Overseeing risk is no small task for boards now that a company’s footprint is no longer confined to local or even national boundaries. The globalization of business, spurred in large part by the Internet, has expanded business opportunities while also introducing new categories of risk that an organization must contend with.
The National Association of Corporate Directors (NACD) invited Joan Meyer, a partner at Baker McKenzie LLP, and SecureWorks Chief Threat Intelligence Officer Barry Hensley to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.
Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.
What is your outlook on the complexities of being an international company?
Joan Meyer: It’s becoming extremely complex because there is increasing enforcement from other jurisdictions. Five or six years ago, the U.S. was the predominant regulator and multinationals only had to deal with certain European countries in addition to the United States. Now, we are seeing emerging markets that are getting extremely aggressive. They are also putting in more restrictive laws and data privacy rules about the transfer of data. It’s a real conundrum for companies because they not only have to comply with U.S. law but with the more robust law of various regimes, which creates conflicts. Some of that risk may be theoretical because certain jurisdictions have not begun enforcing these laws—but it’s out there.
If you are disclosing information to a U.S. enforcement authority but you can’t get information out of a foreign jurisdiction, a U.S. regulator might not care—they just want the information. In this situation, not only is executive management caught in a bind, but the board will be asked: “What do we do?”
The U.S. Department of Justice is also pursuing individual prosecutions of mid-level managers and the C-suite, and there is increasing pressure on companies dealing with U.S. authorities to get cooperation credit by identifying individuals who are culpable for the misconduct. And it’s not only in the U.S. where that’s happening. Because the government wants real-time cooperation in pursuing individuals, it’s frustrating for companies because they are being pushed to provide investigatory conclusions to the government which they may not have completed. On a global basis—whether it’s Saudi Arabia, China, Russia, or Brazil—individuals are being actively pursued. The problem is compounded if they are expatriates who are working in these foreign countries for a limited period of time, don’t understand the culture, and are suddenly being subjected to detention or prosecution. This puts managers working outside countries with an established legal system at real risk because they may be pursued by authorities simply for a perceived failure to exercise their supervisory responsibilities in the right way.
What questions should a board chair ask the chief information security officer [CISO]?
Barry Hensley: First: What are our top five risks? Only by thinking like the enemy can the CISO begin to itemize and categorize the company’s security risks. Consider the following ways you may be attractive to cyber threats: your brand and how you’re perceived on the world stage; your digital capital, such as intellectual property, electronic currency, and personal data and how it’s secured; and your internet-exposed vulnerabilities.
Second: Does our security program have the visibility to detect an advanced adversary whose work eludes security controls? The threat does not remain static nor does the network. While some tactics and tradecraft are well known, the adversary is innovating, always seeking opportunities to bypass traditional protections. For example, while implementing multi-factor authentication is important, bad actors are finding ways to impersonate users and hijack credentials. Does your risk assessment learn from the headlines and adapt? It’s important to keep risk assessments current and update your mitigation strategies and budgets against these threats.
Third: Does your staff collectively understand the term “breach” and the conditions that trigger a formal response? Are you prepared with a meaningful, rehearsed, cross-disciplinary crisis response plan? While no company wants to dwell on the potential for serious incidents and breaches, preparation is still essential. This requires a real understanding of what constitutes an addressable incident, what triggers it, the steps that must occur to resolve the incident, and the people involved. Key tenets should be established, such as: knowing who’s in charge, how the board contacts the key players, and what measurable actions are taken to address the incident.
Fourth: Is security training tailored to ensure appropriate audiences are aware of threat actors and their tactics? Different segments of the workforce present different risks, and the CISO must make sure each segment is aware of the tactics being used to exploit all avenues of compromise. Boards need to ask: Do employees understand how phishing works? Do administrators know the value of frequently changed passwords and vulnerability scans? Do web designers understand the importance of secure coding practices? Do executives and financial managers recognize that they are extremely lucrative targets for social engineering? And remember: there is no such thing as one-size-fits-all security training.
The National Association of Corporate Directors’ (NACD) 2016-2017 Public Company Governance Survey reported that, according to the vast majority (96%) of directors, “big picture” risks are overseen at the full board level. The big-picture view of risks includes those with broad implications for the organization’s strategic direction, including issues that can create significant reputation damage.
NACD’s findings are complemented by a recent survey of more than 700 C-suite executives who were asked to identify the top risks for 2017. Conducted in the fall of 2016 by Protiviti in partnership with North Carolina State University’s ERM Initiative, the study indicated that the overall global business context is noticeably riskier than in the two previous years, while respondents’ results in the United States implied that the risk landscape is about the same as before.
The common risk themes were ranked in order of overall priority, providing context for understanding the 10 most critical uncertainties companies face in 2017.
Economic conditions in the global marketplace may significantly restrict growth opportunities. There are many sources of economic uncertainty in the markets that companies operate within. Examples of factors impacting growth include market volatility, Brexit, a strong U.S. dollar, central bank monetary policies, the aftermath of the U.S. 2016 election, sluggish growth rates in various global markets, rising global debt, and the threat of deflation. Survey participants may have concerns about a “new normal” of operating in an environment of slower organic growth.
Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. Ranked at the top in Protiviti’s prior surveys, this risk fell to the second spot for 2017. Companies continue to display anxiety about regulatory challenges affecting their strategic direction, how they operate, and their ability to compete with global competitors on a level playing field. This risk may be particularly relevant in 2017, given the climate of uncertainty surrounding the new U.S. executive and congressional administrations and their influence on the role of government and the business environment. Any major regulatory change—whether perceived as positive or negative—is of significant interest to executives and directors.
Organizations may not be sufficiently prepared to manage cyberthreats that could significantly disrupt core operations or damage their brand. Cyber risks have evolved into a moving target. Many factors are driving change, including the ongoing digital revolution, new innovations to enhance customer experience, cloud adoption, social media, mobile device usage, and increasingly sophisticated attack strategies, among others. The harsh reality is that new technology offerings and developments in organizations are quickly extending beyond the security protections that they currently have in place.
The rapid speed of disruptive innovations and new technologies within the industry may outpace the organization’s ability to compete or manage the risk appropriately. A company’s inability to respond in a timely manner to changing market expectations can be a major competitive threat for organizations that lack agility in the face of new market opportunities and emerging risks. The speed of change and development of emerging technologies can occur anywhere and in any industry, and this risk reaches far beyond the retail marketplaces. Disruption affects all industries. No company is immune.
Privacy, identity, and information security risks are not being addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased security risks to privacy, identity, and other sensitive forms of information. As the digital world evolves and connectivity increases, new opportunities emerge for identity theft and for the compromise of sensitive customer information. Recent hacks exposed tremendous amounts of identity data involving large companies and the federal government in the United States. These underscore the harsh realities of this growing risk concern.
Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. A number of factors are driving this risk—changing demographics in the workplace, slower economic growth, increasingly demanding customers, and growing complexity in the global marketplace. As a result, organizations are being forced to elevate their recruitment and retention efforts to acquire, develop, and retain talent with the requisite knowledge, skills, and core values to execute challenging growth strategies.
Anticipated volatility in global financial markets and currencies may create significant challenges for organizations to address. Given questions surrounding the United Kingdom’s eventual exit from the European Union, as well as uncertainties in China and other world markets, it is not surprising that this risk remains among the top 10 for 2017. Factors indicated earlier—including rising public debt, falling commodity prices, sluggish economic growth, the strong U.S. dollar, and uncertainty regarding monetary policies—all contribute to uncertainty in global financial markets and currencies.
The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. An organization’s culture has a huge impact on the manner in which risk issues are brought to the attention of decision makers when there is still time to act. Given the overall higher levels of risk-impact scores for all risks in 2017 relative to the year before, this cultural issue may be especially concerning to senior management and boards.
Resistance to change could restrict organizations from making necessary adjustments to their business model and core operations. The cultural issues noted above combined with a lack of organizational resiliency can be lethal in these uncertain times. Organizations committed to continuous improvement and breakthrough change are more apt to be early movers in exploiting market opportunities and responding to emerging risks than those companies that cling to the status quo.
Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and demographic shifts in the existing customer base. Protecting the customer base is not easy in today’s highly competitive environment of disruptive change. This may be what is on the minds of the survey participants rating this risk.
The company’s directors may want to consider the risks ranked here when determining the organization’s “big picture” risks to be evaluated in 2017. Boards should understand the nature of the risks inherent in the entity’s operations. If your board has not identified these issues as risks, your company’s directors should consider their relevance and ask why not.
This is the second post in a series addressing the short- and long-term impacts of the 2016 presidential election.
Directors gathered to discuss the impact of the recent presidential election on November 16, 2016 with audit and risk professionals from accounting firm EisnerAmper. While immediate-term changes were pressing on the minds of directors, they also discussed strategies to address societal and business challenges that coalesced around the following topics.
Can Corporations Bring Back Modern Manufacturing Jobs?
Directors were skeptical that the type of manufacturing jobs that have fueled American economic growth since the end of the Second World War would ever return, and asserted that changes in trade agreements may directly impact the ability to create jobs.
EisnerAmper Chief Risk Officer Peter Bible outlined how the developing administration of President-elect Donald Trump could affect the ability of American companies to export their goods. The Trans-Pacific Partnership (TPP) “is basically on hold now,” said Bible. “He wants tariffs on China and Mexico, wants to renegotiate NAFTA, and reconsider the U.S.’s involvement in international trade agreements.” Bible also pointed out that the president can act unilaterally on trade agreements, thus negating congressional checks on trade decisions.
Jill Wittels, chair at eMagin Corp., voiced concern about the pace at which companies could replace factories to offset the impact of tariffs and build more jobs for Americans. “Imposing currency restrictions and tariffs on goods coming in from China, South America, or other parts of Asia would be highly disruptive,” Wittels said. “You don’t instantly create replacement factories in the U.S. at a comparable cost.”
Robert Klatell, chair of TTM Technologies, concurred. “Realistically speaking, there is not that much flexibility. We cannot create in the United States the scale of manufacturing that exists in China,” Klatell said. “We don’t have the people or the capital to do it. We’ve rarely had a government willing to support manufacturing the same way that China has in the past 10 to 15 years.”
William Leidsdorf, director at Icahn Enterprises, offered a different viewpoint. “I think you have to look at how Congress may change or water down the president’s decisions,” Leidsdorf said. Trump “is a businessman. He’s a pretty good negotiator. He’s going to go in [to the presidency] and say he’ll do a lot of things and then negotiate.”
Educating the Workforce
Re-educating the American workforce has been a ubiquitous topic at roundtables co-hosted by NACD throughout 2016. This event was no exception.
A vigorous discussion about the modern workforce was ignited when Carol Robbins, principal of financial services strategic advisory group CER Consulting, cited the invention of a garment-sewing robot as a groundbreaking technology likely to replace countless garment manufacturing workers around the world. Sharon Manewitz, principal and executive director at Manewitz Weiker Associates, a firm that consults with struggling companies, responded: “But who will make the robots? Will they be made here? We need corporate America to help educational institutions change the nature of education in America” to meet the demands of a knowledge-based economy.
The ability of the workforce to be retrained for modern jobs, and how automation will continue to eliminate unskilled and lower-skilled positions, was discussed at length. Klatell, however, looked to the future. “Some people won’t make the transition, so we should be focusing on their children,” Klatell argued. “Hopefully, we can get their kids through school with a more meaningful education to make them more employable.”
Laurie Shahon, president of Wilton Capital Group, placed a board lens on some companies’ struggle to fill open positions in certain fields. “Human capital is an issue boards have to deal with,” Shahon said. “We see jobs available in financial services and other industries, but they can’t be filled because there aren’t sufficient qualified people to fill them. The board can and should present alternate cases in its strategy planning to address these changes.”
If Trump makes good on his campaign promises, deregulation is expected under the new administration and the forthcoming Republican-majority Congress. How long, though, can directors anticipate deregulated policies to last? Bible pointed out that the current administration might attempt to press through lingering Dodd-Frank provisions. However, he warned that deregulation could cause disruption. “These things are deeply rooted, with a lot of capital behind them,” Bible said. “You can’t just say ‘poof—gone.’ It’s impossible.” Practices that companies have implemented as a result of post-financial-crisis legislation [such as the Dodd-Frank Act of 2010] are unlikely to disappear as governance practices because companies invested time, energy, and money to comply with them.
Meanwhile, directors in the room considered what impact deregulation might have on enforcement of the Foreign Corrupt Practices Act (FCPA) and other international business policies by the Department of Justice. Andrea Bonime-Blanc, founder of GEC Risk Advisory, reminded attendees that enforcement of the FCPA, the False Claims Act, and other laws has been on the rise lately. “People are asking, ‘What’s going to happen with FCPA enforcement?’” Bonime-Blanc asked. “Companies can’t just say ‘oh, let’s stop worrying about bribery.’”
Bible responded: “I believe that the FCPA will continue to be enforced as a worldwide standard, and that the new administration’s focus is going to be on executive compensation and on market regulation. I don’t think there will be an increase or a decrease in enforcement.” If anything, Bible indicated that directors should be concerned about the risk of tax repatriation from companies that have moved their headquarters offshore. “Is everyone familiar with how the overseas tax issue works?” Bible asked. “There is $2.6 trillion in money offshore, and $500 billion of that is held by tech companies. There are drives to get that money back into the U.S. economy that can be done without addressing the entire tax structure.”
Don’t Give Up on Culture of Inclusion
The social unrest incited or revealed by the vitriolic presidential election was discussed in the context of the culture of inclusion and tolerance that attendees’ companies have invested in building for decades. Aside from the moral imperative felt by many attendees, the disruption of hard-won corporate culture by internal or external actors could present a reputation risk to the company.
Wittels noted that a popular American shoe company had been endorsed by an incendiary website littered with forms of hate speech after a senior manager at the shoe company said the country was moving in the right direction under the incoming president. While the company released statements strongly affirming its commitment to principles of inclusion, “there are comments about boycott,” Wittels said. “This is a real reputational risk, and a risk with consumers, that could instantly in this communication age go viral and affect the bottom line.”
Klatell returned to the question of the board’s responsibility to ensure that the CEO, his direct reports, and management across the organization are responsible for maintaining a culture of respect, dignity, and inclusion. In the face of employees who may be looking to throw principles of inclusion out of the door, Klatell said: “I’d hope that most companies would stand up and say ‘No, this is what we stand for, and this is how we behave.’”