Keep One Eye on Pandemic Fallout, One on the Longer Term, Says Global Risks Report 2021

Last year will forever be defined by COVID-19’s devastating impact across societies and economies. However, the global pandemic also intersected with a range of other threats to accelerate and exacerbate preexisting global challenges and drive unexpected outcomes. Organizations will now need to appreciate how these issues might develop if their strategies and business models are to stand the test of time.

Trends and Reverberations

The Global Risks Report 2021, prepared by the World Economic Forum in collaboration with Marsh & McLennan and other partners, reflects on disparities in the socioeconomic fallout from the COVID-19 pandemic and the implications for the next decade. Strengthened by the insights of more than 650 global risk experts and leaders, the report contains four broad messages, detailed below.

1. Societies will likely continue to grapple with the long-term impacts of the pandemic on their economies. An already sluggish global economy at the end of 2019 is expected to see that growth has dropped by 4.4 percent in 2020, while governments collectively expended almost USD 12 trillion in fiscal measures to support their citizens through the crisis. The road to recovery remains arduous and vulnerable to setbacks from new surges of the virus in the foreseeable future, while pressures on household purchasing power, business reluctance to invest in fixed assets, and government debt crises may also hold back growth.

Downside scenarios set out a global gross domestic product that may be, by the end of 2022, 8.5 percent smaller than pre-pandemic projections—a total loss to economic output in the order of USD 23 trillion. While recently announced large-scale stimulus measures are welcome for many, the challenge ahead is how to transition successfully from providing “life support” in the form of unemployment aid, rental assistance, and tax reliefs to the transformational agenda of revitalizing and restructuring economic ecosystems, sectors, and businesses with an eye toward a sustainable future.

2. Inequality, already on the rise pre-pandemic, was significantly exacerbated by the crisis along multiple dimensions. Massive waves of employment loss globally have endangered the livelihoods of millions of people and may be consolidated in the recovery. Small businesses, youths (aged 15-24), unskilled workers, working parents, and minorities—overrepresented in sectors hardest hit by the pandemic—saw retrenchments and closures at multiples of national averages. Female-owned businesses in North America closed at nearly twice the rate last year of their male-owned counterparts, and Black-owned businesses in the United States suffered closures 2.4 times more than those that were white-owned.

At the same time, lockdowns across the world have interrupted important pathways to socioeconomic mobility, with the education of billions significantly disrupted and workplace constraints throwing a new spotlight on digital divides. Livelihood impacts and disparities have amplified mental health challenges, which will reverberate for many years. Forty percent of adults in the United States have experienced increased anxiety and depressive disorders over the past year, disproportionately so among the young (18-24 years old), racial and ethnic minorities, essential workers, and caregivers.

3. Escalating fractures in domestic politics threaten democracy and the rule of law. Trust in governments, public institutions, and businesses across the world has greatly diminished, often catalyzed by widespread misinformation, mounting social polarization, and hyper-partisanship. Trends suggest that mobility rights have become more constrained, Internet freedom has declined, and surveillance has increased. Pro-democracy and anti-government protests have been intense against injustice, authoritarian behaviors, and shortcomings in national pandemic responses. In some countries this sets a new tone for the future; elsewhere, achieving unity and restoring confidence in public institutions will be hard work.

4. Geopolitical schisms may grow as the pandemic accelerated the existing global trend toward a more protectionist stance. The US-China rivalry continues to intensify; foreign direct investment restrictions across advanced economies have expanded markedly on national security grounds; and challenges stemming from state-on-state cyberattacks have become more acute. While the pandemic may have created turmoil for the cross-border supply of critical goods, moratoria on trade disputes provide hope for the ability of global trade to underpin the recovery and the 40 million US jobs in export sectors, of which 98 percent are with small businesses.

Pressures on several fronts introduce the prospect of a disorderly shakeout for different sectors, which it will be vital for businesses to anticipate at a time of inherent fragility. With governments in all economies holding center stage and keen to seize opportunities for a fundamental reset, it is likely that the implementation of industrial strategy and thematic priorities will generate not only winners and losers, but also disruptive discontinuities in business ecosystems. Regarding the digital agenda, technology giants came out of 2020 with stronger, more diverse revenue streams, with enhanced investment power, and better positioned to compete on more strategic agendas—but also facing a plethora of government-led lawsuits, investigations, regulatory proposals, and legislation across the world. How this plays out will have ramifications for companies in other sectors, whose technology agendas have become more ambitious and more accelerated because of the crisis.

Finally, stakeholder scrutiny has significantly increased. The focus on environmental performance has risen and corporate ethics are on radars, with workforce diversity, supply chains, and employee exploitation among top issues considered. Meeting employee expectations that companies take stances—and quickly—on key issues may take leaders out of their comfort zones and present commercial dilemmas.

Oversight Imperatives

As they take stock of this turbulent risk landscape and guide management teams, boards might wish to reflect on four approaches that will help enhance the resilience of their organizations.

First, there has been much valuable discussion in recent years about disruptive risks. The past year, though, has pressed firms to appreciate the likelihood of concurrent crises, the validity of more extreme scenarios, and the existence of ignored tail risks that were lurking in risk registers all this time. This argues that companies should develop tougher stress tests to understand how they would stand against different eventualities.

Second, the crisis has made firms acutely aware that resilience is not a fixed standard, but an evolving, active process in which organizational muscles are stretched and honed. The most advanced businesses are able to flex trade-offs between agility, efficiency, and robustness with confidence, even at times when data and intelligence are weak.

Third, as boards look to the next year, it will be important to have one eye on near-term surprises and setbacks and the other on longer-term transformations. If companies only do the former, the price of survival may be obsolescence.

Fourth, organizations need to find the right balance between human capital and technological capital and anticipate associated risks accordingly. There’s no question that technology and data have underpinned governmental responses to the pandemic and enabled firms to keep working during the crisis—but the ability to reshape working practices, motivate employees, and retain talent in the recovery will be critical for ongoing success.

Richard Smith-Bingham is an executive director of Marsh & McLennan Advantage and a key contributor to the Global Risks Report 2021.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

What a Biden White House Might Mean for Boards

Editor’s note: This excerpt is pulled from the January/February 2021 issue of Directorship magazine, launched this week. For more key regulatory themes to keep an eye on, as well as further insights into the themes listed below, read the full article here.

“Regulators are in a strong position to drive change. What is more powerful is for the change to come from the top down within business organizations.” So said Laura Cha, chair of the Hong Kong Exchanges and Clearing at a January World Economic Forum conference. In her speech to business leaders, Cha challenged directors to “step up in driving the ESG agenda of their companies.”

Her words were prescient, and US-based directors would be wise to heed them now. As the Joseph R. Biden Jr. administration begins its work, boards that have not been Washington-minded may experience culture shock. The White House under President Donald J. Trump and Vice President Michael Pence focused on deregulation. By contrast, an administration led by President Biden and Vice President Kamala Harris will likely focus on restoring regulations. This is especially true now that both chambers of Congress are controlled by a Democratic majority, albeit by slim margins, after twin victories in Georgia Senate runoff elections. Democrats will control committees and the legislation and nominations brought to the floor, with Vice President Harris casting the deciding vote in the event of a tie. Directors can expect many additional regulations and bills—if not laws—increasing regulatory requirements for companies and the boards that govern them.

A renewed focus on regulation would have two distinct implications for boards. First, board oversight of regulatory compliance must sharpen because companies will have to deal with new or restored regulations. Second, boards themselves are likely to contend with new requirements stemming from the Dodd-Frank Act that were put on ice under the Trump administration. The following key themes should help boards gain an advantage as we enter a new year with a new presidential administration.

Diversity

In light of the current national emphasis on civil rights issues, we may see Congress revive diversity bills under renewed or new sponsorship. For example, the Improving Corporate Governance Through Diversity Act, if reintroduced by its original sponsor Rep. Gregory Meeks (D-NY), would ask the US Securities and Exchange Commission (SEC) to “require the submission of data relating to diversity.” A similar bill could be reintroduced in the Senate by Sen. Robert Menendez (D-NJ). Rep. Carolyn Maloney (D-NY) is likely to bring back the Diversity in Corporate Leadership Act, which would require the SEC to “establish a Diversity Advisory Group to study and make recommendations on strategies to increase gender, racial, and ethnic diversity on the boards of issuers, and to “amend the Exchange Act of 1934 to require issuers to make disclosures to shareholders with respect to gender, racial, and ethnic diversity.”

In parallel with congressional initiatives to increase disclosure requirements, the SEC under a new chair will likely focus on company disclosures on board diversity. The SEC’s scrutiny may extend to compliance and disclosure interpretations (C&DIs) about board diversity. C&DIs—likely more familiar to general counsel and corporate secretaries than to most directors—are interpretations by the SEC’s Division of Corporation Finance intended to provide guidance on rules. It is possible that at some point this year the SEC will expand further the guidance it offered last year. One example: in a Feb. 6, 2020, update on Regulation S-K, the SEC added a question and answer about Item 401(e) that requires discussion of what led to the conclusion that a person should serve as a director, as well as a related provision under Item 407(c) requiring a description of how a board implements policies on nominee diversity “such as their race, gender, ethnicity, religion, nationality, disability, sexual orientation, or cultural background.”

Compensation

The Biden administration will almost certainly strengthen laws affecting working conditions and pay equity, and Congress will likely reintroduce legislation on this topic. In a November fundraising message to Democrats, Robert Reich, former labor secretary under President Bill Clinton, called for an “FDR moment.” Reich, using language that some may find hyperbolic, wants to “reverse Trump’s efforts to take away workers’ health care” and “protect all workers against wage theft.” He also wants to bolster workplace safety inspections to make it easier for businesses to classify workers as independent contractors, and “ensure millions of workers receive the overtime pay they deserve.” In Congress, among the bills likely to be revived is the Corporate Freeloader Fee Act that was introduced by Sen. Sherrod Brown (D-OH) to “impose an excise tax on employers with low-wage employees.”

The new year will also be a time to remember the Dodd-Frank Act. The long-pending pay-for-performance rule proposed in 2015 may be finalized. Section 953 of Dodd-Frank mandated that the SEC pass a rule requiring public companies to disclose “the relationship between executive compensation actually paid and the financial performance of the issuer, taking into account any change in the value of the shares of stock and dividends of the issuer and any distributions.” Legislators who passed the law were concerned that some executives were being overpaid in relation to their performance. The rule defines pay as the total reported in the compensation tables of the proxy, with some modifications, and it defines performance as total shareholder return (TSR) over each of the company’s five most recently completed fiscal years compared to peers.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

US 2021 Cyber Agenda May Affect Liability, Disclosure, and Enforcement

Structural and technological changes have been set in motion by COVID-19, creating new cyber-risk and security challenges that will likely endure even after the pandemic ends. There is no shortage of cyber-threat actors attempting to take advantage of this situation, and the majority of cyberattacks continue to be financially motivated.

While cybersecurity has seen strong progress over the last decade in terms of threat information sharing and cyber-resilience measures, it is still easier to attack than defend in cyberspace. Every year, cybercrime becomes cheaper, easier, and faster, making a variety of companies more vulnerable to attacks than ever before. After all, all companies are tech companies nowadays.

Last year, of course, was no exception. As boards seek to oversee companies’ risk assessments, investments, and cyber-defense tactics to ensure their businesses adapt to meet post-pandemic cyber challenges, they must take stock of the complex and varying types of cyberattacks businesses faced in 2020.

Over the past twelve months, massive amounts of downtime due to business disruption caused by cyberattacks and large troves of highly sensitive data made the private sector particularly vulnerable to ransomware, supply-chain compromise, distributed-denial-of-service (DDoS) attacks, and data breach attacks. As cybercriminals devised new ways to profit, such attacks grew in volume, sophistication, and impact.

DDoS extortions, where attackers extort companies by threatening DDoS attacks, made a resurgence in 2020, with the New Zealand stock exchange among financial institutions targeted. Even Amazon Web Services suffered a record-setting attack last February.

While DDoS attacks have caused significant problems, ransomware dominated the headlines last year. In fact, 2020 saw seven times more ransomware attacks than 2019. However, it is far from just a volume issue, as ransomware operators, driven by profit, think of new and innovative attack strategies. Attackers now almost always steal sensitive data in addition to encrypting the target company’s network or devices—called “double-extortion” ransomware—and extort victims by threatening to either publish data online or to auction off victims’ data on the dark web. Among companies that experienced double-extortion ransomware attacks last year were Banco de Costa Rica and a trio of financial technology providers including Cognizant Technology Solutions Corp., Finastra, and Pitney Bowes. There has also been staggering growth in the ransomware-as-a-service (RaaS) market, with Intel 471 tracking 18 new RaaS groups in 2021.

The US Securities and Exchange Commission (SEC) has issued multiple alerts warning of increasingly advanced ransomware attacks on registrants as well as their third-party service providers. As the massive SolarWinds breach starkly highlighted, even entities with relatively robust cyber defenses are vulnerable to attacks through third-party suppliers. Sophisticated attackers recognize this and are increasingly devoting attention and resources to targeting third-party service providers and other organizations down the supply chain that allow them to compromise many networks at once. Companies everywhere should pay more attention to supply-chain vulnerabilities as potential attack vectors for data breaches, ransomware, and other cyberattacks. 

Indeed, there is no end in sight, with damages from cybercrime projected to reach $6 trillion globally in 2021. Despite ever-growing investments in cyber defense, an increasingly anxious public feels that the oversight of federal agencies, boards, and CEOs fails to meet their expectations. The lack of a generally accepted framework for the evaluation of cyber risk, agreed-upon best practices, or unifying standards adds to the uncertainty and complexity for senior executives and directors of understanding the true nature and extent of an organization’s cyber-risk exposure. Given this emerging reality, the legislative and regulatory agenda must evolve to address these economic, national security, and stakeholder impacts. 

The Expected Cyber Agenda Under the New Presidential Administration

President Joseph R. Biden Jr. has said his administration will make cybersecurity a top priority at every level of the government. Moreover, in stark contrast to the previous administration’s agenda, the focus on data privacy issues will intensify as will collaboration with Europe and the global community. Vice President Kamala Harris has a track record of such focus; as attorney general in California, she spearheaded privacy efforts that ultimately led to the state’s adoption in November of the California Privacy Rights Act (CPRA), which established a new regulatory agency to police data privacy.

Changes in US Senate leadership and anticipated greater collaboration with the US House of Representatives will likely spur bills to address the governance of cybersecurity, incident reporting, and consumer privacy. Senators Sherrod Brown and Pat Toomey have agreed to furthering technology concerns in the Senate Banking Committee. It is widely expected that Senator Jack Reed will reintroduce a bipartisan bill to require disclosure to investors of information on whether a company’s board has a member with cybersecurity expertise. Moreover, the Cyberspace Solarium Commission, mandated by the National Defense Authorization Act of 2019, recommended various legislative initiatives that may advance, including amending the Sarbanes-Oxley Act of 2002 to mandate corporate accountability and certain cybersecurity disclosures by publicly traded companies.

Leadership changes expected at financial services regulators and at the Consumer Financial Protection Bureau will likely coincide with a host of new regulations as well as a revitalization of consumer protection efforts. Further, market participants should anticipate an increase in examinations and enforcement actions from all independent regulators and other oversight agencies, such as the Financial Industry Regulatory Authority.

States legislatures and regulators are expected to continue to prioritize cybersecurity and data privacy. Some may align with the CPRA and others with the New York Department of Financial Services cybersecurity requirements, which cover all financial institutions operating in New York. The lack of a comprehensive federal cyber regime has and will continue to contribute to the diversity of state initiatives, which may be reminiscent of state blue sky laws from the early 1900s.

Without question, the legislative and regulatory landscape in 2021 will include a variety of measures that seek to improve the accountability for and governance of cyber-related concerns.

How Boards Can Act Now

While there is no one-size-fits-all solution, there are specific defensive investments that companies can implement to mitigate risk from costly cyberattacks—and to preempt new regulations and legislation.

The first step in improving cyber defenses is to know what needs protection by quantifying cyber-risk exposure and deriving a risk appetite. Companies should conduct a 360-degree review across the enterprise that covers external exposures, such as those created by third-party service providers. A discussion around risk appetite, addressed in the NACD Director’s Handbook on Cyber-Risk Oversight, should cover the following principles:

Corporate Values: What risk will we not accept?
Strategy: What are the risks we need to take?
Stakeholders: What risks are stakeholders willing to bear, and to what level?
Capacity: What resources are required to manage those risks?
Financial: Are we able to adequately quantify the effectiveness of our risk management and harmonize our spending on risk controls?
Measurement: Can we measure and produce reports to ensure proper monitoring, trending, and communication?

Managing supply-chain risk from third-party service providers has become an essential part of corporate risk management. As supply-chain attacks leverage the existing trust between vendors and customers, they can be incredibly difficult to prevent and detect. Today, unfortunately, many companies remain underinvested in this area.

Companies should ideally try to evaluate the cyber-risk exposure of prospective service providers before engaging them as trusted third-party partners, and one way to achieve this is through security ratings. These ratings, from companies such as SecurityScorecard, provide a standardized snapshot and ongoing monitoring of a company’s cybersecurity capabilities to help it make strategic risk decisions.

Advanced companies can also use security ratings alongside strategic risk metrics to do the following:

Align cyber-risk scenarios with material business exposure.
Roll the reporting of cyber risks together with financial exposure to inform risk-management decisions.
Measure the improvement of cyber-risk reduction over time.

Companies must also ensure sound technology hygiene. A large part of this involves implementing proactive vulnerability and patch management programs and applying secure coding standards across internal and external applications, but it also includes managing supply-chain exposure, integrating enterprise-wide security, and performing regular risk-assessment evaluations and incident-response exercises.

With cybersecurity and data privacy on the legislative and regulatory horizon, boards should act now to ensure their security programs will meet potential requirements and stay up to date as Congress and regulatory bodies proceed with their related plans.

Christopher Hetner has served in various executive roles in both the private and public sectors, including senior cybersecurity advisor to the chair of the SEC, senior member of the US Department of the Treasury Financial Banking Information Infrastructure Committee, cyber-risk advisor to the National Association of Corporate Directors, and global chief information security officer of GE Capital. Robert Peak has served in senior capital markets policy roles including at the SEC, where he worked on the Commission’s issuance of its 2018 cybersecurity guidance. He has advised commissioners, members of Congress, and board members, and is a thought leader in securities trading, regulation, and enforcement.

The views expressed in this presentation are the views of the author and do not necessarily reflect the views of the author’s employer or any other entities with which the author may be associated.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

10 Actions for Boards in Response to Political Violence

The tragic siege of the US Capitol on Jan. 6 was shocking, adding a new burden of questions and actions for boards in its aftermath. And national security officials, law enforcement leaders, and politicians from both sides of the aisle agree: more politically motivated violence is likely.

The events of 2020—particularly the COVID-19 pandemic and racial justice protests—created a greater imperative for companies to consider their positions on environmental, social, and governance (ESG) matters. Worker safety, job security, and company actions that may affect reputation all became important matters for boards to oversee. The recent political violence adds a new level of urgency to addressing ESG issues. As companies weigh enterprise-risk scenarios that could result from potential ongoing political violence, here’s what boards can do.

1. Consider the risk of political violence on your company’s business model. As a result of the violent activity at the Capitol, some companies took swift action to avoid the impact of the violence or to preserve their reputations. Social media companies promptly terminated accounts linked to the violence, home-sharing companies cancelled reservations or issued warnings that they would remove users promoting violence, a book publisher revoked a book contract with a related party, and a popular fundraising site removed all fundraising intended to cover the cost of travel to potentially violent political events. In each case, the risk of staying silent was too great. 

Each company needs to consider the potential that its products or services might be used to effect or contribute to political violence. Companies that fulfill government contracts, especially those related to homeland security, intelligence, or the military, have an even more urgent need to consider the direct impact on their abilities to conduct business as a result of insufficient vigilance. 

Every company should examine its unique characteristics and business model to determine whether it faces specific risks. Outside legal counsel can assist with a thorough review.

2. Understand the impact of this moment on your brand. In this politically polarized time, customers and suppliers are increasingly seeking and drawn to companies and brands that profess political ideals that align with their own. Determine what your company is prepared to say publicly and make sure your managers understand any limitations they have to speak on behalf of the company. 

3. Discuss the company’s policies and practices around political activity. Companies must make clear to their stakeholders what types of political activity are considered appropriate for employees at all levels so that future concerns and prohibited employee activity are addressed in a fair, consistent, and timely manner. Leadership should craft internal policies to address these new workplace concerns with the goal of ensuring worker safety and protecting the company’s brand and business operations. 

To be clear, this review should not support one party affiliation or political view. Management should ensure policies and procedures are based firmly on the best interests of the company and its various constituencies. Remember that “tone at the top” will be important. If these discussions become contentious, boards and C-suites should invite outside legal counsel or other advisors to lead and manage the discussions.

Offering a clear public statement now about a company’s policies regarding political violence creates grounds for remedial action in the event of transgressions by rogue employees and may soften any reputational blowback.  

4. Reexamine guidelines for employee communications. Companies should have well-defined policies on the kinds of conversations and activities that are allowed in the workplace. These should incorporate what defines “appropriate” utilization of workplace email and other company infrastructure. After the events of Jan. 6, one company fired an employee who was photographed wearing his company-issued badge while inside the Capitol building.

Some organizations may also want to review their employee social media policies, even if such activity occurs using personal accounts outside of work hours. For example, what would happen if an employee openly discusses plans for violence or seeks to encourage others to affiliate with a violent group? While this scenario may seem far-fetched for your business, it is better to be clear and upfront about company policy and the consequences of policy violation than to be caught unprepared and unsure about the next steps to take in such an instance.

5. Update crisis plans. Some individuals who stormed the US Capitol have been publicly identified and fired from their organizations. Going forward, companies should have a plan in place in the event that an employee commits or advocates for any behavior that violates company policy.

Boards can help create or update crisis plans that cover the following: prohibited employee activity, the possibility of future political violence against the company itself and its employees, and domestic terrorism in any community connected to the business. These plans should include proposed communications with employees as well as external stakeholders and should outline steps the company would take to address the specific crisis.

6. Refresh workplace safety and violence programs. Threats have been made against numerous corporations in recent weeks—especially technology companies that have been drawn into the debate around their roles in political violence. Consider whether your workplace safety measures and training account adequately for potential domestic terror activities. Programs and policies should be reviewed to ensure that they clearly delineate company policies regarding employee behavior in the workplace that will and will not be tolerated—and to protect employees and other stakeholders who may be put at physical or other risk by domestic terror activities. Provide reminders and training to employees and repeat them at regular intervals.

7. Provide your leaders and front-line personnel with additional training. The threat of political violence or political contention in the workplace is not typically covered in human resource training. Boards can push management to consider offering additional education or training to ensure that human resources, legal, and security personnel are prepared to evaluate any allegations or navigate related situations. Consider whether law enforcement or other expert personnel might be helpful in educating staff on how to identify and respond to extremist groups’ activity.

8. Create a pathway for confidential reporting. Many companies have communication channels to anonymously report harassment or allegations of fraud. Organizations should consider expanding hotlines or creating new ones through which employees can report prohibited activity or discussions of political violence, or related matters that violate company policy. Make sure employees are aware that they have anonymous access to report behavior that makes them feel uncomfortable or unsafe. 

9. Keep an eye on institutional investors. Large institutional investors have the power to upend the corporate landscape; several have already done so with regard to boardroom composition by issuing powerful statements in support of board diversity. If they determine that political violence poses a systemic concern, their statements and actions will reverberate widely.

10. Do not be complacent. Experts suggest that political violence is likely to ebb and flow. While many will rightfully breathe a sigh of relief during periods of relative quiet, take such opportunities to thoughtfully review policies and practices so that your company is prepared when the next incident or upheaval occurs. 

Helene R. Banks, a partner at law firm Cahill Gordon & Reindel LLP, provides guidance to boards and C-suites concerning corporate governance and ESG matters, and is widely published on these topics.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

SolarWinds Supply-Chain Attack Besets Boards with Implications

In 2020, we saw a rapid increase in cyberattacks while the COVID-19 pandemic ravaged the globe. A report by Crowdstrike in September, for example, noted that it had seen more attacks in the first half of 2020 than in all of 2019. Cyber criminals seized the crisis as an opportunity to further monetize attacks by proliferating ransomware and leveraging more commonplace fraud techniques at record levels. Amid this turmoil, a widespread and persistent attack that would further disrupt our confidence in the software supply chain and shatter our trust in enterprise software quietly lingered.

The attack on SolarWinds, disclosed in the company’s December regulatory filings, and subsequent victims including FireEye, Microsoft Corp., and numerous US federal agencies, tears at the fabric of standard risk management and security practices. This is a stark reminder that no amount of risk ranking, vendor profiling, or controls will thwart a persistent, capable adversary, or compensate for systemic vulnerabilities in an organization’s approach to managing a software supply chain and its supporting technologies.

Although the attack used a few new and refined mechanisms to compromise SolarWinds and other organizations (such as low-level compromises of the software development process and the subversion of cloud identity management technology), it was the attackers’ skilled penetration and prolonged period of remaining undetected that was the most astonishing. In fact, had they not attacked FireEye (with a world-class incident response practice in its Mandiant Solutions branch), they may have gone undetected for even longer. The attackers’ approach to target a small set of specific victims using SolarWinds’ supply-chain entry point even though they had potential access to more organizations is also remarkable.

Ultimately, the SolarWinds attack requires a shift in the way companies assess cyber risk in their supply chains as well as the way they view other associated risks. This refactoring will require time for new approaches to develop and mature, but three takeaways from the attack are clear today.

First, an organization cannot simply rely on a combination of questionnaires and outside information about the vulnerabilities and practices of critical suppliers to assess the likelihood of a breach of their systems, which may then harm other organizations. While this approach may have historically served the need to rapidly risk-rank suppliers and limit extending trust to low-performing organizations, it does not adequately address those suppliers that score well in these processes and that are then placed into positions of trust with high-risk access to data and networks.

Second, security and technology leaders will need to focus more on the essential (“key”) suppliers, which are unique to each organization. The level of trusted access that suppliers have enjoyed, even for those critical to business processes, will need to shift, and “essential supplier” blessings (which sidestep risk and security processes) will become a thing of the past. This increased scrutiny of key supplier risks requires that businesses reduce their number of software suppliers. There should be no more “preference buying” across business and technology teams who have largely similar needs but use different and duplicative software simply because of siloed operations and personal preferences. Chief information officers (CIOs) should consolidate software suppliers, and chief information security officers (CISOs) can reduce risk by exercising intense scrutiny over whether remaining suppliers should continue to have critical, trusted access.

Finally, businesses must consider leveraging cloud infrastructure to replicate capabilities that may have historically been delivered through installed, difficult-to-customize, and potentially insecure software. Use of cloud allows organizations to leverage the high level of assurance that cloud providers have built into their infrastructure, further consolidate technology vendors, and use new security design approaches such as zero trust—a relatively new concept in secure computing that focuses on regularly validating the identity and integrity of users and equipment before establishing trusted relationships. If executed correctly, the result is a more resilient enterprise built on cloud-provided infrastructure that has been constructed with a security-by-design approach instead of the inherited flaws of legacy technology environments.

Directors have additional factors to consider when engaging management on the implications of the SolarWinds attack and on software supply-chain risk. Some questions to frame the discussion include the following:

Does the organization have a process to risk-rank vendors based on their level of access to critical data and ability to disrupt the business?
Has the organization adequately identified whether it could be targeted with the goal of compromising other companies, and has it integrated this scenario into its cyber-risk management planning?
Do we need all of our suppliers? Who within the organization is accountable for the proliferation of software suppliers? (As the number of suppliers grows, supply-chain complexity and exceptions to security controls—not to mention risk— also increase.)
If the use of a software supplier requires the company to grant a security policy exception, who makes decisions around exceptions and how are they tracked? (A well-publicized page from a SolarWinds configuration manual suggested that customers exclude the product from basic malware protections for proper functioning. This requirement is not unique to SolarWinds and has been commonplace among software providers since firewalls and antivirus software were created. There are countless examples of CIOs calling CISOs to say, “We have this product going live tomorrow and the firewall is breaking it. We need an exception to our security policy, or we will miss our deadlines.” If these conversations are happening at your organization, the board and management should consider that institutional processes likely require some review.)
Who in the organization is responsible for tracking new developments about the SolarWinds attack? Are they regularly analyzing the company for related compromises and vulnerabilities as new information is made available? (We do not yet know the full extent of the SolarWinds attack—including a complete list of its victims, the techniques used, or all the suppliers compromised. A new compromised supplier was publicly identified as recently as two weeks ago, almost a month after the original attack came to light. It’s likely we will be learning about the depth of this attack for some time yet.)

There is, however, some better news. While the implications are still not fully known, it is believed that the SolarWinds attack was designed as an intelligence-gathering operation. As noted, the attackers appear to have had the ability to compromise thousands of organizations, but instead chose their victims carefully, and have not weaponized the attack in a destructive way thus far. While it is easy to contemplate a more sinister outcome, boards should instead focus on building resilience into their companies’ software supply chains and understanding their potential exposures.

Derek Vadala (@derekvadala) is cofounder and CEO at VisibleRisk, a joint venture between Moody’s Corp., a global integrated risk assessment firm, and Team8, a cybersecurity-focused company creation platform. Vadala leads a team that is focused on creating a standard benchmark for communicating cyber risk to boards and senior business executives in order to improve the global dialogue about this important issue.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Climate Change Under the Biden-Harris Administration: What Boards Should Know

When the Biden-Harris administration takes the reins of the US federal government in January, it will face challenges of historic proportions. In addition to the pandemic and associated economic fallout, the new administration aims to tackle racial injustice and climate change as top priorities.

But rather than viewing these as separate issues, the new administration is approaching them as interconnected. For instance, one of the first administration positions that Biden announced was John Kerry as special presidential envoy for climate—the United States’ first cabinet-level position focused exclusively on climate change and one that has a seat on the National Security Council. Moreover, several of the picks for economy leadership—such as Janet Yellen as secretary of the treasury—have strong climate change credentials.

Regardless of the makeup of the US Senate, we can anticipate plenty of climate action from the incoming presidential administration. Here’s what corporate boards can expect.

Enhanced Regulatory Oversight of Climate Risks

It is a safe bet that US financial regulators will increasingly recognize climate change as a systemic risk to financial systems and start to integrate it into their oversight of major industries. Less than a week after the presidential election, the Federal Reserve highlighted climate change as a near-term risk to the financial system, calling on banks to establish robust systems for climate-risk oversight. Days later, the organization announced its intention to join the Network of Central Banks and Supervisors for Greening the Financial System, a group of 75 global financial regulators seeking to combat climate change by better understanding the risks it poses to economies.

These developments add to the already growing momentum around integrating climate risk considerations into the financial system, including the release of a “first of its kind” report on climate change from the US Commodity Futures Trading Commission in September, which identified climate change as a threat to US market stability and outlined a series of steps that regulators could take to address this risk. An increase in US regulatory action would follow similar actions taken by central banks around the world, including in countries such as the United Kingdom and France, as well as by the European Commission, all of whom have or will institute climate change stress tests of their respective financial sectors.

Increased Freedom for Investors to Engage on Climate

During the Trump administration, investor engagement on climate change has been robust. The 2020 proxy season saw more than 140 climate-related shareholder proposals, with a record six resolutions earning majority votes. These actions are particularly notable given changes in regulation: just this fall, the US Securities and Exchange Commission (SEC) raised the threshold for investors to file resolutions and the US Department of Labor finalized a rule limiting the ability of fiduciaries under the Employee Retirement Income Security Act of 1974 to integrate environmental, social, and governance (ESG) issues such as climate change into their investment process (despite fierce opposition from the investor community).

In the Biden-Harris administration, we may see a reversal of these and other restrictions on the ability of investors to engage on climate change and ESG, potentially allowing investors to move forward with even more tools at their disposal.

Climate Change Disclosure Rules

Increased scrutiny of climate risk under the new administration will go hand in hand with the push for greater transparency throughout the financial system. The annual status report from the Task Force on Climate-related Financial Disclosures (TCFD), increasingly seen as the gold standard in climate change reporting, noted that while 60 percent of the world’s largest public corporations support the TCFD, less than 7 percent actually report the impact of climate change on business and strategy—hence the need for climate change disclosure rules.

Indeed, President-elect Biden has indicated that he would issue an executive action requiring climate change disclosures during the first days of his presidency. SEC commissioners Allison H. Lee and Caroline A. Crenshaw have been ardent in their support for climate change disclosure rules and could be integral in these efforts. Such action would help the United States catch up to a growing number of global peers that are creating climate change disclosure rules. In the past two months, both New Zealand and the United Kingdom began requiring climate-change disclosures from companies and investors and have pointed to using recommendations from the TCFD.

Given these likely regulatory, policy, and market headwinds under the incoming administration, how can companies prepare for these anticipated changes? In addition to building ESG competency, here’s what boards can do.

Embed climate change in enterprise-risk management. Last year, Ceres released Running the Risk, a report that details strategies for proactive board oversight of ESG and climate risk identification, assessment, and mitigation. The 2018 guidance from the Committee of Sponsoring Organizations of the Treadway Commission and the World Business Council on Sustainable Development also includes helpful advice on how to integrate ESG issues into the enterprise risk-management process.

Employ robust scenario analysis. Given the high degree of uncertainty around the impacts of climate change, companies should prepare for a range of possible scenarios—including an aggressive reduction in emissions (spurred by regulations and new technologies) and a business-as-usual scenario (where increased global warming impacts supply chains and owned facilities). This sort of planning can increase an organization’s flexibility in responding to future events and is valued by investors looking to manage portfolio risks.

Align all corporate decision-making with climate science. As corporations conduct risk assessments and make strategy adjustments for climate change, they should look to align all corporate action with the latest scientific understanding on the topic. One way to do this is to follow the more than 1,000 companies that have joined the Science Based Targets initiative.

Follow TCFD recommendations in climate disclosures. Smart risk management is not possible without a foundation of strong disclosure. This is the reason that a growing preponderance of investors, including Blackrock, are calling for rules for climate change disclosures. Companies can prepare by proactively aligning their disclosures to the framework provided by the TCFD.

With climate impacts compounding around the world and the incoming Biden-Harris administration poised to take a more aggressive stance on climate action, companies have the opportunity to prepare by increasing their climate resilience, mitigating climate risk, and openly disclosing their efforts.

Veena Ramani is the senior program director of Capital Market Systems at Ceres. She leads Ceres’ work on board governance.

NACD: Tools and resources to help guide you in unpredictable times.

Poll of Directors Reveals M&A Challenges as COVID-19 Persists

During this time of global health crisis, disruption, and uncertainty, 86.1 percent of directors say that the COVID-19 pandemic has affected their ability to pursue, finance, and close merger and acquisition (M&A) deals, according to the 2020 NACD/Deloitte M&A Poll, conducted for a second year to explore trends in the board’s role in the M&A process.

This year’s results include feedback from 178 directors who responded to an NACD email request between August 5 and 25, 2020 seeking their participation. While the survey results reveal the effects of COVID-19 on M&A activity, they also provide insight into the most important related risks for directors and the areas in which boards may have to evolve to offer adequate oversight of the M&A process.

The Pandemic Alters M&A Closings

With a majority of respondents saying that COVID-19 has affected their ability to pursue, finance, and close M&A deals, more than one-fifth (20.8%) of poll takers say it has “significantly” affected their ability to close deals. Amid this difficult M&A climate, 67.2 percent of respondents agree that there is now a greater role and opportunity for nonexecutive board members to lend their previous experience to management during M&A discussions.

Fortunately, most boards appear to have the experience necessary to provide such guidance to their C-suites, as the vast majority of respondents (96.4%) say that their boards already have one or more directors with some background in M&A.

Nevertheless, in these trying times, some boards are seeking reinforcements. More than a quarter of respondents (26.1%) indicate that their boards have considered bringing on new members with specific expertise in M&A.

Boards already play a critical role in the M&A process, overseeing the various risks associated with any deal. Of the key risks related to M&A transactions that board members concern themselves with, respondents deem valuation (e.g., the risk of overpaying) and value realization (e.g., synergy execution) the most important.

Other notable key risks include hidden liabilities and those associated with change management and culture. More than one-third (32.1%) of respondents indicate that their boards will have to evolve how they provide oversight to address the major risks inherent in the M&A process, including in the three areas below.

Nonfinancial Metrics Lacking

The aim of any merger or acquisition is to achieve sustainable growth. While it is essential to monitor important financial metrics (for example, metrics associated with financial statements prepared using generally accepted accounting principles), such metrics may not provide a complete picture of a merger or acquisition deal. Key nonfinancial metrics related to culture, community support, brand health and reputation, and sustainability may add to the picture and have even gained in importance during the pandemic. The COVID-19 outbreak has cast a spotlight on the efforts organizations have made, or the lack thereof, to be better corporate citizens.

In addition, a focus on sustainability is increasingly associated with resiliency to new and atypical risks, such as climate change. Only 31.8 percent of respondents, however, indicate that nonexecutive directors receive information on the merging or acquired companies’ progress against nonfinancial benchmarks through the close of a deal.

According to NACD’s “Strengthening Oversight of M&A” installment in its Director Essentials series, a relevant question boards may wish to ask is, “What metrics will the board use to measure the transaction’s overall success?”

Integration Strategy Needs Oversight

This year, a larger proportion of respondents indicate that their boards will hold management accountable for integration strategy (93 percent this year, compared to 84 percent last year). So close to the finish line, it is at the integration stage that many organizations notoriously trip up and the prospective benefits of a deal are lost. As organizations endeavor to realize the prospective value of a given merger or acquisition for stakeholders, it behooves boards to remain vigilant and monitor management, even after requisite signatures are affixed to the dotted line.

Questions for the board to ask include: do we have the right mix of leaders from both companies to lead the post-integration effort?

Pre-close Process Commands Board Attention

Finally, the majority (58.7%) of director respondents believe that it is likely that the acquisition pre-close process will be subjected to increased levels of scrutiny by shareholders and regulators in the coming months. It is thus critical that boards ask the right questions at this stage, such as the following:

Under state law or our bylaws, do shareholders need to approve this sale?
What authorities need to be notified of this transaction and when?
Does the transaction require regulatory approval, and what are the arguments for and against it? How strong is our position?

Even before the outbreak of COVID-19, many companies were struggling to adapt to trends such as exponential technological change and the reinvention of industry and business models. One efficient way for companies to adapt is to acquire new capabilities via M&A transactions. As such, executive teams will continue to rely on their boards’ guidance throughout the deal process both today amid the pandemic and beyond into whatever new normal the future holds.

NACD: Tools and resources to help guide you in unpredictable times.

Evolve Risk-oriented Roles and Their Effectiveness Using the Three Lines Model

The Three Lines of Defense framework has long been used to help organizations manage risk. The Institute of Internal Auditors (IIA) recently developed an updated version, the Three Lines Model, to reflect changes in risk management and governance over the years, including the idea that risk management goes beyond simply defending or protecting value. In fact, effective risk management involves proactively addressing risk and creating value.

In a recent Baker Tilly webinar, “Leveraging the updated IIA Three Lines Model for greater organizational resiliency,” my partner Jonathan Marks, firm leader of our global fraud and forensic investigations and compliance practice, and I discussed how this framework can benefit all organizations. Of particular interest to governing boards, the model can help an organization to improve its oversight and monitoring of key risks by more clearly articulating the risk-related roles and responsibilities of the board, senior leadership, risk-related functions, and internal audit capabilities.

No matter the size or industry, every organization manages risk and pursues compliance to some extent—but how effectively? Some companies operate well without formalized risk-oriented functions; but most, and especially growing organizations, benefit from assigning responsibility and accountability to support collaboration and the identification and mitigation of risks that could impact achievement of the organization’s objectives.

The Three Lines Model helps leadership, including boards of directors, see the delineation of roles and responsibilities along the “three lines”: day-to-day management, risk oversight and monitoring functions, and risk assurance-oriented functions, such as internal audit. It also provides a customizable framework upon which to build your organizational understanding of and approach to risk management and monitoring functions. This includes how the organization effectively interacts, communicates, and collaborates between and within each of the three lines. Visualizing how these capabilities work together and address their respective areas of influence can help to identify functions in need of role clarification to ensure no unnecessary duplication or overlap, and any gaps in organizational risk oversight.

In a time of rapid change, clarity around enterprise risks, risk ownership, and risk-related roles and responsibilities can help to support rapid decision-making and prevent organizational risk information from becoming siloed. Becoming a more risk-resilient enterprise requires communicating where the organization is in relation to managing and overseeing risks, where it is going, what risks it’s facing, what challenges management is tackling, how the strategy is changing, what the competition is doing, and how all of these elements affect the organization.

In considering whether to use the Three Lines Model to take a closer look at the organizational risk-management structure, boards and senior leaders may wish to consider asking the following questions:

To what extent have we clearly internally articulated the interrelationships among our risk-oriented functions?
When the business must adapt quickly to address factors beyond its control, to what extent does the organization leverage enterprise risk information to inform decision-making?
Might a greater degree of formalization and clarity around risk- and compliance-oriented roles support strengthened decision-making and the pace of company-, industry-, or market-wide disruption and transformation?

After a year of novel, unpredictable, and ever-present sources of stress for businesses that may only be more dynamic in the year ahead, leveraging the Three Lines Model to evolve a more harmonious risk-management structure, with clearly defined roles and responsibilities, can better equip organizations to respond to these stressors as a united and collaborative whole.

Raina Rose Tagle is a partner in the risk advisory practice at Baker Tilly.

NACD: Tools and resources to help guide you in unpredictable times.

Continue Enhancing Developmental Efforts to Excel in 2021

The conclusion of 2020 marks a year memorable in many ways.  The end of the year will not miraculously resolve challenges experienced throughout, however, it does provide an opportunity to harness this experience in preparation for the future.  This year all organizations have had to strategically rethink the way they do business.   Leaders learned to reach their teams in new and novel ways and employees approached their work from unfamiliar context and perspectives.  As we enter the new year, take advantage of the notion that “change begets change”.  Seize this opportunity of transition to create an ecosystem in which your employees, and hence your organization, are poised to succeed now and into the future.

Just as your organization is unique, every employee is in a different phase of their journey with distinctive challenges and opportunities.  Successful organizations are examining the complete employee lifecycle to align and add value at each step along the way.  By focusing on individual needs and targeted growth, investments in employee development produce greater engagement, productivity, and return.  Career Partners International delivers human capital consulting programs across the globe at all levels of the organization.  Below are just a few examples of ways in which our CPI Partners help their clients chart a successful course for the future, even during the uncertainties of today.

Executive CoachingIt’s no secret that 2020 has upended how people relate and integrate to get work done.  Digital markets, consumer behavior, leadership development, and general workplace processes have been disrupted by cats walking across video screens, children interrupting negotiations or planning sessions, and even lost connections to critical server-held documents.

What has not changed in 2020 is that people must pivot; leaders just need to pivot more quickly.  Our talent development practice has paid close attention to supporting leaders who have had to hold things together on a grand scale, make incredibly difficult decisions around remote work and employee well-being, and navigate turbulence like never before.  Here are three specific behaviors our executive coaches have found critical for leaders to harness and leverage if they hope to be successful in the future.

Listen more.  Our current environment has proven that people will step up and step in when their voices are heard.  The current style of interacting in a “zoom room” has opened the door to incredible innovation.  

Get comfortable with intimacy.  Having visibility into peoples’ homes and moods is the new normal.  Boundaries are more fluid as we seek to truly embrace diversity, equity & inclusion.

Build trust and transparency. Remote work and easy commutes are here to stay.  Leaders must over-communicate and lead with integrity knowing that individuals and teams will rise to the occasion when trust is there to get work done.

Adena Johnston, D. Mgt.Master Corporate Executive CoachVice President and Practice Leader, CCI Consulting

Professional DevelopmentMany of our clients are looking for new and innovative ways to support the development of their employees to create a better employee experience, build stronger engagement & retention, and identify new leaders across their enterprise. Using our PowerAmp Coaching approach, we have provided clients with a solution that combines high touch live coaching with an AI based technology platform that allows them to bring development to a wider range of employees within the organization.

Our clients are using this solution to provide development skills for those employees who would not normally be selected for leadership coaching programs yet need to be strong in their roles as leaders within teams, across networks, and in their daily activities.  PowerAmp Coaching is also being used to identify employees who are most interested in their career development, ensuring returns on investment.   We are working with organizations to integrate this solution into high potential programs, greatly reducing the risk of spending development money on employees who are not willing to invest in themselves.

The way we work has changed significantly over the past year; PowerAmp Coaching provides a great opportunity to bring forth leadership skills at a large scale on a virtual basis.

Larry FisherVice President, Career Transition & Executive CoachingThe Ayers Group

Retirement CoachingWhat a challenging time we live in!   Many individuals have been faced with a career change they were not expecting, which often leads to a major point of reflection on the future.  For those between 50 and 70, it is especially difficult to determine what is important in life, beyond their traditional job.  The New Horizons LifeOptions-Lifestyle Planning program provides an ideal platform to help participants plan beyond just the financials of retirement, should it be in the next 15 days or next 15 years.  Retirement is a key milestone of the employee lifecycle and organizations that support their employees in preparing for this journey have found greater engagement, increased transparency, and stronger succession planning.

Coaching a future retiree with New Horizons provides them with the opportunity to learn new things about the journey which they are about to embark as well as confirm their predetermined thoughts about retirement; both are important.  During the assessment phase of the program considerable time is spent understanding that our past job was, for many of us, the total embodiment of who we are to ourselves and to our community. For many this means re-inventing oneself and discovering other aspects of life we love. For others, this means accepting that we are more than the subject matter expert in an industry, we are a grandparent, a friend, a yoga lover, a woodcarver, a whatever.  Some have gone on to “encore careers” matching their passion with interest; a Supply Chain Director who took on piano lessons, a Data Analyst opening her own catering company, an HR Training Manager volunteering to teach reading in the inner city, and many more.  By shifting the vision of retirement to an opportunity, rather than a looming and uncertain inevitability, employees can become more engaged and involved in their own succession exit. New Horizons are out there to be explored…now more than ever!

Gregg LevineSr. Career Transition ConsultantRatliff & Taylor

Career ManagementAs we approach the new year, many firms are looking at new and compelling ways to enhance employee experience.  Talent is feeling overwhelmed, disconnected, and at risk of burn-out.  Driven by trends related to a new social contract, an ever-evident war for talent, and rapidly changing environments, employees are hungry for more transparency and support related to career growth and development.  In fact, research from Fuel50.com shows that a staggering 81% of employees feel that their skills are not being fully utilized at work.  As talent leaders consider investments for next year, providing scalable and accessible access to insights, coaching, and mentorship support and learning opportunities will be key to satisfying this pervasive demand.

To add to this, research still shows that organizations are more inclined to hire externally, even though the data shows the merits of looking internal first.  This parallels research that shows only twenty-one percent of respondents believe their managers have the skills required to help employees develop their careers. Forty-six percent of survey respondents from a recent Deloitte survey say managers resist internal mobility.  Coaching and feedback are now table stakes competencies for leaders to do the important work of engaging and growing talent.  Investing in coaching, feedback, and productive conflict skills is essential to building or enhancing career agile cultures.

Liane TaylorCareer Engagement Practice LeaderThe Talent Company

In preparing for the new year, understand that the needs of nearly all employees have evolved, as have the tools available to support them.  Whether 2020 brought a struggle or a windfall, a challenge or an opportunity, continuing to invest in the people that make an organization great will yield sustainable positive returns.  Career Partners International Members all over the world are here to support the growth of organizations, their leaders, and their employees during every point of the journey.  We wish each of you a prosperous New Year.
The post Continue Enhancing Developmental Efforts to Excel in 2021 appeared first on CPIWorld.