The complexities surrounding short-termism make it a tough nut to crack. Short-termism in this instance refers to a focus on short-term company performance results to the detriment of achieving long-term strategic goals. But in all its forms, short-termism is not sustainable in a rapidly changing world. That’s why directors need to ensure that the organizations they govern seek a healthy balance in addressing short- and long-term interests of the organization’s senior executives and stakeholders.
Short-termism is certainly not a new concept. In a recent survey of more than 600 public company directors and governance professionals conducted by NACD, 75 percent of respondents indicated that pressure from external sources to make short-term gains is compromising management’s focus on long-term strategic goals. This pressure can affect the board’s risk oversight.
Short-termism manifests itself in many ways. The more common example is focusing on quarterly earnings at the expense of funding long-term sustainable growth. But it can also lead to the pursuit of several risky activities, including: M&A deals for growth’s sake without clear linkage to the overall corporate strategy; releasing new products to market without sufficient testing; allowing cost and schedule considerations to undermine safety on significant projects (e.g., deferring maintenance or taking risky shortcuts); and taking on excessive leverage to pursue activities that are currently generating attractive returns.
Underlying the evidence of short-termism is a complex series of root causes. Globalization, technological developments, improved transparency, and reduced transaction costs have facilitated capital flows, enabling investors to reallocate their assets to seek higher yields with greater ease. Hedge funds and other activist shareholders are also acquiring small stakes in a company with the objective of steering profits to shareholders immediately (through higher dividends, stock buybacks, asset spinoffs, or downsizing in lieu of investing in innovation that will improve productivity and drive future growth, for instance). Still another cause is the existence of compensation structures emphasizing executive pay over the near term to the detriment of long-term shareholder interests. These compensation models skew management’s decision-making toward maximizing short-term profits even at the cost of taking on excessive risk.
Following are six concrete steps the board can take to ensure short-termism does not compromise risk oversight:
1. Focus the board’s oversight on risks that matter. If risk management is focused primarily on operational matters, chances are management is not focusing attention on the right question: Do we know what we don’t know? To face the future confidently, both management and the board need to focus the risk assessment process on:
a. identifying and managing the critical enterprise risks that can impair the organization’s reputation, brand image, and enterprise value; and
b. recognizing emerging risks looming on the horizon on a timely basis.
Even though the day-to-day risks of managing the business are important, they should not command the board’s risk oversight focus except when truly pressing issues arise.
2. Lengthen the time horizon used to assess risk. Focusing on quarterly performance, annual budgets, and business plans may lead to a risk assessment horizon of no more than three years. That period may be too limiting because strategic opportunities and risks typically have a longer horizon—even with the constant pressure of disruptive change on business models. For example, the World Economic Forum uses a 10-year horizon in its annual risk study. Longer risk-assessment horizons are more likely to surface emerging issues, along with new plausible and extreme scenarios, that might have been missed with a shorter time frame. Thus, the board needs to satisfy itself that management is using an appropriate horizon.
3. Understand and evaluate strategic assumptions. Management’s “worldview” for the duration of the strategic planning horizon is reflected in assumptions about several topics: the enterprise’s capabilities; competitor capabilities and propensity to act; customer preferences; technological trends; capital availability; and regulatory trends, among other things. Directors should weigh in on management’s assumptions underlying the strategy. Doing so could reveal insights into the external environment and internal operating impacts that could invalidate the critical assumptions underlying the strategy. This is a useful approach to understanding sources of disruptive change.
4. Integrate risk and risk management with what matters. Short-termism can render risk an afterthought in the formulation of strategy. Risk management similarly can become a mere appendage to performance management. The strategy, therefore, may be unrealistic and may involve taking on excessive risk. In addition, performance management may be overly focused on retrospective, backward-looking lag metrics. The board should ensure the strategy-setting process considers risks arising from strategic alternatives, risks to executing the strategy, and the potential for the strategy to be out of alignment with the organization’s mission and values. Directors also should insist that prospective, forward-looking leading metrics be used to complement the more traditional metrics used to manage the day-to-day business operations.
5. Watch out for compensation imbalances. Publicly listed companies on U.S. exchanges are required to disclose in the proxy statement whether the company’s system of incentives could lead to unacceptably risky decision-making in the pursuit of near-term rewards. The compensation committee typically conducts a review for excessive risk-taking in conjunction with its oversight of the compensation structure. Board concerns with respect to short-termism are a red flag for the compensation committee to sharpen its focus on the potential for troubling compensation issues that could lead to bet-the-farm behavior. A key question: Do key executives have sufficient “skin in the game” so they will be incented to take risks prudently in the pursuit of value-creating opportunities?
6. Pay attention to the culture. Short-termism can contribute to a dysfunctional environment that warrants vigilant board oversight. For example, management may continue to execute the same business model regardless of whether market conditions invalidate the underlying strategic assumptions. Also, operating units and process owners may be fixated on making artificial moves (e.g., deferring investments) and manipulating processes (e.g., cutting costs to the bone) to achieve short-term financial targets. Instead, the strategy should be focused on fulfilling customer expectations and enhancing the customer experience by improving process effectiveness and efficiency. These and other red flags warrant the board’s attention because they signal the possibility of unacceptable risk-taking that must be addressed.
If short-termism is a concern of the board, directors need to ensure their risk oversight process isn’t compromised by it. A strong focus on linking risk and opportunity can help overcome some of the “blind spots” that a myopic, short-term outlook can create.
The following blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors (NACD) announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will launch during NACD’s Global Board Leaders’ Summit Oct. 1–4.
As many as 95 percent of breaches to companies’ data have a human element associated with them. It is no wonder, then, that security teams call people “the weakest link” in securing an organization and choose other investments for defense. Despite companies’ deep investments in security technology over the years, security breaches continue to increase in frequency and cost.
The conventional approach misses a significant opportunity to utilize people as a defense strategy against the ever-changing threat landscape. In fact, only 45 percent of respondents in the National Association of Corporate Directors’ 2016–2017 Public Company Governance Survey reported that their boards assessed security risks associated with employee negligence or misconduct. Organizations that have fostered intentional security cultures from the boardroom to the server room have managed to transform employees into their strongest asset in defending against attacks, gaining advantages in both protecting against and detecting cyber threats.
What is security culture?
From the boardroom to the server room, people could be your greatest security asset.
Culture-competent boards and management teams understand that culture is the set of behaviors that employees do without being told. In simpler terms, it’s “the way things are done around here.” There are many sub-cultures within an organization, and security culture is one that often looks quite different from the expectations set by policy. Security culture has the power to influence the outcome of everyday business decisions, leaving an employee to judge for themselves the importance of security in a decision. For instance, some frequent questions that employees might encounter include:
Is it ok to release insecure code or should we test more, resulting in a delay?
Do I feel safe to report that I may have incorrectly shared a critical password?
Do I prioritize a secure vendor over a less expensive one?
Each of these decisions, when made without security in mind, adds to the organization’s security debt. While it is likely that none of these decisions on their own will lead to the downfall of the organization, each risky action increases the probability of being targeted and successfully compromised by cyber-attackers. On the other hand, if the questions presented above are answered with a secure mindset, over time an organization can expect to see more secure code, better data handling processes, and an increased ability to detect cyberattacks, just to name a few examples. A positive, security-first culture makes it more difficult for an attacker to find and exploit vulnerabilities without detection, incentivizing a different choice in target. Directors at companies across industries should carefully evaluate whether management has established a security-first culture as part of their greater cyber-risk oversight strategy.
It is worth realizing that security-minded employees will not solve all security headaches. However, a company’s talent is an essential third leg of the business stool, partnered with technology and processes. An organization that does not invest in training and empowering its employees to prioritize security is only defending itself with two-thirds of the options available to it.
How do you practice it?
The first step boards and executives can take to shape security culture is to identify the most critical behaviors for your employees. Historically speaking, security culture programs used to be based on compliance and asked, “How many people completed a training?” or “How much time is an employee spending on education?” These are not the right questions. Instead, we should ask, “What will my people do differently after my program is in place?”
Prioritize behaviors by their impact on the security of your organization, customers, and data. Ideally this will distill down into two to three measurable actions that boards and executives can encourage employees to take in the short-term to be security minded. Most mature security culture programs have the following three capabilities to help develop these behaviors: measure, motivate, and educate.
1. Measure. It is critical to have measures in place to show progress against culture change. When an organization can measure its key desired behaviors, it can start answering critical questions such as:
– Are my campaigns effective at changing this behavior?
– What groups are performing better? Why?
– Has the company already met its goals? Can I focus on the next behavior?
Measuring culture is notoriously tricky because of its qualitative nature, but it can be done using measures such as the number of malware infections, incident reports, or even surveys that test for the knowledge of, and adherence to, policy and process. Surveys should also test for employees’ perception of the burden of security practices, as well as a self-assessment of individual security behavior.
2. Motivate. Effective behavior change requires motivation. Spending the time explaining the purpose behind each security measure goes a long way in getting employees on board. As an example, sharing case studies of successful attacks and lessons learned helps demonstrate to employees that the threat is real and applicable to their work. Some other great ways of providing motivation to follow through on security behaviors are public recognition of outstanding behavior, gamification, or rewards for success.
3. Educate. Employees cannot act to change their behavior if they are not fully trained to do so. Ensure employees have the knowledge and tools to complete the security tasks. Ideally, the information presented should be tailored by role and ability level to make it as relevant and interesting to the employee as possible. One key focus should be on educating senior executives on the trade-offs between risk and growth in a company. Consider providing scenarios based on real cyber-attacks that explore the long-term impact of risky business decisions. Add these discussion opportunities into existing leadership courses to help model a security mindset as a valued leadership trait.
Senior level engagement
While the above is a framework that boards and executives can use to drive security behavior change from the bottom up, leadership has an important role in setting the security culture as well. Executives can publicly share the value of security as an employee themselves, which will reinforce the importance they see in proper security culture to the organization and to the customers they serve. Executives should hold their businesses accountable for executing on key security behaviors and publicly call out examples that have impacted the security of the organization, either positively or negatively. Finally, boards should press executives to ensure that the focus of their people-centric security program is on the highest area of risk, not just what is easy to measure.
Masha Sedova is the co-founder of Elevate Security, a company delivering interactive and adaptive security training based on behavioral science. Before Elevate, Masha was a security executive at Salesforce.com, where she built and led the security engagement team focused on improving the security mindset of employees, partners, and customers.
The National Association of Corporate Directors (NACD) released the 2016–2017 NACD Public Company Governance Survey late in 2016. The survey, which NACD has administered for two decades, helps directors affirm that their governance practices are effective, fit for purpose, and clearly communicated to shareholders. Our members find value in benchmarking their companies’ approach in areas such as board structure, composition, education, recruitment, and evaluation year over year, and they use the results to identify opportunities for improvement and validate board priorities for the coming year.
What did we learn about changes to public company governance in the previous year?
Although we did not see any seismic shifts in how public companies govern themselves, the data indicate that corporate boards are slowly adapting to heightened expectations about their contributions and performance.
Let me share 10 key takeaways from this report and illustrate some of the changes we have observed in our analysis.
1. Overseeing Uncertainty. Economic uncertainty and business-model disruption are among the top concerns for corporate boards in 2017. Respondents also report that major industry changes, growing regulatory demands, and cyberattacks will significantly affect their companies over the next 12 months. Global economic uncertainty was selected by 60 percent of respondents as one of the five trends that will have the greatest impact on their companies over the next 12 months, most likely in light of ongoing economic turbulence that includes the fallout from Brexit, emerging markets volatility, and the protectionist trade stance of the new US administration.
2. Deeper Board Engagement with Strategy Setting. Growing external uncertainty seems to accelerate the momentum for increased board leadership in strategy. For more than half of boards, active involvement in the development of strategy is a goal for major improvement over the next 12 months. Recognizing that successful strategy setting and execution in this volatile environment are challenges, boards are eager to move from the traditional review-and-approve process to more active strategy engagement earlier and on an ongoing basis, allowing directors to examine underlying assumptions, competitive dynamics, and alternatives.
3. The Tyranny of Short-Termism. Maybe the most important structural barrier to board engagement in strategy setting is the intense short-term performance pressure placed on both boards and management. Seventy-five percent of respondents report that management’s focus on long-term value creation has been compromised by pressure to deliver short-term results, while 29 percent report that pressure on boards to focus on short-term performance inhibits their ability to effectively oversee long-term strategy development.
4. Risk Oversight Moves to a Higher Standard. Board risk oversight is becoming a robust practice, with a large number of boards looking beyond a review of the top risks to consider the linkage between risk and strategy, the impact of incentives, and the strength of their company’s risk culture. Many boards now receive frequent reports on key components of risk management, including summaries of top risks, emerging risks, and their mitigation. According to our survey, 63 percent of them perform in-depth reviews of specific top risks. Perhaps in response to the recent corporate debacles in the auto industry and banking sector, more than 57 percent of boards now assess whether incentives used in the company’s compensation structure could inadvertently create or exacerbate risks.
5. Struggling to Meet the Cybersecurity Challenge. Directors continue to wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge of this growing risk. Fifty-nine percent report that they find it challenging to oversee cyber risk, and only 19 percent of respondents report that their boards possess a high level of knowledge about cybersecurity. While 37 percent of respondents feel confident and 5 percent feel very confident that their company is properly secured against a cyberattack, many of their boards may lack sufficient expertise or adequate information to confidently assure that cybersecurity defenses are indeed effective.
6. Managing a Growing Board Agenda. The average director time commitment has stayed relatively flat at 245 hours per year, with more time spent on preparations and less time on travel compared to last year. The average number of meetings has also remained flat. Facing ever-expanding agendas, boards struggle to effectively prioritize their scarce meeting time. When asked about time allocation over the last 12 months, more than a third of respondents indicate that their boards spent too little time on director education, executive leadership development, cyber-risk oversight, board succession planning, sustainability, CEO succession, and information technology oversight.
7. Information Rich, Insight Poor. Boards receive much information from management but express concerns about the quality of that information. While directors noted an average increase of 12 hours for document review in preparation for meetings, roughly 50 percent of respondents noted a glaring need for improvement in the quality of information provided by management.
8. Increased Shareholder Engagement. Boards are increasing their shareholder engagement, but their level of preparedness to address activist challenges is uneven. This year, 48 percent of respondents indicate that a representative of their board held a meeting with institutional investors over the past 12 months, compared to 41 percent in 2015. Only 25 percent of respondents have developed a written activist response plan, which may be a critical tool to effectively address a forceful challenge from an activist.
9. The Increasing Reliance on Search Firms for Director Recruitment. Boards no longer primarily rely on personal networks to recruit new directors, signaling increased professionalism and a desire to tap into a wider network of candidates. For the first time since NACD began to survey its members on this issue, search firms were the leading source boards used to identify their most recently recruited director.
10. Only a Minority of Boards Conduct Individual Director Evaluations. Only 31 percent of respondents report that improving the board evaluation process is an important or very important priority for their boards in the next 12 months. In fact, just 41 percent of boards now use individual board evaluations, and an even smaller number use the results of these evaluations to make decisions about replacing directors.