In June, NACD convened general counsels (GCs) from across the country for a one-day meeting in New York City on the role of the GC in supporting boards of directors. Program panels consisted of directors, GCs, and subject-matter experts on legal issues affecting board decision making.
The Evolving Role of the GC
According to Richard D. Buchband, senior vice president, GC, and secretary for ManpowerGroup, the GC must clear the way for the board to focus on strategic matters. Though each company is different, long past are the days when the GC’s role was to take minutes in the corner of the boardroom.
A clue to how a general counsel will be perceived in any given company may be found in the interview process, when a candidate should take note of whether board members participate. Also, in assessing how the board will utilize the GC, a candidate or sitting GC should be aware of whether board members hail from countries in which the GC traditionally takes a smaller role, reporting not to the CEO but to the CFO, according to Yvonne E. Schlaeppi, director for Stallergenes Greer and former GC for several companies, including Johnson Controls Europe.
Once connected to the board, the general counsel can be of value for many facets of the enterprise, leveraging his or her unique position in the organization to assimilate information and data from across the business. Several suggested that the general counsel should always offer a recommendation when providing input to the board. In fact, judgment is a critical part of what a GC offers the board. “The crux of a GC being a strategic advisor to the board is having your good judgment on the complex mix of puzzles which general counsels deal with all the time—including commercial, legal, and people challenges—recognized and valued,” said Schlaeppi.
Further, the career of Robert Bostrom, senior vice president, GC, and corporate secretary for Abercrombie & Fitch Co., illustrates how the general counsel can be the glue for an organization in turmoil. During a prior role as general counsel at Freddie Mac, he saw several CEOs and CFOs come and go around the time of the 2008 financial crisis and when the government appointed a conservator. Today, Bostrom co-chairs Abercrombie’s enterprise risk management group and leads the organization’s crisis management team, taking point on risks affecting the company’s reputation.
Moving the Board Forward
Of course, given that the GC is often the most knowledgeable person about issues of corporate governance, the GC brings tremendous value by providing advice and counseling on governance matters. Gillian A. Hobson, partner, capital markets and mergers & acquisitions at Vinson & Elkins, pointed out that such governance matters include issues such as independence, diversity, proxy access and others outlined in Commonsense Corporate Governance Principles, published in 2016 by a group of leading executives and investors. In addition, in order to move a board forward, the general counsel has a number of specific tools at his or her disposal. The general counsel can:
Suggest formats for a board evaluation and skills matrix;
Bring outside information (such as NACD’s Blue Ribbon Commission Reports) and outside perspectives (such as those from ISS, BlackRock and others) to the board; or
Develop relationships with board members, including board leadership and more progressive board members.
William E. McCracken, director for MDU Resources Group and for NACD, suggested that when boards get “stuck,” the GC is in a “unique position to lift the board’s vision up to see what else is happening out there.” Steven Epstein, corporate partner and co-head of mergers and acquisitions at Fried Frank, agreed. “The GC will be up to speed on the general M&A landscape and the latest thinking of the courts and will be well-positioned to combine that knowledge with the business objectives of the company, which is extremely valuable to the board.”
No Surprises and Keep It Short
Several times throughout the day, panelists espoused the best practice of imparting “no surprises” to the CEO or the board. For example, if the GC sets up lunch with a board member, Buchband suggests a check in with the CEO after the meeting is set but before the lunch takes place. “I ask the CEO if there are any issues he would like me to raise or discuss,” said Buchband. Keeping the board informed on matters affecting governance is equally important.
Also, all panelists reiterated how important it is for the GC to keep materials short and topline for the board. “We can be victims of our own desire to be thorough,” noted Buchband.
Enterprise Risk Management and Compliance Make the GC’s Job Easier
The role of risk assessment is not to avoid all risk, but rather to identify and manage risk, said George J. Terwilliger III, partner at McGuire Woods. In fact, Bostrom noted that enterprise risk management at Abercrombie helps him and the company prioritize risks. If a risk rises to the top, then a cross-functional, high-level team has agreed that it should be there, and he doesn’t have to champion the cause as a lone voice.
Daniel Trujillo, senior vice president and chief ethics and compliance officer for Wal-Mart International, stressed that a culture of compliance must start at the top. A program must then be implemented that is effective, consistent, data driven, efficient and sustainable. Terwilliger echoed that compliance has to be part of the fabric of the company, with the compliance council acting as a convener rather than as “internal police.” Today, predictive analytics help his team spot trouble early at Walmart, at the country or even the store level.
Consider Cross-Border Complexities
Just as Wal-Mart operates globally, so too do companies like Abercrombie. David H. Kistenbroker, global co-head of white collar and securities litigation at Dechert, reminded the audience to consider cross-border complexities when advising the board. Long-arm statutes in the United States and United Kingdom can impact deals all over the world. Due to such complexities, the GC is in a unique position to be a strategic asset to companies operating globally, especially where board members are all based in in the United States.
NACD would like to thank the panelists for sharing their experiences with attendees, and for these generous sponsors for their support of the event: Dechert, Fried Frank, KPMG, and Vinson & Elkins.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
One important source of operational risk relates to the organizations, people, processes, and resources comprising a company’s supply chain. In many sectors, companies increasingly depend on the external elements of the supply chain (e.g., suppliers, outsource partners, third-party logistics) in an effort to cut costs while increasing capabilities and global reach. Because every business depends on a well-functioning, cost-effective supply chain, every board should consider its oversight of supply chain risks. The following are seven suggestions for better board-level oversight of supply chain issues.
1. Strike the right balance when selecting a supplier. Time, cost, quality, and risk are four factors a company needs to consider when identifying potential suppliers, negotiating contracts, and evaluating supplier risk and performance throughout the lifespan of the contract. Boards should be leery when management emphasizes one or two factors over the others as this can result in unintended consequences. For example, seeking to reduce procurement costs when negotiating supply contracts should not lead to the unintended consequence of taking delivery of components that fail to meet critical quality specifications or timing requirements.
2. Make procurement decisions with an enterprisewide perspective. Striving for functional excellence is a laudable goal, but it has its limits. Companies can incur huge losses making procurement decisions in isolation, ignoring initiatives undertaken by the research and development, engineering and finance functions.
3. Ensure the supplier agreement spells everything out. When a contract clearly defines scope, business objectives, deliverables and performance specifications, it lays the foundation for ongoing monitoring of contract compliance and supplier performance and reduces the risk of costly disputes and misunderstandings. For example, the contract should clarify product and packaging specifications and quality control and inspection protocols so that performance can be monitored over time. It also should ensure that intellectual property and critical assets (e.g., proprietary molds and tools the company gives to the supplier) are adequately protected. Due to the complexity of managing suppliers operating in other countries, boards should ensure that the procurement process is supported by legal advisers knowledgeable of the applicable court jurisdictions, particularly in countries where laws, customs, and business ethics may vary.
4. Hold suppliers to the same level of accountability. The rigor of company processes for identifying, sourcing, measuring, monitoring, and reducing third-party relationship risks should be proportionate to the level of risk and complexity of those relationships. With respect to legislative and regulatory developments regarding disclosure of the actions a company has voluntarily undertaken to remove labor abuses from its supply chains, companies should seek the advice of counsel as to the status of these developments and the jurisdictions and circumstances in which they apply. Given this environment, a case can be made for adopting and enforcing a supply chain code of conduct—especially for vendors authorized to act as agents on behalf of the organization. Coupled with a code of ethics that details the principles and values by which the company operates, a code of conduct might address topics such as human rights, health and safety standards, environmental sustainability standards, ethical and responsible business behavior, and cybersecurity standards.
5. Conduct periodic third-party audits. A supply chain code of conduct is only as good as the vendors who sign it. That’s why a cost-effective third-party audit process is Such audits may be integral to the due diligence associated with vendor selection and onboarding. Conducted on a periodic basis, third-party audits may focus on: selected internal controls, such as cybersecurity; vendor performance against contract specifications; and compliance with laws and regulations. The audits may also be conducted before contract renewals.
6. Monitor supplier risk and performance over the life of the contract. The risk environment is not static over the life of the contract. All suppliers should be segmented based on factors such as risk, the level of spend, criticality, and alternatives in the market. The segmentation should drive the level of preselection due diligence, the contracting strategy, and the level and frequency of monitoring through contract duration. Ideally all facets of contract and supplier risk are addressed through performance reporting, including early warning alerts before it’s too late to act on a timely basis.
7. Pay attention to business continuity risk. There are many instances where a single-source supply strategy is the right business decision. In these cases, however, quality, time, and cost considerations often win out over business continuity risk considerations despite the risk of supply chain disruptions. Thus, risk assessments should consider what could happen to the organization’s business model if any key component of the supply chain were taken away, even though a cause may be somewhat elusive at the time of the assessment.
An assessment should also consider the implications of plausible and extreme scenarios stemming from the loss of strategic sources of supplies for an extended period, including exposure to data security risks and physical access to sensitive information, the financial impact, expected recovery time, and adequacy of current recovery and contingency plans. To illustrate, directors should inquire whether management has considered the following questions:
What would happen if we were to lose, for any reason, one or more of the suppliers that we depend on for essential raw materials and components?
How long would we be able to operate?
What if there were significant disruptions in transportation?
What contingency plans do we have?
Have our key suppliers performed their own risk assessments with respect to key “Tier Two” or “Tier Three” suppliers? How do we know?
The board should be informed of the results of these assessments.
Robert P. Silvers is a respected expert on Internet of Things security and effective corporate planning and response to cybersecurity incidents. Silvers is a partner at Paul Hastings and previously served as the Obama administration’s assistant secretary for cyber policy at the U.S. Department of Homeland Security. Silvers will speak at NACD’s 2017 Global Board Leaders’ Summit in October and NACD’s Technology Symposium in July.
Robert P. Silvers
Cybersecurity breaches pose a growing threat to any organization. As we’ve seen in recent years, and indeed in recent weeks, the most sophisticated companies and even governments aren’t immune from cyberattack. Ransomware has become a global menace, and payment data and customers’ personal information are routinely swiped and sold on the “dark web” in bulk. Next-generation Internet of Things devices are wowing consumers, but they are also targets, as Internet connectivity becomes standard-issue in more and more product lines.
How do directors prepare for this landscape? Everyone now acknowledges the importance of cybersecurity, but it is daunting to begin to think about implementing a cybersecurity plan because it’s technical, fast-moving, and has no “silver-bullet” solutions. Most boards now consult regularly with the organization’s information security team, but the discussions can be frustrating because it’s hard to gauge readiness and where the organization really stands in comparison to its peers. Sometimes directors confide in me, quietly and on the sidelines, that their real cybersecurity strategy is one of hope and prayer.
There are steps directors can take now to prepare for incidents so that when they occur the company’s response is well oiled. With the right resources and preparation, boards can safely navigate these difficult and unforeseen situations. Three key strategies can assist directors as they provide oversight for cybersecurity risks:
Building relationships with law enforcement officials
Having incident response plans in place (and practicing them)
Staying educated on cybersecurity trends
1. Building Relationships With Law Enforcement Officials
It’s no secret that relationships are central to success. Building the right relationships now, before your worst-case scenario happens, will help manage the situation. The Federal Bureau of Investigation is generally the lead federal investigative agency when it comes to cybercrime, and the United States Secret Service also plays an important role in the financial services and payment systems sectors.
Boards should ensure company management educates law enforcement officials from these agencies about the company’s business and potential risks. In turn, the company should ask law enforcement to keep it apprised of emergent threats in real time. There should also be designated points of contact on each side to allow for ongoing communications and make it clear whom to contact during an incident. This is critical to ensuring that the company has allies already in place in the event that a cyberattack occurs.
2. Having—and Practicing—Incident Response Plans
Directors should ask to see copies of the company’s written cyberbreach response plan. This document is essential. A good incident response plan addresses the many parallel efforts that will need to take place during a cyberattack, including:
a. Technical investigation and remediation;
b. Public relations messaging;
c. Managing customer concern and fallout;
d. Managing human resources issues, particularly if employee data has been stolen or if the perpetrator of the attack is a rogue employee;
e. Coordination with law enforcement; and
f. Coordination with regulators and preparedness for the civil litigation that increasingly follows cyberattacks.
An incident response plan is only valuable if it is updated, if all the relevant divisions within a company are familiar with it, and if these divisions have “buy in” to the process. If the plan is old or a key division doesn’t feel bound by it, the plan isn’t going to work. Directors should insist the plan be updated regularly and that the company’s divisions exercise the plan through simulated cyber incidents, often called “table-top exercises.” Indeed, table-top exercises for the board itself can be an excellent way to familiarize directors with the company’s incident response plan and its cyber posture more generally.
3. Staying educated on cyber security trends
As your board is building relationships with law enforcement officials and preparing an incident response plan, directors should also be educating themselves on cyber risk. Cybersecurity becomes more approachable as you invest the time to learn—and it’s a fascinating subject that directors enjoy thinking about. Do you know what a breach will look like for your company? What protocols do you have in place in case something happens?
According to the 2016–2017 NACD Public Company Governance Survey, 89 percent of public company directors said cybersecurity is discussed regularly during board meetings. Since a majority of directors in the room agree that cybersecurity is worth discussing, directors should collectively and individually prioritize learning the ins and outs of cyber risks.
One easy way to stay up to date on the latest is to ask the company’s information technology security team for periodic reports of the most significant security events that the company has encountered. This will give directors a feel for the rhythm of threats the company faces day in and day out.
Another option is for directors to take a professional course and get certified. The NACD Cyber-Risk Oversight Program is a great example of a course designed to help directors enhance their cybersecurity literacy and strengthen the board’s role in providing oversight for cyber preparedness. Consider these options to keep yourself as educated and informed as possible.
The more you can prepare individually, the better off you will be when you have to provide oversight for a cybersecurity breach at your company.