To be a public company or to be a private company—that is the question for an increasing number of directors of both private and public enterprises. And given the recent rise in public-to-private buyouts and private-to-public initial public offerings (IPOs), corporate directors need to be comfortable in both worlds.
Heading toward the public markets are our newest IPOs. As of May 10, 2018, according to statistics from Renaissance Capital, the United States has seen pricing of 67 IPOs worth over $50 million—up 28.8 percent from the same period last year. Last year 160 IPOs got to the pricing stage—up 52 percent from the previous year. As for filings, the first quarter of 2018 saw 44 of them in the United States valued at over $50 million; last year featured 140 such filings—both numbers up from the previous periods, signaling a recovery from the dismal market of ten years ago.
However, the number of publicly traded companies on the market has still not rebounded to the pre-dotcom bust levels. Many companies now see an advantage in going private, with major examples in recent times being Panera and Staples. In both of those cases, the move came amid concerns about short-term mindsets on Wall Street inhibiting the companies’ ability to create long-term value. Earlier this year, Univision, a one-time public company that went private in 2007 after a buyout deal, withdrew from an IPO citing “prevailing market conditions.”
There’s also some speculation that companies want to leave public markets because activist shareholders have spooked them. The 2017-2018 NACD Public Company Governance Survey shows that 16 percent of respondents serve on boards that have been approached by activists during the previous 12 months—down from the previous two years but still a level high enough to motivate meetings with shareholders, reported by half of all respondents and the highest level reported since 2015. A Fortune article written at the time of the Safeway and Dell buyouts observes that both companies decided to go private because of the specter of investor activism. The article quotes a private equity executive speaking on background, saying: “Public company boards are scared to death of activists and will do all kinds of things to avoid proxy contests.”
With this business context in mind, the May/June issue of NACD Directorship magazine focuses on entrepreneurship and activist shareholders: who they are, what they want, and why they want it.
The dispersed global ownership of companies today, enabled through technology, has evolved into the complex adaptive system we call the global stock market. As we know from its recent volatility, the market can act a little crazy. But behind every single share that is traded there is a person who made a decision to buy or sell—often as a fiduciary (in the case of institutions). Directors can and should learn from them, even as they maintain their roles as representatives of all stakeholders.
Corporate directors are confronted with a variety of recently proposed governance standards, while activist investor campaigns are challenging both board composition and board effectiveness by targeting individual directors. Given the high level of personal reputational risk and the associated long-term financial consequences now faced by directors, a hard look at the adequacy of company-sponsored director and officer (D&O) risk mitigation and board compensation strategies is timely.
The Bedrock of Certainty Shifts
Shifting stakeholder expectations are codified in the frequently conflicting governance standards published in recent years. Following the National Association of Corporate Director’s own 2011 Key Agreed Principles, there are now draft voting guidelines from Institutional Shareholder Services (ISS) and Glass Lewis & Co.; standards from groups such as the Office of the Comptroller of the Currency (regulator), CalSTRS (investor), the G20, and the Organisation for Economic Co-operation and Development (influencer); and, most recently, the Commonsense Corporate Governance Principles from a group of CEOs led by JPMorgan Chase & Co.’s Jamie Dimon.
This proliferation of standards reflects differing stakeholder expectations and gives direct rise to new risks for directors. With these new risks and expectations emerge associated questions about the adequacy of current governance strategies, company-sponsored reputation-risk-mitigation packages, and director compensation.
Because the board is the legal structure administering governance, the standards that boards choose to guide their oversight have legal force. Furthermore, detailed, prescriptive standards have instrumental force.
For instance, ISS and CalSTRS are promoting highly prescriptive standards. ISS is exploring specific “warning signs” of impaired governance, including monitoring boards that have not appointed a new director in five years, where the average tenure of directors exceeds 10 or 15 years, or where more than 75 percent of directors have served 10 years or longer. CalSTRS expects two-thirds of a board to be comprised of independent directors, and defines director independence specifically as having held no managerial role in the company during the past five years, equity ownership of less than 20 percent equity, and having a commercial relationship with the company valued at no more than $120,000 per year.
The Commonsense Corporate Governance Principles released this summer was an effort to share the thoughts of the 5,000 or so public companies “responsible for one-third of all private sector employment and one-half of all business capital spending.” Certain background facts may lead some stakeholders to discount the Principles. For example, in addition to Dimon, the list of signatories was comprised mostly of executives who hold the dual company roles of chair and CEO. Also, according to the Financial Times, eyebrows have been raised by CEO performance-linked bonuses of about 24 to 27 times base pay at BlackRock and T. Rowe Price, two asset manager companies with executives who were signatories. Coincidentally, these asset manager companies were ranked among the most lenient investors with respect to the executive pay of their investee companies, according to the research firm Proxy Insight.
These standards can be deployed by checklist, and boards can be audited for compliance to the specifics of the adopted standards. But, more importantly, the very existence of these standards lends them authority through expressive force. What they express—or signal, in behavioral economic parlance—is intent, goodwill, and values. Signaling is valuable in the court of public opinion.
Personal Protection Strategies
As reported in NACD Directorshipmagazine earlier this year, activists often wage battle in the court of public opinion to garner public support when mounting an attack against a company. Emphasizing the personal risks, the Financial Times reported in August that “Corporate names are resilient: when their images get damaged, a change of management or strategy will often revive their fortunes. But personal reputations are fragile: mess with them and it can be fatal.”
Make no mistake: this risk is personal. A director’s damaged personal reputation comes with material costs. Risk Management reported in September that the opportunity costs to the average corporate director arising from public humiliation were estimated at more than $2 million.
Among the many governance standards, pay issues are the third rail of personal reputation risks. “If companies don’t use common sense to control pay outcomes, [shareholders have to question] what else is going on at the organization and the dynamic between the chief executive and the board,” an asset manager with Railpen Investments told the Financial Times recently. Clawbacks may be the most disconcerting pay issue because the tactic places directors personally between both the investment community and regulators.
Governance standards just over the horizon may give boards succor, and reputation-risk-transfer solutions may have immediate benefits. Since 2014, the American Law Institute (ALI) has been developing a framework titled, “Compliance, Enforcement, and Risk Management for Corporations, Nonprofits, and Other Organizations.” Members of the project’s advisory committee include representatives from Goldman Sachs & Co., HSBC, Google, Clorox, and Avon Products; diverse law firms offering governance advisory services; law schools; regulators including the Department of Justice; and representatives from a number of prominent courts. According to the ALI, the project is likely to hold an authority close to that accorded to judicial decisions.
The ALI work product remains a well-protected secret, but the project is expected to recommend standards and best practices on compliance, enforcement, risk management, and governance. It can be expected that the ALI standards will reflect the legal community’s newly acquired recognition of the interactions between the traditional issues of compliance, director and officer liabilities, and economics; and the newer issues of cognitive and behavioral sciences. Such governance standards will likely speak to the fact that while director and officer liability will be adjudicated in the courts of law, director and officer culpability will be adjudicated in the courts of public opinion.
Insurance Solutions Available Now
Boards that qualify for reputational insurances and their expressive force can mitigate risks in the court of public opinion. An NACDDirectorshiparticle noted earlier this year, “ . . . these reputation-based indemnification instruments, structured like a performance bond or warranty with indexed triggers, communicate the quality of governance, essentially absolving board members of damaging insinuations by activists.”
Given the increased personal reputational risks facing directors and the long-term financial consequences arising, it may be time for an omnibus revisit of the adequacy of both director compensation and company-sponsored D&O risk mitigation strategies in the context of an enhanced, board-driven approach to governance, compliance, and risk management.
Following the guidelines of the ALI’s project once they are published is a rational strategy. After all, the work product will be one that will have already been “tested” informally in the community comprising the courts of law, and will be designed to account for the reality of the courts of public opinion. And no firm today has natural immunity to reputation damage—even Warren Buffett’s Berkshire Hathaway appears to be in the ISS crosshairs. Reputational insurances which, like vaccines, boost immunity, are available to qualified boards to counter all that is certain to come at them in this upcoming proxy season. And for those who insist on both belts and suspenders, hazardous duty pay may seal the deal.
Nir Kossovsky is CEO of Steel City Re and an authority on business process risk and reputational value. He can be contacted at email@example.com. Paul Liebman is chief compliance officer and director of University Compliance Services at the University of Texas at Austin. He can be contacted at firstname.lastname@example.org.
Cybersecurity is more than a technological issue—it’s a business issue. In a BoardVision video moderated by Judy Warner—editor-in-chief of NACD Directorship magazine—Mary Ann Cloyd, former leader of PwC’s Center for Board Governance, and Zan M. Vautrinot, former commander of the Air Forces Cyber Command and current director of Symantec, Ecolab, and Parsons Corp., discuss effective cyber-risk oversight, addressing the following questions:
How can boards communicate with management about cyber risk?
How does cyber risk fit into discussions about risk appetite?
Here are some highlights from that conversation.
Judy Warner: For directors, I think one of the greatest challenges around the issue of cyber is how to engage in an informed conversation with management. And how do they become informed about their oversight roles as they relate to cyber?
Zan Vautrinot: One of the things that was absolutely clear about the private sector and corporate leadership is that they understood how to have a discussion about risks and strategy. The only thing different with cyber is that some of the technology and some of the solution sets are slightly different, but the conversation is the same. It is a discussion about a particular kind of risk and how it relates to the kind of business you are [in].
Warner: Mary Ann, from your perspective, how does that conversation take place, or start to take place, at the board level? And is it a conversation for the full board or a specific committee?
Mary Ann Cloyd: I guess I always say it depends. I never want to be so prescriptive as to tell somebody what they need to do because every board and every committee is different. However, I do think that, given the magnitude of how this affects so many businesses, it’s not a technology issue. It’s a business issue. So, with that, where would you oversee any other business issue at your board? And I’m guessing that a lot of it would belong at the full board, with parts of it delegated down to a committee.
Warner: The NACD recently published a handbook on cyber-risk oversight, and one of the discussions is around risk appetite and where does cyber fit into that equation today. And I know, Mary Ann, you have said we need to think of cyber as any other risk.
Cloyd: I think you bring up two interesting things. [I]n fact, we did a small publication [at PwC’s Board Leadership Center] earlier this year, and we called it “Defining Risk Appetite in Plain English.” What prompted it was I had a director come to me and he said, “Mary, we’re doing our off-site strategy session and we always talk about risk appetite. Do you have a good pre-read that I could give to the board so that they can understand what risk appetite means?” So we did this to really put in plain English, in four pages or less, what the dialog is between management and the board, and how you develop and define your risk appetite. And, to me now—as you have so beautifully put this, Suzanne—cyber is just another part of that risk discussion and how it fits into your overall strategy.
Vautrinot: Right. And if you have already had a discussion about your strategy and those things that are most important to you as a corporate entity, is it the data that is unique that you’ve collected—the information and the access to that information—that makes your corporation unique? Is it the technology or your research and development? Is it your insight into financial transaction or merger and acquisition? Is it [about] manufacturing processes or distribution processes?
Every board and every management team knows what is most important to them being successful as a corporation. It is likely that those things are the areas that [the board] would want to focus on with assessing cyber risk. If you look at that area and say this is what is most important to us as a corporation, and this is the technology that we depend on to do that activity, now I can say that is sufficient or it is insufficient relative to the amount of risk I am willing to accept in that area. There may be other areas that aren’t core to the business, and so you are willing to accept a different amount of risk or put different systems in place that kind of sandbox it—[systems] that put a fence around, or that separate or provide different controls to allow [the lower-risk] activity to run more openly, whereas [higher-risk areas are] much more controlled and much more precious.