Ask These Key Questions to Assess Cyber-Risk Oversight

Published by
Jim DeLoach

This special supplement to Jim DeLoach’s recent blog post provides several questions to empower effective conversations about the state of a company’s cyber-risk oversight practices.

I recently shared several business realities that boards should consider as they oversee cybersecurity risk. These realities point to the need for companies and their boards to ensure that cyber-risk management efforts are focused, targeted, cost-effective, and continuously improving. While these realities are important to bear in mind, the board must inform its understanding of the company’s cyber-risk capabilities by asking the right questions.

Following are suggested questions that directors may consider, in the context of the nature of the entity’s risks inherent in its operations.

  • As a board, are we sufficiently engaged in our oversight of cybersecurity? For example:
    • Do we include cybersecurity as a core organizational risk requiring appropriate updates in board meetings?
    • Do we have someone on the board, or someone advising the board, who is the point person on this topic?
    • Are we satisfied that the company’s strategies for reducing the risk of security incidents to an acceptable level are proportionate and targeted?
    • Does the board receive key metrics or reporting that present the current state of the security program in an objective manner?
    • Is there a policy on securing board packets and other sensitive material communicated to directors? If not, is there potential exposure from sharing confidential information through directors’ personal and professional email accounts and free file-sharing services that are not covered by the company’s cybersecurity infrastructure?
  • Have we identified the most important business outcomes (both unanticipated successes of the digital initiative, as well as adverse events) involving critical data and information assets (the crown jewels)? With respect to those outcomes occurring:
    • Do we know whether and how they are being managed?
    • Does our security strategy differentiate them from general cybersecurity?
    • Do we assess our threat landscape and tolerance for these matters periodically?
    • Are we proactive in identifying and responding to new cyber threats?
  • Does the company have an incident response plan? If so:
    • Have key stakeholders supported the development of the plan appropriate to the organization’s scale, culture, applicable regulatory obligations and business objectives?
    • Have we thought about the impact specific cyber-events can have and whether management’s response plan is oriented properly and supported sufficiently?
    • Is the plan complemented by procedures providing instructions regarding actions to take in response to specific types of incidents? Do all the stakeholders for a planned response know their respective roles and responsibilities? Is it clear for which events the board should play a key role in overseeing the response efforts?
    • Are effective incident response processes in place to reduce the occurrence, proliferation, and impact of a security breach?
    • Are we proactively and periodically evaluating and testing the plan to determine its effectiveness? For example, does management have regular simulations to determine whether the detective capabilities in place will identify the latest attack techniques?
    • In the event of past significant breaches, have we made the required public disclosures and communicated the appropriate notifications to regulators and law enforcement in accordance with applicable laws and regulations?

The dialogue resulting from these questions stands to lead to improvements in cybersecurity, if any are needed. Be sure to check out my earlier blog for further discussion of this important topic.


Jim DeLoach is managing director at Protiviti.

Investors Want to Engage on Sustainability—Are You Prepared?

Published by
Chad Spitler

The rise of sustainability as a governance imperative is inextricably tied to the growing influence of large institutional investors, particularly index funds, and the governance teams within them. Generally speaking, governance-focused asset managers now control more than one-third of the average public company’s shareholder register. Recently, the world’s three largest investors bulked up the staff of their governance teams dedicated to analyzing and meeting with portfolio companies, which included hiring individuals with expertise on environmental and social topics.

The heightened focus on environmental, social, and governance (ESG) analysis and corresponding engagement is heavily influenced by the Principles for Responsible Investment (PRI). The PRI promotes “active ownership” (such as engagement and proxy voting) and “ESG integration” (which is intended to improve investment decision-making by linking the analysis of ESG factors with financial performance). What began in 2006 with 200 asset owners has grown to more than 1,600 global signatories, including investment managers, with more than $60 trillion in assets.

Recently, the PRI announced that it will de-list signatories if they do not show progress in implementing the Principles. Because being a PRI signatory is commonly a requirement for asset managers to win mandates from asset owners, this move may incentivize PRI members to increase the frequency and sophistication of their engagements and add momentum to the quest for ESG data that is comparable across companies and industries.

Market participants are also seeking to understand and quantify the link between ESG and financial value. An increasing number of data providers, consultants, credit rating agencies, and nonprofits are assessing and rating companies on their performance on ESG criteria. Concurrent with that analysis is the emergence of academic and proprietary research which correlates effective ESG oversight with financial value creation, further encouraging investors to understand how companies link sustainability and business strategy.

Investors Take Action

These dynamics are already changing the market. Investor coalitions, including the Commonsense Corporate Governance Principles and Investor Stewardship Group, have been formed to issue guidance and perspectives on governance and sustainability issues. In addition, certain shareholder proposals on environmental and social issues are receiving high levels of support from a growing range of institutional asset managers. Importantly, within the past few months, both BlackRock and State Street Global Advisors have stated that if they do not perceive progress from issuers on sustainability initiatives in their engagement, they will consider voting against the nominating/governance committees of those companies.

Preparing to Engage

Given these trends, it is incumbent on issuers to take steps now to ensure that they are engaging effectively with their investors. Here are four ways to prepare:

  • Establish clear governance of sustainability. Investors want to know that their portfolio companies have effective governance structures in place to manage the development and execution of sustainable strategies. A coordinated program should be built with the following points in mind:
    • Employees across the organization need to be educated, aligned and incentivized toward common sustainability goals;
    • The financial risks and opportunities of sustainability activities need to be assessed for potential return on investment;
    • Metrics and systems need to be established to track progress against sustainability goals; and
    • The board and management should clearly identify who is responsible for sustainability in order to ensure the integration of sustainability considerations into strategic planning and incentives, as appropriate.
  • Identify the material ESG factors for your company. It is critical to identify which ESG issues have the greatest potential to create risks or provide opportunities that may impact the long-term value of your company. Investors are increasingly looking to the Sustainability Accounting Standards Board (SASB), which provides industry-specific guidance on the most potentially material ESG factors in a given industry, and other disclosure standard setters for this information.
  • Tell your story. Companies should be proactive in communicating with investors about sustainability. That means strengthening disclosure of sustainability governance, strategy, goals, and performance in public filings and producing enhanced sustainability reports to demonstrate the financial materiality of ESG topics. Companies will also want to ensure internal subject matter experts are equipped to engage with investors and external rating agencies.
  • Keep your eye on the future. Today, investors frequently compare financial disclosures to material non-financial information contained in documents such as sustainability reports. One trend that is emerging to help ensure these disclosures are complementary is integrated reporting, which combines financial and sustainability disclosure in a single, cohesive document. While still nascent, this practice is intended to provide investors with a better understanding of the link among corporate business strategy, sustainability initiatives, and short- and long-term value creation.

From traditional governance factors like compensation, board composition, and independence, to environmental and social factors like energy efficiency and diversity, sustainability is now integral to every company’s business model. As the market continues to incorporate, value, and reflect the materiality of sustainability into investment strategy and engagement, companies that can effectively tell their sustainability story will be best positioned to succeed with the world’s largest investors.

Chad Spitler is head of the Sustainability Advisory Practice at CamberView Partners.

Director Pay: Slow Evolution in a Changing Environment

Published by
Ashley Marchand Orme

While the essentials of director pay remain steady, interesting changes are happening at the margins. Review the findings of the forthcoming Pearl Meyer/NACD 2016–2017 Director Compensation Report in this condensed article from the March/April edition of NACD Directorship magazine. Members may read the full article, including charts, here.

Continued slow growth in what boards pay their members suggests that “director compensation is evolutionary, not revolutionary,” said Jannice L. Koors, managing director at compensation consulting firm Pearl Meyer and head of the firm’s Chicago office. Director pay has, in other words, changed little over time.

Data from the Pearl Meyer/NACD 2016–2017 Director Compensation Report show that median director pay at public companies increased by 3 percent over the previous year. That brings median total compensation for individual directors to $191,440 for all firms, from micro-sized to the top 200 public companies. Median pay across all companies studied in the previous year’s report was $186,610.

While the report found no about-faces or surprises in overall median director compensation, a closer look at what is happening in the margins reveals continued evolution.

Pay Growth Aligns With the Stock Market

Directors have seen steady increases in pay in recent years as the stock market has continued to recover from the 2008 global financial crisis. The link between director pay and the stock market has strengthened as boards have offered directors less cash and more equity.

When Pearl Meyer published its inaugural director compensation report with the NACD in 1999, less than 25 percent of the largest 200 public companies in the United States included stock in their director compensation plans. That percentage had grown to 50 percent by 2002. In this year’s survey, 93 percent of the companies indicated they include some type of equity in their mix of director pay.

With that mix of pay elements, a strong stock market means bigger paychecks for board members. And that is how it should be, according to the Report of the NACD Blue Ribbon Commission on Director Compensation: Purpose, Principles, and Best Practices. The commission, led by Harvard Business School Professor Robert B. Stobaugh, recommended the following: “Boards should pay directors solely in the form of equity and cash—with equity representing 50 to 100 percent of the total.”

Changes in the Political and Regulatory Environments

The political and regulatory environments can stimulate strong performance among companies traded on the U.S. stock exchanges. Attempts to forecast what the next few years will look like for corporations prove difficult.

The director compensation report notes that President Trump’s administration and a Republican-controlled Congress could adopt protectionist policies that would likely refocus business activity on the United States and away from some international trading partners.

The president’s promises to help businesses by deregulating, however, have produced some level of optimism in corporate America. JPMorgan Chase & Co. in February published results of an online survey showing that more than 75 percent of middle-market business executives expect the policies of the Trump administration and the Republican-controlled Congress to positively affect their businesses because of expected tax reform and fewer regulations.

Koors noted that the current administration feeds the populist sentiment. That environment could call into question how year-over-year growth in director pay aligns with—or outpaces—employee pay increases. “There will continue to be a focus on income inequality and pay gaps,” said Koors. “Even if there’s not regulation around it, boards will continue to have to be sensitive to the broader stakeholder groups, not just the shareholders.”

Committee Pay and Workload

Seventy percent of companies surveyed for the report provide retainers or meeting fees to directors serving as members of a standing committee. However, pay differs depending on which committee the director serves on.

Koors said that committees whose workload grew as a result of more regulation have tended to see increases in pay for members. When Enron’s corporate failure led Congress to pass the Sarbanes-Oxley Act of 2002, for example, the law’s regulations to protect shareholders from fraudulent accounting by corporate leaders meant greater oversight responsibilities for the audit committee.

This year’s director compensation report shows that, across all firms, audit committee members earned a median of $7,500 above their base pay for board service, while audit committee chairs earned $20,000.

Similarly, passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act took aim at executive compensation, and subsequent rules, such as say on pay, led to greater responsibilities for—and attention on—the compensation committee. Increased attention on high CEO pay and disclosures meant to improve pay transparency have also translated into more work for compensation committees, and more work should mean higher pay.

Median retainers and meeting fees for compensation committee members, above their standard director pay, totaled $5,000 across all firms, according to the report. Compensation committee chairs earned $15,000 for their service.

Koors added that heightened attention on issues such as increasing board diversity and improving succession planning could presage a workload increase for nominating and governance committees. Members of that committee received a median of $2,500 above their standard pay for board service across all firms, while chairs received $10,500, the report noted.

“Have we reached the point where every committee has an increased workload? Do we go back to pre–Sarbanes-Oxley [when all committee service resulted in the same level of extra pay]? We started to see a little of that in the data, but the most prevalent practice is still differentiation in pay,” Koors said.

Connecting Director Pay to Board Turnover

In addition to director compensation adapting to the political and regulatory environment, the report notes that director pay could be used as a mechanism to spur board turnover.

The 2016–2017 NACD Public Company Governance Survey finds that board turnover slowed last year, with just 67 percent of respondents indicating that their boards had added at least one new director in the past 12 months. That was down from the prior year.

Most boards deliver the biggest portion of pay to directors as equity. But many boards model their director compensation plans on those of executives, which seek to retain senior managers.

Many director compensation plans are similarly set up so that a director forfeits any unvested equity if he or she retires earlier than expected. Common practice is for directors’ equity grants to vest immediately or after one year, the director compensation report states, but companies with vesting periods longer than one year could inadvertently encourage directors to stay on a board for which their skills are no longer applicable in order to avoid forfeiting unvested equity.

“Make sure your director-award provisions allow the director to divest equity at the time of retirement,” Koors said. Doing so could help the company adapt to changing expectations around board turnover.