Cybersecurity is more than a technological issue—it’s a business issue. In a BoardVision video moderated by Judy Warner—editor-in-chief of NACD Directorship magazine—Mary Ann Cloyd, former leader of PwC’s Center for Board Governance, and Zan M. Vautrinot, former commander of the Air Forces Cyber Command and current director of Symantec, Ecolab, and Parsons Corp., discuss effective cyber-risk oversight, addressing the following questions:
How can boards communicate with management about cyber risk?
How does cyber risk fit into discussions about risk appetite?
Here are some highlights from that conversation.
Judy Warner: For directors, I think one of the greatest challenges around the issue of cyber is how to engage in an informed conversation with management. And how do they become informed about their oversight roles as they relate to cyber?
Zan Vautrinot: One of the things that was absolutely clear about the private sector and corporate leadership is that they understood how to have a discussion about risks and strategy. The only thing different with cyber is that some of the technology and some of the solution sets are slightly different, but the conversation is the same. It is a discussion about a particular kind of risk and how it relates to the kind of business you are [in].
Warner: Mary Ann, from your perspective, how does that conversation take place, or start to take place, at the board level? And is it a conversation for the full board or a specific committee?
Mary Ann Cloyd: I guess I always say it depends. I never want to be so prescriptive as to tell somebody what they need to do because every board and every committee is different. However, I do think that, given the magnitude of how this affects so many businesses, it’s not a technology issue. It’s a business issue. So, with that, where would you oversee any other business issue at your board? And I’m guessing that a lot of it would belong at the full board, with parts of it delegated down to a committee.
Warner: The NACD recently published a handbook on cyber-risk oversight, and one of the discussions is around risk appetite and where does cyber fit into that equation today. And I know, Mary Ann, you have said we need to think of cyber as any other risk.
Cloyd: I think you bring up two interesting things. [I]n fact, we did a small publication [at PwC’s Board Leadership Center] earlier this year, and we called it “Defining Risk Appetite in Plain English.” What prompted it was I had a director come to me and he said, “Mary, we’re doing our off-site strategy session and we always talk about risk appetite. Do you have a good pre-read that I could give to the board so that they can understand what risk appetite means?” So we did this to really put in plain English, in four pages or less, what the dialog is between management and the board, and how you develop and define your risk appetite. And, to me now—as you have so beautifully put this, Suzanne—cyber is just another part of that risk discussion and how it fits into your overall strategy.
Vautrinot: Right. And if you have already had a discussion about your strategy and those things that are most important to you as a corporate entity, is it the data that is unique that you’ve collected—the information and the access to that information—that makes your corporation unique? Is it the technology or your research and development? Is it your insight into financial transaction or merger and acquisition? Is it [about] manufacturing processes or distribution processes?
Every board and every management team knows what is most important to them being successful as a corporation. It is likely that those things are the areas that [the board] would want to focus on with assessing cyber risk. If you look at that area and say this is what is most important to us as a corporation, and this is the technology that we depend on to do that activity, now I can say that is sufficient or it is insufficient relative to the amount of risk I am willing to accept in that area. There may be other areas that aren’t core to the business, and so you are willing to accept a different amount of risk or put different systems in place that kind of sandbox it—[systems] that put a fence around, or that separate or provide different controls to allow [the lower-risk] activity to run more openly, whereas [higher-risk areas are] much more controlled and much more precious.
Understanding the behavior of investors, employees, and consumers is a critical success factor for all companies. This can be difficult for corporate directors, however, as America’s demographics are constantly evolving. At this year’s second Directorship 2020® event, NACD partnered with Broadridge Financial Solutions, KPMG’s Audit Committee Institute (ACI), Marsh & McClennan Cos., and PwC to provide an in-depth look at today’s social and demographic trends and how boards can harness the opportunities these often-disruptive forces create.
In his keynote address, Scott Steinberg, CEO of TechSavvy Global and author of Make Change Work For You, affirmed that change is the “new normal.” He emphasized that companies must constantly innovate in order to survive in today’s volatile business environment. Some companies, such as Apple, Amazon, GE, and Samsung, have maintained their competitive edge by mastering the art of “sustainable innovation.” Steinberg pointed out that these companies foster highly collaborative relationships with their employees, who also represent the company’s customer base. By creating avenues for employees to share their observations on emerging threats and opportunities, these organizations are simultaneously constructing platforms to prototype new business products. These collaborative relationships thus enable management to harness the full range of talents that allow an enterprise to continually adapt and grow.
In the second keynote speech, Paul Taylor, former executive vice president of the Pew Research Center and author of The Next America, focused on two major demographic trends that are happening in the United States. First, the bulk of the country’s population is aging. Older generations have always needed the younger ones to drive the economy; the millennials, however—the youngest generation in today’s workforce—are collectively experiencing great difficulty in launching their careers and remain largely dependent on their forebears. Taylor observed that businesses need to mimic these new domestic norms and similarly nurture and invest in millennials to ensure the success of their firms’ future leaders.
Second, Taylor pointed out that by 2050, immigrants will comprise the largest-ever share of the American population: while 20 percent of Americans were of immigrant descent in 1960, that proportion is projected to climb to 37 percent. Not only will this expand the workforce and brainpower of the American economy, but it will also change the demographic complexity of the country’s consumer base. Furthermore, this modern immigration wave has begun to alter traditional attitudes toward racial and ethnic boundaries. For example, children of immigrants are more likely to marry someone of a different race or ethnicity. These trends are already driving business behavior, as contemporary television commercials clearly demonstrate: in an ad for Coca-Cola, the anthem “America the Beautiful” is sung in several languages; and two recent Cheerios ads featured a multi-racial family.
The presentations and discussion in Atlanta generated three key takeaways for directors:
Assess your corporate culture. Corporate culture can often be a significant roadblock to innovation, and many companies stumble because they fail to periodically rethink their identity. A corporate culture that allows for evolution is, by definition, resilient and adaptable. Regard your employees as a wellspring of innovative ideas, because they have the most direct interaction with your customers. Their insights into evolving consumer demands can, in turn, generate your business’s next game-changing idea. A big challenge for many firms is how to encourage employees to speak up, especially at established companies where a the corporate culture has been in place for some time. (FedEx, for example, has a 40-person team that is charged with driving innovation throughout the entire organization.) By contrast, the smaller size and absence of inhibiting precedents at start-ups enable them to be more adept at mining creative solutions from their entire employee base. Spurring and sustaining innovation is about institutionalizing a love of change within your organization. Create forums through which everyone—from the mailroom to the boardroom—feels free to share ideas.
Make educated bets. A lack of risk tolerance is a major barrier to innovation. For companies that are doing well, staying the course may seem like a safe bet; but as the competitive landscape shifts, this approach will ultimately cause the company to falter Create systems that allow the company to take smart risks. In line with the company’s established risk appetite, it’s acceptable—and expected—that a company will have to weather some level of failure. The board can openly discuss unsuccessful ventures with management, leveraging those experiences as learning opportunities instead of viewing them solely as a misstep.
Embrace diversity of all types. According to the Report of the NACD Blue Ribbon Commission on The Diverse Board:
[A] company’s ability to remain competitive will rely on its understanding of global markets, changing demographics, and customer expectations. Diversity is a business imperative, not just a social issue. The new business landscape will require boards to cast a wider net to find the very best talent available. As a natural corollary, the board’s mix of gender, ethnicity, and experiences will likely increase.
In his speech, Paul Taylor addressed the issue of age diversity specifically. Younger directors with relatively little board experience may be passed over for a directorship because seasoned directors perceive them as lacking the experience and credibility necessary to be effective. However, seeking out non-traditional director candidates (whether that status is determined on the basis of age or other criteria) can be critical to effectively managing a board’s talent pipeline. Established directors have the ability to mentor and develop the next wave of board leadership and, in turn, benefit from the perspectives of new directors who bring varied backgrounds and skill sets into the boardroom.
Look for full coverage of this NACD Directorship 2020 session in the May/June 2015 issue of NACD Directorship magazine.
The rate and complexity of change in the marketplace is greater than ever before—and not showing any signs of slowing. From innovation and disruptive technologies to regulatory activity and stakeholder scrutiny, companies are constantly presented with new risks and challenges. As NACD’s new Chair Reatha Clark King observed, writer William Gibson captured the inflection point most corporate boards find themselves approaching: the future is here, it’s just not evenly distributed. As these changes force global economic shifts, it is necessary for those in the boardroom to understand and prepare for the future structure of directorship now.
This week, NACD held the second in a series of exploratory meetings in Chicago to discuss how the boardroom can define and prepare for the challenges and opportunities expected in the next five to seven years. This meeting series—held in New York City, Chicago, and Los Angeles—will culminate in the kickoff of NACD Directorship 2020 at the 2013 NACD Board Leadership Conference. An effort to provide directors with a clear vision of what their roles will resemble in the future, NACD Directorship 2020 will extend from educational programs and roundtable exchanges to publications, all shaped by feedback from these events.
At the Langham Hotel in Chicago, more than 100 directors attended the afternoon session to discuss two topics: the future state of communications between the board and C-suite and how to select performance metrics that will generate sustainable organizational profit. Sessions were led by NACD President and CEO Ken Daly; Akamai Technologies Lead Director and Audit Committee Chairman Martin Coyne; NACD Chair King; and former Bell and Howell CEO, current NACD Director, and Northwestern University Professor Bill White. During the highly interactive sessions, each table was given a specific set of questions to discuss and provide thoughts among their peers. Takeaways from the event include:
Directorship is a part-time job with full time accountability. Inherent in the board/C-suite relationship is an information imbalance. However, with the right culture and board leadership, the board and senior management can easily communicate expectations and necessary information.
A CEO’s leadership style can serve as an indicator that the risk of information asymmetry has become too high. Directors establish a level of trust with the CEO and management to allow for board access to other members of the senior team, as well as site visits to see the company’s operations.
With an expanding board agenda, process and expectation setting are critical. The board should clearly communicate to management the types and format of information that need to be presented.
An empowered lead director or non-executive chair can help mitigate the risk of information imbalance. By facilitating communication channels and work between the independent directors and the CEO, this leadership position can break down some of the road blocks that may develop between the C-suite and directors. The relationship between the CEO and lead director or chair should be transparent.
Culture is critical in effective dialogue between the board and senior management. With the right culture, directors can be sure they are aware of the risks that are keeping the CEO up at night.
Sharing information via performance metrics, which are focused on what directors need to know, can bridge gaps in information flow. Ultimately, the board has to make winning decisions which are informed by data.
Today, directors balance short-term shareholder expectations with generating long-term sustainable profit. The role of the stakeholder, though, is more significant than ever before and expected to grow. In the future, directors will have to be increasingly focused on balancing shareholder return with stakeholder concerns.
It may be difficult for the board to address and to communicate with every stakeholder. The board should identify which stakeholders are critical to the strategic plans, and target communications to those groups.
Balance also extends to leading versus lagging indicators. The board should first approve the right strategy and set goals accordingly. Leading indicators will drive ensuing performance—but lagging indicators are also necessary to provide the right feedback loop.
Innovation is important to the success of any company. How innovation is defined, though, is largely dependent on the company, and should be rooted in the corporate strategy. For some, innovation will manifest in processes, products, or both.
The next NACD Directorship 2020 event will be held Sept. 10 in Los Angeles. Between events, NACD’s blog will feature viewpoints and research from our NACD Directorship 2020 partners—Broadridge, KPMG, Marsh & McLennan Cos., and PwC—that will take a deeper look into the emerging issues and trends that will redefine directorship.