Creating and Perpetuating an Ethical Workplace: The Board’s Role

What defines a “good place to work”? Employees want to be
respected. They want their ideas to be heard. They want clear expectations and
goals to meet or exceed. They want to be rewarded for their hard work and
dedication. And, perhaps most of all, they want to work for a company they can
trust. Providing these workplace components creates happy employees, encourages
good work, inspires loyalty, and ultimately leads to long-term success.

The first step to achieving all of the above? Ensuring the company’s
culture is centered on good character. Acting ethically—doing right by customers
and employees, and being clear and up front about individual and company
actions—is the most important building block in developing a positive culture
and solid reputation.

Company culture and company success are two sides of the same
coin. When employees feel supported, heard, and respected—when a good company
culture is lived and transmitted—they’re more likely to come up with creative
ideas, to care about solving problems, and to remain motivated. This leads to success
with customers, which in turn rewards employees, reinforcing the culture and creating
a virtuous, self-sustaining cycle. Culture can truly make or break a company.
Pay, benefits, and customers may draw people in, but it is the culture—the very
core of a company, what it stands for and how it operates—that will keep employees
or turn them away.

So, what role can a board play in promoting company culture?
How does a board support the adoption and enactment of ethical behavior?

First, the board must support and contribute to the creation
of strong teams. Is the board hiring the right people? How can you be sure? One
essential way is to incorporate ethics and behavioral elements into the vetting
and selection process of our teams. Be sure to ask the right questions; rather
than simply asking what someone has achieved, also ask “how?” What drove their
decision-making, and what effects did that have on outcomes? Were there any tradeoffs
or compromises made during this process? Growing a business is never easy, but
choosing leaders with good character is essential to ensuring that ethical
behavior is built into teams’ DNA and the decision framework. It all starts
from the top.

Second, the board must set expectations that employees will
be offered resources that teach and reinforce a culture of ethics.
Ethics training must be mandatory but also engaging, which will
enable employees to understand the importance of ethics and good character and
then live it, not just parrot obvious responses. Interactive training, whether
it be digital or in person, should facilitate discussion and incorporate
real-life scenarios and dilemmas into its program.

An ethical workplace doesn’t stop at training. There must be
a visible system in place for team members to escalate concerns. Does the
company have an ethics hotline? Who monitors the hotline? Are management and
other relevant parties checking to make sure it’s being used? How are they
making sure that everyone knows how and when to use it? If it is never used, it
may indicate that employees are afraid to escalate issues.

The board should ensure that management always communicates to employees that they
have access to the information they need about policies and procedures. Employees
should know what conduct is expected of their role, and also understand how the
company’s written code of conduct applies to their work life. Ensure that refresher
training is readily available and accessible, that employees are instructed to escalate
issues when necessary, and that they understand there is no threat of
retaliation if they do so.

The third step is reinforcement. Accountability must be
demanded from leadership by the board. Is there a review system in place to
make sure top executives continue to follow the code of ethics? How can the
board encourage ethical behavior? CACI established a board-level culture committee
that is assigned to oversee management’s efforts to foster and institutionalize
our culture at all levels of the company.

We also created and institutionalized our own award for
ethical behavior to acknowledge and positively reinforce actions that align
with our culture of good character. Our ethical culture is made visible in many
ways, including through our robust community volunteering program, called “CACI
Cares,” and our support of veterans through several nonprofit organizations. I
am very proud of CACI’s strong and generous presence in both our nation and our
neighborhoods through volunteerism and charitable giving.

Now, renew, repeat, reinforce. To be successful, a culture of
good character must be a priority from the top down. Everyone must put in
effort to ensure that it exists and persists. Make it a key piece of every
single business decision the board makes—where to invest, who to hire, what
policies to implement. At CACI, we expect the same ethical behavior from our
suppliers and even our customers. Turning away from doing business with
unethical organizations might cost the company in the short run, but it has
certainly paid off for us over time.

Finally, it is the board’s duty to ensure that leadership and
others in charge of decision-making not only understand but embrace the
culture. It won’t always be easy, but the board decides who remains in positions
of power—and who doesn’t. Acting ethically establishes trust, both with
employees and with customers. And if you show customers that your company can
be trusted, they will continue to give you their business. Creating an environment
where individual and organizational character is the expectation, not the
exception, will ensure long-term success.

Michael A. Daniels is a director of CACI International. He also serves on the boards of the Northern
Virginia Technology Council, Two Six Labs, Mercury Systems, and BlackBerry.

Cybersecurity: AI to the Rescue?

It’s no secret that the technology industry is prone to overhyping
the latest, greatest, shiny new thing. Sometimes technology lives up to the
hype (cloud computing), and sometimes, well, not so much (blockchain).

And then there are the technologies that are impossible to overhype. Artificial intelligence (AI) is this kind of technology. Over the next five to ten years, we’re going to see AI and machine learning penetrate virtually all aspects of business, not to mention fundamentally change the way we work and live. From medical diagnoses to contract reviews and self-driving automobiles, AI will change everything.

A Cute Puppy Will Change the World

What we see today from AI—applications like chatbots and
virtual agents for customer service—is only a hint of things to come. These
applications have launched AI into what I call its “cute puppy” phase. CEOs and
other executives think it’s cute when they see a chatbot work, but it’s worth
equating the chatbot with witnessing Alexander Graham Bell’s first telephone
call—it’s pretty neat, but to the casual observer the ramifications may not be
readily apparent. Bell’s “cute” telephone wound up changing life as we know it,
acting as a catalyst eventually for the creation of the internet, smartphones,
satellite communications, and many other things in our connected world. AI will
cause a similar global transformation.

Directors need to understand this parallel to Bell and the
telephone because the effective adoption of AI will be a competitive
determinant similar to the adoption of e-commerce 20 years ago: those that
adopt the technology early and do it well will thrive, and those that don’t
will be left in the dust by a burgeoning megacompany because they didn’t adapt.
And, while virtually every functional area of the typical enterprise stands to
be transformed by AI, cybersecurity is one of the areas that stands poised to
reap enormous benefits in the near term.

How AI Transforms Cybersecurity

When we look at the critical issues in cybersecurity—the
skills shortage, the complexity of securing digital assets caused by technology
overload, the need to manage every employee (not to mention every director) as
a potential security threat, and the fact that security teams have to be
perfect while the bad guys only have to be right once—AI can potentially solve
all of them.

As a point of illustration, let’s look at how cybersecurity
teams currently manage threat detection and response. Typically, an
organization will have lots of security technologies in place that generate
alerts when they detect something suspicious. Most of these alerts are false
positives—that is, things that look suspicious but really aren’t. This approach
causes “alert overload,” where so many alerts are generated (tens of thousands
in some cases) that security teams simply cannot investigate them all, which
creates a “needle in the haystack” problem where alerts of legitimately bad threats
get lost amid the sea of false positives.

Now, imagine a world where AI manages the entire threat detection
and response process. The alert overload problem is no longer an issue, because
AI can scale to investigate and respond to every last alert within your
company’s unique architecture. Beyond that, AI learns every time it sees an
actual threat and can use that knowledge to forecast how future threats will
look. Finding the needle in the haystack is a near-impossible task for humans, but
it’s relatively trivial for AI.

This is just one simplistic example of the impact AI will
have on cybersecurity. There is a dark side to AI as well—the bad guys will use
it to create ever more sophisticated and elusive attacks. But when we look at
the lopsided “arms race” today, where the bad guys get to start the 100-meter
dash 99 meters down the track, AI will at least make it a fair race, where
everyone starts at the same line.

Living Up to the Hype

There are a number of hurdles that must be cleared before AI
can realize its potential in the cybersecurity sphere, or any other area of
business, for that matter. There are no standard AI architectures today, no
regulations (there will be), no transparency into technology vendor algorithms
so there is no way to validate how their AI is making decisions (which raises
the specter of two AI systems arguing with each other), and there are not
enough data scientists. We also haven’t really focused on securing AI itself; there
are already algorithm manipulation attacks underway, which is a problem that
must be stopped dead in its tracks.

But, as with e-commerce, the benefits of AI are so profound
that these initial hurdles will be cleared, and cleared quickly. So, when we
look at solving today’s problems with cybersecurity, will AI live up to its
hype? The vote here is a resounding yes—the technology really is that
transformative.

Greg Baker is the vice president and general manager of Cyber Digital Transformation at Optiv.

Realizing the Value of Generational Diversity on Boards

As the topic of boardroom diversity has gained prominence over the
years, considerable attention has been given to the value that women and
minority representation can bring. For the most part, however, generational
diversity hasn’t been discussed as much as other forms of diversity. This
situation has recently started to change.

The 2018 US Spencer Stuart Board Index indicated that independent directors of S&P 500 companies are 63 years old on average. It also reported that 17 percent of new directors were age 50 and younger in 2018, up slightly from 16 percent the previous year. What is driving this trend? The Index indicates that some boards may be bringing on younger directors to obtain specialty skill sets and diverse perspectives. Others may be seeking not only to obtain particular skill sets but also to gain insight into what motivates customers and employees within certain demographic groups.

New Director Differences

It’s becoming clear that introducing more generational diversity
into the boardroom is a priority, and that doing so may bring new perspectives,
unique skills, and varied backgrounds into the board’s oversight role. But, if
not managed properly, adding directors with different experiences and
perspectives may not be as successful as hoped. For some time, new directors
were automatically exposed to either their own boards or nonprofit boards
through their C-suite experience. This often gave them an intrinsic understanding
of the role of the board as well as a good sense of the information they would
need from management in order to perform their roles.

As the search aperture widens beyond the C-suite, candidates may
hold positions that are two or three layers down from the CEO or lower—or, they
may come from academia, the military, government, or other nontraditional
sources. This means they may not have had previous exposure to how corporate boards
operate. Even though less-tenured directors can bring extremely desirable
skills and capabilities, they may not be as familiar with the role of the board
in terms of governance—particularly, the nuances of oversight versus
management. Without this understanding, they can sometimes struggle to find
their voices and to deliver meaningful insights. This suggests that more
education and better onboarding may be required in order to enable new board
members to contribute effectively.

Leading Practices for Generational Inclusivity

A first step in optimizing the contributions of directors of all
ages is simply recognizing that there may be perceptual and experiential differences
among different cohorts, and that some may be less savvy about the workings of
a board than others. Mentorship
and coaching are initial ways to bridge these differences, with more-tenured
directors offering guidance to new directors on what is expected of them in a
governance role. This includes suggesting strategies for adding value, such as how
and when to lean in and add perspective.

Targeted committee assignments are another way
of including less-tenured directors. For example, consider a new director who
is deeply experienced in technology but less so in finance. The audit
committee, which often has responsibility for overseeing technology risk, may
invite that director to take a lead role on technology
strategy or cybersecurity. This type of assignment can provide newcomers with
an opportunity not only to showcase their strengths, but also to gain valuable
insight into areas where they have less experience. There may also be
opportunities outside the boardroom to invite members to offer their
perspectives, such as meeting with employee councils or customer focus groups
to explore talent strategies, product development, or consumer trends. Offering less-tenured directors specific,
well-defined opportunities to add value within a more informal setting, such as
a committee or working group, can help them form connections and feel more
comfortable in larger meetings of the full board.

Although targeted assignments can be helpful in creating
an inclusive culture, directors should bear in mind that newcomers can feel demoralized if they perceive that they’ve been brought in to “check
a box” or if they are only valued for a specific attribute. Every director, regardless of age or experience level,
should be valued for their ability to offer broad business insights as well as
specific expertise. Accordingly, it is important
not to let conscious or unconscious biases color one’s perceptions. Directors
should be open to understanding each other’s experiences, skills and perspectives,
so they truly allow each person to provide their own unique value.

In terms of generational differences, this need for unbiased
openness goes both ways: one shouldn’t assume that an older person lacks
certain capabilities just as one shouldn’t assume that a younger person possesses
them. A classic example of this bias is the pervasive stereotype that older
people don’t understand technology while younger people inherently do.

Be Intentional About Realizing Potential

With boardroom diversity expanding today in all of its forms, performance and value of such diversity are increasingly about the “and”: It’s the skill set and the cultural fit. New members may need different ways of becoming effectively integrated onto the board than their more-tenured counterparts. As more boards intentionally pursue generational diversity for the value it might deliver, they should be equally intentional in creating an inclusive culture that allows this potential to be realized.

Deborah DeHaas is a vice chair and national managing partner, Center for Board Effectiveness, Deloitte LLP.

As used above, Deloitte refers to a
US member firm of Deloitte Touche Tohmatsu Limited, a UK private company
limited by guarantee (DTTL). This article contains general information only and
Deloitte is not, by means of this article, rendering accounting, business,
financial, investment, legal, tax, or other professional advice or services.
This article is not a substitute for such professional advice or services, nor
should it be used as a basis for any decision or action that may affect your
business. Before making any decision or taking any action that may affect your
business, you should consult a qualified professional advisor. Deloitte shall
not be responsible for any loss sustained by any person who relies on this
article. Copyright ©2019 Deloitte Development LLC

NACD Chapter Leaders Discuss Top Issues Shaping Programming

At conference tables in more than 20 cities across the
country, the volunteer leaders of NACD’s chapters have been sitting together to
discuss the topics of greatest import in today’s boardrooms. Out of those
conversations will spring more than 300 NACD chapter programs in the 2019-2020
program season, during which NACD members and guests will hear from high-level peers
and experts in panel discussions, keynote presentations, roundtable discussions,
and the like.

I recently asked five NACD chapter leaders for a sneak peek
of the top issues facing directors now and in the coming quarters, according to
their local discussions. These themes will be reflected in the new program
season, and are discussed below.

1. Innovation and change. How do you reinvent the wheel? This is a question on the mind of NACD New England chapter program committee Chair Ellen Richstone, who is currently a director of Superior Industries International, one of the largest aluminum alloy wheel manufacturers. She also serves on the boards of eMagin Corp. and Orion Energy Systems, and has served on corporate boards across eight different industries since 2003.

“Directors need to focus on innovation,” she said. “Regardless of industry, the world is changing, accelerated by technology, geopolitical factors, and economics.” Richstone gives an example from automotive supply, which is not thought of as a high-tech environment. “Just think of a wheel,” she said. “Many years ago, the wheel was a standard product. Now, we must be concerned with material sciences and design. Consumers are looking for choice, and the company must think about making these products stronger and lighter to increase fuel efficiency and reduce environmental impacts, while reducing costs overall. We also have to ask if we have the right talent capital to get the job done, and whether we have the right culture to attract and keep the right talent.”

Richstone looks forward to an upcoming chapter program showcasing New England-based companies whose products are changing the world, to be held in October, along with a variety of programs that will touch on the area of innovation and change.

2. Sustainability and purpose. Anna Catalano, co-chair of the program committee at NACD Texas TriCities chapter, agreed that innovation and disruption should be at the top of each director’s list. That said, a closely related topic that should also capture the attention of directors is the evolving importance of sustainability and purpose.

“There is a growing sentiment that business takes from people,” stressed Catalano. One of the companies she serves, Kraton Corp., has been proactive rather than reactive. “We have changed the name of the nominating and governance committee to the nominating, governance, and sustainability committee. We are discussing what we stand for, and how we are going to market,” she shared. Kraton, a publicly traded chemical company, has also published a sustainability report, a step forward for the industry. NACD Texas TriCities will offer programs on this and other leading topics in Houston, Austin, and San Antonio this season.

3. The global economy. The thread of the global economy weaves through the various issues facing directors, so much so that no company can ignore it, according to Elizabeth Camp, program co-chair for the NACD Atlanta chapter. “I sit on the boards of Genuine Parts Co., a global public company, and Synovus [Financial Corp.], a public regional bank with community banking roots. The former has a nimble supply chain, but must manage price risk. The latter has exposure to global companies and must manage the business accordingly.” So, she added, “The community is now the world. No matter the industry, you have to consider the global slowdown and tariffs.” Rooted in factors ranging from the global economy, to forces of disruption and change, NACD Atlanta’s program year will have the theme of “the future of boards” and kicks off in September with a program featuring Benjamin Pring, director of the Center for the Future of Work at Cognizant and recognized expert on leading-edge technology and its intersection with business and society.

4. Macro-level risk management. Tom Leppert, the former CEO of large companies in five different industries and former mayor of the city of Dallas, is the program co-chair for the NACD North Texas chapter. He wraps many of these topics together under the notion of macro-level risk management.

“We are good at micro risk analysis,” he said, “but we are less skilled in managing existential and macro risks. We aren’t used to dealing with them because they often had a low probability of happening, although the impact when occurring is enormous. And that probability is increasing.” Leppert currently chairs the boards of building company Austin Industries and dynamic glass manufacturer View. “I spend more than 50 percent of my time on these types of discussions. The board as a whole spends less than that, but still a significant percentage of time looking at macro risks.”

According to Leppert, the board’s role is to ensure that there is a process in place to address these forms of risk and that management has created relevant policies—with appropriate board oversight—to handle the risks. This encompasses reputational risk, both for the company and for the individual director. “I bring a public sensitivity to my work, having been a mayor and having worked at the White House,” he said. “But every one of us, whether in management or on the board, is a news article away from being a public figure.” Leppert expects that macro-risk management will be explored in several of the upcoming NACD North Texas programs, held in both Dallas and Ft. Worth.

5. Defending capitalism. NACD Pacific Southwest chapter President Larry Taylor is focused on risk management of another kind: the role of corporate directors in our capitalist society. “We should be asking whether directors have a responsibility to protect the long-term viability of the corporations on whose boards they serve as directors,” he opined. “We must face the need to protect the capitalist system in which their corporate entities exist, operate, and earn profits because capitalism and the private sector are under fierce attack.”

According to Taylor, educating employees—particularly younger employees—about the role of the corporation in society can help them to be better informed in their own “employee activism,” making them able to defend capitalism externally as company ambassadors. Taylor believes that societal risk belongs in the risk management process, and he specifically believes that the risk to capitalism should be on the board agenda. Taylor will lead a panel on this topic at the NACD Pacific Southwest/USC Marshall Corporate Directors Symposium on November 14. The chapter will offer programs in Los Angeles, Phoenix, Las Vegas, San Diego, Santa Barbara, Santa Monica, and Reno this program year. 

In a year when NACD launches its director certification program, and directors are focused on refining their educational calendars, these and other NACD chapters will offer timely programs where you live, work, or travel this fall. To find a chapter program near you, visit here.

Kimberly Simpson is an
NACD regional director, providing strategic support to NACD chapters. Simpson,
a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in
2005.

The CHRO Scorecard: Three Metrics Your Board Should Review

A chief human resource officer (CHRO) brings a unique skillset to any board. With deep knowledge of executive succession and the ability to maintain and engage individuals who execute business strategy, CHROs are an invaluable asset to corporate boards. Yet, there are only 28 active CHROs serving on the boards of Fortune 1000 companies.

Much like a chief financial officer might have to report on revenue or a chief marketing officer (CMO) on market penetration, CHROs should report to the board on specific, quantifiable metrics to show the value of their role and its impact. The CHRO’s greatest value often lies within the below fields:

1. Diversity and Inclusion: A commitment to diversity and inclusion (D&I) is apparent at many institutions today. Across North America, approximately 74 percent of corporate respondents in a recent PwC survey reported D&I as a value or priority within their organizations. Yet, to make serious progress, the drive for D&I must be underpinned commercially and financially by the board.

Numerous studies by strategic consulting
firms consistently demonstrate that heterogeneous boards and leadership teams
outperform homogeneous groups in value creation. For D&I to be truly embraced,
companies must look to the old adage that “strategy drives structure.” This
change must come from the top and be diffused throughout the company.

It is essential that the CHRO coordinate
with the CEO to ensure that cross-functional project teams have diverse
representation. A lack of quality D&I can represent a reputational risk to
an enterprise.

High-performing companies generally expect
D&I progress and enterprise goals to be a regular board topic and for the board
to hold the CEO, the CHRO, and other senior executives accountable for the
personal development of high potential diverse talent. Executive leadership
should also be familiar with the development tactics of diverse talent at
outside companies to round out the company’s succession strategy. The CHRO and the CEO should keep the board
informed of external, potential talent from diverse backgrounds while also
ensuring that its own talent development process is commensurate with the
enterprise’s needs—and competitive with others’ programs.

Another way to ensure the progress of a
company’s D&I objectives is for the compensation committee to consider
including personal incentive objectives, tying executive compensation to the
achievement of diversity goals.

When looking at how best to measure the success of D&I initiatives, consider sharing with stakeholders statistics that display the growth of high potential diverse executives in the succession pipeline and the number of senior executives mentoring diverse junior executives.

2. Culture: As Lou Gerstner states in his book, Who Says Elephants Can’t Dance?, “Culture is not the most important thing, it’s the only thing.”

While CEOs must serve as chief
culture officers, the CHRO needs to serve as the steward of cultural direction.
Corporate culture must complement the organization’s vision and its strategic
direction. Any disconnect will seriously jeopardize the prospects for future
success of the business.

As the culture steward, the
CHRO can direct staff to conduct various audits to determine if the desired
culture is being consistently embraced and followed. These audits may take the
form of individual performance reviews, random interviews with employees at
various levels, or employee surveys to determine which behaviors are being
rewarded and how these behaviors align with the desired cultural
transformation.

The CEO must require senior executives to reinforce cultural goals among their employees and call on human resources (HR) for support in embedding the messaging in company culture. Both the CEO and CHRO must have mechanisms in place to report to the board on cultural development. That said, culture change is not a quick fix. Milestones need to be set and understood widely to ensure appropriate progress is being made. An example of a milestone to evaluate would be the percentage change in annual revenue three years after introduction of a culture change.

3. Ethics: Today, as never before, corporate values and ethics have become major risk management considerations and require steadfast attention and monitoring. Recently, the business world has seen the loss of significant shareholder value stemming from sexual harassment claims, from lack of equal pay for equal work practices, and from improper management of consumer protection and rights—and the list goes on and on.

The intersection of corporate
values and the executive team’s individual actions is of paramount importance. As
with culture, senior executives must be the standard bearers of the stated
corporate values, consistently modeling and monitoring the enterprise’s values
and ethics. They may do this through small group meals or meetings with wide
ranges of employees.

A vibrant culture is closely tied to the enterprise’s values and ethics. Any
significant misalignment risks the erosion of shareholder value through the
loss of talent, constituency confusion, and inappropriate behavior. What the
organization truly honors and rewards plays out in its day-to-day behavior. The
desired values and ethics must be lived daily from the boardroom on down
consistently with the desired culture. Otherwise, the culture will break down
and employees and constituents will become confused and disillusioned.

A CHRO may also consider utilizing
employee surveys or setting up an outside service platform for employees to air
concerns about breaks with the company’s stated ethics and values. The board as
a whole could receive periodic reports from this service and as needed, provide
feedback on matters requiring immediate attention.

Critical matters such as D&I,
culture, values, and ethics, in addition to talent development, need to be
receiving more board-level attention. The CHRO can be invaluable in making that
happen by serving up specific metrics that highlight where a company stands—and
where they need to go. Board engagement on these issues is not only good
corporate citizenship, but also serves the best interests of shareholders and corporate
longevity.

Marketing and AI: What Boards Need to Know

Artificial
Intelligence (AI) is about to exit the hype cycle, and innovative boards should
be empowering and positioning their companies to take on the advantages and
challenges that come with it. Chief marketing officers (CMO) in particular are
either using AI for competitive advantage already, or they are chafing at the
bit to do so. The directors of companies need to be ready to oversee the work
they are doing with the technology.

Whether used by
marketing departments for customer data analytics, targeting, recommendations,
or chatbot support within a company, there are implications to AI
implementation for a company’s leadership, strategy, risk, ethics, and
corporate social responsibility. The good news is that board members do not
need to understand the working of every feature, part, and possibility of AI to
be able to govern its use. This is like driving and even enjoying a Tesla—business
principles apply to and drive governance. Understanding exactly what is under
the hood can come a bit later.

Four broad areas exist
for company directors to consider:

- Understanding and staying abreast of developments in AI;
- Implementing AI within marketing;
- Governing AI initiatives after implementation; and
- Continuing with AI in the future.

Understanding: Institute an AI Council Within the Board

One of the most significant challenges involved in governing the use of AI is the frenetic pace at which the technology is advancing. Boards should be aware that AI can be applied to a variety of traditional marketing functions: dynamic pricing, demand forecasting, increasing conversion, customer support, and even for customer retention. A recent McKinsey study found that AI will make an impact on various retail sector business functions to the tune of $600 billion, with other sectors facing significant disruption, too.

Meanwhile, boards should also understand the race across the world that is happening to understand, apply, and reap the benefits of AI. Eighty-five percent of Chinese companies are actively working in AI, and China is dominating AI research and implementations. The European Commission, chartered with ensuring trust about the use of AI, published seven essential guidelines on ethics for AI, including human agency, transparency, bias, social and environmental wellbeing, and privacy.

While these are not yet governance laws, boards should expect to see laws sometime in the near future. For instance, the General Data Protection Regulation (GDPR) already requires transparency about any algorithms used. Algorithms need auditing for bias from both technical and social perspectives. A similar law could emerge for use of AI, or GDPR could be more broadly applied to AI.

For these reasons, it
is useful to constitute an AI council within your company that is specifically
charged with educating the board on the technology and related regulations,
monitoring strategic AI initiatives and competition, reporting on risk and
ethics, and bringing the board up to speed on other related AI oversight
matters. An AI council with a diverse set of experts is best suited to create a
detailed and feasible transformation plan to ensure longevity and staying ahead
of the competition. With the help of an AI council, the rest of the board can
understand the landscape quickly in the business context and be ready to take
on strategic and governance challenges.

Implementing: AI As a Platform, Not A Point Solution

AI presents a unique
opportunity to market across the customer lifecycle. Companies currently struggle
to consolidate customer data from channel silos and rely either on human skill
or chance to drive conversion. AI presents the real possibility of running one-to-one
marketing and sales to increase conversion based on individual customer
insight.

By consolidating customer data across traditional marketing channels along with transactional, customer support, and loyalty programs into a customer 360 database, AI can provide the following: highly targeted messaging, individualized promotions and pricing, and automated customer engagement and support, all in order to increase repeat and first time conversion.

Siloed marketing departments
with inadequate IT support find expensive and ineffective external point solutions
to make this type of marketing happen. A comprehensive data and customer
lifecycle platform that uses machine learning and AI is able to model the data
as required for differentiation and success at greater speed. 

To realize this potential, boards must drive transformation and sustained long term strategy. Technology implementation should start with clarity on business goals and continued transformation. Here are pitfalls to consider during implementation of such transformations that boards can help companies avoid.

Governing: Oversight Framework

Since AI adds new challenges
and opportunities to marketing, directors need to be able to understand the
motivations, results, and risks for any marketing processes that use it. At the
outset of the board’s work to oversee AI practices within the company, the
board should request from the CEO and CMO a summary of the following:

- opportunities being pursued via AI;
- functions and features in use;
- types of data and how they are being used;
- privacy, bias, and ethics considerations paired with measures or audit trails to track them;
- any findings by AI such as new customer micro-segments or product and service features needed;
- any external sources of data being used;
- any data partners who might share data and how they might do that; and
- any explanations or assurances provided to stockholders, particularly around any rulings around data, ethics, and corporate social responsibility.

Thereafter, a report every
six months on changes or progress within these areas is a good way to keep the
board informed about AI’s use and role within the company.

In regular reports, the CMO typically presents metrics such as “ad to sales” ratio and “contribution to sales.” Most marketing departments still struggle with attribution of marketing spend to conversion and cannot readily cite customer acquisition cost (CAC). The use of AI along with customer 360 data enables clarity on customer acquisition, conversion, satisfaction and retention or customer lifetime value (CLV). CMOs in concert with business unit owners should then present KPIs such as CAC, CLV, and sales growth, as improved by AI every half year.

Audit also plays an
important role in the board’s ability to oversee AI marketing efforts. Audit
reports on privacy and bias provided by the audit measures and independent
auditors must be presented yearly. The strategic plan should have half yearly
and yearly benchmarks for the use of AI. The board should gauge the need for
adjustments in strategy or actual progress based on the goals in the plan.

Continuing: Future-Proofing and Longevity

Faced with ever-faster disruption, companies must future-proof themselves and their technology with continual transformation. Even the government is doing it. Boards must support a culture of measured risk-taking and agile culture and process. Preventing regime change from restarting and reinvesting is a key board responsibility. The AI council should work in concert with the board to list anticipated market changes and product or service features that drive deep differentiation. Whether by internal efforts or by acquisition, strategic planning and preparedness will ensure companies survive.

Tuning Up the High Frequency Enterprise

In my role looking after enterprise strategy for Amazon Web Services (AWS), I employ a team of former chief information officers to help large enterprise customers with their cloud adoption strategies. There are a number of reasons why so many enterprises are moving to the cloud, including cost savings and improved performance and reliability, but more often the reasons motivating a move to the cloud include the business’s need for greater speed and agility to help accelerate their digital transformation efforts.

Many enterprises are stuck in what we call a “low-frequency” mode of operating—or an environment where any change involves risk, introduces instability, and requires a lot of effort, ultimately leading the enterprise to move at a slower pace. This is opposed to “high-frequency” enterprises that have achieved a rapid pace of change and reduced risk, where the focus is on frequent value delivery rather than ensuring change does not disrupt operations. In my team’s new eBook, Tuning Up the High Frequency Enterprise, we discuss what the C-suite and board should know about the idea of moving from an organization operating at low-frequency to one of high-frequency.

Understanding the Low-Frequency Model

Why are so many enterprises stuck in low-frequency mode? Boards should understand that low-frequency digital operations are typically due to a mountain of technical debt within the company’s information technology practices. The debt could have been piled on or caused by years of accrued workarounds and shortcuts for issues in existing systems and applications that were never addressed. This debt is compounded by outdated models of security, risk, and compliance that fail to build in processes meant to discover performance issues or vulnerabilities early in the development process when they are less costly to resolve.

Another reason why low-frequency operation
models persist is that when the digital leaders of an enterprise develop a new
vision and objectives, that vision and grand roadmap too often are expected to
be matched with what we like to call “big execution” in information technology.
Before any team writes a single line of code, months are spent by executives,
managers, and project managers in intricate planning, trying to map out every
step of development and product delivery along the way in advance. The problem
is that in this mode projects tend to grow larger and more unwieldy, with the
scope expanding as more and more requirements are added in by a broader set of
stakeholders.

Taking this approach means months or years can go by before anything is put in the hands of the customer. It can also mean that the project is completed without any periodic validation that it actually achieves the original objectives of the grand vision or strategy. As a result, boards will likely have a more difficult time gaining visibility into the actual progress of these large, low-frequency investments, and assessing whether or not they pose a risk to the future growth and health of the enterprise.

Getting to High-Frequency Success

On the other hand, becoming a high-frequency enterprise means that the company’s leaders are guiding it towards being an organization where technology is a true enabler of continuous improvement and business value generation. Operating in high-frequency mode means your company’s digital leaders and teams can make changes to products, systems, and applications at the quick pace your business’s strategy requires and at the speed that your customers demand.

How does our team know this works? We have worked with thousands of the largest enterprises globally, and our team is comprised of experts that have led our own digital transformation efforts at companies like Coca-Cola Co., Capital One Financial Corp., and the Department of Homeland Security. Through this work our team has identified seven of the most common strategic shifts needed to get out of this low-frequency mode. Enterprises must identify the rigid and slow-moving anti-patterns holding them back and work to develop new behaviors. The board and the innovation and technology committee can play an active role in this process by working with its technology leadership at the C-suite level to drive an assessment of their current state relative to these patterns, and can suggest that the company prioritize these strategic shifts towards becoming better, high-frequency practitioners of digital transformation.

As board members, your role is of course to look beyond the technology. It’s important to recognize that a mindset shift is usually required to move the business into high-frequency mode. Leaders need to set the agenda, and role model the new patterns for their teams. Change is a fluid journey that requires building a continuous learning culture, constantly refactoring your systems, and always working to reduce your time to delivery. I hope the guidance provided here and in our eBook can help your board understand the enterprise patterns that will speed your digital transformation strategy to success.

Philip Potloff is head of enterprise strategy at Amazon Web Services (AWS).

Stavridis Challenges Boards to Evolve on Cybersecurity

A recent
Accenture report finds that as the challenges of cybersecurity continue to
rapidly change, increasing in impact and complexity, the cost of resolving cyberattacks
is also on the rise. In fact, in 2018, the average cost of cybercrimes on
affected companies increased by 12 percent from the year before, reaching $13
million per company. As these mutating threats grow in volume, sophistication,
and scope, companies and their boards will be forced to play catch-up with
threat actors, constantly adapting their cybersecurity defenses.

Admiral James Stavridis, former Allied Commander of NATO, has been consistently beating the drum for enhanced cyberprotection for years, and remains concerned about the varied risks originating from cyberbreaches. Stavridis recently joined NACD to share his insights into board governance of this ever growing threat. He’s currently operating executive of the Carlyle Group, chair of the board of counselors of McLarty Global Associates, and chair of the board of the US Naval Institute. He is also a monthly columnist for TIME magazine, and chief international security analyst for NBC News. Admiral Stavridis will be a featured speaker at the NACD 2019 Global Board Leaders Summit.

Cyber Risks Present a Unique Challenge for Our Times

Boards largely recognize the growing significance of cyber risks. The 2018–2019 NACD Public Company Governance Survey finds that roughly 77 percent of directors have reviewed their company’s current approach to securing its most critical data assets against cyberattacks. That said, boards remain concerned about governance of this risk area; according to the same survey, 97 percent of respondents report oversight of cybersecurity as an important area of improvement. And they are right to be concerned, as just half (50%) express confidence that their companies are properly secured against a cyberattack.

Directors’ anxieties over cybersecurity are well-founded, as
this security issue cuts across nearly all dimensions of modern life. From
national security threats to the devices we carry with us, or those found in
our homes, the proliferation of digital connectivity has increased our
vulnerability to these threats. For Admiral Stavridis, it’s important to
disaggregate the types of risk, as each will require unique treatments and strategies
to effectively address. He breaks these cyber risks down into the following:

- Criminal activity. This comprises “for profit activity, which by some estimates may amount up to one trillion dollars a year; and can include activity such as stealing an individual’s most private and intimate details from the cloud. This particular risk presents a massive challenge for most companies today.”
- Terrorism. “This is the work of groups whose activities are ideologically-driven and question the value of specific societal structures. These groups include the Islamic State, Boko Haram, WikiLeaks, right wing nationalist organizations, [and] international anarchist organizations.”
- State-on-state cyber risk. “There are a lot of shadow national activities, which used to take the form of espionage, but are quickly turning into shadow wars. Hackers are infiltrating networks, planting devices, manipulating data, and producing very real kinetic effects. In this arena, the US and China are the largest rivals, but certainly not the only relevant ones—other important players include Russia, North Korea, Iran, Israel, and France.”

Cyber-Risk Expertise in the Boardroom

In response to these threats, observers are debating the
effectiveness of adding cyber-risk expertise to boards. Congress is getting
involved, with the proposal of a bill that would push publicly traded companies
to include cybersecurity experts on their boards. A separate congressional bill
has also been introduced, which if passed into law, would require public
companies to disclose whether directors are cybersecurity experts. Proponents
of these legislative initiatives believe these would elevate oversight of this
risk in the boardroom. Opponents question how expertise will be determined and
by whom, as well as the effectiveness of a single-purpose director.

Admiral Stavridis falls squarely in the camp advocating for inclusion of this knowledge base in the boardroom, noting, “I do think it’s mandatory that every single firm has at least one cyber expert as a board member. So often, boards are simply not up to speed. [To mitigate against this reality,] some boards bring in a chief information officer, technology officer, or another member from the management team. But there is no substitute for having a peer in the boardroom, who broadly understands cyber, as well as the company’s approach to incorporating this risk calculation into its operations.” 

He also believes in the next couple years, the United States
Securities and Exchange Commission is likely to start mandating this type of
expertise for public company boards. According to the Admiral, “it will
resemble audit, in the sense that this will be a defined skillset, and will
require a committee that focuses on its oversight.” He uses one of his boards,
which established a committee on safety, technology, environment, and
operations, as an example. The board decided to incorporate safety and
operations into the committee’s responsibilities, as that is where much of the
firm’s cybersecurity concerns are concentrated. “It’s an interesting grouping,
but [to meet our company’s specific needs], that’s where we delegate governance
of cyber risk, as well as the technology function,” he explained.

Leading Practices for Cyber-Risk Oversight

The Admiral believes the future of board oversight of risk
is likely to skew towards cyber risk. His decades of experience, in the public
and private sectors, have given him a unique perspective into these threats, boosting
the legitimacy of his warnings.

This issue is not going away anytime soon. Its impact is
likely to be more acutely felt in the coming years, especially as a growing
number of companies leverage customer data to transform business models and
create value. Effectively addressing this challenge will require an approach
that incorporates not only strategy and risk management, but also legal and
technological expertise. There is no panacea. There are, however, practices and
processes that directors can adopt to mitigate exposure to cyber risks.

The NACD Director’s Handbook on Cyber-Risk Oversight provides practical guidance for boards across company sizes and types. Its five key principles are highlighted below:

- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an information technology issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.


D&O Liability: Three Emerging Areas to Watch

The risks for businesses are constantly evolving, and
the pressures on company boards and officers are continually growing. Gone are
the days when directors’ and officers’ main concerns were related to company
mismanagement and misrepresentation claims. Chief among the potential risks
boards must now deal with are emerging technologies, cyber-risk issues, and ever-expanding
litigation against companies and their boards. Given the emergence of these
three threats, it is imperative that you and your fellow board members review your
directors and officers liability (D&O) insurance for any lapses in coverage.

Emerging Technologies

Technology is advancing like never before, and
businesses are using innovative technological tools to revamp everything from
back-office processes to the products and services they deliver to customers.
But with the excitement of new and arguably better solutions come a lot of
unknowns.

Although artificial intelligence (AI), blockchain technology, digital assets, and quantum computing are all emerging technologies with something to offer businesses, each also presents potential exposures that must be understood and addressed. Whether it’s the lack of regulation, the evolution of existing regulations to keep up with new technology, a company’s inability to keep up with the times, or a board’s failure to properly disclose associated risks or costs, these new innovations can give rise to exposures that are now only being discovered by courts of law and insurance companies alike. For example, the failure to adequately disclose the potential risks associated with the implementation of AI, or misrepresentations about those risks, could lead to a potential directors and officers (D&O) insurance claim.

Cybersecurity and Privacy-Related Issues

In the relatively short history of cybersecurity exposure, boards have generally considered cyber-related loss to be a top risk for companies. The threats these incidents can pose to organizations, directors, and officers are becoming more apparent. Those threats include an increase in:

- Securities class-action filings as stock drops associated with data breaches continue.
- Derivative lawsuit filings against directors and officers for alleged mismanagement or false or misleading statements related to cyber incidents.

Over the past year, we’ve seen greater regulatory scrutiny and
activity in the cyber exposure space, and it is not limited to civil litigation.
The Securities and Exchange Commission (SEC), for example, has settled
enforcement proceedings arising out of matters such as a company’s purported
material misstatements and omissions regarding a large data breach and alleged
failures in cybersecurity policies and procedures surrounding such a breach
that compromised the personal information of thousands of customers. We expect
that the SEC and other regulators will continue to focus on cybersecurity
threats and breaches going forward.

In addition to breaches, privacy regulations—such as the General Data Protection Regulation in Europe—are a priority for all boards and a major area of focus for regulators. For example, the Federal Trade Commission’s recent acknowledgment that it has the ability to penalize individuals for their companies’ privacy law violations is a reminder that individuals are not immune to these types of exposures.

In addition to liability concerns, cyber- and privacy-related issues can cause reputational harm. A rating agency recently downgraded its outlook on a company in large part because of breach-related issues. The impact of cyber- and privacy-related exposures on companies and their directors and officers are only beginning to play out.

Litigious Environment

One need not look far to find significant litigation risks for businesses and their boards of directors. According to an analysis by NERA Economic Consulting, 83 percent of completed company mergers are met with litigation, and one in 12 publicly traded companies are expected to be sued in a securities class action suit this year. What’s more, following the March 2018 US Supreme Court decision in Cyan, Inc. v. Beaver County Employees Retirement Fund, companies going through initial or secondary public offerings are now more likely to be met with litigation in both state and federal court than before.

The world of corporate governance has changed. Business decisions
are now closely scrutinized by the public. The use of email among company
individuals forever preserves a record of discussions that once might have
remained private. And actions taken in the public eye—including those through
social media—can expose a company and its officers and directors to some form
of liability.

Plaintiffs’ attorneys, meanwhile, become more resourceful every
day; even those firms that were previously not feared have turned filing
lawsuits into a factory business. And smaller to midsize companies that once
barely caught the eye of the plaintiffs’ bar are now squarely in their
crosshairs.

According to NERA, 441 new securities class actions were filed in 2018, the most in any year since the aftermath of the 2000 dot-com crash. 2018 was also the fourth consecutive year of growth in the number of filings, exceeding the 434 filings in 2017. In the first quarter of 2019, 118 securities class actions were filed; that puts us on track for 472 class actions this year, and a fifth consecutive year of growth.

The heightened pace and total of securities class action filings that
has continued into 2019 is, in part, attributable to the growing number of
follow-on, event-driven securities litigation filings, as opposed to cases
involving accounting misrepresentations and financial restatements that have
historically made up the bulk of securities litigation. Event-driven litigation
occurs when some adverse event at a company triggers a securities claim—based either
on a stock drop following the announcement of such an event or in the form of a
derivative action thanks to an alleged breach of fiduciary duty. In addition to
cyber-, privacy-, and sexual harassment-related
event-driven litigation, an array of other incidents have led to securities
claims, including mass torts, product defects, product recalls, food safety
issues, anti-corruption scandals, and the California wildfires. These types of
risks are difficult to predict.

The cost of litigating even a baseless case that is dismissed or
settled early on can be significant, which has not gone unnoticed by D&O insurers.
The more litigious environment coupled with years of falling premiums and expansions
in coverage have brought the D&O market to a crossroads. The market has seen
14 years of generally soft conditions, providing buyers with favorable premium
pricing and broad coverage enhancements. Over the last few quarters, however,
we’ve seen a dramatic switch. Premium increases are now commonplace and policy
negotiations have become more difficult as insurers face pressure on primary,
excess, and Side-A—or personal asset protection—differences in condition
pricing.

With the risks for directors and
officers constantly becoming more numerous and complex, insurance is more
important than ever. It’s vital to consult closely with your insurance and
legal advisors to ensure the companies you serve have robust D&O insurance
programs that protect both corporate and personal assets against these, and
other, potential threats.

Sarah Downey is the D&O product leader at Marsh.

Overseeing Cyber Risks in a Complex Regulatory Landscape

Organizations face increasing
cybersecurity risks and threats to their customers, financial information,
operations and other data, processes, and systems—and state and federal governments
are alert to the threats imposed on their constituents. To understand just how
widespread concerns about these risks are, look no further than the abundance
of cybersecurity legislation that is currently on the dockets of state
legislatures across the country.

For example, California, New Jersey, Washington, and Illinois are among the latest states to enact breach notification legislation that will significantly impact businesses operating in those jurisdictions by defining whether, when, how, and to whom notifications of a breach must occur. Some of these laws are going into effect just months after being signed and the cost of noncompliance can be severe (in California, fines are assessed per record breached).

As stewards of the strategy,
finances, reputation, and overall
direction of an organization, corporate directors have an important role to
play in ensuring adequate policies and protections are in place to answer the
demands of such regulations—and that their whole board is ready to meet the
oversight demands of new regulations.

Directors are in a position
to provide the leadership and strategic direction necessary to help their
organizations balance the need to safeguard information, minimize disruption in
case of an attack or breach, provide transparency, and manage a sustainable
cybersecurity program with competing strategic
priorities.

There are four key steps boards should take to ensure adequate cybersecurity program development and oversight in response to emerging regulations and threats:

1. Understand the threat landscape and how companies are expected to respond under the law. Corporate directors and leaders need a clear picture of the threats at play to assess and implement an appropriate response framework that both meets the business’s needs and is compliant with a complex web of laws.

Adversaries’ tactics will vary based on their motivations. Nation-states may be focused on cyber warfare while garden variety criminals (including internal threats) are likely to commit fraud or steal information. Each of these threat types will warrant their own response, and may also warrant involving different law enforcement and regulatory agencies.

It is also important to note that the nature
of threats will vary by industry. A real estate company is likely to face a
higher risk of wire fraud, while a manufacturer might be a target of theft of
information by foreign governments. Directors should spend time in their busy
schedules understanding the appropriate responses required per
industry-specific regulations.

In addition, the range of threats—from phishing and social engineering to attacks on the supply chain—is constantly shifting. Boards must be aware of emerging threats, ensure they have the right team in place as first responders, and ensure people and processes are in place to help mitigate and address regulatory and compliance consequences from cyber incidents.

2. Ask relevant executives, leaders, and legal counsel the right questions. The board is tasked with gathering information from leadership, but the value of the exercise is dependent on asking the right questions. This ability becomes much more acutely important in light of a cyber breach, but should be practiced early and often. While these types of questions have been suggested for review by many in the cybersecurity community, it is worth asking the following in light of increased regulatory action:

- On risk: What are our risks and how are they being mitigated? Who is the owner of a particular risk?
- On capabilities: What are the people, tools, and processes we have in place to implement our cybersecurity framework? Do these comply with the demands of new and existing regulations?
- On controls: What controls are currently in place? What are the organization’s cybersecurity policies and procedures (e.g., incident response plan) and when were they last reviewed, tested, and updated? What training do employees receive regarding privacy and security?
- On trends: What industry-leading best practices should be considered? What stories of disaster should we read and learn from?
- On regulation: What is taking shape at the local, state, and federal levels that will impact the business? What is the plan to get compliant and stay compliant?

3. Know the potential costs and how they influence risk tolerance. In the event of an attack, it will be important to demonstrate to regulators good faith efforts to identify and remedy risks. The extent to which an organization can show regulators that they did the work up front and put controls into place based on industry standards and best practices will determine the strength of their case for reduced penalties. For most organizations, cybersecurity incidents and regulatory noncompliance are associated with legal, financial, and reputational risks.

Compliance and risk mitigation come with
their own set of financial costs. In Arizona, the maximum fine is $500,000 per
breach event while Alabama can impose a fine of $5,000 per day for failure to
comply with its notification law. To make decisions about risk tolerance,
companies need to balance the risk with the cost of everything from business interruption
to notification costs and potential fines.

Directors of companies should also closely review their own director and officer liability insurance policies frequently to see if cyber-risk-related incidents are covered.

4. Establish metrics for governance. One of a board’s most important roles is to establish and assess metrics to enable oversight of the company’s cybersecurity program. The board should prioritize the development of a well-documented plan that is designed to account for and address evolving regulations, including a board-level metrics portfolio focusing on the following categories:

Program status, including cybersecurity strategy milestones and program tracking;

Internal environment updates such as patching and the state of infrastructure, and the capacity of people to prevent phishing and data loss;

External environment updates, including the ability to gather threat intelligence and respond to emerging cyberthreat trends;

Compliance and audit figures on cybersecurity audit planning and regulatory compliance tracking; and

Response figures on disaster recovery, business continuity, and incident response planning.

Board members’ oversight of
cybersecurity programs is crucial to protecting business interests from current
and future threats. This requires boards to take an active role in strategy,
validation, detection, and response
plans, ultimately steering the dialogue with stakeholders to better understand,
assess, and identify cybersecurity needs and deficiencies that need to be addressed.

It is impractical and inefficient for organizations to revamp their cybersecurity risk management program each time a new law goes into effect. Organizations with a presence in multiple jurisdictions should instead think holistically about their programs. Because the cyberthreat landscape is constantly changing, risks must be regularly weighed against strategic goals, and the company must meet the regulatory demands created to protect businesses and consumers alike. By ensuring the quality of a company’s cybersecurity framework through leadership and oversight, a board can fulfill its obligation to protect the overall health and sustainability of the organization.

David Ross is a principal and the cybersecurity and privacy practices lead at Baker Tilly.