In recent years, ERM implementations have generally focused on three questions:
Do we know what our key risks are?
Do we know how they’re being managed?
How do we know?
In responding to these three questions, executive management and boards in some companies have made progress in differentiating the truly critical enterprise risks from the risks associated with day-to-day business operations.
While seeking these answers is a useful exercise, is it enough? Directors should also ask:
Is our ERM approach helping us identify flaws and weaknesses in our strategy on a timely basis?
Is our organization able to recognize the signs of disruptive change, and is it agile and resilient enough to adapt?
Do we truly consider risk and return in our decision-making processes or do we blindly follow the herd and remain emotionally invested in the comforts of our business model?
Do we seek out what we don’t know? Are we prepared for the unexpected?
Is everyone competing for capital and funding with rose-colored glasses, making the resource and budget allocation process a grabfest?
Yes, companies have made progress in various ways with enterprise risk management, but depending on the answers to the above questions, more needs to be done.
Adoption and application of COSO’s Framework could alter the conversation by clarifying the importance of integrating risk, strategy, and enterprise performance. While a stand-alone process may be worthwhile and useful, it is not ERM as defined by COSO. The framework introduces five interrelated components and outlines 20 relevant principles arrayed among those components, offering a benchmarking option for companies seeking to enhance their ERM approach.
Four observations frame what COSO is looking for:
Integrate ERM with strategy. There are three dimensions to integrating ERM with strategy-setting and execution:
risks to the execution of the strategy;
implications from the strategy (meaning each strategic option has its unique risk-reward trade-off and resulting risk profile); and
the possibility of the strategy not aligning with the enterprise’s mission, vision and core values.
All three dimensions need to be considered as part of the strategic management process.
Integrate risk with performance. Risk reporting is not an isolated exercise. Operating within the bounds of an acceptable variation in performance provides management with greater confidence that the entity will achieve its business objectives and remain within its risk appetite.
Lay the foundation for ERM with strong risk governance and culture. The board and CEO must be vigilant in ensuring that pressures within the organization are neither excessive nor incentivizing unintended consequences. Such pressures may be spawned by unrealistic performance targets, conflicting business objectives of different stakeholders, disruptive change altering the fundamentals underlying the business model, and imbalances between rewards for short-term financial performance and stakeholders focused on the long term.
Tie risk considerations into decision-making processes. COSO defines “relevant information” as information that facilitates informed decision-making. The more information contributes to increased agility, greater proactivity, and better anticipation of changes to the enterprise, the more relevant it is and the more likely the organization will execute its strategy successfully and achieve its business objectives.
Boards should urge the executives within their companies to consider the principles embodied by the COSO framework to advance their current ERM approach. In this regard, we suggest organizations focus on three keys:
Position the organization as an early mover. When a market shift creates an opportunity to create enterprise value or invalidates critical assumptions underlying the strategy, it may be in an organization’s best interests to recognize that insight and act on it as quickly as possible. The question is: When the entity’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? The organization attains time advantage when it obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known.
Address the challenges of risk reporting. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile and nimble in responding to a changing business environment. To truly impact decision-making, risk reporting must address three questions:
Are we riskier today than yesterday?
Are we entering a riskier time?
What are the underlying causes?
Risk reporting is often not actionable enough to support decision-making processes. Once risk reporting is designed to answer these three questions, it becomes the key to evolving ERM to a “risk-informed” decision-making discipline.
Preserve reputation by maximizing the lines of defense. How do organizations safeguard themselves against reputation-damaging breakdowns in risk and compliance management? The widely accepted lines-of-defense model consists of three lines of defense. The first line consists of the business unit management and process owners whose activities give rise to risk. The second line consists of the independent risk and compliance functions, and internal audit is the third line. Also important is the tone of the organization—the collective impact of the tone from the top, the tone from the middle, and the tone at the bottom on risk management, compliance, and responsible business behavior. The proper tone lays the cultural foundation for the effective functioning of each of the three lines of defense. Arguably, the final line of defense is senior management and the board. For example, top management acts on risk information on a timely basis when significant issues are escalated and involves the board when necessary.
These three keys offer a focused line of sight for companies and their boards seeking to advance their ERM approach consistent with the principles and guidance in the updated COSO framework. The relationship of ERM to the processes the CEO values most can be compared to the contribution of salt, pepper, and other seasonings to a sumptuous meal. The objective is to enhance the outcomes that the organization is attempting to achieve by enabling it to be more adaptive in a volatile, complex, and uncertain world.
Investors now see corporate governance as a hallmark of the board’s effectiveness and one of the best sources of insight into the way companies operate. In response to this trend, Farient Advisors LLC, in partnership with the Global Governance and Executive Compensation Group, produced the report 2017—Global Trends in Corporate Governance, an analysis of corporate governance practices in the areas of executive compensation, board structure and composition, and shareholder rights covering 17 countries across six continents.
NACD, Farient Advisors LLC, and Katten Muchin Rosenman LLP cohosted a meeting of the NACD Compensation Committee Chair Advisory Council on April 4, 2017, during which Fortune 500 compensation committee chairs discussed the report’s findings in the context of the current proxy season. The discussion was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized below) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names is available here.
Global Governance Trends
2017—Global Trends in Corporate Governance finds that governance standards around the world have strengthened in response to financial crises and breakdowns in corporate ethics and compliance. Those crises and breakdowns have led to greater pressure from governments and investors, who are demanding economic stability and safe capital markets. In regard to executive compensation, the report notes a number of global governance trends:
Source: Farient Advisors, 2017—Global Trends in Corporate Governance, p. 18.
Most of the 17 countries surveyed (94%) require executive compensation disclosure, although the disclosures made and the quality of those disclosures vary from country to country. The surveyed countries with the least developed disclosures are South Africa, China, Brazil, and Mexico.
Say-on-pay voting is mandatory in most developed countries, although there is variance on whether the votes are binding or not. For developed countries where the vote is voluntary (e.g., Canada, Belgium, Germany, and Ireland), it still remains a leading practice.
Common leading practices are to use competitive benchmarks, such as peer groups, to establish rationales for pay, and to provide investors with information on the components of pay packages and performance goals.
2017 Proxy Season Developments
Meeting participants shared a number of observations and practices from the current proxy season:
Continuous improvement on disclosures
Council participants indicated they are sharing more information with shareholders, in a more consumable way. “We want to be in the front ranks as far as providing information to shareholders,” said one director. “Instead of asking ‘why should we share that?’ we’re starting to ask ‘why not?’” Another director added, “Over the last few years we’ve moved from a very dense legalistic document to something that’s much more readable. Our board set up a process to do a deep-dive review every two years; this fall is our next review. It’s a way to ensure our disclosures keep pace with current practices and also reflect where we are as a company and board.”
Council members also discussed the status of Dodd-Frank rulemaking, given the new presidential administration and SEC commission. S. Ward Atterbury, partner at Katten Muchin Rosenman LLP, said, “While it’s unclear exactly what the SEC will do with Dodd-Frank requirements in the future, investors have spoken on some of the issues, especially on things like say on pay and pay for performance. There may be less formal regulation, but the expectations on companies and boards are still there [to provide pay-for-performance disclosure].”
Growing interest in board processes
According to one director, “We’re hearing more interest about CEO succession as it relates to strategy. Investors are asking us to describe our process—they understand we can’t discuss specifics.”
Director pay
Dayna Harris, partner at Farient Advisors LLC, discussed the increased focus on director pay: “Given the recent lawsuits regarding excessive director compensation and an increase in director pay proposals in 2016, Institutional Shareholder Services (ISS) created a new framework for shareholder ratification of director pay programs and equity plans.” ISS’ framework evaluates director pay programs based on stock ownership guidelines and holding requirements, equity vesting, the mix of cash and equity, meaningful limits on director pay, and the quality of director pay disclosure. ISS’ updated factors for evaluating director equity plans include relative pay magnitude and meaningful pay limits.
Environmental, social, and governance (ESG) issues
Meeting participants agreed that social issues, such as ESG and gender pay equity, are increasing in popularity among investors. In particular, nonbinding shareholder proposals on climate change received majority support this year at Exxon Mobil Corp., Occidental Petroleum Corp., and PPL Corp.
Refining approaches to outreach and engagement with investors
Meeting participants discussed leading practices for engaging shareholders. Some directors indicated that investors have turned down their offers to speak on a regular basis because of time constraints. One delegate emphasized that just making the offer to meet with shareholders is appreciated, even if that offer is turned down. One director said, “We invited one of our major long-term shareholders to speak at one of our off-site [meetings] as part of a board-education session. It was a different type of engagement and very valuable.”
Robert P. Silvers is a respected expert on Internet of Things security and effective corporate planning and response to cybersecurity incidents. Silvers is a partner at Paul Hastings and previously served as the Obama administration’s assistant secretary for cyber policy at the U.S. Department of Homeland Security. Silvers will speak at NACD’s 2017 Global Board Leaders’ Summit in October and NACD’s Technology Symposium in July.
Robert P. Silvers
Cybersecurity breaches pose a growing threat to any organization. As we’ve seen in recent years, and indeed in recent weeks, the most sophisticated companies and even governments aren’t immune from cyberattack. Ransomware has become a global menace, and payment data and customers’ personal information are routinely swiped and sold on the “dark web” in bulk. Next-generation Internet of Things devices are wowing consumers, but they are also targets, as Internet connectivity becomes standard-issue in more and more product lines.
How do directors prepare for this landscape? Everyone now acknowledges the importance of cybersecurity, but it is daunting to begin to think about implementing a cybersecurity plan because it’s technical, fast-moving, and has no “silver-bullet” solutions. Most boards now consult regularly with the organization’s information security team, but the discussions can be frustrating because it’s hard to gauge readiness and where the organization really stands in comparison to its peers. Sometimes directors confide in me, quietly and on the sidelines, that their real cybersecurity strategy is one of hope and prayer.
There are steps directors can take now to prepare for incidents so that when they occur the company’s response is well oiled. With the right resources and preparation, boards can safely navigate these difficult and unforeseen situations. Three key strategies can assist directors as they provide oversight for cybersecurity risks:
Building relationships with law enforcement officials
Having incident response plans in place (and practicing them)
Staying educated on cybersecurity trends
1. Building Relationships With Law Enforcement Officials
It’s no secret that relationships are central to success. Building the right relationships now, before your worst-case scenario happens, will help manage the situation. The Federal Bureau of Investigation is generally the lead federal investigative agency when it comes to cybercrime, and the United States Secret Service also plays an important role in the financial services and payment systems sectors.
Boards should ensure company management educates law enforcement officials from these agencies about the company’s business and potential risks. In turn, the company should ask law enforcement to keep it apprised of emergent threats in real time. There should also be designated points of contact on each side to allow for ongoing communications and make it clear whom to contact during an incident. This is critical to ensuring that the company has allies already in place in the event that a cyberattack occurs.
2. Having—and Practicing—Incident Response Plans
Directors should ask to see copies of the company’s written cyberbreach response plan. This document is essential. A good incident response plan addresses the many parallel efforts that will need to take place during a cyberattack, including:
a. Technical investigation and remediation;
b. Public relations messaging;
c. Managing customer concern and fallout;
d. Managing human resources issues, particularly if employee data has been stolen or if the perpetrator of the attack is a rogue employee;
e. Coordination with law enforcement; and
f. Coordination with regulators and preparedness for the civil litigation that increasingly follows cyberattacks.
An incident response plan is only valuable if it is updated, if all the relevant divisions within a company are familiar with it, and if these divisions have “buy in” to the process. If the plan is old or a key division doesn’t feel bound by it, the plan isn’t going to work. Directors should insist the plan be updated regularly and that the company’s divisions exercise the plan through simulated cyber incidents, often called “table-top exercises.” Indeed, table-top exercises for the board itself can be an excellent way to familiarize directors with the company’s incident response plan and its cyber posture more generally.
3. Staying Educated on Cybersecurity Trends
As your board is building relationships with law enforcement officials and preparing an incident response plan, directors should also be educating themselves on cyber risk. Cybersecurity becomes more approachable as you invest the time to learn—and it’s a fascinating subject that directors enjoy thinking about. Do you know what a breach will look like for your company? What protocols do you have in place in case something happens?
According to the 2016–2017 NACD Public Company Governance Survey, 89 percent of public company directors said cybersecurity is discussed regularly during board meetings. Since a majority of directors in the room agree that cybersecurity is worth discussing, directors should collectively and individually prioritize learning the ins and outs of cyber risks.
One easy way to stay up to date on the latest is to ask the company’s information technology security team for periodic reports of the most significant security events that the company has encountered. This will give directors a feel for the rhythm of threats the company faces day in and day out.
Another option is for directors to take a professional course and get certified. The NACD Cyber-Risk Oversight Program is a great example of a course designed to help directors enhance their cybersecurity literacy and strengthen the board’s role in providing oversight for cyber preparedness. Consider these options to keep yourself as educated and informed as possible.
The more you can prepare individually, the better off you will be when you have to provide oversight for a cybersecurity breach at your company.