It’s way too early to make any judgments on board conduct in the Equifax controversy. That’ll be for the courts to decide, and they’ll take a long time getting there. But it’s not too early to draw some useful governance lessons from the situation, if media reports are to be believed. And these are lessons that apply regardless of whether the board serves a publicly held, privately owned or nonprofit corporation.
Some of these lessons relate to the board’s crisis management responsibilities. Others relate to the oversight of the board-CEO relationship. Still others invoke expectations of board cybersecurity oversight.
All of the possible lessons are premised on the increasing recognition of the inevitably of crisis, be it black swan or foreseeable, cybersecurity-related or “from out of left field.” For most complex enterprises, crises are just going to happen. The only questions are when, how big the crisis will be, and from what direction it will come. The most prescient of boards will embrace this inevitably and prepare for a corporate governance version of Defcon 3.
The other lessons are more practical in nature.
1. Emergency Succession The swiftness of Mr. Smith’s removal speaks to the “nuts and bolts” value of having an emergency executive succession plan. The sudden Smith transition is a shocking example of how emergency succession applies to circumstances beyond customary triggers such as death, health care and family considerations. In today’s crisis-oriented environment, the need to separate from, and replace even the youngest, seasoned and most successful executives can arise at a moment’s notice.
Succession is a part of the board’s basic responsibilities that often gets lost amid the confluence of best practices and consultant messaging. Such planning can be complicated. According to the New York Times, the Equifax board regarded many of its original replacement candidates as “tainted” by ties to the cyber breach—including some executives who are believed to have sold company stock after the breach was discovered but before it was disclosed to the public.
2. Structuring the Separation There’s also the need to anticipate both the classification and the financial terms of executive separation in the context of a crisis environment. According to media reports, Mr. Smith’s separation was described as a retirement. Yet, the board announced that it was reserving the right to retroactively classify the separation as for-cause termination, based upon the ultimate findings of a board special committee charged with the responsibility for reviewing the data breach. Such a reclassification would have obvious and material implications for Mr. Smith’s compensation arrangements, including valuable stock awards.
This action by the Equifax board reflects several key realities of the crisis environment.
It will often be difficult to fairly ascertain the presence of cause for termination purposes in the direct aftermath of a crisis. The consideration of the results of an internal investigation may be a necessary and equitable precondition.
While not yet considered best practice, the use of clawbacks and other forms of executive compensation disgorgement arrangements is increasingly viewed as an effective response to executive fraud, malfeasance, or other misconduct. Clawback application has most recently been demonstrated by the actions of a financial services company board in response to a significant corporate controversy.
Boards must face the harsh reality of the need to impose separation in advance of intense scrutiny by the media, regulators, and possibly even legislators. The sometimes corporate brutality of “throwing executives under the bus” may be perceived as both part of an effective board response (i.e., to demonstrate board accountability), and necessary to preserve the reputation of the company and the interests of its stakeholders. According to the Wall Street Journal, the departures of the Equifax information officer and chief security officer were not considered by the board to be actions significant enough in stature. Thus, the concept of “strict accountability” for executives in the context of major corporate controversies may increasingly be considered an indirect part of the compact between the board and management.
3. The Standard of Conduct Another lesson is for the board to reconsider the effectiveness of its own cybersecurity oversight efforts. The leading judicial decisions have to date established a high Caremark-style barrier for demonstrating breach of cybersecurity oversight responsibilities. Notable in this regard was the decision of the court in the Home Depot case to extend the protection of the business judgment rule to the board’s conduct, despite its clearly expressed concerns about the speed with which the board implemented protective measures.
However, boards should not place unreasonable reliance on Caremark protection. As instances of cyberbreaches become more egregious, it is reasonable to project a stricter approach to director liability in future cases.
4. The Self-Critique Perhaps the most basic governance lesson from Equifax is the need for board self-evaluation. Any board-driven internal investigation of a corporate controversy will benefit from consideration of the adequacy of the full board’s related oversight efforts. For example, the Wall Street Journal reported that weaknesses in Equifax’s cybersecurity measures were “apparent to outside observers in the months before the hack.” Was the board made aware of these weaknesses? If not, why not? Such a self-critique has been an accepted component of truly comprehensive internal investigations since the “Powers Report” from the Enron board. The willingness to consider how possible governance inadequacies may have contributed to crises can serve as a powerful demonstration of the board’s good faith and assumption of ultimate responsibility.
Equifax is not, as some have characterized it, the second coming of Enron. That’s unnecessary hyperbole at this point. As exaggerated as commentary may be, what is known about the crisis offers a valuable teaching moment to boards about expectations of fiduciary conduct in crisis situations, cybersecurity or otherwise.
Michael W. Peregrine, a partner in McDermott Will & Emery, advises corporations, officers and directors on matters relating to corporate governance, fiduciary duties and officer/director liability issues. His views are his own and do not necessarily reflect the views of McDermott Will & Emery, its clients, or NACD.
If power and cellular phone service to your plant were inoperable because of a devastating hurricane, how would you reach employees to confirm their safety first, and then address the status of the facility? If your company handled classified projects and a building’s power grid failed in a natural disaster, how long would backup generators work before being refueled by trucks that might not have an easy route to the building? What if the building’s doors were unlocked after the back-up locks failed—could the classified work within the facility be compromised?
These real-life stories, shared at the April program of the NACD Carolinas Chapter, illustrate the unpredictable nature of crises. How can companies prepare for the unknown, and what role does the board play in oversight and direct response in the event of a crisis?
James H. Hance, director for The Carlyle Group, Cousins Properties, Acuity Brands, and Ford Motor Co. (and a former director of Sprint Nextel Corp., Bank of America, and Morgan Stanley), and Linda P. Hudson, chair and CEO of The Cardea Group, and director of Bank of America, Southern Company, and Ingersoll Rand, shared their experiences and advice on crisis management. They were joined by Deloitte’s Henry Phillips and Theresa Drew, who moderated the conversation.
Lessons learned from real-world crises and how the boards of their companies responded follow.
1. Establish and understand what amounts to a crisis.
“As a director, you know the company will have a crisis,” said Hance. “But what will that crisis be and how do you prepare?” He defined a crisis as an immediate problem that “requires the CEO of the company to be involved.”
Further, the initial measure of a company’s successful response tends to be tied to how early the crisis is identified. Social media may lead to the whole world knowing about the crisis very quickly, so the company must be agile enough to respond very quickly in kind.
2. Prepare for the known, but expect the unknown.
According to Hudson, if your company hasn’t thought through the possible risks involved in crisis scenarios, then the company likely will fail in its response. However, even if risks have been evaluated, there “isn’t a high probability the crisis that happens will be what was originally identified.” Hance added that those companies with a robust enterprise risk management function will likely be more prepared for a crisis, whatever it might be.
During her time as CEO at BAE Systems, Hudson deployed playbooks that addressed key crisis management questions. Some of the most critical items included in those playbooks follow.
Who will identify the situation as a crisis?
Who is on the team that is pulled together to respond to a crisis?
What is the escalation protocol?
Who calls whom (ex., customers, regulators, and other stakeholders)?
Who will be the public face of the company?
3. Board oversight is critical.
“The board must be in the escalation cycle in a crisis management plan,” said Hudson. Hance agreed. He also added that the board should exercise policy oversight. Hance pointed to a recent story in the news. A board would not, for example, look at how passengers are removed from planes. However, it would review the airline’s policy for bumping passengers, as well as the company’s culture, and make suggestions to management based on those considerations.
Phillips also emphasized the role of the lead independent director given that a crisis can be very emotional for board members closer to the company. The lead independent director can act as a source of calm leadership through a crisis. In addition, Hance emphasized, “The CEO needs to have a sounding board, and this group of people should be identified and set up ahead of time.”
4. Learn from each crisis and study your competitor’s crises to help prepare for your own.
Each crisis—whether one of your own or one happening at a competitor’s company—is an opportunity to learn. For example, panelists pointed out how well the CEO of General Motors Co. handled the ignition switch crisis, and called out the genuine connection the company made with affected people. Hance concurred and noted that other car companies were watching and learning. He also shared how Ford changed some of its processes after Toyota Motor Corp.’s crisis over sticking accelerators.
Unexpected events like 9/11 and Hurricane Katrina taught companies valuable lessons. For example, many New York banks routed electronic traffic through networks at the World Trade Center. When those networks went down, so did the banks’ ability to do business, according to Hance. Similarly, Hudson shared that after Hurricane Katrina made landfall on the Gulf Coast in 2005, landlines and cell phones alike stopped functioning. Now the company has satellite phones in each of its locations, enabling seamless communications in the event of a communications-disrupting crisis.
5. Use outside help judiciously.
Depending on the industry, Phillips noted the importance of ensuring that the company has the right connections to important officials in the event of a crisis. For example, does the company have an established contact at the Federal Bureau of Investigations in case of a cyber-attack?
The panel agreed that, while legal help can be critical, it is also important to be open and honest, resisting any advice to keep silent during the crisis. Liability will follow, regardless. When asked about involving public relations firms, Hudson shared that each company “should tell its own story.” Doing so can be more authentic.
6. Always do the right thing.
The panelists agreed that the best defense in a crisis is to be sure the company directly addresses the personal needs of those impacted—whether they’re employees or members of the community. After Katrina, Hudson’s company assisted employees in Mississippi who had no access to banks by meeting their need for cash through the recovery period. The company never asked for that cash back.
Hance noted that the board is likely to be criticized in a crisis regardless of whether the proper oversight was exercised. So, as a company, the best approach is to identify what feels like the correct response for each event, and simply to “do the right thing.”
NACD Carolinas would like to thank the panelists for sharing their experiences with attendees and Deloitte for its support of the program.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
Reputation is a precious but fragile enterprise asset. What takes decades to build can be lost in a matter of days once the spotlight shines on unethical or illegal practices that place an organization’s stakeholders or the public at risk. Environmental catastrophes, financial restatements, fraudulent reporting to regulators, massive product recalls, efforts to mislead investors, and other highly publicized events erode brands and impair reputation. We define reputation risk as the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion.
We see 10 key functions of the board’s oversight of reputation risk management, and classify them in five critical areas below.
Effective board oversight – Reputation risk management starts at the top. Strong board oversight on matters of strategy, policy, execution, and transparent reporting is vital to effective corporate governance, a powerful contributor to sustaining reputation, and is the ultimate checkpoint on CEO performance. The board’s active risk oversight effort is important because effective, early identification, and management of risks can reveal major threats to the company’s reputation and ensure that the threats are reduced to an acceptable level.
Integration of risk into strategy-setting and business planning – The board must ensure that risk is not an afterthought in the strategy-setting and business planning processes. Integrating awareness of risks with core management processes makes risk a relevant factor at the decision-making table, facilitates a big picture view to undertaking risk, and intersects risk management with performance In an effort to make the strategy more robust, directors should understand the critical assumptions underlying the strategy; ask tough, constructive questions to challenge assumptions; and consider plausible scenarios that could render one or more assumptions invalid.
Effective communications and image- and brand-building – Building brand recognition unique to a business is vital and, when all else is working well, augments reputation. A good story is easier to tell than one with flaws, but every savvy board knows that some companies are better at telling their stories than others. Therefore, directors need to understand management’s image- and brand-building game plan and how significant changes to that plan could present a significant risk to the company’s reputation.
Strong corporate values, supported by appropriate performance incentives – The notion that, if tone at the top is good, the organization’s culture must be good, doesn’t always hold. Lower-level employees often pay more attention to the messaging and behavior of their supervisory middle managers than to communications from the organization’s leaders. Boards need to ensure that executive management implements a strong tone at the top, effective escalation processes, and periodic assessments of the tone in the middle and at the bottom. Directors need to ensure that management is paying attention to warning signs posted by independent risk management functions and in audit reports: failure to give these warning signs adequate attention on a timely basis reflects on the tone set by executive management. For example, the executive leadership of Barings ignored warnings from internal audit of the consequences of the lack of segregation of duties in its Singapore operations because those operations were making the bank a lot of money. Ultimately, the hidden trading losses took down the institution.
Positive culture regarding compliance with laws, regulations and internal policies – Few incidents undermine reputation more than serious, highly publicized compliance violations. Directors should ascertain that effective internal controls – including monitoring processes and robust training of employees – over compliance matters are implemented and executive management: “walks the talk” with respect to compliance; periodically conducts a comprehensive risk assessment; refreshes the compliance program for changes arising from new regulatory developments; and understands the players and third-party agents in countries in which the organization does business and monitors their dealings closely.
Priority focus on positive interactions with stakeholders – The board should ensure that there is a passionate focus on improving stakeholder experiences. These are the accumulation of day-to-day interactions that customers, employees, suppliers, regulators, shareholders, lenders, and other stakeholders have with a company as a result of its business operations, branding, and marketing. These interactions constitute moments of truth that, if internalized and acted upon, provide a powerful driving force for improving and sustaining reputation.
Quality public reporting – The markets take quality public reporting at face value. Once a company loses the public’s confidence in its reporting, it’s tough to earn it back. These points suggest that a strong audit committee is an imperative.
Strong control environment – A critical component of internal control, the control environment lays the foundation for achieving operational, compliance and reporting objectives. In addition to the board’s oversight and the organization’s commitment to integrity and ethical values, as mentioned above, the control environment consists of: the organizational structure and assignment of authority and responsibility; the processes for attracting, developing and retaining appropriate talent; and the rigor around setting the appropriate performance measures, incentives and rewards that drive accountability for desired results. Embarrassing control breakdowns can tarnish reputation; therefore, boards should demand a strong control environment.
Company performance relative to competitors – Market recognition of success is a huge validation of a company and its management team. Recognition of differentiating strategies, distinctive products and brands, proprietary systems, and innovative processes are intrinsic sources of value that can translate into superior quality, time, cost, and innovation performance relative to the company’s competitors. However, significant performance gaps can diminish reputation if not addressed in a timely manner. These factors should weigh heavily on a board’s evaluation of company performance over time.
World-class response to a high-profile crisis – Sooner or later, every company is tested. No company is immune to a crisis. As a crisis event is a severe manifestation of risk, crisis management preparation is a natural follow-on to risk assessment, particularly for high-impact risks with high velocity, high persistence, and low response readiness. The board should ensure that the risk assessment process is designed to identify areas where preparedness and a response team are needed. Fires cannot be fought by committee.
While a one-size-fits-all approach does not exist, the 10 keys listed above offer boards a framework for focusing on whether executive management is focused on the appropriate fundamentals for enhancing and preserving the enterprise’s reputation.
Jim DeLoach is managing director with Protiviti, a global consulting firm.