The Governance Implications of the DOJ’s New Corporate Enforcement Policy

The US Department of Justice’s (DOJ) Corporate Enforcement Policy (CEP) is never going to be the most popular item on the board’s education agenda, but it is quickly becoming one of the most significant.

With the DOJ’s renewed focus on corporate fraud enforcement and new fiduciary duty interpretations from the Delaware courts, corporate responsibility is back in vogue on boardroom agendas. Directors, especially those serving on audit and compliance committees, are now incentivized to recognize this movement and its potential implications for the company.

This is particularly important given the government’s emphasis on individual accountability and the significant, highly time-pressured decisions companies will be required to consider should they become aware of potential wrongdoing within their ranks. Those will most definitely be board-level decisions, not management’s.

The foundation for the renewed emphasis on corporate responsibility dates back to September 2022 and a series of policy speeches by senior DOJ officials. The fundamental message was three-fold: that the DOJ remains committed to corporate criminal enforcement, to supporting corporate responsibility, and to encouraging investment in compliance and culture.

That message surely caught the attention of most corporate counsel and, in many companies, that of the board’s audit and compliance committees. But for others in leadership, it may have seemed more like government saber-rattling than a serious initiative that deserved full-board attention. To a certain extent, that’s understandable.

But the government’s corporate responsibility messaging became much tougher for boards to ignore with the DOJ’s Jan. 17, 2023, release of its revised CEP. This revised policy document generally serves to underscore the government’s focus on prosecuting corporate fraud.

More particularly, though, it introduces a series of “new, significant, and concrete incentives” (including declination of prosecution) for companies to self-disclose identified corporate misconduct to the government. And for companies that choose not to self-disclose, the revised CEP provides incentives for companies that “go far above and beyond the bare minimum” when cooperating with DOJ investigators.

The revised CEP’s provisions have been supplemented by the Feb. 22, 2023, release of the US Attorneys’ Offices Voluntary Self-Disclosure Policy (VSD) which provides additional details on the requirements for voluntary self-disclosure, as well as on the benefits that the DOJ believes self-disclosure offers.

In essence, the revised CEP and the VSD combine to serve notice on boards to take internal investigations of potential fraud even more seriously than they already do. These important new policies are something of a flashing light, alerting boards to the possibility that they may be called upon to make serious, “bet the ranch” decisions on whether, and if so, how, to engage with the DOJ should an investigation identify problematic behavior—including that of executives. And with that alert, it encourages boards and their audit committees to prepare for the potential that they may be called upon to make those decisions.

Key to this preparation is an understanding that both the revised CEP and the VSD implicate corporate governance in three notable areas, which may most effectively be addressed by the board’s audit and compliance committees:

1. Key Board Decision-Making. The board of directors is likely to face a series of critically important decisions regarding corporate cooperation and voluntary self-disclosure should an internal investigation identify likely criminal wrongdoing by the corporation or its employees, including executives. These decisions relate to confirming that the results of the internal investigation accurately and reasonably identify possible criminal wrongdoing, and to working through the chain of related decisions. The latter includes deciding whether to make a voluntary self-disclosure; whether to meaningfully cooperate with the DOJ investigation or otherwise remediate; and whether to not disclose or otherwise to not cooperate.

These are in most circumstances board-level decisions and should not be made without the input of qualified white-collar defense counsel. They are decisions which must weigh the potential advantages of cooperation and self-disclosure (e.g., declination of prosecution), with the potential disadvantages of proactively engaging with the DOJ on matters of corporate conduct, especially when the evidence of wrongdoing is not clear-cut.

The issuance of both the revised CEP and the VSD gives members of audit and compliance committees the opportunity to familiarize themselves with these possible decisions, so as to be positioned to advise the board should wrongdoing be identified. Telling oneself, “It couldn’t happen here” is not a recommended governance best practice.

2. The Compliance Program. The audit and compliance committees and the board should recognize that, in many ways, the incentives offered by the revised CEP and the VSD underscore the value of maintaining an effective compliance program. Compliance program effectiveness is one of the key factors the DOJ will consider in determining whether a company will receive full credit for the “timely and appropriate remediation” element of the revised CEP.

Eight specific plan criteria are identified, and while they have all previously been identified in prior DOJ documents, they may serve as a useful resource for audit and compliance committee monitoring.

3. Executive Compensation. In her Sept. 15, 2022 presentation, Deputy Attorney General Lisa O. Monaco introduced the use of financial and executive compensation in promoting compliance and avoiding improperly risky behavior. Specific approaches include rewarding companies that claw back compensation from employees, managers, and executives when misconduct happens.

In her presentation, Monaco indicated that she has directed the DOJ’s Criminal Division to develop further guidance on how to reward corporations that employ clawback or similar arrangements. While the revised policy does not include such guidance, it does reference the use of compensation to incentivize compliance, and Monaco’s referenced guidance may still be forthcoming.

Key Takeaways

Neither the revised CEP nor the VSD represents the end of the corporate responsibility messaging from the DOJ. Indeed, a series of public conferences in early spring provide a logical forum for additional statements from the DOJ on corporate fraud enforcement. Boards should expect further updates from their corporate counsel on these points and should be prepared to work with management on necessary responses.

From a board awareness angle, there are several key takeaways from both the revised CEP and the VSD:

1. It is clear that the DOJ and its Criminal Division are committed to incentivizing self-disclosure, corporate cooperation, and remediation. The DOJ is offering corporations what it believes to be meaningful benefits to encourage early and proactive engagement with government prosecutors when indications of material misconduct arise.

2. These self-disclosure incentives notwithstanding, the DOJ makes it clear what it perceives to be the risks of failing to self-disclose: “The bottom line: call us before we call you.”

3. Decisions on whether to engage with the DOJ on possible misconduct are among the most consequential and time-sensitive that a governing board may be called upon to make—and it should take some meaningful steps in the near term to be prepared to do so if circumstances arise. The board and its counsel will need to heavily weigh these decisions, which the DOJ says it appreciates.

4. Companies should be highly motivated to assure the effectiveness of their corporate compliance plans in general, and to manage risks and incentivize ethical employee behavior in particular, as a means of demonstrating their good faith efforts to address corporate fraud.

5. When it comes to cooperating with the government, timing is everything. As DOJ leadership has made clear, companies seeking cooperation credit need to come forward and disclose important evidence to the DOJ quickly. Both companies and prosecutors evaluating those companies will now be “on the clock.” An undue or intentional delay in providing information and documents will result in a reduction or outright denial of cooperation credit.

Planning for what leaders never want to happen (e.g., indications of material corporate misconduct) is not going to be a popular board education choice. But in the current enhanced corporate responsibility environment, it may be the smart play from a board perspective.

Michael W. Peregrine is a partner in the Chicago office of McDermott Will & Emery. His views do not necessarily represent the views of McDermott Will & Emery or its clients. He thanks his partner, Sarah Walters, for her assistance in preparing this post.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Protect Your Company From Digital Assassination

Six actions to make sure you’re ready when—not if—a cyberattack strikes.

“Beginning today, all passwords must include sign language, thumb fingerprints, and animal noises,” read a sign in a corporate office I visited recently. Unfortunately, contemporary cyber challenges extend way beyond password protection.

Among the most costly and troublesome matters facing boards today are crises created by cyberattacks and hacks.

As the Wall Street Journal noted in September, “Cybersecurity has emerged as a key business risk that threatens firms’ ability to operate or even survive, and boards face increasing pressure to ensure that cybersecurity risks are effectively managed.”

Cyberattacks cause data, privacy, and financial issues, and countless organizations are simply not prepared for the cost, operational, and reputational reach of these disruptions, nor for the C-suite time and resources drained by addressing the cyber crisis.

“If it were measured as a country, then cybercrime—which is predicted to inflict damages totaling $6 trillion globally in 2021—would be the world’s third-largest economy after the United States and China,” reported Cybersecurity Magazine. Estimates suggest global losses could hit $10 trillion by 2025.

Cyber crisis response—before, during, and in the aftermath—demands innovative thinking, new skills, and contrasting approaches that match the breadth, depth, magnitude, and speed of today’s online world.

Much is revealed about leadership in moments of crisis. In the event of a cyberattack, companies must quickly determine what’s going on and how to neutralize it—and at the same time preserve corporate brand and reputation, employee morale, equity value, and sales. It requires grace under pressure and transparency. Those ill prepared will suffer far more than 15 minutes of global shame.

As former president Ronald Reagan said, “The greatest leader is not necessarily the one who does the greatest things. He is the one that gets people to do the greatest things.”

Understanding the Impact

There are three basic sources of digital attacks. All have reputational considerations and consequences.

Outside attacks. Crime syndicates or state actors; overseas competitors seeking theft or destruction; as well as ransom, extortion, retaliation, or denial of service.

Reputation attacks. Against brands, operations, or issues from activists or trolls seeking to disrupt; digital attacks on leaders or board members; an operational mistake, compounded by inept fact gathering and communications.

Internal attacks. Carelessness or intentional leaks by current, disgruntled, or former employees seeking retaliation for work issues, commercial espionage, or financial gain.

Our firm repeatedly sees that companies underestimate internal attacks. When law enforcement investigates cybercrime, they look inside first.

Are you prepared for a two-hour digital day?

Cyberattacks are a form of terrorism, and these disruptions drive fear and uncertainty and unsettle trust. During a cyberattack, constituents need assurance that the crisis is being skillfully overseen, and the organization’s leaders need to communicate at every level to face and direct change.

Speaking in Europe before two groups of board chairs and CEOs, I said, “In the face of today’s black swan events, last year’s thinking and crisis plans are ineffective and should be dragged into the trash icon. They will not be effective in today’s digital world.”

Cyberattacks do not usually occur during normal business hours. They happen at night, on weekends, or on holidays when companies have limited resources to deploy. Many would be surprised how few companies are prepared or trained for that scenario.

In my coauthored book, Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks, we established a standard digital response process, as well as a response time for digital harm of eight hours.

Today, that concept is crucial, as speed and magnitude have dramatically accelerated. We now face a two-hour digital day.

When assassins mount a public assault—something that must be acknowledged or answered—you really only have one or two hours for an initial response, as posts turn viral in today’s instant, mobile environment.

Countless corporate cultures and leaders, and notably their advisors, are simply not organized to operate at this warp digital speed.

Six Actions to Minimize the Impact of Cyberattacks

In addition to understanding these new dimensions of time, to minimize the impact of a cyber crisis and respond effectively, there are six effective actions that corporate boards and management should follow.

Who’s the boss? Appoint a C-suite executive to lead and train a company cyber-crisis SWAT team. Its mission is simple: be available to immediately respond to a cyber crisis 24/7/365. This team should predetermine obvious cyber-crisis scenarios and responses based on company industry and geography. It should include leadership from communications, human resources, investor relations, information technology (IT), marketing, legal, operations, and sales. Outside resources should have broad experience in these areas and cybersecurity.

Reach out and touch someone. Not only are cyber jobs in high demand, but like most areas, there is a massive talent shortage. The Wall Street Journal noted in December that the cybersecurity talent gap grew by 26.2 percent over the past year, to around 3.4 million unfilled jobs worldwide.

Companies should align with a university that offers a major cybersecurity curriculum—through donations, participation, and research—to continually attract top talent and be on top of trends. In addition, encourage IT team members to participate in professional organizations that provide best practices, papers, and seminars on cybersecurity and report back about changing and trending issues.

Practice makes perfect. Perhaps the most important thing a company can do is conduct a tabletop exercise, led by independent professionals with broad experience in cyber crises. This exercise can identify weakness in command structure, knowledge of internal processes, and the complex and considerable impact of external forces brought on by the crisis. Unfortunately, many organizations focus only on the IT component, not how an attack will affect various constituents, as well as what and how you need to communicate.

Planning for cyberattacks and crises should include the CEO, chief financial officer, chief counsel, and the cyber-crisis SWAT team as noted above. Most who participate in these drills come away chastened, but confident that they are more prepared for an actual attack.

Vanquish evolving challenges. As Michael Bodson, who recently retired as president and CEO of DTCC, a global leader in financial markets, said, “It’s not just about stealing anymore. Concern and focus of boards and management today is to oversee and deploy resources not only to deflect nuisance hackers, but much more importantly, be prepared and defeat a new cybercriminal element, partnering with rogue nations, trying to disrupt economies and commerce, as well as create disorder.”

Another CEO interviewed noted, “No matter what the technology glitch, keep everyone away from the IT people. They do not need others looking over their shoulder asking, ‘What’s happening?’ while they are trying to fix the issue.”

Find a cloud to hide us. Like all business insurance, cyber insurance costs are skyrocketing and becoming more restrictive.

“Cyberattacks are on the rise in all industries, so cyber insurance must be a critical component of any corporate plan,” said Christopher Keegan, cyber and technology national practice leader at Brown & Brown, an insurance brokerage firm. “With an expert internal team and seasoned independent advisors, C-suites and boards must develop a clear understanding of how, to what extent—and for how long—cyberattacks or hacks could impact company operations. Another consideration is what level of insurance will efficiently minimize the financial impact from the most impactful attacks. Not so easy, as risk is ever-changing.”

Insurers will want in-depth information about company cyber policies and procedures. Businesses that can’t satisfy this greater level of scrutiny could face higher premiums and be offered limited coverage or refused coverage altogether.

And just to throw a monkey wrench into the insurance mix, Lloyd’s of London, the world’s leading insurance market, announced that after March 2023, it will not cover most state-sponsored cyberattacks.

Send in the lawyers. “Successful cyber-crisis planning is critical and interdisciplinary. One key ingredient is legal counsel as the company responds to a crisis and effectuates a multi-pronged response across the C-suite and other key sectors,” noted John Cleary, privacy litigation group chair at the law firm Polsinelli. “Particularly in cybersecurity, advance legal input, well before any incident, is essential to help a company adhere to regulatory requirements and legal standards, as well as ensure proper risk management to define customer, counterparty relationships and obligations.

“When a cyber crisis hits, the legal team should be deployed in key areas: confidential analysis of legal issues and potential exposures, liaison with law enforcement, regulators, and review of needed communications,” Cleary concluded.

Don’t Stop Thinking About Tomorrow

Cyberattacks are damaging, penetrating, and now frequent.

Attacks so far have been on single companies. But what happens when we have a multi-company or multi-industry attack on infrastructure, technology, or finance and big enterprises go down?

The cascading effect and disruption to people’s lives, the economy, and the business could be devastating. That’s why we must be continually knowledgeable and vigilant for our companies, as well as our personal lives.

Richard Torrenzano is chief executive of The Torrenzano Group, a reputation and high-stakes issues management firm. For nearly a decade, he was a member of the New York Stock Exchange management (policy) and executive (operations) committees.


Disclosing the Business, Operational, and Financial Impacts of Cyber Risk

In March 2022, the US Securities and Exchange Commission (SEC) proposed a new rule on cyber-risk management, strategy, governance, and incident disclosure. It is as multifaceted as it sounds, and it would require certain SEC registrants to report material incidents within four business days and to make a number of disclosures pertaining to cybersecurity incidents, protocols, and risk management strategies. The proposed rule is a response to the ongoing risk cyber threats pose to public companies and their stakeholders. In January 2023, it entered the SEC’s final rule stage.

The new rule emphasizes materiality: the relationship between cyber threats and an organization’s business, financial, and operational exposures. Compliance with the rule will mean navigating a new treatment of cyber risk: expressing these risks in business terms rather than applying the technical focus, which is the current convention. Leaders will want to determine whether the people, processes, and technology underpinning their cybersecurity ecosystems today are equipped to consider cyber risk in nontechnical terms once this rule takes effect.

Cybersecurity ecosystems grew organically as organizations needed to focus on threats. Now, these ecosystems must evolve to meet new transparency and materiality requirements. Organizations will have to articulate the processes by which they determine materiality and consider how boards will determine—in four business days—which incidents require disclosure. The upside? A business perspective is a more effective basis for prioritizing potential threats and strategizing to manage risk than a technical perspective ever could be.

Summary of Requirements

A recent analysis outlined the SEC’s new requirements (which are summarized below):

Report material cybersecurity incidents within four business days of detection and provide periodic updates on previously reported cybersecurity incidents.

Report cybersecurity incidents that have become material in the aggregate.

Disclose the policies and procedures by which the organization identifies and manages cybersecurity risks.

Report the extent to which the organization engages third parties in its cyber-risk assessments, and the policies and procedures by which the organization oversees and identifies cyber risks associated with its use of third-party service providers.

Disclose the organization’s business continuity, contingency, and recovery plans.

Disclose how cyber risks are considered as part of the organization’s business strategy, financial planning, and capital allocation.

Disclose the board’s oversight of cyber risk, as well as management’s role—and expertise in—assessing and managing cyber risk and implementing cybersecurity policies and procedures.

Report both annually and with certain proxy disclosures whether any member of the board possesses cybersecurity expertise.

Cyberattacks will negatively impact stock prices, as well as short- and long-term shareholder value. Some attacks have been severe enough to put companies out of business. The SEC enumerated examples of costs and damage that can stem from material cybersecurity incidents:

Business interruption, decreased production, delayed product launches;

Ransom and extortion demands;

Remediation costs related to liability for stolen data, repairing system damage, and incentivizing customers and partners to maintain relationships after an attack;

Increased cybersecurity protection costs such as higher insurance premiums and additional cybersecurity staff and technologies;

Lost revenue when intellectual property is stolen and used in an unauthorized way;

Litigation and regulatory actions;

Harm to stakeholders, violations of privacy laws, and reputational damage; and

Erosion of the organization’s competitiveness, stock price, and long-term shareholder value.

A Shift in Perspective

With this new rule, the SEC is compelling certain registrants to consider cyber risk as business risk and to express the risk to investors in business terms. The rule benefits registrants too: boards will view cyber risk through a business lens and apply the resulting insights to mitigating risk. By keeping materiality top of mind, boards can make smarter cybersecurity investments, enacting controls and techniques to reduce risks associated with potential incidents.

Cybersecurity reporting has traditionally expressed risks as high, medium, or low, and measured effectiveness by quantifying blocked threats. New cybersecurity reporting will focus on material impacts in business, operational, and financial terms; for example, “Every day the plant is inoperative, we lose $1 billion. If a cyberattack costs us seven days’ production, we lose $7 billion.” This reporting will expose the threats that would do the most harm and describe how those threats would be suppressed. These are terms upon which boards, investors, and insurers can base decisions about risk controls and risk transfer. New cybersecurity reporting, therefore, helps determine where to direct cybersecurity investments, as well as how to optimize cybersecurity measures.

Technology changes quickly and cyber threats do, too. No control remains effective forever. That’s why controls must be as dynamic as the technologies they protect and the threats they protect against. Static analyses of today’s risk are less helpful than establishing a regular flow of information to the board that supports cybersecurity investment decisions based on business, operational, and financial considerations. With the board’s eyes kept regularly on cybersecurity as an aspect of routine governance, directors will be equipped to comply with the SEC’s new requirements.

Terry Jost is managing director and global security and privacy segment leader at Protiviti.

Chris Hetner is special advisor for cyber risk at NACD and former senior cybersecurity advisor to the SEC chair.

Looking for better insight into your company’s cyber-risk exposures and how to improve the cybersecurity program? The X-Analytics Cyber Risk-Reporting Service, brought to you by NACD, can help.


Getting Started: Private Company Compensation Committees

While the work of public company compensation committees is well understood and receives considerable investor attention, the same cannot be said for private company compensation committees. Most private company boards don’t use standing subcommittees, so the owners lack the point of view of public company directors experienced in this type of work.

For most private companies, setting executive compensation is an annual exercise that is less than optimized. Whether it is due to economic constraints or personal friendships, some important discussions just don’t happen often enough, if at all. If a private company board intends to start a formal compensation committee, here are some important questions to consider.

How do the base pay, annual bonus, and long-term incentives align with the company’s strategic plan and market realities? Most private companies have well-established routines for addressing compensation. Since leadership tends to be stable, the decision-making behaviors and unspoken metrics are known. During economic booms, compensation discussions tend to revolve around the question, “Are we at risk of losing executives?” During moderate times the question leans toward, “Is the pay fair for what the executives are doing?” In a downturn, the thinking is more, “How can we afford to compensate executives?”

Performance reviews at private companies are often summaries, not data-rich exercises. They are also likely to be siloed, and not viewed in terms of the overarching goals of the organization. My experience suggests that the board can improve these areas by asking the following questions:

How has the individual’s performance driven success to achieve strategic goals?

Is the individual a good fit for the role they are in both today and in the future?

How does the individual exemplify the values and culture we aspire to demonstrate?

Looking at this triad of criteria sets the stage for a better evaluation of how impactful the organization’s leaders are in achieving ownership objectives, and therefore how to compensate them for their impact.

Does the company have the right data for benchmarking? Most private companies have access to limited compensation data. Their trade associations often provide compensation data specific to their industry, but I have found such reports to have limitations. They are indicative but not sufficiently informative. Often, there are not enough data to have confidence in what the numbers are saying. When you ask about location adjustments or niche adjustments, there isn’t sufficient information and you need to interpolate to form an opinion. Public companies have an advantage in that their data are rich and plentiful in comparison.

Private companies may be reluctant to pay for something that is often seen as not having enough utility (“but we only use it once a year”), hindering access to higher-quality data insights. There are many high-quality compensation consultants who can help, but they are a greater expense than the data. So, owners do without it—at the expense of more appropriate and competitive executive compensation.

How does the company deal with underperformers that can’t be easily replaced? Private companies tend to have smaller and less well-developed management teams than public companies do. Executive turnover tends to be lower for many reasons. Personal loyalty and relationships tend to be stronger since there is no public market pressure for performance.

If a senior executive isn’t cutting it, but is not easily replaced, how much risk do you want to take in transitioning to a new player? What is the value of “the devil you know” versus going to the open market? While there is value in organizational stability, what is the cost of condoning unacceptable performance? If the problem includes objectionable behaviors, the cost could be more than you think. These types of concerns often prevent needed change.

How much should the company let loyalty overrule merit? As the saying goes, if you are making money, the bank is happy, and if you are paying your taxes, you can do what you want at a private company. If the management team has been together for a long time, personal friendships can get in the way of evaluating and acting upon poor performance. How are you going to balance the conflicts?

Instances of executive underperformance and excessive loyalty are typically well-known throughout the ranks of the business. A decision to accept these shortcomings tells the staff what the real culture is, what gets rewarded, and what negative behaviors are tolerated, at least for the lucky few.

How aggressively should the company set goals? Maybe more critically, should there be any leniency if the company doesn’t make the goals? For a private company, if the owners are happy with the business results, then they are good enough. If there is no outside pressure, then there tends to be incentive to reward people even when they don’t reach their goals (the “let’s be nice” syndrome).

This is where outside directors can help the owners and managers balance conflicts. The outsiders should not have these biases and know they have been engaged to provide clear-eyed perspectives on what is best for the business. The outsider directors, and the board as a whole, need to serve as a compass through these difficult decisions.

Performance and compensation are issues in every organization. As the business grows, the issues become more complicated and the risks of talent flight increase. While much of the work of a compensation committee is formulaic, the bigger issues require deeper consideration. The hardest part of this work is often the judgment to balance facts and figures against emotion, relationships, and the risks and rewards that are not measured in dollars and cents.

These are the quandaries that allow board members to earn their keep.

Bruce Werner is managing director of Kona Advisors, which advises private and family-owned businesses. He has served on the boards of nonprofit and private companies.


Workforces: A “Wicked Problem” Where Boards Can Help

Over the past few years, boards have become far more sensitized to the potential for workforces to either generate incredible value or pose incredible risk, depending on how they are managed. Workforces represent a “wicked problem”: a complex array of issues underlies how they function and perform. However, there are some concrete starting points for board members to drive the right conversations and truly tackle workforce challenges.

Here are three workforce strategies that are especially relevant for boards.

Develop metrics to measure and monitor work intensity. Work intensification—where workers are asked to perform more and more units of work per single unit of time—has quietly and increasingly bedeviled workplaces for decades, culminating in the burnout epidemic and an associated labor crisis now in play. Workers in different contexts may experience work intensification differently. Warehouse workers may be asked to pack too many boxes while office workers may sit through too many meetings. But an array of academic research shows that this phenomenon can slow the business gains sought through work intensification, while creating negative health outcomes for workers. In this context, it’s critical that organizations develop concrete metrics to monitor work intensity to understand when “enough is enough” before impacts such as attrition or pervasive health issues kick in.

What a board member can do: Ask your executive team to concretely measure and consider work intensity going forward. Ask for and examine data that may give you signals that work has tipped over into excess intensity—anything from turnover in critical roles to health plan data on experienced rates of anxiety and depression.

Create a “single account of the truth” on the workforce of your organization and systems and processes to maintain it in real-time. For many, many organizations, it’s a tale of two workforces: one hired with the involvement of human resources (HR) and fully managed through mainstream financial systems, and one—consisting of contract or contingent workers—often hired through procurement, managed through opaque and imprecise financial channels (for instance, workers are managed as groups and not as individuals with individual compensation), and, strikingly, frequently not interviewed by anyone. The latter group’s employee experience can also be dramatically disparate from the organizational mainstream. Deployed properly, contingent labor can be a marvelous source of agility for organizations, but managed as a second, shadowy workforce away from HR and finance’s normal channels, this group can generate meaningful amounts of financial, operational, and reputational risk.

What a board member can do: Ask finance, HR, and procurement to work in synchronization to map out, on a very basic level, who works for you and what you pay them across full-time employees and contractors alike. This critical information, missing in so many organizations, should then be recorded in real time in key technological systems. Posing questions such as, “Do we capture contingent labor in our human resources information systems?” can be extremely helpful.

Scenario plan your flexibility and location strategy against possible changes in your talent markets as well as in the way you work. Years after the seismic disruptions of 2020, organizations are continuing to find the fundamental question of “Where does our work get done?” challenging. We grapple with a constant balancing act, weighing decisions about culture and productivity against volatile markets for key talent ranging from data scientists and nurses to hourly workers across an array of roles. Thoughtful organizations are utilizing scenario planning to give themselves more options to keep work going as labor market conditions shift quickly in real time, asking themselves what will be needed to ensure business continuity. Solutions may range from more flexible real estate contracts to more broadly drawn job specifications and fluid ways of working to more varied pay practices.

What a board member can do: Initiate a conversation about key areas of workforce risk to identify whether particular roles, geographies, levels, or other segments are more prone to turnover or talent attraction challenges. You’ll also want to discuss what market changes might cause those areas of risk to shift. The board should also understand, at a high level, all the levers of flexibility the business can utilize to keep key seats from sitting empty, examining not just the “where” (location strategy and return-to-office policy) but also the “who” (hiring different talent populations, such as formerly incarcerated people) and the “when” (Should the timing of shift work be broken up differently?). At the board level, you don’t have to be in the day-to-day weeds of the flexibility conversation, but you do want to ensure that your organization has the workforce agility to tackle whatever disruptions are coming.

Workforce challenges may be a wicked problem, but they’re not an insurmountable one. Armed with the right questions, boards can play a crucial role in ensuring that companies think intelligently about the humans they employ, creating scenarios in which both the employer and employee win.

Melissa Swift is the US transformation leader at Mercer and focuses on helping organizations transform their work and workforces. Swift is the author of Work Here Now: Think Like a Human, Build a Powerhouse Workplace, in which she details 90 strategies that organizations and teams can employ to both fuel productivity and create happier working populations.

Building Enterprise-wide Resilience in an Age of Permacrisis

Are we in an age of “permacrisis” that is characterized by extended instability, insecurity, and lurching from one pressing challenge to the next? Or does this overdramatize the events of today, downplaying the experiences of earlier generations? Even if permacrisis is too extreme a label, organizations still need to ensure that they are ready to navigate a lengthy period of turbulence and uncertainty in what is being touted as a low-growth, low-cooperation era.

The Global Risks Report 2023, prepared by the World Economic Forum in collaboration with Marsh McLennan and Zurich Insurance Group, reflects on the compounding effects of Russia’s invasion of Ukraine and the complex global recovery from the COVID-19 pandemic. These seismic events have triggered or exacerbated a cascade of near-term crises and set the frame for escalating risks that may harden into new structural realities over the next decade. Board members will need to challenge executive assumptions about what the coming years might offer and bring wisdom to the finessing of unavoidable trade-offs.

Recent headlines about the economy (whether there will be a recession, how deep it might be, and how long it might last) may be front of mind, with the International Monetary Fund, among others, softening the downbeat view of the global economy it promoted at the end of last year and boosting the confidence of financial markets. But that is too singular and linear a narrative to frame the risk landscape, and organizations would do well to explore their exposures to two different kinds of risk as they assess how they are positioned for the future.

Examine the perils within domestic national fragilities and international economic relations. A protracted cost-of-living crisis could take social unrest and political instability to new levels. In Europe, vulnerable households are choosing between food and heating this winter; in low-income countries significant parts of the population have been plunged back into poverty, wiping out gains from the last decade. Soaring government debt in many countries is constraining welfare payments, health system reform, and investment in future infrastructure resilience. 

Societal polarization continues to be exacerbated by social media algorithms and active misinformation campaigns; trust in government competence and probity has sunk yet further. National politics is highly divisive, with each new regime in democratic countries determined to undo the legacy of the last government as quickly as possible and tired illiberal regimes seeking new tools to hang on to power.

Government postures oscillate between populist policies and unaffordable largesse on one hand and heightened surveillance, crackdowns, emergency laws, and support from foreign powers on the other. The likelihood of political violence and state collapse in weaker economies has risen.

Economic and industrial policy levers are being freely deployed in pursuit of economic protectionism and national security, and to constrain the development of rival states. As an instrument of offense, this is most visible in the sanctions imposed on Russian energy businesses, financial system players, and leadership; as a means of defense, it is also apparent in increased foreign investment screening, constraints on technology sharing, and deeper strategic economic alliances with pivotal partner countries.

Strengthened industrial policies that have both national security and economic protectionist foundations are spurring a new “arms race.” While incentives to onshore business activities are attractive, they may also inflate the cost of business, reduce the scope for supply chain diversification, and generate new risks from local dependencies. Moreover, rather than lowering the risk of foreign exposures, a protection-based system may make firms vulnerable to countermeasures in other markets.

Further into the future looms the prospect of more intense rivalry for natural resources, such as food and minerals. The extent of climate change and the level of commitment to net-zero imperatives, along with the degree of conflict in the geopolitical environment, will inform the likelihood of commodity price spikes, multi-resource crises, divergent levels of distress globally, heightened resource nationalism, and increasingly aggressive strategic contestation.

Encourage resilience as an enterprise-wide imperative. Crises of recent years have stretched definitions, imperatives, and opportunities for resilience. Directors should ensure that innovations and momentum acquired through the pandemic are not lost and that the discipline of resilience extends beyond assets and operations to embrace enterprise-wide behaviors. At the height of the pandemic, agility had its time in the sun, but being agile won’t always get you out of a supply chain crunch. 

Safety, security, and continuity questions for business operations remain ever important, but most corporate strategies would benefit from being subjected to tougher resilience assessments, noting that the current multifaceted turmoil may take the world in different directions. A look at corporate share price drops over the last year reveals plenty of firms that were hit by changing events, but also those that wildly misjudged what the future would hold.

The nature of the macro-level risk landscape and the perils identified above argue for a continual re-evaluation of non-market forces, by which it is easy to be blindsided. In countries that are critical for raw materials, manufacturing, or sales, these might take the form of tougher regulations and standards (especially on climate transition and data privacy matters); ownership requirements; social license to operate expectations; technology transfer and personnel mobility constraints; and windfall taxes.

Many organizations have risk dashboards that provide a snapshot of individual exposures and concerns, and the likely effects of mitigation plans. But this does not necessarily provide a good view of responsive capabilities for complex multipart crises that demand a variety of levers to be deployed in combination. Board members may find it helpful to understand their organization’s maturity and progress toward greater resilience against the backdrop of a changing risk environment. 

Whether we’re in an age of permacrisis or not, we live in volatile times. The opportunities are tremendous, but there is no room for complacency.

Richard Smith-Bingham is an executive director at Marsh McLennan and a key contributor to the Global Risks Report 2023.

Advance Notice Bylaws: A Brief History and Four Recommendations

The 2023 debut of the universal proxy card, following a US Securities and Exchange Commission (SEC) rule effective Jan. 31, 2022, that makes it easier for dissidents to campaign for a seat on a board, has inspired some boards to review and strengthen the change-of-control provisions in their bylaws or other corporate policies. One such provision is the advance notice bylaw, which requires shareholders to give timely notice to a company, in writing and in advance of the annual shareholder meeting, of their intention to nominate a board candidate or to bring other matters to a vote. These bylaw provisions may also require advance notice of proposals on other matters, as long as they do not conflict with the federal rule on proxy proposals (Rule 14a-8); this is a stipulation we see in The New York Times Co. advance notice provisions as updated in 2020.

What follows is a brief history of advance notice bylaws, followed by four recommendations to boards planning to adopt, amend, or defend them.

A Brief History of Advance Notice Bylaws

Directors of public companies are expected to represent the interests of all shareholders with due care and loyalty, but from time to time a company’s ownership base may include a small group of activists who believe that they can do a better job. These dissidents try to get themselves and their nominees on the board. A common way for them to achieve that goal is to wage a proxy fight by proposing a dissident slate for a vote at the next annual meeting. Advance notice bylaws give companies time to respond to such actions.

Advance notice bylaws have a long and distinguished history. They have been widely employed—and challenged—since at least the mid-1990s, when many companies adopted them in response to 1992 proxy voting reforms that empowered dissident shareholders in new ways. Now, more than two decades later, many, if not most, companies have advance notice bylaws. A Delaware judge in the 2020 BlackRock Credit Allocation Income Tr. v. Saba Cap. Master Fund case called them “commonplace.”

Challenges to advance notice bylaws over recent decades have created a “density of jurisprudence,” as noted by the judge in the 2021 Rosenbaum v. CytoDyn Inc. case. Adding to this density will be Politan Capital Management’s recent shareholder legal challenge to Masimo Corp.’s 2022 bylaw amendments, which has made headlines as it exemplifies a hot new trend. Some have expressed concerns that the Masimo case could lead to curbs. Such an outcome seems unlikely, especially in Delaware, where courts defer to board judgment. However, there could be movement by shareholders themselves to submit and win proxy proposals to ban all bylaw amendments made by boards alone (the typical case), without shareholder approval. A 2017 resolution at Automatic Data Processing received a majority vote.

Plaintiffs challenging advance notice bylaws have objected to overly long notice periods (e.g., 120 days rather than 60 days) or overly detailed disclosure requirements (e.g., proxy-length biographical info for dissident director candidates). Although such super-protective policies have been in existence for at least a decade (Masimo, the company undergoing a high-profile challenge, has had such a policy since 2013), they are now getting challenged in court more frequently because a higher number of dissidents are trying to get on boards via universal proxies.

In the Rosenbaum case, the judge upheld advance notice provisions, as did the court in the aforementioned BlackRock case and in the 2007 Openwave Systems v. Harbinger Capital case. The Openwave decision also warned that courts will resolve any ambiguity by the company in favor of the stockholder’s electoral rights. An outlier in this series of pro-bylaws cases was the 2008 JANA Master Fund, Ltd. v. CNET Networks, Inc. case. In this case, the court put some restrictions on the use of advance notice bylaws, without forbidding them altogether.

Four Recommendations

First, boards must understand that they have a right to institute advance notice bylaws. If boards do not get adequate advance notice of shareholder intentions, they lose the opportunity to engage in focused dialogue on the issue in question, whether it is a director nomination or another matter. The universal proxy rule effective for this proxy season already requires a dissident to “provide the registrant with notice of the names of its nominees for director 60 days before the anniversary of the prior year’s annual shareholder meeting,” with adjustments if the time of the meeting has changed. Many advance notice provisions (both those adopted before this rule and after it) simply lengthen this timeframe. This makes sense because the information sought in such policies is necessary for all shareholders to know.

Second, advance notice provisions should be created in advance of any proxy fights with the help of legal counsel expert in current bylaw trends. A Sidley Austin article cautioned that these should be prepared on a “fair day” rather than a “rainy day” lest courts impugn them as mere devices of entrenchment.

Third, companies should be prepared to explain and defend their policies. The SEC issued guidance in December 2022 addressing the situation of a company that is sued over its advance notice bylaws. The SEC says that companies must make certain disclosures about the litigation and the possible ramifications, and should be prepared to change the date of the annual meeting if it cannot give shareholders enough notice.

Finally, while boards can demand transparency, they must also provide it. Advance notice bylaws exemplify a demand for transparency from dissident shareholders, because such bylaws request factual information about an important matter, be it a potential board member or another matter coming up for vote. Conversely, however, boards must also be transparent, constructing their bylaws in plain English without any ambiguity.

Given their long history, advance notice bylaws are highly unlikely to be declared illegal overnight by a judge. The court’s decision in Masimo and similar cases may, however, provide guidance on writing advance notice bylaws that can withstand judicial scrutiny.

Disclaimer: NACD does not provide tax, legal, or accounting advice. This material has been prepared for informational purposes only and is not intended to provide, and should not be relied on for, tax, legal, or accounting advice. For such advice, readers should consult their own tax, legal, and accounting advisors.

Alexandra R. Lajoux is the chief knowledge officer emeritus at NACD.

ESG-Linked Reputation Risk Strategy Requires Authentication and Communication

If you oversee an effective reputation risk strategy process, but no one knows it, is it actually effective? This is a vital question boards of directors, senior executives, and risk professionals need to ask themselves in this era of enhanced regulatory enforcement.

We now understand more than ever about corporate reputational risk—how to define it, assess its potential impact, and mitigate it—to build reputational resilience, which is valued by investors. We now know, for example, that reputational resilience is the benefit companies earn by prevailing in the competition for the minds of stakeholders. We know this depends on the degree to which actual corporate performance aligns with stakeholders’ expectations. This is as true with environmental, social, and governance (ESG), compliance, disclosure, diversity, political acumen, and other reputational issues as it is with financial performance.

We know that marketing and communications strategies can manage expectations, but if they are not integrated into enterprise-wide risk management and governance, they can backfire. Incredulous stakeholders will see greenwashing, bluewashing, graywashing, noncompliance, and possibly even non-constructive obstruction.

On the other hand, a study conducted by Steel City Re found that when a crisis allows stakeholders to discover that a company has a robust, authenticated reputation risk strategy, they reward it with a reputation premium, or a higher stock price relative to its peers. Even more compelling, the study found that when companies proactively communicate with stakeholders about their processes and they are authenticated by third parties before any crisis transpires, they gain an even greater stock price premium. The average equity boosts are 5 and 9.3 percent, respectively.

Authentication of the reputation risk management process and communication with stakeholders are key, but these are elements that have been missing from most of the conversations in corporate boardrooms about reputation or ESG-related risk. At the 2022 NACD Summit, we surveyed a group of directors on what they thought comprised an effective reputation risk management and governance process. At first, only 20 percent said it would include management, the board, intelligence gathering of stakeholder expectations, and strategic value protection through a combination of third-party authentication, such as insurance, and communications.

By the end of a presentation titled “Taming the ESG Beast and the Stakeholder Risk de Jure… du Jour,” 66 percent said they favored a demonstrably effective, insurance-authenticated system, fostering thoughtful management and dutiful governance over all that was mission-critical. In other words, for a company’s process to have the desired result, it must not only be effective, but demonstrably effective. That requires authentication, which is best provided through insurance, and the existence of that insurance in turn needs to be communicated strategically.

Communicating the existence of an effective authenticated management and governance system builds reputation resilience by hardening a company’s defenses. It both deters attacks by regulators, activists, and investors and puts the company and its board in a strong position to defend themselves among these stakeholders and employees, vendors, and social license holders if adverse reputational incidents occur. 

That’s where marketing, communications, investor relations, government affairs, and other externally facing professionals come in. Even if a highly visible public marketing and communications campaign is not justified, it is likely possible to engage in a careful, targeted, quieter effort to inform a more limited number of influential stakeholders, such as analysts, bond raters, and regulators. How to mount such a campaign to the company’s best advantage requires its own strategy discussion.

The simpler the story the better. Being able to point to third-party authentication is tremendously valuable. Reputation insurance, the underwriting of which is designed to assess the completeness and thoughtfulness of the risk management and oversight process, is the only form of authentication that also brings with it the conviction of actual financial risk transfer. Parametric insurance, which bases claims on a series of objective, measurable metrics, is easy for stakeholders to understand and prevents the company from having to do a deep dive into aspects of its process during every presentation.

Overseeing reputation risk strategy, particularly the parts linked to ESG, is weighing heavily on boards where climate change, environmental stewardship, social justice, and dutiful governance are mission-critical issues to ESG-focused investors. Marketing executives and risk strategists are seeing their remit expand to include reputation risk strategy, but often without the necessary tools to meet the challenge without creating additional risk—especially with the politicization of nearly everything.

Reputation strategy cannot be consigned to a silo. Building resilience requires more than traditional enterprise risk management and more than aspirational communications. In the opinion of two-thirds of directors surveyed, it requires a demonstrably effective, insurance-authenticated system, fostering thoughtful management and dutiful governance over all that is mission-critical, and one that is communicated strategically.

Reputation resilience is a source of value, not a philosophical abstraction. As the United States approaches a potential recession in 2023, there’s no better time for boards to shore up their companies’ reputational resilience by publicly authenticating and communicating their reputational risk governance processes.

Nir Kossovsky is CEO of Steel City Re. Denise Williamee is Steel City Re’s vice president of corporate services. 

Leading Directors and Experts Reflect on 2022, Discuss Top Business Trends to Come

When you ponder the year ahead and all the trials it will bring, a potential recession as well as supply chain and talent troubles may come to mind. To prepare for these issues and more 2023 trends, NACD gathered experts and board members at the Leading Minds of Governance event on Dec. 13 in Scottsdale, Arizona.

Greg Griffith, senior director of partnerships and corporate development at NACD, moderated the event. Dayna L. Harris, a partner at Farient Advisors; Vada O. Manager, CEO and founder of Manager Global Holdings, a principal and board member of Think TRUE, and a board member at Helios Education Foundation and Valvoline; Debra McCormack, managing director, global board effectiveness and sustainability lead at Accenture; Karen A. Smith Bogart, the president of Smith Bogart Consulting, chair of the Fielding Graduate University board of trustees, and a director of Michelman, Mohawk Industries, and the NACD Pacific Southwest Chapter; and Warren de Wied, a partner at Fried, Frank, Harris, Shriver & Jacobson, served on the panel. Below are key questions and answers from that conversation.

What have you seen, from the last recessions that we’ve had, that corporate [boards] need to do to get through this [potential] recession?

de Wied: History tells us that a financial crisis comes along about every eight to ten years. Companies sometimes forget that bad news may be just around the corner—and we went through an unusually long financial boom. When there’s a reset, certain fundamental values come back into vogue, values that people may abandon during a boom economy, values like balance sheet flexibility, profitability and free cash flow, disciplined M&A [mergers and acquisitions], and not over-leveraging the future. These are lessons that we often seem to have to relearn as the cycle turns, but a well-functioning board anticipates the possibility that things go in a different direction and builds flexibility into its planning.

What we’ve seen in the past few months is something of a pullback from ESG [environmental, social, and governance]. It’s important to have a focus on employee issues, on climate risks; indeed, you must have a focus on these areas because they impact the bottom line, they impact the basic functioning of companies. But what you see when the business environment changes is that companies still have to put profitability first. In the last few months, companies have shown that that’s the case. They’ve scaled back ESG programs, and of course we have seen significant workforce reductions; in some cases companies have let ten thousand or more employees go. Companies always have to balance their ESG objectives with the economic realities of business.

The keynote of all of this is that companies need balance; they need balance in their financial and operational execution, they need balance in their social focus. When you get out of balance, usually, something to the downside happens.

When should boards get involved in social and political issues that might affect their businesses, and why?

Smith Bogart: Companies have stakeholders, and therefore they need profitability to reinvest in the firm and invest in the strategy. They need to be clear about what are the critical elements of the strategy and their values and commitments and use those for determining when they want to engage. Often the place where they can make a big impact is with the non-glorious, the non-glamorous issues. I’ve seen companies get actively involved in municipal issues around the funding of bus systems so their employees can get to work. It’s not glamorous. But it’s critical to manufacturing operations, for instance. Other issues where companies have gotten very involved are working with different states around apprenticeship programs, re-training programs that are critical for the capability of the company. I think where companies get into trouble is when they lead with the latest issue, they lead with the latest fad, and they’re not germane to the fundamental strategy of investments and where the company’s going short term and long term.

What are the top three governance issues on the minds of directors?

Manager: The bedrock issue… is to really determine and monitor and measure risk. There’s been a fair amount of reexamination of Caremark. For example, with Boeing [the courts] allowed a Caremark issue to go forward because of the duty of safety and duty of care failure. On the other hand, there were a couple other cases that they allowed duty of care to stay in place because they wanted to apply a gross negligence standard versus another standard. That’s something we need to constantly keep in mind and watch. It’s not going to be one-size-fits-all in duty of care….

Second is this issue of ESG [environmental, social, and governance] in the world of corporations. We saw that play out at Disney in a big way in Florida, the governor, officials getting involved. We have a new congress coming in…. ESG covers a wide category and directors can still discharge the responsibilities of ESG [and] make progress on those issues without falling into the traps and some of the issues around stakeholders; our shareholders, in many cases, are putting more measures and standards and expectations with regard to ESG before corporations.

Third… is universal proxy, and how that is also changing the landscape of how directors are being selected…. As you may have even seen and read in different publications and different research and analyses, shareholder actions are up… as a result of the adoption of it, which went into place somewhere around August of 2022. The threshold is lower; it allows individual directors to be more targeted for removal than it does whole board slates under the old system. This is something that we all have to look at as well. It’s even allowing smaller players; your Icahns and your Elliotts aren’t the only players in this anymore.

What are the… key things for your customers and clients to implement in 2023 to work more efficiently and effectively?

McCormack: Board evaluations. Who is doing them? How are they being done? Are you having your individual directors evaluated? This is something that you’re hearing the proxy advisory firms talk about, this is something you’re hearing the investors talk about. We’ve seen that the disclosures around board evaluations have been going up; 60 percent of the S&P 500 reported that they have actually now done a board evaluation and they mentioned specifically that they’ve covered the board, the committees, and the individuals and they’re finding at the group discussions that it’s not good. There’s a lack of true, inspired, down and difficult discussions that you can have when the full group is there. It’s getting the board members one-on-one and having that discussion. How was your performance? How do you think your committee did? What do you think we could do better as a board?

By the way, 49 percent of the board members that were interviewed said that they think one person on their board needs to go away, 19 percent said two people need to be kicked off the board, and 4 percent said three or more need to be kicked off the board. Are you being honest with one another during the evaluations? Are you truly taking a step back and asking if the skills and competencies of the individuals on your board are the skills and competencies that belong for where your strategy is going tomorrow? We’re finding that it’s a difficult time…. It’s really hard when this person is your friend to say, “You know what, I don’t know that you’re right for the board any longer.” When we have that feeling, are we also saying, “Gosh, we shouldn’t be on the board any longer”?

How should compensation committees build a more resilient compensation program based on the unexpected nature of what’s going on in business?

Harris: What a resilient program consists of is several things besides a short-term incentive that allows you to be setting your goals every year for that which is coming down the pike that you can foresee far more easily. The long-term incentive plan ought to be established in a way that allows it to work both in good times and in bad times. That often means a combination of long-term incentive vehicles. Something like your performance stock, performance share units that are highly performance-focused [where] you require certain performance measures in order to have any of them vest and at the same time [that are] balanced with something like restricted stock units or something that has a significant retentive power and is tangible, and that actually works when times are bad. It’s better to have these things set up in the first place, rather than as you approach what you think is going to be a recessionary environment. You’re suddenly scrambling to change and say, “Oh, by the way, we want to add restricted stock to our program when we never had it before.” Then your proxy advisors and investors may say, “Well, why are you doing that? You were so focused on performance.” […]

If you have something that’s not necessarily an objective and quantifiable measure is there something that you can do to ensure that in an environment where you don’t achieve your financial goals, you’re not paying out way above target on your strategic measures? For a resilient program you would think about that. You might have some type of a governor that applies to those strategic measures, something that says our earnings need to be a certain level for us to pay above target in that kind of an environment, when, in fact, perhaps management has knocked the lights out with respect to those strategic measures.
