There was a lot of buzz around NACD’s offices earlier this month as our people learned that momentum is building to end quarterly earnings forecasts. You can’t work at NACD for very long without learning that our members champion long-term value creation and oppose short-termism, or without coming to understand how earnings guidance destroys the former and promotes the latter. (Short-Termism 101: when companies estimate the next quarter’s earnings per share, they drive a 90-day focus on meeting that projection and discourage focus on the organization’s long-term vision.)
Our communal excitement stemmed from reports of an interview on CNBC’s Squawk Box featuring Berkshire Hathaway CEO and chair Warren Buffett and JPMorgan Chase CEO and Business Roundtable member Jamie Dimon. During the June 7 interview, the two iconic businessmen agreed that companies should stop providing quarterly earnings guidance. NACD’s researchers noticed the interview and hailed it as “great news.” They praised the Business Roundtable for its “leadership” and shared links to relevant research with me, such as the study “Does the Cessation of Quarterly Earnings Guidance Reduce Investors’ Short-Termism?” and the report “Moving Beyond Quarterly Guidance: A Relic of the Past” from FCLTGlobal, the think tank for focusing capital on the long term.
Later that day, NACD put out a press release noting that while NACD had called for a move away from quarterly earnings guidance in the past, the problem was still lingering in 2017. The 2017–2018 NACD Public Company Survey found that nearly three-quarters (74%) of respondents said that focus on long-term strategic goals has been compromised by pressure to deliver short-term results. Frankly, the finding was discouraging, considering how many years we have all been working to reverse short-termism.
Perhaps a flashback is in order. Dimon and Buffett were not the first to advise ridding corporate America of short-term guidance, and the Squawk Box interview wasn’t even the first time they themselves had done so.
In June 2010, exactly eight years ago this month, NACD joined the Business Roundtable as some of the first subscribers to an Aspen Institute manifesto entitled Long-Term Value Creation: Guiding Principles for Corporations and Investors. One of the principles in that document was the recommendation that companies and investors should “avoid both the provision of, and response to, estimates of quarterly earnings and other overly short-term financial targets.” I was happy to sign on. Even prior to 2010 NACD had been making recommendations against short-termism in our Blue Ribbon Commission reports, our Key Agreed Principles, and other publications, especially those addressing executive compensation.
In July 2016, both Dimon and Buffett themselves had signed onto a similar recommendation when developing the Commonsense Corporate Governance Principles, which were published with backing from large institutions and companies across the investment chain. I spoke about the principles on C-SPAN the following month. The 2016 Principles stated that “companies should not feel obligated to provide earnings guidance—and should do so only if they believe that providing such guidance is beneficial to shareholders.” They further stated that “making short-term decisions to beat guidance . . . is likely to be value destructive in the long run.”
In September 2016, I was a delegate at the General Counsel Summit on Short-Termism and Public Trust. The report from that event cited the 2016 Principles with respect to earnings guidance, as well as research from the Conference Board and others dating back more than a decade in questioning the wisdom of earnings guidance.
So looking back, the journey to end earnings guidance has been long. But that was then and this is now. Dimon today chairs the Business Roundtable (he was named chair in December 2016). And on the morning of June 7, the medium was an important part of the message: there were Dimon and Buffett, expressing their views in plain, spontaneous language, live, for all the world to see and hear in all their familiarity.
This entire history reminds me of a quote by Scottish author and government reformer Samuel Smiles, known for his treatise on self-improvement, Self-Help. He wrote: “Progress, however, of the best kind, is comparatively slow. Great results cannot be achieved at once; and we must be satisfied to advance in life as we walk, step by step.”
Thanks to many steps by many people over many years, the bell is tolling for earnings guidance at last. And that is indeed the best kind of progress.
Aligning with your company’s new chief information security officer (CISO) is a great opportunity to provide better protection for your organization, ensure regulatory compliance, and align previously siloed teams to gain clarity on how your business will respond in the event of a cybersecurity crisis. That’s why I urge board members to initiate early communication with those directly in charge of maintaining the enterprise’s vision for security by asking questions and collaborating on cybersecurity strategies.
According to a new study from the Enterprise Strategy Group and the Information Systems Security Association, a lack of alignment between the security leader and the business can contribute to high CISO turnover. This is especially true if the CISO doesn’t feel welcome to participate in boardroom meetings with executives.
This is a two-way street, of course. Board members often lack the knowledge they need to converse with information technology (IT) and cybersecurity professionals. They also tend to lack an understanding of how these groups contribute to effective enterprise risk management. Below we go through a few tips that will help put you on the right track and align these critical parties.
Understanding Your Company’s Risk Tolerance
First, in order for the board to understand the company’s cybersecurity posture, its members need to understand what level of risk is appropriate for your company. Each company’s individual strategy for growth, innovation, and safety should determine the extent to which it manages various types of risk, be it safety risks, operational risks, environmental risks, or technology risks (keeping in mind that technology plays a role in just about every category of risk).
Cybersecurity programs need to address an expansive and ever-changing threat landscape. They should include strategies to identify how vulnerable the organization is, to determine whether it has been compromised, and to improve operational efficiency. During the new CISO’s first 90 days, directors should be sure to get his or her input on all of these areas, along with a documented approach to how the CISO will monitor the overall risk to the business based on these elements.
Understanding the risk tolerance of the business is the first step, but to determine it properly the CISO must be able to answer several questions. Knowing which questions to ask, and how they relate to managing risk within the company, will go a long way toward effective cyber risk management. To get a full understanding of your company’s cybersecurity posture, and to ensure your security team is focused on the right things, ask your new CISO to answer the following questions in his or her first 90-day board report.
Does our security team have a full, well-informed view of our organization’s vulnerabilities? What are our top three cyber threats? How do we identify and deal with emerging threats?
What have we learned from past cybersecurity incidents?
Does management have a clear vision of the cyber risks to our organization? Can you provide any past examples of C-suite executives supporting the cybersecurity objectives of the company?
Are we managing cyber risks in alignment with the appropriate level of risk for our company and industry?
What steps are we taking to ensure compliance with all requirements for our industry? Do we follow any cybersecurity industry best practices, such as the Center for Internet Security’s CIS Critical Security Controls?
What is our cybersecurity incident response plan? Do we maintain an internal and external communications plan as a component of that? Has a tabletop exercise been completed to test the effectiveness of the plan?
How is our security team collaborating with our IT and development operations teams? Look for examples of a strong security operations (SecOps) practice, such as shared data and integrated processes, helping to make security inherent within all business operations and innovation.
How are we ensuring that our partners take appropriate security measures? For example, when engaging outside firms for services, are those other companies protecting sensitive information such as our marketing strategies and customer information? How is this being enforced? This could include signing agreements and performing regular assessments of vendor security practices.
How do you measure the effectiveness of our cybersecurity program and initiatives?
What investments can we make to further reduce our risk? What do we need and why?
As your board reviews the information the CISO provides, encourage members to ask for relevant, specific examples and documentation. While your fellow board members might not know the underpinnings of cybersecurity, they will bring a fresh point of view on the resources behind these processes and how they are implemented. For instance, a comprehensive incident response plan should be thoroughly documented and readable for all involved parties, so that each of them knows their role during a security incident.
By asking the CISO these probing questions, verifying the responses, having a knowledgeable senior executive or board member act as sponsor, and partnering with a trusted cybersecurity advisor, your organization will have a defined understanding of its cyber risks and will be prepared to make informed investment decisions.
Only 44 percent of cybersecurity professionals surveyed by the Enterprise Strategy Group and the Information Systems Security Association believe that CISO participation with executive management and boards of directors is at the right level. Clearly, more needs to be done to inform risk-based cybersecurity decision making and to integrate SecOps more deeply into core IT and development responsibilities. How can you buck that trend?
The CISO’s 90-day report is the perfect occasion to discuss the answers to these questions. Follow up with your CISO to identify areas of concern and where more support from the board or executives might be needed for the CISO to succeed. An ongoing dialogue is critical, and it will fine-tune cyber-risk management. It will also allow management to make informed technology investments, identify what training needs to happen, and provide ongoing cybersecurity governance aligned to risk tolerance and business goals.
The time is now for boards to improve the quality of dialogue with CISOs. Initial conversations and expectation-setting will minimize the possibility of overlooking cyber risk that could be detrimental to the corporation and its shareholders, while also making sure that everyone involved in the oversight of security gets on the same page.
Corey E. Thomas is CEO of Rapid7.
With the principle of the rule of law and democratic governance under siege in numerous parts of the world, corporate board members are increasingly considering how global events are creating mounting risks to both their businesses and the bottom line.
Many of these events are taking place in jurisdictions that have long been high risk for companies. The Democratic Republic of the Congo, Venezuela, and Myanmar, for example, have for some time presented operational challenges as a result of poor governance. In recent years, however, countries thought of as bulwarks for the rule of law have also begun to present challenges for businesses. Some argue that these include the United States, a country that traditionally has been known as a powerful advocate for the rule of law and democratic values and the long-time guarantor of the system of global governance, and the United Kingdom, where the legal and regulatory uncertainty caused by Brexit has seen many investment decisions put on hold.
Just in the last few weeks actions taken by the United States with rule-of-law implications have given some in the business community great pause. US actions regarding Chinese telecom company ZTE Corp. have raised questions as to whether a law enforcement action against a corporate entity can be used as a point of leverage in an international trade negotiation. Notwithstanding policy arguments for and against, the US’s withdrawal from the Iran agreement and pending re-imposition of secondary sanctions create significant uncertainty both for international businesses making investment decisions in Iran, and with respect to the US’s long-term commitments to international agreements. Many also note that America’s executive in chief has imposed considerable pressure on elements of the Federal government whose independence has long underpinned the rule of law in the United States, from individual judges and the judiciary to members of Congress, to law enforcement and the Federal Bureau of Investigation. This pressure has at times taken the form of quite personal attacks that set a concerning precedent, including for businesses that must ask whether they could become a target for a president who dislikes what they may be doing.
It is no secret that businesses do well in jurisdictions where the rule of law is strong: where contracts are enforceable, where fair judicial decisions are rendered without unreasonable delay, where assets aren’t arbitrarily seized or contracts arbitrarily renegotiated, where laws and regulations are transparent and applied fairly, where bribes need not be paid for discretionary actions by government. These are environments where businesses thrive. Indeed, as a 2015 Report by law firm Hogan Lovells and the Bingham Centre for the Rule of Law makes clear, there is a strong correlation between foreign direct investment in a country and the existence of a sound rule of law.
Businesses also do well where basic principles of the rule of law and associated norms are embedded. The separation of powers, the existence of a resilient and independent law enforcement system, and basic respect for truth and fact-based decision making are all important contributors to business success.
Finally, the existence of a strong rule of law correlates with broader societal thriving, making for an invigorated source for customers, employees, partners, and suppliers.
Given this reality, it is imperative that boards be sensitive to the range of rule-of-law issues that impact their businesses, even in jurisdictions where they least expect it. This means considering specific risk factors involving rule of law, above and beyond more generic political risk factors, whenever contemplating entry into new jurisdictions. The same can be said for assessing merger and acquisition or joint venture prospects, even in places where rule of law issues aren’t on the front page of newspapers every day. Indeed, a broad range of rule of law risk factors should be included in standard risk matrices so that business-critical issues such as prospects for the enforceability of contracts, or the ability to get a fair and timely judicial decision, or the independence of law enforcement are specifically considered when assessing risk. Existing governance and compliance frameworks can readily be adapted to reflect rule of law issues, alongside human rights and other risk issues. Rule of law matters should be included on the agenda of board meetings when appropriate.
In addition, boards should consider their companies’ own self-interest in the existence of a strong rule of law, and decide what their role might be in encouraging better governance, both within the companies themselves and in the environments where they operate. Many high-profile businesses have stepped up in recent months to publicly support such issues as countering climate change (as occurred when the US withdrew from the Paris Climate Agreement last year, which precipitated an outpouring of commitments by businesses to meet the goals set out), or in response to gun violence (as with Dick’s Sporting Goods following the Parkland school shooting), for instance.
In this regard, business can serve as a champion of good governance and the rule of law, advocating for improving the standards of governance where appropriate, and initiating collective efforts with like-minded companies with shared interests in stronger rule of law. Chambers of Commerce and other trade associations can be powerful voices when it comes to advocating for a strong rule of law that encourages foreign investment and secures stable business environments. Directors can urge the associations they are involved in to initiate efforts to support the rule of law, helping to bring to bear the influence and credibility of the business community to move the needle, in a positive way, on the quality of governance and the rule of law. Further, there are business-driven associations that provide a platform for collaboration to support the rule of law.
With the rule of law being challenged in so many countries around the world, businesses have both a strong interest in and ability to contribute to fostering a strong rule of law everywhere. Businesses, and their directors, should be part of the urgent work to publicize and mitigate what it is we as a global community will lose if the rule of law is undermined.
Ulysses Smith is a US-based lawyer and director of the Business and the Rule of Law Program at the Bingham Centre for the Rule of Law. All thoughts are his own and do not necessarily reflect those of NACD.