When Walter S. Isaacson winds down his 14-year tenure as the president and CEO of the Aspen Institute at the end of this year, his beloved hometown of New Orleans will be seeing more of him. Students in his classroom at Tulane University will be the lucky recipients of his rich knowledge and experience as he returns as a professor in those stately halls in the Garden District.
Walter S. Isaacson will speak at NACD’s 2017 Global Board Leaders’ Summit.
Isaacson, who has penned biographies of such greats as Benjamin Franklin, Albert Einstein, and Steve Jobs, will speak at NACD’s 2017 Global Board Leaders’ Summit in October on innovation and disruption. (He will also release a new biography on Leonardo da Vinci in October.)
In addition to his work as a writer, Isaacson keeps his governance plate quite full: he is a director of United Continental Holdings and an advisory board member of the National Institutes of Health. His nonprofit board service includes the Society of American Historians, the Carnegie Institution for Science, and My Brother’s Keeper Alliance. He also has served as an advisory board member at Perella Weinberg Partners, a global financial services and advisory firm, since 2015.
I recently had the opportunity to correspond with him via e-mail and ask him any question my heart desired. While the edited version of our full interview will run in the forthcoming May/June 2017 issue of NACD Directorship, I saved choice pieces from our exchange that unfortunately landed on the cutting room floor due to the physical constraints of a magazine page.
Many of my questions were inspired by newspaper headlines. “Why I’m Moving Home,” a recent New York Times op-ed piece by lawyer cum venture capitalist J.D. Vance, particularly grabbed my attention because it explores a common question: Can you really go home? Can you re-integrate yourself into that community—let alone revitalize it?
Isaacson seems to think so—and he’s a living example that it’s possible. Both he and his wife have divided their time between Washington, D.C. and New Orleans for some time. “I am happiest in my hometown of New Orleans dealing with issues of urban planning, jobs programs, and education reform,” he writes. “I got re-involved after Hurricane Katrina when I was made vice chair of the Louisiana Recovery Authority. My wife and I have a place in the French Quarter. I think there is more impact to be made when we act locally, and I am lucky that I have a deep passion for the town where I was born and raised.”
And how have the horrors of Hurricane Katrina shaped his worldview? The storm not only physically decimated New Orleans, but in its aftermath, the city’s population dropped by half largely due to storm-related displacements. Isaacson is determined to help reverse this radical demographic shift by invigorating education and entrepreneurialism to attract top talent and great thinkers back to the city.
“Hurricane Katrina reminded me of the value of home,” he writes. “I think that when we are looking for the good we can do and the impact we can have, now is a good time to be looking locally. I am fortunate to have New Orleans as my hometown. We are trying new ways to reform education and make an innovative environment for creative people and entrepreneurs.”
Do you have a similar experience of returning to your hometown to change it for the better? Do you serve on a board that inspires a company to better serve the communities in which the business operates? We’d love to hear from you. Share your experiences in the comment section.
Judy Warner is editor in chief of NACD Directorship magazine.
“If you had to sign a cybersecurity certification similar to the financial reporting requirements for corporate officers under Sarbanes-Oxley (SOX) Section 302, could you do it?”
As my firm counsels boards and C-suite executives on cyber risk, we often begin by framing our conversation with that provocative question. How directors answer will indicate how confident they are in the cybersecurity posture of their business.
As an exercise, let’s review SOX Section 302. For the purposes of this discussion I have replaced the finance-related text with cybersecurity-specific language. These changes are bolded, and other elements that are critical SOX measures for proper oversight by officers and the board are underlined.
SEC. 302. CORPORATE RESPONSIBILITY FOR CYBERSECURITY REPORTS.
(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal cybersecurity officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
(3) based on such officer’s knowledge, the cybersecurity statements, and other cybersecurity information included in the report, fairly present in all material respects the cybersecurity condition and results of operations of the issuer as of, and for, the periods presented in the report;
(4) the signing officers—
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report cybersecurity data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Now, how confident are you in the state of your cyber posture? Fortunately, to use the old exercise phrase, “this has been only a drill.”
However, multiple federal regulators, including the Securities and Exchange Commission, the Federal Trade Commission, and state agencies such as the New York Department of Financial Services, have become far more aggressive in holding corporate officers and board members accountable for cybersecurity oversight. And it is not out of the question that SOX-like requirements may materialize in the future, should another series of damaging breaches occur impacting consumers.
Regardless of whether regulators may soon require such specific attestations, significant discomfort with these questions at the board and C-suite level can indicate that cybersecurity is not being managed as an enterprise-level, twenty-first-century business imperative. With sensitive customer information, employee data, operational processes, intellectual property, and trade secrets all on your networks, cybersecurity represents a real business and reputation risk.
While no program or technology can guarantee that your organization will not be hit by a cyberattack, it is incumbent upon us all to learn what we need to know to ask the right questions and to close as many gaps as possible. As the regulatory environment continues to focus on our ability to provide effective oversight, doing nothing is a sure-fire way to find cyberthieves in your system as well as regulators, litigators, shareholders, and customers knocking on the boardroom door.
Tom Ridge is chair of Ridge Global, a risk management and cybersecurity advisory firm. An experienced corporate board member, he previously served as the first U.S. Secretary of Homeland Security and as the 43rd Governor of Pennsylvania.
The complexities surrounding short-termism make it a tough nut to crack. Short-termism in this instance refers to a focus on short-term company performance results to the detriment of achieving long-term strategic goals. But in all its forms, short-termism is not sustainable in a rapidly changing world. That’s why directors need to ensure that the organizations they govern seek a healthy balance in addressing the short- and long-term interests of the organization’s senior executives and stakeholders.
Short-termism is certainly not a new concept. In a recent survey of more than 600 public company directors and governance professionals conducted by NACD, 75 percent of respondents indicated that pressure from external sources to make short-term gains is compromising management’s focus on long-term strategic goals. This pressure can affect the board’s risk oversight.
Short-termism manifests itself in many ways. The most common example is focusing on quarterly earnings at the expense of funding long-term sustainable growth. But it can also lead to the pursuit of several risky activities, including: M&A deals for growth’s sake without clear linkage to the overall corporate strategy; releasing new products to market without sufficient testing; allowing cost and schedule considerations to undermine safety on significant projects (e.g., deferring maintenance or taking risky shortcuts); and taking on excessive leverage to pursue activities that are currently generating attractive returns.
Underlying the evidence of short-termism is a complex series of root causes. Globalization, technological developments, improved transparency, and reduced transaction costs have facilitated capital flows, enabling investors to reallocate their assets to seek higher yields with greater ease. Hedge funds and other activist shareholders are also acquiring small stakes in a company with the objective of steering profits to shareholders immediately (through higher dividends, stock buybacks, asset spinoffs, or downsizing in lieu of investing in innovation that will improve productivity and drive future growth, for instance). Still another cause is the existence of compensation structures emphasizing executive pay over the near term to the detriment of long-term shareholder interests. These compensation models skew management’s decision-making toward maximizing short-term profits even at the cost of taking on excessive risk.
Following are six concrete steps the board can take to ensure short-termism does not compromise risk oversight:
1. Focus the board’s oversight on risks that matter. If risk management is focused primarily on operational matters, chances are management is not focusing attention on the right question: Do we know what we don’t know? To face the future confidently, both management and the board need to focus the risk assessment process on:
a. identifying and managing the critical enterprise risks that can impair the organization’s reputation, brand image, and enterprise value; and
b. recognizing emerging risks looming on the horizon on a timely basis.
Even though the day-to-day risks of managing the business are important, they should not command the board’s risk oversight focus except when truly pressing issues arise.
2. Lengthen the time horizon used to assess risk. Focusing on quarterly performance, annual budgets, and business plans may lead to a risk assessment horizon of no more than three years. That period may be too limiting because strategic opportunities and risks typically have a longer horizon—even with the constant pressure of disruptive change on business models. For example, the World Economic Forum uses a 10-year horizon in its annual risk study. Longer risk-assessment horizons are more likely to surface emerging issues, along with new plausible and extreme scenarios, that might have been missed with a shorter time frame. Thus, the board needs to satisfy itself that management is using an appropriate horizon.
3. Understand and evaluate strategic assumptions. Management’s “worldview” for the duration of the strategic planning horizon is reflected in assumptions about several topics: the enterprise’s capabilities; competitor capabilities and propensity to act; customer preferences; technological trends; capital availability; and regulatory trends, among other things. Directors should weigh in on management’s assumptions underlying the strategy. Doing so could reveal insights into the external environment and internal operating impacts that could invalidate the critical assumptions underlying the strategy. This is a useful approach to understanding sources of disruptive change.
4. Integrate risk and risk management with what matters. Short-termism can reduce risk to an afterthought in the formulation of strategy. Risk management similarly can become a mere appendage to performance management. The strategy, therefore, may be unrealistic and may involve taking on excessive risk. In addition, performance management may be overly focused on retrospective, backward-looking lag metrics. The board should ensure the strategy-setting process considers risks arising from strategic alternatives, risks to executing the strategy, and the potential for the strategy to be out of alignment with the organization’s mission and values. Directors also should insist that prospective, forward-looking leading metrics be used to complement the more traditional metrics used to manage the day-to-day business operations.
5. Watch out for compensation imbalances. Publicly listed companies on U.S. exchanges are required to disclose in the proxy statement whether the company’s system of incentives could lead to unacceptably risky decision-making in the pursuit of near-term rewards. The compensation committee typically conducts a review for excessive risk-taking in conjunction with its oversight of the compensation structure. Board concerns with respect to short-termism are a red flag for the compensation committee to sharpen its focus on the potential for troubling compensation issues that could lead to bet-the-farm behavior. A key question: Do key executives have sufficient “skin in the game” so they will be incentivized to take risks prudently in the pursuit of value-creating opportunities?
6. Pay attention to the culture. Short-termism can contribute to a dysfunctional environment that warrants vigilant board oversight. For example, management may continue to execute the same business model regardless of whether market conditions invalidate the underlying strategic assumptions. Also, operating units and process owners may be fixated on making artificial moves (e.g., deferring investments) and manipulating processes (e.g., cutting costs to the bone) to achieve short-term financial targets. Instead, the strategy should be focused on fulfilling customer expectations and enhancing the customer experience by improving process effectiveness and efficiency. These and other red flags warrant the board’s attention because they signal the possibility of unacceptable risk-taking that must be addressed.
If short-termism is a concern of the board, directors need to ensure their risk oversight process isn’t compromised by it. A strong focus on linking risk and opportunity can help overcome some of the “blind spots” that a myopic, short-term outlook can create.