Tag Archive: Risk Oversight

It’s Time to Get Uncomfortable in the Boardroom

Published by

Kimberly Simpson

Two NACD panels recently tackled issues surrounding sexual harassment in the corporate setting, and how directors should act and react to issues that could have profoundly negative impacts on company reputation and workforce satisfaction.

Key takeaways for directors ranged from careful CEO hiring to board composition. The following concepts could be readily applied to your own board’s conversation about overseeing this risk.

  • Aggregate Data to Spot Problems Before They Happen. Given that the board is ultimately responsible for overseeing company culture (including a culture that tolerates sexual harassment), the board should work to mitigate risks rather than taking up sexual harassment issues once a problem has surfaced, according to Michael Aiello, chair of the corporate department at Weil, Gotshal & Manges LLP. Lucy Fato, executive vice president and general counsel for American International Group (AIG), stated that boards should aggregate information to get the full picture, including:
    • Internal audit findings related to culture;
    • Employee relations/human resources reporting, including hiring trends, turnover statistics, and reports from exit interviews;
    • Hotline reporting, including whether there are too many or too few complaints; and
    • Company legal settlements and insurance payouts.
      Board members should also probe whether the company’s investigative processes are fair and thorough.
  • Go the Extra Mile in CEO Hiring. In light of the board’s primary role of hiring and firing the CEO, along with the fact that fallout from CEO misconduct can significantly impact shareholder value, a board should take steps to ensure that its candidate of choice does not have a history of sexual misconduct or even tolerance for a culture in which harassment is an open secret. According to Sabina Menschel, president and chief operating officer at Nardello & Co., to really know who you are hiring into the corner office, conduct an investigation that includes public records, social media, and supplemented standard reference checks. With regard to CEO hiring, Fato stressed, “Ethics, integrity, and how you carry yourself as a public figure should be a factor in whether you can lead the brand.”
  • Risk Starts at the Top. The CEO and senior management are not alone in the potential spotlight of the #MeToo movement. Board members also must be vetted fully, and once in place, board members should receive code of conduct training, just as employees do, said Fato. In addition, the board should pick one corporate policy per year on which to do a deep dive as part of its oversight duties. Tabletop crisis preparedness exercises also should be conducted.
  • Superstar? Irrelevant. A board may face a difficult choice if a superstar CEO is found to have violated the company’s code of conduct, fearing that a dismissal could impact short-term shareholder value. According to Brenda Gaines, director, Tenet Healthcare, Southern Co. Gas, and NACD, superstar status is always irrelevant when investigating misconduct. She suggests that the board should take action to remove an offending CEO and then have a separate conversation about revenue and valuation implications. She added that the company must be clear about its culture and key principles, and should have zero tolerance for misconduct, applied to everyone in the company equally. “Board members have to keep each other honest,” she said.
  • Expand the Company’s Enterprise Risk Management (ERM) Framework. Sexual harassment should be a part of each company’s ERM framework, given that fallout from a misstep can be quite severe, emphasized Fato. Also, when doing employee surveys, ask specifically about harassment issues. To do so demonstrates that the company cares about these issues, said Menschel. Also, in terms of monitoring potential issues with long-tenured employees or even board members, consider updating background checks at regular intervals, stressed Fato.
  • Diverse Boards Matter. The #MeToo movement will have an impact on the boardroom, as well as on investor relations, according to Renee Glover, director, Fannie Mae, Enterprise Community Partners, and NACD Atlanta. Indeed, large shareholders are asking about diversity on the board, and they may request sexual harassment policies and pay equity measures. Gaines emphasized the clear-cut nature of the need for more diverse boards. “Diversity is good business,” she said, “and we are nowhere near where we should be. We need more gender diversity and more people of color on boards. Don’t miss this in the search for skill sets.”
  • Find an Ally. Rochelle Campbell, manager for board recruitment services at NACD, says that she encourages boards to have at least two diverse members on the board, as such boards tend to be more successful. Women and people of color who are new to a board can play an important role in discussions about sexual harassment and equal pay for equal work. When asked for practical advice for new board members, Gaines shared best-practice approaches to oversight of misconduct:
    • Get the facts right.
    • Take the emotion away.
    • Look for an ally on the board.
    • Be persistent.

Glover summed up the issue: “We can do better. And when we do, we can get on with realizing the deeper value that a diverse board can deliver.”

Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.

Four Exercises for Contemplating Digital Readiness

Published by
Jim DeLoach

Over the next few years, the digital revolution will force many organizations to undertake radical change programs and, in some cases, completely reinvent themselves to remain relevant and competitive. Ask executives and directors what their company’s biggest threats are, and chances are the answer will include the threat of disruptive innovation. That said, is disruptive innovation sufficiently emphasized on the board agenda?

Our experience indicates that most boards do not fully grasp the opportunities and risks associated with digital transformation. There are four important activities for organizations to consider as they contemplate what digital means to their business and strategy.

1. Assess digital competencies. Protiviti’s original research has identified more than 30 competencies at which digital leaders excel. These competencies consist of empirically supported capabilities and structural characteristics that can be used to benchmark the organization. They are arrayed across six core disciplines that many traditional businesses struggle with:

  • vision, mission, and strategy;
  • management and employee culture;
  • organization, structure, and processes;
  • communication, marketing, and sales;
  • technology innovation and development; and
  • big data, analytics, and automation.

An example of a competency related to “vision, mission, and strategy” is that executive management must have a clear understanding of the potential impact of digital disruption in the industry segments in which the organization operates and be able to articulate a clear strategic vision fit for the digital age. In addition, digital strategy-setting and review should be a continuous activity for the business and in the boardroom.

Competencies can be useful when plotting the path toward digital maturity. The strategy should reflect the competencies that currently define the organization and address the absence of those which present barriers to success. This is important because the digital age is forcing organizations to radically rethink how to engage with customers and pursue design breakthroughs for improving processes and functions continuously. That means they must balance outside-the-box thinking with the practical considerations of repositioning the business. Many strategies ignore these fundamental issues, resulting in a business that is digital on the edges but not at the core. Our view is that a truly digital business has a digital core.

2. Define and refine continuously the digital vision and strategy. Organizations need to make a conscious decision about whether they are going to lead as the disrupter of the industry or, alternatively, play a waiting game, monitor the competitive landscape, and react only when necessary to defend market share. For many companies, the answer may be somewhere in between. For organizations choosing not to actively disrupt the status quo, their challenge is to be agile enough to react quickly as an early mover. Few are ready for that challenge, however.

A leader of the organization must own responsibility for understanding the competitive landscape, the opportunities emerging technologies present, and the threats to existing revenue streams. Management must frame the digital vision and the strategic initiatives supporting it around the enterprise’s core competencies. The vision must reflect the direction in which relevant digital technology is trending. It should express how technology can elevate the company’s differentiating core competencies and deliver unique customer experiences. With technology and regulations changing, and innovation happening so rapidly, the business needs to review and refine its digital priorities constantly.

3. Define the target operating model. Too often policies, processes, and organizational structures get in the way of a business becoming and remaining digital. The key is to empower, trust, and monitor people, not control them. That’s a different way of thinking for organizations rooted in “command and control” structures. The business should clearly define where it’s going in its vision and strategy, and management must recruit and train the right people while ensuring that the enterprise’s policies, processes, and systems are suitable to compete in a digital world.

Accordingly, management should define the processes, organization, talent, methodologies, and systems comprising a future operating model that remains true to the company’s identity and brand promise. In the rush to become digital, the importance of policies that address the risks and ethical questions leaders must consider shouldn’t be forgotten.

With the current and future states defined, improvement plans should be developed to close the gaps based on industry best practices and reviewed with executive management and the board. The risks associated with the target state should be identified and assessed against the entity’s risk appetite. In this respect, management should be careful to avoid understating the hyper-scalable business model component of digital transformation. Digital thinking requires organizations to solve the problem of rapid growth and scalability by relying primarily on technology rather than people, as opposed to the traditional focus on scaling ahead of demand.

4. Align the organization with the needed change. Using digital technologies to improve products, services, and processes requires focus and discipline. To enable continuous or breakthrough change with confidence, buy-in must be obtained from executive management and the board for significant changes in strategy, processes, and systems. Support also is needed from business-line leaders, operating personnel, and process owners affected by the change. The communication of change and its implications must address why a digitally-focused culture is necessary for the entity to survive and thrive, and offer a compelling case that the interests of employees and the enterprise are inextricably tied to effecting change.

Depending on a director’s perspective, the exciting or worrisome truth is that the digital revolution is just getting started. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult to have the vision or foresight to anticipate the nature and extent of change. That is why every organization must chart its own digital journey.

To that end, the board should be engaged in all of the above activities, from readiness assessment to organizational alignment. When addressing digital, directors should recognize the signs of organizational short-termism and executive management’s emotional investment in traditional business models. Ultimately, the board must ask the necessary questions to encourage management to advance the enterprise’s digital journey at a pace that will sustain the company’s sources of competitive advantage and market position.

Jim DeLoach is managing director of Protiviti. 

Seven Ways to Stronger Oversight of Supply Chain Risk

Published by
Jim DeLoach

One important source of operational risk relates to the organizations, people, processes, and resources comprising a company’s supply chain. In many sectors, companies increasingly depend on the external elements of the supply chain (e.g., suppliers, outsource partners, third-party logistics) in an effort to cut costs while increasing capabilities and global reach. Because every business depends on a well-functioning, cost-effective supply chain, every board should consider its oversight of supply chain risks. The following are seven suggestions for better board-level oversight of supply chain issues.

1. Strike the right balance when selecting a supplier. Time, cost, quality, and risk are four factors a company needs to consider when identifying potential suppliers, negotiating contracts, and evaluating supplier risk and performance throughout the lifespan of the contract. Boards should be leery when management emphasizes one or two factors over the others as this can result in unintended consequences. For example, seeking to reduce procurement costs when negotiating supply contracts should not lead to the unintended consequence of taking delivery of components that fail to meet critical quality specifications or timing requirements.

2. Make procurement decisions with an enterprisewide perspective. Striving for functional excellence is a laudable goal, but it has its limits. Companies can incur huge losses making procurement decisions in isolation, ignoring initiatives undertaken by the research and development, engineering and finance functions.

3. Ensure the supplier agreement spells everything out. When a contract clearly defines scope, business objectives, deliverables and performance specifications, it lays the foundation for ongoing monitoring of contract compliance and supplier performance and reduces the risk of costly disputes and misunderstandings. For example, the contract should clarify product and packaging specifications and quality control and inspection protocols so that performance can be monitored over time. It also should ensure that intellectual property and critical assets (e.g., proprietary molds and tools the company gives to the supplier) are adequately protected. Due to the complexity of managing suppliers operating in other countries, boards should ensure that the procurement process is supported by legal advisers knowledgeable of the applicable court jurisdictions, particularly in countries where laws, customs, and business ethics may vary.

4. Hold suppliers to the same level of accountability. The rigor of company processes for identifying, sourcing, measuring, monitoring, and reducing third-party relationship risks should be proportionate to the level of risk and complexity of those relationships. With respect to legislative and regulatory developments regarding disclosure of the actions a company has voluntarily undertaken to remove labor abuses from its supply chains, companies should seek the advice of counsel as to the status of these developments and the jurisdictions and circumstances in which they apply. Given this environment, a case can be made for adopting and enforcing a supply chain code of conduct—especially for vendors authorized to act as agents on behalf of the organization. Coupled with a code of ethics that details the principles and values by which the company operates, a code of conduct might address topics such as human rights, health and safety standards, environmental sustainability standards, ethical and responsible business behavior, and cybersecurity standards.

5. Conduct periodic third-party audits. A supply chain code of conduct is only as good as the vendors who sign it. That’s why a cost-effective third-party audit process is important. Such audits may be integral to the due diligence associated with vendor selection and onboarding. Conducted on a periodic basis, third-party audits may focus on: selected internal controls, such as cybersecurity; vendor performance against contract specifications; and compliance with laws and regulations. The audits may also be conducted before contract renewals.

6. Monitor supplier risk and performance over the life of the contract. The risk environment is not static over the life of the contract. All suppliers should be segmented based on factors such as risk, the level of spend, criticality, and alternatives in the market. The segmentation should drive the level of preselection due diligence, the contracting strategy, and the level and frequency of monitoring through contract duration. Ideally all facets of contract and supplier risk are addressed through performance reporting, including early warning alerts before it’s too late to act on a timely basis.

7. Pay attention to business continuity risk. There are many instances where a single-source supply strategy is the right business decision. In these cases, however, quality, time, and cost considerations often win out over business continuity risk considerations despite the risk of supply chain disruptions. Thus, risk assessments should consider what could happen to the organization’s business model if any key component of the supply chain were taken away, even though a cause may be somewhat elusive at the time of the assessment.

An assessment should also consider the implications of plausible and extreme scenarios stemming from the loss of strategic sources of supplies for an extended period, including exposure to data security risks and physical access to sensitive information, the financial impact, expected recovery time, and adequacy of current recovery and contingency plans. To illustrate, directors should inquire whether management has considered the following questions:

  • What would happen if we were to lose, for any reason, one or more of the suppliers that we depend on for essential raw materials and components?
  • How long would we be able to operate?
  • What if there were significant disruptions in transportation?
  • What contingency plans do we have?
  • Have our key suppliers performed their own risk assessments with respect to key “Tier Two” or “Tier Three” suppliers? How do we know?

The board should be informed of the results of these assessments.