It is clearer than ever before that sustainability practices can affect corporate value. That was the main thread of a panel that I led at the National Association of Corporate Directors’ 2016 Global Board Leaders’ Summit in Washington, D.C. My co-panelists Christianna Wood, director at H&R Block, and Seth Goldman, founder of Honest Tea, and I discussed the potential risks and opportunities that environmental and social issues pose to companies.
Sustainability is a broad term, and not every environmental or social issue belongs on the board agenda. But when an environmental or social issue has the potential to affect corporate revenue and earnings in the short and long term, sustainability absolutely should be on the table.
At the end of the day, it all comes down to materiality, and this is where corporate directors have a critical role to play.
Materiality is about determining a company’s priorities. As fiduciaries responsible for overseeing a company so that it not only survives but also thrives in the long term, directors have a responsibility to assess whether a company is making the right choices.
But the much harder question is: When does an environmental or social issue rise to the level of being material?
Here are some steps directors can take to drive discussions about whether sustainability issues are material to the companies that they oversee.
1.) Understand how sustainability is being integrated into your company’s efforts as a way to identify material issues.
There are a few ways to do this. Directors could point management towards the Sustainability Accounting Standards Board’s Company Implementation Guide, which provides a great starting point for companies to assess whether certain sustainability factors could be considered material for the purposes of the company’s financial filings. Directors could also integrate themselves more meaningfully into corporate efforts aimed at identifying material sustainability issues. They could provide perspectives on the connections between sustainability factors, corporate strategy, risk, and revenue.
2.) Include key issues being raised by critical stakeholders in the materiality exercise.
While a broader range of stakeholders is raising a variety of issues these days, the financial community is a particularly critical constituency to direct attention towards. As we discussed in our panel, the U.S. investor community is starting to make the connections between sustainability and the financial value of companies in their portfolios. During the 2016 proxy season, close to 400 shareholder resolutions on climate change and other sustainability issues were filed. Large investors including CalPERS, CalSTRS and State Street Global Advisors are asking their portfolio companies to put directors with climate expertise on their boards.
In addition to tracking broad sustainability trends that investors are paying attention to, prudent directors could consider opportunities to engage directly with key shareholders to get a sense of issues specific to the company and the industry. Directors could also track and engage with the broader activist and advocacy community as a risk management exercise.
3.) Weigh in on the time frame over which issues are considered to be material.
Since the board in particular is responsible for long-term corporate performance, directors play an important role in examining whether their company’s materiality process focuses on considering issues over the long or short term.
Overall, momentum is building to adopt a more long-term view to encourage companies and boards to think more broadly about sustainability and materiality. The recently released Commonsense Corporate Governance Principles, which are backed by major U.S. companies including JPMorgan Chase & Co., Berkshire Hathaway, and BlackRock, support the move to long-term thinking. And more companies, including Unilever, Coca-Cola, and National Grid, are moving away from the practice of issuing quarterly guidance specifically to encourage investors and other stakeholders to adopt long-term thinking.
4.) Disclose details on what you consider to be your company’s material priorities.
Noting that determinations of materiality depend on whom the company considers to be its most significant stakeholders, governance experts are starting to call on corporate boards to release a statement noting critical audiences that the company is oriented towards and issues that the corporation is prioritizing. Companies like the Dutch insurance company Aegon have started to issue such statements.
The process of helping to identify the right issues is just a first step in a director’s responsibility on materiality. Directors have an important role to play in ensuring that material issues, when identified, are integrated into board deliberations on strategy, risk, revenue and accountability systems. However, getting to the right issues lays an important foundation for the company and its key stakeholders to build on.
The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Background on the Breach
Ashley Marchand Orme
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations to increase the responsibility of banks and insurance to protect their information systems and customer information. The regulations, if instated, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to—among other steps—establish a cybersecurity policy and incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%).
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, which is a global IT and cybersecurity professional association, and White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity, and the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.
Despite this call to action, overcoming short-termism remains a stark challenge for many companies. In fact, as the National Association of Corporate Directors’ (NACD) 2015 Blue Ribbon Commission observed, “factors encouraging a short-term focus are stronger now than ever before.” Additionally, in a 2015 report, the Conference Board contemplated whether short-term biases might jeopardize future business prosperity altogether.
Yet if short-termism is a sizable challenge, so too is the commitment to understanding why short-termism is so entrenched as a business practice and the task of mitigating its harmful effects. In July, the Anti-Fraud Collaboration, a group of organizations focused on fighting financial reporting fraud, hosted a webcast on Coming to Terms with Short-Termism. The discussion, which I was privileged to moderate, featured top experts and generated a wealth of useful takeaways for participants across the financial reporting supply chain.
Let’s look at a few key takeaways from the discussion.
1. Acknowledge and Define the Complexities of the Issue
To address the challenge of short-termism, it helps to understand the complexities of what companies are up against. For one thing, “short-termism” doesn’t equate to short-term activity, which isn’t necessarily bad. NACD Chair Karen Horn, director of Simon Property Group, observed at the outset of the webcast that the “long term is made up of many, many short-term actions.”
Another tricky step to understanding the complexities of short-termism is how to define “short-term” at your company. Is it a month? A quarter? A year? “It depends on the company,” said panelist Bill McCracken, president of Executive Consulting Group LLC. McCracken, who previously served as CEO of CA Technologies, added that even within a company the meaning of “short-term” can change according to different contexts, such as strategy or compensation.
2. Think Strategically
However complex a challenge combatting short-termism may seem, there are several simple solutions for directors to consider. One of them is this: think strategically. A strategic mindset helps short-term actions align with long-term goals. “Boards really need to be conversant with the company strategy,” said Horn. McCracken agreed, noting that board members should become “activist directors” who immerse themselves in the details of the company, its strategy, and its industry. This engaged approach, he added, can help directors be prepared to handle situations such as share buybacks or changes to dividend policy where questions of short-termism may arise.
Similarly, strategic thinking can also help directors gauge the validity of the use of non-GAAP measures. “Shouldn’t the use of non-GAAP measures also tie in to the strategy of the entity?” asked Douglas Chia, executive director of the Conference Board’s Governance Center. “Absolutely,” responded fellow panelist and KPMG Partner Jose Rodriguez.
3. Strengthen Tone at the Top…
One danger of short-termism is that it can heighten fraud risk across the enterprise. Companies need to ensure that management is setting the right tone at the top. “I can’t underemphasize tone at the top,” said Rodriguez. “How do [senior executives] talk to employees? Is everything geared around meeting that analyst’s [earnings] expectations?” From his auditor’s viewpoint, he added, “that would be concerning.”
4. …But Don’t Forget the “Mood in the Middle” and “Buzz at the Bottom”
While emphasizing tone at the top, panelists also stressed that short-termism shouldn’t be a point of concern for only senior management. Many instances of fraud, noted Rodriguez, occur outside the C-suite. “It’s middle management and lower management that had to get that sales number to a certain amount of dollars,” he said, and this pressure can lead to channel stuffing or other undesirable activity. Such activity is what audit committees, auditors, and the board ought to be looking for, added Bill McCracken.
5. Dial Down the Emphasis on Quarterly Results
“Our entire [financial reporting] structure is built around quarterly reporting,” said McCracken. While eliminating this quarterly focus might not be possible—or even desirable—panelists agreed that reducing the quarter-to-quarter mindset was an important part of addressing short-termism. “Obviously you can’t get entirely away from that,” said Chia, “but there are ways you can reduce the emphasis and build on the timeline that you think is appropriate—not what you’re being told by the analyst community.”
Fostering robust internal and external communication is a core priority for the Anti-Fraud Collaboration, and communication at all levels was a recurring theme throughout this webcast. When discussing the use of non-GAAP measures, Horn noted that “the chairman of the compensation committee should be talking to the chairman of the audit committee as these measures work their way in to [compensation] programs.”
Likewise, communicating effectively with external investors and other stakeholder parties is critical. “Boards need to really understand investor communications,” said Horn. “The way that we can pursue long-term value creation is in partnership with our investors.”