Driving Behaviors Through Incentives and Risks

The following blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors (NACD) announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will launch during NACD’s Global Board Leaders’ Summit Oct. 1–4.

Incentives can reward performance—and create tension and unintentional risks.

One element that helps define an organization’s culture is the set of incentives motivating employees to act. While incentives can effectively reward performance that benefits the enterprise, the compensation committee—and the board more generally—must factor in the tension and unintentional risks that incentives can create.

NACD, along with Farient Advisors, Katten Muchin Rosenman, PwC, and Sidley Austin, last fall cohosted the first-ever joint meeting between the NACD Compensation Committee Chair Advisory Council and the NACD Advisory Council on Risk Oversight. Committee chairs from Fortune 500 corporations joined governance stakeholders for an open dialogue on incentives and risk taking.

The discussion was held under a modified version of the Chatham House Rule, under which participants’ quotes are not attributed to those individuals or their organizations, excepting cohosts.

Six questions emerged that boards and compensation committees should consider:

  1. Do we have an appropriate balance of metrics?
  2. Are we calibrating goals and upside opportunity appropriately?
  3. Are we considering the quality of performance?
  4. How robust are the controls on data that is used as inputs to the compensation plan?
  5. How are our board’s committees collaborating on developing and monitoring incentive plans?
  6. Are we actively exercising discretion?

Below are details for three of those questions. More information is available for download in NACD’s complimentary brief, Incentives and Risk Taking.

Do we have an appropriate balance of metrics?

The Report of the NACD Blue Ribbon Commission on Performance Metrics states, “Corporate leaders must select metrics that encapsulate the company’s strategy, the balance of risk and reward, and the milestones along the way.” Management chooses appropriate metrics for the company. The board’s role is to decide if those metrics help create long-term value for shareholders—and also to ask management the right questions to ensure that risks associated with compensation plan incentives are being mitigated.

“Our responsibility is to understand the business and the industry,” said one director at the meeting. “The more we understand the business, the more [any] red flags will become apparent.” Meeting participants added that just as there is no silver bullet or single perfect metric to use when developing incentive plans, there is no one-size-fits-all approach to finding a satisfactory balance of metrics.

“There’s no perfect performance measure because every one of them can be gamed either deliberately or not deliberately,” said Dayna Harris, vice president at Farient Advisors. “In addition, it’s important to factor in trade-offs—for example, between metrics related to earnings and those related to revenue or returns—in order to get a combination that works.”

Thomas J. Kim, partner at Sidley Austin, said, “Performance metrics for compensation should be consistent with how management and the board think and talk about the business, both internally and externally. Qualitative metrics are generally more appropriate for, and tailored to, specific individuals, rather than for management as a whole.”

Are we calibrating goals and upside opportunity appropriately?

In addition to selecting performance measures, compensation committees must ensure the pay plan keeps the firm’s risk appetite in mind. The goal is to avoid unintended consequences that might compromise the enterprise’s reputation or its long-term viability. At one council delegate’s company, “the chief risk officer does a risk analysis of the executive compensation plans and shares it with the board. We can assess where it nets out on the risk spectrum. The analysis is repeated at the end of the year to look at incentive payouts and whether any business area took undue risks.”

Participants highlighted two areas for compensation committees and boards to consider:

  • Incentive thresholds. “Stretch goals are great and often important to strategy execution. But the board needs to ask whether high incentive thresholds may encourage bad behavior,” one participant said.
  • Slope of the payout curve. Harris advised, “Make sure the upside [payout] opportunity is not excessive, especially for annual incentives. Three hundred to four hundred percent payout ranges can be dangerous.”

Are we considering the quality of performance?

Council delegates also emphasized that it is essential for compensation committees—and, indeed, for all board members—to ask probing questions about the way in which management achieves results, not just whether or not a particular performance target has been met: “How you get there makes all the difference: we have to look at the quality of earnings,” one delegate said. “If our incentive plan is heavily weighted toward rewarding revenue, did we end up with a bunch of low-margin or bad deals?”

One compensation committee chair reported, “To make sure that our results are sustainable, we’ve introduced strong metrics around employee satisfaction and engagement, along with customer satisfaction. These can count for as much as 25 percent of the CEO’s annual bonus.”

Questions about the quality of performance have risen to the top of many boards’ agendas in the wake of criticism over the consequences of aggressive incentive plans at companies such as Wells Fargo and Mylan. Reflecting on what has been publicly reported about these two situations, participants identified the following takeaways for directors:

  • Exercising skepticism is essential in times of good performance—when it is often most difficult to do. “It can be hard for directors to push back when they’re in the boardroom of a high-functioning organization and hearing lots of great stories from management,” observed one participant. Several delegates pointed out that executive sessions can be particularly useful in this regard.
  • Question over-performance as closely as underperformance. “If it looks too good to be true, it probably is,” a director said. “Wells Fargo’s cross-selling numbers were significantly above industry standard. As directors, we need to look very closely at outlier-level performance—it might be a red flag.”
  • Reputation risk can be material, even when financial losses are relatively small.

By incorporating into board discussions the above-listed questions, directors can strengthen responsible oversight of incentives. “It’s our responsibility as directors to understand the business and the industry in depth—trends, competitors, pricing models,” one director said. “That gives us a much deeper understanding about what is possible and what we’re asking management to do when we set goals and targets. It will also help us see potential risks and red flags much earlier.”

Why Are People Part of the Cybersecurity Equation?

Published by Masha Sedova

As many as 95 percent of breaches of companies’ data have a human element associated with them. It is no wonder, then, that security teams call people “the weakest link” in securing an organization and choose other investments for defense. Despite companies’ deep investments in security technology over the years, security breaches continue to increase in frequency and cost.

The conventional approach misses a significant opportunity to use people as a defense strategy against the ever-changing threat landscape. In fact, only 45 percent of respondents in the National Association of Corporate Directors’ 2016–2017 Public Company Governance Survey reported that their boards assessed security risks associated with employee negligence or misconduct. Organizations that have fostered intentional security cultures from the boardroom to the server room have managed to transform employees into their strongest asset in defending against attacks, gaining advantages in both protecting against and detecting cyber threats.

What is security culture?

SecurityCulture

From the boardroom to the server room, people could be your greatest security asset.

Culture-competent boards and management teams understand that culture is the set of behaviors that employees do without being told. In simpler terms, it’s “the way things are done around here.” There are many sub-cultures within an organization, and security culture is one that often looks quite different from the expectations set by policy. Security culture has the power to influence the outcome of everyday business decisions, leaving an employee to judge for themselves the importance of security in a decision. For instance, some frequent questions that employees might encounter include:

  • Is it OK to release insecure code, or should we test more, resulting in a delay?
  • Do I feel safe to report that I may have incorrectly shared a critical password?
  • Do I prioritize a secure vendor over a less expensive one?

Each of these decisions, when made without security in mind, adds to the organization’s security debt. While it is likely that none of these decisions on its own will lead to the downfall of the organization, each risky action increases the probability of being targeted and successfully compromised by cyber-attackers. On the other hand, if the questions above are answered with a secure mindset, over time an organization can expect to see more secure code, better data-handling processes, and an increased ability to detect cyberattacks, to name just a few examples. A positive, security-first culture makes it more difficult for an attacker to find and exploit vulnerabilities without detection, incentivizing a different choice of target. Directors at companies across industries should carefully evaluate whether management has established a security-first culture as part of their greater cyber-risk oversight strategy.

It is worth realizing that security-minded employees will not solve all security headaches. However, a company’s talent is an essential third leg of the business stool, partnered with technology and processes. An organization that does not invest in training and empowering its employees to prioritize security is only defending itself with two-thirds of the options available to it.

How do you practice it?

The first step boards and executives can take to shape security culture is to identify the most critical behaviors for your employees. Historically speaking, security culture programs used to be based on compliance and asked, “How many people completed a training?” or “How much time is an employee spending on education?” These are not the right questions. Instead, we should ask, “What will my people do differently after my program is in place?”

Prioritize behaviors by their impact on the security of your organization, customers, and data. Ideally this will distill down into two to three measurable actions that boards and executives can encourage employees to take in the short term to be security minded. Most mature security culture programs have the following three capabilities to help develop these behaviors: measure, motivate, and educate.

1. Measure. It is critical to have measures in place to show progress against culture change. When an organization can measure its key desired behaviors, it can start answering critical questions such as:

  • Are my campaigns effective at changing this behavior?
  • What groups are performing better? Why?
  • Has the company already met its goals? Can I focus on the next behavior?

Measuring culture is notoriously tricky because of its qualitative nature, but it can be done using measures such as the number of malware infections, incident reports, or even surveys that test for the knowledge of, and adherence to, policy and process. Surveys should also test for employees’ perception of the burden of security practices, as well as a self-assessment of individual security behavior.

2. Motivate. Effective behavior change requires motivation. Spending the time explaining the purpose behind each security measure goes a long way in getting employees on board. As an example, sharing case studies of successful attacks and lessons learned helps demonstrate to employees that the threat is real and applicable to their work. Some other great ways of providing motivation to follow through on security behaviors are public recognition of outstanding behavior, gamification, or rewards for success.

3. Educate. Employees cannot act to change their behavior if they are not fully trained to do so. Ensure employees have the knowledge and tools to complete the security tasks. Ideally, the information presented should be tailored by role and ability level to make it as relevant and interesting to the employee as possible. One key focus should be on educating senior executives on the trade-offs between risk and growth in a company. Consider providing scenarios based on real cyber-attacks that explore the long-term impact of risky business decisions. Add these discussion opportunities into existing leadership courses to help model a security mindset as a valued leadership trait.

Senior-level engagement

While the above is a framework that boards and executives can use to drive security behavior change from the bottom up, leadership has an important role in setting the security culture as well. Executives can publicly share, as employees themselves, the value they place on security, which reinforces the importance they see in a proper security culture for the organization and for the customers it serves. Executives should hold their businesses accountable for executing on key security behaviors and publicly call out examples that have impacted the security of the organization, either positively or negatively. Finally, boards should press executives to ensure that the focus of their people-centric security program is on the highest area of risk, not just on what is easy to measure.

Masha Sedova is the co-founder of Elevate Security, a company delivering interactive and adaptive security training based on behavioral science. Before Elevate, Masha was a security executive at Salesforce.com, where she built and led the security engagement team focused on improving the security mindset of employees, partners, and customers.

Five Ways to Improve Your Board’s Oversight of ESG in 2017

The National Association of Corporate Directors (NACD) recently released its sixth annual edition of Governance Challenges 2017: Board Oversight of ESG, produced in collaboration with NACD’s five strategic content partners: Heidrick & Struggles, the KPMG Board Leadership Center, Marsh & McLennan Companies, Pearl Meyer, and Sidley Austin LLP. Environmental, social, and governance (ESG) issues encompass a variety of areas in which shareholders have demonstrated an increasing interest: sustainability, diversity and inclusion, human rights, labor practices, executive compensation, employee relations, and board independence.

According to Institutional Shareholder Services, a record number of shareholder resolutions on climate change were filed in 2016, and the average shareholder support for environmental proposals in general has increased dramatically over the last decade—from receiving an average of 11 percent of the vote in 2006 to 21 percent of the vote by June 2016. Shareholder proposals for the 2017 proxy season are also expected to focus on social issues, as there will likely be a regulatory downshift in these areas under the Trump administration.

Drawing from NACD’s report, here are five ways boards can improve ESG oversight this year in response to growing expectations from investors and consumers in this area.

1. Integrate ESG initiatives into company strategy.

How companies consider ESG issues and link them to financial and operational performance demonstrates the company’s approach to creating sustainable, long-term value for investors. KPMG recommends boards set the context for the company’s discussion around ESG issues by asking how they are applicable to the company, customers, employees, and investors. Specifically determine how environmental sustainability can support the company’s financial future. What are the board’s expectations regarding ESG? Will the company broadly address environmental and social issues, or will the company only focus on areas that directly relate to its strategy and operations?

2. Ensure key functional leaders proactively apply ESG in business operations.

All leaders in the C-suite should understand the importance of ESG and how it impacts their functional responsibilities, according to Heidrick & Struggles. For example, does the CFO include ESG elements when conducting financial analysis? Does the CMO clearly demonstrate how the company is committed to ESG goals instead of resorting to greenwashing (i.e., dedicating more effort to claiming to be environmentally responsible than actually doing it)? The board may also consider adding director ESG expertise should the company be recovering from a company-caused environmental disaster or missed opportunities in the marketplace due to lack of attention to ESG.

3. Use executive compensation to support ESG goals.

While many public companies are already engaging on ESG issues, Pearl Meyer research indicates companies fall on a spectrum from conducting basic reporting on ESG to fully integrating ESG into company strategy, culture, and executive compensation plans.

Alcoa and Exelon are two examples of companies that have linked ESG goals such as greenhouse gas (GHG) emission reduction to executive compensation. At Alcoa, “20 percent of executive cash compensation is tied to safety, environmental stewardship (including GHG reductions and energy efficiency), and diversity goals.” Exelon rewards executives for “meeting non-financial performance goals, including safety targets, GHG emissions reduction targets, and goals engaging stakeholders to help shape the company’s public policy positions.”

To link ESG to financial results, boards can consider the following questions regarding compensation:

  • Which components of ESG should we link to our business strategy?
  • How do these ESG factors affect our short-term earnings versus long-term value creation?
  • What are the leading and lagging metrics that matter, incorporating both financial and nonfinancial metrics?

4. Improve disclosure on the impact of climate change.

The Financial Stability Board’s (FSB) Task Force on Climate-related Disclosures (TCFD) is an organization initiated by the G20 Finance Ministers and Central Bank Governors that has produced recommendations for disclosing climate-related risks and opportunities. The task force recommends that directors consider the following, as summarized by Marsh & McLennan Companies, to promote better disclosure:

  • Processes and frequency by which the board and/or board committees (such as audit, risk, or other committees) are informed about climate-related issues
  • Whether the board and/or board committees consider climate-related issues when reviewing and guiding strategy, major plans of action, risk-management policies, annual budgets, and business plans, as well as when they are setting the organization’s performance objectives, monitoring implementation and performance, and overseeing major capital expenditures, acquisitions, and divestitures
  • How the board monitors and oversees progress against goals and targets for addressing climate-related issues

See the Recommendations of the Task Force on Climate-related Financial Disclosures for additional guidance.

5. Engage shareholders on ESG issues.

According to Sidley Austin LLP, it has now become the norm for investors to consider environmental and social issues when making investment and voting decisions. Boards should determine who from the board and management will engage investors on these issues. These representatives may vary based on the severity of the topic to be discussed and which shareholder the discussion is with. Tracking shareholder voting records, and analyzing which types of proposals are seeing increased traction over time, will also provide insight into the minds of investors.

For more on how your board can improve ESG oversight, download your free copy of Governance Challenges 2017: Board Oversight of ESG. For NACD members, also see NACD’s handbook on Oversight of Corporate Sustainability Activities.