Multinational Companies Should Monitor Three Emerging Risk Exposures

Stretched supply chains, high levels of inflation, the conflict in Ukraine, and the COVID-19 pandemic continue to stress economies around the world and significantly affect organizations’ risk profiles. As existing risks evolve and new ones emerge, organizations have been under increased pressure to develop risk and insurance management strategies that are resilient as well as to build risk management programs that respond to fast-changing challenges.

For global businesses, the uneven impact of evolving and emerging risks is compounding the challenges of managing their multinational portfolios and introducing new risks for directors and officers. As they seek to remain competitive, business leaders need to understand this changing risk landscape, identify the interconnections, and take action to protect the bottom line, focusing on three main risks.

1. Inflationary Pressures

High inflation in countries around the world is increasing the value of many insured assets. At the same time, supply shortages are prolonging rebuild times and operational stoppages after losses. Underwriters are increasingly scrutinizing insured values to make sure that these reflect today’s replacement costs, requiring organizations to reevaluate their insured properties and assets to determine whether they have adequate coverage that will facilitate recovery in the event of a loss.

Uneven rates of inflation in different countries create an added complication for global companies that must ensure local subsidiaries update the valuation of their property and assets in line with inflation rates.

In addition, insurers are concerned about the impact of inflation on their bottom lines as higher costs contribute to larger claim settlements, which can lead to reserve deficiencies, faster erosion of deductibles, and inadequate coverage. Unease over underinsured assets on their books is leading some underwriters to include policy provisions designed to limit recovery to reported values, coinsurance or average clauses, or coverage disclaimers. It is critical that your management team review and update property values to ensure that they are current and align with inflationary effects.

Liability costs are also escalating due to inflation, with rising defense costs and settlement amounts and an increase in nuclear verdicts. The dynamic of social inflation has been impacting US claim trends for many years and is a growing dynamic across the global marketplace, most notably in the United Kingdom. Management teams also should scrutinize customary liability insurance limits to ensure that they are sufficient in light of these increased costs.

Underinsurance risks are not restricted to your own operations; they extend to every organization you do business with. It is critical to understand insurance requirements during an inflationary period and to scrutinize the coverage required of third parties to determine whether they carry sufficient limits to cover the risk emanating from the relationship.

2. Tax and Regulation Risk

Global organizations with interests in different countries face the added task of abiding by local regulations, including tax requirements from both country-specific and global policies.

However, amid mounting pressure to reduce their spending in the face of inflation, many insurance buyers are forgoing country-specific coverage and instead purchasing global policies to cover their multinational risks.

Although a global policy may lead to financial savings (often upwards of 25 percent) and lower administrative costs, it can open local entities to government investigations and disruptive audits, as well as hefty fines and penalties, if their coverage is not in line with local regulations. The liability created by indirect taxes also often goes unidentified by the insured entity’s tax group.

Further, claims on global programs tend to be paid to the parent company, which typically then needs to transfer this money to the local entity that experienced a loss. These transfers, when legally allowed, may trigger additional income tax, eroding any program savings. Large monetary transfers may also trigger examinations, requiring risk management and treasury teams to spend time preparing their response to protect the firm instead of focusing on initiatives to improve the company’s resilience.

Your business leaders should work with local entities to review country-specific requirements and determine whether these are adequately addressed through a global program or they require local coverage.

3. Shifting Data Protection Regulations

From the European Union’s General Data Protection Regulation to the California Consumer Privacy Act, different countries and regions are looking at new regulations to protect their citizens’ private data. Enforcement efforts highlight the potentially exorbitant costs of noncompliance with data protection laws, delivering blows to the brand as well as the bottom line.

Not only can companies be held liable for possible mishandling of customer information, but there is also a growing demand for companies to hold the financial reserves to pay any fines and other costs related to a breach. Insurance is one of the most sought-after methods of providing protection for such losses and satisfying applicable laws. Relying on a single global insurance policy will likely become increasingly difficult in the face of varying country regulations.

Risk management teams should partner with global risk advisors to understand the data privacy risk climate in individual countries and any laws imposing liability for privacy breaches or requiring financial security in each country. Localized risk assessments can help your country risk managers determine whether current policies offer adequate protection.

Improving Your Multinational Resilience

As business leaders take actions to improve resilience in the face of emerging risks, organizations with subsidiaries in several countries will need to make sure that each local entity has adequate coverage to satisfy local regulations and provide the necessary protection in case of a loss.

This can be a moving target for many global programs, requiring significant commitment from the risk management team to keep up to date with shifting country requirements. Risk management teams should continuously monitor emerging risks and evaluate the suitability of current insurance program design to meet cost and compliance comfort levels.

Christian Hunter is the senior vice president and multinational Insurance Regulatory and Tax Consulting Practice leader, North America at Marsh.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

A Design-Led Approach to Profitable Growth

Design-led. This term may conjure images of turtlenecked CEOs hawking the latest mobile phone or accessory, but design-led concepts need not be relegated to creative industries or sectors. A design-led approach places people at the center of program development and decision-making, invites empathy into the ways in which a company structures its business, and is something boards should be keenly aware of.

Rooted in industrial design (the creative act of defining a physical product’s form and features), the design movement in business describes a way of looking at products and services with deep empathy for their intended users—customers, employees, suppliers, and even partners. At its core, a design-led approach is simply about viewing the world through the eyes of consumers to resolve their pain points and evoke positive human emotions during every interaction with a company.

Today, design-led concepts can be found in the corners of every corporate function within every industry. What’s more, the design movement has matured into essential curriculum in top business schools and in leadership training in more progressive companies.

The interest in applying design capabilities to all types of businesses and functions (e.g., marketing, human resources, finance) is due in large part to the widespread digitalization and automation of commerce channels. Now, with these approaches so well adopted in consumer-facing domains, businesses are turning to the power of design-led approaches coupled with advanced analytics to improve operating margins and accelerate growth. That’s right—you can do both simultaneously.

What Does ‘Design-led’ Look Like?

To demonstrate the power of a design-led, advanced analytics approach, here’s a quick real-life application: A Fortune 500 client was aspiring to install an enterprise data and analytics platform to efficiently manage and monetize operational data, but a price tag of $100 million kept the business from pulling the trigger. Senior executives couldn’t see past the giant expense, especially given the company’s history of information technology (IT) cost overruns and write-offs.

Rather than build an abstract and complex platform that only IT professionals truly grasped, the client took a design-led, advanced analytics approach. First, the company did an empathy map of the key personas (platform stakeholders) who would be using or impacted by the system. Next, it developed a prioritized list of customer and employee use-cases for the platform. Then, the team built only the platform components, one phase at a time, that were absolutely needed to drive practical value for customers and employees as identified in the initial set of use cases. The team aligned the business on this phased roadmap and defined key performance indicators for each phase so the client could measure success.

The close of each design phase included a quantitative review and report to the C-suite on the platform’s value to either customers or employees. The team’s ask to the C-suite was simple: give seed money to build the first phase, and if the team can quantify real value to either employees or customers at the end of the phase, release more money to build the next phase. Then the team would repeat the process. The results? Every phase was successful, and the data platform paid for itself in the four years it took to build.

But Are We Talking about Costs, or Growth?

Today’s market is a pressure cooker of challenges. It’s no wonder almost every board is focused on scenario planning to future-proof the business. While it might be tempting to focus planning efforts exclusively on cost take-out measures to weather tough financial times, we would argue in almost any scenario that a balanced approach to operational efficiency and customer experience innovation is best, even when times are hard—perhaps especially when they are hard.

Take companies such as LVMH. The luxury conglomerate might have been ripe for pandemic failure given its heavy reliance on affluent Chinese tourist sales in brick-and-mortar stores and reluctance to embrace ecommerce as a core business strategy. But when stores closed, the company invested heavily in designing ecommerce channels to connect with customers amid the “stay at home” environment, turbocharging online sales and reaping double-digit market cap gains.

Or take Ford Motor Co. The company encountered multiple pandemic setbacks as a result of the supply chain breakdown and decreased consumer driving during COVID-19, and still made perhaps the boldest innovative move in the history of the company by splitting into the Model e (electric vehicle, or EV) division and the Blue (gas) division. This strategy fundamentally repositioned the company and the design of its products to meet the changing needs of customers and humanity at large. The company took losses during the pandemic, but saved jobs, used assets to develop health equipment for first responders (ventilators, face shields, air purifiers, etc.), and went hard on the EV business investment.

These are just two examples that demonstrate that companies who invested in customer-centric design are now starting to enjoy the fruits of those investments and the public-positioning as strategic market leaders. Others who focused on reducing headcount and spending to manage costs are feeling the pressure that they are now laggards in the competition for the talent and customers they so desperately need.

The beauty of design- and data-led approaches is that they both improve operational efficiency and still allow for smart top-line growth investment. A design-led approach removes friction and delights customers, and a data-driven approach deepens our understanding of customer and employee needs and automates operations and decision-making to produce more significant results.

Getting Started

Boards of directors facing the uncertain economic realities of today would do well to think deeply about how design-led and analytic-powered approaches can help the organizations they serve best their competition, hedge against market turmoil, and grow market share in a recessionary environment.

Boards can discuss these five steps with management to get their companies started:

1. Know the health of your customer journey and employee experience. Ask management to map and measure the critical customer and employee touchpoints to create deep insights about their human needs and opportunities to win greater loyalty.

2. Assess your asset foundation. Management should take stock of what you have. Most companies are sitting on a treasure trove of data and other assets and don’t even realize their value for new growth and efficiency opportunities.

3. Marry cost efficiency work with experience investments. For every cost cut, make sure management understands the impact on the customer and employee experience, and give something back to delight these stakeholders.

4. Remember, speed is an asset. Don’t be paralyzed by finding the “perfect” answer. Encourage management to use the data to identify multiple solutions. Test many. More than one might be right. The power of analytics and artificial intelligence today is cost accessible and more efficient than human decision-making.

5. Don’t forget about the people. “Design-led” means injecting empathy into all of these steps. At the end of the day, your customers, employees, and suppliers should think to themselves, “They really get me.”

Boards have a key role to play in supporting and encouraging design-led approaches to products and services that can give their companies a competitive edge as economic volatility continues.

Adam Malamut is the chief experience officer of Alvarez & Marsal Digital. Michael Lawless is a managing director with Alvarez & Marsal Digital in Washington, DC.


Geopolitical and Cyber Hot Spots: Galvanizing Risk Governance for Escalating China-Taiwan Tensions

In a year already unprecedented in its geopolitical tectonic shifts, twists, and turns, company boards everywhere need not only to up their focus on risk governance generally but do so specifically with respect to geopolitical and cyber risk. Whether or not a business is physically located in a geopolitical hot spot such as China, Taiwan, Russia, or Ukraine—directly or indirectly, through people, assets, or the supply chain—what happens in those hot spots doesn’t stay in those hot spots.

The year started with Russia’s invasion of Ukraine and continued with US-China tensions over Taiwan. Both dramatic geopolitical developments have had a series of reverberations globally including for the business community. For example, shifts in relationships between the United States, European Union (EU), and Russia, including ceasing to do business in Russia, protecting people and assets in Russia and Ukraine, and abiding by unprecedented sanctions, are only a few of the consequences.

It’s Time to Get Ready for Escalated China-Taiwan Tensions

The second half of 2022 has already witnessed another critical geopolitical moment. Perhaps prompted by the visit of US House speaker Nancy Pelosi to Taiwan, China’s hair-trigger response of using its military for an unprecedented show of force with live-fire exercises over and around the island of Taiwan is simply an escalation of tensions that were otherwise long under development. Whether these tensions result in an actual invasion by China of Taiwan or something short of that in the near, medium, or long term, good business judgment requires both management and the board to start planning now.

Smart businesses, such as some of the leading technology companies, are already deeply involved in searching for and securing alternative and diversified manufacturing sites both near China and Taiwan (for example in Vietnam), as well as in onshoring or reshoring their supply chains by building new manufacturing sites “at home.” Although such new facilities will not come online soon enough, leaders must stop planning only for short-term profits and start planning for medium- and long-term resilience which, ostensibly, should yield long-term profits.

Expect the Unexpected

Before 2022, few expected Putin’s Russia to invade Ukraine but it happened with alarming, serious, and immediately disruptive consequences. No one wants the same thing to happen from a deterioration of China-Taiwan relations.

Taiwan is a model democracy and market economy, and an incredibly important source of highly advanced, specialized chips used the world over in technology of all kinds including laptops, smartphones, security networks, and telecommunications networks.

US and global companies with Taiwan-based operations should be most concerned as their exposure isn’t only to the financial implications of supply chain and product or service failure, but also to the impacts on the health and safety of employees. It is also likely that cyberattacks will increase in volume and ultimately result in financial loss either due to denial-of-service attacks, lost productivity, or the need to spend more money and resources on cybersecurity.

With the rising tensions between the United States and China, global companies with a footprint in China could fall into the cyber war between the states. Many US- and EU-based companies are already deciding to close or relocate operations outside of China. If things deteriorate, China may even attempt to seize control of foreign company assets (as Russia has recently done with the remnants of foreign companies that have left that country).

Geopolitical and Cyber-risk Governance “To Dos”

Among the top “to dos” that company boards and management should consider from a geopolitical and cyber-risk governance standpoint are the following:

- Ensure that the leadership team has access to real-time geopolitical, national, and local political data and advice relating to the company’s strategic footprint, geography, supply chain, and planning.
- Designate a member of management who will oversee geopolitical and political developments with the assistance of solid intelligence and advisors, reporting to the C-suite and board periodically and coordinating in real time with risk management efforts.
- Ask if there is a crisis management plan and team, including a board liaison or member. Is relevant crisis scenario planning integrated into such plans and periodically conducted with the board?
- Ask whether the risk and information security teams have the resources and tools necessary for foresight and future-proofing.
- Ensure that the enterprise risk management framework includes geopolitical and cyber-risk identification, analysis, and mitigation considerations.
- Ensure cyber hygiene. What is the state of cyber-risk management at the organization? Is it effective?
- Ensure that the organization is vigilant about information and data integrity in its products and services.
- Integrate digital chatter vigilance into internal and external communications strategy as well as enterprise risk management.
- Have directors that are risk-savvy, knowledgeable, and experienced.
- Have directors with specific risk expertise, depending on the company’s risk profile.
- Consider having a specialized risk and strategy committee.
- Receive quarterly risk reports from management and conduct executive sessions with the chief risk officer and chief information security officer to ensure organizational resilience and business continuity.

If boards follow the important path of upping or reupping their risk governance to include continuous learning related to geopolitical and cyber risk focused on a company’s specific business footprint, we think that their long-term resilience and sustainability will be seriously improved. Those who do not heed this advice will be at a distinct competitive disadvantage both tactically and strategically, and maybe even existentially, in this era of continuous and overlapping risks and crises.

Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory; a global ESG, risk, and cyber strategist; a board director; an NACD 2022 Directorship 100 honoree; and a life member of the Council on Foreign Relations.

Tomer Saban is the CEO and cofounder of WireX Systems, a network security company that is changing the way businesses respond to cyberattacks, and before that he worked in the homeland security space, developing defense systems for intelligence agencies.


Pay vs. Performance: What Do Public Company Directors Need to Know?

The US Securities and Exchange Commission recently adopted a new disclosure rule aimed at highlighting the relationship between executive compensation and company performance. The mandate, effective for the upcoming proxy cycle, introduces a new definition of executive compensation, Compensation Actually Paid (CAP), relative to a variety of performance metrics, some of which are prescribed and some of which are selected by each company. Although we won’t cover all the technical details here (that will take place on an upcoming NACD webinar on 10/27), below is a summary of what you need to know today about the new rules, and the potential implications of the new disclosure that warrant conversation in your fall meetings.

There Are Two New Tables and a Required Narrative.

The first table (the pay vs. performance (PvP) table) includes three years of historical data for executive pay and company performance (building to five years of historical data over the next two years). Executive pay includes disclosed total compensation from the summary compensation table (SCT) as well as the new definition of CAP for both the CEO and the average of the other nonexecutive officers. Performance disclosures are

- Company total shareholder return (TSR)
- Peer group TSR
- Company net income
- Company-selected metric

An explanation of the relationship among the various disclosures of pay and performance must be provided in narrative or graphical format (or both). The second table (tabular list) requires a listing of 3-7 financial (or non-financial) metrics that are most relevant to the company’s determination of executive compensation.

Compensation Committees Should Be Aware of, or Weigh-in on, Four Key Decisions.

The four key decisions are:

1. Which company-selected performance metric to include in the PvP table;
2. Which peer group to include for TSR purposes in the PvP table;
3. Which additional metrics to include in the tabular list; and
4. Where the required disclosure should be placed within the proxy.

We suspect that many companies will select

- The earnings metric in their short-term incentive plan,
- An index used in their Performance Graph in the 10-K or Annual Report,
- A minimal listing of metrics that are currently included in the incentive plan designs, and
- Placement after the existing required compensation tables (i.e., not within the Compensation Discussion and Analysis (CD&A)).

“Compensation Actually Paid” Is Not What You Think.

Although the opportunity existed to require something like “realizable” or “realized” compensation, the new rules simply adjust the figures already disclosed in the SCT with respect to equity-based compensation and pensions. For example, the equity-based compensation adjustments are not based on realized compensation (e.g., option exercises, performance share units (PSUs) earned, restricted stock vested, etc.) but rather reflect an annual “mark to market” based on fair value estimates at each new measurement date (e.g., updated Black-Scholes valuation for options, updated Monte-Carlo valuation for PSUs with rTSR metrics, etc.).

What Are the Potential Implications of the New Disclosure?

Nobody wants the tail to wag the dog, but there are some potential implications of this new disclosure for executive-level incentive compensation plan designs going forward.

The choice of incentive plan metrics has greater visibility. Because the company-selected metric for the PvP Table and the list of three to seven additional metrics for the tabular list will likely originate from the metrics currently used in the executive-level short-term and long-term incentive plan designs, the choice of metrics should at least consider how this will appear to shareholders in this new disclosure in the future. In other words, does the current incentive framework really capture all the important metrics? Are there metrics being considered for inclusion in the new list that are not currently included in the incentive plan designs but should be?

This is another potential spotlight on ESG-related metrics. If you don’t have any ESG-related metrics in your list of three to seven, are they not important? If you do have ESG-related metrics in your list but they’re not directly incorporated into your incentive plan design, why not? The fact that these metrics will be “tagged” in the disclosure will make it relatively easy for researchers, proxy advisors, and governance groups to assemble comparisons and identify outliers.

There are potential disconnects with the story in the CD&A. The new required narrative following the CAP table may or may not fully align with the more complete pay-for-performance narrative within the CD&A given the different metrics, time frames, and pay definitions. To some extent, these narratives will need to be reconciled.

Relative TSR plans just became more costly. The number of required Monte-Carlo valuations (typically provided by a third party) has expanded from

- A single valuation on the grant date to
- Multiple valuations during the life of the award:
  - at the grant date,
  - at the end of each fiscal year during the performance period, and
  - at the end of the performance period.

Furthermore, there may be an additional calculation of final actual value if there is a difference between the end date of the performance period and the ultimate vesting date.

Equity awards with quarterly or monthly vesting are quite cumbersome. Because the definition of “Compensation Actually Paid” requires re-measurement of outstanding awards at either fiscal year-end or vesting, awards with more frequent vesting provisions add considerable complexity to the calculation of CAP. For example, an award with monthly vesting will require valuation on the grant date and on each of the 12 subsequent vesting dates.

Is this a big deal? The answer is both yes and no. Yes, because it’s a new required table with an entirely new definition of pay and a potentially confusing narrative trying to make pay-for-performance connections between variables and time frames that may not be well aligned. And no, because it is likely to be separate and apart from the CD&A, and therefore may not become an integral component of how the executive compensation program is evaluated externally (i.e., more akin to the impact, if any, of the CEO pay ratio disclosure). However, it is brand new, it needs to be done, and only time will tell how much attention it ultimately receives or the impact it has on the design of executive pay programs.

Greg Stoeckel is a managing director and consulting team leader in Pearl Meyer’s Atlanta office.


A Crossroads for Cyber Insurance: Are You Really Covered?

Recently, Lloyd’s of London issued a bulletin that will require its insurer groups to separate state-backed cyberattacks from standalone cyber insurance policies. Starting in March 2023, when coverage begins or renews, Lloyd’s global syndicates must exclude attacks involving state actors in policies that protect against physical and digital damage caused by hacks.

This begs the question: If the insurance industry stops covering breaches caused by nation-states, and a significant amount of breaches are suspected to originate from this very source, where does this leave companies? Further, what if the breach source is unknown?

Most, if not all, companies secure a cyber insurance policy to spread out or defer some risk and damage from a cyber breach. Many, however, are likely to start questioning whether the cost of their now-limited insurance policies are worth it. Based on years of cyber investigative experience, I believe Lloyd’s of London’s recent decision will be a difficult one to enforce and nearly impossible to base on unclassified and verifiable data.

The question then comes down to: How do you attribute an attack to a nation-state actor? Attributing back to specific perpetrators is difficult in cyberspace, where identities can be easily disguised by using Tor routers (also known as onion routers), bot networks, and other obfuscation techniques.  

Add to this problem the use of initial access brokers, a dark web concept that I call “crowd-sourced hacking.” Here, actors can be found on various marketplaces and employed to conduct various parts of an attack piecemeal. For example, one actor can conduct the initial network access and then sell it to another actor, who moves laterally through the network and sells the access and network map to another actor, who deploys the malware or ransomware payload.

Some dark web vendors even provide a service dedicated to cultivating archives of stolen credentials, and their clients can include nation-states, organized criminal syndicates, or enterprising cybercriminals with pools of victims to compromise. The attribution waters get even muddier when you start to dive into the forensic science side of cyberspace. On any given day, leagues of different attack tools are being deployed by threat actors big and small. That’s a lot of tools to keep track of, even on the best of days, especially when some of them are used by friendly organizations looking for cyber vulnerabilities to close, not exploit. 

Even if a computer involved in an attack were traced to an IP address located in a North Korean military base, for instance, it wouldn’t necessarily mean the attack was carried out with the knowledge of that government’s authorities. The device could have been compromised by hackers in other countries, as in the case of the Office of Personnel Management hack, where the Federal Bureau of Investigation (FBI) arrested a Chinese national for the attack but couldn’t attribute it to the Chinese government.

And while the specific tactics, techniques, and procedures used by certain nation-states allow for some degree of attribution, only highly sophisticated, investigative methods employed by US law enforcement and intelligence community members such as the FBI, Central Intelligence Agency, or National Security Agency can usually detect them. However, these detection processes aren’t quick ones, sometimes taking months or years. In addition, law enforcement tactics that track such activity are classified and wouldn’t be disclosed to insurance companies seeking to make coverage decisions. 

Given the gray area around attribution, there may be a reckoning around the corner for the insurance sector, especially if other providers such as Lloyd’s attempt to unburden themselves from the financial responsibility of state-sponsored attacks. In an industry all about defining, mitigating, or eliminating risk, cyber insurance must establish a clear, accepted definition of its “nation-state” risk. Otherwise, I foresee a long road of litigation ahead between providers, the insured, and the victims arguing about the identity of the attacker.

Regardless of what happens with the cyber insurance market, having a solid cyber program is important to weather any storm. That is why enterprises should continue to focus on forging resilient environments that start with risk management. Building out from there, organizations can efficiently secure themselves from threats, no matter the origin.

James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

What’s Needed for the Future of the American Board

Corporate boards are at a critical juncture: Intensifying pressures and demands will require boards to govern differently and challenge how they assess and reward performance and manage their own workings.

Over the past year, NACD has brought together board leaders and governance experts to discuss what will strengthen board performance in the coming years and what longstanding governance practices and norms may need to change. This work has culminated with the release of The Future of the American Board, a report about leading boards into the future and about positioning them to become better stewards of long-term value creation for all stakeholders.

Re-envisioning what it takes to be a successful board (and not just a strong individual director) that can significantly influence sustainable business performance will not be an easy process. It will involve challenging discussions about the purpose of the corporation and the accountabilities of the board. It will entail uncomfortable decisions about board members who are not fit for the future, and difficult changes to reinvent board processes and reshape behaviors. It will demand a commitment to continuous and fast learning on new drivers and derailers of value and to creating room for diverse voices and perspectives.

Why now?

This work by boards is urgent. The intensity and accelerating pace of change is real, leading to a fundamentally different operating reality than incumbent executives and directors have experienced in their careers and shifting how businesses generate, preserve, and report value. Disruptions involving economic conditions, the geopolitical order, technology advancements, labor market dynamics, supply chains, regulation, climate change, and social and investor activism are reshaping society and business in powerful ways and, perhaps most important for this work, are transforming the role of business and how companies are governed. The reward is clear: in a world that seems less governable, the quality of board governance is increasingly vital to the sustainability of our enterprises and trust in our market economy.

The Commission’s Focus

In early 2022, NACD established the Commission on the Future of the American Board to reassess the Key Agreed Principles it issued in 2011 and refresh its guidance to help boards future-proof themselves. The Commission, composed of experienced board leaders, investors, CEOs, academics, and former regulators, met repeatedly over a six-month period to discuss several fundamental questions that are acute today and will become even more urgent in the coming years:

1. How do we expect external pressures and forces affecting board governance to change in the coming years?

2. Are there long-standing norms and practices that we must forcefully challenge?

3. How can we solve for the critical inherent tensions in board governance? In particular, the growing need for deep, proactive board engagement while preserving independence; the focus on long-term strategy and value creation in the face of short-term pressures; and the tension between retaining institutional knowledge and injecting fresh, new, and diverse perspectives and experiences on the board.

4. How must we adapt the workings of the board to be more agile and more prepared to engage management on high-stakes, complex, and often new issues and inform fast but high-quality decisions?

5. How can the board be assured that it has appropriate visibility into issues that affect the workforce?

These extensive discussions, which offered vastly different viewpoints and surfaced emerging board practices from leading companies, were the foundation of the new "Framework for Governing into the Future," based on a revision of the Key Agreed Principles. This Framework is intended to be utilized by public and private companies as well as by investors and advisors interested in strengthening board quality in the coming years. Each one of the principles is supported by key implications for boards, relevant context, and implementation guidance, including key questions for boards to consider. The 10 principles can be accessed here.

Our Key Takeaways

To advance their performance, boards must now focus on the more nuanced and difficult issues: issues of purpose, accountability, objectivity, information, relationships, talent, culture, commitment, refreshment, and engagement that are highly context dependent and to a large degree rely on the collective behaviors of individual directors. Focusing on these 10 areas can help boards thrive:

Purpose: View corporate purpose as a motivating and unifying force and rethink corporate success through a long-term lens.

Accountability: Recognize that consideration of employee, customer, and other stakeholder interests is key to acting in the corporation’s best interests and delivering value over the long term to shareholders.

Objectivity and Oversight: Embrace board self-determination regarding both governance and agenda priorities.

Information: Position the board for informed, deliberative, and agile decision-making through board determination of information needs, and fit-for-purpose information and reporting systems.

Relationships: Bolster trust in board and board-management relationships through agreed norms of behavior.

Talent: Pay attention to issues impacting the workforce and understand the link between strategic imperatives and officer and employee capabilities and constraints.

Culture: Define the parameters of desired corporate and board culture and monitor them.

Commitment: Recognize that more is required of directors to stay well informed and to be available on a far more frequent and flexible basis.

Refreshment: Avoid defaulting to renomination rather than undertaking tough decisions.

Engagement: Value interactions with shareholders, employees, and other key stakeholders as opportunities to learn about their interests and concerns and to build relationships of trust.

We predict that the work of the board will become more complex in an ever-more-turbulent environment. These principles provide guidance to help boards reassess their priorities and governance approach in the interests of ensuring that the US corporation remains fit for purpose in providing goods and services in a manner that benefits stakeholders and society at large.

Learn more about NACD’s Future of the American Board.

Sue Cole is the cochair of the NACD Future of the American Board Commission and chair of the NACD Board of Directors. Cole is currently the managing partner of SAGE Leadership & Strategy LLC, a boutique advisory firm she founded in 2011 to advise family businesses and large non-profits on strategy, leadership development, and governance. She is a director for Biscuitville, Diversified Trust Co., and Martin Marietta Materials, and she has more than 35 years of experience in the financial services industry, including corporate lending and wealth management.

F. William McNabb III is the cochair of the NACD Future of the American Board Commission and is the former chair and CEO of Vanguard. He stepped down as CEO at the end of 2017 and as chair at the end of 2018. He is a board member of UnitedHealth Group and chair of EY’s Independent Audit Quality Committee, and he also chairs the board of the Zoological Society of Philadelphia. In addition, McNabb is a board member of CECP: The CEO Force for Good and of the Philadelphia School Partnership. He is the executive in residence at the Raj & Kamla Gupta Governance Institute at the LeBow College of Business. He serves on the advisory boards of the Ira M. Millstein Center for Global Markets and Corporate Ownership at Columbia Law School, the Wharton Leadership Advisory Board, and the Dartmouth Athletic Advisory Board. He is also a member of The Wharton School’s Graduate Executive Board.


How to Rationalize Cybersecurity Tools in Turbulent Times

Amid a strained economy, businesses everywhere are tightening their belts and working to ensure that priority programs and critical infrastructure are earning their keep. But despite inflation being at a 40-year high, now’s the time to be introspective with your ecosystem and lean into your technology investments—not pull back. Here’s why.

First, this isn’t the recession of 2008–2009 and it is certainly not the threat environment we faced 14 years ago. We live in a completely different reality complete with more complex technology ecosystems and more aggressive cyber threat actors. With digital transformation now at full throttle, the world is more interconnected than ever before. The days of the single legacy system are long gone, having been ousted by an overlapping mesh of cloud-first technologies. Exploiting this expansive attack surface, cybercrime is booming.  

As we now brace for a possible recession, it’s often our first instinct to pull back on spending. However, when investments begin to slow around enterprise technology, it’s often the attackers who reap the benefits. Instead, consider this an opportunity to talk to your chief information security officer (CISO) about rationalizing the tools currently in your organization’s stack to buy down systemic risk and build resilience.

A Closer Look at Technology Rationalization 

Compounding technical debt is a common problem. Working with clients, I find that the average mid-enterprise organization has anywhere from 70 to 90 technologies in its environment. Instead of looking at net new tools, now's the time to look inside the ecosystem and make current technology investments show their worth.

A good place to start is a technology rationalization assessment. Whether your security team conducts the assessment or you hire an outside firm, it’s important to determine what tools you have, whether they’re deployed (or deployed correctly), which are critical to business operations, and whether they’re integrated or not. Additionally, it is imperative during this analysis to understand what data are being generated by these tools. This is also a great opportunity to identify redundancies in your environment, including shadow tools that you can sunset to raise security hygiene and lower costs.

Going beyond a maturity assessment, a tech rationalization analysis evaluates the technology across your ecosystem as a whole, then narrows it down to the tools essential to running it. A true, holistic evaluation will show your tools' objective value to the business, ensure the data generated from these tools remain actionable, and, importantly, integrate them to deliver capabilities that drive specific outcomes. Along with improving your security posture, you may also find opportunities to whittle down your total tool count and enjoy savings in the process.
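The inventory questions above (what is licensed, what is actually deployed and how widely, what is integrated, where capabilities overlap, and what can be sunset) can be expressed as a repeatable check rather than a one-off spreadsheet exercise. The following is an added illustration written for this page, not code from the article or from Optiv. The tool names, capability taxonomy, coverage figures, costs, and the 90 percent coverage threshold are all constructed, hypothetical sample data; a real assessment would pull them from the CMDB, licence records, and the SIEM's onboarding list.

```python
"""Tool-rationalization checks over a constructed security-tool inventory.

Flags shelfware (licensed but not deployed), tools whose every capability is
already delivered at least as well by another deployed tool, overlapping
capabilities, critical capabilities with no or weak coverage, and tools that
do not feed the SIEM. All names and figures below are hypothetical sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str
    capabilities: frozenset   # security capabilities the tool provides
    deployed: bool            # rolled out at all (False = licensed shelfware)
    coverage_pct: int         # share of in-scope assets it actually covers
    integrated: bool          # feeds its telemetry into the SIEM/SOAR
    annual_cost: int          # licence plus maintenance, in dollars


# Constructed sample inventory (hypothetical; not a real environment)
INVENTORY = [
    Tool("EDR-A", frozenset({"edr", "antivirus"}), True, 95, True, 240_000),
    Tool("AV-Legacy", frozenset({"antivirus"}), True, 60, False, 80_000),
    Tool("EDR-B", frozenset({"edr"}), False, 0, False, 150_000),        # bought, never rolled out
    Tool("SIEM", frozenset({"log_management"}), True, 100, True, 300_000),
    Tool("Vuln-Scanner", frozenset({"vuln_mgmt"}), True, 40, True, 60_000),
    Tool("Dept-Scanner", frozenset({"vuln_mgmt"}), True, 10, False, 20_000),  # shadow tool
]

# Assumed policy inputs: capabilities the business deems critical, and the
# minimum coverage at which a capability counts as genuinely "covered".
CRITICAL_CAPABILITIES = frozenset({"edr", "antivirus", "log_management", "vuln_mgmt", "mfa"})
MIN_COVERAGE = 90


def best_coverage(inventory, capability):
    """Highest coverage any deployed tool gives for a capability (0 if none)."""
    return max((t.coverage_pct for t in inventory
                if t.deployed and capability in t.capabilities), default=0)


def is_subsumed(tool, inventory):
    """True if every capability of `tool` is delivered at least as well by
    another deployed tool. On an exact tie both tools are flagged; a human
    then picks which one to keep."""
    if not tool.deployed:
        return False
    for cap in tool.capabilities:
        if not any(u.deployed and u is not tool and cap in u.capabilities
                   and u.coverage_pct >= tool.coverage_pct for u in inventory):
            return False
    return True


def rationalize(inventory):
    """Return the findings a rationalization assessment would put in front of the CISO."""
    deployed = [t for t in inventory if t.deployed]

    # Which deployed tools claim each capability; more than one means overlap worth questioning
    by_cap = {}
    for t in deployed:
        for cap in sorted(t.capabilities):
            by_cap.setdefault(cap, []).append(t.name)
    redundant = {cap: names for cap, names in sorted(by_cap.items()) if len(names) > 1}

    shelfware = sorted(t.name for t in inventory if not t.deployed)
    subsumed = sorted(t.name for t in inventory if is_subsumed(t, inventory))
    sunset = sorted(set(shelfware) | set(subsumed))
    savings = sum(t.annual_cost for t in inventory if t.name in sunset)

    # Coverage gaps against the critical-capability list: none at all, or present but thin
    uncovered = sorted(c for c in CRITICAL_CAPABILITIES if best_coverage(inventory, c) == 0)
    weak = {c: best_coverage(inventory, c) for c in sorted(CRITICAL_CAPABILITIES)
            if 0 < best_coverage(inventory, c) < MIN_COVERAGE}

    unintegrated = sorted(t.name for t in deployed if not t.integrated)

    return {
        "shelfware": shelfware,
        "sunset_candidates": sunset,
        "estimated_annual_savings": savings,
        "redundant": redundant,
        "uncovered_critical": uncovered,
        "weak_critical": weak,
        "unintegrated": unintegrated,
    }


if __name__ == "__main__":
    for key, value in rationalize(INVENTORY).items():
        print(f"{key}: {value}")
```

On the sample data the check flags the undeployed EDR licence and the two overlapping, low-coverage tools as sunset candidates, surfaces that no tool delivers MFA at all and that vulnerability management is only thinly covered, and lists the tools whose telemetry never reaches the SIEM. The sunset list is a starting point for a conversation, not a decision: a tool with low coverage may be the only one covering a segment the better tool cannot reach, which is exactly the kind of context the assessment should capture before anything is switched off.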

Prepare for Resilience

Addressing the ongoing risks inherent to your organization is an expense, yes. However, not doing so can be multitudes more expensive down the road (i.e., secure today or repair tomorrow). Today’s cyber landscape affects our current economic climate in different ways than past recessions. You simply can’t afford to slow down when it comes to shoring up your cyber defenses.

Case in point, geopolitical tensions are giving rise to new suites of threats and plenty of economic gray area. If the war in Ukraine sent ripples through the international economy, what are the cyber implications of a potential China-Taiwan conflict? The conversation is likely to be much different in this case around the intersection of business and security.

That’s why it’s also a good idea to identify, map, and protect business-critical assets as part of the technology rationalization assessment. What data are they producing and where are the data going? How are they secured? Your CISO should understand what the normal data flow looks like in your enterprise, so that they’re prepared to pivot and recover should crucial operations be interrupted.

Investments in this area should focus on the resilience side of security, because resilience is what gives you the ability to look ahead and anticipate where the threats are coming from. And with your technology now realigned with critical business processes, data, and infrastructure, you can deploy the right tools, the right way, to help you drive resilience throughout your environment.

You don’t have to sacrifice resilience initiatives for the sake of saving money. By first rationalizing your technology already in place, you can drive resilience and be better equipped to handle economic turbulence and unpredictable threats.

James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.


The SEC’s Climate Proposal and Assurance: Three Considerations for Audit Committees

In response to increasing global demand from investors and other financial markets stakeholders for information about public companies’ climate-related risks and opportunities, the US Securities and Exchange Commission (SEC) has released a proposed rule that would enhance and standardize climate-related information disclosed by public companies in their SEC filings. The SEC’s proposed rule would also require third-party assurance over some of the new disclosures.

The SEC has received more than 4,000 individual comment letter responses to its proposed requirements. While we wait for the SEC to adopt a final rule, it is important for all stakeholders in the financial reporting ecosystem to do what they can to get ready for new climate-related disclosure requirements. There are three things audit committees can do to prepare:

1. Gain an understanding of the key aspects of the SEC's proposed requirements.

2. Put climate on the audit committee's agenda.

3. Seek perspectives from the external auditor to understand the auditor's climate capabilities.

Understand Key Aspects of the SEC’s Proposed Climate Rule

Greenhouse gas (GHG) emissions attestations. The proposed rule would require certain companies to subject their scope 1 and 2 GHG emissions disclosures to third-party assurance from an assurance provider that meets certain minimum requirements described in the proposed rule.

This assurance requirement would phase in over time, starting first with limited assurance (similar to the level of assurance many boards would be familiar with from interim quarterly reviews). The requirement would then transition to requiring reasonable assurance after a couple of years of limited assurance.

Obtaining any level of assurance by a public company auditor will involve an auditor gaining an understanding of the company’s processes, systems, and data, as appropriate, used to arrive at the company’s GHG disclosures. Auditors will also need to consider risks of material misstatement of the subject matters, and then develop an appropriate approach to obtaining the level of evidence necessary to support their conclusion (limited assurance) or opinion (reasonable assurance). 

Material climate impacts on financial statements. Under current rules, climate-related risks are considered and assessed by management and auditors during the preparation and auditing of financial statements and may have a direct impact, an indirect impact, or in some cases no impact at all on the financial statements.

In an analysis conducted by the Center for Audit Quality (CAQ), we observed that 18 S&P 500 companies have climate-related mentions in the financial statements included in their most recent 10-Ks.

The requirements in the SEC proposed rule could increase this number dramatically. For each line in the financial statements, using a 1 percent threshold, a company would be required to disclose in the footnotes the negative and positive impacts from physical climate-related hazards (e.g., flood and fire zones) and transition risks (e.g., regulation, actions to reduce emissions). Companies would also be required to disclose in their financial statements the risks and uncertainties associated with climate-related risks that impact the development of estimates and assumptions.

In comment letter responses to the SEC, stakeholders have expressed concerns about this aspect of the proposal, including that the 1 percent threshold may place disproportionate prominence on climate-related financial statement metrics over more significant financial statement metrics and that it could ultimately result in inconsistent disclosures. As we await the final rule from the SEC, it will be important for public companies to understand this proposed footnote disclosure and think about how their own material climate risks impact their financial statements.

Put Climate on the Audit Committee’s Agenda

The CAQ published a report on audit committee practices which found that 66 percent of audit committee members’ companies issue a sustainability or environmental, social, and governance (ESG)-related report, and 69 percent obtain or are actively discussing obtaining third-party assurance on one or more components of ESG or sustainability data.

Individual boards of directors will need to discuss the proper board committee(s) to be involved in overseeing a company’s climate-related reporting. However, given the role audit committees play in overseeing financial reporting and a company’s internal controls, it is prudent for audit committees to talk to the management team to understand where the company is today with respect to its climate-related reporting and where it wants to be in the future. Audit committees can consider adding the following topics to discussions with company management:

1. the connection between the organization's ESG strategy and financial statement impacts and how management considers these impacts, including any impacts on estimates and assumptions;

2. expectations regarding responsibilities for climate reporting and assurance, including oversight of management's selection of the attestation provider; and

3. the people, process, and plan to prepare for the SEC's disclosure requirements.

Seek Perspectives from the External Auditor

Audit committees should also ask their independent auditors for their views on climate-related reporting. Audit committees can consider doing the following in discussions with external auditors:

1. Ask the external auditors for perspectives on how the company's climate-related disclosures generally compare to those of other companies. Audit partners report that a lack of tools supporting the collection, collation, and analysis of ESG data presents the greatest challenge in terms of climate and other ESG reporting.

2. Discuss the external auditor's views on the company's climate-related disclosures and how the auditor has considered climate-related risks in the audit of the financial statements.

3. Ask the external auditors what their responsibilities are for climate-related disclosures and whether that responsibility is different depending on where the climate-related information is disclosed.

Public company audit firms can also help public companies prepare with a readiness assessment, which may be performed in advance of a review or examination engagement of a company’s climate information. A readiness assessment provides an independent view as to whether the company’s reporting processes, internal controls, evidence available, and governance related to the climate-related information provide the foundation on which to obtain the desired level of assurance.

Julie Bell Lindsay is the CEO of the Center for Audit Quality.
