“What would you do if I sang out of tune? Would you stand up and walk out on me? Lend me your ears and I’ll sing you a song, and I’ll try not to sing out of key. Oh, I get by with a little help from my friends.”
When The Beatles first recorded that song in 1967, it’s a safe bet they weren’t thinking about corporate governance and the role of the board of directors. Yet, as I’ve pondered the array of corporate scandals over the past decade, I found these fifty-one-year-old lyrics floating to the forefront of my mind.
Whenever there is a highly publicized failure of corporate governance, the first question that’s typically posed is, “Where was the board?” However, in my experience—after 20-plus years of service in public and private companies, both in the for-profit and nonprofit sectors—that question rarely gets to the heart of the matter because process isn’t the primary culprit. A better question is, “What happened and why?”
Conventional wisdom examines whether the board had sufficient information, process, and the right reports. What often doesn’t get scrutinized is whether the board had the right people in the right places and if the chair or lead director is doing his or her job setting the tone at the top.
In this rapidly changing, complex world, it is incumbent upon the chair or lead director to continuously improve both the process and substance of governance, even in the strongest and healthiest of companies. This is where The Beatles’ lyrics come into play.
The Complexities of Conducting
The role of the chair or lead director is similar to that of an orchestra conductor. The conductor’s primary duties are to interpret the musical score of the composer via an ensemble of players. Using indications within the score, the conductor sets the tempo, shapes the phrasing, and guides the players to perform in concert. While it sounds simple enough, it’s a task of enormous complexity.
The sheet music that an orchestra is given can be likened to the committee charters and board responsibilities. The paper needs to contain the “right tune” and the right mix of notes, etc., but those same notes can be played beautifully or poorly, in harmony or in discordance. Even if individual performers are playing well, one bad violinist can wreck the whole orchestra if his or her part is not minimized or if the conductor doesn’t have the power or influence to get rid of the bad player. Taking the analogy further, the conductor also has to spot the talented players (i.e. board members), even if they are hidden away or young, and feature them.
Then there’s the pacing of the score—think board process. Whether it’s played loudly, softly, fast or slow, is a matter of feel. That’s what the conductor is expressing with his or her gestures and baton-waving. And, of course, the conductor has to be ahead of the music, so the sound carries to the audience, as well as anticipate what’s next.
So, you can have all the scores (or board processes) you want, but if the conductor can’t make the band of sterling musicians work together, the net result is less than stellar performance.
It’s doubly challenging in cases where the board doesn’t have an independent chair because the power of the lead director is usually quite limited, leaving him or her to conduct solely through influence versus explicit authority. In the corporate realm, these are some of the factors that must be considered when making governance better.
Soft Yet Hard
In its recent report, the NACD Blue Ribbon Commission on Culture as a Corporate Asset aptly stated, “While it is often perceived as a ‘soft issue,’ [culture] is actually a hard issue—both in the sense of having concrete impact, and in the sense of being difficult to assess.” The same is true of tone at the top. It can be incredibly hard to assess because it’s ethereal in nature, like the orchestra conductor filling the concert hall with melodious music.
But it does come down to the interactions among the board and its committees, and the transparency of information flow between management and the board at all levels. The responsibility for the “tone” of these interactions, i.e., getting the music to sound good, resides with the board chair or lead director.
In the collective interest of corporations and shareholders everywhere, there’s much to be gained by the ongoing tuning of this tone. Regularly posing the following questions is one example:
Are your governance processes appropriate for the speed of change today?
Is there sufficient clarity about the roles and responsibilities of the directors and management?
Are the right people in the right places for today and tomorrow?
Is the orchestra playing in concert in the eyes of the audiences, i.e., customers, employees, shareholders and the broader community?
The answers are less important than asking the questions and bringing this kind of curiosity to the board room now.
As the aforementioned NACD Blue Ribbon Commission reported, even for companies with healthy cultures, resting on laurels isn’t an option. The stakes are simply too high and the operating environment too volatile not to seek continuous improvement.
It concluded that, “Performed properly, culture oversight not only can be embedded into directors’ existing activities, but also can significantly improve the quality and impact of the board’s work overall.” This notion of making the music match the words when setting the tone at the top goes right along with the Commission’s finding. That, and a little help from friends, might even mean singing on key.
Roger O. Goldman is chair of the executive committee of American Express National Bank, lead director of Seacoast Bank, and former chair of the board for Lighthouse International. Opinions are his own.
If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.
Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.
The Importance of Communicating About Cybersecurity
Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.
Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”
Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.
At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.
CPA Firms and Cybersecurity: Bringing Expertise and Values
Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.
Deep expertise. Not only do certified public accounting (CPA) firms provide independent assurance services in both the financial statement audit and a variety of other subject matters, they have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.
Strong values. CPAs bring to bear strong values that have defined and guided the profession for over a century. Foremost among these values are independence, objectivity, and skepticism.
Key Topics to Discuss with Your Auditor
So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.
How the Financial Statement Auditor Considers Cybersecurity Risk
An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).
A talk with the external auditor might involve the following questions.
How does the financial statement auditor’s approach include the consideration of cybersecurity risks when identifying and assessing risks of material misstatement for the financial statement and ICFR audits?
If, as part of understanding how the company uses information technology in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?
How CPA Firms Can Assist Boards in Cyber-Risk Oversight
Although cybersecurity risk management practices are typically beyond the scope of a typical financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.
One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on a company’s initiatives.
Here are seven questions to ask CPA firms about these initiatives.
How can the AICPA framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
How is the AICPA’s cybersecurity risk reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program? How does it determine whether controls within the program were effective at achieving the company’s cybersecurity objectives?
What technical expertise do CPA firms possess that qualify them to perform a readiness engagement or an examination to validate effectiveness of controls specific to a company’s cybersecurity risk management program?
The SOC for Cybersecurity examination cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
What is the audit profession doing to help address cybersecurity risks from third party vendors or service providers?
What other types of engagements are available to help board members with cybersecurity risk oversight?
These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.
As discussions of sustainability move beyond financial performance, they tend to spawn divergent views. Many frame the term as what constitutes responsible behavior in driving continued development and growth without deteriorating the environment, depleting natural resources, or creating conditions that destabilize the economy and vital social institutions. Still others prefer to cleave to the traditional view of the corporation and remove external stakeholders and the environment altogether to focus solely on the sustainability of the business and its profits.
The type of short-term thinking applied when formulating policy and the kinds of long-term thinking driving sustainability development discussions are like oil and water, and looking to the business world, short-termism on the part of senior management is a sustainability killer. Without a long-term outlook in both the private and public sectors, the sustainability discussion will continue to be over before it begins.
Straight talk about sustainability leads to acknowledgement of several important realities:
Sustainability performance without acceptable financial performance is untenable. The two must be integrated, and neither is a substitute for the other. Overreach in pursuing either preempts long-term progress.
Many directors and senior executives believe the focus on sustainability is inevitable and, of necessity, strategic. Some constituencies believe that investments on the environmental, social, and governance fronts are incompatible with positive near-term returns.
Reasonable people can differ in their views as to the appropriate sustainability objectives for a given organization, based on the industry, stakeholder interest, and long-term outlook, as well as the time frame in which the entity should pursue those objectives.
A meaningful impact is only possible through the collective efforts of multiple entities in the private sector, sound policies in the public sector, cross-border global cooperation, and investors committed to the sustainability agenda.
The concept of selective investing offers a set of standards for a company’s operations that socially conscious investors use to evaluate investment alternatives. As professionally managed funds deploying environmental, social, and governance (ESG) factors to screen investments have increased assets under management into the trillions of dollars, directors and executives have taken notice. Earlier this year, the CEO of BlackRock issued a letter to chief executives calling for a “positive contribution to society” beyond financial performance in realizing their organization’s full potential, with emphasis on “understand[ing] the societal impact of [their] business as well as the ways that broad, structural trends—from slow wage growth to rising automation to climate change—affect [its] potential for growth.” As these and other related demands have increased from the investor community, so have requests for increased transparency.
Governance—the “G” in “ESG”—has steadily emerged as a significant differentiator and, increasingly, a make-or-break factor for investors. Bad corporate behavior during the Enron era at the turn of this century, reckless risk-taking precipitating the 2007-2008 financial crisis, catastrophic cyber breaches, egregious violations of laws and regulations, and wanton disregard of safety considerations in addressing cost and schedule pressures have accentuated the importance of effective governance and the strong organizational culture it encourages. As important as these matters are, they’re mere table stakes. The focus on sustainability raises the bar further, with the BlackRock letter calling for a “new model for corporate governance.”
There are other reasons why ESG is important. Younger generations place high importance on sustainability issues. A recent survey noted that 56 percent of public company directors believe that a corporate social responsibility policy increases a company’s ability to attract and retain employees. Also, deploying cost-effective technologies to increase process efficiencies and develop environmentally friendly products and services has become attractive in many sectors. While there is a long road to travel littered by brutal politics and more questions than answers, world opinion has been coalescing around achieving the goal of sustainable development.
Perhaps this is because the world around us all is changing so much. Advanced technologies make feasible what was impossible a decade ago. Global population growth continues to explode, and changing demographics and resource scarcity affect operations. Businesses are left to ask themselves what they are to do in the face of these changes, and corporate directors have a role in leading their companies to action.
Directors should ensure that management answers the question, “What does the organization do about sustainability?” based on the nature of the entity’s industry, culture, markets, stakeholder priorities, regulatory environment, appetite to lead and invest, intrinsic challenges from an execution standpoint, and long-term outlook. Approaches to consider might include the following:
Articulate sustainability guiding principles and core values;
Assess current ESG performance to identify gaps and opportunity areas;
Conduct an assessment of opportunities to improve performance and address the risks of inaction;
Assess the entity’s current policies, processes, organizational structure, reporting, methodologies, and systems supporting the pursuit of sustainability objectives;
Based on the above, formulate a sustainability strategy and road map of key initiatives supporting that strategy;
Establish accountability for results by setting targets, assigning executive sponsorship, defining initiative ownership, specifying the appropriate performance metrics, and integrating those metrics with operational performance monitoring and the reward system; and
Establish disclosure controls and procedures to ensure reliable internal and external ESG reporting.
The strategy taken by investors in this age of sustainable development is challenging perceptions of the role of the corporation in society. The questions around sustainability—and how hard companies should be working to drive it as a goal—require serious reflection for executive management and the board. A strong commitment to sustainability places an emphasis on actions, not words; on disruptive innovation, not “business as usual”; and, most importantly, on leadership, collaboration, and transparency.