The Governance Implications of the DOJ’s New Corporate Enforcement Policy

The US Department of Justice’s (DOJ) Corporate Enforcement Policy (CEP) is never going to be the most popular item on the board’s education agenda, but it is quickly becoming one of the most significant.

With the DOJ’s renewed focus on corporate fraud enforcement and new fiduciary duty interpretations from the Delaware courts, corporate responsibility is back in vogue on boardroom agendas. Directors, especially those serving on audit and compliance committees, are now incentivized to recognize this movement and its potential implications for the company.

This is particularly important given the government’s emphasis on individual accountability and the significant, highly time-pressured decisions companies will be required to consider should they become aware of potential wrongdoing within their ranks. Those will most definitely be board-level decisions, not management’s.

The foundation for the renewed emphasis on corporate responsibility dates back to September 2022 and a series of policy speeches by senior DOJ officials. The fundamental message was three-fold: that the DOJ remains committed to corporate criminal enforcement, to supporting corporate responsibility, and to encouraging investment in compliance and culture.

That message surely caught the attention of most corporate counsel and, in many companies, that of the board’s audit and compliance committees. But for others in leadership, it may have seemed more like government saber-rattling than a serious initiative that deserved full-board attention. To a certain extent, that’s understandable.

But the government’s corporate responsibility messaging became much tougher for boards to ignore with the DOJ’s Jan. 17, 2023, release of its revised CEP. This revised policy document generally serves to underscore the government’s focus on prosecuting corporate fraud.

More particularly, though, it introduces a series of “new, significant, and concrete incentives” (including declination of prosecution) for companies to self-disclose identified corporate misconduct to the government. And for companies that choose not to self-disclose, the revised CEP provides incentives for companies that “go far above and beyond the bare minimum” when cooperating with DOJ investigators.

The revised CEP’s provisions have been supplemented by the Feb. 22, 2023, release of the US Attorneys’ Offices Voluntary Self-Disclosure Policy (VSD) which provides additional details on the requirements for voluntary self-disclosure, as well as on the benefits that the DOJ believes self-disclosure offers.

In essence, the revised CEP and the VSD combine to serve notice on boards to take internal investigations of potential fraud even more seriously than they already do. These important new policies are something of a flashing light, alerting boards to the possibility that they may be called upon to make serious, “bet the ranch” decisions on whether, and if so, how, to engage with the DOJ should an investigation identify problematic behavior—including that of executives. And with that alert, it encourages boards and their audit committees to prepare for the potential that they may be called upon to make those decisions.

Key to this preparation is an understanding that both the revised CEP and the VSD implicate corporate governance in three notable areas, which may most effectively be addressed by the board’s audit and compliance committees:

1. Key Board Decision-Making. The board of directors is likely to face a series of critically important decisions regarding corporate cooperation and voluntary self-disclosure should an internal investigation identify likely criminal wrongdoing by the corporation or its employees, including executives. These decisions relate to confirming that the results of the internal investigation accurately and reasonably identify possible criminal wrongdoing, and processing the chain of related decision-making. The latter includes deciding whether to make a voluntary self-disclosure; whether to meaningfully cooperate with the DOJ investigation or otherwise remediate; and whether to not disclose or otherwise to not cooperate.

These are in most circumstances board-level decisions and should not be made without the input of qualified white-collar defense counsel. They are decisions that must weigh the potential advantages of cooperation and self-disclosure (e.g., declination of prosecution) against the potential disadvantages of proactively engaging with the DOJ on matters of corporate conduct, especially when the evidence of wrongdoing is not clear-cut.

The issuance of both the revised CEP and the VSD gives members of audit and compliance committees the opportunity to familiarize themselves with these possible decisions, so as to be positioned to advise the board should wrongdoing be identified. Telling oneself, “It couldn’t happen here” is not a recommended governance best practice.

2. The Compliance Program. The audit and compliance committees and the board should recognize that, in many ways, the incentives offered by the revised CEP and the VSD underscore the value of maintaining an effective compliance program. Compliance program effectiveness is one of the key factors the DOJ will consider in determining whether a company will receive full credit for the “timely and appropriate remediation” element of the revised CEP.

Eight specific plan criteria are identified, and while they have all previously been identified in prior DOJ documents, they may serve as a useful resource for audit and compliance committee monitoring.

3. Executive Compensation. In her Sept. 15, 2022 presentation, Deputy Attorney General Lisa O. Monaco introduced the use of financial and executive compensation in promoting compliance and avoiding improperly risky behavior. Specific approaches include rewarding companies that claw back compensation from employees, managers, and executives when misconduct happens.

In her presentation, Monaco indicated that she has directed the DOJ’s Criminal Division to develop further guidance on how to reward corporations that employ clawback or similar arrangements. While the revised policy does not include such guidance, it does reference the use of compensation to incentivize compliance, and Monaco’s referenced guidance may still be forthcoming.

Key Takeaways

Neither the revised CEP nor the VSD represents the end of the corporate responsibility messaging from the DOJ. Indeed, a series of public conferences in early spring provide a logical forum for additional statements from the DOJ on corporate fraud enforcement. Boards should expect further updates from their corporate counsel on these points and should be prepared to work with management on necessary responses.

From a board awareness angle, there are several key takeaways from both the revised CEP and the VSD:

1. It is clear that the DOJ and its Criminal Division are committed to incentivizing self-disclosure, corporate cooperation, and remediation. The DOJ is offering corporations what it believes to be meaningful benefits to encourage early and proactive engagement with government prosecutors when indications of material misconduct arise.

2. These self-disclosure incentives notwithstanding, the DOJ makes it clear what it perceives to be the risks of failing to self-disclose: “The bottom line: call us before we call you.”

3. Decisions on whether to engage with the DOJ on possible misconduct are among the most consequential and time-sensitive that a governing board may be called upon to make—and it should take some meaningful steps in the near term to be prepared to do so if circumstances arise. The board and its counsel will need to heavily weigh these decisions, which the DOJ says it appreciates.

4. Companies should be highly motivated to assure the effectiveness of their corporate compliance plans in general, and to manage risks and incentivize ethical employee behavior in particular, as a means of demonstrating their good faith efforts to address corporate fraud.

5. When it comes to cooperating with the government, timing is everything. As DOJ leadership has made clear, companies seeking cooperation credit need to come forward and disclose important evidence to the DOJ quickly. Both companies and prosecutors evaluating those companies will now be “on the clock.” An undue or intentional delay in providing information and documents will result in a reduction or outright denial of cooperation credit.

Planning for what leaders never want to happen (e.g., indications of material corporate misconduct) is not going to be a popular board education choice. But in the current enhanced corporate responsibility environment, it may be the smart play from a board perspective.

Michael W. Peregrine is a partner in the Chicago office of McDermott Will & Emery. His views do not necessarily represent the views of McDermott Will & Emery or its clients. He thanks his partner, Sarah Walters, for her assistance in preparing this post.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Protect Your Company From Digital Assassination

Six actions to make sure you’re ready when—not if—a cyberattack strikes.

“Beginning today, all passwords must include sign language, thumb fingerprints, and animal noises,” read a sign in a corporate office I visited recently. Unfortunately, contemporary cyber challenges extend way beyond password protection.

Among the most costly and troublesome matters facing boards today are crises created by cyberattacks and hacks.

As the Wall Street Journal noted in September, “Cybersecurity has emerged as a key business risk that threatens firms’ ability to operate or even survive, and boards face increasing pressure to ensure that cybersecurity risks are effectively managed.”

Cyberattacks cause data, privacy, and financial issues, and countless organizations are just not prepared for the cost, operational, and reputational reach of these disruptions, nor for the C-suite time and resources drained in addressing the cyber crisis.

“If it were measured as a country, then cybercrime—which is predicted to inflict damages totaling $6 trillion globally in 2021—would be the world’s third-largest economy after the United States and China,” reported Cybersecurity Magazine. Estimates suggest global losses could hit $10 trillion by 2025.

Cyber crisis response—before, during, and in the aftermath—demands innovative thinking, new skills, and contrasting approaches that match the breadth, depth, magnitude, and speed of today’s online world.

Much is revealed about leadership in moments of crisis. In the event of a cyberattack, companies must quickly determine what’s going on and how to neutralize it—and at the same time preserve corporate brand and reputation, employee morale, equity value, and sales. It requires grace under pressure and transparency. Those ill prepared will suffer far more than 15 minutes of global shame.

As former president Ronald Reagan said, “The greatest leader is not necessarily the one who does the greatest things. He is the one that gets people to do the greatest things.”

Understanding the Impact

There are three basic sources of digital attacks. All have reputational considerations and consequences.

Outside attacks. Crime syndicates or state actors; overseas competitors seeking theft or destruction; as well as ransom, extortion, retaliation, or denial of service.

Reputation attacks. Against brands, operations, or issues from activists or trolls seeking to disrupt; digital attacks on leaders or board members; an operational mistake, compounded by inept fact gathering and communications.

Internal attacks. Carelessness or intentional leaks by current, disgruntled, or former employees seeking retaliation for work issues, commercial espionage, or financial gain.

Our firm repeatedly sees that companies underestimate internal attacks. When law enforcement investigates cybercrime, they look inside first.

Are you prepared for a two-hour digital day?

Cyberattacks are a form of terrorism, and these disruptions drive fear and uncertainty and unsettle trust. During a cyberattack, constituents need assurance that the crisis is being skillfully overseen, and the organization’s leaders need to communicate at every level to face and direct change.

Speaking in Europe before two groups of board chairs and CEOs, I said, “In the face of today’s black swan events, last year’s thinking and crisis plans are ineffective and should be dragged into the trash icon. They will not be effective in today’s digital world.”

Cyberattacks do not usually occur during normal business hours. They happen at night, on weekends, or on holidays when companies have limited resources to deploy. Many would be surprised how few companies are prepared or trained for that scenario.

In my coauthored book, Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks, we established a standard digital response process, as well as response time for digital harm of eight hours.

Today, that concept is crucial, as speed and magnitude have dramatically accelerated. We now face a two-hour digital day.

When assassins mount a public assault—something that must be acknowledged or answered—you really only have one or two hours for an initial response, as posts turn viral in today’s instant, mobile environment.

Countless corporate cultures and leaders, and notably their advisors, are simply not organized to operate at this warp digital speed.

Six Actions to Minimize the Impact of Cyberattacks

In addition to understanding these new dimensions of time, to minimize the impact of a cyber crisis and respond effectively, there are six effective actions that corporate boards and management should follow.

Who’s the boss? Appoint a C-suite executive to lead and train a company cyber-crisis SWAT team. Its mission is simple: be available to immediately respond to a cyber crisis 24/7/365. This team should predetermine obvious cyber-crisis scenarios and responses based on company industry and geography. It should include leadership from communications, human resources, investor relations, information technology (IT), marketing, legal, operations, and sales. Outside resources should have broad experience in these areas and cybersecurity.

Reach out and touch someone. Not only are cyber jobs in high demand, but like most areas, there is a massive talent shortage. The Wall Street Journal noted in December that the cybersecurity talent gap grew by 26.2 percent over the past year, to around 3.4 million unfilled jobs worldwide.

Companies should align with a university that offers a major cybersecurity curriculum—through donations, participation, and research—to continually attract top talent and be on top of trends. In addition, encourage IT team members to participate in professional organizations that provide best practices, papers, and seminars on cybersecurity and report back about changing and trending issues.

Practice makes perfect. Perhaps the most important thing a company can do is conduct a tabletop exercise, led by independent professionals with broad experience in cyber crises. This exercise can identify weakness in command structure, knowledge of internal processes, and the complex and considerable impact of external forces brought on by the crisis. Unfortunately, many organizations focus only on the IT component, not how an attack will affect various constituents, as well as what and how you need to communicate.

Planning for cyberattacks and crises should include the CEO, chief financial officer, chief counsel, and the cyber-crisis SWAT team as noted above. Most who participate in these drills come away chastened, but confident that they are more prepared for an actual attack.

Vanquish evolving challenges. As Michael Bodson, who recently retired as president and CEO of DTCC, a global leader in financial markets, said, “It’s not just about stealing anymore. Concern and focus of boards and management today is to oversee and deploy resources not only to deflect nuisance hackers, but much more importantly, be prepared and defeat a new cybercriminal element, partnering with rogue nations, trying to disrupt economies and commerce, as well as create disorder.”

Another CEO interviewed noted, “No matter what the technology glitch, keep everyone away from the IT people. They do not need others looking over their shoulder asking, ‘What’s happening?’ while they are trying to fix the issue.”

Find a cloud to hide us. Like all business insurance, cyber insurance costs are skyrocketing and becoming more restrictive.

“Cyberattacks are on the rise in all industries, so cyber insurance must be a critical component of any corporate plan,” said Christopher Keegan, cyber and technology national practice leader at Brown & Brown, an insurance brokerage firm. “With an expert internal team and seasoned independent advisors, C-suites and boards must develop a clear understanding of how, to what extent—and for how long—cyberattacks or hacks could impact company operations. Another consideration is what level of insurance will efficiently minimize the financial impact from the most impactful attacks. Not so easy, as risk is ever-changing.”

Insurers will want in-depth information about company cyber policies and procedures. Businesses that can’t satisfy this greater level of scrutiny could face higher premiums and be offered limited coverage or refused coverage altogether.

And just to throw a monkey wrench into the insurance mix, Lloyd’s of London, the world’s leading insurance market, announced that after March 2023, it will not cover most state-sponsored cyberattacks.

Send in the lawyers. “Successful cyber-crisis planning is critical and interdisciplinary. One key ingredient is legal counsel as the company responds to a crisis and effectuates a multi-pronged response across the C-suite and other key sectors,” noted John Cleary, privacy litigation group chair at the law firm Polsinelli. “Particularly in cybersecurity, advance legal input, well before any incident, is essential to help a company adhere to regulatory requirements and legal standards, as well as ensure proper risk management to define customer, counterparty relationships and obligations.

“When a cyber crisis hits, the legal team should be deployed in key areas: confidential analysis of legal issues and potential exposures, liaison with law enforcement, regulators, and review of needed communications,” Cleary concluded.

Don’t Stop Thinking About Tomorrow

Cyberattacks are damaging, penetrating, and now frequent.

Attacks so far have been on single companies. But what happens when we have a multi-company or multi-industry attack on infrastructure, technology, or finance and big enterprises go down?

The cascading effect and disruption to people’s lives, the economy, and the business could be devastating. That’s why we must be continually knowledgeable and vigilant for our companies, as well as our personal lives.

Richard Torrenzano is chief executive of The Torrenzano Group, a reputation and high-stakes issues management firm. For nearly a decade, he was a member of the New York Stock Exchange management (policy) and executive (operations) committees.


Disclosing the Business, Operational, and Financial Impacts of Cyber Risk

In March 2022, the US Securities and Exchange Commission (SEC) proposed a new rule on cyber-risk management, strategy, governance, and incident disclosure. It is as multifaceted as it sounds, and it would require certain SEC registrants to report material incidents within four business days and to make a number of disclosures pertaining to cybersecurity incidents, protocols, and risk management strategies. The proposed rule is a response to the ongoing risk cyber threats pose to public companies and their stakeholders. In January 2023, it entered the SEC’s final rule stage.

The new rule emphasizes materiality: the relationship between cyber threats and an organization’s business, financial, and operational exposures. Compliance with the rule will mean navigating a new treatment of cyber risk: expressing these risks in business terms rather than applying the technical focus, which is the current convention. Leaders will want to determine whether the people, processes, and technology underpinning their cybersecurity ecosystems today are equipped to consider cyber risk in nontechnical terms once this rule takes effect.

Cybersecurity ecosystems grew organically as organizations needed to focus on threats. Now, these ecosystems must evolve to meet new transparency and materiality requirements. Organizations will have to articulate the processes by which they determine materiality and consider how boards will determine—in four business days—which incidents require disclosure. The upside? A business perspective is a more effective basis for prioritizing potential threats and strategizing to manage risk than a technical perspective ever could be.

Summary of Requirements

A recent analysis outlined the SEC’s new requirements (which are summarized below):

Report material cybersecurity incidents within four business days of detection and provide periodic updates on previously reported cybersecurity incidents.

Report cybersecurity incidents that have become material in the aggregate.

Disclose the policies and procedures by which the organization identifies and manages cybersecurity risks.

Report the extent to which the organization engages third parties in its cyber-risk assessments, and the policies and procedures by which the organization oversees and identifies cyber risks associated with its use of third-party service providers.

Disclose the organization’s business continuity, contingency, and recovery plans.

Disclose how cyber risks are considered as part of the organization’s business strategy, financial planning, and capital allocation.

Disclose the board’s oversight of cyber risk, as well as management’s role—and expertise in—assessing and managing cyber risk and implementing cybersecurity policies and procedures.

Report both annually and with certain proxy disclosures whether any member of the board possesses cybersecurity expertise.

Cyberattacks will negatively impact stock prices, as well as short- and long-term shareholder value. Some attacks have been severe enough to put companies out of business. The SEC enumerated examples of costs and damage that can stem from material cybersecurity incidents:

Business interruption, decreased production, delayed product launches;

Ransom and extortion demands;

Remediation costs related to liability for stolen data, repairing system damage, and incentivizing customers and partners to maintain relationships after an attack;

Increased cybersecurity protection costs such as higher insurance premiums and additional cybersecurity staff and technologies;

Lost revenue when intellectual property is stolen and used in an unauthorized way;

Litigation and regulatory actions;

Harm to stakeholders, violations of privacy laws, and reputational damage; and

Erosion of the organization’s competitiveness, stock price, and long-term shareholder value.

A Shift in Perspective

With this new rule, the SEC is compelling certain registrants to consider cyber risk as business risk and to express the risk to investors in business terms. The rule benefits registrants too: boards will view cyber risk through a business lens and apply the resulting insights to mitigating risk. By keeping materiality top of mind, boards can make smarter cybersecurity investments, enacting controls and techniques to reduce risks associated with potential incidents.

Cybersecurity reporting has traditionally expressed risks as high, medium, or low, and measured effectiveness by quantifying blocked threats. New cybersecurity reporting will focus on material impacts in business, operational, and financial terms; for example, “Every day the plant is inoperative, we lose $1 billion. If a cyberattack costs us seven days’ production, we lose $7 billion.” This reporting will expose the threats that would do the most harm and describe how those threats would be suppressed. These are terms upon which boards, investors, and insurers can base decisions about risk controls and risk transfer. New cybersecurity reporting, therefore, helps determine where to direct cybersecurity investments, as well as how to optimize cybersecurity measures.

Technology changes quickly and cyber threats do, too. No control remains effective forever. That’s why controls must be as dynamic as the technologies they protect and the threats they protect against. Static analyses of today’s risk are less helpful than establishing a regular flow of information to the board that supports cybersecurity investment decisions based on business, operational, and financial considerations. With the board’s eyes kept regularly on cybersecurity as an aspect of routine governance, directors will be equipped to comply with the SEC’s new requirements.

Terry Jost is managing director of global security and privacy segment leader at Protiviti.

Chris Hetner is special advisor for cyber risk at NACD and prior senior cybersecurity advisor to the SEC chair.


Getting Started: Private Company Compensation Committees

While the work of public company compensation committees is well understood and receives considerable investor attention, the same cannot be said for private company compensation committees. Most private company boards don’t use standing subcommittees, so the owners lack the point of view of public company directors experienced in this type of work.

For most private companies, setting executive compensation is an annual exercise that is less than optimized. Whether it is due to economic constraints or personal friendships, some important discussions just don’t happen often enough, if at all. If a private company board intends to start a formal compensation committee, here are some important questions to consider.

How do the base pay, annual bonus, and long-term incentives align with the company’s strategic plan and market realities? Most private companies have well-established routines for addressing compensation. Since leadership tends to be stable, the decision-making behaviors and unspoken metrics are known. During economic booms, compensation discussions tend to revolve around the question, “Are we at risk of losing executives?” During moderate times the question leans toward, “Is the pay fair for what the executives are doing?” In a downturn, the thinking is more, “How can we afford to compensate executives?”

Performance reviews at private companies are often summaries, not data-rich exercises. They are also likely to be siloed, and not viewed in terms of the overarching goals of the organization. My experience suggests that the board can improve these areas by asking the following questions:

How has the individual’s performance driven success to achieve strategic goals?

Is the individual a good fit for the role they are in both today and in the future?

How does the individual exemplify the values and culture we aspire to demonstrate?

Looking at this triad of criteria sets the stage for a better evaluation of how impactful the organization’s leaders are in achieving ownership objectives, and therefore how to compensate them for their impact.

Does the company have the right data for benchmarking? Most private companies have access to limited compensation data. Their trade associations often provide compensation data specific to their industry, but I have found such reports to have limitations. They are indicative but not sufficiently informative. Often, there are not enough data to have confidence in what the numbers are saying. When you ask about location adjustments or niche adjustments, there isn’t sufficient information and you need to interpolate to form an opinion. Public companies have an advantage in that their data are rich and plentiful in comparison.

Private companies may be reluctant to pay for something that is often seen as not having enough utility (“but we only use it once a year”), hindering access to higher-quality data insights. There are many high-quality compensation consultants who can help, but they are a greater expense than the data. So, owners do without it—at the expense of more appropriate and competitive executive compensation.

How does the company deal with underperformers that can’t be easily replaced? Private companies tend to have smaller and less well-developed management teams than public companies do. Executive turnover tends to be lower for many reasons. Personal loyalty and relationships tend to be stronger since there is no public market pressure for performance.

If a senior executive isn’t cutting it, but is not easily replaced, how much risk do you want to take in transitioning to a new player? What is the value of “the devil you know” versus going to the open market? While there is value in organizational stability, what is the cost of condoning unacceptable performance? If the problem includes objectionable behaviors, the cost could be more than you think. These types of concerns often prevent needed change.

How much should the company let loyalty overrule merit? As the saying goes, if you are making money, the bank is happy, and if you are paying your taxes, you can do what you want at a private company. If the management team has been together for a long time, personal friendships can get in the way of evaluating and acting upon poor performance. How are you going to balance the conflicts?

Instances of executive underperformance and excessive loyalty are typically well-known throughout the ranks of the business. A decision to accept these shortcomings tells the staff what the real culture is, what gets rewarded, and what negative behaviors are tolerated, at least for the lucky few.

How aggressively should the company set goals? Maybe more critically, should there be any leniency if the company doesn’t make the goals? For a private company, if the owners are happy with the business results, then they are good enough. If there is no outside pressure, then there tends to be incentive to reward people even when they don’t reach their goals (the “let’s be nice” syndrome).

This is where outside directors can help the owners and managers balance conflicts. The outsiders should not have these biases and know they have been engaged to provide clear-eyed perspectives on what is best for the business. The outside directors, and the board as a whole, need to serve as a compass through these difficult decisions.

Performance and compensation are issues in every organization. As the business grows, the issues become more complicated and the risks of talent flight increase. While much of the work of a compensation committee is formulaic, the bigger issues require deeper consideration. The hardest part of this work is often the judgment to balance facts and figures against emotion, relationships, and the risks and rewards that are not measured in dollars and cents.

These are the quandaries that allow board members to earn their keep.

Bruce Werner is managing director of Kona Advisors, which advises private and family-owned businesses. He has served on the boards of nonprofit and private companies.


Workforces: A “Wicked Problem” Where Boards Can Help

Over the past few years, boards have become far more sensitized to the potential for workforces to either generate incredible value or pose incredible risk depending on how they’re managed. Workforces represent a “wicked problem”—a complex array of issues underlie how they function and perform. However, there are some concrete starting points for board members to drive the right conversations to truly tackle workforce challenges.

Here are three workforce strategies that are especially relevant for boards.

Develop metrics to measure and monitor work intensity. Work intensification—where workers are asked to perform more and more units of work per single unit of time—has quietly and increasingly bedeviled workplaces for decades, culminating in the burnout epidemic and an associated labor crisis now in play. Workers in different contexts may experience work intensification differently. Warehouse workers may be asked to pack too many boxes while office workers may sit through too many meetings. But an array of academic research shows that this phenomenon can slow the business gains sought through work intensification, while creating negative health outcomes for workers. In this context, it’s critical that organizations develop concrete metrics to monitor work intensity to understand when “enough is enough” before impacts such as attrition or pervasive health issues kick in.

What a board member can do: Ask your executive team to concretely measure and consider work intensity going forward. Ask for and examine data that may give you signals that work has tipped over into excess intensity—anything from turnover in critical roles to health plan data on experienced rates of anxiety and depression.

Create a “single account of the truth” on the workforce of your organization and systems and processes to maintain it in real time. For many, many organizations, it’s a tale of two workforces: one hired with the involvement of human resources (HR) and fully managed through mainstream financial systems, and one—consisting of contract or contingent workers—often hired through procurement, managed through opaque and imprecise financial channels (for instance, workers are managed as groups and not as individuals with individual compensation), and, strikingly, frequently not interviewed by anyone. The latter group’s employee experience can also be dramatically disparate from the organizational mainstream. Deployed properly, contingent labor can be a marvelous source of agility for organizations, but managed as a second, shadowy workforce away from HR and finance’s normal channels, this group can generate meaningful amounts of financial, operational, and reputational risk.

What a board member can do: Ask finance, HR, and procurement to work in synchronization to map out, on a very basic level, who works for you and what you pay them across full-time employees and contractors alike. This critical information, missing in so many organizations, should then be recorded in real time in key technological systems. Posing questions such as, “Do we capture contingent labor in our human resources information systems?” can be extremely helpful.

Scenario plan your flexibility and location strategy against possible changes in your talent markets as well as in the way you work. Years after the seismic disruptions of 2020, organizations are continuing to find the fundamental question of “Where does our work get done?” challenging. We grapple with a constant balancing act, weighing decisions about culture and productivity against volatile markets for key talent ranging from data scientists and nurses to hourly workers across an array of roles. Thoughtful organizations are utilizing scenario planning to give themselves more options to keep work going as labor market conditions shift quickly in real time, asking themselves what will be needed to ensure business continuity. Solutions may range from more flexible real estate contracts to more broadly drawn job specifications and fluid ways of working to more varied pay practices.

What a board member can do: Initiate a conversation about key areas of workforce risk to identify whether particular roles, geographies, levels, and more are prone to turnover or talent attraction challenges. You’ll also want to discuss what market changes might cause those areas of risk to shift. The board should also understand, at a high level, all the levers of flexibility the business can utilize to keep key seats from sitting empty, examining not just the “where” (location strategy and return-to-office policy) but also the “who” (hiring different talent populations, such as formerly incarcerated people), or the “when” (Should the timing of shift work be broken up differently?). At the board level, you don’t have to be in the day-to-day weeds of the flexibility conversation, but you do want to ensure that your organization has the workforce agility to tackle whatever disruptions are coming.

Workforce challenges may be a wicked problem, but they’re not an insurmountable one. Armed with the right questions, boards can play a crucial role in ensuring that companies think intelligently about the humans they employ, creating scenarios in which both the employer and employee win.

Melissa Swift is the US transformation leader at Mercer and focuses on helping organizations transform their work and workforces. Swift is the author of Work Here Now: Think Like a Human, Build a Powerhouse Workplace, in which she details 90 strategies that organizations and teams can employ to both fuel productivity and create happier working populations.
