Innovation and disruption are now commonplace in strategy discussions between the board and C-suite. Even innovations outside of a company’s own mission are changing everything from customer expectations to business operations. While the board’s agenda has evolved to include discussion of issues such as emerging technologies and workforce disruption, corporate directors must still contend with evergreen oversight tasks. Directors are feeling stretched, and reasonably so.
NACD’s Master Class board leadership forum convened more than 50 directors recently in Miami, Florida, to sharpen their focus on several pressing board oversight matters. The event highlighted lessons in effective board leadership and explored emerging disruptions that affect strategy and long-term value creation in today’s dynamic business environment. The discussions at Master Class revealed the following takeaways:
Review the outlook on the economy. The U.S. is on track to have its second-longest economic recovery, and it may even become the longest on record, according to Constance Hunter, chief economist at KPMG LLP. Unemployment is at an all-time low, and wages are slowly beginning to rise. Barring any global economic shocks, this could signal that the American economy is likely nearing peak growth. Hunter also reminded directors that though all signs point to stable economic growth this year, an economic downturn in the coming years is still possible.
Pay attention to increased complexity. From social and demographic changes to technological disruption, companies are facing increasingly complex challenges. Addressing these issues will require the board to keep up with today’s dynamic business environment. Being on a board is no longer simply about compliance or risk oversight. Fundamental conversations about company strategy and business models need to become regular topics of discussion. The board needs to ask hard questions of its executive team around the company’s data strategy, whether this team has the requisite set of skills to execute on strategy broadly, and how well the management team understands the competitive landscape and challenges specific to their industry.
Approach technology as an enabler of strategy. Board discussions about technology should focus on the current—or potential—application for the company. Directors should, therefore, approach such dialogues within the context of company strategy. The board should ensure that management understands and meaningfully engages with the company’s technology systems and the staff who use those systems, and assesses how the company invests in technology as an enabler of the broader strategy.
Wake up to disruption. Large companies are beginning to wake up to the disruptive players in their industries. Many so-called startup “unicorns” are now backed by corporate venture capital arms, enabling established, large-scale companies to gain a competitive edge with smaller companies leading transformative ventures and creating disruptive technologies. There are more avenues than ever before for businesses of all sizes to engage with emerging technologies, from pilgrimages to Silicon Valley, or attendance at events such as the annual NACD Consumer Electronics Show Experience, to setting up corporate venture arms.
Think outside—or about—the box. The concept of innovation does not have to be limited to a firm’s research and development department. A company can innovate in every facet of its business, from financing to product packaging. One director attending Master Class shared how one of her companies modified its package design for products that customers opened to peer inside. By redesigning the packaging to include transparent plastic, customers were able to see these products through the packaging and, thereby, didn’t feel compelled to open it. This helped the company dramatically reduce the number of products that were spoiled from being opened.
Demand better risk reports. Directors need to push management to enhance the effectiveness of risk reports provided to the board. If risk reports received from management look like audit reports, the board may not be receiving the information it needs to effectively oversee risk. Management teams often present so much information that directors may find it difficult to discern which risks demand the most urgent attention. In fact, the 2017–2018 NACD Public Company Governance Survey reports that in the past 12 months, 79 percent of respondents say they communicated with management about the types of risk information that the board requires.
Communicate what investors want to know. Institutional investors want to know whether the board is capable of being not only the board of today, but that of tomorrow. In this regard, the proxy statement is often underutilized as a way of communicating the board’s strengths and skills that will help strengthen its oversight of the company in the years to come. If effectively used, this document can enrich board-shareholder dialogue. More information is available in the publication Investor Perspectives: Critical Issues for Board Focus in 2018.
Few organizations or boards are capable of answering this question with any degree of certainty. Yet, the question is being raised with greater frequency and urgency due to actions by investors, regulators, customers, supply-chain partners, and competitors.
Across every industry the increased focus on climate change is accelerating other megatrends such as disruptive technologies, digitization, urbanization, and evolving demographics. Underpinning these megatrends are a combination of technological leaps and upheavals in global society and the environment that will reshape economies, businesses, and lifestyles. For example, over $1 trillion worth of new markets for manufacturers are expected to develop over the next decade as industries transform. This shifting landscape creates many uncertainties, risks, and opportunities for new products, services, supply-chain structures, and improvements in resource management, among many others.
Taken as a whole, these pressures are driving companies to better assess, define, and enact strategies to increase their climate resilience. In their strategic oversight role, boards need better insights on the direct impacts of climate change on the organization as well as the indirect risks and opportunities associated with transitioning to a lower-carbon economy.
Yet, recent NACD corporate governance survey data suggests that many boards need a rethink on this issue. Six percent of respondents indicated that climate change would have the greatest impact on their businesses over the next year. The previous year’s report found that over 90 percent of public company directors believe that climate change would have negligible impact over the next five years.
Companies that focus primarily on climate change’s projected physical impacts, expected to play out over the coming decades, will have “blind spots” to the indirect risks associated with the transition to a lower-carbon economy. Companies must go on the offensive to build climate resilience in order to gain competitive advantage.
Climate resilience is the capacity to adapt and succeed in the face of direct and indirect impacts of climate change. In addition to addressing and managing risks, it encompasses the ability to capitalize on the strategic opportunities presented by the shift to a lower-carbon and resource-constrained economy.
To provide boards with a line of sight into their organization’s climate resilience, management teams can undertake one or more of the following actions:
assess climate vulnerability of operations and facilities;
embed climate impacts into enterprise risk management programs; or
undertake scenario analysis to enhance decision making around risks and opportunities.
As a start, companies can model the risk of physical assets to identify location-level risk exposure and the vulnerability of properties and assets to evolving weather events and climate change. A geographic portfolio review can also help map demographic and infrastructure vulnerabilities to natural hazards to better understand how supply chains may be impacted by weather events.
Existing enterprise risk management (ERM) and risk assessment processes can be used to increase awareness of climate risks and better assess resilience across the organization. Leading organizations are using their ERM processes to identify how direct and indirect climate impacts—including regulatory and technology developments—serve to accelerate or otherwise change the velocity of other trends and risk events. Framing climate as a risk driver helps to align the timeframe of the risk and opportunity assessment to that of most corporate planning cycles.
Scenario analysis is recommended by the Financial Stability Board’s Task Force on Climate-related Financial Disclosures as a technique to assess climate impacts. Modeling different environmental scenarios (such as warming by a margin of 2 degrees Celsius and the associated changes) gives form to the amorphous problem of climate change and provides mechanisms to discuss potential future states of operation. In selecting and devising scenarios, companies should consider the appropriate trade-offs in quantification, but also avoid excess complexity and optionality. When assessing operational climate-risk resilience, it is critical to include at least one favorable and one unfavorable scenario. This empowers organizations to make informed decisions regarding their longer-term strategies.
Overall, it is clear that the dialogue on climate change within boardrooms and among C-suites of companies across all sectors must evolve to a focus on how climate change will impact their businesses. The real measure of a climate-competent board is one that can address this critical question: how climate-resilient is the organization?
Lucy Nottingham is a director in Marsh & McLennan Companies’ Global Risk Center and leads research programs on governance and climate resilience. All thoughts expressed here are her own.
Information security should be one of the most important risk areas of focus for boards. However, according to the 2017–2018 NACD Public Company Governance Survey, 88 percent of surveyed directors indicated that they had only some or little knowledge about how to navigate cyber risk. It’s clear that too few directors feel qualified to have this conversation in any degree of depth.
When I joined Amazon.com in 1998, Jeff Bezos, the company’s CEO and chair, viewed security as the most threatening, potentially company-ending risk that the company faced. Since then, many companies have come to regard security risk to their technology, the infrastructure on which they depend, as the greatest existential threat to their enterprise. Yet boards struggle to quantify these risks, to determine their tolerance for security risks, and to assess the company’s security program.
In their discussions of security risk, security leaders and board members are constrained by time, frame of reference, shared vocabulary, experience, and understanding of the adversary. Board members could use some help.
I propose ten simple questions that could enable discussion, provide board members with a lens through which they can broadly view the company’s security program and posture, and prompt security leaders to build a shared understanding of the company’s risk profile, threat landscape, and most important security initiatives.
1. Who is in charge?
It is critical for the board to identify the most senior information security leader in the company. This should be a person explicitly designated to lead the program, with the requisite skills, resources, and authority to execute it. This person commonly goes by a title such as chief information security officer (CISO), chief security officer, or head of security, among other titles. Sometimes, companies will take a tiered approach to security. In such cases, the leader of the security team plays a pivotal role, and the board needs to be comfortable that their position and authority is consistent with the importance that the board places on security.
If you identify someone who has security as one responsibility among a portfolio of others, it’s necessary to determine who has single-threaded focus on information security. Once that person is identified, you can discuss whether they have the proper ownership and resources to go with the responsibility, their reporting chain, the support that they receive from the rest of the company, and their relationship with the board. Regardless of who they directly report to, this person should be accountable to the board.
2. How do we assess risk?
Security is about risk management. It’s critical for directors to understand the process of identifying and analyzing security risks, how their likelihood and impact are estimated, how the appropriate controls are prioritized and implemented, how their efficacy is tested, and how results are monitored. Some potential security events are low probability and extremely high impact, making it more difficult to compare them to other risks. Nevertheless, it’s critical to go through the exercise of determining risk appetite, assessing and qualifying risk, quantifying overall exposure, and placing it within the company’s overall risk management framework. Finally, it’s important to be candid about your confidence in the risk assessment.
3. Are we focused on attacks?
It’s important to focus on managing the most critical threats and on breaking the attack kill chain—the structure of an intrusion—rather than to engage in “security theater,” or activities that give the appearance of competence while lacking in substance. Budgets are limited and security talent is in very short supply, so resources should be focused on establishing an architecture that has sufficient defense in depth, resilience, and intelligence to survive modern attack types.
Traditional approaches to defensive security that were dependent on protecting the perimeter of the enterprise continue to prove insufficient. Today, defenders must understand the adversary’s attack mechanisms, work backwards from the path of the attack, layer defensive measures throughout the enterprise, intervene before the attacker can extract sensitive data, and teach employees and customers to play their crucial part.
4. What’s our most important asset?
This question shouldn’t take long to answer. It should drive a discussion between the board and the security leader about how data and services are classified, the policies that are established for their defense, and the required and recommended controls for each class. When a new service is established, this classification framework in combination with the new service’s threat model should make it relatively easy to decide who is responsible for mitigating threats and what controls should be put in place.
When asked to rank their biggest cybersecurity fears, 41 percent of directors said they are most worried about brand damage. While customer trust is the key asset in many businesses, it’s important to identify the specifics of what would be the most devastating loss for the company. It’s only then that a thorough, qualitative assessment of the most critical components of the security program can occur.
5. How do we protect our most important asset?
Board members can calibrate the overall risk profile of a security program once they understand how the most precious asset is protected. The answer to this question should discuss the high-level threat model for that most important asset and, in the context of modern attack patterns, the mechanisms used to defend it. The answer should reflect that this is a journey on terrain that is shifting. There should be an iterative process of quantifying the risks of different threats, and of mitigating the most significant ones.
6. What’s our biggest threat?
This question forms the heartbeat of the conversation between the board and the security leader. It provides an opportunity to describe the company’s current security posture and its target state, and to refresh the board on the evolving threat landscape, the lessons to learn from emerging attacks, and the measures that the company is taking to mitigate the threats. For many companies, security risk is sufficiently important to warrant a discussion of this question at every board meeting, perhaps with a summary of the threat models for any major new products or services, and a review of the most significant risks at any recently acquired companies. When board members hear grandiose plans to address the biggest threat, but the deliverables are more than 18 months away, they may wish to ask for approaches to improve today’s posture without necessarily derailing the long-term solution. Don’t make the perfect the enemy of the good.
7. What do we control?
The board should assess the degree to which the company’s security policy and practices are explicit and prescriptive. Board members should be very suspicious of a security leader who claims to have complete control of the technology platform and the tools that employees use. Full control is usually a dangerous illusion, and any autocratic attempt to achieve it can lead to inflexibility and to employees working against or around the security program. Security should be viewed as a collective responsibility, rather than as a fixed constraint. Boards spend time assessing internal controls that, for example, provide confidence in custody over sensitive data and in the accuracy of financial reporting. Effective security leaders will distinguish between controls and control, and will strive towards “getting to ‘yes,’” rather than being the one who always says no. Getting to yes is easier if employees buy into a decision and if the path of least resistance is for them to do the right thing by default.
8. Are incident response and recovery plans tested?
This is one of those questions to which the answer can be “no” at most once. In the common case, this question will lead to a review of responses to and recovery from real incidents, in addition to a summary of simulated attack exercises, consideration of the fidelity of such exercises, and lessons learned. It provides the board with a view of the company’s capabilities in communication, response planning, incident analysis, risk mitigation under duress, and leadership.
9. Would we know if we’d been compromised?
Security technology vendors may tout breakthroughs that provide the ability to identify and prevent attempted compromises with perfect precision and recall. An effective conversation between a security leader and a board will take as a given that not all attacks can be identified and prevented, and that compromises may already lurk undetected. This should lead to a discussion of actions to make prevention as strong as possible, to improve the probability of detecting lurking intruders, and to reduce the likelihood that they reach critical assets and extract them.
In a world where the edge of the company’s technology footprint is increasingly blurred, where the sophistication of attacks outpaces security awareness, and where advanced persistent threats are used by adversaries, it’s inevitable that the answer to this question will be nuanced.
10. Who would be told, and how do we expect them to respond?
Communication is a key part of a successful incident response plan. Each person, including the board, needs to know his or her role in communicating about incidents internally and externally. The question goes beyond incident handling to include recovery processes and the proactive management of any reputation impact that may arise from the incident.
As a board member, it’s worth thinking about two questions that I used back in 1998 to get Bezos thinking about his role in incident response:
In the event of a high-severity security incident, do you think you’d be told?
Would you like to be told?
Response and recovery go hand in hand. It’s tempting to avoid putting significant effort into planning for recovery from a major security incident, and while everyone would prefer to focus on prevention efforts with a goal of zero incidents, the reality is that there’s no such thing as perfect security. The recovery plan is part of responding to the incident, learning from it, managing communications, and getting the company back in business. A well-executed recovery plan has the potential to limit the reputation damage caused by the event, and to help management and other stakeholders to move beyond it.
Finally, a bonus credit question: Do you have the team and the budget that you need to be successful in managing the company’s security risk?
These 10 questions are a starting point for a longer conversation. Directors and the security leader should regularly employ a more thorough framework, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, to begin building a deeper understanding of their company’s security posture. While the NIST framework goes to considerably more depth, these 10 questions are intended to get to the essence of what is most important for a board to periodically review.
Tom Killalea (@tomk_) is a director of Capital One Financial Corp., MongoDB, Carbon Black, and Orreco. From 1998 to 2014 he served in various leadership roles at Amazon.com, including vice president of technology and CISO. All opinions expressed here are his own.