Multinational Companies Should Monitor Three Emerging Risk Exposures

Stretched supply chains, high levels of inflation, the conflict in Ukraine, and the COVID-19 pandemic continue to stress economies around the world and significantly affect organizations’ risk profiles. As existing risks evolve and new ones emerge, organizations have been under increased pressure to develop risk and insurance management strategies that are resilient as well as to build risk management programs that respond to fast-changing challenges.

For global businesses, the uneven impact of evolving and emerging risks is compounding the challenges of managing their multinational portfolios and introducing new risks for directors and officers. As they seek to remain competitive, business leaders need to understand this changing risk landscape, identify the interconnections, and take action to protect the bottom line, focusing on three main risks.

1. Inflationary Pressures

High inflation in countries around the world is increasing the value of many insured assets. At the same time, supply shortages are prolonging rebuild times and operational stoppages after losses. Underwriters are increasingly scrutinizing insured values to make sure that these reflect today’s replacement costs, requiring organizations to reevaluate their insured properties and assets to determine whether they have adequate coverage that will facilitate recovery in the event of a loss.

Uneven rates of inflation in different countries create an added complication for global companies that must ensure local subsidiaries update the valuation of their property and assets in line with inflation rates.

In addition, insurers are concerned about the impact of inflation on their bottom lines as higher costs contribute to larger claim settlements, which can lead to reserve deficiencies, faster erosion of deductibles, and inadequate coverage. Unease over underinsured assets on their books is leading some underwriters to include policy provisions designed to limit recovery to reported values, coinsurance or average clauses, or coverage disclaimers. It is critical that your management team review and update property values to ensure that they are current and align with inflationary effects.

Liability costs are also escalating due to inflation, with rising defense costs and settlement amounts and an increase in nuclear verdicts. The dynamic of social inflation has been impacting US claim trends for many years and is a growing dynamic across the global marketplace, most notably in the United Kingdom. Management teams also should scrutinize customary liability insurance limits to ensure that they are sufficient in light of these increased costs.

Underinsurance risks are not restricted to your own operations, but to all organizations that you do business with. It is critical to understand insurance requirements during an inflationary period and scrutinize the coverage required of third parties to determine whether they have sufficient limits to cover risk emanating from the relationship.

2. Tax and Regulation Risk

Global organizations with interests in different countries face the added task of abiding by local regulations, including tax requirements from both country-specific and global policies.

However, amid mounting pressure to reduce their spending in the face of inflation, many insurance buyers are foregoing country-specific coverage and instead purchasing global policies to cover their multinational risks.

Although it may lead to financial savings (often upwards of 25 percent) and lower administrative costs, it can open local entities to government investigations and disruptive audits, as well as hefty fines and penalties, if their coverage is not in line with local regulations. The liability created by indirect taxes also is often not identified by the insured entity’s tax group.

Further, claims on global programs tend to be paid to the parent company, which typically then needs to transfer this money to the local entity that experienced a loss. These transfers, when legally allowed, may trigger additional income tax, eroding any program savings. Large monetary transfers may also trigger examinations, requiring risk management and treasury teams to spend time preparing their response to protect the firm instead of focusing on initiatives to improve the company’s resilience.

Your business leaders should work with local entities to review country-specific requirements and determine whether these are adequately addressed through a global program or they require local coverage.

3. Shifting Data Protection Regulations

From the European Union’s General Data Protection Regulation to the California Consumer Privacy Act, different countries and regions are looking at new regulations to protect their citizens’ private data. Enforcement efforts highlight the potentially exorbitant costs of noncompliance with data protection laws, delivering blows to the brand as well as the bottom line.

Not only can companies be held liable for possible mishandling of customer information, but there is also a growing demand for companies to have the financial reserves to pay any fines and other costs related to a breach. Insurance is one of the most sought methods to provide protection for such losses and satisfy applicable laws. Relying on a simple global insurance policy will likely become increasingly difficult in the face of varying country regulations.

Risk management teams should partner with global risk advisors to understand the data privacy risk climate in individual countries and any laws imposing liability for privacy breaches or requiring financial security in each country. Localized risk assessments can help your country risk managers determine whether current policies offer adequate protection.

Improving Your Multinational Resilience

As business leaders take actions to improve resilience in the face of emerging risks, organizations with subsidiaries in several countries will need to make sure that each local entity has adequate coverage to satisfy local regulations and provide the necessary protection in case of a loss.

This can be a moving target for many global programs, requiring significant commitment from the risk management team to keep up to date with shifting country requirements. Risk management teams should continuously monitor emerging risks and evaluate the suitability of current insurance program design to meet cost and compliance comfort levels.

Christian Hunter is the senior vice president and multinational Insurance Regulatory and Tax Consulting Practice leader, North America at Marsh.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

A Design-Led Approach to Profitable Growth

Design-led. This term may conjure images of turtlenecked CEOs hawking the latest mobile phone or accessory, but design-led concepts need not be relegated to creative industries or sectors. A design-led approach places people at the center of program development and decision-making, invites empathy into the ways in which a company structures its business, and is something boards should be keenly aware of.

Rooted in industrial design (the creative act of defining a physical product’s form and features), the design movement in business describes a way of looking at products and services with deep empathy for their intended users—customers, employees, suppliers, and even partners. At its core, a design-led approach is simply about viewing the world through the eyes of consumers to resolve their pain points and evoke positive human emotions during every interaction with a company.

Today, design-led concepts can be found in the corners of every corporate function within every industry. What’s more, the design movement has matured into essential curriculum in top business schools and in leadership training in more progressive companies.

The interest in applying design capabilities to all types of businesses and functions (e.g., marketing, human resources, finance) is due in large part to the widespread digitalization and automation of commerce channels. Now, with these approaches becoming so well adopted in consumer-facing domains, businesses are turning to the power of design-led approaches coupled with advanced analytics to improve operating margins and accelerate growth. That’s right—you can do both simultaneously.

What Does ‘Design-led’ Look Like?

To demonstrate the power of a design-led, advanced analytics approach, here’s a quick real-life application: A Fortune 500 client was aspiring to install an enterprise data and analytics platform to efficiently manage and monetize operational data, but a price tag of $100 million kept the business from pulling the trigger. Senior executives couldn’t see past the giant expense, especially given the company’s history of information technology (IT) cost overruns and write-offs.

Rather than build an abstract and complex platform that only IT professionals truly grasped, the client took a design-led, advanced analytics approach. First, the company did an empathy map of the key personas (platform stakeholders) who would be using or impacted by the system. Next, it developed a prioritized list of customer and employee use-cases for the platform. Then, the team built only the platform components, one phase at a time, that were absolutely needed to drive practical value for customers and employees as identified in the initial set of use cases. The team aligned the business on this phased roadmap and defined key performance indicators for each phase so the client could measure success.

The close of each design phase included a quantitative review and report to the C-suite on the platform’s value to either customers or employees. The team’s ask to the C-suite was simple: give seed money to build the first phase, and if the team can quantify real value to either employees or customers at the end of the phase, release more money to build the next phase. Then the team would repeat the process. The results? Every phase was successful, and the data platform paid for itself in the four years it took to build.

But Are We Talking about Costs, or Growth?

Today’s market is a pressure cooker of challenges. It’s no wonder almost every board is focused on scenario planning to future-proof the business. While it might be tempting to focus planning efforts exclusively on cost take-out measures to weather tough financial times, we would argue in almost any scenario that a balanced approach to operational efficiency and customer experience innovation is best, even when times are hard—perhaps especially when they are hard.

Take companies such as LVMH. The luxury conglomerate might have been ripe for pandemic failure given its heavy reliance on affluent Chinese tourist sales in brick-and-mortar stores and reluctance to embrace ecommerce as a core business strategy. But when stores closed, the company invested heavily in designing ecommerce channels to connect with customers amid the “stay at home” environment, turbocharging online sales and reaping double-digit market cap gains.

Or take Ford Motor Co. The company encountered multiple pandemic setbacks as a result of the supply chain breakdown and decreased consumer driving during COVID-19, and still made perhaps the boldest innovative move in the history of the company by splitting into the Model e (electric vehicle, or EV) division and the Blue (gas) division. This strategy fundamentally repositioned the company and the design of its products to meet the changing needs of customers and humanity at large. The company took losses during the pandemic, but saved jobs, used assets to develop health equipment for first responders (ventilators, face shields, air purifiers, etc.), and went hard on the EV business investment.

These are just two examples that demonstrate that companies who invested in customer-centric design are now starting to enjoy the fruits of those investments and the public-positioning as strategic market leaders. Others who focused on reducing headcount and spending to manage costs are feeling the pressure that they are now laggards in the competition for the talent and customers they so desperately need.

The beauty of design- and data-led approaches is that they both improve operational efficiency and still allow for smart top-line growth investment. A design-led approach removes friction and delights customers, and a data-driven approach deepens our understanding of customer and employee needs and automates operations and decision-making to produce more significant results.

Getting Started

Boards of directors facing the uncertain economic realities of today would do well to think deeply about how design-led and analytic-powered approaches can help the organizations they serve best their competition, hedge against market turmoil, and grow market share in a recessionary environment.

Boards can discuss these five steps with management to get their companies started:

1. Know the health of your customer journey and employee experience. Ask management to map and measure the critical customer and employee touchpoints to create deep insights about their human needs and opportunities to win greater loyalty.
2. Assess your asset foundation. Management should take stock of what you have. Most companies are sitting on a treasure trove of data and other assets and don’t even realize their value for new growth and efficiency opportunities.
3. Marry cost efficiency work with experience investments. For every cost cut, make sure management understands the impact on the customer and employee experience, and give something back to delight these stakeholders.
4. Remember, speed is an asset. Don’t be paralyzed by finding the “perfect” answer. Encourage management to use the data to identify multiple solutions. Test many. More than one might be right. The power of analytics and artificial intelligence today is cost accessible and more efficient than human decision-making.
5. Don’t forget about the people. “Design-led” means injecting empathy into all of these steps. At the end of the day, your customers, employees, and suppliers should think to themselves, “They really get me.”

Boards have a key role to play in supporting and encouraging design-led approaches to products and services that can give their companies a competitive edge as economic volatility continues.

Adam Malamut is the chief experience officer of Alvarez & Marsal Digital. Michael Lawless is a managing director with Alvarez & Marsal Digital in Washington, DC.

Geopolitical and Cyber Hot Spots: Galvanizing Risk Governance for Escalating China-Taiwan Tensions

In a year already unprecedented in its geopolitical tectonic shifts, twists, and turns, company boards everywhere need not only to up their focus on risk governance generally but do so specifically with respect to geopolitical and cyber risk. Whether or not a business is physically located in a geopolitical hot spot such as China, Taiwan, Russia, or Ukraine—directly or indirectly, through people, assets, or the supply chain—what happens in those hot spots doesn’t stay in those hot spots.

The year started with Russia’s invasion of Ukraine and continued with US-China tensions over Taiwan. Both dramatic geopolitical developments have had a series of reverberations globally including for the business community. For example, shifts in relationships between the United States, European Union (EU), and Russia, including ceasing to do business in Russia, protecting people and assets in Russia and Ukraine, and abiding by unprecedented sanctions, are only a few of the consequences.

It’s Time to Get Ready for Escalated China-Taiwan Tensions

The second half of 2022 has already witnessed another critical geopolitical moment. Perhaps prompted by the visit of US House speaker Nancy Pelosi to Taiwan, China’s hair-trigger response of using its military for an unprecedented show of force with live-fire exercises over and around the island of Taiwan is simply an escalation of tensions that were otherwise long under development. Whether these tensions result in an actual invasion by China of Taiwan or something short of that in the near, medium, or long term, good business judgment requires both management and the board to start planning now.

Smart businesses, such as some of the leading technology companies, are already deeply involved in searching for and securing alternative and diversified manufacturing sites both near China and Taiwan (for example in Vietnam), as well as in onshoring or reshoring their supply chains by building new manufacturing sites “at home.” Although such new facilities will not come online soon enough, leaders must stop planning only for short-term profits and start planning for medium- and long-term resilience which, ostensibly, should yield long-term profits.

Expect the Unexpected

Before 2022, few expected Putin’s Russia to invade Ukraine but it happened with alarming, serious, and immediately disruptive consequences. No one wants the same thing to happen from a deterioration of China-Taiwan relations.

Taiwan is a model democracy and market economy, and an incredibly important source of highly advanced, specialized chips used the world over in technology of all kinds including laptops, smartphones, security networks, and telecommunications networks.

US and global companies with Taiwan-based operations should be most concerned as their exposure isn’t only to the financial implications of supply chain and product or service failure, but also to the impacts on the health and safety of employees. It is also likely that cyberattacks will increase in volume and ultimately result in financial loss either due to denial-of-service attacks, lost productivity, or the need to spend more money and resources on cybersecurity.

With the rising tensions between the United States and China, global companies with a footprint in China could fall into the cyber war between the states. Many US- and EU-based companies are already deciding to close or relocate operations outside of China. If things deteriorate, China may even attempt to seize control of foreign company assets (as Russia has recently done with the remnants of foreign companies that have left that country).

Geopolitical and Cyber-risk Governance “To Dos”

Among the top “to dos” that company boards and management should consider from a geopolitical and cyber-risk governance standpoint are the following:

- Ensure that the leadership team has access to real-time geopolitical, national, and local political data and advice relating to the company’s strategic footprint, geography, supply chain, and planning.
- Designate a member of management who will oversee geopolitical and political developments with the assistance of solid intelligence and advisors, reporting to the C-suite and board periodically and coordinating in real time with risk management efforts.
- Ask if there is a crisis management plan and team, including a board liaison or member. Is relevant crisis scenario planning integrated into such plans and periodically conducted with the board?
- Ask whether the risk and information security teams have the resources and tools necessary for foresight and future-proofing.
- Ensure that the enterprise risk management framework includes geopolitical and cyber-risk identification, analysis, and mitigation considerations.
- Ensure cyber hygiene. What is the state of cyber-risk management at the organization? Is it effective?
- Ensure that the organization is vigilant about information and data integrity in its products and services.
- Integrate digital chatter vigilance into internal and external communications strategy as well as enterprise risk management.
- Have directors that are risk-savvy, knowledgeable, and experienced.
- Have directors with specific risk expertise, depending on the company’s risk profile.
- Consider having a specialized risk and strategy committee.
- Receive quarterly risk reports from management and conduct executive sessions with the chief risk officer and chief information security officer to ensure organizational resilience and business continuity.

If boards follow the important path of upping or reupping their risk governance to include continuous learning related to geopolitical and cyber risk focused on a company’s specific business footprint, we think that their long-term resilience and sustainability will be seriously improved. Those who do not heed this advice will be at a distinct competitive disadvantage both tactically and strategically, and maybe even existentially, in this era of continuous and overlapping risks and crises. 

Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory; a global ESG, risk, and cyber strategist; a board director; an NACD 2022 Directorship 100 honoree; and a life member of the Council on Foreign Relations.

Tomer Saban is the CEO and cofounder of WireX Systems, a network security company that is changing the way businesses respond to cyberattacks, and before that he worked in the homeland security space, developing defense systems for intelligence agencies.

Pay vs. Performance: What Do Public Company Directors Need to Know?

The US Securities and Exchange Commission recently adopted a new disclosure rule aimed at highlighting the relationship between executive compensation and company performance. The mandate, effective for the upcoming proxy cycle, introduces a new definition of executive compensation, Compensation Actually Paid (CAP), relative to a variety of performance metrics, some of which are prescribed and some of which are selected by each company. Although we won’t cover all the technical details here (that will take place on an upcoming NACD webinar on 10/27), below is a summary of what you need to know today about the new rules, and the potential implications of the new disclosure that warrant conversation in your fall meetings.

There Are Two New Tables and a Required Narrative.

The first table (the pay vs. performance (PvP) table) includes three years of historical data for executive pay and company performance (building to five years of historical data over the next two years). Executive pay includes disclosed total compensation from the summary compensation table (SCT) as well as the new definition of CAP for both the CEO and the average of the other nonexecutive officers. Performance disclosures are

- Company total shareholder return (TSR)
- Peer group TSR
- Company net income
- Company-selected metric

An explanation of the relationship among the various disclosures of pay and performance must be provided in narrative or graphical format (or both). The second table (tabular list) requires a listing of 3-7 financial (or non-financial) metrics that are most relevant to the company’s determination of executive compensation.

Compensation Committees Should Be Aware of, or Weigh In on, Four Key Decisions.

The four key decisions are:

1. Which company-selected performance metric to include in the PvP table;
2. Which peer group to include for TSR purposes in the PvP table;
3. Which additional metrics to include in the tabular table; and
4. Where the required disclosure should be placed within the proxy.

We suspect that many companies will select

1. The earnings metric in their short-term incentive plan,
2. An index used in their Performance Graph in the 10-K or Annual Report,
3. A minimal listing of metrics that are currently included in the incentive plan designs, and
4. Placement after the existing required compensation tables (i.e., not within the Compensation Discussion and Analysis (CD&A)).

“Compensation Actually Paid” Is Not What You Think.

Although the opportunity existed to require something like “realizable” or “realized” compensation, the new rules simply adjust the figures already disclosed in the SCT with respect to equity-based compensation and pensions. For example, the equity-based compensation adjustments are not based on realized compensation (e.g., option exercises, performance share units (PSUs) earned, restricted stock vested, etc.) but rather reflect an annual “mark to market” based on fair value estimates at each new measurement date (e.g., updated Black-Scholes valuation for options, updated Monte-Carlo valuation for PSUs with rTSR metrics, etc.).

What Are the Potential Implications of the New Disclosure?

Nobody wants the tail to wag the dog, but there are some potential implications of this new disclosure for executive-level incentive compensation plan designs going forward.

The choice of incentive plan metrics has greater visibility. Because the company-selected metric for the PvP Table and the list of three to seven additional metrics for the tabular list will likely originate from the metrics currently used in the executive-level short-term and long-term incentive plan designs, the choice of metrics should at least consider how this will appear to shareholders in this new disclosure in the future. In other words, does the current incentive framework really capture all the important metrics? Are there metrics being considered for inclusion in the new list that are not currently included in the incentive plan designs but should be?

This is another potential spotlight on ESG-related metrics. If you don’t have any ESG-related metrics in your list of three to seven, are they not important? If you do have ESG-related metrics in your list but they’re not directly incorporated into your incentive plan design, why not? The fact that these metrics will be “tagged” in the disclosure will make it relatively easy for researchers, proxy advisors, and governance groups to assemble comparisons and identify outliers.

There are potential disconnects with the story in the CD&A. The new required narrative following the CAP table may or may not fully align with the more complete pay-for-performance narrative within the CD&A given the different metrics, time frames, and pay definitions. To some extent, these narratives will need to be reconciled.

Relative TSR plans just became more costly. The number of required Monte-Carlo valuations (typically provided by a third party) has expanded from

- A single valuation on the grant date to
- Multiple valuations during the life of the award:
  - at the grant date,
  - at the end of each fiscal year during the performance period, and
  - at the end of the performance period.

Furthermore, there may be an additional calculation of final actual value if there is a difference between the end date of the performance period and the ultimate vesting date.

Equity awards with quarterly or monthly vesting are quite cumbersome. Because the definition of “Compensation Actually Paid” requires re-measurement of outstanding awards at either fiscal year-end or vesting, awards with more frequent vesting provisions add considerable complexity to the calculation of CAP. For example, an award with monthly vesting will require valuation on the grant date and on each of the 12 subsequent vesting dates.

Is this a big deal? The answer is both yes and no. Yes, because it’s a new required table with an entirely new definition of pay and a potentially confusing narrative trying to make pay-for-performance connections between variables and time frames that may not be well aligned. And no, because it is likely to be separate and apart from the CD&A, and therefore may not become an integral component of how the executive compensation program is evaluated externally (i.e., more akin to the impact, if any, of the CEO pay ratio disclosure). However, it is brand new, it needs to be done, and only time will tell how much attention it ultimately receives or the impact it has on the design of executive pay programs.

Greg Stoeckel is a managing director and consulting team leader in Pearl Meyer’s Atlanta office.

A Crossroads for Cyber Insurance: Are You Really Covered?

Recently, Lloyd’s of London issued a bulletin that will require its insurer groups to separate state-backed cyberattacks from standalone cyber insurance policies. Starting in March 2023, when coverage begins or renews, Lloyd’s global syndicates must exclude attacks involving state actors in policies that protect against physical and digital damage caused by hacks.

This begs the question: If the insurance industry stops covering breaches caused by nation-states, and a significant amount of breaches are suspected to originate from this very source, where does this leave companies? Further, what if the breach source is unknown?

Most, if not all, companies secure a cyber insurance policy to spread out or defer some risk and damage from a cyber breach. Many, however, are likely to start questioning whether the cost of their now-limited insurance policies is worth it. Based on years of cyber investigative experience, I believe Lloyd’s of London’s recent decision will be a difficult one to enforce and nearly impossible to base on unclassified and verifiable data.

The question then comes down to: How do you attribute an attack to a nation-state actor? Attributing back to specific perpetrators is difficult in cyberspace, where identities can be easily disguised by using Tor routers (also known as onion routers), bot networks, and other obfuscation techniques.  

Add to this problem the use of initial access brokers, a dark web concept that I call “crowd-sourced hacking.” Here, actors can be found on various marketplaces and employed to conduct various parts of an attack piecemeal. For example, one actor can conduct the initial network access and then sell it to another actor, who moves laterally through the network and sells the access and network map to another actor, who deploys the malware or ransomware payload.

Some dark web vendors even provide a service dedicated to cultivating archives of stolen credentials, and their clients can include nation-states, organized criminal syndicates, or enterprising cybercriminals with pools of victims to compromise. The attribution waters get even muddier when you start to dive into the forensic science side of cyberspace. On any given day, leagues of different attack tools are being deployed by threat actors big and small. That’s a lot of tools to keep track of, even on the best of days, especially when some of them are used by friendly organizations looking for cyber vulnerabilities to close, not exploit. 

Even if a computer involved in an attack was traced to an IP address located in a North Korean military base, for instance, it wouldn’t necessarily mean said attack had the knowledge of that government’s authorities. The device could have been compromised by hackers in other countries, as in the case of the Office of Personnel Management hack, where the Federal Bureau of Investigation (FBI) arrested a Chinese national for the attack but couldn’t attribute it to the Chinese government.  

And while the specific tactics, techniques, and procedures used by certain nation-states allow for some degree of attribution, only highly sophisticated, investigative methods employed by US law enforcement and intelligence community members such as the FBI, Central Intelligence Agency, or National Security Agency can usually detect them. However, these detection processes aren’t quick ones, sometimes taking months or years. In addition, law enforcement tactics that track such activity are classified and wouldn’t be disclosed to insurance companies seeking to make coverage decisions. 

Given the gray area around attribution, there may be a reckoning around the corner for the insurance sector, especially if other providers such as Lloyd’s attempt to unburden themselves from the financial responsibility of state-sponsored attacks. In an industry all about defining, mitigating, or eliminating risk, cyber insurance must establish a clear, accepted definition of its “nation-state” risk. Otherwise, I foresee a long road of litigation ahead between providers, the insured, and the victims arguing about the identity of the attacker.

Regardless of what happens with the cyber insurance market, having a solid cyber program is important to weather any storm. That’s why enterprises should continue to focus on forging resilient environments that start with risk management. Building out from there, organizations can efficiently secure themselves from threats, no matter the origin.   

James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.
