Cyber-Risk Oversight Amid Russia-Ukraine Tensions

Will they or won’t they? This question has been top of mind for the United States and North Atlantic Treaty Organization (NATO) allies for several weeks as sophisticated intelligence operations have monitored Russian forces inching closer to invading Ukraine outright. The history leading to this moment is complex and nuanced, but one matter is clear: the consequences of a kinetic war in Ukraine would be devastating for its people, economy, and young democracy, and have dire ripple effects around the world.

And that’s just considering potential traditional acts of war.

Could Russian cyberattacks used to “soften the Ukrainian battlefield” spill into business networks around the world?

According to the Cybersecurity and Infrastructure Security Agency (CISA), the agency at the forefront of US cyber defense, it’s time to put “shields up” at organizations of all kinds. “CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets,” reads a notice recently posted to the CISA website in light of current events in Russia and Ukraine.

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger emphasized this point at a press conference on Feb. 18, during which she detailed how Russian actors have already deployed distributed denial-of-service attacks within the Ukrainian Ministry of Defense and the country’s state-owned banks. “I cannot stress this enough: we urge our private sector partners to exercise incident response plans and put in place the cybersecurity defenses, like encryption and multifactor authentication, that make cyberattacks harder for even sophisticated cyber actors,” she said.

Businesses and other institutions are called on to defend American infrastructure against the influence of Russian state actors’ cyberattacks, and board members can do their part. Key action steps for you and your board to take in the coming weeks—and as the crisis in Ukraine unfolds—follow.

Understand the 2017 NotPetya Attack

Ukraine is well known among cybersecurity professionals and researchers as the unfortunate testing ground for Russian cyberattacks. In 2017, many nations got a taste of what can happen when such tests stretch beyond their intended borders.

Do you recall when global shipping giant Maersk was moored due to a cyberattack that year? That was part of a cyber event now known broadly as NotPetya, and it impacted an astonishing number of companies and countries. The igniting incident was the injection of malware into commonly used Ukrainian tax software. While the code appeared to operate like ransomware, there were no decryption keys to regain access to data. Once infected, data was simply lost and computer hardware rendered useless.

The United States and United Kingdom attributed the attack to Russian state actors. NotPetya’s power to quickly spread outside Ukraine through connected networks led to multimillion-dollar losses by the likes of FedEx Corp. and DLA Piper.

In today’s environment, a cyberattack in advance of a traditional act of war could leak into networks worldwide accidentally or intentionally, and companies and organizations worldwide need to be prepared to act rapidly to mitigate any related issues. Directors might consider learning about the evolving role cyberattacks play in war and how their organizations’ networks can get caught in the crossfire.

Review NACD Cyber-Risk Oversight Guides

The NACD Director’s Handbook on Cyber-Risk Oversight, updated most recently in 2020 by NACD and coauthors at the Internet Security Alliance (ISA), is a staple for understanding board-level cyber-risk preparedness. The following principles from the handbook are worth reviewing in times of potential crisis:

Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an information technology risk.Directors should understand the legal implications of cyber risks as they relate to their companies’ specific circumstances.Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.

If followed, these principles should leave your board in a sound place to oversee the needs of the cybersecurity organization through a crisis without the board interfering in operational responses. Appendices of the handbook include questions to ask about the company’s cybersecurity posture, a tool that outlines the board’s role in incident response, resources provided by the US Department of Homeland Security, and a guide to involving the US Department of Justice and Federal Bureau of Investigation in the event of a breach.

NACD and ISA in 2021 joined the World Economic Forum to expand upon these core principles in Principles for Board Governance of Cyber Risk. While most of the principles align with the ones above, one critical addition was made: encourage systemic resilience and collaboration.

This new principle acknowledges one of the critical vulnerabilities present in US cyberinfrastructure: that we’re all operating within interconnected systems that are private from one another. What could harm one company could harm many others, and the line of sight into those vulnerabilities is only as clear as the information shared by their owners. It’s critical that board members and their executives understand that their organizations could be affected by a malicious attack at the hands of a state actor, and that information about such attacks should be shared with appropriate industry information sharing groups, law enforcement agencies, and other parties. Information security experts in recent days have applauded the speed at which critical vulnerabilities have been identified, investigated, and declassified for sharing, all in the name of securing companies like yours. Directors can encourage their security leaders to communicate anomalies to law enforcement and information sharing networks as part of their contribution to securing the ecosystem.

Review What Your Company’s Cyber Insurance Covers

Merck & Co. was one of the unfortunate victims of the NotPetya attack in 2017, and its cyber insurance declined to cover the cost of more than 40,000 computers lost to the virus, as the insurer stated that the loss fell under its “War or Hostile Acts” exclusion. There is some good news: the $1.4 billion claim was awarded to Merck early in 2022 by the New Jersey Superior Court. Still, Threatpost reports that Lloyd’s of London and other insurers are taking steps to exclude from coverage and create more explicit terms for what counts as an act of war.

Is your board aware of the types of risk transfer the company practices that would shield the organization in the event of harm done in a borderless cyber war? Consider checking in with your management team to understand what material harm could come to the company if its insurance-based risk transfer solutions will not cover this type of loss.

Follow CISA’s Alerts

CISA is a young and quickly growing agency within the Department of Homeland Security. The agency has had its eyes on the situation in Ukraine for months and has issued several briefings urging private-sector organizations to secure themselves against any known threats and to have crisis response plans in hand and rehearsed, especially at the C-suite and board leadership level.

While CISA publishes a lot of technical, operational-level information, its warnings and briefings are meant to inform leadership and the public about what risks to attend to. If you’re interested in registering for direct emails from the agency about general warnings and news, or would like information more specific to your industry, visit their email subscription page and follow the directions to select what you want to receive.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

How to Make Your 2022 Climate Resolutions Stick

The novelty of the new year is waning, and many resolutions are already losing steam—or have been abandoned altogether. What have we learnt? That anything worth doing is going to take more than changes in the margins. Resolutions, especially the big ones, tend to fizzle without serious lifestyle changes.

A version of this is playing out right now with climate change commitments in the capital markets. As it stands, approximately 60 percent of Fortune 500 companies have declared their climate resolutions in the form of greenhouse emissions reductions goals. Of these, 17 percent have set “net-zero” carbon emissions goals. But market and investor reactions to these ambitions have been muted. The Edelman Trust Barometer 2021 reveals that 72 percent of investors do not believe companies will live up to their environmental, social, and governance (ESG) commitments. Seventy-nine percent of global investors (and a staggering 92 percent of US investors) are concerned that companies will be unable to meet their net-zero goals.

Why the mistrust? Perhaps the answer lies in the chasm between what corporate climate resolutions are and the actions they have been taking in their business. Recent research has highlighted a vast gap between corporate climate commitments and strategic plan disclosures. While 81 of the world’s 100 largest companies had set climate targets as of September 2021, only 17 had referenced climate change in investor presentations on the organizations’ strategic plans and only five had provided substantive details. In other words, their “lifestyle” hasn’t really changed.

Directors should heed the mistrust. As we saw during last year’s proxy season, investors are more than willing to hold corporate directors accountable for their companies’ climate strategies and change guard when they disagree with the path forward. And we’ve already seen announcements foreshadowing how this mistrust could play out in the 2022 proxy season. Aviva Investors recently released its plan to vote against corporate directors of companies falling short of their climate change objectives. State Street Global Advisors also announced its intention to hold boards and CEOs of high-emitting portfolio companies accountable for sub-standard climate transition plans.

Boards should see the current climate around climate change as an opportunity to communicate with management not only about climate change goals but also about how their businesses need to change to achieve them. This understanding of how businesses need to evolve in light of climate change should be reflected in long term strategic plans.

Looking ahead, directors can do the following to help management evolve their strategic plans and meet their climate resolutions:

Query the impact on your business model. While climate change poses great risks to businesses, the opportunities presented are equally compelling, and the climate transition is considered by many to be the greatest investment opportunity of our lifetimes. In his 2022 letter to CEOs, BlackRock CEO Larry Fink called on chief executives to consider how their enterprises could be disrupters rather than victims, asking, “As your industry gets transformed by the energy transition, will you go the way of the dodo, or will you be a phoenix?”

Understand the impacts on the external environment. Climate change not only impacts companies directly but also their operating environment. It affects regulation, supply chains, consumer preferences, and even access to capital. Directors and management can work together to factor each of these external impacts into their company’s long-term strategy refresh.

Evaluate impacts on goals and key performance indicators (KPIs). Are outdated corporate goals being grandfathered in, or worse, distracting leadership from new goals that would redirect the company to thrive in a net-zero world? Reducing greenhouse gas emissions is only part of the battle, not a complete climate strategy in and of itself. Business goals and KPIs should reflect how the company plans to generate value in a transformed business landscape.

Develop climate-conscious capital allocation strategies. Investors are starting to use corporate capital allocation as a yardstick to identify companies whose climate rhetoric matches their actions. The board should call on management to update capital allocation plans if climate change mitigation and adaptation investments, research and development, and capacity building aren’t getting a big enough slice of the pie.

Assess risk processes. Given our evolving understanding of climate science and shifting environmental vulnerabilities, audit committees should assess and develop risk management protocols designed to keep the company afloat. Responsiveness to new data, regulation, and stakeholder needs will be critical to corporate resilience.

Establish accountability systems for climate strategy implementation. Investors are looking for boards to hold management accountable for corporate climate resilience performance. Building on the recommendations above, directors should consider incentivizing management not for climate performance exclusively, but rather for the success of a broader climate-conscious business strategy.

While corporations continue to boldly make climate change commitments, considering the above steps now will enable directors to help management go beyond the marginal changes and implement the ”lifestyle” changes needed for the company to stick to its climate resolutions. It won’t be easy, but it will be necessary to generate value and stay resilient in a carbon-constrained future.

Veena Ramani is a research director at FCLTGlobal. She is an expert in climate change, corporate governance, and ESG disclosure.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Cyber-Risk Oversight Is Evolving: Are Directors Ready?

Last year was yet another challenging one for organizations in terms of cybersecurity. Massive breaches, exponential growth in ransomware attacks, attacks targeting critical suppliers and vendors, and new vulnerabilities in ubiquitous software created heartburn for security teams and executive leadership.

On top of that, several recent announcements from US regulators suggest that corporate directors need to reexamine their cyber-risk oversight efforts in 2022. On Jan. 4, the Federal Trade Commission issued a warning that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Most executives had never heard of Log4j prior to December, when news emerged that a serious vulnerability threatened millions of products that rely on the common software.

Weeks later, US Securities and Exchange Commission (SEC) chair Gary Gensler delivered remarks at the annual Securities Regulation Institute placing cyber-risk oversight squarely on the shoulders of executives and directors. During the meeting, Gensler announced that SEC staff would be recommending new rules on mandatory cybersecurity disclosure by public companies, saying companies and investors alike would benefit from cybersecurity information “presented in a consistent, comparable, and decision-useful manner.”

These initiatives signal an important change in the expectations that regulators have of companies and their directors.

In the past, regulators sought assurance that companies were addressing cyber risk at senior levels. Over the last five years, we have witnessed incredible change in the way that companies have organized themselves to address cyber risk. These critical corporate governance initiatives—from ensuring that directors with cybersecurity or technology expertise are on the board to creating board-level committees responsible for cyber-risk oversight to developing reporting structures between the business and the board—have created an important foundation for many organizations to manage cyber risk.

But in many respects, these critical corporate governance initiatives are just the beginning of the journey. They establish the structure and framework for decisions to be made. Now, with incidents and breaches piling up, the focus is shifting to questions about security program performance and effectiveness. What should directors do to respond?

The next phase of cyber-risk oversight—Cyber-Risk Governance 2.0, if you will—will focus on the data itself. What data should be reported? What metrics should be analyzed? How does this data inform our decision-making? How do we assess our program’s effectiveness?

We are entering a new era of cyber-risk oversight, one that will be marked not by governance changes but by the integration and use of data, information, and metrics.

Effective Cyber-Risk Monitoring and Measurement

When developing or improving the ability to measure and oversee cyber risk, understanding an organization’s exposed assets and security performance are critical. Work from home due to the COVID-19 pandemic, increased dependence on mobile devices and applications, increased cloud and third-party reliance, and high-speed 5G connectivity have all dramatically expanded organizations’ attack surface—the volume of exposed assets that may be at risk of attack.

The expanding attack surface means that significant risks may exist in areas organizations have not historically considered. For example, a recent BitSight study into the security posture of organizations’ mobile applications found that 75 percent of mobile apps contain at least one moderate vulnerability. Few organizations address material and severe vulnerabilities once they’ve released their applications. This is highly risky behavior, and malicious actors are ready to take advantage of these lapses.

Organizations need visibility across their entire attack surface—from on-premises and cloud infrastructure to software as a service and mobile applications. Additionally, ongoing monitoring is essential in an ever-changing risk landscape. Tools that track security performance over time can help guide continuous improvement efforts. This type of insight gives decision-makers the ability to make security investments that deliver the highest impact over time and efficiently allocate resources to the most critical areas of cyber risk within their organization.

Armed with data and insights, corporate directors will be able to build upon their cybersecurity governance initiatives and confidently enter the next phase of risk oversight.

Jake Olcott is vice president of communications and government affairs at BitSight.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Board Committees Are Key to Embedding ESG

There is always a warning—but the call is not always heeded.

When it comes to companies, especially in the United States, taking environmental, social, and governance (ESG) issues seriously, that sentiment couldn’t be more apt. The world has irrevocably changed, and US companies that fully embrace and engage on ESG will remain players in the global market. If US companies don’t get on board with ESG, their equities could be worth less than anyplace else in the world.

Take cybersecurity as an example: It was a threat. Companies knew this and discussed it. It wasn’t until data breaches hit like a magnitude 10 earthquake that companies grasped the severity of the threat and the change required, and took action. Initially, many companies created a board seat for a cybersecurity expert, with the onus landing on that person to know all and see all. But when it came to implementation, cybersecurity became an investment issue that necessitated broader board education and different committees taking responsibility for different pieces of cyber-risk oversight.

ESG is at this crossroads now. Stakeholders’ calls for action are louder and more urgent in their demands for change, increased disclosure, and greater transparency. Boards can no longer continue to only discuss ESG or rely on a solely performative approach.

Embedding ESG starts with the three standing committees on a board. Each committee brings its own concerns and governance charter to incorporating ESG into its processes, and when ESG is effectively integrated, this will lead to the next-level mind-set that is required of boards today.

The Nominating and Governance Committee: ESG and People

The nominating and governance committee, simply put, is focused on people. So, ESG from a nominating and governance perspective needs to focus on questions that employees are raising, such as on the return-to-office policy and on conducting employee surveys that provide answers that make sense in the face of the Great Resignation—a component of the “Great Corporate Renegotiation”.

Questions for the nominating and governance committee include, for example:

What investment are we making in our employee culture—beyond affinity groups?How does working remotely support the company in achieving Scope 1 and 2 carbon emission goals? How is that being tracked, analyzed, and disclosed publicly?Have strategies for recruiting and retaining talent shifted to include historically Black colleges and universities and public universities and colleges?How does our company value and promote women and people of color?What is our board composition strategy? How does it align with Nasdaq listing requirements when it comes to board diversity, for example?

A shift in the mind-set of directors on this committee needs to resonate throughout the board, including through asking integrative questions and showing broad support for setting diversity targets during financial and supply-chain discussions.

In today’s landscape, investors see high resignation rates as a risk indicator, triggering deeper analysis of the risk of volatility in growth and performance projections. Considering the questions posed here, as well as others, will strengthen the board’s oversight of the social and environmental components of ESG.

The Compensation Committee: Put Your Money Where Your ESG Is

The compensation committee has its own role in this equation. It is responsible not only for determining who gets paid and how much but also for achieving any targets that have been set. After the last two years—of the pandemic, as well as the racial reckoning following the murders of George Floyd and Ahmaud Arbery and the $12 million wrongful death settlement for Breonna Taylor’s killing—diversity, equity, and inclusion (DE&I) are not “nice to have.” They are “must haves.”

No longer can companies get away with simply presenting as though they have good governance around equity and race, gender, and sexual orientation. They need to show what they are doing to hit targets and grow a diverse, stable workforce from the front lines to their executive leadership teams.

The compensation committee needs to wed compensation to DE&I targets. When hiring a compensation company to advise it, the committee must check and see if that company has experience bringing DE&I into short- and long-term compensation and then ask, “Whom are they benchmarking our company to?”

If a company is paying an executive for achieving DE&I targets, they should be benchmarking against where the company is going (e.g., Best Buy) versus what they have been doing (e.g., Blockbuster).

The Audit Committee: From Bottleneck to Breakthrough

Finally, the audit committee is responsible for looking at the history of intangible assets, such as a company’s reputation, and determining how to budget the management of those risks in accordance with ESG concerns. Is ESG embedded in internal capital allocation models? Was ESG explicitly included in the company’s last financial materiality assessment? How is the company tracking and reporting this data?

Companies need to invest in creating and tracking their own data, and they need to do so in a way that withstands financial valuation analysis at critical times including during merger and acquisition transactions or when they seek financing externally from banks and investors.

In today’s competitive environment, when a board needs to assess the value of an acquisition target, it’s now a prerequisite to view the assessment through the ESG lens. It begins with the board identifying where the target company aligns with the acquiring firm’s corporate strategy and then identifying alignment in how the acquisition target has integrated and embedded ESG in investments and capital allocation decision processes. Target acquisition companies that are not aligned from an ESG viewpoint will face a discounted value.

Essentially, the audit committee can be a bridge from what was done yesterday to what needs to be done today to consistently moving forward in order to embed resiliency through good governance.

Pay Heed or Pay the Price

The world has changed forever since March 2020. Were there warnings from a financial, social, racial inequity, and public health perspective? Yes, and most went unheeded until the pause button was hit, and we were left to ask: Who are we as a nation? As a people? As a corporation?

The world is demanding answers to pressing questions, and pressure is coming from all sides. Corporations that respond at pace and scale with the global landscape will be invested in by the people within, by the community without, and in the financial capital marketplace. Those that don’t, won’t. Embedding ESG meaningfully and effectively is an advantage that bolsters organizational agility even in times of crisis and will help companies successfully renegotiate their role in society and the economy.

Joyce Cacho is an experienced independent director and honoree of Savoy magazine’s 2021 Most Influential Black Corporate Directors list.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

The Great Resignation: How Did We Get Here, and What Can Our Companies Do to Adjust?

Last May, Anthony Klotz, an associate professor at Texas A&M University, coined the phrase “The Great Resignation” to describe the unprecedented number of resignations occurring as a result of the impact of COVID-19.

It was apt: 4 million Americans—primarily mid-career employees—quit their jobs in July alone, with the greatest increases in departures recorded in tech and health care. Since then, departures have continued across all industries.

On Jan. 20, the NACD Texas TriCities Chapter held a virtual program to discuss this topic and the role that organizational leaders play at a time when the war for talent has peaked. David Bixby, a partner at Meridian Compensation Partners, moderated the panel of speakers, which included Dave Pruner, partner in charge of the Heidrick & Struggles Houston Office and directors Carol Hess (Wi2Wi) and Bill Easter (Delta Airlines, Emerson Electric Co., Grupo Aeroméxico, and Memorial Hermann Health System).

The panelist dialogue, followed by small breakout conversations, yielded insight into what executives and directors can do to understand, monitor, and fend off the causes behind unwanted departures. Here are some of the key takeaways.

Why is the Great Resignation happening?

The Great Resignation has been caused by several factors:

A virtual workplace. COVID-19 forced people to stop business travel and start working from home, using technology to meet with colleagues and clients and sell to customers. Much of this has proven effective and provided a degree of flexibility that was perhaps needed far before the onset of the pandemic. For many employees living in large metropolitan areas, the end of the daily commute resulted in fewer expenses, less stress, and greater productivity. Many relocated from crowded urban areas to quieter suburban or out-of-state locations or moved into second residences. As more companies are adding this flexibility on a permanent basis, people are reexamining their options and realizing that jobs that once were difficult to logistically accommodate due to required commuting are now within reach.

Families at home. With children also learning from home, family routines and dynamics changed. Parents became more hands-on, and newfound family connections. On the other side of the coin, however, the stress of having families at home has been significant. For example, a recent McKinsey & Co. report reveals that the pandemic’s impact on women has been disproportionate and offset substantial progress made in recent years. Women—who often carry the larger share of household, childcare, and eldercare duties—might be experiencing burnout at a much higher rate than men, perhaps driving their (and their spouses’) decisions for an occupational change.

Personal health and safety. As people contemplated the personal risk of contracting COVID-19 in their daily jobs, positions in health care, hospitality, and travel became far less attractive than those in other industries. As these industries either shut down (hospitality and travel) or ramped up (health care), employees more carefully examined their options and their employers’ actions, and they made decisions about personal priorities.

Millennial and Gen Z priorities. As employees began realizing the workplace could be—and would likely continue to be—different, they acted. We have known for years that for millennials and Generation Z employees, the definition of “a great place to work” challenges traditional paradigms and involves work-life balance, flexibility, action on climate change, and organizational purpose. The topic of shareholders versus stakeholders is not up for debate, and younger employees expect their employers to have a productive and positive relationship with the wider community.

How can organizations adjust?

Boardrooms nationwide must consider the implications of the Great Resignation. Organizations’ success lies in their ability to attract and retain the best talent, meaning leaders must consider what can be done to minimize the wave of departures impacting so many companies. The program’s panel and subsequent breakout conversations yielded productive insights on steps for directors to consider:

Be clear on strategic priorities. Examine the priorities that have been driving the business. Are they still relevant? Were they made priorities due to shareholder preference without consideration for stakeholders? Are there changes that need to be made to address a wider community of interest? Priorities should be clearly communicated with their purpose understood. People are less likely to leave if they feel their interests and those of the enterprise are shared or aligned.

Innovate on compensation and benefits. Although the importance of a competitive compensation and benefits package isn’t diminishing, companies are innovating around benefits given recent changes in health-care policy and to address employees’ changing desires. Unlimited vacation, sabbaticals, and mental health days are seen as ways to create more flexibility and demonstrate an understanding of the need to create downtime in a 24/7, connected world. Educational benefits are also increasing as topics such as foreign language lessons are included in some employee development benefits.

Examine entrenched practices. In every long-standing organization, there are policies and practices that are hardwired into the enterprise. Some of these are human resources practices, while others can be found in the operations themselves. These can manifest as leaders who are never questioned or behaviors that are overlooked. Particularly in companies that have experienced past success, it is important to examine if the “non-negotiables” are causing people to question whether the organization is right for them.

Focus on environmental, social, and governance (ESG) topics. A deliberate effort to align ESG with business strategy is important to most of today’s workforce. The purpose of a business can no longer be solely about short-term shareholder interests. In today’s environment it is essential for organizations to commit to ESG standards held by the wider society. Employees want their leaders to not only say the right things but also demonstrate through investment and action that the commitment is real. Compensation committees that align remuneration to ESG goals can further reinforce the priority.

Measure who and how many. As talent development is one of the primary responsibilities of compensation committees and full boards, it is imperative that directors understand the variables of the mass balance over time. Historical patterns of attrition (who and how many annually depart) should be compared against current numbers, and a demographic breakdown of those leaving should be closely examined. Attention should focus on whether or not particular demographic segments are departing at higher rates, which could indicate that specific operational, policy, or cultural issues need attention.

Remember that culture matters. Many are concerned that a hybrid work environment with employees who only gather in the office on occasion will struggle to build culture. Work culture (how it feels to work in an organization) is the glue that keeps people together, as it defines how things are done both formally and informally. It’s important for leaders today, many of whom are Baby Boomers or Gen Xers, to realize that how we define “healthy culture” will likely not be how future generations of workers see a sensible and effective culture. Technology, increased flexibility, and less emphasis on “face time” will bring about different ways to collaborate, challenge, and build camaraderie among coworkers. Boards need to be aware of and support how culture is transforming in their organizations.

COVID-19 has accelerated change that was already taking place in the business world. Directors serving on boards should be careful not to dismiss this as “something that will pass” under the belief that the world will soon return to a more recognizable model. Increasing vacancies in commercial real estate, sustained remote work, and the continued use of videoconferencing indicate that the office of the future will look significantly different than the office of the past.

As employees carefully examine options, driven by a different set of values, there will be great companies that find ways to retain a strong and productive employee base. Directors play a critical role in driving conversation in the boardroom to focus on creating an environment that garners loyalty and commitment. Strategic clarity, aligned values, and flexible work arrangements to provide balance are key to winning the war for talent.

Anna C. Catalano serves on the boards of Willis Towers Watson, Kraton Corp., HollyFrontier Corp., Frontdoor, and Appvion. She is also president of the NACD Texas TriCities Chapter and a board member of the NACD Corporate Directors Institute.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.