CISO and Director Perceptions of Each Other, and Themselves, Diverge

Few board-level topics have been as noteworthy or confusing
in recent years as cyber risk, and with it, the changing role of chief
information security officers (CISOs).

A pair of studies released in recent months, Optiv Security’s The State of the CISO and NACD’s 2019-2020 Public Company Governance Survey, provide useful insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity, and perhaps even more interestingly, how they view their work relative to how others perceive their roles.

Boards and CISOs Are Better Aligned

The stereotypical storyline of the board-CISO relationship goes
a little like this: CISOs have trouble communicating with boards due to the
difficulty of connecting cybersecurity programs to business value. As a result,
directors think of CISOs as technical personnel rather than true C-level
executives, and CISOs think board members just don’t get cybersecurity.

However, Optiv’s recent report, which surveyed 100 CISOs from the United States and another 100 from the United Kingdom, indicates that this gap in perception is narrowing considerably. Ninety-six percent of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86 percent said they are getting more funding for their programs because of this improved understanding.

Similarly, NACD’s most recent survey of directors found that 79.3 percent of board members believe their board’s understanding of cyber risk has significantly improved compared to two years ago. Only 8.7 percent indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.

There’s Still Room for Improvement

While the communication gap between CISOs and board members
appears to be narrowing, there is still a bit of a chasm when it comes to
business priorities. According to the Optiv survey, 76 percent of CISOs feel that cybersecurity has become so important in
their organizations that “CEO tracks” for CISOs will start to emerge. Seventy
percent of US respondents and 64 percent of UK respondents said that executive
leadership at their company ranks cybersecurity as their top enterprise concern,
even if it slows down business.

But NACD’s survey shows that directors are not quite on the
same page when it comes to business priorities. Only 28 percent of responding
directors said they prioritize security above all else, even if it slows down
business, and 61 percent said that
cybersecurity should not be prioritized above overall business velocity.
While these numbers undoubtedly would have been far lower just a few years ago
(before directors began scaling the cybersecurity learning curve), they indicate
that CISOs may be a bit optimistic in their view of how boards prioritize
cybersecurity.

Breach Experience Is a Resume-Builder

Perhaps the most interesting finding across the two surveys
is how CISOs and boards view CISO breach experience. It was not long ago that a
breach hitting the headlines was a career-limiting event for CISOs. Today,
there is a greater understanding from boards that breaches are often
unavoidable, and it is the response to a breach that is the true measure of a
CISO’s performance.

In Optiv’s survey, 58
percent of CISOs indicated that having breach experience on their resume increases
their chances of being considered for other CISO roles. This is a far
cry from just a few years ago, when a data breach was a “scarlet letter” on
CISO careers, and indicates a significant shift in how senior executives and
boards view CISOs and data breaches.

However, NACD’s survey suggests that CISOs are actually underestimating the value of breach experience on their career paths compared to how directors view such skills. Ninety-two percent of directors surveyed said that experiencing a breach makes a CISO candidate more attractive because they have expertise in helping companies respond to and recover from a breach incident.

The Relationship Continues to Evolve

These are only a few data points on the complicated
relationship between CISOs and their boards. However, the Optiv and NACD
surveys do reveal several important trends:

Cyber risk has become important enough that cybersecurity is a board-level business priority.

Directors are educating themselves on cybersecurity and have a much better understanding of the risks and security technology than they did just a few years ago.

CISOs are emerging from the old perception of being “technical personnel” to becoming legitimate C-level executives. The perceptions around breach experience speak to this: there’s now an understanding that no organization can stop all breaches, and the most important thing is to have an experienced hand guiding breach response and recovery efforts.

The cyber risk landscape is constantly evolving, and so shall the relationship between CISOs and boards. It will be interesting to watch how things progress in the years to come.

Mark Adams is the senior practice director of risk
transformation at Optiv.

A Blueprint for a Tech-Empowered Experienced Workforce

By 2030, the number of employees in the global workforce aged 50 to 64 is projected to increase by 15 to 30 percent. Companies thus face a critical challenge: How can they balance automation and digitalization ambitions with the growing societal demand to help ensure adequate social protection and well-being for older workers?

For example, a recent report from Marsh & McLennan shows that the issue is particularly pressing given that 50 to 80 percent of tasks done by older workers are at high risk of being replaced by new technologies.

The Imperative to Develop an Aging
Workforce Strategy

Companies often view the aging population as a multi-faceted
challenge. A rapidly aging workforce, projected increases in healthcare costs,
and a perceived shrinking talent pool are just three of the issues corporate
leaders must manage. The terms used to describe this expanding demographic
group, such as “silver tsunami,” “silver wave,” or the “grey economy,” often reflect
a negative view of this demographic shift.

In organizations’ quest for higher productivity and efficiency—via automation and digitalization or otherwise—older workers and their valuable experience are underappreciated, if not overlooked entirely. According to the World Economic Forum’s 2016 Future of Jobs report, only 4 percent of respondents planned on investing in experienced workers as part of their workforce strategy for the future, even as 65 percent reported that they planned to invest in reskilling current employees.

Reframing this demographic shift highlights that an older workforce is, in fact, an elegant solution to both a talent shortage and a loss of institutional knowledge triggered by mass retirement. Further, with the expansion of the longevity economy, denoting economic activity driven by those aged 50 and above, retaining older workers ensures that companies understand this new market and stay relevant in it.

The question, then, is no longer about why companies should
value and retain older workers, but how companies can build a comprehensive
strategy around these workers. Three key steps can help organizations as they
begin building this strategy:

1. A Change in Mentality

The first step to building an older worker strategy is to
recognize the value that older workers bring to an organization, namely their extensive
experience and rich industry knowledge. Reframing “older workers” as
“experienced workers” puts a focus on these qualities. This shift goes beyond
the semantics—it precipitates a change in perspective away from the popular
misconceptions of experienced workers as being more costly, less productive, and
less able to learn new technologies. Indeed, research has shown that experienced
workers have many of the qualities that will be in high demand moving forward,
such as verbal and social skills, industry experience, innovative thinking,
maturity, emotional stability, and good judgment in decision-making.

Tapping into the experienced workforce can also help address rising concerns of a shortfall in talent. More than 70 percent of executives predict significant industry disruption in the next three years, citing talent migration as their main concern among the socioeconomic forces.

2. Tech Integration Rather Than
Substitution

Companies today face mounting pressure to constantly
innovate and maintain a competitive edge. In the quest for greater productivity
and efficiency, companies will need to effectively deploy new technologies and
digitalize. It would be a mistake, though, to assume this process is antithetical
to retaining experienced workers.

Consider the prospect of achieving a healthy balance between experienced workers and technology: Here, robots and humans would coexist and complement each other at work, as opposed to robots replacing the existing workforce. Such a balance is already being struck in Germany at BMW’s largest European factory, where experienced workers work alongside tabletop robots that assist them in repetitive or physically demanding tasks. The company adopted this combination of robots and humans in response to the increased demand for customization and individualization, which requires a more sophisticated human approach rather than a fully automated process.

Such a balance can only be achieved through a carefully
planned process of integrating technology into the workforce, which involves
redesigning both jobs and talent models.

Job Redesign: Technology
is an enabler for change. Executives should begin by identifying the goals they
want to achieve before leveraging technology to enable them to happen. Job
redesign and augmentation will then require breaking down these goals into
smaller tasks to determine the most appropriate combination of automation and
human skills based on technology implementation.

Job redesign also entails looking at what conditions are
needed to best support experienced workers in adapting to these technologically
enhanced jobs. Analyzing the tasks in each job, for example, can illustrate
where investments are needed to provide experienced workers with the skills to
succeed in jobs that are revised or altogether new.

Talent Model Redesign:
Organizations also need to explore new and innovative talent models, both to
optimize costs and to offer a more attractive employee value proposition for
experienced workers. For example, the rise of the gig economy has brought much
flexibility and mobility to the workplace and has presented itself as a
candidate for the talent model of the future.

The attractiveness of a gig economy model, however, is hampered by structural drawbacks such as the lack of benefits and career development for gig workers, making the arrangement unsustainable in the long run for the experienced workforce. Redesigning talent models will thus require overcoming such challenges, not only in the gig economy but also in other new employment arrangements.

3. An Inclusive Culture

While job and talent model redesign are critical to fully
leveraging a future-ready experienced workforce, they are not enough. These
procedural elements must be complemented by an inclusive organizational culture
that values experienced workers. This requires companies to have a clear
vision, robust stewardship, effective communication and strong accountability
from both the leadership and the board, and finally, a strong suite of
age-friendly policies implemented across the organization.

Given the parallel trends of aging and automation, forward-looking companies should look to fundamentally integrate technology into their business models while at the same time empowering their experienced workforce. Societal pressure to take care of experienced workers aside, achieving optimal growth requires that corporations refresh their workforce strategy to include the experienced workforce in the future of work.

Leslie Chacko is a managing director at Marsh & McLennan Cos. and focuses on the impacts and application of digital and emerging technologies. He was a coauthor of the recent NACD and Marsh & McLennan report Governing Digital Transformation and Emerging Technologies. Patty Sung, principal at Mercer, is one of the founding members of Mercer’s Innovation Hub, based in Washington, DC.

To learn more, see the Marsh & McLennan’s report The Twin Trends of Aging and Automation: Leveraging a Tech-Empowered Experienced Workforce at MMC.com.

Auditors Can Help Directors Cope with the Changing Information Landscape

Throughout my career, I’ve been
fortunate to have worked in the capital markets at some pretty interesting times:
as a lawyer in Silicon Valley during the late-‘90s dot-com boom, at the US Securities
and Exchange Commission just after the passage of the Sarbanes-Oxley Act of
2002, and at Citigroup as it emerged from the financial crisis of 2007 to 2009.

As of this posting, I’ve been at the
Center for Audit Quality (CAQ) for just over seven months. And this position is
yet another example of my being in an interesting place at an interesting time.
Why? I see three reasons:

Technology. Technology and data have given rise to unprecedented business models and company structures. We continue to shift to a service- and IP-based economy, where the massive amount of data generated is now an enterprise asset.

Information Beyond the Financials. Stakeholders have an increased interest in and are relying on company-reported information outside of the audited financial statements prepared in accordance with Generally Accepted Accounting Principles (GAAP). This information could include non-GAAP financial measures; key performance indicators such as the sales pipeline; intangible indicators of value not included in the historical financial statements, such as a company’s brand and intellectual property; environmental, social, and governance (ESG) metrics; and cyber-risk management or other types of enterprise risk management disclosures.

Timeliness of Information. This refers to two concepts: First, as we all know, unaudited company earnings releases and analyst presentations are more likely to move markets than the annual release of audited financial statements. Second, the news cycle operates at rapid speed, and a negative news story—accurate or not—can spread quickly and destroy trust and reputations in a flash.

The Role of Auditors: Present and Future

Although I am not a certified public
accountant, my experiences in the capital markets have ingrained in me a deep
appreciation for the audit profession’s purpose and value.

I often say that the public-company auditing
profession is one of those “assumed” or unremarked-upon institutions in the
capital market system. The profession largely operates behind the scenes, and
people tend not to notice when things are going right.

Yet there is so much taking place behind the scenes, and there is also so much that is going right for this profession. Every day, auditors contribute to high-quality, reliable financial statements, which many have referred to as the bedrock of our capital markets system. Auditors do this by reviewing a company’s financials and internal controls; by serving as an independent check on management and as a resource for audit committees; and by bringing their critical thinking, standards-based analytical skills, and skepticism to those complex areas of the financials, such as fair value. The state of audit quality today is high, thanks in no small part to the profession’s enormous efforts to maintain trust and continuously strive to improve.

The health and stability of the US
capital markets depend on consistent, reliable, and comparable information. But
much of the company-reported information I referred to above—on which
stakeholders are relying—does not go through the rigor of independent third-party
assurance.

At the CAQ, we believe auditors can
help fill these existing and growing gaps in assured information. It’s a
natural evolution for a profession with unique competencies in standards-based
analysis, objectivity, professional skepticism, and critical thinking. Auditors
can enhance confidence in areas such as:

ESG Reporting. Depending on the particular industry, public companies are increasingly issuing stand-alone ESG reports or including ESG metrics and indicators such as gender and/or minority pay gap statistics, greenhouse gas emissions, or other risks to the sustainability of the business in public-facing filings or documents. This information typically is not subject to an independent assessment. Boards should know that auditors can be engaged to perform an attestation of a company’s ESG information.

Cybersecurity. Boards should also be aware of the American Institute of CPAs’ cybersecurity risk management reporting framework, SOC for Cybersecurity. According to the CAQ’s Cybersecurity Risk Management Oversight tool, organizations can use the framework to “communicate pertinent information regarding their cybersecurity risk management efforts and educate stakeholders about the systems, processes, and controls they have in place to detect, prevent, and respond to breaches.” The reporting framework also “enables CPAs to examine and report on management-prepared cybersecurity information.”

Learn More: To help directors and other market participants get a handle on this evolving environment, the CAQ has released a new resource, The Role of Auditors in Company-Prepared Information: Present and Future. In clear terms, the paper delineates where the auditor’s role begins and ends today in the context of the audit of financial statements. It also highlights the need for the auditor’s role to evolve for the benefit of stakeholders, public company board members, company management, and the markets.

Of course, expanding the auditor’s role
will not happen overnight, and it won’t occur without considerable effort and
dialogue. My CAQ colleagues and others in the auditing profession look forward
to engaging in this dialogue with all of the stakeholders in our capital
markets system, especially our friends in the director community.

We are fortunate to find ourselves
in interesting times. Let’s prepare ourselves now to make the most of them.

Julie Bell Lindsay is the executive director of the Center for Audit Quality.

Zooming in On the Personalization Minefield

Think about your own online shopping experiences or the
content recommendations on your favorite app—the more tailored it is to your
needs, the better your experience is.

A personalized customer experience is becoming a differentiator
for all kinds of organizations to achieve higher customer satisfaction,
increased engagement, and stronger brand loyalty. With the abundance of choices
that consumers face for every little decision, brands that can help customers
easily find what they need or might enjoy will thrive.

According to Forrester Research, in 2016, 89 percent of digital businesses reported spending money on personalization, but only 40 percent of consumers think that what they get matches their unique preferences.

Delivering personalized, one-to-one experiences at scale
requires oversight of data, technology, and talent. Boards must probe the multiple
underlying issues raised by personalization such as avoiding popularity biases,
and how data about the evolving intent of customers will be captured and stored.
Furthermore, boards should have management explain how they have thought
through data privacy: The transparent and responsible use of data is important
to building and maintaining trust with customers.

As the strategic imperative of personalized experiences
grows, here are key principles that board members should keep in mind in their
oversight:

Real-time and one-to-one experiences. With machine learning, customer experiences are moving from being persona- and segment-based (relying on factors such as demographics and general interests) to being truly individual and one-to-one.

As more and more experiences become digital, organizations
of all kinds stand to benefit greatly by creating and delivering relevant
experiences for their customers—be it in online retail, in-flight
entertainment, or personal finance. Being able to combine real-time user
activity with what is already known about the customer and products is crucial to
delivering relevant experiences. Being able to capture in real time how a
specific user is evaluating a product online, such as zooming in to see certain
details, may allow the seller to suggest a different product.

These insights can help your organization tailor recommendations to specific customers and suggest similar products, and machine learning can enable you to do this at scale across billions of interactions. As board members, you should ask management for a long-term technology strategy and roadmap that identifies which customer interactions stand to benefit from individual personalization. It is also essential to ask management to evaluate how well the company knows its customers today. Boards should question: What are the different data sources that the company has access to, and are there any data gaps that would prevent the company from building a comprehensive understanding of their customers’ preferences? It’s also crucial to evaluate whether or not the organization has the right skills in its workforce for a successful rollout of a personalization strategy.

Personalization across
every touchpoint. Brands are increasingly recognizing that personalization throughout
the customer journey is intrinsic to building strong loyalty. Delivering
relevant marketing and customer care experiences up to the last mile can enable
your business to build a flywheel—where every stage of the personalized customer
journey feeds the other. For example, understanding what products or offerings
are driving engagement in a promotional email can subsequently help serve a
more personalized online retail experience.

Just addressing customers by their first names in promotional emails or sending marketing communications based on broad personas is hardly going to cut it. Every such engagement is an opportunity for the brand to deliver meaningful, customized experiences. As board members, ensure that management—especially those in marketing and customer care—is appropriately skilled to build an individual personalization strategy for communication across all points of interaction, be it in-app messages and notifications, interacting with a chat-bot, or a promotional email. Personalized communication means delivering tailored messages, product recommendations, offers, and discounts. Doing this at scale requires a long-term data and machine learning strategy. Directors should ask management to explain what disciplines are included in the personalization project, possibly setting up a cross-functional team that spans product development, marketing, and customer care along with data science and machine learning experts.

Omni-channel
interactions and strategy. Most customers interact with businesses across
multiple channels: mobile, web, and with various technological devices.
Consumers expect a consistent experience every time they engage with your brand.

When building a machine learning-driven personalization
strategy, ensure that management is taking a holistic look to bring together
these various pieces of data in one place. This is true not only for data from past
activity but also for real-time interactions: If a user is searching for a
product on a website and then continues on to a mobile app, it is important to factor
in the recent web activity to decide what the experience on the mobile app
should be. Building a true omni-channel personalization experience requires a
strategic focus. When overseeing management, prompt them to consider a
personalization strategy that can be applied equally across every channel that interacts
with customers.

Praveen Maloo is the
senior product marketing manager for Amazon Web Services AI and Machine
Learning.

In 2020, Directors Worry About Balancing Economic Downturn, Business-Model Disruption

The 2019-2020 NACD Public Company Governance Survey, released this week, received responses from over 500 public-company directors to more than 80 survey questions. The questions discussed the trends most likely to impact organizations over the next year; areas in which boards would like to improve; the size, shape, and structure of boards and committees; and oversight of key areas of focus for the board, including strategy formulation, enterprise risk, cyber risk, human capital, compliance, and environmental, social, and governance (ESG) issues.

Overall, the survey results show that in the year ahead,
boards face two conundrums: navigating a disruptive operating environment while
preparing for a slowdown, and pushing forward with digital innovation while pausing
to ensure a secure cyber environment. Directors also report important progress
in two emerging areas of oversight: human capital and ESG risk.

Public companies face
a conundrum navigating two divergent business forces.

Directors identify growing business-model disruptions (52
percent) and a slowing global economy (51 percent) as the trends most likely to
impact their organizations over the next 12 months. While not contradictory,
these divergent trends create a challenge for many public companies: how to
balance a growth and disruption mindset to stave off competition while
preparing for the impact of a potential recession.

More proactive and continuous board involvement in shaping strategy may be needed to navigate this conundrum. This includes recognizing the potential need for more frequent course corrections as conditions change. Boards should also work with management to create a shared short- and long-term picture to understand where the markets, industry, and competition are heading and what that means for strategy and growth prospects. Tools and tactics to do so can be found in the NACD Blue Ribbon Commission reports on preparing for the future and on adaptive governance.

Public companies must
also confront growing friction between the need to digitally innovate and the
effective management of cyber risks.

Companies have no shortage of opportunities to adopt
emerging technologies in order to buttress their growth and respond to
disruptive competitors. However, new technologies also come with risk,
increasing opportunities for cyber-attackers and heightening exposure to
data-privacy missteps. Boards must work with management teams to reconcile the
need to transform themselves digitally with the need to ensure underlying data
assets are properly secured. Sixty-one percent of directors report that they
would be willing to compromise on cybersecurity to achieve business objectives,
while 28 percent prioritize cybersecurity above all else.

Directors and boards can turn to the NACD Director’s Handbook on Cyber-Risk Oversight to enhance their oversight practices and to the NACD report Governing Digital Transformation and Emerging Technologies to help ensure that the right balance between the two needs is maintained.

Board oversight of human capital is maturing.

Most directors (77 percent) are comfortable with their
board’s oversight of current and future talent needs, although just 43 percent said
they have reviewed charters to ensure that talent oversight responsibilities
are effectively allocated across the board. Additionally, only 34 percent responded
that their boards have set clear expectations for what they require from
management to effectively oversee human capital risk.

To address this issue, boards could expand the discussion of human capital strategy and risk to ensure that it aligns with the overall strategy development process. They should consider updating their governance guidelines and committee charters to formalize human capital oversight responsibilities, as well as consider expanding the set of voices reporting on talent issues to include the information technology, audit, and operating business units. NACD’s recent report Board Oversight of Human Capital Strategy and Risks provides boards with actionable guidance on how to improve their oversight of human capital.

ESG is becoming commonplace in the boardroom, though more work remains.

Nearly 80 percent of public-company boards now engage on environmental, social, and governance (ESG) issues in some meaningful way, according to the directors surveyed. Most focus on ensuring links to strategy and risk. Discussions with investors often center on elements of the “S” in ESG, with an emphasis on human capital (65 percent) and diversity (74 percent).

To provide effective oversight, boards need to ensure a common definition of ESG across the organization. This definition should be used by management to identify and prioritize ESG risks and opportunities, and it should be presented to the board in the context of the company’s strategy. Guidance is available in NACD’s handbook Oversight of Corporate Sustainability Activities.

Learn more in the full report. In addition to more on these findings, the full report contains data and insights on board size and structure, types and size of committees, board refreshment, and enterprise risk and compliance oversight. All six oversight topics have rich dashboards to show the current state of board oversight in these areas.

Keeping Up with Breaches: What Your Board Can Learn from Proxy Disclosures

High-profile breaches make the news far too often, ones that
compromise hundreds of millions of people’s data and that cost organizations
millions of dollars. Many companies that have been hit are still working to recover
from reputational and financial damages, months and even years later.

Looking beyond the big headlines, though, your board can
find valuable information on cybersecurity in those companies’ proxy
statements.

In 2018, the Securities and Exchange Commission (SEC) issued updated interpretive guidance to help public companies draft their cybersecurity disclosures. The guidance encourages companies to be more transparent on their cybersecurity risks and incident disclosures, including disclosing the board’s role in overseeing cybersecurity risk. But if you look at most companies’ proxy statements, their disclosures don’t really say much. In fact, they often include only a sentence or two with boilerplate language that simply states that their board or one of its committees oversees risks related to cybersecurity.

On the other hand, when you look at the proxies of some companies that have successfully managed to make it through a breach, there’s usually a noticeable difference. They are more transparent about their board’s cybersecurity oversight. Their disclosures are also more robust, spelling out in more detail what their boards are doing to get a better handle on cybersecurity.

Here are some of the things such companies are doing—and that your board can do as well to strengthen your cybersecurity policies and procedures:

Having “private sessions” with the chief information security officer (CISO) or chief information officer (CIO). Private sessions have historically been used by the audit committee to hear from someone leading a significant risk area of the company without senior management in the room. Having a similar private session with the CISO or CIO provides an opportunity to have candid and confidential conversations, to clarify matters discussed in previous committee meetings, and to talk about sensitive topics like key risks and the adequacy of the cyber budget and resources.

Hearing directly from third parties about the company’s security programs. Many companies are using third parties to perform cyber readiness assessments, penetration testing, breach table-top crisis simulations, and other support exercises around cybersecurity. While these third parties are generally hired by management, they can also present their findings or points of view to the full board or the committee responsible for overseeing cybersecurity. This provides an “outside-in” perspective on the company’s security program.

Leveraging internal audit to test aspects of cybersecurity-related internal controls. Companies can use internal audit for independent testing of certain aspects of their cyber risk program. For example, internal audit can look at internal controls around user access control management, security controls, third-party vendor management, security exceptions, exception approvals, and the monitoring of expired exceptions. Internal audit can also follow up on both the results of penetration testing and suggestions for improvement.

Paying particular attention to the company’s cybersecurity crisis plans. Most companies have accepted that they will have to deal with a cyber breach at some point, so it’s crucial to have a response and recovery plan. Boards who have dealt with breaches are disclosing their active participation in overseeing those plans.

Including cyber oversight as part of their discussions related to company strategy. Being proactive and focusing on cyber risk at the strategy stage is also critical—either related to ongoing businesses or the company’s focus on adopting emerging technologies in new business areas. Noting in disclosures that the board is incorporating cyber risk into its strategy discussions indicates that it is getting ahead of the risk and not leaving it as an afterthought.

Specifying the number of times per year the board is briefed on the threat environment and the company’s progress in addressing cyber risks. Briefings seem to be happening on average about twice a year, with certain industries indicating that they are getting briefings quarterly. More broadly, some companies are disclosing how they are staying educated related to cyber risk, either by noting annual board training or by discussing the addition of directors with specific cybersecurity expertise to the board.

Companies that have gone through a cyber crisis have experienced the process from start to finish, and they have recognized the need to be more transparent in their disclosures about the board’s role. If you haven’t been through a crisis, it can be helpful to look at such companies’ disclosures. There’s a lot you can learn. At a minimum, you can think about whether your board should be doing the same things, and if you are doing these things already, you might want to enhance your disclosures to show that you’re taking the right steps should your company be hit with a breach.

While there may not be many of the more robust disclosures
out there just yet, I believe we’ll start to see more in the future—not only
because the likelihood of companies being attacked is constantly on the rise but
also because boards will continue to be in the spotlight as cybersecurity oversight
evolves.

Directors Discuss the Implications of AI for the Workforce

Ready or not, artificial intelligence (AI) is already
permeating the business world, posing a host of opportunities and—if AI isn’t
approached intelligently—an accompanying host of risks. AI’s lure may be in its
capacity to collect and learn from data, which is indeed revolutionary, but AI’s
implications extend well beyond having the right data at the right time and
deploying it well.

NACD, in partnership with Grant Thornton, hosted an October 29 roundtable discussion in Naples, Florida for directors wanting to better understand the implications of this rapidly expanding technology and the board’s role overseeing how it is implemented and managed within an organization. Over the next two weeks, the NACD BoardTalk blog will feature highlights from this discussion.

Nichole Jordan, Grant Thornton’s national managing partner of
markets, clients, and industry, led the conversation by breaking down the
concept of AI into three questions boards should consider:

What is our understanding of our company’s digital transformation strategy?

Are we leveraging technology for our board work?

How is our company staying ahead of regulations?

A digital transformation strategy hinges on the people that a company has to deliver on that strategy, according to Jordan, and AI can be a differentiator in a marketplace clamoring to attract and retain top talent. For example, some companies are using artificial emotional intelligence to monitor employee engagement and to make better-informed decisions and better drive business value.

In the financial services industry, for instance, the responsible
company must pay financial penalties when trading errors occur, but these
errors are common—and understandable—because the people responsible for
executing trades are constantly operating under high-stress conditions.
Innovations in wearable technology could be used to notify an employee when
they are under a heightened state of stress and encourage them to slow down or
wait to make a decision in the interest of avoiding making an error.

That same wearable technology could be used to monitor an
employee’s facial expressions and vocal cadence—which could result in better
business outcomes and, as one director observed, coaching and feedback in a
call-center context. Other directors observed that AI could be used for
employee safety and compliance—such as using AI technology to monitor time on
the road in the trucking industry, in which drivers are required to drive no
more than 11 hours per day.

These possibilities do raise ethics and compliance issues,
though. For example, these potential advantages could also be seen as invasions
of privacy. Many of the AI programs being piloted now to help employee
performance are opt-in only, meaning the employee must consent for the company
to collect their personal information in this way. Multiple attendees also
expressed concerns about the hiring phase, in which AI could ostensibly be used
to screen for people that fit the company’s current mold—potentially perpetuating
or introducing discriminatory hiring practices, as well as denying a company of
the game-changing talent it might have hoped to attract.

Here, it’s critical to remember that AI is only as good as
the algorithms that underpin the system. “This is the risk here—and also one of
the reasons why these systems are in pilot mode,” Jordan said. “But it’s also
why the combination of the human and the machine leads to the very best
outcome.”

Jordan emphasized the need to mindfully temper technology
with human discretion and judgment:

“AI provides data points for a hiring manager to consider or
can reduce a significant volume of applications—and those industries where
there is a high job application volume is where we see this technology being
tested right now.”

“But,” as one director observed, “there are so many
mom-and-pop shops that don’t bring enough sophistication to the table that they
run a huge risk of making some significant errors.”

“And it’s not just hiring,” another director added. “It’s
promotions from within and making judgment calls. I’m concerned about biases
and missed opportunities.”

Jordan noted that at the board level, an AI strategy is
required because of that risk. “While the company may not be engaging with AI
today, there should be a discussion about when it will be incorporated into the
strategy,” Jordan said, “or, at least have some outside organizations come in
and talk with you, because it’s good for boards to get that outside
perspective.”

Visit the NACD
BoardTalk blog next week for additional coverage of this discussion, including
insights on how boards are using AI to approach their work and the regulatory
concerns around this rapidly evolving technology.

Thoughts on the BRT Statement on the Purpose of the Corporation

In what has been characterized as a “move[ment] away from shareholder primacy” and a “commitment to all stakeholders,” the Business Roundtable (BRT) released a new “Statement on the Purpose of a Corporation.” The new statement is, in many ways, a reversion to the BRT’s 1981 “Statement on Corporate Responsibility.” The 2019 statement supersedes the 1997 “Statement on Corporate Governance” which had declared that “the paramount duty of management and of boards of directors is to the corporation’s shareholders.” 

None of this, of course, is news to the regular readers of the financial press. The new statement has received a tremendous amount of attention from investors, journalists, academics, and politicians. It will be carefully considered by public company management teams and boards of directors, even those not part of the BRT.

Despite all of that attention, at least three critical points seem to be underappreciated. They are worth pausing over.

First, despite the title of the statement, it is really not so much about “purpose” as it is about commitments to various corporate constituencies. A corporation’s purpose is typically to produce goods and/or services in the advancement of business goals often articulated in a mission statement. The purpose of the corporate form is to enhance the ability to gather the equity capital required for the production of those goods and/or services by promising limited liability to those capital providers. All of this takes place in the context of a capitalist economic system, the benefits of which the new statement references.

Second, the now somewhat discredited language of “primacy of shareholder interests” never meant that there weren’t duties to the other stakeholders. Nor did it imply that long-term shareholder interests could be served without meeting the fair expectations of the other stakeholders. The various commitments articulated in the statement represent what corporations were already obligated to do or what most found it in their enlightened self-interest to do when attending to building value for the shareholders. For example:

The statement commits to “delivering value to customers.” Customers are protected by the market—companies that do not deliver value through quality and innovation do not flourish and may not survive. And, customers have the protections of the antitrust laws, the FDA, the CPSA, privacy laws, the UCC, tort law, and contractual warranties.

The statement commits to “investing in our employees.” A dedicated, motivated and well-trained workforce is a competitive advantage. Especially at a time of relatively full employment, the market will punish companies that do not treat employees well. Employees are protected by OSHA, WARN, ERISA, ADA, ADEA, EEOC, FLSA, NLRA, whistle-blower anti-retaliation laws, employment agreements, and state law limitations on noncompetition agreements.

The statement commits to “dealing fairly and ethically with our suppliers.” Suppliers have contract rights and will not do business with those who stiff them.

The statement commits to “supporting the communities in which we work… and protect[ing] the environment.” Again, there are specific protections here (including environmental laws), and companies support their communities through the payment of taxes and philanthropy. Moreover, universities and other not-for-profits with stock in their endowments benefit from corporate profitability.

There is also a raft of protections for creditors—a stakeholder group that was not specifically called out in the statement.

There are of course duties to the shareholders, to whom the statement appropriately commits to seek to “generat[e] long-term value.” That commitment is enforced through generalized fiduciary duties. Unlike the other stakeholders, the shareholders generally are not protected by specific laws and regulations (other than securities laws). Moreover, shareholders receive value only if there is residual value left over after all of the other stakeholders have received their due. This is graphically illustrated on the right side of a corporate balance sheet—shareholders’ equity is at the bottom and can be negative.

Finally, the legal impact of the statement must be questioned.

The statement does not change the law. Generalized fiduciary duties are still owed only to the shareholders, and in some ways that is the practical meaning of the phrase “primacy of shareholder interests.” Even though some commentators have suggested that the statement establishes equivalent duties to all of the stakeholders to whom commitments are made, that is simply not the case. And, from the standpoint of corporate decision-making, thank goodness for that! Nor does the law stand in the way of fulfilling the commitments articulated in the statement: It has always been the case that corporate directors and officers can take actions of the types that are committed to in the statement… so long as there is any rational basis for concluding that those actions will ultimately redound to the benefit of the shareholders. That is the legal and economic underpinning for corporate social responsibility.

Thomas A. Cole is senior counsel and chair emeritus of the executive committee of Sidley Austin LLP. He teaches the seminar on corporate governance at The University of Chicago Law School. He is the author of CEO Leadership: Navigating the New Era in Corporate Governance, to be published in November by The University of Chicago Press. His colleagues advised the BRT in the development of the 2019 statement. The views expressed in this essay are not necessarily the views of Sidley or its clients.

For more thoughts on stakeholder primacy, check out NACD Directorship’s November/December 2019 article, “The Primacy Debate: Voices For and Against.”

Alignment on Risk Management Is Dangerously Askew

Boards are under increasing pressure from
investors, regulators, and the general public to adapt to and better manage the
factors that influence how organizations are created, grow, and succeed—and to
do so with transparency and accountability. This requires unparalleled
collaboration and harmony of purpose among those charged with risk management.

But findings from a new Institute of
Internal Auditors (IIA) report paint a troubling picture that is anything but
harmonious. Worse yet, the report’s key findings suggest that boards generally
have an overly optimistic—and potentially dangerously skewed—view of how risks
are managed.

OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk uses quantitative and qualitative surveys to determine how boards, executive management, and chief audit executives view key risks based on their personal knowledge of the risks and their views of their organizations’ capabilities to address them. Importantly, the report offers an analysis of how those views differ and what that means to an organization’s risk management.

Data analysis for this year’s report reveals
varying levels of misalignment among respondents on 11 primary risks. Some of the
report’s most important findings include:

Boards have a consistently rosier outlook than others who walk the halls. Executive management’s views on risk management capabilities are consistently more conservative than the board’s, which suggests an even more disconcerting condition: Boards don’t grasp the complexity of the risks their organizations face, aren’t getting the right information to fully understand the organization’s risk posture, or simply take what information is presented to them about risk management at face value. Furthermore, directors are more likely than executive management and chief audit executives to think their organization’s risks are well managed. This suggests better communication pipelines are needed between management and the board to ensure that directors see the full risk picture.

Most survey respondents believe a certain level of misalignment on risk perceptions is acceptable. The qualitative survey found approximately 7 in 10 respondents expressed the view that some level of misalignment is “healthy”. While some misalignment around individual knowledge is to be expected, a cavalier attitude that that misalignment is somehow healthy is troubling, in particular with respect to misaligned perceptions of an organization’s ability to manage risk.

Certain industries are falling behind when it comes to integrating enterprise risk management processes. Overall, 67% of respondents reported using a systematic approach to identifying, managing, and monitoring risk. However, some industries that struggle to develop a coordinated risk management strategy include health care (51%), retail/wholesale (47%), and public/municipal (38%).

Cybersecurity and data are increasingly important for proper board oversight, but respondents seem to have little understanding of these areas. Boards and C-suite executives reported minimal knowledge in cybersecurity and data, which were rated among the most relevant to companies today. For example, less than a third of board members and executives interviewed rated their knowledge of cybersecurity at either a six or seven on a seven-point scale (top two). Organizations should make improving their understanding in these areas a top priority. Moreover, predictions by chief audit executives about the growing influence of three risk areas—data and new technology, data ethics, and sustainability—offer organizations an opportunity to proactively address them.

Talent management is on the radar of all OnRisk 2020 respondents. They understand that finding and keeping talent, particularly workers with data and information technology skills, will drive future success.

The Time for Action Is Now

Internal audit is often unfairly criticized
as identifying problems without offering solutions. Indeed, a long-standing macabre
joke among risk managers is that internal audit’s job is to come in to bayonet
the wounded.

One of OnRisk 2020’s significant benefits is that it offers solutions. Through careful analysis of survey data, as well as additional research, the IIA has identified actions each respondent group could take to improve their alignment on risk management and, ultimately, enhance their organization’s ability to address each of the 11 risks examined in the report. One theme for recommendations across a number of key risk areas was for boards to press executive management for more information or more frequent updates on risk management efforts. Another was a push for greater transparency and timeliness from executive management when reporting on key risks. OnRisk 2020’s overarching message is that all organizations can benefit from conducting reviews of risk knowledge and capability perspectives among their boards, C-suites, and internal audit functions.

One definition of risk management is to
identify and evaluate risks based on impact and likelihood, then implement
necessary controls and processes to leverage or minimize them. Any weakness in
an organization’s risk management strategy or its execution is, in itself, a
risk. Misalignment among the board, executive management, and internal audit on
risk is one such weakness that can and must be corrected.

Richard F. Chambers (CIA, QIAL, CGAP, CCSA, CRMA) is CEO and president of The Institute of Internal Auditors. He has worked as a risk management and internal audit leader for more than four decades.

Fit for the Future: An Urgent Imperative for the General Counsel

In the report of the 2019 NACD Blue Ribbon Commission, Fit for the Future: An Urgent Imperative for Board Leadership, NACD and this year’s commissioners offer recommendations for a critical and updated approach to board leadership and operations, involving greater speed of decision making, proactive behaviors, adaptability, and innovation. Necessitated by a landslide of challenges such as the pressure for companies to articulate and justify their broader purpose, increased investor scrutiny, fast-changing geopolitical strife, and the growing complexities of technology and business model disruption, boards must evolve rapidly in order to create long-term value amid seismic shifts, sometimes occurring concurrently, and sometimes interacting and amplifying each other.

In this environment, which puts a premium on orchestrating
dramatic transformations and the successful execution of new ideas, there is an
even greater onus on boards—and board leadership—to exercise good judgment.

The general counsel, as an advisor to the board and as a partner
to board leadership in the role of corporate secretary, plays an important part
in identifying future-state opportunities and supporting board leadership’s
efforts to identify needs and embrace change. While the general counsel will be
a pivotal player in supporting actions identified throughout the report, key
areas of focus for the general counsel are highlighted below.

Build Agility and Clarity Into Board Operations and Structure

Facilitate board assessment. The general counsel can both recommend and facilitate assessment of the current operations of the board and the performance of existing directors. Likewise, the general counsel can help determine and document the needs for future directors, with an eye toward diversity and the skills needed to future-proof the board. Board assessments would be usefully complemented from time to time by a 360-degree management assessment of the board, enabling some helpful truths to be conveyed, in a measured fashion, about how the board’s overall contribution could be strengthened.

Rethink agenda setting in partnership with board leadership. Board leaders—and by extension general counsel—must optimize scarce meeting time, rethink agenda setting, and consider the use of virtual tools to connect more continuously as a board. Important objectives include creating “white space” time in the board agenda for open conversation and for delving into identified issues of importance, fostering dialogue, and minimizing time spent on formal presentations. The general counsel should make creative recommendations for new ways of collaborating. For example, the general counsel could recommend that board leadership consider encouraging cross-fertilization and interaction between committee chairs, combined with periodic joint meetings of committees with overlapping or interlinked mandates, such as the audit, risk, and technology committees.

Regularly update documents to keep forward momentum and provide clarity. Working with the chair of the nominating and governance committee, the general counsel can assist in performing a rigorous governance review that covers the board’s governance guidelines, operations, structure, and charter(s) every year. The board’s annual goals should also be clearly captured, and minutes may need a fresh approach to effectively document thinking on strategic issues.

Streamline reporting to the board. Review the protocol for the flow of information to the board to ensure appropriate transparency on company performance and risk, while also evaluating the volume, efficacy, and digestibility of information provided to the board.

Draft board leadership and director role requirements. The general counsel can surface the need to define, and periodically refine, the characteristics and role requirements expected of the company’s next board leader in order to prepare candidates to lead the board into the future. For example, the board should consider emphasizing the importance of fortitude and adaptability when updating the leader’s role definition. Also, the general counsel can draft individual director job descriptions that reflect the new requirements of the board’s current and future strategic needs, valid stakeholder expectations, and an inclusive board culture.

Revise and refresh director onboarding. Robust director onboarding is becoming increasingly important, and repeating onboarding for directors who have held a seat for some time can also be valuable. In fact, a board on which one commissioner serves has created a “re-boarding” program for directors, which kicks in 18 months into their board service to help them better understand the business and to enhance their board and committee contribution.

Foster Continuous Learning

Partner with board leadership on a learning agenda. The general counsel should assist in developing and maintaining a targeted, continuous learning agenda for the board, which may include time on board or committee agendas for learning about industry-specific topics or emerging trends, as well as external time spent on additional learning that may benefit the company on governance matters, regulatory developments, shareholder/stakeholder issues, and/or team dynamics and decision making. A continuous-education strategy for the board should also include sessions where the board collectively reflects on governance failures that happened elsewhere, perhaps at companies in their industry.

Consider management’s learning as well. Continuous learning also applies to management, and the board should encourage selected executives to take board positions at companies that are not competitors. The general counsel should likewise seek opportunities beyond the legal sphere to increase their value as a business partner to the board.

Increase Transparency and Accountability

Balance risk with a need for increased visibility. In the board of the future, the board leader needs to challenge prevailing assumptions about the limits of transparency and disclosure, engaging directors and management in dialogue about how to appropriately offer visibility into the workings of the board. As a leader in managing organizational risks, the general counsel should have a voice in how to increase visibility without also increasing risk to an unacceptable degree.

The proxy statement and the compensation discussion and analysis can be utilized to tell a more comprehensive story about how the board operates.

It is likewise important to prepare designated members of the board to engage directly with investors on selected governance matters.

Use clear documents to impact accountability. Strengthening the board’s accountability for individual director and collective performance is an urgent mandate for every board leader. This requires that board members have a detailed job description and a clear understanding of what is expected of them. As noted above, the general counsel should have a hand in developing director role descriptions that reflect the enhanced requirements of the company’s board.

It is the board leader’s job, as ever, to build and maintain
a high-performing board. Board leaders must catalyze and orchestrate a
transformation in how the board is composed and structured, how it operates and
interacts with the business, and how it holds itself accountable. The general
counsel’s involvement, diligence, and creativity will be critical in supporting
board leadership on this journey. In addition to strategies and
recommendations, the 2019 report offers toolkits to assist the board and, by
extension, the general counsel, in accelerating change to achieve the board’s
optimal future state.