost-effective manner across the value chain. Attention should be paid to assessing insider risk because electronic connectivity and use of cloud-based storage and external data management obfuscates the notion of who constitutes an “insider.”
7. Cybersecurity issues cannot dominate the IT budget. Over the past decade, IT departments have been reducing operations and maintenance costs consistently, funneling those savings to fund other priorities like security. Taking into account other priorities, including compliance and system enhancements, Protiviti’s research indicates that mature businesses are left with only 13 percent of their IT budgets for innovation.
With a strained budget, it becomes critical for IT leaders to target protection investments on the business outcomes that can adversely impact the organization’s crown jewels, understand the changing threat landscape and risk tolerances, and prepare for the inevitable incidents. Without this discipline, cybersecurity will continue to consume larger portions of the IT budget. Innovation will then suffer, and the business could ultimately fail—not because a severe threat is realized, but because the spend on operational risk has distracted the business from the strategic risk of failing to mount a competitive response to new entrants and innovators. Therefore, as important as the imperative for sound cybersecurity practices is, directors should not allow it to stifle innovation.
8. Directors should gauge their confidence in the advice they’re receiving. While there is no one-size-fits-all solution, boards should periodically assess the sufficiency of the expertise they rely on for cybersecurity matters. There may be circumstances where the board should strongly consider adding individuals with technology experience either as members of the board or as advisers to the board.
Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. Boards of directors need to ensure the organizations they serve are undertaking focused, targeted efforts to improve their cybersecurity capabilities continuously in the face of ever-changing threats.
NACD’s thought-leadership forum, Master Class, convened in Fort Lauderdale, Florida, late last year to discuss how corporate governance is adapting to the current operating environment. Dialogue among directors and session leaders at the event revealed 10 insightful takeaways:
Board engagement in strategy development is a sign of healthy board-management engagement. The board’s role is to question the CEO’s strategy assumptions, offer alternatives, and ensure a long-term value creation. Senior management’s job is to execute the strategy.
Given the complexity of today’s operating environment, it is even more important to stay attuned to disruptive competition in the company’s industry. Spend time outside of board meetings learning which changes—in technology, policy, or through stakeholder demands, for example—are emerging and how your company should address those disruptions.
Demonstrate directors’ commitment to continued education in communications with shareholders, employees, and other stakeholders. While your board may feel that current director evaluations and education requirements are sufficient, review your director education program to ensure that board members’ skills are being enhanced to keep pace with the changing operating environment.
Consider taking a few steps to enhance recruitment of and onboarding for new directors:
Consider not only the board’s recruitment needs in the next year, but also in the next several years as directors leave the board and as company strategy evolves.
Establish a requirement that the director pipeline includes candidates from diverse backgrounds.
Tailor new-director onboarding programs to individual directors.
Convey a sense of your board’s dynamics with each other and with management to both prospective and new directors.
Determine whether the skillset matrix tests for skills that are necessary for the company strategy. While directors currently serving on the board may have had the skills to help the company achieve its prior strategy, realize that the directors sitting on the board today should be measured against the new ruler of current and future strategy expectations.
Review your board’s bylaws and committee charters to determine whether the documents offer any detail about how directors oversee cultural risk. Probe management about culture. Given recent corporate scandals relating to unhealthy corporate culture, consider adding language to your bylaws and charters to demonstrate a commitment to healthy company culture. Take this commitment a step forward by probing management about how the company currently cultivates a healthy, ethical culture.
Look beyond the information management has presented you to determine the company’s cultural dynamics among not only senior management, but also lower- and mid-level managers. Review online employee satisfaction websites to gauge morale and determine whether behaviors incentivized are realistic and healthy.
Question the quality and volume of information being given to the board on enterprise risks. If the board is receiving 1,000 pages of information monthly about risks, ask whether the board can realistically absorb that information. Ask the chief risk officer to provide the board with a more brief and concentrated view of the risks that need to be addressed, and spend time drilling down on the most pertinent risks, including those that may be sleeping giants.
When stumped on strategy, go back to the beginning. Ask often why the company was founded and what problem the company should help clients or consumers solve. Having a renewed vision of the founder’s mission can help provide fodder as to how to revive that vision in light of today’s operating environment.
Dive deep into consumer trends and behaviors, when considering appropriate strategies. While it may be easy to become mired in the highly technical nature of directorship and oversight, realize that great insight can come from aligning company strategy so that it satisfies customers’ needs and wants.