Improving Audit Committee Effectiveness

The strength of our public company financial reporting system relies on many stakeholders playing different but interconnected roles in a process designed to provide investors and our markets with high-quality, reliable financial information. Audit committees play a vital role in the financial reporting system through their oversight of financial reporting, including the audit of the company’s financial statements and internal control over financial reporting performed by the external auditor.

Increasingly, audit committees are also responsible for overseeing other areas of corporate reporting, such as cybersecurity; environmental, social, and governance (ESG); and other non-GAAP (generally accepted accounting principles) information. Given the increasing scope of oversight, how audit committees manage and disclose these responsibilities is an important consideration in today’s environment.

My organization, the Center for Audit Quality (CAQ), and NACD recently convened an investor, James Andrus; an audit committee member, David Herzog; and an academic researcher, Lauren Cunningham, to discuss the evolving role of the audit committee and identify best practices related to effective audit committee oversight and responsibilities. The discussion, led by Vanessa Teitelbaum, senior director, Professional Practice at the CAQ, had several important takeaways.

The Agenda of the Audit Committee Has Become Increasingly Crowded

The discussion explored the results of two publications recently released by the CAQ. The first, the CAQ’s ninth annual Audit Committee Transparency Barometer, reflects a long-term positive trend of increased transparency in several areas by audit committee members. The second publication, Audit Committee: The Kitchen Sink of the Board, developed with academic researchers at the University of Tennessee Knoxville’s Neel Corporate Governance Center and the Pamplin College of Business at Virginia Tech, offers leading practices for audit committees. This includes how boards can effectively allocate oversight responsibilities to the audit committee, how audit committee members can keep up with an ever-evolving workload, and how audit committees can improve their disclosures related to their oversight responsibilities.

Lauren Cunningham, one of the researchers who authored the Kitchen Sink report, observed during the webinar that the scope and workload of audit committees are increasing, with 40 percent of the audit committee members interviewed for the report referring to the audit committee as the “kitchen sink” of the board. According to the report, emerging areas of focus such as cybersecurity, ESG, and enterprise risk management are increasingly being assigned to the audit committee, but this can lead to suboptimal work.

Audit Committees Are Using a Variety of Methods to Improve Their Practices

The Kitchen Sink report also identified several leading practices audit committees are using to manage their increased workload. One important consideration for audit committee members is to be purposeful about developing skill sets that match their oversight responsibilities. They can do this by actively assessing the committee’s key risks when planning for continuing education opportunities and utilizing specialists where needed; regularly evaluating whether audit committee refreshment is needed to keep up with the necessary skill sets to properly oversee evolving risks; and carefully managing the committee agenda by mapping out risks to allow for deep dives on a rotation of topics throughout the year. 

Audit committees can also free up time for additional responsibilities by managing the agenda and relationships. This includes working with management to fine-tune the types of materials delivered in advance, holding audit committee members accountable for reading those materials before meetings, and reflecting on whether meetings allowed sufficient time to evaluate management’s response to key risks.

“At MetLife, the pre-reads are written documents—we don’t just get slides without context. These written reports really help before we walk through a presentation,” said Herzog. “We also utilize a calendar that helps us organize our meetings. We meet 11 times a year and make liberal use of off-cycle meetings to dive into deeper topics.”

Maintaining a collaborative relationship with management and adopting leading practices to manage shared governance across board committees can also help audit committees free up time.

There Is Need for Improvement in Disclosures

While the CAQ’s 2022 Barometer found that there were several positive disclosure trends among S&P 500 audit committees, including increased disclosures about oversight of cybersecurity year over year, there were still many areas for improvement. For example, while 71 percent of audit committees of S&P 500 companies disclose auditor tenure in the proxy statement, only 9 percent of such audit committees disclose how the audit committee considers length of auditor tenure when reappointing the external auditor. And while 51 percent of audit committees of S&P 500 companies disclose that they are involved in the selection of the audit engagement partner, few disclosed what their involvement in the selection of the audit engagement partner entails.

Cunningham noted, “One thing we saw is that there are two types of audit committees out there. There are those clinging to the [US Securities and Exchange Commission]’s bare minimum rules and who have a ‘check the box’ mentality. Then there are those who are going beyond these rules and disclosing important information about their work that investors want to know.”

“We love to say it just takes one person to enhance disclosures. It either takes a corporate secretary or general counsel that believes in the importance of corporate transparency, or it can be the audit committee sharing resources like the Barometer,” said Cunningham. “It’s really easy for them to forward these documents and say, ‘can we just have a conversation about this? This is what our peers are doing.’”

Herzog, who chairs MetLife’s audit committee, noted on the webinar that board structures can make a difference in how companies manage and effectively communicate their disclosure. “There’s no one size fits all. At MetLife, we have five standing committees that are thoughtfully designed and fit for purpose. These committees are structured so that together they address the risks that MetLife faces.”

Investors want to see clearly defined roles and responsibilities assigned to the audit committee, an explanation for why audit committee members are appropriate for the specific company, examples of continuing education for audit committee members, more explanation for how audit committees address key risks, and details that reflect broader audit committee responsibilities.

“One thing that was important from the Barometer report was that it said, ‘increased transparency improves investor confidence,’” said Andrus, interim managing investment director, board governance and sustainability at CalPERS. “That hits the nail on the head. When we view the people on the audit committee as professional, competent, and good, then we have confidence. The concern becomes when committees do not take their responsibilities seriously and we can’t gauge that there are problems at their company.”

He added, “In many cases, we’re unaware of the other things the audit committee is doing, and they aren’t getting credit for it! We’d have more confidence in the company if we knew of the work audit committees are doing, so I really applaud the Kitchen Sink report for outlining what that work looks like.”

Final Thoughts

When it comes to the audit committee, transparency is the key to investor confidence. Audit committees should take both a quantitative and qualitative approach to personalized disclosures to give investors more insight into the processes, considerations, and decisions made by the audit committee.

Julie Bell Lindsay is the CEO of the Center for Audit Quality.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

M&A Risk Oversight Amid Economic Volatility

Entering a recessionary period is always an interesting time for mergers and acquisitions (M&A). Deal activity in 2022 is down from 2021 but is relatively stable compared with prior periods. In this cycle, transactions are taking longer to execute due to increased regulatory scrutiny. Also, notably different than during the Global Financial Crisis, the banking system is well-capitalized and resilient, and private capital as well as corporates are sitting on significant amounts of dry powder.

The role of the board in navigating the volatility of today remains critical. When facing a downturn and potential long-term recession globally, companies can find themselves on one of three paths: grow, survive, or die. The board must engage in active strategic oversight and assess potential transactions as buying or selling opportunities.

Companies that grow amid volatility are already in a position of strength with access to capital. The board and management are in the enviable position to pursue strategic targets at advantageous valuations. Targets are often companies in survival mode and focused on liquidity, leverage, and maintaining the core business. These boards should be considering divestitures of noncore assets or restructuring the balance sheet. If a company is entering a recessionary period with declining performance or an impending liquidity crisis, it is critical for the board to know this while it can still act to deliver the best value for shareholders. Being acquired or merging may be the best option. In any case, the board should know which path the company is on.

M&A activity in uncertain times brings several key risks to the forefront of the boardroom, including strategic, financial, regulatory, and talent risks.

Strategic Risk

Boards are well served to proactively oversee a strategic assessment of M&A or divestiture opportunities in the case of a potential downturn. Identifying strategic targets or potential acquirers creates space for thoughtful consideration before getting caught up in the moment. Amid uncertainty, transaction opportunities can present themselves quickly. Identifying a situation as aligned with long-term corporate strategy increases speed to execution, improves valuations, and satisfies shareholder expectations.

The board must also consider allocation of resources when volatility may limit capital and management bandwidth for integration while addressing challenges in the existing business. Importantly, the board must be able to assess when management wants to do a deal and should not (as management often advocates for acquisitions brought to the board) or does not want to do a deal and should. An independent assessment from a third party or appointment of a special committee is an effective measure to clearly analyze risk and reward trade-offs.

Financial Risk

In this environment, valuation and price matter. Boards on both sides of the table should ask for scenario analyses and valuation updates frequently during negotiations. The acquiring board should question growth projections and cost synergies with judgment and scrutiny. Similarly, the board’s role in a sale or divestiture is to obtain the highest and best value for shareholders, and one way to mitigate valuation risk is to keep management focused on executing the deal as quickly as possible.

All boards would be well served to assess pro forma financials under macro stress scenarios, as well as typical synergy scenarios. Having a view of the potential downside if revenue does not grow and interest rates rise, for example, is more effective than assuming static macro factors over time.

Regulatory Risk

Regulatory review of proposed M&A transactions has recently expanded in duration, scope, and depth. For example, competitive stakeholder reviews focus on the industry, as well as employees, customers, and suppliers. In cross-border deals, matters of national security, data privacy, and climate change are high priorities. Regulatory delays can erode value and put pressure on the target, which wants to close the deal as quickly as possible, and the acquirer, which will accept extra time constraints to minimize regulatory remedies.

A disciplined process mitigates regulatory as well as litigation risk. Expect transaction outcomes to be challenged and document decisions, discussions, and disagreements throughout negotiations. Scenario analyses are also effective to identify and address regulatory concerns early. The board must set longer timelines to absorb delays in regulatory approvals, protect against renegotiations, and maintain business operations without undue distraction.

Talent Risk

Certain M&A risks remain prevalent in any economic environment. Board and management teams have a role in ensuring successful transitions before and after the deal is finalized. A mismatch in corporate and board culture is one of the most common causes of failed integrations. The board is making a big bet on the leadership team. A deal may fit strategically, but management needs to execute the integration and implement the go-forward strategy. The board must also ask if the directors collectively still provide the right expertise and talent required for the new organization.

However, the last few years have been defined by crises. Boards and management teams are still navigating through the COVID-19 pandemic and the future of work. We are facing an economic recession and global turmoil. Consider board, management, and employee fatigue. Boards must determine if M&A or divestiture opportunities are strategic versus reactive to the market and macro environment.

To navigate M&A today, the board should proactively identify risk and potential impacts through strategic assessments and scenario analyses. Additionally, expect transactions to take more time and focus from the board. Finally, in this cycle with capital in the market, know that there will be winners and losers.

Emily Harte is a Partner at Oliver Wyman, a business of Marsh McLennan.


ESG and the Board’s Governance Role 

Global research indicates that companies in North America are less committed to environmental, social, and governance (ESG) engagement than those in Europe and Asia-Pacific. For boards seeking to improve their ESG engagement, what steps should they take? Below are 10 steps boards should explore. 

Engage stakeholders. Boards should consider employee, customer, supplier, investor, and other stakeholder interests in the context of maintaining financial vibrancy, sustaining the organization’s strategy and business model, and delivering long-term shareholder value. Interactions with key stakeholders are opportunities to learn about their respective interests and concerns and build relationships based on trust. A company’s commitment to all of its stakeholders and its commitment to its shareholders are not to be viewed as mutually exclusive; rather, both are integral to the purpose of generating sustainable long-term shareholder value. 

Set the context for the ESG agenda with organizational purpose. Directors should develop a shared view with executive management regarding the organization’s purpose, including the promises for which its brand stands. Purpose focuses on why the organization exists and how it benefits the markets it serves. It frames the narrative to the public. 

Integrate ESG considerations with strategy and capital allocation. Boards are stewards of capital, and ESG initiatives are under increased financial pressure as CEOs and investors focus more sharply on risk and reward. Ultimately, directors must view ESG considerations the same way they view everything else that involves the allocation of capital and the future (e.g., understand the strategic opportunity and purpose, inquire as to the risks, and measure and monitor return on capital). 

Assess board ESG capabilities. The board chair and committee chairs should periodically evaluate the board’s expertise with respect to environmental and social matters and the organization’s changing needs to set a context for planning board succession and onboarding new members. Board refreshment is about maintaining currency with respect to knowledge, experience, and perspectives in the boardroom.  

Evaluate the board’s ESG oversight process. ESG-related opportunities and risks, supported by data and metrics, should be included within the scope of the board’s overall oversight process. To that end, it may make sense for directors to review the board committee structure (including the need for a separate ESG- or sustainability-focused committee) to ensure coverage of ESG priorities while also retaining a whole board view of the full picture with respect to ESG strategy and reporting. Based on the review’s results, committee charters should be revised accordingly. 

Set board reporting protocols. To set the foundation for ESG oversight, the board should establish the content and frequency of the ESG reports it is to receive from the company. The board should receive periodic briefings regarding management’s assessment of material ESG issues and the company’s current ESG market ratings and rankings as well as their implications. Directors also need to work with management to define the board’s involvement in significant decisions regarding environmental and social matters, including company positions on sensitive social and political issues.  

Integrate ESG matters into risk management. As Martin Lipton, a noted author, pointed out, ESG “is… a collection of… disparate risks that corporations face, from climate change to human capital to diversity to relations among the board, management, shareholders, and other stakeholders.” The board should ascertain that these risks are added to the scope of the enterprise risk management process, with incorporation into enterprise risk assessments, integration of risk with strategy-setting and performance management, and—if critical to the enterprise—periodic reporting to the board.  

Pay attention to ESG external reporting. High-quality and transparent ESG reporting to the public is a board priority. It is recommended that directors do the following: 

Establish an understanding and reach agreement with management on the nature and extent of the board’s review of draft ESG sustainability reports prior to issuance. 

Engage management regarding the effectiveness of the company’s disclosure controls and procedures, including the role and composition of its disclosure committee as well as the interactions of that committee with management’s ESG committee structure, if any. 

Inquire as to whether the company’s ESG storyline is resonating in the market and impacting the company’s valuation. 

Understand management’s preparations for new regulatory requirements (e.g., the US Securities and Exchange Commission’s forthcoming climate change disclosure enhancements) affecting the nature, extent, and timing of ESG disclosures.

Request periodic comparisons of the organization’s ESG reporting relative to its peers to ascertain whether there are potential deficiencies to be corrected. 

Finally, some companies are disclosing the board’s oversight role with respect to ESG matters. 

Focus on sponsorship and accountability related to compensation. The board should agree on the senior executive designated with responsibility for ESG and understand how the organization is driving a collaborative focus on the ESG priorities essential to the organization’s long-term success. Desirably, ESG performance measures are integrated with financial and operational performance monitoring to avoid becoming an appendage that would likely receive curt treatment in the C-suite. Performance expectations and the related metrics linked to incentive compensation plans are the means to ingraining accountability for results and commitment to progress within the culture. It also makes sense for the board to set agenda time for the dedicated ESG sponsor to discuss the company’s progress toward ESG targets in the context of the company’s overall strategy. 

Consider help from outsiders. Board governance sets the tone for effective corporate stewardship of environmental and social issues. To that end, the board may want to consider the need for engaging outside experts, as well as the importance of educating directors, on selected ESG topics. 

These 10 steps are not intended to suggest a fixation on ESG in the C-suite or boardroom, as there are certainly other fundamental issues that must be managed. Rather, the point is that leaders have a fiduciary responsibility to address the opportunities and risks posed by ESG matters as they ensure the long-term viability and well-being of their companies. Accordingly, they should focus on appropriate sustainability objectives while keeping an eye toward delivering expected financial results. In this context, board governance sets a constructive, balanced tone for effective corporate stewardship over environmental and social issues. 

Jim DeLoach is managing director of Protiviti. DeLoach is the author of several books and a frequent contributor to NACD BoardTalk. 


Multinational Companies Should Monitor Three Emerging Risk Exposures

Stretched supply chains, high levels of inflation, the conflict in Ukraine, and the COVID-19 pandemic continue to stress economies around the world and significantly affect organizations’ risk profiles. As existing risks evolve and new ones emerge, organizations have been under increased pressure to develop risk and insurance management strategies that are resilient as well as to build risk management programs that respond to fast-changing challenges.

For global businesses, the uneven impact of evolving and emerging risks is compounding the challenges of managing their multinational portfolios and introducing new risks for directors and officers. As they seek to remain competitive, business leaders need to understand this changing risk landscape, identify the interconnections, and take action to protect the bottom line, focusing on three main risks.

1. Inflationary Pressures

High inflation in countries around the world is increasing the value of many insured assets. At the same time, supply shortages are prolonging rebuild times and operational stoppages after losses. Underwriters are increasingly scrutinizing insured values to make sure that these reflect today’s replacement costs, requiring organizations to reevaluate their insured properties and assets to determine whether they have adequate coverage that will facilitate recovery in the event of a loss.

Uneven rates of inflation in different countries create an added complication for global companies that must ensure local subsidiaries update the valuation of their property and assets in line with inflation rates.

In addition, insurers are concerned about the impact of inflation on their bottom lines as higher costs contribute to larger claim settlements, which can lead to reserve deficiencies, faster erosion of deductibles, and inadequate coverage. Unease over underinsured assets on their books is leading some underwriters to include policy provisions designed to limit recovery to reported values, coinsurance or average clauses, or coverage disclaimers. It is critical that your management team review and update property values to ensure that they are current and align with inflationary effects.

Liability costs are also escalating due to inflation, with rising defense costs and settlement amounts and an increase in nuclear verdicts. Social inflation has been affecting US claim trends for many years and is a growing dynamic across the global marketplace, most notably in the United Kingdom. Management teams also should scrutinize customary liability insurance limits to ensure that they are sufficient in light of these increased costs.

Underinsurance risks are not restricted to your own operations but extend to all organizations that you do business with. It is critical to understand insurance requirements during an inflationary period and scrutinize the coverage required of third parties to determine whether they have sufficient limits to cover risk emanating from the relationship.

2. Tax and Regulation Risk

Global organizations with interests in different countries face the added task of abiding by local regulations, including tax requirements from both country-specific and global policies.

However, amid mounting pressure to reduce their spending in the face of inflation, many insurance buyers are forgoing country-specific coverage and instead purchasing global policies to cover their multinational risks.

Although a global program may lead to financial savings (often upwards of 25 percent) and lower administrative costs, it can expose local entities to government investigations and disruptive audits, as well as hefty fines and penalties, if their coverage is not in line with local regulations. The liability created by indirect taxes also is often not identified by the insured entity’s tax group.

Further, claims on global programs tend to be paid to the parent company, which typically then needs to transfer this money to the local entity that experienced a loss. These transfers, when legally allowed, may trigger additional income tax, eroding any program savings. Large monetary transfers may also trigger examinations, requiring risk management and treasury teams to spend time preparing their response to protect the firm instead of focusing on initiatives to improve the company’s resilience.

Your business leaders should work with local entities to review country-specific requirements and determine whether these are adequately addressed through a global program or they require local coverage.

3. Shifting Data Protection Regulations

From the European Union’s General Data Protection Regulation to the California Consumer Privacy Act, different countries and regions are looking at new regulations to protect their citizens’ private data. Enforcement efforts highlight the potentially exorbitant costs of noncompliance with data protection laws, delivering blows to the brand as well as the bottom line.

Not only can companies be held liable for possible mishandling of customer information, but there is also a growing demand for companies to have the financial reserves to pay any fines and other costs related to a breach. Insurance is one of the most sought methods to provide protection for such losses and satisfy applicable laws. Relying on a simple global insurance policy will likely become increasingly difficult in the face of varying country regulations.

Risk management teams should partner with global risk advisors to understand the data privacy risk climate in individual countries and any laws imposing liability for privacy breaches or requiring financial security in each country. Localized risk assessments can help your country risk managers determine whether current policies offer adequate protection.

Improving Your Multinational Resilience

As business leaders take actions to improve resilience in the face of emerging risks, organizations with subsidiaries in several countries will need to make sure that each local entity has adequate coverage to satisfy local regulations and provide the necessary protection in case of a loss.

This can be a moving target for many global programs, requiring significant commitment from the risk management team to keep up to date with shifting country requirements. Risk management teams should continuously monitor emerging risks and evaluate the suitability of current insurance program design to meet cost and compliance comfort levels.

Christian Hunter is the senior vice president and multinational Insurance Regulatory and Tax Consulting Practice leader, North America at Marsh.


A Design-Led Approach to Profitable Growth

Design-led. This term may conjure images of turtlenecked CEOs hawking the latest mobile phone or accessory, but design-led concepts need not be relegated to creative industries or sectors. A design-led approach places people at the center of program development and decision-making, invites empathy into the ways in which a company structures its business, and is something boards should be keenly aware of.

Rooted in industrial design (the creative act of defining a physical product’s form and features), the design movement in business describes a way of looking at products and services with deep empathy for their intended users—customers, employees, suppliers, and even partners. At its core, a design-led approach is simply about viewing the world through the eyes of consumers to resolve their pain points and evoke positive human emotions during every interaction with a company.

Today, design-led concepts can be found in the corners of every corporate function within every industry. What’s more, the design movement has matured into essential curriculum in top business schools and in leadership training in more progressive companies.

The interest in applying design capabilities to all types of businesses and functions (e.g., marketing, human resources, finance) is due in large part to the wide-spread digitalization and automation of commerce channels. Now, with these approaches becoming so well adopted in consumer-facing domains, businesses are turning to the power of design-led approaches coupled with advanced analytics to improve operating margins and accelerate growth. That’s right—you can do both simultaneously.

What Does ‘Design-led’ Look Like?

To demonstrate the power of a design-led, advanced analytics approach, here’s a quick real-life application: A Fortune 500 client was aspiring to install an enterprise data and analytics platform to efficiently manage and monetize operational data, but a price tag of $100 million kept the business from pulling the trigger. Senior executives couldn’t see past the giant expense, especially given the company’s history of information technology (IT) cost overruns and write-offs.

Rather than build an abstract and complex platform that only IT professionals truly grasped, the client took a design-led, advanced analytics approach. First, the company did an empathy map of the key personas (platform stakeholders) who would be using or impacted by the system. Next, it developed a prioritized list of customer and employee use-cases for the platform. Then, the team built only the platform components, one phase at a time, that were absolutely needed to drive practical value for customers and employees as identified in the initial set of use cases. The team aligned the business on this phased roadmap and defined key performance indicators for each phase so the client could measure success.

The close of each design phase included a quantitative review and report to the C-suite on the platform’s value to either customers or employees. The team’s ask to the C-suite was simple: give seed money to build the first phase, and if the team can quantify real value to either employees or customers at the end of the phase, release more money to build the next phase. Then the team would repeat the process. The results? Every phase was successful, and the data platform paid for itself in the four years it took to build.

But Are We Talking about Costs, or Growth?

Today’s market is a pressure cooker of challenges. It’s no wonder almost every board is focused on scenario planning to future-proof the business. While it might be tempting to focus planning efforts exclusively on cost take-out measures to weather tough financial times, we would argue in almost any scenario that a balanced approach to operational efficiency and customer experience innovation is best, even when times are hard—perhaps especially when they are hard.

Take companies such as LVMH. The luxury conglomerate might have been ripe for pandemic failure given its heavy reliance on affluent Chinese tourist sales in brick-and-mortar stores and reluctance to embrace ecommerce as a core business strategy. But when stores closed, the company invested heavily in designing ecommerce channels to connect with customers amid the “stay at home” environment, turbocharging online sales and reaping double-digit market cap gains.

Or take Ford Motor Co. The company encountered multiple pandemic setbacks as a result of the supply chain breakdown and decreased consumer driving during COVID-19, and still made perhaps the boldest innovative move in the history of the company by splitting into the Model e (electric vehicle, or EV) division and the Blue (gas) division. This strategy fundamentally repositioned the company and the design of its products to meet the changing needs of customers and humanity at large. The company took losses during the pandemic, but saved jobs, used assets to develop health equipment for first responders (ventilators, face shields, air purifiers, etc.), and went hard on the EV business investment.

These are just two examples demonstrating that companies that invested in customer-centric design are now starting to enjoy the fruits of those investments and their public positioning as strategic market leaders. Others that focused on reducing headcount and spending to manage costs are now feeling the pressure of being laggards in the competition for the talent and customers they so desperately need.

The beauty of design- and data-led approaches is that they both improve operational efficiency and still allow for smart top-line growth investment. A design-led approach removes friction and delights customers, and a data-driven approach deepens our understanding of customer and employee needs and automates operations and decision-making to produce more significant results.

Getting Started

Boards of directors facing the uncertain economic realities of today would do well to think deeply about how design-led and analytic-powered approaches can help the organizations they serve best their competition, hedge against market turmoil, and grow market share in a recessionary environment.

Boards can discuss these five steps with management to get their companies started:

1. Know the health of your customer journey and employee experience. Ask management to map and measure the critical customer and employee touchpoints to create deep insights about their human needs and opportunities to win greater loyalty.

2. Assess your asset foundation. Management should take stock of what you have. Most companies are sitting on a treasure trove of data and other assets and don’t even realize their value for new growth and efficiency opportunities.

3. Marry cost efficiency work with experience investments. For every cost cut, make sure management understands the impact on the customer and employee experience, and give something back to delight these stakeholders.

4. Remember, speed is an asset. Don’t be paralyzed by finding the “perfect” answer. Encourage management to use the data to identify multiple solutions. Test many. More than one might be right. The power of analytics and artificial intelligence today is cost accessible and more efficient than human decision-making.

5. Don’t forget about the people. “Design-led” means injecting empathy into all of these steps. At the end of the day, your customers, employees, and suppliers should think to themselves, “They really get me.”

Boards have a key role to play in supporting and encouraging design-led approaches to products and services that can give their companies a competitive edge as economic volatility continues.

Adam Malamut is the chief experience officer of Alvarez & Marsal Digital. Michael Lawless is a managing director with Alvarez & Marsal Digital in Washington, DC.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Geopolitical and Cyber Hot Spots: Galvanizing Risk Governance for Escalating China-Taiwan Tensions

In a year already unprecedented in its geopolitical tectonic shifts, twists, and turns, company boards everywhere need not only to up their focus on risk governance generally but do so specifically with respect to geopolitical and cyber risk. Whether or not a business is physically located in a geopolitical hot spot such as China, Taiwan, Russia, or Ukraine—directly or indirectly, through people, assets, or the supply chain—what happens in those hot spots doesn’t stay in those hot spots.

The year started with Russia’s invasion of Ukraine and continued with US-China tensions over Taiwan. Both dramatic geopolitical developments have had a series of reverberations globally including for the business community. For example, shifts in relationships between the United States, European Union (EU), and Russia, including ceasing to do business in Russia, protecting people and assets in Russia and Ukraine, and abiding by unprecedented sanctions, are only a few of the consequences.

It’s Time to Get Ready for Escalated China-Taiwan Tensions

The second half of 2022 has already witnessed another critical geopolitical moment. Perhaps prompted by the visit of US House speaker Nancy Pelosi to Taiwan, China’s hair-trigger response of using its military for an unprecedented show of force with live-fire exercises over and around the island of Taiwan is simply an escalation of tensions that were otherwise long under development. Whether these tensions result in an actual invasion by China of Taiwan or something short of that in the near, medium, or long term, good business judgment requires both management and the board to start planning now.

Smart businesses, such as some of the leading technology companies, are already deeply involved in searching for and securing alternative and diversified manufacturing sites both near China and Taiwan (for example in Vietnam), as well as in onshoring or reshoring their supply chains by building new manufacturing sites “at home.” Although such new facilities will not come online soon enough, leaders must stop planning only for short-term profits and start planning for medium- and long-term resilience which, ostensibly, should yield long-term profits.

Expect the Unexpected

Before 2022, few expected Putin’s Russia to invade Ukraine, but it happened with alarming, serious, and immediately disruptive consequences. No one wants the same thing to happen from a deterioration of China-Taiwan relations.

Taiwan is a model democracy and market economy, and an incredibly important source of highly advanced, specialized chips used the world over in technology of all kinds, including laptops, smartphones, security networks, and telecommunications networks.

US and global companies with Taiwan-based operations should be most concerned as their exposure isn’t only to the financial implications of supply chain and product or service failure, but also to the impacts on the health and safety of employees. It is also likely that cyberattacks will increase in volume and ultimately result in financial loss either due to denial-of-service attacks, lost productivity, or the need to spend more money and resources on cybersecurity.

With the rising tensions between the United States and China, global companies with a footprint in China could fall into the cyber war between the states. Many US- and EU-based companies are already deciding to close or relocate operations outside of China. If things deteriorate, China may even attempt to seize control of foreign company assets (as Russia has recently done with the remnants of foreign companies that have left that country).

Geopolitical and Cyber-risk Governance “To Dos”

Among the top “to dos” that company boards and management should consider from a geopolitical and cyber-risk governance standpoint are the following:

Ensure that the leadership team has access to real-time geopolitical, national, and local political data and advice relating to the company’s strategic footprint, geography, supply chain, and planning.

Designate a member of management who will oversee geopolitical and political developments with the assistance of solid intelligence and advisors, reporting to the C-suite and board periodically and coordinating in real time with risk management efforts.

Ask if there is a crisis management plan and team, including a board liaison or member. Is relevant crisis scenario planning integrated into such plans and periodically conducted with the board?

Ask whether the risk and information security teams have the resources and tools necessary for foresight and future-proofing.

Ensure that the enterprise risk management framework includes geopolitical and cyber-risk identification, analysis, and mitigation considerations.

Ensure cyber hygiene. What is the state of cyber-risk management at the organization? Is it effective?

Ensure that the organization is vigilant about information and data integrity in its products and services.

Integrate digital chatter vigilance into internal and external communications strategy as well as enterprise risk management.

Have directors that are risk-savvy, knowledgeable, and experienced.

Have directors with specific risk expertise, depending on the company’s risk profile.

Consider having a specialized risk and strategy committee.

Receive quarterly risk reports from management and conduct executive sessions with the chief risk officer and chief information security officer to ensure organizational resilience and business continuity.

If boards follow the important path of upping or reupping their risk governance to include continuous learning related to geopolitical and cyber risk focused on a company’s specific business footprint, we think that their long-term resilience and sustainability will be seriously improved. Those who do not heed this advice will be at a distinct competitive disadvantage both tactically and strategically, and maybe even existentially, in this era of continuous and overlapping risks and crises. 

Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory; a global ESG, risk, and cyber strategist; a board director; an NACD 2022 Directorship 100 honoree; and a life member of the Council on Foreign Relations.

Tomer Saban is the CEO and cofounder of WireX Systems, a network security company that is changing the way businesses respond to cyberattacks, and before that he worked in the homeland security space, developing defense systems for intelligence agencies.


Pay vs. Performance: What Do Public Company Directors Need to Know?

The US Securities and Exchange Commission recently adopted a new disclosure rule aimed at highlighting the relationship between executive compensation and company performance. The mandate, effective for the upcoming proxy cycle, introduces a new definition of executive compensation, Compensation Actually Paid (CAP), relative to a variety of performance metrics, some of which are prescribed and some of which are selected by each company. Although we won’t cover all the technical details here (that will take place on an upcoming NACD webinar on 10/27), below is a summary of what you need to know today about the new rules, and the potential implications of the new disclosure that warrant conversation in your fall meetings.

There Are Two New Tables and a Required Narrative.

The first table (the pay vs. performance (PvP) table) includes three years of historical data for executive pay and company performance (building to five years of historical data over the next two years). Executive pay includes disclosed total compensation from the summary compensation table (SCT) as well as the new definition of CAP for both the CEO and the average of the other nonexecutive officers. Performance disclosures are:

Company total shareholder return (TSR)

Peer group TSR

Company net income

Company-selected metric

An explanation of the relationship among the various disclosures of pay and performance must be provided in narrative or graphical format (or both). The second table (tabular list) requires a listing of 3-7 financial (or non-financial) metrics that are most relevant to the company’s determination of executive compensation.

Compensation Committees Should Be Aware of, or Weigh-in on, Four Key Decisions.

The four key decisions are:

1. Which company-selected performance metric to include in the PvP table;

2. Which peer group to include for TSR purposes in the PvP table;

3. Which additional metrics to include in the tabular list; and

4. Where the required disclosure should be placed within the proxy.

We suspect that many companies will select:

The earnings metric in their short-term incentive plan,

An index used in their Performance Graph in the 10-K or Annual Report,

A minimal listing of metrics that are currently included in the incentive plan designs, and

Placement after the existing required compensation tables (i.e., not within the Compensation Discussion and Analysis (CD&A)).

“Compensation Actually Paid” Is Not What You Think.

Although the opportunity existed to require something like “realizable” or “realized” compensation, the new rules simply adjust the figures already disclosed in the SCT with respect to equity-based compensation and pensions. For example, the equity-based compensation adjustments are not based on realized compensation (e.g., option exercises, performance share units (PSUs) earned, restricted stock vested, etc.) but rather reflect an annual “mark to market” based on fair value estimates at each new measurement date (e.g., updated Black-Scholes valuation for options, updated Monte-Carlo valuation for PSUs with rTSR metrics, etc.).

What Are the Potential Implications of the New Disclosure?

Nobody wants the tail to wag the dog, but there are some potential implications of this new disclosure for executive-level incentive compensation plan designs going forward.

The choice of incentive plan metrics has greater visibility. Because the company-selected metric for the PvP Table and the list of three to seven additional metrics for the tabular list will likely originate from the metrics currently used in the executive-level short-term and long-term incentive plan designs, the choice of metrics should at least consider how this will appear to shareholders in this new disclosure in the future. In other words, does the current incentive framework really capture all the important metrics? Are there metrics being considered for inclusion in the new list that are not currently included in the incentive plan designs but should be?

This is another potential spotlight on ESG-related metrics. If you don’t have any ESG-related metrics in your list of three to seven, are they not important? If you do have ESG-related metrics in your list but they’re not directly incorporated into your incentive plan design, why not? The fact that these metrics will be “tagged” in the disclosure will make it relatively easy for researchers, proxy advisors, and governance groups to assemble comparisons and identify outliers.

There are potential disconnects with the story in the CD&A. The new required narrative following the CAP table may or may not fully align with the more complete pay-for-performance narrative within the CD&A given the different metrics, time frames, and pay definitions. To some extent, these narratives will need to be reconciled.

Relative TSR plans just became more costly. The number of required Monte-Carlo valuations (typically provided by a third party) has expanded from:

A single valuation on the grant date to

Multiple valuations during the life of the award:
  at the grant date,
  at the end of each fiscal year during the performance period, and
  at the end of the performance period.

Furthermore, there may be an additional calculation of final actual value if there is a difference between the end date of the performance period and the ultimate vesting date.

Equity awards with quarterly or monthly vesting are quite cumbersome. Because the definition of “Compensation Actually Paid” requires re-measurement of outstanding awards at either fiscal year-end or vesting, awards with more frequent vesting provisions add considerable complexity to the calculation of CAP. For example, an award with monthly vesting will require valuation on the grant date and on each of the 12 subsequent vesting dates.

Is this a big deal? The answer is both yes and no. Yes, because it’s a new required table with an entirely new definition of pay and a potentially confusing narrative trying to make pay-for-performance connections between variables and time frames that may not be well aligned. And no, because it is likely to be separate and apart from the CD&A, and therefore may not become an integral component of how the executive compensation program is evaluated externally (i.e., more akin to the impact, if any, of the CEO pay ratio disclosure). However, it is brand new, it needs to be done, and only time will tell how much attention it ultimately receives or the impact it has on the design of executive pay programs.

Greg Stoeckel is a managing director and consulting team leader in Pearl Meyer’s Atlanta office.


A Crossroads for Cyber Insurance: Are You Really Covered?

Recently, Lloyd’s of London issued a bulletin that will require its insurer groups to separate state-backed cyberattacks from standalone cyber insurance policies. Starting in March 2023, when coverage begins or renews, Lloyd’s global syndicates must exclude attacks involving state actors in policies that protect against physical and digital damage caused by hacks.

This raises the question: If the insurance industry stops covering breaches caused by nation-states, and a significant number of breaches are suspected to originate from this very source, where does this leave companies? Further, what if the breach source is unknown?

Most, if not all, companies secure a cyber insurance policy to spread out or defer some risk and damage from a cyber breach. Many, however, are likely to start questioning whether the cost of their now-limited insurance policies is worth it. Based on years of cyber investigative experience, I believe Lloyd’s of London’s recent decision will be a difficult one to enforce and nearly impossible to base on unclassified and verifiable data.

The question then comes down to: How do you attribute an attack to a nation-state actor? Attributing back to specific perpetrators is difficult in cyberspace, where identities can be easily disguised by using Tor (The Onion Router), botnets, and other obfuscation techniques.

Add to this problem the use of initial access brokers, a dark web concept that I call “crowd-sourced hacking.” Here, actors can be found on various marketplaces and employed to conduct various parts of an attack piecemeal. For example, one actor can conduct the initial network access and then sell it to another actor, who moves laterally through the network and sells the access and network map to another actor, who deploys the malware or ransomware payload.

Some dark web vendors even provide a service dedicated to cultivating archives of stolen credentials, and their clients can include nation-states, organized criminal syndicates, or enterprising cybercriminals with pools of victims to compromise. The attribution waters get even muddier when you start to dive into the forensic science side of cyberspace. On any given day, leagues of different attack tools are being deployed by threat actors big and small. That’s a lot of tools to keep track of, even on the best of days, especially when some of them are used by friendly organizations looking for cyber vulnerabilities to close, not exploit. 

Even if a computer involved in an attack was traced to an IP address located in a North Korean military base, for instance, it wouldn’t necessarily mean said attack was carried out with the knowledge of that government’s authorities. The device could have been compromised by hackers in other countries, as in the case of the Office of Personnel Management hack, where the Federal Bureau of Investigation (FBI) arrested a Chinese national for the attack but couldn’t attribute it to the Chinese government.

And while the specific tactics, techniques, and procedures used by certain nation-states allow for some degree of attribution, only highly sophisticated investigative methods employed by US law enforcement and intelligence community members such as the FBI, Central Intelligence Agency, or National Security Agency can usually detect them. However, these detection processes aren’t quick ones, sometimes taking months or years. In addition, law enforcement tactics that track such activity are classified and wouldn’t be disclosed to insurance companies seeking to make coverage decisions.

Given the gray area around attribution, there may be a reckoning around the corner for the insurance sector, especially if other providers such as Lloyd’s attempt to unburden themselves from the financial responsibility of state-sponsored attacks. In an industry all about defining, mitigating, or eliminating risk, cyber insurance must establish a clear, accepted definition of its “nation-state” risk. Otherwise, I foresee a long road of litigation ahead between providers, the insured, and the victims arguing about the identity of the attacker.

Regardless of what happens with the cyber insurance market, having a solid cyber program is important to weather any storm. That’s why enterprises should continue to focus on forging resilient environments that start with risk management. Building out from there, organizations can efficiently secure themselves from threats, no matter the origin.   

James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.
