Investors are on to a definite theme these days—and Kinder Morgan and Anadarko Petroleum Corp. are the latest companies to experience it.
Earlier this month, investors in the energy infrastructure giant backed shareholder resolutions calling for more transparency and reporting on how Kinder Morgan is addressing the impacts of climate change and mitigating the risks. A similar resolution at Anadarko also received a majority vote this month.
As I wrote in a recent NACD blog, one consequence of this growing focus on climate risks is that investors, led by major money managers such as BlackRock and State Street, are increasingly emphasizing the role of corporate boards in driving company responses.
And now Systems Rule, a new report from Ceres, shows that investors are right to push for strong governance systems for sustainability.
Our analysis of board governance practices and performance data of large global companies found that businesses that integrate sustainability priorities such as climate change into board mandates, director expertise, and executive compensation also demonstrate strong performance on sustainability issues.
The report provides important insights for boards to pay attention to as they consider how to oversee climate-change-related risks and strategy.
But here’s the issue: Most large companies aren’t among these performers because they still have fragmented systems of board governance, especially when it comes to sustainability oversight.
This is true in part because many directors and company leaders still do not understand the material impacts associated with environmental and social issues, like climate change. In fact, Systems Rule noted that only 17 percent of corporate directors have demonstrated expertise in sustainability issues.
For companies to get moving and establish governance systems that can deliver commitments and performance on climate change, the whole board needs to start by establishing some baseline fluency that will help them understand when these issues could in fact be material.
Developed specifically to increase board fluency in climate change, the report provides an overview of the different ways that climate change can impact an enterprise and how boards can integrate climate change oversight into their responsibilities in the boardroom.
It’s designed to be a valuable tool for corporate directors who want to educate themselves on what this issue means to their business and what they can do about it.
So how, practically, can directors build climate competency into their board?
Formally include oversight of climate-change-related issues in the board structure. Formalizing climate change’s importance to business by including it in board committees’ mandates ensures the topic is regularly discussed. Citigroup, Ford Motor Co., and Nike are just a few of the companies that do this.
Recruit climate-competent directors. Committees should cast a wide net through the nominating process so they can consider candidates with diverse backgrounds and expertise in addressing climate change.
Integrate climate change into strategic planning and risk oversight. Directors should ensure that management takes the business impacts of climate change into account at every level of the company. Businesses including BHP Billiton and Shell conduct scenario analyses to assess the impacts of climate change on their portfolio of assets and business policies.
Tie executive compensation to actions that mitigate climate change. To encourage action, executive compensation can be tied to a company’s progress on addressing and opportunities, such as cutting greenhouse gas emissions. Xcel Energy links 30 percent of its executive compensation to carbon emission reduction goals.
Promote climate change disclosure. Without robust disclosure, investors cannot accurately analyze how a company is responding to climate change. Companies including Aviva, Unilever, and Zurich Insurance committed to updating their disclosures based on new Task Force on Climate-related Financial Disclosure (TCFD) guidelines.
The takeaway from our research is clear. It pays for companies and boards to adopt strong board oversight systems for climate change. But as a first step, boards should develop climate fluency to understand the material risks their company may face. Fluency with the issues and strong, holistic governance systems will lead to the performance impacts that investors and other stakeholders want to see.
Veena Ramani is program director of capital market systems programs at Ceres.
From the recent botnet attack on home and small-office routers to renewed attention to cybersecurity at the U.S. Securities and Exchange Commission (SEC), directors of companies are tasked with understanding and overseeing a mounting range of information about cyber risks. Recognizing that directors need oversight-specific resources to guide their understanding of this critical risk, the National Association of Corporate Directors (NACD), Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University (CMU) partnered to develop the Cyber-Risk Oversight Program.
The program is tailored specifically to the needs of the director and is updated periodically with webinars to provide context on the most recent developments in cybersecurity. Students who complete the course and pass a series of quizzes are awarded the CERT Certificate in Cybersecurity Oversight. They also join a group of their peers who are publicly acknowledged for having completed the program.
“Cyber-Risk Oversight: Boardroom Update” is the first installment in our Cyber-Risk Oversight webinar series. Completion of the program is not a requirement to view this webinar. Some chief insights from the webinar follow.
What’s New in the Threat Environment
According to the 2017 Cybercrime Report, published by Cybersecurity Ventures and the Herjavec Group, cybercrime will cost the global business market $6 trillion annually by 2021. Summer C. Fowler, a member of the CERT Institute faculty at CMU and an instructor in the Cyber-Risk Oversight Program, says that this considerable cost suggests that directors should pay closer attention to cyber-risk oversight, as cyber risks take a material toll on companies. Below is a summary of some of the more pressing threats discussed in the webinar.
Just under three quarters of cybersecurity breaches to companies’ systems come from an outside source, while 27 percent are from insiders. Fifty percent of the breaches are made by criminals acting with financial gain in mind.
Small businesses have become a primary target for cybercriminals because they oftentimes do not have sufficient resources to defend themselves. Directors of these types of companies and nonprofits should ask questions of the organization’s executives to understand how data is being protected.
The average time to discover a breach is six months, which is down from seven months in 2017. This number is alarming, as cybercriminals are still spending significant time in systems without being detected.
Members of boards of directors are very often the targets of whaling attempts, which are phishing attempts in which an e-mail is received that looks like a critical, legitimate request. For example, an e-mail may be drafted to appear as though it has come through the chain of command. There will often be multiple people targeted at once through these attempts, to increase the appearance of legitimacy. Whaling can be extremely convincing, and directors should receive training on how to avoid falling victim to these attacks.
Cybersecurity and the SEC
In recent years the corporate approach to cybersecurity has shifted from a reactive to a proactive mindset. These shifts have also been significant from a legal perspective, as ensuring cybersecurity and data protection becomes the responsibility of many people, rather than one single person. Cybersecurity also has become a priority for the SEC. In 2011, the SEC’s Division of Corporate Finance issued guidance on how companies should approach disclosure of a breach to investors. While the chief regulator of public companies has not since made any specific rules on reporting of cybersecurity incidents, it restated its guidance on what it expects companies to do to be transparent to shareholders about breaches. In February, the SEC released guidance for companies to consider when evaluating cybersecurity risks for disclosure. The SEC suggests that the board needs to think about more than the concrete costs of recovering after a cyber breach.
The factors that a board should consider in cybersecurity disclosure are:
occurrence, frequency, and severity of prior cybersecurity incidents;
probability and potential magnitude of cybersecurity incidents;
adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
aspects of the company’s business and operations that give rise to material cybersecurity risk;
costs associated with maintaining cybersecurity protections;
potential for reputational harm;
existing or pending laws and regulations that may affect the cyber requirements; and
litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Are you interested in earning a respected credential in cyber-risk oversight at your own pace? NACD members and those who are not yet members are encouraged to watch the webinar embedded above to preview the course’s offerings and to register for the course.
With the principle of the rule of law and democratic governance under siege in numerous parts of the world, corporate board members are increasingly considering how global events are creating mounting risks to both their businesses and the bottom line.
These actions are taking place in jurisdictions that have long been high risk for companies. The Democratic Republic of the Congo, Venezuela, and Myanmar, for example, have for some time presented operational challenges as a result of poor governance. In recent years, however, countries thought of as bulwarks for the rule of law have also begun to present challenges for businesses. Some argue that these include the United States, a country that traditionally has been known as a powerful advocate for the rule of law and democratic values and the long-time guarantor of the system of global governance, and the United Kingdom, where the legal and regulatory uncertainty caused by Brexit has seen many investment decisions put on hold.
Just in the last few weeks, actions taken by the United States with rule-of-law implications have given some in the business community great pause. US actions regarding Chinese telecom company ZTE Corp. have raised questions as to whether a law enforcement action against a corporate entity can be used as a point of leverage in an international trade negotiation. Notwithstanding policy arguments for and against, the US’s withdrawal from the Iran agreement and pending re-imposition of secondary sanctions create significant uncertainty both for international businesses making investment decisions in Iran, and with respect to the US’s long-term commitments to international agreements. Many also note that America’s executive in chief has imposed considerable pressure on elements of the federal government whose independence has long underpinned the rule of law in the United States, from individual judges and the judiciary to members of Congress, to law enforcement and the Federal Bureau of Investigation. This pressure has at times taken the form of quite personal attacks that set a concerning precedent, including for businesses that must ask whether they could become a target for a president who dislikes what they may be doing.
It is no secret that businesses do well in jurisdictions where the rule of law is strong: where contracts are enforceable, where fair judicial decisions are rendered without unreasonable delay, where assets aren’t arbitrarily seized or contracts arbitrarily renegotiated, where laws and regulations are transparent and applied fairly, where bribes need not be paid for discretionary actions by government. These are environments where businesses thrive. Indeed, as a 2015 report by law firm Hogan Lovells and the Bingham Centre for the Rule of Law makes clear, there is a strong correlation between foreign direct investment in a country and the existence of a sound rule of law.
Businesses also do well where basic principles of the rule of law and associated norms are embedded. The separation of powers, the existence of a resilient and independent law enforcement system, and basic respect for truth and fact-based decision making are all important contributors to business success.
Finally, the existence of a strong rule of law correlates with broader societal thriving, making for an invigorated source for customers, employees, partners, and suppliers.
Given this reality, it is imperative that boards be sensitive to the range of rule-of-law issues that impact their businesses, even in jurisdictions where they least expect it. This means considering specific risk factors involving rule of law, above and beyond more generic political risk factors, whenever contemplating entry into new jurisdictions. The same can be said for assessing merger and acquisition or joint venture prospects, even in places where rule of law issues aren’t on the front page of newspapers every day. Indeed, a broad range of rule of law risk factors should be included in standard risk matrices so that business-critical issues such as prospects for the enforceability of contracts, or the ability to get a fair and timely judicial decision, or the independence of law enforcement are specifically considered when assessing risk. Existing governance and compliance frameworks can readily be adapted to reflect rule of law issues, alongside human rights and other risk issues. Rule of law matters should be included on the agenda of board meetings when appropriate.
In addition, boards should consider their companies’ own self-interest in the existence of a strong rule of law, and decide what their role might be in encouraging better governance, both within the companies themselves and in the environments where they operate. Many high-profile businesses have stepped up in recent months to publicly support such issues as countering climate change (as occurred when the US withdrew from the Paris Climate Agreement last year, which precipitated an outpouring of commitments by businesses to meet the goals set out), or in response to gun violence (as with Dick’s Sporting Goods following the Parkland school shooting), for instance.
In this regard, business can serve as a champion of good governance and the rule of law, advocating for improving the standards of governance where appropriate, and initiating collective efforts with like-minded companies with shared interests in stronger rule of law. Chambers of Commerce and other trade associations can be powerful voices when it comes to advocating for a strong rule of law that encourages foreign investment and secures stable business environments. Directors can urge the associations they are involved in to initiate efforts to support the rule of law, helping to bring to bear the influence and credibility of the business community to move the needle, in a positive way, on the quality of governance and the rule of law. Further, there are business-driven associations that provide a platform for collaboration to support the rule of law.
With the rule of law being challenged in so many countries around the world, businesses have both a strong interest in and ability to contribute to fostering a strong rule of law everywhere. Businesses, and their directors, should be part of the urgent work to publicize and mitigate what it is we as a global community will lose if the rule of law is undermined.
Ulysses Smith is a US-based lawyer and director of the Business and the Rule of Law Program at the Bingham Centre for the Rule of Law. All thoughts are his own and do not necessarily reflect those of NACD.