As discussions of sustainability move beyond financial performance, they tend to spawn divergent views. Many frame the term as what constitutes responsible behavior in driving continued development and growth without deteriorating the environment, depleting natural resources, or creating conditions that destabilize the economy and vital social institutions. Still others prefer to cleave to the traditional view of the corporation and remove external stakeholders and the environment altogether to focus solely on the sustainability of the business and its profits.
The type of short-term thinking applied when formulating policy and the kinds of long-term thinking driving sustainability development discussions are like oil and water, and looking to the business world, short-termism on the part of senior management is a sustainability killer. Without a long-term outlook in both the private and public sectors, the sustainability discussion will continue to be over before it begins.
Straight talk about sustainability leads to acknowledgement of several important realities:
Sustainability performance without acceptable financial performance is untenable. The two must be integrated, and neither is a substitute for the other. Overreach in pursuing either preempts long-term progress.
Many directors and senior executives believe the focus on sustainability is inevitable and, of necessity, strategic. Some constituencies believe that investments on the environmental, social, and governance fronts are incompatible with positive near-term returns.
Reasonable people can differ in their views as to the appropriate sustainability objectives for a given organization, based on the industry, stakeholder interest, and long-term outlook, as well as the time frame in which the entity should pursue those objectives.
A meaningful impact is only possible through the collective efforts of multiple entities in the private sector, sound policies in the public sector, cross-border global cooperation, and investors committed to the sustainability agenda.
The concept of selective investing offers a set of standards for a company’s operations that socially conscious investors use to evaluate investment alternatives. As professionally managed funds deploying environmental, social, and governance (ESG) factors to screen investments have increased assets under management into the trillions of dollars, directors and executives have taken notice. Earlier this year, the CEO of BlackRock issued a letter to chief executives calling for a “positive contribution to society” beyond financial performance in realizing their organization’s full potential, with emphasis on “understand[ing] the societal impact of [their] business as well as the ways that broad, structural trends—from slow wage growth to rising automation to climate change—affect [its] potential for growth.” As these and other related demands have increased from the investor community, so have requests for increased transparency.
Governance—the “G” in “ESG”—has steadily emerged as a significant differentiator and, increasingly, a make-or-break factor for investors. Bad corporate behavior during the Enron era at the turn of this century, reckless risk-taking precipitating the 2007-2008 financial crisis, catastrophic cyber breaches, egregious violations of laws and regulations, and wanton disregard of safety considerations in addressing cost and schedule pressures have accentuated the importance of effective governance and the strong organizational culture it encourages. As important as these matters are, they’re mere table stakes. The focus on sustainability raises the bar further, with the BlackRock letter calling for a “new model for corporate governance.”
There are other reasons why ESG is important. Younger generations place high importance on sustainability issues. A recent survey noted that 56 percent of public company directors believe that a corporate social responsibility policy increases a company’s ability to attract and retain employees. Also, deploying cost-effective technologies to increase process efficiencies and develop environmentally friendly products and services has become attractive in many sectors. While there is a long road to travel littered by brutal politics and more questions than answers, world opinion has been coalescing around achieving the goal of sustainable development.
Perhaps this is because the world around us all is changing so much. Advanced technologies make feasible what was impossible a decade ago. Global population growth continues to explode, and changing demographics and resource scarcity affect operations. Businesses are left to ask themselves what they are to do in the face of these changes, and corporate directors have a role in leading their companies to action.
Directors should ensure that management answers the question, “What does the organization do about sustainability?,” based on the nature of the entity’s industry, culture, markets, stakeholder priorities, regulatory environment, appetite to lead and invest, intrinsic challenges from an execution standpoint, and long-term outlook. Approaches to consider might include the following:
Articulate sustainability guiding principles and core values;
Assess current ESG performance to identify gaps and opportunity areas;
Conduct an assessment of opportunities to improve performance and address the risks of inaction;
Assess the entity’s current policies, processes, organizational structure, reporting, methodologies, and systems supporting the pursuit of sustainability objectives;
Based on the above, formulate a sustainability strategy and road map of key initiatives supporting that strategy;
Establish accountability for results by setting targets, assigning executive sponsorship, defining initiative ownership, specifying the appropriate performance metrics, and integrating those metrics with operational performance monitoring and the reward system; and
Establish disclosure controls and procedures to ensure reliable internal and external ESG reporting.
The strategy taken by investors in this age of sustainable development is challenging perceptions of the role of the corporation in society. The questions around sustainability—and how hard companies should be working to drive it as a goal—require serious reflection for executive management and the board. A strong commitment to sustainability places an emphasis on actions, not words; on disruptive innovation, not “business as usual”; and, most importantly, on leadership, collaboration, and transparency.
As a member of your company’s board, you know that cybersecurity is a critical risk that simply cannot be ignored, and that should be reported on regularly by the appropriate executives. According to the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, 89 percent of public-company directors say cybersecurity is discussed regularly in board meetings, and 72 percent of private-company directors say the same. Most companies are clearly moving in the right direction.
However, not all directors are familiar with cybersecurity operations and how to assess the associated risks. If you’re a newer member of your company’s board, you may wish to review some of the following topics that you should expect from security and risk teams in their cybersecurity presentations.
Navigating Your First Briefing
If this is your first time listening to a cybersecurity presentation at a board meeting, you can expect the chief information security officer, or CISO, to provide a short background on the company’s cybersecurity practices and how they define cybersecurity in their organization. They’ll also discuss how the board should approach oversight of cybersecurity. The most effective CISOs talk in terms of risk management, which means cutting out technical jargon and focusing on business value. They may also draw the board’s attention to cybersecurity’s impact on stock price and bottom line to establish a common language.
Below are some of the topics you can expect to be reviewed:
How the company generally approaches cybersecurity, including the organizational structure.
The company’s security performance benchmarked against industry peers.
Risks to the company’s cybersecurity environment.
The types of data that security teams think are most critical or sensitive to your company’s continued operations.
The critical operations that could be impacted by a cyber incident.
Some of the key external threats, insider threats, and third-party risks the CISO believes the company faces. This may include examples of cyber incidents that have occurred in other organizations in your sector or beyond.
How they envision board member involvement in cyber-risk oversight, and the types of issues in whose response the board should be involved.
The cybersecurity and risk management programs the organization has in place.
The type of information they plan to share in future presentations.
What to Expect Going Forward
Now that you’ve experienced your first cybersecurity presentation as a board member, you can expect that the CISO will continuously educate you and the rest of the board on critical issues. You can expect to be briefed on the effectiveness of the risk management tactics the company is employing. In other words, you should know where and how the company is succeeding or failing (and how that compares to previous quarters), as well as any areas that need strategic improvement.
Here are some topics you can expect from the CISO in their ongoing security presentations to you and the rest of the board:
Technology that the company has purchased and integrated—with a focus on what it is doing for the organization.
Technology the CISO wants to purchase and why.
The accountability metrics the security team has created, categorized in the following ways, and followed by questions directors should ask the reporting CISO:
Do we have any outstanding high-risk findings open from our last audit or assessment?
What percentage of the NIST framework are we implementing?
Operational Effectiveness Metrics
How quickly can we remove employee network access?
How quickly can we (or our vendors) identify and respond to incidents?
What percentage of our users click on spear-phishing training emails?
How did we compare to our peers across certain time spans?
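The operational effectiveness questions above are only useful to a board if the CISO can back them with numbers computed the same way each quarter. The following Python script is an added example, not code from the NACD post or from any vendor: it computes time-to-revoke access, mean time to detect and respond, phishing-simulation click rates with their quarter-over-quarter trend, and a simple framework-coverage percentage from constructed sample records. All timestamps, campaign counts and the control identifiers in CONTROLS are constructed placeholders; a real program would read these from the HR system, the incident tracker, the phishing platform and the control inventory.

```python
# Added example: board-level operational security metrics from constructed records.
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median


@dataclass
class Offboarding:
    """One leaver: when HR recorded the termination vs. when all access was revoked."""
    user: str
    hr_termination: datetime
    access_revoked: datetime


@dataclass
class Incident:
    """One security incident with the three timestamps the metrics need."""
    ident: str
    first_activity: datetime   # earliest known malicious or anomalous activity
    detected: datetime         # when the SOC or a vendor raised the alert
    contained: datetime        # when the incident was contained


@dataclass
class PhishCampaign:
    """One simulated phishing exercise (constructed numbers)."""
    name: str
    sent: int
    clicked: int


T = datetime.fromisoformat  # shorthand for building constructed timestamps

# Constructed sample data for illustration only.
OFFBOARDINGS = [
    Offboarding("alice", T("2024-03-01T17:00"), T("2024-03-01T18:30")),  # 1.5 h
    Offboarding("bob",   T("2024-03-04T09:00"), T("2024-03-06T09:00")),  # 48 h outlier
    Offboarding("carol", T("2024-03-10T12:00"), T("2024-03-10T14:00")),  # 2 h
]
INCIDENTS = [
    Incident("INC-1", T("2024-03-02T00:00"), T("2024-03-02T06:00"), T("2024-03-02T10:00")),
    Incident("INC-2", T("2024-03-08T08:00"), T("2024-03-08T10:00"), T("2024-03-08T11:00")),
]
PHISH = [
    PhishCampaign("2023-Q4", sent=1000, clicked=120),
    PhishCampaign("2024-Q1", sent=1200, clicked=96),
]
# Constructed control inventory: (control id, implemented?). The ids are placeholders;
# a real inventory would list every subcategory the organization has scoped in.
CONTROLS = [("ID.AM-1", True), ("ID.AM-2", True), ("PR.AC-1", True),
            ("PR.AC-4", False), ("DE.CM-1", True), ("RS.RP-1", False)]


def _hours(delta):
    return delta.total_seconds() / 3600


def access_removal_stats(records=OFFBOARDINGS, sla_hours=24):
    """Median and worst-case hours from termination to revocation, plus SLA hit rate."""
    hours = [_hours(r.access_revoked - r.hr_termination) for r in records]
    within_sla = sum(h <= sla_hours for h in hours)
    return {"median_hours": median(hours), "max_hours": max(hours),
            "pct_within_sla": 100 * within_sla / len(hours)}


def detection_and_response(incidents=INCIDENTS):
    """Mean time to detect (activity -> alert) and to respond (alert -> containment)."""
    mttd = mean(_hours(i.detected - i.first_activity) for i in incidents)
    mttr = mean(_hours(i.contained - i.detected) for i in incidents)
    return {"mttd_hours": mttd, "mttr_hours": mttr}


def phish_click_rates(campaigns=PHISH):
    """Click rate per campaign plus the change between the last two exercises."""
    rates = {c.name: c.clicked / c.sent for c in campaigns}
    latest, previous = campaigns[-1], campaigns[-2]
    trend = rates[latest.name] - rates[previous.name]   # negative means improving
    return {"per_campaign": rates, "trend": trend}


def control_coverage_pct(controls=CONTROLS):
    """Share of scoped controls marked implemented."""
    implemented = sum(1 for _, done in controls if done)
    return 100 * implemented / len(controls)


def board_summary():
    """The numbers a CISO would put on one slide, rounded for presentation."""
    a = access_removal_stats()
    d = detection_and_response()
    p = phish_click_rates()
    return {
        "access_removed_median_h": round(a["median_hours"], 1),
        "access_removed_max_h": round(a["max_hours"], 1),
        "access_within_sla_pct": round(a["pct_within_sla"], 1),
        "mttd_h": round(d["mttd_hours"], 1),
        "mttr_h": round(d["mttr_hours"], 1),
        "latest_phish_click_pct": round(100 * p["per_campaign"][PHISH[-1].name], 1),
        "framework_coverage_pct": round(control_coverage_pct(), 1),
    }


if __name__ == "__main__":
    for key, value in board_summary().items():
        print(f"{key:26s} {value}")
```

Reporting the median alongside the maximum matters: the median hides the 48-hour outlier in the constructed data, while the maximum and the SLA hit rate surface it, which is exactly the kind of finding a director should ask about.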
There is a lot to consider and process when listening to an effective cybersecurity presentation. Be sure to prepare yourself beforehand so that you know what to expect and can contribute to future meetings accordingly.
While I am not sure that it should be a radical idea, the following concept seems radical to some: internal organizational culture and external environmental, social, and governance (ESG) matters are, and should be, intimately and inextricably interconnected. They’re two sides of the same coin. I believe that it is not only time for boards to get cracking on internal culture governance, but that it is also a core part of good modern governance for directors to know the key ESG and corporate responsibility issues relevant to their companies. By tying the two together, boards can proactively and carefully oversee management’s efforts to act on these often siloed, disparate, or even ignored and untreated parts of a more resilient organization.
#MeToo, #TimesUp, and #NeverAgain
In the first and second installments in this series, I discussed these movements, context around them for corporate governance, and what directors might do to best oversee these risks. It has grown apparent that these movements also are related. So, what do the #MeToo, #TimesUp, and #NeverAgain movements have in common? Beyond simply being hashtags, they are movements that emerged in reaction to perceived and real decades of troubling policies, behaviors, and practices in both the private and public sectors. They represent both external stakeholders’ reactions as well as potential reputation risk and attendant financial losses to companies and their leaders (including boards).
These movements also represent a singularly contemporary phenomenon which both management and the board should proactively respond to: the intricate and deepening interrelationship of internal corporate culture and external ESG and stakeholder issue management. These two aspects of running a business have been long ignored or sidelined as not important to a business, but they are now emerging and, arguably, merging before our eyes. It is the job of management and the board to understand, manage, and oversee these governance imperatives effectively.
A company’s treatment of external stakeholders is a mirror of its culture. The following four cases offer stark examples of the two extremes of how companies treat their stakeholders.
The Weinstein Company The toxic culture spread by its CEO and founder Harvey Weinstein was ignored, supported, tolerated, and proactively encouraged by its executives and board for many years. Take a look at this “Frontline” documentary to understand the full extent of the actions that led to the bankruptcy of this Hollywood film powerhouse. This case illustrates the intertwining of toxic culture on the inside with no sense of corporate responsibility. It also demonstrates disrespect for outside stakeholders such as established and aspiring actresses and other key third parties.
Wynn Resorts The news out of this company affords another example of a long-standing toxic culture initiated and vitiated by the CEO and apparently supported or ignored by his handpicked board. Key stakeholders such as employees and third parties were adversely affected. Now the ex-wife of the deposed CEO and chair is leading the charge to create positive change at both management and board levels with an aggressive plan to cleanse and grow a healthy culture from the boardroom down into the organization.
In both of these cases it’s likely that neither board ever asked the CEO or management questions about internal culture or exercised oversight of ESG and stakeholder issues. It would not be surprising in both cases to learn that the board actively or passively ignored culture and responsibility issues while focusing exclusively on the financial bottom line.
Merck & Co. The pharmaceutical company has for decades had a succession of great CEOs who have led the company to financial success while building a strong culture of integrity and social responsibility. Witness the crisis management of the complicated Vioxx case by former CEO Ray Gilmartin, who voluntarily withdrew the medication, in contrast to Merck’s competitor with equivalent challenged medications. The explanation? Merck did not want to adversely affect their most important stakeholders: customers and patients. Current Merck CEO, Ken Frazier, continues their long-standing tradition of having both a strong internal culture and being a leader on cutting-edge ESG issues externally.
Starbucks A company with leadership that for years was known for having an enlightened corporate culture and for proactively managing its corporate social responsibility (CSR) initiatives may weather its current Philadelphia store racial incident better than most because of this close interrelationship. Starbucks’ ingrained, demonstrated care for its stakeholders was like muscle memory, allowing its management team to respond in lockstep with their lived values. How else does a company’s reputation survive this kind of incident and go further than probably any other company would by shutting down 8,000 stores country-wide for a day for implicit bias training?
Second, boards must get much more involved in overseeing and ensuring that management has the right ESG and stakeholder relations program in place. The right program will embrace the interests of important stakeholders like customers, regulators, the media, suppliers, and current and future employees, among others.
And third, any discussion at the board level of culture or ESG should connect the two topics. Culture is part of ESG, and ESG is part of culture.
Crises that are not well managed can mean the difference between value creation and value destruction. Organizations need to forge a culture that is consistent both on the inside and the outside. When something critical happens, an organization that has forged a robust and resilient culture on the inside is more likely to weather the storm than a company that has paid little or no attention to laying a sound culture of values. Indeed, such enlightened companies may even have a reputation and value creation advantage, as I have discussed at length in my book The Reputation Risk Handbook: Surviving and Thriving in the Age of Hyper-Transparency.
Seven Critical Questions the Board Should Ask Management
As boards wrap their minds around the oversight of internal and external culture, they should consider asking the CEO and management the following critical questions:
Does the leadership (CEO/C-Suite) ever discuss culture?
If so, is it only culture talk (nice speeches, pretty pictures, glad-handing) or does it include culture walk (budgets, resources, reports)?
Is there at least one high-level executive who has “culture” explicitly included in his or her portfolio of responsibilities? If not, why not?
Is there at least one high-level executive who is in charge of managing ESG issues that are critical and important to the mission, vision, values and strategy of the company? If not, why not?
Have ESG issues been identified as core and critical to the wellbeing of shareholders and key stakeholders (employees, customers, regulators)?
When there has been a crisis involving ESG issues (e.g., a chemical spill, an allegation of executive harassment, an accusation of corruption), what is the track record of the company in handling that crisis? Were they prepared, or did they manage the crisis by the seat of their pants?
Is there an effective integration of key roles on ESG issues between human resources, legal, ethics and compliance, risk, public relations, and others that are relevant? Or is the management of such issues siloed, fly-by-night, or otherwise non-existent?
The answers to these and additional questions will lead to a holistic look at the culture of the organization, and will allow the board to understand what buttons need to be pushed to help the organization attain consistency, synchronicity, viability, transparency, and value in the marketplace.
The way a company treats its external stakeholders starts with its internal culture. And the internal culture of an organization starts and ends with leadership. The greatest responsibility of the board at the end of the day is to hold the CEO and the executive team responsible and accountable for all aspects of strategy—not just financial results.
#TimesUp for boards that are ignorant, negligent, or oblivious to these central issues.
Dr. Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory, a strategic governance, risk, cyber and ethics advisor, board member, and former senior executive at Bertelsmann, Verint, and PSEG. She is author of numerous books including The Reputation Risk Handbook (2014) and co-author of The Artificial Intelligence Imperative (April 2018). She serves as Ethics Advisor to the Financial Oversight and Management Board for Puerto Rico, start-up mentor at Plug & Play Tech Center, life member at the Council on Foreign Relations and is faculty at the NACD, NYU, IEB (Spain) and IAE Business School (Argentina). She tweets as @GlobalEthicist. This blog series borrows in part from her forthcoming book with Routledge/Greenleaf (2019), Gloom to Boom: How Leaders Transform Risk into Resilience and Value. All opinions expressed here are her own.