Artificial Intelligence: The New Frontier for Board Oversight?

Artificial intelligence (AI) is a vital part of transacting in the global economy. Whether it is used to automate manual processes, to bolster cybersecurity defenses, or to power complex search algorithms, AI has become a necessity for many corporations. Although it can provide competitive advantages, AI may also pose regulatory and reputational risks. Not surprisingly, over the last few years, courts, legislatures, and government agencies have focused on these risks.

For example, in a set of highly publicized hearings, the US Congress examined whether search algorithms used by certain technology companies operate with learning biases. More recently, the US Securities and Exchange Commission took enforcement action against an asset manager for, among other things, its use of algorithmic trading software. Other companies are facing mounting scrutiny over their use of biometric data in machine learning.

As AI evolves, so do the legal questions it raises. Directors of companies at which AI is a meaningful part of the business model face a complex dilemma: How can they ensure appropriate board oversight over technology that is designed to run autonomously? Some foreign regulators, including the Monetary Authority of Singapore, the UK Financial Conduct Authority, and the Hong Kong Money Authority, have expressed the view that directors are obligated to oversee AI-related risks. While in the United States regulators have largely remained silent about the scope of the board’s role with respect to AI, state and federal governments have signaled an interest in regulating the use of AI technology. For example, New York City lawmakers have enacted legislation restricting the use of automated employment decision tools. At the federal level, the Federal Trade Commission announced an advance notice of proposed rulemaking earlier this year that, among other things, solicits input on regulating algorithmic decision-making. More recently, the White House issued the “Blueprint for an AI Bill of Rights,” recommending that private sector companies adopt AI risk identification and oversight systems.

Even as the regulatory landscape remains in flux, boards of companies where AI is a substantial part of the business model may wish to consider how AI impacts their common law fiduciary obligations. Delaware’s Caremark duty of oversight in particular requires that directors institute and monitor systems to detect and remediate potential risks to the company. Although legal claims involving alleged Caremark violations are notoriously difficult for plaintiffs to litigate, recent Delaware Court of Chancery decisions emphasize that to survive Caremark scrutiny, boards must actively oversee “mission-critical” risks. But few decisions discuss how AI impacts board oversight. Those that do provide limited guidance.

One recent Delaware decision involves SolarWinds Corp., a software provider. Stockholders sought to hold SolarWinds’ board liable for alleged cybersecurity weaknesses that precipitated a cyberattack on its customers. In dismissing the case, the Court of Chancery characterized cybersecurity as a “business risk” protected by the business judgment rule. According to the court, an alleged failure to oversee ordinary “business risks” only becomes an actionable Caremark claim if the failure violates positive law. The court also suggested that the board had not breached any duty because it had defined cybersecurity oversight mechanisms.

Precisely what Caremark requires when AI-powered technology presents more than simply a “business risk” remains an open question. A 2021 ruling involving The Boeing Co. provides at least a partial answer. There, Boeing’s stockholders filed a derivative suit on behalf of the company, alleging that the board’s failure to oversee the safety of Boeing 737 MAX software contributed to two plane crashes.

In denying defendants’ motion to dismiss, the Delaware Court of Chancery opined that although the board had an audit committee for general risk oversight, it did not have defined board reporting systems to specifically address mission-critical aircraft safety.         

While it is difficult to predict how Caremark will continue to apply to AI oversight, existing case law suggests that generalized risk oversight mechanisms and reliance on ad hoc management reporting may not withstand Caremark scrutiny. Boards wishing to bolster their management of mission-critical AI risks may therefore consider doing the following:

Understand how AI is used in the company and the existing oversight mechanisms.

Ensure that the individual(s) overseeing AI have the appropriate skill set and resources.

Establish, in conjunction with management, internal controls for any mission-critical AI risks.

Institute dedicated reporting and board oversight mechanisms for any mission-critical AI risks.

For companies in which AI is a meaningful part of the business model, seek a board member who has familiarity with AI or, alternatively, engage independent advisor(s) to supplement the board’s skill set.

AI is undoubtedly a new oversight frontier for many boards. But as AI continues to drive business decisions, it may be time for directors to evaluate its implications on their fiduciary obligations.

Sarah Eichenberger and Jonathan Rotenberg are securities litigation partners at Katten. Caroline Sabatier is a securities litigation associate at Katten.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Ensuring the Credibility of Reported ESG Information

A tide of pressure for reporting on environmental, social, and governance (ESG) issues continues to gain momentum. Investors, in particular, are pushing for companies to incorporate a holistic mind-set to ESG in decisions that are made and related reporting. In the absence of regulations for reporting ESG-related information, the content and scope of ESG reporting are choices made by companies, with consideration given to who will use the information as well as how they will use the information. There is also flexibility, for now, with respect to how and where the information is presented. Some of this choice and flexibility will soon change as regulations are enacted to enhance trust and confidence in what is being achieved in relation to climate and sustainability goals.

New reporting regulations will be supported by frameworks and standards that are also being developed to support the required disclosures, globally (e.g., by the International Sustainability Standards Board) or jurisdictionally (e.g., the US Securities Exchange Commission’s expected new rules for climate-related disclosures), with much effort to ensure these frameworks and standards are developed in a timely way to meet the growing demand for ESG information. If not already providing relevant ESG information, companies will need to be ready to provide this information when any new regulations take effect.

A lack of regulation and legislation about required reporting on ESG has led to frustration for investors with inconsistent disclosures that make comparability hard and with questionable reliability of the data reported. While reporting frameworks and standards will enhance the comparability of ESG information reported, credibility of the information being reported will come from assurance. Regardless of the requirement for assurance, an opinion or conclusion from an independent practitioner on the ESG-related information will provide the credibility and trust in a company’s ESG information that investors and others seek.

But what does assurance on ESG disclosures mean for directors?

For some companies there will not be a choice about obtaining assurance on ESG-related information as some of the new regulations are expected to mandate assurance. Regardless, the following considerations will be relevant to boards that seek assurance:

Type of assurance needed. There are two options: reasonable or limited assurance. Regulation will in some cases stipulate the type, otherwise a decision about the type of assurance needed will need to be made considering all of a company’s stakeholders.

Costs. An independent verification of ESG-related disclosures will come with incremental costs. This includes direct costs of the engagement (paid to the practitioner providing the services) and indirect costs (including the time of company personnel and costs of other resources needed to generate the information). These costs are expected to be more significant the first year a company solicits assurance and can vary widely depending on the type of assurance as well as the depth and breadth of information provided.

What information is to be reported. The scope of what is being reported may not only depend on required regulatory disclosures, but also the ability of a third party to provide assurance on the disclosed information.

Governance. How can ESG be holistically incorporated into all aspects of the company’s governance principles, in particular to demonstrate a focus on “tone at the top” for ESG matters?

Processes and systems to generate the information. Thisincludes considerations about the source of the information, as well as adopting suitable criteria for developing the disclosures. Criteria are the benchmarks against which the information is evaluated and are essential for the conduct of an assurance engagement to ensure the information is complete, relevant, and reliable.

Controls. This involvesensuring adequate controls and related policies and procedures over the development of ESG information reported.

The third party engaged to provide assurance services. Using professional accountants who provide assurance services as part of their business will ensure that the individual has the essential skills, including sound judgment and expertise, to provide a quality engagement. Professional accountants will also use an accepted assurance framework that is commonly understood, such as International Standard on Assurance Engagements (ISAE) 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, or ISAE 3410, Assurance Engagements on Greenhouse Gas Statements, as relevant to the engagement. Other types of practitioners may be able to provide independent verification, but such engagements may not necessarily align with commonly accepted professional standards including a comprehensive system of quality control.

Timing. Timely efforts by companies will be needed to ensure that consideration is given to the needs of the assurance provider to be able to perform a quality engagement and report accordingly.

Considering the credibility of your ESG disclosures and how that can be achieved is becoming a crucial need of investors and other stakeholders, and an area that cannot be ignored.

Bev Bahlmann is a senior director in RSM’s National Professional Standards Group, focusing on technical communications.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Improving Audit Committee Effectiveness

The strength of our public company financial reporting system relies on many stakeholders playing different but interconnected roles in a process designed to provide investors and our markets with high-quality, reliable financial information. Audit committees play a vital role in the financial reporting system through their oversight of financial reporting, including the audit of the company’s financial statement and internal control over financial reporting performed by the external auditor.

Increasingly, audit committees are also responsible for overseeing other areas of corporate reporting, such as cybersecurity; environmental, social, and governance (ESG); and other non-generally accepted accounting principles information. Given the increasing scope of oversight, how audit committees manage and disclose these responsibilities is an important consideration in today’s environment.

My organization, the Center for Audit Quality (CAQ), and NACD recently convened an investor, James Andrus; an audit committee member, David Herzog; and an academic researcher, Lauren Cunningham to discuss the evolving role of the audit committee and identify best practices related to effective audit committee oversight and responsibilities. The discussion, led by Vanessa Teitelbaum, senior director, Professional Practice at the CAQ, had several important takeaways.

The Agenda of the Audit Committee Has Become Increasingly Crowded

The discussion explored the results of two publications recently released by the CAQ. The first, the CAQ’s ninth annual Audit Committee Transparency Barometer, reflects a long-term positive trend of increased transparency in several areas by audit committee members. The second publication, Audit Committee: The Kitchen Sink of the Board, developed with academic researchers at the University of Tennessee Knoxville’s Neel Corporate Governance Center and the Pamplin College of Business at Virginia Tech, offers leading practices for audit committees. This includes how boards can effectively allocate oversight responsibilities to the audit committee, how audit committee members can keep up with an ever-evolving workload, and how audit committees can improve their disclosures related to their oversight responsibilities.

Lauren Cunningham, one of the researchers who authored the Kitchen Sink report, observed during the webinar that the scope and workload of audit committees is increasing, with 40 percent of the audit committee members interviewed for the report referring to the audit committee as the “kitchen sink” of the board. According to the report, emerging areas of focus such as cybersecurity, ESG, and enterprise risk management are increasingly being assigned to the audit committee, but this can lead to suboptimal work.

Audit Committees Are Using a Variety of Methods to Improve Their Practices

The Kitchen Sink report also identified several leading practices audit committees are using to manage their increased workload. One important consideration for audit committee members is to be purposeful about developing skill sets that match their oversight responsibilities. They can do this by actively assessing the committee’s key risks when planning for continuing education opportunities and utilizing specialists where needed; regularly evaluating whether audit committee refreshment is needed to keep up with the necessary skill sets to properly oversee evolving risks; and carefully managing the committee agenda by mapping out risks to allow for deep dives on a rotation of topics throughout the year. 

Audit committees can also free up time for additional responsibilities by managing the agenda and relationships. This includes working with management to fine-tune the types of materials delivered in advance and hold audit committee members accountable for reading through materials in advance, reflecting on whether meetings allowed for sufficient time to evaluate management’s response to key risks.

“At MetLife, the pre-reads are written documents—we don’t just get slides without context. These written reports really help before we walk through a presentation,” said Herzog. “We also utilize a calendar that helps us organize our meetings. We meet 11 times a year and make liberal use of off-cycle meetings to dive into deeper topics.”

Maintaining a collaborative relationship with management and adopting leading practices to manage shared governance across board committees can also help audit committees free up time.

There Is Need for Improvement in Disclosures

While the CAQ’s 2022 Barometer found that there were several positive disclosure trends among S&P 500 audit committees, including increased disclosures about oversight of cybersecurity year over year, there were still many areas for improvement. For example, while 71 percent of audit committees of S&P 500 companies disclose auditor tenure in the proxy statement, only 9 percent of such audit committees disclose how the audit committee considers length of auditor tenure when reappointing the external auditor. And while 51 percent of audit committees of S&P 500 companies disclose that they are involved in the selection of the audit engagement partner, few disclosed what their involvement in the selection of the audit engagement partner entails.

Cunningham noted, “One thing we saw is that there are two types of audit committees out there. There are those clinging to the [US Securities and Exchange Commission]’s bare minimum rules and who have a ‘check the box’ mentality. Then there are those who are going beyond these rules and disclosing important information about their work that investors want to know.”

“We love to say it just takes one person to enhance disclosures. It either takes a corporate secretary or general counsel that believes in the importance of corporate transparency, or it can be the audit committee sharing resources like the Barometer,” said Cunningham. “It’s really easy for them to forward these documents and say, ‘can we just have a conversation about this? This is what our peers are doing.’”

Herzog, who chairs MetLife’s audit committee, noted on the webinar that board structures can make a difference in how companies manage and effectively communicate their disclosure. “There’s no one size fits all. At MetLife, we have five standing committees that are thoughtfully designed and fit for purpose. These committees are structured so that together they address the risks that MetLife faces.”

Investors want to see clearly defined roles and responsibilities assigned to the audit committee, an explanation for why audit committee members are appropriate for the specific company, examples of continuing education for audit committee members, more explanation for how audit committees address key risks, and details that reflect broader audit committee responsibilities.

“One thing that was important from the Barometer report was that it said, ‘increased transparency improves investor confidence,’” said Andrus, interim managing investment director, board governance and sustainability at CalPERS. “That hits the nail on the head. When we view the people on the audit committee as professional, competent, and good, then we have confidence. The concern becomes when committees do not take their responsibilities seriously and we can’t gauge that there are problems at their company.”

He added, “In many cases, we’re unaware of the other things the audit committee is doing, and they aren’t getting credit for it! We’d have more confidence in the company if we knew of the work audit committees are doing, so I really applaud the Kitchen Sink report for outlining what that work looks like.”

Final Thoughts

When it comes to the audit committee, transparency is the key to investor confidence. Audit committees should take both a quantitative and qualitative approach to personalized disclosures to give investors more insight into the processes, considerations, and decisions made by the audit committee.

Julie Bell Lindsay is the CEO of the Center for Audit Quality.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

M&A Risk Oversight Amid Economic Volatility

Entering a recessionary period is always an interesting time for mergers and acquisitions (M&A);  2022 deal activity is down from 2021 but is relatively stable compared with prior periods. In this cycle, transactions are taking longer to execute due to increased regulatory scrutiny. Also, notably different than during the Global Financial Crisis, the banking system is well-capitalized and resilient, and private capital as well as corporates are sitting on significant amounts of dry powder.

The role of the board in navigating the volatility of today remains critical. When facing a downturn and potential long-term recession globally, companies can find themselves on one of three paths: grow, survive, or die. The board must engage in active strategic oversight and assess potential transactions as buying or selling opportunities.

Companies that grow amid volatility are already in a position of strength with access to capital. The board and management are in the enviable position to pursue strategic targets at advantageous valuations. Targets are often companies in survival mode and focused on liquidity, leverage, and maintaining the core business. These boards should be considering divestitures of noncore assets or restructuring the balance sheet. If a company is entering a recessionary period with declining performance or an impending liquidity crisis, it is critical for the board to know this while it can still act to deliver the best value for shareholders. Being acquired or merging may be the best option. In any case, the board should know which path the company is on.

M&A activity in uncertain times brings several key risks to the forefront of the boardroom, including strategic, financial, regulatory, and talent risks.

Strategic Risk

Boards are well served to proactively oversee a strategic assessment of M&A or divestiture opportunities in the case of a potential downturn. Identifying strategic targets or potential acquirers creates space for thoughtful consideration before getting caught up in the moment. Amid uncertainty, transaction opportunities can present themselves quickly. Identifying a situation as aligned with long-term corporate strategy increases speed to execution, improves valuations, and satisfies shareholder expectations.

The board must also consider allocation of resources when volatility may limit capital and management bandwidth for integration while addressing challenges in the existing business. Importantly, the board must be able to assess when management wants to do a deal and should not (as management often advocates for acquisitions brought to the board) or does not want to do a deal and should. An independent assessment from a third party or appointment of a special committee is an effective measure to clearly analyze risk and reward trade-offs.

Financial Risk

In this environment, valuation and price matter. Boards on both sides of the table should ask for scenario analyses and valuation updates frequently during negotiations. The acquiring board should question growth projections and cost synergies with judgement and scrutiny. Similarly, the board’s role in a sale or divestiture is to obtain the highest and best value for shareholders, and one way to mitigate valuation risk is to keep management focused on executing the deal as quickly as possible.

All boards would be well served to assess proforma financials under macro stress scenarios, as well as typical synergy scenarios. Having a view of the potential downside if revenue does not grow and interest rates rise, for example, is more effective than assuming static macro factors over time.

Regulatory Risk

Regulatory review of proposed M&A transactions has recently expanded in duration, scope, and depth. For example, competitive stakeholder reviews focus on industry, as well as employees, customers, and suppliers. In cross border deals, matters of national security, data privacy, and climate change are high priorities. Regulatory delays can erode value and put pressure on the target, which wants to close the deal as quickly as possible, and the acquirer, which will accept extra time constraints to minimize regulatory remedies.

A disciplined process mitigates regulatory as well as litigation risk. Expect transaction outcomes to be challenged and document decisions, discussions, and disagreements throughout negotiations. Scenario analyses are also effective to identify and address regulatory concerns early. The board must set longer timelines to mitigate against delays in regulatory approvals, protect against renegotiations, and maintain business operations without undue distraction.

Talent Risk

Certain M&A risks remain prevalent in any economic environment. Board and management teams have a role in ensuring successful transitions before and after the deal is finalized. A mismatch in corporate and board culture is one of the most common causes of failed integrations. The board is making a big bet on the leadership team. A deal may fit strategically, but management needs to execute the integration and implement the go-forward strategy. The board must also ask if the directors collectively still provide the right expertise and talent required for the new organization.

However, the last few years have been defined by crises. Boards and management teams are still navigating through the COVID-19 pandemic and the future of work. We are facing an economic recession and global turmoil. Consider board, management, and employee fatigue. Boards must determine if M&A or divestiture opportunities are strategic versus reactive to the market and macro environment.

To navigate M&A today, the board should proactively identify risk and potential impacts through strategic assessments and scenario analyses. Additionally, expect transactions to take more time and focus from the board. Finally, in this cycle with capital in the market, know that there will be winners and losers.

Emily Harte is a Partner at Oliver Wyman, a business of Marsh McLennan.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

ESG and the Board’s Governance Role 

Global research indicates that companies in North America are less committed to environmental, social, and governance (ESG) engagement than those in Europe and Asia-Pacific. For boards seeking to improve their ESG engagement, what steps should they take? Below are 10 steps boards should explore. 

Engage stakeholders. Boards should consider employee, customer, supplier, investor, and other stakeholder interests in the context of maintaining financial vibrancy, sustaining the organization’s strategy and business model, and delivering long-term shareholder value. Interactions with key stakeholders are opportunities to learn about their respective interests and concerns and build relationships based on trust. A company’s commitment to all of its stakeholders and its commitment to its shareholders are not to be viewed as mutually exclusive; rather, both are integral to the purpose of generating sustainable long-term shareholder value. 

Set the context for the ESG agenda with organizational purpose. Directors should develop a shared view with executive management regarding the organization’s purpose, including the promises for which its brand stands. Purpose focuses on why the organization exists and how it benefits the markets it serves. It frames the narrative to the public. 

Integrate ESG considerations with strategy and capital allocation. Boards are stewards of capital, and ESG initiatives are under increased financial pressure as CEOs and investors focus more sharply on risk and reward. Ultimately, directors must view ESG considerations the same way they view everything else that involves the allocation of capital and the future (e.g., understand the strategic opportunity and purpose, inquire as to the risks, and measure and monitor return on capital). 

Assess board ESG capabilities. The board chair and committee chairs should periodically evaluate the board’s expertise with respect to environmental and social matters and the organization’s changing needs to set a context for planning board succession and onboarding new members. Board refreshment is about maintaining currency with respect to knowledge, experience, and perspectives in the boardroom.  

Evaluate the board’s ESG oversight process. ESG-related opportunities and risks, supported by data and metrics, should be included within the scope of the board’s overall oversight process. To that end, it may make sense for directors to review the board committee structure (including the need for a separate ESG- or sustainability-focused committee) to ensure coverage of ESG priorities while also retaining a whole board view of the full picture with respect to ESG strategy and reporting. Based on the review’s results, committee charters should be revised accordingly. 

Set board reporting protocols. To set the foundation for ESG oversight, the board should establish the content and frequency of the ESG reports it is to receive from the company. The board should receive periodic briefings regarding management’s assessment of material ESG issues and the company’s current ESG market ratings and rankings as well as their implications. Directors also need to work with management to define the board’s involvement in significant decisions regarding environmental and social matters, including company positions on sensitive social and political issues.  

Integrate ESG matters into risk management. As Martin Lipton, a noted author, pointed out, ESG “is… a collection of… disparate risks that corporations face, from climate change to human capital to diversity to relations among the board, management, shareholders, and other stakeholders.” The board should ascertain that these risks are added to the scope of the enterprise risk management process, with incorporation into enterprise risk assessments, integration of risk with strategy-setting and performance management, and—if critical to the enterprise—periodic reporting to the board.  

Pay attention to ESG external reporting. High-quality and transparent ESG reporting to the public is a board priority. It is recommended that directors do the following: 

Establish an understanding and reach agreement with management on the nature and extent of the board’s review of draft ESG sustainability reports prior to issuance. 

Engage management regarding the effectiveness of the company’s disclosure controls and procedures, including the role and composition of its disclosure committee as well as the interactions of that committee with management’s ESG committee structure, if any. 

Inquire as to whether the company’s ESG storyline is resonating in the market and impacting the company’s valuation. 

Understand management’s preparations for new regulatory requirements (e.g., the US Securities and Exchange Commission’s forthcoming climate change disclosure enhancements in the United States) affecting the nature, extent, and timing of ESG disclosures. 

Request periodic comparisons of the organization’s ESG reporting relative to its peers to ascertain whether there are potential deficiencies to be corrected. 

Finally, some companies are disclosing the board’s oversight role with respect to ESG matters. 

Focus on sponsorship and accountability related to compensation. The board should agree on the senior executive designated with responsibility for ESG and understand how the organization is driving a collaborative focus on the ESG priorities essential to the organization’s long-term success. Desirably, ESG performance measures are integrated with financial and operational performance monitoring to avoid becoming an appendage that would likely receive curt treatment in the C-suite. Performance expectations and the related metrics linked to incentive compensation plans are the means to ingraining accountability for results and commitment to progress within the culture. It also makes sense for the board to set agenda time for the dedicated ESG sponsor to discuss the company’s progress toward ESG targets in the context of the company’s overall strategy. 

Consider help from outsiders. Board governance sets the tone for effective corporate stewardship of environmental and social issues. To that end, the board may want to consider the need for engaging outside experts, as well as the importance of educating directors, on selected ESG topics. 

These 10 steps are not intended to suggest a fixation on ESG in the C-suite or boardroom, as there are certainly other fundamental issues that must be managed. Rather, the point is that leaders have a fiduciary responsibility to address the opportunities and risks posed by ESG matters as they ensure the long-term viability and well-being of their companies. Accordingly, they should focus on appropriate sustainability objectives while keeping an eye toward delivering expected financial results. In this context, board governance sets a constructive, balanced tone for effective corporate stewardship over environmental and social issues. 

Jim DeLoach is managing director of Protiviti. DeLoach is the author of several books and a frequent contributor to NACD BoardTalk. 

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.