Isaacson on Doudna and Biotech: ‘This Is the Revolution That Will Most Change Our Time’

Walter Isaacson’s latest book, The Code Breaker, was published on March 9, the day after Isaacson agreed to participate in an NACD virtual chapter event facilitated by Dr. Helene Gayle, president and CEO of The Chicago Community Trust. The event was supported by Baker Botts, Lockton Cos., and Bank of America Corp.

Isaacson is a professor of history at Tulane University and a board member at United Airlines Holdings, as well as the former CEO of the Aspen Institute, chair and CEO of CNN, and editor of TIME magazine. Highlights from the conversation between Isaacson and Gayle—a physician and director whose board service includes roles at The Coca-Cola Co., Colgate-Palmolive Co., GoHealth, Palo Alto Networks, The Brookings Institution, and the Center for Strategic and International Studies—follow.

You’ve written about some incredible people. Why did Jennifer Doudna’s story make such an impression on you and why did you feel that this was a story that needed to be written?

I wanted to do the biotech revolution. This is the revolution that will most change our time. It will be more important than the digital revolution because instead of hacking digital code and giving us things like iPhones, we’ll be able to combine that with the ability to read, and even rewrite, the code of life—our genetic code. Also, RNA has turned out to be more important than DNA. RNA is at the heart of these [COVID-19] vaccines that we’re all hoping to get. I was looking for a way into that story. Back in 2000, all the men in biology were focused on DNA and the Human Genome Project, but a group of women who had almost been excluded from the Human Genome Project focused on RNA and that was Jillian Banfield, Jennifer Doudna, Emmanuelle Charpentier, I could go on.

Jennifer Doudna discovered the structure of RNA, how it can replicate itself, and that it was the molecule that began life on this planet. Through her life, I got to look at RNA, and then she and Emmanuelle Charpentier are the ones who invented this tool for editing genes called CRISPR. Finally, she decided she had to take on the moral issue—the humanity issue—of how we should use this technology. Those of us who are in boardrooms know that even when you have a product or some idea that’s going to work, you pause at a certain point and ask, How can we make sure this is used for good, and that it doesn’t cause any harm?

What did Doudna bring to CRISPR in the way that she collaborated and worked?

She made sure that everybody who came into her lab or into the company she was working at met everybody else and that they got along and clicked, that they were able to be very collegial with one another. I said [to Doudna], “Some people I know who are great leaders like having creative tension. They like having people with sharp elbows fighting each other because they think that leads to more innovation.” She said [paraphrased], “I get that, but that’s not who I am. I believe in teamwork and collegiality, and people having each other’s backs, working hand in glove instead of always trying to best their own colleagues.” I think we need different ways of collegiality, different ways of competition. When you’re on a board, you don’t just look at who the CEO is, you look at the team that the CEO has built; and each CEO has a different style—sometimes they want creative tension. But in Jennifer’s case she wanted collegiality. That led to her working in a transatlantic collaboration with Emmanuelle Charpentier, and also graduate students who are in Vienna, one in Sweden, and in other places. They were able to collaborate working 24 hours a day because they were all in different time zones to win the race to discover how CRISPR works as a gene editing tool.

Talking about the nature of cooperation and the spirit of collaboration, can you apply lessons on team dynamics and leadership to business or other areas beyond science?

I went to ask Steve Jobs late in his life what the best product he ever made was. I thought he’d say the original Macintosh or maybe the iPhone. He said [paraphrased], “No, making products like that is hard. But what’s particularly important is making a team that can continue to make products like that. They said the best thing I ever did was make the team at Apple.” I began to see that teamwork was a thing and [the United States’] founders and their families may be one of the greatest teams ever put together. You need a person of great rectitude like George Washington; you need really smart people like Jefferson and Madison; you need people with high passion, like Samuel Adams and his cousin John. But you also need somebody who can make teams and that’s what Ben Franklin did. So, when I wrote about Jennifer Doudna, I didn’t just write about her scientific ability. I wrote about her collaborative and team-making ability, and most importantly how to be collaborative and competitive at the same time. Anybody who’s on a business board knows the notion of a frenemy or coopetition, or something where you’re cooperating half the time and competing half the time. That’s the hardest thing to do. We all know how to collaborate; we probably all know how to compete. Jennifer Doudna’s life story teaches us how to interweave the two.

A longer version of this conversation will be published in the May/June 2021 issue of Directorship magazine.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Shining New Light on Human Capital

In this CEO Letter from the March/April 2021 issue of Directorship magazine, NACD CEO Peter Gleason reflects on Larry Fink’s 2021 letter to CEOs and notes that boards have a role to play in reporting on workforce issues and holding their companies and themselves accountable. Read the full issue on human capital management today.

“Despite the darkness of the past 12 months, there have been signs of hope, including companies that have worked to serve their stakeholders with courage and conviction.” So writes Laurence D. Fink, CEO of BlackRock, the world’s largest asset manager, in his 2021 “Dear CEO” letter, which calls on companies to maintain this momentum of positive change. 

Of all the stakeholders affected by COVID-19, employees are arguably the most vulnerable. Although Fink’s letter focuses on the goal of carbon emission reduction (net zero by 2050) and related disclosures, he does not ignore the human element. 

In fact, Fink says, the “E” and “S” in ESG interrelate. “Improved data and disclosures will help us better understand the deep interdependence between environmental and social issues,” he writes. Fink is a proponent of the framework from the Sustainability Accounting Standards Board, which he recommends along with that of the Task Force on Climate-related Financial Disclosures. 

Importantly, Fink’s letter also calls for more disclosure on how human capital contributes to company value. “A company that does not seek to benefit from the full spectrum of human talent is weaker for it,” says Fink. Such a company is “less likely to hire the best talent, less likely to reflect the needs of its customers and the communities where it operates, and less likely to outperform.” Therefore, he urges “company disclosures on talent strategy that fully reflect your long-term plans to improve diversity, equity, and inclusion.” Every day, I see that more companies are holding themselves accountable, releasing transparency reports and voluntarily reporting on the composition of their workforces. The board has an indispensable role to play, and NACD sees a bright future for business as we deliver on our goal to advance the knowledge of professional directors. 

All of our programs—from Accelerate to NACD Directorship Certification—are designed to support and enhance our mission to educate both current and future directors so that they are capable of leading with confidence and are prepared to meet the formidable challenges of the future, including those identified by Fink in his inspiring letter.

Busy Director Neglects Board Duty While CEO’s Actions Raise Questions, What Should She Do?

This article was published in the March/April 2021 issue of Directorship. The scenario presented here is anonymized to protect identities.

The dilemma: Cadenza is an entrepreneur. Like many other entrepreneurs, she needed additional income to live on while she grew her business. Among other work, Cadenza provided consulting services to another entrepreneur. When that individual also ran short of funds, Cadenza was paid in equity rather than cash and given a seat on the board. As Cadenza’s own business began to prosper, she paid little heed to the business of her former client. She stopped receiving board papers and attending board meetings. Now, a shareholder from the other company has asked Cadenza what is going on there. Cadenza called her former client (the CEO of that company) and asked for an update. The news was mixed. For a while, things went well—the company successfully raised capital and gained new shareholders. Then, progress stagnated and it appeared that some company assets were transferred to the CEO, or perhaps sold with the proceeds going to the CEO before a dilutionary capital raising and before some agreements were finalized, to “reward” him for intellectual property that once belonged to the company. The CEO also said that the shareholder who contacted Cadenza had been “causing trouble” for some time, asking for information and threatening to take legal action. He asked Cadenza to ignore the shareholder and take no further action. Cadenza is now worried. She knows that she has not fulfilled her duty as a director. She is still listed with regulators and on the company’s website as a board member. How can she protect her reputation and limit the repercussions from her lack of attention?

Julie Garland McLellan, nonexecutive director and board consultant: The best way to manage the risks of directorship is to do the job diligently. Cadenza’s lack of attention to her duties as a director could have serious repercussions. She has four options:

Lie. Claim she resigned when she stopped working with the CEO and that she expected the CEO to file the paperwork to that effect. This is stupidly risky—not to mention unethical—and if unsuccessful, she will have perjury and other deceptions added to her negligence.
Stay quiet, remain on the board, and hope the CEO will sort it out. This is extremely high risk. If she allows the company to misappropriate assets, she could incur personal liability and be guilty of inaccurate reporting.
Resign fast and hope the CEO will sort it out. This is also very high risk. There is probably evidence of the timing of asset transfers, and she was on the board when they occurred.
Start doing the job. Get a full briefing of what has happened at the company, where the assets have gone, what the CEO has done, and what the prospects are for reinstating any disputed assets. This is high risk.

The fourth option, to me, is the only ethical one and the least risky. To succeed, Cadenza will need to reestablish a good working relationship with the CEO. Her duty is to the company. She must ensure that the CEO properly accounts, then either returns or pays the company for any assets appropriated and sold. She must also understand the positions of the major shareholders and the background of the capital raising.

Intellectual property is often contentious in small start-up and scale-up companies. CEOs may believe that it is their know-how; shareholders may view it as the company’s asset. Cadenza needs legal help identifying what belonged to whom and putting in place systems to control intellectual property and other assets.

Ron Heinrich, chair, Assetlink Group; director, Go Gentle Australia, FarmLink Research, Intersales Temora, Commonwealth Lawyers Association; partner, HBL Ebsworth Lawyers: Cadenza has clearly breached her duties as a director, namely her duty to exercise reasonable care and diligence, by failing to keep herself informed about the activities of the company. As a director, Cadenza had an obligation to act in the best interests of the company as a whole, rather than in the interests of a particular shareholder. She is potentially liable for damages for breach of director duties. She could also be liable to pay a steep financial penalty, as well as potentially be disqualified as a director.

Resigning as a director is not an option. In these circumstances, Cadenza should do all that is possible to mitigate the situation by taking various steps, including the following:

Formally request in writing that the CEO provide full details and copies of the documents that show assets transferred or sold to the CEO. If the CEO refuses to supply such details and copies of the transaction documents, the shareholders could turn to the courts for an order to inspect the company’s books and records.
Convene a meeting of shareholders as a director to discuss the transfer or sale of company assets for the apparent benefit of the CEO.
Recommend to shareholders that they bring a derivative action against the CEO. Importantly, the company is regarded as the proper plaintiff in such circumstances and therefore any proceeds that flow from the derivative suit would be recovered for the company.
Seek advice from a good corporate commercial lawyer as to how best to protect her own position.

Albert Froom, managing partner, Leaders Trust; global practice leader, financial services, AltoPartners: Is there a good way out of this for Cadenza or for the CEO or for the shareholder? Cadenza has obviously failed to fulfill her duties as a nonexecutive director, and by her own admission took no notice of the board packs that were sent nor did she attend any meetings as her business activity increased.

In truth, the shareholder (the investor!) who speaks up and goes to Cadenza, the nonexecutive director, after trying to get information through the CEO has taken the right steps. But until now, the things that might be wrong only appeared to be wrong, with no proven facts known yet to Cadenza or the shareholder.

So what should Cadenza do? She can still act on the rumors! She is still on the board and can fulfill her role by conducting her own due diligence—reviewing past board papers, financial statements, supporting materials, and meeting minutes that were sent to her to establish whether the rumors are true and that business was conducted in the interest of the company and its shareholders.

If she does not have the most recent board papers, she should request them from the company secretary. To reduce her reputation damage, Cadenza should act immediately, informing the shareholder that she is on a fact-finding mission and that she will act accordingly. Based on her findings, she might inform the authorities, either confirming or negating the shareholder’s suspicions. If her findings show that the rumors are true, she can explain that she was just in time but acknowledge to the authorities that she should have been more attentive, has learned a valuable lesson, and pledges to be more attentive as a director. She should also consult a lawyer about possible legal actions from the shareholder, the authorities, or even the CEO. A comprehensive media statement should also be prepared that is approved by the lawyer and the board at large in the event the situation is leaked to the press.

How Boards Can Ensure the Accuracy and Quality of ESG Data

Investors are increasingly demanding that companies provide both quantitative and qualitative environmental, social, and governance (ESG) risk and opportunity disclosures. Customers, employees, and other stakeholders have also added their voices to the call. Yet even as organizations make progress in offering this information, real challenges remain. 

Investors and others rely on ESG information in their decision-making; ESG reporting thus requires the same level of oversight and management that financial disclosures receive. This includes processes and internal controls applied with a rigor that ensures the completeness, accuracy, and consistency of disclosures. Only then are the disclosures “investor-grade.”

However, nonfinancial information does not typically receive the same level of attention as financial data and most organizations do not have a formal reporting process in place to collect, accumulate, and disclose it. Too often, companies disclose nonfinancial metrics that are not fully substantiated with supporting information, or they cannot confirm that the metrics contain no material errors. 

As boards and management evaluate their organizations’ ESG reporting, the overarching question is, How can the board ensure that the ESG data disclosed are accurate and high-quality, so that investors and others can rely on them? 

Below are eight further questions for boards to ask.

How can the board leverage sustainability standards or frameworks when considering the metrics to disclose? Frameworks and standards can help companies understand what information investors and other stakeholders are looking for and make disclosures meaningful to a broader audience in lieu of highly customized metrics that may lack comparability to peer companies.

What are the sources of the data? Information may come from various functions in the organization, including some—such as human capital, engineering, or manufacturing departments—that are not used to disclosing investor-grade data. Some of the data might be manually developed or tracked, making it harder to verify. 

What policies, processes, and internal controls are in place to ensure data quality? Companies should take a hard look at the control environment in which the data are produced. Too often, there are minimal controls in place. Effective underlying processes and internal controls around where information originates and how it is reported give management comfort on its accuracy, completeness, and consistency.

How is the data consolidated and will we need to implement information technology (IT) system changes? To compile certain metrics, companies may need to consolidate data at a global level or from across various departments, but some organizations may not have IT systems in place to consolidate nonfinancial data. Consider, for example, having to collect data on global worker headcount, greenhouse gas emissions, or safety issues. Manually consolidating this data in spreadsheets increases risk. Some businesses may choose to improve the efficiency and accuracy of the consolidation process by modifying their IT systems to support the effort—but that comes with an investment of money, time, and resources. Another challenge might be local laws and regulations; specific countries restrict what types of employee data can be collected.

Is greater assurance needed over the data disclosed? As boards discuss ESG disclosures, they may want to consider assurance over the metrics and information reported. Nonfinancial data are not typically included in financial statements, so they may not belong under the scope of external audit’s assessment. Additional assurance that ESG processes and policies are followed and effective can be requested and performed by internal audit, external auditors, or another controls-focused function. 

What governance structure exists to review and oversee this data? As companies look at the control environment, it is important to establish a governance structure for ESG metric disclosures. Boards should understand who at the organization is responsible for reviewing ESG information and how frequently reviews are conducted. A common pitfall with ESG disclosures is that reviews typically occur only annually. If a company finds that it is missing ESG information from interim periods, it may be too late to retrieve the necessary data.

Is a management-level disclosure committee involved? Many companies have a management-level disclosure committee in charge of financial reporting. This cross-functional team—usually including individuals from operations, legal, internal audit, finance, and other business groups—helps the company determine whether disclosures are accurate and complete. This broad group of individuals understands the importance of reporting to investors and can also be utilized to review nonfinancial ESG data disclosures. The disclosure committee will want to make sure the information and metrics accurately convey the company’s messaging and are truly investor-grade.

What is the role of the board? Some boards may have a separate sustainability or risk committee, while others may designate responsibility for overseeing ESG reporting to the full board. As this reporting makes its way into earnings calls, annual reports, Form 10-K filings, or proxy disclosures, it should be viewed similarly to financial reporting. Consider the role of the audit committee, as well, which has the most experience in this type of reporting and an understanding of the importance of policies, procedures, and internal controls.

Companies are refining their messaging and expanding their disclosures to meet stakeholder expectations. As stakeholder expectations relating to not only the type of disclosures, but also to the quality of the information within and supporting them, continue to grow, a board-level understanding of how the company can produce investor-grade ESG disclosures is critical.

Maria C. Moats is the leader of the Governance Insights Center at PwC US.

NACD, ISA, and World Economic Forum Release Joint Cyber-Risk Principles

The release today by the World Economic Forum, NACD, and the Internet Security Alliance (ISA) of global principles and metrics for cyber-risk oversight is an important turning point in how cyber risk will be understood.

Historically, cybersecurity has been conceived as a technical issue, and by extension, the management of cyber risk is shifted down corporate organizational charts to operations personnel. This has led to an almost exclusively technical or operational approach to addressing cyber risk with the hope that effective cyber-management principles will “bubble up” from the information technology (IT) department.

By almost any measure, that approach has been largely inadequate. 

According to the Forum, revenues for cyber criminals this year will total about $2.2 trillion—roughly equivalent to the annual revenues of the United Kingdom. Ransomware premiums have risen from the modest five-figure sums of a couple of years ago to up to seven-figure sums now. Although the recent systemic attacks on SolarWinds Corp. and Microsoft Exchange Server were executed by nation-states (Russia and China), we know from experience that, like most innovations, the techniques used in these attacks will fairly rapidly be diffused among a wide variety of attackers. Things are going from very bad to much, much worse.

Meanwhile, enterprises have been consciously engaged in digital transformation for several years now. In the early stages of digital transformation, the focus was on using the wonders of the digital age purely as a revenue-enhancing tool. As time went on, however, the dark underside of digital transformation—cyber risk—became apparent. This and the increase in frequency and severity of cyberattacks has prompted leading organizations to appreciate cybersecurity as a strategic business issue that is part of the core business mission and intimately correlated with organizations’ need for digital transformation.

In this construction of cyber-risk oversight, cybersecurity flows downward through the business from the board to senior leadership and across a reimagined organization that treats cyber risk as an enterprise-wide issue. The principles and methodologies that the Forum, NACD, and the ISA have produced, in the new paper Principles for Board Governance of Cyber Risk, define a process for how boards and senior managers can implement their respective roles in best addressing growing cyber risks.

The NACD and the ISA have been partnering on cyber-risk oversight handbooks for nearly a decade. Meanwhile, the Forum has been operating its own program through its Centre for Cybersecurity. Happily, the three organizations found that their independent investigations yielded substantially similar conclusions, which have been fairly easily integrated in the below list.

Cybersecurity is a strategic business enabler.
Boards need to understand the economic drivers and impact of cyber risk.
Cyber-risk management needs to be aligned with business needs.
Enterprises need to ensure that organizational design supports cybersecurity.
Cybersecurity expertise needs to be incorporated into board governance.
Systemic resilience and collaboration need to be encouraged.

Although the first five principles largely echo previous publications from the three collaborating sponsors, the sixth principle is relatively new. This principle emphasizes that boards must be concerned with more than simply securing themselves and their businesses; in the digital age, modern organizations must appreciate that they are part of a broad and interdependent digital ecosystem. The size and nature of the risk illustrated by recent attacks such as those mentioned above highlight that not only are individual entities under attack, but supply chains and the system itself are subject to attack, as well. As a result, collaboration and information sharing are not simply wise policies; they are imperatives, just as environmental, social, and governance issues are. Although cyber risk needs to be addressed from an empirical and economic perspective, the needs of the greater enterprise system must also be included in cybersecurity ethics and practices.

Friso van der Oord is senior vice president of content at NACD. Larry Clinton is president of the Internet Security Alliance. Daniel Dobrygowski is head of governance and trust at the Centre for Cybersecurity at the World Economic Forum.

Five Reasons Why CEO Succession Fails, and How to Get It Right

The road to CEO success is rocky. The average tenure of CEOs has plummeted, from 8.5 years in 2003 to 3.7 years as of 2020. The Corporate Executive Board finds that in the first year and a half in a new role, 50 percent to 70 percent of executive leaders recruited both internally and externally fail. This lack of success comes at a huge cost. Companies that have to remove a CEO forfeit almost $1.8 billion in shareholder value compared to companies with successful placements. Add to that internal disruption and lost opportunity and the cost mushrooms for companies of all types and sizes. It’s a board’s nightmare.

Despite these odds, there are some lessons to be learned about how to avoid a CEO transition failure and how to get it right in the first place. As consultants to boards and CEOs on leadership and succession, our front-row view of the missteps that create costly mistakes in CEO placement decisions offers a cautionary tale for all leaders considering their own successors and those of their colleagues.

Take the example of the first-time CEO of a growing technology company who, not long after her internal succession, brought BTS Boston in to help focus her team on their strategy. She was frustrated by the mistrust and finger-pointing on the executive team, and as we worked with her to rebuild the team and culture, the challenge of her position became clear. About 18 months previously, the board had by-passed internal candidates to recruit an external industry leader from a marquee brand to follow their long-time, retiring CEO. The high-profile search took a year, and though fully supported by the board, within the first 12 months the new CEO’s divisive leadership style had created an “in crowd” and an “out crowd,” leading to siloed arms of the organization that could not collaborate. When that chief executive abruptly departed, the board scrambled to circle back to internal candidates, and our client got the nod. She would enter her first year with strong headwinds, tasked with rebuilding the team, the culture, and the strategy.

This scenario highlights the blind spots companies have when taking on the high-stakes, high-risk task of CEO succession. One big misstep is often followed by years of recovery. Before going any further with succession planning, boards should pressure test their own processes against these five common mistakes.

1. Overlooking the Question of Character

The CEO of the tech company above went on to see tremendous success, building a top-performing company with a strong team, culture, and trust with the board and shareholders. Her board chair told us two years after her initial ascent to the position that promoting her into the CEO seat was the best decision they had made. But what was that “off-the-paper” difference that made her so successful? And what had they missed about the external candidate who failed?

Character. When evaluating candidates or internal successors, search committees too often rely on hard skills as the concrete metrics to decide on CEO placement. They miss out on the opportunity to ask critical questions about the candidate’s personal values and how they build relationships, instill trust and confidence, grow company value, build credibility with analysts, promote a strong corporate culture, and inspire a shared vision.

Board members must get to know candidates and internal successors personally through conversations over time to learn how the leader thinks, what they find important, how they listen and engage, and how they share their own life lessons and values.

2. Further Dependence on the Wrong Criteria

The profile of a successor is the foundation upon which the future of the company and strategy are based. One of the biggest derailers of success is relying on the wrong profile and the wrong set of criteria for your next CEO. Avoid the following common missteps when setting candidate criteria:

as noted above, overemphasizing industry expertise, while missing the wider range of leadership capabilities and skills that make a high-performing CEO,
trying to simply replace the current CEO rather than taking a fresh look at what will be needed to deliver on the future strategy or market opportunities, and
tasking an external search firm with the development of success criteria based on their models, rather than building the company’s own profile tailored to its business, culture, and strategic requirements.

In the case study of our tech client, the board’s belief that an external change agent would advance the existing strategy led to a cultural mismatch, and ultimately failed.

3. Failure to Develop Internal Candidates

Many boards and CEOs put active succession-planning on the back burner until they are at the precipice of a transition because, quite frankly, it’s hard to do. They perceive too much risk in signaling advancement to internal successor candidates, fearing they’ll create a horse-race that distracts from execution and potentially leads to the loss of key talent. The consequence is a readiness gap with possible successors weakening the organization’s ability to weather the storm of an unexpected departure. Additionally, putting off succession planning reduces the strength and breadth of the candidate pool that comes with a deep leadership bench and those in line lose out on the opportunity to gain exposure to critical audiences, issues, and experiences that would make them more ready and effective to step into the role.

4. Believing Placement Is the End Zone

Making the right selection is the starting point—but setting the new CEO up to succeed is the difference-maker. It can be easy to forget that there is a steep learning curve involved with entering a new CEO seat, even for experienced executives. Particularly for an internal successor, time allocation, building board relationships, executive team management, navigating external visibility, and other new routines need to be established and can make for a bumpy first year. For any candidate, developing trust, building a successful executive team, stabilizing client relationships, setting and selling the strategy, and creating a CEO narrative requires a high level of focus that should be core to the onboarding process.

5. Ignoring the Importance of Transparency in the Process

So often the CEO succession process happens behind closed doors, far away from even those who will work most closely with the new CEO. Beyond the search committee, few have insight into how the CEO will be selected, what the criteria are, and how the decision will be made. This vacuum of information gives rise to rampant speculation, skepticism, and cynicism, and, in more extreme cases, suspicion and concern. The void is sometimes filled with a fear of hidden agendas, such as those involving insider relationships and favoritism, diversity goals, potential unannounced mergers or acquisitions, or the influence of activist investors. If those concerns take root, at best it will make it hard for the team to trust their new leader. At worst, this can create destructive infighting and even cause key players to leave when you can least afford their departures. Make sure to set your next CEO up for success by communicating the how and why of the selection process early and often.

In addition to reviewing company processes and the common missteps above, boards can take the following steps now:

Start early. If it’s not already on the agenda, bring C-suite succession to the front of the deck at your upcoming board meeting. Engage the full board and current CEO in a discussion about succession-planning for each member of the executive team and set expectations of a formal process.

Engage external expertise. Have these experts develop a profile for the CEO of the future state of the company and keep the profile current annually by reevaluating criteria based on material shifts to the company, strategy, or environment.

Develop the bench. Learn about company leaders before they become successors. Have them present at board meetings, learn about their business areas, and hear how they think and what they see as future opportunities for the business. Invest in preparedness with a formal development plan for each leader.

Take the risk out of transitions. Provide the new CEO with a strong third-party coach. The chair can act as a valuable mentor and can help onboard a CEO but is no substitute for an experienced, trusted advisor who creates a safe zone for even the most seasoned leaders.

CEO turnover is a perennial issue, one that will continue to plague companies who fail to plan and prepare for the future. The failures will become more and more costly as the pace and competitive environment of global business continue to accelerate at warp speed. Going forward, it will be even more important for boards to put this issue front and center, plan carefully, and consider actions to take now to develop potential internal candidates to deliver future success.

Sarah Woods is a partner at BTS Boston, formerly Bates Communications, a global management consultancy that improves performance through communicative leadership. Joe Andrews was formerly chief human resources officer for Progress Software Corp. and is currently a consultant, coach, and CEO succession expert with BTS.


ESG and Human Capital Management Are the Keys to Resilience and Transformation

The COVID-19 pandemic materially altered how corporate boards should be thinking about enterprise sustainability through the lens of environmental, social, and governance (ESG) initiatives. The concept of stakeholder capitalism—and its link to enterprise sustainability—has taken firm root in corporate governance and workforce management. Consistent with the Business Roundtable’s 2019 articulation of the new corporate purpose, 2021 begs for a more expansive view of organizational success—one that puts all stakeholder (employee, customer, shareholder, and community) interests at the heart of the transformation agenda.

It is clear that ESG and stakeholder capitalism will and should have a growing presence in the boardroom and on the board agenda. For example, 67 percent of nearly 2,000 global director respondents in the Global Network of Director Institutes (GNDI) 2020-2021 Survey Report indicate that COVID-19 will increase board focus on ESG, sustainability, and stakeholder value issues. In addition, 39 percent identify meeting the challenges of stakeholder capitalism as one of their top three challenges in responding to the pandemic.

Mercer’s 2020-2021 Global Talent Trends Study reveals similar concerns within an organization. Sixty percent of US human resources (HR) leaders say that they have maintained or stepped up their pace in moving toward an ESG and multi-stakeholder approach to business over the last year. Over half (53 percent) of these HR leaders are now tying ESG objectives to their corporate purpose, and 26 percent are linking these objectives to executive scorecards. In addition, more than one-third of surveyed employees indicate that their choice of future employer would be influenced by the employer’s articulated corporate purpose.

Meanwhile, two-thirds of organizations report that ESG will be a crucial focus for 2021 (71 percent said the same in Europe; 67 percent in the Asia-Pacific region; and 61 percent in North America). The United States clearly has room to grow on this agenda item.

Managing people risk effectively will be critical to future success and sustainability in an uncertain economic and social environment. Stakeholder empathy, particularly in relation to employees, emerged as a top leadership concern in 2020, and is likely to persist as an important component of sustainability, with two in five HR leaders at US companies saying that managing employees inclusively and with empathy will be a key to enterprise resilience going forward.

Indeed, the study finds that organizations that integrate ESG metrics into the CEO’s agenda are more likely to report high revenue growth. Also, investment funds that focus on organizations that prioritize ESG often generate returns superior to those of other funds.

Given the rising emphasis on people and ESG, with a particular focus on the diversity, equity, and inclusion (DE&I) aspects of social corporate objectives, boards must turn to the old adage that you cannot manage what you do not measure and ask their management teams to map out how their organizations will track, monitor, and drive forward their ESG and DE&I program goals. In fact, the GNDI survey reveals that 63 percent of directors see an increased need to incorporate data analytics into the board decision-making process. Boards may wish to ask management, for example, what DE&I analytics and metrics will be tracked and how and when these will be reported. Is the organization considering an internal labor market analysis to assess representation deficits across the company’s hierarchy and to identify specific pain points (e.g., hiring shortcomings, career “ceilings,” and points of retention risk)? The board or committees can also consider links between DE&I goals and incentive plans. Increasingly, investors evaluate companies based on their human capital management and DE&I metrics, such as those pertaining to representation, equity in pay and benefits, and attrition rates by demographic group.

However, only 23 percent of organizations say they will be investing in DE&I analytics and insights in 2021. This is disappointing, given that Mercer’s talent research attests to the impact of analytics in making DE&I progress and the disproportionate toll COVID-19 has taken, for example, on women in the workplace.

Nonetheless, a recent Mercer executive rewards pulse survey of around 1,000 North American organizations finds that nearly half (44 percent) are currently using or considering the use of ESG and DE&I metrics in their incentive plans to promote a focus on related objectives. That said, practices vary significantly, ranging from the majority of companies having no linkage between executive pay and human capital management and DE&I goals, to Hyatt Hotels, which made increasing minority representation across various levels of management in the United States and globally the sole metric in its most recent long-term incentive awards. For most companies, the right answer will fall somewhere in between.

On the bright side, last year saw a fivefold increase in the number of companies measuring pay inequity against 2019 levels, helping to boost the business community’s understanding of large gaps in health and wealth across numerous constituencies. In 2021, 45 percent of HR leaders in the United States (and 35 percent of HR leaders globally) plan to improve pay equity analytics to drive transparency and action.

The bottom line is that decision-quality data is at the heart of charting an enterprise’s course toward people sustainability and organizational performance. Companies that fail to invest appropriately will inevitably find themselves struggling to attract, retain, and engage the diverse talent needed to succeed in today’s marketplace.

Eric Larré is a partner in Mercer’s executive rewards business in Atlanta. He works with corporate boards to develop incentive programs that align with financial and strategic objectives and investor expectations.


Improve Cyber-Risk Measurement Through Scenario-Scoping

Many boards are struggling with the question of what cybersecurity risk means to their organizational objectives and how to manage this risk. There is a strong desire to find some way to look at cyber risk from a quantitative point of view, owing to the late Peter Drucker’s principle of “what gets measured gets managed.” But what is cyber-risk quantification and how can measuring cyber risk help your organization?

Underpinning all measurement activities is something known as “measurement science” or metrology. This scientific approach to measurement has given rise to such basics as temperature reading and distance scales. For things that are a little more abstract, there are scientific principles that can be applied to help improve measurement and, by extension, decision-making.

As enterprise-risk management (ERM) organizations established themselves over the last two decades, they needed a way to help businesses manage loss exposure from risks that were difficult to quantify and that were largely unable to be underwritten by insurers. They also needed a way to prioritize risks based on the potential each risk had to cause harm to organizational objectives. The easiest solution was to directly apply priority labels to show how important the risk was (e.g., high, medium, or low). These labels have also been used by cybersecurity organizations as they lead or assist in managing enterprise cyber risk.

However, there are some problems with this approach. While these labels are a useful decision-making shortcut (a company does not want to take on high-risk activities, but it will tolerate low-risk ones), there are reams of academic research that discuss the failures of this approach to account for biases and basic measurement errors. Too many people subconsciously neglect to account for organizational risk when applying these labels and instead use their own risk tolerances to calibrate risk for the entirety of the organization. The use of these scales actually adds error to the risk evaluation process instead of reducing it. Further basic errors include the assumption that the distance between values is equal (i.e., the assumption that risks rise in severity at a consistent rate), which compresses risks at the top into a single category, effectively treating a $50 billion risk as equivalent to a $5 million risk, for example. This approach therefore has the effect of keeping an organization from taking reasonable risks at best and misallocating capital to unnecessarily mitigate risk at worst.

True cyber-risk quantification requires the use of values that measure frequency of loss and impact of loss in attaining organizational missions and goals. In this way, quantifying cyber risk comes down to articulating the scenarios that could cause an organization to fail to deliver the products and services for which it is chartered. Expressing cyber risk this way has been thwarted by a dearth of available data and methodologies at individual companies. However, many third parties have been established to provide such data and methodologies and today, cyber-risk quantification is not only possible but employed by companies all over the world.

Applying this data to your organization requires the development of cyber-risk scenarios. This approach begins with defining top-level cyber-risk categories (such as data disclosure, fraud, and business interruption) and breaks those down into progressively more detailed sets of scenarios. Ultimately, at the lower branches of such a decomposition exercise, an organization will arrive at a series of risk triggers familiar to cybersecurity professionals that can be mapped to a control framework, such as the National Institute of Standards and Technology Cybersecurity Framework. In this way, an organization can connect low-level cybersecurity attacks, such as those involving ransomware and code exploits, to the controls that prevent them and ultimately to organizational objectives (as expressed through a company’s products and services). The good news for enterprise risk teams is that financially oriented frameworks, including the Basel II regulations, also support this approach.

Here is an example of a risk decomposition that connects high-level strategic objectives to lower-level cybersecurity issues.

Strategic Objective 1: Increase the number of customers that use more than one company product by 40 percent.

Cyber Risks to Objective 1:

Layer 1—External fraud
Layer 2—Systems security
Layer 3—Hacking
Layer 4—Credential stuffing, privilege escalation, lateral movement, etc.

Strategic Objective 2: Increase sales in the North American market by 15 percent.

Cyber Risks to Objective 2:

Layer 1—Business disruption
Layer 2—Systems security
Layer 3—Software
Layer 4—Ransomware

Once such a top-down and bottom-up approach has been made, the exercise of building quantified values to express loss as a result of risk becomes clearer. In addition to traditional revenue metrics such as those weighing the value of delayed or forgone customer transactions, organizations can also leverage public peer data to index losses and project legal and regulatory outcomes.
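The following sketch is an added illustration, not code from the article or from VisibleRisk: it attaches a loss frequency and an impact range to one Layer 4 scenario from each decomposition above and rolls the simulated annual loss up to the strategic objective. The event rates, dollar ranges, label cut-offs, and the choice of Poisson frequency with lognormal impact are all assumptions made for the example.

```python
import math
import random
from statistics import mean

# Decomposition paths are the article's; every number below is constructed.
SCENARIOS = [
    {"objective": "Objective 1",
     "path": ["External fraud", "Systems security", "Hacking", "Credential stuffing"],
     "events_per_year": 2.0, "loss_p05": 50_000, "loss_p95": 2_000_000},
    {"objective": "Objective 2",
     "path": ["Business disruption", "Systems security", "Software", "Ransomware"],
     "events_per_year": 0.2, "loss_p05": 1_000_000, "loss_p95": 40_000_000},
]

def ordinal_label(loss_usd):
    """Three-bucket label of the kind the article criticises (cut-offs assumed)."""
    if loss_usd >= 1_000_000:
        return "high"
    return "medium" if loss_usd >= 100_000 else "low"

def poisson(rng, rate):
    """Number of loss events in one year (Knuth's method, fine for small rates)."""
    limit, count, product = math.exp(-rate), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate_annual_losses(scenario, years=20_000, seed=0):
    """Monte Carlo of yearly loss: Poisson frequency, lognormal impact per event."""
    rng = random.Random(seed)
    low, high = math.log(scenario["loss_p05"]), math.log(scenario["loss_p95"])
    mu, sigma = (low + high) / 2, (high - low) / (2 * 1.645)  # fit 5th/95th percentiles
    return [sum(rng.lognormvariate(mu, sigma)
                for _ in range(poisson(rng, scenario["events_per_year"])))
            for _ in range(years)]

def exposure_by_objective(scenarios=SCENARIOS, years=20_000):
    """Add up leaf-scenario losses year by year under the objective they threaten."""
    yearly = {}
    for seed, s in enumerate(scenarios):
        losses = simulate_annual_losses(s, years, seed)
        prev = yearly.get(s["objective"], [0.0] * years)
        yearly[s["objective"]] = [a + b for a, b in zip(prev, losses)]
    return {obj: {"mean": mean(t), "p95": sorted(t)[int(0.95 * years)]}
            for obj, t in yearly.items()}

if __name__ == "__main__":
    # The label collapses a $5 million and a $50 billion loss into one bucket.
    print(ordinal_label(5_000_000), ordinal_label(50_000_000_000))
    for objective, stats in exposure_by_objective().items():
        print(f"{objective}: mean ${stats['mean']:,.0f}/yr, 95th pct ${stats['p95']:,.0f}/yr")
```

With these constructed inputs the less frequent ransomware scenario carries the larger expected and tail loss, a ranking that a shared "high" label cannot express.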

It is useful to start operationalizing these foundations of cyber-risk quantification as global credit agencies and cyber insurance underwriters are beginning to use similar processes in assessing organizations’ credit worthiness. Indeed, in much the same way that credit rating agencies began talking about environmental, social, and governance risk years ago, so too will cyber ratings become a constituent component in investors’ evaluations over the coming years. This is especially true as the world becomes more aware of the sizable financial impact of mega breaches and supply-chain interruptions on business. Organizations that don’t address cyber risk as a quantifiable, financial risk to their strategic plans will find themselves at a disadvantage in the marketplace. As a board, consider asking the security and enterprise risk leaders in your organization how they are considering the above approaches, including how to use scenario-planning and cyber-risk quantification to inform the company about cyber risks and how ERM leaders and the chief information security officer are bringing their teams together to tackle this problem.

As head of cyber-risk methodology for VisibleRisk, Jack Freund has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk.
