In his classic treatise on the Wealth of Nations, Adam Smith noted a discrepancy between the interests of owners and the managers who are handling those “other people’s money.” In the twentieth century, Michael C. Jensen and William H. Meckling—citing Smith as well as Adolf A. Berle and Gardiner C. Means’s The Modern Corporation and Private Property—gave new urgency to this issue by introducing the concept of agency costs—the costs of aligning the incentives of these different corporate actors. This led to more than four decades of searching for the best way to align the interests of shareholders and managers.
At first it seemed that the solution would be stock price, since shareholders and managers alike want to optimize that. The advent of the efficient market hypothesis reinforced the focus on market pricing as the arbiter of corporate performance, and of short term shareholder value as the purpose of the corporation. We have learned, painfully, that neither of these ways of thinking about governance issues is adequate.
Meanwhile, corporate law has been overwhelmed by the advent of a litany of corporate governance norms. This has spawned an active governance industry and a variety of new analytical models for framing corporate law, including:
shareholder primacy, in which boards are accountable above all to shareholders;
the stakeholder model, in which the interests of all stakeholders are to be considered and mediated by the board of directors;
the team production model, in which the inputs of various stakeholders are acknowledged; and
the nexus of contracts theory, director primacy, and others.
What has become clear is that there is no “right” corporate governance model. Governance is highly contextual, and is dependent on what a particular company does, its ownership structure, and the markets and political frameworks in which it operates. The focus on corporate governance reflects a move from a simple legal view of the corporation to one that has become increasingly complex and dynamic, constantly responding to societal expectations. Governance is messy because that is life.
One of the consequences is that there seem to be new controversies and consequential regulatory proposals every year. We have spawned a corporate governance reform industry (private sector and regulatory) that has become adept at generating activity to feed itself. A related oddity is the fact that many of the regulatory proposals are symbolic—they certainly cannot be explained by their relevance to improving corporate governance or performance.
To take a current example, think of say on pay. We now have several years of data resulting from the legal ability of shareholders in the US to cast an advisory vote on executive compensation. Rhetoric aside, shareholders have typically approved compensation with votes in favor, typically exceeding 90 percent. There is a double irony here. First, executive compensation is paid mostly in equity with a value based mostly on short-term stock prices. Second, shareholder support for executive pay also appears to be highly correlated with a company’s short-term stock performance. To the extent that the say on pay vote has heightened executives’ incentives to focus on short-term stock price at the potential expense of creating sustainable value, this regulatory initiative would appear to be counterproductive.
Another recent example is last year’s shareholder resolutions asking companies to report on their exposure to climate risk (and related regulatory, technological, legal, and meteorological forces). In spite of proclaimed commitments to engagement on environmental, social, and governance issues, both executive management teams and investors seem indifferent to such proposals. Management typically recommends a vote against the measure, claiming that the company’s reporting is already thorough, and shareholders vote thumbs down accordingly. Preventable Surprises, a self-described “think-do” tank in the United Kingdom, reports that only one of nine such resolutions at the major U.S. utilities received majority support. Three of the largest institutional investors (owning, on average, close to 20 percent of the shares of the nine companies) voted against each of the resolutions. Equally surprising is the lack of disclosure by these investors regarding the impacts of climate risk on their portfolios and investment strategies.
It is unlikely that the explanation for this lies in false perceptions. The actors we are talking about are among the most sophisticated and influential in our society. A more likely explanation is that governance is often viewed as a moral crusade that is tapping into broader public sentiment without regard for materiality or the difficulty of effecting fundamental change. The exercise of governance then becomes largely symbolic and political and, as a result, it is often conservative and self-serving. One systemic danger is that such reforms dull the desire for deeper introspection and more fundamental change.
That systems are integrated (i.e., more than the sum of their parts), and
That systems are fractal (i.e., they are comprised of subsystems which in turn are comprised of other subsystems on so on).
A third principle flows from the first two: that the overall health of the system depends on the continued health of each of its essential subsystems, as well as of the larger systems in which it is embedded. They then reflect on how each of these principles applies to corporations.
Well-managed corporations achieve resilience through positive mechanisms such as economy (i.e., devoting the appropriate level of resources based on current conditions), homeostasis (i.e., information and feedback loops that allow a system to adjust to disturbances in its environment and stay within the parameters necessary for its continued functioning), and self-organization (i.e., the ability of a system to learn, diversify, and evolve in response to shifts in its environment that might otherwise threaten its survival).
By contrast, poorly managed corporations remain vulnerable due to negative mechanisms such as redundancy (i.e., devoting more resources than needed for a given purpose); imbalance (e.g., information asymmetry between management and directors); and rigidity (doing the same thing over and over and expecting different results).
In systems, multiple purposes are the rule, not the exception. What we observe about a system’s purpose or purposes, actual or apparent, will depend on our level of analysis. The relevant lesson that systems thinking offers on corporate purpose is that the overall goal of a corporate system should not be subordinated to the goals of any one of its subsystems (such as the share ownership subsystem). A critical, ongoing role of effective boards should be to mediate these competing interests.
Systems theory suggests that corporate purpose can be viewed from different perspectives, including the expectations of the state whose laws made incorporation possible. This doesn’t offer a definitive answer to the difficult question of corporate purpose. Indeed, one of the primary insights of systems theory is that the purpose and functions of a system are often the least obvious part of the system, especially to outside observers who pay attention to only a few events or to rhetoric or stated goals.
Where does this thinking lead? First, systems theory counsels against focusing on any single metric. To take the obvious example, short-term profitability is not so much an objective as a constraint a firm may have to meet in order to remain in business. Metrics such as profits, employee turnover, customer satisfaction, and so forth are not ends in themselves. Rather, they are a source of information about whether the corporation is relevant, resilient, and sustainable. Sustainable value creation is the singular goal boards should be focusing on and to which managers should be held accountable.
A related lesson is the need to develop new tools and techniques to measure system-level effects. Increasingly the focus will be on the ability of corporations to generate and account for positive externalities. The work of one organization, The Investment Integration Project, may provide guidance for corporations as well as institutional investors. The organization’s work looks beyond financial metrics to consider system-level events and the integration of the United Nations’ sustainable development goals, for instance.
A third lesson from systems theory is that, given multiple purposes and the complexity inherent in systems analysis, the three branches of government—courts, lawmakers, and regulators—will rarely be well positioned to judge corporate performance. (It is fortunate that the U.S. Securities and Exchange Commission has not yet finalized the proposed Dodd-Frank rule on pay versus performance, which defines performance as no more or less than three years of annualized Total Shareholder Return (TSR).) It will also be difficult for academics or the corporate governance profession to identify “one size fits all” reforms that can reliably improve the performance of all companies. Attempts to impose such silver-bullet solutions are more likely to result in what Roberta Romano has described as “quack corporate governance” that often does more harm than good.
This suggests the exercise of restraint by regulators—assuming positive intent and encouraging adaptive responses rather than imposing rigid and formal compliance requirements. In this manner, we can ensure that our corporations can continue to function as dynamic systems that foster the wealth of nations and the globe.
Edward Waitzer is a partner and head of the corporate governance group at Stikeman Elliott LLP. All thoughts are his own.
When it comes to innovation, boards are notorious for sending conflicting messages. They want to hear assurances of innovation and predictability from management in the same breath. Unfortunately, innovation and predictability don’t go hand-in-hand. Simply put, innovation can’t exist without risk. In fact, the two are easily understood as a marriage—they show up together and work in unison.
Those of us who work in cybersecurity—where staying ahead of adversaries can mean life or death for a company—know that better than most. We have to invest in new ideas, technologies, and processes to adapt to an ever-changing threat landscape. Such investment, like any investment, entails some risk.
We can apply lessons learned about cybersecurity innovation to just about any industry. That’s because every company needs to innovate to remain competitive, which inherently means taking risks. How much risk is enough? How much is too much? And what’s the best way to foster innovation while balancing the need to take risks with the need for predictability?
The best way to answer these questions is to develop clear processes around innovation. It all starts with good communication and diversity of viewpoints.
Talk It Through
Effective communication is key between senior leadership and the engineers and others responsible for innovation. Communication reveals ideas worth taking chances on. Two structural processes work well for this, and the board can suggest both.
Encourage management and engineers to engage in ad-hoc sharing of observations. This means forming groups to share candid observations about what’s working and what’s not working within an organization.
At Rapid7, we pull in team members across the organization to bring a variety of perspectives to the table. I recommend creating small cross-functional teams and getting them in the habit of observing and sharing ideas to generate more innovation. This continuous dialogue pushes people to think more broadly and differently while sharing learnings that can then be reported to the board when discussing innovation.
Facilitate thought-provoking discussions. Encourage management to create thought experiments designed to spark new ideas and challenge conventional thinking. Those facilitating the conversation might start by asking, “If I gave you an unlimited amount of money to double our efficiency, what would you do?” Or, “If we were going to build a business plan to destroy our business and at the same time gain twice the profits and twice the customer loyalty, what would we do right now?”
These processes can be quite powerful in uncovering places to innovate. But in order for a leadership team and those responsible for innovation to maintain a firm grounding in the reality of the industry while also allowing room for creativity, they need a source of external truth. That means urging management to get outside of the company bubble.
Learn from the Field
To gather new ideas, people across functions should spend unmanaged time outside of the organization, bringing observations back to leadership and to their work. Spending time with customers and partners, engaging with peer groups, observing and engaging with competitors, reading, and attending conferences are all ways to gather the insights that are crucial for effective innovation. The board should challenge management to build a culture of curiosity within the company.
That said, directors should beware of herd mentality taking over the minds of management. Emulating companies that have non-sustainable positions or those in which you have too little insight into the success they are having often doesn’t play out well. Instead, encourage management to pay attention to well-performing companies in their quest for ideas that will improve your company’s position.
At Rapid7, I frame these jobs as learning. I don’t need my teams to come back with concrete action steps or specific outcomes but instead with a learning plan and details on what they saw that has the potential to transform the business over the next year.
Anything a team learns that can potentially create an advantage opens the doors to innovation. Therefore, this culture of learning should not focus only on technology, but instead on the combination of process, technology, market, and customer needs.
Create an Innovation Culture
To flourish, innovation also must be nurtured in the culture of the organization as expressed in the attitudes, beliefs, and behaviors of its people. Cultures that punish failure, demand certainty, or reward short term results kill innovation before it can even be expressed as an idea. On the other hand, cultures that emphasize learning, encourage experimentation, and focus on rewarding long-term growth behaviors tend be much better at innovation. One of the keys to this is encouraging transparency and reinforcing that it’s okay to discuss possibilities even when the path to delivery is unclear. Lastly, innovation demands an environment built on trust. When people don’t trust each other, they can’t be vulnerable and share their ideas, hopes, and aspirations. Directors should cultivate a culture of open conversation with their management team, and then encourage the same candor between management and employees across the company.
Embrace the Right Level of Risk
Many organizations pursue the minimal amount of innovation because they fear taking too big a leap and risking too much. Others may aggressively pursue transformational innovation that comes with a high degree of risk. What’s the right balance?
To make that assessment, directors and management can consider the three main levels of innovation, in order of increasing risk.
Incremental improvement innovation. You will generally have a high degree of confidence about this level of innovation because others in your industry are already doing it and you have real-world observations to back up planning for those innovations.
Outside-in innovation. Somewhat riskier, this level of innovation involves implementing ideas that you are confident could be successful based on outside observation—perhaps from beyond your industry—and adapting them for your organization.
Moon shot innovation. The ultimate risk, with a potentially high-reward payoff. Think of SpaceX’s success at launching a sports car toward Mars in its quest to ultimately get settlers there.
For a company that’s doing well inside a stable industry, it’s most likely not wise to take a huge risk. Incremental innovation in this case may be enough, always with an oversight-focused eye on what others in the industry are doing.
A company in a more volatile industry, however, may need to get more aggressive in pursuit of game-changing innovations, with ideas borrowed from other industries. A moon shot in this case, appropriately managed and nurtured over time, may be just what’s needed. Directors should ask management to develop plans and evidence for these innovations that are clear, concise, and geared toward oversight of the project’s successful execution and value creation.
Manage the Learning Cycle
Innovation takes time, starting with the learning cycle.
In our experience, the learning cycle takes about a year, and is crucial for properly managing the risk involved in investing further. For implementation, two to four years is a good rule of thumb to start to see a return on investment. Here’s the typical timeline from idea to implementation.
Year 1: Learn a concept.
Year 2: Decide to learn more or kill it.
Year 3: Learn a few more things and try some ideas. Refine the concept.
Year 4: Get traction.
A successful organization prepares for innovation in the same way a runner prepares for a marathon. Innovations and marathons both take time, conditioning and learning the course. That includes understanding the role that risk plays in innovation. Starting with that foundation will put boards and the companies they serve on the right track for success now and into the future.
Corey E. Thomas is CEO of Rapid7. Read more of his insights here.
Companies today fall into two groups: those that have been breached and know it, and those that have been breached but don’t know it. The realities of managing cyber risks are that breach risks are impossible to eliminate, resources for managing them are finite, risk profiles are ever-changing, and getting close to secure is elusive.
Our December 2017 discussion with a group of active directors during a dinner roundtable at a National Association of Corporate Directors (NACD) event identified some interesting insights into cyber-risk oversight at the board level.
Winning battles does not necessarily win the war. The discussion focused on how state-sponsored attacks targeting government institutions, industrial facilities, infrastructure, and many business organizations are increasing in both power and sophistication. Combatting so-called advanced persistent threats (APTs) requires faster detection and more advanced response tactics. In the arms race to keep pace (or, in most cases, catch up) with these threats, organizations need to commit adequate resources to tapping into available government intelligence and using it to facilitate their preparedness. Directors should suggest to their management team that they develop and maintain relationships with the correct contacts in the government sector needed to stay informed of emerging risks.
Upgrading detection capabilities. The directors raised concerns over the maturity of most companies’ cybersecurity countermeasures, particularly where management and the board believe the entity is an APT target based on what it represents, what it does, and the intellectual property it owns, and asked what can be done from the board level to encourage more effective mitigation of the risks. Capabilities need to be upgraded beyond the controls, tools, and response mechanisms traditionally used to contain sophisticated attackers and corporate insiders. Our experience is that detective and monitoring controls remain immature across most industries relative to the evolving threat landscape.
Clarifying expectations with management. One director noted that when a chief information officer (CIO) or chief information security officer (CISO) asserts, “Don’t worry, we’re taking care of that,” or delivers a similar pushback, it tends to stifle the dialogue and leaves directors with nowhere to go and an incomplete understanding of cyber-risk mitigation. The group’s ensuing discussion pointed to several themes. Directors should ask the right questions (an appendix in the 2017 NACD publication on cyber-risk oversight suggests relevant questions), consider changing board composition if more expertise is necessary, and consider establishing a separate cybersecurity or technology committee of the board. Although directors have limited time to get into details, they should set clear expectations for management at all levels with respect to cyber incidents that can affect the company’s reputation, brand image, and standing with customers. Expectations regarding cybersecurity strategy and risk tolerances should be incorporated into the entity’s risk appetite statement.
Improving board cybersecurity reporting and metrics. The severity of the Equifax breach as well as others raises the question as to whether boards are probing deeply enough to determine what they don’t know. To that end, the directors noted that too often board reports deliver high-level information only. So, the question then becomes, what reporting and metrics on cybersecurity should the board request? The discussion pointed to several examples of key areas to consider:
The number of system vulnerabilities
The length of time required to implement patches
The length of time to detect a breach
The length of time to respond to a breach
The length of time to remediate audit findings
Percent of breaches perpetrated through third parties
The number of security protocol violations
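Metrics like these are only useful to a board if they are computed consistently from the underlying incident and vulnerability records, with the definitions (what counts as “detected,” what the patch deadline is) stated up front. The following is an added example of how a security team might produce the first four metrics above and the third-party share for a quarterly board pack. It is illustrative code, not from the roundtable, NACD, or Protiviti; the records, dates, and SLA thresholds are constructed for the example and are not real data.

```python
"""Board cyber-risk metrics from incident and vulnerability records.

Added example (not from the page's authors). All records, dates and SLA
thresholds below are constructed for illustration, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Vuln:
    id: str
    severity: str                 # "critical" | "high" | "medium" | "low"
    published: datetime           # fix available / finding opened
    patched: Optional[datetime]   # None = still open


@dataclass
class Incident:
    id: str
    first_activity: datetime      # earliest confirmed attacker activity
    detected: datetime            # when the SOC confirmed the intrusion
    contained: datetime           # when the attacker's access was cut off
    via_third_party: bool         # initial access through a vendor/partner


# Patch SLA per severity, in days. Assumed policy values (not from the page).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def _d(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data for the quarter under review.
VULNS = [
    Vuln("V-1", "critical", _d("2024-03-01"), _d("2024-03-05")),
    Vuln("V-2", "critical", _d("2024-03-01"), _d("2024-03-20")),  # missed SLA
    Vuln("V-3", "high", _d("2024-02-10"), _d("2024-03-01")),
    Vuln("V-4", "high", _d("2024-01-15"), None),                  # still open
    Vuln("V-5", "medium", _d("2024-01-01"), _d("2024-02-15")),
]
INCIDENTS = [
    Incident("I-1", _d("2024-01-03"), _d("2024-01-20"), _d("2024-01-22"), False),
    Incident("I-2", _d("2024-02-01"), _d("2024-02-04"), _d("2024-02-10"), True),
    Incident("I-3", _d("2024-02-15"), _d("2024-02-15"), _d("2024-02-16"), False),
]
AS_OF = _d("2024-04-01")  # reporting date


def open_vulns_by_severity(vulns: List[Vuln], as_of: datetime) -> Dict[str, int]:
    """Count of vulnerabilities still open on the reporting date, per severity."""
    counts: Dict[str, int] = {}
    for v in vulns:
        if v.patched is None or v.patched > as_of:
            counts[v.severity] = counts.get(v.severity, 0) + 1
    return counts


def patch_sla_compliance(vulns: List[Vuln], as_of: datetime) -> Dict[str, float]:
    """Share of vulnerabilities per severity closed within SLA.

    An open vulnerability already past its deadline counts as a breach; an open
    one still inside its SLA window is not yet decided and is excluded.
    """
    within: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for v in vulns:
        deadline = v.published + timedelta(days=PATCH_SLA_DAYS[v.severity])
        if v.patched is not None:
            total[v.severity] = total.get(v.severity, 0) + 1
            if v.patched <= deadline:
                within[v.severity] = within.get(v.severity, 0) + 1
        elif as_of > deadline:
            total[v.severity] = total.get(v.severity, 0) + 1
    return {sev: within.get(sev, 0) / n for sev, n in total.items()}


def incident_metrics(incidents: List[Incident]) -> Dict[str, float]:
    """Time to detect (dwell time), time to contain, and third-party share."""
    ttd = [(i.detected - i.first_activity).days for i in incidents]
    ttc = [(i.contained - i.detected).days for i in incidents]
    return {
        "median_days_to_detect": median(ttd),
        "max_days_to_detect": max(ttd),       # the outlier a board should see
        "median_days_to_contain": median(ttc),
        "share_via_third_party": sum(i.via_third_party for i in incidents) / len(incidents),
    }


def board_report(vulns: List[Vuln], incidents: List[Incident], as_of: datetime) -> Dict[str, object]:
    return {
        "open_vulns": open_vulns_by_severity(vulns, as_of),
        "patch_sla_compliance": patch_sla_compliance(vulns, as_of),
        **incident_metrics(incidents),
    }


if __name__ == "__main__":
    for k, v in board_report(VULNS, INCIDENTS, AS_OF).items():
        print(f"{k}: {v}")
```

Reporting the maximum dwell time alongside the median matters: a single 17-day undetected intrusion is the figure that should prompt the board’s questions, and a median alone would hide it. The SLA treatment of still-open findings is a definitional choice that should be written into the report so the number cannot be quietly improved by leaving overdue items open.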
Paying attention to “blocking and tackling.” The group brought up several cybersecurity issues, including prioritizing high-risk patches, raising awareness of phishing, implementing security segmentation, and refreshing incident response and recovery plans continuously. One director noted that every organization should have multi-factor authentication access controls in place; accordingly, the board should discuss this security measure with management.
Conducting independent cybersecurity assessments. As innovative transformation initiatives constantly expand an organization’s digital footprint, they outpace security protections companies have in place. Accordingly, organizations should consider assessing the current state of their overall cybersecurity using an established framework, in relation to their desired state. If such reviews identify gaps or areas of weakness requiring immediate remediation, the board should satisfy itself that management addresses those areas in a timely manner.
Being aware of challenges in the information technology (IT) and security organizations. The point was raised that many organizations need to seriously consider re-architecting themselves from both a technology and security standpoint. The question the board needs to ask management is: How quickly are we able to get an issue resolved? Management assertions that a solution will disrupt existing operations and legacy systems and, thus, will take time to implement, are a red flag. Our discussion also touched on the issue of inadequate IT and security resources, and the need to innovate the business. The point is, cybersecurity must be focused on what’s important and cannot consume the entire budget.
Considering the value of cybersecurity insurance. One director brought up the importance of cybersecurity insurance coverage as a means to transfer some of the financial risk associated with a variety of cybersecurity incidents, including data breaches, business interruption, and network damage — particularly since the entity’s directors and officers liability policy may not cover these issues. If a company invests in a cybersecurity policy, the insurer may require the business to follow certain guidelines and provide evidence through a cybersecurity assessment, as discussed earlier. If the company hasn’t benchmarked itself against an appropriate framework, directors should inquire as to why not.
Dig into deeper insights from Protiviti by visiting their Board Perspectives piece on the challenges directors face when overseeing cybersecurity risks.