Talent Development Leaders Tackle Four Challenges

Published by

Directors spend the bulk of their time every quarter reviewing financial results and receive updates on enterprise risk. However, very little time is spent reviewing talent development and succession planning. Compensation committee agendas and metrics tend to be dominated by executive compensation discussions, and relatively little focus is given to measuring and tracking talent development and retention across the leadership suite.

Talent Development

From Left: Steve Newton, Barbara Duganier, Eileen Campbell,  and Doug Foshee

Panelists at a recent event hosted by NACD Texas TriCities’ Chapter, all leaders in the field of executive management and human resources (HR), discussed board-level talent oversight. Barbara Duganier, director, Buckeye Partners, served as moderator of a panel including Eileen Campbell, former vice president of human resources for Marathon Oil; Doug Foshee, former chair and CEO of El Paso Corp.; and Steve Newton, partner, Russell Reynolds Associates. The conversation confronted the fact that while the vast majority of CEOs are promoted from within, boards spend very little time on executive leadership development—and even less time on talent development beyond the chief executive.

The development of executive HR talent in an organization seems often to be left to chance. Whether it’s because the CEO and board don’t place critical importance on the position, or the HR leader views their role less as a strategic asset and more as compensation or benefits cost center, development of HR talent—and others in the executive pipeline—deserves more board-level attention.

Below are several challenges that were discussed, as well as some solutions to developing talent and value from your company’s HR leadership.

Challenge 1: People think they’re good at recognizing talent, but biases and lack of process might lead to missing out on promising people. Ask any executive to identify high potential employees, and they can always name a few promising people. However, because the ability to recognize a talented person is considered a soft skill, it doesn’t get measured or tracked on a regular basis. Interestingly, most people will identify people in their own image—just younger. Therefore, if the leadership team is not diverse, promising people may go overlooked that do not meet preconceived notions of what leadership looks like.

A Solution: Measure and track. HR leadership and the board should insist on tracking talent development-specific metrics with the same level of importance as financial metrics. Measuring also allows boards and executives to notice unconscious biases in recruitment and talent development.

Challenge 2: People are protective of their highest performers. Lateral moves and broadening development positions are imperative in order to assess and build talent across the organization. But as Campbell pointed out, managers are often reluctant to recommend their highest performers to other divisions.

A Solution: Once people are identified as high-potential employees, they should be considered “group resources” rather than belonging to a department or division. By operating across departments, leaders outside of the individual’s direct supervisors can take part in nurturing the long-term development of employees’ talents.

Challenge 3: People are reluctant to put high performers in certain roles due to a fear of failure that could result in career derailment. As a result, sometimes leaders are not “tested” outside their comfort zone, and can remain unproven until they’ve ascended to the role of CEO.

A Solution: Develop a program similar to General Electric Co.’s “popcorn stand,” a concept shared by Doug Foshee. This concept provides a future leader with significant responsibility outside his or her comfort zone in a part of the business where commercial impact on the overall organization is less relevant. In smaller organizations, these could be roles that require managing through ambiguity or necessitating cross-functional skills. In larger organizations, these could be special projects or small profit and loss businesses whose bottom line is minimal or negligible.

Challenge 4: Boards are not comfortable addressing CEO succession if they have just named a new CEO. Steve Newton remarked that given the average tenure of a CEO is four to five years, it’s never too soon to begin assessing readiness of internal candidates if you believe they have gaps between current and desired capabilities.

A Solution: Identify a wide candidate slate within an organization early in a CEO’s tenure and begin developmental plans to grow a leadership team that has both breadth and depth of understanding.

For additional NACD thought leadership on effective management of human capital culture and talent development, members can review the Report of the NACD Blue Ribbon Commission on Talent Development. Key takeaways from speakers at the chapter program can be downloaded here, and to view the entire program visit NACD Texas TriCities Chapter YouTube Channel.


Catalano_Anna Anna Catalano is director of Willis Towers Watson, Mead Johnson Nutrition, Chemtura Corp., Kraton Corp., NACD Texas TriCities Chapter, and the Alzheimer’s Association.

Driving Behaviors Through Incentives and Risks

Published by

The following blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors (NACD) announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will launch during NACD’s Global Board Leaders’ Summit Oct. 1–4.

CompensationCulture

Incentives can reward performance—and create tension and unintentional risks.

One element that helps define an organization’s culture is the set of incentives motivating employees to act. While incentives can effectively reward performance that benefits the enterprise, the compensation committee—and the board more generally—must factor in the tension and unintentional risks that incentives can create.

NACD, along with Farient Advisors, Katten Muchin Rosenman, PwC, and Sidley Austin, last fall cohosted the first-ever joint meeting between the NACD Compensation Committee Chair Advisory Council and the NACD Advisory Council on Risk Oversight. Committee chairs from Fortune 500 corporations joined governance stakeholders for an open dialogue on incentives and risk taking.

The discussion was held under a modified version of the Chatham House Rule, under which participants’ quotes are not attributed to those individuals or their organizations, excepting cohosts.

Six questions emerged that boards and compensation committees should consider:

  1. Do we have an appropriate balance of metrics?
  2. Are we calibrating goals and upside opportunity appropriately?
  3. Are we considering the quality of performance?
  4. How robust are the controls on data that is used as inputs to the compensation plan?
  5. How are our board’s committees collaborating on developing and monitoring incentive plans?
  6. Are we actively exercising discretion?

Below are details for three of those questions. More information is available for download in NACD’s complimentary brief, Incentives and Risk Taking.

Do we have an appropriate balance of metrics?

The Report of the NACD Blue Ribbon Commission on Performance Metrics states, “Corporate leaders must select metrics that encapsulate the company’s strategy, the balance of risk and reward, and the milestones along the way.” Management chooses appropriate metrics for the company. The board’s role is to decide if those metrics help create long-term value for shareholders—and also to ask management the right questions to ensure that risks associated with compensation plan incentives are being mitigated.

“Our responsibility is to understand the business and the industry,” said one director at the meeting. “The more we understand the business, the more [any] red flags will become apparent.” Meeting participants added that just as there is no silver bullet or single perfect metric to use when developing incentive plans, there is no one-size-fits-all approach to finding a satisfactory balance of metrics.

“There’s no perfect performance measure because every one of them can be gamed either deliberately or not deliberately,” said Dayna Harris, vice president at Farient Advisors. “In addition, it’s important to factor in trade-offs—for example, between metrics related to earnings and those related to revenue or returns—in order to get a combination that works.”

Thomas J. Kim, partner at Sidley Austin, said, “Performance metrics for compensation should be consistent with how management and the board think and talk about the business, both internally and externally. Qualitative metrics are generally more appropriate for, and tailored to, specific individuals, rather than for management as a whole.”

Are we calibrating goals and upside opportunity appropriately?

In addition to selecting performance measures, compensation committees must ensure the pay plan keeps the firm’s risk appetite in mind. The goal is to avoid unintended consequences that might compromise the enterprise’s reputation or its long-term viability. At one council delegate’s company, “the chief risk officer does a risk analysis of the executive compensation plans and shares it with the board. We can assess where it nets out on the risk spectrum. The analysis is repeated at the end of the year to look at incentive payouts and whether any business area took undue risks.”

Participants highlighted two areas for compensation committees and boards to consider:

  • Incentive thresholds. “Stretch goals are great and often important to strategy execution. But the board needs to ask whether high incentive thresholds may encourage bad behavior,” one participant said.
  • Slope-of-the-payout curve. Harris advised, “Make sure the upside [payout] opportunity is not excessive, especially for annual incentives. Three hundred to four hundred percent payout ranges can be dangerous.”

Are we considering the quality of performance?

Council delegates also emphasized that it is essential for compensation committees—and, indeed, for all board members—to ask probing questions about the way in which management achieves results, not just whether or not a particular performance target has been met: “How you get there makes all the difference: we have to look at the quality of earnings,” one delegate said. “If our incentive plan is heavily weighted toward rewarding revenue, did we end up with a bunch of low-margin or bad deals?”

One compensation committee chair reported, “To make sure that our results are sustainable, we’ve introduced strong metrics around employee satisfaction and engagement, along with customer satisfaction. These can count for as much as 25 percent of the CEO’s annual bonus.”

Questions about the quality of performance have risen to the top of many boards’ agendas in the wake of criticism over the consequences of aggressive incentive plans at companies such as Wells Fargo and Mylan. Reflecting on what has been publicly reported about these two situations, participants identified the following takeaways for directors:

  • Exercising skepticism is essential in times of good performance—when it is often most difficult to do. “It can be hard for directors to push back when they’re in the boardroom of a high-functioning organization and hearing lots of great stories from management,” observed one participant. Several delegates pointed out that executive sessions can be particularly useful in this regard.
  • Question over-performance as closely as underperformance. “If it looks too good to be true, it probably is,” a director said. “Wells Fargo’s cross-selling numbers were significantly above industry standard. As directors, we need to look very closely at outlier-level performance—it might be a red flag.”
  • Reputation risk can be material, even when financial losses are relatively small.

By incorporating into board discussions the above-listed questions, directors can strengthen responsible oversight of incentives. “It’s our responsibility as directors to understand the business and the industry in depth—trends, competitors, pricing models,” one director said. “That gives us a much deeper understanding about what is possible and what we’re asking management to do when we set goals and targets. It will also help us see potential risks and red flags much earlier.”

Why Are People Part of the Cybersecurity Equation?

Published by
Sedova_Masha

Masha Sedova

The following blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors (NACD) announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will launch during NACD’s Global Board Leaders’ Summit Oct. 1–4.

As many as 95 percent of breaches to companies’ data have a human element associated with them. It is no wonder, then, that security teams call people “the weakest link” in securing an organization and choose other investments for defense. Despite companies’ deep investments in security technology over the years, security breaches continue to increase in frequency and cost.

The conventional approach misses a significant opportunity to utilize people as a defense strategy against the ever-changing threat landscape. In fact, only 45 percent of respondents in the National Association of Corporate Director’s 2016-2017 Public Company Governance Survey reported that their boards assessed security risks associated with employee negligence or misconduct. Organizations that have fostered intentional security cultures from the boardroom to the server room have managed to transform employees into their strongest asset in defending against attacks, gaining advantages in both protecting against and detecting cyber threats.

What is security culture?

SecurityCulture

From the boardroom to the server room, people could be your greatest security asset.

Culture-competent boards and management teams understand that culture is the set of behaviors that employees do without being told. In simpler terms, it’s “the way things are done around here.” There are many sub-cultures within an organization, and security culture is one that often looks quite different from the expectations set by policy. Security culture has the power to influence the outcome of everyday business decisions, leaving an employee to judge for themselves the importance of security in a decision. For instance, some frequent questions that employees might encounter include:

  • Is it ok to release insecure code or should we test more, resulting in a delay?
  • Do I feel safe to report that I may have incorrectly shared a critical password?
  • Do I prioritize a secure vendor over a less expensive one?

Each of these decisions, when chosen without security in mind, add to the organization’s security debt. While likely that none of these decisions on their own will lead to the downfall of the organization, each risky action increases the probability of being targeted and successfully compromised by cyber-attackers. On the other hand, if the decisions to the questions presented above are chosen with a secure mindset, over time an organization can expect to see more secure code, better data handling processes, and an increased ability to detect cyberattacks, just to name a few examples. A positive, security-first culture makes it more difficult for an attacker to find and exploit vulnerabilities without detection, incentivizing a different choice in target. Directors at companies across industries should carefully evaluate whether management has established a security-first culture as part of their greater cyber-risk oversight strategy.

It is worth realizing that security-minded employees will not solve all security headaches. However, a company’s talent is an essential third leg of the business stool, partnered with technology and processes. An organization that does not invest in training and empowering its employees to prioritize security is only defending itself with two-thirds of the options available to it.

How do you practice it?

The first step boards and executives can take to shape security culture is to identify the most critical behaviors for your employees. Historically speaking, security culture programs used to be based on compliance and asked, “How many people completed a training?” or “How much time is an employee spending on education?” These are not the right questions. Instead, we should ask, “What will my people do differently after my program is in place?”

Prioritize behaviors by their impact on the security of your organization, customers, and data. Ideally this will distill down into two to three measurable actions that boards and executives can encourage employees to take in the short-term to be security minded. Most mature security culture programs have the following three capabilities to help develop these behaviors: measure, motivate, and educate.

1. Measure It is critical to have measures in place to show progress against culture change. When an organization can measure its key desired behaviors, it can start answering critical questions such as:

–  Are my campaigns effective at changing this behavior?
–  What groups are performing better? Why?
–  Has the company already met its goals? Can I focus on the next behavior?

Measuring culture is notoriously tricky because of its qualitative nature, but it can be done using measures such as the number of malware infections, incident reports, or even surveys that test for the knowledge of, and adherence to, policy and process. Surveys should also test for employees’ perception of the burden of security practices, as well as a self-assessment of individual security behavior.

2. Motivate Effective behavior change requires motivation. Spending the time explaining the purpose behind each security measure goes a long way in getting employees on board. As an example, sharing case studies of successful attacks and lessons learned helps demonstrate to employees that the threat is real and applicable to their work. Some other great ways of providing motivation to follow through on security behaviors are public recognition of outstanding behavior, gamification, or rewards for success.

3. Educate Employees cannot act to change their behavior if they are not fully trained to do so. Ensure employees have the knowledge and tools to complete the security tasks. Ideally, the information presented should be tailored by role and ability level to make it as relevant and interesting to the employee as possible. One key focus should be on educating senior executives on the trade-offs between risk and growth in a company. Consider providing scenarios based on real cyber-attacks that explore the long-term impact of risky business decisions. Add these discussions opportunities into existing leadership courses to help model security-mindset as a valued leadership trait.

Senior level engagement

While the above is a framework that boards and executives can use to drive security behavior change from the bottom up, leadership has an important role in setting the security culture as well. Executives can publicly share the value of security as an employee themselves, which will reinforce the importance they see in proper security culture to the organization and to the customers they serve. Executives should hold their businesses accountable for executing on key security behaviors and publicly call out examples that have impacted the security of the organization, either positively or negatively. Finally, boards should press executives to ensure that the focus of their people-centric security program is on the highest area of risk, not just what is easy to measure.

Masha Sedova is the co-founder of Elevate Security, a company delivering interactive and adaptive security training based on behavioral science. Before Elevate, Masha was a security executive at Salesforce.com, where she built and led the security engagement team focused on improving the security mindset of employees, partners, and customers.